Commits on Source (78)
-
Karolin Seeger authored
and re-enable GIT_SNAPSHOT. Signed-off-by:Karolin Seeger <kseeger@samba.org>
-
Andreas Schneider authored
This fixes a segfault in pyglue: ==10142== Process terminating with default action of signal 11 (SIGSEGV) ==10142== Bad permissions for mapped region at address 0x6F00A20 ==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165) BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679 Signed-off-by:
Andreas Schneider <asn@samba.org> Reviewed-by:
Jeremy Allison <jra@samba.org> (cherry picked from commit 71ef09c1) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Mon Nov 12 16:04:51 CET 2018 on sn-devel-144
-
Volker Lendecke authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13629 Signed-off-by:
Volker Lendecke <vl@samba.org>
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13677 Signed-off-by:
Ralph Boehme <slow@samba.org> Reviewed-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13677 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13677 Signed-off-by:
-
Volker Lendecke authored
Unfortunately there's no off_t printf specifier as there's one for size_t. So we have to use intmax_t. Signed-off-by:
-
Ralph Boehme authored
The next commit is going to add a testsuite to "smb2.session". Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
The next commit adds a subtest to the smb2.session testsuite that requires Kerberos (ad_dc would work), but where neither SMB2 server or client must require signing (ad_dc, being an AD DC, requires signing). The ad_member environment supports Kerberos with the SMB2 server not mandating signing, that'll do. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
Not used for now, that comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
This allows adding an additional condition to the if check where the condition state may be modified in the "if (opcode == SMB2_OP_SESSSETUP)" case directly above. No change in behaviour. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
This can be used by the upper layers to force checking a response is signed. It will be used to implement verification of session setup reauth responses in a torture test. That comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
Invalidate credential cache before connecting to the server, otherwise we will reuse the credentials from the credential cache populated by the preceeding tests. Also invalidate it at the end, otherwise subsequent tests might run into problems if the credentials expire while authenticating. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
All existing tests using this function require signing, so currently this passes. A subsequent commit adds a test where neither client nor server require signing and that's where this trap will explode. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
Existing callers pass true, so no change in behaviour. The next commit adds an additional test that passes force_signing=false. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
This test checks that a session setup reauth is signed even when neither client nor server require signing. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
-
Ralph Boehme authored
We talloc_move() session_info to session->global->auth_session_info which sets session_info to NULL. This means security_session_user_level(NULL, NULL) will always return SECURITY_ANONYMOUS so we never sign the session setup response. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13661 Signed-off-by:
Stefan Metzmacher <metze@samba.org> Reviewed-by:
-
Martin Schwenke authored
Ideally this would just involve using "test -r". However, operating system security features may mean that kernel stacks are not readable even though they appear to be. Instead, try reading that stack of a process on the test node. If that succeeds then so should reading the stack of the "stuck" sleep process in the test. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13684 Signed-off-by:
Martin Schwenke <martin@meltin.net> Reviewed-by:
Tim Beale <timbeale@catalyst.net.nz> Autobuild-User(master): Tim Beale <timbeale@samba.org> Autobuild-Date(master): Thu Nov 15 08:15:32 CET 2018 on sn-devel-144 (cherry picked from commit c1dd6382) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Tue Nov 20 15:50:33 CET 2018 on sn-devel-144
-
Karolin Seeger authored
and re-enable GIT_SNAPSHOT. Signed-off-by:
-
Aaron Haslett authored
Count number of answers generated by internal DNS query routine and stop at 20 to match Microsoft's loop prevention mechanism. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by:
Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by:
Andrew Bartlett <abartlet@samba.org> Reviewed-by:
Garming Sam <garming@catalyst.net.nz>
-
Andrew Bartlett authoredIn Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free mem_ctx. This was introduced in 9a0263a7 for the MIT KDC effort. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 Signed-off-by:
Gary Lockyer <gary@catalyst.net.nz>
-
Andrew Bartlett authored
CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628 Signed-off-by:
-
Gary Lockyer authored
Tests to verify Bug 13669 - (CVE-2018-16852) NULL pointer de-reference in Samba AD DC DNS management The presence of the ZONE_MASTER_SERVERS property or the ZONE_SCAVENGING_SERVERS property in a zone record causes the server to follow a null pointer and terminate. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 Reviewed-by: -
Gary Lockyer authored
Fixes for Bug 13669 - (CVE-2018-16852) NULL pointer de-reference in Samba AD DC DNS management The presence of the ZONE_MASTER_SERVERS property or the ZONE_SCAVENGING_SERVERS property in a zone record causes the server to follow a null pointer and terminate. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 Signed-off-by: -
Gary Lockyer authored
dnsserver_common.c and dnsutils.c both share similar code to process zone properties. This patch extracts the common code and moves it to dnsserver_common.c. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669 Signed-off-by:
-
Garming Sam authored
In the case of hitting the talloc ~256MB limit, this causes a crash in the server. Note that you would actually need to load >256MB of data into the LDAP. Although there is some generated/hidden data which would help you reach that limit (descriptors and RMD blobs). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674 Signed-off-by:
-
Andrew Bartlett authored
This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678 Signed-off-by:
-
Andrew Bartlett authored
This will make it easier to avoid flapping tests. Signed-off-by:
-
Joe Guo authored
Signed-off-by:
Joe Guo <joeg@catalyst.net.nz> Reviewed-by:
Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Partial backport of commit 115f2a71 (only password_lockout.py change) as a dependency for: BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
-
Andrew Bartlett authored
This means we can have a long observation window for many of the tests and so make them much more reliable. Many of these cause frustrating flapping failures in our CI systems. Signed-off-by:
-
Joe Guo authored
Signed-off-by:
-
Joe Guo authored
Signed-off-by:
-
Tim Beale authored
Sanity-check that when we use the default lockOutObservationWindow that user lockout actually works. The easiest way to do this is to reuse the _test_login_lockout() test-case, but stop at the point where we wait for the lockout duration to expire (because we don't want the test to wait 30 mins). This highlights a problem currently where the default values don't work. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by:
-
Tim Beale authored
Commit 442a38c9 refactored some code into a new get_lockout_observation_window() function. However, in moving the code, an ldb_msg_find_attr_as_int64() inadvertently got converted to a ldb_msg_find_attr_as_int(). ldb_msg_find_attr_as_int() will only work for values up to -2147483648 (about 3.5 minutes in MS timestamp form). Unfortunately, the automated tests used a low enough timeout that they still worked, however, password lockout would not work with the Samba default settings. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by:
-
Tim Beale authored
Fix a remaining place where we were trying to read the msDS-LockoutObservationWindow as an int instead of an int64. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by:
-
Tim Beale authored
Clearly the lockOutObservationWindow value is important, and using a default value of zero doesn't work very well. This patch adds a better default value (the domain default setting of 30 minutes). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683 Signed-off-by:
-
Karolin Seeger authored
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server) o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) o CVE-2018-16857 (Bad password count in AD DC not always effective) Signed-off-by: -
Karolin Seeger authored
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server) o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) o CVE-2018-16857 (Bad password count in AD DC not always effective) Signed-off-by: -
Karolin Seeger authored
samba: tag release samba-4.9.3
-
Karolin Seeger authored
Signed-off-by: -
Joe Guo authored
Signed-off-by:
-
Garming Sam authored
The length of the cookie is proportional to the number of DCs ever in the domain (as it stores the uptodateness vector which has stale invocationID). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686 Signed-off-by:
-
Garming Sam authored
Under normal operation, users shouldn't see giant cookies in their logs. We still log the initial cookie retrieved from the cache database, which should still be helpful for identifying corrupt cookies. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686 Signed-off-by:
-
Garming Sam authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13686 Signed-off-by:
-
Ralph Boehme authored
This adds a simple test that verifies that after having set smbXcli_session_set_disconnect_expired() a session gets disconnected when it expires. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175 Signed-off-by:
