import samba-4.13.3-3.el8

This commit is contained in:
CentOS Sources 2021-05-18 02:37:23 -04:00 committed by Andrew Lukoshko
parent ccb8f09c93
commit 632852dad7
14 changed files with 13368 additions and 3389 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
SOURCES/samba-4.12.3.tar.xz
SOURCES/samba-4.13.3.tar.xz


@ -1,2 +1,2 @@
6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
5e1f1a069527fbb3eba6e484c60348cb84c8433f SOURCES/samba-4.12.3.tar.xz
6a4902df7eddc338c29a0ddf9e6086afdc73bd56 SOURCES/samba-4.13.3.tar.xz


@ -1,986 +0,0 @@
From 881e3b47a17d7d0b3687ef26d782fc3281a8faa3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 29 Nov 2019 13:48:24 +0100
Subject: [PATCH 1/7] s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in
ads_keytab_add_entry()
This is currently not critical as we only use keytabs
only as acceptor, but in future we'll also use them
for kinit() and there we should prefer the newest type.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos_keytab.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 7d193e1a600..bc35d5edbe4 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -240,11 +240,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
krb5_data password;
krb5_kvno kvno;
krb5_enctype enctypes[6] = {
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
#endif
ENCTYPE_ARCFOUR_HMAC,
0
--
2.24.1
From bc27267b33d989468d7d993e4db2bd9b649bd996 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 16:50:45 +0200
Subject: [PATCH 2/7] Add a test to check dNSHostName with netbios aliases
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/nb_alias_dnshostname | 2 ++
testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++
2 files changed, 16 insertions(+)
create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
new file mode 100644
index 00000000000..3c14e9931b9
--- /dev/null
+++ b/selftest/knownfail.d/nb_alias_dnshostname
@@ -0,0 +1,2 @@
+^samba4.blackbox.net_ads.nb_alias check dNSHostName
+^samba4.blackbox.net_ads.nb_alias check main SPN
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 95c0cf76f90..6073ea972f9 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
##Goodbye...
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+# netbios aliases tests
+testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
+
+testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
+testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
+
+##Goodbye...
+testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
#
# Test createcomputer option of 'net ads join'
#
--
2.24.1
From f270db1ce1c0c6efc38fc467c8c0c89b13aaa479 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:52:46 +0200
Subject: [PATCH 3/7] Fix accidental overwrite of dnsHostName by the last
netbios alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/nb_alias_dnshostname | 2 --
source3/libnet/libnet_join.c | 5 +++--
2 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
deleted file mode 100644
index 3c14e9931b9..00000000000
--- a/selftest/knownfail.d/nb_alias_dnshostname
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.blackbox.net_ads.nb_alias check dNSHostName
-^samba4.blackbox.net_ads.nb_alias check main SPN
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index eb8e0ea17f7..22162186f61 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
ADS_STATUS status;
ADS_MODLIST mods;
fstring my_fqdn;
+ fstring my_alias;
const char **spn_array = NULL;
size_t num_spns = 0;
char *spn = NULL;
@@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
/*
* Add HOST/netbiosname.domainname
*/
- fstr_sprintf(my_fqdn, "%s.%s",
+ fstr_sprintf(my_alias, "%s.%s",
*netbios_aliases,
lp_dnsdomain());
- spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
+ spn = talloc_asprintf(frame, "HOST/%s", my_alias);
if (spn == NULL) {
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
goto done;
--
2.24.1
From 3ab241317947fbb6b75060f67c47e57be6fb1459 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 13:25:17 +0200
Subject: [PATCH 4/7] Refactor ads_keytab_add_entry() to make it iterable
so we can more easily add msDS-AdditionalDnsHostName entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos_keytab.c | 197 +++++++++++++++++--------------
1 file changed, 107 insertions(+), 90 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index bc35d5edbe4..c46e98a4270 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -228,18 +228,16 @@ out:
return ok;
}
-/**********************************************************************
- Adds a single service principal, i.e. 'host' to the system keytab
-***********************************************************************/
-
-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
+ ADS_STRUCT *ads, const char *salt_princ_s,
+ krb5_keytab keytab, krb5_kvno kvno,
+ const char *srvPrinc, const char *my_fqdn,
+ krb5_data *password, bool update_ads)
{
krb5_error_code ret = 0;
- krb5_context context = NULL;
- krb5_keytab keytab = NULL;
- krb5_data password;
- krb5_kvno kvno;
- krb5_enctype enctypes[6] = {
+ char *princ_s = NULL;
+ char *short_princ_s = NULL;
+ krb5_enctype enctypes[4] = {
#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
#endif
@@ -249,65 +247,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
ENCTYPE_ARCFOUR_HMAC,
0
};
- char *princ_s = NULL;
- char *short_princ_s = NULL;
- char *salt_princ_s = NULL;
- char *password_s = NULL;
- char *my_fqdn;
- TALLOC_CTX *tmpctx = NULL;
- int i;
-
- ret = smb_krb5_init_context_common(&context);
- if (ret) {
- DBG_ERR("kerberos init context failed (%s)\n",
- error_message(ret));
- return -1;
- }
-
- ret = ads_keytab_open(context, &keytab);
- if (ret != 0) {
- goto out;
- }
-
- /* retrieve the password */
- if (!secrets_init()) {
- DEBUG(1, (__location__ ": secrets_init failed\n"));
- ret = -1;
- goto out;
- }
- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (!password_s) {
- DEBUG(1, (__location__ ": failed to fetch machine password\n"));
- ret = -1;
- goto out;
- }
- ZERO_STRUCT(password);
- password.data = password_s;
- password.length = strlen(password_s);
-
- /* we need the dNSHostName value here */
- tmpctx = talloc_init(__location__);
- if (!tmpctx) {
- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
- ret = -1;
- goto out;
- }
-
- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
- if (!my_fqdn) {
- DEBUG(0, (__location__ ": unable to determine machine "
- "account's dns name in AD!\n"));
- ret = -1;
- goto out;
- }
-
- /* make sure we have a single instance of a the computer account */
- if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
- DEBUG(0, (__location__ ": unable to determine machine "
- "account's short name in AD!\n"));
- ret = -1;
- goto out;
- }
+ size_t i;
/* Construct our principal */
if (strchr_m(srvPrinc, '@')) {
@@ -356,22 +296,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
}
}
- kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
- if (kvno == -1) {
- /* -1 indicates failure, everything else is OK */
- DEBUG(1, (__location__ ": ads_get_machine_kvno failed to "
- "determine the system's kvno.\n"));
- ret = -1;
- goto out;
- }
-
- salt_princ_s = kerberos_secrets_fetch_salt_princ();
- if (salt_princ_s == NULL) {
- DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
- ret = -1;
- goto out;
- }
-
for (i = 0; enctypes[i]; i++) {
/* add the fqdn principal to the keytab */
@@ -381,11 +305,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
princ_s,
salt_princ_s,
enctypes[i],
- &password,
+ password,
false,
false);
if (ret) {
- DEBUG(1, (__location__ ": Failed to add entry to keytab\n"));
+ DBG_WARNING("Failed to add entry to keytab\n");
goto out;
}
@@ -397,16 +321,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
short_princ_s,
salt_princ_s,
enctypes[i],
- &password,
+ password,
false,
false);
if (ret) {
- DEBUG(1, (__location__
- ": Failed to add short entry to keytab\n"));
+ DBG_WARNING("Failed to add short entry to keytab\n");
goto out;
}
}
}
+out:
+ return ret;
+}
+
+/**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+***********************************************************************/
+
+int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
+{
+ krb5_error_code ret = 0;
+ krb5_context context = NULL;
+ krb5_keytab keytab = NULL;
+ krb5_data password;
+ krb5_kvno kvno;
+ char *salt_princ_s = NULL;
+ char *password_s = NULL;
+ char *my_fqdn;
+ TALLOC_CTX *tmpctx = NULL;
+
+ ret = smb_krb5_init_context_common(&context);
+ if (ret) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(ret));
+ return -1;
+ }
+
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
+ goto out;
+ }
+
+ /* retrieve the password */
+ if (!secrets_init()) {
+ DBG_WARNING("secrets_init failed\n");
+ ret = -1;
+ goto out;
+ }
+ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (!password_s) {
+ DBG_WARNING("failed to fetch machine password\n");
+ ret = -1;
+ goto out;
+ }
+ ZERO_STRUCT(password);
+ password.data = password_s;
+ password.length = strlen(password_s);
+
+ /* we need the dNSHostName value here */
+ tmpctx = talloc_init(__location__);
+ if (!tmpctx) {
+ DBG_ERR("talloc_init() failed!\n");
+ ret = -1;
+ goto out;
+ }
+
+ my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name());
+ if (!my_fqdn) {
+ DBG_ERR("unable to determine machine account's dns name in "
+ "AD!\n");
+ ret = -1;
+ goto out;
+ }
+
+ /* make sure we have a single instance of a the computer account */
+ if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) {
+ DBG_ERR("unable to determine machine account's short name in "
+ "AD!\n");
+ ret = -1;
+ goto out;
+ }
+
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name());
+ if (kvno == -1) {
+ /* -1 indicates failure, everything else is OK */
+ DBG_WARNING("ads_get_machine_kvno failed to determine the "
+ "system's kvno.\n");
+ ret = -1;
+ goto out;
+ }
+
+ salt_princ_s = kerberos_secrets_fetch_salt_princ();
+ if (salt_princ_s == NULL) {
+ DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n");
+ ret = -1;
+ goto out;
+ }
+
+ ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab,
+ kvno, srvPrinc, my_fqdn, &password,
+ update_ads);
+ if (ret != 0) {
+ goto out;
+ }
out:
SAFE_FREE(salt_princ_s);
--
2.24.1
From 42936021a1af2214b7a43f56f67d4c130fdde080 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 17:55:12 +0200
Subject: [PATCH 5/7] Add a test for msDS-AdditionalDnsHostName entries in
keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/dns_alias_keytab | 2 ++
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
2 files changed, 11 insertions(+)
create mode 100644 selftest/knownfail.d/dns_alias_keytab
diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
new file mode 100644
index 00000000000..216592e1210
--- /dev/null
+++ b/selftest/knownfail.d/dns_alias_keytab
@@ -0,0 +1,2 @@
+^samba4.blackbox.net_ads.dns alias1 check keytab
+^samba4.blackbox.net_ads.dns alias2 check keytab
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 6073ea972f9..a40b477a173 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
+
+testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+rm -f $dedicated_keytab_file
+
##Goodbye...
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
--
2.24.1
From f45843d11260e10c88bea1d21314093c77ff07a0 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:36:28 +0200
Subject: [PATCH 6/7] Add msDS-AdditionalDnsHostName entries to the keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/dns_alias_keytab | 2 --
source3/libads/ads_proto.h | 5 +++
source3/libads/kerberos_keytab.c | 21 +++++++++++++
source3/libads/ldap.c | 45 +++++++++++++++++++++++++++
4 files changed, 71 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/dns_alias_keytab
diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab
deleted file mode 100644
index 216592e1210..00000000000
--- a/selftest/knownfail.d/dns_alias_keytab
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.blackbox.net_ads.dns alias1 check keytab
-^samba4.blackbox.net_ads.dns alias2 check keytab
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 495ef5d3325..cd9c1082681 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx,
enum ads_extended_dn_flags flags,
struct dom_sid *sid);
char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***hostnames_array,
+ size_t *num_hostnames);
char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name );
ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name,
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index c46e98a4270..da363741d10 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -349,6 +349,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
char *password_s = NULL;
char *my_fqdn;
TALLOC_CTX *tmpctx = NULL;
+ char **hostnames_array = NULL;
+ size_t num_hostnames = 0;
ret = smb_krb5_init_context_common(&context);
if (ret) {
@@ -425,6 +427,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
goto out;
}
+ if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads,
+ lp_netbios_name(),
+ &hostnames_array,
+ &num_hostnames))) {
+ size_t i;
+
+ for (i = 0; i < num_hostnames; i++) {
+
+ ret = add_kt_entry_etypes(context, tmpctx, ads,
+ salt_princ_s, keytab,
+ kvno, srvPrinc,
+ hostnames_array[i],
+ &password, update_ads);
+ if (ret != 0) {
+ goto out;
+ }
+ }
+ }
+
out:
SAFE_FREE(salt_princ_s);
TALLOC_FREE(tmpctx);
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index f0fcf9fcd56..f6fde5e19e1 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn)
"unicodePwd",
/* Additional attributes Samba checks */
+ "msDS-AdditionalDnsHostName",
"msDS-SupportedEncryptionTypes",
"nTSecurityDescriptor",
@@ -3668,6 +3669,50 @@ out:
/********************************************************************
********************************************************************/
+ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***hostnames_array,
+ size_t *num_hostnames)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
+ "msDS-AdditionalDnsHostName",
+ num_hostnames);
+ if (*hostnames_array == NULL) {
+ DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
+ machine_name));
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/********************************************************************
+********************************************************************/
+
char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name )
{
LDAPMessage *res = NULL;
--
2.24.1
From f039d0ae9f1a2f110d1b73dc4ee41aa030efe06e Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:54:12 +0200
Subject: [PATCH 7/7] Add net-ads-join dnshostname=fqdn option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184
---
docs-xml/manpages/net.8.xml | 7 ++++++-
source3/libnet/libnet_join.c | 7 ++++++-
source3/librpc/idl/libnet_join.idl | 1 +
source3/utils/net_ads.c | 9 ++++++++-
testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++
5 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 37dd30b7864..cbab9c63a5e 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -481,7 +481,7 @@ The remote server must be specified with the -S option.
<refsect2>
<title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
-[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
+[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS]
[osName=string osVer=string] [options]</title>
<para>
@@ -496,6 +496,11 @@ be created.</para>
joining the domain.
</para>
+<para>
+[FQDN] (ADS only) set the dnsHosName attribute during the join.
+The default format is netbiosname.dnsdomain.
+</para>
+
<para>
[UPN] (ADS only) set the principalname attribute during the join. The default
format is host/netbiosname@REALM.
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 22162186f61..a087587bba7 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
goto done;
}
- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain());
+ if (r->in.dnshostname != NULL) {
+ fstr_sprintf(my_fqdn, "%s", r->in.dnshostname);
+ } else {
+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+ lp_dnsdomain());
+ }
if (!strlower_m(my_fqdn)) {
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
index e45034d40da..03d919863b5 100644
--- a/source3/librpc/idl/libnet_join.idl
+++ b/source3/librpc/idl/libnet_join.idl
@@ -37,6 +37,7 @@ interface libnetjoin
[in] string os_servicepack,
[in] boolean8 create_upn,
[in] string upn,
+ [in] string dnshostname,
[in] boolean8 modify_config,
[in,unique] ads_struct *ads,
[in] boolean8 debug,
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 95a6ed74b78..dd3c650be8b 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
{
d_printf(_("net ads join [--no-dns-updates] [options]\n"
"Valid options:\n"));
+ d_printf(_(" dnshostname=FQDN Set the dnsHostName attribute during the join.\n"
+ " The default is in the form netbiosname.dnsdomain\n"));
d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n"
" The default UPN is in the form host/netbiosname@REALM.\n"));
d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n"
@@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
const char *domain = lp_realm();
WERROR werr = WERR_NERR_SETUPNOTJOINED;
bool createupn = false;
+ const char *dnshostname = NULL;
const char *machineupn = NULL;
const char *machine_password = NULL;
const char *create_in_ou = NULL;
@@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
/* process additional command line args */
for ( i=0; i<argc; i++ ) {
- if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
+ if ( !strncasecmp_m(argv[i], "dnshostname", strlen("dnshostname")) ) {
+ dnshostname = get_string_param(argv[i]);
+ }
+ else if ( !strncasecmp_m(argv[i], "createupn", strlen("createupn")) ) {
createupn = true;
machineupn = get_string_param(argv[i]);
}
@@ -1938,6 +1944,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
r->in.domain_name_type = domain_name_type;
r->in.create_upn = createupn;
r->in.upn = machineupn;
+ r->in.dnshostname = dnshostname;
r->in.account_ou = create_in_ou;
r->in.os_name = os_name;
r->in.os_version = os_version;
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index a40b477a173..85257f445d8 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file
testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+#
+# Test dnshostname option of 'net ads join'
+#
+testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1`
+
+testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
+
+testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+rm -f $dedicated_keytab_file
+
+testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
rm -rf $BASEDIR/$WORKDIR
exit $failed
--
2.24.1
From e5fde8987d365631c5c8b5efc1f5d1a0fc73861d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 21:05:07 +0300
Subject: [PATCH 1/4] Fix a typo in recent net man page changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
docs-xml/manpages/net.8.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index cbab9c63a5e..951ddcd7c3a 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -497,7 +497,7 @@ joining the domain.
</para>
<para>
-[FQDN] (ADS only) set the dnsHosName attribute during the join.
+[FQDN] (ADS only) set the dnsHostName attribute during the join.
The default format is netbiosname.dnsdomain.
</para>
--
2.25.4
From 626fe6a01845692b652fb3ae2119d9defbc6f173 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 16 Jun 2020 22:01:49 +0300
Subject: [PATCH 2/4] selftest: add tests for binary msDS-AdditionalDnsHostName
Like the short names added implicitly by Windows DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/binary_addl_hostname | 3 +++
testprogs/blackbox/test_net_ads.sh | 22 ++++++++++++++++++++++
2 files changed, 25 insertions(+)
create mode 100644 selftest/knownfail.d/binary_addl_hostname
diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
new file mode 100644
index 00000000000..559db1df507
--- /dev/null
+++ b/selftest/knownfail.d/binary_addl_hostname
@@ -0,0 +1,3 @@
+^samba4.blackbox.net_ads.dns alias1 check keytab
+^samba4.blackbox.net_ads.dns alias2 check keytab
+^samba4.blackbox.net_ads.addl short check keytab
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 85257f445d8..eef4a31a6a7 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -41,6 +41,11 @@ if [ -x "$BINDIR/ldbdel" ]; then
ldbdel="$BINDIR/ldbdel"
fi
+ldbmodify="ldbmodify"
+if [ -x "$BINDIR/ldbmodify" ]; then
+ ldbmodify="$BINDIR/ldbmodify"
+fi
+
# Load test functions
. `dirname $0`/subunit.sh
@@ -217,12 +222,29 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc
testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
+short_alias_file="$PREFIX_ABS/short_alias_file"
+printf 'short_alias\0$' > $short_alias_file
+cat > $PREFIX_ABS/tmpldbmodify <<EOF
+dn: CN=$HOSTNAME,$computers_dn
+changetype: modify
+add: msDS-AdditionalDnsHostName
+msDS-AdditionalDnsHostName:< file://$short_alias_file
+EOF
+
+testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
+
+testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
+
+rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
+
dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_grep "addl short check keytab" "host/short_alias@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
rm -f $dedicated_keytab_file
--
2.25.4
From f28264208b50507c7dc0605b5ad3084ffe9e1785 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 16:51:27 +0300
Subject: [PATCH 3/4] Properly handle msDS-AdditionalDnsHostName returned from
Windows DC
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
attribute, but these have a suffix of "\0$" and thus fail with
ldap_get_values(), use ldap_get_values_len() instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/binary_addl_hostname | 3 --
source3/libads/ldap.c | 38 +++++++++++++++++++++--
2 files changed, 35 insertions(+), 6 deletions(-)
delete mode 100644 selftest/knownfail.d/binary_addl_hostname
diff --git a/selftest/knownfail.d/binary_addl_hostname b/selftest/knownfail.d/binary_addl_hostname
deleted file mode 100644
index 559db1df507..00000000000
--- a/selftest/knownfail.d/binary_addl_hostname
+++ /dev/null
@@ -1,3 +0,0 @@
-^samba4.blackbox.net_ads.dns alias1 check keytab
-^samba4.blackbox.net_ads.dns alias2 check keytab
-^samba4.blackbox.net_ads.addl short check keytab
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index f6fde5e19e1..ed52d4a969e 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -3669,6 +3669,40 @@ out:
/********************************************************************
********************************************************************/
+static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
+ LDAPMessage *msg, size_t *num_values)
+{
+ const char *field = "msDS-AdditionalDnsHostName";
+ struct berval **values = NULL;
+ char **ret = NULL;
+ size_t i, converted_size;
+
+ values = ldap_get_values_len(ads->ldap.ld, msg, field);
+ if (values == NULL) {
+ return NULL;
+ }
+
+ *num_values = ldap_count_values_len(values);
+
+ ret = talloc_array(mem_ctx, char *, *num_values + 1);
+ if (ret == NULL) {
+ ldap_value_free_len(values);
+ return NULL;
+ }
+
+ for (i = 0; i < *num_values; i++) {
+ if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
+ &converted_size)) {
+ ldap_value_free_len(values);
+ return NULL;
+ }
+ }
+ ret[i] = NULL;
+
+ ldap_value_free_len(values);
+ return ret;
+}
+
ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
ADS_STRUCT *ads,
const char *machine_name,
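Review bot: get_addl_hosts returns NULL both when the attribute is absent and when talloc_array or pull_utf8_talloc fails, and in the failure cases it leaves `*num_values` already set and the partially converted entries of `ret` alive on mem_ctx; the caller in the second hunk then logs "does not have msDS-AdditionalDnsHostName" for what is really an allocation or conversion error. Consider `TALLOC_FREE(ret);` and `*num_values = 0;` before each `return NULL;` in the loop, and a way to tell the not-found case apart (a separate status out-parameter, for instance). The same failure-path leak is in the follow-up patch 4/4 hunk below, which replaces the conversion call but keeps the early returns.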
@@ -3694,9 +3728,7 @@ ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx,
goto done;
}
- *hostnames_array = ads_pull_strings(ads, mem_ctx, res,
- "msDS-AdditionalDnsHostName",
- num_hostnames);
+ *hostnames_array = get_addl_hosts(ads, mem_ctx, res, num_hostnames);
if (*hostnames_array == NULL) {
DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
machine_name));
--
2.25.4
From bb712cccd55b8a68865f72ebe48bdceae9995a94 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 20 Jun 2020 17:17:33 +0200
Subject: [PATCH 4/4] Fix usage of ldap_get_values_len for
msDS-AdditionalDnsHostName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184
---
source3/libads/ldap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index ed52d4a969e..7ef7e7e8420 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -3691,8 +3691,12 @@ static char **get_addl_hosts(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
}
for (i = 0; i < *num_values; i++) {
- if (!pull_utf8_talloc(mem_ctx, &ret[i], values[i]->bv_val,
- &converted_size)) {
+ ret[i] = NULL;
+ if (!convert_string_talloc(mem_ctx, CH_UTF8, CH_UNIX,
+ values[i]->bv_val,
+ strnlen(values[i]->bv_val,
+ values[i]->bv_len),
+ &ret[i], &converted_size)) {
ldap_value_free_len(values);
return NULL;
}
--
2.25.4


@ -1,609 +0,0 @@
From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 10 Feb 2020 19:19:44 +0100
Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Required for working certificate verification.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184
(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72)
---
source3/libads/ldap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 7ef7e7e8420..b7f819d876b 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -669,7 +669,7 @@ got_connection:
/* Otherwise setup the TCP LDAP session */
- ads->ldap.ld = ldap_open_with_timeout(addr,
+ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name,
&ads->ldap.ss,
ads->ldap.port, lp_ldap_timeout());
if (ads->ldap.ld == NULL) {
--
2.25.4
From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Wed, 3 Jun 2020 19:40:59 +0200
Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap
session if possible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().
This avoid unnecessary DNS lookups which might block or prevent the
successful connection.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0)
---
source3/libads/ldap.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b7f819d876b..36e73440495 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum)
return NULL;
}
-#ifdef HAVE_LDAP_INITIALIZE
+#ifdef HAVE_LDAP_INIT_FD
+ {
+ int fd = -1;
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+
+ status = open_socket_out(ss, port, to, &fd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return NULL;
+ }
+
+/* define LDAP_PROTO_TCP from openldap.h if required */
+#ifndef LDAP_PROTO_TCP
+#define LDAP_PROTO_TCP 1
+#endif
+ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp);
+ }
+#elif defined(HAVE_LDAP_INITIALIZE)
ldap_err = ldap_initialize(&ldp, uri);
#else
ldp = ldap_open(server, port);
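Review bot: The socket returned by open_socket_out is not closed when ldap_init_fd fails, so `fd` is leaked on that path unless the code after the hunk (which is outside this view) handles it; consider `if (ldap_err != LDAP_SUCCESS) { close(fd); }` right after the ldap_init_fd call, since on success the library owns the descriptor. The `#ifndef LDAP_PROTO_TCP` fallback define inside the function body would read better at file scope next to the includes. The enclosing function starts and ends outside the hunk.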
--
2.25.4
From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 29 Jun 2020 16:55:33 +0300
Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++
selftest/knownfail.d/net_ads_tls | 1 +
source4/selftest/tests.py | 7 ++
testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++
4 files changed, 94 insertions(+)
create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback
create mode 100644 selftest/knownfail.d/net_ads_tls
create mode 100755 testprogs/blackbox/test_net_ads_base.sh
diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback
new file mode 100644
index 00000000000..b16a39d134d
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_ntlm_fallback
@@ -0,0 +1,10 @@
+# net-ads commands that fail with: --option=gensec:gse_krb5=no
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN
+^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
new file mode 100644
index 00000000000..251c948b6a9
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_tls
@@ -0,0 +1 @@
+^samba4.blackbox.net_ads_tls
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1d965c751a4..a394afa177f 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien
plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18'])
plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
+
+for nomech in ["none", "gse_krb5", "ntlmssp"]:
+ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS
+ plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS'])
+ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS'])
+
plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
# json tests hook into ``chgdcpass'' to make them run in contributor CI on
# gitlab
diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh
new file mode 100755
index 00000000000..59e3da67a7f
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_base.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_net_ads_base.sh DC_SERVER DC_USERNAME DC_PASSWORD TLS_MODE NO_MECH PREFIX_ABS
+EOF
+exit 1;
+fi
+
+DC_SERVER=$1
+DC_USERNAME=$2
+DC_PASSWORD=$3
+TLS_MODE=$4
+NO_MECH=$5
+BASEDIR=$6
+shift 6
+
+HOSTNAME=`dd if=/dev/urandom bs=1 count=32 2>/dev/null | sha1sum | cut -b 1-10`
+HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'`
+LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'`
+
+RUNDIR=`pwd`
+cd $BASEDIR
+WORKDIR=`mktemp -d -p .`
+WORKDIR=`basename $WORKDIR`
+cp -a client/* $WORKDIR/
+sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf
+sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf
+sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf
+sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf
+rm -f $WORKDIR/private/secrets.tdb
+cd $RUNDIR
+
+failed=0
+
+export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
+
+xoptions=""
+if [ $TLS_MODE != "no" ]; then
+ xoptions="--option=ldapsslads=yes"
+fi
+
+if [ $NO_MECH != "none" ]; then
+ xoptions="$xoptions --option=gensec:$NO_MECH=no"
+fi
+
+if [ $TLS_MODE = "noverify" ]; then
+ export LDAPTLS_REQCERT=allow
+fi
+
+net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions"
+
+# Load test functions
+. `dirname $0`/subunit.sh
+
+testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1`
+
+testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1`
+
+testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1`
+
+tls_log="StartTLS issued: using a TLS connection"
+opt="-d3 --option=ldapssl=off"
+if [ $TLS_MODE != "no" ]; then
+ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1`
+fi
+
+testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1`
+
+testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1`
+
+testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+rm -rf $BASEDIR/$WORKDIR
+
+exit $failed
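Review bot: The usage check `if [ $# -lt 5 ]` does not match the six positional parameters the script consumes (`BASEDIR=$6`, `shift 6`); with exactly five arguments BASEDIR is empty and `shift 6` fails, so it should be `if [ $# -lt 6 ]; then`. The `mktemp -d -p .` result is also unchecked: if it fails, WORKDIR is empty, `cp -a client/* $WORKDIR/` copies into the current directory and the final cleanup becomes `rm -rf $BASEDIR/`; `WORKDIR=\`mktemp -d -p .\` || exit 1` closes that. `$DOMAIN` and `$REALM` are taken from the environment rather than from arguments, which the usage text could mention.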
--
2.25.4
From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 24 Jun 2020 15:28:45 +0300
Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
WHATSNEW.txt | 6 +++++
docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++----
source3/include/smbldap.h | 1 +
source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++
source3/lib/smbldap.c | 19 +++++++++-----
source3/libads/ldap.c | 2 +-
source3/wscript_build | 2 +-
7 files changed, 57 insertions(+), 13 deletions(-)
create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a5b554fe11f..8935876d247 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -557,6 +557,12 @@ CTDB changes
helper exits. This triggers an election.
+The "ldap ssl ads" option no longer depends on "ldap ssl" option:
+-----------------------------------------------------------------
+With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
+is off.
+
+
REMOVED FEATURES
================
diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml
index 98c39651f1e..f99afe5bbad 100644
--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml
+++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml
@@ -7,13 +7,10 @@
<para>This option is used to define whether or not Samba should
use SSL when connecting to the ldap server using
<emphasis>ads</emphasis> methods.
- Rpc methods are not affected by this parameter. Please note, that
- this parameter won't have any effect if <smbconfoption name="ldap ssl"/>
- is set to <parameter>no</parameter>.
+ Rpc methods are not affected by this parameter.
</para>
- <para>See <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
- for more information on <smbconfoption name="ldap ssl"/>.
+ <para>See also <smbconfoption name="ldap ssl"/>.
</para>
</description>
diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h
index 878268aebd6..d063f44afbc 100644
--- a/source3/include/smbldap.h
+++ b/source3/include/smbldap.h
@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state,
const char *dn,
LDAPMod *attrs[]);
int smbldap_start_tls(LDAP *ldap_struct, int version);
+int smbldap_start_tls_start(LDAP *ldap_struct, int version);
int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri);
int smbldap_search(struct smbldap_state *ldap_state,
const char *base, int scope, const char *filter,
diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs
new file mode 100644
index 00000000000..67dcc9a8a78
--- /dev/null
+++ b/source3/lib/ABI/smbldap-2.1.0.sigs
@@ -0,0 +1,33 @@
+smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_delete: int (struct smbldap_state *, const char *)
+smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **)
+smbldap_free_struct: void (struct smbldap_state **)
+smbldap_get_ldap: LDAP *(struct smbldap_state *)
+smbldap_get_paged_results: bool (struct smbldap_state *)
+smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int)
+smbldap_has_control: bool (LDAP *, const char *)
+smbldap_has_extension: bool (LDAP *, const char *)
+smbldap_has_naming_context: bool (LDAP *, const char *)
+smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **)
+smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *)
+smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *)
+smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **)
+smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *)
+smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **)
+smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **)
+smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **)
+smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *)
+smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *)
+smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *)
+smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *)
+smbldap_set_paged_results: void (struct smbldap_state *, bool)
+smbldap_setup_full_conn: int (LDAP **, const char *)
+smbldap_start_tls: int (LDAP *, int)
+smbldap_start_tls_start: int (LDAP *, int)
+smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **)
+smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *)
+smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *)
+smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
+smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *)
+smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *)
diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c
index 34c841f9243..4815dd81fc3 100644
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state)
}
/********************************************************************
- start TLS on an existing LDAP connection
+ start TLS on an existing LDAP connection per config
*******************************************************************/
int smbldap_start_tls(LDAP *ldap_struct, int version)
-{
-#ifdef LDAP_OPT_X_TLS
- int rc,tls;
-#endif
-
+{
if (lp_ldap_ssl() != LDAP_SSL_START_TLS) {
return LDAP_SUCCESS;
}
+ return smbldap_start_tls_start(ldap_struct, version);
+}
+
+/********************************************************************
+ start TLS on an existing LDAP connection unconditionally
+*******************************************************************/
+
+int smbldap_start_tls_start(LDAP *ldap_struct, int version)
+{
#ifdef LDAP_OPT_X_TLS
+ int rc,tls;
+
/* check if we use ldaps already */
ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls);
if (tls == LDAP_OPT_X_TLS_HARD) {
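Review bot: In smbldap_start_tls_start, `tls` is declared uninitialized and the return value of ldap_get_option is not checked, so if the option query fails the comparison on the next line reads an indeterminate value; this was moved from the old smbldap_start_tls body rather than introduced here, but the new function is the place to fix it. Initialize it, `int rc, tls = LDAP_OPT_X_TLS_NEVER;`, or check the call's return code before using `tls`. The rest of the function body is outside the hunk.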
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 36e73440495..16c32b2d5a7 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -703,7 +703,7 @@ got_connection:
ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if ( lp_ldap_ssl_ads() ) {
- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version));
+ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version));
if (!ADS_ERR_OK(status)) {
goto out;
}
diff --git a/source3/wscript_build b/source3/wscript_build
index 10d9f71ae76..76d01a78f64 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap',
abi_directory='lib/ABI',
abi_match='smbldap_*',
pc_files=[],
- vnum='2',
+ vnum='2.1.0',
public_headers='include/smbldap.h include/smb_ldap.h')
bld.SAMBA3_LIBRARY('ads',
--
2.25.4
From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 10:59:18 +0200
Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/ads_proto.h | 2 +-
source3/libads/ads_struct.c | 8 ++++++--
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index cd9c1082681..6cdde0cf6eb 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm,
const char *workgroup,
const char *ldap_server,
enum ads_sasl_state_e sasl_state);
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags);
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags);
void ads_destroy(ADS_STRUCT **ads);
/* The following definitions come from libads/disp_sec.c */
diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
index 043a1b21247..67a9a7cf75e 100644
--- a/source3/libads/ads_struct.c
+++ b/source3/libads/ads_struct.c
@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm,
/****************************************************************
****************************************************************/
-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags)
+bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags)
{
+ unsigned other_flags;
+
if (!ads) {
return false;
}
- ads->auth.flags = flags;
+ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL);
+
+ ads->auth.flags = flags | other_flags;
return true;
}
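Review bot: The subject says the function should only change the SASL flags, but `flags` is OR-ed in unmasked, so a caller passing any non-SASL bit sets it as well; if that is unintended, `ads->auth.flags = (flags & (ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL)) | other_flags;` enforces the contract. The empty comment box above the function could state it, e.g. `/* Replace only ADS_AUTH_SASL_SIGN/SEAL in ads->auth.flags; all other auth flags are preserved. */`.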
--
2.25.4
From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 2 Jul 2020 09:33:12 +0200
Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
WHATSNEW.txt | 5 +++++
selftest/knownfail.d/net_ads_tls | 1 -
source3/libads/ldap.c | 4 ++++
3 files changed, 9 insertions(+), 1 deletion(-)
delete mode 100644 selftest/knownfail.d/net_ads_tls
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8935876d247..927b9a0fa59 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option:
With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl"
is off.
+The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain:
+-----------------------------------------------------------------------
+This is now done implicitly when over TLS, so "client ldap sasl wrapping"
+does not need to be set to "plain" in order for it to work.
+
REMOVED FEATURES
================
diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls
deleted file mode 100644
index 251c948b6a9..00000000000
--- a/selftest/knownfail.d/net_ads_tls
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads_tls
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 16c32b2d5a7..3f41e990085 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -707,6 +707,10 @@ got_connection:
if (!ADS_ERR_OK(status)) {
goto out;
}
+ if (!ads_set_sasl_wrap_flags(ads, 0)) {
+ status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
+ goto out;
+ }
}
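Review bot: The `ads_set_sasl_wrap_flags(ads, 0)` call lacks a comment saying why dropping SASL sign/seal is acceptable here: it is only reached after the StartTLS just above succeeded (the failure branch jumps to out), so integrity and confidentiality come from the TLS layer. Suggested comment above the call: `/* StartTLS succeeded: TLS provides integrity/privacy, so SASL sign/seal wrapping is not needed on this connection. */`. The enclosing function continues outside the hunk.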
/* fill in the current time and offsets */
--
2.25.4
From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 11 Jul 2020 05:04:59 +0200
Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over
TLS
From local tests with strace:
socket(AF_UNIX, SOCK_STREAM, 0) = 12
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
...
write(2, "ads_domain_func_level: 3\n", 25) = 25
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
+++ killed by SIGPIPE +++
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184
---
source3/utils/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 683b46794e4..e289b2814bc 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c,
POPT_TABLEEND
};
+ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */
+ BlockSignals(True, SIGPIPE);
+
zero_sockaddr(&c->opt_dest_ip);
setup_logging(argv[0], DEBUG_STDERR);
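Review bot: `BlockSignals(True, SIGPIPE)` is process-wide, not scoped to ldap_unbind, so every write in net to a peer-closed pipe or socket (for example stdout piped into a consumer that has exited) now returns EPIPE instead of terminating the process, which is only safe where write results are checked. The comment should say so: `/* Ignore SIGPIPE process-wide: ldap_unbind over TLS may write to a socket the DC already closed; other writes to closed pipes now fail with EPIPE instead of killing net. */`.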
--
2.25.4
From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Jul 2020 22:38:06 +0200
Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124
Signed-off-by: Isaac Boukris <iboukris@samba.org>
---
source3/libads/ldap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 1ffe96d32c9..d431156912f 100755
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum)
{
int fd = -1;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ unsigned timeout_ms = 1000 * to;
- status = open_socket_out(ss, port, to, &fd);
+ status = open_socket_out(ss, port, timeout_ms, &fd);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("open_socket_out: failed to open socket\n"));
return NULL;
}
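Review bot: The new DEBUG line drops the NTSTATUS that open_socket_out just returned, which is the one piece of information a connection failure needs; `DEBUG(3, ("open_socket_out: failed to open socket: %s\n", nt_errstr(status)));` keeps it. `1000 * to` is computed in the type of `to` before the conversion to unsigned, so a very large configured timeout would overflow before the widening — presumably harmless for realistic values, but worth a bound or a cast to unsigned first. The enclosing function starts and ends outside the hunk.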
--
2.25.4


@ -1,385 +0,0 @@
From 1fdca16074247707e80295bba65cbb5fbff9e959 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 13:55:10 -0700
Subject: [PATCH 1/7] s3: libsmb: Info level SMB2_FIND_ID_BOTH_DIRECTORY_INFO
encodes attibutes as a uint32, not a uint8.
Fix the SMB2 parsing code.
Cast to a uint16_t for now after pulling the information
as finfo->mode is currently only 16 bits.
We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3063e1601ad9e2536651a75a47ebf4921ffddbdc)
---
source3/libsmb/cli_smb2_fnum.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 8c8b33f49ed..4edeefc117d 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1236,7 +1236,8 @@ static NTSTATUS parse_finfo_id_both_directory_info(uint8_t *dir_data,
finfo->ctime_ts = interpret_long_date((const char *)dir_data + 32);
finfo->size = IVAL2_TO_SMB_BIG_UINT(dir_data + 40, 0);
finfo->allocated_size = IVAL2_TO_SMB_BIG_UINT(dir_data + 48, 0);
- finfo->mode = CVAL(dir_data + 56, 0);
+ /* NB. We need to enlarge finfo->mode to be 32-bits. */
+ finfo->mode = (uint16_t)IVAL(dir_data + 56, 0);
finfo->ino = IVAL2_TO_SMB_BIG_UINT(dir_data + 96, 0);
namelen = IVAL(dir_data + 60,0);
if (namelen > (dir_data_length - 104)) {
--
2.20.1
From 8d57c6e81986655ccb59189843e0ffa6830eb182 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 11:36:03 -0700
Subject: [PATCH 2/7] s3: libsmb: Info level SMB_FIND_FILE_BOTH_DIRECTORY_INFO
encodes attibutes as a uint32, not a uint8.
Cast to a uint16_t for now after pulling the information
as finfo->mode is currently only 16 bits.
We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5e3e6c4c0c70e171607f4b5351bd8ec146730f08)
---
source3/libsmb/clilist.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index f9444bc401c..a78678f4532 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -257,7 +257,8 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx,
finfo->size = IVAL2_TO_SMB_BIG_UINT(p,0);
p += 8;
p += 8; /* alloc size */
- finfo->mode = CVAL(p,0);
+ /* NB. We need to enlarge finfo->mode to be 32-bits. */
+ finfo->mode = (uint16_t)IVAL(p,0);
p += 4;
namelen = IVAL(p,0);
p += 4;
--
2.20.1
From 1afa493387e1f8a5f80b9504cf92655d067c9dbc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 12:01:13 -0700
Subject: [PATCH 3/7] s3: libsmb: Info level SMB_FIND_INFO_STANDARD encodes
attibutes as a uint16, not a uint8.
We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit be52f87c376a8f71b2de4aa52f25818cad2b160e)
---
source3/libsmb/clilist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index a78678f4532..deeb794ffe5 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -152,7 +152,7 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx,
finfo->mtime_ts = convert_time_t_to_timespec(
make_unix_date2(p+12, smb1cli_conn_server_time_zone(cli->conn)));
finfo->size = IVAL(p,16);
- finfo->mode = CVAL(p,24);
+ finfo->mode = SVAL(p,24);
len = CVAL(p, 26);
p += 27;
if (recv_flags2 & FLAGS2_UNICODE_STRINGS) {
--
2.20.1
From 0ebb13959479949bc31c3badade02900973f80d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 11:33:13 -0700
Subject: [PATCH 4/7] s3: libsmb: Info level SMB_FIND_EA_SIZE encodes attibutes
as a uint16, not a uint8.
We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 6463f2612a662f217af18455206afde122323375)
---
source3/libsmb/clilist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c
index deeb794ffe5..4a32fc45fa6 100644
--- a/source3/libsmb/clilist.c
+++ b/source3/libsmb/clilist.c
@@ -211,7 +211,7 @@ static size_t interpret_long_filename(TALLOC_CTX *ctx,
finfo->mtime_ts = convert_time_t_to_timespec(
make_unix_date2(p+12, smb1cli_conn_server_time_zone(cli->conn)));
finfo->size = IVAL(p,16);
- finfo->mode = CVAL(p,24);
+ finfo->mode = SVAL(p,24);
len = CVAL(p, 30);
p += 31;
/* check for unisys! */
--
2.20.1
From 83d0c3f3d8d838be8e40e7f102aa872302442df4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 12:08:17 -0700
Subject: [PATCH 5/7] s3: torture: Add a MSDFS-ATTRIBUTE test.
Framework to drive comes next.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 84134812e3447317125ae08b2a98848a2e4bbd65)
---
source3/torture/torture.c | 79 +++++++++++++++++++++++++++++++++++++++
1 file changed, 79 insertions(+)
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index f07a0adf115..56258d3d2ad 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -11405,6 +11405,81 @@ static bool run_large_readx(int dummy)
return correct;
}
+static NTSTATUS msdfs_attribute_list_fn(const char *mnt,
+ struct file_info *finfo,
+ const char *mask,
+ void *private_data)
+{
+ uint16_t *p_mode = (uint16_t *)private_data;
+
+ if (strequal(finfo->name, test_filename)) {
+ *p_mode = finfo->mode;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static bool run_msdfs_attribute(int dummy)
+{
+ static struct cli_state *cli;
+ bool correct = false;
+ uint16_t mode = 0;
+ NTSTATUS status;
+
+ printf("Starting MSDFS-ATTRIBUTE test\n");
+
+ if (test_filename == NULL || test_filename[0] == '\0') {
+ printf("MSDFS-ATTRIBUTE test "
+ "needs -f filename-of-msdfs-link\n");
+ return false;
+ }
+
+ /*
+ * NB. We use torture_open_connection_flags() not
+ * torture_open_connection() as the latter forces
+ * SMB1.
+ */
+ if (!torture_open_connection_flags(&cli, 0, 0)) {
+ return false;
+ }
+
+ smbXcli_conn_set_sockopt(cli->conn, sockops);
+
+ status = cli_list(cli,
+ "*",
+ FILE_ATTRIBUTE_DIRECTORY,
+ msdfs_attribute_list_fn,
+ &mode);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_list failed with %s\n",
+ nt_errstr(status));
+ goto out;
+ }
+ if ((mode & FILE_ATTRIBUTE_REPARSE_POINT) == 0) {
+ printf("file %s should have "
+ "FILE_ATTRIBUTE_REPARSE_POINT set. attr = 0x%x\n",
+ test_filename,
+ (unsigned int)mode);
+ goto out;
+ }
+
+ if ((mode & FILE_ATTRIBUTE_DIRECTORY) == 0) {
+ printf("file %s should have "
+ "FILE_ATTRIBUTE_DIRECTORY set. attr = 0x%x\n",
+ test_filename,
+ (unsigned int)mode);
+ goto out;
+ }
+
+ correct = true;
+
+ out:
+
+ torture_close_connection(cli);
+ return correct;
+}
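Review bot: If test_filename is not in the listing at all, `mode` stays 0 and the test reports "should have FILE_ATTRIBUTE_REPARSE_POINT set. attr = 0x0", which hides a not-found condition behind an attribute error; after the cli_list status check, `if (mode == 0) { printf("file %s not found in listing\n", test_filename); goto out; }` separates the two (a listed entry never reports 0, since a plain file carries FILE_ATTRIBUTE_NORMAL). The `static` on `struct cli_state *cli` is unnecessary since it is reassigned on every run and closed before return.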
+
static bool run_cli_echo(int dummy)
{
struct cli_state *cli;
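Review bot: The return value of `torture_close_connection(cli)` at the `out:` label in `run_msdfs_attribute` is discarded, so a failure while tearing down the connection can never fail the test; the usual form is `if (!torture_close_connection(cli)) { correct = false; }`. A second weakness is that `mode` stays 0 when `test_filename` is simply absent from the listing, so the REPARSE_POINT check prints `attr = 0x0` and conflates "entry not found" with "wrong attributes"; a `found` flag set in `msdfs_attribute_list_fn` (passing a small struct through `private_data` instead of the bare `uint16_t *`) would separate the two cases. The `static` on the local `cli` looks unnecessary; a plain automatic variable would do.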
@@ -14539,6 +14614,10 @@ static struct {
.name = "LARGE_READX",
.fn = run_large_readx,
},
+ {
+ .name = "MSDFS-ATTRIBUTE",
+ .fn = run_msdfs_attribute,
+ },
{
.name = "NTTRANS-CREATE",
.fn = run_nttrans_create,
--
2.20.1
From 33fcc76091307005a1ff81b32108dbeefa1a4d28 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 13:45:28 -0700
Subject: [PATCH 6/7] s3: torture: Add test for getting attributes on an MSDFS
link.
Mark as knownfail for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(back ported from commit 2a4705129d06b91023bc3fc435fccf91d3939553)
---
selftest/knownfail.d/msdfs-attr | 3 +++
source3/selftest/tests.py | 27 +++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
create mode 100644 selftest/knownfail.d/msdfs-attr
diff --git a/selftest/knownfail.d/msdfs-attr b/selftest/knownfail.d/msdfs-attr
new file mode 100644
index 00000000000..a8a77ec2719
--- /dev/null
+++ b/selftest/knownfail.d/msdfs-attr
@@ -0,0 +1,3 @@
+samba3.smbtorture_s3.smb2.MSDFS-ATTRIBUTE
+samba3.smbtorture_s3.smb1.MSDFS-ATTRIBUTE
+
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 72bca263c0b..005d6f453b1 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -162,6 +162,33 @@ plantestsuite("samba3.smbtorture_s3.hidenewfiles(simpleserver)",
"",
"-l $LOCAL_PATH"])
+#
+# MSDFS attribute tests.
+#
+plantestsuite("samba3.smbtorture_s3.smb2.MSDFS-ATTRIBUTE",
+ "fileserver",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_s3.sh"),
+ 'MSDFS-ATTRIBUTE',
+ '//$SERVER_IP/msdfs-share',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "-mSMB2",
+ "-f msdfs-src1"])
+
+plantestsuite("samba3.smbtorture_s3.smb1.MSDFS-ATTRIBUTE",
+ "fileserver",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_s3.sh"),
+ 'MSDFS-ATTRIBUTE',
+ '//$SERVER_IP/msdfs-share',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "-mNT1",
+ "-f msdfs-src1"])
+
shares = [
"vfs_aio_pthread_async_dosmode_default1",
"vfs_aio_pthread_async_dosmode_default2",
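Review bot: The two `plantestsuite` calls are identical except for the suite name suffix and the `-mSMB2`/`-mNT1` flag, so a short loop over the (protocol, flag) pairs would keep the argument list in one place and make a future third dialect a one-line addition. This is a point of style only; the planted suites are unchanged.
```python
for proto, flag in (("smb2", "-mSMB2"), ("smb1", "-mNT1")):
    plantestsuite("samba3.smbtorture_s3.%s.MSDFS-ATTRIBUTE" % proto,
                  "fileserver",
                  [os.path.join(samba3srcdir,
                                "script/tests/test_smbtorture_s3.sh"),
                   'MSDFS-ATTRIBUTE',
                   '//$SERVER_IP/msdfs-share',
                   '$USERNAME',
                   '$PASSWORD',
                   smbtorture3,
                   flag,
                   "-f msdfs-src1"])
```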
--
2.20.1
From adecbf7277e580d9a047f588a301733abd7bae68 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 1 Jun 2020 14:09:54 -0700
Subject: [PATCH 7/7] s3: msdfs: Fix missing struct stat return on msdfs links
by doing an LSTAT call.
This (unfortunately) re-exposes the fact the msdfs links are symlinks,
but fixing this correctly requires a VFS ABI change which we can't
do for a released stream.
Remove the knownfail.d/msdfs-attr file.
Everything now passes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
selftest/knownfail.d/msdfs-attr | 3 ---
source3/smbd/msdfs.c | 7 +++++++
2 files changed, 7 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/msdfs-attr
diff --git a/selftest/knownfail.d/msdfs-attr b/selftest/knownfail.d/msdfs-attr
deleted file mode 100644
index a8a77ec2719..00000000000
--- a/selftest/knownfail.d/msdfs-attr
+++ /dev/null
@@ -1,3 +0,0 @@
-samba3.smbtorture_s3.smb2.MSDFS-ATTRIBUTE
-samba3.smbtorture_s3.smb1.MSDFS-ATTRIBUTE
-
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index cc32ebc9d29..c57866f7939 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -633,6 +633,13 @@ bool is_msdfs_link(connection_struct *conn,
smb_fname,
NULL,
NULL);
+ if (NT_STATUS_IS_OK(status)) {
+ int ret;
+ ret = SMB_VFS_LSTAT(conn, smb_fname);
+ if (ret < 0) {
+ status = map_nt_error_from_unix(errno);
+ }
+ }
return (NT_STATUS_IS_OK(status));
}
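Review bot: The NTSTATUS produced by `map_nt_error_from_unix(errno)` in the new block is immediately collapsed to a bool by the `return (NT_STATUS_IS_OK(status))` that follows, so the mapped error is computed only to be discarded and the caller cannot distinguish an LSTAT failure from "not a link". If that distinction is not needed, a debug line is the cheaper way to keep the information, e.g. `DBG_DEBUG("LSTAT failed: %s\n", strerror(errno));` in place of the mapping; if it is needed, the function would have to return NTSTATUS. The declaration and assignment of `ret` can also be merged into `int ret = SMB_VFS_LSTAT(conn, smb_fname);`. is_msdfs_link's body begins outside the hunk.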
--
2.20.1

@ -1,41 +0,0 @@
From 069ba5774a5ccc72dcc3567bc6d17141d68ddff5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 9 Jul 2020 11:48:26 +0200
Subject: [PATCH] docs: Fix documentation for require_membership_of of
pam_winbind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
---
docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index a9a227f1647..a61fb2d58e5 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -84,9 +84,11 @@
If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
SID. That name must have the form: <parameter>MYDOMAIN\mygroup</parameter> or
- <parameter>MYDOMAIN\myuser</parameter>. pam_winbind will, in that case, lookup the SID internally. Note that
- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
- user is a member of with <command>wbinfo --user-sids=SID</command>.
+ <parameter>MYDOMAIN\myuser</parameter> (where '\' character corresponds to the value of
+ <parameter>winbind separator</parameter> parameter). It is also possible to use a UPN in the form
+ <parameter>user@REALM</parameter> or <parameter>group@REALM</parameter>. pam_winbind will, in that case, lookup
+ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
+ verify the list of SIDs a user is a member of with <command>wbinfo --user-sids=SID</command>.
</para>
<para>
--
2.27.0

@ -1,130 +0,0 @@
From 3b8312df417b1a1fbd712b9494d5dad495e33f6d Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 8 Jul 2020 15:00:49 +0200
Subject: [PATCH 1/2] winbind: Add test for lookuprids cache problem
When reading entries from gencache, wb_cache_rids_to_names() can
return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
correctly.
This test enforces this situation by filling gencache with one wbinfo
-R and then erasing the winbindd_cache.tdb. This forces winbind to
enter the domain helper process, which will then read from gencache
filled with the previous wbinfo -R.
Without the entries cached this does not happen, because
wb_cache_rids_to_names() via the do_query: path eventually calls
dcerpc_lsa_lookup_sids_noalloc(), which hides the
STATUS_SOME_UNMAPPED that came in as the lsa_LookupSids result value.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)
---
selftest/knownfail.d/lookuprids_cache | 1 +
.../tests/test_wbinfo_lookuprids_cache.sh | 21 +++++++++++++++++++
source3/selftest/tests.py | 5 +++++
3 files changed, 27 insertions(+)
create mode 100644 selftest/knownfail.d/lookuprids_cache
create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh
diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
new file mode 100644
index 00000000000..d3c40a62b45
--- /dev/null
+++ b/selftest/knownfail.d/lookuprids_cache
@@ -0,0 +1 @@
+^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
\ No newline at end of file
diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
new file mode 100755
index 00000000000..0b21ffcd7c9
--- /dev/null
+++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
+TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
+TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
+NET="$VALGRIND ${NET:-$BINDIR/net}"
+
+cache="$LOCK_DIR"/winbindd_cache.tdb
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
+testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
+
+key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
+
+testit "delete" "$TDBTOOL" "$cache" delete "$key"
+testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
+
+testok $0 $failed
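Review bot: The `testit "delete" ...` line is the only testit call without `|| failed=\`expr $failed + 1\``, so a failed tdbtool delete is reported in subunit but does not count towards the exit status — and since the whole point of the test is that the cache entry is gone before lookuprids2 runs, a silently failing delete would let lookuprids2 pass for the wrong reason. `failed` is also never initialised; the usual pattern in these scripts is `failed=0` near the top, which keeps `expr $failed + 1` well-formed on the first failure. The `grep ^key.*NDR.*/16/` pattern is unquoted; `grep '^key.*NDR.*/16/'` avoids the shell globbing it against the current directory.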
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index dc44160e50d..b01a3c1aad1 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -332,6 +332,11 @@ env = "nt4_member:local"
plantestsuite("samba3.wbinfo_sids_to_xids", env,
[os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
+plantestsuite(
+ "samba.wbinfo_lookuprids_cache",
+ env,
+ [os.path.join(samba3srcdir,
+ "script/tests/test_wbinfo_lookuprids_cache.sh")])
env = "ad_member"
t = "WBCLIENT-MULTI-PING"
--
2.20.1
From 7389996f5e04acb79a760cb72b9d5c5a617262b8 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 8 Jul 2020 15:09:45 +0200
Subject: [PATCH 2/2] winbind: Fix lookuprids cache problem
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jul 9 21:40:52 UTC 2020 on sn-devel-184
(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
---
selftest/knownfail.d/lookuprids_cache | 1 -
source3/winbindd/winbindd_dual_srv.c | 3 ++-
2 files changed, 2 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/lookuprids_cache
diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
deleted file mode 100644
index d3c40a62b45..00000000000
--- a/selftest/knownfail.d/lookuprids_cache
+++ /dev/null
@@ -1 +0,0 @@
-^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
\ No newline at end of file
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 13345caa41b..63bb614a0ca 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -672,7 +672,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r)
r->in.rids->rids, r->in.rids->num_rids,
&domain_name, &names, &types);
reset_cm_connection_on_error(domain, NULL, status);
- if (!NT_STATUS_IS_OK(status)) {
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) {
return status;
}
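Review bot: Letting STATUS_SOME_UNMAPPED through the early return means the code after the hunk now runs with `names`/`types` arrays in which some entries are presumably unmapped; from the hunk alone it is not visible whether that code tolerates a NULL name or an unknown type for those rids, nor whether the function still propagates STATUS_SOME_UNMAPPED to its caller rather than reporting full success — both should be confirmed. A comment on the widened condition would also help the next reader, e.g. `/* Partial results are acceptable here; unmapped rids are reported per entry. */`. _wbint_LookupRids's body continues outside the hunk on both sides.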
--
2.20.1

@ -1,342 +0,0 @@
From 2840bd0becee307f4ee896b26e9f29baac03c347 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 15 Jun 2020 11:50:16 +0200
Subject: [PATCH 1/2] s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is good practice,
because TLS protocol hardening and the phasing out of legacy algorithms
are easier to coordinate when they happen in a single place. See the
crypto policies of Fedora.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
---
docs-xml/smbdotconf/security/tlspriority.xml | 10 ++---
lib/param/loadparm.c | 10 ++++-
python/samba/tests/docs.py | 20 ++++++++++
source3/param/loadparm.c | 11 +++++-
source4/lib/tls/tls_tstream.c | 40 +++++++++++++++-----
wscript_configure_system_gnutls | 3 ++
6 files changed, 76 insertions(+), 18 deletions(-)
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
index d7214a4c1ea..6d1f0dcb912 100644
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -7,15 +7,15 @@
to be supported in the parts of Samba that use GnuTLS, specifically
the AD DC.
</para>
- <para>The default turns off SSLv3, as this protocol is no longer considered
- secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
- in HTTPS applications.
- </para>
+ <para>The string is appended to the default priority list of GnuTLS.</para>
<para>The valid options are described in the
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
</para>
+ <para>By default it will try to find a config file matching "SAMBA", but if
+ that does not exist will use the entry for "SYSTEM" and last fallback to
+ NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
</description>
- <value type="default">NORMAL:-VERS-SSL3.0</value>
+ <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 63291283905..8fdd844fbaa 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2803,7 +2803,15 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
- lpcfg_do_global_parameter(lp_ctx, "tls priority", "NORMAL:-VERS-SSL3.0");
+#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_do_global_parameter(lp_ctx,
+ "tls priority",
+ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+#else
+ lpcfg_do_global_parameter(lp_ctx,
+ "tls priority",
+ "NORMAL:-VERS-SSL3.0");
+#endif
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
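Review bot: The new default `@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0` stacks two removal prefixes: GnuTLS treats `!` and `-` both as "remove the following keyword", so the keyword it tries to remove is `-VERS-SSL3.0`, which is not a GnuTLS keyword and is likely to be rejected when the string is parsed; the intended form is presumably `"@SAMBA,SYSTEM,NORMAL:-VERS-SSL3.0"`. The following patch in this series reverts this default as "really broken", which is consistent with that reading. The same string is introduced in source3/param/loadparm.c in this patch. loadparm_init's body continues outside the hunk.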
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 32a16a98fbc..789865221cb 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -26,6 +26,21 @@ import os
import subprocess
import xml.etree.ElementTree as ET
+config_h = os.path.join("bin/default/include/config.h")
+config_hash = dict()
+
+if os.path.exists(config_h):
+ config_hash = dict()
+ f = open(config_h, 'r')
+ try:
+ lines = f.readlines()
+ config_hash = dict((x[0], ' '.join(x[1:]))
+ for x in map(lambda line: line.strip().split(' ')[1:],
+ list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
+ finally:
+ f.close()
+
+have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
class TestCase(samba.tests.TestCaseInTempDir):
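Review bot: The new module-level config.h parser opens the file with a manual try/finally, assigns `config_hash = dict()` twice, and wraps a single path in `os.path.join()`, which is a no-op with one argument; a `with` block and a plain loop express the same filter/map pipeline more readably and should produce the same dictionary. This is a point of style; the resulting `have_gnutls_system_config_support` flag is unchanged.
```python
config_h = "bin/default/include/config.h"
config_hash = {}

if os.path.exists(config_h):
    with open(config_h, 'r') as f:
        for line in f:
            parts = line.strip().split(' ')
            if parts[0] == '#define' and len(parts) > 2:
                config_hash[parts[1]] = ' '.join(parts[2:])

have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
```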
@@ -127,6 +142,11 @@ class SmbDotConfTests(TestCase):
'smbd max async dosmode',
])
+ # 'tls priority' has a legacy default value if we don't link against a
+ # modern GnuTLS version.
+ if not have_gnutls_system_config_support:
+ special_cases.add('tls priority')
+
def setUp(self):
super(SmbDotConfTests, self).setUp()
# create a minimal smb.conf file for testparm
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d3d81f6ece5..2b1a63998d6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -885,8 +885,15 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
- lpcfg_string_set(Globals.ctx, &Globals.tls_priority,
- "NORMAL:-VERS-SSL3.0");
+#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
+#else
+ lpcfg_string_set(Globals.ctx,
+ &Globals.tls_priority,
+ "NORMAL!-VERS-SSL3.0");
+#endif
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
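Review bot: The fallback string `"NORMAL!-VERS-SSL3.0"` in the `#else` branch lacks the `:` separator, so the legacy default differs both from the `"NORMAL:-VERS-SSL3.0"` this hunk removes and from the lib/param/loadparm.c counterpart in the same patch; GnuTLS will most likely reject it as a parse error instead of disabling SSL 3.0. It should read `"NORMAL:-VERS-SSL3.0"`. init_globals's body continues outside the hunk.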
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index 55bca036776..d984addeec5 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -1035,16 +1035,26 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_priority_set_direct(tlss->tls_session,
- tls_params->tls_priority,
- &error_pos);
+ ret = gnutls_set_default_priority(tlss->tls_session);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
- __location__, gnutls_strerror(ret), error_pos));
+ DBG_ERR("TLS %s - %s. Failed to set default priorities\n",
+ __location__, gnutls_strerror(ret));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
+ if (strlen(tls_params->tls_priority) > 0) {
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tls_params->tls_priority,
+ &error_pos);
+ if (ret != GNUTLS_E_SUCCESS) {
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+ }
+
ret = gnutls_credentials_set(tlss->tls_session,
GNUTLS_CRD_CERTIFICATE,
tls_params->x509_cred);
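Review bot: In both `_tstream_tls_connect_send` (this hunk) and `_tstream_tls_accept_send` (the next hunk), `gnutls_priority_set_direct()` replaces the session's priorities wholesale, so the `gnutls_set_default_priority()` call just before it has no lasting effect whenever `tls priority` is non-empty — which it always is with the new `@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0` default; the "appended to the default priority list" wording in tlspriority.xml and the configure check for `gnutls_set_default_priority_append` therefore do not describe what this code does. The guard `strlen(tls_params->tls_priority) > 0` also dereferences the string unconditionally; if `tls_priority` can be NULL (the old code handed it straight to GnuTLS), use `tls_params->tls_priority != NULL && tls_params->tls_priority[0] != '\0'` instead. The two added blocks are otherwise identical and would fit a single static helper taking the session and the priority string.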
@@ -1284,16 +1294,26 @@ struct tevent_req *_tstream_tls_accept_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_priority_set_direct(tlss->tls_session,
- tlsp->tls_priority,
- &error_pos);
+ ret = gnutls_set_default_priority(tlss->tls_session);
if (ret != GNUTLS_E_SUCCESS) {
- DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
- __location__, gnutls_strerror(ret), error_pos));
+ DBG_ERR("TLS %s - %s. Failed to set default priorities\n",
+ __location__, gnutls_strerror(ret));
tevent_req_error(req, EINVAL);
return tevent_req_post(req, ev);
}
+ if (strlen(tlsp->tls_priority) > 0) {
+ ret = gnutls_priority_set_direct(tlss->tls_session,
+ tlsp->tls_priority,
+ &error_pos);
+ if (ret != GNUTLS_E_SUCCESS) {
+ DEBUG(0,("TLS %s - %s. Check 'tls priority' option at '%s'\n",
+ __location__, gnutls_strerror(ret), error_pos));
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+ }
+
ret = gnutls_credentials_set(tlss->tls_session, GNUTLS_CRD_CERTIFICATE,
tlsp->x509_cred);
if (ret != GNUTLS_E_SUCCESS) {
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index b2b955f3c90..631405fa34c 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -20,6 +20,9 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
# Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat
conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
+# Check for gnutls_set_default_priority_append (>= 3.6.3)
+conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
+
# Check for gnutls_aead_cipher_encryptv2
#
# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
--
2.26.2
From fdcf9f23f659025f174b32109a273e80b2ad289e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 30 Jun 2020 17:12:17 +0200
Subject: [PATCH 2/2] tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
This seems to be really broken in GnuTLS and the documentation is also
not correct.
This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 1 14:56:33 UTC 2020 on sn-devel-184
---
docs-xml/smbdotconf/security/tlspriority.xml | 6 ++----
lib/param/loadparm.c | 6 ------
python/samba/tests/docs.py | 21 --------------------
source3/param/loadparm.c | 8 +-------
4 files changed, 3 insertions(+), 38 deletions(-)
diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml
index 6d1f0dcb912..471dc25ba3b 100644
--- a/docs-xml/smbdotconf/security/tlspriority.xml
+++ b/docs-xml/smbdotconf/security/tlspriority.xml
@@ -12,10 +12,8 @@
<ulink url="http://gnutls.org/manual/html_node/Priority-Strings.html">GNUTLS
Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html</ulink>
</para>
- <para>By default it will try to find a config file matching "SAMBA", but if
- that does not exist will use the entry for "SYSTEM" and last fallback to
- NORMAL. In all cases the SSL3.0 protocol will be disabled.</para>
+ <para>The SSL3.0 protocol will be disabled.</para>
</description>
- <value type="default">@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0</value>
+ <value type="default">NORMAL:-VERS-SSL3.0</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 8fdd844fbaa..4e7e3f599dd 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2803,15 +2803,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem");
lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem");
lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem");
-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
- lpcfg_do_global_parameter(lp_ctx,
- "tls priority",
- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
-#else
lpcfg_do_global_parameter(lp_ctx,
"tls priority",
"NORMAL:-VERS-SSL3.0");
-#endif
lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g");
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 789865221cb..654a192b510 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -26,22 +26,6 @@ import os
import subprocess
import xml.etree.ElementTree as ET
-config_h = os.path.join("bin/default/include/config.h")
-config_hash = dict()
-
-if os.path.exists(config_h):
- config_hash = dict()
- f = open(config_h, 'r')
- try:
- lines = f.readlines()
- config_hash = dict((x[0], ' '.join(x[1:]))
- for x in map(lambda line: line.strip().split(' ')[1:],
- list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines))))
- finally:
- f.close()
-
-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash)
-
class TestCase(samba.tests.TestCaseInTempDir):
def _format_message(self, parameters, message):
@@ -142,11 +126,6 @@ class SmbDotConfTests(TestCase):
'smbd max async dosmode',
])
- # 'tls priority' has a legacy default value if we don't link against a
- # modern GnuTLS version.
- if not have_gnutls_system_config_support:
- special_cases.add('tls priority')
-
def setUp(self):
super(SmbDotConfTests, self).setUp()
# create a minimal smb.conf file for testparm
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 2b1a63998d6..901f01b1c6a 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -885,15 +885,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem");
lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem");
-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND
lpcfg_string_set(Globals.ctx,
&Globals.tls_priority,
- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0");
-#else
- lpcfg_string_set(Globals.ctx,
- &Globals.tls_priority,
- "NORMAL!-VERS-SSL3.0");
-#endif
+ "NORMAL:-VERS-SSL3.0");
lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic");
--
2.26.2

@ -1,478 +0,0 @@
From 3dbdb8c3d8cd0498e1afb47758fea700f5061435 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 May 2020 12:25:24 +0200
Subject: [PATCH 1/4] lib:util: Add path_expand_tilde()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)
---
lib/util/util_paths.c | 72 +++++++++++++++++++++++++++++++++++++++++++
lib/util/util_paths.h | 9 ++++++
2 files changed, 81 insertions(+)
diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index 0473557dfc6..c05246a7407 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -6,6 +6,7 @@
Copyright (C) Simo Sorce 2001
Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
Copyright (C) James Peach 2006
+ Copyright (c) 2020 Andreas Schneider <asn@samba.org>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -24,6 +25,7 @@
#include "includes.h"
#include "dynconfig/dynconfig.h"
#include "lib/util/util_paths.h"
+#include "system/passwd.h"
/**
* @brief Returns an absolute path to a file in the Samba modules directory.
@@ -62,3 +64,73 @@ const char *shlib_ext(void)
return get_dyn_SHLIBEXT();
}
+static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+{
+ struct passwd pwd = {0};
+ struct passwd *pwdbuf = NULL;
+ char buf[NSS_BUFLEN_PASSWD] = {0};
+ int rc;
+
+ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ if (rc != 0 || pwdbuf == NULL ) {
+ const char *szPath = getenv("HOME");
+ if (szPath == NULL) {
+ return NULL;
+ }
+ snprintf(buf, sizeof(buf), "%s", szPath);
+
+ return talloc_strdup(mem_ctx, buf);
+ }
+
+ return talloc_strdup(mem_ctx, pwd.pw_dir);
+}
+
+char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
+{
+ char *h = NULL, *r = NULL;
+ const char *p = NULL;
+ struct stat sb = {0};
+ int rc;
+
+ if (d[0] != '~') {
+ return talloc_strdup(mem_ctx, d);
+ }
+ d++;
+
+ /* handle ~user/path */
+ p = strchr(d, '/');
+ if (p != NULL && p > d) {
+ struct passwd *pw;
+ size_t s = p - d;
+ char u[128];
+
+ if (s >= sizeof(u)) {
+ return NULL;
+ }
+ memcpy(u, d, s);
+ u[s] = '\0';
+
+ pw = getpwnam(u);
+ if (pw == NULL) {
+ return NULL;
+ }
+ h = talloc_strdup(mem_ctx, pw->pw_dir);
+ } else {
+ p = d;
+ h = get_user_home_dir(mem_ctx);
+ }
+ if (h == NULL) {
+ return NULL;
+ }
+
+ rc = stat(h, &sb);
+ if (rc != 0) {
+ TALLOC_FREE(h);
+ return NULL;
+ }
+
+ r = talloc_asprintf(mem_ctx, "%s%s", h, p);
+ TALLOC_FREE(h);
+
+ return r;
+}
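Review bot: `path_expand_tilde()` mishandles `~user` with no trailing slash: `strchr(d, '/')` returns NULL, the else branch sets `p = d`, and the result becomes the caller's own home directory concatenated with `user` rather than that user's home. Setting `p = d + strlen(d)` when no slash is found (`if (p == NULL) { p = d + strlen(d); }` right after the strchr) makes the `p > d` test pick the user branch while leaving a bare `~` unaffected. `get_user_home_dir()` uses the reentrant `getpwuid_r` but `path_expand_tilde()` falls back to the non-reentrant `getpwnam()`; `getpwnam_r` would keep the two consistent. The `$HOME` fallback in `get_user_home_dir()` copies into the fixed `buf` via `snprintf` before duplicating it, silently truncating long values where `return talloc_strdup(mem_ctx, szPath);` would not.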
diff --git a/lib/util/util_paths.h b/lib/util/util_paths.h
index 80e8aaac6e9..cf34f691e5f 100644
--- a/lib/util/util_paths.h
+++ b/lib/util/util_paths.h
@@ -51,4 +51,13 @@ char *data_path(TALLOC_CTX *mem_ctx, const char *name);
**/
const char *shlib_ext(void);
+/**
+ * @brief Expand a directory starting with a tilde '~'
+ *
+ * @param[in] d The directory to expand.
+ *
+ * @return The expanded directory, NULL on error.
+ */
+char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d);
+
#endif
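Review bot: The new Doxygen block documents `d` but not `mem_ctx`, and it does not say who owns the result. Add `@param[in] mem_ctx The talloc context the returned string is allocated on.` and extend `@return` to note that the caller frees the result with talloc and that NULL is also returned when the resolved home directory does not exist, since the implementation stat()s it before building the path.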
--
2.26.2
From d43c586576353cba5082ba396c521dde1cde4929 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 11 May 2020 12:50:11 +0200
Subject: [PATCH 2/4] lib:util: Add test for path_expand_tilde()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)
---
lib/util/tests/test_util_paths.c | 127 +++++++++++++++++++++++++++++++
lib/util/wscript_build | 6 ++
selftest/tests.py | 2 +
3 files changed, 135 insertions(+)
create mode 100644 lib/util/tests/test_util_paths.c
diff --git a/lib/util/tests/test_util_paths.c b/lib/util/tests/test_util_paths.c
new file mode 100644
index 00000000000..b89abf0aea1
--- /dev/null
+++ b/lib/util/tests/test_util_paths.c
@@ -0,0 +1,127 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2020 Andreas Schneider <asn@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include <talloc.h>
+
+#include "lib/replace/replace.h"
+#include "lib/util/util_paths.c"
+
+static int setup(void **state)
+{
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
+
+ assert_non_null(mem_ctx);
+ *state = mem_ctx;
+
+ return 0;
+}
+
+static int teardown(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ TALLOC_FREE(mem_ctx);
+
+ return 0;
+}
+
+static void test_get_user_home_dir(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ struct passwd *pwd = getpwuid(getuid());
+ char *user;
+
+ user = get_user_home_dir(mem_ctx);
+ assert_non_null(user);
+ assert_string_equal(user, pwd->pw_dir);
+
+ TALLOC_FREE(user);
+}
+
+static void test_path_expand_tilde(void **state)
+{
+ TALLOC_CTX *mem_ctx = *state;
+ char h[256] = {0};
+ char *d = NULL;
+ const char *user = NULL;
+ char *home = NULL;
+
+ user = getenv("USER");
+ if (user == NULL){
+ user = getenv("LOGNAME");
+ }
+
+ /* In certain CIs there no such variables */
+ if (user == NULL) {
+ struct passwd *pw = getpwuid(getuid());
+ if (pw){
+ user = pw->pw_name;
+ }
+ }
+
+ home = getenv("HOME");
+ assert_non_null(home);
+ snprintf(h, sizeof(h), "%s/.cache", home);
+
+ d = path_expand_tilde(mem_ctx, "~/.cache");
+ assert_non_null(d);
+ assert_string_equal(d, h);
+ TALLOC_FREE(d);
+
+ snprintf(h, sizeof(h), "%s/.cache/X~", home);
+ d = path_expand_tilde(mem_ctx, "~/.cache/X~");
+ assert_string_equal(d, h);
+ TALLOC_FREE(d);
+
+ d = path_expand_tilde(mem_ctx, "/guru/meditation");
+ assert_non_null(d);
+ assert_string_equal(d, "/guru/meditation");
+ TALLOC_FREE(d);
+
+ snprintf(h, sizeof(h), "~%s/.cache", user);
+ d = path_expand_tilde(mem_ctx, h);
+ assert_non_null(d);
+
+ snprintf(h, sizeof(h), "%s/.cache", home);
+ assert_string_equal(d, h);
+ TALLOC_FREE(d);
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_get_user_home_dir),
+ cmocka_unit_test(test_path_expand_tilde),
+ };
+
+ if (argc == 2) {
+ cmocka_set_test_filter(argv[1]);
+ }
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ rc = cmocka_run_group_tests(tests, setup, teardown);
+
+ return rc;
+}
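Review bot: `test_get_user_home_dir()` dereferences `pwd->pw_dir` without checking that `getpwuid()` returned non-NULL, while `test_path_expand_tilde()` does guard its `pw`; an `assert_non_null(pwd);` before the comparison turns a missing passwd entry into a clear failure rather than a crash. In `test_path_expand_tilde()`, `user` can still be NULL after all three lookups and is then passed to `snprintf` via `%s`, which is undefined behaviour; add `assert_non_null(user);` before the `~%s/.cache` case. That last case also assumes the looked-up user's home equals `$HOME`, which holds in the selftest environment but may not elsewhere.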
diff --git a/lib/util/wscript_build b/lib/util/wscript_build
index a827eea3ed9..608f7b3dd73 100644
--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
@@ -288,3 +288,9 @@ else:
deps='cmocka replace samba-util',
local_include=False,
for_selftest=True)
+
+ bld.SAMBA_BINARY('test_util_paths',
+ source='tests/test_util_paths.c',
+ deps='cmocka replace talloc samba-util',
+ local_include=False,
+ for_selftest=True)
diff --git a/selftest/tests.py b/selftest/tests.py
index 96d3f8d6317..b72a6fb65eb 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -389,6 +389,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none",
[os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])
plantestsuite("samba.unittests.byteorder", "none",
[os.path.join(bindir(), "default/lib/util/test_byteorder")])
+plantestsuite("samba.unittests.util_paths", "none",
+ [os.path.join(bindir(), "default/lib/util/test_util_paths")])
plantestsuite("samba.unittests.ntlm_check", "none",
[os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
plantestsuite("samba.unittests.gnutls", "none",
--
2.26.2
From 133edb95814adc43072fd33876caf9d720eaac1f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 May 2020 17:10:51 +0200
Subject: [PATCH 3/4] s3:gencache: Allow to open gencache as read-only
This allows client tools to access the cache for read-only operations
as a normal user.
Example:
net ads status
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184
(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27)
---
source3/lib/gencache.c | 63 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 3 deletions(-)
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index 9ad85bbf55f..896bf50cbd7 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -29,10 +29,13 @@
#include "tdb_wrap/tdb_wrap.h"
#include "zlib.h"
#include "lib/util/strv.h"
+#include "lib/util/util_paths.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_TDB
+#define GENCACHE_USER_PATH "~/.cache/samba/gencache.tdb"
+
static struct tdb_wrap *cache;
/**
@@ -68,6 +71,7 @@ static bool gencache_init(void)
{
char* cache_fname = NULL;
int open_flags = O_RDWR|O_CREAT;
+ int tdb_flags = TDB_INCOMPATIBLE_HASH|TDB_NOSYNC|TDB_MUTEX_LOCKING;
int hash_size;
/* skip file open if it's already opened */
@@ -85,10 +89,63 @@ static bool gencache_init(void)
DEBUG(5, ("Opening cache file at %s\n", cache_fname));
cache = tdb_wrap_open(NULL, cache_fname, hash_size,
- TDB_INCOMPATIBLE_HASH|
- TDB_NOSYNC|
- TDB_MUTEX_LOCKING,
+ tdb_flags,
open_flags, 0644);
+ /*
+ * Allow client tools to create a gencache in the home directory
+ * as a normal user.
+ */
+ if (cache == NULL && errno == EACCES && geteuid() != 0) {
+ char *cache_dname = NULL, *tmp = NULL;
+ bool ok;
+
+ TALLOC_FREE(cache_fname);
+
+ cache_fname = path_expand_tilde(talloc_tos(),
+ GENCACHE_USER_PATH);
+ if (cache_fname == NULL) {
+ DBG_ERR("Failed to expand path: %s\n",
+ GENCACHE_USER_PATH);
+ return false;
+ }
+
+ tmp = talloc_strdup(talloc_tos(), cache_fname);
+ if (tmp == NULL) {
+ DBG_ERR("No memory!\n");
+ TALLOC_FREE(cache_fname);
+ return false;
+ }
+
+ cache_dname = dirname(tmp);
+ if (cache_dname == NULL) {
+ DBG_ERR("Invalid path: %s\n", cache_fname);
+ TALLOC_FREE(tmp);
+ TALLOC_FREE(cache_fname);
+ return false;
+ }
+
+ ok = directory_create_or_exist(cache_dname, 0700);
+ if (!ok) {
+ DBG_ERR("Failed to create directory: %s - %s\n",
+ cache_dname, strerror(errno));
+ TALLOC_FREE(tmp);
+ TALLOC_FREE(cache_fname);
+ return false;
+ }
+ TALLOC_FREE(tmp);
+
+ cache = tdb_wrap_open(NULL,
+ cache_fname,
+ hash_size,
+ tdb_flags,
+ open_flags,
+ 0644);
+ if (cache != NULL) {
+ DBG_INFO("Opening user cache file %s.\n",
+ cache_fname);
+ }
+ }
+
if (cache == NULL) {
DEBUG(5, ("Opening %s failed: %s\n", cache_fname,
strerror(errno)));
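Review bot: The per-user fallback still passes mode 0644 to the second tdb_wrap_open() call, so the cache file itself is group/world readable and its protection rests entirely on the 0700 directory created just above; for a database that belongs to exactly one user, `0644` → `0600` would keep the file self-protecting even if the directory mode is later relaxed (what gencache stores is not visible here, so the sensitivity is unconfirmed). The fallback also depends on directory_create_or_exist() creating `~/.cache/samba` in one step — if `~/.cache` is absent and that helper is not recursive, the open fails with only the generic "Opening %s failed" message at the end of the hunk; worth confirming. dirname(tmp) may return a pointer into `tmp` or into static storage, and `cache_dname` is last used before `TALLOC_FREE(tmp)`, so the ordering is right but fragile; a comment such as `/* cache_dname may point into tmp: keep tmp alive until the directory exists */` would protect it. gencache_init() begins before this hunk.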
--
2.26.2
From de71248d86e29ca7d1d2df0f197b930ae8472d5b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 May 2020 12:18:02 -0700
Subject: [PATCH 4/4] s3: lib: Paranoia around use of snprintf copying into a
fixed-size buffer from a getenv() pointer.
Post checks for overflow/error.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184
(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)
---
lib/util/util_paths.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
index c05246a7407..c0ee5c32c30 100644
--- a/lib/util/util_paths.c
+++ b/lib/util/util_paths.c
@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
if (rc != 0 || pwdbuf == NULL ) {
+ int len_written;
const char *szPath = getenv("HOME");
if (szPath == NULL) {
return NULL;
}
- snprintf(buf, sizeof(buf), "%s", szPath);
-
+ len_written = snprintf(buf, sizeof(buf), "%s", szPath);
+ if (len_written >= sizeof(buf) || len_written < 0) {
+ /* Output was truncated or an error. */
+ return NULL;
+ }
return talloc_strdup(mem_ctx, buf);
}
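Review bot: `len_written >= sizeof(buf)` compares an `int` with a `size_t`, so a negative snprintf() result is converted to a large unsigned value and caught by the first operand, leaving the `< 0` test effectively unreachable and triggering -Wsign-compare; test the sign first and cast explicitly: `if (len_written < 0 || (size_t)len_written >= sizeof(buf)) {`. The truncation check is only meaningful if `buf` is a real array rather than a pointer — it is passed to getpwuid_r() with `NSS_BUFLEN_PASSWD` but declared outside the hunk, so the two sizes should be confirmed to agree. get_user_home_dir() starts before this hunk.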
--
2.26.2


@ -1,203 +0,0 @@
From 222b16ac61329dc819ab5b9ccd3276c5a1a01c8f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 2 Jul 2020 14:32:34 +0200
Subject: [PATCH 1/3] s4:torture/smb2: add smb2.delete-on-close-perms.BUG14427
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bcba4bb210d9482be4c2c8dadfb5cc185046cbaa)
---
selftest/knownfail.d/bug14427 | 1 +
source4/torture/smb2/delete-on-close.c | 43 +++++++++++++++++++++++++-
2 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 selftest/knownfail.d/bug14427
diff --git a/selftest/knownfail.d/bug14427 b/selftest/knownfail.d/bug14427
new file mode 100644
index 00000000000..e136465ef87
--- /dev/null
+++ b/selftest/knownfail.d/bug14427
@@ -0,0 +1 @@
+^samba3.smb2.delete-on-close-perms.BUG14427
diff --git a/source4/torture/smb2/delete-on-close.c b/source4/torture/smb2/delete-on-close.c
index 3c495750f43..05242876dcb 100644
--- a/source4/torture/smb2/delete-on-close.c
+++ b/source4/torture/smb2/delete-on-close.c
@@ -698,6 +698,46 @@ static bool test_doc_read_only(struct torture_context *tctx,
return ret;
}
+/*
+ * This is a regression test for
+ * https://bugzilla.samba.org/show_bug.cgi?id=14427
+ *
+ * It's not really a delete-on-close specific test.
+ */
+static bool test_doc_bug14427(struct torture_context *tctx, struct smb2_tree *tree1)
+{
+ struct smb2_tree *tree2 = NULL;
+ NTSTATUS status;
+ char fname[256];
+ bool ret = false;
+ bool ok;
+
+ /* Add some random component to the file name. */
+ snprintf(fname, sizeof(fname), "doc_bug14427_%s.dat",
+ generate_random_str(tctx, 8));
+
+ ok = torture_smb2_tree_connect(tctx, tree1->session, tctx, &tree2);
+ torture_assert_goto(tctx, ok, ret, done,
+ "torture_smb2_tree_connect() failed.\n");
+
+ status = torture_setup_simple_file(tctx, tree1, fname);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "torture_setup_simple_file() failed on tree1.\n");
+
+ status = smb2_util_unlink(tree2, fname);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_util_unlink() failed on tree2.\n");
+ TALLOC_FREE(tree2);
+ ret = true;
+done:
+ if (tree2 != NULL) {
+ TALLOC_FREE(tree2);
+ smb2_util_unlink(tree1, fname);
+ }
+
+ TALLOC_FREE(tree1);
+ return ret;
+}
/*
* Extreme testing of Delete On Close and permissions
@@ -713,7 +753,8 @@ struct torture_suite *torture_smb2_doc_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "CREATE_IF", test_doc_create_if);
torture_suite_add_1smb2_test(suite, "CREATE_IF Existing", test_doc_create_if_exist);
torture_suite_add_1smb2_test(suite, "FIND_and_set_DOC", test_doc_find_and_set_doc);
- torture_suite_add_1smb2_test(suite, "READONLY", test_doc_read_only);
+ torture_suite_add_1smb2_test(suite, "READONLY", test_doc_read_only);
+ torture_suite_add_1smb2_test(suite, "BUG14427", test_doc_bug14427);
suite->description = talloc_strdup(suite, "SMB2-Delete-on-Close-Perms tests");
--
2.26.2
From a6005fb5155a7c7886b179e7672b198a55e69380 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 2 Jul 2020 12:06:28 +0200
Subject: [PATCH 2/3] s3:smbd: reformat if statement for caching in vfs_ChDir()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b2b5ae090ee8796609eb0b5794bc4e62c24414ef)
---
source3/smbd/vfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 96067e45005..7c8f99bbd41 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -879,8 +879,9 @@ int vfs_ChDir(connection_struct *conn, const struct smb_filename *smb_fname)
return 0;
}
- if (*smb_fname->base_name == '/' &&
- strcsequal(LastDir,smb_fname->base_name)) {
+ if (smb_fname->base_name[0] == '/' &&
+ strcsequal(LastDir,smb_fname->base_name))
+ {
return 0;
}
--
2.26.2
From 735fd5fe21b4c365946806e79df668cec22b3210 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 1 Jul 2020 09:38:58 +0200
Subject: [PATCH 3/3] s3:smbd: make sure vfs_ChDir() always sets
conn->cwd_fsp->fh->fd = AT_FDCWD
This is what all consumers of conn->cwd_fsp->fh->fd expect!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f3f330f61db983f6d213a097d9a4d91b1057ecb1)
---
selftest/knownfail.d/bug14427 | 1 -
source3/smbd/vfs.c | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
delete mode 100644 selftest/knownfail.d/bug14427
diff --git a/selftest/knownfail.d/bug14427 b/selftest/knownfail.d/bug14427
deleted file mode 100644
index e136465ef87..00000000000
--- a/selftest/knownfail.d/bug14427
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.delete-on-close-perms.BUG14427
diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
index 7c8f99bbd41..411999c3856 100644
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -876,12 +876,47 @@ int vfs_ChDir(connection_struct *conn, const struct smb_filename *smb_fname)
}
if (ISDOT(smb_fname->base_name)) {
+ /*
+ * passing a '.' is a noop,
+ * and we only expect this after
+ * everything is initialized.
+ *
+ * So the first vfs_ChDir() on a given
+ * connection_struct must not be '.'.
+ *
+ * Note: conn_new() sets
+ * conn->cwd_fsp->fh->fd = -1
+ * and vfs_ChDir() leaves with
+ * conn->cwd_fsp->fh->fd = AT_FDCWD
+ * on success!
+ */
+ if (conn->cwd_fsp->fh->fd != AT_FDCWD) {
+ /*
+ * This should never happen and
+ * we might change this to
+ * SMB_ASSERT() in future.
+ */
+ DBG_ERR("Called with '.' as first operation!\n");
+ log_stack_trace();
+ errno = EINVAL;
+ return -1;
+ }
return 0;
}
if (smb_fname->base_name[0] == '/' &&
strcsequal(LastDir,smb_fname->base_name))
{
+ /*
+ * conn->cwd_fsp->fsp_name and the kernel
+ * are already correct, but conn->cwd_fsp->fh->fd
+ * might still be -1 as initialized in conn_new().
+ *
+ * This can happen when a client made a 2nd
+ * tree connect to a share with the same underlying
+ * path (may or may not the same share).
+ */
+ conn->cwd_fsp->fh->fd = AT_FDCWD;
return 0;
}
--
2.26.2


@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXsOxqhUcc2FtYmEtYnVn
c0BzYW1iYS5vcmcACgkQbzORW2Vot+qdhwCdFYBB+shlPkgPHklKcr7s0gzg0k0A
nRkKiNJ0zpNWUNY67XzoRvYWf3ys
=5Y06
-----END PGP SIGNATURE-----



@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCX9hrxBUcc2FtYmEtYnVn
c0BzYW1iYS5vcmcACgkQbzORW2Vot+rknACeNaNLylUGp3BdSHXLNdjG4PeCjLwA
nA8WUntBNLH1pDewFd9PGRvKTv8W
=Kn7L
-----END PGP SIGNATURE-----
