Commits on Source (89)
-
Karolin Seeger authored
and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger <kseeger@samba.org>
63547807 -
Karolin Seeger authored
Signed-off-by: Karolin Seeger <kseeger@samba.org>
88a60f59 -
Stefan Metzmacher authored
The domain join with VMWare Horizon Quickprep seems to use netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS (and in addition the NEG_SUPPORTS_AES) just to verify a password. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit ead9b93c)
3bcaef67 -
Stefan Metzmacher authored
The domain join with VMWare Horizon Quickprep seems to use netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS (and in addition the NEG_SUPPORTS_AES) just to verify a password. Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit fa5215ce)
a47fd552 -
Stefan Metzmacher authored
The gensec schannel module already asserts that at least AUTH_LEVEL_INTEGRITY is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 0b6e37c9)
948b60d2 -
Tim Beale authored
A 2003 AD DB with functional level set to >= 2008 was non-functional due to the PSO checks. We already check the functional level is >= 2008 before checking for the PSO container. However, users could change their functional level without ensuring their DB conforms to the corresponding base schema. The objectclass DSDB module should prevent the PSO container from ever being deleted. So the only way we should be able to hit this case is through upgrading the functional level (but not the underlying schema objects). If so, log a low-priority message and continue without errors. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008 RN: Previously, AD operations such as user authentication could fail completely with the message 'Error 32 determining PSOs in system' logged on the samba server. This problem would only affect a domain that was created using a pre-2008 AD base schema and then had its functional level manually raised to 2008 or greater. This issue has now been resolved. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 295bf73e)
00dbe9ff -
Michael Adam authored
The original implementation of the virtual xattr get_real_filename in gluster was misusing the ENOENT errno as the authoritative answer that the file/dir that we were asking the real filename for does not exist. But since the getxattr call is done on the parent directory, this is a violation of the getxattr API which uses ENOENT for the case that the file/dir that the getxattr call is done against does not exist. Now after a recent regression for fuse-mount re-exports due to gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster implementation is changed to more correctly return ENOATTR if the requested file does not exist. This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly, but the get_real_filename optimization for a non-existing entry is lost.
- With this patch, Samba will not work correctly any more against very old gluster servers: Those (correctly) returned ENOATTR always, which Samba originally interpreted as EOPNOTSUPP, triggering the expensive directory scan. With this patch, ENOATTR is interpreted as ENOENT, the authoritative answer that the requested entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010 Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> (cherry picked from commit 8899eb21)
e126fdaa -
Michael Adam authored
The original implementation of the virtual xattr get_real_filename in gluster was misusing the ENOENT errno as the authoritative answer that the file/dir that we were asking the real filename for does not exist. But since the getxattr call is done on the parent directory, this is a violation of the getxattr API which uses ENOENT for the case that the file/dir that the getxattr call is done against does not exist. Now after a recent regression for fuse-mount re-exports due to gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster implementation is changed to more correctly return ENOATTR if the requested file does not exist. This patch changes the glusterfs_fuse vfs module to treat ENOATTR as ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly, but the get_real_filename optimization for a non-existing entry is lost.