-
Ralph Boehme authored
The original commit c5cd22b5 from bug 9175 never worked, as the preceeding signing check overwrote the status variable. Bug: https://bugzilla.samba.org/show_bug.cgi?id=9175 Signed-off-by:
-
Isaac Boukris authored
By fixing bindir variable name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by:
Isaac Boukris <iboukris@gmail.com> Reviewed-by:
-
Isaac Boukris authored
This happens when we are called from S4U2Self flow, and in that case kdcreq->client is NULL. Use the name from client entry instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by:
-
Isaac Boukris authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by:
-
Andreas Schneider authored
This can be triggered with FAST but we don't support this yet. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 Signed-off-by:
-
Isaac Boukris authored
When calling encode_krb5_padata_sequence() make sure to pass a null terminated array as required. Fixes expired passowrd case in samba4.blackbox.kinit test. Signed-off-by:
-
Martin Schwenke authored
Since 4.9.0, the log messages can be confusing if a required database directory does not exist. Explicitly check for database directories, logging a clear error and exiting if one is missing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13696 Signed-off-by:
Amitay Isaacs <amitay@gmail.com> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Mon Dec 3 06:56:41 CET 2018 on sn-devel-144 (cherry picked from commit dd7574af) Autobuild-User(v4-9-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-9-test): Wed Dec 5 13:01:52 CET 2018 on sn-devel-144
-
Aaron Haslett authored
These tests expose the regression described by Stefan Metzmacher in discussion on the bugzilla paged linked below. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by:
-
Stefan Metzmacher authored
The loop prevention should only be done for CNAME records! Otherwise we truncate the answer records for A, AAAA or SRV queries, which is a bad idea if you have more than 20 DCs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600 Signed-off-by:
-
Ralph Boehme authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Signed-off-by:
David Mulder <dmulder@suse.com> Reviewed-by:
-
Ralph Boehme authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by:
-
Ralph Boehme authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Signed-off-by:
-
Ralph Boehme authored
Route predefined domains through the BUILTIN domain child, not passdb. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by:
-
Ralph Boehme authored
Without this eg "NT Authority" didn't work: $ bin/wbinfo -n "NT Authority/Authenticated Users" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name NT Authority/Authenticated Users $ bin/wbinfo --group-info="NT Authority/Authenticated Users" failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for group NT Authority/Authenticated Users With the patch: $ bin/wbinfo -n "NT Authority/Authenticated Users" S-1-5-11 SID_WKN_GROUP (5) $ bin/wbinfo --group-info="NT Authority/Authenticated Users" NT AUTHORITY\authenticated users:x:10002: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12164 Signed-off-by:
-
Justin Stephenson authored
Add the ability to leave the domain with --keep-account argument to avoid removal of the host machine account. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498 Signed-off-by:
Justin Stephenson <jstephen@redhat.com> Reviewed-by:
Alexander Bokovoy <ab@samba.org> (cherry picked from commit d881f0c8)
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
This test will not be run from the main torture test runner in selftest, as there we don't pass the required arguments 'twrp_file' and 'twrp_snapshot'. The test needs a carefully prepared environment with provisioned snapshot data, so the test will be started from a blackbox test script. That comes next. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
Not used for now, all existing callers pass NULL. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
Can be used by callers to determine if a path is in fact pointing at a file in a snapshot. Will be used in the next commit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13688 Signed-off-by:
-
Günther Deschner authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13708 Guenther Signed-off-by:
Guenther Deschner <gd@samba.org> Reviewed-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Ralph Boehme authored
Not used for now, existing callers pass NULL. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Ralph Boehme authored
All existing callers pass NULL, no change in behaviour. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Ralph Boehme authored
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Ralph Boehme authored
Stacked VFS modules might use the file name, not the file handle. Looking at you, vfs_fruit... Bug: https://bugzilla.samba.org/show_bug.cgi?id=13455 Signed-off-by:
-
Karolin Seeger authored
Signed-off-by: -
Karolin Seeger authored
-
Mathieu Parent authored
