[SCM] Samba Shared Repository - branch master updated

2023-07-21 Thread Ralph Böhme
The branch, master has been updated
   via  5442c47dad2 libsmb: increase a debug level when site-aware DC lookup failed
  from  9bab902fc50 CVE-2023-3347: smbd: fix "server signing = mandatory"

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 5442c47dad2d1c018b60a3a1e19c400bd0f4b4ac
Author: Ralph Boehme 
Date:   Thu Jul 20 17:08:19 2023 +0200

libsmb: increase a debug level when site-aware DC lookup failed

Signed-off-by: Ralph Boehme 
Reviewed-by: Noel Power 

Autobuild-User(master): Ralph Böhme 
Autobuild-Date(master): Fri Jul 21 16:19:35 UTC 2023 on atb-devel-224

---

Summary of changes:
 source3/libsmb/namequery.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 4733aaed693..e6c0c7d2a09 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -3472,10 +3472,10 @@ NTSTATUS get_sorted_dc_list(TALLOC_CTX *ctx,
);
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS)
&& sitename) {
-   DBG_NOTICE("no server for name %s available"
-   " in site %s, fallback to all servers\n",
-   domain,
-   sitename);
+   DBG_WARNING("No server for domain '%s' available"
+   " in site '%s', fallback to all servers\n",
+   domain,
+   sitename);
status = get_dc_list(ctx,
domain,
NULL,
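Review bot: the `DBG_WARNING` call in `get_sorted_dc_list()` changes the message text as well as the level ("name" becomes "domain", both values gain quotes, the first word is capitalised), but the commit message mentions only the level. Please mention the text change there, since any log filter matching the old string "no server for name" will stop matching. A sentence on why this fallback deserves warning level would also help: where a site has no DC by design, this line is now emitted on every site-aware lookup that reaches the fallback.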


-- 
Samba Shared Repository



[SCM] Samba Shared Repository - branch master updated

2023-07-21 Thread Jule Anger
The branch, master has been updated
   via  9bab902fc50 CVE-2023-3347: smbd: fix "server signing = mandatory"
   via  5a222ac3718 CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()
   via  59131d6c345 CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()
   via  1662eeeb7a6 CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()
   via  a9a2b182df7 CVE-2023-3347: CI: add a test for server-side mandatory signing
   via  578e434a941 CVE-2023-34968: mdssvc: return a fake share path
   via  94fcbec8af5 CVE-2023-34968: mdscli: return share relative paths
   via  d402c0cc6ad CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
   via  ac9008a20c8 CVE-2023-34968: mdssvc: switch to doing an early return
   via  33b82c6185b CVE-2023-34968: mdssvc: remove response blob allocation
   via  5c9efa9604d CVE-2023-34968: rpcclient: remove response blob allocation
   via  6d77daa3af0 CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
   via  e85e09eee93 CVE-2023-34968: mdscli: remove response blob allocation
   via  617fe37cc2a CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
   via  70184ef3b40 CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
   via  02552493e37 CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map
   via  4c60e35add4 CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
   via  3b3c30e2acf CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
   via  38664163fca CVE-2023-34966: mdssvc: harden sl_unpack_loop()
   via  10b6890d26b CVE-2023-34966: CI: test for sl_unpack_loop()
   via  e067c523b17 CVE-2022-2127: ntlm_auth: cap lanman response length value
   via  b2de71734f0 CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
  from  76ad44f446c lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 9bab902fc50f88869b253c4089d83b3e33a1075a
Author: Ralph Boehme 
Date:   Tue Jun 20 15:33:02 2023 +0200

CVE-2023-3347: smbd: fix "server signing = mandatory"

This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because
when calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme 

Autobuild-User(master): Jule Anger 
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224

commit 5a222ac37183ba5dd717d81c7e57f78e59695a67
Author: Ralph Boehme 
Date:   Tue Jun 20 18:13:23 2023 +0200

CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()

This is just going to bitrot. Anyone who's interested can just grep for
"signing_mandatory" and look up what it does.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme 

commit 59131d6c345864dcf1ed3331c52ce35ddc5db2dc
Author: Ralph Boehme 
Date:   Wed Jun 21 15:10:58 2023 +0200

CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()

It's now a one-line function, imho the overall code is simpler if that code
is just inlined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme 

commit 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a
Author: Ralph Boehme 
Date:   Wed Jun 21 15:06:12 2023 +0200

CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme 

commit a9a2b182df738fd283f820e162d189d20010ad63
Author: Ralph Boehme 
Date:   Tue Jun 20 12:46:31 2023 +0200

CVE-2023-3347: CI: add a test for server-side mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme 

commit 578e434a94147dc2d7dbfc006d2ab84807859c1d
Author: Ralph Boehme 
Date:   Mon Jun 5 18:02:20 2023 +0200

CVE-2023-34968: mdssvc: return a fake share path

Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with
the share name, iow for a share "test" with a server-side path of "/foo/bar",
we previously returned

  /foo/bar and
  /foo/bar/search/result

and now return

  /test and
  /test/search/result

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme 
Reviewed-by: Stefan Metzmacher 

commit 

[SCM] Samba Shared Repository - branch master updated

2023-07-21 Thread Andrew Bartlett
The branch, master has been updated
   via  76ad44f446c lib/cmdline: Also redact --newpassword in samba_cmdline_burn()
   via  414b3803bb6 lib/cmdline: Also burn the --password2 parameter if given
   via  a53ebc288f4 samba-tool: Use samba.glue.get_burnt_cmdline rather than regex
   via  3f9e4558985 python: Add glue.burn_commandline() method
   via  5afd206d1d8 python: Remove const from PyList_AsStringList()
   via  fd81759e2ed python: Move PyList_AsStringList to common code so we can reuse
   via  848fea1a01a lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()
  from  0da6cc71054 claims.idl: Fix AD claims encoding

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 76ad44f446c42832e87b2c60a4731a8de3a0018f
Author: Andrew Bartlett 
Date:   Fri Jul 21 15:39:28 2023 +1200

lib/cmdline: Also redact --newpassword in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Jul 21 06:16:30 UTC 2023 on atb-devel-224

commit 414b3803bb6a1b12c44b52ab1ff64a8b7f61fd03
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:35:20 2023 +1200

lib/cmdline: Also burn the --password2 parameter if given

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit a53ebc288f47329c997d52325eeeb5e91ce43b75
Author: Andrew Bartlett 
Date:   Fri Jul 21 13:30:39 2023 +1200

samba-tool: Use samba.glue.get_burnt_cmdline rather than regex

This use avoids having two different methods to match on command-line
passwords.  We already have a dependency on the setproctitle python
module, and this does not change as the (C) libbsd setproctitle()
can't be run from within a python module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 3f9e455898554b726bf1689f743b2d9cb6b59537
Author: Andrew Bartlett 
Date:   Fri Jul 21 13:29:22 2023 +1200

python: Add glue.burn_commandline() method

This uses samba_cmdline_burn() so as to have common
command line redaction code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 5afd206d1d8f0344a2f1fa7a238204d1fb164eda
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:32:46 2023 +1200

python: Remove const from PyList_AsStringList()

The returned strings are not owned by python, so need not be const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit fd81759e2ed44cac3bc67243a39256f953969103
Author: Andrew Bartlett 
Date:   Fri Jul 21 14:31:30 2023 +1200

python: Move PyList_AsStringList to common code so we can reuse

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

commit 848fea1a01a4ddc1598150823d5d0784d3ef0be4
Author: Andrew Bartlett 
Date:   Fri Jul 21 15:27:00 2023 +1200

lib/cmdline: Return if the commandline was redacted in samba_cmdline_burn()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett 
Reviewed-by: Douglas Bagnall 

---

Summary of changes:
 lib/cmdline/cmdline.c  | 17 +--
 lib/cmdline/cmdline.h  |  4 ++-
 python/modules.c   | 35 +
 python/modules.h   |  7 +
 python/pyglue.c| 60 
 python/samba/getopt.py | 69 --
 python/samba/tests/cred_opt.py | 14 ++---
 python/wscript |  1 +
 source4/auth/pyauth.c  | 38 ++-
 source4/auth/wscript_build |  4 ++-
 10 files changed, 156 insertions(+), 93 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index de34a798aaf..db962146bd2 100644
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -135,8 +135,9 @@ void samba_cmdline_set_machine_account_fn(
cli_credentials_set_machine_account_fn = fn;
 }
 
-void samba_cmdline_burn(int argc, char *argv[])
+bool samba_cmdline_burn(int argc, char *argv[])
 {
+   bool burnt = false;
bool found = false;
bool is_user = false;
char *p = NULL;
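Review bot: the switch of `samba_cmdline_burn()` from `void` to `bool` needs a statement of what `true` means, and the new `burnt` flag is declared directly beside the existing `found` flag with nothing to tell the two apart. Suggest documenting the return value at the declaration in `lib/cmdline/cmdline.h` (for instance "true if at least one argument was overwritten") and adding a one-line comment on `burnt` versus `found`, so callers know whether they may rely on the result to decide that the process title needs updating.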
@@ -146,9 +147,13 @@ void samba_cmdline_burn(int argc, char *argv[])
for (i = 0; i < argc; i++) {
p = argv[i];
if (p == NULL) {
-   return;
+
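Review bot: the early exit under `if (p == NULL)` inside the loop should return `burnt` rather than a constant `false`, so that a NULL entry reached after an argument has already been redacted still reports the redaction to the caller. The replacement for the removed `return;` is cut off in this mail, so please confirm that is what the new line does.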