- With this patch, Samba will not work correctly any more against very old gluster servers: Those (correctly) returned ENOATTR always, which Samba originally interpreted as EOPNOTSUPP, triggering the expensive directory scan. With this patch, ENOATTR is interpreted as ENOENT, the authoritative answer that the requested entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010 Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184 (cherry picked from commit fee8cf32)
ea481544 -
Tim Beale authored
From v4.8 onwards, Samba may not be able to join a DC older than 2008R2 because the Windows DC doesn't support GET_TGT. If the dsdb repl_md code can't resolve a link target it returns an error, and the calling code (e.g. drs_util.py) should retry with GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later, so if you try to join an earlier Windows DC, the join will throw an error that you can't work around. We can avoid this problem by setting the same DSDB flag that GET_TGT sets to indicate that the link targets are as up-to-date as possible, and so there's no point retrying. Missing targets are still logged, so this at least allows the admin to fix up any problems after the join completed. I've only done this for the join case (problems during periodic replication are probably still worth escalating to an error). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021 RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD DC may not have worked. When this problem occurred, the following message would be displayed: 'Failed to commit objects: DOS code 0x000021bf' This particular issue has now been resolved. Note that there may still be other potential problems that occur when joining an older Windows DC. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit b3a2508f) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Mon Jul 8 16:24:32 UTC 2019 on sn-devel-144
f7a5adf0 -
Stefan Metzmacher authored
dbghdrclass() sets the global 'current_msg_class' and for that DEBUGC() should pass the given dbgc_class instead of the per file DBGC_CLASS. This is important with the new per class logfile with: log level = 1 dsdb_audit:10@/var/log/samba/log.dsdb_audit BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (similar to commit bb0ffbf3)
bdc11a6b -
Stefan Metzmacher authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13915 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit d98a9712)
9af7a1cc -
Stefan Metzmacher authored
If a domain was provisioned by Windows 2000 this value is missing in the database. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13967 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue May 28 08:32:10 UTC 2019 on sn-devel-184 (cherry picked from commit 2ef79a4c)
4fd604b1 -
Stefan Metzmacher authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> (cherry picked from commit 9a0c3a47)
d9b747c0 -
Stefan Metzmacher authored
In future we should use ipv4address, but that would result in a much larger change. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> (cherry picked from commit 6d958af0)
b5956912 -
Stefan Metzmacher authored
The endian changes are needed in order to get the following result from the blobs Windows generated (see the torture test):
    AddrArray: ARRAY(3)
        AddrArray: struct dnsp_dns_addr
            family : 0x0002 (2)
            port : 0x0035 (53)
            ipv4 : 172.31.99.33
            ipv6 : 0000:0000:0000:0000:0000:0000:0000:0000
[MS-DNSP] states that the port is supposed to be ignored, but it's still good to decode it as port '53' (0x0035) instead of '13568' (0x3500). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> (cherry picked from commit 6fc7cc15)
8ce25bdb -
Stefan Metzmacher authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13969 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jun 21 11:02:21 UTC 2019 on sn-devel-184 (cherry picked from commit aa2a3d95)
043675f3 -
Björn Baumbach authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 5e000a84)
cf5002e0 -
Stefan Metzmacher authored
The new role owner needs to replicate from the old role owner. Before we told the old role owner to replicate from itself. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 4793f8ed)
6b9d7481 -
Björn Baumbach authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973 Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 0fbb013b)
8fb77c2d -
Stefan Metzmacher authored
We should not risk that we end with no role owner. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (similar to commit 6a2e3a15)
f1eeb8e6 -
Björn Baumbach authored
On some systems we're seeing this:
    ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'module' object has no attribute 'drs_utils'
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 185, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 533, in run
        transfer_dns_role(self.outf, sambaopts, credopts, role, samdb)
      File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 136, in transfer_dns_role
        except samba.drs_utils.drsException as e:
E.g. it happens on debian stretch (9.9) with python 2.7.13 (on 4.10.4), while it doesn't happen on ubuntu 18.04 with python 2.7.15rc1 or with python 3.6.7. There were also some reports on the mailing lists, see: https://lists.samba.org/archive/samba-technical/2019-May/133624.html BUG: https://bugzilla.samba.org/show_bug.cgi?id=13973 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Björn Baumbach <bbaumbach@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu May 30 08:27:24 UTC 2019 on sn-devel-184 (cherry picked from commit 320a5c54)
