[SCM] Samba Shared Repository - branch v4-20-stable updated
4 selftest/expectedfail_heimdal Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index face2103327..08865ca2c42 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -146,8 +146,7 @@ include: - ccache -z -M 500M - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI -- git config --global --add safe.directory `pwd` -- git config --global --add safe.directory /builds/samba-team/devel/samba/.git +- git config --global --add safe.directory '*' after_script: - mount - df -h diff --git a/VERSION b/VERSION index 200f6ccac3e..b0f4f114077 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index fb964d7a6f4..93dd250d052 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,106 @@ + == + Release Notes for Samba 4.20.3 + August 02, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + +LDAP TLS/SASL channel binding support +- + +The ldap server supports SASL binds with +kerberos or NTLMSSP over TLS connections +now (either ldaps or starttls). + +Setups where 'ldap server require strong auth = allow_sasl_over_tls' +was required before, can now most likely move to the +default of 'ldap server require strong auth = yes'. + +If SASL binds without correct tls channel bindings are required +'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' +should be used now, as 'allow_sasl_over_tls' will generate a +warning in every start of 'samba', as well as '[samba-tool ]testparm'. + +This is similar to LdapEnforceChannelBinding under +HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters +on Windows. + +All client tools using ldaps also include the correct +channel bindings now. + +smb.conf changes + + + Parameter Name Description Default + -- --- --- + ldap server require strong auth new values + +Changes since 4.20.2 + + +o Andreas Schneider + * BUG 15683: Running samba-bgqd a a standalone systemd service does not work. + +o Andrew Bartlett + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. + +o Douglas Bagnall + * BUG 15671: Invalid client warning about command line passwords. + * BUG 15672: Version string is truncated in manpages. + * BUG 15673: --version-* options are still not ergonomic, and they reject + tilde characters. + * BUG 15674: cmdline_burn does not always burn secrets. + * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in + AD_DS_Classes_Windows_Server_v1903.ldf. + +o Jo Sutton + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. 
+ +o Pavel Filipenský + * BUG 15660: The images don\'t build after the git security release and + CentOS 8 Stream is EOL. + +o Ralph Boehme + * BUG 15676: Fix clock skew error message and memory cache clock skew + recovery. + +o Stefan Metzmacher + * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in + init_sec_context/repl_mutual. + * BUG 15621: s4:ldap_server: does not support tls channel bindings + for sasl binds. + +o Xavi Hernandez + * BUG 15678: CTDB socket output queues may suffer unbounded delays under some + special conditions. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes f
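Review bot: In the .gitlab-ci-main.yml hunk, `git config --global --add safe.directory '*'` switches off git's repository ownership check for every path the job touches, which is much wider than the two entries it replaces (`pwd` and /builds/samba-team/devel/samba/.git). The comment above the line still only says that additional checks are removed. Please either state there why explicit paths were not sufficient, or keep explicit entries and add only the directory that was missing, so that the wildcard is a documented choice rather than a side effect of fixing the image build.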
[Announce] Samba 4.20.3 Available for Download
Release Announcements
---------------------

This is the latest stable release of the Samba 4.20 release series.

LDAP TLS/SASL channel binding support
-------------------------------------

The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).

Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.

If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.

This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.

All client tools using ldaps also include the correct
channel bindings now.

smb.conf changes
----------------

  Parameter Name                          Description     Default
  --------------                          -----------     -------
  ldap server require strong auth         new values

Changes since 4.20.2
--------------------

o   Andreas Schneider
    * BUG 15683: Running samba-bgqd as a standalone systemd service does not work.

o   Andrew Bartlett
    * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
      Windows computer when user account need to change their own password.

o   Douglas Bagnall
    * BUG 15671: Invalid client warning about command line passwords.
    * BUG 15672: Version string is truncated in manpages.
    * BUG 15673: --version-* options are still not ergonomic, and they reject
      tilde characters.
    * BUG 15674: cmdline_burn does not always burn secrets.
    * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
      AD_DS_Classes_Windows_Server_v1903.ldf.

o   Jo Sutton
    * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
      Windows computer when user account need to change their own password.

o   Pavel Filipenský
    * BUG 15660: The images don't build after the git security release and
      CentOS 8 Stream is EOL.

o   Ralph Boehme
    * BUG 15676: Fix clock skew error message and memory cache clock skew
      recovery.

o   Stefan Metzmacher
    * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
      init_sec_context/repl_mutual.
    * BUG 15621: s4:ldap_server: does not support tls channel bindings
      for sasl binds.

o   Xavi Hernandez
    * BUG 15678: CTDB socket output queues may suffer unbounded delays under some
      special conditions.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

Download Details
----------------

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620). The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.20.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
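An added example, not part of the announcement or of the Samba code base: a Python check that reads an smb.conf and classifies the effective 'ldap server require strong auth' value along the lines of the release notes above. The parser, status labels and sample configurations are constructed for illustration; `include` directives are not followed, lines before the first section header are treated as global (an assumption), and the description of the value `no` comes from the smb.conf documentation rather than from this announcement.

```python
"""Classify 'ldap server require strong auth' in an smb.conf (added example)."""
import re

# Parameter name with case and whitespace folded, as smb.conf ignores both.
PARAM = "ldapserverrequirestrongauth"

# value -> (status, note); wording follows the 4.20.3 release notes.
FINDINGS = {
    "yes": ("ok",
            "default; SASL binds over TLS must carry correct channel bindings"),
    "allow_sasl_without_tls_channel_bindings":
        ("review",
         "SASL binds over TLS accepted without correct channel bindings"),
    "allow_sasl_over_tls":
        ("deprecated",
         "warns at every start of samba and testparm; move to 'yes' or "
         "'allow_sasl_without_tls_channel_bindings'"),
    "no": ("weak", "strong authentication is not required for LDAP binds"),
}


def _logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf


def effective_setting(text):
    """Return (value, line) of the last [global] definition, else (None, None)."""
    section = "global"  # assumption: lines before any header count as global
    found = (None, None)
    for number, line in _logical_lines(text):
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", s)
        if header:
            section = re.sub(r"\s+", "", header.group(1)).lower()
            continue
        name, sep, value = s.partition("=")
        if not sep or section != "global":
            continue
        if re.sub(r"\s+", "", name).lower() == PARAM:
            found = (value.strip().lower(), number)  # later lines override
    return found


def audit(text):
    """Return a dict describing the effective setting and what to do about it."""
    value, line = effective_setting(text)
    if value is None:
        value, where = "yes", "not set, default applies"
    else:
        where = f"line {line}"
    status, note = FINDINGS.get(
        value, ("unknown", "value not covered by this check"))
    return {"value": value, "where": where, "status": status, "note": note}


# Constructed sample: a configuration carrying the pre-4.20.3 workaround.
SAMPLE_OLD = """\
# constructed sample
[global]
    workgroup = EXAMPLE
    LDAP Server Require Strong Auth = allow_sasl_over_tls
[share]
    path = /srv/share
"""

# Constructed sample: the same configuration moved to the default.
SAMPLE_NEW = """\
[global]
    workgroup = EXAMPLE
    ldap server require strong auth = yes
"""

if __name__ == "__main__":
    for label, conf in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        r = audit(conf)
        print(f"{label}: {r['value']} ({r['where']}): {r['status']}: {r['note']}")
```

On a real server, `testparm` remains the authoritative view of the loaded configuration; this check is only a quick scan of a file on disk.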
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8b61355 NEWS[4.20.3]: Samba 4.20.3 Available for Download from a13124c NEWS[4.21.0rc1]: Samba 4.21.0rc1 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 8b6135578a6975f6677e16313d0d1202e23ed874 Author: Stefan Metzmacher Date: Fri Aug 2 14:02:26 2024 +0200 NEWS[4.20.3]: Samba 4.20.3 Available for Download Signed-off-by: Stefan Metzmacher --- Summary of changes: history/samba-4.20.3.html| 102 +++ posted_news/20240802-120549.4.20.3.body.html | 13 +++ posted_news/20240802-120549.4.20.3.headline.html | 3 + 3 files changed, 118 insertions(+) create mode 100644 history/samba-4.20.3.html create mode 100644 posted_news/20240802-120549.4.20.3.body.html create mode 100644 posted_news/20240802-120549.4.20.3.headline.html Changeset truncated at 500 lines: diff --git a/history/samba-4.20.3.html b/history/samba-4.20.3.html new file mode 100644 index 000..b697293 --- /dev/null +++ b/history/samba-4.20.3.html 
@@ -0,0 +1,102 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.20.3 - Release Notes + + +Samba 4.20.3 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.20.3.tar.gz;>Samba 4.20.3 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.20.3.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.20.2-4.20.3.diffs.gz;>Patch (gzipped) against Samba 4.20.2 +https://download.samba.org/pub/samba/patches/samba-4.20.2-4.20.3.diffs.asc;>Signature + + + + == + Release Notes for Samba 4.20.3 + August 02, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + +LDAP TLS/SASL channel binding support +- + +The ldap server supports SASL binds with +kerberos or NTLMSSP over TLS connections +now (either ldaps or starttls). + +Setups where ldap server require strong auth = allow_sasl_over_tls +was required before, can now most likely move to the +default of ldap server require strong auth = yes. + +If SASL binds without correct tls channel bindings are required +ldap server require strong auth = allow_sasl_without_tls_channel_bindings +should be used now, as allow_sasl_over_tls will generate a +warning in every start of samba, as well as [samba-tool ]testparm. + +This is similar to LdapEnforceChannelBinding under +HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters +on Windows. + +All client tools using ldaps also include the correct +channel bindings now. + +smb.conf changes + + + Parameter Name Description Default + -- --- --- + ldap server require strong auth new values + +Changes since 4.20.2 + + +o Andreas Schneider a...@samba.org + * BUG 15683: Running samba-bgqd a a standalone systemd service does not work. + +o Andrew Bartlett abart...@samba.org + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. 
+ +o Douglas Bagnall douglas.bagn...@catalyst.net.nz + * BUG 15671: Invalid client warning about command line passwords. + * BUG 15672: Version string is truncated in manpages. + * BUG 15673: --version-* options are still not ergonomic, and they reject + tilde characters. + * BUG 15674: cmdline_burn does not always burn secrets. + * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in + AD_DS_Classes_Windows_Server_v1903.ldf. + +o Jo Sutton josut...@catalyst.net.nz + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. + +o Pavel Filipenský pfilipen...@samba.org + * BUG 15660: The images don\t build after the git security release and + CentOS 8 Stream is EOL. + +o Ralph Boehme s...@samba.org + * BUG 15676: Fix clock skew error message and memory cache clock skew + recovery. + +o Stefan Metzmacher me...@samba.org + * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in + init_sec_context/repl_mutual. + * BUG 15621: s4:ldap_server: does not support tls channel bindings + for sasl binds. + +o Xavi Hernandez xhernan...@redhat.com + * BUG 15678: CTDB socket output queues may suffer unbounded delays under some + special conditions. + + + + + + diff --git a/posted_news/20240802-120549.4.20.3.body.html b/posted_news/20240802-120549.4.20.3.body.html new file mode 100644 inde
[SCM] Samba Shared Repository - annotated tag samba-4.20.3 created
The annotated tag, samba-4.20.3 has been created
        at  235085c00d0f9aecc602974e9bec6d6ac46b03d6 (tag)
   tagging  803665cb481c6a897e9bdaecaccfc7a353b3683a (commit)
  replaces  samba-4.20.2
 tagged by  Stefan Metzmacher
        on  Fri Aug 2 14:01:59 2024 +0200

- Log -
samba: tag release samba-4.20.3

Andreas Schneider (2):
      gitlab-ci: Also add the git directory for pipeline in the main mirror
      s3:printing: Allow to run samba-bgqd as a standalone systemd service

Andrew Bartlett (2):
      dsdb: Reduce minimum maxPwdAge from 1 day to nil
      python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

Douglas Bagnall (19):
      buildtools: sanitise strange characters in vendor strings
      build: --vendor-suffix instead of --vendor-patch-revision --vendor-name
      selftest: move some more expected failures to expectedfail.d
      docs-xml:manpages: allow for longer version strings
      cmdline:burn: '-U' does not imply secrets without '%'
      selftest: run the cmdline tests that we already have
      cmdline:tests: extend cmdline_burn tests
      cmdline:burn: do not retain false memories
      cmdline:burn: handle arguments separated from their --options
      cmdline:burn: always return true if burnt
      cmdline:burn: localise some variables
      cmdline:burn: do not burn options starting --user-*, --password-*
      cmdline: test_cmdline tests more burning
      cmdline:burn: use allowlist to ensure more passwords burn
      cmdline:burn: explicitly burn --username
      cmdline:burn: add a note about short option combinations
      cmdline: samba-tool test for bad option warning
      cmdline:burn: list commands to always burn; warn on unknown
      libcli:security: allow spaces after BAD:

Jo Sutton (4):
      tests/krb5: Fix PK-INIT test framework to allow expired password keys
      tests/krb5: Allow creation of disabled accounts for testing
      tests/krb5: Add tests for errors produced when logging in with unusable accounts
      third_party/heimdal: Import lorikeet-heimdal-202406240121 (commit 4315286377278234be2f3b6d52225a17b6116d54)

Jule Anger (1):
      VERSION: Bump version up to Samba 4.20.3...

Pavel Filipenský (1):
      .gitlab-ci-main.yml: Add safe.directory '*'

Ralph Boehme (1):
      third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0)

Stefan Metzmacher (29):
      s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
      ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
      s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
      s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
      s4:lib/tls: remove tstream_tls_push_trigger_write step
      s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
      s4:lib/tls: assert that event contexts are not mixed
      s4:lib/tls: split out tstream_tls_prepare_gnutls()
      s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
      s4:lib/tls: include a TLS server name indication in the client handshake
      s4:lib/tls: split out tstream_tls_verify_peer() helper
      s4:lib/tls: add tstream_tls_params_client_lpcfg()
      s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
      s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
      s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
      lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
      s4:lib/tls: add tstream_tls_channel_bindings()
      third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)
      wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
      auth/gensec: add gensec_set_channel_bindings() function
      auth/ntlmssp: implement channel binding support
      s4:gensec_gssapi: implement channel binding support
      s3:crypto/gse: implement channel binding support
      s4:ldap_server: add support for tls channel bindings
      s4:libcli/ldap: add tls channel bindi
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via f81fdcb2dfe VERSION: Bump version up to Samba 4.20.4... via 803665cb481 VERSION: Disable GIT_SNAPSHOT for the 4.20.3 release. via a13bed3b9ef WHATSNEW: Add release notes for Samba 4.20.3. from f8e50d04e9f libcli:security: allow spaces after BAD: https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit f81fdcb2dfe15519851e046d59dc6c2d66415148 Author: Stefan Metzmacher Date: Fri Aug 2 13:50:36 2024 +0200 VERSION: Bump version up to Samba 4.20.4... and re-enable GIT_SNAPSHOT. Signed-off-by: Stefan Metzmacher commit 803665cb481c6a897e9bdaecaccfc7a353b3683a Author: Stefan Metzmacher Date: Fri Aug 2 13:49:07 2024 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.20.3 release. Signed-off-by: Stefan Metzmacher commit a13bed3b9ef7586d5fb679ab93a2bce742a580ed Author: Stefan Metzmacher Date: Fri Aug 2 13:43:39 2024 +0200 WHATSNEW: Add release notes for Samba 4.20.3. Signed-off-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 107 +-- 2 files changed, 106 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 4cb90cc5643..28e5aa22c01 100644 --- a/VERSION +++ b/VERSION @@ -27,7 +27,7 @@ SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=20 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index fb964d7a6f4..93dd250d052 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,106 @@ + == + Release Notes for Samba 4.20.3 + August 02, 2024 + == + + +This is the latest stable release of the Samba 4.20 release series. + +LDAP TLS/SASL channel binding support +- + +The ldap server supports SASL binds with +kerberos or NTLMSSP over TLS connections +now (either ldaps or starttls). + +Setups where 'ldap server require strong auth = allow_sasl_over_tls' +was required before, can now most likely move to the +default of 'ldap server require strong auth = yes'. + +If SASL binds without correct tls channel bindings are required +'ldap server require strong auth = allow_sasl_without_tls_channel_bindings' +should be used now, as 'allow_sasl_over_tls' will generate a +warning in every start of 'samba', as well as '[samba-tool ]testparm'. + +This is similar to LdapEnforceChannelBinding under +HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters +on Windows. + +All client tools using ldaps also include the correct +channel bindings now. + +smb.conf changes + + + Parameter Name Description Default + -- --- --- + ldap server require strong auth new values + +Changes since 4.20.2 + + +o Andreas Schneider + * BUG 15683: Running samba-bgqd a a standalone systemd service does not work. + +o Andrew Bartlett + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. + +o Douglas Bagnall + * BUG 15671: Invalid client warning about command line passwords. + * BUG 15672: Version string is truncated in manpages. + * BUG 15673: --version-* options are still not ergonomic, and they reject + tilde characters. + * BUG 15674: cmdline_burn does not always burn secrets. + * BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in + AD_DS_Classes_Windows_Server_v1903.ldf. + +o Jo Sutton + * BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a + Windows computer when user account need to change their own password. 
+ +o Pavel Filipenský + * BUG 15660: The images don\'t build after the git security release and + CentOS 8 Stream is EOL. + +o Ralph Boehme + * BUG 15676: Fix clock skew error message and memory cache clock skew + recovery. + +o Stefan Metzmacher + * BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in + init_sec_context/repl_mutual. + * BUG 15621: s4:ldap_server: does not support tls channel bindings + for sasl binds. + +o Xavi Hernandez + * BUG 15678: CTDB socket output queues may suffer unbounded delays under some + special conditions. + + +### +Reporting bugs & Developm
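Review bot: Two wording slips in the added WHATSNEW.txt text: the BUG 15683 entry reads "Running samba-bgqd a a standalone systemd service" where "as a" is meant, and the BUG 15660 entry carries a stray backslash in "don\'t". Separately, the "smb.conf changes" table lists 'ldap server require strong auth' with only "new values"; naming allow_sasl_without_tls_channel_bindings in that row would let an administrator who skims the table find the new value without reading the section above it.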
[SCM] Samba Shared Repository - branch v4-21-test updated
The branch, v4-21-test has been updated
       via  5ba371e09ab WHATSNEW: update the Per-user and group "veto files" and "hide files" section
       via  bffa9349d42 docs: Document parametric form of hide and veto files
       via  d5be00ab537 lib: Remove "token" parameter from set_namearray
       via  13dbaf5556c lib: Remove per-user support from append_to_namearray
       via  244ade4f12c tests: Test parametric per-user syntax for hide/veto files
       via  fd73c865eed smbd: Respect per-user hide and veto files with parametric options
       via  af0085aced4 lib: Factor out append_namearray from set_namearray
       via  0b9371aa0c2 loadparm: Add lp_wi_scan_share_parametrics
       via  5148ff97061 loadparm: Factor out lp_wi_scan_parametrics
      from  13fc70f5e04 VERSION: Bump version up to Samba 4.21.0rc2...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test

- Log -
commit 5ba371e09ab284e4ada0e6f3275a07711e7dd069
Author: Stefan Metzmacher
Date:   Wed Jul 31 11:56:35 2024 +0200

    WHATSNEW: update the Per-user and group "veto files" and "hide files" section

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15688

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

    Autobuild-User(v4-21-test): Stefan Metzmacher
    Autobuild-Date(v4-21-test): Wed Jul 31 16:07:37 UTC 2024 on atb-devel-224

commit bffa9349d425bcb2b4532ea27194d4a0727b6d31
Author: Volker Lendecke
Date:   Tue Jul 30 14:06:21 2024 +0200

    docs: Document parametric form of hide and veto files

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Jul 31 09:41:54 UTC 2024 on atb-devel-224

    (cherry picked from commit 10e9b858a3f9ca8d7e5dfd1c4e1e7937a03db671)

commit d5be00ab537b2e5256926c4753793b4ce561956d
Author: Volker Lendecke
Date:   Tue Jul 30 13:55:57 2024 +0200

    lib: Remove "token" parameter from set_namearray

    Not needed anymore

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    (cherry picked from commit a150714cc64294d75028bac47132084bdf6f72c9)

commit 13dbaf5556c6a3778d384ed833a896e266546557
Author: Volker Lendecke
Date:   Tue Jul 30 13:30:21 2024 +0200

    lib: Remove per-user support from append_to_namearray

    This is done in check_user_ok now

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    (cherry picked from commit b5169dd717ed5cf66d1e1e90aaf1a4646f7b5ea5)

commit 244ade4f12c0b9f72ffd640cd16a6c1a2c1ce37e
Author: Volker Lendecke
Date:   Tue Jul 30 14:11:53 2024 +0200

    tests: Test parametric per-user syntax for hide/veto files

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    (cherry picked from commit b5a128685e68f05a3688aa1391393b9095bf32b0)

commit fd73c865eed811d89da023a77792aba7a603fc60
Author: Volker Lendecke
Date:   Mon Jul 29 17:49:49 2024 +0200

    smbd: Respect per-user hide and veto files with parametric options

    For my taste this is a nicer configuration syntax than

    /../username1/file1/../username2/file2/

    Is this too expensive? I don't think so. The scanning only happens
    at tcon time, and it only walks the parametric options. If this
    turns out to be a performance problem, we should think about smarter
    data structures for parametric options instead of just a linked list
    of string triples for everything.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    (cherry picked from commit 17becb5f526015de56d00cd1c8f603f8ddacd0ba)

commit af0085aced4f2a7c8a11bbf357dc25b5ceb0928a
Author: Volker Lendecke
Date:   Tue Jul 30 13:07:22 2024 +0200

    lib: Factor out append_namearray from set_namearray

    We'll have to add to an existing namearray soon.

    This turns one talloc_array() into a set of reallocs. This is slower,
    but set_namearray is only used for smb.conf entries where we don't
    expect hundreds or more entries to add.

    I've done this to avoid array length calculations, but if it turns
    out to be too slow we can get smarter again.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    (cherry picked from commit fcd595a4642a08169b427af534a00116daf220bf)

commit 0b9371aa0c22684bb9d168a67891d92107023736
Author: Volker Lendecke
Date:   Mon Jul 29 07:17:21 2024 -0700

    loadparm: Add lp_wi_scan_share_parametrics

    Bug: https://bugzil
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  10e9b858a3f docs: Document parametric form of hide and veto files
       via  a150714cc64 lib: Remove "token" parameter from set_namearray
       via  b5169dd717e lib: Remove per-user support from append_to_namearray
       via  b5a128685e6 tests: Test parametric per-user syntax for hide/veto files
       via  17becb5f526 smbd: Respect per-user hide and veto files with parametric options
       via  fcd595a4642 lib: Factor out append_namearray from set_namearray
       via  89da15756d8 loadparm: Add lp_wi_scan_share_parametrics
       via  0536ac96e92 loadparm: Factor out lp_wi_scan_parametrics
      from  7dc19dd94cb s4:torture/smb2: add 'smb2.bench.session-setup'

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 10e9b858a3f9ca8d7e5dfd1c4e1e7937a03db671
Author: Volker Lendecke
Date:   Tue Jul 30 14:06:21 2024 +0200

    docs: Document parametric form of hide and veto files

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Jul 31 09:41:54 UTC 2024 on atb-devel-224

commit a150714cc64294d75028bac47132084bdf6f72c9
Author: Volker Lendecke
Date:   Tue Jul 30 13:55:57 2024 +0200

    lib: Remove "token" parameter from set_namearray

    Not needed anymore

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit b5169dd717ed5cf66d1e1e90aaf1a4646f7b5ea5
Author: Volker Lendecke
Date:   Tue Jul 30 13:30:21 2024 +0200

    lib: Remove per-user support from append_to_namearray

    This is done in check_user_ok now

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit b5a128685e68f05a3688aa1391393b9095bf32b0
Author: Volker Lendecke
Date:   Tue Jul 30 14:11:53 2024 +0200

    tests: Test parametric per-user syntax for hide/veto files

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 17becb5f526015de56d00cd1c8f603f8ddacd0ba
Author: Volker Lendecke
Date:   Mon Jul 29 17:49:49 2024 +0200

    smbd: Respect per-user hide and veto files with parametric options

    For my taste this is a nicer configuration syntax than

    /../username1/file1/../username2/file2/

    Is this too expensive? I don't think so. The scanning only happens
    at tcon time, and it only walks the parametric options. If this
    turns out to be a performance problem, we should think about smarter
    data structures for parametric options instead of just a linked list
    of string triples for everything.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit fcd595a4642a08169b427af534a00116daf220bf
Author: Volker Lendecke
Date:   Tue Jul 30 13:07:22 2024 +0200

    lib: Factor out append_namearray from set_namearray

    We'll have to add to an existing namearray soon.

    This turns one talloc_array() into a set of reallocs. This is slower,
    but set_namearray is only used for smb.conf entries where we don't
    expect hundreds or more entries to add.

    I've done this to avoid array length calculations, but if it turns
    out to be too slow we can get smarter again.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 89da15756d81746d80b43c2fe04c51fc07591849
Author: Volker Lendecke
Date:   Mon Jul 29 07:17:21 2024 -0700

    loadparm: Add lp_wi_scan_share_parametrics

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 0536ac96e927c00121e220f45cd63682726bc8e3
Author: Volker Lendecke
Date:   Mon Jul 29 06:27:51 2024 -0700

    loadparm: Factor out lp_wi_scan_parametrics

    We'll scan share parametrics soon as well.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15688
    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 docs-xml/smbdotconf/filename/hidefiles.xml |  29 +--
 docs-xml/smbdotconf/filename/vetofiles.xml |  29 +--
 selftest/target/Samba3.pm                  |   6 +-
 source3/include/proto.h                    |   4 +-
 source3/lib/util_namearray.c               | 119 --
 source3/modules/vfs_virusfilter.c          |   2 -
 source3/param/loadparm.c                   |  50 +--
 source3/param/loadparm.h                   |   7 ++
 source3/smbd/smb2_service.c                |   2 -
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 07c0afe91d5 WHATSNEW.txt: document "veto files" and "hide files" via 607d2c1e3e9 s3/lib: return error from set_namearray() via 02ae847b453 smbd: return errors from token_contains_name() via 0f27c521449 s3/lib: use lookup_name_smbconf_ex() in token_contains_name() via 8364db8a3cd s3/passdb: add lookup_name_smbconf_ex() using lookup_name_internal() via 01b0b856210 s3/passdb: factor out lookup_name_internal() via 1d6feea6772 s3/passdb: use winbind_lookup_name_ex() in lookup_name() instead of winbind_lookup_name() via 3a13b90ceef s3/passdb: add winbind_lookup_name_ex() via 5d3c6dbf61b s3-errormap: add WBC_ERR_NOT_MAPPED -> NT_STATUS_NONE_MAPPED via 1b63d503fce s3-errormap: move map_nt_error_from_wbcErr() back into errormap.c via 02da9704a05 s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED via 148a102800f winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names via 12c5adb49ae libwbclient: prepare wbcCtxLookupName() for dealing with WBC_SID_NAME_UNKNOWN via 315ee3801b9 libwbclient: add error WBC_ERR_NOT_MAPPED via 21b9eb5b8c1 winbindd: properly initialize sid and type in wb_cache_name_to_sid() via cbd4aee50b5 winbindd: collapse two if expressions via 6baf9547e53 winbindd: reformatting via dc95763757b winbindd: rename variable old_status to was_online in wb_cache_name_to_sid() via 89a26b50f42 CI: add a test for per-user (and per-group) veto files via 7e835339daf CI: fix test file cleanup via b8b2f218352 s3/lib: add per-user support to set_namearray() via 02e7c70ab31 smbd: move token_contains_name() to util_namearray.c and make it public via 2f273a50855 selftest: add groups "group1" and "group2" to Samba3 via c4ede22db0d s3/lib: move set_namearray() to util_namearray.c via 8ab29157b9b smbd: maintain veto_list and hide_list in the vuid cache via cfa9a73319e smbd: prepare free_conn_session_info_if_unused() for more cleanup logic via 630f1228d17 smbd: move target code out of loop body via 
7fc74c7883c s3/lib: modernize set_namearray() via f564fcb7c1a s3/lib: move path_to_strv() to util_path.c via 0c6725a73ce s3/lib: remove name_compare_entry typedef via a1c1057f620 selftest: remove net groupmap delete stuff via 5160da2997f selftest: ensure the "fileserver" test environment is removed before provisioning via a1d5df42034 selftest: setup "fileserver" testenv specific directories after calling provision() via 2cd9da518dd selftest: setup "simpleserver" testenv specific directories after calling provision() via 25ff9e59630 selftest: remove check for $no_delete_prefix from 8903876f65d libcli:security: allow spaces after BAD: https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 07c0afe91d5c4631a2fa6424bb38fff1ddc89b0c Author: Ralph Boehme Date: Fri Feb 2 15:14:27 2024 +0100 WHATSNEW.txt: document "veto files" and "hide files" Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jul 26 11:10:42 UTC 2024 on atb-devel-224 commit 607d2c1e3e9017d260e4a76eeac7e2c638eaff03 Author: Ralph Boehme Date: Wed Feb 7 11:40:29 2024 +0100 s3/lib: return error from set_namearray() Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher commit 02ae847b45375091cc9c0ef76c49b6b1edcdb4e8 Author: Ralph Boehme Date: Fri Feb 2 08:10:54 2024 +0100 smbd: return errors from token_contains_name() Invalid names in "valid users", "invalid users", "read list", "write list", "veto files" and "hide files" are logged and ignored, but a failure to contact winbind or a DC from winbind, or a memory allocation failure, now all trigger a failure of the tree connect. Manually tested with smbclient with the following hack in winbindd: ---8<--- $ git di source3/winbindd/winbindd_cache.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c index c889489dbbbc..8ccf0a28e11a 100644 --- a/source3/winbindd/winbindd_cache.c 
+++ b/source3/winbindd/winbindd_cache.c @@ -1821,6 +1821,13 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain, ZERO_STRUCTP(sid); *type = SID_NAME_UNKNOWN; + if (strequal(name, "unknown")) { + return NT_STATUS_OK; + }
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 34c586680ea s3:tests: let modprinter.pl use $TMPDIR via 92ea6b00e71 third_party: Update pam_wrapper to version 1.1.7 via 6481fab912b selftest:Samba3: don't use PAM_WRAPPER_KEEP_DIR and PAM_WRAPPER_DEBUGLEVEL from ead5a3111f3 ctdb-daemon: Use ctdb_parse_node_address() in ctdbd https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 34c586680eaa324421a9375033fb2d1786b2df75 Author: Stefan Metzmacher Date: Tue Jul 23 11:46:57 2024 +0200 s3:tests: let modprinter.pl use $TMPDIR We should avoid using /tmp in selftest Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jul 23 13:53:13 UTC 2024 on atb-devel-224 commit 92ea6b00e712e3d2c1fa6c465cf39f6fe83d5095 Author: Andreas Schneider Date: Tue Jul 23 10:41:30 2024 +0200 third_party: Update pam_wrapper to version 1.1.7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher commit 6481fab912bb5d14e39a0140cb882f99fe330081 Author: Stefan Metzmacher Date: Tue Jul 23 09:27:37 2024 +0200 selftest:Samba3: don't use PAM_WRAPPER_KEEP_DIR and PAM_WRAPPER_DEBUGLEVEL They are both only for debugging problems. In normal runs we don't need them and this avoids leaving too many /tmp/pam.* directories around. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Martin Schwenke --- Summary of changes: buildtools/wafsamba/samba_third_party.py| 2 +- selftest/target/Samba3.pm | 3 +- source3/script/tests/printing/modprinter.pl | 6 ++- third_party/pam_wrapper/pam_wrapper.c | 69 + third_party/pam_wrapper/wscript | 3 +- 5 files changed, 29 insertions(+), 54 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index 96484893b2f..d6fe609c896 100644
--- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -44,5 +44,5 @@ Build.BuildContext.CHECK_UID_WRAPPER = CHECK_UID_WRAPPER @conf def CHECK_PAM_WRAPPER(conf): -return conf.CHECK_BUNDLED_SYSTEM_PKG('pam_wrapper', minversion='1.1.4') +return conf.CHECK_BUNDLED_SYSTEM_PKG('pam_wrapper', minversion='1.1.7') Build.BuildContext.CHECK_PAM_WRAPPER = CHECK_PAM_WRAPPER diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index c7cdbefc72d..b35769266ae 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1809,9 +1809,8 @@ sub setup_simpleserver close(FILE); $vars->{PAM_WRAPPER} = "1"; - $vars->{PAM_WRAPPER_KEEP_DIR} = "1"; $vars->{PAM_WRAPPER_SERVICE_DIR} = $pam_service_dir; - $vars->{PAM_WRAPPER_DEBUGLEVEL} = "3"; + #$vars->{PAM_WRAPPER_DEBUGLEVEL} = "3"; if (not $self->check_or_start( env_vars => $vars, diff --git a/source3/script/tests/printing/modprinter.pl b/source3/script/tests/printing/modprinter.pl index 28817dbd284..bfe395a8509 100755 --- a/source3/script/tests/printing/modprinter.pl +++ b/source3/script/tests/printing/modprinter.pl @@ -122,7 +122,11 @@ while () { } } if ($opt_add) { - print CONFIGFILE_NEW "[$share_name]\n\tprintable = yes\n\tpath = /tmp\n"; + my $tmpdir = "/tmp"; + if (defined($ENV{TMPDIR})) { + $tmpdir = $ENV{TMPDIR}; + } + print CONFIGFILE_NEW "[$share_name]\n\tprintable = yes\n\tpath = $tmpdir\n"; } close (CONFIGFILE); close (CONFIGFILE_NEW); diff --git a/third_party/pam_wrapper/pam_wrapper.c b/third_party/pam_wrapper/pam_wrapper.c index da2c7381656..606fb66e7d5 100644 --- a/third_party/pam_wrapper/pam_wrapper.c +++ b/third_party/pam_wrapper/pam_wrapper.c 
@@ -336,7 +336,7 @@ static void *pwrap_load_lib_handle(enum pwrap_lib lib) #ifdef RTLD_DEEPBIND const char *env_preload = getenv("LD_PRELOAD"); - const char *env_deepbind = getenv("UID_WRAPPER_DISABLE_DEEPBIND"); + const char *env_deepbind = getenv("PAM_WRAPPER_DISABLE_DEEPBIND"); bool enable_deepbind = true; /* Don't do a deepbind if we run with libasan */ @@ -749,6 +749,7 @@ static int copy_confdir(const char *src) static int p_rmdirs(const char *path); +#ifndef HAVE_PAM_START_CONFDIR static void pwrap_clean_stale_dirs(const char *dir) { size_t len = strlen(dir); @@ -816,20 +817,18 @@ static void pwrap_clean_stale_dirs(const char *dir
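Review bot: In the source3/script/tests/printing/modprinter.pl hunk, `defined($ENV{TMPDIR})` is also true for an empty string, so a TMPDIR that is exported but empty writes `path = ` into the generated share instead of falling back. Checking `defined($ENV{TMPDIR}) && $ENV{TMPDIR} ne ""` before overriding `$tmpdir` keeps the fallback working. Since the commit message says selftest should avoid /tmp, it is also worth considering whether the script should fail when TMPDIR is unset rather than default to "/tmp".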
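Review bot: In the setup_simpleserver hunk of selftest/target/Samba3.pm, PAM_WRAPPER_KEEP_DIR is deleted outright while PAM_WRAPPER_DEBUGLEVEL is left behind as the commented-out line `#$vars->{PAM_WRAPPER_DEBUGLEVEL} = "3";`. Either remove it as well, or add a short comment saying that both variables are debugging aids to be set for a local run, so the asymmetry does not look accidental to the next reader.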
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 818bd2dcb3c python:tests: make test_export_keytab_nochange_update() more reliable from 687139144a2 s3:auth: allow real plaintext authentication https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 818bd2dcb3c67728f4e82722154e25023a09c919 Author: Stefan Metzmacher Date: Wed Jul 17 07:03:34 2024 + python:tests: make test_export_keytab_nochange_update() more reliable net.export_keytab() includes the current timestamp into the resulting keytab. So we need to make sure the two compared exports actually run within the same second. And klist may also print the keytab filename... Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 17 14:21:30 UTC 2024 on atb-devel-224 --- Summary of changes: python/samba/tests/dckeytab.py | 42 -- 1 file changed, 36 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/dckeytab.py b/python/samba/tests/dckeytab.py index 9dee64e0cea..56be897e0f0 100644 --- a/python/samba/tests/dckeytab.py +++ b/python/samba/tests/dckeytab.py @@ -18,6 +18,7 @@ import os import subprocess +import time from samba.net import Net from samba import enable_net_export_keytab 
@@ -148,10 +149,38 @@ class DCKeytabTests(TestCaseInTempDir): self.addCleanup(self.samdb.deleteuser, "keytab_testuser") net = Net(None, self.lp) -self.addCleanup(self.rm_files, self.ktfile) -net.export_keytab(keytab=self.ktfile, principal=new_principal) -self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created') +self.addCleanup(self.rm_files, self.ktfile) +ktfile1 = self.ktfile + ".1" +self.addCleanup(self.rm_files, ktfile1, allow_missing=True) +ktfile2 = self.ktfile + ".2" +self.addCleanup(self.rm_files, ktfile2, allow_missing=True) + +# The export includes the current timestamp +# so we better do both exports within the +# same second. +# +# First we sleep until we reach the next second +now = time.time() +next = float(int(now)+1) +sleep = next-now +time.sleep(sleep) +start = time.time() +net.export_keytab(keytab=ktfile1, principal=new_principal) +net.export_keytab(keytab=ktfile2, principal=new_principal) +end = time.time() +self.assertTrue(os.path.exists(ktfile1), 'keytab1 was not created') +self.assertTrue(os.path.exists(ktfile2), 'keytab2 was not created') +print("now: %f" % now) +print("next: %f" % next) +print("sleep: %f" % sleep) +print("start: %f" % start) +print("end: %f" % end) +self.assertEqual(int(end), int(start)) + +# The output may contain the file name +# so we have to use self.ktfile... +os.rename(ktfile1, self.ktfile) cmd = ['klist', '-K', '-C', '-t', '-k', self.ktfile] keytab_orig_content = subprocess.Popen( cmd, @@ -163,9 +192,10 @@ class DCKeytabTests(TestCaseInTempDir): with open(self.ktfile, 'rb') as bytes_kt: keytab_orig_bytes = bytes_kt.read() -net.export_keytab(keytab=self.ktfile, principal=new_principal) -self.assertTrue(os.path.exists(self.ktfile), 'keytab was not created') - +# The output may contain the file name +# so we have to use self.ktfile... +os.rename(ktfile2, self.ktfile) +cmd = ['klist', '-K', '-C', '-t', '-k', self.ktfile] keytab_content = subprocess.Popen( cmd, shell=False, -- Samba Shared Repository
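Review bot: In the @@ -148,10 +149,38 @@ hunk, `self.assertEqual(int(end), int(start))` turns a slow run into a test failure: if the two net.export_keytab() calls together take longer than what is left of the second, for example on a loaded autobuild host, the test fails although nothing is wrong with the keytab. Repeating the sleep-and-export sequence a few times until both exports land in the same second would keep the intent without the flakiness. The locals `next` and `sleep` also shadow the builtin and read like `time.sleep`, so names such as `next_second` and `delay` would be clearer, and the five print() calls look like leftover debugging output.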
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 687139144a2 s3:auth: allow real plaintext authentication via 66e9d3fe01f selftest: setup pam_matrix in the simpleserver env via 108724ac346 s3:auth: let smb_pam_conv() handle resp=NULL via 97f0408f776 third_party/pam_wrapper: add pam_matrix module via 9afe7b7a0f2 s3:passdb: don't clear the LM HASH without a password change via 8e35933ceb5 s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests via f7574a59226 selftest:Samba3: allow lanman auth in setup_nt4_member via 1e21b99b643 selftest:Samba3: add simpleserver globals before include = global_inject.conf via 8937dce1334 libcli/auth: fix debug level 100 valgrind warnings in SMBOWFencrypt_ntv2() from eaed0cd9403 s3:lib: Fix a typo in MACRO https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 687139144a2f6210aae570accedafca9250753e1 Author: Stefan Metzmacher Date: Fri Jul 12 17:12:46 2024 +0200 s3:auth: allow real plaintext authentication In standalone setups we use the PAM stack to verify the plaintext authentication, so we need to pass it down... There are still production systems out there (legacy audio/video recording systems...) using this. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 17 11:17:54 UTC 2024 on atb-devel-224 commit 66e9d3fe01f80f19264aaf8250d92c82a707162a Author: Stefan Metzmacher Date: Fri Jul 12 20:23:52 2024 +0200 selftest: setup pam_matrix in the simpleserver env This allows testing a plaintext password authentication on a standalone server using the PAM stack to verify it. There are still production systems out in the wild using this... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 108724ac34663a234ab0a506a1e5d5e0a106af9c Author: Stefan Metzmacher Date: Mon Jul 15 18:47:24 2024 +0200 s3:auth: let smb_pam_conv() handle resp=NULL pam_matrix calls smb_pam_conv() with resp=NULL in some situations, we should not segfault... BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 97f0408f776ecbde4bec6d3001d0bdc82f9d86eb Author: Stefan Metzmacher Date: Mon Jul 15 18:43:37 2024 +0200 third_party/pam_wrapper: add pam_matrix module This allows testing pam with simple passwords. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 9afe7b7a0f248d2d31dfc2a13bd61906d113c932 Author: Stefan Metzmacher Date: Fri Jul 12 19:38:40 2024 +0200 s3:passdb: don't clear the LM HASH without a password change Updating things like the bad pwd count should not clear the stored LM HASH with 'lanman auth = no'. This allows testing with 'lanman auth = no' and 'lanman auth = yes'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 8e35933ceb5bcede2b45d8223766bd8b2ebd7ef1 Author: Stefan Metzmacher Date: Mon Jul 15 18:32:42 2024 +0200 s3:selftest: add samba3.blackbox.smb1_lanman_plaintext tests This demonstrates that we currently have problems with plaintext and lanman authentication. In both domain member and standalone setups. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit f7574a59226ed65c6048af64507c0be0d044eb8c Author: Stefan Metzmacher Date: Mon Jul 15 18:31:18 2024 +0200 selftest:Samba3: allow lanman auth in setup_nt4_member Note that the LM HASH is only generated for passwords up to 14 characters...
We use extra_options_before_inject in order to allow overriding any existing parameter. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 1e21b99b643c4d2177c382a296c2edfc2b7e7f91 Author: Stefan Metzmacher Date: Fri Jul 12 18:26:07 2024 +0200 selftest:Samba3: add simpleserver globals before include = global_inject.conf This allows overriding any existing parameter. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 8937dce133485ff5e8fd0291f096adbaffba56be Author: Stefan Metzmacher Date: Mon Jun 3 12:56:02 2024 +0200 libcli/auth: fix debug level 100 valgrind warnings
Re: [cifs-protocol] What is ADWS? - TrackingID#2406240040003279
Hi,

in all this wireshark MC-NMF support is most likely very useful for you, it only does very basic dissection, but the important gssapi/kerberos decryption steps are there...

https://gitlab.com/wireshark/wireshark/-/merge_requests/16456

metze

On 10.07.24 at 20:41, Jeff McCashland (He/him) via cifs-protocol wrote:

Hi Douglas,

We can confirm that MS-NBFS describes the SOAP protocol, and I see the document does provide binary representation of the SOAP format. Is that what you needed, or was something more missing for you to decode the traffic?

If so, I'd like to collect a network trace with the traffic you're unable to decode. To collect that, our policies require me to give you access to our file sharing workspace. In order to do that, I need a Microsoft Account email address. You can create one at Live.com if you don't already have one.

Please let me know how you would like to proceed.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Jeff McCashland (He/him)
Sent: Tuesday, July 9, 2024 2:58 PM
To: Douglas Bagnall
Cc: cifs-protocol@lists.samba.org; Microsoft Support
Subject: Re: What is ADWS? - TrackingID#2406240040003279

[Sreekanth to BCC]

Hi Douglas,

Is there a specific problem you're trying to solve? Is this blocking your implementation of ADWS?

MS-ADDM is the main documentation for ADWS. MS-NBFS describes the SOAP protocol. ADWS uses the common SOAP based web service protocol described in MS-NBFS, but MS-NBFS is not specific for ADWS.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation

From: Sreekanth Nadendla
Sent: Monday, June 24, 2024 5:42 AM
To: Douglas Bagnall
Cc: cifs-protocol@lists.samba.org; Microsoft Support
Subject: What is ADWS? - TrackingID#2406240040003279

Dochelp in Bcc

Hello Douglas, thank you for your question about Microsoft Open Specifications. We've created an incident #2406240040003279 to track the investigation for this issue. One of the open specifications team members will contact you soon to assist you.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

From: Douglas Bagnall
Sent: Sunday, June 23, 2024 7:19 PM
To: Interoperability Documentation Help; cifs-protocol@lists.samba.org
Subject: [EXTERNAL] What is ADWS?

hi Dochelp.

I thought for a long time that Active Directory Web Services (ADWS) was not fully documented because the documentation talked about SOAP while the wire packets are in a binary format that doesn't look at all like XML. But then I found [MC-NBFX] and [MC-NBFS] and it all fell into place. I think.

What I want to ask is: Is it broadly correct to say ADWS is mostly described in [MS-ADDM], but the wire packets have been transformed using the encoding described in [MS-NBFS] (which describes a specialisation of [MS-NBFX])? There are other things that extend it in various ways ([MS-WSDS], [MS-WSPELD], [MS-ADCAP], etc), but [MS-ADDM] and [MS-NBFS] are the main ones?

Is there some documentation that links the two together? I note they don't mention each other.

I don't need a long answer, unless I am completely on the wrong track.

thanks,
Douglas

___
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e450ff685b5 pidl: Wireshark: Another C99 type conversion via 9870457e962 pidl: Wireshark: Don't assign hash undef, assign it an empty array via 5b12d3d2e7d pidl: Wireshark: Remove init of proto variables via 00f57728742 pidl: Wireshark: Convert the pidl dissector generation code to C99 types via e60c5b881d9 pidl: Wireshark: Update test for removal of ett initialization via 2f5a388dd10 pidl: Wireshark: Const-ify dcerpc_sub_dissector structures. via 5a5e68c2747 pidl: Wireshark: Don't initialise static hf and ett variables. via f2ed371e1cc pidl: Wireshark: Remove init of proto variables via c3ca2a6575b pidl: Update Wireshark generated DRSUAPI code from 3a21b7d9a4e .gitlab-ci-main.yml: Add safe.directory '*' https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e450ff685b57849470aecdab5397a1a8ea5d19d2 Author: John Thacker Date: Wed Jul 3 08:03:41 2024 -0400 pidl: Wireshark: Another C99 type conversion Pick up change from Wireshark: commit bdb719f846f9d8f7800b9f50dadfde5e7f7a89e1 Author: John Thacker Date: Sun Jun 23 08:15:45 2024 -0400 pidl: Another C99 type conversion Change an automated sizeof() call in the pidl dissector generation from prefixing a "g" to getting the actual C type. Ping #19116 Signed-off-by: John Thacker Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jul 12 11:08:03 UTC 2024 on atb-devel-224 commit 9870457e962b2ce2da590777aa4f58269361b95b Author: John Thacker Date: Wed Jul 3 08:00:59 2024 -0400 pidl: Wireshark: Don't assign hash undef, assign it an empty array Pick up change from Wireshark: commit ade6577f109e2bf741909226254b758e79a816f1 Author: John Thacker Date: Fri Jun 21 20:27:51 2024 -0400 pidl: Don't assign hash undef, assign it an empty array Perl works, but complains if warnings are on, if a hash is initialized to undef instead of to empty. 
Upstream Samba turned on warnings in the next commit to catch things like this. Signed-off-by: John Thacker Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher commit 5b12d3d2e7d82bc07c1c1c96229ed0cd71a6a967 Author: John Thacker Date: Wed Jul 3 07:58:04 2024 -0400 pidl: Wireshark: Remove init of proto variables Pick up change from Wireshark: commit 10b046cbdd110dbae8f4cab048e5954bf6955402 Author: John Thacker Date: Sat Jun 22 20:31:40 2024 -0400 pidl: Remove init of proto variables Remove initialization of proto variables from pidl generated dissectors and regenerate. Follow up to 2a9bc63325c99653c5da873c273430add3b5e9dd Signed-off-by: John Thacker Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher commit 00f5772874265d0cd8535cd60a76e6117ce715b5 Author: John Thacker Date: Wed Jul 3 07:56:42 2024 -0400 pidl: Wireshark: Convert the pidl dissector generation code to C99 types Pick up change from Wireshark: commit 4df8d2884ddfe72a03d0b322c10ae515a8366ea4 Author: John Thacker Date: Sat Jun 22 11:21:47 2024 -0400 pidl: Convert the pidl dissector generation code to C99 types Switch the Wireshark.pm pidl dissector generation code to using C99 types, and regenerated the dcerpc pidl dissectors. Ping #19116 Signed-off-by: John Thacker Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher commit e60c5b881d95d7b6073abc87d42ecba52778f192 Author: John Thacker Date: Wed Jul 3 07:54:40 2024 -0400 pidl: Wireshark: Update test for removal of ett initialization Pick up change from Wireshark: commit 6e4c81b324e9b1752ce6bc253a09355512b5b387 Author: John Thacker Date: Sat Jun 22 11:10:48 2024 -0400 pidl: Update test for removal of ett initialization Also remove trailing whitespace Signed-off-by: John Thacker Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher commit 2f5a388dd105f43d69b730f05be1b1b109c87212 Author: John Thacker Date: Wed Jul 3 07:52:42 2024 -0400 pidl: Wireshark: Const-ify dcerpc_sub_dissector structures. 
Pick up change from Wireshark: commit 8a2a42241fd148ce735e776a6a1e6b49b64d215e Author: Darius Davis Date: Sun May 19 17:39:38 2024 +1000 Const-ify dcerpc_sub_dissector structures. This moves about 56 kBytes of data from a read-write data sectio
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 63c8ed2a386 .gitlab-ci-main.yml: Add safe.directory '*' via b22c93aca20 gitlab-ci: Also add the git directory for pipeline in the main mirror from 8d08c814134 third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0) https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 63c8ed2a38699e9f3e6f10dc2ba4e6c2904af5a1 Author: Pavel Filipenský Date: Thu Jul 4 11:08:03 2024 +0200 .gitlab-ci-main.yml: Add safe.directory '*' This is to fix the error when pushing to personal gitlab repo: 2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba' Cloning into '/builds/samba-testbase/master'... fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git' To add an exception for this directory, call: git config --global --add safe.directory /builds/pfilipen/samba/.git fatal: Could not read from remote repository. Instead of adding more and more explicit repositories we should just allow any, we're in an isolated environment... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224 (cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36) Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Thu Jul 11 13:22:43 UTC 2024 on atb-devel-224 commit b22c93aca200c6ebfcacf0795fbf207dc59dc717 Author: Andreas Schneider Date: Wed Jul 3 13:05:51 2024 +0200 gitlab-ci: Also add the git directory for pipeline in the main mirror 
Signed-off-by: Andreas Schneider Reviewed-by: Jo Sutton Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Jul 4 08:08:49 UTC 2024 on atb-devel-224 (cherry picked from commit 93a3dd48d66786cb8765d3ce84ca9f3ad419ac88) --- Summary of changes: .gitlab-ci-main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 1bf4dd0da17..f7dfe890032 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -146,8 +146,7 @@ include: - ccache -z -M 500M - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI -- git config --global --add safe.directory `pwd` -- git config --global --add safe.directory /builds/samba-team/devel/samba/.git +- git config --global --add safe.directory '*' after_script: - mount - df -h -- Samba Shared Repository
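Review bot: `safe.directory '*'` set with `--global` switches off git's ownership check for every repository this user opens, not only the checkout under /builds, and it is written to the user's global config, so it persists beyond the job wherever the runner's home directory is reused. The commit message relies on the CI environment being isolated; that assumption should be stated in the YAML comment above the line, so the wildcard is not copied into bootstrap scripts or developer setups where it does not hold.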
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via f5920ceea32 .gitlab-ci-main.yml: Add safe.directory '*' via 6b0b6d06410 gitlab-ci: Also add the git directory for pipeline in the main mirror from f4604a86fe1 third_party/heimdal: Import lorikeet-heimdal-202407041740 (commit 42ba2a6e5dd1bc14a8b5ada8c9b8ace85956f6a0) https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit f5920ceea328ddf7048b92d71a71adf2c0056670 Author: Pavel Filipenský Date: Thu Jul 4 11:08:03 2024 +0200 .gitlab-ci-main.yml: Add safe.directory '*' This is to fix the error when pushing to personal gitlab repo: 2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba' Cloning into '/builds/samba-testbase/master'... fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git' To add an exception for this directory, call: git config --global --add safe.directory /builds/pfilipen/samba/.git fatal: Could not read from remote repository. Instead of adding more and more explicit repositories we should just allow any, we're in an isolated environment... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224 (cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36) Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Thu Jul 11 11:45:35 UTC 2024 on atb-devel-224 commit 6b0b6d06410086bd72644d0f287c429605ee0367 Author: Andreas Schneider Date: Wed Jul 3 13:05:51 2024 +0200 gitlab-ci: Also add the git directory for pipeline in the main mirror 
Signed-off-by: Andreas Schneider Reviewed-by: Jo Sutton Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Jul 4 08:08:49 UTC 2024 on atb-devel-224 (cherry picked from commit 93a3dd48d66786cb8765d3ce84ca9f3ad419ac88) --- Summary of changes: .gitlab-ci-main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index face2103327..08865ca2c42 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -146,8 +146,7 @@ include: - ccache -z -M 500M - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI -- git config --global --add safe.directory `pwd` -- git config --global --add safe.directory /builds/samba-team/devel/samba/.git +- git config --global --add safe.directory '*' after_script: - mount - df -h -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3a21b7d9a4e .gitlab-ci-main.yml: Add safe.directory '*' from 86843685419 cmdline:burn: list commands to always burn; warn on unknown https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36 Author: Pavel Filipenský Date: Thu Jul 4 11:08:03 2024 +0200 .gitlab-ci-main.yml: Add safe.directory '*' This is to fix the error when pushing to personal gitlab repo: 2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba' Cloning into '/builds/samba-testbase/master'... fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git' To add an exception for this directory, call: git config --global --add safe.directory /builds/pfilipen/samba/.git fatal: Could not read from remote repository. Instead of adding more and more explicit repositories we should just allow any, we're in an isolated environment... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index c70d9a6af41..acca9e0754b 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -146,9 +146,7 @@ include: - ccache -z -M 500M - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI -- git config --global --add safe.directory `pwd` -- git config --global --add safe.directory /builds/samba-team/devel/samba/.git -- git config --global --add safe.directory /builds/samba-team/samba/.git +- git config --global --add safe.directory '*' after_script: - mount - df -h -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via fee232dd9cf third_party: Update socket_wrapper to version 1.4.3 via 9308c3aad44 third_party: Update uid_wrapper to version 1.3.1 via 4180ff4e97b gitlab-ci: Set git safe.directory for devel repo via 374c5ed2f51 bootstrap: Fix building CentOS 8 Stream container images via 8d2c6462442 bootstrap: Set git safe.directory via 179168442a4 bootstrap: Fix runner tags via 0702547d303 [v4-19-only] selftest: support for MIT krb5 1.21 via e5d3231f205 selftest: Allow MIT Krb5 1.21 to still start to fl2000dc via 0c14b0c9533 .gitlab-ci: Allow ext4 jobs to run on shared runners via 37414481259 .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel from 6107f663046 Fix starvation of pending writes in CTDB queues https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit fee232dd9cf80c74edb57e5e65e6cb3a39d9e574 Author: Andreas Schneider Date: Thu Jun 13 07:47:26 2024 +0200 third_party: Update socket_wrapper to version 1.4.3 This fixes issues with bind compiled with jemalloc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224 (cherry picked from commit 8ae180e1678fc8565b8074d4886f7d3676a0f950) Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Tue Jul 9 14:24:35 UTC 2024 on atb-devel-224 commit 9308c3aad449ff25c80f354554443b80b035f579 Author: Andreas Schneider Date: Thu Jun 13 07:41:41 2024 +0200 third_party: Update uid_wrapper to version 1.3.1 This fixes issues with bind compiled with jemalloc. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f88e60644e76c6310088934439f9c0da0f63905f) commit 4180ff4e97b6280adf2082c0eaf4df7205ca6464 Author: Andreas Schneider Date: Fri Jun 7 16:20:10 2024 +0200 gitlab-ci: Set git safe.directory for devel repo BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 54fed589cca245c716492bcc78b574c30378b19c) commit 374c5ed2f5139da2feb0b38c2c94795f147dbdb6 Author: Andreas Schneider Date: Mon Jun 10 15:28:30 2024 +0200 bootstrap: Fix building CentOS 8 Stream container images BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f3af6e860800d0f837cdf6c2d16d1cd12feb08df) commit 8d2c64624426ba5e1bcfb97067a43596cae334ce Author: Andreas Schneider Date: Thu Jun 6 16:10:14 2024 +0200 bootstrap: Set git safe.directory BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit d00e9482a50b5a756f4847cde977c40c80e179c5) commit 179168442a4690090e8de87907337eb371a345be Author: Andreas Schneider Date: Thu Jun 6 14:41:02 2024 +0200 bootstrap: Fix runner tags See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 84fb5cc8451c0af354850f39ae6debf388849ebb) commit 0702547d3034e22f3505948f8b45a09d0ae1e082 Author: Stefan Metzmacher Date: Wed Jul 3 09:55:26 2024 +0200 [v4-19-only] selftest: support for MIT krb5 1.21 This copes with the differences between MIT 1.20 and 1.21 during gitlab pipeline selftest. We need this because Fedora 38 upgraded from 1.20.1 to 1.21. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Stefan Metzmacher commit e5d3231f20511edeba542ee1e24d15056d46056c Author: Andrew Bartlett Date: Tue Jul 18 14:50:55 2023 +1200 selftest: Allow MIT Krb5 1.21 to still start to fl2000dc This is the simplest way to keep this test environment alive. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton (cherry picked from commit 4ae3e9b208d4badee5765eddd832b258e84665b2) commit 0c14b0c95335ad303edea47f081cc842ff8af09b Author: Andrew Bartlett Date: Wed Sep 6 09:37:19 2023 +1200 .gitlab-ci: Allow ext4 jobs to run on shared runners At the time of this commit, GitLab shared runners tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher (cherry p
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2e0c693f78a Revert "pidl: Use non-existent function dissect_ndr_int64()" from 2aca5cfbfa4 smbd: correctly restore ENOENT if fstatfs() modifies it https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2e0c693f78ad3741ac4ed4c21f1faa5d5a72d54a Author: John Thacker Date: Sat Jun 22 07:08:27 2024 -0400 Revert "pidl: Use non-existent function dissect_ndr_int64()" This reverts commit a836b433ed7f0acca546558d2aec359155999f30. Wireshark's NDR dissector dissects both signed and unsigned types of the same size and alignment with the same functions, e.g. see the handling of "udlong" and "dlong." It is passing the FT_UINT64 vs FT_INT64 field type enum value that determines at the last moment whether a value is cast to signed. dissect_ndr_uint64() already has the proper behavior for 8-byte aligned signed 64 bit integers, and a dissect_ndr_int64() function will not need to be introduced. Signed-off-by: John Thacker Reviewed-by: Douglas Bagnall Reviewed-by: Jo Sutton Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 3 14:19:04 UTC 2024 on atb-devel-224 --- Summary of changes: pidl/lib/Parse/Pidl/Wireshark/NDR.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm index 05ef8b78554..44d81dbabe2 100644 --- a/pidl/lib/Parse/Pidl/Wireshark/NDR.pm +++ b/pidl/lib/Parse/Pidl/Wireshark/NDR.pm 
@@ -1105,7 +1105,7 @@ sub Initialize($$) $self->register_type("uint3264", "offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT32", "BASE_DEC", 0, "NULL", 8); $self->register_type("hyper", "offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT64", "BASE_DEC", 0, "NULL", 8); - $self->register_type("int64", "offset = dissect_ndr_int64(tvb, offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_INT64", "BASE_DEC", 0, "NULL", 8); + $self->register_type("int64", "offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_INT64", "BASE_DEC", 0, "NULL", 8); $self->register_type("udlong", "offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep, \@HF\@, NULL);", "FT_UINT64", "BASE_DEC", 0, "NULL", 4); $self->register_type("bool8", "offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, di, drep, \@HF\@, \@PARAM\@);","FT_INT8", "BASE_DEC", 0, "NULL", 1); $self->register_type("char", "offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, di, drep, \@HF\@, \@PARAM\@);","FT_INT8", "BASE_DEC", 0, "NULL", 1); -- Samba Shared Repository
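Review bot: the restored "int64" entry pairs dissect_ndr_uint64() with FT_INT64, which reads like a copy-paste slip and has already been "corrected" once (a836b433ed7f) into a call to a function that does not exist. Add a one-line comment above this register_type("int64", ...) call stating that the FT_INT64 field type, not the dissector function name, selects signed handling, as the commit message explains for "udlong" and "dlong", so the next reader does not repeat that change.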
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2aca5cfbfa4 smbd: correctly restore ENOENT if fstatfs() modifies it from 95420715881 pidl:Wireshark Fix the type of array of pointerse to hf_ values https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2aca5cfbfa45d2fcf00688388688812445123f3f Author: Stefan Metzmacher Date: Wed Jul 3 10:58:33 2024 +0200 smbd: correctly restore ENOENT if fstatfs() modifies it Review with: git show -U5 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 3 11:41:12 UTC 2024 on atb-devel-224 --- Summary of changes: source3/smbd/open.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/open.c b/source3/smbd/open.c index 0c101c19b46..7999b3f082e 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1190,10 +1190,8 @@ static NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, struct statfs sbuf = {}; int ret = fstatfs(old_fd, ); if (ret == -1) { - int saved_errno = errno; DBG_ERR("fstatfs failed: %s\n", strerror(errno)); - errno = saved_errno; } else if (sbuf.f_type == AUTOFS_SUPER_MAGIC) { /* * When reopening an as-yet @@ -1203,6 +1201,8 @@ static NTSTATUS reopen_from_fsp(struct files_struct *dirfsp, */ goto namebased_open; } + /* restore ENOENT if changed in the meantime */ + errno = ENOENT; } #endif status = map_nt_error_from_unix(errno); -- Samba Shared Repository
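Review bot: the added "errno = ENOENT;" at the end of the block is unconditional, so it is only correct if this block can be reached with errno == ENOENT and nothing else; that guard lies outside the context shown here, which is presumably why the commit message asks for -U5. Either extend the comment to name the enclosing condition that guarantees ENOENT, or capture errno on entry to the block and restore the captured value, so that map_nt_error_from_unix(errno) stays right if the condition is ever widened. With saved_errno removed, DBG_ERR() is also free to clobber errno, which is harmless only because of this later reset.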
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via fecc211af0e BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs from 6875787d129 VERSION: Bump version up to Samba 4.19.8... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit fecc211af0edc2f7d6a553df7a07317a2cfe27f6 Author: Stefan Metzmacher Date: Thu Jun 13 15:31:48 2024 +0200 BUG 15569 ldb: add missing ABI/pyldb-util-2.8.1.sigs This should have been in commit: 6ca4df6374136d1d205de689618dc8fce5177d14 Signed-off-by: Stefan Metzmacher Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Wed Jul 3 08:36:32 UTC 2024 on atb-devel-224 --- Summary of changes: lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} | 0 1 file changed, 0 insertions(+), 0 deletions(-) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.8.1.sigs} (100%) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.8.1.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.8.1.sigs -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5b40cdf6e88 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts via eeb60574b6b auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]() via c715ac5e496 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper via db2c576f329 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos via cda8beea453 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos via 53b72ea4d25 vfs_recycle: remember resolved config->repository in vfs_recycle_connect() via c229a84b449 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()" via 2175856fef1 vfs_recycle: fix memory hierarchy via b38241da3dd vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA() via cf7a6b521ac vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal() via 220b0e977e2 vfs_recycle: directly allocate smb_fname_final->base_name via 691564f6ca7 vfs_recycle: don't unlink on allocation failure via 6467c47cbe5 TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal() via 2916b6096e1 test_recycle.sh: make sure we don't see panics on the log files from 462b74da79c vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a Author: Stefan Metzmacher Date: Tue Jun 18 20:28:25 2024 +0200 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts We only turn desired into off in the NT4 domain member case. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224 commit eeb60574b6bf1a5209b85a8af843b93300550ba7 Author: Stefan Metzmacher Date: Tue Jun 18 19:02:05 2024 +0200 auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit c715ac5e496ddde119212d3b880ff0e68c2da67b Author: Stefan Metzmacher Date: Tue Jun 18 18:53:48 2024 +0200 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit db2c576f329675e8d66e19c336fe04ccba918b4a Author: Stefan Metzmacher Date: Tue Jun 18 19:34:30 2024 +0200 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos This shows that they are ignored for machine accounts as domain member. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit cda8beea45303a77080c64bb2391d22c59672deb Author: Stefan Metzmacher Date: Tue Jun 18 19:11:09 2024 +0200 testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 53b72ea4d25d4aa6cf8de1c7555456d4cc03b809 Author: Stefan Metzmacher Date: Fri Jun 14 10:07:02 2024 +0200 vfs_recycle: remember resolved config->repository in vfs_recycle_connect() This should not change during the lifetime of the tcon. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659 Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke Reviewed-by: Noel Power Reviewed-by: Volker Lendecke commit c229a84b449b8ba326ee0f6f702d91f101b99ee4 Author: Stefan Metzmacher Date: Tue Jun 18 14:18:17 2024 +0200 Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()" This was only added to demonstrate the problem more reliably. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659 Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke Reviewed-by: Noel Power Reviewed-by: Volker Lendecke commit 2175856fef17964cef7cf8618b39736168219eec Author: Stefan Metzmacher Date: Fri Jun 14 10:07:02 2024 +0200 vfs_recycle: fix memory hierarchy If the configuration is reloaded, strings and string lists in recycle_config_data could become stale pointers, leading to segmentation faults... BUG: https://bu
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 462b74da79c vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send via 372476aeb00 s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644 from 35f6c3f3d4a ctdb/docs: Include ceph rados namespace support in man page https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 462b74da79c51f9ba6dbd24e603aa904485d5123 Author: Stefan Metzmacher Date: Mon Jun 17 10:41:53 2024 +0200 vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send before vfswrap_offload_read_send. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664 Signed-off-by: Stefan Metzmacher Reviewed-by: Noel Power Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224 commit 372476aeb003e9c608cd2c0a78a9c577b57ba8f4 Author: Stefan Metzmacher Date: Mon Jun 17 11:18:07 2024 +0200 s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664 Signed-off-by: Stefan Metzmacher Reviewed-by: Noel Power --- Summary of changes: source3/modules/vfs_default.c | 6 source4/torture/smb2/ioctl.c | 64 +++ 2 files changed, 70 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c index 48b5dd9e39f..e0ebc7bd1a2 100644 --- a/source3/modules/vfs_default.c +++ b/source3/modules/vfs_default.c @@ -2148,6 +2148,12 @@ static struct tevent_req *vfswrap_offload_write_send( .remaining = to_copy, }; + status = vfs_offload_token_ctx_init(handle->conn->sconn->client, + _offload_ctx); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } + tevent_req_set_cleanup_fn(req, vfswrap_offload_write_cleanup); switch (fsctl) { 
diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index 3765dc0c1bd..beceaa5c551 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c @@ -7388,6 +7388,68 @@ static bool test_ioctl_bug14788_NETWORK_INTERFACE(struct torture_context *tortur return true; } +/* + * basic regression test for BUG 15664 + * https://bugzilla.samba.org/show_bug.cgi?id=15664 + */ +static bool test_ioctl_copy_chunk_bug15644(struct torture_context *torture, + struct smb2_tree *tree) +{ + struct smb2_handle dest_h; + NTSTATUS status; + union smb_ioctl ioctl; + TALLOC_CTX *tmp_ctx = talloc_new(tree); + struct srv_copychunk chunk; + struct srv_copychunk_copy cc_copy; + enum ndr_err_code ndr_ret; + bool ok; + + ok = test_setup_create_fill(torture, + tree, + tmp_ctx, + FNAME2, + _h, + 0, + SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "dest file create fill"); + + ZERO_STRUCT(ioctl); + ioctl.smb2.level = RAW_IOCTL_SMB2; + ioctl.smb2.in.file.handle = dest_h; + ioctl.smb2.in.function = FSCTL_SRV_COPYCHUNK; + ioctl.smb2.in.max_output_response = sizeof(struct srv_copychunk_rsp); + ioctl.smb2.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL; + + ZERO_STRUCT(chunk); + ZERO_STRUCT(cc_copy); + /* overwrite the resume key with a bogus value */ + memcpy(cc_copy.source_key, "deadbeefdeadbeefdeadbeef", 24); + cc_copy.chunk_count = 1; + cc_copy.chunks = + cc_copy.chunks[0].source_off = 0; + cc_copy.chunks[0].target_off = 0; + cc_copy.chunks[0].length = 4096; + + ndr_ret = ndr_push_struct_blob(, tmp_ctx, + _copy, + (ndr_push_flags_fn_t)ndr_push_srv_copychunk_copy); + torture_assert_ndr_success(torture, ndr_ret, + "ndr_push_srv_copychunk_copy"); + + /* Server 2k12 returns NT_STATUS_OBJECT_NAME_NOT_FOUND */ + status = smb2_ioctl(tree, tmp_ctx, ); + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_OBJECT_NAME_NOT_FOUND, + "FSCTL_SRV_COPYCHUNK"); + + status = smb2_util_close(tree, dest_h); + torture_assert_ntstatus_ok
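Review bot: in the source3/modules/vfs_default.c hunk, the new vfs_offload_token_ctx_init() call in vfswrap_offload_write_send() carries no comment, and the reason for it exists only in the commit message: a client may send FSCTL_SRV_COPYCHUNK[_WRITE] without FSCTL_SRV_REQUEST_RESUME_KEY, so this function can run before vfswrap_offload_read_send(). Put a short comment above the call stating that ordering assumption, otherwise the call looks redundant next to the one in the read path.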
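Review bot: in the source4/torture/smb2/ioctl.c hunk, the test is named test_ioctl_copy_chunk_bug15644 (and the commit subject registers it as smb2.ioctl.copy_chunk_bug15644), while the comment directly above it and the BUG: tag both refer to bug 15664. Rename the function and the test to bug15664 so that a search for the bug number finds the regression test.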
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 8b8fef4c9c8 third_party: Update socket_wrapper to version 1.4.3 via 87ac580b40f third_party: Update uid_wrapper to version 1.3.1 via e5293b114b1 gitlab-ci: Set git safe.directory for devel repo via 95c59655141 bootstrap: Fix building CentOS 8 Stream container images via 7edef3c7fb1 bootstrap: Set git safe.directory via e8dc4bb0edf bootstrap: Fix runner tags from e57e35908d5 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 8b8fef4c9c8d517e40cb860eebb32f8781c43358 Author: Andreas Schneider Date: Thu Jun 13 07:47:26 2024 +0200 third_party: Update socket_wrapper to version 1.4.3 This fixes issues with bind compiled with jemalloc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224 (cherry picked from commit 8ae180e1678fc8565b8074d4886f7d3676a0f950) Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Fri Jun 14 12:17:55 UTC 2024 on atb-devel-224 commit 87ac580b40f3205576f06233cedb967b53a63638 Author: Andreas Schneider Date: Thu Jun 13 07:41:41 2024 +0200 third_party: Update uid_wrapper to version 1.3.1 This fixes issues with bind compiled with jemalloc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f88e60644e76c6310088934439f9c0da0f63905f) commit e5293b114b15d1b20a665eca610c357bd08f21e7 Author: Andreas Schneider Date: Fri Jun 7 16:20:10 2024 +0200 gitlab-ci: Set git safe.directory for devel repo BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 
Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 54fed589cca245c716492bcc78b574c30378b19c) commit 95c596551411eacd7de8057a62b61b7d17e97467 Author: Andreas Schneider Date: Mon Jun 10 15:28:30 2024 +0200 bootstrap: Fix building CentOS 8 Stream container images BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit f3af6e860800d0f837cdf6c2d16d1cd12feb08df) commit 7edef3c7fb136e7bb6dbd4d4e47a4d4add0d0dfd Author: Andreas Schneider Date: Thu Jun 6 16:10:14 2024 +0200 bootstrap: Set git safe.directory BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit d00e9482a50b5a756f4847cde977c40c80e179c5) commit e8dc4bb0edfcb7b6622bf236aafe2a8e05290ee9 Author: Andreas Schneider Date: Thu Jun 6 14:41:02 2024 +0200 bootstrap: Fix runner tags See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 84fb5cc8451c0af354850f39ae6debf388849ebb) --- Summary of changes: .gitlab-ci-main.yml | 3 +- bootstrap/.gitlab-ci.yml| 6 +-- bootstrap/config.py | 3 ++ bootstrap/generated-dists/centos8s/bootstrap.sh | 3 ++ bootstrap/sha1sum.txt | 2 +- buildtools/wafsamba/samba_third_party.py| 4 +- third_party/socket_wrapper/socket_wrapper.c | 45 ++- third_party/socket_wrapper/wscript | 3 +- third_party/uid_wrapper/uid_wrapper.c | 58 - third_party/uid_wrapper/wscript | 4 +- 10 files changed, 118 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 26cf07d6fce..face2103327 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 9a406973474a7903fe7fd6215226660911ed73c0 + SAMBA_CI_CONTAINER_TAG: b078783e082ead539940faaa644567bf4ed67f67 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -147,6 +147,7 @@ include: - ccache -s # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI - git config --global --add safe.directory `pwd` +- git config --global --add
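Review bot: in the variables hunk of .gitlab-ci-main.yml, SAMBA_CI_CONTAINER_TAG is a hand-copied value that, per the comment above it, must equal the contents of bootstrap/sha1sum.txt. The summary lists bootstrap/sha1sum.txt as changed, but its hunk falls outside the truncated changeset, so the match cannot be checked from this mail; confirm that b078783e082ead539940faaa644567bf4ed67f67 is the value produced by bootstrap/template.py --render before this lands, since a mismatch makes the pipeline use a container image that does not correspond to the bootstrap scripts in the tree.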
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 9d80c928b01 s4:nbt_server: simulate nmbd and provide unexpected handling via 6a673a35ea0 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs via 82f73dc2312 s4:libcli/dgram: make use of socket_address_copy() via 40fe6480d0d s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages via cf37f9f5272 libcli/nbt: add nbt_name_send_raw() via b440c11ea0f s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL via b0c2389c886 s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}() via 234df77ae0a s3:libsmb/unexpected: don't use talloc_tos() in async code via 2f73d251e0c s3:wscript: LIBNMB requires lp_ functions via 27e4297f4c7 s3:include: split out fstring.h via 260d1bbacf8 s3:include: let nameserv.h be useable on its own via 4257e3b8fef s3:libads: avoid changing ADS->server.workgroup via ba361b11d2e s3:libsmb: allow store_cldap_reply() to work with a ipv6 response via 0d0fbf2bb86 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() via 2954489bd56 s3:utils: let smbstatus report anonymous signing/encryption explicitly via 9530c418a38 s3:smbd: allow anonymous encryption after one authenticated session setup via 610e11af858 s3:utils: let smbstatus also report partial tcon signing/encryption via 6fbf5deb559 s3:utils: let smbstatus also report AES-256 encryption types for tcons via c547e0c0ff7 s3:utils: let connections_forall_read() report if the session was authenticated via fe91ed785ed s3:lib: let sessionid_traverse_read() report if the session was authenticated via 716a0443c9f s3:utils: remove unused signing_flags in connections_forall() via cd05e7ed937 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} via b945f645732 s4:libcli/smb2: add hack to test anonymous signing and encryption via b7606714959 smbXcli_base: add hacks to test anonymous signing and encryption via dfcbd88504d tests/ntacls: 
unblock failing gitlab pipelines because test_setntacl_forcenative via 1b21c09d513 .gitlab-ci-main.yml: debug kernel details of the current runner via d5638013962 .gitlab-ci: Remove tags no longer provided by gitlab.com from 9b6bc91254c VERSION: Bump version up to Samba 4.20.2... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 9d80c928b0196839035c0272c0945aad8a3b461a Author: Stefan Metzmacher Date: Wed Feb 14 12:34:48 2024 +0100 s4:nbt_server: simulate nmbd and provide unexpected handling This is needed in order to let nbt_getdc() work against another AD DC and get back a modern response with DNS based names. Instead of falling back to the ugly name_status_find() that simulates just an NETLOGON_SAM_LOGON_RESPONSE_NT40 response. This way dsgetdcname() can work with just the netbios domain name given and still return an active directory response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 796f33c05a0ca337b675b5d4d127f7c53b22528f) Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Thu May 30 10:57:04 UTC 2024 on atb-devel-224 commit 6a673a35ea0a5d79526b96ed462cd7d0d916abbb Author: Stefan Metzmacher Date: Wed Feb 14 13:49:21 2024 +0100 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1) commit 82f73dc23127c033346604fdfc94d5bf94295375 Author: Stefan Metzmacher Date: Thu Feb 15 17:47:45 2024 +0100 s4:libcli/dgram: make use of socket_address_copy() This avoids talloc_reference... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 77f4f1c7dbaa2bb04d59d908923f6d11fd514da2) commit 40fe6480d0d4c0dc00b05e8c52b234243c4e652b Author: Stefan Metzmacher Date: Thu Feb 15 16:42:16 2024 +0100 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit 11861bcfc3054894bc445e631ae03befb4865db8) commit cf37f9f527269ac2d76577dc0df53f1d369f1817 Author: Stefan Metzmacher Date: Thu Feb 15 17:47:13 2024 +0100 libcli/nbt: add nbt_name_send_raw()
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via fab04efa325 s3:libads: avoid changing ADS->server.workgroup via b6253028b30 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response via 3b922dd5759 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() via 92a0533a9ea s3:utils: let smbstatus report anonymous signing/encryption explicitly via 45b9b63283d s3:smbd: allow anonymous encryption after one authenticated session setup via 1925abda4c4 s3:utils: let smbstatus also report partial tcon signing/encryption via 70969d8da5a s3:utils: let smbstatus also report AES-256 encryption types for tcons via 8cc6ccb54a3 s3:utils: let connections_forall_read() report if the session was authenticated via 8b6b837eb7d s3:lib: let sessionid_traverse_read() report if the session was authenticated via c9c83fb691f s3:utils: remove unused signing_flags in connections_forall() via a6c549db3d8 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} via 3f476fd8bf3 s4:libcli/smb2: add hack to test anonymous signing and encryption via 7a75e6bdaf0 smbXcli_base: add hacks to test anonymous signing and encryption via 98adde991bf tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative via 11edf47d3c3 .gitlab-ci-main.yml: debug kernel details of the current runner via 5502aa893cc .gitlab-ci: Remove tags no longer provided by gitlab.com from b00c09bee3b s3:utils: Fix Inherit-Only flag being automatically propagated to children https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit fab04efa32564a47191c775d1b51362bf0c5658a Author: Stefan Metzmacher Date: Fri Oct 15 03:34:11 2021 +0200 s3:libads: avoid changing ADS->server.workgroup ads_find_dc() uses c_domain = ads->server.workgroup and doesn't expect it to get out of scope deep in resolve_and_ping_dns(). The result is corrupted domain values in the debug output.
Valgrind shows this:

Invalid read of size 1
   at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
   by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
   by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
   by 0x5D2ED3F: dbgtext (debug.c:1881)
   by 0x4BFFB50: ads_find_dc (ldap.c:570)
   by 0x4C001F4: ads_connect (ldap.c:704)
   by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
 Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
   at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x4BFF0AF: ads_try_connect (ldap.c:299)
   by 0x4BFF40E: cldap_ping_list (ldap.c:367)
   by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
   by 0x4BFFA91: ads_find_dc (ldap.c:556)
   by 0x4C001F4: ads_connect (ldap.c:704)
   by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
 Block was alloc'd at
   at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x60B250E: strdup (strdup.c:42)
   by 0x4FF1492: smb_xstrdup (util.c:743)
   by 0x4C10E62: ads_init (ads_struct.c:148)
   by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit ca859e55d28f421196bc2660cfa84595ec5b57c6) Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Wed May 29 19:25:10 UTC 2024 on atb-devel-224 commit b6253028b303f4bd59b399e43417c7b050969363 Author: Stefan Metzmacher Date: Tue May 7 14:53:24 2024 + s3:libsmb: allow store_cldap_reply() to work with a ipv6 response BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 (cherry picked from commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2) commit 3b922dd575919fd08c2b98249691ea11cb7ffe56 Author: Stefan Metzmacher Date:
Tue Feb 6 21:09:58 2024 +0100 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() I have customer backtraces showing that 'drsuapi' is NULL in dreplsrv_op_pull_source_get_changes_trigger() called from the WERR_DS_DRA_SCHEMA_MISMATCH retry case of dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was a valid pointer there. From reading the code I don't understand how this can happen, but it does very often on RODCs. And this fix prevents the problem.
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5a54c9b28ab s3:utils: let smbstatus report anonymous signing/encryption explicitly via f3ddfb828e6 s3:smbd: allow anonymous encryption after one authenticated session setup via 551756abd2c s3:utils: let smbstatus also report partial tcon signing/encryption via 8119fd6d6a4 s3:utils: let smbstatus also report AES-256 encryption types for tcons via 5089d855064 s3:utils: let connections_forall_read() report if the session was authenticated via 596a10d1079 s3:lib: let sessionid_traverse_read() report if the session was authenticated via a9f84593f44 s3:utils: remove unused signing_flags in connections_forall() via 6c5781b5f15 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}} via 6a89615d781 s4:libcli/smb2: add hack to test anonymous signing and encryption via 14d6e267212 smbXcli_base: add hacks to test anonymous signing and encryption from d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5a54c9b28abb1464c84cb4be15a49718d8ae6795 Author: Stefan Metzmacher Date: Mon Jul 3 15:14:38 2023 +0200 s3:utils: let smbstatus report anonymous signing/encryption explicitly We should mark sessions/tcons with anonymous encryption or signing in a special way, as the value of it is void, all based on a session key with 16 zero bytes. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224 commit f3ddfb828e66738ca461c3284c423defb774547c Author: Stefan Metzmacher Date: Fri Jun 30 18:05:51 2023 +0200 s3:smbd: allow anonymous encryption after one authenticated session setup I have captures where a client tries smb3 encryption on an anonymous session, we used to allow that before commit da7dcc443f45d07d9963df9daae458fbdd991a47 was released with samba-4.15.0rc1. Testing against Windows Server 2022 revealed that anonymous signing is always allowed (with the session key derived from 16 zero bytes) and anonymous encryption is allowed after one authenticated session setup on the tcp connection. https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 551756abd2c9e4922075bc3037db645355542363 Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report partial tcon signing/encryption We already do that for sessions and also for the json output, but it was missing in the non-json output for tcons. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 8119fd6d6a49b869bd9e8ff653b500e194b070de Author: Stefan Metzmacher Date: Mon Jul 3 15:12:38 2023 +0200 s3:utils: let smbstatus also report AES-256 encryption types for tcons We already do that for sessions. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 5089d8550640f72b1e0373f8ac321378ccaa8bd5 Author: Stefan Metzmacher Date: Mon Jul 3 15:10:08 2023 +0200 s3:utils: let connections_forall_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 596a10d1079f5c4a954108c81efc862c22a11f28 Author: Stefan Metzmacher Date: Mon Jul 3 15:08:31 2023 +0200 s3:lib: let sessionid_traverse_read() report if the session was authenticated BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit a9f84593f44f15a19c4cdde1e7ad53cd5e03b4d9 Author: Stefan Metzmacher Date: Mon Jul 3 15:05:59 2023 +0200 s3:utils: remove unused signing_flags in connections_forall() We never use the signing flags from the session, as the tcon has its own signing flags. https://bugzilla.samba.org/show_bug.cgi?id=15412 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Günther Deschner commit 6c5781b5f154857f1454f41133687fba8c4c9df9 Author: Stefan Metzmacher Date: Wed May 15 10:02:00 2024 +0200 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2
[SCM] Samba Shared Repository - branch master updated
a97abd545e s3:libads: we only need to gensec_expire_time()... via ce1ad21ce63 s3:libads: remove unused ads->auth.renewable via fcd47a49660 s3:winbindd: remove useless 'renewable' argument to ads_cached_connection_connect() via bb8b7be74a7 s3:libads: let ads_sasl_spnego_bind() really use spnego to negotiate krb5/ntlmssp via 1474f9c5de3 testprogs/blackbox: add better testnames in test_weak_disable_ntlmssp_ldap.sh via cff7656e665 s3:net_ads: make use of ads_connect_cldap_only() and ADS_AUTH_GENERATE_KRB5_CONFIG in net_ads_password() via f024063aec9 s3:winbindd: make use of ads_connect_cldap_only() in dcip_check_name_ads() via e8250f16240 s3:net_ads: make use of ads_connect_cldap_only() in net_ads_check_int() via fdd34b57c41 s3:libsmb: make use of ads_connect_cldap_only() via f34e64baf6c s3:libads: add ads_connect_cldap_only() helper via 36748002f01 s3:libads: also avoid ADS_AUTH_GENERATE_KRB5_CONFIG for ADS_AUTH_ANON_BIND via 9ea1ea16290 s3:libads: add ADS_AUTH_GENERATE_KRB5_CONFIG to generate a custom krb5.conf via b3110ec049b s3:libads: split out ads_connect_internal() and call it with ads_legacy_creds() via be771670eb3 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_unparsed_name() via 4d42574c542 s3:libads: let ads_sasl_spnego_bind() reset krb5_state at the end via f7ab92ea7e0 s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state() via b98f9a341f4 s3:libads: split out ads_legacy_creds() via 6f33e46c19f s3:libads: remove unused LIBADS_CCACHE_NAME define via a70c62a78e4 s3:libads: make use of talloc_stackframe() in ads_setup_tls_wrapping() via d26e4c6e272 s3:libsmb: remove unused cli_session_creds_prepare_krb5() via ef205f6b52e s3:gse: get an explicit ccache_name from creds and kinit if required via 98ee5ca7e83 s3:gse: Pass down the mech to gse_context_init() via bc2a2399e52 s3:gse: Implement gensec_gse_security_by_oid() via 2ec3e59f58b s3:gse: Use smb_gss_mech_import_cred() in gse_init_server() via ca90f213a27 lib:krb5_wrap: 
Implement smb_gss_mech_import_cred() via 2fd2d28b8fe s3:libsmb: fix lpcfg_gensec_settings() no memory check in auth_generic_client_prepare() via fb7e19826af s3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password via 2dc76cc84c1 s3:ntlm_auth: explicitly include default krb5 ccache if no explicit username/password are given via 52715b461a8 tests/ntlm_auth: Do not set a client_password via a6b94a690b5 tests/ntlm_auth_krb5: don't test that a krb5ccache work with an explicit username via 3ea605d8af2 blackbox/test_kinit.sh: verify that --use-krb5-ccache= works without KRB5CCNAME via e47f9415b77 s3:libads: don't allow ads_kdestroy(NULL) anymore via 4959f932279 s3:winbindd: don't use ads_kdestroy(NULL) in winbindd_raw_kerberos_login() from 712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1ca6fb563b0bf25b36a2961754d94cc54d3d9292 Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 lib/replace: make sure krb5_cc_default[_name]() is no longer used directly Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue May 14 11:22:28 UTC 2024 on atb-devel-224 commit afcd53b8d09c8cdba0e23980567920e399ff62f5 Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 auth/credentials_krb5: let cli_credentials_set_ccache() use smb_force_krb5_cc_default() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit a5d46f69d12dde94caac5a7472157205081f6e0e Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 auth/credentials_krb5: use system/{gssapi,kerberos}.h Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 845a2aae6f0d9efc1913e85e91f8f52e92e6b211 Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 smbspool: let kerberos_ccache_is_valid() use smb_force_krb5_cc_default_name() Signed-off-by: Stefan 
Metzmacher Reviewed-by: Andreas Schneider commit 4514fb5f43988f080e55a3a9278dfce75876d475 Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 smbspool_krb5_wrapper: let kerberos_get_default_ccache() use smb_force_krb5_cc_default_name() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit a8da9de9f4ac37b6bb9fb95aa8b2767251188cbb Author: Stefan Metzmacher Date: Sat May 11 02:38:21 2024 +0200 smbspool_krb5_wrapper: remove unused includes Signed-off-by: Stefan Metzmache
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com from 87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos' https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d58a72c572f63619111f43f6ea39ff84ae0df16e Author: Andrew Bartlett Date: Tue May 7 22:32:08 2024 +1200 .gitlab-ci: Remove tags no longer provided by gitlab.com GitLab.com removed a number of tags from their hosted runners and this meant our CI was being redirected to our private runners at a larger cost to the Samba Team. The new infrastructure is much larger than when we last selected runners so we can just use the default, even for the code coverage build. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15638 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue May 7 13:40:55 UTC 2024 on atb-devel-224 --- Summary of changes: .gitlab-ci-coverage-runners.yml | 8 +--- .gitlab-ci-default-runners.yml | 44 +++-- 2 files changed, 12 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-coverage-runners.yml b/.gitlab-ci-coverage-runners.yml index 0f6b2ec1581..331c5d2399c 100644 --- a/.gitlab-ci-coverage-runners.yml +++ b/.gitlab-ci-coverage-runners.yml @@ -1,10 +1,4 @@ include: - /.gitlab-ci-default-runners.yml -.shared_runner_test: - # We need the more powerful n1-standard-2 runners - # in order to handle the lcov overhead. - # - # See .gitlab-ci-default-runners.yml for more details - tags: -- gitlab-org-docker +# Currently we're happy with the defaults diff --git a/.gitlab-ci-default-runners.yml b/.gitlab-ci-default-runners.yml index f73f868d39c..bdc504aff21 100644 --- a/.gitlab-ci-default-runners.yml +++ b/.gitlab-ci-default-runners.yml 
@@ -1,48 +1,26 @@ -# From https://docs.gitlab.com/ee/user/gitlab_com/#shared-runners: +# From https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html # # ... # -# All your CI/CD jobs run on n1-standard-1 instances with 3.75GB of RAM, CoreOS -# and the latest Docker Engine installed. Instances provide 1 vCPU and 25GB of -# HDD disk space. The default region of the VMs is US East1. Each instance is -# used only for one job, this ensures any sensitive data left on the system can’t -# be accessed by other people their CI jobs. -# -# The gitlab-shared-runners-manager-X.gitlab.com fleet of runners are dedicated -# for GitLab projects as well as community forks of them. They use a slightly -# larger machine type (n1-standard-2) and have a bigger SSD disk size. They don’t -# run untagged jobs and unlike the general fleet of shared runners, the instances -# are re-used up to 40 times. -# -# ... -# -# The n1-standard-1 runners seem to be tagged with 'docker' together with 'gce'. -# -# The more powerful n1-standard-2 runners seem to be tagged with -# 'gitlab-org-docker' or some with just 'gitlab-org'. -# +# Runner Tag vCPUs Memory Storage +# saas-linux-small-amd64 2 8 GB 25 GB # # Our current private runner 'docker', 'samba-ci-private', 'shared' and # 'ubuntu2204'. It runs with an ubuntu2204 kernel (5.15) and provides an -# ext4 filesystem and similar RAM as the n1-standard-2 runners. +# ext4 filesystem, 2 CPU and 4 GB (shared tag) 8G (samba-ci-private tag) RAM. # .shared_runner_build: - # We use n1-standard-1 shared runners by default. - # - # There are currently 5 shared runners with 'docker' and 'gce', - # while there are only 2 provising 'docker' together with 'shared'. + # We use saas-linux-small-amd64 shared runners by default. 
+ # We avoid adding explicit tags for them in order + # to work with potential changes in future # - # We used to fallback to our private runner if the docker+shared runners - # were busy, but now that we use the 5 docker+gce runners, we try to only - # use shared runners without a fallback to our private runner! - # Lets see how that will work out. - tags: -- docker -- gce + # In order to generate valid yaml, we define a dummy variable... + variables: +SAMBA_SHARED_RUNNER_BUILD_DUMMY_VARIABLE: shared_runner_build .shared_runner_test: - # Currently we're fine using the n1-standard-1 runners also for testing + # We use saas-linux-small-amd64 shared runners by default. extends: .shared_runner_build .private_runner_test: -- Samba Shared Repository
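Review bot: with the "tags:" list dropped from .shared_runner_build in .gitlab-ci-default-runners.yml, these jobs become untagged, so where they run depends on which runners accept untagged jobs and no longer on anything in this file. The commit message says the goal is to stop CI from landing on the private runner, so the comment block should state that the private runner ('docker', 'samba-ci-private', 'shared', 'ubuntu2204') is expected not to pick up untagged jobs; otherwise the fallback this change removes can return without any edit here. Minor: the RAM figures in the same comment read "4 GB (shared tag) 8G (samba-ci-private tag)"; use one unit spelling and a separator between the two values.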
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 87e31f88f28 s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos' via e6c693b7056 s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache via 147565232dc s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac() via 16a5279e291 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache() via 176c55efb20 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache() via 5d385ab691f auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache() via 92bebeb58ef auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap() via 21b96f010a4 lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache() via 48bcc218c98 lib/krb5_wrap: add smb_krb5_cc_new_unique_memory() via e3f97f35b18 s3:gse: don't call krb5_cc_resolve() as server via 6ced3c6af22 s3:gse: avoid prompting for a password that we don't use in the end via ce05fe3b718 s3:gse: make use of gensec_kerberos_possible() via 4dd2468d5bc s4:gensec_gssapi: make use of gensec_kerberos_possible() via a3c87bf4404 auth/gensec: add gensec_get_unparsed_target_principal() helper via 996fd13949b auth/gensec: add gensec_kerberos_possible() helper via 1275e77933f s3:client: avoid cli_credentials_get_password() to check for a specified password via b9cf6c8dd4d auth:creds: Add test for cli_credentials_get_username_obtained() via f9afd24c907 auth/credentials: add cli_credentials_get_username_obtained() via 7f0aff46825 auth:creds: Add test for cli_credentials_get_password_obtained() via c14366cce45 auth/credentials: add cli_credentials_get_password_obtained() via a85f1b6facd lib/cmdline: skip the password prompt if we have a valid krb5 ccache via c7d3946659f auth/credentials: add cli_credentials_get_ccache_name_obtained() via 4723d695608 auth:creds: Add test for cli_credentials_get_principal_obtained() via 
1e5546748cd auth/credentials: add cli_credentials_get_principal_obtained() from 5edd1e7c3ee smbd: Implement FSCTL_DELETE_REPARSE_POINT https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 87e31f88f28210dc6b7033182435f55204098368 Author: Stefan Metzmacher Date: Thu Mar 7 15:31:39 2024 +0100 s3:libsmb: let cli_session_creds_init() keep the value from 'client use kerberos' Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue May 7 12:33:29 UTC 2024 on atb-devel-224 commit e6c693b705686a590d2fa8f434ff015d8926a349 Author: Stefan Metzmacher Date: Wed Feb 28 17:28:43 2024 +0100 s3:winbindd: pass a NULL ccache to kerberos_return_pac() for a MEMORY ccache It means kerberos_return_pac() will use smb_krb5_cc_new_unique_memory(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 147565232dc7cc3127e09268000723c5a3eea62b Author: Stefan Metzmacher Date: Wed Feb 28 17:27:39 2024 +0100 s3:libads: use smb_krb5_cc_new_unique_memory() in kerberos_return_pac() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 16a5279e2918e7348f1695629bf3fa61c9007424 Author: Stefan Metzmacher Date: Tue Feb 27 16:38:42 2024 +0100 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_new_ccache() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 176c55efb202f1f218c6c4ddf69d2d357488e25f Author: Stefan Metzmacher Date: Tue Feb 27 16:21:02 2024 +0100 auth/credentials: use smb_krb5_cc_new_unique_memory() in cli_credentials_shallow_ccache() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 5d385ab691f21bdd4524c41560c7f53653cf179d Author: Stefan Metzmacher Date: Tue Feb 27 16:19:58 2024 +0100 auth/credentials: use smb_krb5_cc_new_unique_memory() in smb_gss_krb5_copy_ccache() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 92bebeb58ef5ab91937d29640bf7a3c7929518ca Author: Stefan Metzmacher 
Date: Tue Feb 27 15:49:09 2024 +0100 auth/credentials: use smb_krb5_cc_new_unique_memory() in krb5_cc_remove_cred_wrap() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 21b96f010a4f9472a03aca5f4c1ed5a658530f52 Author: Stefan Metzmacher Date: Tue Feb 27 15:47:15 2024 +0100 lib/krb5_wrap: make use of smb_krb5_cc_new_unique_memory() in smb_krb5_kinit_s4u2_ccache() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 48bcc218c980e9478e2a3479e889766e6ca7f1dd
Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)
On 03.05.24 at 23:24, Linus Torvalds wrote:
> On Fri, 3 May 2024 at 14:11, Al Viro wrote:
>> What we need is
>> * promise that ep_item_poll() won't happen after eventpoll_release_file(). AFAICS, we do have that.
>> * ->poll() not playing silly buggers.
>
> No. That is not enough at all. Because even with perfectly normal "->poll()", and even with the ep_item_poll() happening *before* eventpoll_release_file(), you have this trivial race:
>
>   ep_item_poll() ->poll()
>
> and *between* those two operations, another CPU does "close()", and that causes eventpoll_release_file() to be called, and now f_count goes down to zero while ->poll() is running.
>
> So you do need to increment the file count around the ->poll() call, I feel.
>
> Or, alternatively, you'd need to serialize with eventpoll_release_file(), but that would need to be some sleeping lock held over the ->poll() call.
>
>> As it is, dma_buf ->poll() is very suspicious regardless of that mess - it can grab reference to file for unspecified interval.
>
> I think that's actually much preferable to what epoll does, which is to keep using files without having reference counts to them (and then relying on magically not racing with eventpoll_release_file().

I think it's a very important detail that epoll does not take real references. Otherwise an application level 'close()' on a socket would not trigger a tcp disconnect, when an fd is still registered with epoll.

I noticed that some parts of Samba currently rely on this when I tried to convert tevent from epoll to IORING_OP_POLL_ADD (which takes a longer term reference).

And I guess there will be other applications also relying on the current epoll behavior. That a closed fs automatically removes itself from epoll.

A short term reference just around ->poll() might be fine, but please no reference via EPOLL_CTL_ADD. Changing that can cause security problems in user space.

I haven't followed all details of this thread, please ignore me if that's all clear already :-)

Thanks!
metze
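The behaviour this message depends on, shown as an added example that is not part of the thread and is neither Samba nor kernel code: with only the application's fd, close() drops the epoll registration and the peer sees a disconnect, while a second reference to the open file keeps both alive. Assumptions: Linux; an AF_UNIX socketpair stands in for the TCP connection so the program runs offline; dup() stands in for a longer-term reference to the file; run_case() and struct close_result are names made up for this example.

```c
/* Added example: what close() does to an epoll registration, with and
 * without a second reference to the same open file. Linux only. */
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

struct close_result {
	int ready_before_close; /* epoll_wait() count while the fd is open */
	int ready_after_close;  /* epoll_wait() count after close(fd) */
	int peer_saw_eof;       /* 1 if the peer's recv() returned 0 */
	int stale_fd_reported;  /* 1 if epoll reported the closed fd number */
};

/*
 * hold_extra_ref == 0: the application's fd is the only reference.
 * hold_extra_ref == 1: dup() keeps a second reference alive. This is a
 * user-space stand-in (an assumption of this example) for anything that
 * pins the open file for longer than the application's own fd.
 * Returns 0 on success, -1 if a system call failed.
 */
static int run_case(int hold_extra_ref, struct close_result *r)
{
	int sv[2] = { -1, -1 };
	int epfd = -1, extra = -1, rc = -1, closed_fd;
	struct epoll_event ev = { .events = EPOLLOUT };
	struct epoll_event got = { 0 };
	ssize_t n;
	char c;

	*r = (struct close_result){ 0 };
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
		return -1;
	epfd = epoll_create1(0);
	if (epfd < 0)
		goto done;

	/* A connected socket with an empty send queue is writable, so an
	 * EPOLLOUT registration is ready whenever it still exists. */
	ev.data.fd = sv[0];
	if (epoll_ctl(epfd, EPOLL_CTL_ADD, sv[0], &ev) != 0)
		goto done;
	if (hold_extra_ref && (extra = dup(sv[0])) < 0)
		goto done;

	r->ready_before_close = epoll_wait(epfd, &got, 1, 0);

	/* The application considers the connection finished. */
	closed_fd = sv[0];
	close(sv[0]);
	sv[0] = -1;

	/* Is the registration still there, reporting a dead fd number? */
	r->ready_after_close = epoll_wait(epfd, &got, 1, 0);
	r->stale_fd_reported =
		(r->ready_after_close == 1 && got.data.fd == closed_fd);

	/* Did the peer get a disconnect? 0 bytes means EOF; an error
	 * (EAGAIN) means the connection is still open on the other side. */
	n = recv(sv[1], &c, 1, MSG_DONTWAIT);
	r->peer_saw_eof = (n == 0);
	rc = 0;
done:
	if (extra >= 0)
		close(extra);
	if (sv[0] >= 0)
		close(sv[0]);
	if (sv[1] >= 0)
		close(sv[1]);
	if (epfd >= 0)
		close(epfd);
	return rc;
}

int main(void)
{
	struct close_result r;
	int pinned;

	for (pinned = 0; pinned <= 1; pinned++) {
		if (run_case(pinned, &r) != 0) {
			perror("run_case");
			return 1;
		}
		printf("extra reference=%d: ready before=%d after=%d "
		       "peer EOF=%d stale fd reported=%d\n",
		       pinned, r.ready_before_close, r.ready_after_close,
		       r.peer_saw_eof, r.stale_fd_reported);
	}
	return 0;
}
```

In the second case the application has called close(), yet the peer is never told and the event loop keeps receiving events for an fd number that may be reused for a different file.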
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via daf6d371f36 s3:rpc_client: implement bind time feature negotiation via 713a8022573 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context via 6548ccb31bf s3:rpc_client: pass struct rpc_pipe_client to check_bind_response() via 0cc0970d359 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags() from 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit daf6d371f3639cbd64f9ac9f8a3be5b7d37393a7 Author: Stefan Metzmacher Date: Fri Apr 19 01:22:17 2024 +0200 s3:rpc_client: implement bind time feature negotiation This is not strictly needed as we don't use any of the optional features yet. But it will make it easier to add bind time features we'll actually use later. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224 commit 713a8022573a1b917422d888e4bb901539d20a91 Author: Stefan Metzmacher Date: Fri Apr 19 01:17:46 2024 +0200 s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE. It's also not needed to require a single array element. We already checked above that we have at least one. The next patch will all bind time feature negotiation and that means we'll have 2 array elements... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6548ccb31bfefdfa5d4ddd14ced900c64a68224e Author: Stefan Metzmacher Date: Fri Apr 19 01:15:52 2024 +0200 s3:rpc_client: pass struct rpc_pipe_client to check_bind_response() This prepares adding bind time feature negotiation in the next commits. 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0cc0970d359f6521b1621c87149291c597f4b0d6 Author: Stefan Metzmacher Date: Tue Oct 13 15:43:05 2015 +0200 dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags() dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: librpc/rpc/dcesrv_reply.c | 2 -- source3/rpc_client/cli_pipe.c | 49 +++-- source3/rpc_client/rpc_client.h | 7 ++ 3 files changed, 44 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c index 6d605168176..4890169c98b 100644 --- a/librpc/rpc/dcesrv_reply.c +++ b/librpc/rpc/dcesrv_reply.c @@ -130,8 +130,6 @@ NTSTATUS dcesrv_fault_with_flags(struct dcesrv_call_state *call, return status; } - dcerpc_set_frag_length(>blob, rep->blob.length); - DLIST_ADD_END(call->replies, rep); dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index b4289e9d35d..cf551f6f548 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
@@ -1130,17 +1130,28 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx, { uint16_t auth_len = auth_info->length; NTSTATUS status; - struct dcerpc_ctx_list ctx_list = { - .context_id = 0, - .num_transfer_syntaxes = 1, - .abstract_syntax = *abstract, - .transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer), + struct ndr_syntax_id bind_time_features = dcerpc_construct_bind_time_features( + DCERPC_BIND_TIME_SECURITY_CONTEXT_MULTIPLEXING | + DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN); + struct dcerpc_ctx_list ctx_list[2] = { + [0] = { + .context_id = 0, + .num_transfer_syntaxes = 1, + .abstract_syntax = *abstract, + .transfer_syntaxes = (struct ndr_syntax_id *)discard_const(transfer), + }, + [1] = { + .context_id = 1, + .num_transfer_syntaxes = 1, + .abstract_syntax = *abstract, + .transfer_syntaxes = _time_features, + }, }; union dcerpc_payload u = { .bind.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN, .bind.max_recv_frag = RPC_MAX_
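Review bot: in create_bind_or_alt_ctx_internal() the second element, ctx_list[1], is built unconditionally, and the function name says this helper also produces alter context requests. The commit message describes bind time feature negotiation, so please either limit the extra context to the bind case or add a comment stating that sending it on alter context is intended; the visible part of the hunk does not show which applies. A one-line comment on why [1] reuses '*abstract' as its abstract syntax while the requested features travel in the transfer syntax built by dcerpc_construct_bind_time_features() would also help the next reader.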
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2674df4cc0e s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed via aff2932c420 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... via 0ba9e5dacbb lib/cmdline: only call cli_credentials_get_password_and_obtained if needed via 994e12e8f7a lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST via e2170431f1d s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() via 5af5bf26457 auth/credentials: don't call talloc_free(ccache_name) on callers memory via d221f930efc auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() via 126357e2e73 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime via e58f83d3958 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings via e6f92edba69 s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND from c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2674df4cc0e124d74eb9d764c29a07c9c84b94d6 Author: Stefan Metzmacher Date: Thu Apr 14 15:36:51 2022 +0200 s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed Only legacy protocols need a password for share level authentication, so avoid triggering the password prompt for the common case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224 commit aff2932c420fd102c077063b8d1f66cdd8a777cb Author: Stefan Metzmacher Date: Fri Mar 8 14:14:34 2024 +0100 python/samba/getopt: don't prompt for a password for --use-krb5-ccache=... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 0ba9e5dacbb4e5bf94600e0a4a1cbd9f7a9c5d9e Author: Stefan Metzmacher Date: Thu Apr 14 13:31:20 2022 +0200 lib/cmdline: only call cli_credentials_get_password_and_obtained if needed BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 994e12e8f7a6b089342a32a6c3269048bfef1545 Author: Stefan Metzmacher Date: Thu Apr 14 13:30:56 2022 +0200 lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e2170431f1d4a6f4ce7e3e6949282d5bc60b5d08 Author: Stefan Metzmacher Date: Thu Mar 7 00:11:26 2024 +0100 s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 5af5bf264571b732b5236e6db2061b523e603c05 Author: Stefan Metzmacher Date: Tue Feb 27 16:22:14 2024 +0100 auth/credentials: don't call talloc_free(ccache_name) on callers memory The internally allocated ccache_name has ccc as parent, so we don't need to cleanup explicitly. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit d221f930efcff09a9b5dc18c5dfb6475ade1312a Author: Stefan Metzmacher Date: Tue Feb 27 16:07:22 2024 +0100 auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy() A simple krb5_cc_close() doesn't remove it from the global memory list. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit 126357e2e7302eb219fda80e3cfbef3da02c1d6d Author: Stefan Metzmacher Date: Fri Mar 8 11:39:35 2024 +0100 lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime If the ccache doesn't have a intial TGT the shortest lifetime of service tickets should be returned. 
This is needed in order to work with special ccaches used for things like S2U4Self/S4U2Proxy tickets or other things where the caller only wants to pass a single service ticket. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e58f83d3958d7b6a16d7d75a7a266cead4befb48 Author: Stefan Metzmacher Date: Wed Apr 3 16:00:41 2024 +0200 s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider commit e6f92edba690923ec8ef427bc6d5b30d609c129a Author: Stefan Metzmacher Date: Wed Apr 3 16:35:35 2024 +0200 s3:notify: don't log
Re: [cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster #Q6- TrackingID#2311070040010094
Hello Sreekanth and others, currently I don't have time to follow up on all other questions, but this one is actually important. I would hope that you might forward to the product team. As it would be extremely useful if windows clients could be changed in order to avoid logging Event ID: 30900 and Event ID: 30613 for each open if the server announces SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY but not SMB2_GLOBAL_CAP_PERSISTENT_HANDLES. See below for the details. I think in that situation a single log event after a tree connect would be useful as warning, but doing that on every single open (as all opens will downgrade a requested persistent handle to a durable handle) is complete overkill. This will likely make windows client customers very unhappy if they connect to Samba 4.20 based fileserver clusters. Thanks for any possible help. metze below is the answer to your question #6. Let me know your thoughts. Thanks for the response! Please note that section 3.2.4.3.5 did not say MUST. It only uses SHOULD. Also, the wording of the section does NOT imply that when requesting durable handle, one cannot request handle caching if TreeConnect.IsCAShare is FALSE. And in fact I have captures showing that Windows server 2022 acting as a client requests with the SMB2_DHANDLE_FLAG_PERSISTENT and also an RHW leaveV2. A client can request both Persistence and Lease (with handle caching enabled). Protocol(or windows) server does not deny granting both persistence and lease, when the requirements are met. > Protocol says that in order to request durable open, client should either set SMB2_DHANDLE_FLAG_PERSISTENT bit in the Flags field of Durable_V2 create context or request for handle caching with Lease create context. If the share is a CA share (in a Failover Cluster configuration), client can request for handle persistency by setting SMB2_DHANDLE_FLAG_PERSISTENT bit which provides transparent failover. 
Please look at the doc snip from section 3.3.5.9.10, where both TreeConnect.Share.IsCA (SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY) and SMB2_GLOBAL_CAP_PERSISTENT_HANDLES are required in order to set Open.IsPersistent to TRUE. This is a server requirement though. Yes, the server is clear how our server will behave, but that case is never possible on a windows server (which always implements both features). On the client side, it is imperative that CA shares will require persistence handles to work with. In other words, for the server to grant persistent handle on an open, client must set SMB2_GLOBAL_CAP_PERSISTENT_HANDLES. In the "Successful Open Initialization" phase, if the underlying object store does not grant durability, the server MUST skip the rest of the processing in this section. Otherwise, the server MUST set Open.IsDurable to TRUE. The server MUST also set Open.DurableOwner to a security descriptor accessible only by the user represented by Open.Session.SecurityContext. If the SMB2_DHANDLE_FLAG_PERSISTENT bit is set in the Flags field of the request, TreeConnect.Share.IsCA is TRUE, and Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_PERSISTENT_HANDLES, the server MUST set Open.IsPersistent to TRUE. Yes, that's clear. But it means the client will spam its event log (SMBClient->Operational) with messages like this for every single open: Log Name: Microsoft-Windows-SMBClient/Operational Source: Microsoft-Windows-SMBClient Date: 22.12.2023 13:41:18 Event ID: 30900 Task Category: None Level: Warning Keywords: (16) User: W2022-L7\Administrator Computer: w2022-118.w2022-l7.base Description: The handle was created without persistence. File ID: 0xB90243FF:0x5367F848 CreateGUID: {80c941d9-a0bd-11ee-81fc-00090118} Path: \ubcluster.w2022-l7.base\shm Guidance: The server supports Continuous Availability (persistent handles) and the request to create the handle succeeded. However, the server did not grant persistence. 
You should verify that the Resume Key Filter is running on the server and is attached to the target volume. Event Xml: http://schemas.microsoft.com/win/2004/08/events/event;> 30900 2 3 0 0 0x2010 335 Microsoft-Windows-SMBClient/Operational w2022-118.w2022-l7.base 0xb68432192080 3103933439 1399322696 {80c941d9-a0bd-11ee-81fc-00090118} 3 0 0 0 28 \ubcluster.w2022-l7.base\shm 0 0 0 And/or: Log Name: Microsoft-Windows-SMBClient/Operational Source: Microsoft-Windows-SMBClient Date: 22.12.2023 18:28:09 Event ID: 30613 Task Category: None Level: Error Keywords: (16) User: W2022-L7\Administrator Computer: w2022-118.w2022-l7.base Description: Failed to open a persistent handle. Error: The network path cannot be located. FileId: 0x:0x CreateGUID:
Re: [cifs-protocol] [EXTERNAL] Re: [MS-KILE] PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 - TrackingID#2404100040000280
On 12.04.24 at 19:59, Jeff McCashland (He/him) via cifs-protocol wrote:
> Hi Andrew,
>
> Also, our security updates team would like to talk with you about the changes. Do you have some availability next week to meet? Teams or Zoom?

I'd like to participate...

metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed' via 72a4d3ad5a9 s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages via ca859e55d28 s3:libads: avoid changing ADS->server.workgroup via 796f33c05a0 s4:nbt_server: simulate nmbd and provide unexpected handling via bfb10774b65 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs via 77f4f1c7dba s4:libcli/dgram: make use of socket_address_copy() via 11861bcfc30 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages via cca373b806e libcli/nbt: add nbt_name_send_raw() via 2b3c75c s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL via 696505a1efb s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}() via f90cf0822d6 s3:libsmb/unexpected: don't use talloc_tos() in async code via 011f68ae5dd s3:wscript: LIBNMB requires lp_ functions via 105247c9000 s3:include: split out fstring.h via 7f96c21029e s3:include: let nameserv.h be useable on its own from f8b72aa1f72 tests: Add a test for "all_groups=no" to test_idmap_ad.sh https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 814ae222ca15ff7093a71639cdcc97b9937670ce Author: Stefan Metzmacher Date: Fri Jan 26 09:25:11 2024 +0100 s3:winbindd: use better debug messages than 'talloc_strdup failed' Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224 commit 72a4d3ad5a9d1ea5cd0b2a940893727f0283879a Author: Stefan Metzmacher Date: Fri Jan 26 09:21:03 2024 +0100 s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages Otherwise it's completely unclear where the messages come from Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit ca859e55d28f421196bc2660cfa84595ec5b57c6 Author: Stefan Metzmacher Date: Fri Oct 15 03:34:11 2021 +0200 s3:libads: avoid changing 
ADS->server.workgroup ads_find_dc() uses c_domain = ads->server.workgroup and don't expect it to get out of scope deep in resolve_and_ping_dns(). The result are corrupted domain values in the debug output. Valgrind shows this: Invalid read of size 1 at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688) by 0x609ED49: __vasprintf_internal (vasprintf.c:57) by 0x5D2EC0F: __dbgtext_va (debug.c:1860) by 0x5D2ED3F: dbgtext (debug.c:1881) by 0x4BFFB50: ads_find_dc (ldap.c:570) by 0x4C001F4: ads_connect (ldap.c:704) by 0x4C1DC12: ads_dc_name (namequery_dc.c:84) Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4BFF0AF: ads_try_connect (ldap.c:299) by 0x4BFF40E: cldap_ping_list (ldap.c:367) by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468) by 0x4BFFA91: ads_find_dc (ldap.c:556) by 0x4C001F4: ads_connect (ldap.c:704) by 0x4C1DC12: ads_dc_name (namequery_dc.c:84) Block was alloc'd at at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x60B250E: strdup (strdup.c:42) by 0x4FF1492: smb_xstrdup (util.c:743) by 0x4C10E62: ads_init (ads_struct.c:148) by 0x4C1DB68: ads_dc_name (namequery_dc.c:73) BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 796f33c05a0ca337b675b5d4d127f7c53b22528f Author: Stefan Metzmacher Date: Wed Feb 14 12:34:48 2024 +0100 s4:nbt_server: simulate nmbd and provide unexpected handling This is needed in order to let nbt_getdc() work against another AD DC and get back a modern response with DNS based names. Instead of falling back to the ugly name_status_find() that simulates just an NETLOGON_SAM_LOGON_RESPONSE_NT40 response. 
This way dsgetdcname() can work with just the netbios domain name given and still return an active directory response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit bfb10774b65af65f9c438a5d3e87529b1fcf46a1 Author: Stefan Metzmacher Date: Wed Feb 14 13:49:21 2024 +0100 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620 Signed-off-by
[SCM] Samba Shared Repository - branch v4-20-test updated
The branch, v4-20-test has been updated via 99b6feac932 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options from 69b69bb2085 libgpo: Do not segfault if we don't have a valid security descriptor https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test - Log - commit 99b6feac9326673d0ce0d01172f8180c1f2232e7 Author: Stefan Metzmacher Date: Fri Mar 15 23:17:36 2024 +0100 WHATSNEW: announce Service Witness Protocol [MS-SWN] and related options Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner Autobuild-User(v4-20-test): Stefan Metzmacher Autobuild-Date(v4-20-test): Tue Mar 19 13:30:31 UTC 2024 on atb-devel-224 --- Summary of changes: WHATSNEW.txt | 68 +++- 1 file changed, 67 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index dd80f116a10..9385a05f99e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -191,6 +191,68 @@ The Security Descriptor Definition Language has extensions for conditional ACEs and resource attribute ACEs; these are now supported by Samba. +Service Witness Protocol [MS-SWN] +- + +In a ctdb cluster it is now possible to provide +the SMB witness service that allows clients to +monitor their current smb connection to cluster +node A by asking cluster node B to notify the +client if the ip address from node A or the +whole node A becomes unavailable. + +For disk shares in a ctdb cluster +SMB2_SHARE_CAP_SCALEOUT is now always returned +for SMB3 tree connect responses. + +If the witness service is active +SMB2_SHARE_CAP_CLUSTER is now also returned. + +In order to activate the witness service +"rpc start on demand helpers = no" needs to +be configured in the global section. +At the same time the 'samba-dcerpcd' service +needs to be started explicitly, typically +with the '--libexec-rpcds' option in order +to make all available services usable. +One important aspect is that tcp ports +135 (for the endpoint mapper) and various +ports in the 'rpc server dynamic port range' +will be used to provide the witness service +(rpcd_witness). + +ctdb provides a '47.samba-dcerpcd.script' in order +to manage the samba-dcerpcd.service. +Typically as systemd service, but that's up +to the packager and/or admin. + +Please note that current windows client +requires SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +in addition to SMB2_SHARE_CAP_CLUSTER in order +to make use of the witness service. +But SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY implies +the windows clients always ask for persistent handle +(which are not implemented in samba yet), so +that every open generates a warning in the +windows smb client event log. +That's why SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY +is not returned by default. +An explicit 'smb3 share cap:CONTINUOUS AVAILABILITY = yes' +is needed. 
+ +There are also new 'net witness' commands in order +to let the admin list active client registrations +or ask specific clients to move their smb connection +to another cluster node. These are available: + + net witness list + net witness client-move + net witness share-move + net witness force-unregister + net witness force-response + +Consult 'man net' or 'net witness help' for further details. + REMOVED FEATURES @@ -210,8 +272,12 @@ smb.conf changes Parameter Name Description Default -- --- --- - smb3 unix extensionsPer share - acl claims evaluation new AD DC only + smb3 unix extensionsPer share - + smb3 share cap:ASYMMETRIC new no + smb3 share cap:CLUSTER new see 'man smb.conf' + smb3 share cap:CONTINUOUS AVAILABILITY new no + smb3 share cap:SCALE OUTnew see 'man smb.conf' CHANGES SINCE 4.20.0rc3 -- Samba Shared Repository
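Review bot: In the first hunk, the paragraph on activating the witness service says tcp port 135 and ports in the 'rpc server dynamic port range' "will be used" but gives admins nothing to act on. Suggest adding that these ports must be reachable from the SMB clients on the cluster nodes providing rpcd_witness, and that firewall rules should be scoped to the configured 'rpc server dynamic port range' rather than opened broadly. The same hunk lists 'net witness force-unregister' and 'net witness force-response' next to the list and move commands with no hint of their purpose; a one-line qualifier per command would help, since 'man net' is the only pointer given.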
Re: [cifs-protocol] MS-SWM Q9b - CLIENT_MOVE_NOTIFICATION is ignored if the address list includes the ip that was given to Register[Ex]() - TrackingID#2401060040000027
Hi Jeff,

I hope to find the time to collect the required stuff.

In addition to the traces below, could you also upload any Events from the appropriate time range?

> In Event Viewer, navigate to Application and Services Logs > Microsoft > Windows > SMBWitnessSService (from the cluster), and SMBWitnessClient from the client.

But note I was talking about samba being the server and windows server 2022 being the client, so SMBWitnessSService is not relevant. But I'll include SMBClient in addition to SMBWitnessClient from the client.

To help troubleshoot this issue, I would like to collect ETL (t.cab) traces as well as the network capture you offered. Please find attached t.cmd.txt, which can be renamed to t.cmd and copied to any folder on your server.

To collect traces:
1. From an elevated command prompt on the Server, execute the command ‘t.cmd srvon’

Is this really correct as I only have windows as a client not a server.

Thanks!
metze

___
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via  447e131ebf2 smb2_tcon: add "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" options
  via  941f53f0c93 python:tests/rpcd_witness_samba_only: add tests for 'net witness force-response'
  via  946bf100685 s3:utils: add 'net witness force-response'
  via  8a643fea95c python:tests/rpcd_witness_samba_only: add tests for 'net witness force-unregister'
  via  8536a217922 s3:utils: add 'net witness force-unregister'
  via  290ef547d86 python:tests/rpcd_witness_samba_only: add tests for 'net witness {client,share}-move'
  via  df3b5f93390 s3:utils: add 'net witness client-move' and 'net witness share-move'
  via  4fba5bcaad7 s3:rpc_server/witness: add handling of MSG_RPCD_WITNESS_REGISTRATION_UPDATE messages
  via  b722dc74f86 s3:rpcd_witness.idl: add rpcd_witness_registration_updateB message definitions
  via  0744d55be03 messaging.idl: add MSG_RPCD_WITNESS_REGISTRATION_UPDATE
  via  3e70b31f013 python:tests/rpcd_witness_samba_only: add tests for 'net witness list'
  via  46fdeca696e s3:utils: add 'net witness list' command
  via  fcc8e0978b6 s3:rpc_server/witness: let Register[Ex] store rpcd_witness_registration.tdb records
  via  a9829ce6cf3 s3:rpcd_witness.idl: introduce definitions for rpcd_witness_registration.tdb records
  via  b17e090e7c1 python/blackbox: add rpcd_witness_samba_only.py test
  via  b3c51c4b825 python/tests: add TestCase.get_loadparm(s3=True) support
  via  ea1ec424ad0 script/autobuild.py: also pass PYTHONPATH to make test of 'samba-ctdb'
  via  3ede69552ca selftest/Samba: export CTDB_PREFIX in clusteredmember testenv
  via  2f9dfaae448 selftest/Samba3: start samba_dcerpcd in clusteredmember
  via  15b17f1fffc selftest/Samba3: remove unused variable in setup_clusteredmember
  via  bc2a77373a0 selftest/Samba3: get NETBIOSNAME correct for clusteredmember
  via  cb1d711e25a s3:rpc_server/witness: add implementation based on CTDB_SRVID_IPREALLOCATED and ctdbd_all_ip_foreach()
  via  85f30bcf0b6 s3:rpc_server: add basic rpcd_witness template
  via  9083f49e767 s3:ctdbd_conn: add ctdbd_all_ip_foreach() helper
  via  3106709c891 s3:ctdbd_conn: split out ctdbd_control_get_nodemap()
  via  ceda79b6cc0 s3:ctdbd_conn: pass vnn to ctdbd_control_get_public_ips()
  via  f21e3800644 witness.idl: make witness_interfaceList public to that ndr_print works in python
  via  b9bd7e89f28 smbstatus: let --json include session.{creation,expiration,auth}_time
  from fe8d866d2c6 vfs_ceph: Implement SMB_VFS_FSTATAT

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 447e131ebf2b7bb02e7dfbb0ee38c2d656632856
Author: Stefan Metzmacher
Date: Tue Jul 31 08:55:20 2012 +0200

smb2_tcon: add "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}" options

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Jan 26 18:04:10 UTC 2024 on atb-devel-224

commit 941f53f0c937fa75562183e9a4e1c95adf5d9524
Author: Stefan Metzmacher
Date: Mon Jan 22 19:27:03 2024 +0100

python:tests/rpcd_witness_samba_only: add tests for 'net witness force-response'

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner

commit 946bf100685da22cebbc38bcf96139c02ea35921
Author: Stefan Metzmacher
Date: Fri Dec 15 14:49:37 2023 +0100

s3:utils: add 'net witness force-response'

This allows generating any possible AsyncNotify response for the specified selection of witness registrations from rpcd_witness_registration.tdb.

This can be used by developers to test the (windows) client behavior to specific AsyncNotify responses.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner

commit 8a643fea95c2d7d4f6709a10ff798bf3f9e210aa
Author: Stefan Metzmacher
Date: Mon Jan 15 14:20:00 2024 +0100

python:tests/rpcd_witness_samba_only: add tests for 'net witness force-unregister'

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner

commit 8536a217922f7a2c5545b8f87084d08ea955ac61
Author: Stefan Metzmacher
Date: Fri Dec 15 14:49:37 2023 +0100

s3:utils: add 'net witness force-unregister'

This allows removing of the specified selection of witness registrations from rpcd_witness_registration.tdb.

Any pending AsyncNotify will get WERR_NOT_FOUND. Typically this triggers a clean re-registration on the client.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner

commit 290ef547d869100bdea42784b8a8783085eed805
Author: Stefan Metzmacher
Date: Mon Jan 15 14:20:00 2024 +0100

python:tests/rpcd_witness_samba_only: add tests for '
[SCM] Samba Shared Repository - branch master updated
of r->out.domains->array and r->out.domains->count to the end of the function ensures we don't return inconsistent state in case of an error.

Also, r->out.domains is already set by the NDR layer, no need to create and assign a struct netr_DomainTrustList object.

Using talloc_move() ensures we don't leave dangling pointers. Better to crash reliably on accessing NULL, than accessing some unknown memory via a wild pointer. As talloc_move() can't fail, there's no need to check the return value.

And using a struct initializer ensures all members are properly initialized.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224

commit 000bbede59e4ca78427fa57b56fa251d4d779adb
Author: Ralph Boehme
Date: Thu Jan 18 17:42:33 2024 +0100

selftest: test listing trusted domains that includes an NT4 domain

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit 53ca19851dbfc3cab7345424c029a7c90745e24a
Author: Ralph Boehme
Date: Thu Jan 18 19:12:34 2024 +0100

s4/rpc_server: return NULL dns_name for NT4 trusts

That's what Windows returns for an NT4 trust:

array: struct netr_DomainTrust
    netbios_name : *
        netbios_name : 'NT4TRUST'
    dns_name : NULL
    trust_flags : 0x0020 (32)
        0: NETR_TRUST_FLAG_IN_FOREST
        0: NETR_TRUST_FLAG_OUTBOUND
        0: NETR_TRUST_FLAG_TREEROOT
        0: NETR_TRUST_FLAG_PRIMARY
        0: NETR_TRUST_FLAG_NATIVE
        1: NETR_TRUST_FLAG_INBOUND
        0: NETR_TRUST_FLAG_MIT_KRB5
        0: NETR_TRUST_FLAG_AES
    parent_index : 0x (0)
    trust_type : LSA_TRUST_TYPE_DOWNLEVEL (1)
    trust_attributes : 0x (0)
        0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
        0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
        0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
        0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
        0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
        0: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
        0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
        0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
        0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
        0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
    sid : *
        sid : S-1-5-21-4267984555-3675415144-1682400025
    guid : ----

Even though when creating the trust the DNS name must not be NULL and the trustPartner and name attributes are set to the flatName in the trustedDomain object:

dn: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: NT4TRUST
distinguishedName: CN=NT4TRUST,CN=System,DC=wdom2,DC=site
instanceType: 4
whenCreated: 20240118175040.0Z
whenChanged: 20240118175040.0Z
uSNCreated: 4939915
uSNChanged: 4939916
showInAdvancedViewOnly: TRUE
name: NT4TRUST
objectGUID: c2273b74-19ff-4f5a-b528-9e5ae21960dd
securityIdentifier: S-1-5-21-4267984555-3675415144-1682400025
trustDirection: 1
trustPartner: NT4TRUST
trustPosixOffset: 0
trustType: 1
trustAttributes: 0
flatName: NT4TRUST
objectCategory: CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=wdom2,DC=site
isCriticalSystemObject: TRUE
dSCorePropagationData: 1601010100.0Z

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit 3a95e135472a495a90637e5dc0f9e3c8de052ff9
Author: Ralph Boehme
Date: Wed Jan 10 14:50:05 2024 +0100

selftest: add a test for NT4 trusts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit 645a725603ca03f27c1347b1e2ed9fea94a6319d
Author: Ralph Boehme
Date: Sat Jan 13 08:48:54 2024 +0100

selftest: create trust between fl2008r2dc and nt4_dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533
Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher

commit 9725aa932e24622566baf208586d1fe03885da9f
Author: Ralph Boehme
Date: Thu Jan 18 16:04:34 2024 +0100

selftest: rename a variable in setup_fl2008r2dc()

Prepares f
Re: [cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317
Hi Jeff,

We have updated [MS-LSAD] for the next release to address this issue:

2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES

The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure communicates authentication material. The cleartext password data is in the form of a LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16). The following structure corresponds to the TrustedDomainAuthInformationInternalAes information class (section 2.2.7.2).

3.1.4.7.17 LsarCreateTrustedDomainEx3 (Opnum 129)

AuthenticationInformation: A structure containing encrypted LSAPR_TRUSTED_DOMAIN_AUTH_BLOB (section 2.2.7.16) authentication information for the trusted domain. If the length of cbCipher in AuthenticationInformation is less than (512 + IncomingAuthInfoSize + OutgoingAuthInfoSize) the server MUST return STATUS_INVALID_PARAMETER.

Please note that LSAPR_TRUSTED_DOMAIN_AUTH_BLOB is not strictly correct. Maybe it would be useful to define a new separate structure for the content of LSAPR_TRUSTED_DOMAIN_AUTH_BLOB.AuthBlob. As that's what is used in LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES.Cipher

metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via  1b6ef968d83 dcesrv_reply: just drop responses if the connection is already terminating
  via  e829f5d8ec3 dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination
  via  87e37e73a9b witness.idl: add flag(NDR_PAHEX) to some hex based enums
  via  290b0b04ae4 witness.idl: make some types public in order to be used elsewhere
  via  5beef87816d witness.idl: Set cifs as auth service name for the witness interface
  via  78ec47a6674 tdb: fix python/tdbdump.py example
  via  3c73d201d45 examples/scripts: add smbXsrvdump
  via  8e850685a10 smbXsrv.idl: add python bindings
  via  b96ce32f826 smbstatus: let --json dump also session channels
  via  3f92a684abb smbstatus: let --json report the client_guid a session belongs to
  via  c1c326ebccb smbXsrv_session: store session_global->client_guid
  via  88b1c8723b3 s3:sessionid: export smbXsrv_session_global via sessionid->global
  via  d52f7279063 lib/util: let is_zero_addr() return true for AF_UNSPEC
  via  10b084f824f s3:smbd multichannel: improve smbXsrv_connection_dbg()
  via  475784d63e9 s3:smbd multichannel: let a cross-node session binding NT_STATUS_REQUEST_NOT_ACCEPTED
  via  8a3707e3ed9 s3:smbd multichannel: always allow multichannel to the ip of the queried connection
  via  f94d2ed13e6 libcli/security: remove PRIMARY_{USER,GROUP}_SID_INDEX defines from security.h
  via  6331d33ae49 libcli/smb: add new SMB2_SHAREFLAG_ defines in smb2_constants.h
  from f14a7065690 smbd: move access override for previous versions to the SMB layer

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 1b6ef968d8370757cb472a1e3bfe030f8066c50d
Author: Stefan Metzmacher
Date: Fri Nov 24 14:42:35 2023 +0100

dcesrv_reply: just drop responses if the connection is already terminating

There's no reason to waste resources...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Tue Jan 9 11:26:55 UTC 2024 on atb-devel-224

commit e829f5d8ec3a77acb52a22d45e61dcce03762a10
Author: Stefan Metzmacher
Date: Fri Nov 24 14:02:02 2023 +0100

dcesrv_core: add dcesrv_call_state->subreq in order to allow tevent_req_cancel() on termination

Requests might be cancelled if the connection got disconnected, we got an ORPHANED or CO_CANCEL pdu.

But this is all opt-in for the backends to choose.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 87e37e73a9ba13ed92a33a385a387b225b2b9190
Author: Stefan Metzmacher
Date: Fri Dec 29 10:20:02 2023 +0100

witness.idl: add flag(NDR_PAHEX) to some hex based enums

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 290b0b04ae41b835f864bba02b1320693ef199d3
Author: Stefan Metzmacher
Date: Fri Nov 24 16:38:06 2023 +0100

witness.idl: make some types public in order to be used elsewhere

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 5beef87816d103a729508ce88368c30c87b1fa4e
Author: Samuel Cabrero
Date: Wed Oct 21 18:30:29 2020 +0200

witness.idl: Set cifs as auth service name for the witness interface

Windows clients use the 'cifs' service name to bind to the witness interface.

Signed-off-by: Samuel Cabrero
Reviewed-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 78ec47a6674db65d738305cf00861aa711886a43
Author: Stefan Metzmacher
Date: Fri Nov 24 16:28:38 2023 +0100

tdb: fix python/tdbdump.py example

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 3c73d201d454a88135757065a2b238e6d94a1ac9
Author: Ralph Boehme
Date: Sun Jan 28 15:35:44 2018 +0100

examples/scripts: add smbXsrvdump

A simple python tool to dump smbXsrv TDB databases.

Signed-off-by: Ralph Boehme
Reviewed-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit 8e850685a1052a16bea402df3e8057218080c373
Author: Stefan Metzmacher
Date: Fri Nov 24 16:09:58 2023 +0100

smbXsrv.idl: add python bindings

This is useful for some scripting examples and debugging...

Signed-off-by: Stefan Metzmacher
Reviewed-by: Günther Deschner
Reviewed-by: Andreas Schneider

commit b96ce32f826ba03384e6a7535200d7e18354fc4b
Author: Stefan Metzmacher
Date: Fri Dec 15 16:46:50 2023 +0100

smbstatus: let --json dump also session channels

This makes it easier to
[SCM] Samba Shared Repository - branch v4-19-test updated
The branch, v4-19-test has been updated via 50f74d04884 s3:smbd multichannel: always refresh the network information from 8c63b219a26 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-test - Log - commit 50f74d0488438e722eaeb492ae40f07432eb4530 Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds). Consider a scenario: the network information might have changed between these queries, some become link down, new interface is link up, network speed is changed, and etc. So far smbd might not aware of these changes and still report out-of-date network information to windows client, until we manually send a SIGHUP to smbd in order to trigger load_interfaces(): smbd_sig_hup_handler() > reload_services () > load_interfaces() This might be a bit inconvenient because it is hard to decide when should we manually send a SIGHUP to smbd for refreshing network information. This patch adds load_interfaces() at fsctl_network_iface_info(), while smbd received FSCTL_QUERY_NETWORK_INTERFACE_INFO would go through this and refresh local_interfaces, then respond to client with up-to-date network information; also refresh num_ifaces to make sure interfaces count is consistent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15547 
Signed-off-by: Jones Syue Reviewed-by: Stefan Metzmacher Reviewed-by: Björn Jacke (cherry picked from commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb) Autobuild-User(v4-19-test): Stefan Metzmacher Autobuild-Date(v4-19-test): Fri Jan 5 13:47:03 UTC 2024 on atb-devel-224 --- Summary of changes: source3/smbd/smb2_ioctl_network_fs.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c index 5b396855ca6..9ef99dca90f 100644 --- a/source3/smbd/smb2_ioctl_network_fs.c +++ b/source3/smbd/smb2_ioctl_network_fs.c @@ -366,7 +366,7 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, struct fsctl_net_iface_info *first = NULL; struct fsctl_net_iface_info *last = NULL; size_t i; - size_t num_ifaces = iface_count(); + size_t num_ifaces; enum ndr_err_code ndr_err; struct cluster_movable_ips *cluster_movable_ips = NULL; int ret; @@ -375,6 +375,16 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + /* +* The list of probed interfaces might have changed, we might need to +* refresh local_interfaces to get up-to-date network information, and +* respond to clients which sent FSCTL_QUERY_NETWORK_INTERFACE_INFO. +* For example, network speed is changed, interfaces count is changed +* (some link down or link up), and etc. +*/ + load_interfaces(); + num_ifaces = iface_count(); + *out_output = data_blob_null; array = talloc_zero_array(mem_ctx, -- Samba Shared Repository
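Review bot: In the second hunk, load_interfaces() runs unconditionally on every call to fsctl_network_iface_info(), so the cost of re-probing the interfaces is paid per FSCTL_QUERY_NETWORK_INTERFACE_INFO and is driven by how often clients choose to send it, not by the server. The commit message cites a 10 minute interval observed on one client, but nothing in the hunk enforces one. Suggest refreshing only when the last probe is older than a short interval, or extending the comment to say why an unconditional refresh per request is acceptable; as written the comment says "we might need to refresh" while the code always does.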
[SCM] Samba Shared Repository - branch v4-18-test updated
The branch, v4-18-test has been updated via 9f8a73d7cc4 s3:smbd multichannel: always refresh the network information from c2c111688c4 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log - commit 9f8a73d7cc4bc0662aa527b045bc9925b9b4c71a Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds). Consider a scenario: the network information might have changed between these queries, some become link down, new interface is link up, network speed is changed, and etc. So far smbd might not aware of these changes and still report out-of-date network information to windows client, until we manually send a SIGHUP to smbd in order to trigger load_interfaces(): smbd_sig_hup_handler() > reload_services () > load_interfaces() This might be a bit inconvenient because it is hard to decide when should we manually send a SIGHUP to smbd for refreshing network information. This patch adds load_interfaces() at fsctl_network_iface_info(), while smbd received FSCTL_QUERY_NETWORK_INTERFACE_INFO would go through this and refresh local_interfaces, then respond to client with up-to-date network information; also refresh num_ifaces to make sure interfaces count is consistent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15547 
Signed-off-by: Jones Syue Reviewed-by: Stefan Metzmacher Reviewed-by: Björn Jacke (cherry picked from commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb) Autobuild-User(v4-18-test): Stefan Metzmacher Autobuild-Date(v4-18-test): Fri Jan 5 13:46:39 UTC 2024 on atb-devel-224 --- Summary of changes: source3/smbd/smb2_ioctl_network_fs.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/smb2_ioctl_network_fs.c b/source3/smbd/smb2_ioctl_network_fs.c index 5b396855ca6..9ef99dca90f 100644 --- a/source3/smbd/smb2_ioctl_network_fs.c +++ b/source3/smbd/smb2_ioctl_network_fs.c @@ -366,7 +366,7 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, struct fsctl_net_iface_info *first = NULL; struct fsctl_net_iface_info *last = NULL; size_t i; - size_t num_ifaces = iface_count(); + size_t num_ifaces; enum ndr_err_code ndr_err; struct cluster_movable_ips *cluster_movable_ips = NULL; int ret; @@ -375,6 +375,16 @@ static NTSTATUS fsctl_network_iface_info(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } + /* +* The list of probed interfaces might have changed, we might need to +* refresh local_interfaces to get up-to-date network information, and +* respond to clients which sent FSCTL_QUERY_NETWORK_INTERFACE_INFO. +* For example, network speed is changed, interfaces count is changed +* (some link down or link up), and etc. +*/ + load_interfaces(); + num_ifaces = iface_count(); + *out_output = data_blob_null; array = talloc_zero_array(mem_ctx, -- Samba Shared Repository
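Review bot: No test accompanies the new load_interfaces() call in the second hunk: the summary of changes lists only source3/smbd/smb2_ioctl_network_fs.c. Suggest a selftest that changes the interface list and checks the next FSCTL_QUERY_NETWORK_INTERFACE_INFO response, or a line in the commit message on how the refreshed num_ifaces was verified. Minor style point in the added comment: "and etc." should read "etc.".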
Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster
On 11.12.23 at 22:15, Kristian Smith wrote:

Hi Metze,

I'm reaching out with regard to question 10 from your mail below.

-

Question 10:

MS-SWM 3.1.6.1 Server Application Notifies of an Interface Being Enabled or Disabled

The calling application provides the interface group name, IPv4 and/or IPv6 addresses, and state.
...
Then for each entry in the WitnessRegistrationList where WitnessRegistration.NetworkName matches the application-provided interface group name
...

This seems to indicate that there's actually just a single InterfaceGroupName matching the single NetworkName.

-

WitnessRegistration.NetworkName is the NetName provided by the client when registering. InterfaceGroupName is provided by the Server Cluster application.

That's also my understanding. But on a windows 2012 cluster I saw that the interfaceGroupNames in the GetInterfaceList() response are the per node netbios names (something like node0, node1, node2) that hold the related ip address. But the NetworkName in the Register[Ex]() request from the client gets the sofs cluster name, something like "sofs-cluster" or "sofs-cluster.example.com" (which has to match ServerGlobalName (See Question 11).

With that the statement:

Then for each entry in the WitnessRegistrationList where WitnessRegistration.NetworkName matches the application-provided interface group name
...

would never be true and no registration in the list will ever get any notification...

So it seems to be a documentation bug. In my code I'm comparing WitnessRegistration.IpAddress being equal to the ip address of the changed interface.

If there are no current registered witnesses (clients), the Interface.InterfaceGroupName would still exist, but there would be no WitnessRegistration.NetworkName

This check (referenced in your question) compares the server-application-provided InterfaceGroupName (the one that underwent a state change) to those in the list of registered witnesses. This ensures that the client receives a message about the state change.

It would mean on windows that it compares "node0" to match "sofs-cluster.example.com", which can't work.

Please let me know if there are lingering concerns with Question 10 and I'd be happy to dig back in.

Please do :-)

Thanks!
metze
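The two matching rules discussed in the message above, run side by side over a small registration list. This is an added example, not Samba's rpcd_witness code; the demo_* types, client labels, names and documentation-range addresses are constructed, and the address normalisation via inet_pton() is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical, simplified view of one WitnessRegistrationList entry. */
struct demo_registration {
	const char *client;       /* label used for output only */
	const char *network_name; /* NetName passed to Register[Ex]() */
	const char *ip_address;   /* IpAddress passed to Register[Ex]() */
};

/* Interface state change as reported by the cluster application. */
struct demo_iface_event {
	const char *group_name; /* InterfaceGroupName (per node in the thread) */
	const char *ip_address; /* address whose state changed */
};

enum demo_rule { DEMO_BY_GROUP_NAME, DEMO_BY_IP };

/* Constructed sample registrations. */
static const struct demo_registration demo_regs[] = {
	{ "client-a", "sofs-cluster.example.com", "192.0.2.10" },
	{ "client-b", "sofs-cluster", "192.0.2.11" },
	{ "client-c", "SOFS-CLUSTER.example.com", "192.0.2.10" },
	{ "client-d", "sofs-cluster", "2001:db8:0:0:0:0:0:10" },
};
#define DEMO_NUM_REGS (sizeof(demo_regs) / sizeof(demo_regs[0]))

/* Case-insensitive name comparison. */
static int demo_name_equal(const char *a, const char *b)
{
	while (*a != '\0' && *b != '\0') {
		if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
			return 0;
		}
		a++;
		b++;
	}
	return *a == *b;
}

/* Parse IPv4 or IPv6 text; returns the address family or -1. */
static int demo_parse(const char *s, unsigned char out[16])
{
	memset(out, 0, 16);
	if (inet_pton(AF_INET, s, out) == 1) {
		return AF_INET;
	}
	if (inet_pton(AF_INET6, s, out) == 1) {
		return AF_INET6;
	}
	return -1;
}

/* Compare parsed addresses so different spellings of one IPv6 address match. */
static int demo_addr_equal(const char *a, const char *b)
{
	unsigned char x[16], y[16];
	int fx = demo_parse(a, x);
	int fy = demo_parse(b, y);

	return fx != -1 && fx == fy && memcmp(x, y, sizeof(x)) == 0;
}

/* Collect the clients that would be notified under the given rule. */
static size_t demo_notify(const struct demo_iface_event *ev, enum demo_rule rule,
			  const char **notified, size_t max)
{
	size_t i, n = 0;

	for (i = 0; i < DEMO_NUM_REGS; i++) {
		const struct demo_registration *r = &demo_regs[i];
		int hit = (rule == DEMO_BY_GROUP_NAME)
			? demo_name_equal(r->network_name, ev->group_name)
			: demo_addr_equal(r->ip_address, ev->ip_address);

		if (hit && n < max) {
			notified[n++] = r->client;
		}
	}
	return n;
}

int main(void)
{
	const struct demo_iface_event ev = { "node0", "192.0.2.10" };
	const char *hits[DEMO_NUM_REGS];
	size_t i, n;

	n = demo_notify(&ev, DEMO_BY_GROUP_NAME, hits, DEMO_NUM_REGS);
	printf("NetworkName == InterfaceGroupName: %zu notified\n", n);
	n = demo_notify(&ev, DEMO_BY_IP, hits, DEMO_NUM_REGS);
	for (i = 0; i < n; i++) {
		printf("IpAddress == changed address: %s\n", hits[i]);
	}
	return 0;
}
```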
Re: [cifs-protocol] Q.8 Durability without SMB2_GLOBAL_CAP_PERSISTENT_HANDLES- TrackingID#2311070040010257
Hi Sreekanth,

section "3.3.5.9.10 Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context" has following text

If the SMB2_DHANDLE_FLAG_PERSISTENT bit is set in the Flags field of the request, TreeConnect.Share.IsCA is TRUE, and Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_PERSISTENT_HANDLES, the server MUST set Open.IsPersistent to TRUE

We clearly see that establishing durable handle as per sections 3.2.4.28/3.2.4.29 (from Question 8) cannot disregard SMB2_GLOBAL_CAP_PERSISTENT_HANDLES. So it is necessary to have both SMB2_GLOBAL_CAP_PERSISTENT_HANDLES and SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY (which sets .IsCA property of network share)

If you think I misunderstood your question, please clarify.

Question 8: The impact of SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY without SMB2_GLOBAL_CAP_PERSISTENT_HANDLES is a very important part of this.

I guess this related to Question 6. I guess we can close Question 8.

Thanks!
metze
Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster - TrackingID#2311070040010486
Hi Kristian,

With regard to your 11th question (quoted below), I've done code research and the server only compares against one ServerGlobalName, but it does strip the domain of the client-provided cluster netname when making the comparison to the value present on the server. This would make sense why you are able to pass a netname with or without FQDN from the client and get the same result.

Question 11: I'm also wondering if ServerGlobalName is really a single name, as I can the client can use a dns or netbios name of the server!

If I'm misunderstanding your question or if you have any additional concerns regarding question 11, please let me know and I'll be happy to look into it.

Ok, it would be good to have this documented. But it's not possible to have multiple "virtual" clusters or aliases in a Windows cluster?

The answer is not very urgent...

Thanks!
metze
Re: [cifs-protocol] MS-SWN Q9: Section 3.2.4.27-3.2.4.29 seems to actions triggered when the client receives an RESP_ASYNC_NOTIFY - TrackingID#2311070040010334
Hi Jeff,

I didn't see a response to my previous request. It's not clear to us what you are looking for here. Having a single netname for multiple nodes sounds similar to a SOFS configuration. We use DNS to enumerate the IP addresses.

Windows uses witness for the following:

- If networking interface on the server has changed then hint client about that so it can query list of new interfaces sooner than default 10 minutes polling interval.

Do you mean the witness GetInterfaceList() call or the FSCTL_QUERY_NETWORK_INTERFACE_INFO used for smb3 multichannel?

- If cluster node is down then notify client about that so it can disconnect from the downer and connect to some other node, before TCP/IP timeout expires. Would work only if cluster can detect downer faster than TCP/IP timeout.

I'll refer to this below with RESOURCE_CHANGE.

- If cluster has asymmetric storage (one node can process IOs faster than the others) then hint client that it should move to that node. In Windows if Direct IO is possible then storage connectivity is considered symmetrical and we prefer load balancing clients across all cluster nodes. If we are in File System Redirected IO (same blog) then storage connectivity is asymmetrical and client is advised to move to the node that has file system mounted to avoid double hop.

I'll refer to this below with CLIENT_MOVE_NOTIFICATION.

All notifications are advisory. Could you clarify your expectations for the doc and tell us more about what you're trying to accomplish?

I'll try...

This is in regards to your question:

Question 9: Section 3.2.4.27-3.2.4.29 seems to actions triggered when the client receives an RESP_ASYNC_NOTIFY, but there's no specification on how the individual witness registrations handle specific notification events. E.g. based on the different possibilities for RESOURCE_CHANGE.ResourceName

So far I found this in my testing:

A RESOURCE_CHANGE message with WITNESS_RESOURCE_STATE_UNAVAILABLE will trigger a reconnect, but the RESOURCE_CHANGE.name content is completely ignored, currently I'm sending the ip address string that's no longer available, it's mainly in order to make it easier to read wireshark traces or logs. It could also be "SoME RandOM-StriNg!!!".

A RESOURCE_CHANGE message with WITNESS_RESOURCE_STATE_AVAILABLE also doesn't have any notable effect.

I think this should be documented somewhere. If needed I can create network captures for it.

Is a CLIENT_MOVE_NOTIFICATION a better choice when using a single InterfaceGroupName for all nodes?

The line/question above is no longer useful, as I found how to get the client react on RESOURCE_CHANGE with WITNESS_RESOURCE_STATE_UNAVAILABLE.

But by testing I found that a CLIENT_MOVE_NOTIFICATION is ignored if the list of ip addresses if the also contains the ip address that was given to the Register[Ex]() call. I have only tested the case where all ip addresses have IPADDR_ONLINE set, but I haven't tested if it's needed or what happens with IPADDR_OFFLINE or when the given ip address if not part of the set that is resolved by dns and/or isn't available.

I think this should be documented somewhere. If needed I can create network captures for it.

I'm ready to file document change requests to explain the processing, but I don't fully understand your example question.

I hope the above makes it clearer.

Resource Change notifications are used when resources such as disks change status

The point is that as noted above it seems RESOURCE_CHANGE.name seems to be completely ignored.

while Client Move notifications are used when a node has gone down and the client needs to move to another node.

Yes, I found what I needed, but these details should be documented somewhere in order to let server implementers know how to drive a windows client to a desired/expected behavior.

They aren't interchangeable. Could you clarify your question?

I got it thanks!
metze
Re: [cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster #Q6- TrackingID#2311070040010094
Hello Sreekanth, below is the answer to your question #6. Let me know your thoughts. Thanks for the response! Please note that section 3.2.4.3.5 did not say MUST. It only uses SHOULD. Also, the wording of the section does NOT imply that when requesting durable handle, one cannot request handle caching if TreeConnect.IsCAShare is FALSE. And in fact I have captures showing that Windows server 2022 acting as a client requests with the SMB2_DHANDLE_FLAG_PERSISTENT and also an RHW leaseV2. A client can request both Persistence and Lease (with handle caching enabled). Protocol (or windows) server does not deny granting both persistence and lease, when the requirements are met. > Protocol says that in order to request durable open, client should either set SMB2_DHANDLE_FLAG_PERSISTENT bit in the Flags field of Durable_V2 create context or request for handle caching with Lease create context. If the share is a CA share (in a Failover Cluster configuration), client can request for handle persistency by setting SMB2_DHANDLE_FLAG_PERSISTENT bit which provides transparent failover. Please look at the doc snip from section 3.3.5.9.10, where both TreeConnect.Share.IsCA (SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY) and SMB2_GLOBAL_CAP_PERSISTENT_HANDLES are required in order to set Open.IsPersistent to TRUE. This is a server requirement though. Yes, the server is clear how our server will behave, but that case is never possible on a windows server (which always implements both features). On the client side, it is imperative that CA shares will require persistence handles to work with. In other words, for the server to grant persistent handle on an open, client must set SMB2_GLOBAL_CAP_PERSISTENT_HANDLES. In the "Successful Open Initialization" phase, if the underlying object store does not grant durability, the server MUST skip the rest of the processing in this section. Otherwise, the server MUST set Open.IsDurable to TRUE. 
The server MUST also set Open.DurableOwner to a security descriptor accessible only by the user represented by Open.Session.SecurityContext. If the SMB2_DHANDLE_FLAG_PERSISTENT bit is set in the Flags field of the request, TreeConnect.Share.IsCA is TRUE, and Connection.ServerCapabilities includes SMB2_GLOBAL_CAP_PERSISTENT_HANDLES, the server MUST set Open.IsPersistent to TRUE. Yes, that's clear. But it means the client will spam its event log (SMBClient->Operational) with messages like this for every single open: Log Name: Microsoft-Windows-SMBClient/Operational Source:Microsoft-Windows-SMBClient Date: 22.12.2023 13:41:18 Event ID: 30900 Task Category: None Level: Warning Keywords: (16) User: W2022-L7\Administrator Computer: w2022-118.w2022-l7.base Description: The handle was created without persistence. File ID: 0xB90243FF:0x5367F848 CreateGUID: {80c941d9-a0bd-11ee-81fc-00090118} Path: \ubcluster.w2022-l7.base\shm Guidance: The server supports Continuous Availability (persistent handles) and the request to create the handle succeeded. However, the server did not grant persistence. You should verify that the Resume Key Filter is running on the server and is attached to the target volume. Event Xml: http://schemas.microsoft.com/win/2004/08/events/event;> 30900 2 3 0 0 0x2010 335 Microsoft-Windows-SMBClient/Operational w2022-118.w2022-l7.base 0xb68432192080 3103933439 1399322696 {80c941d9-a0bd-11ee-81fc-00090118} 3 0 0 0 28 \ubcluster.w2022-l7.base\shm 0 0 0 And/or: Log Name: Microsoft-Windows-SMBClient/Operational Source:Microsoft-Windows-SMBClient Date: 22.12.2023 18:28:09 Event ID: 30613 Task Category: None Level: Error Keywords: (16) User: W2022-L7\Administrator Computer: w2022-118.w2022-l7.base Description: Failed to open a persistent handle. Error: The network path cannot be located. 
FileId: 0x:0x CreateGUID: {80c94430-a0bd-11ee-81fc-00090118} Path: \ubcluster.w2022-l7.base\shm Reason: Smb2DiagReasonNetworkConnect Guidance: A persistent handle allows transparent failover on Windows File Server clusters. This event has many causes and does not always indicate an issue with SMB. Review online documentation for troubleshooting information. Event Xml: http://schemas.microsoft.com/win/2004/08/events/event;> 30613 0 2 0 0 0x2010 345 Microsoft-Windows-SMBClient/Operational w2022-118.w2022-l7.base 0xb6842f0241d0 18446744073709551615 18446744073709551615 {80c94430-a0bd-11ee-81fc-00090118} 3 9 3221225662 4 28 \ubcluster.w2022-l7.base\shm 0 0 0 Once people will make use of Samba servers
Re: [SCM] Samba Shared Repository - branch master updated
On 04.01.24 at 15:36, Brown, James William wrote: On 1/4/2024 7:46 AM, Stefan Metzmacher wrote: @@ -3905,7 +3937,24 @@ static int moveip(TALLOC_CTX *mem_ctx, struct ctdb_context *ctdb, return ret; } - return 0; + /* +* It isn't strictly necessary to wait until takeover runs are +* re-enabled but doing so can't hurt. +*/ + ret = disable_takeover_runs(mem_ctx, + ctdb, + 0, + connected_pnn, + connected_count); + if (ret != 0) { + fprintf(stderr, "Failed to enable takeover runs\n"); + return ret; + } Message should be "Failed to disable takeover runs\n" like previous change at 3886. This is a bit confusing but correct, the function name is strange. We have "disable" with a timeout of 2*options.timelimit and "enable" with a timeout of 0. metze
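Review bot: In the block added at the end of moveip(), nothing at the call site says that disable_takeover_runs() called with a timeout of 0 is the operation that re-enables takeover runs, so the "Failed to enable takeover runs" message reads like a copy-and-paste slip, which is how it was read in this thread. Extend the comment above the call to state that a timeout of 0 means "enable", or wrap the call in a small helper named for the enable case so the function name and the error text agree.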
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 16d802f9c1f script/autobuild.py: add some --private-libraries=ALL testing via 6da49582c21 wafsamba: fix the usage of --private-extension-exception via f22df59b065 wscript: use opt.PRIVATE_EXTENSION_DEFAULT('private-samba') via 3ae5afa6ad0 script/autobuild.py: nonshared-test works now via a80614fe309 third_party/*_wrapper: use SAMBA_LIBRARY(force_unversioned=True) via 533e5daf772 wafsamba: introduce SAMBA_LIBRARY(force_unversioned=False) via 318fd95d5ea s3:smbd multichannel: always refresh the network information via 62654f0aeb1 ctdb: add comments to "addip"/"delip" when CTDB_{CONTROL,EVENT,SRVID}_IPREALLOCATED happens via 589ebabc95e ctdb: let "moveip" end with CTDB_CONTROL_IPREALLOCATED to all connected nodes via 2c6b455bd76 ctdb: remove unused ctdb_message_disable_ip_check() via cad1969b171 ctdb: let "moveip" also use disable_takeover_runs() via b1d0d5d5142 ctdb: send a CTDB_SRVID_IPREALLOCATED message after CTDB_EVENT_IPREALLOCATED from 1134c4f3a63 s3:utils: Fix the auth function to print correct values to the user https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 16d802f9c1f61cebb3699942242fbd3717f0dc4e Author: Stefan Metzmacher Date: Fri Dec 29 15:28:37 2023 + script/autobuild.py: add some --private-libraries=ALL testing BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jan 4 12:45:58 UTC 2024 on atb-devel-224 commit 6da49582c212aefe859c71688a2d7beb72125fa9 Author: Stefan Metzmacher Date: Fri Dec 29 10:05:18 2023 + wafsamba: fix the usage of --private-extension-exception It was completely unused... 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit f22df59b0655f9bb812c39734782b0ff3c71c954 Author: Stefan Metzmacher Date: Fri Dec 29 10:04:59 2023 + wscript: use opt.PRIVATE_EXTENSION_DEFAULT('private-samba') The problem was that we used opt.PRIVATE_EXTENSION_DEFAULT('samba4') and libndr as private will become libndr-samba4 and that already exists as libndr-samba4 as we don't append the extension if it's already there. So meant with --private-libraries=ALL we hit the following problem: $ ./configure --private-libraries=ALL $ make smbd/smbd Waf: Leaving directory `/samba/bin/default' Task dependency cycle in "run_after" constraints: {task ...: cshlib dcerpc-samba4.empty.c.12.o,ndr_winbind_c.c.229.o -> libdcerpc-samba4.so} make: *** [Makefile:131: smbd/smbd] Error 1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 3ae5afa6ad0421f479c5fe63ed692593eaed7078 Author: Stefan Metzmacher Date: Fri Dec 29 15:27:38 2023 + script/autobuild.py: nonshared-test works now I guess the problem was related to wrapper libraries... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit a80614fe3098be42f330a73c5af28e646a86a042 Author: Stefan Metzmacher Date: Fri Dec 29 14:32:51 2023 + third_party/*_wrapper: use SAMBA_LIBRARY(force_unversioned=True) This prevents --private-libraries=ALL from creating unuseable wrapper libraries, as they can't work with symbol versioning. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 533e5daf772b38e21830251d779f083da7197058 Author: Stefan Metzmacher Date: Fri Dec 29 14:32:02 2023 + wafsamba: introduce SAMBA_LIBRARY(force_unversioned=False) This can be used in order to avoid a library to be caught by --private-libraries=ALL. It is needed for our wrapper libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15545 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Ralph Boehme commit 318fd95d5ea63724798592eb6b4eebaecfa0cbfb Author: Jones Syue Date: Thu Jan 4 09:42:15 2024 +0800 s3:smbd multichannel: always refresh the network information To maintain SMB Multichannel, windows client might periodically query with FSCTL_QUERY_NETWORK_INTERFACE_INFO to get SMB server's network information, in my case windows server 2022 would do this every 10 minutes (600 seconds).
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 314eb730833 Happy New Year 2024! from bab0ac776ca s4/ldap_backend: do_call: use modern DBG macros https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 314eb7308338d31baf909b705917fedc9b094069 Author: Stefan Metzmacher Date: Mon Jan 1 00:03:20 2024 + Happy New Year 2024! Signed-off-by: Stefan Metzmacher --- Summary of changes: VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 620024528ad..bde2e90dffc 100644 --- a/VERSION +++ b/VERSION @@ -13,7 +13,7 @@ # # -SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" +SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2024" # This are the main SAMBA version numbers # -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bab0ac776ca s4/ldap_backend: do_call: use modern DBG macros via 80c2513da4c s4/ldap_backend: abandonrequest: use modern DBG macros via 70a5309bf1f s4/ldap_backend: CompareRequest: use modern DBG macros via 24a01b673cc s4/ldap_backend: modifydnrequest: use modern DBG macros via 2a4d291e824 s4/ldap_backend: delrequest: use modern DBG macros via 9129042eb0a s4/ldap_backend: addrequest: use modern DBG macros via ac3ed2486b7 s4/ldap_backend: modifyrequest: use modern DBG_ macro via 6d4bb12c49c s4/ldap_backend: SearchRequest: use modern DBG_ macro via 54a88491e5f s4/ldap_backend: unwilling: use modern DBG_ macro via 1324732e801 s4/ldap_backend: encode: use modern DBG_ macro via 10002e94009 s4/ldap_backend: change a printf %d to %u for results via d4168fce7b0 s4/ldap_backend: fix a NULL dereference via b41f95f891a winbind_nss_netbsd: fix missing semicolon via b9f32b32e0e docs-xml: use XML_CATALOG_FILES env var if defined via 2073bbf9dca doc-xml: fix name of vfs_linux_xfs man page from 5f5a49d78af lib:crypto: Add tests for GKDI key derivation https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bab0ac776cad50452e42d3c418b60a1635111935 Author: Björn Jacke Date: Mon Dec 25 21:48:35 2023 +0100 s4/ldap_backend: do_call: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 29 13:50:05 UTC 2023 on atb-devel-224 commit 80c2513da4c4f414e4ab88ad1ba3f1e59657391c Author: Björn Jacke Date: Mon Dec 25 21:46:47 2023 +0100 s4/ldap_backend: abandonrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 70a5309bf1f526cd3c00d303570ab7e7d6f15e7a Author: Björn Jacke Date: Mon Dec 25 21:45:55 2023 +0100 s4/ldap_backend: CompareRequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 24a01b673cc1002e16cc806d600acbef0856ea54 Author: Björn Jacke Date: Mon Dec 
25 21:37:29 2023 +0100 s4/ldap_backend: modifydnrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 2a4d291e8246058ef8818b56c9861a3eed49cad4 Author: Björn Jacke Date: Mon Dec 25 21:34:28 2023 +0100 s4/ldap_backend: delrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 9129042eb0a19d922ce77e8f51af204fd41ca6bc Author: Björn Jacke Date: Mon Dec 25 21:32:49 2023 +0100 s4/ldap_backend: addrequest: use modern DBG macros Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit ac3ed2486b793865133d2006031ccf4a2c37458b Author: Björn Jacke Date: Mon Dec 25 21:31:27 2023 +0100 s4/ldap_backend: modifyrequest: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 6d4bb12c49cde2bc8d14712e3563b32038c6ae45 Author: Björn Jacke Date: Mon Dec 25 21:26:58 2023 +0100 s4/ldap_backend: SearchRequest: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 54a88491e5fb1ec949960fad426e9ee51a68fe2f Author: Björn Jacke Date: Mon Dec 25 21:24:13 2023 +0100 s4/ldap_backend: unwilling: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 1324732e8013b8ff5833799e86f9fd8f10e3ea41 Author: Björn Jacke Date: Mon Dec 25 21:22:48 2023 +0100 s4/ldap_backend: encode: use modern DBG_ macro Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit 10002e94009dc132867e3100c86fd351ce93bc99 Author: Björn Jacke Date: Mon Dec 25 20:37:38 2023 +0100 s4/ldap_backend: change a printf %d to %u for results Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit d4168fce7b07f417c81c801da0fd664fbb90715a Author: Björn Jacke Date: Mon Dec 25 20:30:43 2023 +0100 s4/ldap_backend: fix a NULL dereference Signed-off-by: Bjoern Jacke > Reviewed-by: Stefan Metzmacher commit b41f95f891ab5b1d1878735a513be5d9a13f63c6 Author: Björn Jacke Date: Mon Dec 25 19:53:30 2023 +0100 winbind_nss_netbsd: fix missing semicolon 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15541 Signed-off-by: Bjoern Jacke Reviewed-by: Stefan Metzmacher commit b9f32b32e0e1463b8ca3e696d682ecf86503464b Author: Björn Jacke Date: Mon Dec 25 19:50:55 2023 +0100 docs-xml: use XML_CATALOG_FILES env var if defined Thanks to Thierry LARONDE for the fix. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15540 Signed-off-by: Björn Jacke Reviewed-by: Stefan Metzmacher com
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 828f3c99122 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses from 31637d40371 WHATSNEW: Add entry for "samba-tool user get-kerberos-ticket" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 828f3c99122fb033ecb79e24ed24821b8510f0f8 Author: Stefan Metzmacher Date: Tue Aug 15 08:57:57 2023 +0200 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses BUG: https://bugzilla.samba.org/show_bug.cgi?id=15534 Signed-off-by: Stefan Metzmacher Reviewed-by: Volker Lendecke Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Dec 21 11:09:30 UTC 2023 on atb-devel-224 --- Summary of changes: source3/lib/ctdbd_conn.c | 33 - 1 file changed, 28 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c index a739c97f3fd..3698c9d3672 100644 --- a/source3/lib/ctdbd_conn.c +++ b/source3/lib/ctdbd_conn.c @@ -1438,6 +1438,32 @@ static int ctdbd_control_get_public_ips(struct ctdbd_connection *conn, return 0; } +static struct samba_sockaddr ctdbd_sock_addr_to_samba(const ctdb_sock_addr *c) +{ + struct samba_sockaddr s = {}; + + switch (c->sa.sa_family) { + case AF_INET: + s.u.in = c->ip; + break; + case AF_INET6: + /* +* ctdb always requires HAVE_IPV6, +* so we don't need an ifdef here. +*/ + s.u.in6 = c->ip6; + break; + default: + /* +* ctdb_sock_addr only supports ipv4 and ipv6 +*/ + smb_panic(__location__); + break; + } + + return s; +} + int ctdbd_public_ip_foreach(struct ctdbd_connection *conn, int (*cb)(uint32_t total_ip_count, const struct sockaddr_storage *ip, @@ -1457,11 +1483,8 @@ int ctdbd_public_ip_foreach(struct ctdbd_connection *conn, } for (i=0; i < ips->num; i++) { - struct samba_sockaddr tmp = { - .u = { - .sa = ips->ips[i].addr.sa, - }, - }; + const ctdb_sock_addr *addr = >ips[i].addr; + struct samba_sockaddr tmp = ctdbd_sock_addr_to_samba(addr); ret = cb(ips->num, , -- Samba Shared Repository
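Review bot: The default branch of the new ctdbd_sock_addr_to_samba() calls smb_panic(__location__), so an address family other than AF_INET or AF_INET6 in the list obtained from ctdbd aborts the calling process from inside ctdbd_public_ip_foreach(), which already has an int return for errors. Consider having the helper report the unexpected family (for example by returning a status and filling the struct through an out parameter) so the loop can fail the call instead of panicking. The commit message would also benefit from one sentence on why the old `.sa = ips->ips[i].addr.sa` initialiser was wrong for IPv6, since the subject line alone does not say what was broken.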
Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster - TrackingID#2311070040010486
Hi Kristian, As I haven't heard anything back from you on question 11 from last month, I'll move forward with the closure of this case. If you have any follow-up questions feel free to reach out and I'd be happy to look into it. I was out of office for a while. I noticed the responses, but I'll have to look at them in more detail in the next days. Happy holidays! Thanks! I wish you the same! metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8cfc6ea9232 Revert "rpc_server:srvsvc - retrieve share ACL via root context" via ff3b50034e2 rpcd_classic: Open share_info.tdb as root from 6d3146f94b2 smbd: Modernize a few DEBUG statements https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8cfc6ea92320be4ef26b91fce58fd76bfc7b95eb Author: Volker Lendecke Date: Tue Dec 19 10:30:58 2023 +0100 Revert "rpc_server:srvsvc - retrieve share ACL via root context" This reverts commit 80c0b416892bfacc0d919fe032461748d7962f05. With the previous patch it is no longer required. We open share_info.tdb as root when starting up rpcd_classic and keep it open. Commit 80c0b416892bfacc0d919fe032461748d7962f05 only fixed the problem in one place, but we had it in a lot more places... Bug: https://bugzilla.samba.org/show_bug.cgi?id=15265 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Dec 20 11:20:51 UTC 2023 on atb-devel-224 commit ff3b50034e2821e54633daafc751d3ea3c00f4c3 Author: Volker Lendecke Date: Wed Dec 13 12:07:00 2023 +0100 rpcd_classic: Open share_info.tdb as root srvsvc needs it, but for example NetShareGetInfo() runs as a user. Opening share_info.tdb at that point is too late. Bug: https://bugzilla.samba.org/show_bug.cgi?id=15265 Signed-off-by: Volker Lendecke Reviewed-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- Summary of changes: source3/rpc_server/rpcd_classic.c | 6 ++ source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 17 +++-- 2 files changed, 9 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/rpc_server/rpcd_classic.c b/source3/rpc_server/rpcd_classic.c index 9766d0a760b..2b7e9398d90 100644 --- a/source3/rpc_server/rpcd_classic.c +++ b/source3/rpc_server/rpcd_classic.c 
@@ -115,6 +115,12 @@ static NTSTATUS classic_servers( exit(1); } + status = share_info_db_init(); + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("share_info_db_init failed: %s\n", nt_errstr(status)); + exit(1); + } + lp_load_with_shares(get_dyn_CONFIGFILE()); mangle_reset_cache(); diff --git a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c index d6e7bed5949..29d224c427d 100644 --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c @@ -542,7 +542,6 @@ static bool is_hidden_share(int snum) static bool is_enumeration_allowed(struct pipes_struct *p, int snum) { - bool allowed; struct dcesrv_call_state *dce_call = p->dce_call; struct auth_session_info *session_info = dcesrv_call_session_info(dce_call); @@ -559,19 +558,9 @@ static bool is_enumeration_allowed(struct pipes_struct *p, return false; } - - /* -* share_access_check() must be opened as root -* because it ultimately gets a R/W db handle on share_info.tdb -* which has 0o600 permissions -*/ - become_root(); - allowed = share_access_check(session_info->security_token, -lp_servicename(talloc_tos(), lp_sub, snum), -FILE_READ_DATA, NULL); - unbecome_root(); - - return allowed; + return share_access_check(session_info->security_token, + lp_servicename(talloc_tos(), lp_sub, snum), + FILE_READ_DATA, NULL); } / -- Samba Shared Repository
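Review bot: In is_enumeration_allowed(), the become_root()/unbecome_root() pair is removed together with the comment that explained why root was needed, and nothing replaces it to say that share_access_check() now depends on share_info.tdb having been opened by the share_info_db_init() call added to classic_servers() in rpcd_classic.c. Add a short comment at the share_access_check() call noting that the database is opened as root at rpcd_classic startup, so a later reader neither re-adds the root switch nor calls this path from a process that never ran the init.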
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4b7329f1582 ctdb-server: Drop unnecessary copy of destination address via 8fc3872557f ctdb-daemon: Use ctdb_connection_to_buf() to simplify via ddf47e7fe31 smbd: Remove callback for release_ip when "state" is free'ed via 082c7df4d04 s3:selftest: add samba3.blackbox.smbXsrv_client_ctdb_registered_ips via 38b74d4ca9a selftest: export/use CTDB related envvars in order to run the ctdb command via 2e784789d78 ctdbd_conn: add ctdbd_passed_ips() via f3a03f3f774 ctdbd_conn: add ctdbd_unregister_ips() via 75aa6693940 ctdbd_conn: Add deregister_from_ctdbd() via 77a559432ff ctdbd_conn: let register_with_ctdbd() call CTDB_CONTROL_REGISTER_SRVID just once via 240139370aa ctdbd_conn: don't use uninitialized memory in ctdbd_register_ips() via 037e8e449de ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_PASSED via c6602b686b4 ctdb: add/implement CTDB_CONTROL_TCP_CLIENT_DISCONNECTED via 8395fd369d3 ctdb: add ctdb_connection_same() helper via 5f52d140f7b ctdb: make use of ctdb_canonicalize_ip_inplace() in ctdb_control_tcp_client() via f2d9c012fc8 ctdb: add ctdb_canonicalize_ip_inplace() helper via 92badd3bdd8 ctdb: remove unused ctdb->client_ip_list and print debug on ctdb_tcp_list instead from d23d6145bf0 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4b7329f15820f1b4d9a7b7f0947719c4217b312a Author: Martin Schwenke Date: Wed Dec 13 10:29:05 2023 +1100 ctdb-server: Drop unnecessary copy of destination address Modernise debug while touching the code. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Martin Schwenke Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 15 12:09:21 UTC 2023 on atb-devel-224 commit 8fc3872557f715dc38f9898754a785fd073ace96 Author: Martin Schwenke Date: Wed Dec 13 10:22:04 2023 +1100 ctdb-daemon: Use ctdb_connection_to_buf() to simplify The one case that is no longer handled specially is when the destination address is IPv4 loopback. This may previously have been used to avoid flooding the logs when testing. However, that seems unnecessary - if testing with 127.0.0.1 then make it a public address. Modernise debug while touching the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Martin Schwenke Reviewed-by: Stefan Metzmacher commit ddf47e7fe314e0f5bf71ff53e35350e0ba530d08 Author: Volker Lendecke Date: Thu Oct 12 17:19:45 2023 +0200 smbd: Remove callback for release_ip when "state" is free'ed If a client connects to a non-public address first followed by a connect to public address with the same client_guid and a connection to the non-public address gets disconnected first, we hit by a use-after-free talloc_get_type_abort() called from release_ip() as "xconn" is already gone, taking smbd_release_ip_state with it. We need to decide between calling ctdbd_unregister_ips() by default, as it means the tcp connection is really gone and ctdb needs to remove the 'tickle' information. But when a connection was passed to a different smbd process, we need to use ctdbd_passed_ips() as the tcp connection is still alive and the 'tickle' information should not be removed within ctdb. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Volker Lendecke Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke commit 082c7df4d04c2a94c5413c1d6b7eae7be610f950 Author: Stefan Metzmacher Date: Fri Nov 17 11:46:27 2023 +0100 s3:selftest: add samba3.blackbox.smbXsrv_client_ctdb_registered_ips This demonstrates the crash that happens if a client connects to a non-public address first followed by a connect to public address with the same client_guid and a connection to the non-public address gets disconnected first, we hit by a use-after-free talloc_get_type_abort() called from release_ip() as "xconn" is already gone, taking smbd_release_ip_state with it. Note that we also need to mark some subtests as flapping as there's a 2nd problem that happens in the interaction between smbd processes and ctdb when passing a multichannel connection to an existing process, it means we sometimes lose the 'tickle' information within ctdb to that tcp connection. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15523 Signed-off-by: Stefan Metzmacher Reviewed-by: Martin Schwenke commit 38b7
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d23d6145bf0 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h from 83e36d97c95 netcmd: add shell command https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d23d6145bf08c4765479951237e697c4b2b11aa2 Author: Stefan Metzmacher Date: Thu Dec 14 11:35:19 2023 +0100 VERSION: move COPYRIGHT_STARTUP_MESSAGE as SAMBA_COPYRIGHT_STRING into version.h We also prodive a samba_copyright_string() helper similar to samba_version_string(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 15 10:44:42 UTC 2023 on atb-devel-224 --- Summary of changes: VERSION | 2 ++ buildtools/wafsamba/samba_patterns.py | 2 +- buildtools/wafsamba/samba_version.py | 1 + lib/param/param.h | 1 + lib/util/copyright.h | 28 source3/include/includes.h| 3 --- source3/include/proto.h | 1 + source3/lib/version.c | 5 + source3/nmbd/nmbd.c | 6 +++--- source3/rpc_server/rpc_host.c | 8 source3/rpc_server/rpc_worker.c | 8 source3/smbd/server.c | 6 +++--- source3/winbindd/winbindd.c | 6 +++--- source3/wscript_build | 3 +-- source4/include/includes.h| 3 --- source4/samba/server.c| 8 16 files changed, 33 insertions(+), 58 deletions(-) delete mode 100644 lib/util/copyright.h Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index f0170b01ce1..620024528ad 100644 --- a/VERSION +++ b/VERSION @@ -13,6 +13,8 @@ # # +SAMBA_COPYRIGHT_STRING="Copyright Andrew Tridgell and the Samba Team 1992-2023" + # This are the main SAMBA version numbers # # # diff --git a/buildtools/wafsamba/samba_patterns.py b/buildtools/wafsamba/samba_patterns.py index a9c5fcc4b4c..41296810e13 100644 --- a/buildtools/wafsamba/samba_patterns.py +++ b/buildtools/wafsamba/samba_patterns.py 
@@ -15,7 +15,7 @@ def write_version_header(task): return 0 -def SAMBA_MKVERSION(bld, target, source='VERSION'): +def SAMBA_MKVERSION(bld, target, source='VERSION buildtools/wafsamba/samba_version.py'): '''generate the version.h header for Samba''' # We only force waf to re-generate this file if we are installing, diff --git a/buildtools/wafsamba/samba_version.py b/buildtools/wafsamba/samba_version.py index 54ae62f38bd..31103e0f8c4 100644 --- a/buildtools/wafsamba/samba_version.py +++ b/buildtools/wafsamba/samba_version.py @@ -174,6 +174,7 @@ also accepted as dictionary entries here def __str__(self): string="/* Autogenerated by waf */\n" +\ +"#define SAMBA_COPYRIGHT_STRING \"%s\"\n" % self.SAMBA_COPYRIGHT_STRING +\ "#define SAMBA_VERSION_MAJOR %u\n" % self.MAJOR +\ "#define SAMBA_VERSION_MINOR %u\n" % self.MINOR +\ "#define SAMBA_VERSION_RELEASE %u\n" % self.RELEASE diff --git a/lib/param/param.h b/lib/param/param.h index 7ead57f6130..aed48c1660c 100644 --- a/lib/param/param.h +++ b/lib/param/param.h @@ -276,6 +276,7 @@ int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx); /* The following definitions come from lib/version.c */ const char *samba_version_string(void); +const char *samba_copyright_string(void); #endif /* _PARAM_H */ diff --git a/lib/util/copyright.h b/lib/util/copyright.h deleted file mode 100644 index a29f2285d13..000 --- a/lib/util/copyright.h +++ /dev/null 
@@ -1,28 +0,0 @@ -/* - Unix SMB/CIFS implementation. - - Copyright (C) Björn Jacke 2023 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http:/
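Review bot: In the samba_version.py hunk, __str__ formats self.SAMBA_COPYRIGHT_STRING straight into a C string literal with "%s", so a double quote or backslash in the VERSION value would yield a version.h that fails to compile or carries a different string than intended. Escape those two characters before formatting, or reject them when the VERSION file is parsed, and say in the comment next to SAMBA_COPYRIGHT_STRING in VERSION which characters are allowed.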
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f5c76c3c814 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro" via cd8dcff9e9c lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE) via bd21a0cdefb lib/util: add debug_set_forced_log_priority() from 83e8971c0f1 Claims initial black box tests https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f5c76c3c814dac2b0c09026520f75c0b0e22b6b4 Author: Stefan Metzmacher Date: Thu Nov 23 13:20:23 2023 +0100 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro" This reverts commit bb370b9381e5d223ff4ac62f612888f90a63fcc5. We no longer use log level -1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Nov 24 10:34:58 UTC 2023 on atb-devel-224 commit cd8dcff9e9cbfffab8c502c8701c00b0c8e3512b Author: Stefan Metzmacher Date: Wed Nov 22 17:18:29 2023 +0100 lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE) Using -1 as log level is not compatible without our infrastructure. As all backends are initialized with .log_level = -1, which means they don't log the message, but now they all try to handle the startup message even if they are not configured. E.g. it means that systemd's journalctl gets the message twice now, first via the syslog and also the systemd backend. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 
Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett commit bd21a0cdefb30ef5522f81d865c03d11a182a63c Author: Stefan Metzmacher Date: Wed Nov 22 17:03:30 2023 +0100 lib/util: add debug_set_forced_log_priority() By default the priority for syslog/systemd is derived from the log level of the debug message. But for things like startup messages we want to change the priority temporary, like this: debug_set_forced_log_priority(DBGLVL_NOTICE); D_ERR("Startup...\n"); debug_set_forced_log_priority(-1); BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Stefan Metzmacher Reviewed-by: Björn Jacke Reviewed-by: Andrew Bartlett --- Summary of changes: README.Coding.md | 11 +-- lib/util/debug.c | 10 ++ lib/util/debug.h | 9 +++-- 3 files changed, 22 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/README.Coding.md b/README.Coding.md index 132f3f4fa58..76f2c70e95a 100644 --- a/README.Coding.md +++ b/README.Coding.md @@ -539,12 +539,11 @@ It should be: Use these following macros instead of DEBUG: ``` -DBG_STARTUP_NOTICE log level -1 startup like notice -DBG_ERR log level 0error conditions -DBG_WARNING log level 1warning conditions -DBG_NOTICE log level 3normal, but significant, condition -DBG_INFOlog level 5informational message -DBG_DEBUG log level 10 debug-level message +DBG_ERR log level 0error conditions +DBG_WARNING log level 1warning conditions +DBG_NOTICE log level 3normal, but significant, condition +DBG_INFOlog level 5informational message +DBG_DEBUG log level 10 debug-level message ``` Example usage: diff --git a/lib/util/debug.c b/lib/util/debug.c index 6872f2dfe46..f1f91ebe7a7 100644 --- a/lib/util/debug.c +++ b/lib/util/debug.c @@ -94,6 +94,7 @@ static struct { char hostname[HOST_NAME_MAX+1]; bool reopening_logs; bool schedule_reopen_logs; + int forced_log_priority; struct debug_settings settings; debug_callback_fn callback; 
@@ -230,6 +231,10 @@ static int debug_level_to_priority(int level) }; int priority; + if (state.forced_log_priority != -1) { + level = state.forced_log_priority; + } + if (level < 0 || (size_t)level >= ARRAY_SIZE(priority_map)) priority = LOG_DEBUG; else @@ -1133,6 +1138,11 @@ void debug_set_hostname(const char *name) strlcpy(state.hostname, name, sizeof(state.hostname)); } +void debug_set_forced_log_priority(int forced_log_priority) +{ + state.forced_log_priority = forced_log_priority; +} + /** * Ensure debug logs are initialised. * diff --git a/lib/util/debug.h b/lib/util/debug.h index 90230a2d88f..4687ac074b1 100644 --- a/lib/util/debug.h +++ b/lib/util/debug.h @@ -269,14 +269,18 @@ void debugl
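Review bot: in lib/util/debug.c the new `int forced_log_priority;` member is never set to -1 in any of the hunks shown, and the three debug.c hunks account for all 10 added lines in the diffstat. As a member of a static struct it starts at 0, so the `state.forced_log_priority != -1` test in debug_level_to_priority() would replace every message's level with 0 until some caller runs debug_set_forced_log_priority(-1). Initialise the field to -1 where `state` is defined, so that the default really is "derive the priority from the message level" as the commit message says.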
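Review bot: debug_set_forced_log_priority() in lib/util/debug.c is added without a comment, so the set / log / reset-to--1 contract exists only in the commit message. A short doc comment on the function should say that -1 means "not forced" and that callers must restore it, since the value is process-wide state. It is also worth stating what happens for an out-of-range argument: the existing `level < 0 || (size_t)level >= ARRAY_SIZE(priority_map)` branch would quietly turn it into LOG_DEBUG, which is the opposite of what a startup notice wants.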
Re: [cifs-protocol] MS-SWN Q7: The only place in the whole documentation that references SMB2_SHARE_CAP_SCALEOUT - TrackingID#2311070040010182
Hi Jeff,

I'm looking into your question on:

Question 7: The above section is the only place in the whole documentation that references SMB2_SHARE_CAP_SCALEOUT, is that really correct?

I have not found other references to this bit. Could you provide more context on your question? Is there additional behavior or use of the bit that you're expecting to see documented?

My assumption is that section '3.2.4.27 Application Notifies Offline Status of a Server' is only triggered when a witness AsyncNotify response comes in. That would mean SMB2_SHARE_CAP_SCALEOUT would only have any meaning if witness is in use and I'm sceptical that this is really the case...

Thanks!
metze
___
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
Re: [cifs-protocol] Question #3 - Trying to let a Windows client use MS-SWN against a samba cluster
Hi Sreekanth,

can we please keep cifs-protocol@lists.samba.org cc'ed?

in your question #3 below, are you saying that client requests for witness registration occurs as long as the capability bits SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY and SMB2_SHARE_CAP_CLUSTER are set? In that case which part of the following section is incorrect? see the following: Note that we have to know if SMB2_SHARE_CAP_ASYMMETRIC bit is set to determine whether a TREE_CONNECT request needs to be sent as mentioned in this section.

3.2.5.5 Receiving an SMB2 TREE_CONNECT Response
...
- TreeConnect.IsCAShare MUST be set to TRUE, if the SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY bit is set in the Capabilities field of the response.

I quoted this only to show that SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY has some side effects not related to witness registrations. See section 3.2.4.3.5 Application Requests Creating a File Opened for Durable Operation.

...
If Connection.Dialect belongs to the SMB 3.x dialect family and the Capabilities field in the response includes SMB2_SHARE_CAP_CLUSTER bit, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as Netname parameter.

This states the SMB2_SHARE_CAP_CLUSTER alone triggers the witness registration, but it doesn't happen, the Windows Server 2022 (as client) only tries the witness registration when SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY and SMB2_SHARE_CAP_CLUSTER are both set together.

...
If Connection.Dialect belongs to the SMB 3.x dialect family and the Capabilities field in the response includes the SMB2_SHARE_CAP_SCALEOUT bit, the client MUST set TreeConnect.IsScaleoutShare to TRUE.

This was mainly quoted to show the interaction with section 3.2.4.27 Application Notifies Offline Status of a Server and question 7...

...
If Connection.Dialect is "3.0.2" or "3.1.1" and the Capabilities field in the response includes the SMB2_SHARE_CAP_ASYMMETRIC bit, the client MUST verify whether both of the following conditions are true:

I missed the following:

- Connection.SessionTable contains only one entry.
- Session.TreeConnectTable contains only one entry.
If either of the preceding conditions is FALSE, the client MUST perform the following:
- Disconnect the tree connection as specified in section 3.2.4.22.
...
If the SMB2 TREE_CONNECT request is successful, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as the Netname parameter and TreeConnect.ShareName as the ShareName parameter, and by setting the IsShareNameNotificationRequired parameter to TRUE.

I only tested with a single share connection. I just retested with connections to more than one share and I'm now seeing witness registrations for each share. So SMB2_SHARE_CAP_ASYMMETRIC does alter the behavior, but it has no effect without SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY and SMB2_SHARE_CAP_CLUSTER.

Thanks!
metze
[cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster
Hi DocHelp,

I'm currently implementing MS-SWN for samba in order to allow clients to move to a different network interface or cluster node if a specific interface or a complete cluster node gets offline.

In a Samba cluster we have multiple nodes, but just a single netname for all of them, so there's only a single computer with its sAMAccountName in active directory. But each node can have multiple ip addresses, which may move around between nodes, but some can be node local.

Now my goal is to let a Windows client use the witness service in order to get notified about ip addresses going down, because the interface link or a whole node gets offline.

In order to achieve that I need to understand the exact client behavior implemented in the Windows clients (also with possible differences of various Windows versions). However this is hard from just reading the existing docs...

MS-SWN "3.2 Witness Client Details" doesn't contain any detail for the logical processing, e.g.

- 3.2.4.1 Application Requests Witness Register doesn't say that WITNESS_INTERFACE_INFO.InterfaceGroupName is that name used as part of the servicePrincipalName (after being prefixed by 'CIFS/') passed to the authentication layer (spnego, kerberos, ntlm), but I'm seeing this behavior from a Windows 2022 server as client. In older version (Windows 2012) I saw that the principal was requested by the method from MS-RPCE 2.2.1.3.4 rpc_mgmt_inq_princ_name.

Question 1: Can you please update this with a product behavior note reflecting the reality with all Windows versions.

- 3.2.4.2 Application Requests Witness Event Notification only says:
...
The status and any received RESP_ASYNC_NOTIFY result obtained from the server in the previous step MUST be returned to the caller.

- 3.2.4.3 Application Requests Witness UnRegister Has the following notable section:
...
or if the WitnessRegistration.WitnessNotifyRequest is TRUE, the client MUST stop processing and return an implementation-defined local error to the caller.

So it seems with a pending AsyncNotify request the Unregister seems to be skipped.

With that I'd expect the core logic/behavior of a Windows client being specified in MS-SMB2, when I look there I found the following

3.2.5.2 Receiving an SMB2 NEGOTIATE Response
...
If SMB2_GLOBAL_CAP_PERSISTENT_HANDLES is set in the Capabilities field of the SMB2 NEGOTIATE Response, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as Netname parameter.

Question 2: I don't see this happening from a Windows Server 2022 acting as client. Can you please update this with a product behavior note reflecting the reality with all Windows versions.

3.2.5.5 Receiving an SMB2 TREE_CONNECT Response
...
- TreeConnect.IsCAShare MUST be set to TRUE, if the SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY bit is set in the Capabilities field of the response.
...
If Connection.Dialect belongs to the SMB 3.x dialect family and the Capabilities field in the response includes SMB2_SHARE_CAP_CLUSTER bit, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as Netname parameter.
...
If Connection.Dialect belongs to the SMB 3.x dialect family and the Capabilities field in the response includes the SMB2_SHARE_CAP_SCALEOUT bit, the client MUST set TreeConnect.IsScaleoutShare to TRUE.
...
If Connection.Dialect is "3.0.2" or "3.1.1" and the Capabilities field in the response includes the SMB2_SHARE_CAP_ASYMMETRIC bit, the client MUST verify whether both of the following conditions are true:
...
If the SMB2 TREE_CONNECT request is successful, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.1 by providing Connection.ServerName as the Netname parameter and TreeConnect.ShareName as the ShareName parameter, and by setting the IsShareNameNotificationRequired parameter to TRUE.

Question 3: I don't see this happening from a Windows Server 2022 acting as client. The only relevant flags in order to let the client try a witness connection are SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY together with SMB2_SHARE_CAP_CLUSTER. Can you please update this with a product behavior note reflecting the reality with all Windows versions.

3.2.5.6 Receiving an SMB2 TREE_DISCONNECT Response
...
If Connection.Dialect belongs to the SMB 3.x dialect family and if Session.TreeConnectTable is empty in all sessions in the Connection.SessionTable for which Connection.ServerName matches the server name, the client SHOULD invoke the event as specified in [MS-SWN] section 3.2.4.3.

Question 4: I don't see this happening from a Windows Server 2022 acting as client. The witness registration stays until a reboot. There's also no new witness registration after a reconnect to a different ip, which means that the smb connection and witness
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts via cbb8145d0c5 third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) via c99fe118fdf tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account via 97e4aab1a6e CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers via 70586061128 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container via 498542be0bb CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry() via 7f8b15faa76 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container via 0c329a0fda3 CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files via 3be190dcf71 CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor() from 6e862bd3690 s4/torture: fix exit status of raw.bench-lookup https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bf79979f847de36db9da9646a396cdfe6b0e1c6f Author: Stefan Metzmacher Date: Wed Oct 11 15:58:22 2023 +0200 s4:kdc: fix user2user tgs-requests for normal user accounts User2User tgs requests use the session key of the additional ticket instead of the long term keys based on the password. In addition User2User also asserts that client and server are the same account (checked based on the sid). 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224 commit cbb8145d0c58b34b76a579afd81f0e19ec7106b6 Author: Stefan Metzmacher Date: Mon Oct 16 12:33:15 2023 +1300 third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-202310152331 (commit a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4)) This allows HDB backends to do special handling for User2User TGS-REQs. The main reason is to let the HDB_F_GET_SERVER lookup to succeed even for non-computer accounts. In Samba these are typically not returned in HDB_F_GET_SERVER in order to avoid generating tickets with the user password. But for User2User the account password is not used, so it is safe to return the server entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett [abart...@samba.org Adapted to be an import from lorikeet-heimdal as requested] commit c99fe118fdf11c641d74a51d33b52ac411db95f5 Author: Stefan Metzmacher Date: Wed Oct 11 15:54:15 2023 +0200 tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566 Author: Stefan Metzmacher Date: Fri Jan 29 23:35:31 2016 +0100 CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 70586061128f90afa33f25e104d4570a1cf778db Author: Stefan Metzmacher Date: Wed Jun 7 18:18:58 2023 +0200 CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: 
Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 498542be0bbf4f26558573c1f87b77b8e3509371 Author: Stefan Metzmacher Date: Mon Jun 26 15:14:24 2023 +0200 CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry() This makes the next change easier to understand. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47 Author: Stefan Metzmacher Date: Fri Jan 29 23:34:15 2016 +0100 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container This revealed a bug in our dirsync code, so we mark test_search_with_dirsync_deleted_objects as knownfail. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0c329a0fda37d87ed737e4b579b6d04ec907604c Author: Stefan Metzmacher Date: Fri Jan 29 23:33:37 2016 +0100 CVE-2018
[SCM] Samba Shared Repository - annotated tag tevent-0.16.0 created
The annotated tag, tevent-0.16.0 has been created at af9580411a92603c958fe83245780fb645bb8172 (tag) tagging acd9248b13cba06d5b748f17aa9bc5d62079d9cc (commit) replaces samba-4.19.0rc1 tagged by Stefan Metzmacher on Mon Oct 16 10:16:27 2023 +0200 - Log - tevent: tag release tevent-0.16.0 Andreas Schneider (58): lib:fuzzing: Fix code spelling lib:tevent: Fix code spelling s3:utils: Fix code spelling s3:spoolss: Remove dead code s4:auth: Fix code spelling s4:cldap_server: Fix code spelling s4:client: Fix code spelling s4:dns_server: Fix code spelling s4:dsdb:common: Fix code spelling s4:dsdb:kcc: Fix code spelling s4:dsdb:repl: Fix code spelling s4:dsdb:samdb: Fix code spelling s4:dsdb:schema: Fix trailing white spaces s4:dsdb:schema: Fix code spelling s4:dsdb:tests: Fix code spelling s4:kdc: Fix code spelling bootstrap: Install codespell s4:lib: Fix code spelling s4:libcli: Remove tailing white spaces s4:libcli: Fix code spelling s4:libnet: Fix code spelling s4:librpc: Fix code spelling s4:ntvfs: Fix code spelling s4:rpc_server: Fix code spelling s4:samba: Fix code spelling s4:scripting: Fix code spelling s4:selftest: Fix code spelling s3:ldap_server: Fix code spelling s4:setup: Fix code spelling s4:smb_server: Fix code spelling s4:torture:auth: Fix code spelling s4:torture:dfs: Fix code spelling s4:torture:drs: Fix code spelling s4:torture:basic: Fix code spelling s4:torture:dns: Fix code spelling s4:torture:krb5: Fix code spelling s4:torture:ldap: Remove trailing white spaces s4:torture:ldap: Fix code 
spelling s4:torture:ldb: Fix code spelling s4:torture:libnetapi: Fix code spelling s4:torture:nbench: Fix code spelling s4:torture:nbt: Fix code spelling s4:torture:raw: Fix code spelling s4:torture:rpc: Fix code spelling s4:torture:smb2: Fix code spelling s4:torture: Fix code spelling s4:wrepl_server: Remove trailing white spaces s4:wrepl_server: Fix code spelling testprogs: Fix code spelling tests: Fix code spelling wintest: Fix code spelling scripts: Add codespell check gitlab-ci: Add running codespell waf: Build nmbd with -Wno-error=stringop-overflow s3:torture: Remove masktest.c s4:samdb: Avoid memory leaks in partition_metadata_get_uint64() s3:client: Use lpcfg_set_cmdline() s3:param: Remove unused lp_set_cmdline() Andrew Bartlett (82): dsdb: Add new function samdb_system_container_dn() dsdb: Use samdb_system_container_dn() in samldb.c dsdb: Use samdb_get_system_container_dn() to get Password Settings Container s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() dsdb: Use samdb_system_container_dn() in dsdb_trust_*() dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c dsdb: Add tracing to dsdb_search() similar to gendb_search_v() dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() selftest: Add test for combination of anr and paged_results dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results dsdb: Make a shallow copy of ldb_parse_tree in operational module s4-rpc_server/drsuapi: Add tmp_highest_usn tracking to replication log s4-rpc_server/drsuapi: Improve debugging of invalid DNs 
s4-rpc_server/drsuapi: Improve debug message for drs_ObjectIdentifier_to_dn_and_nc_root() failure s4-dsdb: Improve logging for drs_ObjectIdentifier_to_dn_and_nc_root() s4-rpc_server/drsuapi: Remove rudundant check for valid and non-NULL ncRoot_dn s4-torture/drs: Save the server dnsname on the DcConnection object s4-torture/drs: Create temp OU with a unique name per test s4-torture/drs: Use
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 10a4a977baf gitlab-ci: run samba-codecheck on ubuntu22.04 via 9a3c558aa44 bootstrap: install codespell, shfmt and shellcheck also on debian/ubuntu via d60af10e6af .codespellignore: adjust in order to pass on ubuntu 22.04 via 94462dfabf0 s4:torture/smb2: fix typo in acls.c from 6071220fcb1 libcli: Make debug_unix_user_token() use just one DEBUG statement https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 10a4a977bafaf2ca9578d0aeae9760bf5b65b5ff Author: Stefan Metzmacher Date: Wed Oct 11 10:15:42 2023 + gitlab-ci: run samba-codecheck on ubuntu22.04 There's no reason to run it on fedora38 and it makes sure autobuild and gitlab-ci use the same. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Oct 11 12:52:57 UTC 2023 on atb-devel-224 commit 9a3c558aa442aef10d8edcfe811cc23afb9b2b4c Author: Stefan Metzmacher Date: Wed Oct 11 10:15:42 2023 + bootstrap: install codespell, shfmt and shellcheck also on debian/ubuntu Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit d60af10e6af97d0a4a69b3282dbfeeb001e669c9 Author: Stefan Metzmacher Date: Wed Oct 11 09:47:09 2023 + .codespellignore: adjust in order to pass on ubuntu 22.04 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme commit 94462dfabf0c14586c00a8161f125b2bd4d18ee1 Author: Ralph Boehme Date: Wed Oct 11 11:17:07 2023 +0200 s4:torture/smb2: fix typo in acls.c This fixes the failing samba-codecheck CI job and is not part of the functional security fix. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 
Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher --- Summary of changes: .codespellignore| 6 ++ .gitlab-ci-main.yml | 4 +--- bootstrap/config.py | 11 --- bootstrap/generated-dists/debian11-32bit/bootstrap.sh | 2 ++ bootstrap/generated-dists/debian11-32bit/packages.yml | 2 ++ bootstrap/generated-dists/debian11/bootstrap.sh | 2 ++ bootstrap/generated-dists/debian11/packages.yml | 2 ++ bootstrap/generated-dists/debian12-32bit/bootstrap.sh | 3 +++ bootstrap/generated-dists/debian12-32bit/packages.yml | 3 +++ bootstrap/generated-dists/debian12/bootstrap.sh | 3 +++ bootstrap/generated-dists/debian12/packages.yml | 3 +++ bootstrap/generated-dists/ubuntu1804-32bit/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1804-32bit/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1804/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu2004/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu2204/bootstrap.sh | 3 +++ bootstrap/generated-dists/ubuntu2204/packages.yml | 3 +++ bootstrap/sha1sum.txt | 2 +- source4/torture/smb2/acls.c | 2 +- 21 files changed, 55 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/.codespellignore b/.codespellignore index ee56c0af3ec..c2f4c37feab 100644 --- a/.codespellignore +++ b/.codespellignore @@ -1,11 +1,15 @@ aas afile ags +alloced ans +ba blong browseable +bre bu clen +creat daa ect fo @@ -16,6 +20,7 @@ inout ist keypair mis +msdos nd ois ommit @@ -43,6 +48,7 @@ ue unsecure unx uptodateness +wan ypes som vas diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 9c1ddc69fd5..6614ef74e64 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 21a93787675107f010836bbfa5e8542c272bc4b0 + SAMBA_CI_CONTAINER_TAG: 07a822597b5bce4af9e8e2987856b27eb20bd1b7 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -391,8 +391,6 @@ samba-fips: samba-codecheck: extends: .shared_template needs: - variables: -SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_fedora38} stage: build_first .private_test_only: diff --git a/bootstrap/config.py b/bootstrap/config.py index d531dfc0e63..cfee5e049ce 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -42,6 +42,7 @@ COMMON = [ 'ccache', 'curl', 'chrpath', +'codespell', 'flex', 'gcc', 'gdb', @@ -58,6 +59,7 @@ COMMON = [ 'rng-tools', 'rsync', 'sed', +'shfmt
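Review bot: the .codespellignore hunks add very short tokens (`ba`, `bre`, `wan`, `creat`) to a list that applies to the whole tree, so a genuine typo that happens to match one of them will no longer be reported anywhere. The commit message only says the list was adjusted "in order to pass on ubuntu 22.04"; please note, in the commit message or next to the entries, which source file or identifier each new word comes from, so that entries can be dropped again when the code that needs them goes away.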
Re: [cifs-protocol] LdapEnforceChannelBinding details
On 28.09.23 at 16:19, Stefan Metzmacher via cifs-protocol wrote:

Hi DocHelp,

I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working.

MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application.

MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint" channel bindings should be used.

Can you please document with example values how ServerChannelBindingsUnhashed is constructed.

I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)

  [0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
  [0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

Ok, I've looked at the openldap code and found out that I have to prefix this with "tls-server-end-point:". With that I got it working...

However these details would be good to have in MS-ADTS.

metze
[cifs-protocol] LdapEnforceChannelBinding details
Hi DocHelp,

I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working.

MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application.

MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint" channel bindings should be used.

Can you please document with example values how ServerChannelBindingsUnhashed is constructed.

I'm getting these 32 bytes from gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)

  [0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
  [0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And I'm also getting this when I manually copy the certificate blob from the TLS1.2 Server Certificate message and do a sha256sum on it.

I tried the following already.

  4-zero bytes for initiator_addrtype
  4-zero bytes for initiator_address.length
  4-zero bytes for acceptor_addrtype
  4-zero bytes for acceptor_address.length
  4 little endian bytes for '32' application_data.length
  32 bytes for application_data.data

  [0000] 00 00 00 00   ....
  [0000] 00 00 00 00   ....
  [0000] 00 00 00 00   ....
  [0000] 00 00 00 00   ....
  [0000] 20 00 00 00    ...
  [0000] 84 84 FE 71 87 5F 0E 25 9B 7C 0D AA 40 7C DF D9   ...q._.% .|..@|..
  [0010] 57 B4 4C 6B 8B EB 1E FC 3C 84 27 5D CE 72 AD E2   W.Lk.... <.'].r..

And the resulting MD5 hash over all of this is:

  [0000] 00 3D 9C 0F D6 63 38 B1 B0 F8 53 63 A8 0A C8 6D   .=...c8. ..Sc...m

And I put this into the NTLMv2 exchange:

  pair: struct AV_PAIR
    AvId : MsvChannelBindings (0xA)
    AvLen: 0x0010 (16)
    Value: union ntlmssp_AvValue(case 0xA)
      ChannelBindings : 003d9c0fd66338b1b0f85363a80ac86d

LDAP error 49 LDAP_INVALID_CREDENTIALS - <80090346: LdapErr: DSID-0C0905E2, comment: AcceptSecurityContext error, data 80090346, v3839>

80090346 is HRES_SEC_E_BAD_BINDINGS

Can you please clarify this?

Thanks!
metze
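The construction this thread arrives at (the gss_channel_bindings layout from the original post plus the "tls-server-end-point:" prefix from the reply), as an added example that is not part of either message and is not Samba's code. Function names and the classify() labels are assumptions made for illustration; the hash-selection rule is taken from RFC 5929 and the all-zero "no bindings" convention from MS-NLMP, not from the thread.

```python
import hashlib
import hmac
import struct

# Certificate hash quoted in the thread, i.e. the output of
# gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT).
CERT_HASH = bytes.fromhex(
    "8484fe71875f0e259b7c0daa407cdfd9"
    "57b44c6b8beb1efc3c84275dce72ade2"
)
PREFIX = b"tls-server-end-point:"   # the missing piece found via the OpenLDAP code
MSV_AV_EOL = 0x0000                 # AV_PAIR list terminator (MS-NLMP)
MSV_AV_CHANNEL_BINDINGS = 0x000A    # AvId from the AV_PAIR dump in the thread


def server_end_point_hash(cert_der, sig_hash="sha256"):
    """RFC 5929 tls-server-end-point: hash the DER certificate with the hash of
    its signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256."""
    name = sig_hash.lower().replace("-", "")
    if name in ("md5", "sha1"):
        name = "sha256"
    return hashlib.new(name, cert_der).digest()


def gss_channel_bindings(application_data):
    """gss_channel_bindings_struct as laid out in the thread: four zero 32-bit
    fields (address types and lengths), then little-endian length and data."""
    return struct.pack("<5I", 0, 0, 0, 0, len(application_data)) + application_data


def channel_bindings_md5(cert_hash, with_prefix=True):
    """MD5 that goes into MsvChannelBindings. with_prefix=False reproduces the
    layout the original post tried, which the server rejected."""
    app_data = (PREFIX if with_prefix else b"") + cert_hash
    return hashlib.md5(gss_channel_bindings(app_data)).digest()


def av_pair(av_id, value):
    """Encode one AV_PAIR: AvId and AvLen as little-endian uint16, then Value."""
    return struct.pack("<HH", av_id, len(value)) + value


def find_channel_bindings(av_pairs):
    """Walk an AV_PAIR list and return the MsvChannelBindings value, or None."""
    off = 0
    while off + 4 <= len(av_pairs):
        av_id, av_len = struct.unpack_from("<HH", av_pairs, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return None
        if off + av_len > len(av_pairs):
            raise ValueError("truncated AV_PAIR")
        if av_id == MSV_AV_CHANNEL_BINDINGS:
            if av_len != 16:
                raise ValueError("MsvChannelBindings must be 16 bytes")
            return av_pairs[off:off + av_len]
        off += av_len
    raise ValueError("AV_PAIR list has no MsvAvEOL terminator")


def classify(received, cert_hash):
    """Server-side triage of a client's MsvChannelBindings value."""
    if received is None or received == bytes(16):
        return "absent"          # MS-NLMP: all-zero hash means no bindings
    if hmac.compare_digest(received, channel_bindings_md5(cert_hash)):
        return "match"
    if hmac.compare_digest(received, channel_bindings_md5(cert_hash, False)):
        return "missing-prefix"  # the mistake described in the thread
    return "mismatch"


if __name__ == "__main__":
    good = channel_bindings_md5(CERT_HASH)
    # Constructed AV_PAIR list: a dummy 8-byte timestamp (AvId 7), the bindings, EOL.
    blob = (av_pair(7, bytes(8))
            + av_pair(MSV_AV_CHANNEL_BINDINGS, good)
            + av_pair(MSV_AV_EOL, b""))
    print(good.hex(), classify(find_channel_bindings(blob), CERT_HASH))
```

A server or test harness can log the classify() result next to SEC_E_BAD_BINDINGS failures to tell a client that omits the prefix apart from one bound to a different certificate.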
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5b7f9840f76 selftest: add some basic testing for the io_uring vfs module from 96e18e17748 s3:param: Remove unused lp_set_cmdline() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5b7f9840f766eb91f1f9df68e6d2a01898612890 Author: Stefan Metzmacher Date: Sat Sep 16 20:00:33 2023 +0200 selftest: add some basic testing for the io_uring vfs module We're now able to build it on all linux systems and the ci runners have at least a 5.4 kernel. That's all the current vfs_io_uring requires. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Sun Sep 17 18:04:18 UTC 2023 on atb-devel-224 --- Summary of changes: selftest/target/Samba3.pm | 5 + source3/selftest/tests.py | 12 2 files changed, 17 insertions(+) Changeset truncated at 500 lines: diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 39831afc599..a28e2be0581 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -2010,6 +2010,11 @@ sub setup_fileserver acl_xattr:security_acl_name = user.hackme read only = no +[io_uring] + path = $share_dir + vfs objects = acl_xattr fake_acls xattr_tdb streams_depot time_audit full_audit io_uring + read only = no + [homes] comment = Home directories browseable = No diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index fa51f7fdcbd..5fece702372 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py 
@@ -1391,6 +1391,18 @@ plansmbtorture4testsuite( "simpleserver", '//$SERVER/external_streams_depot -U$USERNAME%$PASSWORD') +vfs_io_uring_tests = { +"smb2.connect", +"smb2.credits", +"smb2.rw", +"smb2.bench", +"smb2.ioctl", +} +for t in vfs_io_uring_tests: +plansmbtorture4testsuite(t, "fileserver", + '//$SERVER_IP/io_uring -U$USERNAME%$PASSWORD', + "vfs_io_uring") + test = 'rpc.lsa.lookupsids' auth_options = ["", "ntlm", "spnego", "spnego,ntlm", "spnego,smb1", "spnego,smb2"] signseal_options = ["", ",connect", ",packet", ",sign", ",seal"] -- Samba Shared Repository
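Review bot: in source3/selftest/tests.py `vfs_io_uring_tests` is written as a set literal, so the `for t in vfs_io_uring_tests:` loop plans the five suites in an order that is not fixed and can differ from one run to the next. Use a list, or iterate over `sorted(vfs_io_uring_tests)`, so the generated test plan is stable and two failing runs can be compared line by line.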
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4af3faace48 nsswitch/wb_common.c: fix socket fd and memory leaks of global state via 91b30a7261e nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key via 836823e5047 nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx() via 4faf806412c nsswitch/wb_common.c: fix build without HAVE_PTHREAD via 62af25d44e5 nsswitch: add test for pthread_key_delete missuse (bug 15464) via 19fb9a97dff .gitlab-ci: Allow ext4 jobs to run on shared runners via b1e83b6cede .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel via 416ff2c651f .gitlab-ci: restore starting ubuntu2204-samba-o3 for the default pipeline from 0f1443d968c smbd: make vfs_stat_fsp() a no-op on fake file-handles https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4af3faace481d23869b64485b791bdd43d8972c5 Author: Stefan Metzmacher Date: Thu Sep 7 15:59:59 2023 +0200 nsswitch/wb_common.c: fix socket fd and memory leaks of global state When we are called in wb_atfork_child() or winbind_destructor(), wb_thread_ctx_destructor() is not called for the global state of the current nor any other thread, which means we would leak the related memory and socket fds. Now we maintain a global list protected by a global mutex. We traverse the list and close all socket fds, which are no longer used (winbind_destructor) or no longer valid in the current process (wb_atfork_child), in addition we 'autofree' the ones, which are only visible internally as global (per thread) context. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224 commit 91b30a7261e6455d3a4f31728c23e4849e3945b9 Author: Stefan Metzmacher Date: Fri Sep 8 09:56:47 2023 +0200 nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key If nss_winbind is loaded into a process that uses fork multiple times without any further calls into nss_winbind, wb_atfork_child handler was using a wb_global_ctx.key that was no longer registered in the pthread library, so we operated on a slot that was potentially reused by other libraries or the main application. Which is likely to cause memory corruption. So we better don't call pthread_key_delete() in wb_atfork_child(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Reported-by: Krzysztof Piotr Oledzki Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 836823e5047d0eb18e66707386ba03b812adfaf8 Author: Stefan Metzmacher Date: Fri Sep 8 09:53:42 2023 +0200 nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx() The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all required magic. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 4faf806412c4408db25448b1f67c09359ec2f81f Author: Stefan Metzmacher Date: Thu Sep 7 16:02:32 2023 +0200 nsswitch/wb_common.c: fix build without HAVE_PTHREAD BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 62af25d44e542548d8cdecb061a6001e0071ee76 Author: Stefan Metzmacher Date: Fri Sep 8 13:57:26 2023 +0200 nsswitch: add test for pthread_key_delete missuse (bug 15464) This is based on https://bugzilla.samba.org/attachment.cgi?id=18081 written by Krzysztof Piotr Oledzki BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison commit 19fb9a97dff2c0222d89a19bc9b0cd27f0306408 Author: Andrew Bartlett Date: Wed Sep 6 09:37:19 2023 +1200 .gitlab-ci: Allow ext4 jobs to run on shared runners At the time of this commit, GitLab shared runners tagged "gce" were 2x AMD EPYC 7B12 with 8GB ram. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit b1e83b6cede6ad50e417a6cff583a9ab25f8c980 Author: Stefan Metzmacher Date: Thu Sep 14 10:42:55 2023 +0200 .gitlab-ci: make it explicit that some tests require ext4/5.15 kernel This is better then requiring private runners, as we'll be able to use shared runners for ext4 soon. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 416ff2c651fcbfae83cdf3b6f3c3317d1c146d3f Author: Stefan Metzmacher Date: Wed Sep 13 17:
Re: [cifs-protocol] [MS-NRPC] DCERPC_NCA_S_FAULT_INVALID_TAG returned instead of STATUS_INVALID_LEVEL - TrackingID#2307200040007944
Hi Jeff,

We have updated [MS-NRPC] for the next release to address this issue. We have added the following Behavior Note to section 3.5.4.4.10:

<197> Section 3.5.4.4.10: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends on where the calling application is getting the error from:

1. If the client is running on Windows and calling Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] section 2.2).
2. If the client is running on third-party operating systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag (0x1C06). ([C706-RSCP] DCE 1.1: Remote Procedure Call - Reject Status Codes and Parameters).
3. The conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code RPC_S_INVALID_TAG is specified in [MS-RPCE] Section 3.1.1.5.5.

I hope that helps.

Yes, thanks!

In addition I think 3.1.4.1 Session-Key Negotiation could be much more verbose in a way that it would describe how safe downgrade is possible and how an unsafe downgrade is detected.

metze
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 171171565f1 .gitlab-ci: Do builds under /builds as this is never an overlayfs from 0e244ff79b6 s3:torture: Remove masktest.c https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 171171565f1909592cf728d3f6d78c611c6a30ed Author: Andrew Bartlett Date: Tue Sep 5 20:28:02 2023 +1200 .gitlab-ci: Do builds under /builds as this is never an overlayfs On the GitLab shared runners / is overlayfs, which /builds being ext, so we want this real filesystem, which should be faster in any case. This may allow us to use GitLab shared runners for more jobs. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Sep 5 14:20:48 UTC 2023 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml | 54 ++--- 1 file changed, 27 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 729de8654bb..30c1980209f 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -170,7 +170,7 @@ include: script: # gitlab predefines CI_JOB_NAME for each job. The gitlab job usually matches the # autobuild name, which means we can define a default template that runs most autobuild jobs -- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase +- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase # Ensure when adding a new job below that you also add it to # the dependencies for 'pages' below for the code coverage page 
@@ -179,14 +179,14 @@ include: others: extends: .shared_template script: -- script/autobuild.py ldb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/ldb -- script/autobuild.py pidl $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/pidl -- script/autobuild.py replace $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/replace -- script/autobuild.py talloc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/talloc -- script/autobuild.py tdb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/tdb -- script/autobuild.py tevent $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/tevent -- script/autobuild.py samba-xc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/samba-xc -- script/autobuild.py docs-xml $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /tmp/samba-testbase/docs-xml +- script/autobuild.py ldb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/ldb +- script/autobuild.py pidl $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/pidl +- script/autobuild.py replace $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/replace +- script/autobuild.py talloc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/talloc +- script/autobuild.py tdb $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase 
/builds/samba-testbase/tdb +- script/autobuild.py tevent $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/tevent +- script/autobuild.py samba-xc $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/samba-xc +- script/autobuild.py docs-xml $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose --nocleanup --keeplogs --tail --full-testbase /builds/samba-testbase/docs-xml .shared_template_build_only: extends: .shared_template @@ -203,20 +203,20 @@ others: script: # gitlab predefines CI_JOB_NAME for each job. The gitlab job usually matches the # autobuild name, which means we can define a default template that runs most autobuild jobs -- script/autobuild.py $AUTOBUILD_JOB_NAME $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE --verbose
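Review bot: the new test base /builds/samba-testbase is written out as a literal in the template script line and in all eight entries of the others job, so the next relocation means editing every line again; define the base once as a CI variable and append the per-job suffix (/ldb, /pidl, ...) to it. Nothing visible in these hunks creates or cleans /builds/samba-testbase, and every command passes --nocleanup, so it is worth confirming that the directory is writable by the job user and that a reused runner cannot carry test state from one job into the next.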
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5ec660160e4 smbclient3: Get all reparse data for allinfo via a0edab50920 libsmb: Retry with OPEN_REPARSE_POINT on IO_REPARSE_TAG_NOT_HANDLED via eb3e9315fc6 libsmb: Factor out cli_get_reparse_data() from cli_readlink() via 8ad55c382ac libsmb: Move symlink_reparse_buffer_parse() to reparse.c via e99e676bd29 libsmb: Some README.Coding for symlink_reparse_buffer_parse() via e71a6ab5dde pylibsmb: Use reparse_data_buffer_parse() via e20919af5b6 libsmb: Use reparse_data_buffer_parse() to get symlink error resp via 2e20e984e5f libsmb: Use reparse_data_buffer_parse() in cli_readlink() via 97ba7b681f3 libcli: Add general reparse point data parsing via 9831fbeb8f0 libcli: Make symlink_reparse_buffer_parse() more flexible via 874c693b581 smbd: Don't crash in cli_fsctl_send() from f348b84fbcf s3:smbd: fix multichannel connection passing race https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5ec660160e414c18a6ea0e61ef9e7c970dc3d7a1 Author: Volker Lendecke Date: Thu Jul 6 17:53:35 2023 +0200 smbclient3: Get all reparse data for allinfo If we hit a reparse point in point, it might be something but a symlink. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Aug 10 14:36:40 UTC 2023 on atb-devel-224 commit a0edab509206bb0d4aa3ccd87542181bac486207 Author: Volker Lendecke Date: Wed Jul 5 16:38:32 2023 +0200 libsmb: Retry with OPEN_REPARSE_POINT on IO_REPARSE_TAG_NOT_HANDLED Eventually we'll have to make STOPPED_ON_SYMLINK special to handle the symlink response, but for now they are the same. STOPPED_ON_SYMLINK will tell us where the symlink is, REPARSE_TAG_NOT_HANDLED won't. So if there's an unhandled reparse point somewhere in the path, there's no really good way to handle this. We'll get the REPARSE_TAG_NOT_HANDLED the second time as well. Even SMB1 QPATHINFO gets this when you try to cross a NFS reparse point. 
Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit eb3e9315fc6eca6139a89ea25a367aa9d2559565 Author: Volker Lendecke Date: Thu Jul 6 17:34:31 2023 +0200 libsmb: Factor out cli_get_reparse_data() from cli_readlink() Will be used in smbclient's allinfo command: Reparse points are more than just symlinks. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 8ad55c382ac7b76996936adcc73856eaef86b0fb Author: Volker Lendecke Date: Tue Aug 1 15:57:50 2023 +0200 libsmb: Move symlink_reparse_buffer_parse() to reparse.c The goal of this is to eventually remove reparse_symlink.c once we have marshalling routines for symlinks in reparse.c Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e99e676bd29950c3c7806d7c8e1a5931ee0640a7 Author: Volker Lendecke Date: Tue Aug 1 15:36:15 2023 +0200 libsmb: Some README.Coding for symlink_reparse_buffer_parse() Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e71a6ab5ddef9bdfff85f677a086e4ab1e03b232 Author: Volker Lendecke Date: Tue Aug 1 15:26:49 2023 +0200 pylibsmb: Use reparse_data_buffer_parse() Remove the last direct caller of symlink_reparse_buffer_parse() Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit e20919af5b65f6e056e1b2b01f58e19cc7f35a33 Author: Volker Lendecke Date: Fri Jul 7 11:55:50 2023 +0200 libsmb: Use reparse_data_buffer_parse() to get symlink error resp Gets a nicer error message Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 2e20e984e5fee41e66b03552fdd921fa4fb7ed2e Author: Volker Lendecke Date: Fri Jul 7 11:40:19 2023 +0200 libsmb: Use reparse_data_buffer_parse() in cli_readlink() Gives the chance of better debug higher up (not used yet) Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 97ba7b681f38793d59d5753830f0cac942120ed8 Author: Volker Lendecke Date: Thu Jul 6 11:51:07 2023 +0200 libcli: Add general reparse point data parsing When we retrieve reparse point data, we don't know before what we get. 
Right now all we do is expect a symlink, but we could get other types as well. Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 9831fbeb8f08587a36372da653bc78ed2ff0493c Author: Volker Lendecke Date: Thu Jul 6 16:19:06 2023 +0200 libcli: Make symlink_reparse_buffer_parse() more flexible Allow the destination struct to be preallocated Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison commit 874c693b5817f7512cf435be498764fbe329e507 Author: Volker Lendecke
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 00316255984 dsdb: Make a shallow copy of ldb_parse_tree in operational module via 3b51091c20a dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results via 1b68bd977af paged_results: add no memory checks in paged_search() via c67534fe3ff selftest: Add test for combination of anr and paged_results via 8f4c1c67b4f vfs_aio_pthread: fix segfault if samba-tool ntacl get from d23dd3e26c5 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 003162559848ce45d4f5bd3fb66642960538120f Author: Andrew Bartlett Date: Wed Aug 2 14:13:00 2023 +1200 dsdb: Make a shallow copy of ldb_parse_tree in operational module We should not be making modifications to caller memory. In particular, this causes problems for logging of requests if the original request becomes modified. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Aug 2 12:10:20 UTC 2023 on atb-devel-224 commit 3b51091c20a3c807932bcc986ebb8a676e0ffe6a Author: Andrew Bartlett Date: Wed Aug 2 14:12:07 2023 +1200 dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results We should not be stealing caller memory like this, and while a talloc_reference() is not much better, this combined with a shallow copy should be a little better in terms of polite memory management. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 1b68bd977af39263a71af2c6a314c5ccb29e348c Author: Stefan Metzmacher Date: Tue Feb 8 00:41:54 2022 +0100 paged_results: add no memory checks in paged_search() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442 Signed-off-by: Arvid Requate Signed-off-by: Stefan Metzmacher Signed-off-by: Andrew Bartlett [abart...@samba.org combination of two patches by the above authors] commit c67534fe3ff1652dcf95eac2030778b066cdf7a4 Author: Andrew Bartlett Date: Wed Aug 2 13:40:03 2023 +1200 selftest: Add test for combination of anr and paged_results This combination was known to cause a segfault in Samba 4.13, fixed by 5f0590362c5c0c5ee20503a67467f9be2d50e73b in later versions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14970 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2 Author: Jones Syue Date: Wed Aug 2 09:48:40 2023 +0800 vfs_aio_pthread: fix segfault if samba-tool ntacl get If configured as AD DC and aio_pthread appended into 'vfs objects'[1], run these commands would get segfault: 1. sudo samba-tool ntacl get . 2. sudo net vfs getntacl sysvol . gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2], and the fsp->conn->sconn->client is null (0x0). 'sconn->client' memory is allocated when a new connection is accepted: smbd_accept_connection > smbd_process > smbXsrv_client_create While running local commands looks like it would not go through smbXsrv_client_create so the 'client' is null, segfault might happen. We should not dereference 'client->server_multi_channel_enabled', if 'client' is null.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441 [1] smb.conf example, samba-4.18.5, ubuntu 22.04.2 [global] dns forwarder = 127.0.0.53 netbios name = U22-JONES-88X1 realm = U22-JONES-88X1.X88X1.JONES server role = active directory domain controller workgroup = X88X1 idmap_ldb:use rfc2307 = yes vfs objects = dfs_samba4 acl_xattr aio_pthread [sysvol] path = /var/lib/samba/sysvol read only = No [netlogon] path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts read only = No [2] gdb (gdb) run /usr/local/samba/bin/samba-tool ntacl get . Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get . [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x7fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467 warning: Source file is more recent than executable. 467 if (fsp->conn->sconn-
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d23dd3e26c5 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() via 78669a04589 dsdb: Add tracing to dsdb_search() similar to gendb_search_v() via acf6d89c3e2 dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c via 5cc861603a6 lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern via c58a714232b lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries via 3ef5162dcdd auth:credentials: Fix resource leak in cli_credentials_set_from_ccache() via 256471299ac auth:kerberos: Fix resource leak in smb_krb5_update_keytab() via f1356805ba5 auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container() via dfc26dc494e auth:kerberos: Fix resource leak in parse_principal() via f374da1dd91 s4:auth: Fix trailing whitespaces in kerberos_util.c from 16eaf7fd52e gp: Cleanup some unused code https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d23dd3e26c5291a381f3576e3a864d8b697ec5ae Author: Andrew Bartlett Date: Mon Jul 31 16:07:46 2023 +1200 dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v() The aim of this tracing is to make it simple to follow the requests made from the RPC server and similar to LDB now that gendb_search_v() is no longer the dominant interface. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224 commit 78669a0458985175da6330c726f2da202db249ae Author: Andrew Bartlett Date: Mon Jul 31 16:03:53 2023 +1200 dsdb: Add tracing to dsdb_search() similar to gendb_search_v() The aim of this tracing is to make it simple to follow the requests made from the RPC server and similar to LDB now that gendb_search_v() is no longer the dominant interface. 
Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit acf6d89c3e2c18784a8d0ba7c9bf0c07502ae000 Author: Andrew Bartlett Date: Mon Jul 31 16:02:25 2023 +1200 dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c This will be useful when adding debugging to other routines. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 5cc861603a6b27a5a16ea4e0201953c65c1309d9 Author: Andrew Bartlett Date: Mon Jul 31 14:02:12 2023 +1200 lib/util: Move DEBUG() calls in gendb_search_v to common levels and new DBG_*() pattern This moves success logs 6 -> 10, failure logs 4 -> 5. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher commit c58a714232b1c904359d623e28ac53ed6ef0f30e Author: Pavel Filipenský Date: Wed Jul 26 22:37:51 2023 +0200 lib:krb5_wrap: Fix resource leak in smb_krb5_kt_seek_and_delete_old_entries Reported by Red Hat internal covscan leaked_storage: Variable "cursor" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3ef5162dcdd1a89497163cd361a2b61d6e1a1540 Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:credentials: Fix resource leak in cli_credentials_set_from_ccache() Reported by Red Hat internal covscan leaked_storage: Variable "princ" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 256471299ac2c19d813f98f513ac1a444bad7fca Author: Pavel Filipenský Date: Wed Jul 26 16:25:26 2023 +0200 auth:kerberos: Fix resource leak in smb_krb5_update_keytab() Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to. 
Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit f1356805ba505e28b2daccd18b044b3c7255064c Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container() Reported by Red Hat internal covscan leaked_storage: Variable "keytab" going out of scope leaks the storage it points to. Signed-off-by: Pavel Filipenský Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit dfc26dc494eb9d80fe5b19b0ed41cedd0e187dbd Author: Pavel Filipenský Date: Wed Jul 26 16:28:36 2023 +0200 auth:kerberos: Fix resource leak in parse_principal() Reported by Red Hat internal covscan leaked_storage: Variable "princ" going out of scope leaks the storage
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5571ce9619d dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() via 4250d07e4dc dsdb: Use samdb_system_container_dn() in dsdb_trust_*() via 9b4f3f3cb4e s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() via 13eed1e0e7d s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() via a900f6aa5d9 s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() via 4e18066fa24 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() via 3669caa97f7 dsdb: Use samdb_get_system_container_dn() to get Password Settings Container via 97b682e0eb0 dsdb: Use samdb_system_container_dn() in samldb.c via 25b0e1102e1 dsdb: Add new function samdb_system_container_dn() via 2d461844a20 Bug #9959: Don't search for CN=System via b6e80733c3a For Bug #9959: local talloc frame for next commit from 0bf8b25aacd s3/modules: Fix DFS links when widelinks = yes https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5571ce9619d856d3c9545099366f4e0259aee8ef Author: Andrew Bartlett Date: Thu Jul 27 17:18:45 2023 +1200 dsdb: Use samdb_system_container_dn() in pdb_samba_dsdb_*() This makes more calls to add children, but avoids the cn=system string in the codebase which makes it easier to audit that this is always being built correctly. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 31 07:20:21 UTC 2023 on atb-devel-224 commit 4250d07e4dcd43bf7450b1ae603ff46fdc892d02 Author: Andrew Bartlett Date: Thu Jul 27 17:14:30 2023 +1200 dsdb: Use samdb_system_container_dn() in dsdb_trust_*() This is now exactly the same actions, but just uses common code to do it. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 9b4f3f3cb4ed17bb233d3b5ccd191be63f01f3f4 Author: Andrew Bartlett Date: Thu Jul 27 17:11:39 2023 +1200 s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 13eed1e0e7d0bdef6b5cdb6b858f124b812adbea Author: Andrew Bartlett Date: Thu Jul 27 17:09:31 2023 +1200 s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit a900f6aa5d909d912ee3ca529baa4047c9c4da87 Author: Andrew Bartlett Date: Thu Jul 27 17:00:21 2023 +1200 s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array() This is now exactly the same actions, but just uses common code to do it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 4e18066fa243da1c505f782ba87187c3bb1078ee Author: Andrew Bartlett Date: Thu Jul 27 16:58:13 2023 +1200 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state() This is now exactly the same actions, but just uses common code to do it. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3669caa97f76d3e893ac6a1ab88341057929ee6a Author: Andrew Bartlett Date: Thu Jul 27 16:44:10 2023 +1200 dsdb: Use samdb_get_system_container_dn() to get Password Settings Container By doing this we use the common samdb_get_system_container_dn() routine and we avoid doing a linearize and parse step on the main DN, instead using the already stored parse of the DN. This is more hygienic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 97b682e0eb0450513dcecb74be672e18e84fe7a2 Author: Andrew Bartlett Date: Thu Jul 27 16:29:34 2023 +1200 dsdb: Use samdb_system_container_dn() in samldb.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959 Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 25b0e1102e1a502152d2695aeddf7c6b16fb Author: Andrew Bartlett Date: Thu Jul 27 16:12:11 2023 +1200 dsdb: Add new function samdb_system_container_dn() This will replace many calls crafting or searching for this DN elsewhere in the code
[SCM] Samba Shared Repository - annotated tag ldb-2.8.0 created
The annotated tag, ldb-2.8.0 has been created at 36364505dcb1edd614a732b93bd6479ac9958da6 (tag) tagging 94f11c3c21bc3b8a34d376ab99becd2c6260af62 (commit) replaces tevent-0.15.0 tagged by Stefan Metzmacher on Fri Jul 28 14:09:13 2023 +0200 - Log - ldb: tag release ldb-2.8.0 Andreas Schneider (19): s3:param: Rename bLoaded global variable s3:param: Fix code spelling s3:passdb: Fix code spelling s3:printing: Fix trailing white spaces in print_iprint.c s3:printing: Fix code spelling s3:printing: Rename variably to dummy to make codespell happy s3:registry: Fix code spelling s3:rpc_client: Fix code spelling s3:rpc_server: Fix code spelling s3:script: Fix code spelling s3:selftest: Fix code spelling s3:smbd: Fix trailing white spaces in dmapi.c s3:smbd: Fix trailing white spaces in quotas.c s3:smbd: Fix code spelling s3:torture: Fix code spelling s3:utils: Fix code spelling s3:winbindd: Fix code spelling s3:waf: Fix code spelling Revert "s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon" Andrew Bartlett (21): WHATSNEW: Add text on PKINIT Certificate Revocation WHATSNEW: Include info on new samba-tool features WHATSNEW: PKINIT testing WHATSNEW: Expand detail on what of 2012, 2012R2 and 2016 support is implemented WHATSNEW: Mention Heimdal updates WHATSNEW: FAST support, Claims compression, SID compression WHATSNEW: mention KDC auditing WHATSNEW: Mention new unicodePwd only over encrypted LDAP restriction lib/fault: During smb_panic() print process comment and setprocname() 
title lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn() python: Move PyList_AsStringList to common code so we can reuse python: Remove const from PyList_AsStringList() python: Add glue.burn_commandline() method samba-tool: Use samba.glue.get_burnt_cmdline rather than regex lib/cmdline: Also burn the --password2 parameter if given lib/cmdline: Also redact --newpassword in samba_cmdline_burn() docs-xml: Fix invalid XML in smbcontrol manpage doc-xml: Add entry for reload-certs for new LDAP certificate reload function WHATSNEW: Add TLS cert reload feature dcom: Remove remainder of DCOM test client code librpc/idl: Remove DCOM and WMI IDL Dmitry Antipov (1): s4:param: replace calls to deprecated Python methods Jeremy Allison (2): s3: torture: Add test to show an SMB1 DFS path of "\\x//\\/" crashes smbd. s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators. Joseph Sutton (1): claims.idl: Fix AD claims encoding Jule Anger (9): s4:process_prefork: avoid memory leaks caused by messaging_post_self s4:process: add method called before entering the tevent_loop_wait s4:process_prefork: create new messaging context for the master process s4:tls_tstream: create tstream_tls_params_internal s4:ldap_server: don't store task_server in ldapsrv_service s4:ldap_server: remember dns_host_name in ldap_service s4:ldap_server: reload tls certificates on smbcontrol reload-certs testprogs/blackbox: add test_ldap_tls_reload.sh ldb: release 2.8.0 for use in Samba 4.19.x Martin Schwenke (10): ctdb-utils: Drop unused scsi_io.c source file ctdb-doc: Correct bit-rotted documenation ctdb: Do not use egrep ctdb-recoverd: CID 1509028 - Use of 32-bit time_t (Y2K38_SAFETY) ctdb-scripts: Reformat with "shfmt -w -p -i 0 -fn" ctdb-scripts: Avoid ShellCheck warning SC2162 ctdb-scripts: Support script logging to stderr ctdb-tests: Log to stderr in statd-callout tests ctdb-tools: Always print script output in event status ctdb-tools: 
Improve printing of multi-line event script output Noel Power (1): python/samba: Adjust tarfile extraction filter Pavel Filipenský (13): s3:winbind: Add callback winbind_call_flow() s3:winbind: Update winbind to tevent 0.15.0 API s3:winbind: Set/unset the winbind_call_flow callback if log level changes s3:winbindd: Change the TALLOC_CTX to fix the tevent call depth tracking docs-xml:manpages: Fix tabs in samba
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7319c7596ea ldb: change the version to 2.9.0 for Samba 4.20 via 1771ee694f4 WHATSNEW: Start release notes for Samba 4.20.0pre1. via c403201af33 VERSION: Bump version up to 4.20.0pre1... via 4f12024cafa VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release. via 6943c1e3cde WHATSNEW: Up to Samba 4.19.0rc1. via 94f11c3c21b ldb: release 2.8.0 for use in Samba 4.19.x via 7920d2ff627 ctdb-tools: Improve printing of multi-line event script output via e3c0b72c340 ctdb-tools: Always print script output in event status via e36a4149d80 librpc/idl: Remove DCOM and WMI IDL via abc3d58e1cc dcom: Remove remainder of DCOM test client code via 959dc9068d1 librpc:crypto: SAFE_FREE() -> krb5_free_enctypes() via 05056775eae librpc:crypto: SAFE_FREE() -> krb5_free_string() via ec121eb831d auth:credentials: SAFE_FREE() -> krb5_free_string() via cd60e3fdef4 auth:credentials: SAFE_FREE() -> krb5_free_enctypes() via c5778a0fbdd krb5_wrap: add krb5_free_string() via 75139445c20 krb5_wrap: add krb5_free_enctypes() via 9338d1b17c4 smbd: move tevent_req_post() out of smbd_smb2_create_after_exec() from 20df26b9081 s3: smbd: Sanitize any "server" and "share" components of SMB1 DFS paths to remove UNIX separators. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7319c7596ea93b06c0c8e7b0926ebdbf08851d11 Author: Jule Anger Date: Tue Jul 25 15:56:59 2023 +0200 ldb: change the version to 2.9.0 for Samba 4.20 Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jul 28 11:49:02 UTC 2023 on atb-devel-224 commit 1771ee694f47db03d24712e75ded55244ffe2418 Author: Stefan Metzmacher Date: Fri Jul 28 11:52:19 2023 +0200 WHATSNEW: Start release notes for Samba 4.20.0pre1. 
Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit c403201af33bc7b5510e2249e1c395a869ed3949 Author: Stefan Metzmacher Date: Fri Jul 28 11:53:50 2023 +0200 VERSION: Bump version up to 4.20.0pre1... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 4f12024cafa0aa50325b390418407419a46423ac Author: Stefan Metzmacher Date: Fri Jul 28 11:49:28 2023 +0200 VERSION: Disable GIT_SNAPSHOT for the Samba 4.19.0rc1 release. Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 6943c1e3cde5359f5c2ebdf90e8985bf97a40ea5 Author: Jule Anger Date: Tue Jul 25 15:59:19 2023 +0200 WHATSNEW: Up to Samba 4.19.0rc1. Signed-off-by: Jule Anger commit 94f11c3c21bc3b8a34d376ab99becd2c6260af62 Author: Jule Anger Date: Tue Jul 18 10:48:57 2023 +0200 ldb: release 2.8.0 for use in Samba 4.19.x * CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270) * pyldb: Raise an exception if ldb_dn_get_parent() fails * Implement ldap_whoami in pyldb and add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition * Documentation and spelling fixes * Add ldb_val -> bool,uint64,int64 parsing functions * Split out ldb_val_as_dn() helper function * add LDB_CHANGETYPE_MODRDN support to ldb_ldif_to_pyobject() * add LDB_CHANGETYPE_DELETE support to ldb_ldif_to_pyobject() * let ldb_ldif_parse_modrdn() handle names without 'rdn_name=' prefix * Don't create error string if there is no error * Avoid allocation and memcpy() for every wildcard match candidate * Make ldb_msg_remove_attr O(n) * pyldb: Throw error on invalid controls * pyldb: remove py2 ifdefs * Call tevent_set_max_debug_level(TEVENT_DEBUG_TRACE) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270 Signed-off-by: Jule Anger Signed-off-by: Stefan Metzmacher commit 7920d2ff627c6ef252e59b428236919ed0abb6ba Author: Martin Schwenke Date: Wed Jul 12 10:39:06 2023 +1000 ctdb-tools: Improve printing of multi-line event script output Multi-line output currently prints 
like this: OUTPUT: aaa bbb ccc This is less beautiful than it could be. Instead, print multi-line output with no inlining and each line indented: OUTPUT: aaa bbb ccc However, continue to inline single line output: OUTPUT: foo Signed-off-by: Martin Schwenke Reviewed-by: Amitay Isaacs commit e3c0b72c340f86b1d6e4fd009d1082c7e477fd04 Author: Martin Schwenke Date: Wed Jul 12 10:39:06 2023 +1000 ctdb-tools: Always print script output in event status When event scripts succeed they generally produce no output. However, when a script succeeds and produces outpu
[SCM] Samba Shared Repository - annotated tag tevent-0.15.0 created
The annotated tag, tevent-0.15.0 has been created at 4d0ff32238d0c395cd4ec3644822726cd2f81f44 (tag) tagging 6a80d170bca0c938f78ab12e37481b52792a9d83 (commit) replaces tdb-1.4.9 tagged by Stefan Metzmacher on Thu Jul 20 12:49:15 2023 +0200 - Log - tevent: tag release tevent-0.15.0 Dmitry Antipov (2): lib:replace: rely on epoll_create1() for epoll interface tevent: rely on epoll_create1() for epoll interface Pavel Filipenský (6): tevent: Move definition of _DEPRECATED_ to the top of tevent.h tevent: Deprecate some tevent_thread_call_depth_*() functions tevent: Flow: pass function name to tevent_req_create() tevent: Flow: store callback function name in tevent_req tevent: Flow: store trigger function name in tevent_queue_entry tevent: Flow: add tevent_thread_call_depth_set_callback() Stefan Metzmacher (16): ldb: remove trailing whitespaces from include/dlinklist.h ldb: clarify LGPL scope of include/dlinklist.h lib/util: dlinklist.h sync with LGPL copy from lib/ldb/include/dlinklist.h tevent: add tevent_dlinklist.h as copy from lib/util/dlinklist.h s3:winbindd: set TEVENT_DEPRECATED as tevent_thread_call_depth_*() api will change soon tevent: Flow: store cancel function name in tevent_req tevent: Flow: store cleanup function name in tevent_req tevent: add fd_speed test tevent: introduce tevent_set_max_debug_level() (default TEVENT_DEBUG_WARNING) tevent: add TEVENT_DEBUG() avoid argument overhead when log is not active... 
tevent: make use of TEVENT_DEBUG() when using TEVENT_DEBUG_TRACE tevent: avoid epoll_check_reopen() overhead unless required tevent: let epoll_check_reopen() clear all events before reopening them tevent: avoid calling epoll_update_event() again if epoll_check_reopen() already did it tevent: add tevent_common_fd_str() helper tevent: version 0.15.0 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag tdb-1.4.9 created
The annotated tag, tdb-1.4.9 has been created at 95e54247fd93a9172437dabc75d5bf6cd424b049 (tag) tagging b649c7d3c2b1e13e900c80ff7a20959a70b1c528 (commit) replaces talloc-2.4.1 tagged by Stefan Metzmacher on Thu Jul 20 12:48:38 2023 +0200 - Log - tdb: tag release tdb-1.4.9 Stefan Metzmacher (1): tdb: release 1.4.9 --- -- Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag talloc-2.4.1 created
The annotated tag, talloc-2.4.1 has been created at 07be14a36896de8f1a31e768853c3b8e1dcb306e (tag) tagging 791e2817e1318237590313f7e372a27c1d48 (commit) replaces tevent-0.14.1 tagged by Stefan Metzmacher on Thu Jul 20 12:47:51 2023 +0200 - Log - talloc: tag release talloc-2.4.1 Alexander Bokovoy (2): Add ROLE_IPA_DC into two more places wafsamba: Normalize strings in gdb output when comparing ABI Amir Goldstein (4): s4:torture:basic: fix SET_INFO_* macros in delayed_write_update* lib: add NTTIME_[U|m]SEC macros s4:torture:basic: use milliseconds granularity in delayed_write_update7 torture/smb2: do not use client time in delayed timestamp updates test Andreas Schneider (266): s3:libsmb: Remove unused variable 'i' s3:smbd: Don't assign variable to itself s3:rpcsrv:eventlog: Remove unused variable s3:winbind: Remove unused variable s4:samdb: Remove trailing whitespaces s4:samdb: Remove unused variable nsswitch: Fix getting data out of pam_get_data() lib:ldb-samba: Correctly handle search scope s3:printing: Remove trailing whitespaces in vlp.c s3:printing: Remove unused variable s3:modules: Ignore -Wunused-but-set-variable for autogenerated code s4:modules: Move structs with dynamic arrays to end of struct s3:modules: Initialize pointer with NULL s3:netapi: Remove unused variables s3:utils: Remove unused variable s3:torture: Remove unused variable waf: Add support for MemorySanitizer lib:ldb: Add the location to ldb_kv_parse_data_unpack() debug output lib:ldb: Print a debug message in case we have a 
corrupted MDB testprogs: Use random usernames for kinit tests testprogs: Use random usernames for export keytab tests testprogs: Use random user names for kpasswd tests python:tests: Correctly escape $ in user_edit.sh python:tests: Use a random username for user_edit.sh tests python:tests: Correctly escape $ in contact_edit.sh python:tests: Use a random username for contact_edit.sh test python:tests: Correctly escape $ in computer_edit.sh python:tests: Use a random machine name for computer_edit.sh test python:tests: Make sure we do not run into issues with already existing users python:tests: Fix domain_backup test with Python 3.11 python:tests: Tell dns.resolver to not read /etc/resolv.conf python:tests: Add missing result checks for samba_tool.gpo tests python:tests: Make sure we delete the OU for movetest s3:utils: Check if the autorid rangesize is a multiple of the range s3:winbind: Improve warning message if we are out of autorid ranges python:netcmd: Decode return value of find_netbios() from bytes into string lib:ldb: Correctly cast pointers for assert_string_equal() ctdb:client: Fix code spelling ctdb:common: Fix code spelling ctdb:include: Remove trailing whitespaces in ctdb_protocol.h ctdb:include: Fix code spelling ctdb:server: Remove trailing whitespaces in ctdb_recover.c ctdb:server: Remove trailing whitespaces in ctdb_server.c ctdb:server: Fix code spelling ctdb:tcp: Fix code spelling ctdb:tests: Fix code spelling ctdb:tool: Fix code spelling ctdb:utils: Remove trailing whitespaces in scsi_io.c ctdb:utils: Fix code spelling s3:utils: Fix grammar in testparm auth: Fix code spelling buildtools: Fix code spelling examples: Remove trailing whitespaces in ol-schema-migrate.pl examples: Remove trailing whitespaces in mklogon.conf examples: Fix code spelling examples: Remove trailing whitespaces in smb.conf.default examples: Improve comment in smb.conf.default s3:libsmb: Remove trailing whitespaces in clientgen.c s3:libsmb: Fix conflicting 
declaration/implementation s3:waf: Fix One Definition Rule (ODR) violation of libsecrets3 Add .clangd configuration file buildtools: Remove compile_commands.json symlink lib:talloc: Move talloc_get_size() out of the talloc reference group lib:addns: Rename additionals to additional lib:addns: Fix code spelling lib:audit_logging: Fix code spelling lib:cmdline: Fix code spelling lib:compression: Fix code spelling lib:crypto: Improve comment about weak
Re: [cifs-protocol] [EXTERNAL] Re: KB5028166 introduced undocumented changes to MS-NRPC? - TrackingID#2307130040007086
Hi Jeff,

As I mentioned in the thread for the other issue, the updates have been published in an Errata document for later inclusion in [MS-NRPC]:

Windows Protocols Errata: [MS-NRPC]: Netlogon Remote Protocol
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/69ffd0ac-a0dd-49f2-96ad-6720441b0a93

Please let us know if this does not address the issue below.

I guess the documentation should clarify that DCERPC_NCA_S_FAULT_INVALID_TAG is returned on the wire instead of STATUS_INVALID_LEVEL.

metze

___ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dfeabce44fb s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels via d5f1097b622 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels via 404ce08e908 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels via 5f87888ed53 netlogon.idl: add support for netr_LogonGetCapabilities response level 2 from 5a5e24e s3:libsmb: Fix code spelling https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Author: Stefan Metzmacher Date: Sat Jul 15 16:11:48 2023 +0200 s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels This is important as Windows clients with KB5028166 seem to call netr_LogonGetCapabilities with query_level=2 after a call with query_level=1. An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG for query_level values other than 1. While Samba tries to return NT_STATUS_NOT_SUPPORTED, but later fails to marshall the response, which results in DCERPC_FAULT_BAD_STUB_DATA instead. Because we don't have any documentation for level 2 yet, we just try to behave like an unpatched server and generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of DCERPC_FAULT_BAD_STUB_DATA. Which allows patched Windows clients to keep working against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 commit d5f1097b6220676d56ed5fc6707acf667b704518 Author: Stefan Metzmacher Date: Sat Jul 15 16:11:48 2023 +0200 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels This is important as Windows clients with KB5028166 seem to call netr_LogonGetCapabilities with query_level=2 after a call with query_level=1. An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG for query_level values other than 1. While Samba tries to return NT_STATUS_NOT_SUPPORTED, but later fails to marshall the response, which results in DCERPC_FAULT_BAD_STUB_DATA instead. Because we don't have any documentation for level 2 yet, we just try to behave like an unpatched server and generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of DCERPC_FAULT_BAD_STUB_DATA. Which allows patched Windows clients to keep working against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 404ce08e9088968311c714e756f5d58ce2cef715 Author: Stefan Metzmacher Date: Sat Jul 15 17:25:05 2023 +0200 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels The important change is that we expect DCERPC_NCA_S_FAULT_INVALID_TAG for unsupported query_levels, we allow it to work with servers with or without support for query_level=2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 5f87888ed53320538cf773d64868390d8641a40e Author: Stefan Metzmacher Date: Sat Jul 15 17:20:32 2023 +0200 netlogon.idl: add support for netr_LogonGetCapabilities response level 2 We don't have any documentation about this yet, but tests against a Windows Server 2022 patched with KB5028166 revealed that the response for query_level=2 is exactly the same as for query_level=1. Until we know the reason for query_level=2 we won't use it as client nor support it in the server, but we want ndrdump to work. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- Summary of changes: librpc/idl/netlogon.idl | 1 + source3/rpc_server/netlogon/srv_netlog_nt.c | 29 -- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 -- source4/torture/rpc/netlogon.c| 77 ++- 4 files changed, 126 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl index 48a8c8f9310..85dd73ee7e4 100644 --- a/librpc/idl/netlogon.idl +++ b/librpc/idl/netlogon.idl @@ -1236,6 +1236,7 @@ interface netlogon /* Function 0x15 */ typedef [switch_type(uint32)] union { [case(1)] netr_NegotiateFlags server_capabilities
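The netlogon commits and the cifs-protocol reply above all turn on which status a DCERPC fault PDU carries on the wire. The following C is an added example, not Samba code: it decodes that status from a connection-oriented fault PDU, honouring the data-representation byte. The function and enum names and the sample PDUs are constructed for the illustration, and the numeric fault values are not on the page (they are the ones Samba's dcerpc.idl defines).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fault codes named in the commit messages; numeric values are not on the
 * page, they are the ones defined in Samba's librpc/idl/dcerpc.idl. */
#define DCERPC_NCA_S_FAULT_INVALID_TAG 0x1C000006u
#define DCERPC_FAULT_BAD_STUB_DATA     0x000006F7u

#define DCERPC_PKT_FAULT 3    /* PTYPE of a connection-oriented fault PDU */
#define DCERPC_DREP_LE   0x10 /* drep[0] high nibble: little-endian integers */
#define DCERPC_FAULT_LEN 32   /* 16-byte common header + 16-byte fault body */

/* Hypothetical result type for this example. */
enum getcaps_verdict {
	GETCAPS_NOT_A_FAULT = 0,
	GETCAPS_INVALID_TAG,   /* server does not know this query_level */
	GETCAPS_BAD_STUB_DATA, /* what Samba produced before the fix */
	GETCAPS_OTHER_FAULT
};

static uint16_t rd16(const uint8_t *p, int le)
{
	return le ? (uint16_t)(p[0] | (p[1] << 8))
		  : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
	if (le) {
		return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
		       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
	}
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 0 and fills *status for a well-formed fault PDU, -1 otherwise.
 * Layout: 0 rpc_vers, 2 ptype, 4 drep[4], 8 frag_length, 12 call_id,
 * 16 alloc_hint, 20 p_cont_id, 22 cancel_count, 24 status, 28 reserved. */
int dcerpc_fault_status(const uint8_t *pdu, size_t len, uint32_t *status)
{
	int le;
	uint16_t frag_len;

	if (pdu == NULL || status == NULL || len < DCERPC_FAULT_LEN) {
		return -1;
	}
	if (pdu[0] != 5 || pdu[2] != DCERPC_PKT_FAULT) {
		return -1;
	}
	le = (pdu[4] & 0xF0) == DCERPC_DREP_LE;
	frag_len = rd16(pdu + 8, le);
	if (frag_len < DCERPC_FAULT_LEN || frag_len > len) {
		return -1; /* header claims more bytes than were captured */
	}
	*status = rd32(pdu + 24, le);
	return 0;
}

enum getcaps_verdict classify_getcaps_reply(const uint8_t *pdu, size_t len)
{
	uint32_t status;

	if (dcerpc_fault_status(pdu, len, &status) != 0) {
		return GETCAPS_NOT_A_FAULT;
	}
	if (status == DCERPC_NCA_S_FAULT_INVALID_TAG) {
		return GETCAPS_INVALID_TAG;
	}
	if (status == DCERPC_FAULT_BAD_STUB_DATA) {
		return GETCAPS_BAD_STUB_DATA;
	}
	return GETCAPS_OTHER_FAULT;
}

/* Constructed sample PDUs (not captured traffic). */
static const uint8_t sample_le_invalid_tag[32] = {
	0x05, 0x00, 0x03, 0x03, 0x10, 0x00, 0x00, 0x00, /* hdr, LE drep */
	0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, /* frag 32, call 2 */
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x06, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00  /* status, reserved */
};
static const uint8_t sample_be_invalid_tag[32] = {
	0x05, 0x00, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, /* hdr, BE drep */
	0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0x1c, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00
};
static const uint8_t sample_le_bad_stub[32] = {
	0x05, 0x00, 0x03, 0x03, 0x10, 0x00, 0x00, 0x00,
	0x20, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	0xf7, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
	printf("LE invalid tag -> %d\n", classify_getcaps_reply(
		sample_le_invalid_tag, sizeof(sample_le_invalid_tag)));
	printf("BE invalid tag -> %d\n", classify_getcaps_reply(
		sample_be_invalid_tag, sizeof(sample_be_invalid_tag)));
	printf("LE bad stub    -> %d\n", classify_getcaps_reply(
		sample_le_bad_stub, sizeof(sample_le_bad_stub)));
	return 0;
}
```
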
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 083fe1c28c6 smbd: call exit_server_cleanly() to avoid panicking via 50e771c12f8 s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS via b317b10dffd s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() via 0cb6de4b1d5 s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 via 4ad5a35a3f6 s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() via cb59fd43bbf s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() from d2940694c6a ctdb-tests: Run ShellCheck on event-script unit test support scripts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 083fe1c28c6ec69cbd15d8cc2f7f06b1b630f2bc Author: Ralph Boehme Date: Wed Jul 5 11:33:58 2023 +0200 smbd: call exit_server_cleanly() to avoid panicking The parent smbd forwards SIGTERM to its process group in order to kill all children like the scavenger. This happens from a function registered via atexit() which means the signal forwarding is happening very briefly before the main smbd process exits. When exiting the pipe between smbd and scavenger is closed which triggers a file event in the scavenger. However, due to kernel scheduling it is possible that the file descriptor event is received before the signal, where we call exit_server() which calls smb_panic() at the end. Change the exit to exit_server_cleanly() and just log this event at level 2 which we already do. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15275 Signed-off-by: Ralph Boehme Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jul 5 13:14:08 UTC 2023 on atb-devel-224 commit 50e771c12f84f9268c2e9ddeef0965f79f85de3d Author: Stefan Metzmacher Date: Tue Jul 4 14:12:03 2023 +0200 s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS When we were not able to get a valid response from any DC we should report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1. This matches what windows does. In a chain of transitive trusts the ACCESS_DENIED/authoritative=0 is not propagated, instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is passed along the chain if there's no other DC available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit b317b10dffd99d1add3ff0b85b958edd9639abc8 Author: Stefan Metzmacher Date: Tue Jul 4 13:01:24 2023 +0200 s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop() Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true, which is important in order to recover from NT_STATUS_RPC_SEC_PKG_ERROR errors. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit 0cb6de4b1d5410f3699172952be81c6eb75c2c86 Author: Stefan Metzmacher Date: Wed Feb 16 14:19:16 2022 +0100 s3:winbindd: let winbind_samlogon_retry_loop() always start with authoritative = 1 Otherwise we could treat a local problem as non-authoritative. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit 4ad5a35a3f67860aa7a1345efcfc92fe40578e31 Author: Stefan Metzmacher Date: Tue Jul 4 12:32:34 2023 +0200 s3:winbindd: make use of reset_cm_connection_on_error() for winbindd_lookup_{names,sids}() Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true. This is not strictly needed as the callers call reset_cm_connection_on_error() via reconnect_need_retry(). But it might avoid one roundtrip. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Volker Lendecke commit cb59fd43bbf758e4bad774cfc19ef87b157052c2 Author: Stefan Metzmacher Date: Tue Jul 4 12:32:34 2023 +0200 s3:winbindd: call reset_cm_connection_on_error() in wb_cache_query_user_list() This is mostly for consistency, every remote call should call reset_cm_connection_on_error(). Note this is more than a simple invalidate_cm_connection() as it may set domain->conn.netlogon_force_reauth = true. BUG: https://bugzilla.samba.org/show_bug.cgi
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7b6cedf5385 .gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5 from d720eb2c083 third_party: Update socket_wrapper to version 1.4.2 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7b6cedf5385e0313acc8629c8c9238309fab64c0 Author: Stefan Metzmacher Date: Thu Nov 17 16:14:27 2022 +0100 .gitlab-ci:bootstrap: remove ubuntu1804*, add debian12, upgrade opensuse 15.5 Signed-off-by: Stefan Metzmacher [abart...@samba.org Use Debian 11 for the 32 bit host as the compile currently fails - just exits without information - mid-way on Debian 12] 
Signed-off-by: Andrew Bartlett Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Jun 30 08:51:17 UTC 2023 on atb-devel-224 --- Summary of changes: .gitlab-ci-main.yml| 34 +++--- bootstrap/.gitlab-ci.yml | 18 +-- bootstrap/config.py| 30 - bootstrap/generated-dists/Vagrantfile | 31 - .../{centos7 => debian11-32bit}/Dockerfile | 2 +- .../{debian11 => debian11-32bit}/bootstrap.sh | 0 .../{f37mit120 => debian11-32bit}/locale.sh| 0 .../{debian11 => debian11-32bit}/packages.yml | 0 .../{centos7 => debian12-32bit}/Dockerfile | 2 +- .../{ubuntu2204 => debian12-32bit}/bootstrap.sh| 1 - .../{fedora37 => debian12-32bit}/locale.sh | 0 .../{ubuntu2204 => debian12-32bit}/packages.yml| 1 - .../{fedora37 => debian12}/Dockerfile | 4 +- .../{ubuntu2204 => debian12}/bootstrap.sh | 1 - .../{opensuse154 => debian12}/locale.sh| 0 .../{ubuntu2204 => debian12}/packages.yml | 1 - bootstrap/generated-dists/f37mit120/bootstrap.sh | 126 - bootstrap/generated-dists/f37mit120/packages.yml | 110 -- bootstrap/generated-dists/fedora37/bootstrap.sh| 123 bootstrap/generated-dists/fedora37/packages.yml| 110 -- bootstrap/generated-dists/opensuse154/Dockerfile | 29 - .../{f37mit120 => opensuse155}/Dockerfile | 4 +- .../{opensuse154 => opensuse155}/bootstrap.sh | 0 .../{centos7 => opensuse155}/locale.sh | 0 .../{opensuse154 => opensuse155}/packages.yml | 0 bootstrap/sha1sum.txt | 2 +- 26 files changed, 85 insertions(+), 544 deletions(-) copy bootstrap/generated-dists/{centos7 => debian11-32bit}/Dockerfile (90%) copy bootstrap/generated-dists/{debian11 => debian11-32bit}/bootstrap.sh (100%) rename bootstrap/generated-dists/{f37mit120 => debian11-32bit}/locale.sh (100%) copy bootstrap/generated-dists/{debian11 => debian11-32bit}/packages.yml (100%) copy bootstrap/generated-dists/{centos7 => debian12-32bit}/Dockerfile (90%) copy bootstrap/generated-dists/{ubuntu2204 => debian12-32bit}/bootstrap.sh (97%) rename bootstrap/generated-dists/{fedora37 => debian12-32bit}/locale.sh (100%) copy 
bootstrap/generated-dists/{ubuntu2204 => debian12-32bit}/packages.yml (97%) rename bootstrap/generated-dists/{fedora37 => debian12}/Dockerfile (92%) copy bootstrap/generated-dists/{ubuntu2204 => debian12}/bootstrap.sh (97%) rename bootstrap/generated-dists/{opensuse154 => debian12}/locale.sh (100%) copy bootstrap/generated-dists/{ubuntu2204 => debian12}/packages.yml (97%) delete mode 100755 bootstrap/generated-dists/f37mit120/bootstrap.sh delete mode 100644 bootstrap/generated-dists/f37mit120/packages.yml delete mode 100755 bootstrap/generated-dists/fedora37/bootstrap.sh delete mode 100644 bootstrap/generated-dists/fedora37/packages.yml delete mode 100644 bootstrap/generated-dists/opensuse154/Dockerfile rename bootstrap/generated-dists/{f37mit120 => opensuse155}/Dockerfile (91%) rename bootstrap/generated-dists/{opensuse154 => opensuse155}/bootstrap.sh (100%) copy bootstrap/generated-dists/{centos7 => opensuse155}/locale.sh (100%) rename bootstrap/generated-dists/{opensuse154 => opensuse155}/packages.yml (100%) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 798192f9b04..779eedb8255 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: cf0a5476a4f13d449a7542d01d225dc2aef2a333 + SAMBA_CI_CONTAINER_TAG: 190a74ee9628f298961d890ba37fcc7d213daae2 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 @@ -58,12 +58,12 @@ variables:
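Review bot: the new SAMBA_CI_CONTAINER_TAG value in the first .gitlab-ci-main.yml hunk cannot be checked against bootstrap/sha1sum.txt from what is shown here, although the comment directly above it says the two must be identical. The summary lists bootstrap/sha1sum.txt as changed, but its hunk lies past the 500-line truncation, so please confirm the tag was regenerated with bootstrap/template.py --render after the last edit to bootstrap/config.py rather than copied by hand. It would also help if the commit message said why a debian12-32bit directory is generated when the bracketed remark says the 32-bit host stays on Debian 11.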
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d720eb2c083 third_party: Update socket_wrapper to version 1.4.2 from afbed653526 s3:utils: smbget fix a memory leak https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d720eb2c083f3d162e93011d69c4b742cd03f3aa Author: Andreas Schneider Date: Wed Jun 21 12:40:16 2023 +0200 third_party: Update socket_wrapper to version 1.4.2 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Jun 29 16:06:11 UTC 2023 on atb-devel-224 --- Summary of changes: buildtools/wafsamba/samba_third_party.py| 2 +- third_party/socket_wrapper/socket_wrapper.c | 182 third_party/socket_wrapper/wscript | 7 +- 3 files changed, 189 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index 356b041a2a9..52898486fd9 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA @conf def CHECK_SOCKET_WRAPPER(conf): -return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.0') +return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.4.2') Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER @conf diff --git a/third_party/socket_wrapper/socket_wrapper.c b/third_party/socket_wrapper/socket_wrapper.c index bf4a976eaee..c759d350fb1 100644 --- a/third_party/socket_wrapper/socket_wrapper.c +++ b/third_party/socket_wrapper/socket_wrapper.c @@ -44,6 +44,12 @@ #include "config.h" +/* + * Make sure we do not redirect (f)open(at)() or fcntl() to their 64bit + * variants + */ +#undef _FILE_OFFSET_BITS + #include #include #include 
@@ -94,6 +100,10 @@ #include "socket_wrapper.h" +#ifdef __USE_FILE_OFFSET64 +#error -D_FILE_OFFSET_BITS=64 should not be set for socket_wrapper! +#endif + enum swrap_dbglvl_e { SWRAP_LOG_ERROR = 0, SWRAP_LOG_WARN, @@ -507,6 +517,9 @@ typedef int (*__libc_connect)(int sockfd, typedef int (*__libc_dup)(int fd); typedef int (*__libc_dup2)(int oldfd, int newfd); typedef int (*__libc_fcntl)(int fd, int cmd, ...); +#ifdef HAVE_FCNTL64 +typedef int (*__libc_fcntl64)(int fd, int cmd, ...); +#endif typedef FILE *(*__libc_fopen)(const char *name, const char *mode); #ifdef HAVE_FOPEN64 typedef FILE *(*__libc_fopen64)(const char *name, const char *mode); @@ -531,6 +544,9 @@ typedef int (*__libc_open)(const char *pathname, int flags, ...); #ifdef HAVE_OPEN64 typedef int (*__libc_open64)(const char *pathname, int flags, ...); #endif /* HAVE_OPEN64 */ +#ifdef HAVE_OPENAT64 +typedef int (*__libc_openat64)(int dirfd, const char *pathname, int flags, ...); +#endif /* HAVE_OPENAT64 */ typedef int (*__libc_openat)(int dirfd, const char *path, int flags, ...); typedef int (*__libc_pipe)(int pipefd[2]); typedef int (*__libc_read)(int fd, void *buf, size_t count); @@ -612,6 +628,9 @@ struct swrap_libc_symbols { SWRAP_SYMBOL_ENTRY(dup); SWRAP_SYMBOL_ENTRY(dup2); SWRAP_SYMBOL_ENTRY(fcntl); +#ifdef HAVE_FCNTL64 + SWRAP_SYMBOL_ENTRY(fcntl64); +#endif SWRAP_SYMBOL_ENTRY(fopen); #ifdef HAVE_FOPEN64 SWRAP_SYMBOL_ENTRY(fopen64); @@ -627,6 +646,9 @@ struct swrap_libc_symbols { SWRAP_SYMBOL_ENTRY(open); #ifdef HAVE_OPEN64 SWRAP_SYMBOL_ENTRY(open64); +#endif +#ifdef HAVE_OPENAT64 + SWRAP_SYMBOL_ENTRY(openat64); #endif SWRAP_SYMBOL_ENTRY(openat); SWRAP_SYMBOL_ENTRY(pipe); 
@@ -983,6 +1005,23 @@ static int libc_vfcntl(int fd, int cmd, va_list ap) return rc; } +#ifdef HAVE_FCNTL64 +DO_NOT_SANITIZE_ADDRESS_ATTRIBUTE +static int libc_vfcntl64(int fd, int cmd, va_list ap) +{ + void *arg; + int rc; + + swrap_bind_symbol_all(); + + arg = va_arg(ap, void *); + + rc = swrap.libc.symbols._libc_fcntl64.f(fd, cmd, arg); + + return rc; +} +#endif + static int libc_getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen) @@ -1115,6 +1154,29 @@ static int libc_vopen64(const char *pathname, int flags, va_list ap) } #endif /* HAVE_OPEN64 */ +#ifdef HAVE_OPENAT64 +static int +libc_vopenat64(int dirfd, const char *pathname, int flags, va_list ap) +{ + int mode = 0; + int fd; + + swrap_bind_symbol_all(); + + swrap_inject_o_largefile(); + + if (flags & O_CREAT) { + mode = va_arg(ap, int); + } + fd = swrap.libc.symbols._libc_openat64.f(dirfd, +
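Review bot: libc_vopenat64() reads the mode argument only when `flags & O_CREAT` is set, so a caller that opens with O_TMPFILE and supplies a mode has 0 forwarded to the real openat64() instead. open(2) requires the mode for O_TMPFILE as well as O_CREAT, so the test should cover both where O_TMPFILE is defined, for example `(flags & O_CREAT) || ((flags & O_TMPFILE) == O_TMPFILE)`. If the existing open(), open64() and openat() wrappers use the same O_CREAT-only test, they should be changed together with this one. The hunk is cut off in this archive, so the remainder of the function is not covered by this comment.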
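Review bot: the `#ifdef __USE_FILE_OFFSET64` / `#error` guard added after `#include "socket_wrapper.h"` depends on a glibc-internal feature macro, so on a libc that does not define it the guard is silently skipped even if 64-bit redirection is active. The comment above the `#undef _FILE_OFFSET_BITS` explains the intent well; please add a line next to the `#error` saying that the check is glibc-specific, so nobody reads it as a portable guarantee.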
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b0524830aaf s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing via e9367887123 s4:kdc: Include default groups in security token via 34760dfc89e s4:kdc: Implement Heimdal hook for resource-based constrained delegation via fc33033bacf tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses via fcfdb44381f tests/krb5: Be less strict regarding acceptable delegation error codes via 0e43d11e39b s4:kdc: Remove useless sdb → hdb error code translation via 7e76f36d918 s4:kdc: Initialize pointers with NULL via 3784bca73e0 third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325) from de2738fb9a7 smbd: Don't mask open error if fstatat() fails https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b0524830aaf0ccf7dc2efbe66d2bf38b509c0143 Author: Stefan Metzmacher Date: Fri Jun 23 11:51:47 2023 +0200 s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing We log a warning if access is not granted from a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at all. Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224 commit e9367887123ce43c55a7ab436afe659900bdc532 Author: Joseph Sutton Date: Tue Jun 20 16:50:18 2023 +1200 s4:kdc: Include default groups in security token This is consistent with the behaviour of the existing function _authn_policy_access_check() and of Windows. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 34760dfc89e879a889d64b48c606ccbaf10e8ba3 Author: Joseph Sutton Date: Tue Jun 20 14:22:15 2023 +1200 s4:kdc: Implement Heimdal hook for resource-based constrained delegation 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit fc33033bacfe9f800678bd41977d3a20f5072bc0 Author: Joseph Sutton Date: Tue Jun 20 16:48:58 2023 +1200 tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit fcfdb44381f60007679b5cdcff44b4aaf866b376 Author: Joseph Sutton Date: Tue Jun 20 16:46:03 2023 +1200 tests/krb5: Be less strict regarding acceptable delegation error codes Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 0e43d11e39bf57dccebd661e028a717be2b8803c Author: Joseph Sutton Date: Tue Jun 20 16:41:05 2023 +1200 s4:kdc: Remove useless sdb → hdb error code translation samba_kdc_check_s4u2proxy() is never going to return an SDB_* error code, so these conditions can never be hit. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 7e76f36d91866d4e91aabf38c9b97c3cf78e63e2 Author: Joseph Sutton Date: Tue Jun 20 16:40:03 2023 +1200 s4:kdc: Initialize pointers with NULL Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher commit 3784bca73e0f4c14cfcc7d34ec67f25f193747e7 Author: Joseph Sutton Date: Tue Jun 20 16:33:17 2023 +1200 third_party/heimdal: Import lorikeet-heimdal-202306200407 (commit fc2894beeaa71897753975154a5f7fd80b923325) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- Summary of changes: python/samba/tests/krb5/authn_policy_tests.py | 40 +++- python/samba/tests/krb5/s4u_tests.py | 36 +++ selftest/knownfail_heimdal_kdc| 23 --- source4/kdc/db-glue.c | 12 ++-- source4/kdc/hdb-samba4.c | 50 --- third_party/heimdal/kdc/mssfu.c | 87 +-- third_party/heimdal/lib/hdb/hdb.h | 5 ++ 7 files changed, 171 insertions(+), 82 deletions(-) Changeset truncated at 500 lines: 
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 5ffdba41e99..b2625cc4013 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -5382,18 +5382,24 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): self.discardMessages() # Show that obtaining a service
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  7828c6535cd s4:kdc: Don’t overwrite error code
       via  192024e8403 s4:kdc: Add comment to clarify that we fetch the client claims
       via  fcea53584de s4:kdc: clear client and device claims from trusts
       via  7a4fa2c5643 s4:kdc: Make [client,device]_claims_blob const pointers
       via  ebc27cf32a6 s4:kdc: Remove unnecessary NULL check
       via  c69174c07c4 s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()
       via  1ffca866c15 s4:kdc: adjust formatting of samba_kdc_update_pac() documentation
       via  b42fbc78395 s4:kdc: Enforce authentication policy service restrictions when getting a PAC
       via  3240ac4ebef s4:kdc: Check authentication policy server restrictions
       via  9a9f4799192 s4:kdc: Check authentication policy device restrictions
       via  f3714a3e3a3 s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
       via  8b1897f02ee tests/krb5: Test that client policies are not enforced with S4U
       via  8e32075188f tests/krb5: Fix RBCD comments
       via  456373ac19c tests/krb5: Don’t unnecessarily specify ‘id’
       via  620c842da01 s4:kdc: Remove unused ‘server’ parameter in pac_verify()
       via  67436de3e77 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
       via  19f867bc54e s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
       via  8425ffc8f3b s4:kdc: Update Samba KDC plugin to match new Heimdal version
       via  95c02a9794b third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
       via  1abc2543cd4 tests/krb5: Add test for authenticating with disabled account and wrong password
       via  9d7f1794937 tests/auth_log_pass_change: Fix flapping test
       via  539cd516004 netcmd: domain: Fix typo
      from  ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7828c6535cd61ef9ff64417226fcd8ae9dad23e9
Author: Joseph Sutton
Date: Mon Jun 26 17:09:22 2023 +1200

    s4:kdc: Don’t overwrite error code

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224

commit 192024e840333d99cf7028cb1abfcc9da5af335e
Author: Joseph Sutton
Date: Fri Jun 23 11:55:24 2023 +1200

    s4:kdc: Add comment to clarify that we fetch the client claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit fcea53584deadd41ecd5ce47402eee36168bbc24
Author: Stefan Metzmacher
Date: Thu Jun 22 09:08:53 2023 +0200

    s4:kdc: clear client and device claims from trusts

    As we don't support the Claims Transformation Algorithm [MS-CTA]
    we better clear claims as they have no valid meaning in our domain.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 7a4fa2c5643d42bd8caba31e44df94812196fca4
Author: Joseph Sutton
Date: Mon Jun 26 11:10:51 2023 +1200

    s4:kdc: Make [client,device]_claims_blob const pointers

    This is so that we can have them point to ‘null_data’ if we so choose.

    We can’t assign the result of data_blob_talloc() to a const pointer, so
    we go through an intermediary non-const pointer for the
    device_claims_blob case.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit ebc27cf32a61d543a1fa2c73ca49e28077904e43
Author: Joseph Sutton
Date: Mon Jun 26 11:11:19 2023 +1200

    s4:kdc: Remove unnecessary NULL check

    pac_blobs_add_blob() already checks whether the blob argument is NULL,
    and skips adding the blob if so.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit c69174c07c49589ed52a67781ed8862ffb47fea3
Author: Stefan Metzmacher
Date: Thu Jun 22 09:18:51 2023 +0200

    s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()

    For now we only pass in the krbtgt that verified the client pac
    and optionally the krbtgt that verified the device pac.

    These can be different depending on the domain of the related
    principals.

    If we want to apply SID filtering in future we may also need
    to pass in the krbtgt that verified the delegated_proxy_pac,
    but that needs more research and is not required for the
    following changes.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1ffca866c1574f340cd56fd8c90d41a528bc649a
Author: Stefan Metzmacher
Date: Fri Jun 23 11:20:59 2023 +1200

    s4:kdc: adjust formatting of samba_kdc_update_pac
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  9f5216912e0 vfs_gpfs: Move call to load GPFS library
       via  25e1e487a5f vfs_gpfs: Check error from gpfswrap_lib_init
       via  3b72136f678 vfs_gpfs: Register smbd process with GPFS
       via  34b9c54ff2f gpfswrap: Add wrapper for gpfs_register_cifs_export
      from  a75378e3542 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 9f5216912e0b2f2d0e74d4dbd10f3fb5017de331
Author: Christof Schmitt
Date: Wed May 31 11:29:49 2023 -0700

    vfs_gpfs: Move call to load GPFS library

    Load the GPFS library from the connect function and leave the module
    init for only the module registration.

    Signed-off-by: Christof Schmitt
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Sun Jun 25 16:06:37 UTC 2023 on atb-devel-224

commit 25e1e487a5f32ec5ae3cd8e9f49535eae0358e88
Author: Christof Schmitt
Date: Wed May 31 11:16:19 2023 -0700

    vfs_gpfs: Check error from gpfswrap_lib_init

    Signed-off-by: Christof Schmitt
    Reviewed-by: Stefan Metzmacher

commit 3b72136f6782d9704a197ab7b17201df6ff4d60d
Author: Christof Schmitt
Date: Wed May 31 11:13:51 2023 -0700

    vfs_gpfs: Register smbd process with GPFS

    Issue API call to tell the file system that this is a Samba process.
    This fixed the GPFS handling of Samba since the rename of smbd
    processes in commit 5955dc1e4fd.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381

    Signed-off-by: Christof Schmitt
    Reviewed-by: Stefan Metzmacher

commit 34b9c54ff2f089dbffe65bdc69f3024b5d3efd5c
Author: Christof Schmitt
Date: Wed May 24 14:06:36 2023 -0700

    gpfswrap: Add wrapper for gpfs_register_cifs_export

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15381

    Signed-off-by: Christof Schmitt
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 lib/util/gpfswrap.c        | 12
 lib/util/gpfswrap.h        | 1 +
 source3/modules/vfs_gpfs.c | 26 ++
 3 files changed, 31 insertions(+), 8 deletions(-)

Changeset truncated at 500 lines:
diff --git a/lib/util/gpfswrap.c b/lib/util/gpfswrap.c index d05358e141e..2f15bf452cf 100644 --- a/lib/util/gpfswrap.c +++ b/lib/util/gpfswrap.c @@ -28,6 +28,7 @@ static int (*gpfs_putacl_fn)(const char *pathname, int flags, void *acl); static int (*gpfs_get_realfilename_path_fn)(const char *pathname, char *filenamep, int *len); +static int (*gpfs_register_cifs_export_fn)(void); static int (*gpfs_set_winattrs_path_fn)(const char *pathname, int flags, struct gpfs_winattr *attrs); @@ -71,6 +72,7 @@ int gpfswrap_init(void) gpfs_fgetacl_fn = dlsym(l, "gpfs_getacl_fd"); gpfs_putacl_fn= dlsym(l, "gpfs_putacl"); gpfs_get_realfilename_path_fn = dlsym(l, "gpfs_get_realfilename_path"); + gpfs_register_cifs_export_fn = dlsym(l, "gpfs_register_cifs_export"); gpfs_set_winattrs_path_fn = dlsym(l, "gpfs_set_winattrs_path"); gpfs_set_winattrs_fn = dlsym(l, "gpfs_set_winattrs"); gpfs_get_winattrs_fn = dlsym(l, "gpfs_get_winattrs"); @@ -141,6 +143,16 @@ int gpfswrap_get_realfilename_path(const char *pathname, return gpfs_get_realfilename_path_fn(pathname, filenamep, len); } +int gpfswrap_register_cifs_export(void) +{ + if (gpfs_register_cifs_export_fn == NULL) { + errno = ENOSYS; + return -1; + } + + return gpfs_register_cifs_export_fn(); +} + int gpfswrap_set_winattrs_path(const char *pathname, int flags, struct gpfs_winattr *attrs) diff --git a/lib/util/gpfswrap.h b/lib/util/gpfswrap.h index 1e74496c060..e387a56446b 100644 --- a/lib/util/gpfswrap.h +++ b/lib/util/gpfswrap.h @@ -34,6 +34,7 @@ int gpfswrap_putacl(const char *pathname, int flags, void *acl); int gpfswrap_get_realfilename_path(const char *pathname, char *filenamep, int *len); +int gpfswrap_register_cifs_export(void); int gpfswrap_set_winattrs_path(const char *pathname, int flags, struct gpfs_winattr *attrs); diff --git a/source3/modules/vfs_gpfs.c b/source3/modules/vfs_gpfs.c index 969e7744fce..3398879c900 100644 --- a/source3/modules/vfs_gpfs.c +++ b/source3/modules/vfs_gpfs.c @@ -2041,7 +2041,24 @@ static int vfs
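Review bot: gpfswrap_register_cifs_export() reports a missing symbol as errno = ENOSYS with a return of -1, but the new prototype in gpfswrap.h carries no comment telling a caller that this case means the loaded GPFS library does not export gpfs_register_cifs_export, as opposed to a failed registration. The vfs_gpfs.c hunk is cut off here, so the caller's handling is not visible; a one-line comment above the prototype stating the ENOSYS convention would let the caller decide whether to refuse the connect or carry on without registration. The dlsym() result in gpfswrap_init() is also stored without any log message when it is NULL, so an older library would silently lose the registration that the commit message says GPFS needs in order to recognise Samba processes.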
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  ad98643fbd9 s4:kdc: Replace FAST cookie with dummy string
       via  fc4740426d2 third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)
       via  53caae00b82 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
      from  c4e27ae4f69 smbd: Don't set security_descriptor_hash_v4->time

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit ad98643fbd914b7fb28d43a36bd51eeb1f8e2e06
Author: Joseph Sutton
Date: Fri Jun 9 15:46:33 2023 +1200

    s4:kdc: Replace FAST cookie with dummy string

    All that uses the FAST cookie is the gss-preauth authentication
    mechanism, which is untested in Samba, and disabled by default.
    Disabling the FAST cookie code (and sending a dummy string instead)
    relieves us of the maintenance and testing burden of this untested code.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224

commit fc4740426d2f43ca7703e3e4e6ef71c902ce5cd3
Author: Joseph Sutton
Date: Mon Jun 12 12:12:06 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202306112240 (commit c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit 53caae00b824e1fe67a67978a5ad604964f10c7a
Author: Joseph Sutton
Date: Mon Jun 12 13:06:21 2023 +1200

    tests/krb5: Test that FX-COOKIE matches cookie returned by Windows

    The cookie produced by Windows differs depending on whether FAST was
    used.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

---

Summary of changes:
 python/samba/tests/krb5/fast_tests.py    | 87 +++
 selftest/knownfail_heimdal_kdc           | 1 +
 selftest/knownfail_mit_kdc               | 3 +
 source4/kdc/db-glue.c                    | 19 -
 source4/kdc/hdb-samba4.c                 | 117 +--
 source4/kdc/kdc-heimdal.c                | 29
 source4/kdc/samba_kdc.h                  | 2 -
 third_party/heimdal/kdc/default_config.c | 9 +++
 third_party/heimdal/kdc/fast.c           | 72 ++-
 third_party/heimdal/kdc/kdc.h            | 7 ++
 third_party/heimdal/kdc/kerberos5.c      | 7 +-
 third_party/heimdal/lib/krb5/krb5.conf.5 | 3 +
 12 files changed, 203 insertions(+), 153 deletions(-)

Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index e57ea5e1c4b..1c4b5256cef 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py 
@@ -1418,6 +1418,86 @@ class FAST_Tests(KDCBaseTest): } ]) +def test_fx_cookie_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsoft', cookie) + +def test_fx_cookie_no_fast(self): +"""Test that the FAST cookie is present and that its value is as +expected when FAST is not used.""" +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': False +}, +]) + +cookie = kdc_exchange_dict.get('fast_cookie') +self.assertEqual(b'Microsof\x00', cookie) + +def test_unsolicited_fx_cookie_preauth(self): +"""Test sending an unsolicited FX-COOKIE in an AS-REQ without +pre-authentication data.""" + +# Include a FAST cookie. +fast_cookie = self.create_fast_cookie('Samba-Test') + +kdc_exchange_dict = self._run_test_sequence([ +{ +'rep_type': KRB_AS_REP, +'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, +'use_fast': True, +'fast_armor': FX_FAST_ARMOR_AP_REQUEST, +'gen_armor_tgt_fn': self.get_mach_tgt, +'fast_cookie': fast_cookie, +}, +]) + +got_coo
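Review bot: test_fx_cookie_fast and test_fx_cookie_no_fast both say in their docstrings that the cookie "is present", yet each reads it with kdc_exchange_dict.get('fast_cookie') and goes straight to assertEqual, so a missing cookie would surface as a None-versus-bytes mismatch instead of a clear failure; an assertIsNotNone(cookie) before the comparison would match the docstring. The two expected values, b'Microsoft' and b'Microsof\x00', differ only in the final byte and are easy to read as a typo; a short comment or a pair of named constants saying which value Windows returns with FAST and which without would help the next reader.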
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  fcedf5514b1 smbcacls/smbcquotas: check for valid UNC path
       via  61f3e16d9f8 bootstrap: Add a note about cleaning bootstrap/
       via  bb46379845f Configure builtin heimdal to use KEYRING ccache
      from  198a844ff51 third_party: Fix version of socket_wrapper and uid_wrapper

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit fcedf5514b121914483bbc0ffe77580929093ac6
Author: Björn Jacke
Date: Tue Jan 10 12:25:35 2023 +0100

    smbcacls/smbcquotas: check for valid UNC path

    we used to strip the first two characters of the path and used that.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2312

    Signed-off-by: Bjoern Jacke
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Tue Jun 6 09:33:47 UTC 2023 on atb-devel-224

commit 61f3e16d9f8d6907b0b8576ae0cf4c4e48c0b37e
Author: Łukasz Stelmach
Date: Thu May 11 13:33:45 2023 +0200

    bootstrap: Add a note about cleaning bootstrap/

    Signed-off-by: Łukasz Stelmach
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Stefan Metzmacher

commit bb46379845fb2b3d4e04dca1a8493a8e2126a6fe
Author: Łukasz Stelmach
Date: Fri Mar 31 19:42:13 2023 +0200

    Configure builtin heimdal to use KEYRING ccache
Signed-off-by: Łukasz Stelmach Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Reviewed-by: Stefan Metzmacher --- Summary of changes: .gitlab-ci-main.yml | 2 +- bootstrap/README.md | 9 + bootstrap/config.py | 2 +- bootstrap/generated-dists/debian11/bootstrap.sh | 1 + bootstrap/generated-dists/debian11/packages.yml | 1 + bootstrap/generated-dists/ubuntu1804-32bit/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu1804-32bit/packages.yml | 1 + bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu1804/packages.yml | 1 + bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2004/packages.yml | 1 + bootstrap/generated-dists/ubuntu2204/bootstrap.sh | 1 + bootstrap/generated-dists/ubuntu2204/packages.yml | 1 + bootstrap/sha1sum.txt | 2 +- source3/utils/smbcacls.c| 5 + source3/utils/smbcquotas.c | 5 + third_party/heimdal_build/wscript_build | 8 ++-- third_party/heimdal_build/wscript_configure | 10 ++ wscript | 15 +++ 19 files changed, 63 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 4208cbcc104..279c1087789 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml @@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: cfddaa8d36c3f512827bd96fe05c30f7f8337f4b + SAMBA_CI_CONTAINER_TAG: 6f4e1c3f1eb3b3236ae793c11def2135386a0ee9 # # We use the ubuntu2204 image as default as # it matches what we have on atb-devel-224 diff --git a/bootstrap/README.md b/bootstrap/README.md index d9a60878f61..6b3de983728 100644 --- a/bootstrap/README.md +++ b/bootstrap/README.md 
@@ -34,6 +34,15 @@ Just calculate the sha1sum for consistency checks: The checksum needs to be added as `SAMBA_CI_CONTAINER_TAG` in the toplevel .gitlab-ci-main.yml file. +NOTE: Remember to remove any files not tracked by git from the bootstrap +directory before running bootstrap/template.py. + + git clean -dfx bootstrap + +Otherwise the files will affect the checksum but because they are not +checked in and won't be pushed to CI system the checksum calculated there +won't match. + ## User Stories As a gitlab-ci user, I can use this tool to build new CI docker images: diff --git a/bootstrap/config.py b/bootstrap/config.py index fd1753fb3e1..c67ab9184ab 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -181,7 +181,7 @@ PKGS = [ # rpm has no pkg for docbook-xml ('docbook-xml', 'docbook-dtds'), ('docbook-xsl', 'docbook-style-xsl'), -('', 'keyutils-libs-devel'), +('libkeyutils-dev', 'keyutils-libs-devel'), ('', 'which'), ('xz-utils', 'xz') ] diff --git a/bootstrap/generated-dists/debian11/bootstrap.sh b/bootstrap/generated-dists/debian11/bootstrap.sh index 1f9cddfe8ee..1aac852e83e 100755 --- a/bootstrap/generated-dists/debian11/bootstrap.sh +++ b/bootstrap/generated-dists/debian11/bootstrap.sh @@ -57,6 +57,7 @@ apt-get -y
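Review bot: the README.md hunk tells the reader to run "git clean -dfx bootstrap", and with -x that removes ignored files as well as untracked ones, without confirmation; suggest showing the dry run first ("git clean -ndfx bootstrap") so that local work under bootstrap/ is not lost by following the note. The reason given is sound, since untracked files change the checksum that ends up in SAMBA_CI_CONTAINER_TAG, so it may be worth having bootstrap/template.py refuse to render when untracked files are present instead of relying on a README note. The added sentence "because they are not checked in and won't be pushed to CI system" also needs an article ("the CI system").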
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  22ab42c1007 s3/utils: avoid erroneous NO MEMORY detection
      from  9c24f853a84 smbd: remove comments about deprecated 'write cache size'

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 22ab42c1007775abca0b578744d4c18a85cda627
Author: Noel Power
Date: Fri Jun 2 14:27:55 2023 +0100

    s3/utils: avoid erroneous NO MEMORY detection

    since 5cc3c1b5f6b0289f91c01b20989558badc28fd61 if we don't have a
    realm specified either on cmdline or in conf file we try to copy
    (talloc_strdup) a NULL variable which triggers a NO_MEMORY error
    when we check the result of the copy

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15384

    Signed-off-by: Noel Power
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Sun Jun 4 12:42:16 UTC 2023 on atb-devel-224

---

Summary of changes:
 source3/utils/net_ads.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 9a3ee73567e..f0e5e0afe92 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -753,10 +753,12 @@ retry: } else if (ads->auth.realm == NULL) { const char *c_realm = cli_credentials_get_realm(c->creds); - ads->auth.realm = talloc_strdup(ads, c_realm); - if (ads->auth.realm == NULL) { - TALLOC_FREE(ads); - return ADS_ERROR(LDAP_NO_MEMORY); + if (c_realm != NULL) { + ads->auth.realm = talloc_strdup(ads, c_realm); + if (ads->auth.realm == NULL) { + TALLOC_FREE(ads); + return ADS_ERROR(LDAP_NO_MEMORY); + } } }
--
Samba Shared Repository
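Review bot: with the new c_realm != NULL guard, the "else if (ads->auth.realm == NULL)" branch can now fall through with ads->auth.realm still NULL, which this branch never allowed before because the old code returned LDAP_NO_MEMORY in that case. That is the intended fix, but the hunk does not show how the code after it copes with a NULL realm; a comment at the guard saying that a missing realm is valid here and is resolved later, or a check of the later users of ads->auth.realm, would make the change safe to read in isolation.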
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  5303f6f7fd1 s4:torture/smb2: add smb2.bench.read test
       via  56488363862 s4:torture/smb2: add --option="torture:looplimit=15" to smb2.bench.echo
       via  d01db89d905 s4:torture/smb2: move benchmarking tests to bench.c
       via  e03ccb5b12b smb2_negprot: add CALLGRIND_START_INSTRUMENTATION after SMB2 negprot
       via  77c925681dc lib/replace: check for valgrind/callgrind.h
       via  bfb1494e818 lib/util: use RUNNING_ON_VALGRIND to check if valgrind is used
       via  be5e4d164df smb2_server: use MSG_DONTWAIT to get non-blocking send/recvmsg
       via  6e848f9d22f s3:smbd: only do profiling overhead in smbd_tevent_trace_callback() when needed
       via  ff259bd1b70 smbprofile: add smbprofile_active() helper
       via  a08f8b2a2cc smb2_server: optimize SMB2_OP_KEEPALIVE (SMB2 Echo)
      from  9aa440d52d7 s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 5303f6f7fd1ddccdfa6b752b20f712237850527c
Author: Stefan Metzmacher
Date: Thu Sep 22 15:49:41 2022 +0200

    s4:torture/smb2: add smb2.bench.read test

    This test opens one file for each loop (for nprocs * qdepth loops)
    and for each file it loops in read requests for the first
    io_size bytes.

    time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.read \
        --option="torture:timelimit=600" \
        --option="torture:nprocs=1" \
        --option="torture:qdepth=4" \
        --option="torture:io_size=4096"

    In order to generate constant load for profiles
    --option="torture:looplimit=15" can be used to stop
    after the given number of loops before the timelimit hits.

    Sometimes the bottleneck is the smbtorture process.
    In order to bring the smbd process to 100% cpu, you can use
    '--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"'
    and run multiple instances of the test at the same time,
    which both talk to the same smbd process.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Jun 1 08:14:23 UTC 2023 on atb-devel-224

commit 56488363862aeeeacbdd675c09603c5624675d2b
Author: Stefan Metzmacher
Date: Fri Apr 28 08:02:39 2023 +

    s4:torture/smb2: add --option="torture:looplimit=15" to smb2.bench.echo

    Also see the commit message of 23988f19e7cc2823d6c0c0f40af0195d0a3b81bf
    for other examples...

    This test calls SMB2_Echo in a loop per connection.

    time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.echo \
        --option="torture:timelimit=600" \
        --option="torture:looplimit=15" \
        --option="torture:nprocs=1" \
        --option="torture:qdepth=1"

    This is a very useful test to show how many requests are possible
    at the raw SMB2 layer.

    In order to do profiling and being able to compare the profiles
    between runs, it is important to produce the exact same load in each
    run, which is not possible with the typical
    --option="torture:timelimit=600".

    E.g. when the server runs under 'valgrind --tool=callgrind bin/smbd'
    I typically run without "torture:looplimit" first in order to see,
    which rate is possible per second, then I'll add a
    "torture:looplimit" in order to run about half of the timelimit.
    Then the looplimit should run for some time, but finish before the
    timelimit.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

commit d01db89d905eb85b014e2d9b701a507d41cd2dff
Author: Stefan Metzmacher
Date: Thu Sep 22 15:02:04 2022 +0200

    s4:torture/smb2: move benchmarking tests to bench.c

    I'll add more tests there soon

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

commit e03ccb5b12bca8588baca70c4d45702833c7bdd5
Author: Stefan Metzmacher
Date: Tue Apr 25 15:38:30 2023 +

    smb2_negprot: add CALLGRIND_START_INSTRUMENTATION after SMB2 negprot

    This allows us to support starting smbd under callgrind and only
    start the overhead and instrumentation after the SMB2 negprot,
    this allows us to profile only useful stuff and not all the
    smbd startup, forking and multichannel handling.

    This will do the trick:

    valgrind --tool=callgrind --instr-atstart=no smbd

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

commit 77c925681dc964adc67aa866ae47149dabd576e9
Author: Stefan Metzmacher
Date: Wed May 31 12:59:47 2023 +0200

    lib/replace: check for valgrind/callgrind.h

    Signed-off-by: Stefan
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  eafcef18584 s3:locking: fix debug level for NT_STATUS_NOT_FOUND messages in get_static_share_mode_data
      from  24dd45613a6 python:tests: Skip the source_chars test if not a git dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit eafcef18584c264dc68dd95fbd8aa39218199446
Author: Stefan Metzmacher
Date: Mon Apr 24 15:08:42 2023 +0200

    s3:locking: fix debug level for NT_STATUS_NOT_FOUND messages in get_static_share_mode_data

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15362

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Björn Jacke

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Mon Apr 24 14:13:35 UTC 2023 on atb-devel-224

---

Summary of changes:
 source3/locking/share_mode_lock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c index 09a02853511..3fc7d56562a 100644 --- a/source3/locking/share_mode_lock.c +++ b/source3/locking/share_mode_lock.c @@ -885,7 +885,7 @@ static NTSTATUS get_static_share_mode_data( return status; } if (!NT_STATUS_IS_OK(state.status)) { - DBG_GET_SHARE_MODE_LOCK(status, + DBG_GET_SHARE_MODE_LOCK(state.status, "get_static_share_mode_data_fn failed: %s\n", nt_errstr(state.status)); return state.status;
--
Samba Shared Repository
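Review bot: status and state.status are both in scope at the DBG_GET_SHARE_MODE_LOCK() call, which is what allowed the wrong one to be passed as the first argument. Now that the macro argument, nt_errstr(state.status) and the return value all use state.status, a short comment that the first argument must be the status being reported, or a narrower scope for the outer status, would keep the three from drifting apart again.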
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  53f0a292f80 selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME
      from  2ff55b3da71 selftest: Catch error codes from failing testsuites

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 53f0a292f8057a63ddee951058e380b43b9d2916
Author: Stefan Metzmacher
Date: Wed Apr 12 17:22:02 2023 +0200

    selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME

    The value of NSS_WRAPPER_HOSTNAME needs to match the value
    we put into the NSS_WRAPPER_HOSTS file.

    We had a mismatch of
    idmapridmember.samba.example.com
    vs.
    idmapridmember.addom.samba.example.com

    This causes getaddrinfo() in nss_wrapper to fall back
    to the libc version, which talks to a dns server.
    It's not clear if recent glibc code will reach
    resolve/socket wrapper.

    So it's not unlikely that idmapridmember.samba.example.com
    will be passed via the internet, which causes delays
    up to 20 seconds.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15355

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Apr 12 20:29:05 UTC 2023 on atb-devel-224

---

Summary of changes:
 selftest/target/Samba3.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index ab0b61279ef..717091cc8cf 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -3677,7 +3677,7 @@ jacknomappergroup:x:$gid_jacknomapper:jacknomapper $createuser_env{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd; $createuser_env{NSS_WRAPPER_GROUP} = $nss_wrapper_group; $createuser_env{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts; - $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com"; + $createuser_env{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}"; if ($ENV{SAMBA_DNS_FAKING}) { $createuser_env{RESOLV_WRAPPER_HOSTS} = $dns_host_file; } else { 
@@ -3731,7 +3731,7 @@ jacknomappergroup:x:$gid_jacknomapper:jacknomapper $ret{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd; $ret{NSS_WRAPPER_GROUP} = $nss_wrapper_group; $ret{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts; - $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com"; + $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.${dns_domain}"; $ret{NSS_WRAPPER_MODULE_SO_PATH} = Samba::nss_wrapper_winbind_so_path($self); $ret{NSS_WRAPPER_MODULE_FN_PREFIX} = "winbind"; if ($ENV{SAMBA_DNS_FAKING}) { -- Samba Shared Repository
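Review bot: "${hostname}.${dns_domain}" is now built separately for $createuser_env{NSS_WRAPPER_HOSTNAME} and for $ret{NSS_WRAPPER_HOSTNAME}, and per the commit message the same name also has to match what is written to the NSS_WRAPPER_HOSTS file, which is the kind of duplication that produced the original mismatch. Suggest computing the fully qualified name once into a variable and using it in every place, so that a later edit cannot again leave a selftest hostname that falls through to a real DNS lookup.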
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  52c78466bdb vfs_fruit: avoid using 'conn->tcon->compat', we can just use 'conn'!
       via  e0e58ed0e24 smbXsrv_tcon: avoid storing temporary (invalid!) records.
      from  d788d3d974a s3-client: Provide more information on protocol negotiation failures

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 52c78466bdb136998fa9d28b46ffbf18cd9b61a7
Author: Stefan Metzmacher
Date: Wed Apr 5 16:59:28 2023 +0200

    vfs_fruit: avoid using 'conn->tcon->compat', we can just use 'conn'!

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Apr 12 13:51:50 UTC 2023 on atb-devel-224

commit e0e58ed0e2429f01265d544b444bf0e4075549e2
Author: Stefan Metzmacher
Date: Wed Apr 5 16:59:44 2023 +0200

    smbXsrv_tcon: avoid storing temporary (invalid!) records.

    We used to store smbXsrv_tcon_global.tdb records in two steps,
    first we created a record in order to allocate the tcon id.
    The temporary record had a NULL share_name, which translated
    into 0 bytes for the string during ndr_push_smbXsrv_tcon_global0.

    The problem is that ndr_pull_smbXsrv_tcon_global0 fails on
    this with something like:

    Invalid record in smbXsrv_tcon_global.tdb:key '2CA0ED4A'
    ndr_pull_struct_blob(length=85) - Buffer Size Error

    The blob looks like this:

    [] 00 00 00 00 01 00 00 00 00 00 00 00 00 00 02 00
    [0010] 00 00 00 00 4A ED A0 2C 4A ED A0 2C 00 00 00 00 J.., J..,
    [0020] F8 4B 00 00 00 00 00 00 00 00 00 00 FF FF FF FF .K..
    [0030] 4D 59 9B 9F 83 F4 35 20 36 D2 B0 82 62 68 D9 01 MY5 6...bh..
    [0040] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [0050] 00 00 00 00 00 .

    The reason for having a temporary entry was just based on
    the fact, that it was easier to keep the logic in
    make_connection_snum() untouched.

    But we have all information available in order to store
    the final record directly. We only need to do the
    "max connections" check first.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15353
Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- Summary of changes: source3/modules/vfs_fruit.c | 4 ++-- source3/smbd/globals.h | 5 source3/smbd/smb1_service.c | 48 +++-- source3/smbd/smb2_service.c | 15 source3/smbd/smb2_tcon.c| 58 ++--- source3/smbd/smbXsrv_tcon.c | 29 +-- 6 files changed, 97 insertions(+), 62 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_fruit.c b/source3/modules/vfs_fruit.c index 4058d4834e7..637e2a1a6ed 100644 --- a/source3/modules/vfs_fruit.c +++ b/source3/modules/vfs_fruit.c @@ -849,7 +849,7 @@ static NTSTATUS check_aapl(vfs_handle_struct *handle, if (req_bitmap & SMB2_CRTCTX_AAPL_SERVER_CAPS) { if ((client_caps & SMB2_CRTCTX_AAPL_SUPPORTS_READ_DIR_ATTR) && - (handle->conn->tcon->compat->fs_capabilities & FILE_NAMED_STREAMS)) { + (handle->conn->fs_capabilities & FILE_NAMED_STREAMS)) { server_caps |= SMB2_CRTCTX_AAPL_SUPPORTS_READ_DIR_ATTR; config->readdir_attr_enabled = true; } @@ -875,7 +875,7 @@ static NTSTATUS check_aapl(vfs_handle_struct *handle, } if (req_bitmap & SMB2_CRTCTX_AAPL_VOLUME_CAPS) { - int val = lp_case_sensitive(SNUM(handle->conn->tcon->compat)); + int val = lp_case_sensitive(SNUM(handle->conn)); uint64_t caps = 0; switch (val) { diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index ff69d95ddfb..837d3c8acd2 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -645,6 +645,8 @@ NTSTATUS smbXsrv_tcon_update(struct smbXsrv_tcon *tcon); NTSTATUS smbXsrv_tcon_disconnect(struct smbXsrv_tcon *tcon, uint64_t vuid); NTSTATUS smb1srv_tcon_table_init(struct smbXsrv_connection *conn); NTSTATUS smb1srv_tcon_create(struct smbXsrv_connection *conn, +uint32_t session_global_id, +const char *share_name, NTTIME now, struct smbXsrv_tcon **_tcon); NTSTATUS smb1srv_tcon_lookup(struct smbXsrv_connection *conn, @@ -653,6 +655,9 @@ NTSTATUS smb1srv_tcon_lookup(struct smbXsrv_connection *conn, NTSTATUS smb1srv_tcon_disconnect_all(struct smbXsrv_client *cli
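Review bot: smb1srv_tcon_create() gains session_global_id and share_name in the globals.h hunk, but the prototype carries no statement that share_name must be non-NULL, which is the invariant this change depends on: the commit message traces the unparseable smbXsrv_tcon_global.tdb records to a NULL share_name being stored. The function body is cut off here; if it does not already reject a NULL share_name before storing, a check that returns an error would keep an invalid record from being written again. In the vfs_fruit.c hunks the switch from handle->conn->tcon->compat to handle->conn is applied in both places it appears.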
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  ca7b7bde391 selftest: Use "debug syslog format = always" in selftest
       via  83fe7a0316d lib/util: Add "debug syslog format = always", which logs to stdout in syslog style
       via  33effa76d6b s4:torture: Extend smb2 session requested_life_time
       via  e69453fc417 s4:torture: Fix warning messages for smb2.session
       via  6dc7ae8b143 s4:torture: Fix warning messages for smb.raw.session
       via  67535ac2259 s4:torture: Remove trailing white spaces
       via  938cbe07db8 s3:tests: Add exit code with failed tests
       via  d163d1ba7aa s3:tests: Use CONFIGURATION passed down to the test
       via  fa591f52234 s3:tests: Correctly implement tests for forceuser/forcegroup
       via  bfae4262036 s3:tests: Use the CONFIGURATION passed down to the test
       via  d8acec0caf8 s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain
       via  e5ef368fb61 lib:ldb:tests: Fix signedness build error
       via  0ef53b948e1 net_ads: fill ads->auth.realm from c->creds
       via  3b585f9e8cc testprogs/blackbox: add test_net_ads_search_server.sh
      from  112faff82f9 dsdb: modify unicodePwd requires encrypted connection

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit ca7b7bde3915a821b1b9911abf18d2d441665382
Author: Andrew Bartlett
Date: Thu Apr 6 12:28:12 2023 +1200

    selftest: Use "debug syslog format = always" in selftest

    Some of the most difficult to debug issues in Samba development are
    around timing, so this changes our default logging format in the
    selftest system to include a high-resolution timestamp to help
    correlate bad events with what else is going on at the same time.

    This fits in well with the timestamps already logged into st/subunit
    and may assist with correlation.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Thu Apr 6 13:44:47 UTC 2023 on atb-devel-224

commit 83fe7a0316d3e5867a56cfdc51ec17f36ea03889
Author: Andrew Bartlett
Date: Thu Apr 6 12:26:11 2023 +1200

    lib/util: Add "debug syslog format = always", which logs to stdout in syslog style

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Stefan Metzmacher

commit 33effa76d6bdb53ecfc1e77c6706d765e34716be
Author: Andreas Schneider
Date: Wed Apr 5 10:04:57 2023 +0200

    s4:torture: Extend smb2 session requested_life_time

    It also only waits for the required amount of time elapsed. Hopefully
    this should avoid running into timeouts.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit e69453fc41767fe99ed95b624d3fb25dc17b1ad6
Author: Andreas Schneider
Date: Wed Apr 5 10:04:34 2023 +0200

    s4:torture: Fix warning messages for smb2.session

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit 6dc7ae8b143bdd9d9573426d7ad6e753e1ff960e
Author: Andreas Schneider
Date: Wed Apr 5 10:00:15 2023 +0200

    s4:torture: Fix warning messages for smb.raw.session

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit 67535ac22594b7b7558871b8d582aa768925a144
Author: Andreas Schneider
Date: Wed Apr 5 09:59:14 2023 +0200

    s4:torture: Remove trailing white spaces

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit 938cbe07db8eb4784b40c961857707a31108793e
Author: Andreas Schneider
Date: Wed Apr 5 09:23:41 2023 +0200

    s3:tests: Add exit code with failed tests

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit d163d1ba7aa1c511fadd69c39aa0df155e71b4d0
Author: Andreas Schneider
Date: Wed Apr 5 09:21:24 2023 +0200

    s3:tests: Use CONFIGURATION passed down to the test

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit fa591f5223434b63429c5505ffbe948b4d6d6847
Author: Andreas Schneider
Date: Wed Apr 5 08:48:29 2023 +0200

    s3:tests: Correctly implement tests for forceuser/forcegroup

    They used the tmp share ...

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit bfae42620365e8caf41f181286268e8f18470aaa
Author: Andreas Schneider
Date: Wed Apr 5 08:47:16 2023 +0200

    s3:tests: Use the CONFIGURATION passed down to the test

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit d8acec0caf820429c4e81b8c99b87d26105568e0
Author: Andreas Schneider
Date: Wed Apr 5 08:57:49 2023 +0200

    s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain

    There is no need to run it against this environment and saves
    resources.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Stefan Metzmacher

commit e5ef368fb61dd81dcdbd10dc2009cbbd96c399ca
Author: Andreas Sc
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  6241380bc52 samba-tool: rewrite dsacl.py to use the new sd_utils helpers
       via  a1109a9bf12 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
       via  8411e6d302e python:sd_utils: introduce update_aces_in_dacl() helper
       via  4627997ddae python/samba/ndr: add ndr_deepcopy() helper
       via  9ea06aaf9f5 py_security: allow idx argument to descriptor.[s|d]acl_add()
       via  2c02378029f libcli/security: add security_descriptor_[s|d]acl_insert() helpers
       via  c3cb915a67a libcli/security: prepare security_descriptor_acl_add() to place the ace at a position
       via  9d8ff0d1e0b replace: add ARRAY_INSERT_ELEMENT() helper
       via  9053862b892 lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper()
      from  be1aae77b76 libcli/security: Reorder SDDL access flags table to match Windows

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 6241380bc52e41744d134e31d77ab900e604e0d1
Author: Stefan Metzmacher
Date: Thu Mar 16 18:32:49 2023 +0100

    samba-tool: rewrite dsacl.py to use the new sd_utils helpers

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall
    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Wed Mar 22 15:57:15 UTC 2023 on atb-devel-224

commit a1109a9bf12e020636b8d66fc54984aac58bfe6b
Author: Stefan Metzmacher
Date: Thu Mar 16 18:03:10 2023 +0100

    python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers

    They better represent what they are doing, we keep dacl_add_ace() as wrapper of dacl_prepend_aces() in order to let existing callers work as before. In future it would be good to have a dacl_insert_aces() that would canonicalize the ace order before storing, but that's a task for another day.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 8411e6d302e25d10f1035ebbdcbde7308566e930
Author: Stefan Metzmacher
Date: Fri Mar 10 18:25:18 2023 +0100

    python:sd_utils: introduce update_aces_in_dacl() helper

    This is a more generic api that can be re-used in other places as well in future. It operates on a security descriptor object instead of SDDL.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 4627997ddae44265ad35b3234232eb74458c6c34
Author: Stefan Metzmacher
Date: Fri Mar 17 14:08:34 2023 +0100

    python/samba/ndr: add ndr_deepcopy() helper

    This uses ndr_pack/unpack in order to create a deep copy of the given object.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9ea06aaf9f57e3c7094553d9ac40fb73057a9b74
Author: Stefan Metzmacher
Date: Thu Mar 16 10:11:05 2023 +0100

    py_security: allow idx argument to descriptor.[s|d]acl_add()

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 2c02378029fff6636b8f19e45af78b265f2210ed
Author: Stefan Metzmacher
Date: Thu Mar 16 10:03:44 2023 +0100

    libcli/security: add security_descriptor_[s|d]acl_insert() helpers

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit c3cb915a67aff6739b72b86d7d139609df309ada
Author: Stefan Metzmacher
Date: Thu Mar 16 10:00:11 2023 +0100

    libcli/security: prepare security_descriptor_acl_add() to place the ace at a position

    Often it is important to insert an ace at a specific position in the ACL. As a default we still append by default by using -1, which is the generic version of passing the number of existing aces.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9d8ff0d1e0b2ba7c84af36e1931f5bc99902a44b
Author: Stefan Metzmacher
Date: Thu Mar 16 09:57:43 2023 +0100

    replace: add ARRAY_INSERT_ELEMENT() helper

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

commit 9053862b89258850c22735cc4123fe5bc0d2e6fa
Author: Stefan Metzmacher
Date: Mon May 17 17:14:34 2021 +0200

    lib/ldb-samba: let ldif_read_ntSecurityDescriptor() only try sddl if isupper()

    Trying ndr_pull_security_descriptor on SDDL produces just strange debug messages, which can cause confusion.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Douglas Bagnall

---

Summary of changes:
 lib/ldb-samba/ldif_handlers.c | 24 --
 lib/replace/replace.h | 15
 libcli/security/security_descriptor.c | 55 ++--
 libcli/security
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via be1aae77b76 libcli/security: Reorder SDDL access flags table to match Windows from 35380fa6a5b gpupdate: Use winbind separator in PAM Access Policies https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit be1aae77b7610933b1121f207e0a4df523c2d278 Author: Joseph Sutton Date: Tue Mar 15 14:01:13 2022 +1300 libcli/security: Reorder SDDL access flags table to match Windows This means that encoding an ACE in string form will now match Windows. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Joseph Sutton Signed-off-by: Stefan Metzmacher Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224 --- Summary of changes: libcli/security/sddl.c | 18 +- python/samba/tests/upgradeprovision.py | 20 ++-- source4/dsdb/tests/python/sec_descriptor.py | 12 ++-- source4/torture/ldb/ldb.c | 18 +- 4 files changed, 34 insertions(+), 34 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index dad5ce8f413..508ac3e5666 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c 
@@ -258,23 +258,23 @@ static const struct flag_map ace_flags[] = { }; static const struct flag_map ace_access_mask[] = { - { "RP", SEC_ADS_READ_PROP }, - { "WP", SEC_ADS_WRITE_PROP }, - { "CR", SEC_ADS_CONTROL_ACCESS }, { "CC", SEC_ADS_CREATE_CHILD }, { "DC", SEC_ADS_DELETE_CHILD }, { "LC", SEC_ADS_LIST }, + { "SW", SEC_ADS_SELF_WRITE }, + { "RP", SEC_ADS_READ_PROP }, + { "WP", SEC_ADS_WRITE_PROP }, + { "DT", SEC_ADS_DELETE_TREE }, { "LO", SEC_ADS_LIST_OBJECT }, + { "CR", SEC_ADS_CONTROL_ACCESS }, + { "SD", SEC_STD_DELETE }, { "RC", SEC_STD_READ_CONTROL }, - { "WO", SEC_STD_WRITE_OWNER }, { "WD", SEC_STD_WRITE_DAC }, - { "SD", SEC_STD_DELETE }, - { "DT", SEC_ADS_DELETE_TREE }, - { "SW", SEC_ADS_SELF_WRITE }, + { "WO", SEC_STD_WRITE_OWNER }, { "GA", SEC_GENERIC_ALL }, - { "GR", SEC_GENERIC_READ }, - { "GW", SEC_GENERIC_WRITE }, { "GX", SEC_GENERIC_EXECUTE }, + { "GW", SEC_GENERIC_WRITE }, + { "GR", SEC_GENERIC_READ }, { NULL, 0 } }; diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py index 5f77a777fc9..b281ad8722f 100644 --- a/python/samba/tests/upgradeprovision.py +++ b/python/samba/tests/upgradeprovision.py 
@@ -64,21 +64,21 @@ class UpgradeProvisionTestCase(TestCaseInTempDir): def test_get_diff_sds(self): domsid = security.dom_sid('S-1-5-21') -sddl = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl1 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl1 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl2 = "O:BAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl2 = "O:BAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl3 = "O:SAG:BAD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl3 = "O:SAG:BAD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl4 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;BA)\ +sddl4 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;BA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)" -sddl5 = "O:SAG:DUD:AI(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl5 = "O:SAG:DUD:AI(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" -sddl6 = "O:SAG:DUD:AI(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)\ +sddl6 = "O:SAG:DUD:AI(A;CIID;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CIID;RP LCLORC;;;AU)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)\ -(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)\ +(A;CI;CCLCSWRPWPLOCRRCWDWO;;;SA)\ (A;CI;RP LCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CISA;WP;;;WD)(AU;CIIDSA;WP;;;WD)" self.assertEqual(get_diff_sd
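Review bot: in the libcli/security/sddl.c hunk the order of entries in `ace_access_mask[]` becomes load-bearing, since the commit message says the encoded ACE string now follows it, but nothing in the table says so. A one-line comment above the array stating that the entry order defines the encoded flag order and must match Windows would keep a later addition from being placed arbitrarily. The reorder also changes the text produced for an unchanged descriptor, as the fixture updates in this same patch show, so anything that compares SDDL strings byte for byte should compare decoded descriptors instead.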
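Review bot: in test_get_diff_sds only the first ACE of each string moves to the new order (`CCLCSWRPWPLOCRRCWDWO`), while the SY ACE in the same strings keeps the old one (`RPWPCRCCDCLCLORCWOWDSDDTSW`). If that is deliberate because only the first ACE ends up re-encoded in the compared output, a short comment in the test saying so would help; otherwise the remaining ACEs should be rewritten too, so the fixtures show a single flag order.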
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  f3fad5a189f libcli/security: prepare sddl machine/forest_sid handling
       via  bd327f7d7a0 libcli/security: simplify sddl_encode_sid()
       via  8f4aced3653 libcli/security: simplify rid-based SDDL sid strings
       via  7d466a913f2 libcli/security: introduce struct sddl_transition_state
      from  3e2eb1b0236 s4:kdc: Add client claims blob if it is present

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit f3fad5a189f73615360510ac61266c9fffa58edc
Author: Stefan Metzmacher
Date: Thu Jan 14 11:02:10 2016 +0100

    libcli/security: prepare sddl machine/forest_sid handling

    In future we need to pass in 3 sids to sddl_encode()

    Once we pass in a machine_sid from the caller we need to have a test on a Windows member if the .machine_rid values really belong to the local machine sid. At least [MS-DTYP] 2.4.2.4 Well-Known SID Structures pretends "LA" and "LG" are relative to the local machine sid.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton
    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Mon Mar 20 10:53:41 UTC 2023 on atb-devel-224

commit bd327f7d7a0d5f3377129ceb7f74e9dcf40587f3
Author: Stefan Metzmacher
Date: Fri Mar 25 14:23:45 2022 +0100

    libcli/security: simplify sddl_encode_sid()

    We should walk the sid_codes array just once. This makes further changes easier...

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett
    Reviewed-by: Joseph Sutton

commit 8f4aced365381cae70fa33f9f0641f33ab3db1fb
Author: Stefan Metzmacher
Date: Fri Mar 25 13:28:48 2022 +0100

    libcli/security: simplify rid-based SDDL sid strings
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 7d466a913f2c0038b30424403a7355db849fee7a Author: Stefan Metzmacher Date: Thu Apr 30 19:49:12 2020 +0200 libcli/security: introduce struct sddl_transition_state In future we'll need more than 'domain_sid' in order to do the correct transition of SDDL to/from security_descriptor. In the end we most likely add an sddl_transition_{create,encode,decode}() api in order to allow the caller to create an sddl_transition_state once and then pass it to multiple calls to encode/decode. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: libcli/security/sddl.c | 186 + 1 file changed, 127 insertions(+), 59 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 076f040cfb8..dad5ce8f413 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -25,6 +25,12 @@ #include "librpc/gen_ndr/ndr_misc.h" #include "system/locale.h" +struct sddl_transition_state { + const struct dom_sid *machine_sid; + const struct dom_sid *domain_sid; + const struct dom_sid *forest_sid; +}; + struct flag_map { const char *name; uint32_t flag; @@ -87,7 +93,9 @@ static bool sddl_map_flags(const struct flag_map *map, const char *str, static const struct { const char *code; const char *sid; - uint32_t rid; + uint32_t machine_rid; + uint32_t domain_rid; + uint32_t forest_rid; } sid_codes[] = { { .code = "WD", .sid = SID_WORLD }, 
@@ -147,28 +155,28 @@ static const struct { { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY }, { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY }, - { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, + { .code = "RO", .forest_rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS }, - { .code = "LA", .sid = NULL, .rid = DOMAIN_RID_ADMINISTRATOR }, - { .code = "LG", .sid = NULL, .rid = DOMAIN_RID_GUEST }, + { .code = "LA", .machine_rid = DOMAIN_RID_ADMINISTRATOR }, + { .code = "LG", .machine_rid = DOMAIN_RID_GUEST }, - { .code = "DA", .sid = NULL, .rid = DOMAIN_RID_ADMINS }, - { .code = "DU", .sid = NULL, .rid = DOMAIN_RID_USERS }, - { .code = "DG", .sid = NULL, .rid = DOMAIN_RID_GUESTS }, - { .code = "DC", .sid = NULL, .rid = DOMAIN_RID_DOMAIN_MEMBERS }, - { .code = "DD", .sid = NULL, .rid = DOMAIN_RID_DCS }, - { .code = "CA", .sid = NULL, .rid = DOMAIN_RID_CERT_ADMINS }, - { .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS }, - { .code = &quo
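Review bot: the new `struct sddl_transition_state` at the top of libcli/security/sddl.c holds three borrowed `const struct dom_sid *` pointers with no comment on which of them may be NULL or who owns them. The commit message implies callers do not pass a machine_sid yet, so the struct should document what encode and decode do with a `.machine_rid` or `.forest_rid` code when the matching pointer is NULL.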
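Review bot: with `rid` split into `machine_rid`, `domain_rid` and `forest_rid`, each `sid_codes[]` entry is expected to set exactly one of `.sid` or the three rid fields, and 0 now means unset, but the struct neither documents nor checks that. A comment on the anonymous struct stating the invariant would do. Moving "LA" and "LG" to `.machine_rid` also changes which base SID those codes resolve against, and the commit message says this still needs a test on a Windows member; a comment on those two entries citing [MS-DTYP] 2.4.2.4 would keep that open question next to the code, since resolving them against the wrong base SID would name a different principal in the ACE.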
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  7ee725f2860 idmap_hash: remember new domain sids in idmap_hash_sid_to_id()
       via  ee820553fd2 idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache
       via  ede88d9f83f idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet
       via  42dcb3db055 idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later
       via  c158b075b0b idmap_hash: split out a idmap_hash_sid_to_id() helper function
       via  57150b463fb idmap_hash: split out a idmap_hash_id_to_sid() helper function
       via  14102b05f37 idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid
       via  0da13ab3ad7 idmap_hash: we don't need to call idmap_hash_initialize() over and over again
       via  2cfcff3101f idmap_hash: remove unused error checks
       via  0f96c4b419a idmap_hash: fix comments about the algorithm
       via  9a24570d3d6 idmap_hash: provide ID_TYPE_BOTH mappings also for unixids_to_sids
       via  a9583b5f96f idmap_autorid: fix ID_REQUIRE_TYPE for more than one SID for an unknown domain
       via  ad242a20643 winbindd: don't call set_domain_online_request() in the idmap child
      from  78635d55fb8 audit_logging: Use `json_int_t` instead of `int` for `json_add_int` value type

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 7ee725f2860d835e9619fa594a2ee6faedbc6d21
Author: Stefan Metzmacher
Date: Thu Mar 21 16:54:31 2019 +0100

    idmap_hash: remember new domain sids in idmap_hash_sid_to_id()

    This change means that idmap_hash_id_to_sid() can return mappings for new domains learned in idmap_hash_sid_to_id().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison
    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224

commit ee820553fd2c6ada966a0160cbb0240049f9d9f7
Author: Stefan Metzmacher
Date: Thu Mar 21 16:54:31 2019 +0100

    idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit ede88d9f83fb77fa8eff226fb6a85ac71e415098
Author: Stefan Metzmacher
Date: Thu Mar 21 16:54:31 2019 +0100

    idmap_hash: only return ID_REQUIRE_TYPE if we don't know about the domain yet

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit 42dcb3db05530179a991fe58e7b96b52bbbcc607
Author: Stefan Metzmacher
Date: Thu Mar 21 16:54:31 2019 +0100

    idmap_hash: return ID_REQUIRE_TYPE only if there's a chance to get a mapping later

    If we are going to return ID_UNMAPPED later anyway, there's no need to defer that decision by returning ID_REQUIRE_TYPE first.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit c158b075b0b5035615fa8848f1f3d8ef27696861
Author: Stefan Metzmacher
Date: Thu Mar 21 14:05:13 2019 +0100

    idmap_hash: split out a idmap_hash_sid_to_id() helper function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit 57150b463fb8e27c048670f7b4902bd091ee3ae9
Author: Stefan Metzmacher
Date: Thu Mar 21 14:05:13 2019 +0100

    idmap_hash: split out a idmap_hash_id_to_sid() helper function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit 14102b05f3744c67178bd719d41e67fc3e049ee4
Author: Stefan Metzmacher
Date: Thu Mar 21 14:00:16 2019 +0100

    idmap_hash: mirror the NT_STATUS_NONE_MAPPED/STATUS_SOME_UNMAPPED logic from idmap_autorid

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit 0da13ab3ad7278eafdcd988f39e891242eb46d37
Author: Stefan Metzmacher
Date: Thu Mar 21 10:54:49 2019 +0100

    idmap_hash: we don't need to call idmap_hash_initialize() over and over again

    It's always the first function that's called from idmap_methods. This also demonstrates that we currently always return NT_STATUS_OK, even if we haven't mapped all map entries.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Jeremy Allison

commit 2cfcff3101fce94b365eccde114432dfa980bbd0
Author: Stefan Metzmacher
Date: Thu Mar 21 13:54:10 2019 +0100

    idmap_hash: remove unused error checks

    id_map_ptrs_init() is used in the callers in order
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  cc4e11d0282 smbd: Remove smbXsrv_open_global0->db_rec
       via  1bd16bc6d45 smbd: Use dbwrap_do_locked() in smb2srv_open_recreate()
       via  fede6b9f465 smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn()
       via  ca872ad6ba1 smbd: let smbXsrv_open_cleanup() delete broken records
       via  a69950db4a7 smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup()
       via  62a66331934 smbd: Use dbwrap_do_locked() in smbXsrv_open_close()
       via  26b29ecbb9d smbd: Use dbwrap_do_locked() in smbXsrv_open_update()
       via  bfede670bd4 smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate()
       via  84d22dc5f57 smbd: Make smbXsrv_open_global_allocate() store the record
       via  95e3ad7e437 smbd: Simplify smbXsrv_open_global_store()
       via  fafebc46c8b smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c
       via  a93d93a97df smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate()
      from  e8abe52df2d s3: smbd: Fix log spam. Change a normal error message from DBG_ERR (level 0) to DBG_INFO (level 5).

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit cc4e11d02826526e61e85e1a939c515d01323dcb
Author: Volker Lendecke
Date: Wed Jan 11 11:02:11 2023 +0100

    smbd: Remove smbXsrv_open_global0->db_rec

    The only user by now was net serverid wipedbs, and there it was easy to replace

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher
    Autobuild-User(master): Stefan Metzmacher
    Autobuild-Date(master): Mon Feb 13 10:49:43 UTC 2023 on atb-devel-224

commit 1bd16bc6d451e810dc215e7638de483a6e2d04a6
Author: Volker Lendecke
Date: Wed Jan 11 10:54:37 2023 +0100

    smbd: Use dbwrap_do_locked() in smb2srv_open_recreate()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit fede6b9f4652588825fdd4b458fcf23250339e79
Author: Stefan Metzmacher
Date: Tue Jan 31 12:39:06 2023 +0100

    smbd: rename 'op' into 'global' in smbXsrv_open_cleanup_fn()

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Volker Lendecke

commit ca872ad6ba1c7f84af5a9be89de5d2973d2cd87e
Author: Volker Lendecke
Date: Tue Jan 10 12:29:18 2023 +0100

    smbd: let smbXsrv_open_cleanup() delete broken records

    Pair-Programmed-With: Stefan Metzmacher
    Signed-off-by: Volker Lendecke
    Signed-off-by: Stefan Metzmacher

commit a69950db4a7344ee1bec8fc7b66a402597f578a2
Author: Volker Lendecke
Date: Tue Jan 10 12:29:18 2023 +0100

    smbd: Use dbwrap_do_locked() in smbXsrv_open_cleanup()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 62a66331934b298f9df1e661b61cb4c193d1a5a0
Author: Volker Lendecke
Date: Tue Jan 10 11:59:07 2023 +0100

    smbd: Use dbwrap_do_locked() in smbXsrv_open_close()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 26b29ecbb9dbc518856cd59629e1d291540e4ba7
Author: Volker Lendecke
Date: Sun Jan 8 21:04:25 2023 +0100

    smbd: Use dbwrap_do_locked() in smbXsrv_open_update()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit bfede670bd4152d22897ee52a176dd6e620974e6
Author: Volker Lendecke
Date: Thu Jan 26 09:08:27 2023 +0100

    smbd: Use dbwrap_do_locked() in smbXsrv_open_global_allocate()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 84d22dc5f57393baf5a914815eedd9536e398026
Author: Volker Lendecke
Date: Fri Jan 6 17:12:23 2023 +0100

    smbd: Make smbXsrv_open_global_allocate() store the record

    Micro-step towards using dbwrap_do_locked()

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit 95e3ad7e4378e1d82da8eb745147539a96a28f8c
Author: Volker Lendecke
Date: Thu Jan 5 16:18:37 2023 +0100

    smbd: Simplify smbXsrv_open_global_store()

    Avoid the dependency on global->db_rec. This makes the callers more verbose, but it makes the data dependencies much more obvious. This will enable removing smbXsrv_open_global0->db_rec at some point.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit fafebc46c8bf624736995f3a87819b3c075cb383
Author: Volker Lendecke
Date: Thu Jan 26 08:46:31 2023 +0100

    smbd: Move smbXsrv_open_global_verify_record() down in smbXsrv_open.c

    Avoid prototypes

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefan Metzmacher

commit a93d93a97df9ffb1c76c9923e147743d6865ff6a
Author: Volker Lendecke
Date: Fri Jan 6 16:46:11 2023 +0100

    smbd: Use generate_nonce_buffer() in smbXsrv_open_global_allocate()

    We don't need anything cryptographic for persistent file handle ids

    Signed-off-by: Volker Lendecke
    Reviewed-by: Stefa