[SCM] Samba Shared Repository - branch master updated

2021-12-03 Thread Andrew Bartlett
The branch, master has been updated
   via  dab828f63c0 pytest/source_char: check for mixed direction text
   via  0f7e58b0e29 samba-tool domain backup: backup but do not follow symlinks
   via  697abc15ea5 samba-tool domain backup: cope better with dangling symlinks
  from  5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit dab828f63c0a6bf0bb96920fd36383f6cbe43179
Author: Douglas Bagnall 
Date:   Wed Nov 17 20:17:53 2021 +

pytest/source_char: check for mixed direction text

As pointed out in https://lwn.net/Articles/875964, forbidding bidi
marker characters is not always going to be enough to avoid
right-to-left vs left-to-right confusion. Consider this:

$ python -c's = "b = x  # 2 * n * m"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = x  # 2 * n * m
b = א  # 2 * ח * m

Those two lines are semantically the same, with the Hebrew letters
"א" and "ח" replacing "x" and "n". But they look like they mean
different things.

It is not enough to say we only allow these scripts (or indeed
non-ascii) in strings and comments, as demonstrated in this example:

$ python -c's = "b = \"x#\"  #  n"; print(s); print(s.replace("x", "א").replace("n", "ח"))'

b = "x#"  #  n
b = "א#"  #  ח

where the second line is visually disordered but looks valid. Any series
of neutral characters between two RTL characters will be reversed (and
possibly mirrored).

In practice this affects one file, which is a text file for testing
unicode normalisation.

I think, for the reasons shown above, we are unlikely to see legitimate
RTL code outside perhaps of documentation files — but if we do, we can
add those files to the allow-list.

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Dec  3 18:53:43 UTC 2021 on sn-devel-184
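An added example, not Samba's own source_chars.py test (which is not shown in this truncated changeset), of how a checker in the spirit of the commit above can flag lines that mix strong left-to-right and right-to-left text, using Python's unicodedata bidi classes; the function names and the sample lines are assumptions, and it also catches the explicit RTL control characters the commit says are not sufficient to forbid on their own.

```python
import unicodedata

# Unicode bidi classes: strong RTL letters (R, AL) plus the explicit RTL
# controls, and strong LTR letters plus the explicit LTR controls.
RTL_CLASSES = {"R", "AL", "RLE", "RLO", "RLI"}
LTR_CLASSES = {"L", "LRE", "LRO", "LRI"}


def line_directions(line):
    """Return the set of strong directions ('L', 'R') present in a line.

    Neutral characters (spaces, punctuation, digits) are ignored: they take
    their direction from the strong characters around them, which is what
    lets the two lines quoted in the commit message render misleadingly.
    """
    found = set()
    for ch in line:
        cls = unicodedata.bidirectional(ch)
        if cls in RTL_CLASSES:
            found.add("R")
        elif cls in LTR_CLASSES:
            found.add("L")
    return found


def check_source(text, allow_rtl=False):
    """Return [(lineno, reason)] for lines that mix LTR and RTL text, or
    that contain any RTL text at all unless allow_rtl is set."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        dirs = line_directions(line)
        if "R" in dirs and "L" in dirs:
            problems.append((lineno, "mixed LTR and RTL text"))
        elif "R" in dirs and not allow_rtl:
            problems.append((lineno, "RTL text"))
    return problems


# Constructed sample: the two lines from the commit message plus a
# pure-Hebrew comment line (RTL only, no mixing).
SAMPLE = (
    'b = x  # 2 * n * m\n'
    'b = א  # 2 * ח * m\n'
    '# שלום\n'
)

if __name__ == "__main__":
    for lineno, reason in check_source(SAMPLE):
        print(f"line {lineno}: {reason}")
```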

commit 0f7e58b0e29778711d3385adbba957c175c3bdef
Author: Douglas Bagnall 
Date:   Wed Dec 1 10:20:48 2021 +1300

samba-tool domain backup: backup but do not follow symlinks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

commit 697abc15ea50e9069eb483fdd734588281bae123
Author: Douglas Bagnall 
Date:   Thu Nov 25 09:26:54 2021 +1300

samba-tool domain backup: cope better with dangling symlinks

Our previous behaviour was to try to os.stat() the non-existent
target.

The new code greatly improves efficiency for this little task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14918

Signed-off-by: Douglas Bagnall 
Reviewed-by: Andrew Bartlett 

---

Summary of changes:
 python/samba/netcmd/domain_backup.py | 10 +-
 python/samba/tests/source_chars.py   | 29 +
 testdata/source-chars-bidi.py| 24 
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 testdata/source-chars-bidi.py


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain_backup.py 
b/python/samba/netcmd/domain_backup.py
index 81738196385..6cb0e512595 100644
--- a/python/samba/netcmd/domain_backup.py
+++ b/python/samba/netcmd/domain_backup.py
@@ -1109,6 +1109,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 
 # Recursively get all file paths in the backup directories
 all_files = []
+all_stats = set()
 for backup_dir in backup_dirs:
 for (working_dir, _, filenames) in os.walk(backup_dir):
 if working_dir.startswith(paths.sysvol):
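Review bot: `all_stats` holds `(st_ino, st_dev)` pairs rather than stat results, so a one-line comment at the declaration (or a name such as `seen_inodes`) would make the membership test that uses it later easier to read.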
@@ -1126,7 +1127,13 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 # Ignore files that have already been added. This prevents
 # duplicates if one backup dir is a subdirectory of 
another,
 # or if backup dirs contain hardlinks.
-if any(os.path.samefile(full_path, file) for file in 
all_files):
+try:
+s = os.stat(full_path, follow_symlinks=False)
+except FileNotFoundError:
+logger.warning(f"{full_path} does not exist!")
+continue
+
+if (s.st_ino, s.st_dev) in all_stats:
 continue
 
 # Assume existing backup files are from a previous backup.
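Review bot: with `os.stat(full_path, follow_symlinks=False)` the link itself is stat'ed, so a dangling symlink no longer raises here and is carried into the backup as a link, which matches the commit message; the `FileNotFoundError` branch now only covers a file removed between `os.walk` and the stat, so the warning could say the file is being skipped. Also worth a comment: keying on the link's own `(st_ino, st_dev)` means two symlinks to one target are no longer collapsed the way `os.path.samefile` did, which is consistent with not following symlinks but is a behaviour change.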
@@ -1140,6 +1147,7 @@ class cmd_domain_backup_offline(samba.netcmd.Command):
 continue
 
 all_files.append(full_path)
+all_stats.add((s.st_ino, s.st_dev))
 
 # We would prefer to 
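Review bot: `all_files.append(full_path)` and `all_stats.add((s.st_ino, s.st_dev))` must stay in lock-step; any future early `continue` inserted between the membership check and this point would reintroduce duplicates. Adding to `all_stats` right after the membership test, or keying a single dict by `(st_ino, st_dev)`, would remove that coupling.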

[SCM] Samba Shared Repository - branch master updated

2021-12-03 Thread Stefan Metzmacher
The branch, master has been updated
   via  5e3df5f9ee6 smbd: s3-dsgetdcname: handle num_ips == 0
   via  1e61de83066 CVE-2020-25717: s3-auth: fix MIT Realm regression
   via  f621317e3b2 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object
  from  d1ea9c5aaba libcli:auth: Allow to connect to netlogon server offering only AES

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5e3df5f9ee64a80898f73585b19113354f463c44
Author: Ralph Boehme 
Date:   Fri Nov 26 11:59:45 2021 +0100

smbd: s3-dsgetdcname: handle num_ips == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923

Pair-Programmed-With: Stefan Metzmacher 
Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 
Reviewed-by: Guenther Deschner 
Reviewed-by: Jeremy Allison 

Autobuild-User(master): Stefan Metzmacher 
Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184

commit 1e61de8306604a0d3858342df8a1d2412d8d418b
Author: Ralph Boehme 
Date:   Fri Nov 26 10:57:17 2021 +0100

CVE-2020-25717: s3-auth: fix MIT Realm regression

This looks like a regression introduced by the recent security fixes. This
commit should hopefully fix it.

As a quick solution it might be possible to use the username map script based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not
sure this behaves identically, but it might work in the standalone server case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922

Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html

Pair-Programmed-With: Stefan Metzmacher 

Signed-off-by: Ralph Boehme 
Signed-off-by: Stefan Metzmacher 

commit f621317e3b25a8925ab6e448068264488a0a47c7
Author: Andrew Bartlett 
Date:   Fri Nov 12 12:44:44 2021 +1300

dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object

This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902

Signed-off-by: Andrew Bartlett 
Reviewed-by: Stefan Metzmacher 

---

Summary of changes:
 source3/auth/user_krb5.c|  9 +
 source3/libsmb/dsgetdcname.c|  4 
 source4/dsdb/samdb/ldb_modules/operational.c|  2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
 4 files changed, 26 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+   bool may_retry = false;
 
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
 
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+   may_retry = true;
}
 
fuser = talloc_asprintf(mem_ctx,
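Review bot: `may_retry = true;` is set only on the `lp_workgroup()` fallback branch, and nothing says why; a short comment noting that the retry exists for principals whose realm could not be mapped to a domain (the MIT realm case from the commit message) would stop a later reader from "simplifying" it to apply on both branches.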
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
 
pw = smb_getpwnam(mem_ctx, fuser, , true);
+   if (may_retry && pw == NULL && !*is_mapped) {
+   fuser = talloc_strdup(mem_ctx, user);
+   if (!fuser) {
+   return NT_STATUS_NO_MEMORY;
+   }
+   pw = smb_getpwnam(mem_ctx, fuser, , true);
+   }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
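Review bot: the retry under `if (may_retry && pw == NULL && !*is_mapped)` drops the domain qualifier and looks up the bare principal name, which can resolve to a different local account than the qualified name would; a comment should state that this is intended only for the standalone/MIT-realm case so the wider implication is visible at the call site. Also, the `fuser` buffer from `talloc_asprintf` above is overwritten by `talloc_strdup` without being freed, so a `TALLOC_FREE(fuser);` before the retry keeps it from lingering on `mem_ctx`.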
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index f8ae96109b7..5954e48d747 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
 
+   if (dcs[i].num_ips == 0) {
+   continue;
+   }
+
dclist[ret_count].hostname =
talloc_move(dclist, [i].hostname);
 
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 11b87bdf5ca..2b3cd2d7954 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1408,7 +1408,7 @@ static const struct op_attributes_replace search_sub[] = {
{ "tokenGroups", "primaryGroupID",