db44860c -
Ralph Boehme authored
This doesn't cause visible damage in vanilla Samba, but would affect downstream consumers that add additional fields to struct smb_filename. For the same reason there's no test. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14015 RN: Ensure vfs_catia passes stat info to stacked VFS modules Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit ae6dd485)
97727eef -
Rafael David Tinoco authored
CTDB should start as a disabled unit (systemd) in most of the distributions and, when trying to enable it for the first time, the user should get an unconfigured, or similar, error. Depending on the /etc/ctdb/nodes file will give a clear direction to the final user on what is needed in order to get the cluster up and running. It should work like the previous ENABLED=NO variables in SysV-like initialization scripts. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14017 RN: ctdb.service should only start if /etc/ctdb/nodes is not empty Signed-off-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Reviewed-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com> (cherry picked from commit c5803507)
de909ff8 -
Ralph Boehme authored
Revert "s4:messaging: make sure only imessaging_client_init() can be used with a wrapper tevent_context wrapper" This reverts commit e186d6a0. See the discussion in https://lists.samba.org/archive/samba-technical/2018-December/131731.html for the reasoning behind this revert. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 0bd10a48)
9daacf18 -
Ralph Boehme authored
This reverts commit 2b05f109. See the discussion in https://lists.samba.org/archive/samba-technical/2018-December/131731.html for the reasoning behind this revert. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit e2a5272a)
116c4a79 -
Ralph Boehme authored
This reverts commit 9dc33206. See the discussion in https://lists.samba.org/archive/samba-technical/2018-December/131731.html for the reasoning behind this revert. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 26107832)
a4ad9d6e -
Ralph Boehme authored
Revert "s3:messages: allow messaging_{dgm,ctdb}_register_tevent_context() to use wrapper tevent_context" This reverts commit 660cf866. See the discussion in https://lists.samba.org/archive/samba-technical/2018-December/131731.html for the reasoning behind this revert. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 1c3676f3)
5a3fa183 -
Ralph Boehme authored
This reverts commit 7f2afc20. See the discussion in https://lists.samba.org/archive/samba-technical/2018-December/131731.html for the reasoning behind this revert. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14033 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 2a62a98f) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Thu Aug 8 11:20:26 UTC 2019 on sn-devel-144
2627724e -
Alexander Bokovoy authored
Convert torture/rpc/lsa LookupNames/LookupSids code to allow testing different LSA_LOOKUP_NAMES_* levels. Keep existing level 1 (LSA_LOOKUP_NAMES_ALL) for the current set of tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 317bc6a7)
4fd7914e -
Alexander Bokovoy authored
In 2007, we've added support for multiple lookup levels for LSA LookupNames family of calls. However, forest-wide lookups, as described in MS-LSAT 2.2.16, never worked because flags passed to lookup_name() were always set to zero, expecting at least default lookup on a DC to apply. lookup_name() was instead treating zero flags as 'skip all checks'. Allow at least own domain lookup in case domain name is the same. This should allow FreeIPA DC to respond to LSA LookupNames3 calls from a trusted AD DC side. For the reference, below is a request Windows Server 2016 domain controller sends to FreeIPA domain controller when attempting to look up a user from a trusted forest root domain that attempts to login to the domain controller. Notice the level in the lsa_LookupNames3 call and resulting flags in lookup_name().
[2019/08/03 07:14:24.156065, 1, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
    lsa_LookupNames3: struct lsa_LookupNames3
        in: struct lsa_LookupNames3
            handle : *
                handle: struct policy_handle
                    handle_type : 0x00000000 (0)
                    uuid : 0000004c-0000-0000-455d-3018575c0000
            num_names : 0x00000001 (1)
            names: ARRAY(1)
                names: struct lsa_String
                    length : 0x000a (10)
                    size : 0x000c (12)
                    string : *
                        string : 'XS\ab'
            sids : *
                sids: struct lsa_TransSidArray3
                    count : 0x00000000 (0)
                    sids : NULL
            level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
            count : *
                count : 0x00000000 (0)
            lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
            client_revision : LSA_CLIENT_REVISION_2 (2)
[2019/08/03 07:14:24.156189, 6, pid=23639, effective(967001000, 967001000), real(967001000, 0), class=rpc_srv] ../../source3/rpc_server/rpc_handles.c:339(find_policy_by_hnd_internal)
    Found policy hnd[0]
    [0000] 00 00 00 00 4C 00 00 00 00 00 00 00 45 5D 30 18 ....L... ....E]0.
    [0010] 57 5C 00 00 W\..
