diff -Nru samba-4.5.4+dfsg/auth/credentials/credentials_secrets.c samba-4.5.8+dfsg/auth/credentials/credentials_secrets.c
--- samba-4.5.4+dfsg/auth/credentials/credentials_secrets.c 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/auth/credentials/credentials_secrets.c 2017-03-09 09:21:43.000000000 +0000
@@ -39,7 +39,7 @@
 #include "dbwrap/dbwrap.h"
 #include "dbwrap/dbwrap_open.h"
 #include "lib/util/util_tdb.h"
-
+#include "libds/common/roles.h"
 /**
 * Fill in credentials for the machine trust account, from the secrets database.
@@ -276,6 +276,8 @@
 char *secrets_tdb_password = NULL;
 char *secrets_tdb_old_password = NULL;
 uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
+ int server_role = lpcfg_server_role(lp_ctx);
+ int security = lpcfg_security(lp_ctx);
 char *keystr;
 char *keystr_upper = NULL;
 TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
@@ -354,13 +356,26 @@
 }
 if (secrets_tdb_password_more_recent) {
+ enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
 cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+
+ switch (server_role) {
+ case ROLE_DOMAIN_MEMBER:
+ if (security != SEC_ADS) {
+ break;
+ }
+ /* fall through */
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ use_kerberos = CRED_AUTO_USE_KERBEROS;
+ break;
+ }
 }
+ cli_credentials_set_kerberos_state(cred, use_kerberos);
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
diff -Nru samba-4.5.4+dfsg/ctdb/common/comm.c samba-4.5.8+dfsg/ctdb/common/comm.c
--- samba-4.5.4+dfsg/ctdb/common/comm.c 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/common/comm.c 2017-03-09 09:21:43.000000000 +0000
@@ -251,14 +251,22 @@
 * Write packets
 */
+struct comm_write_entry {
+ struct comm_context *comm;
+ struct tevent_queue_entry *qentry;
+ struct tevent_req *req;
+};
+
 struct comm_write_state {
 struct tevent_context *ev;
 struct comm_context *comm;
+ struct comm_write_entry *entry;
 struct tevent_req *subreq;
 uint8_t *buf;
 size_t buflen, nwritten;
 };
+static int comm_write_entry_destructor(struct comm_write_entry *entry);
 static void comm_write_trigger(struct tevent_req *req, void *private_data);
 static void comm_write_done(struct tevent_req *subreq);
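Review bot: The unconditional `cli_credentials_set_kerberos_state(cred, use_kerberos)` added after the `strequal()` block overwrites whatever Kerberos state `cred` carried on entry with `CRED_DONT_USE_KERBEROS` whenever the domain is not the configured workgroup or the role is not one of the two listed, so the machine account silently falls back to non-Kerberos authentication in those cases. If that downgrade is intended it deserves a comment at the call, e.g. `/* machine creds: Kerberos only for an AD DC or an ADS member of our own domain, otherwise non-Kerberos */`. The `switch (server_role)` also has no `default:` arm; adding `default: break;` makes the remaining roles an explicit choice rather than an omission. The enclosing function starts and ends outside this hunk, so whether a caller sets the state beforehand is not visible here.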
@@ -269,6 +277,7 @@
 {
 struct tevent_req *req;
 struct comm_write_state *state;
+ struct comm_write_entry *entry;
 req = tevent_req_create(mem_ctx, &state, struct comm_write_state);
 if (req == NULL) {
@@ -280,15 +289,38 @@
 state->buf = buf;
 state->buflen = buflen;
- if (!tevent_queue_add_entry(comm->queue, ev, req,
- comm_write_trigger, NULL)) {
- talloc_free(req);
- return NULL;
+ entry = talloc_zero(state, struct comm_write_entry);
+ if (tevent_req_nomem(entry, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ entry->comm = comm;
+ entry->req = req;
+ entry->qentry = tevent_queue_add_entry(comm->queue, ev, req,
+ comm_write_trigger, NULL);
+ if (tevent_req_nomem(entry->qentry, req)) {
+ return tevent_req_post(req, ev);
 }
+ state->entry = entry;
+ talloc_set_destructor(entry, comm_write_entry_destructor);
+
 return req;
 }
+static int comm_write_entry_destructor(struct comm_write_entry *entry)
+{
+ struct comm_context *comm = entry->comm;
+
+ if (comm->write_req == entry->req) {
+ comm->write_req = NULL;
+ TEVENT_FD_NOT_WRITEABLE(comm->fde);
+ }
+
+ TALLOC_FREE(entry->qentry);
+ return 0;
+}
+
 static void comm_write_trigger(struct tevent_req *req, void *private_data)
 {
 struct comm_write_state *state = tevent_req_data(
@@ -333,6 +365,8 @@
 }
 state->nwritten = nwritten;
+ state->entry->qentry = NULL;
+ TALLOC_FREE(state->entry);
 tevent_req_done(req);
 }
@@ -382,8 +416,8 @@
 struct comm_write_state *write_state;
 if (comm->write_req == NULL) {
- /* This should never happen */
- abort();
+ TEVENT_FD_NOT_WRITEABLE(comm->fde);
+ return;
 }
 write_state = tevent_req_data(comm->write_req,
diff -Nru samba-4.5.4+dfsg/ctdb/config/events.d/10.interface samba-4.5.8+dfsg/ctdb/config/events.d/10.interface
--- samba-4.5.4+dfsg/ctdb/config/events.d/10.interface 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/config/events.d/10.interface 2017-01-30 09:56:26.000000000 +0000
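Review bot: `comm_write_entry_destructor()` dereferences `entry->comm` and touches `comm->fde`, yet `entry` is allocated under the request state (`talloc_zero(state, ...)`), not under `comm`, so nothing in this hunk ties the lifetime of the `comm_context` to that of a pending write request. If the context can be freed while a request is still queued (its teardown is not visible here), freeing the request afterwards runs the destructor on stale memory. Please document the required ordering above the destructor, e.g. `/* comm must outlive all of its write requests; the destructor touches comm->write_req and comm->fde */`, or make the context's teardown detach pending entries. `comm_write_send()` starts above this hunk.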
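Review bot: With `abort()` replaced by a silent `return` in the `@@ -382,8 +416,8 @@` hunk, the `comm->write_req == NULL` branch needs a comment saying why it is now reachable, presumably because the fd became writeable after the pending request was freed and the entry destructor cleared `write_req`. Something like `/* request was freed while the fd event was pending; nothing left to write */` would do. Without it the next reader cannot tell an expected race from a masked logic error that used to crash loudly. The handler's body begins and continues outside this hunk.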
@@ -215,7 +215,7 @@
 # 2) remove the IP from the old interface (and new interface, to be sure)
 # 3) add the IP to the new interface
 # 4) remove the firewall rule
- # 5) use ctdb gratiousarp to propagate the new mac address
+ # 5) use ctdb gratarp to propagate the new mac address
 # 6) use netstat -tn to find existing connections, and tickle them
 _oiface=$2
 niface=$3
@@ -240,7 +240,7 @@
 flush_route_cache
 # propagate the new mac address
- $CTDB gratiousarp "$ip" "$niface"
+ $CTDB gratarp "$ip" "$niface"
 # tickle all existing connections, so that dropped packets
 # are retransmited and the tcp streams work
diff -Nru samba-4.5.4+dfsg/ctdb/config/events.d/13.per_ip_routing samba-4.5.8+dfsg/ctdb/config/events.d/13.per_ip_routing
--- samba-4.5.4+dfsg/ctdb/config/events.d/13.per_ip_routing 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/config/events.d/13.per_ip_routing 2017-01-30 09:56:26.000000000 +0000
@@ -184,8 +184,8 @@
 -v pre="$table_id_prefix" \
 '/^#/ ||
 !(min <= $1 && $1 <= max) &&
- !(index($2, pre) == 1)
- { print $0 }' "$rt_tables" >"$_tmp"
+ !(index($2, pre) == 1) {
+ print $0 }' "$rt_tables" >"$_tmp"
 mv "$_tmp" "$rt_tables"
 ) 9>"$rt_tables_lock"
@@ -398,7 +398,7 @@
 # flush our route cache
 set_proc sys/net/ipv4/route/flush 1
- $CTDB gratiousarp "$ip" "$iface"
+ $CTDB gratarp "$ip" "$iface"
 ;;
 updateip)
@@ -416,7 +416,7 @@
 # flush our route cache
 set_proc sys/net/ipv4/route/flush 1
- $CTDB gratiousarp "$ip" "$niface"
+ $CTDB gratarp "$ip" "$niface"
 tickle_tcp_connections "$ip"
 ;;
diff -Nru samba-4.5.4+dfsg/ctdb/config/events.d/91.lvs samba-4.5.8+dfsg/ctdb/config/events.d/91.lvs
--- samba-4.5.4+dfsg/ctdb/config/events.d/91.lvs 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/config/events.d/91.lvs 2017-01-30 09:56:26.000000000 +0000
@@ -110,7 +110,7 @@
 ipvsadm -a -t "$CTDB_LVS_PUBLIC_IP" -r 127.0.0.1
 ipvsadm -a -u "$CTDB_LVS_PUBLIC_IP" -r 127.0.0.1
- $CTDB gratiousarp \
+ $CTDB gratarp \
 "$CTDB_LVS_PUBLIC_IP" "$CTDB_LVS_PUBLIC_IFACE" >/dev/null 2>&1
 flush_route_cache
diff -Nru samba-4.5.4+dfsg/ctdb/config/statd-callout samba-4.5.8+dfsg/ctdb/config/statd-callout
--- samba-4.5.4+dfsg/ctdb/config/statd-callout 2016-12-05 08:18:44.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/config/statd-callout 2017-03-09 09:21:43.000000000 +0000
@@ -128,6 +128,7 @@
 # where the lock manager will respond "strangely" immediately
 # after restarting it, which causes clients to fail to reclaim
 # their locks.
+ nfs_callout_init
 "$CTDB_NFS_CALLOUT" "stop" "nlockmgr" >/dev/null 2>&1
 sleep 2
 "$CTDB_NFS_CALLOUT" "start" "nlockmgr" >/dev/null 2>&1
diff -Nru samba-4.5.4+dfsg/ctdb/doc/ctdb.1 samba-4.5.8+dfsg/ctdb/doc/ctdb.1
--- samba-4.5.4+dfsg/ctdb/doc/ctdb.1 2016-10-24 19:44:53.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/doc/ctdb.1 2017-01-30 10:15:39.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: ctdb .\" Author: .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 10/24/2016 +.\" Date: 01/30/2017 .\" Manual: CTDB - clustered TDB database .\" Source: ctdb .\" Language: English .\" -.TH "CTDB" "1" "10/24/2016" "ctdb" "CTDB \- clustered TDB database" +.TH "CTDB" "1" "01/30/2017" "ctdb" "CTDB \- clustered TDB database" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" -----------------------------------------------------------------
@@ -1227,9 +1227,9 @@ .SS "gettickles \fIIPADDR\fR" .PP Show TCP connections that are registered with CTDB to be "tickled" if there is a failover\&. -.SS "gratiousarp \fIIPADDR\fR \fIINTERFACE\fR" +.SS "gratarp \fIIPADDR\fR \fIINTERFACE\fR" .PP -Send out a gratious ARP for the specified interface through the specified interface\&. This command is mainly used by the ctdb eventscripts\&. +Send out a gratuitous ARP for the specified interface through the specified interface\&. This command is mainly used by the ctdb eventscripts\&. .SS "pdelete \fIDB\fR \fIKEY\fR" .PP Delete KEY from DB\&. diff -Nru samba-4.5.4+dfsg/ctdb/doc/ctdb.1.html samba-4.5.8+dfsg/ctdb/doc/ctdb.1.html --- samba-4.5.4+dfsg/ctdb/doc/ctdb.1.html 2016-10-24 19:44:53.000000000 +0000 +++ samba-4.5.8+dfsg/ctdb/doc/ctdb.1.html 2017-01-30 10:15:40.000000000 +0000 @@ -1,4 +1,4 @@ -ctdb

Name

ctdb — CTDB management utility

Synopsis

ctdb [OPTION...] {COMMAND} [COMMAND-ARGS]

DESCRIPTION

+ctdb

Name

ctdb — CTDB management utility

Synopsis

ctdb [OPTION...] {COMMAND} [COMMAND-ARGS]

DESCRIPTION

ctdb is a utility to view and manage a CTDB cluster.

The following terms are used when referring to nodes in a @@ -21,7 +21,7 @@ A space separated list of at least one DB.

-

OPTIONS

-n PNN-LIST

+

OPTIONS

-n PNN-LIST

The nodes specified by PNN-LIST should be queried for the requested information. Default is to query the daemon running on the local host. @@ -59,21 +59,21 @@ socket to use when connecting to the local CTDB daemon. The default is /usr/local/var/run/ctdb/ctdbd.socket. -

ADMINISTRATIVE COMMANDS

+

ADMINISTRATIVE COMMANDS

These are commands used to monitor and administer a CTDB cluster. -

pnn

+

pnn

This command displays the PNN of the current node. -

status

+

status

This command shows the current status of all CTDB nodes based on information from the queried node.

Note: If the the queried node is INACTIVE then the status might not be current. -

Node status

+

Node status

This includes the number of physical nodes and the status of each node. See ctdb(7) for information about node states. -

Generation

+

Generation

The generation id is a number that indicates the current generation of a cluster instance. Each time a cluster goes through a reconfiguration or a recovery its generation id will be changed. @@ -94,13 +94,13 @@ All nodes start with generation "INVALID" and are not assigned a real generation id until they have successfully been merged with a cluster through a recovery. -

Virtual Node Number (VNN) map

+

Virtual Node Number (VNN) map

Consists of the number of virtual nodes and mapping from virtual node numbers to physical node numbers. Virtual nodes host CTDB databases. Only nodes that are participating in the VNN map can become lmaster or dmaster for database records. -

Recovery mode

+

Recovery mode

This is the current recovery mode of the cluster. There are two possible modes:

NORMAL - The cluster is fully operational. @@ -120,13 +120,13 @@ databases have been recovered, the node mode will change into NORMAL mode and the databases will be "thawed", allowing samba to access the databases again. -

Recovery master

+

Recovery master

This is the cluster node that is currently designated as the recovery master. This node is responsible of monitoring the consistency of the cluster and to perform the actual recovery process when reqired.

Only one node at a time can be the designated recovery master. Which node is designated the recovery master is decided by an election process in the recovery daemons running on each node. -

Example

+	

Example

 # ctdb status
 Number of nodes:4
 pnn:0 192.168.2.200       OK (THIS NODE)
@@ -141,7 +141,7 @@
 hash:3 lmaster:3
 Recovery mode:NORMAL (0)
 Recovery master:0
-	

nodestatus [PNN-LIST]

+

nodestatus [PNN-LIST]

This command is similar to the status command. It displays the "node status" subset of output. The main differences are: @@ -159,7 +159,7 @@ A common invocation in scripts is ctdb nodestatus all to check whether all nodes in a cluster are healthy. -

Example

+      

Example

 # ctdb nodestatus
 pnn:0 10.0.0.30        OK (THIS NODE)
 
@@ -167,28 +167,28 @@
 Number of nodes:2
 pnn:0 10.0.0.30        OK (THIS NODE)
 pnn:1 10.0.0.31        OK
-	

recmaster

+

recmaster

This command shows the pnn of the node which is currently the recmaster.

Note: If the the queried node is INACTIVE then the status might not be current. -

uptime

+

uptime

This command shows the uptime for the ctdb daemon. When the last recovery or ip-failover completed and how long it took. If the "duration" is shown as a negative number, this indicates that there is a recovery/failover in progress and it started that many seconds ago. -

Example

+      

Example

 # ctdb uptime
 Current time of node          :                Thu Oct 29 10:38:54 2009
 Ctdbd start time              : (000 16:54:28) Wed Oct 28 17:44:26 2009
 Time of last recovery/failover: (000 16:53:31) Wed Oct 28 17:45:23 2009
 Duration of last recovery/failover: 2.248552 seconds
-	

listnodes

+

listnodes

This command shows lists the ip addresses of all the nodes in the cluster. -

Example

+      

Example

 # ctdb listnodes
 192.168.2.200
 192.168.2.201
 192.168.2.202
 192.168.2.203
-	

natgw {master|list|status}

+

natgw {master|list|status}

This command shows different aspects of NAT gateway status. For an overview of CTDB's NAT gateway functionality please see the NAT GATEWAY section in @@ -220,16 +220,16 @@ pnn:1 192.168.2.201 OK pnn:2 192.168.2.202 OK pnn:3 192.168.2.203 OK -

ping

+

ping

This command will "ping" specified CTDB nodes in the cluster to verify that they are running. -

Example

+      

Example

 # ctdb ping
 response from 0 time=0.000054 sec  (3 clients)
-	

ifaces

+

ifaces

This command will display the list of network interfaces, which could host public addresses, along with their status. -

Example

+      

Example

 # ctdb ifaces
 Interfaces on node 0
 name:eth5 link:up references:2
@@ -243,9 +243,9 @@
 |eth4|0|0|
 |eth3|1|1|
 |eth2|1|1|
-	

ip

+

ip

This command will display the list of public addresses that are provided by the cluster and which physical node is currently serving this ip. By default this command will ONLY show those public addresses that are known to the node itself. To see the full list of all public ips across the cluster you must use "ctdb ip all". -

Example

+      

Example

 # ctdb ip -v
 Public IPs on node 0
 172.31.91.82 node[1] active[] available[eth2,eth3] configured[eth2,eth3]
@@ -267,9 +267,9 @@
 |172.31.92.83|0|eth5|eth5|eth4,eth5|
 |172.31.92.84|1||eth5|eth4,eth5|
 |172.31.92.85|0|eth5|eth5|eth4,eth5|
-	

ipinfo IP

+

ipinfo IP

This command will display details about the specified public addresses. -

Example

+      

Example

 # ctdb ipinfo 172.31.92.85
 Public IP[172.31.92.85] info on node 0
 IP:172.31.92.85
@@ -277,9 +277,9 @@
 NumInterfaces:2
 Interface[1]: Name:eth4 Link:down References:0
 Interface[2]: Name:eth5 Link:up References:2 (active)
-	

scriptstatus

+

scriptstatus

This command displays which scripts where run in the previous monitoring cycle and the result of each script. If a script failed with an error, causing the node to become unhealthy, the output from that script is also shown. -

Example

+      

Example

 # ctdb scriptstatus
 7 scripts were executed last monitoring cycle
 00.ctdb              Status:OK    Duration:0.056 Tue Mar 24 18:56:57 2009
@@ -291,19 +291,19 @@
 41.httpd             Status:OK    Duration:0.039 Tue Mar 24 18:56:57 2009
 50.samba             Status:ERROR    Duration:0.082 Tue Mar 24 18:56:57 2009
 OUTPUT:ERROR: Samba tcp port 445 is not responding
-      

disablescript SCRIPT

+

disablescript SCRIPT

This command is used to disable an eventscript.

This will take effect the next time the eventscripts are being executed so it can take a short while until this is reflected in 'scriptstatus'. -

enablescript SCRIPT

+

enablescript SCRIPT

This command is used to enable an eventscript.

This will take effect the next time the eventscripts are being executed so it can take a short while until this is reflected in 'scriptstatus'. -

listvars

+

listvars

List all tuneable variables, except the values of the obsolete tunables like VacuumMinInterval. The obsolete tunables can be retrieved only explicitly with the "ctdb getvar" command. -

Example

+      

Example

 # ctdb listvars
 SeqnumInterval          = 1000
 ControlTimeout          = 60
@@ -359,16 +359,16 @@
 Samba3AvoidDeadlocks    = 0
 TDBMutexEnabled         = 0
 LockProcessesPerDB      = 200
-	

getvar NAME

+

getvar NAME

Get the runtime value of a tuneable variable. -

Example

+      

Example

 # ctdb getvar MonitorInterval
 MonitorInterval         = 15
-	

setvar NAME VALUE

+

setvar NAME VALUE

Set the runtime value of a tuneable variable. -

Example

+      

Example

 # ctdb setvar MonitorInterval 20
-	

lvs {master|list|status}

+

lvs {master|list|status}

This command shows different aspects of LVS status. For an overview of CTDB's LVS functionality please see the LVS section in @@ -395,7 +395,7 @@ pnn:1 10.0.0.12 UNHEALTHY pnn:2 10.0.0.13 OK pnn:3 10.0.0.14 OK -

getcapabilities

+

getcapabilities

This command shows the capabilities of the current node. See the CAPABILITIES section in ctdb(7) for more details. @@ -404,12 +404,12 @@

 RECMASTER: YES
 LMASTER: YES
-      

statistics

+

statistics

Collect statistics from the CTDB daemon about how many calls it has served. Information about various fields in statistics can be found in ctdb-statistics(7). -

Example

+      

Example

 # ctdb statistics
 CTDB version 1
 Current time of statistics  :                Tue Mar  8 15:18:51 2016
@@ -461,15 +461,15 @@
  reclock_recd       MIN/AVG/MAX     0.000000/0.000000/0.000000 sec out of 0
  call_latency       MIN/AVG/MAX     0.000044/0.002142/0.011702 sec out of 15
  childwrite_latency MIN/AVG/MAX     0.000000/0.000000/0.000000 sec out of 0
-	

statisticsreset

+

statisticsreset

This command is used to clear all statistics counters in a node.

Example: ctdb statisticsreset -

dbstatistics DB

+

dbstatistics DB

Display statistics about the database DB. Information about various fields in dbstatistics can be found in ctdb-statistics(7). -

Example

+      

Example

 # ctdb dbstatistics locking.tdb
 DB Statistics: locking.tdb
  ro_delegations                     0
@@ -485,13 +485,13 @@
  vacuum_latency     MIN/AVG/MAX     0.000472/0.002207/15.243570 sec out of 224530
  Num Hot Keys:     1
      Count:8 Key:ff5bd7cb3ee3822edc1f0000000000000000000000000000
-	

getreclock

+

getreclock

Show details of the recovery lock, if any.

Example output:

 	/clusterfs/.ctdb/recovery.lock
-      

getdebug

+

getdebug

Get the current debug level for the node. the debug level controls what information is written to the log file.

The debug levels are mapped to the corresponding syslog levels. @@ -501,29 +501,29 @@ The list of debug levels from highest to lowest are :

ERROR WARNING NOTICE INFO DEBUG -

setdebug DEBUGLEVEL

+

setdebug DEBUGLEVEL

Set the debug level of a node. This controls what information will be logged.

The debuglevel is one of ERROR WARNING NOTICE INFO DEBUG -

getpid

+

getpid

This command will return the process id of the ctdb daemon. -

disable

+

disable

This command is used to administratively disable a node in the cluster. A disabled node will still participate in the cluster and host clustered TDB records but its public ip address has been taken over by a different node and it no longer hosts any services. -

enable

+

enable

Re-enable a node that has been administratively disabled. -

stop

+

stop

This command is used to administratively STOP a node in the cluster. A STOPPED node is connected to the cluster but will not host any public ip addresse, nor does it participate in the VNNMAP. The difference between a DISABLED node and a STOPPED node is that a STOPPED node does not host any parts of the database which means that a recovery is required to stop/continue nodes. -

continue

+

continue

Re-start a node that has been administratively stopped. -

addip IPADDR/mask IFACE

+

addip IPADDR/mask IFACE

This command is used to add a new public ip to a node during runtime. It should be followed by a ctdb ipreallocate. This allows public addresses to be @@ -533,7 +533,7 @@ changes will be lost next time ctdb is restarted and the public addresses file is re-read. If you want this change to be permanent you must also update the public addresses file manually. -

delip IPADDR

+

delip IPADDR

This command flags IPADDR for deletion from a node at runtime. It should be followed by a ctdb ipreallocate. If IPADDR is currently hosted by the @@ -546,7 +546,7 @@ public addresses file is re-read. If you want this change to be permanent you must also update the public addresses file manually. -

moveip IPADDR PNN

+

moveip IPADDR PNN

This command can be used to manually fail a public ip address to a specific node.

@@ -557,9 +557,9 @@ DeterministicIPs = 0

NoIPFailback = 1 -

shutdown

+

shutdown

This command will shutdown a specific CTDB daemon. -

setlmasterrole on|off

+

setlmasterrole on|off

This command is used ot enable/disable the LMASTER capability for a node at runtime. This capability determines whether or not a node can be used as an LMASTER for records in the database. A node that does not have the LMASTER capability will not show up in the vnnmap.

Nodes will by default have this capability, but it can be stripped off nodes by the setting in the sysconfig file or by using this command. @@ -567,13 +567,13 @@ Once this setting has been enabled/disabled, you need to perform a recovery for it to take effect.

See also "ctdb getcapabilities" -

setrecmasterrole on|off

+

setrecmasterrole on|off

This command is used ot enable/disable the RECMASTER capability for a node at runtime. This capability determines whether or not a node can be used as an RECMASTER for the cluster. A node that does not have the RECMASTER capability can not win a recmaster election. A node that already is the recmaster for the cluster when the capability is stripped off the node will remain the recmaster until the next cluster election.

Nodes will by default have this capability, but it can be stripped off nodes by the setting in the sysconfig file or by using this command.

See also "ctdb getcapabilities" -

reloadnodes

+

reloadnodes

This command is used when adding new nodes, or removing existing nodes from an existing cluster.

@@ -622,7 +622,7 @@

  • Use ctdb status on all nodes and verify that the deleted nodes are no longer listed. -

  • +

    reloadips [PNN-LIST]

    @@ -635,7 +635,7 @@ Such changes must be made in 2 steps by deleting addresses in question and re-adding then. Unfortunately this will disrupt connections to the changed addresses. -

    getdbmap

    +

    getdbmap

    This command lists all clustered TDB databases that the CTDB daemon has attached to. Some databases are flagged as PERSISTENT, this means that the database stores data persistently and the data will remain across reboots. One example of such a database is secrets.tdb where information about how the cluster was joined to the domain is stored.

    If a PERSISTENT database is not in a healthy state the database is @@ -649,7 +649,7 @@ and (if samba or tdb-utils are installed) "tdbtool check".

    Most databases are not persistent and only store the state information that the currently running samba daemons need. These databases are always wiped when ctdb/samba starts and when a node is rebooted. -

    Example

    +      

    Example

     # ctdb getdbmap
     Number of databases:10
     dbid:0x435d3410 name:notify.tdb path:/usr/local/var/lib/ctdb/notify.tdb.0
    @@ -670,7 +670,7 @@
     # ctdb -X getdbmap
     |ID|Name|Path|Persistent|Unhealthy|
     |0x7bbbd26c|passdb.tdb|/usr/local/var/lib/ctdb/persistent/passdb.tdb.0|1|0|
    -	

    +

    backupdb DB FILE @@ -679,7 +679,7 @@ read back using restoredb. This is mainly useful for backing up persistent databases such as secrets.tdb and similar. -

    +

    restoredb FILE [DB] @@ -689,45 +689,45 @@ be restored back into the same database as it was created from. By specifying dbname you can restore the data into a different database. -

    setdbreadonly DB

    +

    setdbreadonly DB

    This command will enable the read-only record support for a database. This is an experimental feature to improve performance for contended records primarily in locking.tdb and brlock.tdb. When enabling this feature you must set it on all nodes in the cluster. -

    setdbsticky DB

    +

    setdbsticky DB

    This command will enable the sticky record support for the specified database. This is an experimental feature to improve performance for contended records primarily in locking.tdb and brlock.tdb. When enabling this feature you must set it on all nodes in the cluster. -

    INTERNAL COMMANDS

    +

    INTERNAL COMMANDS

    Internal commands are used by CTDB's scripts and are not required for managing a CTDB cluster. Their parameters and behaviour are subject to change. -

    gettickles IPADDR

    +

    gettickles IPADDR

    Show TCP connections that are registered with CTDB to be "tickled" if there is a failover. -

    gratiousarp IPADDR INTERFACE

    - Send out a gratious ARP for the specified interface through +

    gratarp IPADDR INTERFACE

    + Send out a gratuitous ARP for the specified interface through the specified interface. This command is mainly used by the ctdb eventscripts. -

    +

    pdelete DB KEY

    Delete KEY from DB. -

    +

    pfetch DB KEY

    Print the value associated with KEY in DB. -

    +

    pstore DB KEY FILE

    Store KEY in DB with contents of FILE as the associated value. -

    +

    ptrans DB [FILE] @@ -739,7 +739,7 @@ The key and value should be separated by spaces or tabs. Each key/value should be a printable string enclosed in double-quotes. -

    runstate [setup|first_recovery|startup|running]

    +

    runstate [setup|first_recovery|startup|running]

    Print the runstate of the specified node. Runstates are used to serialise important state transitions in CTDB, particularly during startup. @@ -747,16 +747,16 @@ If one or more optional runstate arguments are specified then the node must be in one of these runstates for the command to succeed. -

    Example

    +      

    Example

     # ctdb runstate
     RUNNING
    -	

    setifacelink IFACE up|down

    +

    setifacelink IFACE up|down

    Set the internal state of network interface IFACE. This is typically used in the 10.interface script in the "monitor" event.

    Example: ctdb setifacelink eth0 up -

    tickle

    +

    tickle

    Read a list of TCP connections, one per line, from standard input and send a TCP tickle to the source host for each connection. A connection is specified as: @@ -776,12 +776,12 @@ TCP connection has been disrupted and that the client will need to reestablish. This greatly speeds up the time it takes for a client to detect and reestablish after an IP failover in the ctdb cluster. -

    version

    +

    version

    Display the CTDB version. -

    DEBUGGING COMMANDS

    +

    DEBUGGING COMMANDS

    These commands are primarily used for CTDB development and testing and should not be used for normal administration. -

    OPTIONS

    --print-emptyrecords

    +

    OPTIONS

    --print-emptyrecords

    This enables printing of empty records when dumping databases with the catdb, cattbd and dumpdbbackup commands. Records with empty data segment are considered deleted by ctdb and cleaned @@ -799,11 +799,11 @@ This lets catdb and dumpdbbackup print the record flags for each record. Note that cattdb always prints the flags. -

    process-exists PID

    +

    process-exists PID

    This command checks if a specific process exists on the CTDB host. This is mainly used by Samba to check if remote instances of samba are still running or not. -

    getdbstatus DB

    +

    getdbstatus DB

    This command displays more details about a database. -

    Example

    +      

    Example

     # ctdb getdbstatus test.tdb.0
     dbid: 0x122224da
     name: test.tdb
    @@ -817,28 +817,28 @@
     path: /usr/local/var/lib/ctdb/persistent/registry.tdb.0
     PERSISTENT: yes
     HEALTH: NO-HEALTHY-NODES - ERROR - Backup of corrupted TDB in '/usr/local/var/lib/ctdb/persistent/registry.tdb.0.corrupted.20091208091949.0Z'
    -	

    catdb DB

    +

    catdb DB

    Print a dump of the clustered TDB database DB. -

    cattdb DB

    +

    cattdb DB

    Print a dump of the contents of the local TDB database DB. -

    dumpdbbackup FILE

    +

    dumpdbbackup FILE

    Print a dump of the contents from database backup FILE, similar to catdb. -

    wipedb DB

    +

    wipedb DB

    Remove all contents of database DB. -

    recover

    +

    recover

    This command will trigger the recovery daemon to do a cluster recovery. -

    ipreallocate, sync

    +

    ipreallocate, sync

    This command will force the recovery master to perform a full ip reallocation process and redistribute all ip addresses. This is useful to "reset" the allocations back to its default state if they have been changed using the "moveip" command. While a "recover" will also perform this reallocation, a recovery is much more hevyweight since it will also rebuild all the databases. -

    getmonmode

    +

    getmonmode

    This command prints the monitoring mode of a node. This indicates when CTDB is monitoring services on the node. The monitoring mode is either ENABLED or DISABLED. -

    attach DBNAME [persistent]

    +

    attach DBNAME [persistent]

    Create a new CTDB database called DBNAME and attach to it on all nodes. -

    detach DB-LIST

    +

    detach DB-LIST

    Detach specified non-persistent database(s) from the cluster. This command will disconnect specified database(s) on all nodes in the cluster. This command should only be used when none of the @@ -846,16 +846,16 @@

    All nodes should be active and tunable AllowClientDBAccess should be disabled on all nodes before detaching databases. -

    dumpmemory

    +

    dumpmemory

    This is a debugging command. This command will make the ctdb daemon to write a fill memory allocation map to standard output. -

    rddumpmemory

    +

    rddumpmemory

    This is a debugging command. This command will dump the talloc memory allocation tree for the recovery daemon to standard output. -

    eventscript ARGUMENTS

    +

    eventscript ARGUMENTS

    This is a debugging command. This command can be used to manually invoke and run the eventscritps with arbitrary arguments. -

    ban BANTIME

    +

    ban BANTIME

    Administratively ban a node for BANTIME seconds. The node will be unbanned after BANTIME seconds have elapsed.

    @@ -869,21 +869,21 @@

    To administratively exclude a node from a cluster use the stop command. -

    unban

    +

    unban

    This command is used to unban a node that has either been administratively banned using the ban command or has been automatically banned. -

    check_srvids SRVID ...

    +

    check_srvids SRVID ...

    This command checks whether a set of srvid message ports are registered on the node or not. The command takes a list of values to check. -

    Example

    +      

    Example

     # ctdb check_srvids 1 2 3 14765
     Server id 0:1 does not exist
     Server id 0:2 does not exist
     Server id 0:3 does not exist
     Server id 0:14765 exists
    -	

    SEE ALSO

    +

    SEE ALSO

    ctdbd(1), onnode(1),
diff -Nru samba-4.5.4+dfsg/ctdb/doc/ctdb.1.xml samba-4.5.8+dfsg/ctdb/doc/ctdb.1.xml
--- samba-4.5.4+dfsg/ctdb/doc/ctdb.1.xml 2016-09-13 08:21:35.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/doc/ctdb.1.xml 2017-01-30 09:56:26.000000000 +0000
@@ -1353,9 +1353,9 @@
- gratiousarp <parameter>IPADDR</parameter> <parameter>INTERFACE</parameter>
+ gratarp <parameter>IPADDR</parameter> <parameter>INTERFACE</parameter>
- Send out a gratious ARP for the specified interface through
+ Send out a gratuitous ARP for the specified interface through
 the specified interface. This command is mainly used by the ctdb eventscripts.
diff -Nru samba-4.5.4+dfsg/ctdb/server/ctdb_lock.c samba-4.5.8+dfsg/ctdb/server/ctdb_lock.c
--- samba-4.5.4+dfsg/ctdb/server/ctdb_lock.c 2016-08-11 07:51:04.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/server/ctdb_lock.c 2017-01-30 09:56:26.000000000 +0000
@@ -192,7 +192,7 @@
 lock_ctx->request->lctx = NULL;
 }
 if (lock_ctx->child > 0) {
- ctdb_kill(lock_ctx->ctdb, lock_ctx->child, SIGKILL);
+ ctdb_kill(lock_ctx->ctdb, lock_ctx->child, SIGTERM);
 if (lock_ctx->type == LOCK_RECORD) {
 DLIST_REMOVE(lock_ctx->ctdb_db->lock_current, lock_ctx);
 } else {
@@ -672,7 +672,7 @@
 ctdb_lock_timeout_handler,
 (void *)lock_ctx);
 if (lock_ctx->ttimer == NULL) {
- ctdb_kill(ctdb, lock_ctx->child, SIGKILL);
+ ctdb_kill(ctdb, lock_ctx->child, SIGTERM);
 lock_ctx->child = -1;
 close(lock_ctx->fd[0]);
 return;
@@ -687,7 +687,7 @@
 (void *)lock_ctx);
 if (lock_ctx->tfd == NULL) {
 TALLOC_FREE(lock_ctx->ttimer);
- ctdb_kill(ctdb, lock_ctx->child, SIGKILL);
+ ctdb_kill(ctdb, lock_ctx->child, SIGTERM);
 lock_ctx->child = -1;
 close(lock_ctx->fd[0]);
 return;
diff -Nru samba-4.5.4+dfsg/ctdb/server/ctdb_lock_helper.c samba-4.5.8+dfsg/ctdb/server/ctdb_lock_helper.c
--- samba-4.5.4+dfsg/ctdb/server/ctdb_lock_helper.c 2016-12-05 08:18:44.000000000 +0000
+++ samba-4.5.8+dfsg/ctdb/server/ctdb_lock_helper.c 2017-01-30 09:56:26.000000000 +0000
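Review bot: On the two setup-failure paths (`ttimer == NULL` and `tfd == NULL`) the code still sets `lock_ctx->child = -1` straight after `ctdb_kill(..., SIGTERM)`, so the daemon forgets the pid without knowing the helper has exited. Unlike `SIGKILL`, `SIGTERM` can be caught or deferred, and a helper that is still blocked acquiring a lock could survive and later hold that lock with nothing tracking it, which stalls access to the database. The helper's signal handling is not visible in these hunks, so state the contract at each call, e.g. `/* helper releases its lock and exits on SIGTERM */`, or keep a `SIGKILL` fallback for a child that does not exit. The same concern applies to the destructor hunk at `@@ -192,7 +192,7 @@`, which also only sends `SIGTERM`.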
@@ -20,8 +20,12 @@ #include "replace.h" #include "system/filesys.h" #include "system/network.h" +#include "system/wait.h" #include +#include + +#include "lib/util/tevent_unix.h" #include "ctdb_private.h" @@ -30,6 +34,11 @@ static char *progname = NULL; static bool realtime = true; +struct lock_state { + struct tdb_context *tdb; + TDB_DATA key; +}; + static void set_priority(void) { const char *ptr; @@ -72,7 +81,7 @@ fprintf(stderr, "\n"); fprintf(stderr, "Usage: %s RECORD \n", progname); - fprintf(stderr, " %s DB [ ...]\n", + fprintf(stderr, " %s DB \n", progname); } @@ -93,10 +102,9 @@ return buffer; } -static int lock_record(const char *dbpath, const char *dbflags, const char *dbkey) +static int lock_record(const char *dbpath, const char *dbflags, + const char *dbkey, struct lock_state *state) { - TDB_DATA key; - struct tdb_context *tdb; int tdb_flags; /* No error checking since CTDB always passes sane values */ @@ -104,23 +112,25 @@ /* Convert hex key to key */ if (strcmp(dbkey, "NULL") == 0) { - key.dptr = NULL; - key.dsize = 0; + state->key.dptr = NULL; + state->key.dsize = 0; } else { - key.dptr = hex_decode_talloc(NULL, dbkey, &key.dsize); + state->key.dptr = hex_decode_talloc(NULL, dbkey, + &state->key.dsize); } - tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); - if (tdb == NULL) { - fprintf(stderr, "%s: Error opening database %s\n", progname, dbpath); + state->tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); + if (state->tdb == NULL) { + fprintf(stderr, "%s: Error opening database %s\n", + progname, dbpath); return 1; } set_priority(); - if (tdb_chainlock(tdb, key) < 0) { + if (tdb_chainlock(state->tdb, state->key) < 0) { fprintf(stderr, "%s: Error getting record lock (%s)\n", - progname, tdb_errorstr(tdb)); + progname, tdb_errorstr(state->tdb)); return 1; } 
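Review bot: `struct lock_state` records no lock type, and `cleanup()` (added further down in this diff) picks `tdb_unlockall()` whenever `state->key.dsize == 0`; lock_record() stores exactly that size for the `"NULL"` key, so a record lock taken on the empty key would be released with the wrong call. The state also cannot say whether a lock was obtained at all: `state->tdb` is assigned before `tdb_chainlock()` here and before `tdb_lockall()` in lock_db() (the -130 hunk), so a SIGTERM handled after a failed lock attempt would unlock something that is not held. I would add an explicit held-lock field that is set only after the lock call succeeds and have cleanup() switch on it, as sketched below with newly introduced names. Separately, the result of `hex_decode_talloc()` is used as the key without a NULL check. lock_record() continues outside the -104 hunk.

```c
/* new: what cleanup() has to release */
enum lock_held { LOCK_HELD_NONE = 0, LOCK_HELD_RECORD, LOCK_HELD_DB };

struct lock_state {
	struct tdb_context *tdb;
	TDB_DATA key;
	enum lock_held held;	/* set only after the lock call succeeds */
};

/* … unchanged: lock_record() flag parsing, key decoding, tdb_open(), set_priority() … */
	if (tdb_chainlock(state->tdb, state->key) < 0) {
		/* … unchanged: error report and return 1 … */
	}
	state->held = LOCK_HELD_RECORD;

/* … unchanged: lock_db() up to a successful tdb_lockall() … */
	state->held = LOCK_HELD_DB;

static void cleanup(struct lock_state *state)
{
	if (state->tdb == NULL) {
		return;
	}

	switch (state->held) {
	case LOCK_HELD_RECORD:
		tdb_chainunlock(state->tdb, state->key);
		break;
	case LOCK_HELD_DB:
		tdb_unlockall(state->tdb);
		break;
	case LOCK_HELD_NONE:
		break;
	}
	tdb_close(state->tdb);
}
```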
@@ -130,26 +140,26 @@ } - -static int lock_db(const char *dbpath, const char *dbflags) +static int lock_db(const char *dbpath, const char *dbflags, + struct lock_state *state) { - struct tdb_context *tdb; int tdb_flags; /* No error checking since CTDB always passes sane values */ tdb_flags = strtol(dbflags, NULL, 0); - tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); - if (tdb == NULL) { - fprintf(stderr, "%s: Error opening database %s\n", progname, dbpath); + state->tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); + if (state->tdb == NULL) { + fprintf(stderr, "%s: Error opening database %s\n", + progname, dbpath); return 1; } set_priority(); - if (tdb_lockall(tdb) < 0) { + if (tdb_lockall(state->tdb) < 0) { fprintf(stderr, "%s: Error getting db lock (%s)\n", - progname, tdb_errorstr(tdb)); + progname, tdb_errorstr(state->tdb)); return 1; } 
@@ -158,13 +168,114 @@ return 0; } +struct wait_for_parent_state { + struct tevent_context *ev; + pid_t ppid; +}; + +static void wait_for_parent_check(struct tevent_req *subreq); + +static struct tevent_req *wait_for_parent_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + pid_t ppid) +{ + struct tevent_req *req, *subreq; + struct wait_for_parent_state *state; + + req = tevent_req_create(mem_ctx, &state, struct wait_for_parent_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->ppid = ppid; + + if (ppid == 1) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + + subreq = tevent_wakeup_send(state, ev, + tevent_timeval_current_ofs(5,0)); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, wait_for_parent_check, req); + + return req; +} + +static void wait_for_parent_check(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct wait_for_parent_state *state = tevent_req_data( + req, struct wait_for_parent_state); + bool status; + + status = tevent_wakeup_recv(subreq); + TALLOC_FREE(subreq); + if (! 
status) { + /* Ignore error */ + fprintf(stderr, "locking: tevent_wakeup_recv() failed\n"); + } + + if (kill(state->ppid, 0) == -1 && errno == ESRCH) { + tevent_req_done(req); + return; + } + + subreq = tevent_wakeup_send(state, state->ev, + tevent_timeval_current_ofs(5,0)); + if (tevent_req_nomem(subreq, req)) { + return; + } + tevent_req_set_callback(subreq, wait_for_parent_check, req); +} + +static bool wait_for_parent_recv(struct tevent_req *req) +{ + if (tevent_req_is_unix_error(req, NULL)) { + return false; + } + + return true; +} + +static void cleanup(struct lock_state *state) +{ + if (state->tdb != NULL) { + if (state->key.dsize == 0) { + tdb_unlockall(state->tdb); + } else { + tdb_chainunlock(state->tdb, state->key); + } + tdb_close(state->tdb); + } +} + +static void signal_handler(struct tevent_context *ev, + struct tevent_signal *se, + int signum, int count, void *siginfo, + void *private_data) +{ + struct lock_state *state = (struct lock_state *)private_data; + + cleanup(state); + exit(0); +} int main(int argc, char *argv[]) { + struct tevent_context *ev; + struct tevent_signal *se; + struct tevent_req *req; + struct lock_state state = { 0 }; int write_fd, log_fd; char result = 0; int ppid; const char *lock_type; + bool status; reset_scheduler(); @@ -186,6 +297,20 @@ write_fd = atoi(argv[3]); lock_type = argv[4]; + ev = tevent_context_init(NULL); + if (ev == NULL) { + fprintf(stderr, "locking: tevent_context_init() failed\n"); + exit(1); + } + + se = tevent_add_signal(ev, ev, SIGTERM, 0, + signal_handler, &state); + if (se == NULL) { + fprintf(stderr, "locking: tevent_add_signal() failed\n"); + talloc_free(ev); + exit(1); + } + if (strcmp(lock_type, "RECORD") == 0) { if (argc != 8) { fprintf(stderr, "%s: Invalid number of arguments (%d)\n", 
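Review bot: wait_for_parent_check() treats the parent as gone only when `kill(state->ppid, 0)` fails with ESRCH, so if that pid has been reused by another process between two 5-second polls the helper keeps running and keeps holding its tdb lock. Assuming `ppid` is this helper's real parent (it is read from argv outside the hunk), a reparenting check is not affected by pid reuse: `if (getppid() != state->ppid) { tevent_req_done(req); return; }`. The `ppid == 1` shortcut in wait_for_parent_send() suggests that reparenting to init is already the intended signal. main() continues outside this hunk.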
@@ -193,20 +318,17 @@ usage(); exit(1); } - result = lock_record(argv[5], argv[6], argv[7]); + result = lock_record(argv[5], argv[6], argv[7], &state); } else if (strcmp(lock_type, "DB") == 0) { - int n; - - /* If there are no databases specified, no need for lock */ - if (argc > 5) { - for (n=5; n+1/dev/null 2>&1 sleep 2 "$CTDB_NFS_CALLOUT" "start" "nlockmgr" >/dev/null 2>&1 diff -Nru samba-4.5.4+dfsg/ctdb/tests/eventscripts/stubs/ctdb samba-4.5.8+dfsg/ctdb/tests/eventscripts/stubs/ctdb --- samba-4.5.4+dfsg/ctdb/tests/eventscripts/stubs/ctdb 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/ctdb/tests/eventscripts/stubs/ctdb 2017-01-30 09:56:26.000000000 +0000 @@ -445,7 +445,7 @@ echo "|${2:-monitor}|${_b}|${_code}|${_status}|${_d1}|${_d2}|${_err_out}|" done ;; - gratiousarp) : ;; # Do nothing for now + gratarp) : ;; # Do nothing for now ip) ctdb_ip "$@" ;; pnn|xpnn) ctdb_pnn ;; enable) ctdb_enable "$@";; diff -Nru samba-4.5.4+dfsg/ctdb/tests/src/comm_test.c samba-4.5.8+dfsg/ctdb/tests/src/comm_test.c --- samba-4.5.4+dfsg/ctdb/tests/src/comm_test.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/ctdb/tests/src/comm_test.c 2017-03-09 09:21:43.000000000 +0000 
@@ -26,7 +26,218 @@ #include "common/pkt_write.c" #include "common/comm.c" -static void dead_handler(void *private_data) +/* + * Test read_handler and dead_handler + */ + +static void test1_read_handler(uint8_t *buf, size_t buflen, + void *private_data) +{ + int *result = (int *)private_data; + + *result = -1; +} + +static void test1_dead_handler(void *private_data) +{ + int *result = (int *)private_data; + + *result = 1; +} + +static void test1(void) +{ + TALLOC_CTX *mem_ctx; + struct tevent_context *ev; + struct comm_context *comm; + int fd[2]; + int result = 0; + uint32_t data[2]; + int ret; + ssize_t n; + + mem_ctx = talloc_new(NULL); + assert(mem_ctx != NULL); + + ev = tevent_context_init(mem_ctx); + assert(ev != NULL); + + ret = pipe(fd); + assert(ret == 0); + + ret = comm_setup(ev, ev, fd[0], test1_read_handler, &result, + test1_dead_handler, &result, &comm); + assert(ret == 0); + + data[0] = 2 * sizeof(uint32_t); + data[1] = 0; + + n = write(fd[1], (void *)&data, data[0]); + assert(n == data[0]); + + while (result == 0) { + tevent_loop_once(ev); + } + + assert(result == -1); + + result = 0; + close(fd[1]); + + while (result == 0) { + tevent_loop_once(ev); + } + + assert(result == 1); + + talloc_free(mem_ctx); +} + +/* + * Test that the tevent_req returned by comm_write_send() can be free'd. 
+ */ + +struct test2_state { + TALLOC_CTX *mem_ctx; + bool done; +}; + +static void test2_read_handler(uint8_t *buf, size_t buflen, + void *private_data) +{ + struct test2_state *state = (struct test2_state *)private_data; + + TALLOC_FREE(state->mem_ctx); +} + +static void test2_dead_handler(void *private_data) +{ + abort(); +} + +struct test2_write_state { + int count; +}; + +static void test2_write_done(struct tevent_req *subreq); + +static struct tevent_req *test2_write_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct comm_context *comm, + uint8_t *buf, size_t buflen) +{ + struct tevent_req *req, *subreq; + struct test2_write_state *state; + int i; + + req = tevent_req_create(mem_ctx, &state, struct test2_write_state); + if (req == NULL) { + return NULL; + } + + state->count = 0; + + for (i=0; i<10; i++) { + subreq = comm_write_send(state, ev, comm, buf, buflen); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, test2_write_done, req); + } + + return req; +} + +static void test2_write_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct test2_write_state *state = tevent_req_data( + req, struct test2_write_state); + bool status; + int ret; + + status = comm_write_recv(subreq, &ret); + TALLOC_FREE(subreq); + if (! 
status) { + tevent_req_error(req, ret); + return; + } + + state->count += 1; + + if (state->count == 10) { + tevent_req_done(req); + } +} + +static void test2_timer_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval cur_time, + void *private_data) +{ + struct test2_state *state = (struct test2_state *)private_data; + + state->done = true; +} + +static void test2(void) +{ + TALLOC_CTX *mem_ctx; + struct tevent_context *ev; + struct comm_context *comm_reader, *comm_writer; + struct test2_state test2_state; + struct tevent_req *req; + struct tevent_timer *te; + int fd[2]; + uint32_t data[2]; + int ret; + + mem_ctx = talloc_new(NULL); + assert(mem_ctx != NULL); + + test2_state.mem_ctx = talloc_new(mem_ctx); + assert(test2_state.mem_ctx != NULL); + + test2_state.done = false; + + ev = tevent_context_init(mem_ctx); + assert(ev != NULL); + + ret = pipe(fd); + assert(ret == 0); + + ret = comm_setup(ev, ev, fd[0], test2_read_handler, &test2_state, + test2_dead_handler, NULL, &comm_reader); + assert(ret == 0); + + ret = comm_setup(ev, ev, fd[1], NULL, NULL, test2_dead_handler, NULL, + &comm_writer); + assert(ret == 0); + + data[0] = 2 * sizeof(uint32_t); + data[1] = 0; + + req = test2_write_send(test2_state.mem_ctx, ev, comm_writer, + (uint8_t *)data, data[0]); + assert(req != NULL); + + te = tevent_add_timer(ev, ev, tevent_timeval_current_ofs(5,0), + test2_timer_handler, &test2_state); + assert(te != NULL); + + while (! test2_state.done) { + tevent_loop_once(ev); + } + + talloc_free(mem_ctx); +} + +/* + * Test that data is written and read correctly. + */ + +static void test3_dead_handler(void *private_data) { int dead_data = *(int *)private_data; 
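Review bot: The new test1() and test2() loops call `tevent_loop_once(ev)` without looking at its return value, so if the event loop reports an error the `while (result == 0)` loops in test1() spin forever instead of failing the test. Capturing the result keeps the failure visible: `ret = tevent_loop_once(ev); assert(ret == 0);`. test3_dead_handler() continues outside the hunk.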
@@ -34,14 +245,14 @@ if (dead_data == 1) { /* reader */ - printf("writer closed pipe\n"); + fprintf(stderr, "writer closed pipe\n"); } else { /* writer */ - printf("reader closed pipe\n"); + fprintf(stderr, "reader closed pipe\n"); } } -struct writer_state { +struct test3_writer_state { struct tevent_context *ev; struct comm_context *comm; uint8_t *buf; @@ -49,15 +260,15 @@ int count, id; }; -static void writer_next(struct tevent_req *subreq); +static void test3_writer_next(struct tevent_req *subreq); -static struct tevent_req *writer_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct comm_context *comm, - size_t *pkt_size, int count) +static struct tevent_req *test3_writer_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct comm_context *comm, + size_t *pkt_size, int count) { struct tevent_req *req, *subreq; - struct writer_state *state; + struct test3_writer_state *state; size_t max_size = 0, buflen; int i; @@ -67,7 +278,7 @@ } } - req = tevent_req_create(mem_ctx, &state, struct writer_state); + req = tevent_req_create(mem_ctx, &state, struct test3_writer_state); if (req == NULL) { return NULL; } @@ -95,16 +306,16 @@ return tevent_req_post(req, ev); } - tevent_req_set_callback(subreq, writer_next, req); + tevent_req_set_callback(subreq, test3_writer_next, req); return req; } -static void writer_next(struct tevent_req *subreq) +static void test3_writer_next(struct tevent_req *subreq) { struct tevent_req *req = tevent_req_callback_data( subreq, struct tevent_req); - struct writer_state *state = tevent_req_data( - req, struct writer_state); + struct test3_writer_state *state = tevent_req_data( + req, struct test3_writer_state); bool ret; int err; size_t buflen; 
@@ -130,10 +341,10 @@ return; } - tevent_req_set_callback(subreq, writer_next, req); + tevent_req_set_callback(subreq, test3_writer_next, req); } -static void writer_recv(struct tevent_req *req, int *perr) +static void test3_writer_recv(struct tevent_req *req, int *perr) { if (tevent_req_is_unix_error(req, perr)) { return; @@ -141,7 +352,7 @@ *perr = 0; } -static void writer(int fd, size_t *pkt_size, int count) +static void test3_writer(int fd, size_t *pkt_size, int count) { TALLOC_CTX *mem_ctx; struct tevent_context *ev; @@ -157,31 +368,32 @@ assert(ev != NULL); err = comm_setup(mem_ctx, ev, fd, NULL, NULL, - dead_handler, &dead_data, &comm); + test3_dead_handler, &dead_data, &comm); assert(err == 0); assert(comm != NULL); - req = writer_send(mem_ctx, ev, comm, pkt_size, count); + req = test3_writer_send(mem_ctx, ev, comm, pkt_size, count); assert(req != NULL); tevent_req_poll(req, ev); - writer_recv(req, &err); + test3_writer_recv(req, &err); assert(err == 0); talloc_free(mem_ctx); } -struct reader_state { +struct test3_reader_state { size_t *pkt_size; int count, received; bool done; }; -static void reader_handler(uint8_t *buf, size_t buflen, void *private_data) +static void test3_reader_handler(uint8_t *buf, size_t buflen, + void *private_data) { - struct reader_state *state = talloc_get_type_abort( - private_data, struct reader_state); + struct test3_reader_state *state = talloc_get_type_abort( + private_data, struct test3_reader_state); assert(buflen == state->pkt_size[state->received]); printf("%zi ", buflen); @@ -193,12 +405,12 @@ } } -static void reader(int fd, size_t *pkt_size, int count) +static void test3_reader(int fd, size_t *pkt_size, int count) { TALLOC_CTX *mem_ctx; struct tevent_context *ev; struct comm_context *comm; - struct reader_state *state; + struct test3_reader_state *state; int dead_data = 1; int err; 
@@ -208,7 +420,7 @@ ev = tevent_context_init(mem_ctx); assert(ev != NULL); - state = talloc_zero(mem_ctx, struct reader_state); + state = talloc_zero(mem_ctx, struct test3_reader_state); assert(state != NULL); state->pkt_size = pkt_size; @@ -216,8 +428,8 @@ state->received = 0; state->done = false; - err = comm_setup(mem_ctx, ev, fd, reader_handler, state, - dead_handler, &dead_data, &comm); + err = comm_setup(mem_ctx, ev, fd, test3_reader_handler, state, + test3_dead_handler, &dead_data, &comm); assert(err == 0); assert(comm != NULL); @@ -228,7 +440,7 @@ talloc_free(mem_ctx); } -int main(void) +static void test3(void) { int fd[2]; int ret; @@ -237,7 +449,6 @@ 200, 16384, 300, 32768, 400, 65536, 1024*1024 }; - ret = pipe(fd); assert(ret == 0); @@ -247,14 +458,44 @@ if (pid == 0) { /* Child process */ close(fd[0]); - writer(fd[1], pkt_size, 13); + test3_writer(fd[1], pkt_size, 13); close(fd[1]); exit(0); } close(fd[1]); - reader(fd[0], pkt_size, 13); + test3_reader(fd[0], pkt_size, 13); close(fd[0]); +} + + +int main(int argc, const char **argv) +{ + int num; + + if (argc != 2) { + fprintf(stderr, "%s \n", argv[0]); + exit(1); + } + + num = atoi(argv[1]); + + switch (num) { + case 1: + test1(); + break; + + case 2: + test2(); + break; + + case 3: + test3(); + break; + + default: + fprintf(stderr, "Unknown test number %s\n", argv[1]); + } return 0; } diff -Nru samba-4.5.4+dfsg/ctdb/tests/src/test_mutex_raw.c samba-4.5.8+dfsg/ctdb/tests/src/test_mutex_raw.c --- samba-4.5.4+dfsg/ctdb/tests/src/test_mutex_raw.c 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.5.8+dfsg/ctdb/tests/src/test_mutex_raw.c 2017-03-09 09:21:43.000000000 +0000 
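Review bot: In the new main(), the `default:` branch prints "Unknown test number" and then reaches `return 0`, so a harness that passes a wrong test number sees success. `atoi(argv[1])` has the same effect for non-numeric input, which becomes 0 and lands in `default:`. I would make that branch fail: `fprintf(stderr, "Unknown test number %s\n", argv[1]); exit(1);`.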
@@ -0,0 +1,251 @@ +/* + Robust mutex test + + Copyright (C) Amitay Isaacs 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, see . +*/ + +/* + * Run this test as follows: + * + * 1. Running all processes at normal priority + * + * $ while true ; do ./bin/test_mutex_raw /tmp/foo 10 0 ; done + * + * 2. Running all processes at real-time priority + * + * # while true ; do ./bin/test_mutex_raw /tmp/foo 10 1 ; done + * + * The test will block after few iterations. At this time none of the + * child processes is holding the mutex. + * + * To check which process is holding a lock: + * + * $ ./bin/test_mutex_raw /tmp/foo debug + * + * If no pid is printed, then no process is holding the mutex. 
+ */ + +#include "replace.h" +#include "system/filesys.h" +#include "system/wait.h" +#include "system/shmem.h" +#include "system/threads.h" + +static void set_realtime(void) +{ + struct sched_param p; + int ret; + + p.sched_priority = 1; + + ret = sched_setscheduler(0, SCHED_FIFO, &p); + if (ret == -1) { + fprintf(stderr, "Failed to set scheduler to SCHED_FIFO\n"); + } +} + +static void high_priority(void) +{ + int ret; + + ret = nice(-20); + if (ret == -1) { + fprintf(stderr, "Failed to set high priority\n"); + } +} + +static void run_child(const char *filename) +{ + pthread_mutex_t *mutex; + void *addr; + int ret, fd; + + fd = open(filename, O_RDWR, 0600); + if (fd == -1) { + exit(1); + } + + addr = mmap(NULL, sizeof(pthread_mutex_t), PROT_READ|PROT_WRITE, + MAP_SHARED|MAP_FILE, fd, 0); + if (addr == NULL) { + exit(2); + } + + mutex = (pthread_mutex_t *)addr; + +again: + ret = pthread_mutex_lock(mutex); + if (ret == EOWNERDEAD) { + ret = pthread_mutex_consistent(mutex); + } else if (ret == EAGAIN) { + goto again; + } + if (ret != 0) { + fprintf(stderr, "pid %u lock failed, ret=%d\n", getpid(), ret); + exit(3); + } + + fprintf(stderr, "pid %u locked\n", getpid()); + kill(getpid(), SIGKILL); +} + +#define PRIO_NORMAL 0 +#define PRIO_REALTIME 1 +#define PRIO_NICE_20 2 + +int main(int argc, const char **argv) +{ + pthread_mutexattr_t ma; + pthread_mutex_t *mutex; + int fd, ret, i; + pid_t pid; + void *addr; + int num_children; + int priority = PRIO_NORMAL; + + if (argc < 3 || argc > 4) { + fprintf(stderr, "Usage: %s [0|1|2]\n", argv[0]); + fprintf(stderr, " %s debug\n", argv[0]); + exit(1); + } + + if (argc == 4) { + priority = atoi(argv[3]); + } + + if (priority == PRIO_REALTIME) { + set_realtime(); + } else if (priority == PRIO_NICE_20) { + high_priority(); + } + + fd = open(argv[1], O_CREAT|O_RDWR, 0600); + if (fd == -1) { + fprintf(stderr, "open failed\n"); + exit(1); + } + + ret = lseek(fd, 0, SEEK_SET); + if (ret != 0) { + fprintf(stderr, "lseek failed\n"); + 
exit(1); + } + + ret = ftruncate(fd, sizeof(pthread_mutex_t)); + if (ret != 0) { + fprintf(stderr, "ftruncate failed\n"); + exit(1); + } + + addr = mmap(NULL, sizeof(pthread_mutex_t), PROT_READ|PROT_WRITE, + MAP_SHARED|MAP_FILE, fd, 0); + if (addr == NULL) { + fprintf(stderr, "mmap failed\n"); + exit(1); + } + + mutex = (pthread_mutex_t *)addr; + + if (strcmp(argv[2], "debug") == 0) { + ret = pthread_mutex_trylock(mutex); + if (ret == EOWNERDEAD) { + ret = pthread_mutex_consistent(mutex); + if (ret == 0) { + pthread_mutex_unlock(mutex); + } + } else if (ret == EBUSY) { + printf("pid=%u\n", mutex->__data.__owner); + } else if (ret == 0) { + pthread_mutex_unlock(mutex); + } + exit(0); + } + + ret = pthread_mutexattr_init(&ma); + if (ret != 0) { + fprintf(stderr, "pthread_mutexattr_init failed\n"); + exit(1); + } + + ret = pthread_mutexattr_settype(&ma, PTHREAD_MUTEX_ERRORCHECK); + if (ret != 0) { + fprintf(stderr, "pthread_mutexattr_settype failed\n"); + exit(1); + } + + ret = pthread_mutexattr_setpshared(&ma, PTHREAD_PROCESS_SHARED); + if (ret != 0) { + fprintf(stderr, "pthread_mutexattr_setpshared failed\n"); + exit(1); + } + + ret = pthread_mutexattr_setrobust(&ma, PTHREAD_MUTEX_ROBUST); + if (ret != 0) { + fprintf(stderr, "pthread_mutexattr_setrobust failed\n"); + exit(1); + } + + ret = pthread_mutex_init(mutex, &ma); + if (ret != 0) { + fprintf(stderr, "pthread_mutex_init failed\n"); + exit(1); + } + + ret = pthread_mutex_lock(mutex); + if (ret != 0) { + fprintf(stderr, "pthread_mutex_lock failed\n"); + exit(1); + } + + setpgid(0, 0); + + fprintf(stderr, "Creating children\n"); + num_children = atoi(argv[2]); + + for (i=0; i Fri, 21 Apr 2017 07:33:25 -0400 + samba (2:4.5.4+dfsg-1ubuntu2) zesty; urgency=medium * d/control: add libcephfs-dev as b-d to build vfs_ceph diff -Nru samba-4.5.4+dfsg/debian/patches/winbind_trusted_domains.patch samba-4.5.8+dfsg/debian/patches/winbind_trusted_domains.patch --- samba-4.5.4+dfsg/debian/patches/winbind_trusted_domains.patch 
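Review bot: Both `mmap()` calls in the new test_mutex_raw.c (in run_child() and in main()) test the result with `addr == NULL`, but mmap() reports failure with `MAP_FAILED`, so a failed mapping would be cast to `pthread_mutex_t *` and dereferenced. The check should read `if (addr == MAP_FAILED) {` in both places. main() also opens `argv[1]` with `O_CREAT|O_RDWR` and truncates it, and the header comment runs the test as root on `/tmp/foo`; adding `O_NOFOLLOW`, or using a directory that is not world-writable, avoids following a pre-existing symlink there. The rest of main() is missing from the page after `for (i=0;`, so nothing beyond that point is reviewed.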
2017-02-09 00:28:33.000000000 +0000 +++ samba-4.5.8+dfsg/debian/patches/winbind_trusted_domains.patch 2017-04-21 11:33:25.000000000 +0000 @@ -24,9 +24,11 @@ source3/winbindd/winbindd_cm.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -2860,7 +2860,8 @@ +Index: samba-4.5.8/source3/winbindd/winbindd_cm.c +=================================================================== +--- samba-4.5.8.orig/source3/winbindd/winbindd_cm.c 2017-04-21 07:36:38.995912324 -0400 ++++ samba-4.5.8/source3/winbindd/winbindd_cm.c 2017-04-21 07:36:38.991912282 -0400 +@@ -2871,7 +2871,8 @@ anonymous: /* Finally fall back to anonymous. */ @@ -36,7 +38,7 @@ status = NT_STATUS_DOWNGRADE_DETECTED; DEBUG(1, ("Unwilling to make SAMR connection to domain %s " "without connection level security, " -@@ -3159,7 +3160,8 @@ +@@ -3170,7 +3171,8 @@ anonymous: @@ -46,9 +48,9 @@ result = NT_STATUS_DOWNGRADE_DETECTED; DEBUG(1, ("Unwilling to make LSA connection to domain %s " "without connection level security, " -@@ -3340,7 +3342,8 @@ - * from this DC? - */ +@@ -3365,7 +3367,8 @@ + TALLOC_FREE(netlogon_creds); + if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && diff -Nru samba-4.5.4+dfsg/docs/manpages/cifsdd.8 samba-4.5.8+dfsg/docs/manpages/cifsdd.8 --- samba-4.5.4+dfsg/docs/manpages/cifsdd.8 2017-01-17 20:01:50.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/cifsdd.8 2017-03-31 06:29:39.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: cifsdd .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "CIFSDD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "CIFSDD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/dbwrap_tool.1 samba-4.5.8+dfsg/docs/manpages/dbwrap_tool.1 --- samba-4.5.4+dfsg/docs/manpages/dbwrap_tool.1 2017-01-17 20:01:50.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/dbwrap_tool.1 2017-03-31 06:29:39.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: dbwrap_tool .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "DBWRAP_TOOL" "1" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "DBWRAP_TOOL" "1" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/eventlogadm.8 samba-4.5.8+dfsg/docs/manpages/eventlogadm.8 --- samba-4.5.4+dfsg/docs/manpages/eventlogadm.8 2017-01-17 20:01:50.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/eventlogadm.8 2017-03-31 06:29:39.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: eventlogadm .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "EVENTLOGADM" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "EVENTLOGADM" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/findsmb.1 samba-4.5.8+dfsg/docs/manpages/findsmb.1 --- samba-4.5.4+dfsg/docs/manpages/findsmb.1 2017-01-17 20:01:50.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/findsmb.1 2017-03-31 06:29:40.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: findsmb .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "FINDSMB" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "FINDSMB" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_ad.8 samba-4.5.8+dfsg/docs/manpages/idmap_ad.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_ad.8 2017-01-17 20:01:51.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_ad.8 2017-03-31 06:29:40.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: idmap_ad .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_AD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_AD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_autorid.8 samba-4.5.8+dfsg/docs/manpages/idmap_autorid.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_autorid.8 2017-01-17 20:01:51.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_autorid.8 2017-03-31 06:29:40.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: idmap_autorid .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_AUTORID" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_AUTORID" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_hash.8 samba-4.5.8+dfsg/docs/manpages/idmap_hash.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_hash.8 2017-01-17 20:01:51.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_hash.8 2017-03-31 06:29:40.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: idmap_hash .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_HASH" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_HASH" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_ldap.8 samba-4.5.8+dfsg/docs/manpages/idmap_ldap.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_ldap.8 2017-01-17 20:01:51.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_ldap.8 2017-03-31 06:29:41.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: idmap_ldap .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_LDAP" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_LDAP" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_nss.8 samba-4.5.8+dfsg/docs/manpages/idmap_nss.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_nss.8 2017-01-17 20:01:52.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_nss.8 2017-03-31 06:29:41.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: idmap_nss .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_NSS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_NSS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_rfc2307.8 samba-4.5.8+dfsg/docs/manpages/idmap_rfc2307.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_rfc2307.8 2017-01-17 20:01:52.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_rfc2307.8 2017-03-31 06:29:41.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: idmap_rfc2307 .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_RFC2307" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_RFC2307" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_rid.8 samba-4.5.8+dfsg/docs/manpages/idmap_rid.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_rid.8 2017-01-17 20:01:52.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_rid.8 2017-03-31 06:29:41.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: idmap_rid .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_RID" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_RID" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_script.8 samba-4.5.8+dfsg/docs/manpages/idmap_script.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_script.8 2017-01-17 20:01:52.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_script.8 2017-03-31 06:29:41.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: idmap_script .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_SCRIPT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_SCRIPT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_tdb2.8 samba-4.5.8+dfsg/docs/manpages/idmap_tdb2.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_tdb2.8 2017-01-17 20:01:53.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_tdb2.8 2017-03-31 06:29:42.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: idmap_tdb2 .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_TDB2" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_TDB2" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/idmap_tdb.8 samba-4.5.8+dfsg/docs/manpages/idmap_tdb.8 --- samba-4.5.4+dfsg/docs/manpages/idmap_tdb.8 2017-01-17 20:01:52.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/idmap_tdb.8 2017-03-31 06:29:42.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: idmap_tdb .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "IDMAP_TDB" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "IDMAP_TDB" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/libsmbclient.7 samba-4.5.8+dfsg/docs/manpages/libsmbclient.7 --- samba-4.5.4+dfsg/docs/manpages/libsmbclient.7 2017-01-17 20:01:53.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/libsmbclient.7 2017-03-31 06:29:42.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: libsmbclient .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: 7 .\" Source: Samba 4.5 .\" Language: English .\" -.TH "LIBSMBCLIENT" "7" "01/17/2017" "Samba 4\&.5" "7" +.TH "LIBSMBCLIENT" "7" "03/31/2017" "Samba 4\&.5" "7" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/lmhosts.5 samba-4.5.8+dfsg/docs/manpages/lmhosts.5 --- samba-4.5.4+dfsg/docs/manpages/lmhosts.5 2017-01-17 20:01:53.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/lmhosts.5 2017-03-31 06:29:42.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: lmhosts .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: File Formats and Conventions .\" Source: Samba 4.5 .\" Language: English .\" -.TH "LMHOSTS" "5" "01/17/2017" "Samba 4\&.5" "File Formats and Conventions" +.TH "LMHOSTS" "5" "03/31/2017" "Samba 4\&.5" "File Formats and Conventions" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/log2pcap.1 samba-4.5.8+dfsg/docs/manpages/log2pcap.1 --- samba-4.5.4+dfsg/docs/manpages/log2pcap.1 2017-01-17 20:01:53.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/log2pcap.1 2017-03-31 06:29:43.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: log2pcap .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "LOG2PCAP" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "LOG2PCAP" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/net.8 samba-4.5.8+dfsg/docs/manpages/net.8 --- samba-4.5.4+dfsg/docs/manpages/net.8 2017-01-17 20:01:54.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/net.8 2017-03-31 06:29:43.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: net .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "NET" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "NET" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/nmbd.8 samba-4.5.8+dfsg/docs/manpages/nmbd.8 --- samba-4.5.4+dfsg/docs/manpages/nmbd.8 2017-01-17 20:01:54.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/nmbd.8 2017-03-31 06:29:43.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: nmbd .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "NMBD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "NMBD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/nmblookup.1 samba-4.5.8+dfsg/docs/manpages/nmblookup.1 --- samba-4.5.4+dfsg/docs/manpages/nmblookup.1 2017-01-17 20:01:54.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/nmblookup.1 2017-03-31 06:29:44.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: nmblookup .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "NMBLOOKUP" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "NMBLOOKUP" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/ntlm_auth.1 samba-4.5.8+dfsg/docs/manpages/ntlm_auth.1 --- samba-4.5.4+dfsg/docs/manpages/ntlm_auth.1 2017-01-17 20:01:55.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/ntlm_auth.1 2017-03-31 06:29:44.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: ntlm_auth .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "NTLM_AUTH" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "NTLM_AUTH" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/pam_winbind.8 samba-4.5.8+dfsg/docs/manpages/pam_winbind.8 --- samba-4.5.4+dfsg/docs/manpages/pam_winbind.8 2017-01-17 20:01:55.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/pam_winbind.8 2017-03-31 06:29:44.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: pam_winbind .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: 8 .\" Source: Samba 4.5 .\" Language: English .\" -.TH "PAM_WINBIND" "8" "01/17/2017" "Samba 4\&.5" "8" +.TH "PAM_WINBIND" "8" "03/31/2017" "Samba 4\&.5" "8" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/pam_winbind.conf.5 samba-4.5.8+dfsg/docs/manpages/pam_winbind.conf.5 --- samba-4.5.4+dfsg/docs/manpages/pam_winbind.conf.5 2017-01-17 20:01:55.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/pam_winbind.conf.5 2017-03-31 06:29:44.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: pam_winbind.conf .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: 5 .\" Source: Samba 4.5 .\" Language: English .\" -.TH "PAM_WINBIND\&.CONF" "5" "01/17/2017" "Samba 4\&.5" "5" +.TH "PAM_WINBIND\&.CONF" "5" "03/31/2017" "Samba 4\&.5" "5" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/pdbedit.8 samba-4.5.8+dfsg/docs/manpages/pdbedit.8 --- samba-4.5.4+dfsg/docs/manpages/pdbedit.8 2017-01-17 20:01:55.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/pdbedit.8 2017-03-31 06:29:44.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: pdbedit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "PDBEDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "PDBEDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/profiles.1 samba-4.5.8+dfsg/docs/manpages/profiles.1 --- samba-4.5.4+dfsg/docs/manpages/profiles.1 2017-01-17 20:01:56.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/profiles.1 2017-03-31 06:29:45.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: profiles .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "PROFILES" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "PROFILES" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/rpcclient.1 samba-4.5.8+dfsg/docs/manpages/rpcclient.1 --- samba-4.5.4+dfsg/docs/manpages/rpcclient.1 2017-01-17 20:01:56.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/rpcclient.1 2017-03-31 06:29:45.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: rpcclient .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "RPCCLIENT" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "RPCCLIENT" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/samba.7 samba-4.5.8+dfsg/docs/manpages/samba.7 --- samba-4.5.4+dfsg/docs/manpages/samba.7 2017-01-17 20:01:57.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/samba.7 2017-03-31 06:29:46.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: samba .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: Miscellanea .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SAMBA" "7" "01/17/2017" "Samba 4\&.5" "Miscellanea" +.TH "SAMBA" "7" "03/31/2017" "Samba 4\&.5" "Miscellanea" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/samba.8 samba-4.5.8+dfsg/docs/manpages/samba.8 --- samba-4.5.4+dfsg/docs/manpages/samba.8 2017-01-17 20:01:57.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/samba.8 2017-03-31 06:29:46.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: samba .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SAMBA" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SAMBA" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/samba-regedit.8 samba-4.5.8+dfsg/docs/manpages/samba-regedit.8 --- samba-4.5.4+dfsg/docs/manpages/samba-regedit.8 2017-01-17 20:01:56.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/samba-regedit.8 2017-03-31 06:29:45.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: samba-regedit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SAMBA\-REGEDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SAMBA\-REGEDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/samba-tool.8 samba-4.5.8+dfsg/docs/manpages/samba-tool.8 --- samba-4.5.4+dfsg/docs/manpages/samba-tool.8 2017-01-17 20:01:56.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/samba-tool.8 2017-03-31 06:29:45.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: samba-tool .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SAMBA\-TOOL" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SAMBA\-TOOL" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/sharesec.1 samba-4.5.8+dfsg/docs/manpages/sharesec.1 --- samba-4.5.4+dfsg/docs/manpages/sharesec.1 2017-01-17 20:01:57.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/sharesec.1 2017-03-31 06:29:46.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: sharesec .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SHARESEC" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SHARESEC" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbcacls.1 samba-4.5.8+dfsg/docs/manpages/smbcacls.1 --- samba-4.5.4+dfsg/docs/manpages/smbcacls.1 2017-01-17 20:02:01.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbcacls.1 2017-03-31 06:29:50.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbcacls .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBCACLS" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBCACLS" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbclient.1 samba-4.5.8+dfsg/docs/manpages/smbclient.1 --- samba-4.5.4+dfsg/docs/manpages/smbclient.1 2017-01-17 20:02:01.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbclient.1 2017-03-31 06:29:50.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbclient .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBCLIENT" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBCLIENT" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smb.conf.5 samba-4.5.8+dfsg/docs/manpages/smb.conf.5 --- samba-4.5.4+dfsg/docs/manpages/smb.conf.5 2017-01-17 20:02:00.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smb.conf.5 2017-03-31 06:29:49.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smb.conf .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: File Formats and Conventions .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMB\&.CONF" "5" "01/17/2017" "Samba 4\&.5" "File Formats and Conventions" +.TH "SMB\&.CONF" "5" "03/31/2017" "Samba 4\&.5" "File Formats and Conventions" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -10473,7 +10473,9 @@ .\} Setting it to \fIoff\fR -globally will completely disable the encryption feature\&. +globally will completely disable the encryption feature for all connections\&. Setting +\fIsmb encrypt = required\fR +for individual shares (while it\*(Aqs globally off) will deny access to this shares for all clients\&. .RE .sp .RS 4 diff -Nru samba-4.5.4+dfsg/docs/manpages/smbcontrol.1 samba-4.5.8+dfsg/docs/manpages/smbcontrol.1 --- samba-4.5.4+dfsg/docs/manpages/smbcontrol.1 2017-01-17 20:02:01.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbcontrol.1 2017-03-31 06:29:50.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbcontrol .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBCONTROL" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBCONTROL" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbcquotas.1 samba-4.5.8+dfsg/docs/manpages/smbcquotas.1 --- samba-4.5.4+dfsg/docs/manpages/smbcquotas.1 2017-01-17 20:02:01.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbcquotas.1 2017-03-31 06:29:50.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbcquotas .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBCQUOTAS" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBCQUOTAS" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbd.8 samba-4.5.8+dfsg/docs/manpages/smbd.8 --- samba-4.5.4+dfsg/docs/manpages/smbd.8 2017-01-17 20:02:02.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbd.8 2017-03-31 06:29:51.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbd .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SMBD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbget.1 samba-4.5.8+dfsg/docs/manpages/smbget.1 --- samba-4.5.4+dfsg/docs/manpages/smbget.1 2017-01-17 20:02:02.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbget.1 2017-03-31 06:29:51.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbget .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBGET" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBGET" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbgetrc.5 samba-4.5.8+dfsg/docs/manpages/smbgetrc.5 --- samba-4.5.4+dfsg/docs/manpages/smbgetrc.5 2017-01-17 20:02:02.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbgetrc.5 2017-03-31 06:29:51.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbgetrc .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: File Formats and Conventions .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBGETRC" "5" "01/17/2017" "Samba 4\&.5" "File Formats and Conventions" +.TH "SMBGETRC" "5" "03/31/2017" "Samba 4\&.5" "File Formats and Conventions" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbpasswd.5 samba-4.5.8+dfsg/docs/manpages/smbpasswd.5 --- samba-4.5.4+dfsg/docs/manpages/smbpasswd.5 2017-01-17 20:02:02.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbpasswd.5 2017-03-31 06:29:51.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbpasswd .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: File Formats and Conventions .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBPASSWD" "5" "01/17/2017" "Samba 4\&.5" "File Formats and Conventions" +.TH "SMBPASSWD" "5" "03/31/2017" "Samba 4\&.5" "File Formats and Conventions" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbpasswd.8 samba-4.5.8+dfsg/docs/manpages/smbpasswd.8 --- samba-4.5.4+dfsg/docs/manpages/smbpasswd.8 2017-01-17 20:02:03.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbpasswd.8 2017-03-31 06:29:52.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbpasswd .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBPASSWD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SMBPASSWD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbspool.8 samba-4.5.8+dfsg/docs/manpages/smbspool.8 --- samba-4.5.4+dfsg/docs/manpages/smbspool.8 2017-01-17 20:02:03.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbspool.8 2017-03-31 06:29:52.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbspool .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBSPOOL" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SMBSPOOL" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbspool_krb5_wrapper.8 samba-4.5.8+dfsg/docs/manpages/smbspool_krb5_wrapper.8 --- samba-4.5.4+dfsg/docs/manpages/smbspool_krb5_wrapper.8 2017-01-17 20:02:03.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbspool_krb5_wrapper.8 2017-03-31 06:29:52.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbspool_krb5_wrapper .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBSPOOL_KRB5_WRAPPE" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "SMBSPOOL_KRB5_WRAPPE" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbstatus.1 samba-4.5.8+dfsg/docs/manpages/smbstatus.1 --- samba-4.5.4+dfsg/docs/manpages/smbstatus.1 2017-01-17 20:02:03.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbstatus.1 2017-03-31 06:29:52.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbstatus .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBSTATUS" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBSTATUS" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbtar.1 samba-4.5.8+dfsg/docs/manpages/smbtar.1 --- samba-4.5.4+dfsg/docs/manpages/smbtar.1 2017-01-17 20:02:03.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbtar.1 2017-03-31 06:29:52.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: smbtar .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBTAR" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBTAR" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/smbtree.1 samba-4.5.8+dfsg/docs/manpages/smbtree.1 --- samba-4.5.4+dfsg/docs/manpages/smbtree.1 2017-01-17 20:02:04.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/smbtree.1 2017-03-31 06:29:53.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: smbtree .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "SMBTREE" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "SMBTREE" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/testparm.1 samba-4.5.8+dfsg/docs/manpages/testparm.1 --- samba-4.5.4+dfsg/docs/manpages/testparm.1 2017-01-17 20:02:04.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/testparm.1 2017-03-31 06:29:53.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: testparm .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "TESTPARM" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "TESTPARM" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_acl_tdb.8 samba-4.5.8+dfsg/docs/manpages/vfs_acl_tdb.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_acl_tdb.8 2017-01-17 20:02:04.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_acl_tdb.8 2017-03-31 06:29:53.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_acl_tdb .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_ACL_TDB" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_ACL_TDB" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_acl_xattr.8 samba-4.5.8+dfsg/docs/manpages/vfs_acl_xattr.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_acl_xattr.8 2017-01-17 20:02:04.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_acl_xattr.8 2017-03-31 06:29:53.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_acl_xattr .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_ACL_XATTR" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_ACL_XATTR" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_aio_fork.8 samba-4.5.8+dfsg/docs/manpages/vfs_aio_fork.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_aio_fork.8 2017-01-17 20:02:05.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_aio_fork.8 2017-03-31 06:29:54.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_aio_fork .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_AIO_FORK" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_AIO_FORK" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_aio_linux.8 samba-4.5.8+dfsg/docs/manpages/vfs_aio_linux.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_aio_linux.8 2017-01-17 20:02:05.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_aio_linux.8 2017-03-31 06:29:54.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_aio_linux .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_AIO_LINUX" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_AIO_LINUX" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_aio_pthread.8 samba-4.5.8+dfsg/docs/manpages/vfs_aio_pthread.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_aio_pthread.8 2017-01-17 20:02:05.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_aio_pthread.8 2017-03-31 06:29:54.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_aio_pthread .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_AIO_PTHREAD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_AIO_PTHREAD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_audit.8 samba-4.5.8+dfsg/docs/manpages/vfs_audit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_audit.8 2017-01-17 20:02:05.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_audit.8 2017-03-31 06:29:54.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_AUDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_AUDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_btrfs.8 samba-4.5.8+dfsg/docs/manpages/vfs_btrfs.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_btrfs.8 2017-01-17 20:02:05.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_btrfs.8 2017-03-31 06:29:54.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_btrfs .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_BTRFS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_BTRFS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_cacheprime.8 samba-4.5.8+dfsg/docs/manpages/vfs_cacheprime.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_cacheprime.8 2017-01-17 20:02:06.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_cacheprime.8 2017-03-31 06:29:55.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_cacheprime .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_CACHEPRIME" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_CACHEPRIME" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_cap.8 samba-4.5.8+dfsg/docs/manpages/vfs_cap.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_cap.8 2017-01-17 20:02:06.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_cap.8 2017-03-31 06:29:55.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_cap .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_CAP" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_CAP" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_catia.8 samba-4.5.8+dfsg/docs/manpages/vfs_catia.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_catia.8 2017-01-17 20:02:06.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_catia.8 2017-03-31 06:29:55.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_catia .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_CATIA" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_CATIA" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_ceph.8 samba-4.5.8+dfsg/docs/manpages/vfs_ceph.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_ceph.8 2017-01-17 20:02:06.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_ceph.8 2017-03-31 06:29:55.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_ceph .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_CEPH" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_CEPH" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_commit.8 samba-4.5.8+dfsg/docs/manpages/vfs_commit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_commit.8 2017-01-17 20:02:07.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_commit.8 2017-03-31 06:29:56.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_commit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_COMMIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_COMMIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_crossrename.8 samba-4.5.8+dfsg/docs/manpages/vfs_crossrename.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_crossrename.8 2017-01-17 20:02:07.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_crossrename.8 2017-03-31 06:29:56.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_crossrename .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_CROSSRENAME" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_CROSSRENAME" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_default_quota.8 samba-4.5.8+dfsg/docs/manpages/vfs_default_quota.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_default_quota.8 2017-01-17 20:02:07.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_default_quota.8 2017-03-31 06:29:56.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_default_quota .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_DEFAULT_QUOTA" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_DEFAULT_QUOTA" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_dirsort.8 samba-4.5.8+dfsg/docs/manpages/vfs_dirsort.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_dirsort.8 2017-01-17 20:02:07.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_dirsort.8 2017-03-31 06:29:56.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_dirsort .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_DIRSORT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_DIRSORT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_extd_audit.8 samba-4.5.8+dfsg/docs/manpages/vfs_extd_audit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_extd_audit.8 2017-01-17 20:02:07.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_extd_audit.8 2017-03-31 06:29:56.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_extd_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_EXTD_AUDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_EXTD_AUDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_fake_perms.8 samba-4.5.8+dfsg/docs/manpages/vfs_fake_perms.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_fake_perms.8 2017-01-17 20:02:08.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_fake_perms.8 2017-03-31 06:29:57.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_fake_perms .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_FAKE_PERMS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_FAKE_PERMS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_fileid.8 samba-4.5.8+dfsg/docs/manpages/vfs_fileid.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_fileid.8 2017-01-17 20:02:08.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_fileid.8 2017-03-31 06:29:57.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_fileid .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_FILEID" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_FILEID" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_fruit.8 samba-4.5.8+dfsg/docs/manpages/vfs_fruit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_fruit.8 2017-01-17 20:02:08.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_fruit.8 2017-03-31 06:29:57.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_fruit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_FRUIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_FRUIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -306,7 +306,17 @@ .PP fruit:veto_appledouble = yes | no .RS 4 -Whether \&._ AppleDouble files are vetoed which prevents the client from seing and accessing internal AppleDouble files created by vfs_fruit itself for the purpose of storing a Mac resource fork\&. +\fINote:\fR +this option only applies when +\fIfruit:resource\fR +is set to +\fIfile\fR +(the default)\&. +.sp +When +\fIfruit:resource\fR +is set to +\fIfile\fR, vfs_fruit may create \&._ AppleDouble files\&. This options controls whether these \&._ AppleDouble files are vetoed which prevents the client from accessing them\&. .sp Vetoing \&._ files may break some applications, eg extracting Mac ZIP archives from Mac clients failes, because they contain \&._ files\&. Setting this option to false will fix this, but the abstraction leak of exposing the internally created \&._ files may have other unknown side effects\&. .sp diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_full_audit.8 samba-4.5.8+dfsg/docs/manpages/vfs_full_audit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_full_audit.8 2017-01-17 20:02:08.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_full_audit.8 2017-03-31 06:29:57.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_full_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_FULL_AUDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_FULL_AUDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_glusterfs.8 samba-4.5.8+dfsg/docs/manpages/vfs_glusterfs.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_glusterfs.8 2017-01-17 20:02:09.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_glusterfs.8 2017-03-31 06:29:58.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_glusterfs .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_GLUSTERFS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_GLUSTERFS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_gpfs.8 samba-4.5.8+dfsg/docs/manpages/vfs_gpfs.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_gpfs.8 2017-01-17 20:02:09.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_gpfs.8 2017-03-31 06:29:58.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_gpfs .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_GPFS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_GPFS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 samba-4.5.8+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 2017-01-17 20:02:09.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_linux_xfs_sgid.8 2017-03-31 06:29:58.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_syncops .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SYNCOPS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SYNCOPS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_media_harmony.8 samba-4.5.8+dfsg/docs/manpages/vfs_media_harmony.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_media_harmony.8 2017-01-17 20:02:09.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_media_harmony.8 2017-03-31 06:29:58.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_media_harmony .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_MEDIA_HARMONY" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_MEDIA_HARMONY" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_netatalk.8 samba-4.5.8+dfsg/docs/manpages/vfs_netatalk.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_netatalk.8 2017-01-17 20:02:09.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_netatalk.8 2017-03-31 06:29:58.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_netatalk .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_NETATALK" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_NETATALK" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_offline.8 samba-4.5.8+dfsg/docs/manpages/vfs_offline.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_offline.8 2017-01-17 20:02:10.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_offline.8 2017-03-31 06:29:59.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_offline .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_OFFLINE" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_OFFLINE" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_prealloc.8 samba-4.5.8+dfsg/docs/manpages/vfs_prealloc.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_prealloc.8 2017-01-17 20:02:10.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_prealloc.8 2017-03-31 06:29:59.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_prealloc .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_PREALLOC" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_PREALLOC" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_preopen.8 samba-4.5.8+dfsg/docs/manpages/vfs_preopen.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_preopen.8 2017-01-17 20:02:10.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_preopen.8 2017-03-31 06:29:59.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_preopen .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_PREOPEN" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_PREOPEN" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_readahead.8 samba-4.5.8+dfsg/docs/manpages/vfs_readahead.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_readahead.8 2017-01-17 20:02:10.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_readahead.8 2017-03-31 06:29:59.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_readahead .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_READAHEAD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_READAHEAD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_readonly.8 samba-4.5.8+dfsg/docs/manpages/vfs_readonly.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_readonly.8 2017-01-17 20:02:11.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_readonly.8 2017-03-31 06:30:00.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_readonly .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_READONLY" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_READONLY" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_recycle.8 samba-4.5.8+dfsg/docs/manpages/vfs_recycle.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_recycle.8 2017-01-17 20:02:11.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_recycle.8 2017-03-31 06:30:00.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_recycle .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_RECYCLE" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_RECYCLE" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_shadow_copy2.8 samba-4.5.8+dfsg/docs/manpages/vfs_shadow_copy2.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_shadow_copy2.8 2017-01-17 20:02:11.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_shadow_copy2.8 2017-03-31 06:30:00.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_shadow_copy2 .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SHADOW_COPY2" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SHADOW_COPY2" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_shadow_copy.8 samba-4.5.8+dfsg/docs/manpages/vfs_shadow_copy.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_shadow_copy.8 2017-01-17 20:02:11.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_shadow_copy.8 2017-03-31 06:30:00.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_shadow_copy .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SHADOW_COPY" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SHADOW_COPY" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_shell_snap.8 samba-4.5.8+dfsg/docs/manpages/vfs_shell_snap.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_shell_snap.8 2017-01-17 20:02:11.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_shell_snap.8 2017-03-31 06:30:00.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_shell_snap .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SHELL_SNAP" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SHELL_SNAP" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_snapper.8 samba-4.5.8+dfsg/docs/manpages/vfs_snapper.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_snapper.8 2017-01-17 20:02:12.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_snapper.8 2017-03-31 06:30:01.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_snapper .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SNAPPER" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SNAPPER" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_streams_depot.8 samba-4.5.8+dfsg/docs/manpages/vfs_streams_depot.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_streams_depot.8 2017-01-17 20:02:12.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_streams_depot.8 2017-03-31 06:30:01.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_streams_depot .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_STREAMS_DEPOT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_STREAMS_DEPOT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_streams_xattr.8 samba-4.5.8+dfsg/docs/manpages/vfs_streams_xattr.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_streams_xattr.8 2017-01-17 20:02:12.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_streams_xattr.8 2017-03-31 06:30:01.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_streams_xattr .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_STREAMS_XATTR" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_STREAMS_XATTR" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_syncops.8 samba-4.5.8+dfsg/docs/manpages/vfs_syncops.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_syncops.8 2017-01-17 20:02:12.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_syncops.8 2017-03-31 06:30:01.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_syncops .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_SYNCOPS" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_SYNCOPS" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfstest.1 samba-4.5.8+dfsg/docs/manpages/vfstest.1 --- samba-4.5.4+dfsg/docs/manpages/vfstest.1 2017-01-17 20:02:14.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfstest.1 2017-03-31 06:30:03.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfstest .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: User Commands .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFSTEST" "1" "01/17/2017" "Samba 4\&.5" "User Commands" +.TH "VFSTEST" "1" "03/31/2017" "Samba 4\&.5" "User Commands" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_time_audit.8 samba-4.5.8+dfsg/docs/manpages/vfs_time_audit.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_time_audit.8 2017-01-17 20:02:13.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_time_audit.8 2017-03-31 06:30:02.000000000 +0000 
@@ -2,12 +2,12 @@ .\" Title: vfs_time_audit .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_TIME_AUDIT" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_TIME_AUDIT" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_tsmsm.8 samba-4.5.8+dfsg/docs/manpages/vfs_tsmsm.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_tsmsm.8 2017-01-17 20:02:13.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_tsmsm.8 2017-03-31 06:30:02.000000000 +0000 @@ -2,12 +2,12 @@ .\" Title: vfs_tsmsm .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: System Administration tools .\" Source: Samba 4.5 .\" Language: English .\" -.TH "VFS_TSMSM" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools" +.TH "VFS_TSMSM" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_unityed_media.8 samba-4.5.8+dfsg/docs/manpages/vfs_unityed_media.8 --- samba-4.5.4+dfsg/docs/manpages/vfs_unityed_media.8 2017-01-17 20:02:13.000000000 +0000 +++ samba-4.5.8+dfsg/docs/manpages/vfs_unityed_media.8 2017-03-31 06:30:02.000000000 +0000 
@@ -2,12 +2,12 @@
 .\" Title: vfs_unityed_media
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: System Administration tools
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "VFS_UNITYED_MEDIA" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools"
+.TH "VFS_UNITYED_MEDIA" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_worm.8 samba-4.5.8+dfsg/docs/manpages/vfs_worm.8
--- samba-4.5.4+dfsg/docs/manpages/vfs_worm.8 2017-01-17 20:02:13.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/vfs_worm.8 2017-03-31 06:30:02.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: vfs_worm
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: System Administration tools
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "VFS_WORM" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools"
+.TH "VFS_WORM" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_xattr_tdb.8 samba-4.5.8+dfsg/docs/manpages/vfs_xattr_tdb.8
--- samba-4.5.4+dfsg/docs/manpages/vfs_xattr_tdb.8 2017-01-17 20:02:13.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/vfs_xattr_tdb.8 2017-03-31 06:30:03.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: vfs_xattr_tdb
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: System Administration tools
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "VFS_XATTR_TDB" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools"
+.TH "VFS_XATTR_TDB" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/vfs_zfsacl.8 samba-4.5.8+dfsg/docs/manpages/vfs_zfsacl.8
--- samba-4.5.4+dfsg/docs/manpages/vfs_zfsacl.8 2017-01-17 20:02:14.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/vfs_zfsacl.8 2017-03-31 06:30:03.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: vfs_zfsacl
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: System Administration tools
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "VFS_ZFSACL" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools"
+.TH "VFS_ZFSACL" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/wbinfo.1 samba-4.5.8+dfsg/docs/manpages/wbinfo.1
--- samba-4.5.4+dfsg/docs/manpages/wbinfo.1 2017-01-17 20:02:14.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/wbinfo.1 2017-03-31 06:30:03.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: wbinfo
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: User Commands
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "WBINFO" "1" "01/17/2017" "Samba 4\&.5" "User Commands"
+.TH "WBINFO" "1" "03/31/2017" "Samba 4\&.5" "User Commands"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/winbindd.8 samba-4.5.8+dfsg/docs/manpages/winbindd.8
--- samba-4.5.4+dfsg/docs/manpages/winbindd.8 2017-01-17 20:02:15.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/winbindd.8 2017-03-31 06:30:04.000000000 +0000
@@ -2,12 +2,12 @@
 .\" Title: winbindd
 .\" Author: [see the "AUTHOR" section]
 .\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 01/17/2017
+.\" Date: 03/31/2017
 .\" Manual: System Administration tools
 .\" Source: Samba 4.5
 .\" Language: English
 .\"
-.TH "WINBINDD" "8" "01/17/2017" "Samba 4\&.5" "System Administration tools"
+.TH "WINBINDD" "8" "03/31/2017" "Samba 4\&.5" "System Administration tools"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -Nru samba-4.5.4+dfsg/docs/manpages/winbind_krb5_locator.7 samba-4.5.8+dfsg/docs/manpages/winbind_krb5_locator.7
--- samba-4.5.4+dfsg/docs/manpages/winbind_krb5_locator.7 2017-01-17 20:02:14.000000000 +0000
+++ samba-4.5.8+dfsg/docs/manpages/winbind_krb5_locator.7 2017-03-31 06:30:03.000000000 +0000
@@ -2,12 +2,12 @@ .\" Title: winbind_krb5_locator .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 01/17/2017 +.\" Date: 03/31/2017 .\" Manual: 7 .\" Source: Samba 4.5 .\" Language: English .\" -.TH "WINBIND_KRB5_LOCATOR" "7" "01/17/2017" "Samba 4\&.5" "7" +.TH "WINBIND_KRB5_LOCATOR" "7" "03/31/2017" "Samba 4\&.5" "7" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff -Nru samba-4.5.4+dfsg/docs-xml/manpages/vfs_fruit.8.xml samba-4.5.8+dfsg/docs-xml/manpages/vfs_fruit.8.xml --- samba-4.5.4+dfsg/docs-xml/manpages/vfs_fruit.8.xml 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/docs-xml/manpages/vfs_fruit.8.xml 2017-03-09 09:21:43.000000000 +0000 @@ -235,10 +235,14 @@ fruit:veto_appledouble = yes | no - Whether ._ AppleDouble files are vetoed which - prevents the client from seing and accessing internal - AppleDouble files created by vfs_fruit itself for the - purpose of storing a Mac resource fork. + Note: this option only applies when + fruit:resource is set to + file (the default). + + When fruit:resource is set to + file, vfs_fruit may create ._ AppleDouble + files. This options controls whether these ._ AppleDouble files + are vetoed which prevents the client from accessing them. Vetoing ._ files may break some applications, eg extracting Mac ZIP archives from Mac clients failes, because they contain ._ files. Setting this option to diff -Nru samba-4.5.4+dfsg/docs-xml/smbdotconf/security/smbencrypt.xml samba-4.5.8+dfsg/docs-xml/smbdotconf/security/smbencrypt.xml --- samba-4.5.4+dfsg/docs-xml/smbdotconf/security/smbencrypt.xml 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/docs-xml/smbdotconf/security/smbencrypt.xml 2017-03-09 09:21:43.000000000 +0000 
@@ -180,7 +180,11 @@ Setting it to off globally will - completely disable the encryption feature. + completely disable the encryption feature for all + connections. Setting smb encrypt = + required for individual shares (while it's + globally off) will deny access to this shares for all + clients. diff -Nru samba-4.5.4+dfsg/lib/krb5_wrap/krb5_samba.c samba-4.5.8+dfsg/lib/krb5_wrap/krb5_samba.c --- samba-4.5.4+dfsg/lib/krb5_wrap/krb5_samba.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/lib/krb5_wrap/krb5_samba.c 2017-03-09 09:21:43.000000000 +0000 @@ -24,6 +24,7 @@ #include "system/filesys.h" #include "krb5_samba.h" #include "lib/util/asn1.h" +#include "lib/crypto/crypto.h" #ifdef HAVE_COM_ERR_H #include @@ -202,6 +203,42 @@ return -1; } + if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) { + TALLOC_CTX *frame = talloc_stackframe(); + uint8_t *utf16 = NULL; + size_t utf16_size = 0; + uint8_t nt_hash[16]; + bool ok; + + ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE, + password->data, password->length, + (void **)&utf16, &utf16_size); + if (!ok) { + if (errno == 0) { + errno = EINVAL; + } + ret = errno; + TALLOC_FREE(frame); + return ret; + } + + mdfour(nt_hash, utf16, utf16_size); + memset(utf16, 0, utf16_size); + ret = smb_krb5_keyblock_init_contents(context, + ENCTYPE_ARCFOUR_HMAC, + nt_hash, + sizeof(nt_hash), + key); + ZERO_STRUCT(nt_hash); + if (ret != 0) { + TALLOC_FREE(frame); + return ret; + } + + TALLOC_FREE(frame); + return 0; + } + #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY) {/* MIT */ krb5_data _salt; diff -Nru samba-4.5.4+dfsg/lib/ldb-samba/ldb_ildap.c samba-4.5.8+dfsg/lib/ldb-samba/ldb_ildap.c --- samba-4.5.4+dfsg/lib/ldb-samba/ldb_ildap.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/lib/ldb-samba/ldb_ildap.c 2017-03-09 09:21:43.000000000 +0000 
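Review bot: The two wipes in the new ARCFOUR_HMAC branch, `memset(utf16, 0, utf16_size)` and `ZERO_STRUCT(nt_hash)`, are the last writes to buffers that are never read again, so if `ZERO_STRUCT` is a plain `memset` (its definition is not in this hunk) an optimising compiler may treat the stack wipe of `nt_hash` as a dead store and drop it. `nt_hash` is the RC4-HMAC key itself, so it should be cleared with a wipe that cannot be elided, for example `explicit_bzero(nt_hash, sizeof(nt_hash));` where the platform provides it. The enclosing function starts and ends outside the hunk, so whether `password->data` is already in the "unix charset" that `CH_UNIX` assumes could not be checked from here.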
@@ -863,6 +863,7 @@ return LDB_SUCCESS; failed: + ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status)); talloc_free(module); if (NT_STATUS_IS_LDAP(status)) { return NT_STATUS_LDAP_CODE(status); diff -Nru samba-4.5.4+dfsg/lib/torture/torture.h samba-4.5.8+dfsg/lib/torture/torture.h --- samba-4.5.4+dfsg/lib/torture/torture.h 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/lib/torture/torture.h 2017-03-09 09:21:43.000000000 +0000 @@ -362,7 +362,7 @@ if (memcmp(__got, __expected, len) != 0) { \ torture_result(torture_ctx, TORTURE_FAIL, \ __location__": "#got" of len %d did not match "#expected": %s", (int)len, cmt); \ - return false; \ + ret = false; \ goto label; \ } \ } while(0) diff -Nru samba-4.5.4+dfsg/lib/util/genrand_util.c samba-4.5.8+dfsg/lib/util/genrand_util.c --- samba-4.5.4+dfsg/lib/util/genrand_util.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/lib/util/genrand_util.c 2017-03-09 09:21:43.000000000 +0000 @@ -210,7 +210,7 @@ } /** - * Generate a random text password. + * Generate a random text password (based on printable ascii characters). */ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max) 
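Review bot: The new `ldb_set_errstring(ldb, ldap_errstr(ildb->ldap, module, status));` runs for every jump to `failed:`, so it dereferences `ildb` and uses `ildb->ldap` and `status` even on paths where they may not have been set yet. The function body above the label is outside the hunk, so this needs checking against each `goto failed`: if any is taken before `ildb` is allocated or before the connection object exists, the error path itself would crash, and an earlier, more specific error string would be overwritten. Guarding the call, e.g. `if (ildb != NULL && ildb->ldap != NULL) {`, keeps the extra diagnostics without that risk.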
@@ -258,6 +258,172 @@ } /** + * Generate a random machine password (based on random utf16 characters, + * converted to utf8). min must be at least 14, max must be at most 255. + * + * If 'unix charset' is not utf8, the password consist of random ascii + * values! + */ + +_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max) +{ + TALLOC_CTX *frame = NULL; + struct generate_random_machine_password_state { + uint8_t password_buffer[256 * 2]; + uint8_t tmp; + } *state; + char *new_pw = NULL; + size_t len = max; + char *utf8_pw = NULL; + size_t utf8_len = 0; + char *unix_pw = NULL; + size_t unix_len = 0; + size_t diff; + size_t i; + bool ok; + int cmp; + + if (max > 255) { + errno = EINVAL; + return NULL; + } + + if (min < 14) { + errno = EINVAL; + return NULL; + } + + if (min > max) { + errno = EINVAL; + return NULL; + } + + frame = talloc_stackframe_pool(2048); + state = talloc_zero(frame, struct generate_random_machine_password_state); + + diff = max - min; + + if (diff > 0) { + size_t tmp; + + generate_random_buffer((uint8_t *)&tmp, sizeof(tmp)); + + tmp %= diff; + + len = min + tmp; + } + + /* + * Create a random machine account password + * We create a random buffer and convert that to utf8. + * This is similar to what windows is doing. + * + * In future we may store the raw random buffer, + * but for now we need to pass the password as + * char pointer through some layers. + * + * As most kerberos keys are derived from the + * utf8 password we need to fallback to + * ASCII passwords if "unix charset" is not utf8. + */ + generate_secret_buffer(state->password_buffer, len * 2); + for (i = 0; i < len; i++) { + size_t idx = i*2; + uint16_t c; + + /* + * both MIT krb5 and HEIMDAL only + * handle codepoints up to 0xffff. + * + * It means we need to avoid + * 0xD800 - 0xDBFF (high surrogate) + * and + * 0xDC00 - 0xDFFF (low surrogate) + * in the random utf16 data. 
+ * + * 55296 0xD800 0154000 0b1101100000000000 + * 57343 0xDFFF 0157777 0b1101111111111111 + * 8192 0x2000 020000 0b10000000000000 + * + * The above values show that we can check + * for 0xD800 and just add 0x2000 to avoid + * the surrogate ranges. + * + * The rest will be handled by CH_UTF16MUNGED + * see utf16_munged_pull(). + */ + c = SVAL(state->password_buffer, idx); + if (c & 0xD800) { + c |= 0x2000; + } + SSVAL(state->password_buffer, idx, c); + } + ok = convert_string_talloc(frame, + CH_UTF16MUNGED, CH_UTF8, + state->password_buffer, len * 2, + (void *)&utf8_pw, &utf8_len); + if (!ok) { + DEBUG(0, ("%s: convert_string_talloc() failed\n", + __func__)); + TALLOC_FREE(frame); + return NULL; + } + + ok = convert_string_talloc(frame, + CH_UTF16MUNGED, CH_UNIX, + state->password_buffer, len * 2, + (void *)&unix_pw, &unix_len); + if (!ok) { + goto ascii_fallback; + } + + if (utf8_len != unix_len) { + goto ascii_fallback; + } + + cmp = memcmp((const uint8_t *)utf8_pw, + (const uint8_t *)unix_pw, + utf8_len); + if (cmp != 0) { + goto ascii_fallback; + } + + new_pw = talloc_strdup(mem_ctx, utf8_pw); + if (new_pw == NULL) { + TALLOC_FREE(frame); + return NULL; + } + talloc_set_name_const(new_pw, __func__); + TALLOC_FREE(frame); + return new_pw; + +ascii_fallback: + for (i = 0; i < len; i++) { + /* + * truncate to ascii + */ + state->tmp = state->password_buffer[i] & 0x7f; + if (state->tmp == 0) { + state->tmp = state->password_buffer[i] >> 1; + } + if (state->tmp == 0) { + state->tmp = 0x01; + } + state->password_buffer[i] = state->tmp; + } + state->password_buffer[i] = '\0'; + + new_pw = talloc_strdup(mem_ctx, (const char *)state->password_buffer); + if (new_pw == NULL) { + TALLOC_FREE(frame); + return NULL; + } + talloc_set_name_const(new_pw, __func__); + TALLOC_FREE(frame); + return new_pw; +} + +/** * Generate an array of unique text strings all of the same length. * The returned string will be allocated. 
* Returns NULL if the number of unique combinations cannot be created. diff -Nru samba-4.5.4+dfsg/lib/util/samba_util.h samba-4.5.8+dfsg/lib/util/samba_util.h --- samba-4.5.4+dfsg/lib/util/samba_util.h 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/lib/util/samba_util.h 2017-03-09 09:21:43.000000000 +0000 
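Review bot: The surrogate filter `if (c & 0xD800)` in the UTF-16 loop of `generate_random_machine_password()` does not test what its comment describes: it is true whenever any of bits 15, 14, 12 or 11 is set, not only for 0xD800–0xDFFF, so bit 13 is forced on for most code units and the password carries close to one bit less randomness per unit than intended. `if ((c & 0xF800) == 0xD800) {` matches only the surrogate block and still moves those values out of it with `c |= 0x2000`. Separately, `state = talloc_zero(frame, ...)` is used without a NULL check, so an allocation failure is dereferenced in `generate_secret_buffer(state->password_buffer, len * 2)`; it should free `frame`, set `errno = ENOMEM` and return NULL. `state->password_buffer`, `utf8_pw` and `unix_pw` all hold the new secret and are released by `TALLOC_FREE(frame)` without being cleared, unlike the krb5_samba.c hunk in this diff, which zeroes its intermediates.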
@@ -103,11 +103,41 @@ _PUBLIC_ bool check_password_quality(const char *s); /** - * Generate a random text password. + * Generate a random text password (based on printable ascii characters). + * This function is designed to provide a password that + * meats the complexity requirements of UF_NORMAL_ACCOUNT objects + * and they should be human readable and writeable on any keyboard layout. + * + * Characters used are: + * ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,@$%&!?:;<=>()[]~ */ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max); /** + * Generate a random machine password + * + * min and max are the number of utf16 characters used + * to generate on utf8 compatible password. + * + * Note: if 'unix charset' is not 'utf8' (the default) + * then each utf16 character is only filled with + * values from 0x01 to 0x7f (ascii values without 0x00). + * This is important as the password neets to be + * a valid value as utf8 string and at the same time + * a valid value in the 'unix charset'. + * + * If 'unix charset' is 'utf8' (the default) then + * each utf16 character is a random value from 0x0000 + * 0xFFFF (exluding the surrogate ranges from 0xD800-0xDFFF) + * while the translation from CH_UTF16MUNGED + * to CH_UTF8 replaces invalid values (see utf16_munged_pull()). + * + * Note: these passwords may not pass the complexity requirements + * for UF_NORMAL_ACCOUNT objects (except krbtgt accounts). + */ +_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max); + +/** Use the random number generator to generate a random string. 
**/ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const char *list); diff -Nru samba-4.5.4+dfsg/libcli/auth/netlogon_creds_cli.c samba-4.5.8+dfsg/libcli/auth/netlogon_creds_cli.c --- samba-4.5.4+dfsg/libcli/auth/netlogon_creds_cli.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/libcli/auth/netlogon_creds_cli.c 2017-03-09 09:21:43.000000000 +0000 @@ -484,6 +484,14 @@ return NT_STATUS_OK; } +char *netlogon_creds_cli_debug_string( + const struct netlogon_creds_cli_context *context, + TALLOC_CTX *mem_ctx) +{ + return talloc_asprintf(mem_ctx, "netlogon_creds_cli:%s", + context->db.key_name); +} + enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( struct netlogon_creds_cli_context *context) { @@ -1747,7 +1755,11 @@ /* * netr_ServerPasswordSet */ - E_md4hash(new_password, state->samr_password.hash); + ok = E_md4hash(new_password, state->samr_password.hash); + if (!ok) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return tevent_req_post(req, ev); + } /* * netr_ServerPasswordSet2 @@ -2075,11 +2087,24 @@ /* * the read only credentials before we started the operation + * used for netr_LogonSamLogonEx() if required (validation_level = 3). */ struct netlogon_creds_CredentialState *ro_creds; + /* + * The (locked) credentials used for the credential chain + * used for netr_LogonSamLogonWithFlags() or + * netr_LogonSamLogonWith(). + */ struct netlogon_creds_CredentialState *lk_creds; + /* + * While we have locked the global credentials (lk_creds above) + * we operate an a temporary copy, because a server + * may not support netr_LogonSamLogonWithFlags() and + * didn't process our netr_Authenticator, so we need to + * restart from lk_creds. + */ struct netlogon_creds_CredentialState tmp_creds; struct netr_Authenticator req_auth; struct netr_Authenticator rep_auth; 
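Review bot: The header comment for `generate_random_machine_password()` leaves out the argument limits that the implementation in genrand_util.c enforces, so a caller reading only samba_util.h cannot tell why it gets NULL. I would add `* min must be at least 14 and max at most 255 (and min <= max); otherwise NULL is returned and errno is set to EINVAL.` It is also worth one line saying the result is a talloc string on `mem_ctx` that holds a secret, so callers know they own it and should clear it before freeing.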
@@ -2311,7 +2336,7 @@ return; } - netlogon_creds_encrypt_samlogon_logon(state->ro_creds, + netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds, state->logon_level, state->logon); @@ -2414,8 +2439,10 @@ /* * We got a race, lets retry with on authenticator * protection. + * + * netlogon_creds_cli_LogonSamLogon_start() + * will TALLOC_FREE(state->ro_creds); */ - TALLOC_FREE(state->ro_creds); state->try_logon_ex = false; netlogon_creds_cli_LogonSamLogon_start(req); return; diff -Nru samba-4.5.4+dfsg/libcli/auth/netlogon_creds_cli.h samba-4.5.8+dfsg/libcli/auth/netlogon_creds_cli.h --- samba-4.5.4+dfsg/libcli/auth/netlogon_creds_cli.h 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/libcli/auth/netlogon_creds_cli.h 2017-03-09 09:21:43.000000000 +0000 @@ -52,6 +52,10 @@ TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **_context); +char *netlogon_creds_cli_debug_string( + const struct netlogon_creds_cli_context *context, + TALLOC_CTX *mem_ctx); + enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( struct netlogon_creds_cli_context *context); diff -Nru samba-4.5.4+dfsg/librpc/rpc/dcerpc_error.c samba-4.5.8+dfsg/librpc/rpc/dcerpc_error.c --- samba-4.5.4+dfsg/librpc/rpc/dcerpc_error.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/librpc/rpc/dcerpc_error.c 2017-03-09 09:21:43.000000000 +0000 
@@ -50,12 +50,10 @@ _FAULT_STR(DCERPC_NCA_S_FAULT_INT_DIV_BY_ZERO, NT_STATUS_RPC_FP_DIV_ZERO), _FAULT_STR(DCERPC_NCA_S_FAULT_INT_OVERFLOW, NT_STATUS_RPC_FP_OVERFLOW), /* - * What's the difference between NT_STATUS_RPC_INVALID_TAG - * and NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ??? - * - * Our callers expect NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE. + * Our callers expect NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE + * instead of NT_STATUS_RPC_INVALID_TAG. */ - _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE), + _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE), _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_INVALID_TAG), _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_BOUND, NT_STATUS_RPC_INVALID_BOUND), _FAULT_STR(DCERPC_NCA_S_FAULT_RPC_VERSION_MISMATCH, NT_STATUS_RPC_PROTOCOL_ERROR), diff -Nru samba-4.5.4+dfsg/python/pyglue.c samba-4.5.8+dfsg/python/pyglue.c --- samba-4.5.4+dfsg/python/pyglue.c 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/python/pyglue.c 2017-03-09 09:21:43.000000000 +0000 @@ -60,6 +60,23 @@ return ret; } +static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args) +{ + int min, max; + PyObject *ret; + char *retstr; + if (!PyArg_ParseTuple(args, "ii", &min, &max)) + return NULL; + + retstr = generate_random_machine_password(NULL, min, max); + if (retstr == NULL) { + return NULL; + } + ret = PyUnicode_FromString(retstr); + talloc_free(retstr); + return ret; +} + static PyObject *py_unix2nttime(PyObject *self, PyObject *args) { time_t t; 
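Review bot: `py_generate_random_machine_password()` returns NULL to Python without setting an exception when `generate_random_machine_password()` fails, which the interpreter reports as a SystemError instead of something the caller can act on. The C function rejects `min < 14`, `max > 255` and `min > max` with `errno = EINVAL`, and the `int` arguments are converted to `size_t` on the call, so a negative value ends up on the same silent path. Checking the range in the wrapper and raising `ValueError`, then raising a real exception for the remaining NULL case, makes both failures visible. The returned string is also a secret and is freed with `talloc_free(retstr)` without being cleared first.

```c
	if (!PyArg_ParseTuple(args, "ii", &min, &max))
		return NULL;

	if (min < 14 || max > 255 || min > max) {
		PyErr_SetString(PyExc_ValueError,
				"min must be >= 14, max <= 255 and min <= max");
		return NULL;
	}

	retstr = generate_random_machine_password(NULL, min, max);
	if (retstr == NULL) {
		PyErr_SetString(PyExc_RuntimeError,
				"generate_random_machine_password failed");
		return NULL;
	}
	/* … unchanged: PyUnicode_FromString, talloc_free, return … */
```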
@@ -261,7 +278,14 @@ "Generate random string with specified length." }, { "generate_random_password", (PyCFunction)py_generate_random_password, METH_VARARGS, "generate_random_password(min, max) -> string\n" - "Generate random password with a length >= min and <= max." }, + "Generate random password (based on printable ascii characters) " + "with a length >= min and <= max." }, + { "generate_random_machine_password", (PyCFunction)py_generate_random_machine_password, + METH_VARARGS, "generate_random_machine_password(min, max) -> string\n" + "Generate random password " + "(based on random utf16 characters converted to utf8 or " + "random ascii characters if 'unix charset' is not 'utf8')" + "with a length >= min (at least 14) and <= max (at most 255)." }, { "unix2nttime", (PyCFunction)py_unix2nttime, METH_VARARGS, "unix2nttime(timestamp) -> nttime" }, { "nttime2unix", (PyCFunction)py_nttime2unix, METH_VARARGS, diff -Nru samba-4.5.4+dfsg/python/samba/dbchecker.py samba-4.5.8+dfsg/python/samba/dbchecker.py --- samba-4.5.4+dfsg/python/samba/dbchecker.py 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/dbchecker.py 2017-03-09 09:21:43.000000000 +0000 @@ -59,6 +59,7 @@ self.fix_all_string_dn_component_mismatch = False self.fix_all_GUID_dn_component_mismatch = False self.fix_all_SID_dn_component_mismatch = False + self.fix_all_old_dn_string_component_mismatch = False self.fix_all_metadata = False self.fix_time_metadata = False self.fix_undead_linked_attributes = False 
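Review bot: The new docstring for `generate_random_machine_password` is missing a space where two string literals join: the literal ending in `is not 'utf8')"` is followed directly by `"with a length >= min`, so the help text reads `'utf8')with a length`. Ending the earlier literal with a space, `"random ascii characters if 'unix charset' is not 'utf8') "`, fixes it. The text could also state that values outside 14..255 are rejected, since it currently reads as a description of the result and not as a constraint on the arguments.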
@@ -574,6 +575,23 @@ "Failed to fix %s on attribute %s" % (errstr, attrname)): self.report("Fixed %s on attribute %s" % (errstr, attrname)) + def err_dn_string_component_old(self, dn, attrname, val, dsdb_dn, correct_dn): + """handle a DN string being incorrect""" + self.report("NOTE: old (due to rename or delete) DN string component for %s in object %s - %s" % (attrname, dn, val)) + dsdb_dn.dn = correct_dn + + if not self.confirm_all('Change DN to %s?' % str(dsdb_dn), + 'fix_all_old_dn_string_component_mismatch'): + self.report("Not fixing old string component") + return + m = ldb.Message() + m.dn = dn + m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname) + m['new_value'] = ldb.MessageElement(str(dsdb_dn), ldb.FLAG_MOD_ADD, attrname) + if self.do_modify(m, ["show_recycled:1"], + "Failed to fix old DN string on attribute %s" % (attrname)): + self.report("Fixed old DN string on attribute %s" % (attrname)) + def err_dn_component_target_mismatch(self, dn, attrname, val, dsdb_dn, correct_dn, mismatch_type): """handle a DN string being incorrect""" self.report("ERROR: incorrect DN %s component for %s in object %s - %s" % (mismatch_type, attrname, dn, val)) @@ -627,10 +645,9 @@ self.report("Not fixing missing backlink %s" % backlink_name) return m = ldb.Message() - m.dn = obj.dn - m['old_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_DELETE, attrname) - m['new_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_ADD, attrname) - if self.do_modify(m, ["show_recycled:1"], + m.dn = target_dn + m['new_value'] = ldb.MessageElement(val, ldb.FLAG_MOD_ADD, backlink_name) + if self.do_modify(m, ["show_recycled:1", "relax:0"], "Failed to fix missing backlink %s" % backlink_name): self.report("Fixed missing backlink %s" % (backlink_name)) 
@@ -914,12 +931,16 @@ if rmd_flags & 1: continue - # check the DN matches in string form - if str(res[0].dn) != str(dsdb_dn.dn): - error_count += 1 - self.err_dn_component_target_mismatch(obj.dn, attrname, val, dsdb_dn, - res[0].dn, "string") - continue + # assert the DN matches in string form, where a reverse + # link exists, otherwise (below) offer to fix it as a non-error. + # The string form is essentially only kept for forensics, + # as we always re-resolve by GUID in normal operations. + if reverse_link_name is not None: + if str(res[0].dn) != str(dsdb_dn.dn): + error_count += 1 + self.err_dn_component_target_mismatch(obj.dn, attrname, val, dsdb_dn, + res[0].dn, "string") + continue if res[0].dn.get_extended_component("GUID") != dsdb_dn.dn.get_extended_component("GUID"): error_count += 1 @@ -933,9 +954,18 @@ res[0].dn, "SID") continue + # Now we have checked the GUID and SID, offer to fix old + # DN strings as a non-error (for forward links with no + # backlink). Samba does not maintain this string + # otherwise, so we don't increment error_count. + if reverse_link_name is None: + if str(res[0].dn) != str(dsdb_dn.dn): + self.err_dn_string_component_old(obj.dn, attrname, val, dsdb_dn, + res[0].dn) + continue - # check the reverse_link is correct if there should be one - if reverse_link_name is not None: + else: + # check the reverse_link is correct if there should be one match_count = 0 if reverse_link_name in res[0]: for v in res[0][reverse_link_name]: 
@@ -943,12 +973,16 @@ if v_guid == obj_guid: match_count += 1 if match_count != 1: - if target_is_deleted: - error_count += 1 - if linkID & 1: - self.err_missing_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn) - else: - self.err_orphaned_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn) + error_count += 1 + if linkID & 1: + # Backlink exists, but forward link does not + # Delete the hanging backlink + self.err_orphaned_backlink(obj, attrname, val, reverse_link_name, dsdb_dn.dn) + else: + # Forward link exists, but backlink does not + # Add the missing backlink (if the target object is not Deleted Objects?) + if not target_is_deleted: + self.err_missing_backlink(obj, attrname, obj.dn.extended_str(), reverse_link_name, dsdb_dn.dn) continue diff -Nru samba-4.5.4+dfsg/python/samba/__init__.py samba-4.5.8+dfsg/python/samba/__init__.py --- samba-4.5.4+dfsg/python/samba/__init__.py 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/__init__.py 2017-03-09 09:21:43.000000000 +0000 @@ -396,6 +396,7 @@ nttime2unix = _glue.nttime2unix unix2nttime = _glue.unix2nttime generate_random_password = _glue.generate_random_password +generate_random_machine_password = _glue.generate_random_machine_password strcasecmp_m = _glue.strcasecmp_m strstr_m = _glue.strstr_m is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built diff -Nru samba-4.5.4+dfsg/python/samba/join.py samba-4.5.8+dfsg/python/samba/join.py --- samba-4.5.4+dfsg/python/samba/join.py 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/join.py 2017-03-09 09:21:43.000000000 +0000 @@ -104,7 +104,7 @@ if machinepass is not None: ctx.acct_pass = machinepass else: - ctx.acct_pass = samba.generate_random_password(32, 40) + ctx.acct_pass = samba.generate_random_machine_password(128, 255) ctx.dnsdomain = ctx.samdb.domain_dns_name() if clone_only: 
@@ -667,7 +667,7 @@ pass ctx.net.set_password(account_name=ctx.samname, domain_name=ctx.domain_name, - newpassword=ctx.acct_pass) + newpassword=ctx.acct_pass.encode('utf-8')) res = ctx.samdb.search(base=ctx.acct_dn, scope=ldb.SCOPE_BASE, attrs=["msDS-KeyVersionNumber"]) @@ -691,7 +691,7 @@ {"DNSDOMAIN": ctx.dnsdomain, "DOMAINDN": ctx.base_dn, "HOSTNAME" : ctx.myname, - "DNSPASS_B64": b64encode(ctx.dnspass), + "DNSPASS_B64": b64encode(ctx.dnspass.encode('utf-16-le')), "DNSNAME" : ctx.dnshostname})) for changetype, msg in recs: assert changetype == ldb.CHANGETYPE_NONE @@ -863,7 +863,7 @@ repl_creds.guess(ctx.lp) repl_creds.set_kerberos_state(DONT_USE_KERBEROS) repl_creds.set_username(ctx.samname) - repl_creds.set_password(ctx.acct_pass) + repl_creds.set_password(ctx.acct_pass.encode('utf-8')) else: repl_creds = ctx.creds @@ -1314,7 +1314,8 @@ ctx.domsid = security.random_sid() ctx.acct_dn = None ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain) - ctx.trustdom_pass = samba.generate_random_password(128, 128) + # Windows uses 240 bytes as UTF16 so we do + ctx.trustdom_pass = samba.generate_random_machine_password(120, 120) ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION diff -Nru samba-4.5.4+dfsg/python/samba/netcmd/domain.py samba-4.5.8+dfsg/python/samba/netcmd/domain.py --- samba-4.5.4+dfsg/python/samba/netcmd/domain.py 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/netcmd/domain.py 2017-03-09 09:21:43.000000000 +0000 
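Review bot: `ctx.acct_pass.encode('utf-8')` only works here if `ctx.acct_pass` is a `unicode` object or pure ASCII; the first hunk of this file still accepts a caller-supplied `machinepass`, and under Python 2 calling `.encode('utf-8')` on a byte `str` with non-ASCII bytes first decodes it as ASCII and raises UnicodeDecodeError. The same pattern appears in this diff at `repl_creds.set_password(ctx.acct_pass.encode('utf-8'))`, `net.change_password(password.encode('utf-8'))` in netcmd/user.py, `msg["secret"] = [machinepass.encode('utf-8')]` in provision/__init__.py and `password.encode('utf-8')` in samdb.py, where the value may come from an option or a prompt. Normalising once where the password enters, e.g. `if isinstance(pw, str): pw = pw.decode('utf-8')`, would let all of these encode safely. The callers that supply these values are outside the hunks, so the input types are an assumption to confirm.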
@@ -2254,33 +2254,14 @@ # needs to pass the NL_PASSWORD_VERSION structure within the # 512 bytes and a 2 bytes confounder is required. # - def random_trust_secret(length, use_aes_keys=True): - secret = [0] * length - - pw1 = samba.generate_random_password(length/2, length/2) - if not use_aes_keys: - # With arcfour-hmac-md5 we have to use valid utf16 - # in order to generate the correct pre-auth key - # based on a utf8 password. - # - # We can remove this once our client libraries - # support using the correct NTHASH. - return string_to_byte_array(pw1.encode('utf-16-le')) - - # We mix characters from generate_random_password - # with random numbers from random.randint() - for i in range(len(secret)): - if len(pw1) > i: - secret[i] = ord(pw1[i]) - else: - secret[i] = random.randint(0, 255) - - return secret + def random_trust_secret(length): + pw = samba.generate_random_machine_password(length/2, length/2) + return string_to_byte_array(pw.encode('utf-16-le')) if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_INBOUND: - incoming_secret = random_trust_secret(240, use_aes_keys=use_aes_keys) + incoming_secret = random_trust_secret(240) if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_OUTBOUND: - outgoing_secret = random_trust_secret(240, use_aes_keys=use_aes_keys) + outgoing_secret = random_trust_secret(240) remote_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN remote_policy_access |= lsa.LSA_POLICY_CREATE_SECRET diff -Nru samba-4.5.4+dfsg/python/samba/netcmd/user.py samba-4.5.8+dfsg/python/samba/netcmd/user.py --- samba-4.5.4+dfsg/python/samba/netcmd/user.py 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/netcmd/user.py 2017-03-09 09:21:43.000000000 +0000 
@@ -670,7 +670,7 @@ self.outf.write("Sorry, passwords do not match.\n") try: - net.change_password(password) + net.change_password(password.encode('utf-8')) except Exception, msg: # FIXME: catch more specific exception raise CommandError("Failed to change password : %s" % msg) diff -Nru samba-4.5.4+dfsg/python/samba/provision/__init__.py samba-4.5.8+dfsg/python/samba/provision/__init__.py --- samba-4.5.4+dfsg/python/samba/provision/__init__.py 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/provision/__init__.py 2017-03-09 09:21:43.000000000 +0000 @@ -877,7 +877,7 @@ msg["msDS-KeyVersionNumber"] = [str(key_version_number)] msg["privateKeytab"] = ["secrets.keytab"] - msg["secret"] = [machinepass] + msg["secret"] = [machinepass.encode('utf-8')] msg["samAccountName"] = ["%s$" % netbiosname] msg["secureChannelType"] = [str(secure_channel_type)] if domainsid is not None: @@ -1768,9 +1768,9 @@ invocationid = str(uuid.uuid4()) if krbtgtpass is None: - krbtgtpass = samba.generate_random_password(128, 255) + krbtgtpass = samba.generate_random_machine_password(128, 255) if machinepass is None: - machinepass = samba.generate_random_password(128, 255) + machinepass = samba.generate_random_machine_password(128, 255) if dnspass is None: dnspass = samba.generate_random_password(128, 255) diff -Nru samba-4.5.4+dfsg/python/samba/provision/sambadns.py samba-4.5.8+dfsg/python/samba/provision/sambadns.py --- samba-4.5.4+dfsg/python/samba/provision/sambadns.py 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/provision/sambadns.py 2017-03-09 09:21:43.000000000 +0000 
@@ -661,7 +661,7 @@ "REALM": realm, "DNSDOMAIN": dnsdomain, "DNS_KEYTAB": dns_keytab_path, - "DNSPASS_B64": b64encode(dnspass), + "DNSPASS_B64": b64encode(dnspass.encode('utf-8')), "KEY_VERSION_NUMBER": str(key_version_number), "HOSTNAME": names.hostname, "DNSNAME" : '%s.%s' % ( diff -Nru samba-4.5.4+dfsg/python/samba/samdb.py samba-4.5.8+dfsg/python/samba/samdb.py --- samba-4.5.4+dfsg/python/samba/samdb.py 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/samdb.py 2017-03-09 09:21:43.000000000 +0000 @@ -503,7 +503,7 @@ if len(res) > 1: raise Exception('Matched %u multiple users with filter "%s"' % (len(res), search_filter)) user_dn = res[0].dn - pw = unicode('"' + password + '"', 'utf-8').encode('utf-16-le') + pw = unicode('"' + password.encode('utf-8') + '"', 'utf-8').encode('utf-16-le') setpw = """ dn: %s changetype: modify diff -Nru samba-4.5.4+dfsg/python/samba/upgradehelpers.py samba-4.5.8+dfsg/python/samba/upgradehelpers.py --- samba-4.5.4+dfsg/python/samba/upgradehelpers.py 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/python/samba/upgradehelpers.py 2017-03-09 09:21:43.000000000 +0000 @@ -573,7 +573,7 @@ assert(len(res) == 1) msg = ldb.Message(res[0].dn) - machinepass = samba.generate_random_password(128, 255) + machinepass = samba.generate_random_machine_password(128, 255) mputf16 = machinepass.encode('utf-16-le') msg["clearTextPassword"] = ldb.MessageElement(mputf16, ldb.FLAG_MOD_REPLACE, @@ -648,7 +648,7 @@ assert(len(res) == 1) msg = ldb.Message(res[0].dn) - machinepass = samba.generate_random_password(128, 255) + machinepass = samba.generate_random_machine_password(128, 255) mputf16 = machinepass.encode('utf-16-le') msg["clearTextPassword"] = ldb.MessageElement(mputf16, ldb.FLAG_MOD_REPLACE, diff -Nru samba-4.5.4+dfsg/script/release.sh samba-4.5.8+dfsg/script/release.sh --- samba-4.5.4+dfsg/script/release.sh 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/script/release.sh 2017-01-30 09:56:26.000000000 +0000 
@@ -830,7 +830,8 @@ top=$(cat ${TMPDIR}/WHATSNEW.txt | wc -l) } local skip=$(cat ${TMPDIR}/WHATSNEW.txt | grep -n '^[^ ]' | head -1 | cut -d ':' -f1) - local bottom=$(expr ${top} - \( ${skip} - 1 \)) + local headlimit=$(expr ${top} - 1 ) + local taillimit=$(expr ${headlimit} - \( ${skip} - 1 \)) cat "announce.${tagname}.quotation.txt" echo "" @@ -838,7 +839,7 @@ echo "Release Announcements" echo "---------------------" echo "" - head -${top} ${TMPDIR}/WHATSNEW.txt | tail -${bottom} + head -${headlimit} ${TMPDIR}/WHATSNEW.txt | tail -${taillimit} echo "" echo "================" echo "Download Details" diff -Nru samba-4.5.4+dfsg/selftest/skip samba-4.5.8+dfsg/selftest/skip --- samba-4.5.4+dfsg/selftest/skip 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/selftest/skip 2017-03-09 09:21:43.000000000 +0000 @@ -48,6 +48,7 @@ ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-SYMLINK-EA # Fails against the s4 ntvfs server ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-OFD-LOCK # Fails against the s4 ntvfs server ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).POSIX-STREAM-DELETE # Fails against the s4 ntvfs server +^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).WINDOWS-BAD-SYMLINK # Fails against the s4 ntvfs server ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).RENAME-ACCESS # Fails against the s4 ntvfs server ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).OWNER-RIGHTS # Don't test against the s4 ntvfs server anymore ^samba3.smbtorture_s3.plain\(ad_dc_ntvfs\).PIDHIGH # Fails against the s4 ntvfs server diff -Nru samba-4.5.4+dfsg/selftest/target/Samba3.pm samba-4.5.8+dfsg/selftest/target/Samba3.pm --- samba-4.5.4+dfsg/selftest/target/Samba3.pm 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/selftest/target/Samba3.pm 2017-03-31 06:25:18.000000000 +0000 @@ -554,6 +554,7 @@ ntlm auth = yes vfs objects = xattr_tdb streams_depot time_audit full_audit change notify = no + smb encrypt = off full_audit:syslog = no full_audit:success = none 
@@ -571,6 +572,11 @@ store dos attributes = yes hide files = /hidefile/ hide dot files = yes + +[enc_desired] + path = $prefix_abs/share + vfs objects = + smb encrypt = desired "; my $vars = $self->provision($path, @@ -757,6 +763,8 @@ security = ads username map = $prefix/lib/username.map server signing = required + server min protocol = SMB3_00 + client max protocol = SMB3 "; my $ret = $self->provision($prefix, @@ -1199,6 +1207,9 @@ my $shadow_shrdir="$shadow_basedir/share"; push(@dirs,$shadow_shrdir); + my $nosymlinks_shrdir="$shrdir/nosymlinks"; + push(@dirs,$nosymlinks_shrdir); + # this gets autocreated by winbindd my $wbsockdir="$prefix_abs/winbindd"; my $wbsockprivdir="$lockdir/winbindd_privileged"; @@ -1610,7 +1621,7 @@ path = $shrdir vfs objects = catia fruit streams_xattr acl_xattr ea support = yes - fruit:resource = file + fruit:ressource = file fruit:metadata = netatalk fruit:locking = netatalk fruit:encoding = native @@ -1812,6 +1823,10 @@ copy = tmp acl_xattr:ignore system acls = yes acl_xattr:default acl style = posix +[nosymlinks] + copy = tmp + path = $nosymlinks_shrdir + follow symlinks = no [acl_xattr_ign_sysacl_windows] copy = tmp acl_xattr:ignore system acls = yes diff -Nru samba-4.5.4+dfsg/selftest/target/Samba4.pm samba-4.5.8+dfsg/selftest/target/Samba4.pm --- samba-4.5.4+dfsg/selftest/target/Samba4.pm 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/selftest/target/Samba4.pm 2017-01-30 09:56:26.000000000 +0000 @@ -910,7 +910,7 @@ path = $ctx->{share} vfs objects = catia fruit streams_xattr acl_xattr ea support = yes - fruit:resource = file + fruit:ressource = file fruit:metadata = netatalk fruit:locking = netatalk fruit:encoding = native diff -Nru samba-4.5.4+dfsg/source3/include/proto.h samba-4.5.8+dfsg/source3/include/proto.h --- samba-4.5.4+dfsg/source3/include/proto.h 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/include/proto.h 2017-03-09 09:21:43.000000000 +0000 
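Review bot: `fruit:ressource = file` in the Samba3.pm share block (and the same line in the Samba4.pm hunk) reads like a typo being introduced, since it replaces the correctly spelled `fruit:resource`. If this is the spelling that vfs_fruit in this branch actually parses, which the hunk does not show, a short smb.conf comment above it such as `# "ressource" is the option name this release parses` would keep it from being corrected back. Both hunks sit inside a larger heredoc that starts outside them.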
@@ -880,6 +880,9 @@ struct netlogon_creds_cli_context; struct messaging_context; struct dcerpc_binding_handle; +char *trust_pw_new_value(TALLOC_CTX *mem_ctx, + enum netr_SchannelType sec_channel_type, + int security); NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, struct messaging_context *msg_ctx, struct dcerpc_binding_handle *b, diff -Nru samba-4.5.4+dfsg/source3/include/smb.h samba-4.5.8+dfsg/source3/include/smb.h --- samba-4.5.4+dfsg/source3/include/smb.h 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/include/smb.h 2017-03-09 09:21:43.000000000 +0000 @@ -733,12 +733,6 @@ #define SAFE_NETBIOS_CHARS ". -_" -/* The maximum length of a trust account password. - Used when we randomly create it, 15 char passwords - exceed NT4's max password length */ - -#define DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH 14 - #define PORT_NONE 0 #ifndef LDAP_PORT #define LDAP_PORT 389 diff -Nru samba-4.5.4+dfsg/source3/lib/util_path.c samba-4.5.8+dfsg/source3/lib/util_path.c --- samba-4.5.4+dfsg/source3/lib/util_path.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/lib/util_path.c 2017-03-09 09:21:43.000000000 +0000 
@@ -93,3 +93,142 @@ { return xx_path(name, lp_cache_directory()); } + +/** + * @brief Removes any invalid path components in an absolute POSIX path. + * + * @param ctx Talloc context to return string. + * + * @param abs_path Absolute path string to process. + * + * @retval Pointer to a talloc'ed string containing the absolute full path. + **/ + +char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path) +{ + char *destname; + char *d; + const char *s = abs_path; + bool start_of_name_component = true; + + /* Allocate for strlen + '\0' + possible leading '/' */ + destname = (char *)talloc_size(ctx, strlen(abs_path) + 2); + if (destname == NULL) { + return NULL; + } + d = destname; + + *d++ = '/'; /* Always start with root. */ + + while (*s) { + if (*s == '/') { + /* Eat multiple '/' */ + while (*s == '/') { + s++; + } + if ((d > destname + 1) && (*s != '\0')) { + *d++ = '/'; + } + start_of_name_component = true; + continue; + } + + if (start_of_name_component) { + if ((s[0] == '.') && (s[1] == '.') && + (s[2] == '/' || s[2] == '\0')) { + /* Uh oh - "/../" or "/..\0" ! */ + + /* Go past the .. leaving us on the / or '\0' */ + s += 2; + + /* If we just added a '/' - delete it */ + if ((d > destname) && (*(d-1) == '/')) { + *(d-1) = '\0'; + d--; + } + + /* + * Are we at the start ? + * Can't go back further if so. + */ + if (d <= destname) { + *d++ = '/'; /* Can't delete root */ + continue; + } + /* Go back one level... */ + /* + * Decrement d first as d points to + * the *next* char to write into. + */ + for (d--; d > destname; d--) { + if (*d == '/') { + break; + } + } + + /* + * Are we at the start ? + * Can't go back further if so. + */ + if (d <= destname) { + *d++ = '/'; /* Can't delete root */ + continue; + } + + /* + * We're still at the start of a name + * component, just the previous one. + */ + continue; + } else if ((s[0] == '.') && + ((s[1] == '\0') || s[1] == '/')) { + /* + * Component of pathname can't be "." only. + * Skip the '.' . 
+ */ + if (s[1] == '/') { + s += 2; + } else { + s++; + } + continue; + } + } + + if (!(*s & 0x80)) { + *d++ = *s++; + } else { + size_t siz; + /* Get the size of the next MB character. */ + next_codepoint(s,&siz); + switch(siz) { + case 5: + *d++ = *s++; + /*fall through*/ + case 4: + *d++ = *s++; + /*fall through*/ + case 3: + *d++ = *s++; + /*fall through*/ + case 2: + *d++ = *s++; + /*fall through*/ + case 1: + *d++ = *s++; + break; + default: + break; + } + } + start_of_name_component = false; + } + *d = '\0'; + + /* And must not end in '/' */ + if (d > destname + 1 && (*(d-1) == '/')) { + *(d-1) = '\0'; + } + + return destname; +} diff -Nru samba-4.5.4+dfsg/source3/lib/util_path.h samba-4.5.8+dfsg/source3/lib/util_path.h --- samba-4.5.4+dfsg/source3/lib/util_path.h 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/lib/util_path.h 2017-03-09 09:21:43.000000000 +0000 @@ -27,5 +27,6 @@ char *lock_path(const char *name); char *state_path(const char *name); char *cache_path(const char *name); +char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path); #endif diff -Nru samba-4.5.4+dfsg/source3/libads/sasl.c samba-4.5.8+dfsg/source3/libads/sasl.c --- samba-4.5.4+dfsg/source3/libads/sasl.c 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/source3/libads/sasl.c 2017-03-09 09:21:43.000000000 +0000 @@ -703,6 +703,7 @@ #ifdef HAVE_KRB5 bool got_kerberos_mechanism = False; #endif + const char *mech = NULL; rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, "GSS-SPNEGO", NULL, NULL, NULL, &scred); @@ -749,6 +750,8 @@ if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && got_kerberos_mechanism) { + mech = "KRB5"; + if (ads->auth.password == NULL || ads->auth.password[0] == '\0') { 
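Review bot: In the multibyte branch of `canonicalize_absolute_path`, the `default:` arm of `switch(siz)` copies nothing and does not advance `s`, so a size from `next_codepoint()` outside 1–5 would make the `while (*s)` loop spin on the same byte. Whether `next_codepoint()` can report such a size is not visible here; letting the arm consume one byte, `default: *d++ = *s++; break;`, keeps the loop bounded either way and still fits the `strlen(abs_path) + 2` allocation. The doc comment should also say that NULL is returned on allocation failure and that the cleanup is purely lexical: `..` is resolved on the string only, so the result can still pass through symlinks and is not a containment check on its own.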
@@ -775,7 +778,11 @@ blob); if (!ADS_ERR_OK(status)) { DEBUG(0,("kinit succeeded but " - "ads_sasl_spnego_gensec_bind(KRB5) failed: %s\n", + "ads_sasl_spnego_gensec_bind(KRB5) failed: " + "for %s/%s user[%s] realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, ads_errstr(status))); } } @@ -785,17 +792,33 @@ !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { goto done; } + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed for %s/%s " + "with user[%s] realm[%s]: %s, fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); } #endif /* lets do NTLMSSP ... this has the big advantage that we don't need to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_DONT_USE_KERBEROS, p.service, p.hostname, data_blob_null); done: + if (!ADS_ERR_OK(status)) { + DEBUG(1,("ads_sasl_spnego_gensec_bind(%s) failed for %s/%s " + "with user[%s] realm=[%s]: %s\n", mech, + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, + ads_errstr(status))); + } ads_free_service_principal(&p); TALLOC_FREE(frame); if (blob.data != NULL) { diff -Nru samba-4.5.4+dfsg/source3/libads/util.c samba-4.5.8+dfsg/source3/libads/util.c --- samba-4.5.4+dfsg/source3/libads/util.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/libads/util.c 2017-03-09 09:21:43.000000000 +0000 
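Review bot: At the `done:` label the new `DEBUG(1, ...)` formats `mech` with `%s`, but `mech` is declared as `const char *mech = NULL` and is only assigned on the Kerberos and NTLMSSP paths. Any `goto done` taken before the Kerberos block (that code is outside the hunks) would reach the message with a NULL string and would be logged as an `ads_sasl_spnego_gensec_bind` failure although that call never ran. Passing `mech != NULL ? mech : "none"` as the argument, or skipping the message when `mech` is NULL, avoids both. The three new messages also differ in `realm[%s]` versus `realm=[%s]`; one form makes them easier to grep.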
@@ -35,9 +35,12 @@ return ADS_ERROR_SYSTEM(ENOENT); } - new_password = generate_random_password(talloc_tos(), - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + new_password = trust_pw_new_value(talloc_tos(), SEC_CHAN_WKSTA, SEC_ADS); + if (new_password == NULL) { + ret = ADS_ERROR_SYSTEM(errno); + DEBUG(1,("Failed to generate machine password\n")); + goto failed; + } ret = kerberos_set_password(ads->auth.kdc_server, host_principal, password, host_principal, new_password, ads->auth.time_offset); diff -Nru samba-4.5.4+dfsg/source3/libnet/libnet_join.c samba-4.5.8+dfsg/source3/libnet/libnet_join.c --- samba-4.5.4+dfsg/source3/libnet/libnet_join.c 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/libnet/libnet_join.c 2017-03-09 09:21:43.000000000 +0000 @@ -1138,9 +1138,11 @@ } if (!r->in.machine_password) { - r->in.machine_password = generate_random_password(mem_ctx, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + int security = r->in.ads ? SEC_ADS : SEC_DOMAIN; + + r->in.machine_password = trust_pw_new_value(mem_ctx, + r->in.secure_channel_type, + security); if (r->in.machine_password == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; @@ -1233,9 +1235,11 @@ } if (!r->in.machine_password) { - r->in.machine_password = generate_random_password(mem_ctx, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + int security = r->in.ads ? SEC_ADS : SEC_DOMAIN; + + r->in.machine_password = trust_pw_new_value(mem_ctx, + r->in.secure_channel_type, + security); NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password); } diff -Nru samba-4.5.4+dfsg/source3/librpc/rpc/dcerpc.h samba-4.5.8+dfsg/source3/librpc/rpc/dcerpc.h --- samba-4.5.4+dfsg/source3/librpc/rpc/dcerpc.h 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/librpc/rpc/dcerpc.h 2017-03-09 09:21:43.000000000 +0000 
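Review bot: When `trust_pw_new_value()` returns NULL, `ret = ADS_ERROR_SYSTEM(errno)` depends on `errno` having been set by the failing call, which nothing in this hunk guarantees. If `errno` is 0 or stale at that point the caller gets a status that is misleading, or that may not register as an error at all. A fixed code is safer here: `ret = ADS_ERROR_SYSTEM(ENOMEM);`. The function body starts and ends outside the hunk.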
@@ -61,8 +61,7 @@ DATA_BLOB *blob); NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, - struct ncacn_packet *r, - bool bigendian); + struct ncacn_packet *r); NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx, enum dcerpc_AuthType auth_type, enum dcerpc_AuthLevel auth_level, diff -Nru samba-4.5.4+dfsg/source3/librpc/rpc/dcerpc_helpers.c samba-4.5.8+dfsg/source3/librpc/rpc/dcerpc_helpers.c --- samba-4.5.4+dfsg/source3/librpc/rpc/dcerpc_helpers.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/librpc/rpc/dcerpc_helpers.c 2017-03-09 09:21:43.000000000 +0000 @@ -88,14 +88,12 @@ * elements * @param blob The blob of data to decode * @param r An empty ncacn_packet, must not be NULL -* @param bigendian Whether the packet is bignedian encoded * * @return a NTSTATUS error code */ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, - struct ncacn_packet *r, - bool bigendian) + struct ncacn_packet *r) { enum ndr_err_code ndr_err; struct ndr_pull *ndr; @@ -104,11 +102,12 @@ if (!ndr) { return NT_STATUS_NO_MEMORY; } - if (bigendian) { + + if (!(CVAL(ndr->data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) { ndr->flags |= LIBNDR_FLAG_BIGENDIAN; } - if (CVAL(blob->data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) { + if (CVAL(ndr->data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) { ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT; } diff -Nru samba-4.5.4+dfsg/source3/libsmb/trusts_util.c samba-4.5.8+dfsg/source3/libsmb/trusts_util.c --- samba-4.5.4+dfsg/source3/libsmb/trusts_util.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/libsmb/trusts_util.c 2017-03-09 09:21:43.000000000 +0000 
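Review bot: The two `CVAL(ndr->data, ...)` reads at `DCERPC_DREP_OFFSET` and `DCERPC_PFC_OFFSET` in `dcerpc_pull_ncacn_packet` are not preceded, in the visible lines, by a check that the blob is long enough to hold those header bytes. Now that byte order is taken from the packet instead of from the caller, every caller's input reaches these reads; if a caller-side length check is not guaranteed, a guard at the top of the function such as `if (blob->length <= DCERPC_DREP_OFFSET) return NT_STATUS_BUFFER_TOO_SMALL;` would close that. The doc comment drops the `bigendian` parameter but could also say that endianness and the object-UUID flag are now derived from the header. The function body continues outside the hunk.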
@@ -47,6 +47,62 @@ return 0; } +char *trust_pw_new_value(TALLOC_CTX *mem_ctx, + enum netr_SchannelType sec_channel_type, + int security) +{ + /* + * use secure defaults. + */ + size_t min = 128; + size_t max = 255; + + switch (sec_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_BDC: + if (security == SEC_DOMAIN) { + /* + * The maximum length of a trust account password. + * Used when we randomly create it, 15 char passwords + * exceed NT4's max password length. + */ + min = 14; + max = 14; + } + break; + case SEC_CHAN_DNS_DOMAIN: + /* + * new_len * 2 = 498 bytes is the largest possible length + * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes + * and a confounder with at least 2 bytes is required. + * + * Windows uses new_len = 120 => 240 bytes (utf16) + */ + min = 120; + max = 120; + break; + /* fall through */ + case SEC_CHAN_DOMAIN: + /* + * The maximum length of a trust account password. + * Used when we randomly create it, 15 char passwords + * exceed NT4's max password length. + */ + min = 14; + max = 14; + break; + default: + break; + } + + /* + * Create a random machine account password + * We create a random buffer and convert that to utf8. + * This is similar to what windows is doing. + */ + return generate_random_machine_password(mem_ctx, min, max); +} + NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, struct messaging_context *msg_ctx, struct dcerpc_binding_handle *b, @@ -54,6 +110,7 @@ bool force) { TALLOC_CTX *frame = talloc_stackframe(); + const char *context_name = NULL; struct trust_pw_change_state *state; struct cli_credentials *creds = NULL; const struct samr_Password *current_nt_hash = NULL; 
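Review bot: In `trust_pw_new_value` the `/* fall through */` comment after the `break;` of `case SEC_CHAN_DNS_DOMAIN:` is stale: control does not fall into `case SEC_CHAN_DOMAIN:`, and the comment suggests the 14-character limit could apply to DNS-domain trusts. I would delete it. The function also has no header comment; one stating that it picks the length range per channel type (14 for `SEC_DOMAIN` workstation/BDC accounts and for `SEC_CHAN_DOMAIN`, 120 for `SEC_CHAN_DNS_DOMAIN`, otherwise 128 to 255) and returns the result of `generate_random_machine_password()` on `mem_ctx`, with NULL treated as failure by the callers, would let a reader judge the password strength per case.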
@@ -65,10 +122,7 @@ struct timeval g_timeout = { 0, }; int timeout = 0; struct timeval tv = { 0, }; - size_t new_len = DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH; - uint8_t new_password_buffer[256 * 2] = { 0, }; char *new_trust_passwd = NULL; - size_t len = 0; uint32_t new_version = 0; uint32_t *new_trust_version = NULL; NTSTATUS status; @@ -134,16 +188,6 @@ case SEC_CHAN_BDC: break; case SEC_CHAN_DNS_DOMAIN: - /* - * new_len * 2 = 498 bytes is the largest possible length - * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes - * and a confounder with at least 2 bytes is required. - * - * Windows uses new_len = 120 => 240 bytes. - */ - new_len = 120; - - /* fall through */ case SEC_CHAN_DOMAIN: status = pdb_get_trusted_domain(frame, domain, &td); if (!NT_STATUS_IS_OK(status)) { @@ -181,19 +225,21 @@ return NT_STATUS_OK; } + context_name = netlogon_creds_cli_debug_string(context, talloc_tos()); + if (context_name == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + /* * Create a random machine account password * We create a random buffer and convert that to utf8. * This is similar to what windows is doing. */ - generate_secret_buffer(new_password_buffer, new_len * 2); - ok = convert_string_talloc(frame, - CH_UTF16MUNGED, CH_UTF8, - new_password_buffer, new_len * 2, - (void *)&new_trust_passwd, &len); - ZERO_STRUCT(new_password_buffer); - if (!ok) { - DEBUG(0, ("convert_string_talloc failed\n")); + new_trust_passwd = trust_pw_new_value(frame, sec_channel_type, + lp_security()); + if (new_trust_passwd == NULL) { + DEBUG(0, ("trust_pw_new_value() failed\n")); TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; } 
@@ -215,12 +261,16 @@ *current_nt_hash, previous_nt_hash); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("netlogon_creds_cli_auth for domain %s - %s!\n", - domain, nt_errstr(status))); + DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for old password - %s!\n", + context_name, nt_errstr(status))); TALLOC_FREE(frame); return status; } + DEBUG(0,("%s : %s(%s): Verified old password remotely using %s\n", + current_timestring(talloc_tos(), false), + __func__, domain, context_name)); + /* * Return the result of trying to write the new password * back into the trust account file. 
@@ -260,22 +310,57 @@ break; } - DEBUG(1,("%s : %s(%s): Changed password locally\n", + DEBUG(0,("%s : %s(%s): Changed password locally\n", current_timestring(talloc_tos(), false), __func__, domain)); status = netlogon_creds_cli_ServerPasswordSet(context, b, new_trust_passwd, new_trust_version); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("%s : %s(%s) remote password change set failed - %s\n", - current_timestring(talloc_tos(), false), __func__, - domain, nt_errstr(status))); + DEBUG(0,("%s : %s(%s) remote password change set with %s failed - %s\n", + current_timestring(talloc_tos(), false), + __func__, domain, context_name, + nt_errstr(status))); TALLOC_FREE(frame); return status; } - DEBUG(1,("%s : %s(%s): Changed password remotely.\n", - current_timestring(talloc_tos(), false), __func__, domain)); + DEBUG(0,("%s : %s(%s): Changed password remotely using %s\n", + current_timestring(talloc_tos(), false), + __func__, domain, context_name)); + + ok = cli_credentials_set_password(creds, new_trust_passwd, CRED_SPECIFIED); + if (!ok) { + DEBUG(0, ("cli_credentials_set_password failed for domain %s!\n", + domain)); + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + current_nt_hash = cli_credentials_get_nt_hash(creds, frame); + if (current_nt_hash == NULL) { + DEBUG(0, ("cli_credentials_get_nt_hash failed for domain %s!\n", + domain)); + TALLOC_FREE(frame); + return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE; + } + + /* + * Now we verify the new password. 
+ */ + status = netlogon_creds_cli_auth(context, b, + *current_nt_hash, + NULL); /* previous_nt_hash */ + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for new password - %s!\n", + context_name, nt_errstr(status))); + TALLOC_FREE(frame); + return status; + } + + DEBUG(0,("%s : %s(%s): Verified new password remotely using %s\n", + current_timestring(talloc_tos(), false), + __func__, domain, context_name)); TALLOC_FREE(frame); return NT_STATUS_OK; diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_catia.c samba-4.5.8+dfsg/source3/modules/vfs_catia.c --- samba-4.5.4+dfsg/source3/modules/vfs_catia.c 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_catia.c 2017-03-09 09:21:43.000000000 +0000 @@ -4,13 +4,13 @@ * Implement a fixed mapping of forbidden NT characters in filenames that are * used a lot by the CAD package Catia. * - * Yes, this a BAD BAD UGLY INCOMPLETE hack, but it helps quite some people - * out there. Catia V4 on AIX uses characters like "<*$ a *lot*, all forbidden - * under Windows... + * Catia V4 on AIX uses characters like "<*$ a *lot*, all forbidden under + * Windows... * * Copyright (C) Volker Lendecke, 2005 * Copyright (C) Aravind Srinivasan, 2009 * Copyright (C) Guenter Kukkukk, 2013 + * Copyright (C) Ralph Boehme, 2017 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -29,6 +29,8 @@ #include "includes.h" #include "smbd/smbd.h" +#include "lib/util/tevent_unix.h" +#include "lib/util/tevent_ntstatus.h" static int vfs_catia_debug_level = DBGC_VFS; @@ -52,6 +54,15 @@ struct char_mappings **mappings; }; +struct catia_cache { + bool is_fsp_ext; + const struct catia_cache * const *busy; + char *orig_fname; + char *fname; + char *orig_base_fname; + char *base_fname; +}; + struct share_mapping_entry *srt_head = NULL; static bool build_table(struct char_mappings **cmaps, int value) 
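Review bot: The three error returns added after `netlogon_creds_cli_ServerPasswordSet()` has succeeded report a failure although the password has by then been changed both locally and remotely, and the messages for the `cli_credentials_set_password` and `cli_credentials_get_nt_hash` cases do not say so. Someone reading the log after a failed verification cannot tell from those two lines which password the trust account was left on. I would add the state to the text, for example `"cli_credentials_set_password failed for domain %s after the password was changed!\n"`, and put a comment above the verification block noting that a failure here rolls nothing back. The function starts outside the hunk.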
@@ -353,30 +364,305 @@ return ret; } +#define CATIA_DEBUG_CC(lvl, cc, fsp) \ + catia_debug_cc((lvl), (cc), (fsp), __location__); + +static void catia_debug_cc(int lvl, + struct catia_cache *cc, + files_struct *fsp, + const char *location) +{ + DEBUG(lvl, ("%s: cc [0x%p] cc->busy [0x%p] " + "is_fsp_ext [%s] " + "fsp [0x%p] fsp name [%s] " + "orig_fname [%s] " + "fname [%s] " + "orig_base_fname [%s] " + "base_fname [%s]\n", + location, + cc, cc->busy, + cc->is_fsp_ext ? "yes" : "no", + fsp, fsp_str_dbg(fsp), + cc->orig_fname, cc->fname, + cc->orig_base_fname, cc->base_fname)); +} + +static void catia_free_cc(struct catia_cache **_cc, + vfs_handle_struct *handle, + files_struct *fsp) +{ + struct catia_cache *cc = *_cc; + + if (cc->is_fsp_ext) { + VFS_REMOVE_FSP_EXTENSION(handle, fsp); + cc = NULL; + } else { + TALLOC_FREE(cc); + } + + *_cc = NULL; +} + +static struct catia_cache *catia_validate_and_apply_cc( + vfs_handle_struct *handle, + files_struct *fsp, + const struct catia_cache * const *busy, + bool *make_tmp_cache) +{ + struct catia_cache *cc = NULL; + + *make_tmp_cache = false; + + cc = (struct catia_cache *)VFS_FETCH_FSP_EXTENSION(handle, fsp); + if (cc == NULL) { + return NULL; + } + + if (cc->busy != NULL) { + if (cc->busy == busy) { + /* This should never happen */ + CATIA_DEBUG_CC(0, cc, fsp); + smb_panic(__location__); + } + + /* + * Recursion. Validate names, the names in the fsp's should be + * the translated names we had set. + */ + + if ((cc->fname != fsp->fsp_name->base_name) + || + ((fsp->base_fsp != NULL) && + (cc->base_fname != fsp->base_fsp->fsp_name->base_name))) + { + CATIA_DEBUG_CC(10, cc, fsp); + + /* + * Names changed. Setting don't expose the cache on the + * fsp and ask the caller to create a temporary cache. + */ + *make_tmp_cache = true; + return NULL; + } + + /* + * Ok, a validated cache while in a recursion, just let the + * caller detect that cc->busy is != busy and there's + * nothing else to do. 
+ */ + CATIA_DEBUG_CC(10, cc, fsp); + return cc; + } + + /* Not in a recursion */ + + if ((cc->orig_fname != fsp->fsp_name->base_name) + || + ((fsp->base_fsp != NULL) && + (cc->orig_base_fname != fsp->base_fsp->fsp_name->base_name))) + { + /* + * fsp names changed, this can happen in an rename op. + * Trigger recreation as a full fledged fsp extension. + */ + + CATIA_DEBUG_CC(10, cc, fsp); + catia_free_cc(&cc, handle, fsp); + return NULL; + } + + + /* + * Ok, we found a valid cache entry, no recursion. Just set translated + * names from the cache and mark the cc as busy. + */ + fsp->fsp_name->base_name = cc->fname; + if (fsp->base_fsp != NULL) { + fsp->base_fsp->fsp_name->base_name = cc->base_fname; + } + + cc->busy = busy; + CATIA_DEBUG_CC(10, cc, fsp); + return cc; +} + +#define CATIA_FETCH_FSP_PRE_NEXT(mem_ctx, handle, fsp, _cc) \ + catia_fetch_fsp_pre_next((mem_ctx), (handle), (fsp), (_cc), __func__); + +static int catia_fetch_fsp_pre_next(TALLOC_CTX *mem_ctx, + vfs_handle_struct *handle, + files_struct *fsp, + struct catia_cache **_cc, + const char *function) +{ + const struct catia_cache * const *busy = + (const struct catia_cache * const *)_cc; + struct catia_cache *cc = NULL; + NTSTATUS status; + bool make_tmp_cache = false; + + *_cc = NULL; + + DBG_DEBUG("Called from [%s]\n", function); + + cc = catia_validate_and_apply_cc(handle, + fsp, + busy, + &make_tmp_cache); + if (cc != NULL) { + if (cc->busy != busy) { + return 0; + } + *_cc = cc; + return 0; + } + + if (!make_tmp_cache) { + cc = (struct catia_cache *)VFS_ADD_FSP_EXTENSION( + handle, fsp, struct catia_cache, NULL); + if (cc == NULL) { + return -1; + } + *cc = (struct catia_cache) { + .is_fsp_ext = true, + }; + + mem_ctx = VFS_MEMCTX_FSP_EXTENSION(handle, fsp); + if (mem_ctx == NULL) { + DBG_ERR("VFS_MEMCTX_FSP_EXTENSION failed\n"); + catia_free_cc(&cc, handle, fsp); + return -1; + } + } else { + cc = talloc_zero(mem_ctx, struct catia_cache); + if (cc == NULL) { + return -1; + } + mem_ctx = cc; + } 
+ + + status = catia_string_replace_allocate(handle->conn, + fsp->fsp_name->base_name, + &cc->fname, + vfs_translate_to_unix); + if (!NT_STATUS_IS_OK(status)) { + catia_free_cc(&cc, handle, fsp); + errno = map_errno_from_nt_status(status); + return -1; + } + talloc_steal(mem_ctx, cc->fname); + + if (fsp->base_fsp != NULL) { + status = catia_string_replace_allocate( + handle->conn, + fsp->base_fsp->fsp_name->base_name, + &cc->base_fname, + vfs_translate_to_unix); + if (!NT_STATUS_IS_OK(status)) { + catia_free_cc(&cc, handle, fsp); + errno = map_errno_from_nt_status(status); + return -1; + } + talloc_steal(mem_ctx, cc->base_fname); + } + + cc->orig_fname = fsp->fsp_name->base_name; + fsp->fsp_name->base_name = cc->fname; + + if (fsp->base_fsp != NULL) { + cc->orig_base_fname = fsp->base_fsp->fsp_name->base_name; + fsp->base_fsp->fsp_name->base_name = cc->base_fname; + } + + cc->busy = busy; + CATIA_DEBUG_CC(10, cc, fsp); + + *_cc = cc; + + return 0; +} + +#define CATIA_FETCH_FSP_POST_NEXT(_cc, fsp) do { \ + int saved_errno = errno; \ + catia_fetch_fsp_post_next((_cc), (fsp), __func__); \ + errno = saved_errno; \ +} while(0) + +static void catia_fetch_fsp_post_next(struct catia_cache **_cc, + files_struct *fsp, + const char *function) +{ + const struct catia_cache * const *busy = + (const struct catia_cache * const *)_cc; + struct catia_cache *cc = *_cc; + + DBG_DEBUG("Called from [%s]\n", function); + + if (cc == NULL) { + /* + * This can happen when recursing in the VFS on the fsp when the + * pre_next func noticed the recursion and set out cc pointer to + * NULL. 
+ */ + return; + } + + if (cc->busy != busy) { + CATIA_DEBUG_CC(0, cc, fsp); + smb_panic(__location__); + return; + } + + cc->busy = NULL; + *_cc = NULL; + + fsp->fsp_name->base_name = cc->orig_fname; + if (fsp->base_fsp != NULL) { + fsp->base_fsp->fsp_name->base_name = cc->orig_base_fname; + } + + CATIA_DEBUG_CC(10, cc, fsp); + + if (!cc->is_fsp_ext) { + TALLOC_FREE(cc); + } + + return; +} + static int catia_open(vfs_handle_struct *handle, struct smb_filename *smb_fname, files_struct *fsp, int flags, mode_t mode) { - char *name_mapped = NULL; - char *tmp_base_name; - int ret; + struct catia_cache *cc = NULL; + char *orig_smb_fname = smb_fname->base_name; + char *mapped_smb_fname = NULL; NTSTATUS status; + int ret; - tmp_base_name = smb_fname->base_name; status = catia_string_replace_allocate(handle->conn, - smb_fname->base_name, - &name_mapped, vfs_translate_to_unix); + smb_fname->base_name, + &mapped_smb_fname, + vfs_translate_to_unix); if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); return -1; } - smb_fname->base_name = name_mapped; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + TALLOC_FREE(mapped_smb_fname); + return ret; + } + + smb_fname->base_name = mapped_smb_fname; ret = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode); - smb_fname->base_name = tmp_base_name; - TALLOC_FREE(name_mapped); + smb_fname->base_name = orig_smb_fname; + + TALLOC_FREE(mapped_smb_fname); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } 
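Review bot: In the rewritten `catia_open`, the failure branch after `catia_string_replace_allocate()` now returns -1 without setting `errno`; the `errno = map_errno_from_nt_status(status);` line was dropped there, while `catia_fetch_fsp_pre_next` keeps it on its own failure paths. A caller that inspects `errno` after a failed open would see a stale value, so I would restore `errno = map_errno_from_nt_status(status);` before that `return -1;`. Separately, `CATIA_DEBUG_CC` and `CATIA_FETCH_FSP_PRE_NEXT` are defined with a trailing `;`, which leaves an empty extra statement at each use and would break an unbraced `if`/`else`; dropping the semicolon from both definitions avoids that.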
@@ -1118,48 +1404,17 @@ files_struct *fsp, SMB_STRUCT_STAT *sbuf) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; - - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } - - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + struct catia_cache *cc = NULL; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; - ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } - -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } 
@@ -1168,148 +1423,57 @@ files_struct *fsp, void *data, size_t n, off_t offset) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; - - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } - - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + struct catia_cache *cc = NULL; + ssize_t result; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + result = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset); - ret = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } - -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); - - return ret; + return result; } static ssize_t catia_pwrite(vfs_handle_struct *handle, files_struct *fsp, const void *data, size_t n, off_t offset) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; - - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } - - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - 
fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + struct catia_cache *cc = NULL; + ssize_t result; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; - - ret = SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset); - - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } + result = SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset); -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - return ret; + return result; } static int catia_ftruncate(struct vfs_handle_struct *handle, struct files_struct *fsp, off_t offset) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; - - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } - - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + struct catia_cache *cc = NULL; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; - ret = SMB_VFS_NEXT_FTRUNCATE(handle, fsp, offset); - 
fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } - -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } 
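Review bot: The early exit `return ret;` in the pread and pwrite wrappers passes the int status of `CATIA_FETCH_FSP_PRE_NEXT` straight back as the `ssize_t` result. Any nonzero value other than -1 would reach the caller as a byte count rather than an error, and for pread that would mean treating an unfilled buffer as data. The lseek and fsync wrappers later in this diff use `return -1;` after the same check, and using that here would make the error contract explicit and consistent. The macro is defined outside this hunk, so this may be harmless if it only ever returns 0 or -1. The pread wrapper's signature begins above the hunk.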
@@ -1320,733 +1484,773 @@ off_t offset, off_t len) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; - - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } - - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + struct catia_cache *cc = NULL; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; - ret = SMB_VFS_NEXT_FALLOCATE(handle, fsp, mode, offset, len); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } - -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } -static ssize_t catia_fgetxattr(struct vfs_handle_struct *handle, struct files_struct *fsp, const char *name, void *value, size_t size) +static ssize_t catia_fgetxattr(struct vfs_handle_struct *handle, + struct files_struct *fsp, + const char *name, + void *value, + size_t size) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - ssize_t result = -1; + char *mapped_xattr_name = NULL; NTSTATUS status; + ssize_t result; status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); + name, &mapped_xattr_name, + vfs_translate_to_unix); if (!NT_STATUS_IS_OK(status)) { errno = 
map_errno_from_nt_status(status); - goto done; + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + result = SMB_VFS_NEXT_FGETXATTR(handle, fsp, mapped_xattr_name, + value, size); - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + TALLOC_FREE(mapped_xattr_name); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return result; +} - result = SMB_VFS_NEXT_FGETXATTR(handle, fsp, name, value, size); +static ssize_t catia_flistxattr(struct vfs_handle_struct *handle, + struct files_struct *fsp, + char *list, + size_t size) +{ + struct catia_cache *cc = NULL; + ssize_t result; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + result = SMB_VFS_NEXT_FLISTXATTR(handle, fsp, list, size); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return result; } -static ssize_t catia_flistxattr(struct vfs_handle_struct *handle, struct files_struct *fsp, char *list, size_t size) +static int catia_fremovexattr(struct vfs_handle_struct *handle, + struct files_struct *fsp, + const char *name) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - ssize_t result = -1; + char *mapped_name = NULL; NTSTATUS status; + int ret; status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); + name, &mapped_name, vfs_translate_to_unix); if (!NT_STATUS_IS_OK(status)) { errno = map_errno_from_nt_status(status); - goto done; + return -1; } - if 
(fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ret = SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, mapped_name); - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + TALLOC_FREE(mapped_name); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return ret; +} - result = SMB_VFS_NEXT_FLISTXATTR(handle, fsp, list, size); +static int catia_fsetxattr(struct vfs_handle_struct *handle, + struct files_struct *fsp, + const char *name, + const void *value, + size_t size, + int flags) +{ + char *mapped_xattr_name = NULL; + NTSTATUS status; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + status = catia_string_replace_allocate( + handle->conn, name, &mapped_xattr_name, vfs_translate_to_unix); + if (!NT_STATUS_IS_OK(status)) { + errno = map_errno_from_nt_status(status); + return -1; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_FSETXATTR(handle, fsp, mapped_xattr_name, + value, size, flags); - return result; + TALLOC_FREE(mapped_xattr_name); + + return ret; } -static int catia_fremovexattr(struct vfs_handle_struct *handle, struct files_struct *fsp, const char *name) +static SMB_ACL_T catia_sys_acl_get_fd(vfs_handle_struct *handle, + files_struct *fsp, + TALLOC_CTX *mem_ctx) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + struct catia_cache *cc = NULL; + struct smb_acl_t *result = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = 
map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return NULL; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + result = SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, mem_ctx); - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return result; +} - ret = SMB_VFS_NEXT_FREMOVEXATTR(handle, fsp, name); +static int catia_sys_acl_blob_get_fd(vfs_handle_struct *handle, + files_struct *fsp, + TALLOC_CTX *mem_ctx, + char **blob_description, + DATA_BLOB *blob) +{ + struct catia_cache *cc = NULL; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle, fsp, mem_ctx, + blob_description, blob); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } -static int catia_fsetxattr(struct vfs_handle_struct *handle, struct files_struct *fsp, const char *name, const void *value, size_t size, int flags) +static int catia_sys_acl_set_fd(vfs_handle_struct *handle, + files_struct *fsp, + SMB_ACL_T theacl) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + struct catia_cache *cc = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = 
map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, theacl); - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return ret; +} - ret = SMB_VFS_NEXT_FSETXATTR(handle, fsp, name, value, size, flags); +static int catia_fchmod_acl(vfs_handle_struct *handle, + files_struct *fsp, + mode_t mode) +{ + struct catia_cache *cc = NULL; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } -static SMB_ACL_T catia_sys_acl_get_fd(vfs_handle_struct *handle, - files_struct *fsp, - TALLOC_CTX *mem_ctx) +static NTSTATUS catia_fget_nt_acl(vfs_handle_struct *handle, + files_struct *fsp, + uint32_t security_info, + TALLOC_CTX *mem_ctx, + struct security_descriptor **ppdesc) { - struct smb_acl_t *result = NULL; - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; + struct catia_cache *cc = NULL; NTSTATUS status; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; 
+ ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + status = SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info, + mem_ctx, ppdesc); - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return status; +} + +static NTSTATUS catia_fset_nt_acl(vfs_handle_struct *handle, + files_struct *fsp, + uint32_t security_info_sent, + const struct security_descriptor *psd) +{ + struct catia_cache *cc = NULL; + NTSTATUS status; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, security_info_sent, psd); - result = SMB_VFS_NEXT_SYS_ACL_GET_FD(handle, fsp, mem_ctx); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + return status; +} + +static NTSTATUS catia_fset_dos_attributes(struct vfs_handle_struct *handle, + struct files_struct *fsp, + uint32_t dosmode) +{ + struct catia_cache *cc = NULL; + NTSTATUS status; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + status = SMB_VFS_NEXT_FSET_DOS_ATTRIBUTES(handle, fsp, dosmode); - return result; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return status; } -static int catia_sys_acl_blob_get_fd(vfs_handle_struct *handle, - files_struct *fsp, - 
TALLOC_CTX *mem_ctx, - char **blob_description, - DATA_BLOB *blob) +static NTSTATUS catia_fget_dos_attributes(struct vfs_handle_struct *handle, + struct files_struct *fsp, + uint32_t *dosmode) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; + struct catia_cache *cc = NULL; NTSTATUS status; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + status = SMB_VFS_NEXT_FGET_DOS_ATTRIBUTES(handle, fsp, dosmode); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return status; +} - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; +static int catia_fchown(vfs_handle_struct *handle, + files_struct *fsp, + uid_t uid, + gid_t gid) +{ + struct catia_cache *cc = NULL; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + ret = SMB_VFS_NEXT_FCHOWN(handle, fsp, uid, gid); - ret = SMB_VFS_NEXT_SYS_ACL_BLOB_GET_FD(handle, fsp, mem_ctx, - blob_description, blob); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + return ret; +} + +static int catia_fchmod(vfs_handle_struct *handle, + files_struct *fsp, + mode_t mode) +{ + struct catia_cache *cc = NULL; + int ret; + + 
ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return ret; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_FCHMOD(handle, fsp, mode); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); return ret; } -static int catia_sys_acl_set_fd(vfs_handle_struct *handle, files_struct *fsp, SMB_ACL_T theacl) +struct catia_pread_state { + ssize_t ret; + struct vfs_aio_state vfs_aio_state; + struct files_struct *fsp; + struct catia_cache *cc; +}; + +static void catia_pread_done(struct tevent_req *subreq); + +static struct tevent_req *catia_pread_send(struct vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct files_struct *fsp, + void *data, + size_t n, + off_t offset) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + struct tevent_req *req = NULL, *subreq = NULL; + struct catia_pread_state *state = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + req = tevent_req_create(mem_ctx, &state, + struct catia_pread_state); + if (req == NULL) { + return NULL; } + state->fsp = fsp; - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ret = CATIA_FETCH_FSP_PRE_NEXT(state, handle, fsp, &state->cc); + if (ret != 0) { + tevent_req_error(req, errno); + return tevent_req_post(req, ev); + } - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + subreq = SMB_VFS_NEXT_PREAD_SEND(state, ev, handle, fsp, data, + n, offset); + if (tevent_req_nomem(subreq, req)) { + return 
tevent_req_post(req, ev); } + tevent_req_set_callback(subreq, catia_pread_done, req); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return req; +} - ret = SMB_VFS_NEXT_SYS_ACL_SET_FD(handle, fsp, theacl); +static void catia_pread_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct catia_pread_state *state = tevent_req_data( + req, struct catia_pread_state); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } + state->ret = SMB_VFS_PREAD_RECV(subreq, &state->vfs_aio_state); + TALLOC_FREE(subreq); -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&state->cc, state->fsp); - return ret; + tevent_req_done(req); } -static int catia_fchmod_acl(vfs_handle_struct *handle, files_struct *fsp, mode_t mode) +static ssize_t catia_pread_recv(struct tevent_req *req, + struct vfs_aio_state *vfs_aio_state) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + struct catia_pread_state *state = tevent_req_data( + req, struct catia_pread_state); - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + *vfs_aio_state = state->vfs_aio_state; + return state->ret; +} - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } +struct catia_pwrite_state { 
+ ssize_t ret; + struct vfs_aio_state vfs_aio_state; + struct files_struct *fsp; + struct catia_cache *cc; +}; - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; +static void catia_pwrite_done(struct tevent_req *subreq); - ret = SMB_VFS_NEXT_FCHMOD_ACL(handle, fsp, mode); +static struct tevent_req *catia_pwrite_send(struct vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct files_struct *fsp, + const void *data, + size_t n, + off_t offset) +{ + struct tevent_req *req = NULL, *subreq = NULL; + struct catia_pwrite_state *state = NULL; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + req = tevent_req_create(mem_ctx, &state, + struct catia_pwrite_state); + if (req == NULL) { + return NULL; + } + state->fsp = fsp; + + ret = CATIA_FETCH_FSP_PRE_NEXT(state, handle, fsp, &state->cc); + if (ret != 0) { + tevent_req_error(req, errno); + return tevent_req_post(req, ev); } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + subreq = SMB_VFS_NEXT_PWRITE_SEND(state, ev, handle, fsp, data, + n, offset); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, catia_pwrite_done, req); - return ret; + return req; } -static NTSTATUS catia_fget_nt_acl(vfs_handle_struct *handle, - files_struct *fsp, - uint32_t security_info, - TALLOC_CTX *mem_ctx, - struct security_descriptor **ppdesc) +static void catia_pwrite_done(struct tevent_req *subreq) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - NTSTATUS status; + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct catia_pwrite_state *state = tevent_req_data( + req, struct catia_pwrite_state); - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if 
(!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + state->ret = SMB_VFS_PWRITE_RECV(subreq, &state->vfs_aio_state); + TALLOC_FREE(subreq); + + CATIA_FETCH_FSP_POST_NEXT(&state->cc, state->fsp); + + tevent_req_done(req); +} + +static ssize_t catia_pwrite_recv(struct tevent_req *req, + struct vfs_aio_state *vfs_aio_state) +{ + struct catia_pwrite_state *state = tevent_req_data( + req, struct catia_pwrite_state); + + if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + *vfs_aio_state = state->vfs_aio_state; + return state->ret; +} + +static off_t catia_lseek(vfs_handle_struct *handle, + files_struct *fsp, + off_t offset, + int whence) +{ + struct catia_cache *cc = NULL; + ssize_t result; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + result = SMB_VFS_NEXT_LSEEK(handle, fsp, offset, whence); - status = SMB_VFS_NEXT_FGET_NT_ACL(handle, fsp, security_info, mem_ctx, ppdesc); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + return result; +} + +static int catia_fsync(vfs_handle_struct *handle, files_struct *fsp) +{ + struct catia_cache *cc = NULL; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_FSYNC(handle, fsp); - return status; + 
CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return ret; } -static NTSTATUS catia_fset_nt_acl(vfs_handle_struct *handle, files_struct *fsp, uint32_t security_info_sent, const struct security_descriptor *psd) +struct catia_fsync_state { + int ret; + struct vfs_aio_state vfs_aio_state; + struct files_struct *fsp; + struct catia_cache *cc; +}; + +static void catia_fsync_done(struct tevent_req *subreq); + +static struct tevent_req *catia_fsync_send(struct vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct files_struct *fsp) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - NTSTATUS status; + struct tevent_req *req = NULL, *subreq = NULL; + struct catia_fsync_state *state = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + req = tevent_req_create(mem_ctx, &state, + struct catia_fsync_state); + if (req == NULL) { + return NULL; } + state->fsp = fsp; - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ret = CATIA_FETCH_FSP_PRE_NEXT(state, handle, fsp, &state->cc); + if (ret != 0) { + tevent_req_error(req, errno); + return tevent_req_post(req, ev); + } - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + subreq = SMB_VFS_NEXT_FSYNC_SEND(state, ev, handle, fsp); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); } + tevent_req_set_callback(subreq, catia_fsync_done, req); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return req; +} - status = SMB_VFS_NEXT_FSET_NT_ACL(handle, fsp, 
security_info_sent, psd); +static void catia_fsync_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct catia_fsync_state *state = tevent_req_data( + req, struct catia_fsync_state); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; - } + state->ret = SMB_VFS_FSYNC_RECV(subreq, &state->vfs_aio_state); + TALLOC_FREE(subreq); -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + CATIA_FETCH_FSP_POST_NEXT(&state->cc, state->fsp); - return status; + tevent_req_done(req); } -static NTSTATUS catia_fset_dos_attributes(struct vfs_handle_struct *handle, - struct files_struct *fsp, - uint32_t dosmode) +static int catia_fsync_recv(struct tevent_req *req, + struct vfs_aio_state *vfs_aio_state) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - NTSTATUS status; + struct catia_fsync_state *state = tevent_req_data( + req, struct catia_fsync_state); - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + if (tevent_req_is_unix_error(req, &vfs_aio_state->error)) { + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + *vfs_aio_state = state->vfs_aio_state; + return state->ret; +} + +static bool catia_lock(vfs_handle_struct *handle, + files_struct *fsp, + int op, + off_t offset, + off_t count, + int type) +{ + struct catia_cache *cc = NULL; + bool ok; + int ret; - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; + ret = 
CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + ok = SMB_VFS_NEXT_LOCK(handle, fsp, op, offset, count, type); - status = SMB_VFS_NEXT_FSET_DOS_ATTRIBUTES(handle, fsp, dosmode); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + return ok; +} + +static int catia_kernel_flock(struct vfs_handle_struct *handle, + struct files_struct *fsp, + uint32_t share_mode, + uint32_t access_mask) +{ + struct catia_cache *cc = NULL; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ret = SMB_VFS_NEXT_KERNEL_FLOCK(handle, fsp, share_mode, access_mask); - return status; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return ret; } -static NTSTATUS catia_fget_dos_attributes(struct vfs_handle_struct *handle, - struct files_struct *fsp, - uint32_t *dosmode) +static int catia_linux_setlease(vfs_handle_struct *handle, + files_struct *fsp, + int leasetype) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - NTSTATUS status; + struct catia_cache *cc = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ret = SMB_VFS_NEXT_LINUX_SETLEASE(handle, fsp, leasetype); - 
tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return ret; +} - status = SMB_VFS_NEXT_FGET_DOS_ATTRIBUTES(handle, fsp, dosmode); +static bool catia_getlock(vfs_handle_struct *handle, + files_struct *fsp, + off_t *poffset, + off_t *pcount, + int *ptype, + pid_t *ppid) +{ + struct catia_cache *cc = NULL; + int ret; + bool ok; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + ok = SMB_VFS_NEXT_GETLOCK(handle, fsp, poffset, pcount, ptype, ppid); - return status; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return ok; } -static int catia_fchown(vfs_handle_struct *handle, files_struct *fsp, uid_t uid, gid_t gid) +static bool catia_strict_lock(struct vfs_handle_struct *handle, + struct files_struct *fsp, + struct lock_struct *plock) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + struct catia_cache *cc = NULL; + int ret; + bool ok; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return -1; } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; - } + ok = SMB_VFS_NEXT_STRICT_LOCK(handle, fsp, plock); - tmp_base_fname = 
fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; - } + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + return ok; +} - ret = SMB_VFS_NEXT_FCHOWN(handle, fsp, uid, gid); +static void catia_strict_unlock(struct vfs_handle_struct *handle, + struct files_struct *fsp, + struct lock_struct *plock) +{ + struct catia_cache *cc = NULL; + int ret; - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + smb_panic("CATIA_FETCH_FSP_PRE_NEXT failed\n"); } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + SMB_VFS_NEXT_STRICT_UNLOCK(handle, fsp, plock); - return ret; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); } -static int catia_fchmod(vfs_handle_struct *handle, files_struct *fsp, mode_t mode) +static NTSTATUS catia_fsctl(struct vfs_handle_struct *handle, + struct files_struct *fsp, + TALLOC_CTX *ctx, + uint32_t function, + uint16_t req_flags, + const uint8_t *_in_data, + uint32_t in_len, + uint8_t **_out_data, + uint32_t max_out_len, + uint32_t *out_len) { - char *fname = NULL; - char *tmp_fname = NULL; - char *base_fname = NULL; - char *tmp_base_fname = NULL; - int ret = -1; - NTSTATUS status; + NTSTATUS result; + struct catia_cache *cc = NULL; + int ret; - status = catia_string_replace_allocate(handle->conn, - fsp->fsp_name->base_name, - &fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = map_errno_from_nt_status(status); - goto done; + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } - if (fsp->base_fsp != NULL) { - status = catia_string_replace_allocate( - handle->conn, - fsp->base_fsp->fsp_name->base_name, - &base_fname, vfs_translate_to_unix); - if (!NT_STATUS_IS_OK(status)) { - errno = 
map_errno_from_nt_status(status); - goto done; - } + result = SMB_VFS_NEXT_FSCTL(handle, + fsp, + ctx, + function, + req_flags, + _in_data, + in_len, + _out_data, + max_out_len, + out_len); + + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return result; +} - tmp_base_fname = fsp->base_fsp->fsp_name->base_name; - fsp->base_fsp->fsp_name->base_name = base_fname; +static NTSTATUS catia_get_compression(vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct files_struct *fsp, + struct smb_filename *smb_fname, + uint16_t *_compression_fmt) +{ + NTSTATUS result; + struct catia_cache *cc = NULL; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } - tmp_fname = fsp->fsp_name->base_name; - fsp->fsp_name->base_name = fname; + result = SMB_VFS_NEXT_GET_COMPRESSION(handle, mem_ctx, fsp, smb_fname, + _compression_fmt); - ret = SMB_VFS_NEXT_FCHMOD(handle, fsp, mode); + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); - fsp->fsp_name->base_name = tmp_fname; - if (fsp->base_fsp != NULL) { - fsp->base_fsp->fsp_name->base_name = tmp_base_fname; + return result; +} + +static NTSTATUS catia_set_compression(vfs_handle_struct *handle, + TALLOC_CTX *mem_ctx, + struct files_struct *fsp, + uint16_t compression_fmt) +{ + NTSTATUS result; + struct catia_cache *cc = NULL; + int ret; + + ret = CATIA_FETCH_FSP_PRE_NEXT(talloc_tos(), handle, fsp, &cc); + if (ret != 0) { + return map_nt_error_from_unix(errno); } -done: - TALLOC_FREE(fname); - TALLOC_FREE(base_fname); + result = SMB_VFS_NEXT_SET_COMPRESSION(handle, mem_ctx, fsp, + compression_fmt); - return ret; + CATIA_FETCH_FSP_POST_NEXT(&cc, fsp); + + return result; } static NTSTATUS catia_readdir_attr(struct vfs_handle_struct *handle, 
@@ -2145,54 +2349,81 @@ } static struct vfs_fn_pointers vfs_catia_fns = { + /* Directory operations */ .mkdir_fn = catia_mkdir, .rmdir_fn = catia_rmdir, .opendir_fn = catia_opendir, + .readdir_attr_fn = catia_readdir_attr, + + /* File operations */ .open_fn = catia_open, + .pread_fn = catia_pread, + .pread_send_fn = catia_pread_send, + .pread_recv_fn = catia_pread_recv, + .pwrite_fn = catia_pwrite, + .pwrite_send_fn = catia_pwrite_send, + .pwrite_recv_fn = catia_pwrite_recv, + .lseek_fn = catia_lseek, .rename_fn = catia_rename, + .fsync_fn = catia_fsync, + .fsync_send_fn = catia_fsync_send, + .fsync_recv_fn = catia_fsync_recv, .stat_fn = catia_stat, + .fstat_fn = catia_fstat, .lstat_fn = catia_lstat, .unlink_fn = catia_unlink, + .chmod_fn = catia_chmod, + .fchmod_fn = catia_fchmod, .chown_fn = catia_chown, + .fchown_fn = catia_fchown, .lchown_fn = catia_lchown, - .chmod_fn = catia_chmod, .chdir_fn = catia_chdir, .ntimes_fn = catia_ntimes, + .ftruncate_fn = catia_ftruncate, + .fallocate_fn = catia_fallocate, + .lock_fn = catia_lock, + .kernel_flock_fn = catia_kernel_flock, + .linux_setlease_fn = catia_linux_setlease, + .getlock_fn = catia_getlock, .realpath_fn = catia_realpath, .chflags_fn = catia_chflags, .streaminfo_fn = catia_streaminfo, + .strict_lock_fn = catia_strict_lock, + .strict_unlock_fn = catia_strict_unlock, .translate_name_fn = catia_translate_name, + .fsctl_fn = catia_fsctl, + .get_dos_attributes_fn = catia_get_dos_attributes, + .set_dos_attributes_fn = catia_set_dos_attributes, + .fset_dos_attributes_fn = catia_fset_dos_attributes, + .fget_dos_attributes_fn = catia_fget_dos_attributes, + .get_compression_fn = catia_get_compression, + .set_compression_fn = catia_set_compression, + + /* NT ACL operations. */ .get_nt_acl_fn = catia_get_nt_acl, + .fget_nt_acl_fn = catia_fget_nt_acl, + .fset_nt_acl_fn = catia_fset_nt_acl, + + /* POSIX ACL operations. 
*/ .chmod_acl_fn = catia_chmod_acl, + .fchmod_acl_fn = catia_fchmod_acl, + .sys_acl_get_file_fn = catia_sys_acl_get_file, + .sys_acl_get_fd_fn = catia_sys_acl_get_fd, + .sys_acl_blob_get_fd_fn = catia_sys_acl_blob_get_fd, .sys_acl_set_file_fn = catia_sys_acl_set_file, + .sys_acl_set_fd_fn = catia_sys_acl_set_fd, .sys_acl_delete_def_file_fn = catia_sys_acl_delete_def_file, + + /* EA operations. */ .getxattr_fn = catia_getxattr, .listxattr_fn = catia_listxattr, .removexattr_fn = catia_removexattr, .setxattr_fn = catia_setxattr, - .pread_fn = catia_pread, - .pwrite_fn = catia_pwrite, - .fstat_fn = catia_fstat, - .ftruncate_fn = catia_ftruncate, - .fallocate_fn = catia_fallocate, .fgetxattr_fn = catia_fgetxattr, .flistxattr_fn = catia_flistxattr, .fremovexattr_fn = catia_fremovexattr, .fsetxattr_fn = catia_fsetxattr, - .sys_acl_get_fd_fn = catia_sys_acl_get_fd, - .sys_acl_blob_get_fd_fn = catia_sys_acl_blob_get_fd, - .sys_acl_set_fd_fn = catia_sys_acl_set_fd, - .fchmod_acl_fn = catia_fchmod_acl, - .fget_nt_acl_fn = catia_fget_nt_acl, - .fset_nt_acl_fn = catia_fset_nt_acl, - .get_dos_attributes_fn = catia_get_dos_attributes, - .set_dos_attributes_fn = catia_set_dos_attributes, - .fset_dos_attributes_fn = catia_fset_dos_attributes, - .fget_dos_attributes_fn = catia_fget_dos_attributes, - .fchown_fn = catia_fchown, - .fchmod_fn = catia_fchmod, - .readdir_attr_fn = catia_readdir_attr, }; static_decl_vfs; diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_default.c samba-4.5.8+dfsg/source3/modules/vfs_default.c --- samba-4.5.4+dfsg/source3/modules/vfs_default.c 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_default.c 2017-01-30 09:56:26.000000000 +0000 
@@ -1537,7 +1537,7 @@ saved_errno = errno; } - SMB_VFS_STRICT_UNLOCK(src_fsp->conn, src_fsp, &lck); + SMB_VFS_STRICT_UNLOCK(dest_fsp->conn, dest_fsp, &lck); if (ret == -1) { errno = saved_errno; diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_dirsort.c samba-4.5.8+dfsg/source3/modules/vfs_dirsort.c --- samba-4.5.4+dfsg/source3/modules/vfs_dirsort.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_dirsort.c 2017-03-09 09:21:43.000000000 +0000 @@ -65,8 +65,10 @@ static bool open_and_sort_dir(vfs_handle_struct *handle, struct dirsort_privates *data) { - unsigned int i = 0; - unsigned int total_count = 0; + uint32_t total_count = 0; + /* This should be enough for most use cases */ + uint32_t dirent_allocated = 64; + struct dirent *dp; data->number_of_entries = 0; 
@@ -74,38 +76,51 @@ return false; } - while (SMB_VFS_NEXT_READDIR(handle, data->source_directory, NULL) - != NULL) { - total_count++; - } - - if (total_count == 0) { + dp = SMB_VFS_NEXT_READDIR(handle, data->source_directory, NULL); + if (dp == NULL) { return false; } - /* Open the underlying directory and count the number of entries - Skip back to the beginning as we'll read it again */ - SMB_VFS_NEXT_REWINDDIR(handle, data->source_directory); - /* Set up an array and read the directory entries into it */ TALLOC_FREE(data->directory_list); /* destroy previous cache if needed */ data->directory_list = talloc_zero_array(data, - struct dirent, - total_count); - if (!data->directory_list) { + struct dirent, + dirent_allocated); + if (data->directory_list == NULL) { return false; } - for (i = 0; i < total_count; i++) { - struct dirent *dp = SMB_VFS_NEXT_READDIR(handle, - data->source_directory, - NULL); - if (dp == NULL) { - break; + + do { + if (total_count >= dirent_allocated) { + struct dirent *dlist; + + /* + * Be memory friendly. + * + * We should not double the amount of memory. With a lot + * of files we reach easily 50MB, and doubling will + * get much bigger just for a few files more. + * + * For 200k files this means 50 memory reallocations. + */ + dirent_allocated += 4096; + + dlist = talloc_realloc(data, + data->directory_list, + struct dirent, + dirent_allocated); + if (dlist == NULL) { + break; + } + data->directory_list = dlist; } - data->directory_list[i] = *dp; - } + data->directory_list[total_count] = *dp; + + total_count++; + dp = SMB_VFS_NEXT_READDIR(handle, data->source_directory, NULL); + } while (dp != NULL); - data->number_of_entries = i; + data->number_of_entries = total_count; /* Sort the directory entries by name */ TYPESAFE_QSORT(data->directory_list, data->number_of_entries, compare_dirent); 
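Review bot: When `talloc_realloc` fails inside the new `do { … } while` loop, the `break` falls through to `data->number_of_entries = total_count` and the sort, so `open_and_sort_dir` goes on with a truncated listing as if the directory had been read completely. The initial `talloc_zero_array` failure a few lines earlier returns false, and the growth path should fail the same way: `if (dlist == NULL) { return false; }`. Otherwise a client can be shown a directory with entries missing and no error to explain it. The end of the function lies outside this hunk, so check what the caller does with a false return before changing it.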
@@ -138,6 +153,10 @@ return NULL; } + if (ISDOT(data->smb_fname->base_name)) { + data->smb_fname->base_name = vfs_GetWd(data, handle->conn); + } + /* Open the underlying directory and count the number of entries */ data->source_directory = SMB_VFS_NEXT_OPENDIR(handle, smb_fname, mask, attr); diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_fruit.c samba-4.5.8+dfsg/source3/modules/vfs_fruit.c --- samba-4.5.4+dfsg/source3/modules/vfs_fruit.c 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_fruit.c 2017-03-09 09:21:43.000000000 +0000 @@ -68,7 +68,7 @@ * * The AFP_Resource stream is stored in an AppleDouble file prepending * "._" to the filename. On Solaris with ZFS the stream is optionally - * stored in an EA "org.netatalk.resource". + * stored in an EA "org.netatalk.ressource". * * * Extended Attributes @@ -94,6 +94,11 @@ static int vfs_fruit_debug_level = DBGC_VFS; +static struct global_fruit_config { + bool nego_aapl; /* client negotiated AAPL */ + +} global_fruit_config; + #undef DBGC_CLASS #define DBGC_CLASS vfs_fruit_debug_level @@ -126,7 +131,6 @@ enum fruit_locking locking; enum fruit_encoding encoding; bool use_aapl; /* config from smb.conf */ - bool nego_aapl; /* client negotiated AAPL */ bool use_copyfile; bool readdir_attr_enabled; bool unix_info_enabled; @@ -378,7 +382,7 @@ {0, 0, 0} }; -/* AppleDouble resource fork file (the ones prefixed by "._") */ +/* AppleDouble ressource fork file (the ones prefixed by "._") */ static const struct ad_entry_order entry_order_dot_und[ADEID_NUM_DOT_UND + 1] = { {ADEID_FINDERI, ADEDOFF_FINDERI_DOT_UND, ADEDLEN_FINDERI}, 
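Review bot: The result of `vfs_GetWd(data, handle->conn)` is stored straight into `data->smb_fname->base_name` with no NULL check, so a failed working-directory lookup leaves the cached name NULL for whatever reads it later. Bail out the way the preceding error path does, e.g. `if (data->smb_fname->base_name == NULL) { TALLOC_FREE(data); return NULL; }`, assuming that earlier path also releases `data`. The enclosing function starts and ends outside this hunk, so the exact cleanup has to be taken from the full file.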
@@ -387,8 +391,8 @@ }; /* - * Fake AppleDouble entry oder for resource fork xattr. The xattr - * isn't an AppleDouble file, it simply contains the resource data, + * Fake AppleDouble entry oder for ressource fork xattr. The xattr + * isn't an AppleDouble file, it simply contains the ressource data, * but in order to be able to use some API calls like ad_getentryoff() * we build a fake/helper struct adouble with this entry order struct. */ @@ -1433,9 +1437,11 @@ switch (ad->ad_type) { case ADOUBLE_META: - rc = SMB_VFS_FSETXATTR(fsp, AFPINFO_EA_NETATALK, - ad->ad_data, - AD_DATASZ_XATTR, 0); + rc = SMB_VFS_NEXT_FSETXATTR(ad->ad_handle, + fsp, + AFPINFO_EA_NETATALK, + ad->ad_data, + AD_DATASZ_XATTR, 0); break; case ADOUBLE_RSRC: @@ -1551,9 +1557,12 @@ } config->encoding = (enum fruit_encoding)enumval; - config->veto_appledouble = lp_parm_bool( - SNUM(handle->conn), FRUIT_PARAM_TYPE_NAME, - "veto_appledouble", true); + if (config->rsrc == FRUIT_RSRC_ADFILE) { + config->veto_appledouble = lp_parm_bool(SNUM(handle->conn), + FRUIT_PARAM_TYPE_NAME, + "veto_appledouble", + true); + } config->use_aapl = lp_parm_bool( -1, FRUIT_PARAM_TYPE_NAME, "aapl", true); @@ -2211,7 +2220,7 @@ SMB2_CREATE_TAG_AAPL, blob); if (NT_STATUS_IS_OK(status)) { - config->nego_aapl = true; + global_fruit_config.nego_aapl = true; } return status; @@ -2640,29 +2649,23 @@ written = SMB_VFS_NEXT_PWRITE(handle, fsp, afpinfo_buf, AFP_INFO_SIZE, 0); + fsp->fh->fd = -1; if (written != AFP_INFO_SIZE) { DBG_ERR("bad write [%zd/%d]\n", written, AFP_INFO_SIZE); rc = -1; goto fail; } - /* Reset fd, set above just for SMB_VFS_NEXT_PWRITE() */ - fsp->fh->fd = -1; - rc = 0; + fail: DBG_DEBUG("rc=%d, fd=%d\n", rc, hostfd); if (rc != 0) { int saved_errno = errno; if (hostfd >= 0) { - /* - * BUGBUGBUG -- we would need to call - * fd_close_posix here, but we don't have a - * full fsp yet - */ fsp->fh->fd = hostfd; - SMB_VFS_CLOSE(fsp); + SMB_VFS_NEXT_CLOSE(handle, fsp); } hostfd = -1; errno = saved_errno; 
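Review bot: With the new `if (config->rsrc == FRUIT_RSRC_ADFILE)` guard, `config->veto_appledouble` is assigned on one branch only, so for every other resource mode its value depends on how `config` was allocated, which this hunk does not show. An explicit `else { config->veto_appledouble = false; }` would make the intended default visible and independent of the allocator. The enclosing function starts and ends outside the hunk.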
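Review bot: In the `fail:` path of the hunk at `@@ -2640,29 +2649,23 @@` the descriptor is put back with `fsp->fh->fd = hostfd;` and closed through `SMB_VFS_NEXT_CLOSE(handle, fsp)`, but nothing visible resets `fsp->fh->fd` afterwards, so the fsp may keep the number of a closed descriptor. The success path now clears it right after the write; the error path should do the same after the close, unless the close implementation is known to clear it: `fsp->fh->fd = -1;`. A stale number can later alias an unrelated descriptor opened by the same process. The same sequence appears in the hunk at `@@ -2761,7 +2764,7 @@`, and the function continues past both hunks.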
@@ -2706,8 +2709,8 @@ baseflags &= ~O_EXCL; baseflags &= ~O_CREAT; - hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp, - baseflags, mode); + hostfd = SMB_VFS_NEXT_OPEN(handle, smb_fname_base, fsp, + baseflags, mode); /* * It is legit to open a stream on a directory, but the base @@ -2716,8 +2719,8 @@ if ((hostfd == -1) && (errno == EISDIR)) { baseflags &= ~O_ACCMODE; baseflags |= O_RDONLY; - hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp, - baseflags, mode); + hostfd = SMB_VFS_NEXT_OPEN(handle, smb_fname_base, fsp, + baseflags, mode); } TALLOC_FREE(smb_fname_base); @@ -2761,7 +2764,7 @@ * full fsp yet */ fsp->fh->fd = hostfd; - SMB_VFS_CLOSE(fsp); + SMB_VFS_NEXT_CLOSE(handle, fsp); } hostfd = -1; errno = saved_errno; @@ -2827,15 +2830,9 @@ SMB_VFS_HANDLE_GET_DATA(handle, config, struct fruit_config_data, return -1); - if (!(flags & O_CREAT) && !VALID_STAT(smb_fname->st)) { - rc = SMB_VFS_NEXT_STAT(handle, smb_fname); - if (rc != 0) { - rc = -1; - goto exit; - } - } - - if (VALID_STAT(smb_fname->st) && S_ISDIR(smb_fname->st.st_ex_mode)) { + if ((!(flags & O_CREAT)) && + S_ISDIR(fsp->base_fsp->fsp_name->st.st_ex_mode)) + { /* sorry, but directories don't habe a resource fork */ rc = -1; goto exit; @@ -2865,8 +2862,8 @@ flags |= O_RDWR; } - hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp, - flags, mode); + hostfd = SMB_VFS_NEXT_OPEN(handle, smb_fname_base, fsp, + flags, mode); if (hostfd == -1) { rc = -1; goto exit; @@ -3230,7 +3227,12 @@ const struct smb_filename *smb_fname, bool force_unlink) { - /* Nothing to do here, removing the file will remove the xattr */ + /* + * OS X ignores resource fork stream delete requests, so nothing to do + * here. Removing the file will remove the xattr anyway, so we don't + * have to take care of removing 0 byte resource forks that could be + * left behind. + */ return 0; } 
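Review bot: The new directory test in the hunk at `@@ -2827,15 +2830,9 @@` reads `fsp->base_fsp->fsp_name->st.st_ex_mode` without checking that `fsp->base_fsp` is set or that its stat is valid, whereas the code it replaces tested `VALID_STAT(smb_fname->st)` first. If this open path can be reached before a base fsp is attached, that is a NULL dereference in the server process; a guard keeps the check safe: `if (!(flags & O_CREAT) && fsp->base_fsp != NULL && S_ISDIR(fsp->base_fsp->fsp_name->st.st_ex_mode))`. Whether `base_fsp` is always populated here cannot be told from the hunk, so treat this as something to confirm against the callers. The comment below the test also carries a typo (`habe`).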
@@ -4236,15 +4238,11 @@ static int fruit_fstat_meta(vfs_handle_struct *handle, files_struct *fsp, - SMB_STRUCT_STAT *sbuf) + SMB_STRUCT_STAT *sbuf, + struct fio *fio) { - struct fio *fio = (struct fio *)VFS_FETCH_FSP_EXTENSION(handle, fsp); int ret; - if (fio == NULL) { - return SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); - } - DBG_DEBUG("Path [%s]\n", fsp_str_dbg(fsp)); switch (fio->config->meta) { @@ -4310,9 +4308,8 @@ } static int fruit_fstat_rsrc(vfs_handle_struct *handle, files_struct *fsp, - SMB_STRUCT_STAT *sbuf) + SMB_STRUCT_STAT *sbuf, struct fio *fio) { - struct fio *fio = (struct fio *)VFS_FETCH_FSP_EXTENSION(handle, fsp); int ret; switch (fio->config->rsrc) { @@ -4349,9 +4346,9 @@ DBG_DEBUG("Path [%s]\n", fsp_str_dbg(fsp)); if (fio->type == ADOUBLE_META) { - rc = fruit_fstat_meta(handle, fsp, sbuf); + rc = fruit_fstat_meta(handle, fsp, sbuf, fio); } else { - rc = fruit_fstat_rsrc(handle, fsp, sbuf); + rc = fruit_fstat_rsrc(handle, fsp, sbuf, fio); } if (rc == 0) { @@ -4435,6 +4432,13 @@ int i; bool ok; + /* Remove the Netatalk xattr from the list */ + ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, + ":" NETATALK_META_XATTR ":$DATA"); + if (!ok) { + return NT_STATUS_NO_MEMORY; + } + /* * Check if there's a AFPINFO_STREAM from the VFS streams * backend and if yes, remove it from the list @@ -4476,13 +4480,6 @@ return NT_STATUS_NO_MEMORY; } - /* Remove the Netatalk xattr from the list */ - ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, - ":" NETATALK_META_XATTR ":$DATA"); - if (!ok) { - return NT_STATUS_NO_MEMORY; - } - return NT_STATUS_OK; } 
@@ -4563,9 +4560,33 @@ unsigned int *pnum_streams, struct stream_struct **pstreams) { + struct stream_struct *stream = *pstreams; + unsigned int num_streams = *pnum_streams; struct adouble *ad = NULL; bool ok; size_t rlen; + int i; + + /* + * Check if there's a AFPRESOURCE_STREAM from the VFS streams backend + * and if yes, remove it from the list + */ + for (i = 0; i < num_streams; i++) { + if (strequal_m(stream[i].name, AFPRESOURCE_STREAM)) { + break; + } + } + + if (i < num_streams) { + DBG_WARNING("Unexpected AFPRESOURCE_STREAM on [%s]\n", + smb_fname_str_dbg(smb_fname)); + + ok = del_fruit_stream(mem_ctx, pnum_streams, pstreams, + AFPRESOURCE_STREAM); + if (!ok) { + return NT_STATUS_INTERNAL_ERROR; + } + } ad = ad_get(talloc_tos(), handle, smb_fname->base_name, ADOUBLE_RSRC); @@ -4730,7 +4751,10 @@ return SMB_VFS_FREMOVEXATTR(fsp, AFPRESOURCE_EA_NETATALK); } +#ifdef HAVE_ATTROPEN return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, offset); +#endif + return 0; } static int fruit_ftruncate_rsrc_adouble(struct vfs_handle_struct *handle, @@ -4898,7 +4922,7 @@ fsp = *result; - if (config->nego_aapl) { + if (global_fruit_config.nego_aapl) { if (config->copyfile_enabled) { /* * Set a flag in the fsp. Gets used in @@ -4975,7 +4999,7 @@ struct fruit_config_data, return NT_STATUS_UNSUCCESSFUL); - if (!config->use_aapl) { + if (!global_fruit_config.nego_aapl) { return SMB_VFS_NEXT_READDIR_ATTR(handle, fname, mem_ctx, pattr_data); } diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_shadow_copy2.c samba-4.5.8+dfsg/source3/modules/vfs_shadow_copy2.c --- samba-4.5.4+dfsg/source3/modules/vfs_shadow_copy2.c 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_shadow_copy2.c 2017-03-09 09:21:43.000000000 +0000 @@ -35,6 +35,7 @@ #include "system/filesys.h" #include "include/ntioctl.h" #include "util_tdb.h" +#include "lib/util_path.h" struct shadow_copy2_config { char *gmt_format; 
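Review bot: The new loop declares `int i` but compares it with `unsigned int num_streams`, a signed/unsigned comparison that `-Wsign-compare` reports; `unsigned int i;` matches the counter it is tested against. The failure of `del_fruit_stream` is returned here as `NT_STATUS_INTERNAL_ERROR`, while the same call in the hunk at `@@ -4435,6 +4432,13 @@` returns `NT_STATUS_NO_MEMORY`. Pick one status for both so callers and logs see the same failure reported the same way.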
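Review bot: In the hunk at `@@ -4730,7 +4751,10 @@`, a build without `HAVE_ATTROPEN` now reaches `return 0;` without truncating anything, so the request is reported as successful with no effect, and nothing in the code says why that is correct. A comment above it would settle the question, for example `/* No attropen(): the resource fork lives in an xattr, nothing to truncate here. */`, if that is indeed the reason. Using `#else` before `return 0;` would also avoid leaving an unreachable statement when the macro is defined. The condition guarding the earlier `SMB_VFS_FREMOVEXATTR` return is outside the hunk.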
@@ -74,6 +75,11 @@ struct shadow_copy2_private { struct shadow_copy2_config *config; struct shadow_copy2_snaplist_info *snaps; + char *shadow_cwd; /* Absolute $cwd path. */ + /* Absolute connectpath - can vary depending on $cwd. */ + char *shadow_connectpath; + /* malloc'ed realpath return. */ + char *shadow_realpath; }; static int shadow_copy2_get_shadow_copy_data( 
@@ -404,79 +410,254 @@ return result; } +static char *make_path_absolute(TALLOC_CTX *mem_ctx, + struct shadow_copy2_private *priv, + const char *name) +{ + char *newpath = NULL; + char *abs_path = NULL; + + if (name[0] != '/') { + newpath = talloc_asprintf(mem_ctx, + "%s/%s", + priv->shadow_cwd, + name); + if (newpath == NULL) { + return NULL; + } + name = newpath; + } + abs_path = canonicalize_absolute_path(mem_ctx, name); + TALLOC_FREE(newpath); + return abs_path; +} + +/* Return a $cwd-relative path. */ +static bool make_relative_path(const char *cwd, char *abs_path) +{ + size_t cwd_len = strlen(cwd); + size_t abs_len = strlen(abs_path); + + if (abs_len < cwd_len) { + return false; + } + if (memcmp(abs_path, cwd, cwd_len) != 0) { + return false; + } + if (abs_path[cwd_len] != '/' && abs_path[cwd_len] != '\0') { + return false; + } + if (abs_path[cwd_len] == '/') { + cwd_len++; + } + memmove(abs_path, &abs_path[cwd_len], abs_len + 1 - cwd_len); + return true; +} + +static bool shadow_copy2_snapshot_to_gmt(vfs_handle_struct *handle, + const char *name, + char *gmt, size_t gmt_len); + +/* + * Check if an incoming filename is already a snapshot converted pathname. + * + * If so, it returns the pathname truncated at the snapshot point which + * will be used as the connectpath. + */ + +static int check_for_converted_path(TALLOC_CTX *mem_ctx, + struct vfs_handle_struct *handle, + struct shadow_copy2_private *priv, + char *abs_path, + bool *ppath_already_converted, + char **pconnectpath) +{ + size_t snapdirlen = 0; + char *p = strstr_m(abs_path, priv->config->snapdir); + char *q = NULL; + char *connect_path = NULL; + char snapshot[GMT_NAME_LEN+1]; + + *ppath_already_converted = false; + + if (p == NULL) { + /* Must at least contain shadow:snapdir. */ + return 0; + } + + if (priv->config->snapdir[0] == '/' && + p != abs_path) { + /* Absolute shadow:snapdir must be at the start. 
*/ + return 0; + } + + snapdirlen = strlen(priv->config->snapdir); + if (p[snapdirlen] != '/') { + /* shadow:snapdir must end as a separate component. */ + return 0; + } + + if (p > abs_path && p[-1] != '/') { + /* shadow:snapdir must start as a separate component. */ + return 0; + } + + p += snapdirlen; + p++; /* Move past the / */ + + /* + * Need to return up to the next path + * component after the time. + * This will be used as the connectpath. + */ + q = strchr(p, '/'); + if (q == NULL) { + /* + * No next path component. + * Use entire string. + */ + connect_path = talloc_strdup(mem_ctx, + abs_path); + } else { + connect_path = talloc_strndup(mem_ctx, + abs_path, + q - abs_path); + } + if (connect_path == NULL) { + return ENOMEM; + } + + /* + * Point p at the same offset in connect_path as + * it is in abs_path. + */ + + p = &connect_path[p - abs_path]; + + /* + * Now ensure there is a time string at p. + * The SMB-format @GMT-token string is returned + * in snapshot. + */ + + if (!shadow_copy2_snapshot_to_gmt(handle, + p, + snapshot, + sizeof(snapshot))) { + TALLOC_FREE(connect_path); + return 0; + } + + if (pconnectpath != NULL) { + *pconnectpath = connect_path; + } + + *ppath_already_converted = true; + + DBG_DEBUG("path |%s| is already converted. " + "connect path = |%s|\n", + abs_path, + connect_path); + + return 0; +} + /** - * Strip a snapshot component from a filename as - * handed in via the smb layer. - * Returns the parsed timestamp and the stripped filename. + * This function does two things. + * + * 1). Checks if an incoming filename is already a + * snapshot converted pathname. + * If so, it returns the pathname truncated + * at the snapshot point which will be used + * as the connectpath, and then does an early return. + * + * 2). Checks if an incoming filename contains an + * SMB-layer @GMT- style timestamp. + * If so, it strips the timestamp, and returns + * both the timestamp and the stripped path + * (making it cwd-relative). 
*/ -static bool shadow_copy2_strip_snapshot(TALLOC_CTX *mem_ctx, + +static bool shadow_copy2_strip_snapshot_internal(TALLOC_CTX *mem_ctx, struct vfs_handle_struct *handle, - const char *name, + const char *orig_name, time_t *ptimestamp, - char **pstripped) + char **pstripped, + char **psnappath) { struct tm tm; - time_t timestamp; + time_t timestamp = 0; const char *p; char *q; - char *stripped; + char *stripped = NULL; size_t rest_len, dst_len; struct shadow_copy2_private *priv; - const char *snapdir; - ssize_t snapdirlen; ptrdiff_t len_before_gmt; + const char *name = orig_name; + char *abs_path = NULL; + bool ret = true; + bool already_converted = false; + int err = 0; SMB_VFS_HANDLE_GET_DATA(handle, priv, struct shadow_copy2_private, return false); DEBUG(10, (__location__ ": enter path '%s'\n", name)); + abs_path = make_path_absolute(mem_ctx, priv, name); + if (abs_path == NULL) { + ret = false; + goto out; + } + name = abs_path; + + DEBUG(10, (__location__ ": abs path '%s'\n", name)); + + err = check_for_converted_path(mem_ctx, + handle, + priv, + abs_path, + &already_converted, + psnappath); + if (err != 0) { + /* error in conversion. */ + ret = false; + goto out; + } + + if (already_converted) { + goto out; + } + + /* + * From here we're only looking to strip an + * SMB-layer @GMT- token. + */ + p = strstr_m(name, "@GMT-"); if (p == NULL) { DEBUG(11, ("@GMT not found\n")); - goto no_snapshot; + goto out; } if ((p > name) && (p[-1] != '/')) { /* the GMT-token does not start a path-component */ DEBUG(10, ("not at start, p=%p, name=%p, p[-1]=%d\n", p, name, (int)p[-1])); - goto no_snapshot; + goto out; } - /* - * Figure out whether we got an already converted string. One - * case where this happens is in a smb2 create call with the - * mxac create blob set. We do the get_acl call on - * fsp->fsp_name, which is already converted. We are converted - * if we got a file name of the form ".snapshots/@GMT-", - * i.e. ".snapshots/" precedes "p". 
- */ - - snapdir = lp_parm_const_string(SNUM(handle->conn), "shadow", "snapdir", - ".snapshots"); - snapdirlen = strlen(snapdir); len_before_gmt = p - name; - if ((len_before_gmt >= (snapdirlen + 1)) && (p[-1] == '/')) { - const char *parent_snapdir = p - (snapdirlen+1); - - DEBUG(10, ("parent_snapdir = %s\n", parent_snapdir)); - - if (strncmp(parent_snapdir, snapdir, snapdirlen) == 0) { - DEBUG(10, ("name=%s is already converted\n", name)); - goto no_snapshot; - } - } q = strptime(p, GMT_FORMAT, &tm); if (q == NULL) { DEBUG(10, ("strptime failed\n")); - goto no_snapshot; + goto out; } tm.tm_isdst = -1; timestamp = timegm(&tm); if (timestamp == (time_t)-1) { DEBUG(10, ("timestamp==-1\n")); - goto no_snapshot; + goto out; } if (q[0] == '\0') { /* @@ -496,12 +677,24 @@ stripped = talloc_strndup(mem_ctx, name, len_before_gmt); if (stripped == NULL) { - return false; + ret = false; + goto out; + } + if (orig_name[0] != '/') { + if (make_relative_path(priv->shadow_cwd, + stripped) == false) { + DEBUG(10, (__location__ ": path '%s' " + "doesn't start with cwd '%s\n", + stripped, priv->shadow_cwd)); + ret = false; + errno = ENOENT; + goto out; + } } *pstripped = stripped; } *ptimestamp = timestamp; - return true; + goto out; } if (q[0] != '/') { /* 
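Review bot: `check_for_converted_path` examines only the first `strstr_m` match of `priv->config->snapdir` in `abs_path`; when that match fails the component checks (`p[snapdirlen] != '/'` or `p[-1] != '/'`) it returns "not converted" without looking for a later occurrence. A path whose earlier component merely contains the snapdir string would then hide a real snapshot component further along, and the rename, link and symlink handlers later in this diff depend on this detection to refuse writes on converted paths. At minimum record the limitation next to the first check, e.g. `/* Only the first occurrence of shadow:snapdir in abs_path is considered. */`, and consider retrying the search from `p + 1` when snapdir is relative. The impact is inferred from the visible code and depends on how names reach this function.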
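Review bot: The allocation-failure branch `if (stripped == NULL) { ret = false; goto out; }` in the hunk at `@@ -496,12 +677,24 @@` leaves `errno` at whatever the allocator happened to set, while the `make_relative_path` failure just below it sets `errno = ENOENT` explicitly. The hunk at `@@ -509,75 +702,18 @@` goes further and drops the `errno = ENOMEM;` that the old code had before its `return false`. Callers in this file turn a false return into `-1`, so set the value explicitly in both places: `errno = ENOMEM;` before `ret = false;`.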
@@ -509,75 +702,18 @@ * component continues after the gmt-token. */ DEBUG(10, ("q[0] = %d\n", (int)q[0])); - goto no_snapshot; + goto out; } q += 1; rest_len = strlen(q); dst_len = len_before_gmt + rest_len; - if (priv->config->snapdirseverywhere) { - char *insert; - bool have_insert; - insert = shadow_copy2_insert_string(talloc_tos(), handle, - timestamp); - if (insert == NULL) { - errno = ENOMEM; - return false; - } - - DEBUG(10, (__location__ ": snapdirseverywhere mode.\n" - "path '%s'.\n" - "insert string '%s'\n", name, insert)); - - have_insert = (strstr(name, insert+1) != NULL); - DEBUG(10, ("have_insert=%d, name=%s, insert+1=%s\n", - (int)have_insert, name, insert+1)); - if (have_insert) { - DEBUG(10, (__location__ ": insert string '%s' found in " - "path '%s' found in snapdirseverywhere mode " - "==> already converted\n", insert, name)); - TALLOC_FREE(insert); - goto no_snapshot; - } - TALLOC_FREE(insert); - } else { - char *snapshot_path; - char *s; - - snapshot_path = shadow_copy2_snapshot_path(talloc_tos(), - handle, - timestamp); - if (snapshot_path == NULL) { - errno = ENOMEM; - return false; - } - - DEBUG(10, (__location__ " path: '%s'.\n" - "snapshot path: '%s'\n", name, snapshot_path)); - - s = strstr(name, snapshot_path); - if (s == name) { - /* - * this starts with "snapshot_basepath/GMT-Token" - * so it is already a converted absolute - * path. Don't process further. - */ - DEBUG(10, (__location__ ": path '%s' starts with " - "snapshot path '%s' (not in " - "snapdirseverywhere mode) ==> " - "already converted\n", name, snapshot_path)); - talloc_free(snapshot_path); - goto no_snapshot; - } - talloc_free(snapshot_path); - } - if (pstripped != NULL) { stripped = talloc_array(mem_ctx, char, dst_len+1); if (stripped == NULL) { - errno = ENOMEM; - return false; + ret = false; + goto out; } if (p > name) { memcpy(stripped, name, len_before_gmt); 
@@ -586,13 +722,39 @@ memcpy(stripped + len_before_gmt, q, rest_len); } stripped[dst_len] = '\0'; + if (orig_name[0] != '/') { + if (make_relative_path(priv->shadow_cwd, + stripped) == false) { + DEBUG(10, (__location__ ": path '%s' " + "doesn't start with cwd '%s\n", + stripped, priv->shadow_cwd)); + ret = false; + errno = ENOENT; + goto out; + } + } *pstripped = stripped; } *ptimestamp = timestamp; - return true; -no_snapshot: - *ptimestamp = 0; - return true; + ret = true; + + out: + TALLOC_FREE(abs_path); + return ret; +} + +static bool shadow_copy2_strip_snapshot(TALLOC_CTX *mem_ctx, + struct vfs_handle_struct *handle, + const char *orig_name, + time_t *ptimestamp, + char **pstripped) +{ + return shadow_copy2_strip_snapshot_internal(mem_ctx, + handle, + orig_name, + ptimestamp, + pstripped, + NULL); } static char *shadow_copy2_find_mount_point(TALLOC_CTX *mem_ctx, @@ -646,7 +808,8 @@ char *insert = NULL; char *converted = NULL; size_t insertlen, connectlen = 0; - int i, saved_errno; + int saved_errno = 0; + int i; size_t min_offset; struct shadow_copy2_config *config; struct shadow_copy2_private *priv; @@ -832,12 +995,16 @@ errno = ENOENT; } fail: - saved_errno = errno; + if (result == NULL) { + saved_errno = errno; + } TALLOC_FREE(converted); TALLOC_FREE(insert); TALLOC_FREE(slashes); TALLOC_FREE(path); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return result; } @@ -893,10 +1060,10 @@ const char *mask, uint32_t attr) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; DIR *ret; - int saved_errno; + int saved_errno = 0; char *conv; struct smb_filename *conv_smb_fname = NULL; @@ -925,10 +1092,14 @@ return NULL; } ret = SMB_VFS_NEXT_OPENDIR(handle, conv_smb_fname, mask, attr); - saved_errno = errno; + if (ret == NULL) { + saved_errno = errno; + } TALLOC_FREE(conv); TALLOC_FREE(conv_smb_fname); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } 
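Review bot: The `out:` label returns `ret` without storing anything to `*ptimestamp`, whereas the removed `no_snapshot:` label wrote `*ptimestamp = 0` on every no-snapshot exit. The callers changed in this diff now initialise their `timestamp` to 0, but a caller that was not updated would read an indeterminate value and could take or skip its `timestamp != 0` branch, which is what decides the read-only refusal. Setting the out-parameter in the callee keeps the old contract: `*ptimestamp = 0;` at the top of `shadow_copy2_strip_snapshot_internal`. The function begins in an earlier hunk.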
@@ -936,16 +1107,19 @@ const struct smb_filename *smb_fname_src, const struct smb_filename *smb_fname_dst) { - time_t timestamp_src, timestamp_dst; + time_t timestamp_src = 0; + time_t timestamp_dst = 0; + char *snappath_src = NULL; + char *snappath_dst = NULL; - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, smb_fname_src->base_name, - ×tamp_src, NULL)) { + ×tamp_src, NULL, &snappath_src)) { return -1; } - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, smb_fname_dst->base_name, - ×tamp_dst, NULL)) { + ×tamp_dst, NULL, &snappath_dst)) { return -1; } if (timestamp_src != 0) { 
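Review bot: `snappath_src` and `snappath_dst` are filled by shadow_copy2_strip_snapshot_internal() but no return path in this function releases them, including the early `return -1` when the second call fails after the first succeeded. The helper's body is not in this hunk, so it is an assumption that they are allocated on the `talloc_tos()` frame passed in and reclaimed with it. Since only their NULL-ness is consulted (in the following hunk), either `TALLOC_FREE` both before returning or state the ownership in a comment such as `/* snappath_* live on talloc_tos(); only tested for NULL */`. The same applies to shadow_copy2_symlink and shadow_copy2_link in the next hunk; the function signature itself is outside this hunk.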
@@ -956,55 +1130,88 @@ errno = EROFS; return -1; } + /* + * Don't allow rename on already converted paths. + */ + if (snappath_src != NULL) { + errno = EXDEV; + return -1; + } + if (snappath_dst != NULL) { + errno = EROFS; + return -1; + } return SMB_VFS_NEXT_RENAME(handle, smb_fname_src, smb_fname_dst); } static int shadow_copy2_symlink(vfs_handle_struct *handle, const char *oldname, const char *newname) { - time_t timestamp_old, timestamp_new; + time_t timestamp_old = 0; + time_t timestamp_new = 0; + char *snappath_old = NULL; + char *snappath_new = NULL; - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, oldname, - ×tamp_old, NULL)) { + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, oldname, + ×tamp_old, NULL, &snappath_old)) { return -1; } - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, newname, - ×tamp_new, NULL)) { + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, newname, + ×tamp_new, NULL, &snappath_new)) { return -1; } if ((timestamp_old != 0) || (timestamp_new != 0)) { errno = EROFS; return -1; } + /* + * Don't allow symlinks on already converted paths. 
+ */ + if ((snappath_old != NULL) || (snappath_new != NULL)) { + errno = EROFS; + return -1; + } return SMB_VFS_NEXT_SYMLINK(handle, oldname, newname); } static int shadow_copy2_link(vfs_handle_struct *handle, const char *oldname, const char *newname) { - time_t timestamp_old, timestamp_new; + time_t timestamp_old = 0; + time_t timestamp_new = 0; + char *snappath_old = NULL; + char *snappath_new = NULL; - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, oldname, - ×tamp_old, NULL)) { + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, oldname, + ×tamp_old, NULL, &snappath_old)) { return -1; } - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, newname, - ×tamp_new, NULL)) { + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, newname, + ×tamp_new, NULL, &snappath_new)) { return -1; } if ((timestamp_old != 0) || (timestamp_new != 0)) { errno = EROFS; return -1; } + /* + * Don't allow links on already converted paths. + */ + if ((snappath_old != NULL) || (snappath_new != NULL)) { + errno = EROFS; + return -1; + } return SMB_VFS_NEXT_LINK(handle, oldname, newname); } static int shadow_copy2_stat(vfs_handle_struct *handle, struct smb_filename *smb_fname) { - time_t timestamp; - char *stripped, *tmp; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + char *tmp; + int saved_errno = 0; + int ret; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, smb_fname->base_name, @@ -1026,7 +1233,9 @@ } ret = SMB_VFS_NEXT_STAT(handle, smb_fname); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(smb_fname->base_name); smb_fname->base_name = tmp; 
@@ -1034,16 +1243,20 @@ if (ret == 0) { convert_sbuf(handle, smb_fname->base_name, &smb_fname->st); } - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_lstat(vfs_handle_struct *handle, struct smb_filename *smb_fname) { - time_t timestamp; - char *stripped, *tmp; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + char *tmp; + int saved_errno = 0; + int ret; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, smb_fname->base_name, @@ -1065,7 +1278,9 @@ } ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(smb_fname->base_name); smb_fname->base_name = tmp; @@ -1073,14 +1288,16 @@ if (ret == 0) { convert_sbuf(handle, smb_fname->base_name, &smb_fname->st); } - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_fstat(vfs_handle_struct *handle, files_struct *fsp, SMB_STRUCT_STAT *sbuf) { - time_t timestamp; + time_t timestamp = 0; int ret; ret = SMB_VFS_NEXT_FSTAT(handle, fsp, sbuf); @@ -1102,9 +1319,11 @@ struct smb_filename *smb_fname, files_struct *fsp, int flags, mode_t mode) { - time_t timestamp; - char *stripped, *tmp; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + char *tmp; + int saved_errno = 0; + int ret; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, smb_fname->base_name, 
@@ -1126,21 +1345,26 @@ } ret = SMB_VFS_NEXT_OPEN(handle, smb_fname, fsp, flags, mode); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(smb_fname->base_name); smb_fname->base_name = tmp; - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_unlink(vfs_handle_struct *handle, const struct smb_filename *smb_fname) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; struct smb_filename *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, @@ -1163,9 +1387,13 @@ return -1; } ret = SMB_VFS_NEXT_UNLINK(handle, conv); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -1173,9 +1401,10 @@ const struct smb_filename *smb_fname, mode_t mode) { - time_t timestamp; + time_t timestamp = 0; char *stripped = NULL; - int ret, saved_errno; + int saved_errno = 0; + int ret; char *conv = NULL; struct smb_filename *conv_smb_fname; @@ -1207,10 +1436,14 @@ } ret = SMB_VFS_NEXT_CHMOD(handle, conv_smb_fname, mode); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); TALLOC_FREE(conv_smb_fname); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -1219,9 +1452,10 @@ uid_t uid, gid_t gid) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv = NULL; struct smb_filename *conv_smb_fname = NULL; 
@@ -1251,37 +1485,96 @@ return -1; } ret = SMB_VFS_NEXT_CHOWN(handle, conv_smb_fname, uid, gid); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); TALLOC_FREE(conv_smb_fname); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } +static void store_cwd_data(vfs_handle_struct *handle, + const char *connectpath) +{ + struct shadow_copy2_private *priv = NULL; + char *cwd = NULL; + + SMB_VFS_HANDLE_GET_DATA(handle, priv, struct shadow_copy2_private, + return); + + TALLOC_FREE(priv->shadow_cwd); + cwd = SMB_VFS_NEXT_GETWD(handle); + if (cwd == NULL) { + smb_panic("getwd failed\n"); + } + DBG_DEBUG("shadow cwd = %s\n", cwd); + priv->shadow_cwd = talloc_strdup(priv, cwd); + SAFE_FREE(cwd); + if (priv->shadow_cwd == NULL) { + smb_panic("talloc failed\n"); + } + TALLOC_FREE(priv->shadow_connectpath); + if (connectpath) { + DBG_DEBUG("shadow conectpath = %s\n", connectpath); + priv->shadow_connectpath = talloc_strdup(priv, connectpath); + if (priv->shadow_connectpath == NULL) { + smb_panic("talloc failed\n"); + } + } +} + static int shadow_copy2_chdir(vfs_handle_struct *handle, const char *fname) { - time_t timestamp; - char *stripped; - int ret, saved_errno; - char *conv; + time_t timestamp = 0; + char *stripped = NULL; + char *snappath = NULL; + int ret = -1; + int saved_errno = 0; + char *conv = NULL; + size_t rootpath_len = 0; - if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, - ×tamp, &stripped)) { + if (!shadow_copy2_strip_snapshot_internal(talloc_tos(), handle, fname, + ×tamp, &stripped, &snappath)) { return -1; } - if (timestamp == 0) { - return SMB_VFS_NEXT_CHDIR(handle, fname); + if (stripped != NULL) { + conv = shadow_copy2_do_convert(talloc_tos(), + handle, + stripped, + timestamp, + &rootpath_len); + TALLOC_FREE(stripped); + if (conv == NULL) { + return -1; + } + fname = conv; } - conv = shadow_copy2_convert(talloc_tos(), handle, stripped, timestamp); - TALLOC_FREE(stripped); 
- if (conv == NULL) { - return -1; + + ret = SMB_VFS_NEXT_CHDIR(handle, fname); + if (ret == -1) { + saved_errno = errno; } - ret = SMB_VFS_NEXT_CHDIR(handle, conv); - saved_errno = errno; + + if (ret == 0) { + if (conv != NULL && rootpath_len != 0) { + conv[rootpath_len] = '\0'; + } else if (snappath != 0) { + TALLOC_FREE(conv); + conv = snappath; + } + store_cwd_data(handle, conv); + } + + TALLOC_FREE(stripped); TALLOC_FREE(conv); - errno = saved_errno; + + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -1289,9 +1582,10 @@ const struct smb_filename *smb_fname, struct smb_file_time *ft) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; struct smb_filename *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, @@ -1314,18 +1608,23 @@ return -1; } ret = SMB_VFS_NEXT_NTIMES(handle, conv, ft); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_readlink(vfs_handle_struct *handle, const char *fname, char *buf, size_t bufsiz) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, 
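Review bot: In shadow_copy2_chdir the test `else if (snappath != 0)` compares a `char *` with the integer 0, while every other pointer test in this patch uses NULL; write `else if (snappath != NULL)`. In that branch `conv` takes over `snappath` and is released by the final `TALLOC_FREE(conv)`, whereas on the other paths `snappath` is never released, so a one-line comment on who owns it would help the next reader. The debug message in store_cwd_data spells the label `"shadow conectpath = %s\n"`; it should read `connectpath`.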
@@ -1341,18 +1640,23 @@ return -1; } ret = SMB_VFS_NEXT_READLINK(handle, conv, buf, bufsiz); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_mknod(vfs_handle_struct *handle, const char *fname, mode_t mode, SMB_DEV_T dev) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -1368,20 +1672,24 @@ return -1; } ret = SMB_VFS_NEXT_MKNOD(handle, conv, mode, dev); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static char *shadow_copy2_realpath(vfs_handle_struct *handle, const char *fname) { - time_t timestamp; + time_t timestamp = 0; char *stripped = NULL; char *tmp = NULL; char *result = NULL; - int saved_errno; + int saved_errno = 0; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, ×tamp, &stripped)) { @@ -1399,10 +1707,14 @@ result = SMB_VFS_NEXT_REALPATH(handle, tmp); done: - saved_errno = errno; + if (result == NULL) { + saved_errno = errno; + } TALLOC_FREE(tmp); TALLOC_FREE(stripped); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return result; } @@ -1805,8 +2117,8 @@ TALLOC_CTX *mem_ctx, struct security_descriptor **ppdesc) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; NTSTATUS status; char *conv; struct smb_filename *smb_fname = NULL; @@ -1849,8 +2161,8 @@ TALLOC_CTX *mem_ctx, struct security_descriptor **ppdesc) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; NTSTATUS status; char *conv; struct smb_filename *conv_smb_fname = NULL; 
@@ -1891,9 +2203,10 @@ const struct smb_filename *smb_fname, mode_t mode) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; struct smb_filename *conv_smb_fname = NULL; @@ -1922,19 +2235,24 @@ return -1; } ret = SMB_VFS_NEXT_MKDIR(handle, conv_smb_fname, mode); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); TALLOC_FREE(conv_smb_fname); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_rmdir(vfs_handle_struct *handle, const struct smb_filename *smb_fname) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; struct smb_filename *conv_smb_fname = NULL; @@ -1963,19 +2281,24 @@ return -1; } ret = SMB_VFS_NEXT_RMDIR(handle, conv_smb_fname); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv_smb_fname); TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_chflags(vfs_handle_struct *handle, const char *fname, unsigned int flags) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -1991,9 +2314,13 @@ return -1; } ret = SMB_VFS_NEXT_CHFLAGS(handle, conv, flags); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } 
@@ -2001,10 +2328,10 @@ const char *fname, const char *aname, void *value, size_t size) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -2021,9 +2348,13 @@ return -1; } ret = SMB_VFS_NEXT_GETXATTR(handle, conv, aname, value, size); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -2031,10 +2362,10 @@ const char *fname, char *list, size_t size) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -2050,18 +2381,23 @@ return -1; } ret = SMB_VFS_NEXT_LISTXATTR(handle, conv, list, size); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static int shadow_copy2_removexattr(vfs_handle_struct *handle, const char *fname, const char *aname) { - time_t timestamp; - char *stripped; - int ret, saved_errno; + time_t timestamp = 0; + char *stripped = NULL; + int saved_errno = 0; + int ret; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -2077,9 +2413,13 @@ return -1; } ret = SMB_VFS_NEXT_REMOVEXATTR(handle, conv, aname); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } 
@@ -2088,10 +2428,10 @@ const char *aname, const void *value, size_t size, int flags) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, @@ -2108,9 +2448,13 @@ return -1; } ret = SMB_VFS_NEXT_SETXATTR(handle, conv, aname, value, size, flags); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -2118,10 +2462,10 @@ const struct smb_filename *smb_fname, mode_t mode) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv = NULL; struct smb_filename *conv_smb_fname = NULL; @@ -2151,10 +2495,14 @@ return -1; } ret = SMB_VFS_NEXT_CHMOD_ACL(handle, conv_smb_fname, mode); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); TALLOC_FREE(conv_smb_fname); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -2164,10 +2512,10 @@ TALLOC_CTX *mem_ctx, char **found_name) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv; DEBUG(10, ("shadow_copy2_get_real_filename called for path=[%s], " 
@@ -2194,25 +2542,39 @@ ret = SMB_VFS_NEXT_GET_REAL_FILENAME(handle, conv, name, mem_ctx, found_name); DEBUG(10, ("NEXT_REAL_FILE_NAME returned %d\n", (int)ret)); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } static const char *shadow_copy2_connectpath(struct vfs_handle_struct *handle, const char *fname) { - time_t timestamp; + time_t timestamp = 0; char *stripped = NULL; char *tmp = NULL; char *result = NULL; char *parent_dir = NULL; - int saved_errno; + int saved_errno = 0; size_t rootpath_len = 0; + struct shadow_copy2_private *priv = NULL; + + SMB_VFS_HANDLE_GET_DATA(handle, priv, struct shadow_copy2_private, + return NULL); DBG_DEBUG("Calc connect path for [%s]\n", fname); + if (priv->shadow_connectpath != NULL) { + DBG_DEBUG("cached connect path is [%s]\n", + priv->shadow_connectpath); + return priv->shadow_connectpath; + } + if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, fname, ×tamp, &stripped)) { goto done; @@ -2263,14 +2625,25 @@ goto done; } + /* + * SMB_VFS_NEXT_REALPATH returns a malloc'ed string. + * Don't leak memory. + */ + SAFE_FREE(priv->shadow_realpath); + priv->shadow_realpath = result; + DBG_DEBUG("connect path is [%s]\n", result); done: - saved_errno = errno; + if (result == NULL) { + saved_errno = errno; + } TALLOC_FREE(tmp); TALLOC_FREE(stripped); TALLOC_FREE(parent_dir); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return result; } @@ -2278,10 +2651,10 @@ const char *path, uint64_t *bsize, uint64_t *dfree, uint64_t *dsize) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; ssize_t ret; - int saved_errno; + int saved_errno = 0; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, path, 
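Review bot: The pointer returned by shadow_copy2_connectpath() now has a lifetime that nothing in the function documents. In the second connectpath hunk `result` is stored in `priv->shadow_realpath`, which is released by `SAFE_FREE(priv->shadow_realpath)` the next time this point is reached. The early return in the first hunk hands out `priv->shadow_connectpath`, which store_cwd_data() frees on every successful chdir. A caller that keeps the returned string across either event would be holding freed memory; whether any caller does so is not visible on this page. I would add a comment above the function stating that the result is owned by the module and is valid only until the next chdir or the next connectpath call on this handle.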
@@ -2301,9 +2674,13 @@ ret = SMB_VFS_NEXT_DISK_FREE(handle, conv, bsize, dfree, dsize); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } @@ -2312,10 +2689,10 @@ enum SMB_QUOTA_TYPE qtype, unid_t id, SMB_DISK_QUOTA *dq) { - time_t timestamp; - char *stripped; + time_t timestamp = 0; + char *stripped = NULL; int ret; - int saved_errno; + int saved_errno = 0; char *conv; if (!shadow_copy2_strip_snapshot(talloc_tos(), handle, path, ×tamp, @@ -2334,13 +2711,23 @@ ret = SMB_VFS_NEXT_GET_QUOTA(handle, conv, qtype, id, dq); - saved_errno = errno; + if (ret == -1) { + saved_errno = errno; + } TALLOC_FREE(conv); - errno = saved_errno; + if (saved_errno != 0) { + errno = saved_errno; + } return ret; } +static int shadow_copy2_private_destructor(struct shadow_copy2_private *priv) +{ + SAFE_FREE(priv->shadow_realpath); + return 0; +} + static int shadow_copy2_connect(struct vfs_handle_struct *handle, const char *service, const char *user) { @@ -2372,6 +2759,8 @@ return -1; } + talloc_set_destructor(priv, shadow_copy2_private_destructor); + priv->snaps = talloc_zero(priv, struct shadow_copy2_snaplist_info); if (priv->snaps == NULL) { DBG_ERR("talloc_zero() failed\n"); @@ -2398,6 +2787,15 @@ return -1; } + /* config->gmt_format must not contain a path separator. */ + if (strchr(config->gmt_format, '/') != NULL) { + DEBUG(0, ("shadow:format %s must not contain a /" + "character. Unable to initialize module.\n", + config->gmt_format)); + errno = EINVAL; + return -1; + } + config->use_sscanf = lp_parm_bool(SNUM(handle->conn), "shadow", "sscanf", false); 
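Review bot: The two adjacent string literals in the new `DEBUG(0, ...)` for the `gmt_format` check are joined without a space, so the log line reads `must not contain a /character.`. Write the first literal as `"shadow:format %s must not contain a / "`. The enclosing function starts and ends outside this hunk.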
@@ -2582,7 +2980,7 @@ } if (config->rel_connectpath == NULL && - strlen(basedir) != strlen(handle->conn->connectpath)) { + strlen(basedir) < strlen(handle->conn->connectpath)) { config->rel_connectpath = talloc_strdup(config, handle->conn->connectpath + strlen(basedir)); if (config->rel_connectpath == NULL) { @@ -2620,6 +3018,11 @@ } } + trim_string(config->mount_point, NULL, "/"); + trim_string(config->rel_connectpath, "/", "/"); + trim_string(config->snapdir, NULL, "/"); + trim_string(config->snapshot_basepath, NULL, "/"); + DEBUG(10, ("shadow_copy2_connect: configuration:\n" " share root: '%s'\n" " mountpoint: '%s'\n" diff -Nru samba-4.5.4+dfsg/source3/modules/vfs_streams_xattr.c samba-4.5.8+dfsg/source3/modules/vfs_streams_xattr.c --- samba-4.5.4+dfsg/source3/modules/vfs_streams_xattr.c 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/modules/vfs_streams_xattr.c 2017-03-09 09:21:43.000000000 +0000 @@ -264,7 +264,7 @@ return -1; } - sbuf->st_ex_size = get_xattr_size(handle->conn, fsp->base_fsp, + sbuf->st_ex_size = get_xattr_size(handle->conn, fsp, io->base, io->xattr_name); if (sbuf->st_ex_size == -1) { return -1; @@ -399,6 +399,7 @@ char *xattr_name = NULL; int baseflags; int hostfd = -1; + int ret; DEBUG(10, ("streams_xattr_open called for %s with flags 0x%x\n", smb_fname_str_dbg(smb_fname), flags)); @@ -410,7 +411,6 @@ /* If the default stream is requested, just open the base file. */ if (is_ntfs_default_stream_smb_fname(smb_fname)) { char *tmp_stream_name; - int ret; tmp_stream_name = smb_fname->stream_name; smb_fname->stream_name = NULL; @@ -449,8 +449,8 @@ baseflags &= ~O_EXCL; baseflags &= ~O_CREAT; - hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp, - baseflags, mode); + hostfd = SMB_VFS_NEXT_OPEN(handle, smb_fname_base, fsp, + baseflags, mode); /* It is legit to open a stream on a directory, but the base * fd has to be read-only. 
@@ -458,8 +458,8 @@ if ((hostfd == -1) && (errno == EISDIR)) { baseflags &= ~O_ACCMODE; baseflags |= O_RDONLY; - hostfd = SMB_VFS_OPEN(handle->conn, smb_fname_base, fsp, baseflags, - mode); + hostfd = SMB_VFS_NEXT_OPEN(handle, smb_fname_base, fsp, baseflags, + mode); } TALLOC_FREE(smb_fname_base); @@ -500,20 +500,13 @@ DEBUG(10, ("creating or truncating attribute %s on file %s\n", xattr_name, smb_fname->base_name)); - if (fsp->base_fsp->fh->fd != -1) { - if (SMB_VFS_FSETXATTR( - fsp->base_fsp, xattr_name, + fsp->fh->fd = hostfd; + ret = SMB_VFS_FSETXATTR(fsp, xattr_name, &null, sizeof(null), - flags & O_EXCL ? XATTR_CREATE : 0) == -1) { - goto fail; - } - } else { - if (SMB_VFS_SETXATTR( - handle->conn, smb_fname->base_name, - xattr_name, &null, sizeof(null), - flags & O_EXCL ? XATTR_CREATE : 0) == -1) { - goto fail; - } + flags & O_EXCL ? XATTR_CREATE : 0); + fsp->fh->fd = -1; + if (ret != 0) { + goto fail; } } @@ -527,8 +520,15 @@ sio->xattr_name = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp), xattr_name); + /* + * so->base needs to be a copy of fsp->fsp_name->base_name, + * making it identical to streams_xattr_recheck(). If the + * open is changing directories, fsp->fsp_name->base_name + * will be the full path from the share root, whilst + * smb_fname will be relative to the $cwd. + */ sio->base = talloc_strdup(VFS_MEMCTX_FSP_EXTENSION(handle, fsp), - smb_fname->base_name); + fsp->fsp_name->base_name); sio->fsp_name_ptr = fsp->fsp_name; sio->handle = handle; sio->fsp = fsp; @@ -547,7 +547,7 @@ * we don't have a full fsp yet */ fsp->fh->fd = hostfd; - SMB_VFS_CLOSE(fsp); + SMB_VFS_NEXT_CLOSE(handle, fsp); } return -1; @@ -961,7 +961,7 @@ return -1; } - status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, + status = get_ea_value(talloc_tos(), handle->conn, fsp, sio->base, sio->xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { return -1; 
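Review bot: The comment added above the `talloc_strdup()` for the stream base name refers to `so->base`, but the field assigned on the next line is `sio->base`. Since the comment explains why the copy must come from `fsp->fsp_name->base_name` rather than `smb_fname->base_name`, it should name the field exactly: `* sio->base needs to be a copy of fsp->fsp_name->base_name,`. The enclosing function starts and ends outside this hunk.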
@@ -985,13 +985,13 @@ memcpy(ea.value.data + offset, data, n); - if (fsp->base_fsp->fh->fd != -1) { - ret = SMB_VFS_FSETXATTR(fsp->base_fsp, + if (fsp->fh->fd != -1) { + ret = SMB_VFS_FSETXATTR(fsp, sio->xattr_name, ea.value.data, ea.value.length, 0); } else { ret = SMB_VFS_SETXATTR(fsp->conn, - fsp->base_fsp->fsp_name->base_name, + fsp->fsp_name->base_name, sio->xattr_name, ea.value.data, ea.value.length, 0); } @@ -1025,7 +1025,7 @@ return -1; } - status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, + status = get_ea_value(talloc_tos(), handle->conn, fsp, sio->base, sio->xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { return -1; @@ -1070,7 +1070,7 @@ return -1; } - status = get_ea_value(talloc_tos(), handle->conn, fsp->base_fsp, + status = get_ea_value(talloc_tos(), handle->conn, fsp, sio->base, sio->xattr_name, &ea); if (!NT_STATUS_IS_OK(status)) { return -1; @@ -1095,13 +1095,13 @@ ea.value.length = offset + 1; ea.value.data[offset] = 0; - if (fsp->base_fsp->fh->fd != -1) { - ret = SMB_VFS_FSETXATTR(fsp->base_fsp, + if (fsp->fh->fd != -1) { + ret = SMB_VFS_FSETXATTR(fsp, sio->xattr_name, ea.value.data, ea.value.length, 0); } else { ret = SMB_VFS_SETXATTR(fsp->conn, - fsp->base_fsp->fsp_name->base_name, + fsp->fsp_name->base_name, sio->xattr_name, ea.value.data, ea.value.length, 0); } diff -Nru samba-4.5.4+dfsg/source3/passdb/passdb.c samba-4.5.8+dfsg/source3/passdb/passdb.c --- samba-4.5.4+dfsg/source3/passdb/passdb.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/passdb/passdb.c 2017-03-09 09:21:43.000000000 +0000 
@@ -2621,6 +2621,19 @@ status = NT_STATUS_NO_MEMORY; goto fail; } + + /* + * It's not possible to use NTLMSSP with a domain trust account. + */ + cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); + } else { + /* + * We can't use kerberos against an NT4 domain. + * + * We should have a mode that also disallows NTLMSSP here, + * as only NETLOGON SCHANNEL is possible. + */ + cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); } ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); @@ -2635,6 +2648,10 @@ status = NT_STATUS_NO_MEMORY; goto fail; } + /* + * We currently can't do kerberos just with an NTHASH. + */ + cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); goto done; } diff -Nru samba-4.5.4+dfsg/source3/rpc_client/cli_pipe.c samba-4.5.8+dfsg/source3/rpc_client/cli_pipe.c --- samba-4.5.4+dfsg/source3/rpc_client/cli_pipe.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/rpc_client/cli_pipe.c 2017-03-09 09:21:43.000000000 +0000 @@ -948,8 +948,7 @@ status = dcerpc_pull_ncacn_packet(state->pkt, &state->incoming_frag, - state->pkt, - !state->endianess); + state->pkt); if (!NT_STATUS_IS_OK(status)) { /* * TODO: do a real async disconnect ... diff -Nru samba-4.5.4+dfsg/source3/rpc_server/mdssvc/sparql_mapping.c samba-4.5.8+dfsg/source3/rpc_server/mdssvc/sparql_mapping.c --- samba-4.5.4+dfsg/source3/rpc_server/mdssvc/sparql_mapping.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/rpc_server/mdssvc/sparql_mapping.c 2017-03-09 09:21:43.000000000 +0000 
@@ -133,6 +133,11 @@ .type = ssmt_type, .sparql_attr = NULL, }, + { + .spotlight_attr = "kMDItemContentType", + .type = ssmt_type, + .sparql_attr = NULL, + }, /* Image metadata */ { diff -Nru samba-4.5.4+dfsg/source3/rpc_server/rpc_service_setup.c samba-4.5.8+dfsg/source3/rpc_server/rpc_service_setup.c --- samba-4.5.4+dfsg/source3/rpc_server/rpc_service_setup.c 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/rpc_server/rpc_service_setup.c 2017-03-09 09:21:43.000000000 +0000 @@ -535,18 +535,15 @@ /* Initialize shared modules */ mod_init_fns = load_samba_modules(tmp_ctx, "rpc"); - if (mod_init_fns == NULL) { - if (errno != ENOENT) { - /* - * ENOENT means the directory doesn't exist - * which can happen if all modules are - * static. So ENOENT is ok, everything else is - * not ok. - */ - DBG_ERR("Loading shared RPC modules failed [%s]\n", - strerror(errno)); - ok = false; - } + if ((mod_init_fns == NULL) && (errno != ENOENT)) { + /* + * ENOENT means the directory doesn't exist which can happen if + * all modules are static. So ENOENT is ok, everything else is + * not ok. + */ + DBG_ERR("Loading shared RPC modules failed [%s]\n", + strerror(errno)); + ok = false; goto done; } diff -Nru samba-4.5.4+dfsg/source3/rpc_server/wscript_build samba-4.5.8+dfsg/source3/rpc_server/wscript_build --- samba-4.5.4+dfsg/source3/rpc_server/wscript_build 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/rpc_server/wscript_build 2017-03-09 09:21:43.000000000 +0000 @@ -39,6 +39,10 @@ NDR_NAMED_PIPE_AUTH ''') +bld.SAMBA3_SUBSYSTEM('RPC_MODULES', + source='rpc_modules.c', + deps='samba-util') + ### RPC_SERVICES bld.SAMBA3_SUBSYSTEM('RPC_DSSETUP', source='''dssetup/srv_dssetup_nt.c @@ -150,11 +154,12 @@ deps='samba-util') bld.SAMBA3_SUBSYSTEM('RPC_SERVICE', - source='rpc_service_setup.c rpc_modules.c', + source='rpc_service_setup.c', deps=''' rpc RPC_SERVER RPC_SERVER_REGISTER + RPC_MODULES RPC_SAMR RPC_LSARPC RPC_WINREG 
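Review bot: In the rpc_service_setup.c hunk the new condition `(mod_init_fns == NULL) && (errno != ENOENT)` reads errno without it having been cleared before `load_samba_modules()`. That function's body is not on this page; if it can return NULL without setting errno, a stale ENOENT from an earlier call would make a real load failure look like the benign missing-directory case, and setup would continue. Putting `errno = 0;` immediately before the call removes that dependency. With this change a NULL `mod_init_fns` with ENOENT also falls through to the code after the hunk instead of jumping to `done`, so that code has to accept a NULL list.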
@@ -192,6 +197,6 @@ deps='samba-util') bld.SAMBA3_SUBSYSTEM('MDSSD', - source='mdssd.c rpc_modules.c', - deps='RPC_SOCK_HELPER samba-util', + source='mdssd.c', + deps='RPC_SOCK_HELPER RPC_MODULES samba-util', enabled=bld.env.with_spotlight) diff -Nru samba-4.5.4+dfsg/source3/script/tests/test_smbclient_encryption_off.sh samba-4.5.8+dfsg/source3/script/tests/test_smbclient_encryption_off.sh --- samba-4.5.4+dfsg/source3/script/tests/test_smbclient_encryption_off.sh 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.5.8+dfsg/source3/script/tests/test_smbclient_encryption_off.sh 2017-03-09 09:21:43.000000000 +0000 @@ -0,0 +1,65 @@ +#!/bin/sh + +if [ $# -lt 4 ]; then +cat < $tmpfile < $tmpfile < $tmpfile <conn = conn; - dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); + dirp->dir = SMB_VFS_OPENDIR(conn, smb_dname, mask, attr); - dirp->dir_smb_fname = cp_smb_filename(dirp, smb_dname); - if (!dirp->dir_smb_fname) { - errno = ENOMEM; + if (!dirp->dir) { + DEBUG(5,("OpenDir: Can't open %s. %s\n", + smb_dname->base_name, + strerror(errno) )); goto fail; } + dirp->conn = conn; + dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); + if (sconn && !sconn->using_smb2) { sconn->searches.dirhandles_open++; } talloc_set_destructor(dirp, smb_Dir_destructor); - dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_smb_fname, mask, attr); - - if (!dirp->dir) { - DEBUG(5,("OpenDir: Can't open %s. %s\n", - dirp->dir_smb_fname->base_name, - strerror(errno) )); - goto fail; - } - return dirp; fail: 
@@ -1672,6 +1667,87 @@ return NULL; } +/**************************************************************************** + Open a directory handle by pathname, ensuring it's under the share path. +****************************************************************************/ + +static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx, + connection_struct *conn, + const struct smb_filename *smb_dname, + const char *wcard, + uint32_t attr) +{ + struct smb_Dir *dir_hnd = NULL; + struct smb_filename *smb_fname_cwd = NULL; + char *saved_dir = vfs_GetWd(ctx, conn); + NTSTATUS status; + + if (saved_dir == NULL) { + return NULL; + } + + if (vfs_ChDir(conn, smb_dname->base_name) == -1) { + goto out; + } + + smb_fname_cwd = synthetic_smb_fname(talloc_tos(), + ".", + NULL, + NULL, + smb_dname->flags); + if (smb_fname_cwd == NULL) { + goto out; + } + + /* + * Now the directory is pinned, use + * REALPATH to ensure we can access it. + */ + status = check_name(conn, "."); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + dir_hnd = OpenDir_internal(ctx, + conn, + smb_fname_cwd, + wcard, + attr); + + if (dir_hnd == NULL) { + goto out; + } + + /* + * OpenDir_internal only gets "." as the dir name. + * Store the real dir name here. + */ + + dir_hnd->dir_smb_fname = cp_smb_filename(dir_hnd, smb_dname); + if (!dir_hnd->dir_smb_fname) { + TALLOC_FREE(dir_hnd); + errno = ENOMEM; + } + + out: + + vfs_ChDir(conn, saved_dir); + TALLOC_FREE(saved_dir); + return dir_hnd; +} + +struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, + const struct smb_filename *smb_dname, + const char *mask, + uint32_t attr) +{ + return open_dir_safely(mem_ctx, + conn, + smb_dname, + mask, + attr); +} + /******************************************************************* Open a directory from an fsp. ********************************************************************/ 
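Review bot: At `out:` in open_dir_safely the result of `vfs_ChDir(conn, saved_dir)` is discarded, so a failed restore still returns normally and leaves the process in `smb_dname->base_name`; later relative path operations would then resolve from the wrong directory. At minimum the failure should be logged and no handle returned, for example `if (vfs_ChDir(conn, saved_dir) == -1) { DBG_ERR("failed to restore cwd\n"); TALLOC_FREE(dir_hnd); }`. The restore and `TALLOC_FREE(saved_dir)` can also overwrite the errno set on the failure paths above, such as the `errno = ENOMEM` case. The `check_name()` failure path returns NULL without this function setting errno at all. Saving errno before the restore and putting it back afterwards, as the shadow_copy2 hunks in this patch do, would keep the caller's error meaningful.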
@@ -1685,7 +1761,17 @@ struct smbd_server_connection *sconn = conn->sconn; if (!dirp) { - return NULL; + goto fail; + } + + if (!fsp->is_directory) { + errno = EBADF; + goto fail; + } + + if (fsp->fh->fd == -1) { + errno = EBADF; + goto fail; } dirp->conn = conn; @@ -1697,40 +1783,33 @@ goto fail; } - if (sconn && !sconn->using_smb2) { - sconn->searches.dirhandles_open++; - } - talloc_set_destructor(dirp, smb_Dir_destructor); - - if (fsp->is_directory && fsp->fh->fd != -1) { - dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); - if (dirp->dir != NULL) { - dirp->fsp = fsp; - } else { - DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " - "NULL (%s)\n", - dirp->dir_smb_fname->base_name, - strerror(errno))); - if (errno != ENOSYS) { - return NULL; - } + dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); + if (dirp->dir != NULL) { + dirp->fsp = fsp; + } else { + DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " + "NULL (%s)\n", + dirp->dir_smb_fname->base_name, + strerror(errno))); + if (errno != ENOSYS) { + goto fail; } } if (dirp->dir == NULL) { - /* FDOPENDIR didn't work. Use OPENDIR instead. */ - dirp->dir = SMB_VFS_OPENDIR(conn, - dirp->dir_smb_fname, + /* FDOPENDIR is not supported. Use OPENDIR instead. */ + TALLOC_FREE(dirp); + return open_dir_safely(mem_ctx, + conn, + fsp->fsp_name, mask, attr); } - if (!dirp->dir) { - DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", - dirp->dir_smb_fname->base_name, - strerror(errno) )); - goto fail; + if (sconn && !sconn->using_smb2) { + sconn->searches.dirhandles_open++; } + talloc_set_destructor(dirp, smb_Dir_destructor); return dirp; diff -Nru samba-4.5.4+dfsg/source3/smbd/filename.c samba-4.5.8+dfsg/source3/smbd/filename.c --- samba-4.5.4+dfsg/source3/smbd/filename.c 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/filename.c 2017-03-31 06:25:18.000000000 +0000 
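Review bot: In the `@@ -1697,40 +1783,33 @@` hunk the `if (dirp->dir == NULL)` block after the FDOPENDIR call can now only be entered when errno is ENOSYS, because every other failure already jumps to `fail`. Folding the `TALLOC_FREE(dirp); return open_dir_safely(...)` fallback into the `else` branch, right after the `errno != ENOSYS` test, would make that visible. The fallback reopens the directory by `fsp->fsp_name` rather than through the open descriptor, so a comment such as `/* Reopen by name; open_dir_safely() re-checks that the path is under the share. */` would record why the path-based open is acceptable. OpenDir_fsp() starts and ends outside these hunks.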
@@ -220,6 +220,148 @@ return NT_STATUS_OK; } +/* + * Re-order a known good @GMT-token path. + */ + +static NTSTATUS rearrange_snapshot_path(struct smb_filename *smb_fname, + char *startp, + char *endp) +{ + size_t endlen = 0; + size_t gmt_len = endp - startp; + char gmt_store[gmt_len + 1]; + char *parent = NULL; + const char *last_component = NULL; + char *newstr; + bool ret; + + DBG_DEBUG("|%s| -> ", smb_fname->base_name); + + /* Save off the @GMT-token. */ + memcpy(gmt_store, startp, gmt_len); + gmt_store[gmt_len] = '\0'; + + if (*endp == '/') { + /* Remove any trailing '/' */ + endp++; + } + + if (*endp == '\0') { + /* + * @GMT-token was at end of path. + * Remove any preceeding '/' + */ + if (startp > smb_fname->base_name && startp[-1] == '/') { + startp--; + } + } + + /* Remove @GMT-token from the path. */ + endlen = strlen(endp); + memmove(startp, endp, endlen + 1); + + /* Split the remaining path into components. */ + ret = parent_dirname(smb_fname, + smb_fname->base_name, + &parent, + &last_component); + if (ret == false) { + /* Must terminate debug with \n */ + DBG_DEBUG("NT_STATUS_NO_MEMORY\n"); + return NT_STATUS_NO_MEMORY; + } + + if (ISDOT(parent)) { + if (last_component[0] == '\0') { + newstr = talloc_strdup(smb_fname, + gmt_store); + } else { + newstr = talloc_asprintf(smb_fname, + "%s/%s", + gmt_store, + last_component); + } + } else { + newstr = talloc_asprintf(smb_fname, + "%s/%s/%s", + gmt_store, + parent, + last_component); + } + + TALLOC_FREE(parent); + TALLOC_FREE(smb_fname->base_name); + smb_fname->base_name = newstr; + + DBG_DEBUG("|%s|\n", newstr); + + return NT_STATUS_OK; +} + +/* + * Canonicalize any incoming pathname potentially containining + * a @GMT-token into a path that looks like: + * + * @GMT-YYYY-MM-DD-HH-MM-SS/path/name/components/last_component + * + * Leaves single path @GMT-token -component alone: + * + * @GMT-YYYY-MM-DD-HH-MM-SS -> @GMT-YYYY-MM-DD-HH-MM-SS + * + * Eventually when struct smb_filename is updated and the VFS + 
* ABI is changed this will remove the @GMT-YYYY-MM-DD-HH-MM-SS + * and store in the struct smb_filename as a struct timeval field + * instead. + */ + +static NTSTATUS canonicalize_snapshot_path(struct smb_filename *smb_fname) +{ + char *startp = strchr_m(smb_fname->base_name, '@'); + char *endp = NULL; + struct tm tm; + + if (startp == NULL) { + /* No @ */ + return NT_STATUS_OK; + } + + startp = strstr_m(startp, "@GMT-"); + if (startp == NULL) { + /* No @ */ + return NT_STATUS_OK; + } + + if ((startp > smb_fname->base_name) && (startp[-1] != '/')) { + /* the GMT-token does not start a path-component */ + return NT_STATUS_OK; + } + + endp = strptime(startp, GMT_FORMAT, &tm); + if (endp == NULL) { + /* Not a valid timestring. */ + return NT_STATUS_OK; + } + + if ( endp[0] == '\0') { + return rearrange_snapshot_path(smb_fname, + startp, + endp); + } + + if (endp[0] != '/') { + /* + * It is not a complete path component, i.e. the path + * component continues after the gmt-token. + */ + return NT_STATUS_OK; + } + + return rearrange_snapshot_path(smb_fname, + startp, + endp); +} + /**************************************************************************** This routine is called to convert names from the dos namespace to unix namespace. It needs to handle any case conversions, mangling, format changes, @@ -356,6 +498,14 @@ goto err; } + /* Canonicalize any @GMT- paths. */ + if (posix_pathnames == false) { + status = canonicalize_snapshot_path(smb_fname); + if (!NT_STATUS_IS_OK(status)) { + goto err; + } + } + /* * Large directory fix normalization. If we're case sensitive, and * the case preserving parameters are set to "no", normalize the case of 
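Review bot: In rearrange_snapshot_path() the result of `talloc_strdup()` / `talloc_asprintf()` is stored into `smb_fname->base_name` without a NULL check, after the old name has already been freed. On allocation failure the function returns NT_STATUS_OK with `base_name == NULL`, and `DBG_DEBUG("|%s|\n", newstr)` is handed a NULL string; since this runs on incoming pathnames it should fail cleanly instead. I would add `if (newstr == NULL) { TALLOC_FREE(parent); DBG_DEBUG("NT_STATUS_NO_MEMORY\n"); return NT_STATUS_NO_MEMORY; }` before the two `TALLOC_FREE` calls. Separately, in canonicalize_snapshot_path() the second `/* No @ */` comment sits on the `@GMT-` test, and the two identical `rearrange_snapshot_path()` calls could be merged behind one guard, `if (endp[0] != '\0' && endp[0] != '/') return NT_STATUS_OK;`.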
@@ -1092,7 +1242,7 @@ } if (!lp_widelinks(SNUM(conn)) || !lp_follow_symlinks(SNUM(conn))) { - status = check_reduced_name(conn,name); + status = check_reduced_name(conn, NULL, name); if (!NT_STATUS_IS_OK(status)) { DEBUG(5,("check_name: name %s failed with %s\n",name, nt_errstr(status))); diff -Nru samba-4.5.4+dfsg/source3/smbd/negprot.c samba-4.5.8+dfsg/source3/smbd/negprot.c --- samba-4.5.4+dfsg/source3/smbd/negprot.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/negprot.c 2017-03-09 09:21:43.000000000 +0000 @@ -544,6 +544,8 @@ struct smbXsrv_connection *xconn = req->xconn; struct smbd_server_connection *sconn = req->sconn; bool signing_required = true; + int max_proto; + int min_proto; START_PROFILE(SMBnegprot); 
@@ -688,11 +690,28 @@ FLAG_MSG_GENERAL|FLAG_MSG_SMBD |FLAG_MSG_PRINT_GENERAL); + /* + * Anything higher than PROTOCOL_SMB2_10 still + * needs to go via "SMB 2.???", which is marked + * as PROTOCOL_SMB2_10. + * + * The real negotiation happens via reply_smb20ff() + * using SMB2 Negotiation. + */ + max_proto = lp_server_max_protocol(); + if (max_proto > PROTOCOL_SMB2_10) { + max_proto = PROTOCOL_SMB2_10; + } + min_proto = lp_server_min_protocol(); + if (min_proto > PROTOCOL_SMB2_10) { + min_proto = PROTOCOL_SMB2_10; + } + /* Check for protocols, most desirable first */ for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) { i = 0; - if ((supported_protocols[protocol].protocol_level <= lp_server_max_protocol()) && - (supported_protocols[protocol].protocol_level >= lp_server_min_protocol())) + if ((supported_protocols[protocol].protocol_level <= max_proto) && + (supported_protocols[protocol].protocol_level >= min_proto)) while (i < num_cliprotos) { if (strequal(cliprotos[i],supported_protocols[protocol].proto_name)) { choice = i; diff -Nru samba-4.5.4+dfsg/source3/smbd/open.c samba-4.5.8+dfsg/source3/smbd/open.c --- samba-4.5.4+dfsg/source3/smbd/open.c 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/open.c 2017-03-31 06:25:18.000000000 +0000 
@@ -355,6 +355,269 @@ } /**************************************************************************** + Handle differing symlink errno's +****************************************************************************/ + +static int link_errno_convert(int err) +{ +#if defined(ENOTSUP) && defined(OSF1) + /* handle special Tru64 errno */ + if (err == ENOTSUP) { + err = ELOOP; + } +#endif /* ENOTSUP */ +#ifdef EFTYPE + /* fix broken NetBSD errno */ + if (err == EFTYPE) { + err = ELOOP; + } +#endif /* EFTYPE */ + /* fix broken FreeBSD errno */ + if (err == EMLINK) { + err = ELOOP; + } + return err; +} + +static int non_widelink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth); + +/**************************************************************************** + Follow a symlink in userspace. +****************************************************************************/ + +static int process_symlink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth) +{ + int fd = -1; + char *link_target = NULL; + int link_len = -1; + char *oldwd = NULL; + size_t rootdir_len = 0; + char *resolved_name = NULL; + bool matched = false; + int saved_errno = 0; + + /* + * Ensure we don't get stuck in a symlink loop. + */ + link_depth++; + if (link_depth >= 20) { + errno = ELOOP; + goto out; + } + + /* Allocate space for the link target. */ + link_target = talloc_array(talloc_tos(), char, PATH_MAX); + if (link_target == NULL) { + errno = ENOMEM; + goto out; + } + + /* Read the link target. */ + link_len = SMB_VFS_READLINK(conn, + smb_fname->base_name, + link_target, + PATH_MAX - 1); + if (link_len == -1) { + goto out; + } + + /* Ensure it's at least null terminated. */ + link_target[link_len] = '\0'; + + /* Convert to an absolute path. 
*/ + resolved_name = SMB_VFS_REALPATH(conn, link_target); + if (resolved_name == NULL) { + goto out; + } + + /* + * We know conn_rootdir starts with '/' and + * does not end in '/'. FIXME ! Should we + * smb_assert this ? + */ + rootdir_len = strlen(conn_rootdir); + + matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); + if (!matched) { + errno = EACCES; + goto out; + } + + /* + * Turn into a path relative to the share root. + */ + if (resolved_name[rootdir_len] == '\0') { + /* Link to the root of the share. */ + smb_fname->base_name = talloc_strdup(talloc_tos(), "."); + if (smb_fname->base_name == NULL) { + errno = ENOMEM; + goto out; + } + } else if (resolved_name[rootdir_len] == '/') { + smb_fname->base_name = &resolved_name[rootdir_len+1]; + } else { + errno = EACCES; + goto out; + } + + oldwd = vfs_GetWd(talloc_tos(), conn); + if (oldwd == NULL) { + goto out; + } + + /* Ensure we operate from the root of the share. */ + if (vfs_ChDir(conn, conn_rootdir) == -1) { + goto out; + } + + /* And do it all again.. */ + fd = non_widelink_open(conn, + conn_rootdir, + fsp, + smb_fname, + flags, + mode, + link_depth); + if (fd == -1) { + saved_errno = errno; + } + + out: + + SAFE_FREE(resolved_name); + TALLOC_FREE(link_target); + if (oldwd != NULL) { + int ret = vfs_ChDir(conn, oldwd); + if (ret == -1) { + smb_panic("unable to get back to old directory\n"); + } + TALLOC_FREE(oldwd); + } + if (saved_errno != 0) { + errno = saved_errno; + } + return fd; +} + +/**************************************************************************** + Non-widelink open. 
+****************************************************************************/ + +static int non_widelink_open(struct connection_struct *conn, + const char *conn_rootdir, + files_struct *fsp, + struct smb_filename *smb_fname, + int flags, + mode_t mode, + unsigned int link_depth) +{ + NTSTATUS status; + int fd = -1; + struct smb_filename *smb_fname_rel = NULL; + int saved_errno = 0; + char *oldwd = NULL; + char *parent_dir = NULL; + const char *final_component = NULL; + + if (!parent_dirname(talloc_tos(), + smb_fname->base_name, + &parent_dir, + &final_component)) { + goto out; + } + + oldwd = vfs_GetWd(talloc_tos(), conn); + if (oldwd == NULL) { + goto out; + } + + /* Pin parent directory in place. */ + if (vfs_ChDir(conn, parent_dir) == -1) { + goto out; + } + + /* Ensure the relative path is below the share. */ + status = check_reduced_name(conn, parent_dir, final_component); + if (!NT_STATUS_IS_OK(status)) { + saved_errno = map_errno_from_nt_status(status); + goto out; + } + + smb_fname_rel = synthetic_smb_fname(talloc_tos(), + final_component, + smb_fname->stream_name, + &smb_fname->st, + smb_fname->flags); + + flags |= O_NOFOLLOW; + + { + struct smb_filename *tmp_name = fsp->fsp_name; + fsp->fsp_name = smb_fname_rel; + fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode); + fsp->fsp_name = tmp_name; + } + + if (fd == -1) { + saved_errno = link_errno_convert(errno); + if (saved_errno == ELOOP) { + if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { + /* Never follow symlinks on posix open. */ + goto out; + } + if (!lp_follow_symlinks(SNUM(conn))) { + /* Explicitly no symlinks. */ + goto out; + } + /* + * We have a symlink. Follow in userspace + * to ensure it's under the share definition. 
+ */ + fd = process_symlink_open(conn, + conn_rootdir, + fsp, + smb_fname_rel, + flags, + mode, + link_depth); + if (fd == -1) { + saved_errno = + link_errno_convert(errno); + } + } + } + + out: + + TALLOC_FREE(parent_dir); + TALLOC_FREE(smb_fname_rel); + + if (oldwd != NULL) { + int ret = vfs_ChDir(conn, oldwd); + if (ret == -1) { + smb_panic("unable to get back to old directory\n"); + } + TALLOC_FREE(oldwd); + } + if (saved_errno != 0) { + errno = saved_errno; + } + return fd; +} + +/**************************************************************************** fd support routines - attempt to do a dos_open. ****************************************************************************/ @@ -366,8 +629,7 @@ struct smb_filename *smb_fname = fsp->fsp_name; NTSTATUS status = NT_STATUS_OK; -#ifdef O_NOFOLLOW - /* + /* * Never follow symlinks on a POSIX client. The * client should be doing this. */ 
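Review bot: non_widelink_open() uses the result of `synthetic_smb_fname()` without checking it: `smb_fname_rel` is assigned to `fsp->fsp_name` and passed to `SMB_VFS_OPEN()` even when the allocation failed, whereas open_dir_safely(), earlier in this diff, checks the same call. I would add `if (smb_fname_rel == NULL) { saved_errno = ENOMEM; goto out; }` before `flags |= O_NOFOLLOW;`. The `parent_dirname()` failure path also jumps to `out` without setting errno, so the caller maps whatever value was left over. In process_symlink_open(), `smb_fname->base_name = &resolved_name[rootdir_len+1]` points into the buffer that `SAFE_FREE(resolved_name)` releases at `out:`, which leaves the caller's `smb_fname_rel` with a dangling `base_name`. It does not appear to be read after the return, but assigning a `talloc_strdup()` copy instead would remove the trap.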
@@ -375,29 +637,31 @@ if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) { flags |= O_NOFOLLOW; } -#endif - fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); - if (fsp->fh->fd == -1) { - int posix_errno = errno; -#ifdef O_NOFOLLOW -#if defined(ENOTSUP) && defined(OSF1) - /* handle special Tru64 errno */ - if (errno == ENOTSUP) { - posix_errno = ELOOP; - } -#endif /* ENOTSUP */ -#ifdef EFTYPE - /* fix broken NetBSD errno */ - if (errno == EFTYPE) { - posix_errno = ELOOP; - } -#endif /* EFTYPE */ - /* fix broken FreeBSD errno */ - if (errno == EMLINK) { - posix_errno = ELOOP; + /* Ensure path is below share definition. */ + if (!lp_widelinks(SNUM(conn))) { + const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn, + smb_fname->base_name); + if (conn_rootdir == NULL) { + return NT_STATUS_NO_MEMORY; } -#endif /* O_NOFOLLOW */ + /* + * Only follow symlinks within a share + * definition. + */ + fsp->fh->fd = non_widelink_open(conn, + conn_rootdir, + fsp, + smb_fname, + flags, + mode, + 0); + } else { + fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); + } + + if (fsp->fh->fd == -1) { + int posix_errno = link_errno_convert(errno); status = map_nt_error_from_unix(posix_errno); if (errno == EMFILE) { static time_t last_warned = 0L; @@ -639,7 +903,9 @@ bool *file_created) { NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS retry_status; bool file_existed = VALID_STAT(fsp->fsp_name->st); + int curr_flags; *file_created = false; 
@@ -671,59 +937,65 @@ * we can never call O_CREAT without O_EXCL. So if * we think the file existed, try without O_CREAT|O_EXCL. * If we think the file didn't exist, try with - * O_CREAT|O_EXCL. Keep bouncing between these two - * requests until either the file is created, or - * opened. Either way, we keep going until we get - * a returnable result (error, or open/create). + * O_CREAT|O_EXCL. + * + * The big problem here is dangling symlinks. Opening + * without O_NOFOLLOW means both bad symlink + * and missing path return -1, ENOENT from open(). As POSIX + * is pathname based it's not possible to tell + * the difference between these two cases in a + * non-racy way, so change to try only two attempts before + * giving up. + * + * We don't have this problem for the O_NOFOLLOW + * case as it just returns NT_STATUS_OBJECT_PATH_NOT_FOUND + * mapped from the ELOOP POSIX error. */ - while(1) { - int curr_flags = flags; + curr_flags = flags; - if (file_existed) { - /* Just try open, do not create. */ - curr_flags &= ~(O_CREAT); - status = fd_open(conn, fsp, curr_flags, mode); - if (NT_STATUS_EQUAL(status, - NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - /* - * Someone deleted it in the meantime. - * Retry with O_EXCL. - */ - file_existed = false; - DEBUG(10,("fd_open_atomic: file %s existed. " - "Retry.\n", - smb_fname_str_dbg(fsp->fsp_name))); - continue; - } - } else { - /* Try create exclusively, fail if it exists. */ - curr_flags |= O_EXCL; - status = fd_open(conn, fsp, curr_flags, mode); - if (NT_STATUS_EQUAL(status, - NT_STATUS_OBJECT_NAME_COLLISION)) { - /* - * Someone created it in the meantime. - * Retry without O_CREAT. - */ - file_existed = true; - DEBUG(10,("fd_open_atomic: file %s " - "did not exist. Retry.\n", - smb_fname_str_dbg(fsp->fsp_name))); - continue; - } - if (NT_STATUS_IS_OK(status)) { - /* - * Here we've opened with O_CREAT|O_EXCL - * and got success. We *know* we created - * this file. 
- */ - *file_created = true; - } + if (file_existed) { + curr_flags &= ~(O_CREAT); + retry_status = NT_STATUS_OBJECT_NAME_NOT_FOUND; + } else { + curr_flags |= O_EXCL; + retry_status = NT_STATUS_OBJECT_NAME_COLLISION; + } + + status = fd_open(conn, fsp, curr_flags, mode); + if (NT_STATUS_IS_OK(status)) { + if (!file_existed) { + *file_created = true; } - /* Create is done, or failed. */ - break; + return NT_STATUS_OK; + } + if (!NT_STATUS_EQUAL(status, retry_status)) { + return status; } + + curr_flags = flags; + + /* + * Keep file_existed up to date for clarity. + */ + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + file_existed = false; + curr_flags |= O_EXCL; + DBG_DEBUG("file %s did not exist. Retry.\n", + smb_fname_str_dbg(fsp->fsp_name)); + } else { + file_existed = true; + curr_flags &= ~(O_CREAT); + DBG_DEBUG("file %s existed. Retry.\n", + smb_fname_str_dbg(fsp->fsp_name)); + } + + status = fd_open(conn, fsp, curr_flags, mode); + + if (NT_STATUS_IS_OK(status) && (!file_existed)) { + *file_created = true; + } + return status; } @@ -2274,6 +2546,12 @@ uint32_t orig_access_mask = access_mask; uint32_t rejected_share_access; + if (access_mask & SEC_MASK_INVALID) { + DBG_DEBUG("access_mask [%8x] contains invalid bits\n", + access_mask); + return NT_STATUS_ACCESS_DENIED; + } + /* * Convert GENERIC bits to specific bits. */ diff -Nru samba-4.5.4+dfsg/source3/smbd/posix_acls.c samba-4.5.8+dfsg/source3/smbd/posix_acls.c --- samba-4.5.4+dfsg/source3/smbd/posix_acls.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/posix_acls.c 2017-03-09 09:21:43.000000000 +0000 
@@ -2700,9 +2700,9 @@ .attr = ALLOW_ACE, .trustee = sid, .unix_ug = unix_ug, - .owner_type = owner_type, - .ace_flags = get_pai_flags(pal, ace, is_default_acl) + .owner_type = owner_type }; + ace->ace_flags = get_pai_flags(pal, ace, is_default_acl); DLIST_ADD(l_head, ace); } diff -Nru samba-4.5.4+dfsg/source3/smbd/proto.h samba-4.5.8+dfsg/source3/smbd/proto.h --- samba-4.5.4+dfsg/source3/smbd/proto.h 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/proto.h 2017-03-31 06:25:18.000000000 +0000 @@ -1227,7 +1227,9 @@ SMB_STRUCT_STAT *sbuf, char **talloced); int vfs_ChDir(connection_struct *conn, const char *path); char *vfs_GetWd(TALLOC_CTX *ctx, connection_struct *conn); -NTSTATUS check_reduced_name(connection_struct *conn, const char *fname); +NTSTATUS check_reduced_name(connection_struct *conn, + const char *cwd_name, + const char *fname); NTSTATUS check_reduced_name_with_privilege(connection_struct *conn, const char *fname, struct smb_request *smbreq); diff -Nru samba-4.5.4+dfsg/source3/smbd/service.c samba-4.5.8+dfsg/source3/smbd/service.c --- samba-4.5.4+dfsg/source3/smbd/service.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/service.c 2017-03-09 09:21:43.000000000 +0000 @@ -31,6 +31,7 @@ #include "lib/param/loadparm.h" #include "messages.h" #include "lib/afs/afs_funcs.h" +#include "lib/util_path.h" static bool canonicalize_connect_path(connection_struct *conn) { 
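Review bot: The reason `ace->ace_flags` is now assigned after the initializer is not recorded, so a later cleanup could easily fold it back in. From the removed line it looks as if `get_pai_flags(pal, ace, is_default_acl)` was evaluated inside the initializer of the object `ace` points to, reading `*ace` while it was being written. A comment such as `/* get_pai_flags() reads *ace, so it must run after the initializer. */` above the new statement would keep it in place. The start of the initializer is outside the hunk, so this should be confirmed against the full function.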
@@ -47,118 +48,20 @@ /**************************************************************************** Ensure when setting connectpath it is a canonicalized (no ./ // or ../) absolute path stating in / and not ending in /. - Observent people will notice a similarity between this and check_path_syntax :-). ****************************************************************************/ bool set_conn_connectpath(connection_struct *conn, const char *connectpath) { char *destname; - char *d; - const char *s = connectpath; - bool start_of_name_component = true; if (connectpath == NULL || connectpath[0] == '\0') { return false; } - /* Allocate for strlen + '\0' + possible leading '/' */ - destname = (char *)talloc_size(conn, strlen(connectpath) + 2); - if (!destname) { + destname = canonicalize_absolute_path(conn, connectpath); + if (destname == NULL) { return false; } - d = destname; - - *d++ = '/'; /* Always start with root. */ - - while (*s) { - if (*s == '/') { - /* Eat multiple '/' */ - while (*s == '/') { - s++; - } - if ((d > destname + 1) && (*s != '\0')) { - *d++ = '/'; - } - start_of_name_component = True; - continue; - } - - if (start_of_name_component) { - if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) { - /* Uh oh - "/../" or "/..\0" ! */ - - /* Go past the ../ or .. */ - if (s[2] == '/') { - s += 3; - } else { - s += 2; /* Go past the .. */ - } - - /* If we just added a '/' - delete it */ - if ((d > destname) && (*(d-1) == '/')) { - *(d-1) = '\0'; - d--; - } - - /* Are we at the start ? Can't go back further if so. */ - if (d <= destname) { - *d++ = '/'; /* Can't delete root */ - continue; - } - /* Go back one level... */ - /* Decrement d first as d points to the *next* char to write into. */ - for (d--; d > destname; d--) { - if (*d == '/') { - break; - } - } - /* We're still at the start of a name component, just the previous one. 
*/ - continue; - } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) { - /* Component of pathname can't be "." only - skip the '.' . */ - if (s[1] == '/') { - s += 2; - } else { - s++; - } - continue; - } - } - - if (!(*s & 0x80)) { - *d++ = *s++; - } else { - size_t siz; - /* Get the size of the next MB character. */ - next_codepoint(s,&siz); - switch(siz) { - case 5: - *d++ = *s++; - /*fall through*/ - case 4: - *d++ = *s++; - /*fall through*/ - case 3: - *d++ = *s++; - /*fall through*/ - case 2: - *d++ = *s++; - /*fall through*/ - case 1: - *d++ = *s++; - break; - default: - break; - } - } - start_of_name_component = false; - } - *d = '\0'; - - /* And must not end in '/' */ - if (d > destname + 1 && (*(d-1) == '/')) { - *(d-1) = '\0'; - } DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n", lp_servicename(talloc_tos(), SNUM(conn)), destname )); @@ -623,6 +526,18 @@ conn->short_case_preserve = lp_short_preserve_case(snum); conn->encrypt_level = lp_smb_encrypt(snum); + if (conn->encrypt_level > SMB_SIGNING_OFF) { + if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) { + if (conn->encrypt_level == SMB_SIGNING_REQUIRED) { + DBG_ERR("Service [%s] requires encryption, but " + "it is disabled globally!\n", + lp_servicename(talloc_tos(), snum)); + status = NT_STATUS_ACCESS_DENIED; + goto err_root_exit; + } + conn->encrypt_level = SMB_SIGNING_OFF; + } + } conn->veto_list = NULL; conn->hide_list = NULL; diff -Nru samba-4.5.4+dfsg/source3/smbd/smb2_negprot.c samba-4.5.8+dfsg/source3/smbd/smb2_negprot.c --- samba-4.5.4+dfsg/source3/smbd/smb2_negprot.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/smb2_negprot.c 2017-03-09 09:21:43.000000000 +0000 
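Review bot: In the `@@ -623,6 +526,18 @@` hunk a share whose `smb encrypt` level is above off but below required is silently reset to `SMB_SIGNING_OFF` when encryption is disabled globally; only the required case logs anything. An operator who configured the share expecting encryption gets no indication that it is not in effect. I would log the downgrade before `conn->encrypt_level = SMB_SIGNING_OFF;`, for example `DBG_NOTICE("Service [%s] wants encryption, but it is disabled globally\n", lp_servicename(talloc_tos(), snum));`. The bare `-1` in `lp_smb_encrypt(-1)` would read better as `GLOBAL_SECTION_SNUM`. The enclosing function starts and ends outside the hunk.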
@@ -441,7 +441,7 @@ req->preauth = &req->xconn->smb2.preauth; } - if (in_cipher != NULL) { + if ((capabilities & SMB2_CAP_ENCRYPTION) && (in_cipher != NULL)) { size_t needed = 2; uint16_t cipher_count; const uint8_t *p; diff -Nru samba-4.5.4+dfsg/source3/smbd/smb2_query_directory.c samba-4.5.8+dfsg/source3/smbd/smb2_query_directory.c --- samba-4.5.4+dfsg/source3/smbd/smb2_query_directory.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/smb2_query_directory.c 2017-03-22 09:48:05.000000000 +0000 @@ -24,6 +24,7 @@ #include "../libcli/smb/smb_common.h" #include "trans2.h" #include "../lib/util/tevent_ntstatus.h" +#include "system/filesys.h" static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -322,7 +323,23 @@ } if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) { + int flags; + dptr_CloseDir(fsp); + + /* + * dptr_CloseDir() will close and invalidate the fsp's file + * descriptor, we have to reopen it. + */ + + flags = O_RDONLY; +#ifdef O_DIRECTORY + flags |= O_DIRECTORY; +#endif + status = fd_open(conn, fsp, flags, 0); + if (tevent_req_nterror(req, status)) { + return tevent_req_post(req, ev); + } } if (!smbreq->posix_pathnames) { diff -Nru samba-4.5.4+dfsg/source3/smbd/smb2_server.c samba-4.5.8+dfsg/source3/smbd/smb2_server.c --- samba-4.5.4+dfsg/source3/smbd/smb2_server.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/smb2_server.c 2017-03-09 09:21:43.000000000 +0000 @@ -3566,6 +3566,7 @@ int ret; int err; bool retry; + NTSTATUS status; if (xconn->smb2.send_queue == NULL) { TEVENT_FD_NOT_WRITEABLE(xconn->transport.fde); @@ -3577,11 +3578,12 @@ bool ok; if (e->sendfile_header != NULL) { - NTSTATUS status = NT_STATUS_INTERNAL_ERROR; size_t size = 0; size_t i = 0; uint8_t *buf; + status = NT_STATUS_INTERNAL_ERROR; + for (i=0; i < e->count; i++) { size += e->vector[i].iov_len; } 
@@ -3653,6 +3655,16 @@ talloc_free(e->mem_ctx); } + /* + * Restart reads if we were blocked on + * draining the send queue. + */ + + status = smbd_smb2_request_next_incoming(xconn); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + return NT_STATUS_OK; } diff -Nru samba-4.5.4+dfsg/source3/smbd/smb2_tcon.c samba-4.5.8+dfsg/source3/smbd/smb2_tcon.c --- samba-4.5.4+dfsg/source3/smbd/smb2_tcon.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/smb2_tcon.c 2017-03-09 09:21:43.000000000 +0000 @@ -268,7 +268,8 @@ } if ((lp_smb_encrypt(snum) >= SMB_SIGNING_DESIRED) && - (conn->smb2.client.capabilities & SMB2_CAP_ENCRYPTION)) { + (conn->smb2.server.cipher != 0)) + { encryption_desired = true; } diff -Nru samba-4.5.4+dfsg/source3/smbd/vfs.c samba-4.5.8+dfsg/source3/smbd/vfs.c --- samba-4.5.4+dfsg/source3/smbd/vfs.c 2016-09-13 08:21:35.000000000 +0000 +++ samba-4.5.8+dfsg/source3/smbd/vfs.c 2017-03-31 06:25:18.000000000 +0000 @@ -1179,11 +1179,20 @@ /******************************************************************* Reduce a file name, removing .. elements and checking that it is below dir in the heirachy. This uses realpath. + + If cwd_name == NULL then fname is a client given path relative + to the root path of the share. + + If cwd_name != NULL then fname is a client given path relative + to cwd_name. cwd_name is relative to the root path of the share. ********************************************************************/ -NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) +NTSTATUS check_reduced_name(connection_struct *conn, + const char *cwd_name, + const char *fname) { char *resolved_name = NULL; + char *new_fname = NULL; bool allow_symlinks = true; bool allow_widelinks = false; 
@@ -1307,8 +1316,11 @@ /* fname can't have changed in resolved_path. */ const char *p = &resolved_name[rootdir_len]; - /* *p can be '\0' if fname was "." */ - if (*p == '\0' && ISDOT(fname)) { + /* + * UNIX filesystem semantics, names consisting + * only of "." or ".." CANNOT be symlinks. + */ + if (ISDOT(fname) || ISDOTDOT(fname)) { goto out; } @@ -1322,11 +1334,32 @@ } p++; + + /* + * If cwd_name is present and not ".", + * then fname is relative to that, not + * the root of the share. Make sure the + * path we check is the one the client + * sent (cwd_name+fname). + */ + if (cwd_name != NULL && !ISDOT(cwd_name)) { + new_fname = talloc_asprintf(talloc_tos(), + "%s/%s", + cwd_name, + fname); + if (new_fname == NULL) { + SAFE_FREE(resolved_name); + return NT_STATUS_NO_MEMORY; + } + fname = new_fname; + } + if (strcmp(fname, p)!=0) { DEBUG(2, ("check_reduced_name: Bad access " "attempt: %s is a symlink to %s\n", fname, p)); SAFE_FREE(resolved_name); + TALLOC_FREE(new_fname); return NT_STATUS_ACCESS_DENIED; } } @@ -1336,6 +1369,7 @@ DBG_INFO("%s reduced to %s\n", fname, resolved_name); SAFE_FREE(resolved_name); + TALLOC_FREE(new_fname); return NT_STATUS_OK; } diff -Nru samba-4.5.4+dfsg/source3/torture/torture.c samba-4.5.8+dfsg/source3/torture/torture.c --- samba-4.5.4+dfsg/source3/torture/torture.c 2017-01-17 19:55:44.000000000 +0000 +++ samba-4.5.8+dfsg/source3/torture/torture.c 2017-03-09 09:21:43.000000000 +0000 
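Review bot: In the `@@ -1322,11 +1334,32 @@` hunk the symlink test `strcmp(fname, p)` now compares `cwd_name` + "/" + `fname` with the realpath result. That can only match when `cwd_name` is already in the exact form realpath produces relative to the share root: no trailing `/`, no `./` or `..` components. A caller passing anything else gets NT_STATUS_ACCESS_DENIED, which fails closed but will be confusing to debug. The function header should state the requirement, e.g. `cwd_name must be the canonical share-relative path of the current directory.` The only caller with a non-NULL `cwd_name` visible in this diff, non_widelink_open(), passes the `parent_dirname()` result, so whether that is always canonical should be confirmed; check_reduced_name() begins before these hunks.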
@@ -9501,6 +9501,106 @@ return success; } +/* + Test Windows open on a bad POSIX symlink. + */ +static bool run_symlink_open_test(int dummy) +{ + static struct cli_state *cli; + const char *fname = "non_existant_file"; + const char *sname = "dangling_symlink"; + uint16_t fnum = (uint16_t)-1; + bool correct = false; + NTSTATUS status; + TALLOC_CTX *frame = NULL; + + frame = talloc_stackframe(); + + printf("Starting Windows bad symlink open test\n"); + + if (!torture_open_connection(&cli, 0)) { + TALLOC_FREE(frame); + return false; + } + + smbXcli_conn_set_sockopt(cli->conn, sockops); + + status = torture_setup_unix_extensions(cli); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(frame); + return false; + } + + /* Ensure nothing exists. */ + cli_setatr(cli, fname, 0, 0); + cli_posix_unlink(cli, fname); + cli_setatr(cli, sname, 0, 0); + cli_posix_unlink(cli, sname); + + /* Create a symlink pointing nowhere. */ + status = cli_posix_symlink(cli, fname, sname); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_posix_symlink of %s -> %s failed (%s)\n", + sname, + fname, + nt_errstr(status)); + goto out; + } + + /* Now ensure that a Windows open doesn't hang. */ + status = cli_ntcreate(cli, + sname, + 0, + FILE_READ_DATA|FILE_WRITE_DATA, + 0, + FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, + FILE_OPEN_IF, + 0x0, + 0x0, + &fnum, + NULL); + + /* + * We get either NT_STATUS_OBJECT_NAME_NOT_FOUND or + * NT_STATUS_OBJECT_PATH_NOT_FOUND depending on if + * we use O_NOFOLLOW on the server or not. 
+ */ + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) || + NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_PATH_NOT_FOUND)) + { + correct = true; + } else { + printf("cli_ntcreate of %s returned %s - should return" + " either (%s) or (%s)\n", + sname, + nt_errstr(status), + nt_errstr(NT_STATUS_OBJECT_NAME_NOT_FOUND), + nt_errstr(NT_STATUS_OBJECT_PATH_NOT_FOUND)); + goto out; + } + + correct = true; + + out: + + if (fnum != (uint16_t)-1) { + cli_close(cli, fnum); + fnum = (uint16_t)-1; + } + + cli_setatr(cli, sname, 0, 0); + cli_posix_unlink(cli, sname); + cli_setatr(cli, fname, 0, 0); + cli_posix_unlink(cli, fname); + + if (!torture_close_connection(cli)) { + correct = false; + } + + TALLOC_FREE(frame); + return correct; +} + static bool run_local_substitute(int dummy) { bool ok = true; @@ -10878,6 +10978,49 @@ return true; } +static bool run_local_canonicalize_path(int dummy) +{ + const char *src[] = { + "/foo/..", + "/..", + "/foo/bar/../baz", + "/foo/././", + "/../foo", + ".././././", + ".././././../../../boo", + "./..", + NULL + }; + const char *dst[] = { + "/", + "/", + "/foo/baz", + "/foo", + "/foo", + "/", + "/boo", + "/", + NULL + }; + unsigned int i; + + for (i = 0; src[i] != NULL; i++) { + char *d = canonicalize_absolute_path(talloc_tos(), src[i]); + if (d == NULL) { + perror("talloc fail\n"); + return false; + } + if (strcmp(d, dst[i]) != 0) { + d_fprintf(stderr, + "canonicalize missmatch %s -> %s != %s", + src[i], d, dst[i]); + return false; + } + talloc_free(d); + } + return true; +} + static double create_procs(bool (*fn)(int), bool *result) { int i, status; @@ -11020,6 +11163,7 @@ {"POSIX-SYMLINK-EA", run_ea_symlink_test, 0}, {"POSIX-STREAM-DELETE", run_posix_stream_delete, 0}, {"POSIX-OFD-LOCK", run_posix_ofd_lock_test, 0}, + {"WINDOWS-BAD-SYMLINK", run_symlink_open_test, 0}, {"CASE-INSENSITIVE-CREATE", run_case_insensitive_create, 0}, {"ASYNC-ECHO", run_async_echo, 0}, { "UID-REGRESSION-TEST", run_uid_regression_test, 0}, 
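Review bot: run_symlink_open_test() returns early when `torture_setup_unix_extensions()` fails without calling `torture_close_connection(cli)`, so the connection opened just above is left open. Replacing that `TALLOC_FREE(frame); return false;` with `goto out;` would reuse the existing cleanup, since `correct` is still false and `fnum` is still `(uint16_t)-1` at that point. The `correct = true;` inside the status check is repeated unconditionally a few lines later, so one of the two can go. Nothing visible requires `cli` to be `static`.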
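Review bot: The mismatch message in run_local_canonicalize_path() has no trailing newline and spells "missmatch"; the format string should be `"canonicalize mismatch %s -> %s != %s\n"`. `perror("talloc fail\n")` prints the newline before the errno text, so `perror("talloc fail")` is the usual form. Holding the cases as one array of `{ src, dst }` pairs instead of two parallel arrays would stop the lists drifting apart when cases are added.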
@@ -11112,6 +11256,7 @@ { "local-tdb-writer", run_local_tdb_writer, 0 }, { "LOCAL-DBWRAP-CTDB", run_local_dbwrap_ctdb, 0 }, { "LOCAL-BENCH-PTHREADPOOL", run_bench_pthreadpool, 0 }, + { "LOCAL-CANONICALIZE-PATH", run_local_canonicalize_path, 0 }, { "qpathinfo-bufsize", run_qpathinfo_bufsize, 0 }, {NULL, NULL, 0}}; diff -Nru samba-4.5.4+dfsg/source3/utils/net_rpc_trust.c samba-4.5.8+dfsg/source3/utils/net_rpc_trust.c --- samba-4.5.4+dfsg/source3/utils/net_rpc_trust.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/utils/net_rpc_trust.c 2017-03-09 09:21:43.000000000 +0000 @@ -518,9 +518,9 @@ } DEBUG(0, ("Using random trust password.\n")); - trust_pw = generate_random_password(mem_ctx, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, - DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + trust_pw = trust_pw_new_value(mem_ctx, + SEC_CHAN_DOMAIN, + SEC_DOMAIN); if (trust_pw == NULL) { DEBUG(0, ("generate_random_password failed.\n")); goto done; diff -Nru samba-4.5.4+dfsg/source3/winbindd/idmap_ad.c samba-4.5.8+dfsg/source3/winbindd/idmap_ad.c --- samba-4.5.4+dfsg/source3/winbindd/idmap_ad.c 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/source3/winbindd/idmap_ad.c 2017-03-09 09:21:43.000000000 +0000 @@ -22,7 +22,7 @@ #include "idmap.h" #include "tldap_gensec_bind.h" #include "tldap_util.h" -#include "secrets.h" +#include "passdb.h" #include "lib/param/param.h" #include "utils/net.h" #include "auth/gensec/gensec.h" @@ -243,7 +243,6 @@ const char *domname, struct tldap_context **pld) { - struct db_context *db_ctx; struct netr_DsRGetDCNameInfo *dcinfo; struct sockaddr_storage dcaddr; struct cli_credentials *creds; 
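Review bot: The failure message under the new `trust_pw_new_value()` call still reads `generate_random_password failed.`, naming a function this path no longer calls. Changing that context line to `DEBUG(0, ("trust_pw_new_value failed.\n"));` keeps the log accurate for whoever triages a failed trust setup. The enclosing function starts and ends outside the hunk.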
@@ -294,11 +293,19 @@ return NT_STATUS_NO_MEMORY; } - creds = cli_credentials_init(dcinfo); - if (creds == NULL) { - DBG_DEBUG("cli_credentials_init failed\n"); + /* + * Here we use or own machine account as + * we run as domain member. + */ + status = pdb_get_trust_credentials(lp_workgroup(), + lp_realm(), + dcinfo, + &creds); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("pdb_get_trust_credentials() failed - %s\n", + nt_errstr(status)); TALLOC_FREE(dcinfo); - return NT_STATUS_NO_MEMORY; + return status; } lp_ctx = loadparm_init_s3(dcinfo, loadparm_s3_helpers()); @@ -308,23 +315,6 @@ return NT_STATUS_NO_MEMORY; } - cli_credentials_set_conf(creds, lp_ctx); - - db_ctx = secrets_db_ctx(); - if (db_ctx == NULL) { - DBG_DEBUG("Failed to open secrets.tdb.\n"); - return NT_STATUS_INTERNAL_ERROR; - } - - status = cli_credentials_set_machine_account_db_ctx(creds, lp_ctx, - db_ctx); - if (!NT_STATUS_IS_OK(status)) { - DBG_DEBUG("cli_credentials_set_machine_account " - "failed: %s\n", nt_errstr(status)); - TALLOC_FREE(dcinfo); - return status; - } - rc = tldap_gensec_bind(ld, creds, "ldap", dcinfo->dc_unc, NULL, lp_ctx, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL); if (!TLDAP_RC_IS_SUCCESS(rc)) { diff -Nru samba-4.5.4+dfsg/source3/winbindd/winbindd_ads.c samba-4.5.8+dfsg/source3/winbindd/winbindd_ads.c --- samba-4.5.4+dfsg/source3/winbindd/winbindd_ads.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/winbindd/winbindd_ads.c 2017-03-09 09:21:43.000000000 +0000 @@ -119,6 +119,8 @@ ads->auth.renewable = renewable; ads->auth.password = password; + ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + ads->auth.realm = SMB_STRDUP(auth_realm); if (!strupper_m(ads->auth.realm)) { ads_destroy(&ads); 
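Review bot: The comment added above `pdb_get_trust_credentials()` has a typo that obscures it: "we use or own machine account" should read `Here we use our own machine account as we run as domain member.` The next hunk removes the `cli_credentials_set_conf()` and secrets.tdb steps, so the comment could also state that the returned credentials are expected to be fully configured before `tldap_gensec_bind()` uses them; that expectation is inferred, as `pdb_get_trust_credentials()` is not shown here. The enclosing function starts and ends outside the hunk.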
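Review bot: `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` is set unconditionally and without a comment, so, judging by the flag name, every ADS connection built here may fall back to NTLMSSP when Kerberos does not succeed. That relaxes a Kerberos-only bind and deserves a why-comment at the assignment, for example `/* Allow NTLMSSP as a fallback when Kerberos to this DC fails. */`, naming the case that needs it. Whether a configuration option should gate the flag cannot be judged from this hunk, because the enclosing function starts and ends outside it.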
@@ -1700,6 +1702,14 @@ } TALLOC_FREE(parent); + /* + * We need to pass the modified properties + * to the caller. + */ + trust->trust_flags = d.domain_flags; + trust->trust_type = d.domain_type; + trust->trust_attributes = d.domain_trust_attribs; + wcache_tdc_add_domain( &d ); ret_count++; } diff -Nru samba-4.5.4+dfsg/source3/winbindd/winbindd_cm.c samba-4.5.8+dfsg/source3/winbindd/winbindd_cm.c --- samba-4.5.4+dfsg/source3/winbindd/winbindd_cm.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source3/winbindd/winbindd_cm.c 2017-03-09 09:21:43.000000000 +0000 @@ -903,7 +903,6 @@ struct cli_credentials *creds; NTSTATUS status; bool force_machine_account = false; - bool ok; /* If we are a DC and this is not our own domain */ @@ -937,24 +936,7 @@ goto ipc_fallback; } - if (domain->primary && lp_security() == SEC_ADS) { - cli_credentials_set_kerberos_state(creds, - CRED_AUTO_USE_KERBEROS); - } else if (domain->active_directory) { - cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); - } else { - cli_credentials_set_kerberos_state(creds, - CRED_DONT_USE_KERBEROS); - } - - /* - * When we contact our own domain and get a list of the trusted domain - * we have the information if we are able to contact the DC with - * with our machine account password. - */ - ok = winbindd_can_contact_domain(domain); - if (!ok) { + if (creds_domain != domain) { /* * We can only use schannel against a direct trust */ @@ -1002,6 +984,8 @@ struct named_mutex *mutex; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + NTSTATUS tmp_status; + NTSTATUS tcon_status = NT_STATUS_NETWORK_NAME_DELETED; enum smb_signing_setting smb_sign_client_connections = lp_client_ipc_signing(); @@ -1103,6 +1087,10 @@ } } + if (cli_credentials_is_anonymous(creds)) { + goto anon_fallback; + } + krb5_state = cli_credentials_get_kerberos_state(creds); machine_krb5_principal = cli_credentials_get_principal(creds, 
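Review bot: A comment is needed where the three `cli_credentials_set_kerberos_state()` calls were removed (hunk `-937,24 +936,7`), because nothing in the visible lines now sets the Kerberos state on `creds` before the schannel decision. The state presumably comes from wherever the credentials were loaded, so a line such as `/* Kerberos state is set by the credential source; do not override it here. */` would keep a later reader from reintroducing the override. `creds_domain` is assigned outside the hunk, so the new `if (creds_domain != domain)` comparison cannot be checked from here.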
@@ -1138,8 +1126,10 @@ goto session_setup_done; } - DEBUG(4,("failed kerberos session setup with %s\n", - nt_errstr(result))); + DEBUG(1, ("Failed to use kerberos connecting to %s from %s " + "with kerberos principal [%s]\n", + controller, lp_netbios_name(), + machine_krb5_principal)); } if (krb5_state != CRED_MUST_USE_KERBEROS) { @@ -1157,10 +1147,15 @@ machine_password, strlen(machine_password)+1, machine_domain); - } - if (NT_STATUS_IS_OK(result)) { - goto session_setup_done; + if (NT_STATUS_IS_OK(result)) { + goto session_setup_done; + } + + DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " + "with username [%s]\\[%s]\n", + controller, lp_netbios_name(), + machine_domain, machine_account)); } /* @@ -1174,10 +1169,6 @@ || NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) || NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE)) { - if (cli_credentials_is_anonymous(creds)) { - goto done; - } - if (!cm_is_ipc_credentials(creds)) { goto ipc_fallback; } @@ -1189,19 +1180,22 @@ goto anon_fallback; } - DEBUG(4, ("authenticated session setup failed with %s\n", - nt_errstr(result))); + DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", + controller, + cli_credentials_get_unparsed_name(creds, talloc_tos()), + nt_errstr(result))); goto done; ipc_fallback: - result = cm_get_ipc_credentials(talloc_tos(), &creds); - if (!NT_STATUS_IS_OK(result)) { + TALLOC_FREE(creds); + tmp_status = cm_get_ipc_credentials(talloc_tos(), &creds); + if (!NT_STATUS_IS_OK(tmp_status)) { + result = tmp_status; goto done; } if (cli_credentials_is_anonymous(creds)) { - TALLOC_FREE(creds); goto anon_fallback; } @@ -1228,6 +1222,11 @@ goto session_setup_done; } + DEBUG(1, ("Failed to use NTLMSSP connecting to %s from %s " + "with username " + "[%s]\\[%s]\n", controller, lp_netbios_name(), + machine_domain, machine_account)); + /* * If we are not going to validiate the conneciton * with SMB signing, then allow us to fall back to 
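Review bot: The new `DEBUG(1, ...)` for a failed Kerberos session setup no longer prints `nt_errstr(result)`, which the removed level-4 message did, so the log records who failed against which DC but not why. Ending the format with `"with kerberos principal [%s]: %s\n"` and passing `nt_errstr(result)` as the last argument keeps the reason on the same line. The two added "Failed to use NTLMSSP connecting to" messages in the later hunks drop the status in the same way. `machine_krb5_principal` is assigned outside the hunk; if it can be NULL, it needs a guard before being passed to `%s`.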
@@ -1242,19 +1241,22 @@ goto anon_fallback; } - DEBUG(4, ("authenticated session setup failed with %s\n", - nt_errstr(result))); + DEBUG(1, ("authenticated session setup to %s using %s failed with %s\n", + controller, + cli_credentials_get_unparsed_name(creds, talloc_tos()), + nt_errstr(result))); goto done; anon_fallback: + TALLOC_FREE(creds); if (smb_sign_client_connections == SMB_SIGNING_REQUIRED) { goto done; } /* Fall back to anonymous connection, this might fail later */ - DEBUG(10,("cm_prepare_connection: falling back to anonymous " + DEBUG(5,("cm_prepare_connection: falling back to anonymous " "connection for DC %s\n", controller )); @@ -1266,6 +1268,9 @@ goto session_setup_done; } + DEBUG(1, ("anonymous session setup to %s failed with %s\n", + controller, nt_errstr(result))); + /* We can't session setup */ goto done; @@ -1283,11 +1288,11 @@ } result = cli_tree_connect(*cli, "IPC$", "IPC", "", 0); - if (!NT_STATUS_IS_OK(result)) { DEBUG(1,("failed tcon_X with %s\n", nt_errstr(result))); goto done; } + tcon_status = result; /* cache the server name for later connections */ @@ -1306,7 +1311,13 @@ done: TALLOC_FREE(mutex); + if (NT_STATUS_IS_OK(result)) { + result = tcon_status; + } + if (!NT_STATUS_IS_OK(result)) { + DEBUG(1, ("Failed to prepare SMB connection to %s: %s\n", + controller, nt_errstr(result))); winbind_add_failed_connection_entry(domain, controller, result); if ((*cli) != NULL) { cli_shutdown(*cli); 
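Review bot: The added `if (NT_STATUS_IS_OK(result)) { result = tcon_status; }` under `done:` carries no comment, and its effect depends on `tcon_status` starting as `NT_STATUS_NETWORK_NAME_DELETED` in a declaration hunk earlier in the file. As far as the visible lines show, it turns any jump to `done` with an OK `result` taken before `cli_tree_connect()` succeeded into a failure. A comment such as `/* Only report success once the IPC$ tree connect has completed. */` would make that intent explicit. The function body starts outside these hunks.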
@@ -3293,9 +3304,28 @@ sec_chan_type = cli_credentials_get_secure_channel_type(creds); if (sec_chan_type == SEC_CHAN_NULL) { - DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", - domain->name); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + if (transport == NCACN_IP_TCP) { + DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " + " deny NCACN_IP_TCP and let the caller fallback to NCACN_NP.\n", + domain->name); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + + DBG_NOTICE("get_secure_channel_type gave SEC_CHAN_NULL for %s, " + "fallback to noauth on NCACN_NP.\n", + domain->name); + + result = cli_rpc_pipe_open_noauth_transport(conn->cli, + transport, + &ndr_table_netlogon, + &conn->netlogon_pipe); + if (!NT_STATUS_IS_OK(result)) { + invalidate_cm_connection(domain); + return result; + } + + *cli = conn->netlogon_pipe; + return NT_STATUS_OK; } result = rpccli_create_netlogon_creds_with_creds(creds, @@ -3334,11 +3364,6 @@ conn->netlogon_flags = netlogon_creds->negotiate_flags; TALLOC_FREE(netlogon_creds); - /* - * FIXME: Document in which case we are not able to contact - * a DC without schannel. Which information do we try to get - * from this DC? - */ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { result = NT_STATUS_DOWNGRADE_DETECTED; diff -Nru samba-4.5.4+dfsg/source3/winbindd/winbindd_util.c samba-4.5.8+dfsg/source3/winbindd/winbindd_util.c --- samba-4.5.4+dfsg/source3/winbindd/winbindd_util.c 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/source3/winbindd/winbindd_util.c 2017-03-09 09:21:43.000000000 +0000 
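Review bot: The new `SEC_CHAN_NULL` branch opens the netlogon pipe with `cli_rpc_pipe_open_noauth_transport()` and returns `NT_STATUS_OK` before the `NETLOGON_NEG_AUTHENTICATED_RPC` check in the next hunk. On this path, `lp_winbind_sealed_pipes()` and `lp_require_strong_key()` are therefore never consulted in the visible lines. The branch should say in a comment that callers receive an unauthenticated pipe and what it may be used for, for example `/* No machine account for this domain: unauthenticated netlogon over NCACN_NP only. */`. Whether those two settings should also reject the fallback cannot be decided from the hunk alone. The first `DBG_NOTICE` format has a doubled space where `", "` is followed by `" deny"`.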
@@ -345,6 +345,20 @@ char *p; struct winbindd_tdc_domain trust_params = {0}; ptrdiff_t extra_len; + bool within_forest = false; + + /* + * Only when we enumerate our primary domain + * or our forest root domain, we should keep + * the NETR_TRUST_FLAG_IN_FOREST flag, in + * all other cases we need to clear it as the domain + * is not part of our forest. + */ + if (state->domain->primary) { + within_forest = true; + } else if (domain_is_forest_root(state->domain)) { + within_forest = true; + } res = wb_domain_request_recv(req, state, &response, &err); if ((res == -1) || (response->result != WINBINDD_OK)) { @@ -430,6 +444,14 @@ trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10); + if (!within_forest) { + trust_params.trust_flags &= ~NETR_TRUST_FLAG_IN_FOREST; + } + + if (!state->domain->primary) { + trust_params.trust_flags &= ~NETR_TRUST_FLAG_PRIMARY; + } + /* * We always call add_trusted_domain() cause on an existing * domain structure, it will update the SID if necessary. diff -Nru samba-4.5.4+dfsg/source3/wscript_build samba-4.5.8+dfsg/source3/wscript_build --- samba-4.5.4+dfsg/source3/wscript_build 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/source3/wscript_build 2017-03-09 09:21:43.000000000 +0000 @@ -455,7 +455,7 @@ libads/ldap_schema.c libads/util.c libads/ndr.c''', - deps='cli-ldap-common krb5samba ldap lber KRBCLIENT param LIBNMB libsmb DCUTIL smbldap', + deps='cli-ldap-common krb5samba ldap lber KRBCLIENT param LIBNMB libsmb DCUTIL smbldap trusts_util', private_library=True) bld.SAMBA3_SUBSYSTEM('LIBADS_SERVER', diff -Nru samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c --- samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c 2017-03-09 09:21:43.000000000 +0000 
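Review bot: The second hunk clears `NETR_TRUST_FLAG_PRIMARY` when `state->domain->primary` is false, but it has no comment, unlike the `within_forest` block. A line such as `/* Only our primary domain can report which domain is primary. */` above that `if` would record the reasoning; the wording is inferred from the code and should be confirmed by the author. As a style point, the `if`/`else if` that sets `within_forest` can be one initializer: `bool within_forest = state->domain->primary || domain_is_forest_root(state->domain);`. The enclosing function starts and ends outside the hunks.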
@@ -35,6 +35,7 @@ #include "includes.h" #include "ldb_module.h" #include "libcli/auth/libcli_auth.h" +#include "libcli/security/dom_sid.h" #include "system/kerberos.h" #include "auth/kerberos/kerberos.h" #include "dsdb/samdb/samdb.h" @@ -125,6 +126,7 @@ const char *sAMAccountName; const char *user_principal_name; bool is_computer; + bool is_krbtgt; uint32_t restrictions; } u; @@ -2793,6 +2795,8 @@ ldb_get_opaque(ldb, "loadparm"), struct loadparm_context); int ret; const struct ldb_message *info_msg = NULL; + struct dom_sid *account_sid = NULL; + int rodc_krbtgt = 0; ZERO_STRUCTP(io); @@ -2837,6 +2841,26 @@ "userPrincipalName", NULL); io->u.is_computer = ldb_msg_check_string_attribute(info_msg, "objectClass", "computer"); + /* Ensure it has an objectSID too */ + account_sid = samdb_result_dom_sid(ac, info_msg, "objectSid"); + if (account_sid != NULL) { + NTSTATUS status; + uint32_t rid = 0; + + status = dom_sid_split_rid(account_sid, account_sid, NULL, &rid); + if (NT_STATUS_IS_OK(status)) { + if (rid == DOMAIN_RID_KRBTGT) { + io->u.is_krbtgt = true; + } + } + } + + rodc_krbtgt = ldb_msg_find_attr_as_int(info_msg, + "msDS-SecondaryKrbTgtNumber", 0); + if (rodc_krbtgt != 0) { + io->u.is_krbtgt = true; + } + if (io->u.sAMAccountName == NULL) { ldb_asprintf_errstring(ldb, "setup_io: sAMAccountName attribute is missing on %s for attempted password set/change", @@ -2867,6 +2891,12 @@ & (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)); + if (io->u.is_krbtgt) { + io->u.restrictions = 0; + io->ac->status->domain_data.pwdHistoryLength = + MAX(io->ac->status->domain_data.pwdHistoryLength, 3); + } + if (ac->userPassword) { ret = msg_find_old_and_new_pwd_val(client_msg, "userPassword", ac->req->operation, 
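Review bot: The block under `/* Ensure it has an objectSID too */` ensures nothing: a missing `objectSid` or a failed `dom_sid_split_rid()` is skipped silently and `io->u.is_krbtgt` stays false. Later hunks use `is_krbtgt` to lift the restrictions, raise the history length and replace the supplied password, so treating an unreadable SID as "not krbtgt" fails open for the RID-based check. Either reword the comment to `/* Detect the krbtgt account by RID when an objectSid is present */` or return an error when `account_sid == NULL`. Which is right depends on whether accounts without a SID can reach this point, which the hunk does not show.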
@@ -3172,6 +3202,59 @@ return ldb_operr(ldb); } + if (io->u.is_krbtgt) { + size_t min = 196; + size_t max = 255; + size_t diff = max - min; + size_t len = max; + struct ldb_val *krbtgt_utf16 = NULL; + + if (!ac->pwd_reset) { + return dsdb_module_werror(ac->module, + LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS, + WERR_DS_ATT_ALREADY_EXISTS, + "Password change on krbtgt not permitted!"); + } + + if (io->n.cleartext_utf16 == NULL) { + return dsdb_module_werror(ac->module, + LDB_ERR_UNWILLING_TO_PERFORM, + WERR_DS_INVALID_ATTRIBUTE_SYNTAX, + "Password reset on krbtgt requires UTF16!"); + } + + /* + * Instead of taking the callers value, + * we just generate a new random value here. + * + * Include null termination in the array. + */ + if (diff > 0) { + size_t tmp; + + generate_random_buffer((uint8_t *)&tmp, sizeof(tmp)); + + tmp %= diff; + + len = min + tmp; + } + + krbtgt_utf16 = talloc_zero(io->ac, struct ldb_val); + if (krbtgt_utf16 == NULL) { + return ldb_oom(ldb); + } + + *krbtgt_utf16 = data_blob_talloc_zero(krbtgt_utf16, + (len+1)*2); + if (krbtgt_utf16->data == NULL) { + return ldb_oom(ldb); + } + krbtgt_utf16->length = len * 2; + generate_secret_buffer(krbtgt_utf16->data, + krbtgt_utf16->length); + io->n.cleartext_utf16 = krbtgt_utf16; + } + if (existing_msg != NULL) { NTSTATUS status; @@ -4055,6 +4138,7 @@ "badPasswordTime", "badPwdCount", "lockoutTime", + "msDS-SecondaryKrbTgtNumber", NULL }; struct ldb_request *search_req; int ret; diff -Nru samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/repl_meta_data.c samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/repl_meta_data.c --- samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 2016-10-24 19:37:30.000000000 +0000 +++ samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 2017-03-09 09:21:43.000000000 +0000 
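Review bot: With `min = 196` and `max = 255`, `tmp %= diff` yields 0..58, so `len` ranges over 196..254 and never reaches `max`. If the upper bound is meant to be inclusive, `tmp %= diff + 1;` corrects it; if not, a comment should say that `max` is exclusive. The two constants are unexplained and `if (diff > 0)` is always true for them, so a why-comment on the length range would help the next reader. The enclosing function starts and ends outside the hunk.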
@@ -1446,15 +1446,21 @@ NTTIME now, bool is_schema_nc) { + const char *rdn_name = ldb_dn_get_rdn_name(msg->dn); + const struct dsdb_attribute *rdn_attr = + dsdb_attribute_by_lDAPDisplayName(ar->schema, rdn_name); + const char *attr_name = rdn_attr != NULL ? + rdn_attr->lDAPDisplayName : + rdn_name; struct ldb_message_element new_el = { .flags = LDB_FLAG_MOD_REPLACE, - .name = ldb_dn_get_rdn_name(msg->dn), + .name = attr_name, .num_values = 1, .values = discard_const_p(struct ldb_val, rdn_new) }; struct ldb_message_element old_el = { .flags = LDB_FLAG_MOD_REPLACE, - .name = ldb_dn_get_rdn_name(msg->dn), + .name = attr_name, .num_values = rdn_old ? 1 : 0, .values = discard_const_p(struct ldb_val, rdn_old) }; diff -Nru samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/samba_dsdb.c samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/samba_dsdb.c --- samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/samba_dsdb.c 2016-08-11 07:51:04.000000000 +0000 +++ samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/samba_dsdb.c 2017-03-09 09:21:43.000000000 +0000 @@ -231,7 +231,7 @@ static int samba_dsdb_init(struct ldb_module *module) { struct ldb_context *ldb = ldb_module_get_ctx(module); - int ret, len, i; + int ret, len, i, j; TALLOC_CTX *tmp_ctx = talloc_new(module); struct ldb_result *res; struct ldb_message *rootdse_msg = NULL, *partition_msg; @@ -317,11 +317,15 @@ static const char *openldap_backend_modules[] = { "dsdb_flags_ignore", "entryuuid", "simple_dn", NULL }; - static const char *samba_dsdb_attrs[] = { "backendType", NULL }; + static const char *samba_dsdb_attrs[] = { "backendType", + SAMBA_COMPATIBLE_FEATURES_ATTR, + SAMBA_REQUIRED_FEATURES_ATTR, NULL }; static const char *partition_attrs[] = { "ldapBackend", NULL }; const char *backendType, *backendUrl; bool use_sasl_external = false; + const char *current_supportedFeatures[] = {}; + if (!tmp_ctx) { return ldb_oom(ldb); } 
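Review bot: `const char *current_supportedFeatures[] = {};` in `samba_dsdb_init` uses an empty initializer, which ISO C before C23 does not allow; it compiles only as a compiler extension that yields a zero-length array. A portable form is `static const char *current_supportedFeatures[] = { NULL };`. The comparison loop added in the following hunk would then stop at the NULL entry instead of relying on `ARRAY_SIZE()` being 0. A comment saying that the list is intentionally empty in this release would also explain why every stored `compatibleFeatures` value ends up on the delete list.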
@@ -357,7 +361,77 @@ if (ret == LDB_ERR_NO_SUCH_OBJECT) { backendType = "ldb"; } else if (ret == LDB_SUCCESS) { + struct ldb_message_element *requiredFeatures; + struct ldb_message_element *old_compatibleFeatures; + backendType = ldb_msg_find_attr_as_string(res->msgs[0], "backendType", "ldb"); + + requiredFeatures = ldb_msg_find_element(res->msgs[0], SAMBA_REQUIRED_FEATURES_ATTR); + if (requiredFeatures != NULL) { + ldb_set_errstring(ldb, "This Samba database was created with " + "a newer Samba version and is marked with " + "requiredFeatures in @SAMBA_DSDB. " + "This database can not safely be read by this Samba version"); + return LDB_ERR_OPERATIONS_ERROR; + } + + old_compatibleFeatures = ldb_msg_find_element(res->msgs[0], + SAMBA_COMPATIBLE_FEATURES_ATTR); + + if (old_compatibleFeatures) { + struct ldb_message *features_msg; + struct ldb_message_element *features_el; + + features_msg = ldb_msg_new(res); + if (features_msg == NULL) { + return ldb_module_operr(module); + } + features_msg->dn = samba_dsdb_dn; + + ldb_msg_add_empty(features_msg, SAMBA_COMPATIBLE_FEATURES_ATTR, + LDB_FLAG_MOD_DELETE, &features_el); + + for (i = 0; + old_compatibleFeatures && i < old_compatibleFeatures->num_values; + i++) { + for (j = 0; + j < ARRAY_SIZE(current_supportedFeatures); j++) { + if (strcmp((char *)old_compatibleFeatures->values[i].data, + current_supportedFeatures[j]) == 0) { + break; + } + } + if (j == ARRAY_SIZE(current_supportedFeatures)) { + /* + * Add to list of features to remove + * (rather than all features) + */ + ret = ldb_msg_add_value(features_msg, SAMBA_COMPATIBLE_FEATURES_ATTR, + &old_compatibleFeatures->values[i], + NULL); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + if (features_el->num_values > 0) { + /* Delete by list */ + ret = ldb_next_start_trans(module); + if (ret != LDB_SUCCESS) { + return ret; + } + ret = dsdb_module_modify(module, features_msg, DSDB_FLAG_NEXT_MODULE, NULL); + if (ret != LDB_SUCCESS) { + ldb_next_del_trans(module); + 
return ret; + } + ret = ldb_next_end_trans(module); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + } else { talloc_free(tmp_ctx); return ret; diff -Nru samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/samldb.c samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/samldb.c --- samba-4.5.4+dfsg/source4/dsdb/samdb/ldb_modules/samldb.c 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/source4/dsdb/samdb/ldb_modules/samldb.c 2017-03-09 09:21:43.000000000 +0000 @@ -386,7 +386,6 @@ struct ldb_context *ldb = ldb_module_get_ctx(ac->module); uint32_t krbtgt_number, i_start, i; int ret; - char *newpass; struct ldb_val newpass_utf16; /* find a unused msDC-SecondaryKrbTgtNumber */ @@ -432,21 +431,17 @@ return ldb_operr(ldb); } - newpass = generate_random_password(ac->msg, 128, 255); - if (newpass == NULL) { - return ldb_operr(ldb); - } - - if (!convert_string_talloc(ac, - CH_UNIX, CH_UTF16, - newpass, strlen(newpass), - (void *)&newpass_utf16.data, - &newpass_utf16.length)) { - ldb_asprintf_errstring(ldb, - "samldb_rodc_add: " - "failed to generate UTF16 password from random password"); - return LDB_ERR_OPERATIONS_ERROR; - } + newpass_utf16 = data_blob_talloc_zero(ac->module, 256); + if (newpass_utf16.data == NULL) { + return ldb_oom(ldb); + } + /* + * Note that the password_hash module will ignore + * this value and use it's own generate_secret_buffer() + * that's why we can just use generate_random_buffer() + * here. + */ + generate_random_buffer(newpass_utf16.data, newpass_utf16.length); ret = ldb_msg_add_steal_value(ac->msg, "clearTextPassword", &newpass_utf16); if (ret != LDB_SUCCESS) { return ldb_operr(ldb); diff -Nru samba-4.5.4+dfsg/source4/dsdb/samdb/samdb.h samba-4.5.8+dfsg/source4/dsdb/samdb/samdb.h --- samba-4.5.4+dfsg/source4/dsdb/samdb/samdb.h 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/source4/dsdb/samdb/samdb.h 2017-03-09 09:21:43.000000000 +0000 
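Review bot: The return value of `ldb_msg_add_empty()` is ignored, yet `features_el->num_values` is read after the loop, so a failed add leaves `features_el` uninitialised when it is dereferenced. Check it like the neighbouring calls: assign the result to `ret` and follow it with `if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; }`. The other early returns added here (the `requiredFeatures` rejection, `ldb_msg_new`, `ldb_msg_add_value`, the transaction calls) also skip the `talloc_free(tmp_ctx)` that the `else` branch at the end of the hunk performs. `strcmp()` on `values[i].data` additionally assumes the stored value is NUL-terminated.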
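Review bot: `data_blob_talloc_zero(ac->module, 256)` parents the password buffer on the module, not on the request as the removed code did with `ac->msg` and `ac`. If `ldb_msg_add_steal_value()` fails, the 256 random bytes therefore stay allocated for the module's lifetime. Tying it to the message avoids that: `newpass_utf16 = data_blob_talloc_zero(ac->msg, 256);`. In the new comment "it's own" should be "its own", and the literal 256 would benefit from a note on what length the placeholder needs, given that the comment says the value is ignored downstream.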
@@ -314,4 +314,6 @@ */ #define DSDB_FLAG_INTERNAL_FORCE_META_DATA 0x10000 +#define SAMBA_COMPATIBLE_FEATURES_ATTR "compatibleFeatures" +#define SAMBA_REQUIRED_FEATURES_ATTR "requiredFeatures" #endif /* __SAMDB_H__ */ diff -Nru samba-4.5.4+dfsg/source4/ldap_server/ldap_bind.c samba-4.5.8+dfsg/source4/ldap_server/ldap_bind.c --- samba-4.5.4+dfsg/source4/ldap_server/ldap_bind.c 2016-08-11 07:51:05.000000000 +0000 +++ samba-4.5.8+dfsg/source4/ldap_server/ldap_bind.c 2017-03-09 09:21:43.000000000 +0000 @@ -29,6 +29,37 @@ #include "param/param.h" #include "../lib/util/tevent_ntstatus.h" +static char *ldapsrv_bind_error_msg(TALLOC_CTX *mem_ctx, + HRESULT hresult, + uint32_t DSID, + NTSTATUS status) +{ + WERROR werr; + char *msg = NULL; + + status = nt_status_squash(status); + werr = ntstatus_to_werror(status); + + /* + * There are 4 lower case hex digits following 'v' at the end, + * but different Windows Versions return different values: + * + * Windows 2008R2 uses 'v1db1' + * Windows 2012R2 uses 'v2580' + * + * We just match Windows 2008R2 as that's what was referenced + * in https://bugzilla.samba.org/show_bug.cgi?id=9048 + */ + msg = talloc_asprintf(mem_ctx, "%08X: LdapErr: DSID-%08X, comment: " + "AcceptSecurityContext error, data %x, v1db1", + (unsigned)HRES_ERROR_V(hresult), + (unsigned)DSID, + (unsigned)W_ERROR_V(werr)); + + return msg; +} + + static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) { struct ldap_BindRequest *req = &call->request->r.BindRequest; @@ -95,7 +126,8 @@ status = nt_status_squash(status); result = LDAP_INVALID_CREDENTIALS; - errstr = talloc_asprintf(reply, "Simple Bind Failed: %s", nt_errstr(status)); + errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_INVALID_TOKEN, + 0x0C0903A9, status); } do_reply: 
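Review bot: `ldapsrv_bind_error_msg()` puts the Windows error derived from `status` into the `data %x` field of the bind failure text, and the `nt_status_squash()` call at its top is presumably what keeps that field from revealing why a logon failed. A comment there, such as `/* squash first: the data code goes to the client and must not distinguish failure causes */`, would stop a later cleanup from removing it as redundant with the caller's own squash. The DSID literals `0x0C0903A9` here and `0x0C0904DC` in the SASL hunk that follows would read better as named constants. `talloc_asprintf()` can also return NULL, which both call sites pass on as `errstr` unchecked in the visible lines.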
@@ -346,7 +378,8 @@ status = nt_status_squash(status); if (result == 0) { result = LDAP_INVALID_CREDENTIALS; - errstr = talloc_asprintf(reply, "SASL:[%s]: %s", req->creds.SASL.mechanism, nt_errstr(status)); + errstr = ldapsrv_bind_error_msg(reply, HRES_SEC_E_LOGON_DENIED, + 0x0C0904DC, status); } talloc_unlink(conn, conn->gensec); conn->gensec = NULL; diff -Nru samba-4.5.4+dfsg/source4/libcli/raw/smb.h samba-4.5.8+dfsg/source4/libcli/raw/smb.h --- samba-4.5.4+dfsg/source4/libcli/raw/smb.h 2016-08-11 07:51:05.000000000 +0000 +++ samba-4.5.8+dfsg/source4/libcli/raw/smb.h 2017-03-09 09:21:43.000000000 +0000 @@ -297,13 +297,6 @@ #define UID_FIELD_INVALID 0 -/* The maximum length of a trust account password. - Used when we randomly create it, 15 char passwords - exceed NT4's max password length */ - -#define DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH 14 - - /* filesystem attribute bits */ diff -Nru samba-4.5.4+dfsg/source4/libnet/libnet_vampire.c samba-4.5.8+dfsg/source4/libnet/libnet_vampire.c --- samba-4.5.4+dfsg/source4/libnet/libnet_vampire.c 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/source4/libnet/libnet_vampire.c 2017-03-09 09:21:43.000000000 +0000 @@ -160,7 +160,7 @@ settings.realm = s->realm; settings.domain = s->domain_name; settings.server_dn_str = p->dest_dsa->server_dn_str; - settings.machine_password = generate_random_password(s, 16, 255); + settings.machine_password = generate_random_machine_password(s, 128, 255); settings.targetdir = s->targetdir; settings.use_ntvfs = true; status = provision_bare(s, s->lp_ctx, &settings, &result); diff -Nru samba-4.5.4+dfsg/source4/scripting/bin/renamedc samba-4.5.8+dfsg/source4/scripting/bin/renamedc --- samba-4.5.4+dfsg/source4/scripting/bin/renamedc 2016-08-11 07:51:05.000000000 +0000 +++ samba-4.5.8+dfsg/source4/scripting/bin/renamedc 2017-03-09 09:21:43.000000000 +0000 
@@ -95,7 +95,7 @@ # Then change password and samaccountname and dnshostname msg = ldb.Message(newdn) - machinepass = samba.generate_random_password(128, 255) + machinepass = samba.generate_random_machine_password(128, 255) mputf16 = machinepass.encode('utf-16-le') account = "%s$" % opts.newname.upper() diff -Nru samba-4.5.4+dfsg/source4/selftest/tests.py samba-4.5.8+dfsg/source4/selftest/tests.py --- samba-4.5.4+dfsg/source4/selftest/tests.py 2016-12-05 08:18:44.000000000 +0000 +++ samba-4.5.8+dfsg/source4/selftest/tests.py 2017-03-09 09:21:43.000000000 +0000 
@@ -625,6 +625,11 @@ plantestsuite("samba4.blackbox.samba3dump", "none", [os.path.join(samba4srcdir, "selftest/test_samba3dump.sh")]) plantestsuite("samba4.blackbox.upgrade", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_s3upgrade.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.provision.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_provision.sh"), '$PREFIX/provision']) +plantestsuite("samba4.blackbox.supported_features", "none", + ["PYTHON=%s" % python, + os.path.join(samba4srcdir, + "setup/tests/blackbox_supported_features.sh"), + '$PREFIX/provision']) plantestsuite("samba4.blackbox.upgradeprovision.current", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_upgradeprovision.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.setpassword.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_setpassword.sh"), '$PREFIX/provision']) plantestsuite("samba4.blackbox.newuser.py", "none", ["PYTHON=%s" % python, os.path.join(samba4srcdir, "setup/tests/blackbox_newuser.sh"), '$PREFIX/provision']) diff -Nru samba-4.5.4+dfsg/source4/setup/tests/blackbox_supported_features.sh samba-4.5.8+dfsg/source4/setup/tests/blackbox_supported_features.sh --- samba-4.5.4+dfsg/source4/setup/tests/blackbox_supported_features.sh 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.5.8+dfsg/source4/setup/tests/blackbox_supported_features.sh 2017-03-09 09:21:43.000000000 +0000 
@@ -0,0 +1,86 @@ +#!/bin/sh + +if [ $# -lt 1 ]; then +cat < + * BUG 12721: Fix regression with "follow symlinks = no". + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= + Release Notes for Samba 4.5.7 + March 23, 2017 + ============================= + + +This is a security release in order to address the following defect: + +o CVE-2017-2619 (Symlink race allows access outside share definition) + +======= +Details +======= + +o CVE-2017-2619: + All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to + a malicious client using a symlink race to allow access to areas of + the server file system not exported under the share definition. + + Samba uses the realpath() system call to ensure when a client requests + access to a pathname that it is under the exported share path on the + server file system. + + Clients that have write access to the exported part of the file system + via SMB1 unix extensions or NFS to create symlinks can race the server + by renaming a realpath() checked path and then creating a symlink. 
If + the client wins the race it can cause the server to access the new + symlink target after the exported share path check has been done. This + new symlink target can point to anywhere on the server file system. + + This is a difficult race to win, but theoretically possible. Note that + the proof of concept code supplied wins the race reliably only when + the server is slowed down using the strace utility running on the + server. Exploitation of this bug has not been seen in the wild. + + +Changes since 4.5.6: +-------------------- + +o Jeremy Allison + * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share + directory. + +o Ralph Boehme + * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share + directory. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================= + Release Notes for Samba 4.5.6 + March 9, 2017 + ============================= + + +This is the latest stable release of the Samba 4.5 release series. + + +Changes since 4.5.5: +-------------------- + +o Jeremy Allison + * BUG 12499: s3: vfs: dirsort doesn't handle opendir of "." correctly. 
+ * BUG 12531: vfs_shadow_copy2 doesn't cope with server changing directories. + * BUG 12546: vfs_streams_xattr doesn't cope with server changing directories. + * BUG 12572: s3: smbd: Don't loop infinitely on bad-symlink resolution. + * BUG 12608: s3: smbd: Restart reading the incoming SMB2 fd when the send + queue is drained. + +o Andrew Bartlett + * BUG 12573: Samba < 4.7 does not know about compatibleFeatures and + requiredFeatures. + +o Ralph Boehme + * BUG 12184: s3/rpc_server: Shared rpc modules loading. + * BUG 12427: vfs_fruit doesn't work with fruit:metadata=stream. + * BUG 12520: Ensure global "smb encrypt = off" is effective. + * BUG 12524: s3/rpc_server: move rpc_modules.c to its own subsystem. + * BUG 12536: s3/smbd: check for invalid access_mask + smbd_calculate_access_mask(). + * BUG 12541: vfs_fruit: checks wrong AAPL config state and so always uses + readdirattr. + * BUG 12545: s3/rpc_server/mdssvc: add attribute "kMDItemContentType". + * BUG 12591: vfs_streams_xattr: use fsp, not base_fsp. + * BUG 12604: vfs_fruit: Enabling AAPL extensions must be a global switch. + +o Amitay Isaacs + * BUG 12469: ctdb-tests: Use replace headers instead of system headers. + * BUG 12547: ctdb-build: Install CTDB tests correctly from toplevel. + * BUG 12580: ctdb-common: Fix use-after-free error in comm_fd_handler(). + +o Volker Lendecke + * BUG 12551: smbd: Fix "map acl inherit" = yes. + +o Stefan Metzmacher + * BUG 9048: s4:ldap_server: Match Windows in the error messages of failing + LDAP Bind requests. + * BUG 11830: s3:winbindd: Try a NETLOGON connection with noauth over NCACN_NP + against trusted domains. + * BUG 12262: 'net ads testjoin' and smb access fails after winbindd changed the + trust password. + * BUG 12399: s4:repl_meta_data: Normalize rdn attribute name via the schema. + * BUG 12540: s3:smbd: Allow "server min protocol = SMB3_00" to go via "SMB + 2.???" negprot. 
+ * BUG 12581: smbclient fails on bad endianess when listing shares from + Solaris kernel SMB server on SPARC. + * BUG 12585: librpc/rpc: fix regression in + NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping. + * BUG 12586: libcli/auth: Use the correct creds value against servers without + LogonSamLogonEx. + * BUG 12587: winbindd child segfaults on connect to an NT4 domain. + * BUG 12588: cm_prepare_connection may return NT_STATUS_OK without a valid + connection. + * BUG 12598: winbindd (as member) requires Kerberos against trusted ad + domain, while it shouldn't. + * BUG 12605: s3:winbindd: Fix endless forest trust scan. + +o Garming Sam + * BUG 12577: dbcheck-links: Test that dbcheck against one-way links does not + error. + * BUG 12600: dbchecker: Stop ignoring linked cases where both objects are + alive. + +o Andreas Schneider + * BUG 12571: s3-vfs: Only walk the directory once in open_and_sort_dir(). + +o Martin Schwenke + * BUG 12589: ctdb-scripts: Initialise CTDB_NFS_CALLOUT in statd-callout. + +o Uri Simchoni + * BUG 12529: waf: backport finding of pkg-config. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================= + Release Notes for Samba 4.5.5 + January 30, 2017 + ============================= + + +This is the latest stable release of the Samba 4.5 release series. + +Samba 4.5.4 erroneously included a rewrite of the vfs_fruit module. +This patchset will be reverted with this release, because it needs to pass the +review process first. If you are using the vfs_fruit module, please do not use +Samba 4.5.4. + +Changes since 4.5.4: +-------------------- + +o Amitay Isaacs + * BUG 12469: ctdb-locking: Explicitly unlock record/db in lock helper. + +o Björn Jacke + * BUG 12535: vfs_default: Unlock the right file in copy chunk. + +o Martin Schwenke + * BUG 12512: ctdb-scripts: Fix remaining uses of "ctdb gratiousarp". + * BUG 12516: ctdb-scripts: /etc/iproute2/rt_tables gets populated with multiple + 'default' entries. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================= Release Notes for Samba 4.5.4 January 18, 2017 ============================= @@ -68,8 +338,8 @@ ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.5.3