[2019/08/03 07:14:24.156228, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
    push_sec_ctx(967001000, 967001000) : sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156246, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/uid.c:552(push_conn_ctx)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/08/03 07:14:24.156259, 4, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2019/08/03 07:14:24.156273, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
    Security token: (NULL)
[2019/08/03 07:14:24.156285, 5, pid=23639, effective(967001000, 967001000), real(967001000, 0)] ../../source3/auth/token_util.c:865(debug_unix_user_token)
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
[2019/08/03 07:14:24.156311, 5, pid=23639, effective(0, 0), real(0, 0), class=rpc_srv] ../../source3/rpc_server/lsa/srv_lsa_nt.c:244(lookup_lsa_sids)
    lookup_lsa_sids: looking up name XS\ab
[2019/08/03 07:14:24.156327, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:112(lookup_name)
    lookup_name: XS\ab => domain=[XS], name=[ab]
[2019/08/03 07:14:24.156340, 10, pid=23639, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:114(lookup_name)
    lookup_name: flags = 0x00
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> (cherry picked from commit 685bb03d)
d89fc30d -
Alexander Bokovoy authored
Add a simple test to resolve DOMAIN\MACHINE$ via LSA LookupNames3 using LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 level. This level would pass zero lookup flags to lookup_name(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14091 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Wed Aug 14 13:07:42 UTC 2019 on sn-devel-184 (cherry picked from commit 4d276a93) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Fri Aug 16 14:18:35 UTC 2019 on sn-devel-144
bf5ac945 -
Michael Adam authored
Instead of adding a new gluster-specific mode to the fileid module, this patch provides a fileid algorithm as part of the glusterfs_fuse vfs module. This can not be configured further, simply adding the glusterfs_fuse vfs module to the vfs objects configuration will enable the new fileid mode. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972 Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Sat Jul 13 22:54:56 UTC 2019 on sn-devel-184
c7e98332 -
Michael Adam authored
FreeBSD and other platforms that don't have setmntent() and friends can not compile this module. This patch changes the build to only compile this module if the setmntent() function is found. This is a follow-up fix to the actual fix for bug #13972. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13972 Signed-off-by: Michael Adam <obnox@samba.org> Reviewed-by: Amitay Isaacs <amitay@gmail.com> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Thu Aug 1 09:49:04 UTC 2019 on sn-devel-184
3aa131b5 -
Isaac Boukris authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 60afe949)
1c43f6b1 -
Isaac Boukris authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit 37009984)
c20f77fe -
Isaac Boukris authored
This is a simplified version of the original patch by: Felix Botner <botner@univention.de> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11362 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Isaac Boukris <iboukris@gmail.com> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Jul 3 13:52:55 UTC 2019 on sn-devel-184 (cherry picked from commit 2ae75184)
1784a664 -
Volker Lendecke authored
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> (cherry picked from commit 59f29acb)
d2b711ae -
Christof Schmitt authored
This reverts commit 5d4f7bfd. That patch broke the case with ID_TYPE_BOTH where a file is owned by a group (e.g. using autorid and having a file owned by BUILTIN\Administrators). In this case, the ACE entry for the group gets mapped to a user ACL entry and the group no longer has access (as in the user's token the group is not mapped to a uid). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 42bd3a72)
0af50d85 -
Christof Schmitt authored
Only the information whether the ACL is for a file or a directory is required. Replacing the fsp with a flag is clearer and allows for unit testing of the mapping functions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit a06486bb)
1db5a290 -
Christof Schmitt authored
Existing smbtorture tests set and query ACLs through SMB, only working with the DACLs in the Security Descriptors, but never check the NFSv4 ACL representation. This patch introduces a unit test to verify the mapping between Security Descriptors and NFSv4 ACLs. As the mapping code queries id mappings, the id mapping cache is first primed with the mappings used by the tests and those mappings are removed again during teardown. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 8fb906a1)
c84bdb31 -
Christof Schmitt authored
This is a fairly simple test that ensures the mapping of empty ACLs (without any ACL entries) is always done the same way. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 00f494b2)
ee47f743 -
Christof Schmitt authored
Add testcases for mapping the type field (ALLOW or DENY) between NFSv4 ACLs and security descriptors. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit dd593479)
7f1c567a -
Christof Schmitt authored
Add testcase for the mapping of inheritance flags when mapping from a NFSv4 ACL to a DACL in the security descriptor. The mapping is different between files and directories, as some inheritance flags should never be present for files. Some defined flags like SUCCESSFUL_ACCESS are also not mapped at this point, also verify this behavior. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 16eb61a9)
d142e46a -
Christof Schmitt authored
Add testcase for the mapping of inheritance flags from the DACL in the security descriptor to the NFSv4 ACL. The mapping is different for files and directories as some inheritance flags should not be present for files. Also other flags are not mapped at all, verify this behavior. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit bccd2612)
0aadba93 -
Christof Schmitt authored
Add testcase for mapping permissions from the NFSv4 ACL to DACL in the security descriptor. The mapping is simple as each permission bit exists on both sides. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 1767027b)
f431a1b7 -
Christof Schmitt authored
Add testcase for mapping the permission flags from the DACL in the Security Descriptor to a NFSv4 ACL. The mapping is straight-forward as the same permission bits exist for Security Descriptors and NFSv4 ACLs. In addition, the code also maps from the generic DACL permissions to a set of NFSv4 permissions, also verify this mapping. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit e4840e68)
c9650274 -
Christof Schmitt authored
In addition to entries for users and groups, NFSv4 ACLs have the concept of entries for "special" entries. Only the "owner", "group" and "everyone" entries are currently used in the ACL mapping. Add a testcase that verifies the mapping from NFSv4 "special" entries to the DACL in the security descriptor. Verify that only "owner", "group" and "everyone" are mapped and all other "special" entries are ignored. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f8614894)
f900a6e1 -
Christof Schmitt authored
Add testcase for mapping from entries in the DACL security descriptor to "special" entries in the NFSv4 ACL. Verify that the WORLD well-known SID maps to "everyone" in the NFSv4 ACL. Verify that the "Unix NFS" SID is ignored, as there is no meaningful mapping for this entry. Verify that SID entries matching the owner or group are mapped to "special owner" or "special group", but only if no inheritance flags are used. "special owner" and "special group" with inheritance flags have the meaning of CREATOR OWNER and CREATOR GROUP and will be tested in another testcase. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 1f1fa5bd)
f0581b94 -
Christof Schmitt authored
Add testcase for mapping DACL entries CREATOR OWNER and CREATOR GROUP with inheritance flag in the security descriptor to NFSv4 "special owner" and "special group" entries. This is the correct mapping for these entries as inheriting "special owner" and "special group" grants permissions to the actual owner and owning group of the new file or directory, similar to what CREATOR entries do. The other side is that CREATOR entries without any inheritance flags do not make sense, so these are not mapped to NFSv4 ACL entries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit bfcc19b7)
e8f8c4c8 -
Christof Schmitt authored
Add testcase for mapping from NFSv4 ACL entries for "special owner" and "special group" to DACL entries in the security descriptor. Each NFSv4 entry here with INHERIT_ONLY maps directly to a CREATOR OWNER or CREATOR GROUP entry in the DACL. Entries without INHERIT_ONLY map to the CREATOR entry and an additional explicit entry granting permission on the current object. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 3c9cda0f)
79f9a501 -
Christof Schmitt authored
"map full control" when enabled adds the DELETE_CHILD permission, when all other permissions are present. This allows Windows clients to display the "FULL CONTROL" permissions. Add a testcase that verifies this mapping when mapping from NFSv4 ACL to the DACL in the security descriptor. Also verify that switching the option off disables this behavior. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 30677df4)
b21c3f38 -
Christof Schmitt authored
The NFSv4 ACL mapping code has a setting nfs4:acedup. Depending on the setting, when mapping from DACLs to NFSv4 ACLs, duplicate ACL entries are either merged, ignored or rejected. Add a testcase that has duplicate ACL entries and verify the expected behavior for all possible settings of the nfs4:acedup option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 9671bf2b)
5b130cc4 -
Christof Schmitt authored
The NFSv4 mapping code has a config option nfs4:acedup for the mapping path from DACLs to NFSv4 ACLs. Part of this codepath is detecting duplicate ACL entries. Add a testcase with different ACL entries and verify that only exactly matching entries are detected as duplicates and treated accordingly. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f55cdf42)
92d2e243 -
Christof Schmitt authored
The mapping code between NFSv4 ACLs and security descriptors still has the deprecated config setting "nfs4:mode = special". This should not be used as it has security problems: All entries matching owner or group are mapped to "special owner" or "special group", which can change its meaning when being inherited to a new file or directory with different owner and owning group. This mode should eventually be removed, but as long as it still exists add testcases to verify the expected behavior. This patch adds the testcase for "nfs4:mode = special" when mapping from the DACL in the security descriptor to the NFSv4 ACL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 7ae06d96)
f6427639 -
Christof Schmitt authored
The mapping code between NFSv4 ACLs and security descriptors still has the deprecated config setting "nfs4:mode = special". This should not be used as it has security problems: All entries matching owner or group are mapped to "special owner" or "special group", which can change its meaning when being inherited to a new file or directory with different owner and owning group. This mode should eventually be removed, but as long as it still exists add testcases to verify the expected behavior. This patch adds the testcase for "nfs4:mode = special" when mapping from the NFS4 ACL to the DACL in the security descriptor. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 829c5ea9)
c5da1d66 -
Christof Schmitt authored
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not aware whether a particular entry is for a user or a group. The underlying assumption then is that it should not matter, as both the ACL mapping maps everything to NFSv4 ACL group entries and the user's token will contain gid entries for the groups. Add a testcase to verify that when mapping from NFSv4 ACL entries to DACLs with IDMAP_TYPE_BOTH, all entries are mapped as expected. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 86480410)
8ad87b9a -
Christof Schmitt authored
When id mappings use IDMAP_TYPE_BOTH, the NFSv4 ACL mapping code is not aware whether a particular entry is for a user or a group. The underlying assumption then is that it should not matter, as both the ACL mapping maps everything to NFSv4 ACL group entries and the user's token will contain gid entries for the groups. Add a testcase to verify that when mapping from DACLs to NFSv4 ACL entries with IDMAP_TYPE_BOTH, all entries are mapped as expected. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 38331b00)
9ba27632 -
Christof Schmitt authored
This is the newer API to lookup id mappings and will make it easier to add to the IDMAP_TYPE_BOTH case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit d9a2ff55)
d50b5fc5 -
Christof Schmitt authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f198a086)
2493a9f8 -
Christof Schmitt authored
uid and gid are members of the same union so this makes no difference, but for type correctness and readability use the gid to check for ownerGID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 3b3d722c)
10266805 -
Christof Schmitt authored
This avoids some code duplication. Do not make this static, as it will be used in a later patch. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 336e8668)
ff1cee15 -
Christof Schmitt authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit ba73d236)
966916da -
Christof Schmitt authored
This is only used for logging of a rejected ACL, but does not provide additional useful information. Remove it to simplify the function a bit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 44790721)
8c8f09c3 -
Christof Schmitt authored
This static function will be called earlier in later patches. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 3499d974)
02a5fbd0 -
Christof Schmitt authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit abb58b17)
7555f121 -
Christof Schmitt authored
Logging flags in case they do not match seems unnecessary. Other log messages should show the flags as well. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 7ab0003f)
596a4e4d -
Christof Schmitt authored
The previous patch introduced a pointer to a local variable to reduce the amount of lines changed. Remove that pointer and adjust all usage accordingly. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit aa464419)
d297f347 -
Christof Schmitt authored
With IDMAP_TYPE_BOTH, all entries have to be mapped to group entries. In order to have the file system reflect the owner permissions in the POSIX modebits, create a second entry for the user. This will be mapped to the "special owner" entry. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b796119e)
657f79f8 -
Christof Schmitt authored
As this function now maps the ACE and also adds it to the NFSv4 ACE, change the name to better describe its behavior. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 16981294)
b4b61724 -
Christof Schmitt authored
The previous patch added an additional entry for IDMAP_TYPE_BOTH. When mapping back to a DACL, there should be no additional entry. Add a loop that will check and remove entries that are exact duplicates. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 9c886021)
1f10af9f -
Christof Schmitt authored
The previous patch introduced merging of duplicates on the mapping path from NFS4 ACL entries to DACL entries. Add a testcase to verify the expected behavior of this codepath. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 1a137a2f)
c5d46911 -
Christof Schmitt authored
After a chown, the cached stat data is obviously no longer valid. The code in smb_set_nt_acl_nfs4 checked the file correctly, but did only use a local buffer for the stat data. So later checks of the stat buffer under the fsp->fsp_name->st would still see the old information. Fix this by removing the local stat buffer and always update the one under fsp->fsp_name->st. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 86f7af84)
548cc518 -
Christof Schmitt authored
All supported GPFS versions now support setting WRITE and APPEND in the ACLs independently. Remove this now unused parameter to simplify the code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 0aca678f)
b3560baa -
Christof Schmitt authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 8bd79ecc)
bba26e38 -
Christof Schmitt authored
This is not a functional change. It cleans up the code a bit and makes expanding this codepath in a later patch easier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit fbf3a090)
fe990205 -
Christof Schmitt authored
In GPFS, it is not possible to deny ACL or attribute access through a SPECIAL_OWNER entry. The best that can be done is mapping this to a named user entry, as this one can at least be stored in an ACL. The same cannot be done for inheriting SPECIAL_OWNER entries, as these represent CREATOR OWNER entries, and the limitation of not being able to deny owner access to ACL or attributes remains. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14032 Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit c1770ed9)
0cb08a23 -
Anoop C S authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14093 Signed-off-by: Anoop C S <anoopcs@redhat.com> Reviewed-by: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 20 19:25:28 UTC 2019 on sn-devel-184 Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Mon Aug 26 13:26:08 UTC 2019 on sn-devel-144
dcff563d -
Karolin Seeger authored
Signed-off-by: Karolin Seeger <kseeger@samba.org>
1205c5cb -
Karolin Seeger authored
Signed-off-by: Karolin Seeger <kseeger@samba.org>
53d19bf5 -
Karolin Seeger authored
and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger <kseeger@samba.org>
674ef369 -
Jeremy Allison authored
Will be called elsewhere on successful impersonation. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
4772adbe -
Stefan Metzmacher authored
CVE-2019-10197: smbd: make sure that change_to_user_internal() always resets current_user.done_chdir We should not leave current_user.done_chdir as true if we didn't call chdir_current_service() with success. This caused problems when calling vfs_ChDir() in pop_conn_ctx() when chdir_current_service() worked once on one share but later failed on another share. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
5604883d -
Stefan Metzmacher authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <metze@samba.org>
104557f2 -
Stefan Metzmacher authored
The next patch will otherwise break the fsrvp related tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <metze@samba.org>
1305693d -
Stefan Metzmacher authored
CVE-2019-10197: test_smbclient_s3.sh: add regression test for the no permission on share root problem BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <metze@samba.org>
c9852875 -
Stefan Metzmacher authored
This makes sure we always call chdir_current_service() even when we still impersonated the user. Which is important in order to run the SMB* request within the correct working directory and only if the user has permissions to enter that directory. It makes sure we always update conn->lastused_count in chdir_current_service() for each request. Note that vfs_ChDir() (called from chdir_current_service()) maintains its own cache and avoids calling SMB_VFS_CHDIR() if possible. It means we still avoid syscalls if we get multiple requests for the same session/tcon tuple. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
8e2c37bd -
Karolin Seeger authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 CVE-2019-10197 [SECURITY][EMBARGOED] permissions check deny can allow user to escape from the share. Signed-off-by: Karolin Seeger <kseeger@samba.org>
514743b2 -
Karolin Seeger authored
Signed-off-by: Karolin Seeger <kseeger@samba.org>
1acf30ac -
Mathieu Parent authored
93257106