authorRene Ladan <rene@FreeBSD.org>2024-04-01 13:33:12 +0000
committerRene Ladan <rene@FreeBSD.org>2024-04-01 13:33:12 +0000
commit55ba831d1e3093830deab253b6788bfa13c14802 (patch)
tree75136615d346c22ec8d9320b76c3710fd5e35745
parentabc5940e1553a3b9d425a881e4b8fd83b1bfb04f (diff)
net/samba413: Remove expired port
2024-03-31 net/samba413: Reached its EoL on March 21, 2022
-rw-r--r--MOVED1
-rw-r--r--net/Makefile1
-rw-r--r--net/samba413/Makefile729
-rw-r--r--net/samba413/distinfo3
-rw-r--r--net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch67
-rw-r--r--net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch704
-rw-r--r--net/samba413/files/0001-Zfs-provision-1.patch369
-rw-r--r--net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch71
-rw-r--r--net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch40
-rw-r--r--net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch135
-rw-r--r--net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch73
-rw-r--r--net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch172
-rw-r--r--net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch120
-rw-r--r--net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch17
-rw-r--r--net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch16
-rw-r--r--net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch101
-rw-r--r--net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch93
-rw-r--r--net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch34
-rw-r--r--net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch60
-rw-r--r--net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch86
-rw-r--r--net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch77
-rw-r--r--net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch53
-rw-r--r--net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch45
-rw-r--r--net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch57
-rw-r--r--net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch456
-rw-r--r--net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch504
-rw-r--r--net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch222
-rw-r--r--net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch1897
-rw-r--r--net/samba413/files/README.FreeBSD.in90
-rw-r--r--net/samba413/files/man/ctdb-script.options.5558
-rw-r--r--net/samba413/files/man/ctdb-statistics.7550
-rw-r--r--net/samba413/files/man/ctdb-tunables.7406
-rw-r--r--net/samba413/files/man/ctdb.11526
-rw-r--r--net/samba413/files/man/ctdb.7783
-rw-r--r--net/samba413/files/man/ctdb.conf.5359
-rw-r--r--net/samba413/files/man/ctdb.sysconfig.5139
-rw-r--r--net/samba413/files/man/ctdb_diagnostics.179
-rw-r--r--net/samba413/files/man/ctdbd.183
-rw-r--r--net/samba413/files/man/ctdbd_wrapper.163
-rw-r--r--net/samba413/files/man/gentest.1133
-rw-r--r--net/samba413/files/man/ldbadd.178
-rw-r--r--net/samba413/files/man/ldbdel.180
-rw-r--r--net/samba413/files/man/ldbedit.1111
-rw-r--r--net/samba413/files/man/ldbmodify.173
-rw-r--r--net/samba413/files/man/ldbrename.181
-rw-r--r--net/samba413/files/man/ldbsearch.191
-rw-r--r--net/samba413/files/man/locktest.1137
-rw-r--r--net/samba413/files/man/ltdbtool.1256
-rw-r--r--net/samba413/files/man/masktest.1113
-rw-r--r--net/samba413/files/man/mdfind.1166
-rw-r--r--net/samba413/files/man/ndrdump.184
-rw-r--r--net/samba413/files/man/nmblookup.1225
-rw-r--r--net/samba413/files/man/nmblookup4.1157
-rw-r--r--net/samba413/files/man/ntlm_auth.1429
-rw-r--r--net/samba413/files/man/ntlm_auth4.1233
-rw-r--r--net/samba413/files/man/oLschema2ldif.174
-rw-r--r--net/samba413/files/man/onnode.1218
-rw-r--r--net/samba413/files/man/ping_pong.1122
-rw-r--r--net/samba413/files/man/regdiff.187
-rw-r--r--net/samba413/files/man/regpatch.181
-rw-r--r--net/samba413/files/man/regshell.1177
-rw-r--r--net/samba413/files/man/regtree.189
-rw-r--r--net/samba413/files/man/samba-gpupdate.8116
-rw-r--r--net/samba413/files/man/smbtorture.1362
-rw-r--r--net/samba413/files/man/talloc.3683
-rw-r--r--net/samba413/files/man/tdbbackup.8129
-rw-r--r--net/samba413/files/man/tdbdump.872
-rw-r--r--net/samba413/files/man/tdbrestore.854
-rw-r--r--net/samba413/files/man/tdbtool.8170
-rw-r--r--net/samba413/files/man/vfs_freebsd.8204
-rw-r--r--net/samba413/files/patch-buildtools_scripts_abi__gen.sh21
-rw-r--r--net/samba413/files/patch-buildtools_wafsamba_samba__autoconf.py35
-rw-r--r--net/samba413/files/patch-buildtools_wafsamba_samba__install.py11
-rw-r--r--net/samba413/files/patch-buildtools_wafsamba_wafsamba.py11
-rw-r--r--net/samba413/files/patch-buildtools_wafsamba_wscript22
-rw-r--r--net/samba413/files/patch-ctdb_wscript62
-rw-r--r--net/samba413/files/patch-dwrap96
-rw-r--r--net/samba413/files/patch-dynconfig_wscript32
-rw-r--r--net/samba413/files/patch-examples_pdb_wscript__build11
-rw-r--r--net/samba413/files/patch-lib_ldb_ldb__key__value_ldb__kv__cache.c13
-rw-r--r--net/samba413/files/patch-lib_ldb_wscript61
-rw-r--r--net/samba413/files/patch-lib_replace_wscript11
-rw-r--r--net/samba413/files/patch-lib_talloc_talloc.c20
-rw-r--r--net/samba413/files/patch-lib_talloc_wscript18
-rw-r--r--net/samba413/files/patch-lib_tdb_wscript27
-rw-r--r--net/samba413/files/patch-lib_util_wscript__build11
-rw-r--r--net/samba413/files/patch-linuxisms91
-rw-r--r--net/samba413/files/patch-listen-backlog94
-rw-r--r--net/samba413/files/patch-mdns532
-rw-r--r--net/samba413/files/patch-nsswitch_wscript__build17
-rw-r--r--net/samba413/files/patch-samba-4.14.1413366
-rw-r--r--net/samba413/files/patch-source3_include_includes.h11
-rw-r--r--net/samba413/files/patch-source3_lib_sysquotas__4B.c18
-rw-r--r--net/samba413/files/patch-source3_lib_util.c14
-rw-r--r--net/samba413/files/patch-source3_librpc_crypto_gse.c16
-rw-r--r--net/samba413/files/patch-source3_modules_vfs__fruit.c86
-rw-r--r--net/samba413/files/patch-source3_modules_vfs__streams__xattr.c526
-rw-r--r--net/samba413/files/patch-source3_modules_vfs__virusfilter__utils.c36
-rw-r--r--net/samba413/files/patch-source3_registry_tests_test__regfio.c10
-rw-r--r--net/samba413/files/patch-source3_smbd_quotas.c19
-rw-r--r--net/samba413/files/patch-source3_smbd_utmp.c261
-rw-r--r--net/samba413/files/patch-source3_torture_cmd__vfs.c140
-rw-r--r--net/samba413/files/patch-source3_utils_net.c18
-rw-r--r--net/samba413/files/patch-source3_utils_net__time.c19
-rw-r--r--net/samba413/files/patch-source3_winbindd_wscript__build11
-rw-r--r--net/samba413/files/patch-source3_wscript84
-rw-r--r--net/samba413/files/patch-source3_wscript__build60
-rw-r--r--net/samba413/files/patch-source4_heimdal_lib_roken_rand.c10
-rw-r--r--net/samba413/files/patch-source4_kdc_kdc-service-mit.c17
-rw-r--r--net/samba413/files/patch-third__party_wscript10
-rw-r--r--net/samba413/files/patch-vfs_freebsd1002
-rw-r--r--net/samba413/files/patch-waf-2.0.201663
-rw-r--r--net/samba413/files/patch-waf-2.0.21703
-rw-r--r--net/samba413/files/patch-waf-2.0.22596
-rw-r--r--net/samba413/files/patch-waf-2.0.23877
-rw-r--r--net/samba413/files/patch-waf-2.0.24164
-rw-r--r--net/samba413/files/pkg-message.in24
-rw-r--r--net/samba413/files/samba_server.in196
-rw-r--r--net/samba413/pkg-descr6
-rw-r--r--net/samba413/pkg-plist453
-rw-r--r--net/samba413/pkg-plist.ad_dc172
-rw-r--r--net/samba413/pkg-plist.cluster78
-rw-r--r--net/samba413/pkg-plist.python389
123 files changed, 1 insertions, 38174 deletions
diff --git a/MOVED b/MOVED
index e96e50197451..bf546ce986c4 100644
--- a/MOVED
+++ b/MOVED
@@ -3133,3 +3133,4 @@ editors/linux-sublime||2024-04-01|Has expired: This is the legacy version Use li
irc/pircbot||2024-04-01|Has expired: Abandoned upstream, last release in 2009 and superseded by pircbotx (fork)
security/akmos||2024-04-01|Has expired: Last release in 2018, no active development for years and no users in tree
sysutils/uefi-edk2-bhyve-csm||2024-04-01|Has expired: Requires old edk2 version and gcc 4.8
+net/samba413||2024-04-01|Has expired: Reached its EoL on March 21, 2022
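Review bot: The added MOVED line leaves the destination field empty and its reason text names no maintained branch, so anyone who looks up net/samba413 in MOVED learns only that it expired. Hosts that keep the installed 4.13 package will presumably get no further security fixes once the port and its backported CVE patches are gone, so an upgrade hint has practical value here. The net/Makefile hunk shows net/samba416 and net/samba419 still in the tree; if one of them is the intended upgrade path, name it in the reason, e.g. `net/samba413||2024-04-01|Has expired: Reached its EoL on March 21, 2022, use net/samba419`. If no branch is a drop-in successor, leaving the second field empty is right and the reason text is the place for the hint.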
diff --git a/net/Makefile b/net/Makefile
index 4acb2bf212d1..62ea4dca446a 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -1438,7 +1438,6 @@
SUBDIR += s5cmd
SUBDIR += sacc
SUBDIR += sakisafecli
- SUBDIR += samba413
SUBDIR += samba416
SUBDIR += samba419
SUBDIR += samplicator
diff --git a/net/samba413/Makefile b/net/samba413/Makefile
deleted file mode 100644
index 18ac25e41360..000000000000
--- a/net/samba413/Makefile
+++ /dev/null
@@ -1,729 +0,0 @@
-PORTNAME= ${SAMBA4_BASENAME}413
-PORTVERSION= ${SAMBA4_VERSION}
-PORTREVISION= 9
-CATEGORIES?= net
-MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc
-DISTNAME= ${SAMBA4_DISTNAME}
-
-MAINTAINER= timur@FreeBSD.org
-COMMENT= Free SMB/CIFS and AD/DC server and client for Unix
-WWW= https://www.samba.org/
-
-LICENSE= GPLv3+
-LICENSE_FILE= ${WRKSRC}/COPYING
-
-DEPRECATED= Reached its EoL on March 21, 2022
-EXPIRATION_DATE= 2024-03-31
-
-IGNORE_NONTHREAD_PYTHON= needs port lang/python${PYTHON_SUFFIX} to be build with THREADS support
-CONFLICTS_INSTALL?= samba4* # bin/cifsdd bin/dbwrap_tool bin/dumpmscat bin/findsmb bin/gentest
-
-USES= cpe
-
-EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 \
- ${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \
- ${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 \
- ${PATCHDIR}/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch:-p1 \
- ${PATCHDIR}/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch:-p1 \
- ${PATCHDIR}/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch:-p1 \
- ${PATCHDIR}/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch:-p1 \
- ${PATCHDIR}/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch:-p1 \
- ${PATCHDIR}/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1 \
- ${PATCHDIR}/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1 \
- ${PATCHDIR}/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch:-p1 \
- ${PATCHDIR}/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch:-p1 \
- ${PATCHDIR}/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch:-p1 \
- ${PATCHDIR}/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch:-p1 \
- ${PATCHDIR}/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch:-p1 \
- ${PATCHDIR}/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch:-p1 \
- ${PATCHDIR}/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch:-p1 \
- ${PATCHDIR}/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch:-p1 \
- ${PATCHDIR}/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch:-p1 \
- ${PATCHDIR}/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch:-p1 \
- ${PATCHDIR}/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch:-p1 \
- ${PATCHDIR}/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch:-p1
-
-# These have been removed from EXTRA_PATCHES because they are empty and patch(1) complains about them
-# ${PATCHDIR}/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch:-p1
-# ${PATCHDIR}/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch:-p1
-
-SAMBA4_BASENAME= samba
-SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4
-SAMBA4_VERSION= 4.13.17
-SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|}
-
-WRKSRC?= ${WRKDIR}/${DISTNAME}
-PLIST?= ${PKGDIR}/pkg-plist
-
-CPE_VENDOR= samba
-CPE_PRODUCT= samba
-# Directories
-VARDIR= ${DESTDIR}/var
-SAMBA4_RUNDIR= ${VARDIR}/run/${SAMBA4_PORTNAME}
-SAMBA4_LOGDIR= ${VARDIR}/log/${SAMBA4_PORTNAME}
-SAMBA4_LOCKDIR= ${VARDIR}/db/${SAMBA4_PORTNAME}
-SAMBA4_BINDDNSDIR= ${SAMBA4_LOCKDIR}/bind-dns
-SAMBA4_PRIVATEDIR= ${SAMBA4_LOCKDIR}/private
-SAMBA4_PAMDIR= ${PREFIX}/lib
-SAMBA4_LIBDIR= ${PREFIX}/lib/${SAMBA4_PORTNAME}
-SAMBA4_INCLUDEDIR= ${PREFIX}/include/${SAMBA4_PORTNAME}
-SAMBA4_CONFDIR= ${PREFIX}/etc
-SAMBA4_CONFIG= smb4.conf
-SAMBA4_MODULES_CLASS= auth bind9 gensec gpext idmap ldb nss_info \
- pdb perfcount process_model service vfs
-
-CONFIGURE_ARGS+= --mandir="${PREFIX}/share/man" \
- --sysconfdir="${SAMBA4_CONFDIR}" \
- --includedir="${SAMBA4_INCLUDEDIR}" \
- --datadir="${DATADIR}" \
- --libdir="${SAMBA4_LIBDIR}" \
- --with-privatelibdir="${SAMBA4_LIBDIR}/private" \
- --with-pammodulesdir="${SAMBA4_PAMDIR}" \
- --with-modulesdir="${SAMBA4_MODULEDIR}" \
- --with-pkgconfigdir="${PKGCONFIGDIR}" \
- --localstatedir="${VARDIR}" \
- --with-piddir="${SAMBA4_RUNDIR}" \
- --with-sockets-dir="${SAMBA4_RUNDIR}" \
- --with-privileged-socket-dir="${SAMBA4_RUNDIR}" \
- --with-lockdir="${SAMBA4_LOCKDIR}" \
- --with-statedir="${SAMBA4_LOCKDIR}" \
- --with-cachedir="${SAMBA4_LOCKDIR}" \
- --with-bind-dns-dir=${SAMBA4_BINDDNSDIR} \
- --with-privatedir="${SAMBA4_PRIVATEDIR}" \
- --with-logfilebase="${SAMBA4_LOGDIR}"
-# XXX: Flags
-CONFIGURE_ENV+= PTHREAD_LDFLAGS="-lpthread"
-MAKE_ENV+= PYTHONHASHSEED=1
-
-USES+= compiler:c++11-lang iconv localbase:ldflags \
- perl5 pkgconfig shebangfix waf gettext-runtime
-USE_PERL5= build
-USE_LDCONFIG= ${SAMBA4_LIBDIR}
-WAF_CMD= buildtools/bin/waf
-CONFIGURE_LOG= bin/config.log
-
-# Make sure that the right version of Python is used by the tools
-# https://bugzilla.samba.org/show_bug.cgi?id=7305
-SHEBANG_FILES= ${PATCH_WRKSRC}/source4/scripting/bin/* ${PATCH_WRKSRC}/selftest/*
-
-PKGCONFIGDIR?= ${PREFIX}/libdata/pkgconfig
-PKGCONFIGDIR_REL?= ${PKGCONFIGDIR:S,^${PREFIX}/,,}
-PLIST_SUB+= PKGCONFIGDIR=${PKGCONFIGDIR_REL}
-SUB_LIST+= PKGCONFIGDIR=${PKGCONFIGDIR_REL}
-##############################################################################
-OPTIONS_SUB= yes
-
-OPTIONS_DEFINE= AD_DC ADS CLUSTER CUPS DOCS FAM GPGME \
- LDAP MANDOC NTVFS PROFILE PYTHON3 QUOTAS \
- SPOTLIGHT SYSLOG UTMP
-#OPTIONS_DEFINE+= DEVELOPER MEMORY_DEBUG
-
-OPTIONS_GROUP= VFS
-OPTIONS_GROUP_VFS= FRUIT GLUSTERFS
-
-OPTIONS_SINGLE= GSSAPI ZEROCONF
-
-OPTIONS_SINGLE_GSSAPI= GSSAPI_BUILTIN GSSAPI_MIT
-#GSSAPI_HEIMDAL
-OPTIONS_SINGLE_ZEROCONF= ZEROCONF_NONE AVAHI MDNSRESPONDER
-
-OPTIONS_RADIO= DNS
-OPTIONS_RADIO_DNS= NSUPDATE BIND916 BIND918
-# Make those default options
-OPTIONS_DEFAULT= AD_DC ADS DOCS FAM LDAP \
- PROFILE PYTHON3 QUOTAS SYSLOG UTMP \
- FRUIT GSSAPI_BUILTIN AVAHI
-##############################################################################
-ADS_DESC= Active Directory client(implies LDAP)
-AD_DC_DESC= Active Directory Domain Controller(implies PYTHON3)
-CLUSTER_DESC= Clustering support
-DEVELOPER_DESC= With developer framework(implies NTVFS)
-FAM_DESC= File Alteration Monitor
-GPGME_DESC= GpgME support
-LDAP_DESC= LDAP client
-LIBZFS_DESC= LibZFS
-SPOTLIGHT_DESC= Spotlight server-side search support
-MANDOC_DESC= Build manpages from DOCBOOK templates
-MEMORY_DEBUG_DESC= Debug memory allocator
-NTVFS_DESC= Build *DEPRECATED* NTVFS file server
-PICKY_DEVELOPER_DESC= Treat compiler warnings as errors(implies DEVELOPER)
-PROFILE_DESC= Profiling data
-QUOTAS_DESC= Disk quota support
-UTMP_DESC= UTMP accounting
-
-VFS_DESC= VFS modules
-GLUSTERFS_DESC= GlusterFS support
-FRUIT_DESC= MacOSX and TimeMachine support
-
-GSSAPI_BUILTIN_DESC= GSSAPI support via bundled Heimdal
-
-ZEROCONF_DESC= Zero configuration networking
-ZEROCONF_NONE_DESC= Zeroconf support is absent
-
-DNS_DESC= DNS frontend
-BIND916_DESC= Use Bind 9.16 as AD DC DNS server frontend
-BIND918_DESC= Use Bind 9.18 as AD DC DNS server frontend
-NSUPDATE_DESC= Use samba NSUPDATE utility for AD DC
-##############################################################################
-# XXX: Unconditional dependencies which can't be switched off(if present in
-# the system)
-
-# Iconv(picked up unconditionaly)
-LIB_DEPENDS+= libiconv.so:converters/libiconv
-# unwind
-LIB_DEPENDS+= libunwind.so:devel/libunwind
-# Readline(sponsored by Python)
-# XXX: USES=readline pollutes CPPFLAGS, so we explicitly put dependency
-LIB_DEPENDS+= libreadline.so:devel/readline
-# popt
-LIB_DEPENDS+= libpopt.so:devel/popt
-# inotify
-LIB_DEPENDS+= libinotify.so:devel/libinotify
-# GNUTLS
-LIB_DEPENDS+= libgnutls.so:security/gnutls
-LIB_DEPENDS+= libgcrypt.so:security/libgcrypt
-# NFSv4 ACL glue
-LIB_DEPENDS+= libsunacl.so:sysutils/libsunacl
-# Jansson
-BUILD_DEPENDS+= jansson>=2.10:devel/jansson
-RUN_DEPENDS+= jansson>=2.10:devel/jansson
-# tasn1
-BUILD_DEPENDS+= libtasn1>=3.8:security/libtasn1
-RUN_DEPENDS+= libtasn1>=3.8:security/libtasn1
-# External Samba dependencies
-# Needed for IDL compiler
-BUILD_DEPENDS+= p5-Parse-Yapp>=0:devel/p5-Parse-Yapp
-# Libarchive
-SAMBA4_BUNDLED_LIBS+= !libarchive
-BUILD_DEPENDS+= libarchive>=3.1.2:archivers/libarchive
-RUN_DEPENDS+= libarchive>=3.1.2:archivers/libarchive
-
-### Bundled libraries
-SAMBA4_BUNDLED_CMOCKA?= no
-SAMBA4_BUNDLED_TALLOC?= no
-SAMBA4_BUNDLED_TEVENT?= no
-SAMBA4_BUNDLED_TDB?= no
-SAMBA4_BUNDLED_LDB?= yes
-# cmocka
-.if defined(SAMBA4_BUNDLED_CMOCKA) && ${SAMBA4_BUNDLED_CMOCKA} == yes
-SAMBA4_BUNDLED_LIBS+= cmocka
-CONFLICTS_INSTALL+= cmocka-1.*
-PLIST_SUB+= SAMBA4_BUNDLED_CMOCKA=""
-SUB_LIST+= SAMBA4_BUNDLED_CMOCKA=""
-.else
-SAMBA4_BUNDLED_LIBS+= !cmocka
-BUILD_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka
-TEST_DEPENDS+= cmocka>=1.1.3:sysutils/cmocka
-PLIST_SUB+= SAMBA4_BUNDLED_CMOCKA="@comment "
-SUB_LIST+= SAMBA4_BUNDLED_CMOCKA="@comment "
-.endif
-# talloc
-.if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes
-SAMBA4_BUNDLED_LIBS+= talloc
-CONFLICTS_INSTALL+= talloc-* talloc1-*
-PLIST_SUB+= SAMBA4_BUNDLED_TALLOC=""
-SUB_LIST+= SAMBA4_BUNDLED_TALLOC=""
-.else
-SAMBA4_BUNDLED_LIBS+= !talloc
-BUILD_DEPENDS+= talloc>=2.3.1:devel/talloc
-RUN_DEPENDS+= talloc>=2.3.1:devel/talloc
-PLIST_SUB+= SAMBA4_BUNDLED_TALLOC="@comment "
-SUB_LIST+= SAMBA4_BUNDLED_TALLOC="@comment "
-.endif
-# tevent
-.if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes
-SAMBA4_BUNDLED_LIBS+= tevent
-CONFLICTS_INSTALL+= tevent-* tevent1-*
-PLIST_SUB+= SAMBA4_BUNDLED_TEVENT=""
-SUB_LIST+= SAMBA4_BUNDLED_TEVENT=""
-.else
-SAMBA4_BUNDLED_LIBS+= !tevent
-BUILD_DEPENDS+= tevent>=0.10.2:devel/tevent
-RUN_DEPENDS+= tevent>=0.10.2:devel/tevent
-PLIST_SUB+= SAMBA4_BUNDLED_TEVENT="@comment "
-SUB_LIST+= SAMBA4_BUNDLED_TEVENT="@comment "
-.endif
-# tdb
-.if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes
-SAMBA4_BUNDLED_LIBS+= tdb
-CONFLICTS_INSTALL+= tdb-* tdb1-*
-PLIST_SUB+= SAMBA4_BUNDLED_TDB=""
-SUB_LIST+= SAMBA4_BUNDLED_TDB=""
-.else
-SAMBA4_BUNDLED_LIBS+= !tdb
-BUILD_DEPENDS+= tdb>=1.4.3:databases/tdb
-RUN_DEPENDS+= tdb>=1.4.3:databases/tdb
-PLIST_SUB+= SAMBA4_BUNDLED_TDB="@comment "
-SUB_LIST+= SAMBA4_BUNDLED_TDB="@comment "
-.endif
-# ldb
-.if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes
-SAMBA4_BUNDLED_LDB= yes
-SAMBA4_BUNDLED_LIBS+= ldb
-PLIST_SUB+= SAMBA4_BUNDLED_LDB=""
-SUB_LIST+= SAMBA4_BUNDLED_LDB=""
-SAMBA4_MODULEDIR= ${SAMBA4_LIBDIR}/modules
-.else
-SAMBA4_BUNDLED_LIBS+= !ldb
-BUILD_DEPENDS+= ldb22>=2.2.0:databases/ldb22
-RUN_DEPENDS+= ldb22>=2.2.0:databases/ldb22
-PLIST_SUB+= SAMBA4_BUNDLED_LDB="@comment "
-SUB_LIST+= SAMBA4_BUNDLED_LDB="@comment "
-SAMBA4_MODULEDIR= ${PREFIX}/lib/shared-modules
-.endif
-
-.if (defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes) \
- || (defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes) \
- || (defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes) \
- || (defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes)
-SAMBA4_BUNDLED_LIBS+= replace
-.endif
-# Don't use external libcom_err
-SAMBA4_BUNDLED_LIBS+= com_err
-# Set the test environment variables
-TEST_USES= python
-TEST_ENV+= PYTHON="${PYTHON_CMD}" \
- SHA1SUM=/sbin/sha1 \
- SHA256SUM=/sbin/sha256 \
- MD5SUM=/sbin/md5 \
- PYTHONDONTWRITEBYTECODE=1
-
-TEST_DEPENDS+= bash:shells/bash \
- tshark:net/wireshark@nox11
-# External Python modules
-TEST_BUILD_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR}
-TEST_RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}iso8601>=0.1.11:devel/py-iso8601@${PY_FLAVOR}
-##############################################################################
-CONFIGURE_ARGS+= \
- --with-pam \
- --with-iconv \
- --with-winbind \
- --with-regedit \
- --disable-rpath \
- --without-lttng \
- --without-gettext \
- --enable-pthreadpool \
- --without-fake-kaserver \
- --without-systemd \
- --with-libarchive \
- --with-acl-support \
- --with-sendfile-support \
- --disable-ctdb-tests
-# ${ICONV_CONFIGURE_BASE}
-##############################################################################
-FRUIT_PREVENTS= ZEROCONF_NONE
-FRUIT_PREVENTS_MSG= MacOSX support requires Zeroconf(AVAHI or MDNSRESPONDER)
-FRUIT_VARS= SAMBA4_MODULES+=vfs_fruit
-FRUIT_PLIST_FILES= share/man/man8/vfs_fruit.8.gz
-
-GLUSTERFS_CONFIGURE_ENABLE= glusterfs
-GLUSTERFS_LIB_DEPENDS= libglusterfs.so:net/glusterfs
-GLUSTERFS_VARS= SAMBA4_MODULES+=vfs_glusterfs
-GLUSTERFS_PLIST_FILES= share/man/man8/vfs_glusterfs.8.gz
-
-ZEROCONF_NONE_MAKE_ENV= ZEROCONF=none
-##############################################################################
-AVAHI_CONFIGURE_ENABLE= avahi
-AVAHI_LIB_DEPENDS= libavahi-client.so:net/avahi-app
-AVAHI_VARS= SAMBA4_SERVICES+=avahi_daemon
-
-MDNSRESPONDER_CONFIGURE_ENABLE= dnssd
-MDNSRESPONDER_LIB_DEPENDS= libdns_sd.so:net/mDNSResponder
-MDNSRESPONDER_VARS= SAMBA4_SERVICES+=mdnsd
-##############################################################################
-BIND916_RUN_DEPENDS= bind916>=9.16.0.0:dns/bind916
-BIND918_RUN_DEPENDS= bind918>=9.18.0.0:dns/bind918
-NSUPDATE_RUN_DEPENDS= samba-nsupdate:dns/samba-nsupdate
-##############################################################################
-MEMORY_DEBUG_IMPLIES= DEBUG
-MEMORY_DEBUG_CONFIGURE_ENV= ADDITIONAL_CFLAGS="-DENABLE_JEMALLOC `pkg-config --cflags jemalloc`" ADDITIONAL_LDFLAGS="`pkg-config --libs jemalloc`"
-MEMORY_DEBUG_LIB_DEPENDS= libjemalloc.so.2:devel/jemalloc
-# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194046
-GDB_CMD?= ${LOCALBASE}/bin/gdb
-# https://bugzilla.samba.org/show_bug.cgi?id=8969
-PICKY_DEVELOPER_IMPLIES= DEVELOPER
-PICKY_DEVELOPER_CONFIGURE_ON= --picky-developer
-
-DEVELOPER_IMPLIES= NTVFS
-DEVELOPER_CONFIGURE_ON= --enable-developer --enable-selftest --abi-check-disable
-DEVELOPER_CONFIGURE_ENV= WAF_CMD_FORMAT=string
-DEVELOPER_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS}
-DEVELOPER_BUILD_DEPENDS= ${GDB_CMD}:devel/gdb \
- ${SAMBA4_LMDB_DEPENDS}
-DEVELOPER_TEST_DEPENDS= ${GDB_CMD}:devel/gdb
-DEVELOPER_VARS_OFF= GDB_CMD=true
-# XXX: Mostly used in conjuction with the DEVELOPER option, don't enable it
-# if you don't know what you are doing
-NTVFS_IMPLIES= AD_DC
-NTVFS_CONFIGURE_WITH= ntvfs-fileserver
-NTVFS_VARS= SAMBA4_MODULES+=service_smb
-NTVFS_PLIST_FILES= lib/samba4/private/libntvfs-samba4.so
-##############################################################################
-AD_DC_IMPLIES= PYTHON3
-AD_DC_CONFIGURE_OFF= --without-ad-dc
-AD_DC_BUILD_DEPENDS= ${SAMBA4_LMDB_DEPENDS}
-AD_DC_RUN_DEPENDS= ${SAMBA4_LMDB_DEPENDS}
-AD_DC_VARS= PLIST+=${PKGDIR}/pkg-plist.ad_dc
-
-ADS_IMPLIES= LDAP
-ADS_CONFIGURE_WITH= ads dnsupdate
-
-CLUSTER_CONFIGURE_WITH= cluster-support
-CLUSTER_VARS= PLIST+=${PKGDIR}/pkg-plist.cluster
-
-CUPS_CONFIGURE_ENABLE= cups iprint
-CUPS_LIB_DEPENDS= libcups.so:print/cups
-# https://bugzilla.samba.org/show_bug.cgi?id=9545
-FAM_USES= fam
-FAM_CONFIGURE_WITH= fam
-
-GPGME_CONFIGURE_WITH= gpgme
-GPGME_LIB_DEPENDS= libgpgme.so:security/gpgme
-
-GSSAPI_MIT_CONFIGURE_ON= --with-system-mitkrb5 ${GSSAPIBASEDIR} \
- --with-system-mitkdc=${GSSAPIBASEDIR}/sbin/krb5kdc \
- --with-experimental-mit-ad-dc
-GSSAPI_MIT_USES= gssapi:mit
-
-GSSAPI_HEIMDAL_CONFIGURE_ON= --with-system-heimdalkrb5 ${GSSAPIBASEDIR}
-GSSAPI_HEIMDAL_USES= gssapi:heimdal
-GSSAPI_HEIMDAL_PREVENTS= AD_DC
-GSSAPI_HEIMDAL_PREVENTS_MSG= GSSAPI_HEIMDAL and AD_DC enable conflicting options
-
-LDAP_CONFIGURE_WITH= ldap
-LDAP_CONFIGURE_ON= --with-openldap=${LOCALBASE}
-LDAP_USES= ldap
-LDAP_VARS= SAMBA4_MODULES+=idmap_ldap
-
-LIBZFS_CONFIGURE_WITH= libzfs
-LIBZFS_VARS= SAMBA4_MODULES+=vfs_zfs_space
-
-MANDOC_BUILD_DEPENDS= ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl \
- xsltproc:textproc/libxslt
-MANDOC_CONFIGURE_ENV_OFF= XSLTPROC="true"
-
-PROFILE_CONFIGURE_WITH= profiling-data
-
-QUOTAS_CONFIGURE_WITH= quotas
-
-SPOTLIGHT_CONFIGURE_ENABLE= spotlight
-SPOTLIGHT_BUILD_DEPENDS= tracker>=1.4.1:sysutils/tracker
-SPOTLIGHT_RUN_DEPENDS= tracker>=1.4.1:sysutils/tracker
-# ICU
-SPOTLIGHT_LIB_DEPENDS= libicuuc.so:devel/icu
-SPOTLIGHT_USES= bison gnome
-SPOTLIGHT_USE= gnome=glib20
-
-SYSLOG_CONFIGURE_WITH= syslog
-
-UTMP_CONFIGURE_WITH= utmp
-
-##############################################################################
-.include <bsd.port.options.mk>
-##############################################################################
-
-.if !defined(WANT_EXP_MODULES) || empty(WANT_EXP_MODULES)
-WANT_EXP_MODULES= vfs_cacheprime
-.endif
-
-.if ${WANT_EXP_MODULES:Mvfs_snapper}
-# snapper needs dbus
-LIB_DEPENDS+= libdbus-1.so:devel/dbus
-LIB_DEPENDS+= libdbus-glib-1.so:devel/dbus-glib
-.endif
-
-SAMBA4_MODULES+= krb5_winbind_krb5_locator idmap_nss idmap_autorid \
- idmap_rid idmap_hash idmap_tdb idmap_tdb2 idmap_script \
- nss-info_hash
-# List of extra modules taken from RHEL build
-# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197320
-.if ${PORT_OPTIONS:MADS}
-SAMBA4_MODULES+= idmap_ad idmap_rfc2307 nss-info_template \
- nss-info_rfc2307 nss-info_sfu nss-info_sfu20
-.endif
-# This kind of special for this distribution
-SAMBA4_MODULES+= vfs_freebsd
-
-SAMBA4_MODULES+= vfs_acl_tdb vfs_acl_xattr vfs_aio_fork vfs_aio_pthread \
- vfs_audit vfs_cap vfs_catia vfs_commit vfs_crossrename \
- vfs_default_quota vfs_dirsort vfs_expand_msdfs \
- vfs_extd_audit vfs_fake_perms vfs_full_audit \
- vfs_linux_xfs_sgid vfs_media_harmony vfs_offline \
- vfs_preopen vfs_readahead vfs_readonly vfs_recycle \
- vfs_shadow_copy vfs_shadow_copy2 vfs_shell_snap \
- vfs_streams_depot vfs_streams_xattr vfs_syncops \
- vfs_time_audit vfs_unityed_media vfs_virusfilter \
- vfs_widelinks vfs_worm vfs_xattr_tdb vfs_zfsacl
-
-.if ${PORT_OPTIONS:MDEVELOPER}
-SAMBA4_MODULES+= auth_skel pdb_test gpext_security gpext_registry \
- gpext_scripts perfcount_test vfs_fake_dfq \
- vfs_skel_opaque vfs_skel_transparent \
- vfs_shadow_copy_test vfs_fake_acls \
- vfs_nfs4acl_xattr vfs_error_inject vfs_delay_inject
-.endif
-# Python bindings
-.if ! ${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON)
-USES+= python:build,test
-CONFIGURE_ARGS+= --disable-python
-.else
-USES+= python
-PLIST+= ${PKGDIR}/pkg-plist.python
-# Don't cache Python modules
-CONFIGURE_ARGS+= --nopycache
-MAKE_ENV+= PYTHONDONTWRITEBYTECODE=1
-
-. if defined(SAMBA4_BUNDLED_TALLOC) && ${SAMBA4_BUNDLED_TALLOC} == yes
-SAMBA4_BUNDLED_LIBS+= pytalloc-util
-. else
-SAMBA4_BUNDLED_LIBS+= !pytalloc-util
-. endif
-
-. if defined(SAMBA4_BUNDLED_TEVENT) && ${SAMBA4_BUNDLED_TEVENT} == yes
-SAMBA4_BUNDLED_LIBS+= pytevent
-. else
-SAMBA4_BUNDLED_LIBS+= !pytevent
-. endif
-
-. if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes
-SAMBA4_BUNDLED_LIBS+= pytdb
-. else
-SAMBA4_BUNDLED_LIBS+= !pytdb
-. endif
-
-. if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes
-SAMBA4_BUNDLED_LIBS+= pyldb pyldb-util
-. else
-SAMBA4_BUNDLED_LIBS+= !pyldb !pyldb-util
-. endif
-# samba-tool requires those for *upgrade
-. if ${PORT_OPTIONS:MAD_DC}
-RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}dnspython>=1.15.0:dns/py-dnspython@${PY_FLAVOR}
-RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}markdown>=2.6.11:textproc/py-markdown@${PY_FLAVOR}
-. if ${PORT_OPTIONS:MGPGME}
-RUN_DEPENDS+= ${PYTHON_PKGNAMEPREFIX}gpgme>=1.14.0:security/py-gpgme@${PY_FLAVOR}
-. endif
-. endif
-.endif
-
-.if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES)
-SAMBA4_MODULES+= ${WANT_EXP_MODULES}
-.endif
-
-.if defined(SAMBA4_BUNDLED_LIBS) && !empty(SAMBA4_BUNDLED_LIBS)
-CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C|(\\\\ )+|,|g:S|\\||g}"
-.endif
-
-.if defined(SAMBA4_MODULES) && !empty(SAMBA4_MODULES)
-CONFIGURE_ARGS+= --with-shared-modules="${SAMBA4_MODULES:C|-|_|:Q:C|(\\\\ )+|,|g:S|\\||g}"
-.endif
-# XXX: Hack for nss-info_* -> nss_info/* modules
-# Add selected modules to the plist
-.for module in ${SAMBA4_MODULES}
-PLIST_FILES+= ${SAMBA4_MODULEDIR}/${module:C|_|/|:C|-|_|}.so
-.endfor
-
-.for module_class in ${SAMBA4_MODULES_CLASS}
-PLIST_DIRS+= ${SAMBA4_MODULEDIR}/${module_class}
-.endfor
-PLIST_DIRS+= ${SAMBA4_MODULEDIR}
-
-.if defined(WITH_DEBUG)
-CONFIGURE_ARGS+= --verbose --enable-debug
-MAKE_ARGS+= --verbose
-DEBUG_FLAGS?= -g -ggdb3 -O0
-.endif
-
-##############################################################################
-.include <bsd.port.pre.mk>
-##############################################################################
-# Implemented in the gcrypt on AMD64
-.if ${ARCH} == "amd64"
-CONFIGURE_ARGS+= --accel-aes=intelaesni
-.else
-CONFIGURE_ARGS+= --accel-aes=none
-.endif
-
-# Only for 64-bit architectures
-.if ${ARCH} != armv6 && ${ARCH} != armv7 && ${ARCH} != i386 && ${ARCH} != mips && ${ARCH} != powerpc && ${ARCH} != powerpcspe
-. if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes && (${PORT_OPTIONS:MAD_DC} || ${PORT_OPTIONS:MDEVELOPER})
-# LMDB
-SAMBA4_LMDB_DEPENDS= lmdb>=0.9.16:databases/lmdb
-PLIST_FILES+= ${SAMBA4_LIBDIR}/private/libldb-mdb-int-samba4.so \
- ${SAMBA4_MODULEDIR}/ldb/mdb.so
-. endif
-.endif
-
-.if ${PORT_OPTIONS:MGSSAPI_MIT}
-PLIST_FILES+= ${SAMBA4_MODULEDIR}/krb5/winbind_krb5_localauth.so \
- share/man/man8/winbind_krb5_localauth.8.gz
-. if ${PORT_OPTIONS:MAD_DC}
-PLIST_FILES+= ${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so
-. endif
-.endif
-# for libexecinfo: (so that __builtin_frame_address() finds the top of the stack)
-CFLAGS_amd64+= -fno-omit-frame-pointer
-# No fancy color error messages
-CONFIGURE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s'
-MAKE_ENV+= NOCOLOR=yes WAF_LOG_FORMAT='%(c1)s%(zone)s%(c2)s %(message)s'
-.if ${CHOSEN_COMPILER_TYPE} == clang
-CFLAGS+= -fno-color-diagnostics
-.endif
-# Allow rpcgen to find proper CPP
-MAKE_ENV+= RPCGEN_CPP="${CPP}"
-#.if ${readline_ARGS} == port
-#CFLAGS+= -D_FUNCTION_DEF
-#.endif
-# Some symbols in samba's linker version scripts are not defined, but since the
-# scripts are generated dynamically, suppress errors with lld >= 17 due to these
-# undefined symbols.
-LDFLAGS+= -Wl,--undefined-version
-
-SAMBA4_SUB= SAMBA4_LOGDIR="${SAMBA4_LOGDIR}" \
- SAMBA4_RUNDIR="${SAMBA4_RUNDIR}" \
- SAMBA4_LOCKDIR="${SAMBA4_LOCKDIR}" \
- SAMBA4_LIBDIR="${SAMBA4_LIBDIR}" \
- SAMBA4_MODULEDIR="${SAMBA4_MODULEDIR}" \
- SAMBA4_BINDDNSDIR="${SAMBA4_BINDDNSDIR}" \
- SAMBA4_PRIVATEDIR="${SAMBA4_PRIVATEDIR}" \
- SAMBA4_CONFDIR="${SAMBA4_CONFDIR}" \
- SAMBA4_CONFIG="${SAMBA4_CONFIG}" \
- SAMBA4_SERVICES="${SAMBA4_SERVICES}"
-
-PLIST_SUB+= ${SAMBA4_SUB}
-SUB_LIST+= ${SAMBA4_SUB}
-
-USE_RC_SUBR= samba_server
-SUB_FILES= pkg-message README.FreeBSD
-
-PORTDOCS= README.FreeBSD
-
-post-extract:
- @${RM} -r ${WRKSRC}/pidl/lib/Parse/Yapp
-
-post-patch:
- @${REINPLACE_CMD} -e 's|$${PKGCONFIGDIR}|${PKGCONFIGDIR}|g' \
- ${PATCH_WRKSRC}/buildtools/wafsamba/pkgconfig.py
- @${REINPLACE_CMD} -e 's|%%LOCALBASE%%|${LOCALBASE}|g' \
- ${PATCH_WRKSRC}/buildtools/wafsamba/wafsamba.py
- @${REINPLACE_CMD} -e 's|%%GDB_CMD%%|${GDB_CMD}|g' \
- ${PATCH_WRKSRC}/buildtools/scripts/abi_gen.sh
- @${REINPLACE_CMD} -e 's|%%SAMBA4_CONFIG%%|${SAMBA4_CONFIG}|g' \
- ${PATCH_WRKSRC}/dynconfig/wscript
-
-# Use threading (or multiprocessing) but not thread (renamed in python 3+).
-pre-configure:
-.if !${PORT_OPTIONS:MAD_DC} && ${PORT_OPTIONS:MNTVFS}
- @${ECHO_CMD}; \
- ${ECHO_MSG} "===> NTVFS option requires AD_DC to be set"; \
- ${ECHO_CMD}; \
- ${FALSE}
-.endif
-.if (!${PORT_OPTIONS:MPYTHON3} || defined(NO_PYTHON)) && ${PORT_OPTIONS:MAD_DC}
- @${ECHO_CMD}; \
- ${ECHO_MSG} "===> AD_DC option requires PYTHON3 to be set"; \
- ${ECHO_CMD}; \
- ${FALSE}
-.endif
- @if ! ${PYTHON_CMD} -c "import multiprocessing;" 2>/dev/null; then \
- ${ECHO_CMD}; \
- ${ECHO_MSG} "===> ${PKGNAME} "${IGNORE_NONTHREAD_PYTHON:Q}.; \
- ${ECHO_CMD}; \
- ${FALSE}; \
- fi
-
-pre-build-MANDOC-off:
- ${MKDIR} ${BUILD_WRKSRC}/bin/default/docs-xml/
- ${CP} -rp ${BUILD_WRKSRC}/docs/manpages ${BUILD_WRKSRC}/bin/default/docs-xml/
-.for man in libcli/nbt/man/nmblookup4.1 \
- librpc/tools/ndrdump.1 \
- source4/lib/registry/man/regdiff.1 \
- source4/lib/registry/man/regpatch.1 \
- source4/lib/registry/man/regshell.1 \
- source4/lib/registry/man/regtree.1 \
- source4/scripting/man/samba-gpupdate.8 \
- source4/torture/man/gentest.1 \
- source4/torture/man/locktest.1 \
- source4/torture/man/masktest.1 \
- source4/torture/man/smbtorture.1 \
- source4/utils/man/ntlm_auth4.1 \
- source4/utils/oLschema2ldif/oLschema2ldif.1 \
- lib/tdb/man/tdbdump.8 \
- lib/tdb/man/tdbbackup.8 \
- lib/tdb/man/tdbtool.8 \
- lib/talloc/man/talloc.3 \
- lib/tdb/man/tdbrestore.8 \
- lib/ldb/man/ldbadd.1 \
- lib/ldb/man/ldbsearch.1 \
- lib/ldb/man/ldbmodify.1 \
- lib/ldb/man/ldbrename.1 \
- lib/ldb/man/ldbdel.1 \
- lib/ldb/man/ldbedit.1 \
- docs-xml/manpages/vfs_freebsd.8
- ${MKDIR} `dirname ${BUILD_WRKSRC}/bin/default/${man}`
- ${INSTALL_MAN} ${FILESDIR}/man/`basename ${man}` ${BUILD_WRKSRC}/bin/default/${man}
-.endfor
-.if ${PORT_OPTIONS:MCLUSTER}
- ${MKDIR} ${BUILD_WRKSRC}/bin/default/ctdb/
-. for man in ctdb_diagnostics.1 ctdb.1 ctdbd_wrapper.1 ctdbd.1 ltdbtool.1 onnode.1 ping_pong.1 \
- ctdb.conf.5 ctdb.sysconfig.5 ctdb-script.options.5 \
- ctdb.7 ctdb-statistics.7 ctdb-tunables.7
- ${INSTALL_MAN} ${FILESDIR}/man/${man} ${BUILD_WRKSRC}/bin/default/ctdb/
-. endfor
-.endif
-
-post-install-rm-junk:
- ${RM} -r ${STAGEDIR}${PYTHON_SITELIBDIR}/samba/third_party
- ${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name __pycache__ \
- -type d -print0 | ${XARGS} -0 -n 1 -t ${RM} -r
-
-post-install-fix-manpages:
-.for f in vfs_aio_linux.8 vfs_btrfs.8 vfs_ceph.8 vfs_gpfs.8
- ${RM} ${STAGEDIR}${PREFIX}/share/man/man8/${f}
-.endfor
-.if defined(SAMBA4_BUNDLED_LDB) && ${SAMBA4_BUNDLED_LDB} == yes
-. for f in ldbadd.1 ldbdel.1 ldbedit.1 ldbmodify.1 ldbrename.1 ldbsearch.1
- ${MV} ${STAGEDIR}${PREFIX}/share/man/man1/${f} ${STAGEDIR}${PREFIX}/share/man/man1/samba-${f}
-. endfor
-.endif
-.if defined(SAMBA4_BUNDLED_TDB) && ${SAMBA4_BUNDLED_TDB} == yes
-. for f in tdbbackup.8 tdbdump.8 tdbrestore.8 tdbtool.8
- ${MV} ${STAGEDIR}${PREFIX}/share/man/man8/${f} ${STAGEDIR}${PREFIX}/share/man/man8/samba-${f}
-. endfor
-.endif
-
-post-install: post-install-rm-junk post-install-fix-manpages
- ${LN} -sf smb.conf.5.gz ${STAGEDIR}${PREFIX}/share/man/man5/smb4.conf.5.gz
-# Run post-install script
-.for dir in ${SAMBA4_LOGDIR} ${SAMBA4_RUNDIR} ${SAMBA4_LOCKDIR} ${SAMBA4_MODULEDIR}
- ${INSTALL} -d -m 0755 "${STAGEDIR}${dir}"
-.endfor
- ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_BINDDNSDIR}"
- ${INSTALL} -d -m 0750 "${STAGEDIR}${SAMBA4_PRIVATEDIR}"
-.for module_class in ${SAMBA4_MODULES_CLASS}
- ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/${module_class}"
-.endfor
-.if !defined(WITH_DEBUG)
- -${FIND} ${STAGEDIR}${PREFIX}/bin ${STAGEDIR}${PREFIX}/sbin ${STAGEDIR}${PREFIX}/libexec \
- -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD}
- -${FIND} ${STAGEDIR}${PREFIX}/lib -name '*.so*' \
- -type f -print0 | ${XARGS} -0 -n 1 -t ${STRIP_CMD}
-.endif
-
-post-install-FRUIT-off:
- ${RM} ${STAGEDIR}${SAMBA4_MODULEDIR}/vfs/fruit.so
- ${RM} ${STAGEDIR}${PREFIX}/share/man/man8/vfs_fruit.8
-
-post-install-DOCS-on:
- ${MKDIR} ${STAGEDIR}${DOCSDIR}
-.for doc in ${PORTDOCS}
- ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR}
-.endfor
-
-post-install-CLUSTER-on:
- ${LN} -nfs ../../../../share/ctdb/events/legacy/00.ctdb.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/00.ctdb.script
- ${LN} -nfs ../../../../share/ctdb/events/legacy/10.interface.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/10.interface.script
- ${LN} -nfs ../../../../share/ctdb/events/legacy/05.system.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/05.system.script
- ${LN} -nfs ../../../../share/ctdb/events/legacy/01.reclock.script ${STAGEDIR}${PREFIX}/etc/ctdb/events/legacy/01.reclock.script
-
-.include <bsd.port.post.mk>
diff --git a/net/samba413/distinfo b/net/samba413/distinfo
deleted file mode 100644
index 47b849c2555a..000000000000
--- a/net/samba413/distinfo
+++ /dev/null
@@ -1,3 +0,0 @@
-TIMESTAMP = 1643677367
-SHA256 (samba-4.13.17.tar.gz) = 17bdb9ea60d30af22851c8e134d67b43a22fb1e20f159152a647c69dc2a58a68
-SIZE (samba-4.13.17.tar.gz) = 18952829
diff --git a/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch b/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch
deleted file mode 100644
index a03539adeede..000000000000
--- a/net/samba413/files/0001-CVE-2022-2127-s3-winbind-Move-big-NTLMv2-blob-checks.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From d2a03a12c607e00654b21a91d487c3408b394eaf Mon Sep 17 00:00:00 2001
-From: Samuel Cabrero <scabrero@samba.org>
-Date: Thu, 24 Feb 2022 17:48:27 +0100
-Subject: [PATCH 01/21] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks
- to parent process
-
-The winbindd_dual_pam_auth_crap() function will be converted to a local
-RPC call handler and it won't receive a winbindd_cli_state struct. Move
-the checks accessing this struct to the parent.
-
-Signed-off-by: Samuel Cabrero <scabrero@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)
----
- source3/winbindd/winbindd_pam.c | 12 ------------
- source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++
- 2 files changed, 12 insertions(+), 12 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
-index 59dd18e27b8..9e799b3a191 100644
---- a/source3/winbindd/winbindd_pam.c
-+++ b/source3/winbindd/winbindd_pam.c
-@@ -2698,18 +2698,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
- DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
- name_domain, name_user));
-
-- if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
-- || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
-- if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-- state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
-- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
-- state->request->data.auth_crap.lm_resp_len,
-- state->request->data.auth_crap.nt_resp_len));
-- result = NT_STATUS_INVALID_PARAMETER;
-- goto done;
-- }
-- }
--
- lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
- state->request->data.auth_crap.lm_resp_len);
-
-diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
-index 40cab81b5ea..310d50fdde2 100644
---- a/source3/winbindd/winbindd_pam_auth_crap.c
-+++ b/source3/winbindd/winbindd_pam_auth_crap.c
-@@ -138,6 +138,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
- fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
- }
-
-+ if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
-+ || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
-+ if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-+ request->extra_len != request->data.auth_crap.nt_resp_len) {
-+ DBG_ERR("Invalid password length %u/%u\n",
-+ request->data.auth_crap.lm_resp_len,
-+ request->data.auth_crap.nt_resp_len);
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ return tevent_req_post(req, ev);
-+ }
-+ }
-+
- subreq = wb_domain_request_send(state, global_event_context(), domain,
- request);
- if (tevent_req_nomem(subreq, req)) {
---
-2.41.0
-
diff --git a/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch b/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch
deleted file mode 100644
index a73d038290c0..000000000000
--- a/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch
+++ /dev/null
@@ -1,704 +0,0 @@
-From 05e3cc236406680a55e19b204202b63cdaf48ea1 Mon Sep 17 00:00:00 2001
-From: "Timur I. Bakeyev" <timur@FreeBSD.org>
-Date: Mon, 1 Aug 2022 04:15:43 +0200
-Subject: [PATCH 01/28] Compact and simplify modules build and config
- generation for Bind 9.x AD DLZ.
-
-Signed-off-by: Timur I. Bakeyev <timur@FreeBSD.org>
----
- python/samba/provision/sambadns.py | 68 ++++++++++++------------------
- source4/dns_server/dlz_minimal.h | 44 +++++++++----------
- source4/dns_server/wscript_build | 62 +++------------------------
- source4/setup/named.conf.dlz | 25 +----------
- source4/torture/dns/wscript_build | 2 +-
- 5 files changed, 55 insertions(+), 146 deletions(-)
-
-diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
-index 404b346a885..8e5a8ba5f25 100644
---- a/python/samba/provision/sambadns.py
-+++ b/python/samba/provision/sambadns.py
-@@ -21,6 +21,7 @@
- """DNS-related provisioning"""
-
- import os
-+import re
- import uuid
- import shutil
- import time
-@@ -957,48 +958,37 @@ def create_named_conf(paths, realm, dnsdomain, dns_bac
- stderr=subprocess.STDOUT,
- cwd='.').communicate()[0]
- bind_info = get_string(bind_info)
-- bind9_8 = '#'
-- bind9_9 = '#'
-- bind9_10 = '#'
-- bind9_11 = '#'
-- bind9_12 = '#'
-- bind9_14 = '#'
-- bind9_16 = '#'
-- if bind_info.upper().find('BIND 9.8') != -1:
-- bind9_8 = ''
-- elif bind_info.upper().find('BIND 9.9') != -1:
-- bind9_9 = ''
-- elif bind_info.upper().find('BIND 9.10') != -1:
-- bind9_10 = ''
-- elif bind_info.upper().find('BIND 9.11') != -1:
-- bind9_11 = ''
-- elif bind_info.upper().find('BIND 9.12') != -1:
-- bind9_12 = ''
-- elif bind_info.upper().find('BIND 9.14') != -1:
-- bind9_14 = ''
-- elif bind_info.upper().find('BIND 9.16') != -1:
-- bind9_16 = ''
-- elif bind_info.upper().find('BIND 9.7') != -1:
-- raise ProvisioningError("DLZ option incompatible with BIND 9.7.")
-- elif bind_info.upper().find('BIND_9.13') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-- elif bind_info.upper().find('BIND_9.15') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-- elif bind_info.upper().find('BIND_9.17') != -1:
-- raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-+ bind9_release = re.search('BIND (9)\.(\d+)\.', bind_info, re.I)
-+ if bind9_release:
-+ bind9_disabled = ''
-+ bind9_version = bind9_release.group(0) + "x"
-+ bind9_version_major = int(bind9_release.group(1))
-+ bind9_version_minor = int(bind9_release.group(2))
-+ if bind9_version_minor == 7:
-+ raise ProvisioningError("DLZ option incompatible with BIND 9.7.")
-+ elif bind9_version_minor == 8:
-+ bind9_dlz_version = "9"
-+ elif bind9_version_minor in [13, 15, 17]:
-+ raise ProvisioningError("Only stable/esv releases of BIND are supported.")
-+ else:
-+ bind9_dlz_version = "%d_%d" % (bind9_version_major, bind9_version_minor)
- else:
-+ bind9_disabled = '# '
-+ bind9_version = "BIND z.y.x"
-+ bind9_dlz_version = "z_y"
- logger.warning("BIND version unknown, please modify %s manually." % paths.namedconf)
-+
-+ bind9_dlz = (
-+ ' # For %s\n'
-+ ' %sdatabase "dlopen %s/bind9/dlz_bind%s.so";'
-+ ) % (
-+ bind9_version, bind9_disabled, samba.param.modules_dir(), bind9_dlz_version
-+ )
- setup_file(setup_path("named.conf.dlz"), paths.namedconf, {
- "NAMED_CONF": paths.namedconf,
- "MODULESDIR": samba.param.modules_dir(),
-- "BIND9_8": bind9_8,
-- "BIND9_9": bind9_9,
-- "BIND9_10": bind9_10,
-- "BIND9_11": bind9_11,
-- "BIND9_12": bind9_12,
-- "BIND9_14": bind9_14,
-- "BIND9_16": bind9_16
-- })
-+ "BIND9_DLZ": bind9_dlz
-+ })
-
-
- def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir,
-diff --git a/source4/dns_server/dlz_minimal.h b/source4/dns_server/dlz_minimal.h
-index b7e36e7f8e6..bbdb616deb2 100644
---- a/source4/dns_server/dlz_minimal.h
-+++ b/source4/dns_server/dlz_minimal.h
-@@ -26,32 +26,31 @@
- #include <stdint.h>
- #include <stdbool.h>
-
--#if defined (BIND_VERSION_9_8)
--# define DLZ_DLOPEN_VERSION 1
--#elif defined (BIND_VERSION_9_9)
--# define DLZ_DLOPEN_VERSION 2
--# define DNS_CLIENTINFO_VERSION 1
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_10)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 1
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_11)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_12)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--# define ISC_BOOLEAN_AS_BOOL 0
--#elif defined (BIND_VERSION_9_14)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
--#elif defined (BIND_VERSION_9_16)
--# define DLZ_DLOPEN_VERSION 3
--# define DNS_CLIENTINFO_VERSION 2
-+#if defined (BIND_VERSION)
-+# if BIND_VERSION == 908
-+# define DLZ_DLOPEN_VERSION 1
-+# elif BIND_VERSION == 909
-+# define DLZ_DLOPEN_VERSION 2
-+# define DNS_CLIENTINFO_VERSION 1
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION == 910
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 1
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION == 911 || BIND_VERSION == 912
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 2
-+# define ISC_BOOLEAN_AS_BOOL 0
-+# elif BIND_VERSION >= 914
-+# define DLZ_DLOPEN_VERSION 3
-+# define DNS_CLIENTINFO_VERSION 2
-+# define ISC_BOOLEAN_AS_BOOL 1
-+# else
-+# error Unsupported BIND version
-+# endif
- #else
- # error Unsupported BIND version
-+# error BIND_VERSION undefined
- #endif
-
- #ifndef ISC_BOOLEAN_AS_BOOL
-diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build
-index ab0a241b937..3743753504c 100644
---- a/source4/dns_server/wscript_build
-+++ b/source4/dns_server/wscript_build
-@@ -18,79 +18,21 @@ bld.SAMBA_MODULE('service_dns',
- )
-
- # a bind9 dlz module giving access to the Samba DNS SAM
--bld.SAMBA_LIBRARY('dlz_bind9',
-+for bind_version in (910, 911, 912, 914, 916, 918):
-+ string_version='%d_%d' % (bind_version // 100, bind_version % 100)
-+ bld.SAMBA_LIBRARY('dlz_bind%s' % (string_version),
- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=%d' % bind_version,
- private_library=True,
-- link_name='modules/bind9/dlz_bind9.so',
-- realname='dlz_bind9.so',
-+ link_name='modules/bind9/dlz_bind%s.so' % (string_version),
-+ realname='dlz_bind%s.so' % (string_version),
- install_path='${MODULESDIR}/bind9',
- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
- enabled=bld.AD_DC_BUILD_IS_ENABLED())
-
--bld.SAMBA_LIBRARY('dlz_bind9_9',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_9',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_9.so',
-- realname='dlz_bind9_9.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_10',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_10',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_10.so',
-- realname='dlz_bind9_10.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_11',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_11',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_11.so',
-- realname='dlz_bind9_11.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_12',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_12',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_12.so',
-- realname='dlz_bind9_12.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_14',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_14',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_14.so',
-- realname='dlz_bind9_14.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
--bld.SAMBA_LIBRARY('dlz_bind9_16',
-- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_16',
-- private_library=True,
-- link_name='modules/bind9/dlz_bind9_16.so',
-- realname='dlz_bind9_16.so',
-- install_path='${MODULESDIR}/bind9',
-- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
-- enabled=bld.AD_DC_BUILD_IS_ENABLED())
--
- bld.SAMBA_LIBRARY('dlz_bind9_for_torture',
- source='dlz_bind9.c',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=918',
- private_library=True,
- deps='samba-hostconfig samdb-common gensec popt dnsserver_common',
- enabled=bld.AD_DC_BUILD_IS_ENABLED())
-diff --git a/source4/setup/named.conf.dlz b/source4/setup/named.conf.dlz
-index cbe7d805f58..32672768af4 100644
---- a/source4/setup/named.conf.dlz
-+++ b/source4/setup/named.conf.dlz
-@@ -10,25 +10,6 @@
- # Uncomment only single database line, depending on your BIND version
- #
- dlz "AD DNS Zone" {
-- # For BIND 9.8.x
-- ${BIND9_8} database "dlopen ${MODULESDIR}/bind9/dlz_bind9.so";
--
-- # For BIND 9.9.x
-- ${BIND9_9} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_9.so";
--
-- # For BIND 9.10.x
-- ${BIND9_10} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_10.so";
--
-- # For BIND 9.11.x
-- ${BIND9_11} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_11.so";
--
-- # For BIND 9.12.x
-- ${BIND9_12} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_12.so";
--
-- # For BIND 9.14.x
-- ${BIND9_14} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_14.so";
--
-- # For BIND 9.16.x
-- ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so";
-+${BIND9_DLZ}
- };
-
-diff --git a/source4/torture/dns/wscript_build b/source4/torture/dns/wscript_build
-index 0b40e03e370..bf7415ff88a 100644
---- a/source4/torture/dns/wscript_build
-+++ b/source4/torture/dns/wscript_build
-@@ -5,7 +5,7 @@ if bld.AD_DC_BUILD_IS_ENABLED():
- source='dlz_bind9.c',
- subsystem='smbtorture',
- init_function='torture_bind_dns_init',
-- cflags='-DBIND_VERSION_9_8',
-+ cflags='-DBIND_VERSION=918',
- deps='torture talloc torturemain dlz_bind9_for_torture',
- internal_module=True
- )
---- a/source4/torture/dns/dlz_bind9.c
-+++ b/source4/torture/dns/dlz_bind9.c
-@@ -19,6 +19,7 @@
-
- #include "includes.h"
- #include "torture/smbtorture.h"
-+#include "system/network.h"
- #include "dns_server/dlz_minimal.h"
- #include <talloc.h>
- #include <ldb.h>
-@@ -88,7 +89,8 @@ static bool test_dlz_bind9_create(struct torture_conte
- static bool calls_zone_hook = false;
-
- static isc_result_t dlz_bind9_writeable_zone_hook(dns_view_t *view,
-- const char *zone_name)
-+ dns_dlzdb_t *dlzdb,
-+ const char *zone_name)
- {
- struct torture_context *tctx = talloc_get_type((void *)view, struct torture_context);
- struct ldb_context *samdb = NULL;
-@@ -128,7 +130,8 @@ static isc_result_t dlz_bind9_writeable_zone_hook(dns_
-
- static bool test_dlz_bind9_configure(struct torture_context *tctx)
- {
-- void *dbdata;
-+ void *dbdata = NULL;
-+ dns_dlzdb_t *dlzdb = NULL;
- const char *argv[] = {
- "samba_dlz",
- "-H",
-@@ -143,7 +146,9 @@ static bool test_dlz_bind9_configure(struct torture_co
- "Failed to create samba_dlz");
-
- calls_zone_hook = false;
-- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
-+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx,
-+ dlzdb,
-+ dbdata),
- ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
-
-@@ -167,6 +172,7 @@ static bool configure_multiple_dlzs(struct torture_con
- void **dbdata, int count)
- {
- int i, res;
-+ dns_dlzdb_t *dlzdb = NULL;
- const char *argv[] = {
- "samba_dlz",
- "-H",
-@@ -183,7 +189,7 @@ static bool configure_multiple_dlzs(struct torture_con
- torture_assert_int_equal(tctx, res, ISC_R_SUCCESS,
- "Failed to create samba_dlz");
-
-- res = dlz_configure((void*)tctx, dbdata[i]);
-+ res = dlz_configure((void*)tctx, dlzdb, dbdata[i]);
- torture_assert_int_equal(tctx, res, ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
- }
-@@ -195,9 +201,14 @@ static bool test_dlz_bind9_destroy_oldest_first(struct
- {
- void *dbdata[NUM_DLZS_TO_CONFIGURE];
- int i;
-+ bool ret = configure_multiple_dlzs(tctx,
-+ dbdata,
-+ NUM_DLZS_TO_CONFIGURE);
-+ if (ret == false) {
-+ /* failure: has already been printed */
-+ return false;
-+ }
-
-- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE);
--
- /* Reload faults are reported to happen on the first destroy */
- dlz_destroy(dbdata[0]);
-
-@@ -212,9 +223,14 @@ static bool test_dlz_bind9_destroy_newest_first(struct
- {
- void *dbdata[NUM_DLZS_TO_CONFIGURE];
- int i;
-+ bool ret = configure_multiple_dlzs(tctx,
-+ dbdata,
-+ NUM_DLZS_TO_CONFIGURE);
-+ if (ret == false) {
-+ /* failure: has already been printed */
-+ return false;
-+ }
-
-- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE);
--
- for(i = NUM_DLZS_TO_CONFIGURE - 1; i >= 0; i--) {
- dlz_destroy(dbdata[i]);
- }
-@@ -229,6 +245,7 @@ static bool test_dlz_bind9_destroy_newest_first(struct
- static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech)
- {
- NTSTATUS status;
-+ dns_dlzdb_t *dlzdb = NULL;
-
- struct gensec_security *gensec_client_context;
-
-@@ -248,7 +265,8 @@ static bool test_dlz_bind9_gensec(struct torture_conte
- ISC_R_SUCCESS,
- "Failed to create samba_dlz");
-
-- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
-+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx,
-+ dlzdb, dbdata),
- ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
-
-@@ -273,6 +291,7 @@ static bool test_dlz_bind9_gensec(struct torture_conte
- popt_get_cmdline_credentials());
- torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed");
-
-+
- status = gensec_start_mech_by_sasl_name(gensec_client_context, mech);
- torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed");
-
-@@ -414,7 +433,10 @@ static isc_result_t dlz_bind9_putnamedrr_hook(dns_sdlz
- static bool test_dlz_bind9_lookup(struct torture_context *tctx)
- {
- size_t i;
-- void *dbdata;
-+ void *dbdata = NULL;
-+ dns_clientinfomethods_t *methods = NULL;
-+ dns_clientinfo_t *clientinfo = NULL;
-+ dns_dlzdb_t *dlzdb = NULL;
- const char *argv[] = {
- "samba_dlz",
- "-H",
-@@ -434,8 +456,9 @@ static bool test_dlz_bind9_lookup(struct torture_conte
- ISC_R_SUCCESS,
- "Failed to create samba_dlz");
-
-- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
-- ISC_R_SUCCESS,
-+ torture_assert_int_equal(tctx,
-+ dlz_configure((void*)tctx, dlzdb, dbdata),
-+ ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
-
- expected1 = talloc_zero(tctx, struct test_expected_rr);
-@@ -478,7 +501,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte
-
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Failed to lookup @");
- for (i = 0; i < expected1->num_records; i++) {
-@@ -514,7 +538,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte
-
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected2->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected2),
-+ (dns_sdlzlookup_t *)expected2,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Failed to lookup hostname");
- for (i = 0; i < expected2->num_records; i++) {
-@@ -539,7 +564,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte
- static bool test_dlz_bind9_zonedump(struct torture_context *tctx)
- {
- size_t i;
-- void *dbdata;
-+ void *dbdata = NULL;
-+ dns_dlzdb_t *dlzdb = NULL;
- const char *argv[] = {
- "samba_dlz",
- "-H",
-@@ -558,7 +584,7 @@ static bool test_dlz_bind9_zonedump(struct torture_con
- ISC_R_SUCCESS,
- "Failed to create samba_dlz");
-
-- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
-+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata),
- ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
-
-@@ -650,7 +676,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- NTSTATUS status;
- struct gensec_security *gensec_client_context;
- DATA_BLOB client_to_server, server_to_client;
-- void *dbdata;
-+ void *dbdata = NULL;
-+ dns_dlzdb_t *dlzdb = NULL;
- void *version = NULL;
- const char *argv[] = {
- "samba_dlz",
-@@ -664,6 +691,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- char *data1 = NULL;
- char *data2 = NULL;
- bool ret = false;
-+ dns_clientinfomethods_t *methods = NULL;
-+ dns_clientinfo_t *clientinfo = NULL;
-
- tctx_static = tctx;
- torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
-@@ -675,7 +704,7 @@ static bool test_dlz_bind9_update01(struct torture_con
- ISC_R_SUCCESS,
- "Failed to create samba_dlz");
-
-- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata),
-+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata),
- ISC_R_SUCCESS,
- "Failed to configure samba_dlz");
-
-@@ -813,7 +842,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_NOTFOUND,
- "Found hostname");
- torture_assert_int_equal(tctx, expected1->num_rr, 0,
-@@ -863,7 +893,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -892,7 +923,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -926,7 +958,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -960,7 +993,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[1].printed,
-@@ -989,7 +1023,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_NOTFOUND,
- "Found hostname");
- torture_assert_int_equal(tctx, expected1->num_rr, 0,
-@@ -1013,7 +1048,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -1042,7 +1078,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -1076,7 +1113,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -1110,7 +1148,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_SUCCESS,
- "Not found hostname");
- torture_assert(tctx, expected1->records[0].printed,
-@@ -1146,7 +1185,8 @@ static bool test_dlz_bind9_update01(struct torture_con
- expected1->records[1].printed = false;
- torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx),
- expected1->query_name, dbdata,
-- (dns_sdlzlookup_t *)expected1),
-+ (dns_sdlzlookup_t *)expected1,
-+ methods, clientinfo),
- ISC_R_NOTFOUND,
- "Found hostname");
- torture_assert_int_equal(tctx, expected1->num_rr, 0,
-@@ -1161,6 +1201,76 @@ cancel_version:
- return ret;
- }
-
-+/*
-+ * Test zone transfer requests restrictions
-+ *
-+ * 1: test that zone transfer is denied by default
-+ * 2: with an authorized list of IPs set in smb.conf, test that zone transfer
-+ * is accepted only for selected IPs.
-+ */
-+static bool test_dlz_bind9_allowzonexfr(struct torture_context *tctx)
-+{
-+ void *dbdata;
-+ const char *argv[] = {
-+ "samba_dlz",
-+ "-H",
-+ test_dlz_bind9_binddns_dir(tctx, "dns/sam.ldb"),
-+ NULL
-+ };
-+ isc_result_t ret;
-+ dns_dlzdb_t *dlzdb = NULL;
-+ bool ok;
-+
-+ tctx_static = tctx;
-+ torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata,
-+ "log", dlz_bind9_log_wrapper,
-+ "writeable_zone", dlz_bind9_writeable_zone_hook,
-+ "putrr", dlz_bind9_putrr_hook,
-+ "putnamedrr", dlz_bind9_putnamedrr_hook,
-+ NULL),
-+ ISC_R_SUCCESS,
-+ "Failed to create samba_dlz");
-+
-+ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata),
-+ ISC_R_SUCCESS,
-+ "Failed to configure samba_dlz");
-+
-+ /* Ask for zone transfer with no specific config => expect denied */
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1");
-+ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
-+ "Zone transfer accepted with default settings");
-+
-+ /* Ask for zone transfer with authorizations set */
-+ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients allow=127.0.0.1,1234:5678::1,192.168.0.");
-+ torture_assert(tctx, ok, "Failed to set dns zone transfer clients allow option.");
-+
-+ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients deny=192.168.0.2");
-+ torture_assert(tctx, ok, "Failed to set dns zone transfer clients deny option.");
-+
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1");
-+ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
-+ "Zone transfer refused for authorized IPv4 address");
-+
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "1234:5678::1");
-+ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
-+ "Zone transfer refused for authorized IPv6 address.");
-+
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "10.0.0.1");
-+ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
-+ "Zone transfer accepted for unauthorized IP");
-+
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.1");
-+ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS,
-+ "Zone transfer refused for address in authorized IPv4 subnet.");
-+
-+ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.2");
-+ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM,
-+ "Zone transfer allowed for denied client.");
-+
-+ dlz_destroy(dbdata);
-+ return true;
-+}
-+
- static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx)
- {
- struct torture_suite *suite = torture_suite_create(ctx, "dlz_bind9");
-@@ -1182,6 +1292,7 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CT
- torture_suite_add_simple_test(suite, "lookup", test_dlz_bind9_lookup);
- torture_suite_add_simple_test(suite, "zonedump", test_dlz_bind9_zonedump);
- torture_suite_add_simple_test(suite, "update01", test_dlz_bind9_update01);
-+ torture_suite_add_simple_test(suite, "allowzonexfr", test_dlz_bind9_allowzonexfr);
- return suite;
- }
-
---
-2.37.1
-
diff --git a/net/samba413/files/0001-Zfs-provision-1.patch b/net/samba413/files/0001-Zfs-provision-1.patch
deleted file mode 100644
index 3bc27a7e0839..000000000000
--- a/net/samba413/files/0001-Zfs-provision-1.patch
+++ /dev/null
@@ -1,369 +0,0 @@
-From 2664c997587416a2c8c911a75158485a5c98b70b Mon Sep 17 00:00:00 2001
-From: John Hixon <john@ixsystems.com>
-Date: Sat, 20 May 2017 04:39:37 +0200
-Subject: [PATCH] Zfs provision (#1)
-
-Cherry-pick ZFS provisioning code by iXsystems Inc.
-
-* Check if sysvol is on filesystem with NFSv4 ACL's
-(cherry picked from commit ca86f52b78a7b6e7537454a69cf93e7b96210cba)
-
-* Only check targetdir if it is defined (I had assumed it was)
-(cherry picked from commit a29050cb2978ce23e3c04a859340dc2664c77a8a)
-
-* Kick samba a little bit into understanding NFSv4 ACL's
-(cherry picked from commit 1c7542ff4904b729e311e17464ee76582760c219)
-
-Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
----
- python/samba/provision/__init__.py | 25 ++++--
- source3/lib/sysacls.c | 10 +++
- source3/param/loadparm.c | 7 ++
- source3/smbd/pysmbd.c | 156 ++++++++++++++++++++++++++++++++++++-
- 4 files changed, 191 insertions(+), 7 deletions(-)
-
-diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
-index 5de986463a5..cd3b91f41b9 100644
---- a/python/samba/provision/__init__.py
-+++ b/python/samba/provision/__init__.py
-@@ -1695,19 +1695,25 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, do
- s3conf = s3param.get_context()
- s3conf.load(lp.configfile)
-
-- file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol))
-+ sysvol_dir = os.path.abspath(sysvol)
-+
-+ set_simple_acl = smbd.set_simple_acl
-+ if smbd.has_nfsv4_acls(sysvol_dir):
-+ set_simple_acl = smbd.set_simple_nfsv4_acl
-+
-+ file = tempfile.NamedTemporaryFile(dir=sysvol_dir)
- try:
- try:
-- smbd.set_simple_acl(file.name, 0o755, system_session_unix(), gid)
-+ set_simple_acl(file.name, 0o755, system_session_unix(), gid)
- except OSError:
-- if not smbd.have_posix_acls():
-+ if not smbd.have_posix_acls() and not smbd.have_nfsv4_acls():
- # This clue is only strictly correct for RPM and
- # Debian-like Linux systems, but hopefully other users
- # will get enough clue from it.
-- raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. "
-+ raise ProvisioningError("Samba was compiled without the ACL support that s3fs requires. "
- "Try installing libacl1-dev or libacl-devel, then re-run configure and make.")
-
-- raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. "
-+ raise ProvisioningError("Your filesystem or build does not support ACLs, which s3fs requires. "
- "Try the mounting the filesystem with the 'acl' option.")
- try:
- smbd.chown(file.name, uid, gid, system_session_unix())
-@@ -1984,6 +1990,9 @@ def provision_fill(samdb, secrets_ldb, logger, names,
- samdb.transaction_commit()
-
- if serverrole == "active directory domain controller":
-+ if targetdir and smbd.have_nfsv4_acls() and smbd.has_nfsv4_acls(targetdir):
-+ smbd.set_nfsv4_defaults()
-+
- # Continue setting up sysvol for GPO. This appears to require being
- # outside a transaction.
- if not skip_sysvolacl:
-@@ -2340,6 +2349,9 @@ def provision(logger, session_info, smbconf=None,
-
- if not os.path.isdir(paths.netlogon):
- os.makedirs(paths.netlogon, 0o755)
-+
-+ if smbd.have_nfsv4_acls() and smbd.has_nfsv4_acls(paths.sysvol):
-+ smbd.set_nfsv4_defaults()
-
- if adminpass is None:
- adminpass = samba.generate_random_password(12, 32)
-diff --git a/source3/lib/sysacls.c b/source3/lib/sysacls.c
-index 0bf3c37edfa..786cd39b5bc 100644
---- a/source3/lib/sysacls.c
-+++ b/source3/lib/sysacls.c
-@@ -38,6 +38,16 @@
- #include "modules/vfs_hpuxacl.h"
- #endif
-
-+/*
-+ * NFSv4 ACL's should be understood and a first class citizen. Work
-+ * needs to be done in librpc/idl/smb_acl.idl for this to occur.
-+ */
-+#if defined(HAVE_LIBSUNACL) && defined(FREEBSD)
-+#if 0
-+#include "modules/nfs4_acls.h"
-+#endif
-+#endif
-+
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_ACLS
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index a2fcc4246c9..4b676897fc1 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -2801,9 +2801,29 @@ static void init_locals(void)
- } else {
- if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) {
- lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb");
-+ /*
-+ * By default, the samba sysvol is located in the statedir. Provisioning will fail in setntacl
-+ * unless we have zfacl enabled. Unfortunately, at this point the smb.conf has not been generated.
-+ * This workaround is freebsd-specific.
-+ */
-+#if defined(_PC_ACL_EXTENDED)
-+ } else if (pathconf(lp_state_directory(), _PC_ACL_EXTENDED) == 1) {
-+ lp_do_parameter(-1, "vfs objects", "dfs_samba4 freebsd");
-+#endif
-+#if defined(_PC_ACL_NFS4)
-+ } else if (pathconf(lp_state_directory(), _PC_ACL_NFS4) == 1) {
-+ lp_do_parameter(-1, "vfs objects", "dfs_samba4 zfsacl");
-+#endif
- } else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) {
- lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb");
- } else {
-+ /*
-+ * This should only set dfs_samba4 and leave acl_xattr
-+ * to be set later (or zfsacl). The only reason the decision
-+ * can't be made here to load acl_xattr or zfsacl is
-+ * that we don't have access to what the target
-+ * directory is.
-+ */
- lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr");
- }
- }
-diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
-index 63fc5d68c33..f5a536ee186 100644
---- a/source3/smbd/pysmbd.c
-+++ b/source3/smbd/pysmbd.c
-@@ -419,6 +419,20 @@ static SMB_ACL_T make_simple_acl(TALLOC_CTX *mem_ctx,
- return acl;
- }
-
-+static SMB_ACL_T make_simple_nfsv4_acl(TALLOC_CTX *mem_ctx,
-+ gid_t gid,
-+ mode_t chmod_mode)
-+{
-+ /*
-+ * This function needs to create an NFSv4 ACL. Currently, the only way
-+ * to do so is to use the operating system interface, or to use the
-+ * functions in source3/modules/nfs4_acls.c. These seems ugly and
-+ * hacky. NFSv4 ACL's should be a first class citizen and
-+ * librpc/idl/smb_acl.idl should be modified accordingly.
-+ */
-+ return NULL;
-+}
-+
- /*
- set a simple ACL on a file, as a test
- */
-@@ -491,7 +505,85 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self
- Py_RETURN_NONE;
- }
-
-+
- /*
-+ set a simple NFSv4 ACL on a file, as a test
-+ */
-+static PyObject *py_smbd_set_simple_nfsv4_acl(PyObject *self, PyObject *args, PyObject *kwargs)
-+{
-+ const char * const kwnames[] = {
-+ "fname",
-+ "mode",
-+ "session_info",
-+ "gid",
-+ "service",
-+ NULL
-+ };
-+ char *fname, *service = NULL;
-+ PyObject *py_session = Py_None;
-+ struct auth_session_info *session_info = NULL;
-+ int ret;
-+ int mode, gid = -1;
-+ SMB_ACL_T acl;
-+ TALLOC_CTX *frame;
-+ connection_struct *conn;
-+
-+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "siO|iz",
-+ discard_const_p(char *, kwnames),
-+ &fname,
-+ &mode,
-+ &py_session,
-+ &gid,
-+ &service))
-+ return NULL;
-+
-+ if (!py_check_dcerpc_type(py_session,
-+ "samba.dcerpc.auth",
-+ "session_info")) {
-+ return NULL;
-+ }
-+ session_info = pytalloc_get_type(py_session,
-+ struct auth_session_info);
-+ if (session_info == NULL) {
-+ PyErr_Format(PyExc_TypeError,
-+ "Expected auth_session_info for session_info argument got %s",
-+ pytalloc_get_name(py_session));
-+ return NULL;
-+ }
-+
-+ frame = talloc_stackframe();
-+
-+ acl = make_simple_nfsv4_acl(frame, gid, mode);
-+ if (acl == NULL) {
-+ TALLOC_FREE(frame);
-+ Py_RETURN_NONE;
-+ }
-+
-+ conn = get_conn_tos(service, session_info);
-+ if (!conn) {
-+ TALLOC_FREE(frame);
-+ Py_RETURN_NONE;
-+ }
-+
-+ /*
-+ * SMB_ACL_TYPE_ACCESS -> ACL_TYPE_ACCESS -> Not valid for NFSv4 ACL
-+ */
-+ ret = 0;
-+
-+ /* ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn); */
-+
-+ if (ret != 0) {
-+ TALLOC_FREE(frame);
-+ errno = ret;
-+ return PyErr_SetFromErrno(PyExc_OSError);
-+ }
-+
-+ TALLOC_FREE(frame);
-+
-+ Py_RETURN_NONE;
-+}
-+
-+/*
- chown a file
- */
- static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs)
-@@ -665,7 +757,7 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObje
- }
-
- /*
-- check if we have ACL support
-+ check if we have POSIX.1e ACL support
- */
- static PyObject *py_smbd_have_posix_acls(PyObject *self,
- PyObject *Py_UNUSED(ignored))
-@@ -677,7 +769,84 @@ static PyObject *py_smbd_have_posix_acls(PyObject *sel
- #endif
- }
-
-+static PyObject *py_smbd_has_posix_acls(PyObject *self, PyObject *args, PyObject *kwargs)
-+{
-+ const char * const kwnames[] = { "path", NULL };
-+ char *path = NULL;
-+ TALLOC_CTX *frame;
-+ struct statfs fs;
-+ int ret = false;
-+
-+ frame = talloc_stackframe();
-+
-+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
-+ discard_const_p(char *, kwnames), &path)) {
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-+
-+ if (statfs(path, &fs) != 0) {
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-+
-+ if (fs.f_flags & MNT_ACLS)
-+ ret = true;
-+
-+ TALLOC_FREE(frame);
-+ return PyBool_FromLong(ret);
-+}
-+
- /*
-+ check if we have NFSv4 ACL support
-+ */
-+static PyObject *py_smbd_have_nfsv4_acls(PyObject *self)
-+{
-+#ifdef HAVE_LIBSUNACL
-+ return PyBool_FromLong(true);
-+#else
-+ return PyBool_FromLong(false);
-+#endif
-+}
-+
-+static PyObject *py_smbd_has_nfsv4_acls(PyObject *self, PyObject *args, PyObject *kwargs)
-+{
-+ const char * const kwnames[] = { "path", NULL };
-+ char *path = NULL;
-+ TALLOC_CTX *frame;
-+ struct statfs fs;
-+ int ret = false;
-+
-+ frame = talloc_stackframe();
-+
-+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "s|z",
-+ discard_const_p(char *, kwnames), &path)) {
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-+
-+ if (statfs(path, &fs) != 0) {
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-+
-+ if (fs.f_flags & MNT_NFS4ACLS)
-+ ret = true;
-+
-+ TALLOC_FREE(frame);
-+ return PyBool_FromLong(ret);
-+}
-+
-+
-+static PyObject *py_smbd_set_nfsv4_defaults(PyObject *self)
-+{
-+ /*
-+ * It is really be done in source3/param/loadparm.c
-+ */
-+ Py_RETURN_NONE;
-+}
-+
-+/*
- set the NT ACL on a file
- */
- static PyObject *py_smbd_set_nt_acl(PyObject *self, PyObject *args, PyObject *kwargs)
-@@ -1124,8 +1296,26 @@ static PyMethodDef py_smbd_methods[] = {
- { "have_posix_acls",
- (PyCFunction)py_smbd_have_posix_acls, METH_NOARGS,
- NULL },
-+ { "has_posix_acls",
-+ PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_has_posix_acls),
-+ METH_VARARGS|METH_KEYWORDS,
-+ NULL },
-+ { "have_nfsv4_acls",
-+ (PyCFunction)py_smbd_have_nfsv4_acls, METH_NOARGS,
-+ NULL },
-+ { "has_nfsv4_acls",
-+ PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_has_nfsv4_acls),
-+ METH_VARARGS|METH_KEYWORDS,
-+ NULL },
-+ { "set_nfsv4_defaults",
-+ (PyCFunction)py_smbd_set_nfsv4_defaults, METH_NOARGS,
-+ NULL },
- { "set_simple_acl",
- PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_simple_acl),
-+ METH_VARARGS|METH_KEYWORDS,
-+ NULL },
-+ { "set_simple_nfsv4_acl",
-+ PY_DISCARD_FUNC_SIG(PyCFunction, py_smbd_set_simple_nfsv4_acl),
- METH_VARARGS|METH_KEYWORDS,
- NULL },
- { "set_nt_acl",
---
-2.14.2
-
diff --git a/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch b/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch
deleted file mode 100644
index 06b7472df4db..000000000000
--- a/net/samba413/files/0002-CVE-2022-2127-winbindd-Fix-WINBINDD_PAM_AUTH_CRAP-le.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 5c6a46d21cc247ed38e70925b2d849d4e807ca0a Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Fri, 20 May 2022 10:55:23 +0200
-Subject: [PATCH 02/21] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
- length checks
-
-With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
-can crash winbind. We don't independently check lm_resp_len
-sufficiently.
-
-Discovered via Coverity ID 1504444 Out-of-bounds access
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
----
- source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++--------
- 1 file changed, 21 insertions(+), 10 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
-index 310d50fdde2..19e295f50b3 100644
---- a/source3/winbindd/winbindd_pam_auth_crap.c
-+++ b/source3/winbindd/winbindd_pam_auth_crap.c
-@@ -40,6 +40,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
- struct winbindd_pam_auth_crap_state *state;
- struct winbindd_domain *domain;
- const char *auth_domain = NULL;
-+ bool lmlength_ok = false;
-+ bool ntlength_ok = false;
-+ bool pwlength_ok = false;
-
- req = tevent_req_create(mem_ctx, &state,
- struct winbindd_pam_auth_crap_state);
-@@ -138,16 +141,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
- fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
- }
-
-- if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
-- || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
-- if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-- request->extra_len != request->data.auth_crap.nt_resp_len) {
-- DBG_ERR("Invalid password length %u/%u\n",
-- request->data.auth_crap.lm_resp_len,
-- request->data.auth_crap.nt_resp_len);
-- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-- return tevent_req_post(req, ev);
-- }
-+ lmlength_ok = (request->data.auth_crap.lm_resp_len <=
-+ sizeof(request->data.auth_crap.lm_resp));
-+
-+ ntlength_ok = (request->data.auth_crap.nt_resp_len <=
-+ sizeof(request->data.auth_crap.nt_resp));
-+
-+ ntlength_ok |=
-+ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
-+ (request->extra_len == request->data.auth_crap.nt_resp_len));
-+
-+ pwlength_ok = lmlength_ok && ntlength_ok;
-+
-+ if (!pwlength_ok) {
-+ DBG_ERR("Invalid password length %u/%u\n",
-+ request->data.auth_crap.lm_resp_len,
-+ request->data.auth_crap.nt_resp_len);
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ return tevent_req_post(req, ev);
- }
-
- subreq = wb_domain_request_send(state, global_event_context(), domain,
---
-2.41.0
-
diff --git a/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch b/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch
deleted file mode 100644
index a1f873366172..000000000000
--- a/net/samba413/files/0003-CVE-2022-2127-ntlm_auth-cap-lanman-response-length-v.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From de6bd24d80ec4af9d618911cc42d10e109d1d121 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 16 Jun 2023 12:28:47 +0200
-Subject: [PATCH 03/21] CVE-2022-2127: ntlm_auth: cap lanman response length
- value
-
-We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
-lm_resp buffer, but we don't cap the length indicator.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/utils/ntlm_auth.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
-index 5541c58350b..def8cdef6fa 100644
---- a/source3/utils/ntlm_auth.c
-+++ b/source3/utils/ntlm_auth.c
-@@ -573,10 +573,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
- memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
-
- if (lm_response && lm_response->length) {
-+ size_t capped_lm_response_len = MIN(
-+ lm_response->length,
-+ sizeof(request.data.auth_crap.lm_resp));
-+
- memcpy(request.data.auth_crap.lm_resp,
- lm_response->data,
-- MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
-- request.data.auth_crap.lm_resp_len = lm_response->length;
-+ capped_lm_response_len);
-+ request.data.auth_crap.lm_resp_len = capped_lm_response_len;
- }
-
- if (nt_response && nt_response->length) {
---
-2.41.0
-
diff --git a/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch b/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch
deleted file mode 100644
index 9b96a50e84cc..000000000000
--- a/net/samba413/files/0004-CVE-2023-34966-CI-test-for-sl_unpack_loop.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From b8a534a3d9b98cc70b2535f3fca31983e3617275 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 31 May 2023 15:34:26 +0200
-Subject: [PATCH 04/21] CVE-2023-34966: CI: test for sl_unpack_loop()
-
-Send a maliciously crafted packet where a nil type has a subcount of 0. This
-triggers an endless loop in mdssvc sl_unpack_loop().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++
- 1 file changed, 100 insertions(+)
-
-diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
-index 507a4a1d2e4..f5f59395241 100644
---- a/source4/torture/rpc/mdssvc.c
-+++ b/source4/torture/rpc/mdssvc.c
-@@ -570,6 +570,102 @@ done:
- return ok;
- }
-
-+static uint8_t test_sl_unpack_loop_buf[] = {
-+ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d,
-+ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00,
-+ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00,
-+ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74,
-+ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a,
-+ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72,
-+ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74,
-+ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea,
-+ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00,
-+ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00,
-+ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00,
-+ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50,
-+ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00,
-+ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00,
-+ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b,
-+ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00,
-+ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
-+ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00,
-+ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00,
-+ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00,
-+ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00,
-+ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0x00, 0x00, 0x00, 0x00
-+};
-+
-+static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
-+ void *data)
-+{
-+ struct torture_mdsscv_state *state = talloc_get_type_abort(
-+ data, struct torture_mdsscv_state);
-+ struct dcerpc_binding_handle *b = state->p->binding_handle;
-+ struct mdssvc_blob request_blob;
-+ struct mdssvc_blob response_blob;
-+ uint32_t device_id;
-+ uint32_t unkn2;
-+ uint32_t unkn9;
-+ uint32_t fragment;
-+ uint32_t flags;
-+ NTSTATUS status;
-+ bool ok = true;
-+
-+ device_id = UINT32_C(0x2f000045);
-+ unkn2 = 23;
-+ unkn9 = 0;
-+ fragment = 0;
-+ flags = UINT32_C(0x6b000001);
-+
-+ request_blob.spotlight_blob = test_sl_unpack_loop_buf;
-+ request_blob.size = sizeof(test_sl_unpack_loop_buf);
-+ request_blob.length = sizeof(test_sl_unpack_loop_buf);
-+
-+ response_blob.spotlight_blob = talloc_array(state,
-+ uint8_t,
-+ 0);
-+ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-+ ok, done, "dalloc_zero failed\n");
-+ response_blob.size = 0;
-+
-+ status = dcerpc_mdssvc_cmd(b,
-+ state,
-+ &state->ph,
-+ 0,
-+ device_id,
-+ unkn2,
-+ 0,
-+ flags,
-+ request_blob,
-+ 0,
-+ 64 * 1024,
-+ 1,
-+ 64 * 1024,
-+ 0,
-+ 0,
-+ &fragment,
-+ &response_blob,
-+ &unkn9);
-+ torture_assert_ntstatus_ok_goto(
-+ tctx, status, ok, done,
-+ "dcerpc_mdssvc_unknown1 failed\n");
-+
-+done:
-+ return ok;
-+}
-+
- static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
- void *data)
- {
-@@ -841,5 +937,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
- "fetch_unknown_cnid",
- test_mdssvc_fetch_attr_unknown_cnid);
-
-+ torture_tcase_add_simple_test(tcase,
-+ "mdssvc_sl_unpack_loop",
-+ test_mdssvc_sl_unpack_loop);
-+
- return suite;
- }
---
-2.41.0
-
diff --git a/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch b/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch
deleted file mode 100644
index 771731aa49fc..000000000000
--- a/net/samba413/files/0005-CVE-2023-34966-mdssvc-harden-sl_unpack_loop.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 3bdbf83c365a5bcd339aaa5e894797fe0e610c69 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 26 May 2023 13:06:19 +0200
-Subject: [PATCH 05/21] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
-
-A malicious client could send a packet where subcount is zero, leading to a busy
-loop because
-
- count -= subcount
-=> count -= 0
-=> while (count > 0)
-
-loops forever.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
-index 1aa750413cd..441d41160f1 100644
---- a/source3/rpc_server/mdssvc/marshalling.c
-+++ b/source3/rpc_server/mdssvc/marshalling.c
-@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
- sl_nil_t nil = 0;
-
- subcount = tag.count;
-- if (subcount > count) {
-+ if (subcount < 1 || subcount > count) {
- return -1;
- }
- for (i = 0; i < subcount; i++) {
-@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
-
- case SQ_TYPE_INT64:
- subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
-- if (subcount == -1 || subcount > count) {
-+ if (subcount < 1 || subcount > count) {
- return -1;
- }
- offset += tag.size;
-@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
-
- case SQ_TYPE_UUID:
- subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
-- if (subcount == -1 || subcount > count) {
-+ if (subcount < 1 || subcount > count) {
- return -1;
- }
- offset += tag.size;
-@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
-
- case SQ_TYPE_FLOAT:
- subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
-- if (subcount == -1 || subcount > count) {
-+ if (subcount < 1 || subcount > count) {
- return -1;
- }
- offset += tag.size;
-@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
-
- case SQ_TYPE_DATE:
- subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
-- if (subcount == -1 || subcount > count) {
-+ if (subcount < 1 || subcount > count) {
- return -1;
- }
- offset += tag.size;
---
-2.41.0
-
diff --git a/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
deleted file mode 100644
index 5d488a71cbec..000000000000
--- a/net/samba413/files/0006-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From b1a0a1574ae0db083e917c13777abb4b113d6383 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 31 May 2023 16:26:14 +0200
-Subject: [PATCH 06/21] CVE-2023-34967: CI: add a test for type checking of
- dalloc_value_for_key()
-
-Sends a maliciously crafted packet where the value in a key/value style
-dictionary for the "scope" key is a simple string object whereas the server
-expects an array. As the server doesn't perform type validation on the value, it
-crashes when trying to use the "simple" object as a "complex" one.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++
- 1 file changed, 134 insertions(+)
-
-diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
-index f5f59395241..20b903f93fa 100644
---- a/source4/torture/rpc/mdssvc.c
-+++ b/source4/torture/rpc/mdssvc.c
-@@ -666,6 +666,136 @@ done:
- return ok;
- }
-
-+static bool test_sl_dict_type_safety(struct torture_context *tctx,
-+ void *data)
-+{
-+ struct torture_mdsscv_state *state = talloc_get_type_abort(
-+ data, struct torture_mdsscv_state);
-+ struct dcerpc_binding_handle *b = state->p->binding_handle;
-+ struct mdssvc_blob request_blob;
-+ struct mdssvc_blob response_blob;
-+ uint64_t ctx1 = 0xdeadbeef;
-+ uint64_t ctx2 = 0xcafebabe;
-+ uint32_t device_id;
-+ uint32_t unkn2;
-+ uint32_t unkn9;
-+ uint32_t fragment;
-+ uint32_t flags;
-+ DALLOC_CTX *d = NULL;
-+ sl_array_t *array1 = NULL, *array2 = NULL;
-+ sl_dict_t *arg = NULL;
-+ int result;
-+ NTSTATUS status;
-+ bool ok = true;
-+
-+ device_id = UINT32_C(0x2f000045);
-+ unkn2 = 23;
-+ unkn9 = 0;
-+ fragment = 0;
-+ flags = UINT32_C(0x6b000001);
-+
-+ d = dalloc_new(tctx);
-+ torture_assert_not_null_goto(tctx, d,
-+ ok, done, "dalloc_new failed\n");
-+
-+ array1 = dalloc_zero(d, sl_array_t);
-+ torture_assert_not_null_goto(tctx, array1,
-+ ok, done, "dalloc_zero failed\n");
-+
-+ array2 = dalloc_zero(d, sl_array_t);
-+ torture_assert_not_null_goto(tctx, array2,
-+ ok, done, "dalloc_new failed\n");
-+
-+ result = dalloc_stradd(array2, "openQueryWithParams:forContext:");
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_add_copy(array2, &ctx1, uint64_t);
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_add_copy(array2, &ctx2, uint64_t);
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ arg = dalloc_zero(array1, sl_dict_t);
-+ torture_assert_not_null_goto(tctx, d,
-+ ok, done, "dalloc_zero failed\n");
-+
-+ result = dalloc_stradd(arg, "kMDQueryString");
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_stradd(arg, "*");
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_stradd(arg, "kMDScopeArray");
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_stradd(arg, "AAAABBBB");
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_stradd failed\n");
-+
-+ result = dalloc_add(array1, array2, sl_array_t);
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_add failed\n");
-+
-+ result = dalloc_add(array1, arg, sl_dict_t);
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_add failed\n");
-+
-+ result = dalloc_add(d, array1, sl_array_t);
-+ torture_assert_goto(tctx, result == 0,
-+ ok, done, "dalloc_add failed\n");
-+
-+ torture_comment(tctx, "%s", dalloc_dump(d, 0));
-+
-+ request_blob.spotlight_blob = talloc_array(tctx,
-+ uint8_t,
-+ 64 * 1024);
-+ torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
-+ ok, done, "dalloc_new failed\n");
-+ request_blob.size = 64 * 1024;
-+
-+ request_blob.length = sl_pack(d,
-+ (char *)request_blob.spotlight_blob,
-+ request_blob.size);
-+ torture_assert_goto(tctx, request_blob.length > 0,
-+ ok, done, "sl_pack failed\n");
-+
-+ response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
-+ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-+ ok, done, "dalloc_zero failed\n");
-+ response_blob.size = 0;
-+
-+ status = dcerpc_mdssvc_cmd(b,
-+ state,
-+ &state->ph,
-+ 0,
-+ device_id,
-+ unkn2,
-+ 0,
-+ flags,
-+ request_blob,
-+ 0,
-+ 64 * 1024,
-+ 1,
-+ 64 * 1024,
-+ 0,
-+ 0,
-+ &fragment,
-+ &response_blob,
-+ &unkn9);
-+ torture_assert_ntstatus_ok_goto(
-+ tctx, status, ok, done,
-+ "dcerpc_mdssvc_cmd failed\n");
-+
-+done:
-+ return ok;
-+}
-+
- static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx,
- void *data)
- {
-@@ -941,5 +1071,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx)
- "mdssvc_sl_unpack_loop",
- test_mdssvc_sl_unpack_loop);
-
-+ torture_tcase_add_simple_test(tcase,
-+ "sl_dict_type_safety",
-+ test_sl_dict_type_safety);
-+
- return suite;
- }
---
-2.41.0
-
diff --git a/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
deleted file mode 100644
index ec117f36d997..000000000000
--- a/net/samba413/files/0007-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 91350e1dddc2e5418a3aa0caf22e86b193e46610 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 26 May 2023 15:06:38 +0200
-Subject: [PATCH 07/21] CVE-2023-34967: mdssvc: add type checking to
- dalloc_value_for_key()
-
-Change the dalloc_value_for_key() function to require an additional final
-argument which denotes the expected type of the value associated with a key. If
-the types don't match, return NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
----
- source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
- source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
- 2 files changed, 23 insertions(+), 8 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
-index 2e13203c4c6..5169c822357 100644
---- a/source3/rpc_server/mdssvc/dalloc.c
-+++ b/source3/rpc_server/mdssvc/dalloc.c
-@@ -164,7 +164,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
- int result = 0;
- void *p = NULL;
- va_list args;
-- const char *type;
-+ const char *type = NULL;
- int elem;
- size_t array_len;
-
-@@ -175,7 +175,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
- array_len = talloc_array_length(d->dd_talloc_array);
- elem = va_arg(args, int);
- if (elem >= array_len) {
-- va_end(args);
- result = -1;
- goto done;
- }
-@@ -183,8 +182,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
- type = va_arg(args, const char *);
- }
-
-- va_end(args);
--
- array_len = talloc_array_length(d->dd_talloc_array);
-
- for (elem = 0; elem + 1 < array_len; elem += 2) {
-@@ -197,8 +194,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
- break;
- }
- }
-+ if (p == NULL) {
-+ goto done;
-+ }
-+
-+ type = va_arg(args, const char *);
-+ if (strcmp(talloc_get_name(p), type) != 0) {
-+ p = NULL;
-+ }
-
- done:
-+ va_end(args);
- if (result != 0) {
- p = NULL;
- }
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index 2b243d64e99..b04a80c37ba 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -888,7 +888,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
-
- querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
- "DALLOC_CTX", 1,
-- "kMDQueryString");
-+ "kMDQueryString",
-+ "char *");
- if (querystring == NULL) {
- DEBUG(1, ("missing kMDQueryString\n"));
- goto error;
-@@ -928,8 +929,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
- slq->ctx2 = *uint64p;
-
- path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
-- "DALLOC_CTX", 1, "kMDScopeArray");
-+ "DALLOC_CTX", 1,
-+ "kMDScopeArray",
-+ "sl_array_t");
- if (path_scope == NULL) {
-+ DBG_ERR("missing kMDScopeArray\n");
- goto error;
- }
-
-@@ -944,8 +948,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
- }
-
- reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
-- "DALLOC_CTX", 1, "kMDAttributeArray");
-+ "DALLOC_CTX", 1,
-+ "kMDAttributeArray",
-+ "sl_array_t");
- if (reqinfo == NULL) {
-+ DBG_ERR("missing kMDAttributeArray\n");
- goto error;
- }
-
-@@ -953,7 +960,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
- DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0)));
-
- cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
-- "DALLOC_CTX", 1, "kMDQueryItemArray");
-+ "DALLOC_CTX", 1,
-+ "kMDQueryItemArray",
-+ "sl_array_t");
- if (cnids) {
- ok = sort_cnids(slq, cnids->ca_cnids);
- if (!ok) {
---
-2.41.0
-
diff --git a/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch b/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
deleted file mode 100644
index 5df69c398ccf..000000000000
--- a/net/samba413/files/0008-CVE-2023-34967-CI-add-a-test-for-type-checking-of-da.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-From 8fe2c97c416d4a53bac971ac6bf20f125563f20f Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 31 May 2023 16:26:14 +0200
-Subject: [PATCH 08/21] CVE-2023-34967: CI: add a test for type checking of
- dalloc_value_for_key()
-
-Sends a maliciously crafted packet where the value in a key/value style
-dictionary for the "scope" key is a simple string object whereas the server
-expects an array. As the server doesn't perform type validation on the value, it
-crashes when trying to use the "simple" object as a "complex" one.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
-2.41.0
-
diff --git a/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch b/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
deleted file mode 100644
index 6a2dcf4db6c2..000000000000
--- a/net/samba413/files/0009-CVE-2023-34967-mdssvc-add-type-checking-to-dalloc_va.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-From 388ea72b933b23e043a271288cd58e2d18ab01c8 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Fri, 26 May 2023 15:06:38 +0200
-Subject: [PATCH 09/21] CVE-2023-34967: mdssvc: add type checking to
- dalloc_value_for_key()
-
-Change the dalloc_value_for_key() function to require an additional final
-argument which denotes the expected type of the value associated with a key. If
-the types don't match, return NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
-2.41.0
-
diff --git a/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch b/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch
deleted file mode 100644
index 3486dd12b101..000000000000
--- a/net/samba413/files/0010-CVE-2023-34968-lib-Move-subdir_of-to-source3-lib-uti.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 617bc2ee68d2213517c32f1c5cd44edc32817e41 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Sat, 15 Oct 2022 13:29:14 +0200
-Subject: [PATCH 10/21] CVE-2023-34968: lib: Move subdir_of() to
- source3/lib/util_path.c
-
-Make it available for other components
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
-Signed-off-by: Volker Lendecke <vl@samba.org>
-(backported from commit d905dbddf8d2655e6c91752b750cbe9c15837ee5)
-[slow@samba.org: subdir_of() didn't exist yet in 4.16 so this just adds it]
----
- source3/lib/util_path.c | 52 +++++++++++++++++++++++++++++++++++++++++
- source3/lib/util_path.h | 4 ++++
- 2 files changed, 56 insertions(+)
-
-diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c
-index c34b734384c..e6bed724551 100644
---- a/source3/lib/util_path.c
-+++ b/source3/lib/util_path.c
-@@ -23,6 +23,8 @@
-
- #include "replace.h"
- #include <talloc.h>
-+#include "lib/util/debug.h"
-+#include "lib/util/fault.h"
- #include "lib/util/samba_util.h"
- #include "lib/util_path.h"
-
-@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in)
- *p++ = '\0';
- return pathname;
- }
-+
-+/*
-+ * Take two absolute paths, figure out if "subdir" is a proper
-+ * subdirectory of "parent". Return the component relative to the
-+ * "parent" without the potential "/". Take care of "parent"
-+ * possibly ending in "/".
-+ */
-+bool subdir_of(const char *parent,
-+ size_t parent_len,
-+ const char *subdir,
-+ const char **_relative)
-+{
-+ const char *relative = NULL;
-+ bool matched;
-+
-+ SMB_ASSERT(parent[0] == '/');
-+ SMB_ASSERT(subdir[0] == '/');
-+
-+ if (parent_len == 1) {
-+ /*
-+ * Everything is below "/"
-+ */
-+ *_relative = subdir+1;
-+ return true;
-+ }
-+
-+ if (parent[parent_len-1] == '/') {
-+ parent_len -= 1;
-+ }
-+
-+ matched = (strncmp(subdir, parent, parent_len) == 0);
-+ if (!matched) {
-+ return false;
-+ }
-+
-+ relative = &subdir[parent_len];
-+
-+ if (relative[0] == '\0') {
-+ *_relative = relative; /* nothing left */
-+ return true;
-+ }
-+
-+ if (relative[0] == '/') {
-+ /* End of parent must match a '/' in subdir. */
-+ *_relative = relative+1;
-+ return true;
-+ }
-+
-+ return false;
-+}
-diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h
-index 3e7d04de550..0ea508bf5bb 100644
---- a/source3/lib/util_path.h
-+++ b/source3/lib/util_path.h
-@@ -31,5 +31,9 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name);
- char *state_path(TALLOC_CTX *mem_ctx, const char *name);
- char *cache_path(TALLOC_CTX *mem_ctx, const char *name);
- char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path);
-+bool subdir_of(const char *parent,
-+ size_t parent_len,
-+ const char *subdir,
-+ const char **_relative);
-
- #endif
---
-2.41.0
-
diff --git a/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch b/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch
deleted file mode 100644
index 6408fdcf2402..000000000000
--- a/net/samba413/files/0011-CVE-2023-34968-mdssvc-cache-and-reuse-stat-info-in-s.patch
+++ /dev/null
@@ -1,93 +0,0 @@
-From e7662921b82d331fa79fa503e3dd3c7ceed25026 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 6 Jun 2023 15:17:26 +0200
-Subject: [PATCH 11/21] CVE-2023-34968: mdssvc: cache and reuse stat info in
- struct sl_inode_path_map
-
-Prepare for the "path" being a fake path and not the real server-side
-path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
-got stat info for the object in mds_add_result() so we can just pass stat info
-from there.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/mdssvc/mdssvc.c | 26 +++++++-------------------
- source3/rpc_server/mdssvc/mdssvc.h | 1 +
- 2 files changed, 8 insertions(+), 19 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index b04a80c37ba..32380bf904a 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -445,7 +445,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry)
- * entries by calling talloc_free() on the query slq handles.
- **/
-
--static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
-+static bool inode_map_add(struct sl_query *slq,
-+ uint64_t ino,
-+ const char *path,
-+ struct stat_ex *st)
- {
- NTSTATUS status;
- struct sl_inode_path_map *entry;
-@@ -492,6 +495,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path)
-
- entry->ino = ino;
- entry->mds_ctx = slq->mds_ctx;
-+ entry->st = *st;
- entry->path = talloc_strdup(entry, path);
- if (entry->path == NULL) {
- DEBUG(1, ("talloc failed\n"));
-@@ -633,7 +637,7 @@ bool mds_add_result(struct sl_query *slq, const char *path)
- return false;
- }
-
-- ok = inode_map_add(slq, ino64, path);
-+ ok = inode_map_add(slq, ino64, path, &sb);
- if (!ok) {
- DEBUG(1, ("inode_map_add error\n"));
- slq->state = SLQ_STATE_ERROR;
-@@ -1350,23 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx,
- elem = talloc_get_type_abort(p, struct sl_inode_path_map);
- path = elem->path;
-
-- smb_fname = synthetic_smb_fname(talloc_tos(),
-- path,
-- NULL,
-- NULL,
-- 0,
-- 0);
-- if (smb_fname == NULL) {
-- DBG_ERR("synthetic_smb_fname() failed\n");
-- goto error;
-- }
--
-- result = SMB_VFS_STAT(mds_ctx->conn, smb_fname);
-- if (result != 0) {
-- goto error;
-- }
--
-- sp = &smb_fname->st;
-+ sp = &elem->st;
- }
-
- ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp);
-diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
-index 392482767dd..a09799130f5 100644
---- a/source3/rpc_server/mdssvc/mdssvc.h
-+++ b/source3/rpc_server/mdssvc/mdssvc.h
-@@ -105,6 +105,7 @@ struct sl_inode_path_map {
- struct mds_ctx *mds_ctx;
- uint64_t ino;
- char *path;
-+ struct stat_ex st;
- };
-
- /* Per process state */
---
-2.41.0
-
diff --git a/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch b/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch
deleted file mode 100644
index d2a97f6bab61..000000000000
--- a/net/samba413/files/0012-CVE-2023-34968-mdssvc-add-missing-kMDSStoreMetaScope.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 93c02d8987828dea902888229fc8a4693c1daba7 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Sat, 17 Jun 2023 13:39:55 +0200
-Subject: [PATCH 12/21] CVE-2023-34968: mdssvc: add missing
- "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
-
-We were adding the value, but not the key.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/mdssvc/mdssvc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index 32380bf904a..199a1d5a89a 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -746,6 +746,10 @@ static bool slrpc_fetch_properties(struct mds_ctx *mds_ctx,
- }
-
- /* kMDSStoreMetaScopes array */
-+ result = dalloc_stradd(dict, "kMDSStoreMetaScopes");
-+ if (result != 0) {
-+ return false;
-+ }
- array = dalloc_zero(dict, sl_array_t);
- if (array == NULL) {
- return NULL;
---
-2.41.0
-
diff --git a/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch b/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch
deleted file mode 100644
index fc820d0bdec4..000000000000
--- a/net/samba413/files/0013-CVE-2023-34968-mdscli-use-correct-TALLOC-memory-cont.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 78131d2a8e5c9cfd054bcaa5754df11875d5b331 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 19 Jun 2023 17:14:38 +0200
-Subject: [PATCH 13/21] CVE-2023-34968: mdscli: use correct TALLOC memory
- context when allocating spotlight_blob
-
-d is talloc_free()d at the end of the functions and the buffer was later used
-after beeing freed in the DCERPC layer when sending the packet.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_client/cli_mdssvc_util.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
-index fe5092c3790..892a844e71a 100644
---- a/source3/rpc_client/cli_mdssvc_util.c
-+++ b/source3/rpc_client/cli_mdssvc_util.c
-@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(d,
-+ blob->spotlight_blob = talloc_array(mem_ctx,
- uint8_t,
- ctx->max_fragment_size);
- if (blob->spotlight_blob == NULL) {
-@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(d,
-+ blob->spotlight_blob = talloc_array(mem_ctx,
- uint8_t,
- ctx->max_fragment_size);
- if (blob->spotlight_blob == NULL) {
-@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(d,
-+ blob->spotlight_blob = talloc_array(mem_ctx,
- uint8_t,
- ctx->max_fragment_size);
- if (blob->spotlight_blob == NULL) {
-@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(d,
-+ blob->spotlight_blob = talloc_array(mem_ctx,
- uint8_t,
- ctx->max_fragment_size);
- if (blob->spotlight_blob == NULL) {
---
-2.41.0
-
diff --git a/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch b/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch
deleted file mode 100644
index d3fca1c92d72..000000000000
--- a/net/samba413/files/0014-CVE-2023-34968-mdscli-remove-response-blob-allocatio.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 842c888b48b3244d30410b7f7df16e2356b0f5a2 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 19 Jun 2023 18:28:41 +0200
-Subject: [PATCH 14/21] CVE-2023-34968: mdscli: remove response blob allocation
-
-This is handled by the NDR code transparently.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_client/cli_mdssvc.c | 36 ---------------------------------
- 1 file changed, 36 deletions(-)
-
-diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
-index 82d14372fe4..07c19b51dd4 100644
---- a/source3/rpc_client/cli_mdssvc.c
-+++ b/source3/rpc_client/cli_mdssvc.c
-@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx,
- return tevent_req_post(req, ev);
- }
-
-- state->response_blob.spotlight_blob = talloc_array(
-- state,
-- uint8_t,
-- mdscli_ctx->max_fragment_size);
-- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-- return tevent_req_post(req, ev);
-- }
-- state->response_blob.size = mdscli_ctx->max_fragment_size;
--
- subreq = dcerpc_mdssvc_cmd_send(state,
- ev,
- mdscli_ctx->bh,
-@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send(
- return tevent_req_post(req, ev);
- }
-
-- state->response_blob.spotlight_blob = talloc_array(
-- state,
-- uint8_t,
-- mdscli_ctx->max_fragment_size);
-- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-- return tevent_req_post(req, ev);
-- }
-- state->response_blob.size = mdscli_ctx->max_fragment_size;
--
- subreq = dcerpc_mdssvc_cmd_send(state,
- ev,
- mdscli_ctx->bh,
-@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx,
- return tevent_req_post(req, ev);
- }
-
-- state->response_blob.spotlight_blob = talloc_array(
-- state,
-- uint8_t,
-- mdscli_ctx->max_fragment_size);
-- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-- return tevent_req_post(req, ev);
-- }
-- state->response_blob.size = mdscli_ctx->max_fragment_size;
--
- subreq = dcerpc_mdssvc_cmd_send(state,
- ev,
- mdscli_ctx->bh,
-@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx,
- return tevent_req_post(req, ev);
- }
-
-- state->response_blob.spotlight_blob = talloc_array(
-- state,
-- uint8_t,
-- mdscli_ctx->max_fragment_size);
-- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
-- return tevent_req_post(req, ev);
-- }
-- state->response_blob.size = mdscli_ctx->max_fragment_size;
--
- subreq = dcerpc_mdssvc_cmd_send(state,
- ev,
- mdscli_ctx->bh,
---
-2.41.0
-
diff --git a/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch b/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch
deleted file mode 100644
index d253d8436d5e..000000000000
--- a/net/samba413/files/0015-CVE-2023-34968-smbtorture-remove-response-blob-alloc.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From d4ba49e029be14287661d4c7a6899b50d3881f7b Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 11:28:47 +0200
-Subject: [PATCH 15/21] CVE-2023-34968: smbtorture: remove response blob
- allocation in mdssvc.c
-
-This is alreay done by NDR for us.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source4/torture/rpc/mdssvc.c | 26 --------------------------
- 1 file changed, 26 deletions(-)
-
-diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
-index 20b903f93fa..76a740c41db 100644
---- a/source4/torture/rpc/mdssvc.c
-+++ b/source4/torture/rpc/mdssvc.c
-@@ -537,13 +537,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx,
- request_blob.length = 0;
- request_blob.size = 0;
-
-- response_blob.spotlight_blob = talloc_array(state,
-- uint8_t,
-- 0);
-- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-- ok, done, "dalloc_zero failed\n");
-- response_blob.size = 0;
--
- status = dcerpc_mdssvc_cmd(b,
- state,
- &ph,
-@@ -633,13 +626,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx,
- request_blob.size = sizeof(test_sl_unpack_loop_buf);
- request_blob.length = sizeof(test_sl_unpack_loop_buf);
-
-- response_blob.spotlight_blob = talloc_array(state,
-- uint8_t,
-- 0);
-- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-- ok, done, "dalloc_zero failed\n");
-- response_blob.size = 0;
--
- status = dcerpc_mdssvc_cmd(b,
- state,
- &state->ph,
-@@ -765,11 +751,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
- torture_assert_goto(tctx, request_blob.length > 0,
- ok, done, "sl_pack failed\n");
-
-- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0);
-- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-- ok, done, "dalloc_zero failed\n");
-- response_blob.size = 0;
--
- status = dcerpc_mdssvc_cmd(b,
- state,
- &state->ph,
-@@ -927,13 +908,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
- ret, done, "dalloc_zero failed\n");
- request_blob.size = max_fragment_size;
-
-- response_blob.spotlight_blob = talloc_array(state,
-- uint8_t,
-- max_fragment_size);
-- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob,
-- ret, done, "dalloc_zero failed\n");
-- response_blob.size = max_fragment_size;
--
- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
-
---
-2.41.0
-
diff --git a/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch b/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch
deleted file mode 100644
index 1d33496d35b0..000000000000
--- a/net/samba413/files/0016-CVE-2023-34968-rpcclient-remove-response-blob-alloca.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 041ee143748bad9117112bcdd0200e1da9127034 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 11:35:41 +0200
-Subject: [PATCH 16/21] CVE-2023-34968: rpcclient: remove response blob
- allocation
-
-This is alreay done by NDR for us.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpcclient/cmd_spotlight.c | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
-index 661ada7efb8..a0a1d10c45f 100644
---- a/source3/rpcclient/cmd_spotlight.c
-+++ b/source3/rpcclient/cmd_spotlight.c
-@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
- }
- request_blob.size = max_fragment_size;
-
-- response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
-- if (response_blob.spotlight_blob == NULL) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
-- response_blob.size = max_fragment_size;
--
- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
- if (len == -1) {
- status = NT_STATUS_INTERNAL_ERROR;
-@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
- }
- request_blob.size = max_fragment_size;
-
-- response_blob.spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- max_fragment_size);
-- if (response_blob.spotlight_blob == NULL) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
-- response_blob.size = max_fragment_size;
--
- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
- if (len == -1) {
- status = NT_STATUS_INTERNAL_ERROR;
---
-2.41.0
-
diff --git a/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch b/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch
deleted file mode 100644
index 881a76c66c55..000000000000
--- a/net/samba413/files/0017-CVE-2023-34968-mdssvc-remove-response-blob-allocatio.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 88aff628e6ec80622e960796073775651f602134 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 11:42:10 +0200
-Subject: [PATCH 17/21] CVE-2023-34968: mdssvc: remove response blob allocation
-
-This is alreay done by NDR for us.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 9 ---------
- 1 file changed, 9 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-index 40e37cb3b85..f89a187bd3f 100644
---- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-@@ -208,7 +208,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r)
- void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
- {
- bool ok;
-- char *rbuf;
- struct mds_ctx *mds_ctx;
- NTSTATUS status;
-
-@@ -265,14 +264,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
- return;
- }
-
-- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1);
-- if (rbuf == NULL) {
-- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
-- return;
-- }
-- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf;
-- r->out.response_blob->size = r->in.max_fragment_size1;
--
- /* We currently don't use fragmentation at the mdssvc RPC layer */
- *r->out.fragment = 0;
-
---
-2.41.0
-
diff --git a/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch b/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch
deleted file mode 100644
index 7a5348749291..000000000000
--- a/net/samba413/files/0018-CVE-2023-34968-mdssvc-switch-to-doing-an-early-retur.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 60f6d69f42818c5c49c35390db9a88d79ff10d8b Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 11:05:22 +0200
-Subject: [PATCH 18/21] CVE-2023-34968: mdssvc: switch to doing an early return
-
-Just reduce indentation of the code handling the success case. No change in
-behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/mdssvc/mdssvc.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index 199a1d5a89a..82d46987e40 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -1797,19 +1797,21 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
- }
-
- ok = slcmd->function(mds_ctx, query, reply);
-- if (ok) {
-- DBG_DEBUG("%s", dalloc_dump(reply, 0));
--
-- len = sl_pack(reply,
-- (char *)response_blob->spotlight_blob,
-- response_blob->size);
-- if (len == -1) {
-- DBG_ERR("error packing Spotlight RPC reply\n");
-- ok = false;
-- goto cleanup;
-- }
-- response_blob->length = len;
-+ if (!ok) {
-+ goto cleanup;
-+ }
-+
-+ DBG_DEBUG("%s", dalloc_dump(reply, 0));
-+
-+ len = sl_pack(reply,
-+ (char *)response_blob->spotlight_blob,
-+ response_blob->size);
-+ if (len == -1) {
-+ DBG_ERR("error packing Spotlight RPC reply\n");
-+ ok = false;
-+ goto cleanup;
- }
-+ response_blob->length = len;
-
- cleanup:
- talloc_free(query);
---
-2.41.0
-
diff --git a/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch b/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch
deleted file mode 100644
index deeddcd15eb6..000000000000
--- a/net/samba413/files/0019-CVE-2023-34968-mdssvc-introduce-an-allocating-wrappe.patch
+++ /dev/null
@@ -1,456 +0,0 @@
-From 731763209a35e3c410ab8a1ff40fa88140f6519a Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 19 Jun 2023 18:16:57 +0200
-Subject: [PATCH 19/21] CVE-2023-34968: mdssvc: introduce an allocating wrapper
- to sl_pack()
-
-sl_pack_alloc() does the buffer allocation that previously all callers of
-sl_pack() did themselves.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_client/cli_mdssvc_util.c | 80 +++++------------------
- source3/rpc_server/mdssvc/marshalling.c | 35 ++++++++--
- source3/rpc_server/mdssvc/marshalling.h | 9 ++-
- source3/rpc_server/mdssvc/mdssvc.c | 18 ++---
- source3/rpc_server/mdssvc/mdssvc.h | 3 +-
- source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 5 +-
- source3/rpcclient/cmd_spotlight.c | 32 ++-------
- source4/torture/rpc/mdssvc.c | 24 ++-----
- 8 files changed, 79 insertions(+), 127 deletions(-)
-
-diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
-index 892a844e71a..a39202d0c99 100644
---- a/source3/rpc_client/cli_mdssvc_util.c
-+++ b/source3/rpc_client/cli_mdssvc_util.c
-@@ -42,7 +42,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
- sl_array_t *scope_array = NULL;
- double dval;
- uint64_t uint64val;
-- ssize_t len;
-+ NTSTATUS status;
- int ret;
-
- d = dalloc_new(mem_ctx);
-@@ -209,23 +209,11 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- ctx->max_fragment_size);
-- if (blob->spotlight_blob == NULL) {
-- TALLOC_FREE(d);
-- return NT_STATUS_NO_MEMORY;
-- }
-- blob->size = ctx->max_fragment_size;
--
-- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
-+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
- TALLOC_FREE(d);
-- if (len == -1) {
-- return NT_STATUS_NO_MEMORY;
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
--
-- blob->length = len;
-- blob->size = len;
- return NT_STATUS_OK;
- }
-
-@@ -238,7 +226,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
- uint64_t *uint64p = NULL;
- sl_array_t *array = NULL;
- sl_array_t *cmd_array = NULL;
-- ssize_t len;
-+ NTSTATUS status;
- int ret;
-
- d = dalloc_new(mem_ctx);
-@@ -293,23 +281,11 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- ctx->max_fragment_size);
-- if (blob->spotlight_blob == NULL) {
-- TALLOC_FREE(d);
-- return NT_STATUS_NO_MEMORY;
-- }
-- blob->size = ctx->max_fragment_size;
--
-- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
-+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
- TALLOC_FREE(d);
-- if (len == -1) {
-- return NT_STATUS_NO_MEMORY;
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
--
-- blob->length = len;
-- blob->size = len;
- return NT_STATUS_OK;
- }
-
-@@ -325,7 +301,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
- sl_array_t *cmd_array = NULL;
- sl_array_t *attr_array = NULL;
- sl_cnids_t *cnids = NULL;
-- ssize_t len;
-+ NTSTATUS status;
- int ret;
-
- d = dalloc_new(mem_ctx);
-@@ -426,23 +402,11 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- ctx->max_fragment_size);
-- if (blob->spotlight_blob == NULL) {
-- TALLOC_FREE(d);
-- return NT_STATUS_NO_MEMORY;
-- }
-- blob->size = ctx->max_fragment_size;
--
-- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
-+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
- TALLOC_FREE(d);
-- if (len == -1) {
-- return NT_STATUS_NO_MEMORY;
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
--
-- blob->length = len;
-- blob->size = len;
- return NT_STATUS_OK;
- }
-
-@@ -455,7 +419,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
- uint64_t *uint64p = NULL;
- sl_array_t *array = NULL;
- sl_array_t *cmd_array = NULL;
-- ssize_t len;
-+ NTSTATUS status;
- int ret;
-
- d = dalloc_new(mem_ctx);
-@@ -510,22 +474,10 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx,
- return NT_STATUS_NO_MEMORY;
- }
-
-- blob->spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- ctx->max_fragment_size);
-- if (blob->spotlight_blob == NULL) {
-- TALLOC_FREE(d);
-- return NT_STATUS_NO_MEMORY;
-- }
-- blob->size = ctx->max_fragment_size;
--
-- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size);
-+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
- TALLOC_FREE(d);
-- if (len == -1) {
-- return NT_STATUS_NO_MEMORY;
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
- }
--
-- blob->length = len;
-- blob->size = len;
- return NT_STATUS_OK;
- }
-diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
-index 441d41160f1..34bfda5eca6 100644
---- a/source3/rpc_server/mdssvc/marshalling.c
-+++ b/source3/rpc_server/mdssvc/marshalling.c
-@@ -78,6 +78,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, const char *buf,
- ssize_t offset, size_t bufsize,
- int count, ssize_t toc_offset,
- int encoding);
-+static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
-
- /******************************************************************************
- * Wrapper functions for the *VAL macros with bound checking
-@@ -1190,11 +1191,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
- return offset;
- }
-
--/******************************************************************************
-- * Global functions for packing und unpacking
-- ******************************************************************************/
--
--ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
-+static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
- {
- ssize_t result;
- char *toc_buf;
-@@ -1274,6 +1271,34 @@ ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize)
- return len;
- }
-
-+/******************************************************************************
-+ * Global functions for packing und unpacking
-+ ******************************************************************************/
-+
-+NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
-+ DALLOC_CTX *d,
-+ struct mdssvc_blob *b,
-+ size_t max_fragment_size)
-+{
-+ ssize_t len;
-+
-+ b->spotlight_blob = talloc_zero_array(mem_ctx,
-+ uint8_t,
-+ max_fragment_size);
-+ if (b->spotlight_blob == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ len = sl_pack(d, (char *)b->spotlight_blob, max_fragment_size);
-+ if (len == -1) {
-+ return NT_STATUS_DATA_ERROR;
-+ }
-+
-+ b->length = len;
-+ b->size = len;
-+ return NT_STATUS_OK;
-+}
-+
- bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize)
- {
- ssize_t result;
-diff --git a/source3/rpc_server/mdssvc/marshalling.h b/source3/rpc_server/mdssvc/marshalling.h
-index 086ca740604..2cc1b44712c 100644
---- a/source3/rpc_server/mdssvc/marshalling.h
-+++ b/source3/rpc_server/mdssvc/marshalling.h
-@@ -22,6 +22,9 @@
- #define _MDSSVC_MARSHALLING_H
-
- #include "dalloc.h"
-+#include "libcli/util/ntstatus.h"
-+#include "lib/util/data_blob.h"
-+#include "librpc/gen_ndr/mdssvc.h"
-
- #define MAX_SL_FRAGMENT_SIZE 0xFFFFF
-
-@@ -49,7 +52,11 @@ typedef struct {
- * Function declarations
- ******************************************************************************/
-
--extern ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize);
-+extern NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx,
-+ DALLOC_CTX *d,
-+ struct mdssvc_blob *b,
-+ size_t max_fragment_size);
-+
- extern bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize);
-
- #endif
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index 82d46987e40..b75fb7812ed 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -1725,11 +1725,11 @@ error:
- **/
- bool mds_dispatch(struct mds_ctx *mds_ctx,
- struct mdssvc_blob *request_blob,
-- struct mdssvc_blob *response_blob)
-+ struct mdssvc_blob *response_blob,
-+ size_t max_fragment_size)
- {
- bool ok;
- int ret;
-- ssize_t len;
- DALLOC_CTX *query = NULL;
- DALLOC_CTX *reply = NULL;
- char *rpccmd;
-@@ -1737,6 +1737,7 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
- const struct smb_filename conn_basedir = {
- .base_name = mds_ctx->conn->connectpath,
- };
-+ NTSTATUS status;
-
- if (CHECK_DEBUGLVL(10)) {
- const struct sl_query *slq;
-@@ -1803,15 +1804,14 @@ bool mds_dispatch(struct mds_ctx *mds_ctx,
-
- DBG_DEBUG("%s", dalloc_dump(reply, 0));
-
-- len = sl_pack(reply,
-- (char *)response_blob->spotlight_blob,
-- response_blob->size);
-- if (len == -1) {
-- DBG_ERR("error packing Spotlight RPC reply\n");
-- ok = false;
-+ status = sl_pack_alloc(response_blob,
-+ reply,
-+ response_blob,
-+ max_fragment_size);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ DBG_ERR("sl_pack_alloc() failed\n");
- goto cleanup;
- }
-- response_blob->length = len;
-
- cleanup:
- talloc_free(query);
-diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
-index a09799130f5..2ff717dd7ff 100644
---- a/source3/rpc_server/mdssvc/mdssvc.h
-+++ b/source3/rpc_server/mdssvc/mdssvc.h
-@@ -159,7 +159,8 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx,
- const char *path);
- extern bool mds_dispatch(struct mds_ctx *query_ctx,
- struct mdssvc_blob *request_blob,
-- struct mdssvc_blob *response_blob);
-+ struct mdssvc_blob *response_blob,
-+ size_t max_fragment_size);
- bool mds_add_result(struct sl_query *slq, const char *path);
-
- #endif /* _MDSSVC_H */
-diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-index f89a187bd3f..bba16118a51 100644
---- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-@@ -267,7 +267,10 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r)
- /* We currently don't use fragmentation at the mdssvc RPC layer */
- *r->out.fragment = 0;
-
-- ok = mds_dispatch(mds_ctx, &r->in.request_blob, r->out.response_blob);
-+ ok = mds_dispatch(mds_ctx,
-+ &r->in.request_blob,
-+ r->out.response_blob,
-+ r->in.max_fragment_size1);
- if (ok) {
- *r->out.unkn9 = 0;
- } else {
-diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c
-index a0a1d10c45f..e006bb84b43 100644
---- a/source3/rpcclient/cmd_spotlight.c
-+++ b/source3/rpcclient/cmd_spotlight.c
-@@ -43,7 +43,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
- uint32_t unkn3; /* server always returns 0 ? */
- struct mdssvc_blob request_blob;
- struct mdssvc_blob response_blob;
-- ssize_t len;
- uint32_t max_fragment_size = 64 * 1024;
- DALLOC_CTX *d, *mds_reply;
- uint64_t *uint64var;
-@@ -137,20 +136,10 @@ static NTSTATUS cmd_mdssvc_fetch_properties(
- goto done;
- }
-
-- request_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size);
-- if (request_blob.spotlight_blob == NULL) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
-- request_blob.size = max_fragment_size;
--
-- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
-- if (len == -1) {
-- status = NT_STATUS_INTERNAL_ERROR;
-+ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
-+ if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-- request_blob.length = len;
-- request_blob.size = len;
-
- status = dcerpc_mdssvc_cmd(b, mem_ctx,
- &share_handle,
-@@ -204,7 +193,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
- uint32_t unkn3; /* server always returns 0 ? */
- struct mdssvc_blob request_blob;
- struct mdssvc_blob response_blob;
-- ssize_t len;
- uint32_t max_fragment_size = 64 * 1024;
- DALLOC_CTX *d, *mds_reply;
- uint64_t *uint64var;
-@@ -352,22 +340,10 @@ static NTSTATUS cmd_mdssvc_fetch_attributes(
- goto done;
- }
-
-- request_blob.spotlight_blob = talloc_array(mem_ctx,
-- uint8_t,
-- max_fragment_size);
-- if (request_blob.spotlight_blob == NULL) {
-- status = NT_STATUS_INTERNAL_ERROR;
-- goto done;
-- }
-- request_blob.size = max_fragment_size;
--
-- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
-- if (len == -1) {
-- status = NT_STATUS_INTERNAL_ERROR;
-+ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size);
-+ if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-- request_blob.length = len;
-- request_blob.size = len;
-
- status = dcerpc_mdssvc_cmd(b, mem_ctx,
- &share_handle,
-diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c
-index 76a740c41db..e670eb9bfca 100644
---- a/source4/torture/rpc/mdssvc.c
-+++ b/source4/torture/rpc/mdssvc.c
-@@ -745,11 +745,9 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx,
- ok, done, "dalloc_new failed\n");
- request_blob.size = 64 * 1024;
-
-- request_blob.length = sl_pack(d,
-- (char *)request_blob.spotlight_blob,
-- request_blob.size);
-- torture_assert_goto(tctx, request_blob.length > 0,
-- ok, done, "sl_pack failed\n");
-+ status = sl_pack_alloc(tctx, d, &request_blob, 64 * 1024);
-+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
-+ "sl_pack_alloc() failed\n");
-
- status = dcerpc_mdssvc_cmd(b,
- state,
-@@ -836,7 +834,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
- const char *path_type = NULL;
- uint64_t ino64;
- NTSTATUS status;
-- ssize_t len;
- int ret;
- bool ok = true;
-
-@@ -901,18 +898,9 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx,
- ret = dalloc_add(array, cnids, sl_cnids_t);
- torture_assert_goto(tctx, ret == 0, ret, done, "dalloc_add failed\n");
-
-- request_blob.spotlight_blob = talloc_array(state,
-- uint8_t,
-- max_fragment_size);
-- torture_assert_not_null_goto(tctx, request_blob.spotlight_blob,
-- ret, done, "dalloc_zero failed\n");
-- request_blob.size = max_fragment_size;
--
-- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size);
-- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n");
--
-- request_blob.length = len;
-- request_blob.size = len;
-+ status = sl_pack_alloc(tctx, d, &request_blob, max_fragment_size);
-+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
-+ "sl_pack_alloc() failed\n");
-
- status = dcerpc_mdssvc_cmd(b,
- state,
---
-2.41.0
-
diff --git a/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch b/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch
deleted file mode 100644
index 59be69ef07da..000000000000
--- a/net/samba413/files/0020-CVE-2023-34968-mdscli-return-share-relative-paths.patch
+++ /dev/null
@@ -1,504 +0,0 @@
-From 6a5e5daf6901a6e963b19f2697656ac0c54b2553 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Sat, 17 Jun 2023 13:53:27 +0200
-Subject: [PATCH 20/21] CVE-2023-34968: mdscli: return share relative paths
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The next commit will change the Samba Spotlight server to return absolute paths
-that start with the sharename as "/SHARENAME/..." followed by the share path
-relative appended.
-
-So given a share
-
- [spotlight]
- path = /foo/bar
- spotlight = yes
-
-and a file inside this share with a full path of
-
- /foo/bar/dir/file
-
-previously a search that matched this file would returns the absolute
-server-side pato of the file, ie
-
- /foo/bar/dir/file
-
-This will be change to
-
- /spotlight/dir/file
-
-As currently the mdscli library and hence the mdsearch tool print out these
-paths returned from the server, we have to change the output to accomodate these
-fake paths. The only way to do this sensibly is by makeing the paths relative to
-the containing share, so just
-
- dir/file
-
-in the example above.
-
-The client learns about the share root path prefix – real server-side of fake in
-the future – in an initial handshake in the "share_path" out argument of the
-mdssvc_open() RPC call, so the client can use this path to convert the absolute
-path to relative.
-
-There is however an additional twist: the macOS Spotlight server prefixes this
-absolute path with another prefix, typically "/System/Volumes/Data", so in the
-example above the full path for the same search would be
-
- /System/Volumes/Data/foo/bar/dir/file
-
-So macOS does return the full server-side path too, just prefixed with an
-additional path. This path prefixed can be queried by the client in the
-mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
-and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
-just returns "/" for this.
-
-Currently the mdscli library doesn't issue this Spotlight RPC
-request (fetchPropertiesForContext), so this is added in this commit. In the
-end, all search result paths are stripped of the combined prefix
-
- kMDSStorePathScopes + share_path (from mdssvc_open).
-
-eg
-
- kMDSStorePathScopes = /System/Volumes/Data
- share_path = /foo/bar
- search result = /System/Volumes/Data/foo/bar/dir/file
- relative path returned by mdscli = dir/file
-
-Makes sense? :)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- python/samba/tests/blackbox/mdfind.py | 8 +-
- python/samba/tests/dcerpc/mdssvc.py | 26 ++--
- source3/rpc_client/cli_mdssvc.c | 155 +++++++++++++++++++++++-
- source3/rpc_client/cli_mdssvc_private.h | 4 +
- source3/rpc_client/cli_mdssvc_util.c | 68 +++++++++++
- source3/rpc_client/cli_mdssvc_util.h | 4 +
- 6 files changed, 245 insertions(+), 20 deletions(-)
-
-diff --git a/python/samba/tests/blackbox/mdfind.py b/python/samba/tests/blackbox/mdfind.py
-index 5c1c0c3d155..62f4d38f17d 100644
---- a/python/samba/tests/blackbox/mdfind.py
-+++ b/python/samba/tests/blackbox/mdfind.py
-@@ -76,10 +76,7 @@ class MdfindBlackboxTests(BlackboxTestCase):
- self.t.start()
- time.sleep(1)
-
-- pipe = mdssvc.mdssvc('ncacn_np:fileserver[/pipe/mdssvc]', self.get_loadparm())
-- conn = mdscli.conn(pipe, 'spotlight', '/foo')
-- self.sharepath = conn.sharepath()
-- conn.disconnect(pipe)
-+ self.sharepath = os.environ["LOCAL_PATH"]
-
- for file in testfiles:
- f = open("%s/%s" % (self.sharepath, file), "w")
-@@ -126,5 +123,4 @@ class MdfindBlackboxTests(BlackboxTestCase):
- output = self.check_output("mdfind -s %s -U %s%%%s fileserver spotlight '*==\"samba*\"'" % (config, username, password))
-
- actual = output.decode('utf-8').splitlines()
-- expected = ["%s/%s" % (self.sharepath, file) for file in testfiles]
-- self.assertEqual(expected, actual)
-+ self.assertEqual(testfiles, actual)
-diff --git a/python/samba/tests/dcerpc/mdssvc.py b/python/samba/tests/dcerpc/mdssvc.py
-index b0df509ddc7..5002e5d26d6 100644
---- a/python/samba/tests/dcerpc/mdssvc.py
-+++ b/python/samba/tests/dcerpc/mdssvc.py
-@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase):
- self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,))
- self.t.setDaemon(True)
- self.t.start()
-+ self.sharepath = os.environ["LOCAL_PATH"]
- time.sleep(1)
-
- conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
-- self.sharepath = conn.sharepath()
-+ self.fakepath = conn.sharepath()
- conn.disconnect(self.pipe)
-
- for file in testfiles:
-@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase):
- self.server.serve_forever()
-
- def run_test(self, query, expect, json_in, json_out):
-- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect]
- self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath)
- self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath)
-
- self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
-- search = self.conn.search(self.pipe, query, self.sharepath)
-+ search = self.conn.search(self.pipe, query, self.fakepath)
-
- # Give it some time, the get_results() below returns immediately
- # what's available, so if we ask to soon, we might get back no results
-@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase):
- ]
- }
- }'''
-- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"]
-+ exp_results = ["foo", "bar"]
- self.run_test('*=="samba*"', exp_results, exp_json_query, fake_json_response)
-
- def test_mdscli_search_escapes(self):
-@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase):
- }
- }'''
- exp_results = [
-- r"%BASEPATH%/x+x",
-- r"%BASEPATH%/x*x",
-- r"%BASEPATH%/x=x",
-- r"%BASEPATH%/x'x",
-- r"%BASEPATH%/x?x",
-- r"%BASEPATH%/x x",
-- r"%BASEPATH%/x(x",
-- "%BASEPATH%/x\"x",
-- r"%BASEPATH%/x\x",
-+ r"x+x",
-+ r"x*x",
-+ r"x=x",
-+ r"x'x",
-+ r"x?x",
-+ r"x x",
-+ r"x(x",
-+ "x\"x",
-+ r"x\x",
- ]
- self.run_test(sl_query, exp_results, exp_json_query, fake_json_response)
-diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
-index 07c19b51dd4..03aed61c00c 100644
---- a/source3/rpc_client/cli_mdssvc.c
-+++ b/source3/rpc_client/cli_mdssvc.c
-@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx,
- struct mdscli_connect_state {
- struct tevent_context *ev;
- struct mdscli_ctx *mdscli_ctx;
-+ struct mdssvc_blob response_blob;
- };
-
- static void mdscli_connect_open_done(struct tevent_req *subreq);
- static void mdscli_connect_unknown1_done(struct tevent_req *subreq);
-+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq);
-
- struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
- struct mdscli_connect_state *state = tevent_req_data(
- req, struct mdscli_connect_state);
- struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
-+ size_t share_path_len;
- NTSTATUS status;
-
- status = dcerpc_mdssvc_open_recv(subreq, state);
-@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req *subreq)
- return;
- }
-
-+ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
-+ if (share_path_len < 1 || share_path_len > UINT16_MAX) {
-+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
-+ return;
-+ }
-+ mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
-+
-+ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
-+ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
-+ mdscli_ctx->mdscmd_open.share_path_len--;
-+ }
-+
- subreq = dcerpc_mdssvc_unknown1_send(
- state,
- state->ev,
-@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
- subreq, struct tevent_req);
- struct mdscli_connect_state *state = tevent_req_data(
- req, struct mdscli_connect_state);
-+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
-+ struct mdssvc_blob request_blob;
- NTSTATUS status;
-
- status = dcerpc_mdssvc_unknown1_recv(subreq, state);
-@@ -154,6 +171,108 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq)
- return;
- }
-
-+ status = mdscli_blob_fetch_props(state,
-+ state->mdscli_ctx,
-+ &request_blob);
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ subreq = dcerpc_mdssvc_cmd_send(state,
-+ state->ev,
-+ mdscli_ctx->bh,
-+ &mdscli_ctx->ph,
-+ 0,
-+ mdscli_ctx->dev,
-+ mdscli_ctx->mdscmd_open.unkn2,
-+ 0,
-+ mdscli_ctx->flags,
-+ request_blob,
-+ 0,
-+ mdscli_ctx->max_fragment_size,
-+ 1,
-+ mdscli_ctx->max_fragment_size,
-+ 0,
-+ 0,
-+ &mdscli_ctx->mdscmd_cmd.fragment,
-+ &state->response_blob,
-+ &mdscli_ctx->mdscmd_cmd.unkn9);
-+ if (tevent_req_nomem(subreq, req)) {
-+ return;
-+ }
-+ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req);
-+ mdscli_ctx->async_pending++;
-+ return;
-+}
-+
-+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq)
-+{
-+ struct tevent_req *req = tevent_req_callback_data(
-+ subreq, struct tevent_req);
-+ struct mdscli_connect_state *state = tevent_req_data(
-+ req, struct mdscli_connect_state);
-+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
-+ DALLOC_CTX *d = NULL;
-+ sl_array_t *path_scope_array = NULL;
-+ char *path_scope = NULL;
-+ NTSTATUS status;
-+ bool ok;
-+
-+ status = dcerpc_mdssvc_cmd_recv(subreq, state);
-+ TALLOC_FREE(subreq);
-+ state->mdscli_ctx->async_pending--;
-+ if (tevent_req_nterror(req, status)) {
-+ return;
-+ }
-+
-+ d = dalloc_new(state);
-+ if (tevent_req_nomem(d, req)) {
-+ return;
-+ }
-+
-+ ok = sl_unpack(d,
-+ (char *)state->response_blob.spotlight_blob,
-+ state->response_blob.length);
-+ if (!ok) {
-+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
-+ return;
-+ }
-+
-+ path_scope_array = dalloc_value_for_key(d,
-+ "DALLOC_CTX", 0,
-+ "kMDSStorePathScopes",
-+ "sl_array_t");
-+ if (path_scope_array == NULL) {
-+ DBG_ERR("Missing kMDSStorePathScopes\n");
-+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
-+ return;
-+ }
-+
-+ path_scope = dalloc_get(path_scope_array, "char *", 0);
-+ if (path_scope == NULL) {
-+ DBG_ERR("Missing path in kMDSStorePathScopes\n");
-+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
-+ return;
-+ }
-+
-+ mdscli_ctx->path_scope_len = strlen(path_scope);
-+ if (mdscli_ctx->path_scope_len < 1 ||
-+ mdscli_ctx->path_scope_len > UINT16_MAX)
-+ {
-+ DBG_ERR("Bad path_scope: %s\n", path_scope);
-+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
-+ return;
-+ }
-+ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope);
-+ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) {
-+ return;
-+ }
-+
-+ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') {
-+ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0';
-+ mdscli_ctx->path_scope_len--;
-+ }
-+
- tevent_req_done(req);
- }
-
-@@ -697,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
- struct mdscli_get_path_state *state = tevent_req_data(
- req, struct mdscli_get_path_state);
- DALLOC_CTX *d = NULL;
-+ size_t pathlen;
-+ size_t prefixlen;
- char *path = NULL;
-+ const char *p = NULL;
- NTSTATUS status;
- bool ok;
-
-@@ -732,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
- tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
- return;
- }
-- state->path = talloc_move(state, &path);
-+
-+ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */
-+ pathlen = strlen(path);
-+
-+ /*
-+ * path_scope_len and share_path_len are already checked to be smaller
-+ * then UINT16_MAX so this can't overflow
-+ */
-+ prefixlen = state->mdscli_ctx->path_scope_len
-+ + state->mdscli_ctx->mdscmd_open.share_path_len;
-+
-+ if (pathlen < prefixlen) {
-+ DBG_DEBUG("Bad path: %s\n", path);
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ return;
-+ }
-+
-+ p = path + prefixlen;
-+ while (*p == '/') {
-+ p++;
-+ }
-+ if (*p == '\0') {
-+ DBG_DEBUG("Bad path: %s\n", path);
-+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ return;
-+ }
-+
-+ state->path = talloc_strdup(state, p);
-+ if (state->path == NULL) {
-+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-+ return;
-+ }
- DBG_DEBUG("path: %s\n", state->path);
-
- tevent_req_done(req);
-diff --git a/source3/rpc_client/cli_mdssvc_private.h b/source3/rpc_client/cli_mdssvc_private.h
-index 031af85bf58..77f300c09cc 100644
---- a/source3/rpc_client/cli_mdssvc_private.h
-+++ b/source3/rpc_client/cli_mdssvc_private.h
-@@ -42,6 +42,7 @@ struct mdscli_ctx {
- /* cmd specific or unknown fields */
- struct {
- char share_path[1025];
-+ size_t share_path_len;
- uint32_t unkn2;
- uint32_t unkn3;
- } mdscmd_open;
-@@ -56,6 +57,9 @@ struct mdscli_ctx {
- struct {
- uint32_t status;
- } mdscmd_close;
-+
-+ char *path_scope;
-+ size_t path_scope_len;
- };
-
- struct mdscli_search_ctx {
-diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c
-index a39202d0c99..1eaaca715a8 100644
---- a/source3/rpc_client/cli_mdssvc_util.c
-+++ b/source3/rpc_client/cli_mdssvc_util.c
-@@ -28,6 +28,74 @@
- #include "rpc_server/mdssvc/dalloc.h"
- #include "rpc_server/mdssvc/marshalling.h"
-
-+NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
-+ struct mdscli_ctx *ctx,
-+ struct mdssvc_blob *blob)
-+{
-+ DALLOC_CTX *d = NULL;
-+ uint64_t *uint64p = NULL;
-+ sl_array_t *array = NULL;
-+ sl_array_t *cmd_array = NULL;
-+ NTSTATUS status;
-+ int ret;
-+
-+ d = dalloc_new(mem_ctx);
-+ if (d == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ array = dalloc_zero(d, sl_array_t);
-+ if (array == NULL) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ ret = dalloc_add(d, array, sl_array_t);
-+ if (ret != 0) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ cmd_array = dalloc_zero(d, sl_array_t);
-+ if (cmd_array == NULL) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ ret = dalloc_add(array, cmd_array, sl_array_t);
-+ if (ret != 0) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ ret = dalloc_stradd(cmd_array, "fetchPropertiesForContext:");
-+ if (ret != 0) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ uint64p = talloc_zero_array(cmd_array, uint64_t, 2);
-+ if (uint64p == NULL) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ talloc_set_name(uint64p, "uint64_t *");
-+
-+ ret = dalloc_add(cmd_array, uint64p, uint64_t *);
-+ if (ret != 0) {
-+ TALLOC_FREE(d);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size);
-+ TALLOC_FREE(d);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+ return NT_STATUS_OK;
-+}
-+
- NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
- struct mdscli_search_ctx *search,
- struct mdssvc_blob *blob)
-diff --git a/source3/rpc_client/cli_mdssvc_util.h b/source3/rpc_client/cli_mdssvc_util.h
-index 7a98c854526..3f324758c70 100644
---- a/source3/rpc_client/cli_mdssvc_util.h
-+++ b/source3/rpc_client/cli_mdssvc_util.h
-@@ -21,6 +21,10 @@
- #ifndef _MDSCLI_UTIL_H_
- #define _MDSCLI_UTIL_H_
-
-+NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx,
-+ struct mdscli_ctx *ctx,
-+ struct mdssvc_blob *blob);
-+
- NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx,
- struct mdscli_search_ctx *search,
- struct mdssvc_blob *blob);
---
-2.41.0
-
diff --git a/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch b/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch
deleted file mode 100644
index d33138fa2212..000000000000
--- a/net/samba413/files/0021-CVE-2023-34968-mdssvc-return-a-fake-share-path.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From 7aa1e167ee35e2e2f07e83156ee8e7d54bdd4989 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Mon, 5 Jun 2023 18:02:20 +0200
-Subject: [PATCH 21/21] CVE-2023-34968: mdssvc: return a fake share path
-
-Instead of returning the real server-side absolute path of shares and search
-results, return a fake absolute path replacing the path of the share with the
-share name, iow for a share "test" with a server-side path of "/foo/bar", we
-previously returned
-
- /foo/bar and
- /foo/bar/search/result
-
-and now return
-
- /test and
- /test/search/result
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/mdssvc/mdssvc.c | 61 +++++++++++++++++++++--
- source3/rpc_server/mdssvc/mdssvc.h | 1 +
- source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 23 +++++++--
- 3 files changed, 78 insertions(+), 7 deletions(-)
-
-diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
-index b75fb7812ed..e9d464527b3 100644
---- a/source3/rpc_server/mdssvc/mdssvc.c
-+++ b/source3/rpc_server/mdssvc/mdssvc.c
-@@ -519,11 +519,14 @@ static bool inode_map_add(struct sl_query *slq,
- bool mds_add_result(struct sl_query *slq, const char *path)
- {
- struct smb_filename *smb_fname = NULL;
-+ const char *relative = NULL;
-+ char *fake_path = NULL;
- struct stat_ex sb;
- uint32_t attr;
- uint64_t ino64;
- int result;
- NTSTATUS status;
-+ bool sub;
- bool ok;
-
- smb_fname = synthetic_smb_fname(talloc_tos(),
-@@ -614,6 +617,17 @@ bool mds_add_result(struct sl_query *slq, const char *path)
- }
- }
-
-+ sub = subdir_of(slq->mds_ctx->spath,
-+ slq->mds_ctx->spath_len,
-+ path,
-+ &relative);
-+ if (!sub) {
-+ DBG_ERR("[%s] is not inside [%s]\n",
-+ path, slq->mds_ctx->spath);
-+ slq->state = SLQ_STATE_ERROR;
-+ return false;
-+ }
-+
- /*
- * Add inode number and filemeta to result set, this is what
- * we return as part of the result set of a query
-@@ -626,18 +640,30 @@ bool mds_add_result(struct sl_query *slq, const char *path)
- slq->state = SLQ_STATE_ERROR;
- return false;
- }
-+
-+ fake_path = talloc_asprintf(slq,
-+ "/%s/%s",
-+ slq->mds_ctx->sharename,
-+ relative);
-+ if (fake_path == NULL) {
-+ slq->state = SLQ_STATE_ERROR;
-+ return false;
-+ }
-+
- ok = add_filemeta(slq->mds_ctx,
- slq->reqinfo,
- slq->query_results->fm_array,
-- path,
-+ fake_path,
- &sb);
- if (!ok) {
- DBG_ERR("add_filemeta error\n");
-+ TALLOC_FREE(fake_path);
- slq->state = SLQ_STATE_ERROR;
- return false;
- }
-
-- ok = inode_map_add(slq, ino64, path, &sb);
-+ ok = inode_map_add(slq, ino64, fake_path, &sb);
-+ TALLOC_FREE(fake_path);
- if (!ok) {
- DEBUG(1, ("inode_map_add error\n"));
- slq->state = SLQ_STATE_ERROR;
-@@ -844,6 +870,32 @@ static void slq_close_timer(struct tevent_context *ev,
- }
- }
-
-+/**
-+ * Translate a fake scope from the client like /sharename/dir
-+ * to the real server-side path, replacing the "/sharename" part
-+ * with the absolute server-side path of the share.
-+ **/
-+static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope)
-+{
-+ size_t sname_len = strlen(slq->mds_ctx->sharename);
-+ size_t fake_scope_len = strlen(fake_scope);
-+
-+ if (fake_scope_len < sname_len + 1) {
-+ DBG_ERR("Short scope [%s] for share [%s]\n",
-+ fake_scope, slq->mds_ctx->sharename);
-+ return false;
-+ }
-+
-+ slq->path_scope = talloc_asprintf(slq,
-+ "%s%s",
-+ slq->mds_ctx->spath,
-+ fake_scope + sname_len + 1);
-+ if (slq->path_scope == NULL) {
-+ return false;
-+ }
-+ return true;
-+}
-+
- /**
- * Begin a search query
- **/
-@@ -950,8 +1002,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
- goto error;
- }
-
-- slq->path_scope = talloc_strdup(slq, scope);
-- if (slq->path_scope == NULL) {
-+ ok = mdssvc_real_scope(slq, scope);
-+ if (!ok) {
- goto error;
- }
-
-@@ -1660,6 +1712,7 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx,
- if (mds_ctx->spath == NULL) {
- goto error;
- }
-+ mds_ctx->spath_len = strlen(path);
-
- mds_ctx->snum = snum;
- mds_ctx->pipe_session_info = session_info;
-diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h
-index 2ff717dd7ff..2f12f4f9f84 100644
---- a/source3/rpc_server/mdssvc/mdssvc.h
-+++ b/source3/rpc_server/mdssvc/mdssvc.h
-@@ -127,6 +127,7 @@ struct mds_ctx {
- int snum;
- const char *sharename;
- const char *spath;
-+ size_t spath_len;
- struct connection_struct *conn;
- struct sl_query *query_list; /* list of active queries */
- struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */
-diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-index bba16118a51..08ba3ad0c76 100644
---- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-+++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c
-@@ -120,6 +120,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
- loadparm_s3_global_substitution();
- int snum;
- char *outpath = discard_const_p(char, r->out.share_path);
-+ char *fake_path = NULL;
- char *path;
- NTSTATUS status;
-
-@@ -137,8 +138,17 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
-
- path = lp_path(talloc_tos(), lp_sub, snum);
- if (path == NULL) {
-- DBG_ERR("Couldn't create policy handle for %s\n",
-+ DBG_ERR("Couldn't create path for %s\n",
-+ r->in.share_name);
-+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
-+ return;
-+ }
-+
-+ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name);
-+ if (fake_path == NULL) {
-+ DBG_ERR("Couldn't create fake share path for %s\n",
- r->in.share_name);
-+ talloc_free(path);
- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
- return;
- }
-@@ -148,16 +158,23 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r)
- r->in.share_name,
- path,
- r->out.handle);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_VOLUME)) {
-+ ZERO_STRUCTP(r->out.handle);
-+ talloc_free(path);
-+ talloc_free(fake_path);
-+ return;
-+ }
- if (!NT_STATUS_IS_OK(status)) {
- DBG_ERR("Couldn't create policy handle for %s\n",
- r->in.share_name);
- talloc_free(path);
-+ talloc_free(fake_path);
- p->fault_state = DCERPC_FAULT_CANT_PERFORM;
- return;
- }
-
-- strlcpy(outpath, path, 1024);
-- talloc_free(path);
-+ strlcpy(outpath, fake_path, 1024);
-+ talloc_free(fake_path);
- return;
- }
-
---
-2.41.0
-
diff --git a/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch b/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch
deleted file mode 100644
index 1d1a538a9cbd..000000000000
--- a/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch
+++ /dev/null
@@ -1,1897 +0,0 @@
-From e63b31932441b6213ace55f4e627d098682965c3 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:56:08 +1300
-Subject: [PATCH 01/11] CVE-2022-3437 source4/heimdal: Remove __func__
- compatibility workaround
-
-As described by the C standard, __func__ is a variable, not a macro.
-Hence this #ifndef check does not work as intended, and only serves to
-unconditionally disable __func__. A nonoperating __func__ prevents
-cmocka operating correctly, so remove this definition.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source4/heimdal/lib/krb5/krb5_locl.h | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
-index 49c614d5efe..d3360c556ce 100644
---- a/source4/heimdal/lib/krb5/krb5_locl.h
-+++ b/source4/heimdal/lib/krb5/krb5_locl.h
-@@ -188,10 +188,6 @@ struct _krb5_krb_auth_data;
- #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
- #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
-
--#ifndef __func__
--#define __func__ "unknown-function"
--#endif
--
- #define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
-
- #ifndef PATH_SEP
---
-2.25.1
-
-
-From f11ebd82b4b6e04433907a8fe15d0a8df11fac8a Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:55:51 +1300
-Subject: [PATCH 02/11] CVE-2022-3437 source4/heimdal_build: Add
- gssapi-subsystem subsystem
-
-This allows us to access (and so test) functions internal to GSSAPI by
-depending on this subsystem.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-[jsutton@samba.org Adapted to older wscript_build file]
----
- source4/heimdal_build/wscript_build | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build
-index f151788dcfd..396656e0727 100644
---- a/source4/heimdal_build/wscript_build
-+++ b/source4/heimdal_build/wscript_build
-@@ -556,8 +556,8 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
- HEIMDAL_AUTOPROTO_PRIVATE('lib/gssapi/krb5/gsskrb5-private.h',
- HEIMDAL_GSSAPI_KRB5_SOURCE)
-
-- HEIMDAL_LIBRARY('gssapi',
-- HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
-+ HEIMDAL_SUBSYSTEM('gssapi-subsystem',
-+ HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
- lib/gssapi/mech/context.c lib/gssapi/mech/gss_krb5.c lib/gssapi/mech/gss_mech_switch.c
- lib/gssapi/mech/gss_process_context_token.c lib/gssapi/mech/gss_buffer_set.c
- lib/gssapi/mech/gss_aeap.c lib/gssapi/mech/gss_add_cred.c lib/gssapi/mech/gss_cred.c
-@@ -582,10 +582,16 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
- lib/gssapi/mech/gss_set_cred_option.c lib/gssapi/mech/gss_pseudo_random.c ../heimdal_build/gssapi-glue.c''',
- includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
- deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind',
-- vnum='2.0.0',
-- version_script='lib/gssapi/version-script.map',
- )
-
-+ HEIMDAL_LIBRARY('gssapi',
-+ '',
-+ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
-+ deps='gssapi-subsystem',
-+ vnum='2.0.0',
-+ version_script='lib/gssapi/version-script.map',
-+ )
-+
- if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
- # expand_path.c needs some of the install paths
- HEIMDAL_SUBSYSTEM('HEIMDAL_CONFIG',
---
-2.25.1
-
-
-From 04e71e8e5398f42c329db2a9a51c7f76a62a18b0 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:55:39 +1300
-Subject: [PATCH 03/11] CVE-2022-3437 s4/auth/tests: Add unit tests for
- unwrap_des3()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-[jsutton@samba.org Adapted to lack of 'samba.unittests.auth.sam' test,
- renamed 'third_party' to 'source4' in paths, defined
- HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler
- error]
-[abartlet@samba.org backported to 4.12 required fixing merge conflicts
- in wscript_build subsystem conversion (different deps) and tests.py test addition
- (unrelated changes in context)]
----
- selftest/knownfail.d/heimdal-des-overflow | 9 +
- selftest/tests.py | 5 +
- source4/auth/tests/heimdal_unwrap_des.c | 1247 +++++++++++++++++++++
- source4/auth/wscript_build | 21 +
- 4 files changed, 1282 insertions(+)
- create mode 100644 selftest/knownfail.d/heimdal-des-overflow
- create mode 100644 source4/auth/tests/heimdal_unwrap_des.c
-
-diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
-new file mode 100644
-index 00000000000..23acbb43d31
---- /dev/null
-+++ b/selftest/knownfail.d/heimdal-des-overflow
-@@ -0,0 +1,9 @@
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
-+^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
-diff --git a/selftest/tests.py b/selftest/tests.py
-index 10648b19155..721c36ae4c3 100644
---- a/selftest/tests.py
-+++ b/selftest/tests.py
-@@ -46,6 +46,8 @@ have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
- with_pam = ("WITH_PAM" in config_hash)
- pam_wrapper_so_path = config_hash["LIBPAM_WRAPPER_SO_PATH"]
- pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"]
-+have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
-+using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
-
- planpythontestsuite("none", "samba.tests.source")
- if have_man_pages_support:
-@@ -409,5 +411,8 @@ plantestsuite("samba.unittests.test_registry_regfio", "none",
- [os.path.join(bindir(), "default/source3/test_registry_regfio")])
- plantestsuite("samba.unittests.test_oLschema2ldif", "none",
- [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
-+if have_heimdal_support and not using_system_gssapi:
-+ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
-+ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
- plantestsuite("samba.unittests.mdsparser_es", "none",
- [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
-diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c
-new file mode 100644
-index 00000000000..dc31e9d0ad1
---- /dev/null
-+++ b/source4/auth/tests/heimdal_unwrap_des.c
-@@ -0,0 +1,1247 @@
-+/*
-+ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c
-+ *
-+ * Copyright (C) Catalyst.NET Ltd 2022
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
-+ *
-+ */
-+
-+/*
-+ * from cmocka.c:
-+ * These headers or their equivalents should be included prior to
-+ * including
-+ * this header file.
-+ *
-+ * #include <stdarg.h>
-+ * #include <stddef.h>
-+ * #include <setjmp.h>
-+ *
-+ * This allows test applications to use custom definitions of C standard
-+ * library functions and types.
-+ *
-+ */
-+
-+#include <stdarg.h>
-+#include <stddef.h>
-+#include <setjmp.h>
-+
-+#include <cmocka.h>
-+
-+#include "includes.h"
-+#include "replace.h"
-+
-+#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_
-+#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x)
-+
-+#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h"
-+#include "gsskrb5_locl.h"
-+
-+/******************************************************************************
-+ * Helper functions
-+ ******************************************************************************/
-+
-+const uint8_t *valid_range_begin;
-+const uint8_t *valid_range_end;
-+const uint8_t *invalid_range_end;
-+
-+/*
-+ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to
-+ * report in the resulting buffer.
-+ */
-+static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx,
-+ const uint8_t array[],
-+ const size_t array_len,
-+ const size_t buffer_len)
-+{
-+ gss_buffer_desc buf;
-+
-+ /* Add some padding to catch invalid memory accesses. */
-+ const size_t padding = 0x100;
-+ const size_t padded_len = array_len + padding;
-+
-+ uint8_t *data = talloc_size(mem_ctx, padded_len);
-+ assert_non_null(data);
-+
-+ memcpy(data, array, array_len);
-+ memset(data + array_len, 0, padding);
-+
-+ assert_in_range(buffer_len, 0, array_len);
-+
-+ buf.value = data;
-+ buf.length = buffer_len;
-+
-+ valid_range_begin = buf.value;
-+ valid_range_end = valid_range_begin + buf.length;
-+ invalid_range_end = valid_range_begin + padded_len;
-+
-+ return buf;
-+}
-+
-+static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len)
-+{
-+ /* Ensure we've set up the range pointers properly. */
-+ assert_non_null(valid_range_begin);
-+ assert_non_null(valid_range_end);
-+ assert_non_null(invalid_range_end);
-+
-+ /*
-+ * Ensure the length isn't excessively large (a symptom of integer
-+ * underflow).
-+ */
-+ assert_in_range(len, 0, 0x1000);
-+
-+ /* Ensure the memory is in our valid range. */
-+ assert_in_range(ptr, valid_range_begin, valid_range_end);
-+ assert_in_range(ptr + len, valid_range_begin, valid_range_end);
-+}
-+
-+/*
-+ * This function takes a pointer to volatile to allow it to be called from the
-+ * ct_memcmp() wrapper.
-+ */
-+static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr,
-+ const size_t len)
-+{
-+ const LargestIntegralType _valid_range_end
-+ = cast_ptr_to_largest_integral_type(valid_range_end);
-+ const LargestIntegralType _invalid_range_end
-+ = cast_ptr_to_largest_integral_type(invalid_range_end);
-+ const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr);
-+ const LargestIntegralType _len = cast_to_largest_integral_type(len);
-+
-+ /* Ensure we've set up the range pointers properly. */
-+ assert_non_null(valid_range_begin);
-+ assert_non_null(valid_range_end);
-+ assert_non_null(invalid_range_end);
-+
-+ /*
-+ * Ensure the length isn't excessively large (a symptom of integer
-+ * underflow).
-+ */
-+ assert_in_range(len, 0, 0x1000);
-+
-+ /* Ensure the memory is outside the invalid range. */
-+ if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) {
-+ fail();
-+ }
-+}
-+
-+/*****************************************************************************
-+ * wrapped functions
-+ *****************************************************************************/
-+
-+krb5_keyblock dummy_key;
-+
-+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
-+ krb5_auth_context auth_context,
-+ krb5_keyblock **keyblock);
-+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
-+ krb5_auth_context auth_context,
-+ krb5_keyblock **keyblock)
-+{
-+ *keyblock = &dummy_key;
-+ return 0;
-+}
-+
-+void __wrap_krb5_free_keyblock(krb5_context context,
-+ krb5_keyblock *keyblock);
-+void __wrap_krb5_free_keyblock(krb5_context context,
-+ krb5_keyblock *keyblock)
-+{
-+ assert_ptr_equal(&dummy_key, keyblock);
-+}
-+
-+struct krb5_crypto_data dummy_crypto;
-+
-+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
-+ const krb5_keyblock *key,
-+ krb5_enctype etype,
-+ krb5_crypto *crypto);
-+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
-+ const krb5_keyblock *key,
-+ krb5_enctype etype,
-+ krb5_crypto *crypto)
-+{
-+ static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0};
-+
-+ assert_ptr_equal(&dummy_key, key);
-+ assert_in_set(etype, etypes, ARRAY_SIZE(etypes));
-+
-+ *crypto = &dummy_crypto;
-+
-+ return 0;
-+}
-+
-+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
-+ krb5_crypto crypto,
-+ unsigned usage,
-+ void *data,
-+ size_t len,
-+ krb5_data *result);
-+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
-+ krb5_crypto crypto,
-+ unsigned usage,
-+ void *data,
-+ size_t len,
-+ krb5_data *result)
-+{
-+ assert_ptr_equal(&dummy_crypto, crypto);
-+ assert_int_equal(KRB5_KU_USAGE_SEAL, usage);
-+
-+ assert_mem_in_valid_range(data, len);
-+
-+ check_expected(len);
-+ check_expected_ptr(data);
-+
-+ result->data = malloc(len);
-+ assert_non_null(result->data);
-+ result->length = len;
-+
-+ memcpy(result->data, data, len);
-+
-+ return 0;
-+}
-+
-+krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context,
-+ krb5_crypto crypto,
-+ unsigned usage,
-+ void *data,
-+ size_t len,
-+ krb5_data *result,
-+ void *ivec);
-+krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context,
-+ krb5_crypto crypto,
-+ unsigned usage,
-+ void *data,
-+ size_t len,
-+ krb5_data *result,
-+ void *ivec)
-+{
-+ assert_ptr_equal(&dummy_crypto, crypto);
-+ assert_int_equal(KRB5_KU_USAGE_SEQ, usage);
-+
-+ assert_mem_in_valid_range(data, len);
-+
-+ assert_int_equal(8, len);
-+ check_expected_ptr(data);
-+ check_expected_ptr(ivec);
-+
-+ result->data = malloc(len);
-+ assert_non_null(result->data);
-+ result->length = len;
-+
-+ memcpy(result->data, data, len);
-+
-+ return 0;
-+}
-+
-+krb5_error_code __wrap_krb5_verify_checksum(krb5_context context,
-+ krb5_crypto crypto,
-+ krb5_key_usage usage,
-+ void *data,
-+ size_t len,
-+ Checksum *cksum);
-+krb5_error_code __wrap_krb5_verify_checksum(krb5_context context,
-+ krb5_crypto crypto,
-+ krb5_key_usage usage,
-+ void *data,
-+ size_t len,
-+ Checksum *cksum)
-+{
-+ assert_ptr_equal(&dummy_crypto, crypto);
-+ assert_int_equal(KRB5_KU_USAGE_SIGN, usage);
-+
-+ assert_mem_in_valid_range(data, len);
-+
-+ check_expected(len);
-+ check_expected_ptr(data);
-+
-+ assert_non_null(cksum);
-+ assert_int_equal(CKSUMTYPE_HMAC_SHA1_DES3, cksum->cksumtype);
-+ assert_int_equal(20, cksum->checksum.length);
-+ check_expected_ptr(cksum->checksum.data);
-+
-+ return 0;
-+}
-+
-+krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context,
-+ krb5_crypto crypto);
-+krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context,
-+ krb5_crypto crypto)
-+{
-+ assert_ptr_equal(&dummy_crypto, crypto);
-+
-+ return 0;
-+}
-+
-+
-+int __wrap_der_get_length(const unsigned char *p,
-+ size_t len,
-+ size_t *val,
-+ size_t *size);
-+int __real_der_get_length(const unsigned char *p,
-+ size_t len,
-+ size_t *val,
-+ size_t *size);
-+int __wrap_der_get_length(const unsigned char *p,
-+ size_t len,
-+ size_t *val,
-+ size_t *size)
-+{
-+ assert_mem_in_valid_range(p, len);
-+
-+ return __real_der_get_length(p, len, val, size);
-+}
-+
-+int __wrap_ct_memcmp(const volatile void * volatile p1,
-+ const volatile void * volatile p2,
-+ size_t len);
-+int __real_ct_memcmp(const volatile void * volatile p1,
-+ const volatile void * volatile p2,
-+ size_t len);
-+int __wrap_ct_memcmp(const volatile void * volatile p1,
-+ const volatile void * volatile p2,
-+ size_t len)
-+{
-+ assert_mem_outside_invalid_range(p1, len);
-+ assert_mem_outside_invalid_range(p2, len);
-+
-+ return __real_ct_memcmp(p1, p2, len);
-+}
-+
-+void *__wrap_malloc(size_t size);
-+void *__real_malloc(size_t size);
-+void *__wrap_malloc(size_t size)
-+{
-+ /*
-+ * Ensure the length isn't excessively large (a symptom of integer
-+ * underflow).
-+ */
-+ assert_in_range(size, 0, 0x10000);
-+
-+ return __real_malloc(size);
-+}
-+
-+/*****************************************************************************
-+ * Mock implementations
-+ *****************************************************************************/
-+
-+/*
-+ * Set the globals used by the mocked functions to a known and consistent state
-+ *
-+ */
-+static void init_mock_results(TALLOC_CTX *mem_ctx)
-+{
-+ dummy_key.keytype = KRB5_ENCTYPE_DES3_CBC_MD5;
-+ dummy_key.keyvalue.data = NULL;
-+ dummy_key.keyvalue.length = 0;
-+
-+ dummy_crypto = (struct krb5_crypto_data) {0};
-+
-+ valid_range_begin = NULL;
-+ valid_range_end = NULL;
-+ invalid_range_end = NULL;
-+}
-+
-+/*****************************************************************************
-+ * Unit test set up and tear down
-+ *****************************************************************************/
-+
-+struct context {
-+ gss_ctx_id_t context_handle;
-+};
-+
-+static int setup(void **state) {
-+ struct context *ctx = NULL;
-+ krb5_context context = NULL;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ krb5_error_code code;
-+
-+ ctx = talloc_zero(NULL, struct context);
-+ assert_non_null(ctx);
-+
-+ init_mock_results(ctx);
-+
-+ code = _gsskrb5_init(&context);
-+ assert_int_equal(0, code);
-+
-+ major_status = _gsskrb5_create_ctx(&minor_status,
-+ &ctx->context_handle,
-+ context,
-+ GSS_C_NO_CHANNEL_BINDINGS,
-+ ACCEPTOR_START);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ *state = ctx;
-+ return 0;
-+}
-+
-+static int teardown(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+
-+ major_status = _gsskrb5_delete_sec_context(&minor_status,
-+ &ctx->context_handle,
-+ GSS_C_NO_BUFFER);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ TALLOC_FREE(ctx);
-+ return 0;
-+}
-+
-+/*****************************************************************************
-+ * _gsskrb5_unwrap unit tests
-+ *****************************************************************************/
-+
-+static void test_unwrap_dce_style_missing_payload(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gsskrb5_ctx gss_ctx;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 22);
-+
-+ gss_ctx = (gsskrb5_ctx) ctx->context_handle;
-+ gss_ctx->flags |= GSS_C_DCE_STYLE;
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_dce_style_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gsskrb5_ctx gss_ctx;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe,
-+ 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ gss_ctx = (gsskrb5_ctx) ctx->context_handle;
-+ gss_ctx->flags |= GSS_C_DCE_STYLE;
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 16);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(0, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 0);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+static void test_unwrap_dce_style_with_seal_missing_payload(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gsskrb5_ctx gss_ctx;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 22);
-+
-+ gss_ctx = (gsskrb5_ctx) ctx->context_handle;
-+ gss_ctx->flags |= GSS_C_DCE_STYLE;
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_dce_style_with_seal_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gsskrb5_ctx gss_ctx;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe,
-+ 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ gss_ctx = (gsskrb5_ctx) ctx->context_handle;
-+ gss_ctx->flags |= GSS_C_DCE_STYLE;
-+
-+ expect_value(__wrap_krb5_decrypt, len, 8);
-+ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49);
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 16);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(1, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 0);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+static void test_unwrap_missing_8_bytes(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x2f, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 49);
-+
-+ /*
-+ * A fixed unwrap_des3() should fail before these wrappers are called,
-+ * but we want the wrappers to have access to any required values in the
-+ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test
-+ * failure if these values remain unused.
-+ */
-+ expect_value_count(__wrap_krb5_decrypt_ivec, data,
-+ (uint8_t *)input.value + 21,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN,
-+ WILL_RETURN_ONCE);
-+
-+ expect_value_count(__wrap_krb5_verify_checksum, len, 8, WILL_RETURN_ONCE);
-+ expect_value_count(__wrap_krb5_verify_checksum, data,
-+ (uint8_t *)input.value + 41,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20,
-+ WILL_RETURN_ONCE);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_missing_payload(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x14, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0x00, 0xa1, 0xa2, 0xa3, /* padding byte / encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 22);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_truncated_header_0(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x00, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 2);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_DEFECTIVE_TOKEN, major_status);
-+}
-+
-+static void test_unwrap_truncated_header_1(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x02, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, 0xee, /* GSS KRB5 mech */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 4);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe,
-+ 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 16);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(0, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 0);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+static void test_unwrap_with_padding_truncated_0(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0x04, 0x04, 0x04, 0x04, /* padding bytes */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ /*
-+ * A fixed unwrap_des3() should fail before these wrappers are called,
-+ * but we want the wrappers to have access to any required values in the
-+ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test
-+ * failure if these values remain unused.
-+ */
-+ expect_value_count(__wrap_krb5_decrypt_ivec, data,
-+ (uint8_t *)input.value + 21,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN,
-+ WILL_RETURN_ONCE);
-+
-+ expect_value_count(__wrap_krb5_verify_checksum, len, 16, WILL_RETURN_ONCE);
-+ expect_value_count(__wrap_krb5_verify_checksum, data,
-+ (uint8_t *)input.value + 41,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20,
-+ WILL_RETURN_ONCE);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_with_padding_truncated_1(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0x00, 0xa1, 0xa2, 0xa3, /* padding byte / encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* padding bytes */
-+ 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ /*
-+ * A fixed unwrap_des3() should fail before these wrappers are called,
-+ * but we want the wrappers to have access to any required values in the
-+ * event that they are called. Specifying WILL_RETURN_ONCE avoids a test
-+ * failure if these values remain unused.
-+ */
-+ expect_value_count(__wrap_krb5_decrypt_ivec, data,
-+ (uint8_t *)input.value + 21,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN,
-+ WILL_RETURN_ONCE);
-+
-+ expect_value_count(__wrap_krb5_verify_checksum, len, 16, WILL_RETURN_ONCE);
-+ expect_value_count(__wrap_krb5_verify_checksum, data,
-+ (uint8_t *)input.value + 41,
-+ WILL_RETURN_ONCE);
-+ expect_memory_count(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20,
-+ WILL_RETURN_ONCE);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_with_padding_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x3f, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0xff, 0xff, /* SEAL_ALG (none) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe, 0xbf,
-+ /* padding bytes */
-+ 0x08, 0x08, 0x08, 0x08,
-+ 0x08, 0x08, 0x08, 0x08,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 65);
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 24);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(0, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 0);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+static void test_unwrap_with_seal_empty_token_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x37, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe,
-+ 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 57);
-+
-+ expect_value(__wrap_krb5_decrypt, len, 8);
-+ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49);
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 16);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(1, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 0);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+static void test_unwrap_with_seal_missing_payload(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x14, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 22);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_BAD_MECH, major_status);
-+}
-+
-+static void test_unwrap_with_seal_valid(void **state) {
-+ struct context *ctx = *state;
-+ OM_uint32 major_status;
-+ OM_uint32 minor_status;
-+ gss_buffer_desc input = {0};
-+ gss_buffer_desc output = {0};
-+ int conf_state;
-+ gss_qop_t qop_state;
-+
-+ /* See RFC 1964 for token format. */
-+ static const uint8_t data[] = {
-+ 0x60, /* ASN.1 Application tag */
-+ 0x3e, /* total length */
-+ 0x06, /* OBJECT IDENTIFIER */
-+ 0x09, /* mech length */
-+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* GSS KRB5 mech */
-+ 0x02, 0x01, /* TOK_ID */
-+ 0x04, 0x00, /* SGN_ALG (HMAC SHA1 DES3-KD) */
-+ 0x02, 0x00, /* SEAL_ALG (DES3-KD) */
-+ 0xff, 0xff, /* Filler */
-+ 0xa0, 0xa1, 0xa2, 0xa3, /* encrypted sequence number */
-+ 0x00, 0x00, 0x00, 0x00, /* sequence number direction (remote) */
-+ /* checksum */
-+ 0xa4, 0xa5, 0xa6, 0xa7, 0xa8,
-+ 0xa9, 0xaa, 0xab, 0xac, 0xad,
-+ 0xae, 0xaf, 0xb0, 0xb1, 0xb2,
-+ 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
-+ /* unused */
-+ 0xb8, 0xb9, 0xba, 0xbb,
-+ 0xbc, 0xbd, 0xbe, 0xbf,
-+ 0xc0, 0xc1, 0xc2, 0xc3,
-+ 0xc4, 0xc5,
-+ 0x00, /* padding byte */
-+ };
-+
-+ input = get_input_buffer(ctx, data, sizeof(data), 64);
-+
-+ expect_value(__wrap_krb5_decrypt, len, 15);
-+ expect_value(__wrap_krb5_decrypt, data, (uint8_t *)input.value + 49);
-+
-+ expect_value(__wrap_krb5_decrypt_ivec, data, (uint8_t *)input.value + 21);
-+ expect_memory(__wrap_krb5_decrypt_ivec, ivec,
-+ (uint8_t *)input.value + 29, DES_CBLOCK_LEN);
-+
-+ expect_value(__wrap_krb5_verify_checksum, len, 23);
-+ expect_value(__wrap_krb5_verify_checksum, data, (uint8_t *)input.value + 41);
-+ expect_memory(__wrap_krb5_verify_checksum, cksum->checksum.data,
-+ (uint8_t *)input.value + 29, 20);
-+
-+ major_status = _gsskrb5_unwrap(&minor_status,
-+ ctx->context_handle,
-+ &input,
-+ &output,
-+ &conf_state,
-+ &qop_state);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+
-+ assert_int_equal(1, conf_state);
-+ assert_int_equal(GSS_C_QOP_DEFAULT, qop_state);
-+
-+ assert_int_equal(output.length, 7);
-+ assert_memory_equal((uint8_t *)input.value + 57, output.value, output.length);
-+
-+ major_status = gss_release_buffer(&minor_status, &output);
-+ assert_int_equal(GSS_S_COMPLETE, major_status);
-+}
-+
-+int main(int argc, const char **argv)
-+{
-+ static const struct CMUnitTest tests[] = {
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_dce_style_missing_payload, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_dce_style_valid, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_dce_style_with_seal_missing_payload, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_dce_style_with_seal_valid, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_missing_8_bytes, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_missing_payload, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_truncated_header_0, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_truncated_header_1, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_valid, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_padding_truncated_0, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_padding_truncated_1, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_padding_valid, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_seal_empty_token_valid, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_seal_missing_payload, setup, teardown),
-+ cmocka_unit_test_setup_teardown(
-+ test_unwrap_with_seal_valid, setup, teardown),
-+ };
-+
-+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
-+ return cmocka_run_group_tests(tests, NULL, NULL);
-+}
-diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
-index 381a7b19bf0..01b2f280609 100644
---- a/source4/auth/wscript_build
-+++ b/source4/auth/wscript_build
-@@ -49,6 +49,27 @@ bld.SAMBA_BINARY('test_kerberos',
- for_selftest=True
- )
-
-+bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
-+ source='tests/heimdal_unwrap_des.c',
-+ deps='cmocka talloc gssapi-subsystem',
-+ local_include=False,
-+ for_selftest=True,
-+ enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
-+ not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
-+ ldflags='''
-+ -Wl,--wrap,ct_memcmp
-+ -Wl,--wrap,der_get_length
-+ -Wl,--wrap,krb5_auth_con_getlocalsubkey
-+ -Wl,--wrap,krb5_crypto_destroy
-+ -Wl,--wrap,krb5_crypto_init
-+ -Wl,--wrap,krb5_decrypt
-+ -Wl,--wrap,krb5_decrypt_ivec
-+ -Wl,--wrap,krb5_free_keyblock
-+ -Wl,--wrap,krb5_verify_checksum
-+ -Wl,--wrap,malloc
-+ '''
-+)
-+
- pytalloc_util = bld.pyembed_libname('pytalloc-util')
- pyparam_util = bld.pyembed_libname('pyparam_util')
- pyldb_util = bld.pyembed_libname('pyldb-util')
---
-2.25.1
-
-
-From b4eefd391b2511d306637a050807c0d68aaaede1 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:57:13 +1300
-Subject: [PATCH 04/11] CVE-2022-3437 source4/heimdal: Use constant-time
- memcmp() for arcfour unwrap
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-[jsutton@samba.org Adapted to small differences in comparisons, and
- removed erroneous duplicate code in conflicting region]
----
- source4/heimdal/lib/gssapi/krb5/arcfour.c | 24 +++++++----------------
- 1 file changed, 7 insertions(+), 17 deletions(-)
-
-diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
-index a61f7686e95..c6b317ff683 100644
---- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
-+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
-@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
- _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
-
- if (context_handle->more_flags & LOCAL)
-- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
-+ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
- else
-- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
-+ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
-
- memset(SND_SEQ, 0, sizeof(SND_SEQ));
- if (cmp != 0) {
-@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
- _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
-
- if (context_handle->more_flags & LOCAL)
-- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
-+ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
- else
-- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
-+ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
-
- if (cmp != 0) {
- *minor_status = 0;
-@@ -1266,19 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
- _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
-
- if (ctx->more_flags & LOCAL) {
-- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
-+ cmp = ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
- } else {
-- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
-- }
-- if (cmp != 0) {
-- *minor_status = 0;
-- return GSS_S_BAD_MIC;
-- }
--
-- if (ctx->more_flags & LOCAL) {
-- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
-- } else {
-- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
-+ cmp = ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
- }
- if (cmp != 0) {
- *minor_status = 0;
-@@ -1353,7 +1343,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
- return GSS_S_FAILURE;
- }
-
-- cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
-+ cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
- if (cmp != 0) {
- *minor_status = 0;
- return GSS_S_BAD_MIC;
---
-2.25.1
-
-
-From 42b23fee3ad77aa29f6f7cbdcf8573756a68f95e Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:57:55 +1300
-Subject: [PATCH 05/11] CVE-2022-3437 source4/heimdal: Use constant-time
- memcmp() in unwrap_des3()
-
-The surrounding checks all use ct_memcmp(), so this one was presumably
-meant to as well.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source4/heimdal/lib/gssapi/krb5/unwrap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-index b3da35ee9e2..7111a7944fe 100644
---- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
-+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-@@ -227,7 +227,7 @@ unwrap_des3
- if (ret)
- return ret;
-
-- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
-+ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
- return GSS_S_BAD_SIG;
- p += 2;
- if (ct_memcmp (p, "\x02\x00", 2) == 0) {
---
-2.25.1
-
-
-From 109a01fba88b641c988a04b14d911929ee82db92 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:57:42 +1300
-Subject: [PATCH 06/11] CVE-2022-3437 source4/heimdal: Don't pass NULL pointers
- to memcpy() in DES unwrap
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-index 7111a7944fe..9639091cb3a 100644
---- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
-+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-@@ -180,9 +180,10 @@ unwrap_des
- output_message_buffer->value = malloc(output_message_buffer->length);
- if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
- return GSS_S_FAILURE;
-- memcpy (output_message_buffer->value,
-- p + 24,
-- output_message_buffer->length);
-+ if (output_message_buffer->value != NULL)
-+ memcpy (output_message_buffer->value,
-+ p + 24,
-+ output_message_buffer->length);
- return GSS_S_COMPLETE;
- }
- #endif
-@@ -374,9 +375,10 @@ unwrap_des3
- output_message_buffer->value = malloc(output_message_buffer->length);
- if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
- return GSS_S_FAILURE;
-- memcpy (output_message_buffer->value,
-- p + 36,
-- output_message_buffer->length);
-+ if (output_message_buffer->value != NULL)
-+ memcpy (output_message_buffer->value,
-+ p + 36,
-+ output_message_buffer->length);
- return GSS_S_COMPLETE;
- }
-
---
-2.25.1
-
-
-From d466a7c156b0797ae9d6eaf49b2f4fd5c9e3e7eb Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 15 Aug 2022 16:53:45 +1200
-Subject: [PATCH 07/11] CVE-2022-3437 source4/heimdal: Avoid undefined
- behaviour in _gssapi_verify_pad()
-
-By decrementing 'pad' only when we know it's safe, we ensure we can't
-stray backwards past the start of a buffer, which would be undefined
-behaviour.
-
-In the previous version of the loop, 'i' is the number of bytes left to
-check, and 'pad' is the current byte we're checking. 'pad' was
-decremented at the end of each loop iteration. If 'i' was 1 (so we
-checked the final byte), 'pad' could potentially be pointing to the
-first byte of the input buffer, and the decrement would put it one
-byte behind the buffer.
-
-That would be undefined behaviour.
-
-The patch changes it so that 'pad' is the byte we previously checked,
-which allows us to ensure that we only decrement it when we know we
-have a byte to check.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- source4/heimdal/lib/gssapi/krb5/decapsulate.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-index 86085f56950..4e3fcd659e9 100644
---- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
- if (wrapped_token->length < 1)
- return GSS_S_BAD_MECH;
-
-- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
-- padlength = *pad;
-+ pad = (u_char *)wrapped_token->value + wrapped_token->length;
-+ padlength = pad[-1];
-
- if (padlength > datalen)
- return GSS_S_BAD_MECH;
-
-- for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
-+ for (i = padlength; i > 0 && *--pad == padlength; i--)
- ;
- if (i != 0)
- return GSS_S_BAD_MIC;
---
-2.25.1
-
-
-From 73e28ffbce8894c93374feb95c4ed1a87f2e6051 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 15 Aug 2022 16:53:55 +1200
-Subject: [PATCH 08/11] CVE-2022-3437 source4/heimdal: Check the result of
- _gsskrb5_get_mech()
-
-We should make sure that the result of 'total_len - mech_len' won't
-overflow, and that we don't memcmp() past the end of the buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- selftest/knownfail.d/heimdal-des-overflow | 1 -
- source4/heimdal/lib/gssapi/krb5/decapsulate.c | 4 ++++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
-index 23acbb43d31..68b304530db 100644
---- a/selftest/knownfail.d/heimdal-des-overflow
-+++ b/selftest/knownfail.d/heimdal-des-overflow
-@@ -3,7 +3,6 @@
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
-diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-index 4e3fcd659e9..031a621eabc 100644
---- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
-
- if (mech_len != mech->length)
- return GSS_S_BAD_MECH;
-+ if (mech_len > total_len)
-+ return GSS_S_BAD_MECH;
-+ if (p - *str > total_len - mech_len)
-+ return GSS_S_BAD_MECH;
- if (ct_memcmp(p,
- mech->elements,
- mech->length) != 0)
---
-2.25.1
-
-
-From 3320c411c5cdf8bb9e4bc945e8bbe0947933d5e1 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 15 Aug 2022 16:54:23 +1200
-Subject: [PATCH 09/11] CVE-2022-3437 source4/heimdal: Check buffer length
- against overflow for DES{,3} unwrap
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- selftest/knownfail.d/heimdal-des-overflow | 5 -----
- source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
- 2 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
-index 68b304530db..94a49bbee7f 100644
---- a/selftest/knownfail.d/heimdal-des-overflow
-+++ b/selftest/knownfail.d/heimdal-des-overflow
-@@ -1,8 +1,3 @@
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
-diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-index 9639091cb3a..70d26a75ccf 100644
---- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
-+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-@@ -64,6 +64,8 @@ unwrap_des
-
- if (IS_DCE_STYLE(context_handle)) {
- token_len = 22 + 8 + 15; /* 45 */
-+ if (input_message_buffer->length < token_len)
-+ return GSS_S_BAD_MECH;
- } else {
- token_len = input_message_buffer->length;
- }
-@@ -76,6 +78,11 @@ unwrap_des
- if (ret)
- return ret;
-
-+ len = (p - (u_char *)input_message_buffer->value)
-+ + 22 + 8;
-+ if (input_message_buffer->length < len)
-+ return GSS_S_BAD_MECH;
-+
- if (memcmp (p, "\x00\x00", 2) != 0)
- return GSS_S_BAD_SIG;
- p += 2;
-@@ -216,6 +223,8 @@ unwrap_des3
-
- if (IS_DCE_STYLE(context_handle)) {
- token_len = 34 + 8 + 15; /* 57 */
-+ if (input_message_buffer->length < token_len)
-+ return GSS_S_BAD_MECH;
- } else {
- token_len = input_message_buffer->length;
- }
-@@ -228,6 +237,11 @@ unwrap_des3
- if (ret)
- return ret;
-
-+ len = (p - (u_char *)input_message_buffer->value)
-+ + 34 + 8;
-+ if (input_message_buffer->length < len)
-+ return GSS_S_BAD_MECH;
-+
- if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
- return GSS_S_BAD_SIG;
- p += 2;
---
-2.25.1
-
-
-From 9eb844370966625733f90d17a5d9ad611002567f Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 10 Oct 2022 20:33:09 +1300
-Subject: [PATCH 10/11] CVE-2022-3437 source4/heimdal: Check for overflow in
- _gsskrb5_get_mech()
-
-If len_len is equal to total_len - 1 (i.e. the input consists only of a
-0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
-used as the 'len' parameter to der_get_length(), will overflow to
-SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
-whatever data follows in memory. Add a check to ensure that doesn't
-happen.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- selftest/knownfail.d/heimdal-des-overflow | 1 -
- source4/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
-index 94a49bbee7f..a7416dc61d9 100644
---- a/selftest/knownfail.d/heimdal-des-overflow
-+++ b/selftest/knownfail.d/heimdal-des-overflow
-@@ -1,3 +1,2 @@
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
- ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
-diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-index 031a621eabc..d7b75a64222 100644
---- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
-@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
- e = der_get_length (p, total_len - 1, &len, &len_len);
- if (e || 1 + len_len + len != total_len)
- return -1;
-+ if (total_len < 1 + len_len + 1)
-+ return -1;
- p += len_len;
- if (*p++ != 0x06)
- return -1;
---
-2.25.1
-
-
-From 4c272bd20bbd512a63889e25f86506324957d232 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 12 Oct 2022 13:57:33 +1300
-Subject: [PATCH 11/11] CVE-2022-3437 source4/heimdal: Pass correct length to
- _gssapi_verify_pad()
-
-We later subtract 8 when calculating the length of the output message
-buffer. If padlength is excessively high, this calculation can underflow
-and result in a very large positive value.
-
-Now we properly constrain the value of padlength so underflow shouldn't
-be possible.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- selftest/knownfail.d/heimdal-des-overflow | 2 --
- source4/heimdal/lib/gssapi/krb5/unwrap.c | 4 ++--
- 2 files changed, 2 insertions(+), 4 deletions(-)
- delete mode 100644 selftest/knownfail.d/heimdal-des-overflow
-
-diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
-deleted file mode 100644
-index a7416dc61d9..00000000000
---- a/selftest/knownfail.d/heimdal-des-overflow
-+++ /dev/null
-@@ -1,2 +0,0 @@
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
--^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
-diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-index 70d26a75ccf..ed8f7d78ffa 100644
---- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
-+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
-@@ -124,7 +124,7 @@ unwrap_des
- } else {
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
-- input_message_buffer->length - len,
-+ input_message_buffer->length - len - 8,
- &padlength);
- if (ret)
- return ret;
-@@ -289,7 +289,7 @@ unwrap_des3
- } else {
- /* check pad */
- ret = _gssapi_verify_pad(input_message_buffer,
-- input_message_buffer->length - len,
-+ input_message_buffer->length - len - 8,
- &padlength);
- if (ret)
- return ret;
---
-2.25.1
-
diff --git a/net/samba413/files/README.FreeBSD.in b/net/samba413/files/README.FreeBSD.in
deleted file mode 100644
index 2dc626f71567..000000000000
--- a/net/samba413/files/README.FreeBSD.in
+++ /dev/null
@@ -1,90 +0,0 @@
-
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- !!! Please read before runing any tools !!!
- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
-Documentation
-=============
-
- o https://wiki.samba.org/index.php/Samba4/HOWTO
-
- o https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
-
- o https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
-
-FreeBSD specific information
-============================
-
-* Your configuration is in: %%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%
-
-* All the logs are under: %%SAMBA4_LOGDIR%%
-
-* All the relevant databases are under: %%SAMBA4_LOCKDIR%%
-
-* Provisioning script is: %%PREFIX%%/bin/samba-tool
-
-Samba4 provisioning requires file system(s) with the ACLs support. On
-UFS2 you need to enable POSIX ACLs by adding 'acls' option to the mount
-flags, on ZFS you need to use NFSv4 ACLs and `zfsacl` VFS module to get
-provisioning work.
-
-There is a hack in the code, that makes provisioning work on UFS2 and in
-the jails on the price of using USER extattr(2) namespace, which is less
-secure than SYSTEM namespace, as can be edited not only by root user, but
-also by the owner of the file.
-
-For the provisioning on ZFS you need to use additional parameters to the
-samba-tool, that would explicitly add `zfsacl` to the default `vfs objects`:
-
- # samba-tool domain provision --interactive \
- --option="vfs objects"="dfs_samba4 zfsacl"
-
-To run this port you need to perform the following steps:
----------------------------------------------------------
-
-0. If you had Samba3 port installed before, please, *take backups* of
-all the relevant files. That includes 'smb.conf' file and all the
-content of the '/var/db/samba/' directory.
-
-1a. Create new '%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%' file by running:
-
- # samba-tool domain provision
-
-1b. Or upgrade from the Samba3 'smb.conf' file by running:
-
- # samba-tool domain classicupgrade
-
-%%NSUPDATE%%1c. You will need to specify location of the 'nsupdate' command in the
-%%NSUPDATE%%'%%SAMBA4_CONFIG%%' file:
-%%NSUPDATE%%
-%%NSUPDATE%% nsupdate command = %%PREFIX%%/bin/samba-nsupdate -g
-%%NSUPDATE%%
-2. Put string 'samba_server_enable="YES"' into your /etc/rc.conf.
-
-3. Make sure that your server doesn't run Samba3, OpenLDAP and named.
-Stop them, if necessary.
-
-4. Run '%%PREFIX%%/etc/rc.d/samba_server start' or reboot.
-
-Please, check archives of samba@lists.samba.org and ask there for help,
-if necessary:
-
- https://lists.samba.org/archive/samba/
-
-In case you found a bug which is clearly not related to the port build
-process itself, plese file a bug report at:
-
- https://bugzilla.samba.org/
-
-And add me to CC list.
-
-You may find those tools helpful:
----------------------------------
-
-Microsoft Remote Server Administration Tools (RSAT) for:
-
-* Vista: http://www.microsoft.com/en-us/download/details.aspx?id=21090
-* Windows 7: http://www.microsoft.com/en-us/download/details.aspx?id=7887
-
-
-FreeBSD Samba4 port maintainer: Timur I. Bakeyev <timur@FreeBSD.org>
diff --git a/net/samba413/files/man/ctdb-script.options.5 b/net/samba413/files/man/ctdb-script.options.5
deleted file mode 100644
index e58b2fd99163..000000000000
--- a/net/samba413/files/man/ctdb-script.options.5
+++ /dev/null
@@ -1,558 +0,0 @@
-'\" t
-.\" Title: ctdb-script.options
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB\-SCRIPT\&.OPTIO" "5" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb-script.options \- CTDB scripts configuration files
-.SH "DESCRIPTION"
-.PP
-Each CTDB script has 2 possible locations for its configuration options:
-.PP
-/usr/local/etc/ctdb/script\&.options
-.RS 4
-This is a catch\-all global file for general purpose scripts and for options that are used in multiple event scripts\&.
-.RE
-.PP
-\fISCRIPT\fR\&.options
-.RS 4
-That is, options for
-\fISCRIPT\fR
-are placed in a file alongside the script, with a "\&.script" suffix added\&. This style is usually recommended for event scripts\&.
-.sp
-Options in this script\-specific file override those in the global file\&.
-.RE
-.PP
-These files should include simple shell\-style variable assignments and shell\-style comments\&.
-.SH "NETWORK CONFIGURATION"
-.SS "10\&.interface"
-.PP
-This event script handles monitoring of interfaces using by public IP addresses\&.
-.PP
-CTDB_PARTIALLY_ONLINE_INTERFACES=yes|no
-.RS 4
-Whether one or more offline interfaces should cause a monitor event to fail if there are other interfaces that are up\&. If this is "yes" and a node has some interfaces that are down then
-\fBctdb status\fR
-will display the node as "PARTIALLYONLINE"\&.
-.sp
-Note that CTDB_PARTIALLY_ONLINE_INTERFACES=yes is not generally compatible with NAT gateway or LVS\&. NAT gateway relies on the interface configured by CTDB_NATGW_PUBLIC_IFACE to be up and LVS replies on CTDB_LVS_PUBLIC_IFACE to be up\&. CTDB does not check if these options are set in an incompatible way so care is needed to understand the interaction\&.
-.sp
-Default is "no"\&.
-.RE
-.SS "11\&.natgw"
-.PP
-Provides CTDB\*(Aqs NAT gateway functionality\&.
-.PP
-NAT gateway is used to configure fallback routing for nodes when they do not host any public IP addresses\&. For example, it allows unhealthy nodes to reliably communicate with external infrastructure\&. One node in a NAT gateway group will be designated as the NAT gateway master node and other (slave) nodes will be configured with fallback routes via the NAT gateway master node\&. For more information, see the
-NAT GATEWAY
-section in
-\fBctdb\fR(7)\&.
-.PP
-CTDB_NATGW_DEFAULT_GATEWAY=\fIIPADDR\fR
-.RS 4
-IPADDR is an alternate network gateway to use on the NAT gateway master node\&. If set, a fallback default route is added via this network gateway\&.
-.sp
-No default\&. Setting this variable is optional \- if not set that no route is created on the NAT gateway master node\&.
-.RE
-.PP
-CTDB_NATGW_NODES=\fIFILENAME\fR
-.RS 4
-FILENAME contains the list of nodes that belong to the same NAT gateway group\&.
-.sp
-File format:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-\fIIPADDR\fR [slave\-only]
-
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-IPADDR is the private IP address of each node in the NAT gateway group\&.
-.sp
-If "slave\-only" is specified then the corresponding node can not be the NAT gateway master node\&. In this case
-\fICTDB_NATGW_PUBLIC_IFACE\fR
-and
-\fICTDB_NATGW_PUBLIC_IP\fR
-are optional and unused\&.
-.sp
-No default, usually
-/usr/local/etc/ctdb/natgw_nodes
-when enabled\&.
-.RE
-.PP
-CTDB_NATGW_PRIVATE_NETWORK=\fIIPADDR/MASK\fR
-.RS 4
-IPADDR/MASK is the private sub\-network that is internally routed via the NAT gateway master node\&. This is usually the private network that is used for node addresses\&.
-.sp
-No default\&.
-.RE
-.PP
-CTDB_NATGW_PUBLIC_IFACE=\fIIFACE\fR
-.RS 4
-IFACE is the network interface on which the CTDB_NATGW_PUBLIC_IP will be configured\&.
-.sp
-No default\&.
-.RE
-.PP
-CTDB_NATGW_PUBLIC_IP=\fIIPADDR/MASK\fR
-.RS 4
-IPADDR/MASK indicates the IP address that is used for outgoing traffic (originating from CTDB_NATGW_PRIVATE_NETWORK) on the NAT gateway master node\&. This
-\fImust not\fR
-be a configured public IP address\&.
-.sp
-No default\&.
-.RE
-.PP
-CTDB_NATGW_STATIC_ROUTES=\fIIPADDR/MASK[@GATEWAY]\fR \&.\&.\&.
-.RS 4
-Each IPADDR/MASK identifies a network or host to which NATGW should create a fallback route, instead of creating a single default route\&. This can be used when there is already a default route, via an interface that can not reach required infrastructure, that overrides the NAT gateway default route\&.
-.sp
-If GATEWAY is specified then the corresponding route on the NATGW master node will be via GATEWAY\&. Such routes are created even if
-\fICTDB_NATGW_DEFAULT_GATEWAY\fR
-is not specified\&. If GATEWAY is not specified for some networks then routes are only created on the NATGW master node for those networks if
-\fICTDB_NATGW_DEFAULT_GATEWAY\fR
-is specified\&.
-.sp
-This should be used with care to avoid causing traffic to unnecessarily double\-hop through the NAT gateway master, even when a node is hosting public IP addresses\&. Each specified network or host should probably have a corresponding automatically created link route or static route to avoid this\&.
-.sp
-No default\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB_NATGW_NODES=/usr/local/etc/ctdb/natgw_nodes
-CTDB_NATGW_PRIVATE_NETWORK=192\&.168\&.1\&.0/24
-CTDB_NATGW_DEFAULT_GATEWAY=10\&.0\&.0\&.1
-CTDB_NATGW_PUBLIC_IP=10\&.0\&.0\&.227/24
-CTDB_NATGW_PUBLIC_IFACE=eth0
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-A variation that ensures that infrastructure (ADS, DNS, \&.\&.\&.) directly attached to the public network (10\&.0\&.0\&.0/24) is always reachable would look like this:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB_NATGW_NODES=/usr/local/etc/ctdb/natgw_nodes
-CTDB_NATGW_PRIVATE_NETWORK=192\&.168\&.1\&.0/24
-CTDB_NATGW_PUBLIC_IP=10\&.0\&.0\&.227/24
-CTDB_NATGW_PUBLIC_IFACE=eth0
-CTDB_NATGW_STATIC_ROUTES=10\&.0\&.0\&.0/24
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Note that
-\fICTDB_NATGW_DEFAULT_GATEWAY\fR
-is not specified\&.
-.RE
-.SS "13\&.per_ip_routing"
-.PP
-Provides CTDB\*(Aqs policy routing functionality\&.
-.PP
-A node running CTDB may be a component of a complex network topology\&. In particular, public addresses may be spread across several different networks (or VLANs) and it may not be possible to route packets from these public addresses via the system\*(Aqs default route\&. Therefore, CTDB has support for policy routing via the
-13\&.per_ip_routing
-eventscript\&. This allows routing to be specified for packets sourced from each public address\&. The routes are added and removed as CTDB moves public addresses between nodes\&.
-.PP
-For more information, see the
-POLICY ROUTING
-section in
-\fBctdb\fR(7)\&.
-.PP
-CTDB_PER_IP_ROUTING_CONF=\fIFILENAME\fR
-.RS 4
-FILENAME contains elements for constructing the desired routes for each source address\&.
-.sp
-The special FILENAME value
-\fB__auto_link_local__\fR
-indicates that no configuration file is provided and that CTDB should generate reasonable link\-local routes for each public IP address\&.
-.sp
-File format:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \fIIPADDR\fR \fIDEST\-IPADDR/MASK\fR [\fIGATEWAY\-IPADDR\fR]
-
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-No default, usually
-/usr/local/etc/ctdb/policy_routing
-when enabled\&.
-.RE
-.PP
-CTDB_PER_IP_ROUTING_RULE_PREF=\fINUM\fR
-.RS 4
-NUM sets the priority (or preference) for the routing rules that are added by CTDB\&.
-.sp
-This should be (strictly) greater than 0 and (strictly) less than 32766\&. A priority of 100 is recommended, unless this conflicts with a priority already in use on the system\&. See
-\fBip\fR(8), for more details\&.
-.RE
-.PP
-CTDB_PER_IP_ROUTING_TABLE_ID_LOW=\fILOW\-NUM\fR, CTDB_PER_IP_ROUTING_TABLE_ID_HIGH=\fIHIGH\-NUM\fR
-.RS 4
-CTDB determines a unique routing table number to use for the routing related to each public address\&. LOW\-NUM and HIGH\-NUM indicate the minimum and maximum routing table numbers that are used\&.
-.sp
-\fBip\fR(8)
-uses some reserved routing table numbers below 255\&. Therefore, CTDB_PER_IP_ROUTING_TABLE_ID_LOW should be (strictly) greater than 255\&.
-.sp
-CTDB uses the standard file
-/etc/iproute2/rt_tables
-to maintain a mapping between the routing table numbers and labels\&. The label for a public address
-\fIADDR\fR
-will look like ctdb\&.\fIaddr\fR\&. This means that the associated rules and routes are easy to read (and manipulate)\&.
-.sp
-No default, usually 1000 and 9000\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB_PER_IP_ROUTING_CONF=/usr/local/etc/ctdb/policy_routing
-CTDB_PER_IP_ROUTING_RULE_PREF=100
-CTDB_PER_IP_ROUTING_TABLE_ID_LOW=1000
-CTDB_PER_IP_ROUTING_TABLE_ID_HIGH=9000
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "91\&.lvs"
-.PP
-Provides CTDB\*(Aqs LVS functionality\&.
-.PP
-For a general description see the
-LVS
-section in
-\fBctdb\fR(7)\&.
-.PP
-CTDB_LVS_NODES=\fIFILENAME\fR
-.RS 4
-FILENAME contains the list of nodes that belong to the same LVS group\&.
-.sp
-File format:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-\fIIPADDR\fR [slave\-only]
-
-.fi
-.if n \{\
-.RE
-.\}
-.sp
-IPADDR is the private IP address of each node in the LVS group\&.
-.sp
-If "slave\-only" is specified then the corresponding node can not be the LVS master node\&. In this case
-\fICTDB_LVS_PUBLIC_IFACE\fR
-and
-\fICTDB_LVS_PUBLIC_IP\fR
-are optional and unused\&.
-.sp
-No default, usually
-/usr/local/etc/ctdb/lvs_nodes
-when enabled\&.
-.RE
-.PP
-CTDB_LVS_PUBLIC_IFACE=\fIINTERFACE\fR
-.RS 4
-INTERFACE is the network interface that clients will use to connection to
-\fICTDB_LVS_PUBLIC_IP\fR\&. This is optional for slave\-only nodes\&. No default\&.
-.RE
-.PP
-CTDB_LVS_PUBLIC_IP=\fIIPADDR\fR
-.RS 4
-CTDB_LVS_PUBLIC_IP is the LVS public address\&. No default\&.
-.RE
-.SH "SERVICE CONFIGURATION"
-.PP
-CTDB can be configured to manage and/or monitor various NAS (and other) services via its eventscripts\&.
-.PP
-In the simplest case CTDB will manage a service\&. This means the service will be started and stopped along with CTDB, CTDB will monitor the service and CTDB will do any required reconfiguration of the service when public IP addresses are failed over\&.
-.SS "20\&.multipathd"
-.PP
-Provides CTDB\*(Aqs Linux multipathd service management\&.
-.PP
-It can monitor multipath devices to ensure that active paths are available\&.
-.PP
-CTDB_MONITOR_MPDEVICES=\fIMP\-DEVICE\-LIST\fR
-.RS 4
-MP\-DEVICE\-LIST is a list of multipath devices for CTDB to monitor?
-.sp
-No default\&.
-.RE
-.SS "31\&.clamd"
-.PP
-This event script provide CTDB\*(Aqs ClamAV anti\-virus service management\&.
-.PP
-This eventscript is not enabled by default\&. Use
-\fBctdb enablescript\fR
-to enable it\&.
-.PP
-CTDB_CLAMD_SOCKET=\fIFILENAME\fR
-.RS 4
-FILENAME is the socket to monitor ClamAV\&.
-.sp
-No default\&.
-.RE
-.SS "49\&.winbind"
-.PP
-Provides CTDB\*(Aqs Samba winbind service management\&.
-.PP
-CTDB_SERVICE_WINBIND=\fISERVICE\fR
-.RS 4
-Distribution specific SERVICE for managing winbindd\&.
-.sp
-Default is "winbind"\&.
-.RE
-.SS "50\&.samba"
-.PP
-Provides the core of CTDB\*(Aqs Samba file service management\&.
-.PP
-CTDB_SAMBA_CHECK_PORTS=\fIPORT\-LIST\fR
-.RS 4
-When monitoring Samba, check TCP ports in space\-separated PORT\-LIST\&.
-.sp
-Default is to monitor ports that Samba is configured to listen on\&.
-.RE
-.PP
-CTDB_SAMBA_SKIP_SHARE_CHECK=yes|no
-.RS 4
-As part of monitoring, should CTDB skip the check for the existence of each directory configured as share in Samba\&. This may be desirable if there is a large number of shares\&.
-.sp
-Default is no\&.
-.RE
-.PP
-CTDB_SERVICE_NMB=\fISERVICE\fR
-.RS 4
-Distribution specific SERVICE for managing nmbd\&.
-.sp
-Default is distribution\-dependant\&.
-.RE
-.PP
-CTDB_SERVICE_SMB=\fISERVICE\fR
-.RS 4
-Distribution specific SERVICE for managing smbd\&.
-.sp
-Default is distribution\-dependant\&.
-.RE
-.SS "60\&.nfs"
-.PP
-This event script (along with 06\&.nfs) provides CTDB\*(Aqs NFS service management\&.
-.PP
-This includes parameters for the kernel NFS server\&. Alternative NFS subsystems (such as
-\m[blue]\fBNFS\-Ganesha\fR\m[]\&\s-2\u[1]\d\s+2) can be integrated using
-\fICTDB_NFS_CALLOUT\fR\&.
-.PP
-CTDB_NFS_CALLOUT=\fICOMMAND\fR
-.RS 4
-COMMAND specifies the path to a callout to handle interactions with the configured NFS system, including startup, shutdown, monitoring\&.
-.sp
-Default is the included
-\fBnfs\-linux\-kernel\-callout\fR\&.
-.RE
-.PP
-CTDB_NFS_CHECKS_DIR=\fIDIRECTORY\fR
-.RS 4
-Specifies the path to a DIRECTORY containing files that describe how to monitor the responsiveness of NFS RPC services\&. See the README file for this directory for an explanation of the contents of these "check" files\&.
-.sp
-CTDB_NFS_CHECKS_DIR can be used to point to different sets of checks for different NFS servers\&.
-.sp
-One way of using this is to have it point to, say,
-/usr/local/etc/ctdb/nfs\-checks\-enabled\&.d
-and populate it with symbolic links to the desired check files\&. This avoids duplication and is upgrade\-safe\&.
-.sp
-Default is
-/usr/local/etc/ctdb/nfs\-checks\&.d, which contains NFS RPC checks suitable for Linux kernel NFS\&.
-.RE
-.PP
-CTDB_NFS_SKIP_SHARE_CHECK=yes|no
-.RS 4
-As part of monitoring, should CTDB skip the check for the existence of each directory exported via NFS\&. This may be desirable if there is a large number of exports\&.
-.sp
-Default is no\&.
-.RE
-.PP
-CTDB_RPCINFO_LOCALHOST=\fIIPADDR\fR|\fIHOSTNAME\fR
-.RS 4
-IPADDR or HOSTNAME indicates the address that
-\fBrpcinfo\fR
-should connect to when doing
-\fBrpcinfo\fR
-check on IPv4 RPC service during monitoring\&. Optimally this would be "localhost"\&. However, this can add some performance overheads\&.
-.sp
-Default is "127\&.0\&.0\&.1"\&.
-.RE
-.PP
-CTDB_RPCINFO_LOCALHOST6=\fIIPADDR\fR|\fIHOSTNAME\fR
-.RS 4
-IPADDR or HOSTNAME indicates the address that
-\fBrpcinfo\fR
-should connect to when doing
-\fBrpcinfo\fR
-check on IPv6 RPC service during monitoring\&. Optimally this would be "localhost6" (or similar)\&. However, this can add some performance overheads\&.
-.sp
-Default is "::1"\&.
-.RE
-.PP
-CTDB_NFS_STATE_FS_TYPE=\fITYPE\fR
-.RS 4
-The type of filesystem used for a clustered NFS\*(Aq shared state\&. No default\&.
-.RE
-.PP
-CTDB_NFS_STATE_MNT=\fIDIR\fR
-.RS 4
-The directory where a clustered NFS\*(Aq shared state will be located\&. No default\&.
-.RE
-.SS "70\&.iscsi"
-.PP
-Provides CTDB\*(Aqs Linux iSCSI tgtd service management\&.
-.PP
-CTDB_START_ISCSI_SCRIPTS=\fIDIRECTORY\fR
-.RS 4
-DIRECTORY on shared storage containing scripts to start tgtd for each public IP address\&.
-.sp
-No default\&.
-.RE
-.SH "DATABASE SETUP"
-.PP
-CTDB checks the consistency of databases during startup\&.
-.SS "00\&.ctdb"
-.PP
-CTDB_MAX_CORRUPT_DB_BACKUPS=\fINUM\fR
-.RS 4
-NUM is the maximum number of volatile TDB database backups to be kept (for each database) when a corrupt database is found during startup\&. Volatile TDBs are zeroed during startup so backups are needed to debug any corruption that occurs before a restart\&.
-.sp
-Default is 10\&.
-.RE
-.SH "SYSTEM RESOURCE MONITORING"
-.SS "05\&.system"
-.PP
-Provides CTDB\*(Aqs filesystem and memory usage monitoring\&.
-.PP
-CTDB can experience seemingly random (performance and other) issues if system resources become too constrained\&. Options in this section can be enabled to allow certain system resources to be checked\&. They allows warnings to be logged and nodes to be marked unhealthy when system resource usage reaches the configured thresholds\&.
-.PP
-Some checks are enabled by default\&. It is recommended that these checks remain enabled or are augmented by extra checks\&. There is no supported way of completely disabling the checks\&.
-.PP
-CTDB_MONITOR_FILESYSTEM_USAGE=\fIFS\-LIMIT\-LIST\fR
-.RS 4
-FS\-LIMIT\-LIST is a space\-separated list of
-\fIFILESYSTEM\fR:\fIWARN_LIMIT\fR[:\fIUNHEALTHY_LIMIT\fR]
-triples indicating that warnings should be logged if the space used on FILESYSTEM reaches WARN_LIMIT%\&. If usage reaches UNHEALTHY_LIMIT then the node should be flagged unhealthy\&. Either WARN_LIMIT or UNHEALTHY_LIMIT may be left blank, meaning that check will be omitted\&.
-.sp
-Default is to warn for each filesystem containing a database directory (volatile\ \&database\ \&directory,
-persistent\ \&database\ \&directory,
-state\ \&database\ \&directory) with a threshold of 90%\&.
-.RE
-.PP
-CTDB_MONITOR_MEMORY_USAGE=\fIMEM\-LIMITS\fR
-.RS 4
-MEM\-LIMITS takes the form
-\fIWARN_LIMIT\fR[:\fIUNHEALTHY_LIMIT\fR]
-indicating that warnings should be logged if memory usage reaches WARN_LIMIT%\&. If usage reaches UNHEALTHY_LIMIT then the node should be flagged unhealthy\&. Either WARN_LIMIT or UNHEALTHY_LIMIT may be left blank, meaning that check will be omitted\&.
-.sp
-Default is 80, so warnings will be logged when memory usage reaches 80%\&.
-.RE
-.SH "EVENT SCRIPT DEBUGGING"
-.SS "debug\-hung\-script\&.sh"
-.PP
-CTDB_DEBUG_HUNG_SCRIPT_STACKPAT=\fIREGEXP\fR
-.RS 4
-REGEXP specifies interesting processes for which stack traces should be logged when debugging hung eventscripts and those processes are matched in pstree output\&. REGEXP is an extended regexp so choices are separated by pipes (\*(Aq|\*(Aq)\&. However, REGEXP should not contain parentheses\&. See also the
-\fBctdb.conf\fR(5)
-[event] "debug\ \&script" option\&.
-.sp
-Default is "exportfs|rpcinfo"\&.
-.RE
-.SH "FILES"
-.RS 4
-/usr/local/etc/ctdb/script\&.options
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdbd\fR(1),
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
-.SH "NOTES"
-.IP " 1." 4
-NFS-Ganesha
-.RS 4
-\%https://github.com/nfs-ganesha/nfs-ganesha/wiki
-.RE
diff --git a/net/samba413/files/man/ctdb-statistics.7 b/net/samba413/files/man/ctdb-statistics.7
deleted file mode 100644
index a70061f0298b..000000000000
--- a/net/samba413/files/man/ctdb-statistics.7
+++ /dev/null
@@ -1,550 +0,0 @@
-'\" t
-.\" Title: ctdb-statistics
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB\-STATISTICS" "7" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb-statistics \- CTDB statistics output
-.SH "OVERALL STATISTICS"
-.PP
-CTDB maintains information about various messages communicated and some of the important operations per node\&. See the
-\fBctdb\fR(1)
-commands
-\fBstatistics\fR
-and
-\fBstatisticsreset\fR
-for displaying statistics\&.
-.SS "Example: ctdb statistics"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB version 1
-Current time of statistics : Fri Sep 12 13:32:32 2014
-Statistics collected since : (000 01:49:20) Fri Sep 12 11:43:12 2014
- num_clients 6
- frozen 0
- recovering 0
- num_recoveries 2
- client_packets_sent 281293
- client_packets_recv 296317
- node_packets_sent 452387
- node_packets_recv 182394
- keepalive_packets_sent 3927
- keepalive_packets_recv 3928
- node
- req_call 48605
- reply_call 1
- req_dmaster 23404
- reply_dmaster 24917
- reply_error 0
- req_message 958
- req_control 197513
- reply_control 153705
- client
- req_call 130866
- req_message 770
- req_control 168921
- timeouts
- call 0
- control 0
- traverse 0
- locks
- num_calls 220
- num_current 0
- num_pending 0
- num_failed 0
- total_calls 130866
- pending_calls 0
- childwrite_calls 1
- pending_childwrite_calls 0
- memory_used 334490
- max_hop_count 18
- total_ro_delegations 2
- total_ro_revokes 2
- hop_count_buckets: 42816 5464 26 1 0 0 0 0 0 0 0 0 0 0 0 0
- lock_buckets: 9 165 14 15 7 2 2 0 0 0 0 0 0 0 0 0
- locks_latency MIN/AVG/MAX 0\&.000685/0\&.160302/6\&.369342 sec out of 214
- reclock_ctdbd MIN/AVG/MAX 0\&.004940/0\&.004969/0\&.004998 sec out of 2
- reclock_recd MIN/AVG/MAX 0\&.000000/0\&.000000/0\&.000000 sec out of 0
- call_latency MIN/AVG/MAX 0\&.000006/0\&.000719/4\&.562991 sec out of 126626
- childwrite_latency MIN/AVG/MAX 0\&.014527/0\&.014527/0\&.014527 sec out of 1
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "CTDB version"
-.PP
-Version of the ctdb protocol used by the node\&.
-.SS "Current time of statistics"
-.PP
-Time when the statistics are generated\&.
-.PP
-This is useful when collecting statistics output periodically for post\-processing\&.
-.SS "Statistics collected since"
-.PP
-Time when ctdb was started or the last time statistics was reset\&. The output shows the duration and the timestamp\&.
-.SS "num_clients"
-.PP
-Number of processes currently connected to CTDB\*(Aqs unix socket\&. This includes recovery daemon, ctdb tool and samba processes (smbd, winbindd)\&.
-.SS "frozen"
-.PP
-1 if the databases are currently frozen, 0 otherwise\&.
-.SS "recovering"
-.PP
-1 if recovery is active, 0 otherwise\&.
-.SS "num_recoveries"
-.PP
-Number of recoveries since the start of ctdb or since the last statistics reset\&.
-.SS "client_packets_sent"
-.PP
-Number of packets sent to client processes via unix domain socket\&.
-.SS "client_packets_recv"
-.PP
-Number of packets received from client processes via unix domain socket\&.
-.SS "node_packets_sent"
-.PP
-Number of packets sent to the other nodes in the cluster via TCP\&.
-.SS "node_packets_recv"
-.PP
-Number of packets received from the other nodes in the cluster via TCP\&.
-.SS "keepalive_packets_sent"
-.PP
-Number of keepalive messages sent to other nodes\&.
-.PP
-CTDB periodically sends keepalive messages to other nodes\&. See
-KeepaliveInterval
-tunable in
-\fBctdb-tunables\fR(7)
-for more details\&.
-.SS "keepalive_packets_recv"
-.PP
-Number of keepalive messages received from other nodes\&.
-.SS "node"
-.PP
-This section lists various types of messages processed which originated from other nodes via TCP\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_call\fR
-.RS 4
-.PP
-Number of REQ_CALL messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreply_call\fR
-.RS 4
-.PP
-Number of REPLY_CALL messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_dmaster\fR
-.RS 4
-.PP
-Number of REQ_DMASTER messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreply_dmaster\fR
-.RS 4
-.PP
-Number of REPLY_DMASTER messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreply_error\fR
-.RS 4
-.PP
-Number of REPLY_ERROR messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_message\fR
-.RS 4
-.PP
-Number of REQ_MESSAGE messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_control\fR
-.RS 4
-.PP
-Number of REQ_CONTROL messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreply_control\fR
-.RS 4
-.PP
-Number of REPLY_CONTROL messages from the other nodes\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_tunnel\fR
-.RS 4
-.PP
-Number of REQ_TUNNEL messages from the other nodes\&.
-.RE
-.SS "client"
-.PP
-This section lists various types of messages processed which originated from clients via unix domain socket\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_call\fR
-.RS 4
-.PP
-Number of REQ_CALL messages from the clients\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_message\fR
-.RS 4
-.PP
-Number of REQ_MESSAGE messages from the clients\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_control\fR
-.RS 4
-.PP
-Number of REQ_CONTROL messages from the clients\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBreq_tunnel\fR
-.RS 4
-.PP
-Number of REQ_TUNNEL messages from the clients\&.
-.RE
-.SS "timeouts"
-.PP
-This section lists timeouts occurred when sending various messages\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBcall\fR
-.RS 4
-.PP
-Number of timeouts for REQ_CALL messages\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBcontrol\fR
-.RS 4
-.PP
-Number of timeouts for REQ_CONTROL messages\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBtraverse\fR
-.RS 4
-.PP
-Number of timeouts for database traverse operations\&.
-.RE
-.SS "locks"
-.PP
-This section lists locking statistics\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBnum_calls\fR
-.RS 4
-.PP
-Number of completed lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBnum_current\fR
-.RS 4
-.PP
-Number of scheduled lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBnum_pending\fR
-.RS 4
-.PP
-Number of queued lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBnum_failed\fR
-.RS 4
-.PP
-Number of failed lock calls\&. This includes database locks and record locks\&.
-.RE
-.SS "total_calls"
-.PP
-Number of req_call messages processed from clients\&. This number should be same as client \-\-> req_call\&.
-.SS "pending_calls"
-.PP
-Number of req_call messages which are currently being processed\&. This number indicates the number of record migrations in flight\&.
-.SS "childwrite_calls"
-.PP
-Number of record update calls\&. Record update calls are used to update a record under a transaction\&.
-.SS "pending_childwrite_calls"
-.PP
-Number of record update calls currently active\&.
-.SS "memory_used"
-.PP
-The amount of memory in bytes currently used by CTDB using talloc\&. This includes all the memory used for CTDB\*(Aqs internal data structures\&. This does not include the memory mapped TDB databases\&.
-.SS "max_hop_count"
-.PP
-The maximum number of hops required for a record migration request to obtain the record\&. High numbers indicate record contention\&.
-.SS "total_ro_delegations"
-.PP
-Number of readonly delegations created\&.
-.SS "total_ro_revokes"
-.PP
-Number of readonly delegations that were revoked\&. The difference between total_ro_revokes and total_ro_delegations gives the number of currently active readonly delegations\&.
-.SS "hop_count_buckets"
-.PP
-Distribution of migration requests based on hop counts values\&. Buckets are 0, <\ \&2, <\ \&4, <\ \&8, <\ \&16, <\ \&32, <\ \&64, <\ \&128, <\ \&256, <\ \&512, <\ \&1024, <\ \&2048, <\ \&4096, <\ \&8192, <\ \&16384, ≥\ \&16384\&.
-.SS "lock_buckets"
-.PP
-Distribution of record lock requests based on time required to obtain locks\&. Buckets are <\ \&1ms, <\ \&10ms, <\ \&100ms, <\ \&1s, <\ \&2s, <\ \&4s, <\ \&8s, <\ \&16s, <\ \&32s, <\ \&64s, ≥\ \&64s\&.
-.SS "locks_latency"
-.PP
-The minimum, the average and the maximum time (in seconds) required to obtain record locks\&.
-.SS "reclock_ctdbd"
-.PP
-The minimum, the average and the maximum time (in seconds) required to check if recovery lock is still held by recovery daemon when recovery mode is changed\&. This check is done in ctdb daemon\&.
-.SS "reclock_recd"
-.PP
-The minimum, the average and the maximum time (in seconds) required to check if recovery lock is still held by recovery daemon during recovery\&. This check is done in recovery daemon\&.
-.SS "call_latency"
-.PP
-The minimum, the average and the maximum time (in seconds) required to process a REQ_CALL message from client\&. This includes the time required to migrate a record from remote node, if the record is not available on the local node\&.
-.SS "childwrite_latency"
-.PP
-Default: 0
-.PP
-The minimum, the average and the maximum time (in seconds) required to update records under a transaction\&.
-.SH "DATABASE STATISTICS"
-.PP
-CTDB maintains per database statistics about important operations\&. See the
-\fBctdb\fR(1)
-command
-\fBdbstatistics\fR
-for displaying database statistics\&.
-.SS "Example: ctdb dbstatistics notify_index\&.tdb"
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-DB Statistics: notify_index\&.tdb
- ro_delegations 0
- ro_revokes 0
- locks
- total 131
- failed 0
- current 0
- pending 0
- hop_count_buckets: 9890 5454 26 1 0 0 0 0 0 0 0 0 0 0 0 0
- lock_buckets: 4 117 10 0 0 0 0 0 0 0 0 0 0 0 0 0
- locks_latency MIN/AVG/MAX 0\&.000683/0\&.004198/0\&.014730 sec out of 131
- Num Hot Keys: 3
- Count:7 Key:2f636c75737465726673
- Count:18 Key:2f636c757374657266732f64617461
- Count:7 Key:2f636c757374657266732f646174612f636c69656e7473
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "DB Statistics"
-.PP
-Name of the database\&.
-.SS "ro_delegations"
-.PP
-Number of readonly delegations created in the database\&.
-.SS "ro_revokes"
-.PP
-Number of readonly delegations revoked\&. The difference in ro_delegations and ro_revokes indicates the currently active readonly delegations\&.
-.SS "locks"
-.PP
-This section lists locking statistics\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBtotal\fR
-.RS 4
-.PP
-Number of completed lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBfailed\fR
-.RS 4
-.PP
-Number of failed lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBcurrent\fR
-.RS 4
-.PP
-Number of scheduled lock calls\&. This includes database locks and record locks\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBpending\fR
-.RS 4
-.PP
-Number of queued lock calls\&. This includes database locks and record locks\&.
-.RE
-.SS "hop_count_buckets"
-.PP
-Distribution of migration requests based on hop counts values\&. Buckets are 0, <\ \&2, <\ \&4, <\ \&8, <\ \&16, <\ \&32, <\ \&64, <\ \&128, <\ \&256, <\ \&512, <\ \&1024, <\ \&2048, <\ \&4096, <\ \&8192, <\ \&16384, ≥\ \&16384\&.
-.SS "lock_buckets"
-.PP
-Distribution of record lock requests based on time required to obtain locks\&. Buckets are <\ \&1ms, <\ \&10ms, <\ \&100ms, <\ \&1s, <\ \&2s, <\ \&4s, <\ \&8s, <\ \&16s, <\ \&32s, <\ \&64s, ≥\ \&64s\&.
-.SS "locks_latency"
-.PP
-The minimum, the average and the maximum time (in seconds) required to obtain record locks\&.
-.SS "Num Hot Keys"
-.PP
-Number of contended records determined by hop count\&. CTDB keeps track of top 10 hot records and the output shows hex encoded keys for the hot records\&.
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBctdbd\fR(1),
-\fBctdb-tunables\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb-tunables.7 b/net/samba413/files/man/ctdb-tunables.7
deleted file mode 100644
index 2de515b975c5..000000000000
--- a/net/samba413/files/man/ctdb-tunables.7
+++ /dev/null
@@ -1,406 +0,0 @@
-'\" t
-.\" Title: ctdb-tunables
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB\-TUNABLES" "7" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb-tunables \- CTDB tunable configuration variables
-.SH "DESCRIPTION"
-.PP
-CTDB\*(Aqs behaviour can be configured by setting run\-time tunable variables\&. This lists and describes all tunables\&. See the
-\fBctdb\fR(1)
-\fBlistvars\fR,
-\fBsetvar\fR
-and
-\fBgetvar\fR
-commands for more details\&.
-.PP
-Unless otherwise stated, tunables should be set to the same value on all nodes\&. Setting tunables to different values across nodes may produce unexpected results\&. Future releases may set (some or most) tunables globally across the cluster but doing so is currently a manual process\&.
-.PP
-Tunables can be set at startup from the
-/usr/local/etc/ctdb/ctdb\&.tunables
-configuration file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-\fITUNABLE\fR=\fIVALUE\fR
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-For example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-MonitorInterval=20
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The available tunable variables are listed alphabetically below\&.
-.SS "AllowClientDBAttach"
-.PP
-Default: 1
-.PP
-When set to 0, clients are not allowed to attach to any databases\&. This can be used to temporarily block any new processes from attaching to and accessing the databases\&. This is mainly used for detaching a volatile database using \*(Aqctdb detach\*(Aq\&.
-.SS "AllowMixedVersions"
-.PP
-Default: 0
-.PP
-CTDB will not allow incompatible versions to co\-exist in a cluster\&. If a version mismatch is found, then losing CTDB will shutdown\&. To disable the incompatible version check, set this tunable to 1\&.
-.PP
-For version checking, CTDB uses major and minor version\&. For example, CTDB 4\&.6\&.1 and CTDB 4\&.6\&.2 are matching versions; CTDB 4\&.5\&.x and CTDB 4\&.6\&.y do not match\&.
-.PP
-CTDB with version check support will lose to CTDB without version check support\&. Between two different CTDB versions with version check support, one running for less time will lose\&. If the running time for both CTDB versions with version check support is equal (to seconds), then the older version will lose\&. The losing CTDB daemon will shutdown\&.
-.SS "AllowUnhealthyDBRead"
-.PP
-Default: 0
-.PP
-When set to 1, ctdb allows database traverses to read unhealthy databases\&. By default, ctdb does not allow reading records from unhealthy databases\&.
-.SS "ControlTimeout"
-.PP
-Default: 60
-.PP
-This is the default setting for timeout for when sending a control message to either the local or a remote ctdb daemon\&.
-.SS "DatabaseHashSize"
-.PP
-Default: 100001
-.PP
-Number of the hash chains for the local store of the tdbs that ctdb manages\&.
-.SS "DatabaseMaxDead"
-.PP
-Default: 5
-.PP
-Maximum number of dead records per hash chain for the tdb databses managed by ctdb\&.
-.SS "DBRecordCountWarn"
-.PP
-Default: 100000
-.PP
-When set to non\-zero, ctdb will log a warning during recovery if a database has more than this many records\&. This will produce a warning if a database grows uncontrollably with orphaned records\&.
-.SS "DBRecordSizeWarn"
-.PP
-Default: 10000000
-.PP
-When set to non\-zero, ctdb will log a warning during recovery if a single record is bigger than this size\&. This will produce a warning if a database record grows uncontrollably\&.
-.SS "DBSizeWarn"
-.PP
-Default: 1000000000
-.PP
-When set to non\-zero, ctdb will log a warning during recovery if a database size is bigger than this\&. This will produce a warning if a database grows uncontrollably\&.
-.SS "DeferredAttachTO"
-.PP
-Default: 120
-.PP
-When databases are frozen we do not allow clients to attach to the databases\&. Instead of returning an error immediately to the client, the attach request from the client is deferred until the database becomes available again at which stage we respond to the client\&.
-.PP
-This timeout controls how long we will defer the request from the client before timing it out and returning an error to the client\&.
-.SS "ElectionTimeout"
-.PP
-Default: 3
-.PP
-The number of seconds to wait for the election of recovery master to complete\&. If the election is not completed during this interval, then that round of election fails and ctdb starts a new election\&.
-.SS "EnableBans"
-.PP
-Default: 1
-.PP
-This parameter allows ctdb to ban a node if the node is misbehaving\&.
-.PP
-When set to 0, this disables banning completely in the cluster and thus nodes can not get banned, even it they break\&. Don\*(Aqt set to 0 unless you know what you are doing\&.
-.SS "EventScriptTimeout"
-.PP
-Default: 30
-.PP
-Maximum time in seconds to allow an event to run before timing out\&. This is the total time for all enabled scripts that are run for an event, not just a single event script\&.
-.PP
-Note that timeouts are ignored for some events ("takeip", "releaseip", "startrecovery", "recovered") and converted to success\&. The logic here is that the callers of these events implement their own additional timeout\&.
-.SS "FetchCollapse"
-.PP
-Default: 1
-.PP
-This parameter is used to avoid multiple migration requests for the same record from a single node\&. All the record requests for the same record are queued up and processed when the record is migrated to the current node\&.
-.PP
-When many clients across many nodes try to access the same record at the same time this can lead to a fetch storm where the record becomes very active and bounces between nodes very fast\&. This leads to high CPU utilization of the ctdbd daemon, trying to bounce that record around very fast, and poor performance\&. This can improve performance and reduce CPU utilization for certain workloads\&.
-.SS "HopcountMakeSticky"
-.PP
-Default: 50
-.PP
-For database(s) marked STICKY (using \*(Aqctdb setdbsticky\*(Aq), any record that is migrating so fast that hopcount exceeds this limit is marked as STICKY record for
-\fIStickyDuration\fR
-seconds\&. This means that after each migration the sticky record will be kept on the node
-\fIStickyPindown\fRmilliseconds and prevented from being migrated off the node\&.
-.PP
-This will improve performance for certain workloads, such as locking\&.tdb if many clients are opening/closing the same file concurrently\&.
-.SS "IPAllocAlgorithm"
-.PP
-Default: 2
-.PP
-Selects the algorithm that CTDB should use when doing public IP address allocation\&. Meaningful values are:
-.PP
-0
-.RS 4
-Deterministic IP address allocation\&.
-.sp
-This is a simple and fast option\&. However, it can cause unnecessary address movement during fail\-over because each address has a "home" node\&. Works badly when some nodes do not have any addresses defined\&. Should be used with care when addresses are defined across multiple networks\&.
-.RE
-.PP
-1
-.RS 4
-Non\-deterministic IP address allocation\&.
-.sp
-This is a relatively fast option that attempts to do a minimise unnecessary address movements\&. Addresses do not have a "home" node\&. Rebalancing is limited but it usually adequate\&. Works badly when addresses are defined across multiple networks\&.
-.RE
-.PP
-2
-.RS 4
-LCP2 IP address allocation\&.
-.sp
-Uses a heuristic to assign addresses defined across multiple networks, usually balancing addresses on each network evenly across nodes\&. Addresses do not have a "home" node\&. Minimises unnecessary address movements\&. The algorithm is complex, so is slower than other choices for a large number of addresses\&. However, it can calculate an optimal assignment of 900 addresses in under 10 seconds on modern hardware\&.
-.RE
-.PP
-If the specified value is not one of these then the default will be used\&.
-.SS "KeepaliveInterval"
-.PP
-Default: 5
-.PP
-How often in seconds should the nodes send keep\-alive packets to each other\&.
-.SS "KeepaliveLimit"
-.PP
-Default: 5
-.PP
-After how many keepalive intervals without any traffic should a node wait until marking the peer as DISCONNECTED\&.
-.PP
-If a node has hung, it can take
-\fIKeepaliveInterval\fR
-* (\fIKeepaliveLimit\fR
-+ 1) seconds before ctdb determines that the node is DISCONNECTED and performs a recovery\&. This limit should not be set too high to enable early detection and avoid any application timeouts (e\&.g\&. SMB1) to kick in before the fail over is completed\&.
-.SS "LockProcessesPerDB"
-.PP
-Default: 200
-.PP
-This is the maximum number of lock helper processes ctdb will create for obtaining record locks\&. When ctdb cannot get a record lock without blocking, it creates a helper process that waits for the lock to be obtained\&.
-.SS "LogLatencyMs"
-.PP
-Default: 0
-.PP
-When set to non\-zero, ctdb will log if certains operations take longer than this value, in milliseconds, to complete\&. These operations include "process a record request from client", "take a record or database lock", "update a persistent database record" and "vacuum a database"\&.
-.SS "MaxQueueDropMsg"
-.PP
-Default: 1000000
-.PP
-This is the maximum number of messages to be queued up for a client before ctdb will treat the client as hung and will terminate the client connection\&.
-.SS "MonitorInterval"
-.PP
-Default: 15
-.PP
-How often should ctdb run the \*(Aqmonitor\*(Aq event in seconds to check for a node\*(Aqs health\&.
-.SS "MonitorTimeoutCount"
-.PP
-Default: 20
-.PP
-How many \*(Aqmonitor\*(Aq events in a row need to timeout before a node is flagged as UNHEALTHY\&. This setting is useful if scripts can not be written so that they do not hang for benign reasons\&.
-.SS "NoIPFailback"
-.PP
-Default: 0
-.PP
-When set to 1, ctdb will not perform failback of IP addresses when a node becomes healthy\&. When a node becomes UNHEALTHY, ctdb WILL perform failover of public IP addresses, but when the node becomes HEALTHY again, ctdb will not fail the addresses back\&.
-.PP
-Use with caution! Normally when a node becomes available to the cluster ctdb will try to reassign public IP addresses onto the new node as a way to distribute the workload evenly across the clusternode\&. Ctdb tries to make sure that all running nodes have approximately the same number of public addresses it hosts\&.
-.PP
-When you enable this tunable, ctdb will no longer attempt to rebalance the cluster by failing IP addresses back to the new nodes\&. An unbalanced cluster will therefore remain unbalanced until there is manual intervention from the administrator\&. When this parameter is set, you can manually fail public IP addresses over to the new node(s) using the \*(Aqctdb moveip\*(Aq command\&.
-.SS "NoIPTakeover"
-.PP
-Default: 0
-.PP
-When set to 1, ctdb will not allow IP addresses to be failed over to other nodes\&. Any IP addresses already hosted on healthy nodes will remain\&. Any IP addresses hosted on unhealthy nodes will be released by unhealthy nodes and will become un\-hosted\&.
-.SS "PullDBPreallocation"
-.PP
-Default: 10*1024*1024
-.PP
-This is the size of a record buffer to pre\-allocate for sending reply to PULLDB control\&. Usually record buffer starts with size of the first record and gets reallocated every time a new record is added to the record buffer\&. For a large number of records, this can be very inefficient to grow the record buffer one record at a time\&.
-.SS "QueueBufferSize"
-.PP
-Default: 1024
-.PP
-This is the maximum amount of data (in bytes) ctdb will read from a socket at a time\&.
-.PP
-For a busy setup, if ctdb is not able to process the TCP sockets fast enough (large amount of data in Recv\-Q for tcp sockets), then this tunable value should be increased\&. However, large values can keep ctdb busy processing packets and prevent ctdb from handling other events\&.
-.SS "RecBufferSizeLimit"
-.PP
-Default: 1000000
-.PP
-This is the limit on the size of the record buffer to be sent in various controls\&. This limit is used by new controls used for recovery and controls used in vacuuming\&.
-.SS "RecdFailCount"
-.PP
-Default: 10
-.PP
-If the recovery daemon has failed to ping the main daemon for this many consecutive intervals, the main daemon will consider the recovery daemon as hung and will try to restart it to recover\&.
-.SS "RecdPingTimeout"
-.PP
-Default: 60
-.PP
-If the main daemon has not heard a "ping" from the recovery daemon for this many seconds, the main daemon will log a message that the recovery daemon is potentially hung\&. This also increments a counter which is checked against
-\fIRecdFailCount\fR
-for detection of hung recovery daemon\&.
-.SS "RecLockLatencyMs"
-.PP
-Default: 1000
-.PP
-When using a reclock file for split brain prevention, if set to non\-zero this tunable will make the recovery daemon log a message if the fcntl() call to lock/testlock the recovery file takes longer than this number of milliseconds\&.
-.SS "RecoverInterval"
-.PP
-Default: 1
-.PP
-How frequently in seconds should the recovery daemon perform the consistency checks to determine if it should perform a recovery\&.
-.SS "RecoverTimeout"
-.PP
-Default: 120
-.PP
-This is the default setting for timeouts for controls when sent from the recovery daemon\&. We allow longer control timeouts from the recovery daemon than from normal use since the recovery daemon often use controls that can take a lot longer than normal controls\&.
-.SS "RecoveryBanPeriod"
-.PP
-Default: 300
-.PP
-The duration in seconds for which a node is banned if the node fails during recovery\&. After this time has elapsed the node will automatically get unbanned and will attempt to rejoin the cluster\&.
-.PP
-A node usually gets banned due to real problems with the node\&. Don\*(Aqt set this value too small\&. Otherwise, a problematic node will try to re\-join cluster too soon causing unnecessary recoveries\&.
-.SS "RecoveryDropAllIPs"
-.PP
-Default: 120
-.PP
-If a node is stuck in recovery, or stopped, or banned, for this many seconds, then ctdb will release all public addresses on that node\&.
-.SS "RecoveryGracePeriod"
-.PP
-Default: 120
-.PP
-During recoveries, if a node has not caused recovery failures during the last grace period in seconds, any records of transgressions that the node has caused recovery failures will be forgiven\&. This resets the ban\-counter back to zero for that node\&.
-.SS "RepackLimit"
-.PP
-Default: 10000
-.PP
-During vacuuming, if the number of freelist records are more than
-\fIRepackLimit\fR, then the database is repacked to get rid of the freelist records to avoid fragmentation\&.
-.SS "RerecoveryTimeout"
-.PP
-Default: 10
-.PP
-Once a recovery has completed, no additional recoveries are permitted until this timeout in seconds has expired\&.
-.SS "SeqnumInterval"
-.PP
-Default: 1000
-.PP
-Some databases have seqnum tracking enabled, so that samba will be able to detect asynchronously when there has been updates to the database\&. Every time a database is updated its sequence number is increased\&.
-.PP
-This tunable is used to specify in milliseconds how frequently ctdb will send out updates to remote nodes to inform them that the sequence number is increased\&.
-.SS "StatHistoryInterval"
-.PP
-Default: 1
-.PP
-Granularity of the statistics collected in the statistics history\&. This is reported by \*(Aqctdb stats\*(Aq command\&.
-.SS "StickyDuration"
-.PP
-Default: 600
-.PP
-Once a record has been marked STICKY, this is the duration in seconds, the record will be flagged as a STICKY record\&.
-.SS "StickyPindown"
-.PP
-Default: 200
-.PP
-Once a STICKY record has been migrated onto a node, it will be pinned down on that node for this number of milliseconds\&. Any request from other nodes to migrate the record off the node will be deferred\&.
-.SS "TakeoverTimeout"
-.PP
-Default: 9
-.PP
-This is the duration in seconds in which ctdb tries to complete IP failover\&.
-.SS "TickleUpdateInterval"
-.PP
-Default: 20
-.PP
-Every
-\fITickleUpdateInterval\fR
-seconds, ctdb synchronizes the client connection information across nodes\&.
-.SS "TraverseTimeout"
-.PP
-Default: 20
-.PP
-This is the duration in seconds for which a database traverse is allowed to run\&. If the traverse does not complete during this interval, ctdb will abort the traverse\&.
-.SS "VacuumFastPathCount"
-.PP
-Default: 60
-.PP
-During a vacuuming run, ctdb usually processes only the records marked for deletion also called the fast path vacuuming\&. After finishing
-\fIVacuumFastPathCount\fR
-number of fast path vacuuming runs, ctdb will trigger a scan of complete database for any empty records that need to be deleted\&.
-.SS "VacuumInterval"
-.PP
-Default: 10
-.PP
-Periodic interval in seconds when vacuuming is triggered for volatile databases\&.
-.SS "VacuumMaxRunTime"
-.PP
-Default: 120
-.PP
-The maximum time in seconds for which the vacuuming process is allowed to run\&. If vacuuming process takes longer than this value, then the vacuuming process is terminated\&.
-.SS "VerboseMemoryNames"
-.PP
-Default: 0
-.PP
-When set to non\-zero, ctdb assigns verbose names for some of the talloc allocated memory objects\&. These names are visible in the talloc memory report generated by \*(Aqctdb dumpmemory\*(Aq\&.
-.SH "FILES>"
-.RS 4
-/usr/local/etc/ctdb/ctdb\&.tunables
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBctdbd\fR(1),
-\fBctdb.conf\fR(5),
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Ronnie Sahlberg, Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb.1 b/net/samba413/files/man/ctdb.1
deleted file mode 100644
index ad254aa4404e..000000000000
--- a/net/samba413/files/man/ctdb.1
+++ /dev/null
@@ -1,1526 +0,0 @@
-'\" t
-.\" Title: ctdb
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb \- CTDB management utility
-.SH "SYNOPSIS"
-.HP \w'\fBctdb\fR\ 'u
-\fBctdb\fR [\fIOPTION\fR...] {\fICOMMAND\fR} [\fICOMMAND\-ARGS\fR]
-.SH "DESCRIPTION"
-.PP
-ctdb is a utility to view and manage a CTDB cluster\&.
-.PP
-The following terms are used when referring to nodes in a cluster:
-.PP
-PNN
-.RS 4
-Physical Node Number\&. The physical node number is an integer that describes the node in the cluster\&. The first node has physical node number 0\&. in a cluster\&.
-.RE
-.PP
-PNN\-LIST
-.RS 4
-This is either a single PNN, a comma\-separate list of PNNs or "all"\&.
-.RE
-.PP
-Commands that reference a database use the following terms:
-.PP
-DB
-.RS 4
-This is either a database name, such as
-locking\&.tdb
-or a database ID such as "0x42fe72c5"\&.
-.RE
-.PP
-DB\-LIST
-.RS 4
-A space separated list of at least one
-\fIDB\fR\&.
-.RE
-.SH "OPTIONS"
-.PP
-\-n \fIPNN\fR
-.RS 4
-The node specified by PNN should be queried for the requested information\&. Default is to query the daemon running on the local host\&.
-.RE
-.PP
-\-Y
-.RS 4
-Produce output in machine readable form for easier parsing by scripts\&. This uses a field delimiter of \*(Aq:\*(Aq\&. Not all commands support this option\&.
-.RE
-.PP
-\-x \fISEPARATOR\fR
-.RS 4
-Use SEPARATOR to delimit fields in machine readable output\&. This implies \-Y\&.
-.RE
-.PP
-\-X
-.RS 4
-Produce output in machine readable form for easier parsing by scripts\&. This uses a field delimiter of \*(Aq|\*(Aq\&. Not all commands support this option\&.
-.sp
-This is equivalent to "\-x|" and avoids some shell quoting issues\&.
-.RE
-.PP
-\-t \fITIMEOUT\fR
-.RS 4
-Indicates that ctdb should wait up to TIMEOUT seconds for a response to most commands sent to the CTDB daemon\&. The default is 10 seconds\&.
-.RE
-.PP
-\-T \fITIMELIMIT\fR
-.RS 4
-Indicates that TIMELIMIT is the maximum run time (in seconds) for the ctdb command\&. When TIMELIMIT is exceeded the ctdb command will terminate with an error\&. The default is 120 seconds\&.
-.RE
-.PP
-\-? \-\-help
-.RS 4
-Print some help text to the screen\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Print usage information to the screen\&.
-.RE
-.PP
-\-d \-\-debug=\fIDEBUGLEVEL\fR
-.RS 4
-Change the debug level for the command\&. Default is NOTICE\&.
-.RE
-.SH "ADMINISTRATIVE COMMANDS"
-.PP
-These are commands used to monitor and administer a CTDB cluster\&.
-.SS "pnn"
-.PP
-This command displays the PNN of the current node\&.
-.SS "status"
-.PP
-This command shows the current status of all CTDB nodes based on information from the queried node\&.
-.PP
-Note: If the queried node is INACTIVE then the status might not be current\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNode status\fR
-.RS 4
-.PP
-This includes the number of physical nodes and the status of each node\&. See
-\fBctdb\fR(7)
-for information about node states\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBGeneration\fR
-.RS 4
-.PP
-The generation id is a number that indicates the current generation of a cluster instance\&. Each time a cluster goes through a reconfiguration or a recovery its generation id will be changed\&.
-.PP
-This number does not have any particular meaning other than to keep track of when a cluster has gone through a recovery\&. It is a random number that represents the current instance of a ctdb cluster and its databases\&. The CTDB daemon uses this number internally to be able to tell when commands to operate on the cluster and the databases was issued in a different generation of the cluster, to ensure that commands that operate on the databases will not survive across a cluster database recovery\&. After a recovery, all old outstanding commands will automatically become invalid\&.
-.PP
-Sometimes this number will be shown as "INVALID"\&. This only means that the ctdbd daemon has started but it has not yet merged with the cluster through a recovery\&. All nodes start with generation "INVALID" and are not assigned a real generation id until they have successfully been merged with a cluster through a recovery\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBVirtual Node Number (VNN) map\fR
-.RS 4
-.PP
-Consists of the number of virtual nodes and mapping from virtual node numbers to physical node numbers\&. Only nodes that are participating in the VNN map can become lmaster for database records\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBRecovery mode\fR
-.RS 4
-.PP
-This is the current recovery mode of the cluster\&. There are two possible modes:
-.PP
-NORMAL \- The cluster is fully operational\&.
-.PP
-RECOVERY \- The cluster databases have all been frozen, pausing all services while the cluster awaits a recovery process to complete\&. A recovery process should finish within seconds\&. If a cluster is stuck in the RECOVERY state this would indicate a cluster malfunction which needs to be investigated\&.
-.PP
-Once the recovery master detects an inconsistency, for example a node becomes disconnected/connected, the recovery daemon will trigger a cluster recovery process, where all databases are remerged across the cluster\&. When this process starts, the recovery master will first "freeze" all databases to prevent applications such as samba from accessing the databases and it will also mark the recovery mode as RECOVERY\&.
-.PP
-When the CTDB daemon starts up, it will start in RECOVERY mode\&. Once the node has been merged into a cluster and all databases have been recovered, the node mode will change into NORMAL mode and the databases will be "thawed", allowing samba to access the databases again\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBRecovery master\fR
-.RS 4
-.PP
-This is the cluster node that is currently designated as the recovery master\&. This node is responsible of monitoring the consistency of the cluster and to perform the actual recovery process when reqired\&.
-.PP
-Only one node at a time can be the designated recovery master\&. Which node is designated the recovery master is decided by an election process in the recovery daemons running on each node\&.
-.RE
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb status
-Number of nodes:4
-pnn:0 192\&.168\&.2\&.200 OK (THIS NODE)
-pnn:1 192\&.168\&.2\&.201 OK
-pnn:2 192\&.168\&.2\&.202 OK
-pnn:3 192\&.168\&.2\&.203 OK
-Generation:1362079228
-Size:4
-hash:0 lmaster:0
-hash:1 lmaster:1
-hash:2 lmaster:2
-hash:3 lmaster:3
-Recovery mode:NORMAL (0)
-Recovery master:0
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "nodestatus [\fIPNN\-LIST\fR]"
-.PP
-This command is similar to the
-\fBstatus\fR
-command\&. It displays the "node status" subset of output\&. The main differences are:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-The exit code is the bitwise\-OR of the flags for each specified node, while
-\fBctdb status\fR
-exits with 0 if it was able to retrieve status for all nodes\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-\fBctdb status\fR
-provides status information for all nodes\&.
-\fBctdb nodestatus\fR
-defaults to providing status for only the current node\&. If PNN\-LIST is provided then status is given for the indicated node(s)\&.
-.RE
-.PP
-A common invocation in scripts is
-\fBctdb nodestatus all\fR
-to check whether all nodes in a cluster are healthy\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb nodestatus
-pnn:0 10\&.0\&.0\&.30 OK (THIS NODE)
-
-# ctdb nodestatus all
-Number of nodes:2
-pnn:0 10\&.0\&.0\&.30 OK (THIS NODE)
-pnn:1 10\&.0\&.0\&.31 OK
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "recmaster"
-.PP
-This command shows the pnn of the node which is currently the recmaster\&.
-.PP
-Note: If the queried node is INACTIVE then the status might not be current\&.
-.SS "uptime"
-.PP
-This command shows the uptime for the ctdb daemon\&. When the last recovery or ip\-failover completed and how long it took\&. If the "duration" is shown as a negative number, this indicates that there is a recovery/failover in progress and it started that many seconds ago\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb uptime
-Current time of node : Thu Oct 29 10:38:54 2009
-Ctdbd start time : (000 16:54:28) Wed Oct 28 17:44:26 2009
-Time of last recovery/failover: (000 16:53:31) Wed Oct 28 17:45:23 2009
-Duration of last recovery/failover: 2\&.248552 seconds
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "listnodes"
-.PP
-This command shows lists the ip addresses of all the nodes in the cluster\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb listnodes
-192\&.168\&.2\&.200
-192\&.168\&.2\&.201
-192\&.168\&.2\&.202
-192\&.168\&.2\&.203
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "natgw {master|list|status}"
-.PP
-This command shows different aspects of NAT gateway status\&. For an overview of CTDB\*(Aqs NAT gateway functionality please see the
-NAT GATEWAY
-section in
-\fBctdb\fR(7)\&.
-.PP
-master
-.RS 4
-Show the PNN and private IP address of the current NAT gateway master node\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-1 192\&.168\&.2\&.201
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-list
-.RS 4
-List the private IP addresses of nodes in the current NAT gateway group, annotating the master node\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-192\&.168\&.2\&.200
-192\&.168\&.2\&.201 MASTER
-192\&.168\&.2\&.202
-192\&.168\&.2\&.203
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-status
-.RS 4
-List the nodes in the current NAT gateway group and their status\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-pnn:0 192\&.168\&.2\&.200 UNHEALTHY (THIS NODE)
-pnn:1 192\&.168\&.2\&.201 OK
-pnn:2 192\&.168\&.2\&.202 OK
-pnn:3 192\&.168\&.2\&.203 OK
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "ping"
-.PP
-This command will "ping" specified CTDB nodes in the cluster to verify that they are running\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb ping
-response from 0 time=0\&.000054 sec (3 clients)
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "ifaces"
-.PP
-This command will display the list of network interfaces, which could host public addresses, along with their status\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb ifaces
-Interfaces on node 0
-name:eth5 link:up references:2
-name:eth4 link:down references:0
-name:eth3 link:up references:1
-name:eth2 link:up references:1
-
-# ctdb \-X ifaces
-|Name|LinkStatus|References|
-|eth5|1|2|
-|eth4|0|0|
-|eth3|1|1|
-|eth2|1|1|
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "ip"
-.PP
-This command will display the list of public addresses that are provided by the cluster and which physical node is currently serving this ip\&. By default this command will ONLY show those public addresses that are known to the node itself\&. To see the full list of all public ips across the cluster you must use "ctdb ip all"\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb ip \-v
-Public IPs on node 0
-172\&.31\&.91\&.82 node[1] active[] available[eth2,eth3] configured[eth2,eth3]
-172\&.31\&.91\&.83 node[0] active[eth3] available[eth2,eth3] configured[eth2,eth3]
-172\&.31\&.91\&.84 node[1] active[] available[eth2,eth3] configured[eth2,eth3]
-172\&.31\&.91\&.85 node[0] active[eth2] available[eth2,eth3] configured[eth2,eth3]
-172\&.31\&.92\&.82 node[1] active[] available[eth5] configured[eth4,eth5]
-172\&.31\&.92\&.83 node[0] active[eth5] available[eth5] configured[eth4,eth5]
-172\&.31\&.92\&.84 node[1] active[] available[eth5] configured[eth4,eth5]
-172\&.31\&.92\&.85 node[0] active[eth5] available[eth5] configured[eth4,eth5]
-
-# ctdb \-X ip \-v
-|Public IP|Node|ActiveInterface|AvailableInterfaces|ConfiguredInterfaces|
-|172\&.31\&.91\&.82|1||eth2,eth3|eth2,eth3|
-|172\&.31\&.91\&.83|0|eth3|eth2,eth3|eth2,eth3|
-|172\&.31\&.91\&.84|1||eth2,eth3|eth2,eth3|
-|172\&.31\&.91\&.85|0|eth2|eth2,eth3|eth2,eth3|
-|172\&.31\&.92\&.82|1||eth5|eth4,eth5|
-|172\&.31\&.92\&.83|0|eth5|eth5|eth4,eth5|
-|172\&.31\&.92\&.84|1||eth5|eth4,eth5|
-|172\&.31\&.92\&.85|0|eth5|eth5|eth4,eth5|
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "ipinfo \fIIP\fR"
-.PP
-This command will display details about the specified public addresses\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb ipinfo 172\&.31\&.92\&.85
-Public IP[172\&.31\&.92\&.85] info on node 0
-IP:172\&.31\&.92\&.85
-CurrentNode:0
-NumInterfaces:2
-Interface[1]: Name:eth4 Link:down References:0
-Interface[2]: Name:eth5 Link:up References:2 (active)
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "event run|status|script list|script enable|script disable"
-.PP
-This command is used to control event daemon and to inspect status of various events\&.
-.PP
-The commands below require a component to be specified\&. In the current version the only valid component is
-legacy\&.
-.PP
-run \fITIMEOUT\fR \fICOMPONENT\fR \fIEVENT\fR [\fIARGUMENTS\fR]
-.RS 4
-This command can be used to manually run specified EVENT in COMPONENT with optional ARGUMENTS\&. The event will be allowed to run a maximum of TIMEOUT seconds\&. If TIMEOUT is 0, then there is no time limit for running the event\&.
-.RE
-.PP
-status \fICOMPONENT\fR \fIEVENT\fR
-.RS 4
-This command displays the last execution status of the specified EVENT in COMPONENT\&.
-.sp
-The command will terminate with the exit status corresponding to the overall status of event that is displayed\&.
-.sp
-The output is the list of event scripts executed\&. Each line shows the name, status, duration and start time for each script\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-00\&.ctdb OK 0\&.014 Sat Dec 17 19:39:11 2016
-01\&.reclock OK 0\&.013 Sat Dec 17 19:39:11 2016
-05\&.system OK 0\&.029 Sat Dec 17 19:39:11 2016
-06\&.nfs OK 0\&.014 Sat Dec 17 19:39:11 2016
-10\&.interface OK 0\&.037 Sat Dec 17 19:39:11 2016
-11\&.natgw OK 0\&.011 Sat Dec 17 19:39:11 2016
-11\&.routing OK 0\&.007 Sat Dec 17 19:39:11 2016
-13\&.per_ip_routing OK 0\&.007 Sat Dec 17 19:39:11 2016
-20\&.multipathd OK 0\&.007 Sat Dec 17 19:39:11 2016
-31\&.clamd OK 0\&.007 Sat Dec 17 19:39:11 2016
-40\&.vsftpd OK 0\&.013 Sat Dec 17 19:39:11 2016
-41\&.httpd OK 0\&.018 Sat Dec 17 19:39:11 2016
-49\&.winbind OK 0\&.023 Sat Dec 17 19:39:11 2016
-50\&.samba OK 0\&.100 Sat Dec 17 19:39:12 2016
-60\&.nfs OK 0\&.376 Sat Dec 17 19:39:12 2016
-70\&.iscsi OK 0\&.009 Sat Dec 17 19:39:12 2016
-91\&.lvs OK 0\&.007 Sat Dec 17 19:39:12 2016
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-script list \fICOMPONENT\fR
-.RS 4
-List the available event scripts in COMPONENT\&. Enabled scripts are flagged with a \*(Aq*\*(Aq\&.
-.sp
-Generally, event scripts are provided by CTDB\&. However, local or 3rd party event scripts may also be available\&. These are shown in a separate section after those provided by CTDB\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-* 00\&.ctdb
-* 01\&.reclock
-* 05\&.system
-* 06\&.nfs
-* 10\&.interface
- 11\&.natgw
- 11\&.routing
- 13\&.per_ip_routing
- 20\&.multipathd
- 31\&.clamd
- 40\&.vsftpd
- 41\&.httpd
-* 49\&.winbind
-* 50\&.samba
-* 60\&.nfs
- 70\&.iscsi
- 91\&.lvs
-
-* 02\&.local
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-script enable \fICOMPONENT\fR \fISCRIPT\fR
-.RS 4
-Enable the specified event SCRIPT in COMPONENT\&. Only enabled scripts will be executed when running any event\&.
-.RE
-.PP
-script disable \fICOMPONENT\fR \fISCRIPT\fR
-.RS 4
-Disable the specified event SCRIPT in COMPONENT\&. This will prevent the script from executing when running any event\&.
-.RE
-.SS "scriptstatus"
-.PP
-This command displays which event scripts where run in the previous monitoring cycle and the result of each script\&. If a script failed with an error, causing the node to become unhealthy, the output from that script is also shown\&.
-.PP
-This command is deprecated\&. It\*(Aqs provided for backward compatibility\&. In place of
-\fBctdb scriptstatus\fR, use
-\fBctdb event status\fR\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb scriptstatus
-00\&.ctdb OK 0\&.011 Sat Dec 17 19:40:46 2016
-01\&.reclock OK 0\&.010 Sat Dec 17 19:40:46 2016
-05\&.system OK 0\&.030 Sat Dec 17 19:40:46 2016
-06\&.nfs OK 0\&.014 Sat Dec 17 19:40:46 2016
-10\&.interface OK 0\&.041 Sat Dec 17 19:40:46 2016
-11\&.natgw OK 0\&.008 Sat Dec 17 19:40:46 2016
-11\&.routing OK 0\&.007 Sat Dec 17 19:40:46 2016
-13\&.per_ip_routing OK 0\&.007 Sat Dec 17 19:40:46 2016
-20\&.multipathd OK 0\&.007 Sat Dec 17 19:40:46 2016
-31\&.clamd OK 0\&.007 Sat Dec 17 19:40:46 2016
-40\&.vsftpd OK 0\&.013 Sat Dec 17 19:40:46 2016
-41\&.httpd OK 0\&.015 Sat Dec 17 19:40:46 2016
-49\&.winbind OK 0\&.022 Sat Dec 17 19:40:46 2016
-50\&.samba ERROR 0\&.077 Sat Dec 17 19:40:46 2016
- OUTPUT: ERROR: samba tcp port 445 is not responding
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "listvars"
-.PP
-List all tuneable variables, except the values of the obsolete tunables like VacuumMinInterval\&. The obsolete tunables can be retrieved only explicitly with the "ctdb getvar" command\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb listvars
-SeqnumInterval = 1000
-ControlTimeout = 60
-TraverseTimeout = 20
-KeepaliveInterval = 5
-KeepaliveLimit = 5
-RecoverTimeout = 120
-RecoverInterval = 1
-ElectionTimeout = 3
-TakeoverTimeout = 9
-MonitorInterval = 15
-TickleUpdateInterval = 20
-EventScriptTimeout = 30
-MonitorTimeoutCount = 20
-RecoveryGracePeriod = 120
-RecoveryBanPeriod = 300
-DatabaseHashSize = 100001
-DatabaseMaxDead = 5
-RerecoveryTimeout = 10
-EnableBans = 1
-NoIPFailback = 0
-VerboseMemoryNames = 0
-RecdPingTimeout = 60
-RecdFailCount = 10
-LogLatencyMs = 0
-RecLockLatencyMs = 1000
-RecoveryDropAllIPs = 120
-VacuumInterval = 10
-VacuumMaxRunTime = 120
-RepackLimit = 10000
-VacuumFastPathCount = 60
-MaxQueueDropMsg = 1000000
-AllowUnhealthyDBRead = 0
-StatHistoryInterval = 1
-DeferredAttachTO = 120
-AllowClientDBAttach = 1
-RecoverPDBBySeqNum = 1
-DeferredRebalanceOnNodeAdd = 300
-FetchCollapse = 1
-HopcountMakeSticky = 50
-StickyDuration = 600
-StickyPindown = 200
-NoIPTakeover = 0
-DBRecordCountWarn = 100000
-DBRecordSizeWarn = 10000000
-DBSizeWarn = 100000000
-PullDBPreallocation = 10485760
-LockProcessesPerDB = 200
-RecBufferSizeLimit = 1000000
-QueueBufferSize = 1024
-IPAllocAlgorithm = 2
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "getvar \fINAME\fR"
-.PP
-Get the runtime value of a tuneable variable\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb getvar MonitorInterval
-MonitorInterval = 15
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "setvar \fINAME\fR \fIVALUE\fR"
-.PP
-Set the runtime value of a tuneable variable\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb setvar MonitorInterval 20
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "lvs {master|list|status}"
-.PP
-This command shows different aspects of LVS status\&. For an overview of CTDB\*(Aqs LVS functionality please see the
-LVS
-section in
-\fBctdb\fR(7)\&.
-.PP
-master
-.RS 4
-Shows the PNN of the current LVS master node\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-2
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-list
-.RS 4
-Lists the currently usable LVS nodes\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-2 10\&.0\&.0\&.13
-3 10\&.0\&.0\&.14
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.PP
-status
-.RS 4
-List the nodes in the current LVS group and their status\&.
-.sp
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-pnn:0 10\&.0\&.0\&.11 UNHEALTHY (THIS NODE)
-pnn:1 10\&.0\&.0\&.12 UNHEALTHY
-pnn:2 10\&.0\&.0\&.13 OK
-pnn:3 10\&.0\&.0\&.14 OK
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "getcapabilities"
-.PP
-This command shows the capabilities of the current node\&. See the
-CAPABILITIES
-section in
-\fBctdb\fR(7)
-for more details\&.
-.PP
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-RECMASTER: YES
-LMASTER: YES
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "statistics"
-.PP
-Collect statistics from the CTDB daemon about how many calls it has served\&. Information about various fields in statistics can be found in
-\fBctdb-statistics\fR(7)\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb statistics
-CTDB version 1
-Current time of statistics : Tue Mar 8 15:18:51 2016
-Statistics collected since : (003 21:31:32) Fri Mar 4 17:47:19 2016
- num_clients 9
- frozen 0
- recovering 0
- num_recoveries 2
- client_packets_sent 8170534
- client_packets_recv 7166132
- node_packets_sent 16549998
- node_packets_recv 5244418
- keepalive_packets_sent 201969
- keepalive_packets_recv 201969
- node
- req_call 26
- reply_call 0
- req_dmaster 9
- reply_dmaster 12
- reply_error 0
- req_message 1339231
- req_control 8177506
- reply_control 6831284
- client
- req_call 15
- req_message 334809
- req_control 6831308
- timeouts
- call 0
- control 0
- traverse 0
- locks
- num_calls 8
- num_current 0
- num_pending 0
- num_failed 0
- total_calls 15
- pending_calls 0
- childwrite_calls 0
- pending_childwrite_calls 0
- memory_used 394879
- max_hop_count 1
- total_ro_delegations 0
- total_ro_revokes 0
- hop_count_buckets: 8 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0
- lock_buckets: 0 0 8 0 0 0 0 0 0 0 0 0 0 0 0 0
- locks_latency MIN/AVG/MAX 0\&.010005/0\&.010418/0\&.011010 sec out of 8
- reclock_ctdbd MIN/AVG/MAX 0\&.002538/0\&.002538/0\&.002538 sec out of 1
- reclock_recd MIN/AVG/MAX 0\&.000000/0\&.000000/0\&.000000 sec out of 0
- call_latency MIN/AVG/MAX 0\&.000044/0\&.002142/0\&.011702 sec out of 15
- childwrite_latency MIN/AVG/MAX 0\&.000000/0\&.000000/0\&.000000 sec out of 0
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "statisticsreset"
-.PP
-This command is used to clear all statistics counters in a node\&.
-.PP
-Example: ctdb statisticsreset
-.SS "dbstatistics \fIDB\fR"
-.PP
-Display statistics about the database DB\&. Information about various fields in dbstatistics can be found in
-\fBctdb-statistics\fR(7)\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb dbstatistics locking\&.tdb
-DB Statistics: locking\&.tdb
- ro_delegations 0
- ro_revokes 0
- locks
- total 14356
- failed 0
- current 0
- pending 0
- hop_count_buckets: 28087 2 1 0 0 0 0 0 0 0 0 0 0 0 0 0
- lock_buckets: 0 14188 38 76 32 19 3 0 0 0 0 0 0 0 0 0
- locks_latency MIN/AVG/MAX 0\&.001066/0\&.012686/4\&.202292 sec out of 14356
- vacuum_latency MIN/AVG/MAX 0\&.000472/0\&.002207/15\&.243570 sec out of 224530
- Num Hot Keys: 1
- Count:8 Key:ff5bd7cb3ee3822edc1f0000000000000000000000000000
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "getreclock"
-.PP
-Show details of the recovery lock, if any\&.
-.PP
-Example output:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- /clusterfs/\&.ctdb/recovery\&.lock
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "getdebug"
-.PP
-Get the current debug level for the node\&. the debug level controls what information is written to the log file\&.
-.PP
-The debug levels are mapped to the corresponding syslog levels\&. When a debug level is set, only those messages at that level and higher levels will be printed\&.
-.PP
-The list of debug levels from highest to lowest are :
-.PP
-ERROR WARNING NOTICE INFO DEBUG
-.SS "setdebug \fIDEBUGLEVEL\fR"
-.PP
-Set the debug level of a node\&. This controls what information will be logged\&.
-.PP
-The debuglevel is one of ERROR WARNING NOTICE INFO DEBUG
-.SS "getpid"
-.PP
-This command will return the process id of the ctdb daemon\&.
-.SS "disable"
-.PP
-This command is used to administratively disable a node in the cluster\&. A disabled node will still participate in the cluster and host clustered TDB records but its public ip address has been taken over by a different node and it no longer hosts any services\&.
-.SS "enable"
-.PP
-Re\-enable a node that has been administratively disabled\&.
-.SS "stop"
-.PP
-This command is used to administratively STOP a node in the cluster\&. A STOPPED node is connected to the cluster but will not host any public ip addresse, nor does it participate in the VNNMAP\&. The difference between a DISABLED node and a STOPPED node is that a STOPPED node does not host any parts of the database which means that a recovery is required to stop/continue nodes\&.
-.SS "continue"
-.PP
-Re\-start a node that has been administratively stopped\&.
-.SS "addip \fIIPADDR\fR/\fImask\fR \fIIFACE\fR"
-.PP
-This command is used to add a new public ip to a node during runtime\&. It should be followed by a
-\fBctdb ipreallocate\fR\&. This allows public addresses to be added to a cluster without having to restart the ctdb daemons\&.
-.PP
-Note that this only updates the runtime instance of ctdb\&. Any changes will be lost next time ctdb is restarted and the public addresses file is re\-read\&. If you want this change to be permanent you must also update the public addresses file manually\&.
-.SS "delip \fIIPADDR\fR"
-.PP
-This command flags IPADDR for deletion from a node at runtime\&. It should be followed by a
-\fBctdb ipreallocate\fR\&. If IPADDR is currently hosted by the node it is being removed from, this ensures that the IP will first be failed over to another node, if possible, and that it is then actually removed\&.
-.PP
-Note that this only updates the runtime instance of CTDB\&. Any changes will be lost next time CTDB is restarted and the public addresses file is re\-read\&. If you want this change to be permanent you must also update the public addresses file manually\&.
-.SS "moveip \fIIPADDR\fR \fIPNN\fR"
-.PP
-This command can be used to manually fail a public ip address to a specific node\&.
-.PP
-In order to manually override the "automatic" distribution of public ip addresses that ctdb normally provides, this command only works when you have changed the tunables for the daemon to:
-.PP
-IPAllocAlgorithm != 0
-.PP
-NoIPFailback = 1
-.SS "shutdown"
-.PP
-This command will shutdown a specific CTDB daemon\&.
-.SS "setlmasterrole on|off"
-.PP
-This command is used to enable/disable the LMASTER capability for a node at runtime\&. This capability determines whether or not a node can be used as an LMASTER for records in the database\&. A node that does not have the LMASTER capability will not show up in the vnnmap\&.
-.PP
-Nodes will by default have this capability, but it can be stripped off nodes by the setting in the sysconfig file or by using this command\&.
-.PP
-Once this setting has been enabled/disabled, you need to perform a recovery for it to take effect\&.
-.PP
-See also "ctdb getcapabilities"
-.SS "setrecmasterrole on|off"
-.PP
-This command is used to enable/disable the RECMASTER capability for a node at runtime\&. This capability determines whether or not a node can be used as an RECMASTER for the cluster\&. A node that does not have the RECMASTER capability can not win a recmaster election\&. A node that already is the recmaster for the cluster when the capability is stripped off the node will remain the recmaster until the next cluster election\&.
-.PP
-Nodes will by default have this capability, but it can be stripped off nodes by the setting in the sysconfig file or by using this command\&.
-.PP
-See also "ctdb getcapabilities"
-.SS "reloadnodes"
-.PP
-This command is used when adding new nodes, or removing existing nodes from an existing cluster\&.
-.PP
-Procedure to add nodes:
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 1." 4.2
-.\}
-To expand an existing cluster, first ensure with
-\fBctdb status\fR
-that all nodes are up and running and that they are all healthy\&. Do not try to expand a cluster unless it is completely healthy!
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 2." 4.2
-.\}
-On all nodes, edit
-/usr/local/etc/ctdb/nodes
-and
-\fIadd the new nodes at the end of this file\fR\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 3.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 3." 4.2
-.\}
-Verify that all the nodes have identical
-/usr/local/etc/ctdb/nodes
-files after adding the new nodes\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 4.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 4." 4.2
-.\}
-Run
-\fBctdb reloadnodes\fR
-to force all nodes to reload the nodes file\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 5.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 5." 4.2
-.\}
-Use
-\fBctdb status\fR
-on all nodes and verify that they now show the additional nodes\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 6.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 6." 4.2
-.\}
-Install and configure the new node and bring it online\&.
-.RE
-.PP
-Procedure to remove nodes:
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 1." 4.2
-.\}
-To remove nodes from an existing cluster, first ensure with
-\fBctdb status\fR
-that all nodes, except the node to be deleted, are up and running and that they are all healthy\&. Do not try to remove nodes from a cluster unless the cluster is completely healthy!
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 2." 4.2
-.\}
-Shutdown and power off the node to be removed\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 3.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 3." 4.2
-.\}
-On all other nodes, edit the
-/usr/local/etc/ctdb/nodes
-file and
-\fIcomment out\fR
-the nodes to be removed\&.
-\fIDo not delete the lines for the deleted nodes\fR, just comment them out by adding a \*(Aq#\*(Aq at the beginning of the lines\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 4.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 4." 4.2
-.\}
-Run
-\fBctdb reloadnodes\fR
-to force all nodes to reload the nodes file\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 5.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 5." 4.2
-.\}
-Use
-\fBctdb status\fR
-on all nodes and verify that the deleted nodes are no longer listed\&.
-.RE
-.SS "reloadips [\fIPNN\-LIST\fR]"
-.PP
-This command reloads the public addresses configuration file on the specified nodes\&. When it completes addresses will be reconfigured and reassigned across the cluster as necessary\&.
-.PP
-This command is currently unable to make changes to the netmask or interfaces associated with existing addresses\&. Such changes must be made in 2 steps by deleting addresses in question and re\-adding then\&. Unfortunately this will disrupt connections to the changed addresses\&.
-.SS "getdbmap"
-.PP
-This command lists all clustered TDB databases that the CTDB daemon has attached to\&. Some databases are flagged as PERSISTENT, this means that the database stores data persistently and the data will remain across reboots\&. One example of such a database is secrets\&.tdb where information about how the cluster was joined to the domain is stored\&. Some database are flagged as REPLICATED, this means that the data in that database is replicated across all the nodes\&. But the data will not remain across reboots\&. This type of database is used by CTDB to store it\*(Aqs internal state\&.
-.PP
-If a PERSISTENT database is not in a healthy state the database is flagged as UNHEALTHY\&. If there\*(Aqs at least one completely healthy node running in the cluster, it\*(Aqs possible that the content is restored by a recovery run automatically\&. Otherwise an administrator needs to analyze the problem\&.
-.PP
-See also "ctdb getdbstatus", "ctdb backupdb", "ctdb restoredb", "ctdb dumpbackup", "ctdb wipedb", "ctdb setvar AllowUnhealthyDBRead 1" and (if samba or tdb\-utils are installed) "tdbtool check"\&.
-.PP
-Most databases are not persistent and only store the state information that the currently running samba daemons need\&. These databases are always wiped when ctdb/samba starts and when a node is rebooted\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb getdbmap
-Number of databases:10
-dbid:0x435d3410 name:notify\&.tdb path:/var/lib/ctdb/notify\&.tdb\&.0
-dbid:0x42fe72c5 name:locking\&.tdb path:/var/lib/ctdb/locking\&.tdb\&.0
-dbid:0x1421fb78 name:brlock\&.tdb path:/var/lib/ctdb/brlock\&.tdb\&.0
-dbid:0x17055d90 name:connections\&.tdb path:/var/lib/ctdb/connections\&.tdb\&.0
-dbid:0xc0bdde6a name:sessionid\&.tdb path:/var/lib/ctdb/sessionid\&.tdb\&.0
-dbid:0x122224da name:test\&.tdb path:/var/lib/ctdb/test\&.tdb\&.0
-dbid:0x2672a57f name:idmap2\&.tdb path:/var/lib/ctdb/persistent/idmap2\&.tdb\&.0 PERSISTENT
-dbid:0xb775fff6 name:secrets\&.tdb path:/var/lib/ctdb/persistent/secrets\&.tdb\&.0 PERSISTENT
-dbid:0xe98e08b6 name:group_mapping\&.tdb path:/var/lib/ctdb/persistent/group_mapping\&.tdb\&.0 PERSISTENT
-dbid:0x7bbbd26c name:passdb\&.tdb path:/var/lib/ctdb/persistent/passdb\&.tdb\&.0 PERSISTENT
-
-# ctdb getdbmap # example for unhealthy database
-Number of databases:1
-dbid:0xb775fff6 name:secrets\&.tdb path:/var/lib/ctdb/persistent/secrets\&.tdb\&.0 PERSISTENT UNHEALTHY
-
-# ctdb \-X getdbmap
-|ID|Name|Path|Persistent|Unhealthy|
-|0x7bbbd26c|passdb\&.tdb|/var/lib/ctdb/persistent/passdb\&.tdb\&.0|1|0|
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "backupdb \fIDB\fR \fIFILE\fR"
-.PP
-Copy the contents of database DB to FILE\&. FILE can later be read back using
-\fBrestoredb\fR\&. This is mainly useful for backing up persistent databases such as
-secrets\&.tdb
-and similar\&.
-.SS "restoredb \fIFILE\fR [\fIDB\fR]"
-.PP
-This command restores a persistent database that was previously backed up using backupdb\&. By default the data will be restored back into the same database as it was created from\&. By specifying dbname you can restore the data into a different database\&.
-.SS "setdbreadonly \fIDB\fR"
-.PP
-This command will enable the read\-only record support for a database\&. This is an experimental feature to improve performance for contended records primarily in locking\&.tdb and brlock\&.tdb\&. When enabling this feature you must set it on all nodes in the cluster\&.
-.SS "setdbsticky \fIDB\fR"
-.PP
-This command will enable the sticky record support for the specified database\&. This is an experimental feature to improve performance for contended records primarily in locking\&.tdb and brlock\&.tdb\&. When enabling this feature you must set it on all nodes in the cluster\&.
-.SH "INTERNAL COMMANDS"
-.PP
-Internal commands are used by CTDB\*(Aqs scripts and are not required for managing a CTDB cluster\&. Their parameters and behaviour are subject to change\&.
-.SS "gettickles \fIIPADDR\fR"
-.PP
-Show TCP connections that are registered with CTDB to be "tickled" if there is a failover\&.
-.SS "gratarp \fIIPADDR\fR \fIINTERFACE\fR"
-.PP
-Send out a gratuitous ARP for the specified interface through the specified interface\&. This command is mainly used by the ctdb eventscripts\&.
-.SS "pdelete \fIDB\fR \fIKEY\fR"
-.PP
-Delete KEY from DB\&.
-.SS "pfetch \fIDB\fR \fIKEY\fR"
-.PP
-Print the value associated with KEY in DB\&.
-.SS "pstore \fIDB\fR \fIKEY\fR \fIFILE\fR"
-.PP
-Store KEY in DB with contents of FILE as the associated value\&.
-.SS "ptrans \fIDB\fR [\fIFILE\fR]"
-.PP
-Read a list of key\-value pairs, one per line from FILE, and store them in DB using a single transaction\&. An empty value is equivalent to deleting the given key\&.
-.PP
-The key and value should be separated by spaces or tabs\&. Each key/value should be a printable string enclosed in double\-quotes\&.
-.SS "runstate [setup|first_recovery|startup|running]"
-.PP
-Print the runstate of the specified node\&. Runstates are used to serialise important state transitions in CTDB, particularly during startup\&.
-.PP
-If one or more optional runstate arguments are specified then the node must be in one of these runstates for the command to succeed\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb runstate
-RUNNING
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "setifacelink \fIIFACE\fR up|down"
-.PP
-Set the internal state of network interface IFACE\&. This is typically used in the
-10\&.interface
-script in the "monitor" event\&.
-.PP
-Example: ctdb setifacelink eth0 up
-.SS "tickle"
-.PP
-Read a list of TCP connections, one per line, from standard input and send a TCP tickle to the source host for each connection\&. A connection is specified as:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \fISRC\-IPADDR\fR:\fISRC\-PORT\fR \fIDST\-IPADDR\fR:\fIDST\-PORT\fR
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-A single connection can be specified on the command\-line rather than on standard input\&.
-.PP
-A TCP tickle is a TCP ACK packet with an invalid sequence and acknowledge number and will when received by the source host result in it sending an immediate correct ACK back to the other end\&.
-.PP
-TCP tickles are useful to "tickle" clients after a IP failover has occurred since this will make the client immediately recognize the TCP connection has been disrupted and that the client will need to reestablish\&. This greatly speeds up the time it takes for a client to detect and reestablish after an IP failover in the ctdb cluster\&.
-.SS "version"
-.PP
-Display the CTDB version\&.
-.SH "DEBUGGING COMMANDS"
-.PP
-These commands are primarily used for CTDB development and testing and should not be used for normal administration\&.
-.SS "OPTIONS"
-.PP
-\-\-print\-emptyrecords
-.RS 4
-This enables printing of empty records when dumping databases with the catdb, cattbd and dumpdbbackup commands\&. Records with empty data segment are considered deleted by ctdb and cleaned by the vacuuming mechanism, so this switch can come in handy for debugging the vacuuming behaviour\&.
-.RE
-.PP
-\-\-print\-datasize
-.RS 4
-This lets database dumps (catdb, cattdb, dumpdbbackup) print the size of the record data instead of dumping the data contents\&.
-.RE
-.PP
-\-\-print\-lmaster
-.RS 4
-This lets catdb print the lmaster for each record\&.
-.RE
-.PP
-\-\-print\-hash
-.RS 4
-This lets database dumps (catdb, cattdb, dumpdbbackup) print the hash for each record\&.
-.RE
-.PP
-\-\-print\-recordflags
-.RS 4
-This lets catdb and dumpdbbackup print the record flags for each record\&. Note that cattdb always prints the flags\&.
-.RE
-.SS "process\-exists \fIPID\fR \fI[SRVID]\fR"
-.PP
-This command checks if a specific process exists on the CTDB host\&. This is mainly used by Samba to check if remote instances of samba are still running or not\&. When the optional SRVID argument is specified, the command check if a specific process exists on the CTDB host and has registered for specified SRVID\&.
-.SS "getdbstatus \fIDB\fR"
-.PP
-This command displays more details about a database\&.
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBExample\fR
-.RS 4
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-# ctdb getdbstatus test\&.tdb\&.0
-dbid: 0x122224da
-name: test\&.tdb
-path: /var/lib/ctdb/test\&.tdb\&.0
-PERSISTENT: no
-HEALTH: OK
-
-# ctdb getdbstatus registry\&.tdb # with a corrupted TDB
-dbid: 0xf2a58948
-name: registry\&.tdb
-path: /var/lib/ctdb/persistent/registry\&.tdb\&.0
-PERSISTENT: yes
-HEALTH: NO\-HEALTHY\-NODES \- ERROR \- Backup of corrupted TDB in \*(Aq/var/lib/ctdb/persistent/registry\&.tdb\&.0\&.corrupted\&.20091208091949\&.0Z\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.RE
-.SS "catdb \fIDB\fR"
-.PP
-Print a dump of the clustered TDB database DB\&.
-.SS "cattdb \fIDB\fR"
-.PP
-Print a dump of the contents of the local TDB database DB\&.
-.SS "dumpdbbackup \fIFILE\fR"
-.PP
-Print a dump of the contents from database backup FILE, similar to
-\fBcatdb\fR\&.
-.SS "wipedb \fIDB\fR"
-.PP
-Remove all contents of database DB\&.
-.SS "recover"
-.PP
-This command will trigger the recovery daemon to do a cluster recovery\&.
-.SS "ipreallocate, sync"
-.PP
-This command will force the recovery master to perform a full ip reallocation process and redistribute all ip addresses\&. This is useful to "reset" the allocations back to its default state if they have been changed using the "moveip" command\&. While a "recover" will also perform this reallocation, a recovery is much more hevyweight since it will also rebuild all the databases\&.
-.SS "attach \fIDBNAME\fR [persistent|replicated]"
-.PP
-Create a new CTDB database called DBNAME and attach to it on all nodes\&.
-.SS "detach \fIDB\-LIST\fR"
-.PP
-Detach specified non\-persistent database(s) from the cluster\&. This command will disconnect specified database(s) on all nodes in the cluster\&. This command should only be used when none of the specified database(s) are in use\&.
-.PP
-All nodes should be active and tunable AllowClientDBAccess should be disabled on all nodes before detaching databases\&.
-.SS "dumpmemory"
-.PP
-This is a debugging command\&. This command will make the ctdb daemon to write a fill memory allocation map to standard output\&.
-.SS "rddumpmemory"
-.PP
-This is a debugging command\&. This command will dump the talloc memory allocation tree for the recovery daemon to standard output\&.
-.SS "ban \fIBANTIME\fR"
-.PP
-Administratively ban a node for BANTIME seconds\&. The node will be unbanned after BANTIME seconds have elapsed\&.
-.PP
-A banned node does not participate in the cluster\&. It does not host any records for the clustered TDB and does not host any public IP addresses\&.
-.PP
-Nodes are automatically banned if they misbehave\&. For example, a node may be banned if it causes too many cluster recoveries\&.
-.PP
-To administratively exclude a node from a cluster use the
-\fBstop\fR
-command\&.
-.SS "unban"
-.PP
-This command is used to unban a node that has either been administratively banned using the ban command or has been automatically banned\&.
-.SH "SEE ALSO"
-.PP
-\fBctdbd\fR(1),
-\fBonnode\fR(1),
-\fBctdb\fR(7),
-\fBctdb-statistics\fR(7),
-\fBctdb-tunables\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Ronnie Sahlberg, Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb.7 b/net/samba413/files/man/ctdb.7
deleted file mode 100644
index b0f2df9f960e..000000000000
--- a/net/samba413/files/man/ctdb.7
+++ /dev/null
@@ -1,783 +0,0 @@
-'\" t
-.\" Title: ctdb
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB" "7" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb \- Clustered TDB
-.SH "DESCRIPTION"
-.PP
-CTDB is a clustered database component in clustered Samba that provides a high\-availability load\-sharing CIFS server cluster\&.
-.PP
-The main functions of CTDB are:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Provide a clustered version of the TDB database with automatic rebuild/recovery of the databases upon node failures\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Monitor nodes in the cluster and services running on each node\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-Manage a pool of public IP addresses that are used to provide services to clients\&. Alternatively, CTDB can be used with LVS\&.
-.RE
-.PP
-Combined with a cluster filesystem CTDB provides a full high\-availablity (HA) environment for services such as clustered Samba, NFS and other services\&.
-.SH "ANATOMY OF A CTDB CLUSTER"
-.PP
-A CTDB cluster is a collection of nodes with 2 or more network interfaces\&. All nodes provide network (usually file/NAS) services to clients\&. Data served by file services is stored on shared storage (usually a cluster filesystem) that is accessible by all nodes\&.
-.PP
-CTDB provides an "all active" cluster, where services are load balanced across all nodes\&.
-.SH "RECOVERY LOCK"
-.PP
-CTDB uses a
-\fIrecovery lock\fR
-to avoid a
-\fIsplit brain\fR, where a cluster becomes partitioned and each partition attempts to operate independently\&. Issues that can result from a split brain include file data corruption, because file locking metadata may not be tracked correctly\&.
-.PP
-CTDB uses a
-\fIcluster leader and follower\fR
-model of cluster management\&. All nodes in a cluster elect one node to be the leader\&. The leader node coordinates privileged operations such as database recovery and IP address failover\&. CTDB refers to the leader node as the
-\fIrecovery master\fR\&. This node takes and holds the recovery lock to assert its privileged role in the cluster\&.
-.PP
-By default, the recovery lock is implemented using a file (specified by
-\fIrecovery lock\fR
-in the
-[cluster]
-section of
-\fBctdb.conf\fR(5)) residing in shared storage (usually) on a cluster filesystem\&. To support a recovery lock the cluster filesystem must support lock coherence\&. See
-\fBping_pong\fR(1)
-for more details\&.
-.PP
-The recovery lock can also be implemented using an arbitrary cluster mutex call\-out by using an exclamation point (\*(Aq!\*(Aq) as the first character of
-\fIrecovery lock\fR\&. For example, a value of
-\fB!/usr/local/bin/myhelper recovery\fR
-would run the given helper with the specified arguments\&. See the source code relating to cluster mutexes for clues about writing call\-outs\&.
-.PP
-If a cluster becomes partitioned (for example, due to a communication failure) and a different recovery master is elected by the nodes in each partition, then only one of these recovery masters will be able to take the recovery lock\&. The recovery master in the "losing" partition will not be able to take the recovery lock and will be excluded from the cluster\&. The nodes in the "losing" partition will elect each node in turn as their recovery master so eventually all the nodes in that partition will be excluded\&.
-.PP
-CTDB does sanity checks to ensure that the recovery lock is held as expected\&.
-.PP
-CTDB can run without a recovery lock but this is not recommended as there will be no protection from split brains\&.
-.SH "PRIVATE VS PUBLIC ADDRESSES"
-.PP
-Each node in a CTDB cluster has multiple IP addresses assigned to it:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-A single private IP address that is used for communication between nodes\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-One or more public IP addresses that are used to provide NAS or other services\&.
-.RE
-.sp
-.SS "Private address"
-.PP
-Each node is configured with a unique, permanently assigned private address\&. This address is configured by the operating system\&. This address uniquely identifies a physical node in the cluster and is the address that CTDB daemons will use to communicate with the CTDB daemons on other nodes\&.
-.PP
-Private addresses are listed in the file
-/usr/local/etc/ctdb/nodes)\&. This file contains the list of private addresses for all nodes in the cluster, one per line\&. This file must be the same on all nodes in the cluster\&.
-.PP
-Some users like to put this configuration file in their cluster filesystem\&. A symbolic link should be used in this case\&.
-.PP
-Private addresses should not be used by clients to connect to services provided by the cluster\&.
-.PP
-It is strongly recommended that the private addresses are configured on a private network that is separate from client networks\&. This is because the CTDB protocol is both unauthenticated and unencrypted\&. If clients share the private network then steps need to be taken to stop injection of packets to relevant ports on the private addresses\&. It is also likely that CTDB protocol traffic between nodes could leak sensitive information if it can be intercepted\&.
-.PP
-Example
-/usr/local/etc/ctdb/nodes
-for a four node cluster:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-192\&.168\&.1\&.1
-192\&.168\&.1\&.2
-192\&.168\&.1\&.3
-192\&.168\&.1\&.4
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "Public addresses"
-.PP
-Public addresses are used to provide services to clients\&. Public addresses are not configured at the operating system level and are not permanently associated with a particular node\&. Instead, they are managed by CTDB and are assigned to interfaces on physical nodes at runtime\&.
-.PP
-The CTDB cluster will assign/reassign these public addresses across the available healthy nodes in the cluster\&. When one node fails, its public addresses will be taken over by one or more other nodes in the cluster\&. This ensures that services provided by all public addresses are always available to clients, as long as there are nodes available capable of hosting this address\&.
-.PP
-The public address configuration is stored in
-/usr/local/etc/ctdb/public_addresses
-on each node\&. This file contains a list of the public addresses that the node is capable of hosting, one per line\&. Each entry also contains the netmask and the interface to which the address should be assigned\&. If this file is missing then no public addresses are configured\&.
-.PP
-Some users who have the same public addresses on all nodes like to put this configuration file in their cluster filesystem\&. A symbolic link should be used in this case\&.
-.PP
-Example
-/usr/local/etc/ctdb/public_addresses
-for a node that can host 4 public addresses, on 2 different interfaces:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-10\&.1\&.1\&.1/24 eth1
-10\&.1\&.1\&.2/24 eth1
-10\&.1\&.2\&.1/24 eth2
-10\&.1\&.2\&.2/24 eth2
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-In many cases the public addresses file will be the same on all nodes\&. However, it is possible to use different public address configurations on different nodes\&.
-.PP
-Example: 4 nodes partitioned into two subgroups:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-Node 0:/usr/local/etc/ctdb/public_addresses
- 10\&.1\&.1\&.1/24 eth1
- 10\&.1\&.1\&.2/24 eth1
-
-Node 1:/usr/local/etc/ctdb/public_addresses
- 10\&.1\&.1\&.1/24 eth1
- 10\&.1\&.1\&.2/24 eth1
-
-Node 2:/usr/local/etc/ctdb/public_addresses
- 10\&.1\&.2\&.1/24 eth2
- 10\&.1\&.2\&.2/24 eth2
-
-Node 3:/usr/local/etc/ctdb/public_addresses
- 10\&.1\&.2\&.1/24 eth2
- 10\&.1\&.2\&.2/24 eth2
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-In this example nodes 0 and 1 host two public addresses on the 10\&.1\&.1\&.x network while nodes 2 and 3 host two public addresses for the 10\&.1\&.2\&.x network\&.
-.PP
-Public address 10\&.1\&.1\&.1 can be hosted by either of nodes 0 or 1 and will be available to clients as long as at least one of these two nodes are available\&.
-.PP
-If both nodes 0 and 1 become unavailable then public address 10\&.1\&.1\&.1 also becomes unavailable\&. 10\&.1\&.1\&.1 can not be failed over to nodes 2 or 3 since these nodes do not have this public address configured\&.
-.PP
-The
-\fBctdb ip\fR
-command can be used to view the current assignment of public addresses to physical nodes\&.
-.SH "NODE STATUS"
-.PP
-The current status of each node in the cluster can be viewed by the
-\fBctdb status\fR
-command\&.
-.PP
-A node can be in one of the following states:
-.PP
-OK
-.RS 4
-This node is healthy and fully functional\&. It hosts public addresses to provide services\&.
-.RE
-.PP
-DISCONNECTED
-.RS 4
-This node is not reachable by other nodes via the private network\&. It is not currently participating in the cluster\&. It
-\fIdoes not\fR
-host public addresses to provide services\&. It might be shut down\&.
-.RE
-.PP
-DISABLED
-.RS 4
-This node has been administratively disabled\&. This node is partially functional and participates in the cluster\&. However, it
-\fIdoes not\fR
-host public addresses to provide services\&.
-.RE
-.PP
-UNHEALTHY
-.RS 4
-A service provided by this node has failed a health check and should be investigated\&. This node is partially functional and participates in the cluster\&. However, it
-\fIdoes not\fR
-host public addresses to provide services\&. Unhealthy nodes should be investigated and may require an administrative action to rectify\&.
-.RE
-.PP
-BANNED
-.RS 4
-CTDB is not behaving as designed on this node\&. For example, it may have failed too many recovery attempts\&. Such nodes are banned from participating in the cluster for a configurable time period before they attempt to rejoin the cluster\&. A banned node
-\fIdoes not\fR
-host public addresses to provide services\&. All banned nodes should be investigated and may require an administrative action to rectify\&.
-.RE
-.PP
-STOPPED
-.RS 4
-This node has been administratively exclude from the cluster\&. A stopped node does no participate in the cluster and
-\fIdoes not\fR
-host public addresses to provide services\&. This state can be used while performing maintenance on a node\&.
-.RE
-.PP
-PARTIALLYONLINE
-.RS 4
-A node that is partially online participates in a cluster like a healthy (OK) node\&. Some interfaces to serve public addresses are down, but at least one interface is up\&. See also
-\fBctdb ifaces\fR\&.
-.RE
-.SH "CAPABILITIES"
-.PP
-Cluster nodes can have several different capabilities enabled\&. These are listed below\&.
-.PP
-RECMASTER
-.RS 4
-Indicates that a node can become the CTDB cluster recovery master\&. The current recovery master is decided via an election held by all active nodes with this capability\&.
-.sp
-Default is YES\&.
-.RE
-.PP
-LMASTER
-.RS 4
-Indicates that a node can be the location master (LMASTER) for database records\&. The LMASTER always knows which node has the latest copy of a record in a volatile database\&.
-.sp
-Default is YES\&.
-.RE
-.PP
-The RECMASTER and LMASTER capabilities can be disabled when CTDB is used to create a cluster spanning across WAN links\&. In this case CTDB acts as a WAN accelerator\&.
-.SH "LVS"
-.PP
-LVS is a mode where CTDB presents one single IP address for the entire cluster\&. This is an alternative to using public IP addresses and round\-robin DNS to loadbalance clients across the cluster\&.
-.PP
-This is similar to using a layer\-4 loadbalancing switch but with some restrictions\&.
-.PP
-One extra LVS public address is assigned on the public network to each LVS group\&. Each LVS group is a set of nodes in the cluster that presents the same LVS address public address to the outside world\&. Normally there would only be one LVS group spanning an entire cluster, but in situations where one CTDB cluster spans multiple physical sites it might be useful to have one LVS group for each site\&. There can be multiple LVS groups in a cluster but each node can only be member of one LVS group\&.
-.PP
-Client access to the cluster is load\-balanced across the HEALTHY nodes in an LVS group\&. If no HEALTHY nodes exists then all nodes in the group are used, regardless of health status\&. CTDB will, however never load\-balance LVS traffic to nodes that are BANNED, STOPPED, DISABLED or DISCONNECTED\&. The
-\fBctdb lvs\fR
-command is used to show which nodes are currently load\-balanced across\&.
-.PP
-In each LVS group, one of the nodes is selected by CTDB to be the LVS master\&. This node receives all traffic from clients coming in to the LVS public address and multiplexes it across the internal network to one of the nodes that LVS is using\&. When responding to the client, that node will send the data back directly to the client, bypassing the LVS master node\&. The command
-\fBctdb lvs master\fR
-will show which node is the current LVS master\&.
-.PP
-The path used for a client I/O is:
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 1.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 1." 4.2
-.\}
-Client sends request packet to LVSMASTER\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 2.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 2." 4.2
-.\}
-LVSMASTER passes the request on to one node across the internal network\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 3.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 3." 4.2
-.\}
-Selected node processes the request\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04' 4.\h'+01'\c
-.\}
-.el \{\
-.sp -1
-.IP " 4." 4.2
-.\}
-Node responds back to client\&.
-.RE
-.PP
-This means that all incoming traffic to the cluster will pass through one physical node, which limits scalability\&. You can send more data to the LVS address that one physical node can multiplex\&. This means that you should not use LVS if your I/O pattern is write\-intensive since you will be limited in the available network bandwidth that node can handle\&. LVS does work very well for read\-intensive workloads where only smallish READ requests are going through the LVSMASTER bottleneck and the majority of the traffic volume (the data in the read replies) goes straight from the processing node back to the clients\&. For read\-intensive i/o patterns you can achieve very high throughput rates in this mode\&.
-.PP
-Note: you can use LVS and public addresses at the same time\&.
-.PP
-If you use LVS, you must have a permanent address configured for the public interface on each node\&. This address must be routable and the cluster nodes must be configured so that all traffic back to client hosts are routed through this interface\&. This is also required in order to allow samba/winbind on the node to talk to the domain controller\&. This LVS IP address can not be used to initiate outgoing traffic\&.
-.PP
-Make sure that the domain controller and the clients are reachable from a node
-\fIbefore\fR
-you enable LVS\&. Also ensure that outgoing traffic to these hosts is routed out through the configured public interface\&.
-.SS "Configuration"
-.PP
-To activate LVS on a CTDB node you must specify the
-\fICTDB_LVS_PUBLIC_IFACE\fR,
-\fICTDB_LVS_PUBLIC_IP\fR
-and
-\fICTDB_LVS_NODES\fR
-configuration variables\&.
-\fICTDB_LVS_NODES\fR
-specifies a file containing the private address of all nodes in the current node\*(Aqs LVS group\&.
-.PP
-Example:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB_LVS_PUBLIC_IFACE=eth1
-CTDB_LVS_PUBLIC_IP=10\&.1\&.1\&.237
-CTDB_LVS_NODES=/usr/local/etc/ctdb/lvs_nodes
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Example
-/usr/local/etc/ctdb/lvs_nodes:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-192\&.168\&.1\&.2
-192\&.168\&.1\&.3
-192\&.168\&.1\&.4
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Normally any node in an LVS group can act as the LVS master\&. Nodes that are highly loaded due to other demands maybe flagged with the "slave\-only" option in the
-\fICTDB_LVS_NODES\fR
-file to limit the LVS functionality of those nodes\&.
-.PP
-LVS nodes file that excludes 192\&.168\&.1\&.4 from being the LVS master node:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-192\&.168\&.1\&.2
-192\&.168\&.1\&.3
-192\&.168\&.1\&.4 slave\-only
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "TRACKING AND RESETTING TCP CONNECTIONS"
-.PP
-CTDB tracks TCP connections from clients to public IP addresses, on known ports\&. When an IP address moves from one node to another, all existing TCP connections to that IP address are reset\&. The node taking over this IP address will also send gratuitous ARPs (for IPv4, or neighbour advertisement, for IPv6)\&. This allows clients to reconnect quickly, rather than waiting for TCP timeouts, which can be very long\&.
-.PP
-It is important that established TCP connections do not survive a release and take of a public IP address on the same node\&. Such connections can get out of sync with sequence and ACK numbers, potentially causing a disruptive ACK storm\&.
-.SH "NAT GATEWAY"
-.PP
-NAT gateway (NATGW) is an optional feature that is used to configure fallback routing for nodes\&. This allows cluster nodes to connect to external services (e\&.g\&. DNS, AD, NIS and LDAP) when they do not host any public addresses (e\&.g\&. when they are unhealthy)\&.
-.PP
-This also applies to node startup because CTDB marks nodes as UNHEALTHY until they have passed a "monitor" event\&. In this context, NAT gateway helps to avoid a "chicken and egg" situation where a node needs to access an external service to become healthy\&.
-.PP
-Another way of solving this type of problem is to assign an extra static IP address to a public interface on every node\&. This is simpler but it uses an extra IP address per node, while NAT gateway generally uses only one extra IP address\&.
-.SS "Operation"
-.PP
-One extra NATGW public address is assigned on the public network to each NATGW group\&. Each NATGW group is a set of nodes in the cluster that shares the same NATGW address to talk to the outside world\&. Normally there would only be one NATGW group spanning an entire cluster, but in situations where one CTDB cluster spans multiple physical sites it might be useful to have one NATGW group for each site\&.
-.PP
-There can be multiple NATGW groups in a cluster but each node can only be member of one NATGW group\&.
-.PP
-In each NATGW group, one of the nodes is selected by CTDB to be the NATGW master and the other nodes are consider to be NATGW slaves\&. NATGW slaves establish a fallback default route to the NATGW master via the private network\&. When a NATGW slave hosts no public IP addresses then it will use this route for outbound connections\&. The NATGW master hosts the NATGW public IP address and routes outgoing connections from slave nodes via this IP address\&. It also establishes a fallback default route\&.
-.SS "Configuration"
-.PP
-NATGW is usually configured similar to the following example configuration:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-CTDB_NATGW_NODES=/usr/local/etc/ctdb/natgw_nodes
-CTDB_NATGW_PRIVATE_NETWORK=192\&.168\&.1\&.0/24
-CTDB_NATGW_PUBLIC_IP=10\&.0\&.0\&.227/24
-CTDB_NATGW_PUBLIC_IFACE=eth0
-CTDB_NATGW_DEFAULT_GATEWAY=10\&.0\&.0\&.1
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Normally any node in a NATGW group can act as the NATGW master\&. Some configurations may have special nodes that lack connectivity to a public network\&. In such cases, those nodes can be flagged with the "slave\-only" option in the
-\fICTDB_NATGW_NODES\fR
-file to limit the NATGW functionality of those nodes\&.
-.PP
-See the
-NAT GATEWAY
-section in
-\fBctdb-script.options\fR(5)
-for more details of NATGW configuration\&.
-.SS "Implementation details"
-.PP
-When the NATGW functionality is used, one of the nodes is selected to act as a NAT gateway for all the other nodes in the group when they need to communicate with the external services\&. The NATGW master is selected to be a node that is most likely to have usable networks\&.
-.PP
-The NATGW master hosts the NATGW public IP address
-\fICTDB_NATGW_PUBLIC_IP\fR
-on the configured public interfaces
-\fICTDB_NATGW_PUBLIC_IFACE\fR
-and acts as a router, masquerading outgoing connections from slave nodes via this IP address\&. If
-\fICTDB_NATGW_DEFAULT_GATEWAY\fR
-is set then it also establishes a fallback default route to the configured this gateway with a metric of 10\&. A metric 10 route is used so it can co\-exist with other default routes that may be available\&.
-.PP
-A NATGW slave establishes its fallback default route to the NATGW master via the private network
-\fICTDB_NATGW_PRIVATE_NETWORK\fRwith a metric of 10\&. This route is used for outbound connections when no other default route is available because the node hosts no public addresses\&. A metric 10 routes is used so that it can co\-exist with other default routes that may be available when the node is hosting public addresses\&.
-.PP
-\fICTDB_NATGW_STATIC_ROUTES\fR
-can be used to have NATGW create more specific routes instead of just default routes\&.
-.PP
-This is implemented in the
-11\&.natgw
-eventscript\&. Please see the eventscript file and the
-NAT GATEWAY
-section in
-\fBctdb-script.options\fR(5)
-for more details\&.
-.SH "POLICY ROUTING"
-.PP
-Policy routing is an optional CTDB feature to support complex network topologies\&. Public addresses may be spread across several different networks (or VLANs) and it may not be possible to route packets from these public addresses via the system\*(Aqs default route\&. Therefore, CTDB has support for policy routing via the
-13\&.per_ip_routing
-eventscript\&. This allows routing to be specified for packets sourced from each public address\&. The routes are added and removed as CTDB moves public addresses between nodes\&.
-.SS "Configuration variables"
-.PP
-There are 4 configuration variables related to policy routing:
-\fICTDB_PER_IP_ROUTING_CONF\fR,
-\fICTDB_PER_IP_ROUTING_RULE_PREF\fR,
-\fICTDB_PER_IP_ROUTING_TABLE_ID_LOW\fR,
-\fICTDB_PER_IP_ROUTING_TABLE_ID_HIGH\fR\&. See the
-POLICY ROUTING
-section in
-\fBctdb-script.options\fR(5)
-for more details\&.
-.SS "Configuration"
-.PP
-The format of each line of
-\fICTDB_PER_IP_ROUTING_CONF\fR
-is:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-<public_address> <network> [ <gateway> ]
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Leading whitespace is ignored and arbitrary whitespace may be used as a separator\&. Lines that have a "public address" item that doesn\*(Aqt match an actual public address are ignored\&. This means that comment lines can be added using a leading character such as \*(Aq#\*(Aq, since this will never match an IP address\&.
-.PP
-A line without a gateway indicates a link local route\&.
-.PP
-For example, consider the configuration line:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 192\&.168\&.1\&.99 192\&.168\&.1\&.1/24
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-If the corresponding public_addresses line is:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 192\&.168\&.1\&.99/24 eth2,eth3
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-\fICTDB_PER_IP_ROUTING_RULE_PREF\fR
-is 100, and CTDB adds the address to eth2 then the following routing information is added:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ip rule add from 192\&.168\&.1\&.99 pref 100 table ctdb\&.192\&.168\&.1\&.99
- ip route add 192\&.168\&.1\&.0/24 dev eth2 table ctdb\&.192\&.168\&.1\&.99
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-This causes traffic from 192\&.168\&.1\&.1 to 192\&.168\&.1\&.0/24 go via eth2\&.
-.PP
-The
-\fBip rule\fR
-command will show (something like \- depending on other public addresses and other routes on the system):
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 0: from all lookup local
- 100: from 192\&.168\&.1\&.99 lookup ctdb\&.192\&.168\&.1\&.99
- 32766: from all lookup main
- 32767: from all lookup default
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-\fBip route show table ctdb\&.192\&.168\&.1\&.99\fR
-will show:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 192\&.168\&.1\&.0/24 dev eth2 scope link
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The usual use for a line containing a gateway is to add a default route corresponding to a particular source address\&. Consider this line of configuration:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 192\&.168\&.1\&.99 0\&.0\&.0\&.0/0 192\&.168\&.1\&.1
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-In the situation described above this will cause an extra routing command to be executed:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ip route add 0\&.0\&.0\&.0/0 via 192\&.168\&.1\&.1 dev eth2 table ctdb\&.192\&.168\&.1\&.99
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-With both configuration lines,
-\fBip route show table ctdb\&.192\&.168\&.1\&.99\fR
-will show:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- 192\&.168\&.1\&.0/24 dev eth2 scope link
- default via 192\&.168\&.1\&.1 dev eth2
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "Sample configuration"
-.PP
-Here is a more complete example configuration\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-/usr/local/etc/ctdb/public_addresses:
-
- 192\&.168\&.1\&.98 eth2,eth3
- 192\&.168\&.1\&.99 eth2,eth3
-
-/usr/local/etc/ctdb/policy_routing:
-
- 192\&.168\&.1\&.98 192\&.168\&.1\&.0/24
- 192\&.168\&.1\&.98 192\&.168\&.200\&.0/24 192\&.168\&.1\&.254
- 192\&.168\&.1\&.98 0\&.0\&.0\&.0/0 192\&.168\&.1\&.1
- 192\&.168\&.1\&.99 192\&.168\&.1\&.0/24
- 192\&.168\&.1\&.99 192\&.168\&.200\&.0/24 192\&.168\&.1\&.254
- 192\&.168\&.1\&.99 0\&.0\&.0\&.0/0 192\&.168\&.1\&.1
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The routes local packets as expected, the default route is as previously discussed, but packets to 192\&.168\&.200\&.0/24 are routed via the alternate gateway 192\&.168\&.1\&.254\&.
-.SH "NOTIFICATIONS"
-.PP
-When certain state changes occur in CTDB, it can be configured to perform arbitrary actions via notifications\&. For example, sending SNMP traps or emails when a node becomes unhealthy or similar\&.
-.PP
-The notification mechanism runs all executable files ending in "\&.script" in
-/usr/local/etc/ctdb/events/notification/, ignoring any failures and continuing to run all files\&.
-.PP
-CTDB currently generates notifications after CTDB changes to these states:
-.RS 4
-init
-.RE
-.RS 4
-setup
-.RE
-.RS 4
-startup
-.RE
-.RS 4
-healthy
-.RE
-.RS 4
-unhealthy
-.RE
-.SH "LOG LEVELS"
-.PP
-Valid log levels, in increasing order of verbosity, are:
-.RS 4
-ERROR
-.RE
-.RS 4
-WARNING
-.RE
-.RS 4
-NOTICE
-.RE
-.RS 4
-INFO
-.RE
-.RS 4
-DEBUG
-.RE
-.SH "REMOTE CLUSTER NODES"
-.PP
-It is possible to have a CTDB cluster that spans across a WAN link\&. For example where you have a CTDB cluster in your datacentre but you also want to have one additional CTDB node located at a remote branch site\&. This is similar to how a WAN accelerator works but with the difference that while a WAN\-accelerator often acts as a Proxy or a MitM, in the ctdb remote cluster node configuration the Samba instance at the remote site IS the genuine server, not a proxy and not a MitM, and thus provides 100% correct CIFS semantics to clients\&.
-.PP
-See the cluster as one single multihomed samba server where one of the NICs (the remote node) is very far away\&.
-.PP
-NOTE: This does require that the cluster filesystem you use can cope with WAN\-link latencies\&. Not all cluster filesystems can handle WAN\-link latencies! Whether this will provide very good WAN\-accelerator performance or it will perform very poorly depends entirely on how optimized your cluster filesystem is in handling high latency for data and metadata operations\&.
-.PP
-To activate a node as being a remote cluster node you need to set the following two parameters in /usr/local/etc/ctdb/ctdb\&.conf for the remote node:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-[legacy]
- lmaster capability = false
- recmaster capability = false
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Verify with the command "ctdb getcapabilities" that that node no longer has the recmaster or the lmaster capabilities\&.
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBctdbd\fR(1),
-\fBctdbd_wrapper\fR(1),
-\fBctdb_diagnostics\fR(1),
-\fBltdbtool\fR(1),
-\fBonnode\fR(1),
-\fBping_pong\fR(1),
-\fBctdb.conf\fR(5),
-\fBctdb-script.options\fR(5),
-\fBctdb.sysconfig\fR(5),
-\fBctdb-statistics\fR(7),
-\fBctdb-tunables\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Ronnie Sahlberg, Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb.conf.5 b/net/samba413/files/man/ctdb.conf.5
deleted file mode 100644
index ee36a518e920..000000000000
--- a/net/samba413/files/man/ctdb.conf.5
+++ /dev/null
@@ -1,359 +0,0 @@
-'\" t
-.\" Title: ctdb.conf
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB\&.CONF" "5" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb.conf \- CTDB configuration file
-.SH "DESCRIPTION"
-.PP
-This file contains CTDB configuration options that affect the operation of CTDB daemons and command\-line tools\&. The default location of this file is
-/usr/local/etc/ctdb/ctdb\&.conf\&.
-.PP
-Note that this is a Samba\-style configuration file, so it has a very different syntax to previous CTDB configuration files\&.
-.PP
-For event script options please see
-\fBctdb-script.options\fR(5)\&.
-.PP
-Configuration options are grouped into several sections below\&. There are only a few options in each section, allowing them to be ordered (approximately) in decreasing order of importance\&.
-.SH "LOGGING CONFIGURATION"
-.PP
-Options in this section control CTDB\*(Aqs logging\&. They are valid within the
-\fIlogging\fR
-section of file, indicated by
-[logging]\&.
-.PP
-log level = \fILOGLEVEL\fR
-.RS 4
-LOGLEVEL is a string that controls the verbosity of ctdbd\*(Aqs logging\&. See the
-LOG LEVELS
-section in
-\fBctdb\fR(7)
-for more details\&.
-.sp
-Default:
-NOTICE
-.RE
-.PP
-location = \fISTRING\fR
-.RS 4
-STRING specifies where ctdbd will write its log\&.
-.sp
-Valid values are:
-.PP
-file:\fIFILENAME\fR
-.RS 4
-FILENAME where ctdbd will write its log\&. This is usually
-/var/log/log\&.ctdb\&.
-.RE
-.PP
-syslog[:\fIMETHOD\fR]
-.RS 4
-CTDB will log to syslog\&. By default this will use the syslog(3) API\&.
-.sp
-If METHOD is specified then it specifies an extension that causes logging to be done in a non\-blocking fashion\&. This can be useful under heavy loads that might cause the syslog daemon to dequeue messages too slowly, which would otherwise cause CTDB to block when logging\&. METHOD must be one of:
-.PP
-nonblocking
-.RS 4
-CTDB will log to syslog via
-/dev/log
-in non\-blocking mode\&.
-.RE
-.PP
-udp
-.RS 4
-CTDB will log to syslog via UDP to localhost:514\&. The syslog daemon must be configured to listen on (at least) localhost:514\&. Most implementations will log the messages against hostname "localhost" \- this is a limit of the implementation for compatibility with more syslog daemon implementations\&.
-.RE
-.PP
-udp\-rfc5424
-.RS 4
-As with "udp" but messages are sent in RFC5424 format\&. This method will log the correct hostname but is not as widely implemented in syslog daemons\&.
-.RE
-.RE
-.sp
-Default: file:/var/log/log\&.ctdb
-.RE
-.SH "CLUSTER CONFIGURATION"
-.PP
-Options in this section affect the CTDB cluster setup\&. They are valid within the
-\fIcluster\fR
-section of file, indicated by
-[cluster]\&.
-.PP
-recovery lock = \fILOCK\fR
-.RS 4
-LOCK specifies the cluster\-wide mutex used to detect and prevent a partitioned cluster (or "split brain")\&.
-.sp
-For information about the recovery lock please see the
-RECOVERY LOCK
-section in
-\fBctdb\fR(7)\&.
-.sp
-Default: NONE\&. However, uses of a recovery lock is
-\fIstrongly recommended\fR\&.
-.RE
-.PP
-node address = \fIIPADDR\fR
-.RS 4
-IPADDR is the private IP address that ctdbd will bind to\&.
-.sp
-This option is only required when automatic address detection can not be used\&. This can be the case when running multiple ctdbd daemons/nodes on the same physical host (usually for testing), using InfiniBand for the private network or on Linux when sysctl net\&.ipv4\&.ip_nonlocal_bind=1\&.
-.sp
-Default: CTDB selects the first address from the nodes list that it can bind to\&. See also the
-PRIVATE ADDRESS
-section in
-\fBctdb\fR(7)\&.
-.RE
-.PP
-transport = tcp|ib
-.RS 4
-This option specifies which transport to use for ctdbd internode communications on the private network\&.
-.sp
-ib
-means InfiniBand\&. The InfiniBand support is not regularly tested\&. If it is known to be broken then it may be disabled so that a value of
-ib
-is considered invalid\&.
-.sp
-Default:
-tcp
-.RE
-.SH "DATABASE CONFIGURATION"
-.PP
-Options in this section affect the CTDB database setup\&. They are valid within the
-\fIdatabase\fR
-section of file, indicated by
-[database]\&.
-.PP
-volatile database directory = \fIDIRECTORY\fR
-.RS 4
-DIRECTORY on local storage where CTDB keeps a local copy of volatile TDB databases\&. This directory is local for each node and should not be stored on the shared cluster filesystem\&.
-.sp
-Mounting a tmpfs (or similar memory filesystem) on this directory can provide a significant performance improvement when there is I/O contention on the local disk\&.
-.sp
-Default:
-/var/lib/ctdb/volatile
-.RE
-.PP
-persistent database directory=\fIDIRECTORY\fR
-.RS 4
-DIRECTORY on local storage where CTDB keeps a local copy of persistent TDB databases\&. This directory is local for each node and should not be stored on the shared cluster filesystem\&.
-.sp
-Default:
-/var/lib/ctdb/persistent
-.RE
-.PP
-state database directory = \fIDIRECTORY\fR
-.RS 4
-DIRECTORY on local storage where CTDB keeps a local copy of internal state TDB databases\&. This directory is local for each node and should not be stored on the shared cluster filesystem\&.
-.sp
-Default:
-/var/lib/ctdb/state
-.RE
-.PP
-tdb mutexes = true|false
-.RS 4
-This parameter enables TDB_MUTEX_LOCKING feature on volatile databases if the robust mutexes are supported\&. This optimizes the record locking using robust mutexes and is much more efficient that using posix locks\&.
-.sp
-If robust mutexes are unreliable on the platform being used then they can be disabled by setting this to
-false\&.
-.RE
-.PP
-lock debug script = \fIFILENAME\fR
-.RS 4
-FILENAME is a script used by CTDB\*(Aqs database locking code to attempt to provide debugging information when CTDB is unable to lock an entire database or a record\&.
-.sp
-This script should be a bare filename relative to the CTDB configuration directory (/usr/local/etc/ctdb/)\&. Any directory prefix is ignored and the path is calculated relative to this directory\&.
-.sp
-CTDB provides a lock debugging script and installs it as
-/usr/local/etc/ctdb/debug_locks\&.sh\&.
-.sp
-Default: NONE
-.RE
-.SH "EVENT HANDLING CONFIGURATION"
-.PP
-Options in this section affect CTDB event handling\&. They are valid within the
-\fIevent\fR
-section of file, indicated by
-[event]\&.
-.PP
-debug script = \fIFILENAME\fR
-.RS 4
-FILENAME is a script used by CTDB\*(Aqs event handling code to attempt to provide debugging information when an event times out\&.
-.sp
-This script should be a bare filename relative to the CTDB configuration directory (/usr/local/etc/ctdb/)\&. Any directory prefix is ignored and the path is calculated relative to this directory\&.
-.sp
-CTDB provides a script for debugging timed out event scripts and installs it as
-/usr/local/etc/ctdb/debug\-hung\-script\&.sh\&.
-.sp
-Default: NONE
-.RE
-.SH "FAILOVER CONFIGURATION"
-.PP
-Options in this section affect CTDB failover\&. They are valid within the
-\fIfailover\fR
-section of file, indicated by
-[failover]\&.
-.PP
-disabled = true|false
-.RS 4
-If set to
-true
-then public IP failover is disabled\&.
-.sp
-Default:
-false
-.RE
-.SH "LEGACY CONFIGURATION"
-.PP
-Options in this section affect legacy CTDB setup\&. They are valid within the
-\fIlegacy\fR
-section of file, indicated by
-[legacy]\&.
-.PP
-ctdb start as stopped = true|false
-.RS 4
-If set to
-true
-CTDB starts in the STOPPED state\&.
-.sp
-To allow the node to take part in the cluster it must be manually continued with the
-\fBctdb continue\fR
-command\&.
-.sp
-Please see the
-NODE STATES
-section in
-\fBctdb\fR(7)
-for more information about the STOPPED state\&.
-.sp
-Default:
-false
-.RE
-.PP
-start as disabled = true|false
-.RS 4
-If set to
-true
-CTDB starts in the DISABLED state\&.
-.sp
-To allow the node to host public IP addresses and services, it must be manually enabled using the
-\fBctdb enable\fR
-command\&.
-.sp
-Please see the
-NODE STATES
-section in
-\fBctdb\fR(7)
-for more information about the DISABLED state\&.
-.sp
-Default:
-false
-.RE
-.PP
-realtime scheduling = true|false
-.RS 4
-Usually CTDB runs with real\-time priority\&. This helps it to perform effectively on a busy system, such as when there are thousands of Samba clients\&. If you are running CTDB on a platform that does not support real\-time priority, you can set this to
-false\&.
-.sp
-Default:
-true
-.RE
-.PP
-recmaster capability = true|false
-.RS 4
-Indicates whether a node can become the recovery master for the cluster\&. If this is set to
-false
-then the node will not be able to become the recovery master for the cluster\&. This feature is primarily used for making a cluster span across a WAN link and use CTDB as a WAN\-accelerator\&.
-.sp
-Please see the
-REMOTE CLUSTER NODES
-section in
-\fBctdb\fR(7)
-for more information\&.
-.sp
-Default:
-true
-.RE
-.PP
-lmaster capability = true|false
-.RS 4
-Indicates whether a node can become a location master for records in a database\&. If this is set to
-false
-then the node will not be part of the vnnmap\&. This feature is primarily used for making a cluster span across a WAN link and use CTDB as a WAN\-accelerator\&.
-.sp
-Please see the
-REMOTE CLUSTER NODES
-section in
-\fBctdb\fR(7)
-for more information\&.
-.sp
-Default:
-true
-.RE
-.PP
-script log level = \fILOGLEVEL\fR
-.RS 4
-This option sets the debug level of event script output to LOGLEVEL\&.
-.sp
-See the
-DEBUG LEVELS
-section in
-\fBctdb\fR(7)
-for more information\&.
-.sp
-Default:
-ERROR
-.RE
-.SH "FILES"
-.RS 4
-/usr/local/etc/ctdb/ctdb\&.conf
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdbd\fR(1),
-\fBonnode\fR(1),
-\fBctdb.sysconfig\fR(5),
-\fBctdb-script.options\fR(5),
-\fBctdb\fR(7),
-\fBctdb-tunables\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb.sysconfig.5 b/net/samba413/files/man/ctdb.sysconfig.5
deleted file mode 100644
index 32afdb2bcf24..000000000000
--- a/net/samba413/files/man/ctdb.sysconfig.5
+++ /dev/null
@@ -1,139 +0,0 @@
-'\" t
-.\" Title: ctdb.sysconfig
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB\&.SYSCONFIG" "5" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb.sysconfig \- CTDB daemon configuration file
-.SH "DESCRIPTION"
-.PP
-This file contains configuration that affects the operation of CTDB\&. This is a distribution\-specific service configuration file such as
-/etc/sysconfig/ctdb
-(Red Hat) or
-/etc/default/ctdb
-(Debian) and is a shell script (see
-\fBsh\fR(1))\&.
-.SH "GLOBAL CONFIGURATION"
-.PP
-CTDB_INIT_STYLE=debian|redhat|suse
-.RS 4
-This is the init style used by the Linux distribution (or other operating system) being used\&. This is usually determined dynamically by checking the system\&. This variable is used by the initscript to determine which init system primitives to use\&. It is also used by some eventscripts to choose the name of initscripts for certain services, since these can vary between distributions\&.
-.sp
-If using CTDB\*(Aqs event scripts are unable to determine an appropriate default then this option can also be placed in a relevant
-\fBctdb-script.options\fR(5)
-file\&.
-.sp
-Default: NONE\&. Guessed, based on features of distribution\&.
-.RE
-.PP
-CTDB_STARTUP_TIMEOUT=\fINUM\fR
-.RS 4
-NUM is the number of seconds to wait for
-\fBctdbd\fR(1)
-complete early initialisation up to a point where it is unlikely to abort\&. If
-\fBctdbd\fR
-doesn\*(Aqt complete the "setup" event before this timeout then it is killed\&.
-.sp
-Defaults: 10
-.RE
-.SH "RESOURCE LIMITS"
-.SS "Maximum number of open files"
-.PP
-CTDB can use a lot of file descriptors, especially when used with Samba\&. If there are thousands of smbd processes connected to CTDB when this can mean that thousands of file descriptors are used\&. For CTDB, it is often necessary to increase limit on the maximum number of open files\&.
-.PP
-The maximum number of open files should be configured using an operating system mechanism\&.
-.PP
-systemd
-.RS 4
-The
-LimitNOFILE=\fBLIMIT\fR
-option can be used in a unit/service file increase the maximum number of open files\&. See
-\fBsystemd.exec\fR(5)
-for details\&.
-.RE
-.PP
-SYSV init
-.RS 4
-Use a command like
-\fBulimit \-n \fR\fB\fBLIMIT\fR\fR
-to increase the maximum number of open files\&. This command can be put in the relevant distribution\-specific service configuration file\&.
-.RE
-.SS "Allowing core dumps"
-.PP
-Many distributions do not allow core dump files to be generated by default\&. To assist with debugging, core files can be enabled\&. This should be configured using an operating system mechanism\&.
-.PP
-systemd
-.RS 4
-The
-LimitCORE=0|unlimited
-option can be used in a unit/service file\&.
-0
-disallows core files,
-unlimited
-allows them\&. maximum number of open files\&. See
-\fBsystemd.exec\fR(5)
-for details\&.
-.RE
-.PP
-SYSV init
-.RS 4
-Use a command like
-\fBulimit \-c 0|unlimited\fR
-to disable or enable core files as required\&. This command can be put in the relevant distribution\-specific service configuration file\&.
-.RE
-.SH "FILES"
-.RS 4
-/etc/sysconfig/ctdb
-.RE
-.RS 4
-/etc/default/ctdb
-.RE
-.RS 4
-/usr/local/etc/ctdb/script\&.options
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdbd\fR(1),
-\fBctdb-script.options\fR(5),
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdb_diagnostics.1 b/net/samba413/files/man/ctdb_diagnostics.1
deleted file mode 100644
index b24c57d5acd6..000000000000
--- a/net/samba413/files/man/ctdb_diagnostics.1
+++ /dev/null
@@ -1,79 +0,0 @@
-'\" t
-.\" Title: ctdb_diagnostics
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 11/18/2018
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDB_DIAGNOSTICS" "1" "11/18/2018" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdb_diagnostics \- dump diagnostic information about CTDB/Samba installation
-.SH "SYNOPSIS"
-.HP \w'\fBctdb_diagnostics\fR\ 'u
-\fBctdb_diagnostics\fR [OPTIONS] \&.\&.\&.
-.SH "DESCRIPTION"
-.PP
-ctdb_diagnostics is used to dump diagnostic information about a clustered Samba installation\&. This includes configuration files, output of relevant commands and logs\&. This information can be used to check the correctness of the configuration and to diagnose problems\&.
-.SH "OPTIONS"
-.PP
-\-n <nodes>
-.RS 4
-Comma separated list of nodes to operate on
-.RE
-.PP
-\-c
-.RS 4
-Ignore comment lines (starting with \*(Aq#\*(Aq) in file comparisons
-.RE
-.PP
-\-w
-.RS 4
-Ignore whitespace in file comparisons
-.RE
-.PP
-\-\-no\-ads
-.RS 4
-Do not use commands that assume an Active Directory Server
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBctdb\fR(7),
-\m[blue]\fB\%https://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Martijn van Brummelen
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2015 Martijn van Brummelen
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdbd.1 b/net/samba413/files/man/ctdbd.1
deleted file mode 100644
index 394b632a0368..000000000000
--- a/net/samba413/files/man/ctdbd.1
+++ /dev/null
@@ -1,83 +0,0 @@
-'\" t
-.\" Title: ctdbd
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDBD" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdbd \- The CTDB cluster daemon
-.SH "SYNOPSIS"
-.HP \w'\fBctdbd\fR\ 'u
-\fBctdbd\fR [\fIOPTION\fR...]
-.SH "DESCRIPTION"
-.PP
-ctdbd is the main CTDB daemon\&.
-.PP
-Note that ctdbd is not usually invoked directly\&. It is invoked via
-\fBctdbd_wrapper\fR(1)
-or via the initscript\&.
-.PP
-See
-\fBctdb\fR(7)
-for an overview of CTDB\&.
-.SH "GENERAL OPTIONS"
-.PP
-\-i, \-\-interactive
-.RS 4
-Enable interactive mode\&. This will make ctdbd run in the foreground and not detach from the terminal\&. In this mode ctdbd will log to stderr\&.
-.sp
-By default ctdbd will detach itself and run in the background as a daemon, logging to the configured destination\&.
-.RE
-.PP
-\-?, \-\-help
-.RS 4
-Display a summary of options\&.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBctdbd_wrapper\fR(1),
-\fBonnode\fR(1),
-\fBctdb.conf\fR(5),
-\fBctdb\fR(7),
-\fBctdb-tunables\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Ronnie Sahlberg, Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ctdbd_wrapper.1 b/net/samba413/files/man/ctdbd_wrapper.1
deleted file mode 100644
index b0b1f9bd783a..000000000000
--- a/net/samba413/files/man/ctdbd_wrapper.1
+++ /dev/null
@@ -1,63 +0,0 @@
-'\" t
-.\" Title: ctdbd_wrapper
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "CTDBD_WRAPPER" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ctdbd_wrapper \- Wrapper for ctdbd
-.SH "SYNOPSIS"
-.HP \w'\fBctdbd_wrapper\fR\ 'u
-\fBctdbd_wrapper\fR {start | stop}
-.SH "DESCRIPTION"
-.PP
-ctdbd_wrapper is used to start or stop the main CTDB daemon\&.
-.PP
-See
-\fBctdb\fR(7)
-for an overview of CTDB\&.
-.SH "SEE ALSO"
-.PP
-\fBctdbd\fR(1),
-\fBctdb.sysconfig\fR(5),
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Amitay Isaacs, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/gentest.1 b/net/samba413/files/man/gentest.1
deleted file mode 100644
index 550215e0db49..000000000000
--- a/net/samba413/files/man/gentest.1
+++ /dev/null
@@ -1,133 +0,0 @@
-'\" t
-.\" Title: gentest
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: Test Suite
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "GENTEST" "1" "09/23/2020" "Samba 4\&.0" "Test Suite"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-gentest \- Run random generic SMB operations against two SMB servers and show the differences in behavior
-.SH "SYNOPSIS"
-.HP \w'\fBgentest\fR\ 'u
-\fBgentest\fR {//server1/share1} {//server2/share2} {\-U\ user%pass} {\-U\ user%pass} [\-s\ seed] [\-o\ numops] [\-a] [\-A] [\-i\ FILE] [\-O] [\-S\ FILE] [\-L] [\-F] [\-C] [\-X]
-.SH "DESCRIPTION"
-.PP
-gentest
-is a utility for detecting differences in behaviour between SMB servers\&. It will run a random set of generic operations against
-\fI//server1/share1\fR
-and then the same random set against
-\fI//server2/share2\fR
-and display the differences in the responses it gets\&.
-.PP
-This utility is used by the Samba team to find differences in behaviour between Samba and Windows servers\&.
-.SH "OPTIONS"
-.PP
-\-U user%pass
-.RS 4
-Specify the user and password to use when logging on on the shares\&. This parameter is mandatory and has to be specified twice\&.
-.RE
-.PP
-\-s seed
-.RS 4
-Seed the random number generator with the specified value\&.
-.RE
-.PP
-\-o numops
-.RS 4
-Set the number of operations to perform\&.
-.RE
-.PP
-\-a
-.RS 4
-Print the operations that are performed\&.
-.RE
-.PP
-\-A
-.RS 4
-Backtrack to find minimal number of operations required to make the response to a certain call differ\&.
-.RE
-.PP
-\-i FILE
-.RS 4
-Specify a file containing the names of fields that have to be ignored (such as time fields)\&. See below for a description of the file format\&.
-.RE
-.PP
-\-O
-.RS 4
-Enable oplocks\&.
-.RE
-.PP
-\-S FILE
-.RS 4
-Set preset seeds file\&. The default is
-gentest_seeds\&.dat\&.
-.RE
-.PP
-\-L
-.RS 4
-Use preset seeds
-.RE
-.PP
-\-F
-.RS 4
-Fast reconnect (just close files)
-.RE
-.PP
-\-C
-.RS 4
-Continuous analysis mode
-.RE
-.PP
-\-X
-.RS 4
-Analyse even when the test succeeded\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-Samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-gentest was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/ldbadd.1 b/net/samba413/files/man/ldbadd.1
deleted file mode 100644
index 90014c9d6703..000000000000
--- a/net/samba413/files/man/ldbadd.1
+++ /dev/null
@@ -1,78 +0,0 @@
-'\" t
-.\" Title: ldbadd
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBADD" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbadd \- Command\-line utility for adding records to an LDB
-.SH "SYNOPSIS"
-.HP \w'\fBldbadd\fR\ 'u
-\fBldbadd\fR [\-h] [\-H\ LDB\-URL] [ldif\-file1] [ldif\-file2] [\&.\&.\&.]
-.SH "DESCRIPTION"
-.PP
-ldbadd adds records to an ldb(3) database\&. It reads the ldif(5) files specified on the command line and adds the records from these files to the LDB database, which is specified by the \-H option or the LDB_URL environment variable\&.
-.PP
-If \- is specified as a ldb file, the ldif input is read from standard input\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. See ldb(3) for details\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to (can be overridden by using the \-H command\-line option\&.)
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbmodify, ldbdel, ldif(5)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/ldbdel.1 b/net/samba413/files/man/ldbdel.1
deleted file mode 100644
index 86541dccc899..000000000000
--- a/net/samba413/files/man/ldbdel.1
+++ /dev/null
@@ -1,80 +0,0 @@
-'\" t
-.\" Title: ldbdel
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBDEL" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbdel \- Command\-line program for deleting LDB records
-.SH "SYNOPSIS"
-.HP \w'\fBldbdel\fR\ 'u
-\fBldbdel\fR [\-h] [\-H\ LDB\-URL] [dn] [\&.\&.\&.]
-.SH "DESCRIPTION"
-.PP
-ldbdel deletes records from an ldb(3) database\&. It deletes the records identified by the dn\*(Aqs specified on the command\-line\&.
-.PP
-ldbdel uses either the database that is specified with the \-H option or the database specified by the LDB_URL environment variable\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. See ldb(3) for details\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to (can be overridden by using the \-H command\-line option\&.)
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbmodify, ldbadd, ldif(5)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-ldbdel was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/ldbedit.1 b/net/samba413/files/man/ldbedit.1
deleted file mode 100644
index cb7b75fe8d67..000000000000
--- a/net/samba413/files/man/ldbedit.1
+++ /dev/null
@@ -1,111 +0,0 @@
-'\" t
-.\" Title: ldbedit
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBEDIT" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbedit \- Edit LDB databases using your preferred editor
-.SH "SYNOPSIS"
-.HP \w'\fBldbedit\fR\ 'u
-\fBldbedit\fR [\-?] [\-\-usage] [\-s\ base|one|sub] [\-b\ basedn] [\-a] [\-e\ editor] [\-H\ LDB\-URL] [expression] [attributes...]
-.SH "DESCRIPTION"
-.PP
-ldbedit is a utility that allows you to edit LDB entries (in tdb files, sqlite files or LDAP servers) using your preferred editor\&. ldbedit generates an LDIF file based on your query, allows you to edit the LDIF, and then merges that LDIF back into the LDB backend\&.
-.SH "OPTIONS"
-.PP
-\-?, \-\-help
-.RS 4
-Show list of available options, and a phrase describing what that option does\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Show list of available options\&. This is similar to the help option, however it does not provide any description, and is hence shorter\&.
-.RE
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. For a tdb database, this will be of the form tdb://\fIfilename\fR\&. For a LDAP connection over unix domain sockets, this will be of the form ldapi://\fIsocket\fR\&. For a (potentially remote) LDAP connection over TCP, this will be of the form ldap://\fIhostname\fR\&. For an SQLite database, this will be of the form sqlite://\fIfilename\fR\&.
-.RE
-.PP
-\-s one|sub|base
-.RS 4
-Search scope to use\&. One\-level, subtree or base\&.
-.RE
-.PP
-\-a, \-all
-.RS 4
-Edit all records\&. This allows you to apply the same change to a number of records at once\&. You probably want to combine this with an expression of the form "objectclass=*"\&.
-.RE
-.PP
-\-e editor, \-\-editor editor
-.RS 4
-Specify the editor that should be used (overrides the VISUAL and EDITOR environment variables)\&. If this option is not used, and neither VISUAL nor EDITOR environment variables are set, then the vi editor will be used\&.
-.RE
-.PP
-\-b basedn
-.RS 4
-Specify Base Distinguished Name to use\&.
-.RE
-.PP
-\-v, \-\-verbose
-.RS 4
-Make ldbedit more verbose about the operations that are being performed\&. Without this option, ldbedit will only provide a summary change line\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to\&. This can be overridden by using the \-H command\-line option\&.)
-.RE
-.PP
-VISUAL and EDITOR
-.RS 4
-Environment variables used to determine what editor to use\&. VISUAL takes precedence over EDITOR, and both are overridden by the \-e command\-line option\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbmodify(1), ldbdel(1), ldif(5), vi(1)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-This manpage was written by Jelmer Vernooij and updated by Brad Hards\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/ldbmodify.1 b/net/samba413/files/man/ldbmodify.1
deleted file mode 100644
index be4815da7287..000000000000
--- a/net/samba413/files/man/ldbmodify.1
+++ /dev/null
@@ -1,73 +0,0 @@
-'\" t
-.\" Title: ldbmodify
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBMODIFY" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbmodify \- Modify records in a LDB database
-.SH "SYNOPSIS"
-.HP \w'\fBldbmodify\fR\ 'u
-\fBldbmodify\fR [\-H\ LDB\-URL] [ldif\-file]
-.SH "DESCRIPTION"
-.PP
-ldbmodify changes, adds and deletes records in a LDB database\&. The changes that should be made to the LDB database are read from the specified LDIF\-file\&. If \- is specified as the filename, input is read from stdin\&.
-.PP
-For now, see ldapmodify(1) for details on the LDIF file format\&.
-.SH "OPTIONS"
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. See ldb(3) for details\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to (can be overridden by using the \-H command\-line option\&.)
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbedit
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/ldbrename.1 b/net/samba413/files/man/ldbrename.1
deleted file mode 100644
index 0bdbc67a3b32..000000000000
--- a/net/samba413/files/man/ldbrename.1
+++ /dev/null
@@ -1,81 +0,0 @@
-'\" t
-.\" Title: ldbrename
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBRENAME" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbrename \- Edit LDB databases using your favorite editor
-.SH "SYNOPSIS"
-.HP \w'\fBldbrename\fR\ 'u
-\fBldbrename\fR [\-h] [\-o\ options] {olddn} {newdn}
-.SH "DESCRIPTION"
-.PP
-ldbrename is a utility that allows you to rename trees in an LDB database based by DN\&. This utility takes two arguments: the original DN name of the top element and the DN to change it to\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. See ldb(3) for details\&.
-.RE
-.PP
-\-o options
-.RS 4
-Extra ldb options, such as modules\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to (can be overridden by using the \-H command\-line option\&.)
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbmodify, ldbdel, ldif(5)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/ldbsearch.1 b/net/samba413/files/man/ldbsearch.1
deleted file mode 100644
index ff7645bfce4e..000000000000
--- a/net/samba413/files/man/ldbsearch.1
+++ /dev/null
@@ -1,91 +0,0 @@
-'\" t
-.\" Title: ldbsearch
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: LDB 1.1
-.\" Language: English
-.\"
-.TH "LDBSEARCH" "1" "09/23/2020" "LDB 1\&.1" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ldbsearch \- Search for records in a LDB database
-.SH "SYNOPSIS"
-.HP \w'\fBldbsearch\fR\ 'u
-\fBldbsearch\fR [\-h] [\-s\ base|one|sub] [\-b\ basedn] [\-i] [\-H\ LDB\-URL] [expression] [attributes]
-.SH "DESCRIPTION"
-.PP
-ldbsearch searches a LDB database for records matching the specified expression (see the ldapsearch(1) manpage for a description of the expression format)\&. For each record, the specified attributes are printed\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-H <ldb\-url>
-.RS 4
-LDB URL to connect to\&. See ldb(3) for details\&.
-.RE
-.PP
-\-s one|sub|base
-.RS 4
-Search scope to use\&. One\-level, subtree or base\&.
-.RE
-.PP
-\-i
-.RS 4
-Read search expressions from stdin\&.
-.RE
-.PP
-\-b basedn
-.RS 4
-Specify Base DN to use\&.
-.RE
-.SH "ENVIRONMENT"
-.PP
-LDB_URL
-.RS 4
-LDB URL to connect to (can be overridden by using the \-H command\-line option\&.)
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 1\&.1 of LDB\&.
-.SH "SEE ALSO"
-.PP
-ldb(3), ldbedit(1)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
diff --git a/net/samba413/files/man/locktest.1 b/net/samba413/files/man/locktest.1
deleted file mode 100644
index 06df14a59628..000000000000
--- a/net/samba413/files/man/locktest.1
+++ /dev/null
@@ -1,137 +0,0 @@
-'\" t
-.\" Title: locktest
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: Test Suite
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "LOCKTEST" "1" "09/23/2020" "Samba 4\&.0" "Test Suite"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-locktest \- Find differences in locking between two SMB servers
-.SH "SYNOPSIS"
-.HP \w'\fBlocktest\fR\ 'u
-\fBlocktest\fR {//server1/share1} {//server2/share2} [\-U\ user%pass] [\-U\ user%pass] [\-s\ seed] [\-o\ numops] [\-a] [\-O] [\-E] [\-Z] [\-R\ range] [\-B\ base] [\-M\ min]
-.SH "DESCRIPTION"
-.PP
-locktest
-is a utility for detecting differences in behaviour in locking between SMB servers\&. It will run a random set of locking operations against
-\fI//server1/share1\fR
-and then the same random set against
-\fI//server2/share2\fR
-and display the differences in the responses it gets\&.
-.PP
-This utility is used by the Samba team to find differences in behaviour between Samba and Windows servers\&.
-.SH "OPTIONS"
-.PP
-\-U user%pass
-.RS 4
-Specify the user and password to use when logging on on the shares\&. This parameter can be specified twice (once for the first server, once for the second)\&.
-.RE
-.PP
-\-s seed
-.RS 4
-Seed the random number generator with the specified value\&.
-.RE
-.PP
-\-o numops
-.RS 4
-Set the number of operations to perform\&.
-.RE
-.PP
-\-a
-.RS 4
-Print the operations that are performed\&.
-.RE
-.PP
-\-A
-.RS 4
-Backtrack to find minimal number of operations required to make the response to a certain call differ\&.
-.RE
-.PP
-\-O
-.RS 4
-Enable oplocks\&.
-.RE
-.PP
-\-u
-.RS 4
-Hide unlock fails\&.
-.RE
-.PP
-\-E
-.RS 4
-enable exact error code checking
-.RE
-.PP
-\-Z
-.RS 4
-enable the zero/zero lock
-.RE
-.PP
-\-R range
-.RS 4
-set lock range
-.RE
-.PP
-\-B base
-.RS 4
-set lock base
-.RE
-.PP
-\-M min
-.RS 4
-set min lock length
-.RE
-.PP
-\-k
-.RS 4
-Use kerberos
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-Samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-locktest was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/ltdbtool.1 b/net/samba413/files/man/ltdbtool.1
deleted file mode 100644
index cfe19788d612..000000000000
--- a/net/samba413/files/man/ltdbtool.1
+++ /dev/null
@@ -1,256 +0,0 @@
-'\" t
-.\" Title: ltdbtool
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "LTDBTOOL" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ltdbtool \- manipulate CTDB\*(Aqs local TDB files
-.SH "SYNOPSIS"
-.HP \w'\fBltdbtool\fR\ 'u
-\fBltdbtool\fR [\fIOPTION\fR...] {\fICOMMAND\fR} [\fICOMMAND\-ARGS\fR]
-.SH "DESCRIPTION"
-.PP
-ltdbtool is a utility to manipulate CTDB\*(Aqs local TDB databases (LTDBs) without connecting to a CTDB daemon\&.
-.PP
-It can be used to:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-dump the contents of a LTDB, optionally printing the CTDB record header information,
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-convert between an LTDB and a non\-clustered tdb by adding or removing CTDB headers and
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-convert between 64 and 32 bit LTDBs where the CTDB record headers differ by 4 bytes of padding\&.
-.RE
-.SH "OPTIONS"
-.PP
-\-e
-.RS 4
-Dump empty records\&. These are normally excluded\&.
-.RE
-.PP
-\-p
-.RS 4
-Dump with header information, similar to "ctdb catdb"\&.
-.RE
-.PP
-\-s {0 | 32 | 64}
-.RS 4
-Specify how to determine the CTDB record header size for the input database:
-.PP
-0
-.RS 4
-no CTDB header
-.RE
-.PP
-32
-.RS 4
-CTDB header size of a 32 bit system (20 bytes)
-.RE
-.PP
-64
-.RS 4
-CTDB header size of a 64 bit system (24 bytes)
-.RE
-.sp
-The default is 32 or 64 depending on the system architecture\&.
-.RE
-.PP
-\-o {0 | 32 | 64}
-.RS 4
-Specify how to determine the CTDB record header size for the output database, see \-s\&.
-.RE
-.PP
-\-S \fISIZE\fR
-.RS 4
-Explicitly specify the CTDB record header SIZE of the input database in bytes\&.
-.RE
-.PP
-\-O \fISIZE\fR
-.RS 4
-Explicitly specify the CTDB record header SIZE for the output database in bytes\&.
-.RE
-.PP
-\-h
-.RS 4
-Print help text\&.
-.RE
-.SH "COMMANDS"
-.PP
-help
-.RS 4
-Print help text\&.
-.RE
-.PP
-dump \fIIDB\fR
-.RS 4
-Dump the contents of an LTDB input file IDB to standard output in a human\-readable format\&.
-.RE
-.PP
-convert \fIIDB\fR \fIODB\fR
-.RS 4
-Copy an LTDB input file IDB to output file ODB, optionally adding or removing CTDB headers\&.
-.RE
-.SH "EXAMPLES"
-.PP
-Print a local tdb in "tdbdump" style:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool dump idmap2\&.tdb\&.0
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Print a local tdb with header information similar to "ctdb catdb":
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool dump \-p idmap2\&.tdb\&.0
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Strip the CTDB headers from records:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool convert \-o0 idmap2\&.tdb\&.0 idmap\&.tdb
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Strip 64 bit CTDB headers from records, running on i386:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool convert \-s64 \-o0 idmap2\&.tdb\&.0 idmap\&.tdb
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Strip the CTDB headers from records by piping through tdbrestore:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool dump idmap2\&.tdb\&.0 | tdbrestore idmap\&.tdb
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Convert a local tdb from a 64 bit system for usage on a 32 bit system:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool convert \-s64 \-o32 idmap2\&.tdb\&.0 idmap2\&.tdb\&.1
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Add a default header:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ltdbtool convert \-s0 idmap\&.tdb idmap2\&.tdb\&.0
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(1),
-\fBtdbdump\fR(1),
-\fBtdbrestore\fR(1),
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Gregor Beck
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2011 Gregor Beck, Michael Adam
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/masktest.1 b/net/samba413/files/man/masktest.1
deleted file mode 100644
index e2e1398d7b1b..000000000000
--- a/net/samba413/files/man/masktest.1
+++ /dev/null
@@ -1,113 +0,0 @@
-'\" t
-.\" Title: masktest
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: Test Suite
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "MASKTEST" "1" "09/23/2020" "Samba 4\&.0" "Test Suite"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-masktest \- Find differences in wildcard matching between Samba\*(Aqs implementation and that of a remote server\&.
-.SH "SYNOPSIS"
-.HP \w'\fBmasktest\fR\ 'u
-\fBmasktest\fR {//server/share} [\-U\ user%pass] [\-d\ debuglevel] [\-W\ workgroup] [\-n\ numloops] [\-s\ seed] [\-a] [\-E] [\-M\ max\ protocol] [\-f\ filechars] [\-m\ maskchars] [\-v]
-.SH "DESCRIPTION"
-.PP
-masktest
-is a utility for detecting differences in behaviour between Samba\*(Aqs own implementation and that of a remote server\&. It will run generate random filenames/masks and check if these match the same files they do on the remote file as they do on the local server\&. It will display any differences it finds\&.
-.PP
-This utility is used by the Samba team to find differences in behaviour between Samba and Windows servers\&.
-.SH "OPTIONS"
-.PP
-\-U user%pass
-.RS 4
-Specify the user and password to use when logging on on the shares\&. This parameter can be specified twice (once for the first server, once for the second)\&.
-.RE
-.PP
-\-s seed
-.RS 4
-Seed the random number generator with the specified value\&.
-.RE
-.PP
-\-n numops
-.RS 4
-Set the number of operations to perform\&.
-.RE
-.PP
-\-a
-.RS 4
-Print the operations that are performed\&.
-.RE
-.PP
-\-M max_protocol
-.RS 4
-Maximum protocol to use\&.
-.RE
-.PP
-\-f
-.RS 4
-Specify characters that can be used when generating file names\&. Default: abcdefghijklm\&.
-.RE
-.PP
-\-E
-.RS 4
-Abort when difference in behaviour is found\&.
-.RE
-.PP
-\-m maskchars
-.RS 4
-Specify characters used for wildcards\&.
-.RE
-.PP
-\-v
-.RS 4
-Be verbose
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-Samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-masktest was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/mdfind.1 b/net/samba413/files/man/mdfind.1
deleted file mode 100644
index c4aad9b659ff..000000000000
--- a/net/samba413/files/man/mdfind.1
+++ /dev/null
@@ -1,166 +0,0 @@
-'\" t
-.\" Title: mdfind
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: User Commands
-.\" Source: Samba 4.12.7
-.\" Language: English
-.\"
-.TH "MDFIND" "1" "09/23/2020" "Samba 4\&.12\&.7" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-mdfind \- Run Spotlight searches against an SMB server
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-mvxattr {server} {sharename} {query} [\-p,\ \-\-path] [\-L,\ \-\-live]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-mdfind is a simple utility to run Spotlight searches against an SMB server that runs the Spotlight
-\fImdssvc\fR
-RPC service\&.
-.SH "OPTIONS"
-.PP
-server
-.RS 4
-The SMB server name or IP address to connect to\&.
-.RE
-.PP
-sharename
-.RS 4
-The name of a share on the server\&.
-.RE
-.PP
-query
-.RS 4
-The query expression syntax is a simplified form of filename globbing familiar to shell users\&. Queries have the following format:
-.sp
-attribute=="value"
-.sp
-For queries against a Samba server with Spotlight enabled using the Elasticsearch backend, the list of supported metadata attributes is given by the JSON attribute mapping file, typically installed at
-/usr/share/samba/mdssvc/elasticsearch_mappings\&.json
-.RE
-.PP
-\-p PATH, \-\-path=PATH
-.RS 4
-Server side path to search, defaults to
-\fI"/"\fR
-.RE
-.PP
-\-L, \-\-live
-.RS 4
-Query remains running\&.
-.RE
-.SH "EXAMPLES"
-.PP
-Search all indexed metadata attributes, exact match:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \*(Aq*=="Samba"\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Search all indexed metadata attributes, prefix match:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \*(Aq*=="Samba*"\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Search by filename:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \*(AqkMDItemFSName=="Samba*"\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Search by date:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \*(AqkMDItemFSContentChangeDate<$time\&.iso(2018\-10\-01T10:00:00Z)\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Search files\*(Aqs content:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \*(AqkMDItemTextContent=="Samba*"\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Expressions:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- kMDItemFSName=="Samba*"||kMDItemTextContent=="Tango*"\*(Aq
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "SEE ALSO"
-.PP
-File Metadata Search Programming Guide
-https://developer\&.apple\&.com/library/archive/documentation/Carbon/Conceptual/SpotlightQuery/Concepts/Introduction\&.html
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.12\&.7 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The mdfind manpage was written by Ralph Boehme\&.
diff --git a/net/samba413/files/man/ndrdump.1 b/net/samba413/files/man/ndrdump.1
deleted file mode 100644
index 913d2471f730..000000000000
--- a/net/samba413/files/man/ndrdump.1
+++ /dev/null
@@ -1,84 +0,0 @@
-'\" t
-.\" Title: ndrdump
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "NDRDUMP" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ndrdump \- DCE/RPC Packet Parser and Dumper
-.SH "SYNOPSIS"
-.HP \w'\fBndrdump\fR\ 'u
-\fBndrdump\fR [\-c\ context] {pipe} {format} {in|out|struct} {filename}
-.HP \w'\fBndrdump\fR\ 'u
-\fBndrdump\fR [pipe]
-.HP \w'\fBndrdump\fR\ 'u
-\fBndrdump\fR
-.SH "DESCRIPTION"
-.PP
-ndrdump tries to parse the specified
-\fIfilename\fR
-using Samba\*(Aqs parser for the specified pipe and format\&. The third argument should be either
-\fIin\fR,
-\fIout\fR
-or
-\fIstruct\fRdepending on whether the data should be parsed as a request, reply or a public structure\&.
-.PP
-Running ndrdump without arguments will list the pipes for which parsers are available\&.
-.PP
-Running ndrdump with one argument will list the functions and public structures that Samba can parse for the specified pipe\&.
-.PP
-The primary function of ndrdump is debugging Samba\*(Aqs internal DCE/RPC parsing functions\&. The file being parsed is usually one exported by wiresharks
-\(lqExport selected packet bytes\(rq
-function\&.
-.PP
-The context argument can be used to load context data from the request packet when parsing reply packets (such as array lengths)\&.
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-wireshark, pidl
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-ndrdump was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/nmblookup.1 b/net/samba413/files/man/nmblookup.1
deleted file mode 100644
index 186b3dbaa8db..000000000000
--- a/net/samba413/files/man/nmblookup.1
+++ /dev/null
@@ -1,225 +0,0 @@
-'\" t
-.\" Title: nmblookup
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: User Commands
-.\" Source: Samba 4.12.7
-.\" Language: English
-.\"
-.TH "NMBLOOKUP" "1" "09/23/2020" "Samba 4\&.12\&.7" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-nmblookup \- NetBIOS over TCP/IP client used to lookup NetBIOS names
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-nmblookup [\-M|\-\-master\-browser] [\-R|\-\-recursion] [\-S|\-\-status] [\-r|\-\-root\-port] [\-A|\-\-lookup\-by\-ip] [\-B|\-\-broadcast\ <broadcast\ address>] [\-U|\-\-unicast\ <unicast\ address>] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-i\ <NetBIOS\ scope>] [\-T|\-\-translate] [\-f|\-\-flags] {name}
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-nmblookup
-is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries\&. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine\&. All queries are done over UDP\&.
-.SH "OPTIONS"
-.PP
-\-M|\-\-master\-browser
-.RS 4
-Searches for a master browser by looking up the NetBIOS
-\fIname\fR
-with a type of
-\fB0x1d\fR\&. If
-\fI name\fR
-is "\-" then it does a lookup on the special name
-\fB__MSBROWSE__\fR\&. Please note that in order to use the name "\-", you need to make sure "\-" isn\*(Aqt parsed as an argument, e\&.g\&. use :
-\fBnmblookup \-M \-\- \-\fR\&.
-.RE
-.PP
-\-R|\-\-recursion
-.RS 4
-Set the recursion desired bit in the packet to do a recursive lookup\&. This is used when sending a name query to a machine running a WINS server and the user wishes to query the names in the WINS server\&. If this bit is unset the normal (broadcast responding) NetBIOS processing code on a machine is used instead\&. See RFC1001, RFC1002 for details\&.
-.RE
-.PP
-\-S|\-\-status
-.RS 4
-Once the name query has returned an IP address then do a node status query as well\&. A node status query returns the NetBIOS names registered by a host\&.
-.RE
-.PP
-\-r|\-\-root\-port
-.RS 4
-Try and bind to UDP port 137 to send and receive UDP datagrams\&. The reason for this option is a bug in Windows 95 where it ignores the source port of the requesting packet and only replies to UDP port 137\&. Unfortunately, on most UNIX systems root privilege is needed to bind to this port, and in addition, if the
-\fBnmbd\fR(8)
-daemon is running on this machine it also binds to this port\&.
-.RE
-.PP
-\-A|\-\-lookup\-by\-ip
-.RS 4
-Interpret
-\fIname\fR
-as an IP Address and do a node status query on this address\&.
-.RE
-.PP
-\-n|\-\-netbiosname <primary NetBIOS name>
-.RS 4
-This option allows you to override the NetBIOS name that Samba uses for itself\&. This is identical to setting the
-\m[blue]\fBnetbios name\fR\m[]
-parameter in the
-smb\&.conf
-file\&. However, a command line setting will take precedence over settings in
-smb\&.conf\&.
-.RE
-.PP
-\-i|\-\-scope <scope>
-.RS 4
-This specifies a NetBIOS scope that
-nmblookup
-will use to communicate with when generating NetBIOS names\&. For details on the use of NetBIOS scopes, see rfc1001\&.txt and rfc1002\&.txt\&. NetBIOS scopes are
-\fIvery\fR
-rarely used, only set this parameter if you are the system administrator in charge of all the NetBIOS systems you communicate with\&.
-.RE
-.PP
-\-W|\-\-workgroup=domain
-.RS 4
-Set the SMB domain of the username\&. This overrides the default domain which is the domain defined in smb\&.conf\&. If the domain specified is the same as the servers NetBIOS name, it causes the client to log on using the servers local SAM (as opposed to the Domain SAM)\&.
-.RE
-.PP
-\-O|\-\-socket\-options socket options
-.RS 4
-TCP socket options to set on the client socket\&. See the socket options parameter in the
-smb\&.conf
-manual page for the list of valid options\&.
-.RE
-.PP
-\-?|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Display brief usage message\&.
-.RE
-.PP
-\-B|\-\-broadcast <broadcast address>
-.RS 4
-Send the query to the given broadcast address\&. Without this option the default behavior of nmblookup is to send the query to the broadcast address of the network interfaces as either auto\-detected or defined in the
-\fIinterfaces\fR
-parameter of the
-\fBsmb.conf\fR(5)
-file\&.
-.RE
-.PP
-\-U|\-\-unicast <unicast address>
-.RS 4
-Do a unicast query to the specified address or host
-\fIunicast address\fR\&. This option (along with the
-\fI\-R\fR
-option) is needed to query a WINS server\&.
-.RE
-.PP
-\-d|\-\-debuglevel=level
-.RS 4
-\fIlevel\fR
-is an integer from 0 to 10\&. The default value if this parameter is not specified is 0\&.
-.sp
-The higher this value, the more detail will be logged to the log files about the activities of the server\&. At level 0, only critical errors and serious warnings will be logged\&. Level 1 is a reasonable level for day\-to\-day running \- it generates a small amount of information about operations carried out\&.
-.sp
-Levels above 1 will generate considerable amounts of log data, and should only be used when investigating a problem\&. Levels above 3 are designed for use only by developers and generate HUGE amounts of log data, most of which is extremely cryptic\&.
-.sp
-Note that specifying this parameter here will override the
-\m[blue]\fBlog level\fR\m[]
-parameter in the
-smb\&.conf
-file\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-s|\-\-configfile=<configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-l|\-\-log\-basename=logdirectory
-.RS 4
-Base directory name for log/debug files\&. The extension
-\fB"\&.progname"\fR
-will be appended (e\&.g\&. log\&.smbclient, log\&.smbd, etc\&.\&.\&.)\&. The log file is never removed by the client\&.
-.RE
-.PP
-\-\-option=<name>=<value>
-.RS 4
-Set the
-\fBsmb.conf\fR(5)
-option "<name>" to value "<value>" from the command line\&. This overrides compiled\-in defaults and options read from the configuration file\&.
-.RE
-.PP
-\-T|\-\-translate
-.RS 4
-This causes any IP addresses found in the lookup to be looked up via a reverse DNS lookup into a DNS name, and printed out before each
-.sp
-\fIIP address \&.\&.\&.\&. NetBIOS name\fR
-.sp
-pair that is the normal output\&.
-.RE
-.PP
-\-f|\-\-flags
-.RS 4
-Show which flags apply to the name that has been looked up\&. Possible answers are zero or more of: Response, Authoritative, Truncated, Recursion_Desired, Recursion_Available, Broadcast\&.
-.RE
-.PP
-name
-.RS 4
-This is the NetBIOS name being queried\&. Depending upon the previous options this may be a NetBIOS name or IP address\&. If a NetBIOS name then the different name types may be specified by appending \*(Aq#<type>\*(Aq to the name\&. This name may also be \*(Aq*\*(Aq, which will return all registered names within a broadcast area\&.
-.RE
-.SH "EXAMPLES"
-.PP
-nmblookup
-can be used to query a WINS server (in the same way
-nslookup
-is used to query DNS servers)\&. To query a WINS server,
-nmblookup
-must be called like this:
-.PP
-nmblookup \-U server \-R \*(Aqname\*(Aq
-.PP
-For example, running :
-.PP
-nmblookup \-U samba\&.org \-R \*(AqIRIX#1B\*(Aq
-.PP
-would query the WINS server samba\&.org for the domain master browser (1B name type) for the IRIX workgroup\&.
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.12\&.7 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-\fBnmbd\fR(8),
-\fBsamba\fR(7), and
-\fBsmb.conf\fR(5)\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff --git a/net/samba413/files/man/nmblookup4.1 b/net/samba413/files/man/nmblookup4.1
deleted file mode 100644
index 8b98f793c915..000000000000
--- a/net/samba413/files/man/nmblookup4.1
+++ /dev/null
@@ -1,157 +0,0 @@
-'\" t
-.\" Title: nmblookup4
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 03/24/2017
-.\" Manual: User Commands
-.\" Source: Samba 3.2
-.\" Language: English
-.\"
-.TH "NMBLOOKUP4" "1" "03/24/2017" "Samba 3\&.2" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-nmblookup4 \- NetBIOS over TCP/IP client used to lookup NetBIOS names
-.SH "SYNOPSIS"
-.HP \w'\fBnmblookup4\fR\ 'u
-\fBnmblookup4\fR [\-M] [\-R] [\-S] [\-r] [\-A] [\-h] [\-B\ <broadcast\ address>] [\-U\ <unicast\ address>] [\-d\ <debug\ level>] [\-s\ <smb\ config\ file>] [\-i\ <NetBIOS\ scope>] [\-T] [\-f] {name}
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-\fBnmblookup4\fR
-is used to query NetBIOS names and map them to IP addresses in a network using NetBIOS over TCP/IP queries\&. The options allow the name queries to be directed at a particular IP broadcast area or to a particular machine\&. All queries are done over UDP\&.
-.SH "OPTIONS"
-.PP
-\-M
-.RS 4
-Searches for a master browser by looking up the NetBIOS
-\fIname\fR
-with a type of
-\fB0x1d\fR\&. If
-\fI name\fR
-is "\-" then it does a lookup on the special name
-\fB__MSBROWSE__\fR\&. Please note that in order to use the name "\-", you need to make sure "\-" isn\*(Aqt parsed as an argument, e\&.g\&. use :
-\fBnmblookup4 \-M \-\- \-\fR\&.
-.RE
-.PP
-\-R
-.RS 4
-Set the recursion desired bit in the packet to do a recursive lookup\&. This is used when sending a name query to a machine running a WINS server and the user wishes to query the names in the WINS server\&. If this bit is unset the normal (broadcast responding) NetBIOS processing code on a machine is used instead\&. See RFC1001, RFC1002 for details\&.
-.RE
-.PP
-\-S
-.RS 4
-Once the name query has returned an IP address then do a node status query as well\&. A node status query returns the NetBIOS names registered by a host\&.
-.RE
-.PP
-\-r
-.RS 4
-Try and bind to UDP port 137 to send and receive UDP datagrams\&. The reason for this option is a bug in Windows 95 where it ignores the source port of the requesting packet and only replies to UDP port 137\&. Unfortunately, on most UNIX systems root privilege is needed to bind to this port, and in addition, if the
-\fBnmbd\fR(8)
-daemon is running on this machine it also binds to this port\&.
-.RE
-.PP
-\-A
-.RS 4
-Interpret
-\fIname\fR
-as an IP Address and do a node status query on this address\&.
-.RE
-.PP
-\-B <broadcast address>
-.RS 4
-Send the query to the given broadcast address\&. Without this option the default behavior of nmblookup4 is to send the query to the broadcast address of the network interfaces as either auto\-detected or defined in the
-\m[blue]\fB\fIinterfaces\fR\fR\m[]\&\s-2\u[1]\d\s+2
-parameter of the
-\fBsmb.conf\fR(5)
-file\&.
-.RE
-.PP
-\-U <unicast address>
-.RS 4
-Do a unicast query to the specified address or host
-\fIunicast address\fR\&. This option (along with the
-\fI\-R\fR
-option) is needed to query a WINS server\&.
-.RE
-.PP
-\-T
-.RS 4
-This causes any IP addresses found in the lookup to be looked up via a reverse DNS lookup into a DNS name, and printed out before each
-.sp
-\fIIP address \&.\&.\&.\&. NetBIOS name\fR
-.sp
-pair that is the normal output\&.
-.RE
-.PP
-\-f
-.RS 4
-Show which flags apply to the name that has been looked up\&. Possible answers are zero or more of: Response, Authoritative, Truncated, Recursion_Desired, Recursion_Available, Broadcast\&.
-.RE
-.PP
-name
-.RS 4
-This is the NetBIOS name being queried\&. Depending upon the previous options this may be a NetBIOS name or IP address\&. If a NetBIOS name then the different name types may be specified by appending \*(Aq#<type>\*(Aq to the name\&. This name may also be \*(Aq*\*(Aq, which will return all registered names within a broadcast area\&.
-.RE
-.SH "EXAMPLES"
-.PP
-\fBnmblookup4\fR
-can be used to query a WINS server (in the same way
-\fBnslookup\fR
-is used to query DNS servers)\&. To query a WINS server,
-\fBnmblookup4\fR
-must be called like this:
-.PP
-\fBnmblookup4 \-U server \-R \*(Aqname\*(Aq\fR
-.PP
-For example, running :
-.PP
-\fBnmblookup4 \-U samba\&.org \-R \*(AqIRIX#1B\*(Aq\fR
-.PP
-would query the WINS server samba\&.org for the domain master browser (1B name type) for the IRIX workgroup\&.
-.SH "VERSION"
-.PP
-This man page is correct for version 3 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-\fBnmbd\fR(8),
-\fBsamba\fR(7), and
-\fBsmb.conf\fR(5)\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The original Samba man pages were written by Karl Auer\&. The man page sources were converted to YODL format (another excellent piece of Open Source software, available at
-\m[blue]\fBftp://ftp\&.icce\&.rug\&.nl/pub/unix/\fR\m[]\&\s-2\u[2]\d\s+2) and updated for the Samba 2\&.0 release by Jeremy Allison\&. The conversion to DocBook for Samba 2\&.2 was done by Gerald Carter\&. The conversion to DocBook XML 4\&.2 for Samba 3\&.0 was done by Alexander Bokovoy\&.
-.SH "NOTES"
-.IP " 1." 4
-\fIinterfaces\fR
-
-.RS 4
-\%[set $man.base.url.for.relative.links]/smb.conf.5.html#INTERFACES
-.RE
-.IP " 2." 4
-ftp://ftp.icce.rug.nl/pub/unix/
-.RS 4
-\%ftp://ftp.icce.rug.nl/pub/unix/
-.RE
diff --git a/net/samba413/files/man/ntlm_auth.1 b/net/samba413/files/man/ntlm_auth.1
deleted file mode 100644
index d06412615abc..000000000000
--- a/net/samba413/files/man/ntlm_auth.1
+++ /dev/null
@@ -1,429 +0,0 @@
-'\" t
-.\" Title: ntlm_auth
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: User Commands
-.\" Source: Samba 4.12.7
-.\" Language: English
-.\"
-.TH "NTLM_AUTH" "1" "09/23/2020" "Samba 4\&.12\&.7" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ntlm_auth \- tool to allow external access to Winbind\*(Aqs NTLM authentication function
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-ntlm_auth
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-ntlm_auth
-is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth uses winbind to access the user and authentication data for a domain\&. This utility is only intended to be used by other programs (currently
-Squid
-and
-mod_ntlm_winbind)
-.SH "OPERATIONAL REQUIREMENTS"
-.PP
-The
-\fBwinbindd\fR(8)
-daemon must be operational for many of these commands to function\&.
-.PP
-Some of these commands also require access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. This should be done either by running this command as root or providing group access to the
-winbindd_privileged
-directory\&. For security reasons, this directory should not be world\-accessable\&.
-.SH "OPTIONS"
-.PP
-\-\-helper\-protocol=PROTO
-.RS 4
-Operate as a stdio\-based helper\&. Valid helper protocols are:
-.PP
-squid\-2\&.4\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-ntlmssp
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. The protocol used is described here:
-http://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\&. This protocol has been extended to allow the NTLMSSP Negotiate packet to be included as an argument to the
-YR
-command\&. (Thus avoiding loss of information in the protocol exchange)\&.
-.RE
-.PP
-ntlmssp\-client\-1
-.RS 4
-Client\-side helper for use with arbitrary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowledge\&.
-.sp
-This helper is a client, and as such may be run by any user\&. The protocol used is effectively the reverse of the previous protocol\&. A
-YR
-command (without any arguments) starts the authentication exchange\&.
-.RE
-.PP
-gss\-spnego
-.RS 4
-Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
-squid\-2\&.5\-ntlmssp, but has some subtle differences that are undocumented outside the source at this stage\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&.
-.RE
-.PP
-gss\-spnego\-client
-.RS 4
-Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
-.RE
-.PP
-ntlm\-server\-1
-.RS 4
-Server\-side helper protocol, intended for use by a RADIUS server or the \*(Aqwinbind\*(Aq plugin for pppd, for the provision of MSCHAP and MSCHAPv2 authentication\&.
-.sp
-This protocol consists of lines in the form:
-Parameter: value
-and
-Parameter:: Base64\-encode value\&. The presence of a single period
-\&.
-indicates that one side has finished supplying data to the other\&. (Which in turn could cause the helper to authenticate the user)\&.
-.sp
-Currently implemented parameters from the external program to the helper are:
-.PP
-Username
-.RS 4
-The username, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-Username: bob
-.sp
-Username:: Ym9i
-.RE
-.RE
-.PP
-NT\-Domain
-.RS 4
-The user\*(Aqs domain, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-NT\-Domain: WORKGROUP
-.sp
-NT\-Domain:: V09SS0dST1VQ
-.RE
-.RE
-.PP
-Full\-Username
-.RS 4
-The fully qualified username, expected to be in Samba\*(Aqs
-\m[blue]\fBunix charset\fR\m[]
-and qualified with the
-\m[blue]\fBwinbind separator\fR\m[]\&.
-.PP
-Examples:
-.RS 4
-Full\-Username: WORKGROUP\ebob
-.sp
-Full\-Username:: V09SS0dST1VQYm9i
-.RE
-.RE
-.PP
-LANMAN\-Challenge
-.RS 4
-The 8 byte
-LANMAN Challenge
-value, generated randomly by the server, or (in cases such as MSCHAPv2) generated in some way by both the server and the client\&.
-.PP
-Examples:
-.RS 4
-LANMAN\-Challenge: 0102030405060708
-.RE
-.RE
-.PP
-LANMAN\-Response
-.RS 4
-The 24 byte
-LANMAN Response
-value, calculated from the user\*(Aqs password and the supplied
-LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
-.PP
-Examples:
-.RS 4
-LANMAN\-Response: 0102030405060708090A0B0C0D0E0F101112131415161718
-.RE
-.RE
-.PP
-NT\-Response
-.RS 4
-The >= 24 byte
-NT Response
-calculated from the user\*(Aqs password and the supplied
-LANMAN Challenge\&. Typically, this is provided over the network by a client wishing to authenticate\&.
-.PP
-Examples:
-.RS 4
-NT\-Response: 0102030405060708090A0B0C0D0E0F10111213141516171
-.RE
-.RE
-.PP
-Password
-.RS 4
-The user\*(Aqs password\&. This would be provided by a network client, if the helper is being used in a legacy situation that exposes plaintext passwords in this way\&.
-.PP
-Examples:
-.RS 4
-Password: samba2
-.sp
-Password:: c2FtYmEy
-.RE
-.RE
-.PP
-Request\-User\-Session\-Key
-.RS 4
-Upon successful authentication, return the user session key associated with the login\&.
-.PP
-Examples:
-.RS 4
-Request\-User\-Session\-Key: Yes
-.RE
-.RE
-.PP
-Request\-LanMan\-Session\-Key
-.RS 4
-Upon successful authentication, return the LANMAN session key associated with the login\&.
-.PP
-Examples:
-.RS 4
-Request\-LanMan\-Session\-Key: Yes
-.RE
-.RE
-.RE
-.sp
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBWarning\fR
-.ps -1
-.br
-Implementers should take care to base64 encode any data (such as usernames/passwords) that may contain malicious user data, such as a newline\&. They may also need to decode strings from the helper, which likewise may have been base64 encoded\&.
-.sp .5v
-.RE
-.RE
-.PP
-\-\-username=USERNAME
-.RS 4
-Specify username of user to authenticate
-.RE
-.PP
-\-\-domain=DOMAIN
-.RS 4
-Specify domain of user to authenticate
-.RE
-.PP
-\-\-workstation=WORKSTATION
-.RS 4
-Specify the workstation the user authenticated from
-.RE
-.PP
-\-\-challenge=STRING
-.RS 4
-NTLM challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-lm\-response=RESPONSE
-.RS 4
-LM Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-nt\-response=RESPONSE
-.RS 4
-NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-password=PASSWORD
-.RS 4
-User\*(Aqs plaintext password
-.sp
-If not specified on the command line, this is prompted for when required\&.
-.sp
-For the NTLMSSP based server roles, this parameter specifies the expected password, allowing testing without winbindd operational\&.
-.RE
-.PP
-\-\-request\-lm\-key
-.RS 4
-Retrieve LM session key
-.RE
-.PP
-\-\-request\-nt\-key
-.RS 4
-Request NT key
-.RE
-.PP
-\-\-diagnostics
-.RS 4
-Perform Diagnostics on the authentication chain\&. Uses the password from
-\-\-password
-or prompts for one\&.
-.RE
-.PP
-\-\-require\-membership\-of={SID|Name}
-.RS 4
-Require that a user be a member of specified group (either name or SID) for authentication to succeed\&.
-.RE
-.PP
-\-\-pam\-winbind\-conf=FILENAME
-.RS 4
-Define the path to the pam_winbind\&.conf file\&.
-.RE
-.PP
-\-\-target\-hostname=HOSTNAME
-.RS 4
-Define the target hostname\&.
-.RE
-.PP
-\-\-target\-service=SERVICE
-.RS 4
-Define the target service\&.
-.RE
-.PP
-\-\-use\-cached\-creds
-.RS 4
-Whether to use credentials cached by winbindd\&.
-.RE
-.PP
-\-\-allow\-mschapv2
-.RS 4
-Explicitly allow MSCHAPv2\&.
-.RE
-.PP
-\-\-offline\-logon
-.RS 4
-Allow offline logons for plain text auth\&.
-.RE
-.PP
-\-\-configfile=<configuration file>
-.RS 4
-The file specified contains the configuration details required by the server\&. The information in this file includes server\-specific information such as what printcap file to use, as well as descriptions of all the services that the server is to provide\&. See
-smb\&.conf
-for more information\&. The default configuration file name is determined at compile time\&.
-.RE
-.PP
-\-V|\-\-version
-.RS 4
-Prints the program version number\&.
-.RE
-.PP
-\-?|\-\-help
-.RS 4
-Print a summary of command line options\&.
-.RE
-.PP
-\-\-usage
-.RS 4
-Display brief usage message\&.
-.RE
-.SH "EXAMPLE SETUP"
-.PP
-To setup ntlm_auth for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp
-auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy\-caching web server
-auth_param basic credentialsttl 2 hours
-.fi
-.if n \{\
-.RE
-.\}
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-This example assumes that ntlm_auth has been installed into your path, and that the group permissions on
-winbindd_privileged
-are as described above\&.
-.sp .5v
-.RE
-.PP
-To setup ntlm_auth for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-auth_param basic program ntlm_auth \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-.fi
-.if n \{\
-.RE
-.\}
-.SH "TROUBLESHOOTING"
-.PP
-If you\*(Aqre experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millennium Edition against ntlm_auth\*(Aqs NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please read
-the Microsoft Knowledge Base article #239869 and follow instructions described there\&.
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.12\&.7 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The ntlm_auth manpage was written by Jelmer Vernooij and Andrew Bartlett\&.
diff --git a/net/samba413/files/man/ntlm_auth4.1 b/net/samba413/files/man/ntlm_auth4.1
deleted file mode 100644
index ad1863b7aa56..000000000000
--- a/net/samba413/files/man/ntlm_auth4.1
+++ /dev/null
@@ -1,233 +0,0 @@
-'\" t
-.\" Title: ntlm_auth4
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 03/24/2017
-.\" Manual: User Commands
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "NTLM_AUTH4" "1" "03/24/2017" "Samba 4\&.0" "User Commands"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ntlm_auth4 \- tool to allow external access to Winbind\*(Aqs NTLM authentication function
-.SH "SYNOPSIS"
-.HP \w'\fBntlm_auth4\fR\ 'u
-\fBntlm_auth4\fR [\-d\ debuglevel] [\-l\ logdir] [\-s\ <smb\ config\ file>]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-\fBntlm_auth4\fR
-is a helper utility that authenticates users using NT/LM authentication\&. It returns 0 if the users is authenticated successfully and 1 if access was denied\&. ntlm_auth4 uses winbind to access the user and authentication data for a domain\&. This utility is only indended to be used by other programs (currently squid)\&.
-.SH "OPERATIONAL REQUIREMENTS"
-.PP
-The
-\fBwinbindd\fR(8)
-daemon must be operational for many of these commands to function\&.
-.PP
-Some of these commands also require access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. This should be done either by running this command as root or providing group access to the
-winbindd_privileged
-directory\&. For security reasons, this directory should not be world\-accessable\&.
-.SH "OPTIONS"
-.PP
-\-\-helper\-protocol=PROTO
-.RS 4
-Operate as a stdio\-based helper\&. Valid helper protocols are:
-.PP
-squid\-2\&.4\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.4\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-basic
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs basic (plaintext) authentication\&.
-.RE
-.PP
-squid\-2\&.5\-ntlmssp
-.RS 4
-Server\-side helper for use with Squid 2\&.5\*(Aqs NTLMSSP authentication\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&. The protocol used is described here:
-\m[blue]\fBhttp://devel\&.squid\-cache\&.org/ntlm/squid_helper_protocol\&.html\fR\m[]
-.RE
-.PP
-ntlmssp\-client\-1
-.RS 4
-Cleint\-side helper for use with arbitary external programs that may wish to use Samba\*(Aqs NTLMSSP authentication knowlege\&.
-.sp
-This helper is a client, and as such may be run by any user\&. The protocol used is effectivly the reverse of the previous protocol\&.
-.RE
-.PP
-gss\-spnego
-.RS 4
-Server\-side helper that implements GSS\-SPNEGO\&. This uses a protocol that is almost the same as
-\fBsquid\-2\&.5\-ntlmssp\fR, but has some subtle differences that are undocumented outside the source at this stage\&.
-.sp
-Requires access to the directory
-winbindd_privileged
-in
-$LOCKDIR\&.
-.RE
-.PP
-gss\-spnego\-client
-.RS 4
-Client\-side helper that implements GSS\-SPNEGO\&. This also uses a protocol similar to the above helpers, but is currently undocumented\&.
-.RE
-.RE
-.PP
-\-\-username=USERNAME
-.RS 4
-Specify username of user to authenticate
-.RE
-.PP
-\-\-domain=DOMAIN
-.RS 4
-Specify domain of user to authenticate
-.RE
-.PP
-\-\-workstation=WORKSTATION
-.RS 4
-Specify the workstation the user authenticated from
-.RE
-.PP
-\-\-challenge=STRING
-.RS 4
-NTLM challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-lm\-response=RESPONSE
-.RS 4
-LM Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-nt\-response=RESPONSE
-.RS 4
-NT or NTLMv2 Response to the challenge (in HEXADECIMAL)
-.RE
-.PP
-\-\-password=PASSWORD
-.RS 4
-User\*(Aqs plaintext password
-.sp
-If not specified on the command line, this is prompted for when required\&.
-.RE
-.PP
-\-\-request\-lm\-key
-.RS 4
-Retrieve LM session key
-.RE
-.PP
-\-\-request\-nt\-key
-.RS 4
-Request NT key
-.RE
-.PP
-\-\-diagnostics
-.RS 4
-Perform Diagnostics on the authentication chain\&. Uses the password from
-\fB\-\-password\fR
-or prompts for one\&.
-.RE
-.PP
-\-\-require\-membership\-of={SID|Name}
-.RS 4
-Require that a user be a member of specified group (either name or SID) for authentication to succeed\&.
-.RE
-.SH "EXAMPLE SETUP"
-.PP
-To setup ntlm_auth4 for use by squid 2\&.5, with both basic and NTLMSSP authentication, the following should be placed in the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth4 \-\-helper\-protocol=squid\-2\&.5\-ntlmssp
-auth_param basic program ntlm_auth4 \-\-helper\-protocol=squid\-2\&.5\-basic
-auth_param basic children 5
-auth_param basic realm Squid proxy\-caching web server
-auth_param basic credentialsttl 2 hours
-.fi
-.if n \{\
-.RE
-.\}
-.if n \{\
-.sp
-.\}
-.RS 4
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.ps +1
-\fBNote\fR
-.ps -1
-.br
-.PP
-This example assumes that ntlm_auth4 has been installed into your path, and that the group permissions on
-winbindd_privileged
-are as described above\&.
-.sp .5v
-.RE
-.PP
-To setup ntlm_auth4 for use by squid 2\&.5 with group limitation in addition to the above example, the following should be added to the
-squid\&.conf
-file\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-auth_param ntlm program ntlm_auth4 \-\-helper\-protocol=squid\-2\&.5\-ntlmssp \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-auth_param basic program ntlm_auth4 \-\-helper\-protocol=squid\-2\&.5\-basic \-\-require\-membership\-of=\*(AqWORKGROUP\eDomain Users\*(Aq
-.fi
-.if n \{\
-.RE
-.\}
-.SH "TROUBLESHOOTING"
-.PP
-If you\*(Aqre experiencing problems with authenticating Internet Explorer running under MS Windows 9X or Millenium Edition against ntlm_auth4\*(Aqs NTLMSSP authentication helper (\-\-helper\-protocol=squid\-2\&.5\-ntlmssp), then please read
-\m[blue]\fBthe Microsoft Knowledge Base article #239869 and follow instructions described there\fR\m[]\&\s-2\u[1]\d\s+2\&.
-.SH "VERSION"
-.PP
-This man page is correct for version 3\&.0 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The ntlm_auth4 manpage was written by Jelmer Vernooij and Andrew Bartlett\&.
-.SH "NOTES"
-.IP " 1." 4
-the Microsoft Knowledge Base article #239869 and follow instructions described there
-.RS 4
-\%http://support.microsoft.com/support/kb/articles/Q239/8/69.ASP
-.RE
diff --git a/net/samba413/files/man/oLschema2ldif.1 b/net/samba413/files/man/oLschema2ldif.1
deleted file mode 100644
index 7d464dc465a6..000000000000
--- a/net/samba413/files/man/oLschema2ldif.1
+++ /dev/null
@@ -1,74 +0,0 @@
-'\" t
-.\" Title: oLschema2ldif
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "OLSCHEMA2LDIF" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-oLschema2ldif \- Converts LDAP schema\*(Aqs to LDB\-compatible LDIF
-.SH "SYNOPSIS"
-.HP \w'\fBoLschema2ldif\fR\ 'u
-\fBoLschema2ldif\fR [\-I\ INPUT\-FILE] [\-O\ OUTPUT\-FILE]
-.SH "DESCRIPTION"
-.PP
-oLschema2ldif is a simple tool that converts standard OpenLDAP schema files to a LDIF format that is understood by LDB\&.
-.SH "OPTIONS"
-.PP
-\-I input\-file
-.RS 4
-OpenLDAP schema to read\&. If none are specified, the schema file will be read from standard input\&.
-.RE
-.PP
-\-O output\-file
-.RS 4
-File to write ldif version of schema to\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-ldb(7), ldbmodify, ldbdel, ldif(5)
-.SH "AUTHOR"
-.PP
-ldb was written by
-\m[blue]\fBAndrew Tridgell\fR\m[]\&\s-2\u[1]\d\s+2\&. oLschema2ldif was written by
-\m[blue]\fBSimo Sorce\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-If you wish to report a problem or make a suggestion then please see the
-\m[blue]\fB\%http://ldb.samba.org/\fR\m[]
-web site for current contact and maintainer information\&.
-.SH "NOTES"
-.IP " 1." 4
-Andrew Tridgell
-.RS 4
-\%https://www.samba.org/~tridge/
-.RE
-.IP " 2." 4
-Simo Sorce
-.RS 4
-\%mailto:idra@samba.org
-.RE
diff --git a/net/samba413/files/man/onnode.1 b/net/samba413/files/man/onnode.1
deleted file mode 100644
index 1fbd44b45ffc..000000000000
--- a/net/samba413/files/man/onnode.1
+++ /dev/null
@@ -1,218 +0,0 @@
-'\" t
-.\" Title: onnode
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "ONNODE" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-onnode \- run commands on CTDB cluster nodes
-.SH "SYNOPSIS"
-.HP \w'\fBonnode\fR\ 'u
-\fBonnode\fR [\fIOPTION\fR...] {\fINODES\fR} {\fICOMMAND\fR}
-.SH "DESCRIPTION"
-.PP
-onnode is a utility to run commands on a specific node of a CTDB cluster, or on all nodes\&.
-.PP
-\fINODES\fR
-specifies which node(s) to run a command on\&. See section
-NODES SPECIFICATION
-for details\&.
-.PP
-\fICOMMAND\fR
-can be any shell command\&. The onnode utility uses ssh or rsh to connect to the remote nodes and run the command\&.
-.SH "OPTIONS"
-.PP
-\-c
-.RS 4
-Execute COMMAND in the current working directory on the specified nodes\&.
-.RE
-.PP
-\-f \fIFILENAME\fR
-.RS 4
-Specify an alternative nodes FILENAME to use instead of the default\&. See the discussion of
-/usr/local/etc/ctdb/nodes
-in the FILES section for more details\&.
-.RE
-.PP
-\-i
-.RS 4
-Keep standard input open, allowing data to be piped to onnode\&. Normally onnode closes stdin to avoid surprises when scripting\&. Note that this option is ignored when using
-\fB\-p\fR
-or if
-\fBONNODE_SSH\fR
-is set to anything other than "ssh"\&.
-.RE
-.PP
-\-n
-.RS 4
-Allow nodes to be specified by name rather than node numbers\&. These nodes don\*(Aqt need to be listed in the nodes file\&. You can avoid the nodes file entirely by combining this with
-\-f /dev/null\&.
-.RE
-.PP
-\-p
-.RS 4
-Run COMMAND in parallel on the specified nodes\&. The default is to run COMMAND sequentially on each node\&.
-.RE
-.PP
-\-P
-.RS 4
-Push files to nodes\&. Names of files to push are specified rather than the usual command\&. Quoting is fragile/broken \- filenames with whitespace in them are not supported\&.
-.RE
-.PP
-\-q
-.RS 4
-Do not print node addresses\&. Normally, onnode prints informational node addresses if more than one node is specified\&. This overrides \-v\&.
-.RE
-.PP
-\-v
-.RS 4
-Print node addresses even if only one node is specified\&. Normally, onnode prints informational node addresses when more than one node is specified\&.
-.RE
-.PP
-\-h, \-\-help
-.RS 4
-Show a short usage guide\&.
-.RE
-.SH "NODES SPECIFICATION"
-.PP
-Nodes can be specified via numeric node numbers (from 0 to N\-1) or mnemonics\&. Multiple nodes are specified using lists of nodes, separated by commas, and ranges of numeric node numbers, separated by dashes\&. If nodes are specified multiple times then the command will be executed multiple times on those nodes\&. The order of nodes is significant\&.
-.PP
-The following mnemonics are available:
-.PP
-all
-.RS 4
-All nodes\&.
-.RE
-.PP
-any
-.RS 4
-A node where ctdbd is running\&. This semi\-random but there is a bias towards choosing a low numbered node\&.
-.RE
-.PP
-ok | healthy
-.RS 4
-All nodes that are not disconnected, banned, disabled or unhealthy\&.
-.RE
-.PP
-con | connected
-.RS 4
-All nodes that are not disconnected\&.
-.RE
-.SH "EXAMPLES"
-.PP
-The following command would show the process ID of ctdbd on all nodes
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- onnode all ctdb getpid
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The following command would show the last 5 lines of log on each node, preceded by the node\*(Aqs hostname
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- onnode all "hostname; tail \-5 /var/log/log\&.ctdb"
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The following command would restart the ctdb service on all nodes, in parallel\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- onnode \-p all service ctdb restart
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The following command would run \&./foo in the current working directory, in parallel, on nodes 0, 2, 3 and 4\&.
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- onnode \-c \-p 0,2\-4 \&./foo
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "FILES"
-.PP
-/usr/local/etc/ctdb/nodes
-.RS 4
-Default file containing a list of each node\*(Aqs IP address or hostname\&.
-.sp
-As above, a file specified via the
-\fB\-f\fR
-is given precedence\&. If a relative path is specified and no corresponding file exists relative to the current directory then the file is also searched for in the CTDB configuration directory\&.
-.sp
-Otherwise the default is
-/usr/local/etc/ctdb/nodes\&.
-.RE
-.PP
-/usr/local/etc/ctdb/onnode\&.conf
-.RS 4
-If this file exists it is sourced by onnode\&. The main purpose is to allow the administrator to set
-\fBONNODE_SSH\fR
-to something other than "ssh"\&. In this case the \-t option is ignored\&.
-.RE
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(7),
-\m[blue]\fB\%http://ctdb.samba.org/\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Andrew Tridgell, Martin Schwenke
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2007 Andrew Tridgell, Ronnie Sahlberg
-.br
-Copyright \(co 2008 Martin Schwenke
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/ping_pong.1 b/net/samba413/files/man/ping_pong.1
deleted file mode 100644
index 1ed9363b426c..000000000000
--- a/net/samba413/files/man/ping_pong.1
+++ /dev/null
@@ -1,122 +0,0 @@
-'\" t
-.\" Title: ping_pong
-.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: CTDB - clustered TDB database
-.\" Source: ctdb
-.\" Language: English
-.\"
-.TH "PING_PONG" "1" "09/23/2020" "ctdb" "CTDB \- clustered TDB database"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-ping_pong \- measures the ping\-pong byte range lock latency
-.SH "SYNOPSIS"
-.HP \w'\fBping_pong\fR\ 'u
-\fBping_pong\fR {\-r | \-w | \-rw} [\-m] [\-c] {\fIFILENAME\fR} {\fINUM\-LOCKS\fR}
-.SH "DESCRIPTION"
-.PP
-ping_pong measures the byte range lock latency\&. It is especially useful on a cluster of nodes sharing a common lock manager as it will give some indication of the lock manager\*(Aqs performance under stress\&.
-.PP
-FILENAME is a file on shared storage to use for byte range locking tests\&.
-.PP
-NUM\-LOCKS is the number of byte range locks, so needs to be (strictly) greater than the number of nodes in the cluster\&.
-.SH "OPTIONS"
-.PP
-\-r
-.RS 4
-test read performance
-.RE
-.PP
-\-w
-.RS 4
-test write performance
-.RE
-.PP
-\-m
-.RS 4
-use mmap
-.RE
-.PP
-\-c
-.RS 4
-validate the locks
-.RE
-.SH "EXAMPLES"
-.PP
-Testing lock coherence
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ping_pong test\&.dat N
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Testing lock coherence with lock validation
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ping_pong \-c test\&.dat N
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Testing IO coherence
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ping_pong \-rw test\&.dat N
-
-.fi
-.if n \{\
-.RE
-.\}
-.SH "SEE ALSO"
-.PP
-\fBctdb\fR(7),
-\m[blue]\fB\%https://wiki.samba.org/index.php/Ping_pong\fR\m[]
-.SH "AUTHOR"
-.br
-.PP
-This documentation was written by Mathieu Parent
-.SH "COPYRIGHT"
-.br
-Copyright \(co 2002 Andrew Tridgell
-.br
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see
-\m[blue]\fB\%http://www.gnu.org/licenses\fR\m[]\&.
-.sp
diff --git a/net/samba413/files/man/regdiff.1 b/net/samba413/files/man/regdiff.1
deleted file mode 100644
index d669648fac82..000000000000
--- a/net/samba413/files/man/regdiff.1
+++ /dev/null
@@ -1,87 +0,0 @@
-'\" t
-.\" Title: regdiff
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "REGDIFF" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-regdiff \- Diff program for Windows registry files
-.SH "SYNOPSIS"
-.HP \w'\fBregdiff\fR\ 'u
-\fBregdiff\fR [\-\-help] [\-\-backend=BACKEND] [\-\-credentials=CREDENTIALS] [location]
-.SH "DESCRIPTION"
-.PP
-regdiff compares two Windows registry files key by key and value by value and generates a text file that contains the differences between the two files\&.
-.PP
-A file generated by regdiff can later be applied to a registry file by the regpatch utility\&.
-.PP
-regdiff and regpatch use the same file format as the regedit32\&.exe utility from Windows\&.
-.SH "OPTIONS"
-.PP
-\-\-help
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-\-backend BACKEND
-.RS 4
-Name of backend to load\&. Possible values are: creg, regf, dir and rpc\&. The default is
-\fIdir\fR\&.
-.sp
-This argument can be specified twice: once for the first registry file and once for the second\&.
-.RE
-.PP
-\-\-credentials=CREDENTIALS
-.RS 4
-Credentials to use, if any\&. Password should be separated from user name by a percent sign\&.
-.sp
-This argument can be specified twice: once for the first registry file and once for the second\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-gregedit, regshell, regpatch, regtree, samba, patch, diff
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-This manpage and regdiff were written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/regpatch.1 b/net/samba413/files/man/regpatch.1
deleted file mode 100644
index e8255161fe74..000000000000
--- a/net/samba413/files/man/regpatch.1
+++ /dev/null
@@ -1,81 +0,0 @@
-'\" t
-.\" Title: regpatch
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "REGPATCH" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-regpatch \- Applies registry patches to registry files
-.SH "SYNOPSIS"
-.HP \w'\fBregpatch\fR\ 'u
-\fBregpatch\fR [\-\-help] [\-\-backend=BACKEND] [\-\-credentials=CREDENTIALS] [location] [patch\-file]
-.SH "DESCRIPTION"
-.PP
-The regpatch utility applies registry patches to Windows registry files\&. The patch files should have the same format as is being used by the regdiff utility and regedit32\&.exe from Windows\&.
-.PP
-If no patch file is specified on the command line, regpatch attempts to read it from standard input\&.
-.SH "OPTIONS"
-.PP
-\-\-help
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-\-backend BACKEND
-.RS 4
-Name of backend to load\&. Possible values are: creg, regf, dir and rpc\&. The default is
-\fIdir\fR\&.
-.RE
-.PP
-\-\-credentials=CREDENTIALS
-.RS 4
-Credentials to use, if any\&. Password should be separated from user name by a percent sign\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-regdiff, regtree, regshell, gregedit, samba, diff, patch
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-This manpage and regpatch were written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/regshell.1 b/net/samba413/files/man/regshell.1
deleted file mode 100644
index a43926e10c3a..000000000000
--- a/net/samba413/files/man/regshell.1
+++ /dev/null
@@ -1,177 +0,0 @@
-'\" t
-.\" Title: regshell
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "REGSHELL" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-regshell \- Windows registry file browser using readline
-.SH "SYNOPSIS"
-.HP \w'\fBregshell\fR\ 'u
-\fBregshell\fR [\-\-help] [\-\-backend=BACKEND] [\-\-credentials=CREDENTIALS] [location]
-.SH "DESCRIPTION"
-.PP
-regshell is a utility that lets you browse thru a Windows registry file as if you were using a regular unix shell to browse thru a file system\&.
-.SH "OPTIONS"
-.PP
-\-\-help
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-\-backend BACKEND
-.RS 4
-Name of backend to load\&. Possible values are: creg, regf, dir and rpc\&. The default is
-\fIdir\fR\&.
-.RE
-.PP
-\-\-credentials=CREDENTIALS
-.RS 4
-Credentials to use, if any\&. Password should be separated from user name by a percent sign\&.
-.RE
-.SH "COMMANDS"
-.PP
-ck|cd <keyname>
-.RS 4
-Go to the specified subkey\&.
-.RE
-.PP
-ch|predef [predefined\-key\-name]
-.RS 4
-Go to the specified predefined key\&.
-.RE
-.PP
-list|ls
-.RS 4
-List subkeys and values of the current key\&.
-.RE
-.PP
-mkkey|mkdir <keyname>
-.RS 4
-Create a key with the specified
-\fIkeyname\fR
-as a subkey of the current key\&.
-.RE
-.PP
-rmval|rm <valname>
-.RS 4
-Delete the specified value\&.
-.RE
-.PP
-rmkey|rmdir <keyname>
-.RS 4
-Delete the specified subkey recursively\&.
-.RE
-.PP
-pwd|pwk
-.RS 4
-Print the full name of the current key\&.
-.RE
-.PP
-set|update
-.RS 4
-Update the value of a key value\&. Not implemented at the moment\&.
-.RE
-.PP
-help|?
-.RS 4
-Print a list of available commands\&.
-.RE
-.PP
-exit|quit
-.RS 4
-Leave regshell\&.
-.RE
-.SH "EXAMPLES"
-.PP
-Browsing thru a nt4 registry file
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-\fBregshell \-b nt4 NTUSER\&.DAT\fR
-$$$PROTO\&.HIV> \fBls\fR
-K AppEvents
-K Console
-K Control Panel
-K Environment
-K Identities
-K Keyboard Layout
-K Network
-K Printers
-K Software
-K UNICODE Program Groups
-K Windows 3\&.1 Migration Status
-$$$PROTO\&.HIV> \fBexit\fR
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Listing the subkeys of HKEY_CURRENT_USER\eAppEvents on a remote computer:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-\fBregshell \-\-remote=ncacn_np:aurelia \-c "jelmer%secret"\fR
-HKEY_CURRENT_MACHINE> \fBpredef HKEY_CURRENT_USER\fR
-HKEY_CURRENT_USER> \fBcd AppEvents\fR
-Current path is: HKEY_CURRENT_USER\eAppEvents
-HKEY_CURRENT_USER\eAppEvents> \fBls\fR
-K EventLabels
-K Schemes
-HKEY_CURRENT_USER\eAppEvents> \fBexit\fR
-.fi
-.if n \{\
-.RE
-.\}
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-regtree, regdiff, regpatch, gregedit, samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-This manpage and regshell were written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/regtree.1 b/net/samba413/files/man/regtree.1
deleted file mode 100644
index fc1d39171c71..000000000000
--- a/net/samba413/files/man/regtree.1
+++ /dev/null
@@ -1,89 +0,0 @@
-'\" t
-.\" Title: regtree
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "REGTREE" "1" "09/23/2020" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-regtree \- Text\-mode registry viewer
-.SH "SYNOPSIS"
-.HP \w'\fBregtree\fR\ 'u
-\fBregtree\fR [\-\-help] [\-\-backend=BACKEND] [\-\-fullpath] [\-\-no\-values] [\-\-credentials=CREDENTIALS] [location]
-.SH "DESCRIPTION"
-.PP
-The regtree utility prints out all the contents of a Windows registry file\&. Subkeys are printed with one level more indentation than their parents\&.
-.SH "OPTIONS"
-.PP
-\-\-help
-.RS 4
-Show list of available options\&.
-.RE
-.PP
-\-\-backend BACKEND
-.RS 4
-Name of backend to load\&. Possible values are: creg, regf, dir and rpc\&. The default is
-\fIdir\fR\&.
-.RE
-.PP
-\-\-credentials=CREDENTIALS
-.RS 4
-Credentials to use, if any\&. Password should be separated from user name by a percent sign\&.
-.RE
-.PP
-\-\-fullpath
-.RS 4
-Print the full path to each key instead of only its name\&.
-.RE
-.PP
-\-\-no\-values
-.RS 4
-Don\*(Aqt print values, just keys\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-gregedit, regshell, regdiff, regpatch, samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-This manpage and regtree were written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/samba-gpupdate.8 b/net/samba413/files/man/samba-gpupdate.8
deleted file mode 100644
index c464ec605737..000000000000
--- a/net/samba413/files/man/samba-gpupdate.8
+++ /dev/null
@@ -1,116 +0,0 @@
-'\" t
-.\" Title: SAMBA_GPOUPDATE
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 2017-07-11
-.\" Manual: System Administration tools
-.\" Source: Samba 4.8.0
-.\" Language: English
-.\"
-.TH "SAMBA_GPOUPDATE" "8" "2017\-07\-11" "Samba 4\&.8\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-samba-gpupdate \- apply group policy
-.SH "SYNOPSIS"
-.HP \w'\fBsamba\-gpupdate\fR\ 'u
-\fBsamba\-gpupdate\fR
-.HP \w'\fBsamba\-gpupdate\fR\ 'u
-\fBsamba\-gpupdate\fR [\fIoptions\fR]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-\fBsamba\-gpupdate\fR
-a script for applying and unapplying Group Policy\&. Group Policy application is experimental\&. Currently this applies password policies (minimum/maximum password age, minimum password length, and password complexity) and kerberos policies (user/service ticket lifetime and renew lifetime)\&.
-.SH "OPTIONS"
-.PP
-\fB\-h\fR,
-\fB\-\-help\fR
-show this help message and exit
-.PP
-\fB\-H \fRURL,
-\fB\-\-url\fR=\fIURL\fR
-URL for the samdb
-.PP
-\fB\-X\fR,
-\fB\-\-unapply\fR
-Unapply Group Policy
-.PP
-\fB\-\-target\fR
-{Computer | User}
-.PP
-Samba Common Options:
-.PP
-\fB\-s \fRFILE,
-\fB\-\-configfile\fR=\fIFILE\fR
-Configuration file
-.PP
-\fB\-d \fRDEBUGLEVEL,
-\fB\-\-debuglevel\fR=\fIDEBUGLEVEL\fR
-debug level
-.PP
-\fB\-\-option\fR=\fIOPTION\fR
-set smb\&.conf option from command line
-.PP
-\fB\-\-realm\fR=\fIREALM\fR
-set the realm name
-.PP
-Version Options:
-.PP
-\fB\-V\fR,
-\fB\-\-version\fR
-Display version number
-.PP
-Credentials Options:
-.PP
-\fB\-\-simple\-bind\-dn\fR=\fIDN\fR
-DN to use for a simple bind
-.PP
-\fB\-\-password\fR=\fIPASSWORD\fR
-Password
-.PP
-\fB\-U \fRUSERNAME,
-\fB\-\-username\fR=\fIUSERNAME\fR
-Username
-.PP
-\fB\-W \fRWORKGROUP,
-\fB\-\-workgroup\fR=\fIWORKGROUP\fR
-Workgroup
-.PP
-\fB\-N\fR,
-\fB\-\-no\-pass\fR
-Don\*(Aqt ask for a password
-.PP
-\fB\-k \fRKERBEROS,
-\fB\-\-kerberos\fR=\fIKERBEROS\fR
-Use Kerberos
-.PP
-\fB\-\-ipaddress\fR=\fIIPADDRESS\fR
-IP address of server
-.PP
-\fB\-P\fR,
-\fB\-\-machine\-pass\fR
-Use stored machine account password
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff --git a/net/samba413/files/man/smbtorture.1 b/net/samba413/files/man/smbtorture.1
deleted file mode 100644
index 2740816b2f58..000000000000
--- a/net/samba413/files/man/smbtorture.1
+++ /dev/null
@@ -1,362 +0,0 @@
-'\" t
-.\" Title: smbtorture
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 09/23/2020
-.\" Manual: Test Suite
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "SMBTORTURE" "1" "09/23/2020" "Samba 4\&.0" "Test Suite"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-smbtorture \- Run a series of tests against a SMB server
-.SH "SYNOPSIS"
-.HP \w'\fBsmbtorture\fR\ 'u
-\fBsmbtorture\fR {//server/share} [\-d\ debuglevel] [\-U\ user%pass] [\-k] [\-N\ numprocs] [\-n\ netbios_name] [\-W\ workgroup] [\-e\ num\ files(entries)] [\-O\ socket_options] [\-m\ maximum_protocol] [\-L] [\-c\ CLIENT\&.TXT] [\-t\ timelimit] [\-C\ filename] [\-A] [\-p\ port] [\-s\ seed] [\-f\ max_failures] [\-X] {BINDING\-STRING|UNC} {TEST1} [TEST2] [\&.\&.\&.]
-.SH "DESCRIPTION"
-.PP
-smbtorture is a testsuite that runs several tests against a SMB server\&. All tests are known to succeed against a Windows 2003 server (?)\&. Smbtorture\*(Aqs primary goal is finding differences in implementations of the SMB protocol and testing SMB servers\&.
-.PP
-Any number of tests can be specified on the command\-line\&. If no tests are specified, all tests are run\&.
-.PP
-If no arguments are specified at all, all available options and tests are listed\&.
-.SS "Binding string format"
-.PP
-The binding string format is:
-.PP
-TRANSPORT:host[flags]
-.PP
-Where TRANSPORT is either ncacn_np for SMB, ncacn_ip_tcp for RPC/TCP or ncalrpc for local connections\&.
-.PP
-\*(Aqhost\*(Aq is an IP or hostname or netbios name\&. If the binding string identifies the server side of an endpoint, \*(Aqhost\*(Aq may be an empty string\&.
-.PP
-\*(Aqflags\*(Aq can include a SMB pipe name if using the ncacn_np transport or a TCP port number if using the ncacn_ip_tcp transport, otherwise they will be auto\-determined\&.
-.PP
-other recognised flags are:
-.PP
-sign
-.RS 4
-enable ntlmssp signing
-.RE
-.PP
-seal
-.RS 4
-enable ntlmssp sealing
-.RE
-.PP
-connect
-.RS 4
-enable rpc connect level auth (auth, but no sign or seal)
-.RE
-.PP
-validate
-.RS 4
-enable the NDR validator
-.RE
-.PP
-print
-.RS 4
-enable debugging of the packets
-.RE
-.PP
-bigendian
-.RS 4
-use bigendian RPC
-.RE
-.PP
-padcheck
-.RS 4
-check reply data for non\-zero pad bytes
-.RE
-.PP
-For example, these all connect to the samr pipe:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[samr]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[\e\epipe\e\esamr]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[/pipe/samr]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[samr,sign,print]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[\e\epipe\e\esamr,sign,seal,bigendian]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:myserver[/pipe/samr,seal,validate]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_np:[/pipe/samr]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_ip_tcp:myserver
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_ip_tcp:myserver[1024]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncacn_ip_tcp:myserver[1024,sign,seal]
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-ncalrpc:
-.RE
-.SS "UNC Format"
-.PP
-The UNC format is:
-.PP
-//server/share
-.SH "OPTIONS"
-.PP
-\-d debuglevel
-.RS 4
-Use the specified Samba debug level\&. A higher debug level means more output\&.
-.RE
-.PP
-\-U user%pass
-.RS 4
-Use the specified username/password combination when logging in to a remote server\&.
-.RE
-.PP
-\-k
-.RS 4
-Use kerberos when authenticating\&.
-.RE
-.PP
-\-W workgroup
-.RS 4
-Use specified name as our workgroup name\&.
-.RE
-.PP
-\-n netbios_name
-.RS 4
-Use specified name as our NetBIOS name\&.
-.RE
-.PP
-\-O socket_options
-.RS 4
-Use specified socket options, equivalent of the smb\&.conf option
-\(lqsocket options\(rq\&. See the smb\&.conf(5) manpage for details\&.
-.RE
-.PP
-\-m max_protocol
-.RS 4
-Specify the maximum SMB dialect that should be used\&. Possible values are: CORE, COREPLUS, LANMAN1, LANMAN2, NT1
-.RE
-.PP
-\-s seed
-.RS 4
-Initialize the randomizer using
-\fIseed\fR
-as seed\&.
-.RE
-.PP
-\-L
-.RS 4
-Use oplocks\&.
-.RE
-.PP
-\-X
-.RS 4
-Enable dangerous tests\&. Use with care! This might crash your server\&.\&.\&.
-.RE
-.PP
-\-t timelimit
-.RS 4
-Specify the NBENCH time limit in seconds\&. Defaults to 600\&.
-.RE
-.PP
-\-p ports
-.RS 4
-Specify ports to connect to\&.
-.RE
-.PP
-\-c file
-.RS 4
-Read NBENCH commands from
-\fIfile\fR
-instead of from CLIENT\&.TXT\&.
-.RE
-.PP
-\-A
-.RS 4
-Show not just OK or FAILED but more detailed output\&. Used only by DENY test at the moment\&.
-.RE
-.PP
-\-C filename
-.RS 4
-Load a list of UNC names from the specified filename\&. Smbtorture instances will connect to a random host from this list\&.
-.RE
-.PP
-\-N numprocs
-.RS 4
-Specify number of smbtorture processes to launch\&.
-.RE
-.PP
-\-e num_files
-.RS 4
-Number of entries to use in certain tests (such as creating X files) (default: 1000)\&.
-.RE
-.PP
-\-f max_failures
-.RS 4
-Number of failures before aborting a test (default: 1)\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 4\&.0 of the Samba suite\&.
-.SH "SEE ALSO"
-.PP
-Samba
-.SH "AUTHOR"
-.PP
-This utility is part of the
-\m[blue]\fBSamba\fR\m[]\&\s-2\u[1]\d\s+2
-suite, which is developed by the global
-\m[blue]\fBSamba Team\fR\m[]\&\s-2\u[2]\d\s+2\&.
-.PP
-smbtorture was written by Andrew Tridgell\&.
-.PP
-This manpage was written by Jelmer Vernooij\&.
-.SH "NOTES"
-.IP " 1." 4
-Samba
-.RS 4
-\%http://www.samba.org/
-.RE
-.IP " 2." 4
-Samba Team
-.RS 4
-\%http://www.samba.org/samba/team/
-.RE
diff --git a/net/samba413/files/man/talloc.3 b/net/samba413/files/man/talloc.3
deleted file mode 100644
index 6a10b4990c2e..000000000000
--- a/net/samba413/files/man/talloc.3
+++ /dev/null
@@ -1,683 +0,0 @@
-'\" t
-.\" Title: talloc
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 2015-04-10
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "TALLOC" "3" "2015\-04\-10" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-talloc \- hierarchical reference counted memory pool system with destructors
-.SH "SYNOPSIS"
-.sp
-.nf
-#include <talloc\&.h>
-.fi
-.SH "DESCRIPTION"
-.PP
-If you are used to talloc from Samba3 then please read this carefully, as talloc has changed a lot\&.
-.PP
-The new talloc is a hierarchical, reference counted memory pool system with destructors\&. Quite a mouthful really, but not too bad once you get used to it\&.
-.PP
-Perhaps the biggest change from Samba3 is that there is no distinction between a "talloc context" and a "talloc pointer"\&. Any pointer returned from talloc() is itself a valid talloc context\&. This means you can do this:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- struct foo *X = talloc(mem_ctx, struct foo);
- X\->name = talloc_strdup(X, "foo");
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-and the pointer
-X\->name
-would be a "child" of the talloc context
-X
-which is itself a child of
-mem_ctx\&. So if you do
-talloc_free(mem_ctx)
-then it is all destroyed, whereas if you do
-talloc_free(X)
-then just
-X
-and
-X\->name
-are destroyed, and if you do
-talloc_free(X\->name)
-then just the name element of
-X
-is destroyed\&.
-.PP
-If you think about this, then what this effectively gives you is an n\-ary tree, where you can free any part of the tree with talloc_free()\&.
-.PP
-If you find this confusing, then I suggest you run the
-testsuite
-program to watch talloc in action\&. You may also like to add your own tests to
-testsuite\&.c
-to clarify how some particular situation is handled\&.
-.SH "TALLOC API"
-.PP
-The following is a complete guide to the talloc API\&. Read it all at least twice\&.
-.SS "(type *)talloc(const void *ctx, type);"
-.PP
-The talloc() macro is the core of the talloc library\&. It takes a memory
-\fIctx\fR
-and a
-\fItype\fR, and returns a pointer to a new area of memory of the given
-\fItype\fR\&.
-.PP
-The returned pointer is itself a talloc context, so you can use it as the
-\fIctx\fR
-argument to more calls to talloc() if you wish\&.
-.PP
-The returned pointer is a "child" of the supplied context\&. This means that if you talloc_free() the
-\fIctx\fR
-then the new child disappears as well\&. Alternatively you can free just the child\&.
-.PP
-The
-\fIctx\fR
-argument to talloc() can be NULL, in which case a new top level context is created\&.
-.SS "void *talloc_size(const void *ctx, size_t size);"
-.PP
-The function talloc_size() should be used when you don\*(Aqt have a convenient type to pass to talloc()\&. Unlike talloc(), it is not type safe (as it returns a void *), so you are on your own for type checking\&.
-.SS "(typeof(ptr)) talloc_ptrtype(const void *ctx, ptr);"
-.PP
-The talloc_ptrtype() macro should be used when you have a pointer and want to allocate memory to point at with this pointer\&. When compiling with gcc >= 3 it is typesafe\&. Note this is a wrapper of talloc_size() and talloc_get_name() will return the current location in the source file\&. and not the type\&.
-.SS "int talloc_free(void *ptr);"
-.PP
-The talloc_free() function frees a piece of talloc memory, and all its children\&. You can call talloc_free() on any pointer returned by talloc()\&.
-.PP
-The return value of talloc_free() indicates success or failure, with 0 returned for success and \-1 for failure\&. The only possible failure condition is if
-\fIptr\fR
-had a destructor attached to it and the destructor returned \-1\&. See
-\(lqtalloc_set_destructor()\(rq
-for details on destructors\&.
-.PP
-If this pointer has an additional parent when talloc_free() is called then the memory is not actually released, but instead the most recently established parent is destroyed\&. See
-\(lqtalloc_reference()\(rq
-for details on establishing additional parents\&.
-.PP
-For more control on which parent is removed, see
-\(lqtalloc_unlink()\(rq\&.
-.PP
-talloc_free() operates recursively on its children\&.
-.PP
-From the 2\&.0 version of talloc, as a special case, talloc_free() is refused on pointers that have more than one parent, as talloc would have no way of knowing which parent should be removed\&. To free a pointer that has more than one parent please use talloc_unlink()\&.
-.PP
-To help you find problems in your code caused by this behaviour, if you do try and free a pointer with more than one parent then the talloc logging function will be called to give output like this:
-.PP
-
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- ERROR: talloc_free with references at some_dir/source/foo\&.c:123
- reference at some_dir/source/other\&.c:325
- reference at some_dir/source/third\&.c:121
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Please see the documentation for talloc_set_log_fn() and talloc_set_log_stderr() for more information on talloc logging functions\&.
-.SS "void *talloc_reference(const void *ctx, const void *ptr);"
-.PP
-The talloc_reference() function makes
-\fIctx\fR
-an additional parent of
-\fIptr\fR\&.
-.PP
-The return value of talloc_reference() is always the original pointer
-\fIptr\fR, unless talloc ran out of memory in creating the reference in which case it will return NULL (each additional reference consumes around 48 bytes of memory on intel x86 platforms)\&.
-.PP
-If
-\fIptr\fR
-is NULL, then the function is a no\-op, and simply returns NULL\&.
-.PP
-After creating a reference you can free it in one of the following ways:
-.PP
-
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-you can talloc_free() any parent of the original pointer\&. That will reduce the number of parents of this pointer by 1, and will cause this pointer to be freed if it runs out of parents\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-you can talloc_free() the pointer itself if it has at maximum one parent\&. This behaviour has been changed since the release of version 2\&.0\&. Further informations in the description of "talloc_free"\&.
-.RE
-.PP
-For more control on which parent to remove, see
-\(lqtalloc_unlink()\(rq\&.
-.SS "int talloc_unlink(const void *ctx, void *ptr);"
-.PP
-The talloc_unlink() function removes a specific parent from
-\fIptr\fR\&. The
-\fIctx\fR
-passed must either be a context used in talloc_reference() with this pointer, or must be a direct parent of ptr\&.
-.PP
-Note that if the parent has already been removed using talloc_free() then this function will fail and will return \-1\&. Likewise, if
-\fIptr\fR
-is NULL, then the function will make no modifications and return \-1\&.
-.PP
-Usually you can just use talloc_free() instead of talloc_unlink(), but sometimes it is useful to have the additional control on which parent is removed\&.
-.SS "void talloc_set_destructor(const void *ptr, int (*destructor)(void *));"
-.PP
-The function talloc_set_destructor() sets the
-\fIdestructor\fR
-for the pointer
-\fIptr\fR\&. A
-\fIdestructor\fR
-is a function that is called when the memory used by a pointer is about to be released\&. The destructor receives
-\fIptr\fR
-as an argument, and should return 0 for success and \-1 for failure\&.
-.PP
-The
-\fIdestructor\fR
-can do anything it wants to, including freeing other pieces of memory\&. A common use for destructors is to clean up operating system resources (such as open file descriptors) contained in the structure the destructor is placed on\&.
-.PP
-You can only place one destructor on a pointer\&. If you need more than one destructor then you can create a zero\-length child of the pointer and place an additional destructor on that\&.
-.PP
-To remove a destructor call talloc_set_destructor() with NULL for the destructor\&.
-.PP
-If your destructor attempts to talloc_free() the pointer that it is the destructor for then talloc_free() will return \-1 and the free will be ignored\&. This would be a pointless operation anyway, as the destructor is only called when the memory is just about to go away\&.
-.SS "int talloc_increase_ref_count(const void *\fIptr\fR);"
-.PP
-The talloc_increase_ref_count(\fIptr\fR) function is exactly equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_reference(NULL, ptr);
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-You can use either syntax, depending on which you think is clearer in your code\&.
-.PP
-It returns 0 on success and \-1 on failure\&.
-.SS "size_t talloc_reference_count(const void *\fIptr\fR);"
-.PP
-Return the number of references to the pointer\&.
-.SS "void talloc_set_name(const void *ptr, const char *fmt, \&.\&.\&.);"
-.PP
-Each talloc pointer has a "name"\&. The name is used principally for debugging purposes, although it is also possible to set and get the name on a pointer in as a way of "marking" pointers in your code\&.
-.PP
-The main use for names on pointer is for "talloc reports"\&. See
-\(lqtalloc_report_depth_cb()\(rq,
-\(lqtalloc_report_depth_file()\(rq,
-\(lqtalloc_report()\(rq
-\(lqtalloc_report()\(rq
-and
-\(lqtalloc_report_full()\(rq
-for details\&. Also see
-\(lqtalloc_enable_leak_report()\(rq
-and
-\(lqtalloc_enable_leak_report_full()\(rq\&.
-.PP
-The talloc_set_name() function allocates memory as a child of the pointer\&. It is logically equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, talloc_asprintf(ptr, fmt, \&.\&.\&.));
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-Note that multiple calls to talloc_set_name() will allocate more memory without releasing the name\&. All of the memory is released when the ptr is freed using talloc_free()\&.
-.SS "void talloc_set_name_const(const void *\fIptr\fR, const char *\fIname\fR);"
-.PP
-The function talloc_set_name_const() is just like talloc_set_name(), but it takes a string constant, and is much faster\&. It is extensively used by the "auto naming" macros, such as talloc_p()\&.
-.PP
-This function does not allocate any memory\&. It just copies the supplied pointer into the internal representation of the talloc ptr\&. This means you must not pass a
-\fIname\fR
-pointer to memory that will disappear before
-\fIptr\fR
-is freed with talloc_free()\&.
-.SS "void *talloc_named(const void *\fIctx\fR, size_t \fIsize\fR, const char *\fIfmt\fR, \&.\&.\&.);"
-.PP
-The talloc_named() function creates a named talloc pointer\&. It is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-ptr = talloc_size(ctx, size);
-talloc_set_name(ptr, fmt, \&.\&.\&.\&.);
-.fi
-.if n \{\
-.RE
-.\}
-.SS "void *talloc_named_const(const void *\fIctx\fR, size_t \fIsize\fR, const char *\fIname\fR);"
-.PP
-This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-ptr = talloc_size(ctx, size);
-talloc_set_name_const(ptr, name);
-.fi
-.if n \{\
-.RE
-.\}
-.SS "const char *talloc_get_name(const void *\fIptr\fR);"
-.PP
-This returns the current name for the given talloc pointer,
-\fIptr\fR\&. See
-\(lqtalloc_set_name()\(rq
-for details\&.
-.SS "void *talloc_init(const char *\fIfmt\fR, \&.\&.\&.);"
-.PP
-This function creates a zero length named talloc context as a top level context\&. It is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_named(NULL, 0, fmt, \&.\&.\&.);
-.fi
-.if n \{\
-.RE
-.\}
-.SS "void *talloc_new(void *\fIctx\fR);"
-.PP
-This is a utility macro that creates a new memory context hanging off an existing context, automatically naming it "talloc_new: __location__" where __location__ is the source line it is called from\&. It is particularly useful for creating a new temporary working context\&.
-.SS "(\fItype\fR *)talloc_realloc(const void *\fIctx\fR, void *\fIptr\fR, \fItype\fR, \fIcount\fR);"
-.PP
-The talloc_realloc() macro changes the size of a talloc pointer\&. It has the following equivalences:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_realloc(ctx, NULL, type, 1) ==> talloc(ctx, type);
-talloc_realloc(ctx, ptr, type, 0) ==> talloc_free(ptr);
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-The
-\fIctx\fR
-argument is only used if
-\fIptr\fR
-is not NULL, otherwise it is ignored\&.
-.PP
-talloc_realloc() returns the new pointer, or NULL on failure\&. The call will fail either due to a lack of memory, or because the pointer has more than one parent (see
-\(lqtalloc_reference()\(rq)\&.
-.SS "void *talloc_realloc_size(const void *ctx, void *ptr, size_t size);"
-.PP
-the talloc_realloc_size() function is useful when the type is not known so the type\-safe talloc_realloc() cannot be used\&.
-.SS "TYPE *talloc_steal(const void *\fInew_ctx\fR, const TYPE *\fIptr\fR);"
-.PP
-The talloc_steal() function changes the parent context of a talloc pointer\&. It is typically used when the context that the pointer is currently a child of is going to be freed and you wish to keep the memory for a longer time\&.
-.PP
-The talloc_steal() function returns the pointer that you pass it\&. It does not have any failure modes\&.
-.PP
-It is possible to produce loops in the parent/child relationship if you are not careful with talloc_steal()\&. No guarantees are provided as to your sanity or the safety of your data if you do this\&.
-.PP
-Note that if you try and call talloc_steal() on a pointer that has more than one parent then the result is ambiguous\&. Talloc will choose to remove the parent that is currently indicated by talloc_parent() and replace it with the chosen parent\&. You will also get a message like this via the talloc logging functions:
-.PP
-
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- WARNING: talloc_steal with references at some_dir/source/foo\&.c:123
- reference at some_dir/source/other\&.c:325
- reference at some_dir/source/third\&.c:121
-
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-To unambiguously change the parent of a pointer please see the function
-\(lqtalloc_reparent()\(rq\&. See the talloc_set_log_fn() documentation for more information on talloc logging\&.
-.SS "TYPE *talloc_reparent(const void *\fIold_parent\fR, const void *\fInew_parent\fR, const TYPE *\fIptr\fR);"
-.PP
-The talloc_reparent() function changes the parent context of a talloc pointer\&. It is typically used when the context that the pointer is currently a child of is going to be freed and you wish to keep the memory for a longer time\&.
-.PP
-The talloc_reparent() function returns the pointer that you pass it\&. It does not have any failure modes\&.
-.PP
-The difference between talloc_reparent() and talloc_steal() is that talloc_reparent() can specify which parent you wish to change\&. This is useful when a pointer has multiple parents via references\&.
-.SS "TYPE *talloc_move(const void *\fInew_ctx\fR, TYPE **\fIptr\fR);"
-.PP
-The talloc_move() function is a wrapper around talloc_steal() which zeros the source pointer after the move\&. This avoids a potential source of bugs where a programmer leaves a pointer in two structures, and uses the pointer from the old structure after it has been moved to a new one\&.
-.SS "size_t talloc_total_size(const void *\fIptr\fR);"
-.PP
-The talloc_total_size() function returns the total size in bytes used by this pointer and all child pointers\&. Mostly useful for debugging\&.
-.PP
-Passing NULL is allowed, but it will only give a meaningful result if talloc_enable_leak_report() or talloc_enable_leak_report_full() has been called\&.
-.SS "size_t talloc_total_blocks(const void *\fIptr\fR);"
-.PP
-The talloc_total_blocks() function returns the total memory block count used by this pointer and all child pointers\&. Mostly useful for debugging\&.
-.PP
-Passing NULL is allowed, but it will only give a meaningful result if talloc_enable_leak_report() or talloc_enable_leak_report_full() has been called\&.
-.SS "void talloc_report(const void *ptr, FILE *f);"
-.PP
-The talloc_report() function prints a summary report of all memory used by
-\fIptr\fR\&. One line of report is printed for each immediate child of ptr, showing the total memory and number of blocks used by that child\&.
-.PP
-You can pass NULL for the pointer, in which case a report is printed for the top level memory context, but only if talloc_enable_leak_report() or talloc_enable_leak_report_full() has been called\&.
-.SS "void talloc_report_full(const void *\fIptr\fR, FILE *\fIf\fR);"
-.PP
-This provides a more detailed report than talloc_report()\&. It will recursively print the entire tree of memory referenced by the pointer\&. References in the tree are shown by giving the name of the pointer that is referenced\&.
-.PP
-You can pass NULL for the pointer, in which case a report is printed for the top level memory context, but only if talloc_enable_leak_report() or talloc_enable_leak_report_full() has been called\&.
-.SS ""
-.HP \w'void\ talloc_report_depth_cb('u
-.BI "void talloc_report_depth_cb(" "const\ void\ *ptr" ", " "int\ depth" ", " "int\ max_depth" ", " "void\ (*callback)(const\ void\ *ptr,\ int\ depth,\ int\ max_depth,\ int\ is_ref,\ void\ *priv)" ", " "void\ *priv" ");"
-.PP
-This provides a more flexible reports than talloc_report()\&. It will recursively call the callback for the entire tree of memory referenced by the pointer\&. References in the tree are passed with
-\fIis_ref = 1\fR
-and the pointer that is referenced\&.
-.PP
-You can pass NULL for the pointer, in which case a report is printed for the top level memory context, but only if talloc_enable_leak_report() or talloc_enable_leak_report_full() has been called\&.
-.PP
-The recursion is stopped when depth >= max_depth\&. max_depth = \-1 means only stop at leaf nodes\&.
-.SS ""
-.HP \w'void\ talloc_report_depth_file('u
-.BI "void talloc_report_depth_file(" "const\ void\ *ptr" ", " "int\ depth" ", " "int\ max_depth" ", " "FILE\ *f" ");"
-.PP
-This provides a more flexible reports than talloc_report()\&. It will let you specify the depth and max_depth\&.
-.SS "void talloc_enable_leak_report(void);"
-.PP
-This enables calling of talloc_report(NULL, stderr) when the program exits\&. In Samba4 this is enabled by using the \-\-leak\-report command line option\&.
-.PP
-For it to be useful, this function must be called before any other talloc function as it establishes a "null context" that acts as the top of the tree\&. If you don\*(Aqt call this function first then passing NULL to talloc_report() or talloc_report_full() won\*(Aqt give you the full tree printout\&.
-.PP
-Here is a typical talloc report:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc report on \*(Aqnull_context\*(Aq (total 267 bytes in 15 blocks)
-libcli/auth/spnego_parse\&.c:55 contains 31 bytes in 2 blocks
-libcli/auth/spnego_parse\&.c:55 contains 31 bytes in 2 blocks
-iconv(UTF8,CP850) contains 42 bytes in 2 blocks
-libcli/auth/spnego_parse\&.c:55 contains 31 bytes in 2 blocks
-iconv(CP850,UTF8) contains 42 bytes in 2 blocks
-iconv(UTF8,UTF\-16LE) contains 45 bytes in 2 blocks
-iconv(UTF\-16LE,UTF8) contains 45 bytes in 2 blocks
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "void talloc_enable_leak_report_full(void);"
-.PP
-This enables calling of talloc_report_full(NULL, stderr) when the program exits\&. In Samba4 this is enabled by using the \-\-leak\-report\-full command line option\&.
-.PP
-For it to be useful, this function must be called before any other talloc function as it establishes a "null context" that acts as the top of the tree\&. If you don\*(Aqt call this function first then passing NULL to talloc_report() or talloc_report_full() won\*(Aqt give you the full tree printout\&.
-.PP
-Here is a typical full report:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-full talloc report on \*(Aqroot\*(Aq (total 18 bytes in 8 blocks)
-p1 contains 18 bytes in 7 blocks (ref 0)
- r1 contains 13 bytes in 2 blocks (ref 0)
- reference to: p2
- p2 contains 1 bytes in 1 blocks (ref 1)
- x3 contains 1 bytes in 1 blocks (ref 0)
- x2 contains 1 bytes in 1 blocks (ref 0)
- x1 contains 1 bytes in 1 blocks (ref 0)
-
-.fi
-.if n \{\
-.RE
-.\}
-.SS "(\fItype\fR *)talloc_zero(const void *\fIctx\fR, \fItype\fR);"
-.PP
-The talloc_zero() macro is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-ptr = talloc(ctx, type);
-if (ptr) memset(ptr, 0, sizeof(type));
-.fi
-.if n \{\
-.RE
-.\}
-.SS "void *talloc_zero_size(const void *\fIctx\fR, size_t \fIsize\fR)"
-.PP
-The talloc_zero_size() function is useful when you don\*(Aqt have a known type\&.
-.SS "void *talloc_memdup(const void *\fIctx\fR, const void *\fIp\fR, size_t size);"
-.PP
-The talloc_memdup() function is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-ptr = talloc_size(ctx, size);
-if (ptr) memcpy(ptr, p, size);
-.fi
-.if n \{\
-.RE
-.\}
-.SS "char *talloc_strdup(const void *\fIctx\fR, const char *\fIp\fR);"
-.PP
-The talloc_strdup() function is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-ptr = talloc_size(ctx, strlen(p)+1);
-if (ptr) memcpy(ptr, p, strlen(p)+1);
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-This function sets the name of the new pointer to the passed string\&. This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, ptr)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "char *talloc_strndup(const void *\fIt\fR, const char *\fIp\fR, size_t \fIn\fR);"
-.PP
-The talloc_strndup() function is the talloc equivalent of the C library function strndup(3)\&.
-.PP
-This function sets the name of the new pointer to the passed string\&. This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, ptr)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "char *talloc_vasprintf(const void *\fIt\fR, const char *\fIfmt\fR, va_list \fIap\fR);"
-.PP
-The talloc_vasprintf() function is the talloc equivalent of the C library function vasprintf(3)\&.
-.PP
-This function sets the name of the new pointer to the new string\&. This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, ptr)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "char *talloc_asprintf(const void *\fIt\fR, const char *\fIfmt\fR, \&.\&.\&.);"
-.PP
-The talloc_asprintf() function is the talloc equivalent of the C library function asprintf(3)\&.
-.PP
-This function sets the name of the new pointer to the passed string\&. This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, ptr)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "char *talloc_asprintf_append(char *s, const char *fmt, \&.\&.\&.);"
-.PP
-The talloc_asprintf_append() function appends the given formatted string to the given string\&.
-.PP
-This function sets the name of the new pointer to the new string\&. This is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, ptr)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "(type *)talloc_array(const void *ctx, type, unsigned int count);"
-.PP
-The talloc_array() macro is equivalent to:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-(type *)talloc_size(ctx, sizeof(type) * count);
-.fi
-.if n \{\
-.RE
-.\}
-.PP
-except that it provides integer overflow protection for the multiply, returning NULL if the multiply overflows\&.
-.SS "void *talloc_array_size(const void *ctx, size_t size, unsigned int count);"
-.PP
-The talloc_array_size() function is useful when the type is not known\&. It operates in the same way as talloc_array(), but takes a size instead of a type\&.
-.SS "(typeof(ptr)) talloc_array_ptrtype(const void *ctx, ptr, unsigned int count);"
-.PP
-The talloc_ptrtype() macro should be used when you have a pointer to an array and want to allocate memory of an array to point at with this pointer\&. When compiling with gcc >= 3 it is typesafe\&. Note this is a wrapper of talloc_array_size() and talloc_get_name() will return the current location in the source file\&. and not the type\&.
-.SS "void *talloc_realloc_fn(const void *ctx, void *ptr, size_t size)"
-.PP
-This is a non\-macro version of talloc_realloc(), which is useful as libraries sometimes want a realloc function pointer\&. A realloc(3) implementation encapsulates the functionality of malloc(3), free(3) and realloc(3) in one call, which is why it is useful to be able to pass around a single function pointer\&.
-.SS "void *talloc_autofree_context(void);"
-.PP
-This is a handy utility function that returns a talloc context which will be automatically freed on program exit\&. This can be used to reduce the noise in memory leak reports\&.
-.SS "void *talloc_check_name(const void *ptr, const char *name);"
-.PP
-This function checks if a pointer has the specified
-\fIname\fR\&. If it does then the pointer is returned\&. It it doesn\*(Aqt then NULL is returned\&.
-.SS "(type *)talloc_get_type(const void *ptr, type);"
-.PP
-This macro allows you to do type checking on talloc pointers\&. It is particularly useful for void* private pointers\&. It is equivalent to this:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-(type *)talloc_check_name(ptr, #type)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "talloc_set_type(const void *ptr, type);"
-.PP
-This macro allows you to force the name of a pointer to be a particular
-\fItype\fR\&. This can be used in conjunction with talloc_get_type() to do type checking on void* pointers\&.
-.PP
-It is equivalent to this:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
-talloc_set_name_const(ptr, #type)
-.fi
-.if n \{\
-.RE
-.\}
-.SS "talloc_set_log_fn(void (*log_fn)(const char *message));"
-.PP
-This function sets a logging function that talloc will use for warnings and errors\&. By default talloc will not print any warnings or errors\&.
-.SS "talloc_set_log_stderr(void);"
-.PP
-This sets the talloc log function to write log messages to stderr
-.SH "PERFORMANCE"
-.PP
-All the additional features of talloc(3) over malloc(3) do come at a price\&. We have a simple performance test in Samba4 that measures talloc() versus malloc() performance, and it seems that talloc() is about 10% slower than malloc() on my x86 Debian Linux box\&. For Samba, the great reduction in code complexity that we get by using talloc makes this worthwhile, especially as the total overhead of talloc/malloc in Samba is already quite small\&.
-.SH "SEE ALSO"
-.PP
-malloc(3), strndup(3), vasprintf(3), asprintf(3),
-\m[blue]\fB\%http://talloc.samba.org/\fR\m[]
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.SH "COPYRIGHT/LICENSE"
-.PP
-Copyright (C) Andrew Tridgell 2004
-.PP
-This program is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version\&.
-.PP
-This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License for more details\&.
-.PP
-You should have received a copy of the GNU General Public License along with this program; if not, see http://www\&.gnu\&.org/licenses/\&.
diff --git a/net/samba413/files/man/tdbbackup.8 b/net/samba413/files/man/tdbbackup.8
deleted file mode 100644
index 92f510aecccf..000000000000
--- a/net/samba413/files/man/tdbbackup.8
+++ /dev/null
@@ -1,129 +0,0 @@
-'\" t
-.\" Title: tdbbackup
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 2015-04-25
-.\" Manual: System Administration tools
-.\" Source: Samba 3.6
-.\" Language: English
-.\"
-.TH "TDBBACKUP" "8" "2015\-04\-25" "Samba 3\&.6" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-tdbbackup \- tool for backing up and for validating the integrity of samba \&.tdb files
-.SH "SYNOPSIS"
-.HP \w'\fBtdbbackup\fR\ 'u
-\fBtdbbackup\fR [\-s\ suffix] [\-v] [\-h] [\-l]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-\fBtdbbackup\fR
-is a tool that may be used to backup samba \&.tdb files\&. This tool may also be used to verify the integrity of the \&.tdb files prior to samba startup or during normal operation\&. If it finds file damage and it finds a prior backup the backup file will be restored\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Get help information\&.
-.RE
-.PP
-\-s suffix
-.RS 4
-The
-\fB\-s\fR
-option allows the administrator to specify a file backup extension\&. This way it is possible to keep a history of tdb backup files by using a new suffix for each backup\&.
-.RE
-.PP
-\-v
-.RS 4
-The
-\fB\-v\fR
-will check the database for damages (corrupt data) which if detected causes the backup to be restored\&.
-.RE
-.PP
-\-l
-.RS 4
-This options disables any locking, by passing TDB_NOLOCK to tdb_open_ex()\&. Only use this for database files which are not used by any other process! And also only if it is otherwise not possible to open the database, e\&.g\&. databases which were created with mutex locking\&.
-.RE
-.SH "COMMANDS"
-.PP
-\fIGENERAL INFORMATION\fR
-.PP
-The
-\fBtdbbackup\fR
-utility can safely be run at any time\&. It was designed so that it can be used at any time to validate the integrity of tdb files, even during Samba operation\&. Typical usage for the command will be:
-.PP
-tdbbackup [\-s suffix] *\&.tdb
-.PP
-Before restarting samba the following command may be run to validate \&.tdb files:
-.PP
-tdbbackup \-v [\-s suffix] *\&.tdb
-.PP
-Samba \&.tdb files are stored in various locations, be sure to run backup all \&.tdb file on the system\&. Important files includes:
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-
-\fBsecrets\&.tdb\fR
-\- usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-
-\fBpassdb\&.tdb\fR
-\- usual location is in the /usr/local/samba/private directory, or on some systems in /etc/samba\&.
-.RE
-.sp
-.RS 4
-.ie n \{\
-\h'-04'\(bu\h'+03'\c
-.\}
-.el \{\
-.sp -1
-.IP \(bu 2.3
-.\}
-
-\fB*\&.tdb\fR
-located in the /usr/local/samba/var directory or on some systems in the /var/cache or /var/lib/samba directories\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 3 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The tdbbackup man page was written by John H Terpstra\&.
diff --git a/net/samba413/files/man/tdbdump.8 b/net/samba413/files/man/tdbdump.8
deleted file mode 100644
index 86d9e2c67556..000000000000
--- a/net/samba413/files/man/tdbdump.8
+++ /dev/null
@@ -1,72 +0,0 @@
-'\" t
-.\" Title: tdbdump
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 2015-04-25
-.\" Manual: System Administration tools
-.\" Source: Samba 3.6
-.\" Language: English
-.\"
-.TH "TDBDUMP" "8" "2015\-04\-25" "Samba 3\&.6" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-tdbdump \- tool for printing the contents of a TDB file
-.SH "SYNOPSIS"
-.HP \w'\fBtdbdump\fR\ 'u
-\fBtdbdump\fR [\-k\ \fIkeyname\fR] [\-e] [\-h] {filename}
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-\fBtdbdump\fR
-is a very simple utility that \*(Aqdumps\*(Aq the contents of a TDB (Trivial DataBase) file to standard output in a human\-readable format\&.
-.PP
-This tool can be used when debugging problems with TDB files\&. It is intended for those who are somewhat familiar with Samba internals\&.
-.SH "OPTIONS"
-.PP
-\-h
-.RS 4
-Get help information\&.
-.RE
-.PP
-\-k \fIkeyname\fR
-.RS 4
-The
-\fB\-k\fR
-option restricts dumping to a single key, if found\&.
-.RE
-.PP
-\-e
-.RS 4
-The
-\fB\-e\fR
-tries to dump out from a corrupt database\&. Naturally, such a dump is unreliable, at best\&.
-.RE
-.SH "VERSION"
-.PP
-This man page is correct for version 3 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-The tdbdump man page was written by Jelmer Vernooij\&.
diff --git a/net/samba413/files/man/tdbrestore.8 b/net/samba413/files/man/tdbrestore.8
deleted file mode 100644
index 28632ac094c5..000000000000
--- a/net/samba413/files/man/tdbrestore.8
+++ /dev/null
@@ -1,54 +0,0 @@
-'\" t
-.\" Title: tdbrestore
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 2015-04-25
-.\" Manual: System Administration tools
-.\" Source: Samba 3.6
-.\" Language: English
-.\"
-.TH "TDBRESTORE" "8" "2015\-04\-25" "Samba 3\&.6" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-tdbrestore \- tool for creating a TDB file out of a tdbdump output
-.SH "SYNOPSIS"
-.HP \w'\fBtdbrestore\fR\ 'u
-\fBtdbrestore\fR {tdbfilename}
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-\fBtdbrestore\fR
-is a very simple utility that \*(Aqrestores\*(Aq the contents of dump file into TDB (Trivial DataBase) file\&. The dump file is obtained from the tdbdump command\&.
-.PP
-This tool wait on the standard input for the content of the dump and will write the tdb in the tdbfilename parameter\&.
-.PP
-This tool can be used for unpacking the content of tdb as backup mean\&.
-.SH "VERSION"
-.PP
-This man page is correct for version 3 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&. This tool was initially written by Volker Lendecke based on an idea by Simon McVittie\&.
-.PP
-The tdbrestore man page was written by Matthieu Patou\&.
diff --git a/net/samba413/files/man/tdbtool.8 b/net/samba413/files/man/tdbtool.8
deleted file mode 100644
index 04ed76594c19..000000000000
--- a/net/samba413/files/man/tdbtool.8
+++ /dev/null
@@ -1,170 +0,0 @@
-'\" t
-.\" Title: tdbtool
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
-.\" Date: 2015-04-25
-.\" Manual: System Administration tools
-.\" Source: Samba 4.0
-.\" Language: English
-.\"
-.TH "TDBTOOL" "8" "2015\-04\-25" "Samba 4\&.0" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-tdbtool \- manipulate the contents TDB files
-.SH "SYNOPSIS"
-.HP \w'\fBtdbtool\fR\ 'u
-\fBtdbtool\fR
-.HP \w'\fBtdbtool\fR\ 'u
-\fBtdbtool\fR [\-l] \fITDBFILE\fR [\fICOMMANDS\fR...]
-.SH "DESCRIPTION"
-.PP
-This tool is part of the
-\fBsamba\fR(1)
-suite\&.
-.PP
-\fBtdbtool\fR
-a tool for displaying and altering the contents of Samba TDB (Trivial DataBase) files\&. Each of the commands listed below can be entered interactively or provided on the command line\&.
-.SH "OPTIONS"
-.PP
-\-l
-.RS 4
-This options disables any locking, by passing TDB_NOLOCK to tdb_open_ex()\&. Only use this for database files which are not used by any other process! And also only if it is otherwise not possible to open the database, e\&.g\&. databases which were created with mutex locking\&.
-.RE
-.SH "COMMANDS"
-.PP
-\fBcreate\fR \fITDBFILE\fR
-.RS 4
-Create a new database named
-\fITDBFILE\fR\&.
-.RE
-.PP
-\fBopen\fR \fITDBFILE\fR
-.RS 4
-Open an existing database named
-\fITDBFILE\fR\&.
-.RE
-.PP
-\fBerase\fR
-.RS 4
-Erase the current database\&.
-.RE
-.PP
-\fBdump\fR
-.RS 4
-Dump the current database as strings\&.
-.RE
-.PP
-\fBcdump\fR
-.RS 4
-Dump the current database as connection records\&.
-.RE
-.PP
-\fBkeys\fR
-.RS 4
-Dump the current database keys as strings\&.
-.RE
-.PP
-\fBhexkeys\fR
-.RS 4
-Dump the current database keys as hex values\&.
-.RE
-.PP
-\fBinfo\fR
-.RS 4
-Print summary information about the current database\&.
-.RE
-.PP
-\fBinsert\fR \fIKEY\fR \fIDATA\fR
-.RS 4
-Insert a record into the current database\&.
-.RE
-.PP
-\fBmove\fR \fIKEY\fR \fITDBFILE\fR
-.RS 4
-Move a record from the current database into
-\fITDBFILE\fR\&.
-.RE
-.PP
-\fBstore\fR \fIKEY\fR \fIDATA\fR
-.RS 4
-Store (replace) a record in the current database\&.
-.RE
-.PP
-\fBshow\fR \fIKEY\fR
-.RS 4
-Show a record by key\&.
-.RE
-.PP
-\fBdelete\fR \fIKEY\fR
-.RS 4
-Delete a record by key\&.
-.RE
-.PP
-\fBlist\fR
-.RS 4
-Print the current database hash table and free list\&.
-.RE
-.PP
-\fBfree\fR
-.RS 4
-Print the current database and free list\&.
-.RE
-.PP
-\fB!\fR \fICOMMAND\fR
-.RS 4
-Execute the given system command\&.
-.RE
-.PP
-\fBfirst\fR
-.RS 4
-Print the first record in the current database\&.
-.RE
-.PP
-\fBnext\fR
-.RS 4
-Print the next record in the current database\&.
-.RE
-.PP
-\fBcheck\fR
-.RS 4
-Check the integrity of the current database\&.
-.RE
-.PP
-\fBrepack\fR
-.RS 4
-Repack a database using a temporary file to remove fragmentation\&.
-.RE
-.PP
-\fBquit\fR
-.RS 4
-Exit
-\fBtdbtool\fR\&.
-.RE
-.SH "CAVEATS"
-.PP
-The contents of the Samba TDB files are private to the implementation and should not be altered with
-\fBtdbtool\fR\&.
-.SH "VERSION"
-.PP
-This man page is correct for version 3\&.6 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
diff --git a/net/samba413/files/man/vfs_freebsd.8 b/net/samba413/files/man/vfs_freebsd.8
deleted file mode 100644
index d721fd4589ac..000000000000
--- a/net/samba413/files/man/vfs_freebsd.8
+++ /dev/null
@@ -1,204 +0,0 @@
-'\" t
-.\" Title: vfs_freebsd
-.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: 06/24/2019
-.\" Manual: System Administration tools
-.\" Source: Samba 4.10.5
-.\" Language: English
-.\"
-.TH "VFS_FREEBSD" "8" "06/24/2019" "Samba 4\&.10\&.5" "System Administration tools"
-.\" -----------------------------------------------------------------
-.\" * Define some portability stuff
-.\" -----------------------------------------------------------------
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" http://bugs.debian.org/507673
-.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\" -----------------------------------------------------------------
-.\" * set default formatting
-.\" -----------------------------------------------------------------
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.\" -----------------------------------------------------------------
-.\" * MAIN CONTENT STARTS HERE *
-.\" -----------------------------------------------------------------
-.SH "NAME"
-vfs_freebsd \- FreeBSD\-specific VFS functions
-.SH "SYNOPSIS"
-.HP \w'\ 'u
-vfs objects = freebsd
-.SH "DESCRIPTION"
-.PP
-This VFS module is part of the
-\fBsamba\fR(7)
-suite\&.
-.PP
-The
-vfs_freebsd
-module implements some of the FreeBSD\-specific VFS functions\&.
-.PP
-This module is stackable\&.
-.SH "OPTIONS"
-.PP
-freebsd:extattr mode=[legacy|compat|secure]
-.RS 4
-This parameter defines how the emulation of the Linux attr(5) extended attributes is performed through the FreeBSD native extattr(9) system calls\&.
-.sp
-Currently the
-\fIsecurity\fR,
-\fIsystem\fR,
-\fItrusted\fR
-and
-\fIuser\fR
-extended attribute(xattr) classes are defined in Linux\&. Contrary FreeBSD has only
-\fIUSER\fR
-and
-\fISYSTEM\fR
-extended attribute(extattr) namespaces, so mapping of one set into another isn\*(Aqt straightforward and can be done in different ways\&.
-.sp
-Historically the Samba(7) built\-in xattr mapping implementation simply converted
-\fIsystem\fR
-and
-\fIuser\fR
-xattr into corresponding
-\fISYSTEM\fR
-and
-\fIUSER\fR
-extattr namespaces, dropping the class prefix name with the separating dot and using attribute name only within the mapped namespace\&. It also rejected any other xattr classes, like
-\fIsecurity\fR
-and
-\fItrusted\fR
-as invalid\&. Such behavior in particular broke AD provisioning on UFS2 file systems as essential
-\fIsecurity\&.NTACL\fR
-xattr was rejected as invalid\&.
-.sp
-This module tries to address this problem and provide secure, where it\*(Aqs possible, way to map Linux xattr into FreeBSD\*(Aqs extattr\&.
-.sp
-When
-\fImode\fR
-is set to the
-\fIlegacy (default)\fR
-then modified version of built\-in mapping is used, where
-\fIsystem\fR
-xattr is mapped into SYSTEM namespace, while
-\fIsecure\fR,
-\fItrusted\fR
-and
-\fIuser\fR
-xattr are all mapped into the USER namespace, dropping class prefixes and mix them all together\&. This is the way how Samba FreeBSD ports were patched up to the 4\&.9 version and that created multiple potential security issues\&. This mode is aimed for the compatibility with the legacy installations only and should be avoided in new setups\&.
-.sp
-The
-\fIcompat\fR
-mode is mostly designed for the jailed environments, where it\*(Aqs not possible to write extattrs into the secure SYSTEM namespace, so all four classes are mapped into the USER namespace\&. To preserve information about origin of the extended attribute it is stored together with the class preffix in the
-\fIclass\&.attribute\fR
-format\&.
-.sp
-The
-\fIsecure\fR
-mode is meant for storing extended attributes in a secure manner, so that
-\fIsecurity\fR,
-\fIsystem\fR
-and
-\fItrusted\fR
-are stored in the SYSTEM namespace, which can be modified only by root\&.
-.RE
-.SH ""
-.sp
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.br
-.B Table\ \&1.\ \&Attributes mapping
-.TS
-allbox tab(:);
-lB lB lB lB lB.
-T{
-
-T}:T{
-built\-in
-T}:T{
-legacy
-T}:T{
-compat/jail
-T}:T{
-secure
-T}
-.T&
-lB l l l l
-lB l l l l
-lB l l l l
-lB l l l l.
-T{
-user
-T}:T{
-USER; attribute
-T}:T{
-USER; attribute
-T}:T{
-USER; user\&.attribute
-T}:T{
-USER; user\&.attribute
-T}
-T{
-system
-T}:T{
-SYSTEM; attribute
-T}:T{
-SYSTEM; attribute
-T}:T{
-USER; system\&.attribute
-T}:T{
-SYSTEM; system\&.attribute
-T}
-T{
-trusted
-T}:T{
-FAIL
-T}:T{
-USER; attribute
-T}:T{
-USER; trusted\&.attribute
-T}:T{
-SYSTEM; trusted\&.attribute
-T}
-T{
-security
-T}:T{
-FAIL
-T}:T{
-USER; attribute
-T}:T{
-USER; security\&.attribute
-T}:T{
-SYSTEM; security\&.attribute
-T}
-.TE
-.sp 1
-.SH "EXAMPLES"
-.PP
-Use secure method of setting extended attributes on the share:
-.sp
-.if n \{\
-.RS 4
-.\}
-.nf
- \fI[sysvol]\fR
- \m[blue]\fBvfs objects = freebsd\fR\m[]
- \m[blue]\fBfreebsd:extattr mode = secure\fR\m[]
-.fi
-.if n \{\
-.RE
-.\}
-.SH "VERSION"
-.PP
-This man page is part of version 4\&.10\&.5 of the Samba suite\&.
-.SH "AUTHOR"
-.PP
-The original Samba software and related utilities were created by Andrew Tridgell\&. Samba is now developed by the Samba Team as an Open Source project similar to the way the Linux kernel is developed\&.
-.PP
-This module was written by Timur I\&. Bakeyev
diff --git a/net/samba413/files/patch-buildtools_scripts_abi__gen.sh b/net/samba413/files/patch-buildtools_scripts_abi__gen.sh
deleted file mode 100644
index fceedf56fc61..000000000000
--- a/net/samba413/files/patch-buildtools_scripts_abi__gen.sh
+++ /dev/null
@@ -1,21 +0,0 @@
---- buildtools/scripts/abi_gen.sh.orig 2019-01-15 10:07:00 UTC
-+++ buildtools/scripts/abi_gen.sh
-@@ -9,13 +9,14 @@ GDBSCRIPT="gdb_syms.$$"
- cat <<EOF
- set height 0
- set width 0
-+set print sevenbit-strings on
- EOF
--nm "$SHAREDLIB" | cut -d' ' -f2- | egrep '^[BDGTRVWS]' | grep -v @ | egrep -v ' (__bss_start|_edata|_init|_fini|_end)' | cut -c3- | sort | while read s; do
-- echo "echo $s: "
-- echo p $s
-+nm "$SHAREDLIB" | cut -d" " -f2- | awk '/^[BDGTRVWS]/ && !/@|__bss_start|_edata|_init|_fini|_end/ { print $2 }' | sort | while read s; do
-+ echo "echo $s:\\ "
-+ echo whatis $s
- done
- ) > $GDBSCRIPT
-
- # forcing the terminal avoids a problem on Fedora12
--TERM=none gdb -n -batch -x $GDBSCRIPT "$SHAREDLIB" < /dev/null
-+TERM=none %%GDB_CMD%% -n -batch -x $GDBSCRIPT "$SHAREDLIB" < /dev/null | sed -e 's/:type =/:/g'
- rm -f $GDBSCRIPT
diff --git a/net/samba413/files/patch-buildtools_wafsamba_samba__autoconf.py b/net/samba413/files/patch-buildtools_wafsamba_samba__autoconf.py
deleted file mode 100644
index d0ab789743f0..000000000000
--- a/net/samba413/files/patch-buildtools_wafsamba_samba__autoconf.py
+++ /dev/null
@@ -1,35 +0,0 @@
---- buildtools/wafsamba/samba_autoconf.py.orig 2019-08-20 15:35:08 UTC
-+++ buildtools/wafsamba/samba_autoconf.py
-@@ -573,7 +573,7 @@ def library_flags(self, libs):
-
-
- @conf
--def CHECK_LIB(conf, libs, mandatory=False, empty_decl=True, set_target=True, shlib=False):
-+def CHECK_LIB(conf, libs, mandatory=False, empty_decl=True, set_target=True, shlib=False, msg=None):
- '''check if a set of libraries exist as system libraries
-
- returns the sublist of libs that do exist as a syslib or []
-@@ -593,11 +593,14 @@ int foo()
- ret.append(lib)
- continue
-
-+ if msg is None:
-+ msg = 'Checking for library %s' % lib
-+
- (ccflags, ldflags, cpppath) = library_flags(conf, lib)
- if shlib:
-- res = conf.check(features='c cshlib', fragment=fragment, lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False)
-+ res = conf.check(features='c cshlib', fragment=fragment, lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False, msg=msg)
- else:
-- res = conf.check(lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False)
-+ res = conf.check(lib=lib, uselib_store=lib, cflags=ccflags, ldflags=ldflags, uselib=lib.upper(), mandatory=False, msg=msg)
-
- if not res:
- if mandatory:
-@@ -949,5 +952,5 @@ def SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS(c
- conf.env.undefined_ldflags = conf.ADD_LDFLAGS('-Wl,-no-undefined', testflags=True)
-
- if (conf.env.undefined_ignore_ldflags == [] and
-- conf.CHECK_LDFLAGS(['-undefined', 'dynamic_lookup'])):
-+ conf.CHECK_LDFLAGS(['-undefined', 'dynamic_lookup'] + conf.env.WERROR_CFLAGS)):
- conf.env.undefined_ignore_ldflags = ['-undefined', 'dynamic_lookup']
diff --git a/net/samba413/files/patch-buildtools_wafsamba_samba__install.py b/net/samba413/files/patch-buildtools_wafsamba_samba__install.py
deleted file mode 100644
index cbb55ad497e8..000000000000
--- a/net/samba413/files/patch-buildtools_wafsamba_samba__install.py
+++ /dev/null
@@ -1,11 +0,0 @@
---- buildtools/wafsamba/samba_install.py.orig 2019-01-15 10:07:00 UTC
-+++ buildtools/wafsamba/samba_install.py
-@@ -118,7 +118,7 @@ def install_library(self):
- inst_name = bld.make_libname(t.target)
- elif self.vnum:
- vnum_base = self.vnum.split('.')[0]
-- install_name = bld.make_libname(target_name, version=self.vnum)
-+ install_name = bld.make_libname(target_name, version=vnum_base)
- install_link = bld.make_libname(target_name, version=vnum_base)
- inst_name = bld.make_libname(t.target)
- if not self.private_library or not t.env.SONAME_ST:
diff --git a/net/samba413/files/patch-buildtools_wafsamba_wafsamba.py b/net/samba413/files/patch-buildtools_wafsamba_wafsamba.py
deleted file mode 100644
index 16c55b42dbdd..000000000000
--- a/net/samba413/files/patch-buildtools_wafsamba_wafsamba.py
+++ /dev/null
@@ -1,11 +0,0 @@
---- ./buildtools/wafsamba/wafsamba.py.orig 2015-07-21 09:47:48 UTC
-+++ ./buildtools/wafsamba/wafsamba.py
-@@ -919,7 +919,7 @@ def SAMBAMANPAGES(bld, manpages, extra_s
- bld.env.SAMBA_EXPAND_XSL = bld.srcnode.abspath() + '/docs-xml/xslt/expand-sambadoc.xsl'
- bld.env.SAMBA_MAN_XSL = bld.srcnode.abspath() + '/docs-xml/xslt/man.xsl'
- bld.env.SAMBA_CATALOG = bld.bldnode.abspath() + '/docs-xml/build/catalog.xml'
-- bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
-+ bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file://%%LOCALBASE%%/share/xml/catalog file://' + bld.env.SAMBA_CATALOG
-
- for m in manpages.split():
- source = m + '.xml'
diff --git a/net/samba413/files/patch-buildtools_wafsamba_wscript b/net/samba413/files/patch-buildtools_wafsamba_wscript
deleted file mode 100644
index 39df9d9922a5..000000000000
--- a/net/samba413/files/patch-buildtools_wafsamba_wscript
+++ /dev/null
@@ -1,22 +0,0 @@
---- buildtools/wafsamba/wscript.orig 2019-01-15 10:07:00 UTC
-+++ buildtools/wafsamba/wscript
-@@ -80,12 +80,17 @@ def options(opt):
- help=("private library directory [PREFIX/lib/%s]" % Context.g_module.APPNAME),
- action="store", dest='PRIVATELIBDIR', default=None)
-
-+ opt.add_option('--with-openldap',
-+ help='additional directory to search for OpenLDAP libs',
-+ action='store', dest='ldap_open', default=None,
-+ match = ['Checking for library lber', 'Checking for library ldap'])
-+
- opt.add_option('--with-libiconv',
- help='additional directory to search for libiconv',
-- action='store', dest='iconv_open', default='/usr/local',
-+ action='store', dest='iconv_open', default=None,
- match = ['Checking for library iconv', 'Checking for iconv_open', 'Checking for header iconv.h'])
- opt.add_option('--without-gettext',
-- help=("Disable use of gettext"),
-+ help=("disable use of gettext"),
- action="store_true", dest='disable_gettext', default=False)
-
- gr = opt.option_group('developer options')
diff --git a/net/samba413/files/patch-ctdb_wscript b/net/samba413/files/patch-ctdb_wscript
deleted file mode 100644
index e501bf3e4703..000000000000
--- a/net/samba413/files/patch-ctdb_wscript
+++ /dev/null
@@ -1,62 +0,0 @@
---- ctdb/wscript.orig 2020-01-31 10:25:36 UTC
-+++ ctdb/wscript
-@@ -104,6 +104,9 @@ def options(opt):
- opt.add_option('--enable-ceph-reclock',
- help=("Enable Ceph CTDB recovery lock helper (default=no)"),
- action="store_true", dest='ctdb_ceph_reclock', default=False)
-+ opt.add_option('--disable-ctdb-tests',
-+ help=("Disable CTDB tests (default=no)"),
-+ action="store_true", dest='ctdb_no_tests', default=False)
-
- opt.add_option('--with-logdir',
- help=("Path to log directory"),
-@@ -261,7 +264,7 @@ def configure(conf):
-
- if Options.options.ctdb_ceph_reclock:
- if (conf.CHECK_HEADERS('rados/librados.h', False, False, 'rados') and
-- conf.CHECK_LIB('rados', shlib=True)):
-+ conf.CHECK_LIB('rados', shlib=True)):
- Logs.info('Building with Ceph librados recovery lock support')
- conf.define('HAVE_LIBRADOS', 1)
- else:
-@@ -300,9 +303,15 @@ def configure(conf):
- conf.env.CTDB_VARDIR,
- conf.env.CTDB_RUNDIR))
-
-- conf.env.CTDB_TEST_DATADIR = os.path.join(conf.env.CTDB_DATADIR, 'tests')
-- conf.env.CTDB_TEST_LIBEXECDIR = os.path.join(conf.env.LIBEXECDIR, 'ctdb/tests')
-+ if Options.options.ctdb_no_tests:
-+ conf.env.ctdb_tests = False
-+ else:
-+ conf.env.ctdb_tests = True
-
-+ if conf.env.ctdb_tests:
-+ conf.env.CTDB_TEST_DATADIR = os.path.join(conf.env.CTDB_DATADIR, 'tests')
-+ conf.env.CTDB_TEST_LIBEXECDIR = os.path.join(conf.env.LIBEXECDIR, 'ctdb/tests')
-+
- # Allow unified compilation and separate compilation of utilities
- # to find includes
- if not conf.env.standalone_ctdb:
-@@ -681,9 +690,9 @@ def build(bld):
- if bld.env.HAVE_LIBRADOS:
- bld.SAMBA_BINARY('ctdb_mutex_ceph_rados_helper',
- source='utils/ceph/ctdb_mutex_ceph_rados_helper.c',
-- deps='talloc tevent rados',
-- includes='include',
-- install_path='${CTDB_HELPER_BINDIR}')
-+ deps='talloc tevent rados',
-+ includes='include',
-+ install_path='${CTDB_HELPER_BINDIR}')
-
- sed_expr1 = 's|/usr/local/var/lib/ctdb|%s|g' % (bld.env.CTDB_VARDIR)
- sed_expr2 = 's|/usr/local/etc/ctdb|%s|g' % (bld.env.CTDB_ETCDIR)
-@@ -859,6 +868,9 @@ def build(bld):
-
- for d in ['volatile', 'persistent', 'state']:
- bld.INSTALL_DIR(os.path.join(bld.env.CTDB_VARDIR, d))
-+
-+ if not bld.env.ctdb_tests:
-+ return
-
- bld.SAMBA_BINARY('errcode',
- source='tests/src/errcode.c',
diff --git a/net/samba413/files/patch-dwrap b/net/samba413/files/patch-dwrap
deleted file mode 100644
index 7346ae7c4589..000000000000
--- a/net/samba413/files/patch-dwrap
+++ /dev/null
@@ -1,96 +0,0 @@
---- lib/dbwrap/dbwrap.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/dbwrap/dbwrap.c
-@@ -28,6 +28,9 @@
- #include "lib/util/util_tdb.h"
- #include "lib/util/tevent_ntstatus.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- /*
- * Fall back using fetch if no genuine exists operation is provided
- */
---- lib/dbwrap/dbwrap_local_open.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/dbwrap/dbwrap_local_open.c
-@@ -23,6 +23,9 @@
- #include "dbwrap/dbwrap_tdb.h"
- #include "tdb.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- struct db_context *dbwrap_local_open(TALLOC_CTX *mem_ctx,
- const char *name,
- int hash_size, int tdb_flags,
---- lib/dbwrap/dbwrap_rbt.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/dbwrap/dbwrap_rbt.c
-@@ -24,6 +24,9 @@
- #include "../lib/util/rbtree.h"
- #include "../lib/util/dlinklist.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- #define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15)
-
- struct db_rbt_ctx {
---- lib/dbwrap/dbwrap_tdb.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/dbwrap/dbwrap_tdb.c
-@@ -27,6 +27,9 @@
- #include "lib/param/param.h"
- #include "libcli/util/error.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- struct db_tdb_ctx {
- struct tdb_wrap *wtdb;
-
---- lib/dbwrap/dbwrap_util.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/dbwrap/dbwrap_util.c
-@@ -26,6 +26,9 @@
- #include "dbwrap.h"
- #include "lib/util/util_tdb.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- struct dbwrap_fetch_int32_state {
- NTSTATUS status;
- int32_t result;
---- source3/lib/dbwrap/dbwrap_ctdb.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/lib/dbwrap/dbwrap_ctdb.c
-@@ -38,6 +38,9 @@
- #include "lib/cluster_support.h"
- #include "lib/util/tevent_ntstatus.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- struct db_ctdb_transaction_handle {
- struct db_ctdb_ctx *ctx;
- /*
---- source3/lib/dbwrap/dbwrap_open.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/lib/dbwrap/dbwrap_open.c
-@@ -31,6 +31,9 @@
- #include "ctdbd_conn.h"
- #include "messages.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- bool db_is_local(const char *name)
- {
- const char *sockname = lp_ctdbd_socket();
---- source3/lib/dbwrap/dbwrap_watch.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/lib/dbwrap/dbwrap_watch.c
-@@ -28,6 +28,9 @@
- #include "server_id_watch.h"
- #include "lib/dbwrap/dbwrap_private.h"
-
-+#undef DBGC_CLASS
-+#define DBGC_CLASS DBGC_LOCKING
-+
- struct dbwrap_watcher {
- /*
- * Process watching this record
diff --git a/net/samba413/files/patch-dynconfig_wscript b/net/samba413/files/patch-dynconfig_wscript
deleted file mode 100644
index ac1c9da8cf14..000000000000
--- a/net/samba413/files/patch-dynconfig_wscript
+++ /dev/null
@@ -1,32 +0,0 @@
---- dynconfig/wscript.orig 2019-01-15 10:07:00 UTC
-+++ dynconfig/wscript
-@@ -141,6 +141,8 @@ dynconfig = {
- 'PKGCONFIGDIR' : {
- 'STD-PATH': '${LIBDIR}/pkgconfig',
- 'FHS-PATH': '${LIBDIR}/pkgconfig',
-+ 'OPTION': '--with-pkgconfigdir',
-+ 'HELPTEXT': 'Where to put .pc files',
- },
- 'CODEPAGEDIR' : {
- 'STD-PATH': '${DATADIR}/codepages',
-@@ -247,8 +249,8 @@ dynconfig = {
- 'DELAY': True,
- },
- 'CONFIGFILE' : {
-- 'STD-PATH': '${CONFIGDIR}/smb.conf',
-- 'FHS-PATH': '${CONFIGDIR}/smb.conf',
-+ 'STD-PATH': '${CONFIGDIR}/%%SAMBA4_CONFIG%%',
-+ 'FHS-PATH': '${CONFIGDIR}/%%SAMBA4_CONFIG%%',
- 'DELAY': True,
- },
- 'LMHOSTSFILE' : {
-@@ -307,9 +309,6 @@ def configure(conf):
- flavor = 'FHS-PATH'
- else:
- flavor = 'STD-PATH'
-- if conf.env.PREFIX == '/usr' or conf.env.PREFIX == '/usr/local':
-- Logs.error("Don't install directly under /usr or /usr/local without using the FHS option (--enable-fhs)")
-- raise Errors.WafError("ERROR: invalid --prefix=%s value" % (conf.env.PREFIX))
-
- explicit_set ={}
-
diff --git a/net/samba413/files/patch-examples_pdb_wscript__build b/net/samba413/files/patch-examples_pdb_wscript__build
deleted file mode 100644
index 6b8e2685e80a..000000000000
--- a/net/samba413/files/patch-examples_pdb_wscript__build
+++ /dev/null
@@ -1,11 +0,0 @@
---- examples/pdb/wscript_build.orig 2019-01-15 10:07:00 UTC
-+++ examples/pdb/wscript_build
-@@ -3,7 +3,7 @@
- bld.SAMBA3_MODULE('pdb_test',
- subsystem='pdb',
- source='test.c',
-- deps='samba-util',
-+ deps='samba-util samba-debug',
- init_function='',
- internal_module=bld.SAMBA3_IS_STATIC_MODULE('pdb_test'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('pdb_test'))
diff --git a/net/samba413/files/patch-lib_ldb_ldb__key__value_ldb__kv__cache.c b/net/samba413/files/patch-lib_ldb_ldb__key__value_ldb__kv__cache.c
deleted file mode 100644
index 0f21db6d6126..000000000000
--- a/net/samba413/files/patch-lib_ldb_ldb__key__value_ldb__kv__cache.c
+++ /dev/null
@@ -1,13 +0,0 @@
---- lib/ldb/ldb_key_value/ldb_kv_cache.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/ldb/ldb_key_value/ldb_kv_cache.c
-@@ -90,7 +90,9 @@ static int ldb_schema_attribute_compare(
- {
- const struct ldb_schema_attribute *sa1 = (const struct ldb_schema_attribute *)p1;
- const struct ldb_schema_attribute *sa2 = (const struct ldb_schema_attribute *)p2;
-- return ldb_attr_cmp(sa1->name, sa2->name);
-+ int res = ldb_attr_cmp(sa1->name, sa2->name);
-+
-+ return (res) ? res : (sa1->flags > sa2->flags) ? 1 : (sa1->flags < sa2->flags) ? -1 : 0;
- }
-
- /*
diff --git a/net/samba413/files/patch-lib_ldb_wscript b/net/samba413/files/patch-lib_ldb_wscript
deleted file mode 100644
index 62195ac59183..000000000000
--- a/net/samba413/files/patch-lib_ldb_wscript
+++ /dev/null
@@ -1,61 +0,0 @@
---- lib/ldb/wscript.orig 2019-07-08 12:47:51 UTC
-+++ lib/ldb/wscript
-@@ -207,7 +207,7 @@ def build(bld):
- if bld.env.standalone_ldb:
- if not 'PACKAGE_VERSION' in bld.env:
- bld.env.PACKAGE_VERSION = VERSION
-- bld.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
-+ bld.env.PKGCONFIGDIR = '%%PKGCONFIGDIR%%'
- private_library = False
- else:
- private_library = True
-@@ -284,7 +284,6 @@ def build(bld):
- pc_files='ldb.pc',
- vnum=VERSION,
- private_library=private_library,
-- manpages='man/ldb.3',
- abi_directory='ABI',
- abi_match = abi_match)
-
-@@ -437,7 +436,7 @@ def build(bld):
-
- LDB_TOOLS='ldbadd ldbsearch ldbdel ldbmodify ldbedit ldbrename'
- for t in LDB_TOOLS.split():
-- bld.SAMBA_BINARY(t, 'tools/%s.c' % t, deps='ldb-cmdline ldb',
-+ bld.SAMBA_BINARY('samba-%s' % t, 'tools/%s.c' % t, deps='ldb-cmdline ldb',
- manpages='man/%s.1' % t)
-
- # ldbtest doesn't get installed
-@@ -449,10 +448,10 @@ def build(bld):
- else:
- lmdb_deps = ''
- # ldbdump doesn't get installed
-- bld.SAMBA_BINARY('ldbdump',
-+ bld.SAMBA_BINARY('samba-ldbdump',
- 'tools/ldbdump.c',
- deps='ldb-cmdline ldb' + lmdb_deps,
-- install=False)
-+ install=True)
-
- bld.SAMBA_LIBRARY('ldb-cmdline',
- source='tools/ldbutil.c tools/cmdline.c',
-@@ -497,11 +496,6 @@ def build(bld):
- deps='cmocka ldb',
- install=False)
-
-- bld.SAMBA_BINARY('ldb_match_test',
-- source='tests/ldb_match_test.c',
-- deps='cmocka ldb',
-- install=False)
--
- bld.SAMBA_BINARY('ldb_key_value_test',
- source='tests/ldb_key_value_test.c',
- deps='cmocka ldb ldb_tdb_err_map',
-@@ -609,7 +603,6 @@ def test(ctx):
- 'ldb_msg_test',
- 'ldb_tdb_kv_ops_test',
- 'ldb_tdb_test',
-- 'ldb_match_test',
- 'ldb_key_value_test',
- # we currently don't run ldb_key_value_sub_txn_tdb_test as it
- # tests the nested/sub transaction handling
diff --git a/net/samba413/files/patch-lib_replace_wscript b/net/samba413/files/patch-lib_replace_wscript
deleted file mode 100644
index 9688e7e2082b..000000000000
--- a/net/samba413/files/patch-lib_replace_wscript
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/replace/wscript.orig 2019-01-15 10:07:00 UTC
-+++ lib/replace/wscript
-@@ -119,7 +119,7 @@ def configure(conf):
- conf.CHECK_HEADERS('sys/atomic.h stdatomic.h')
- conf.CHECK_HEADERS('libgen.h')
-
-- if conf.CHECK_CFLAGS('-Wno-format-truncation'):
-+ if conf.CHECK_CFLAGS(['-Wno-format-truncation'] + conf.env.WERROR_CFLAGS):
- conf.define('HAVE_WNO_FORMAT_TRUNCATION', '1')
-
- if conf.CHECK_CFLAGS('-Wno-unused-function'):
diff --git a/net/samba413/files/patch-lib_talloc_talloc.c b/net/samba413/files/patch-lib_talloc_talloc.c
deleted file mode 100644
index 25b68fd71844..000000000000
--- a/net/samba413/files/patch-lib_talloc_talloc.c
+++ /dev/null
@@ -1,20 +0,0 @@
---- lib/talloc/talloc.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/talloc/talloc.c
-@@ -391,6 +391,9 @@ void talloc_lib_init(void) __attribute__
- void talloc_lib_init(void)
- {
- uint32_t random_value;
-+#if defined(HAVE_ARC4RANDOM)
-+ random_value = arc4random();
-+#else
- #if defined(HAVE_GETAUXVAL) && defined(AT_RANDOM)
- uint8_t *p;
- /*
-@@ -424,6 +427,7 @@ void talloc_lib_init(void)
- */
- random_value = ((uintptr_t)talloc_lib_init & 0xFFFFFFFF);
- }
-+#endif /* HAVE_ARC4RANDOM */
- talloc_magic = random_value & ~TALLOC_FLAG_MASK;
- }
- #else
diff --git a/net/samba413/files/patch-lib_talloc_wscript b/net/samba413/files/patch-lib_talloc_wscript
deleted file mode 100644
index 522c2055f34c..000000000000
--- a/net/samba413/files/patch-lib_talloc_wscript
+++ /dev/null
@@ -1,18 +0,0 @@
---- lib/talloc/wscript.orig 2019-05-07 08:38:21 UTC
-+++ lib/talloc/wscript
-@@ -45,13 +45,14 @@ def configure(conf):
- conf.env.TALLOC_COMPAT1 = False
- if conf.env.standalone_talloc:
- conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
-- conf.env.PKGCONFIGDIR = '${LIBDIR}/pkgconfig'
-+ conf.env.PKGCONFIGDIR = '%%PKGCONFIGDIR%%'
- conf.env.TALLOC_VERSION = VERSION
-
- conf.CHECK_XSLTPROC_MANPAGES()
-
- conf.CHECK_HEADERS('sys/auxv.h')
- conf.CHECK_FUNCS('getauxval')
-+ conf.CHECK_FUNCS('arc4random')
-
- conf.SAMBA_CONFIG_H()
-
diff --git a/net/samba413/files/patch-lib_tdb_wscript b/net/samba413/files/patch-lib_tdb_wscript
deleted file mode 100644
index eaa885227094..000000000000
--- a/net/samba413/files/patch-lib_tdb_wscript
+++ /dev/null
@@ -1,27 +0,0 @@
---- lib/tdb/wscript.orig 2019-07-02 22:39:54 UTC
-+++ lib/tdb/wscript
-@@ -145,20 +145,20 @@ def build(bld):
- 'tdb',
- install=False)
-
-- bld.SAMBA_BINARY('tdbrestore',
-+ bld.SAMBA_BINARY('samba-tdbrestore',
- 'tools/tdbrestore.c',
- 'tdb', manpages='man/tdbrestore.8')
-
-- bld.SAMBA_BINARY('tdbdump',
-+ bld.SAMBA_BINARY('samba-tdbdump',
- 'tools/tdbdump.c',
- 'tdb', manpages='man/tdbdump.8')
-
-- bld.SAMBA_BINARY('tdbbackup',
-+ bld.SAMBA_BINARY('samba-tdbbackup',
- 'tools/tdbbackup.c',
- 'tdb',
- manpages='man/tdbbackup.8')
-
-- bld.SAMBA_BINARY('tdbtool',
-+ bld.SAMBA_BINARY('samba-tdbtool',
- 'tools/tdbtool.c',
- 'tdb', manpages='man/tdbtool.8')
-
diff --git a/net/samba413/files/patch-lib_util_wscript__build b/net/samba413/files/patch-lib_util_wscript__build
deleted file mode 100644
index 5b88f2183bc0..000000000000
--- a/net/samba413/files/patch-lib_util_wscript__build
+++ /dev/null
@@ -1,11 +0,0 @@
---- lib/util/wscript_build.orig 2019-05-07 08:38:21 UTC
-+++ lib/util/wscript_build
-@@ -151,7 +151,7 @@ else:
-
- bld.SAMBA_LIBRARY('samba-modules',
- source='modules.c',
-- deps='samba-errors samba-util',
-+ deps='samba-errors samba-util samba-debug',
- local_include=False,
- private_library=True)
-
diff --git a/net/samba413/files/patch-linuxisms b/net/samba413/files/patch-linuxisms
deleted file mode 100644
index 36d2ac1bc26e..000000000000
--- a/net/samba413/files/patch-linuxisms
+++ /dev/null
@@ -1,91 +0,0 @@
---- libcli/http/http.c.orig 2020-07-09 13:33:56
-+++ libcli/http/http.c
-@@ -141,7 +141,19 @@ static enum http_read_status http_parse_headers(struct
- return HTTP_ALL_DATA_READ;
- }
-
-+#ifdef FREEBSD
-+ int s0, s1, s2, s3; s0 = s1 = s2 = s3 = 0;
-+ n = sscanf(line, "%n%*[^:]%n: %n%*[^\r\n]%n\r\n", &s0, &s1, &s2, &s3);
-+
-+ if(n >= 0) {
-+ key = calloc(sizeof(char), s1-s0+1);
-+ value = calloc(sizeof(char), s3-s2+1);
-+
-+ n = sscanf(line, "%[^:]: %[^\r\n]\r\n", key, value);
-+ }
-+#else
- n = sscanf(line, "%m[^:]: %m[^\r\n]\r\n", &key, &value);
-+#endif
- if (n != 2) {
- DEBUG(0, ("%s: Error parsing header '%s'\n", __func__, line));
- status = HTTP_DATA_CORRUPTED;
-@@ -167,7 +179,7 @@ error:
- static bool http_parse_response_line(struct http_read_response_state *state)
- {
- bool status = true;
-- char *protocol;
-+ char *protocol = NULL;
- char *msg = NULL;
- char major;
- char minor;
-@@ -187,18 +199,32 @@ static bool http_parse_response_line(struct http_read_
- return false;
- }
-
-+#ifdef FREEBSD
-+ int s0, s1, s2, s3; s0 = s1 = s2 = s3 = 0;
-+ n = sscanf(line, "%n%*[^/]%n/%c.%c %d %n%*[^\r\n]%n\r\n",
-+ &s0, &s1, &major, &minor, &code, &s2, &s3);
-+
-+ if(n == 3) {
-+ protocol = calloc(sizeof(char), s1-s0+1);
-+ msg = calloc(sizeof(char), s3-s2+1);
-+
-+ n = sscanf(line, "%[^/]/%c.%c %d %[^\r\n]\r\n",
-+ protocol, &major, &minor, &code, msg);
-+ }
-+#else
- n = sscanf(line, "%m[^/]/%c.%c %d %m[^\r\n]\r\n",
- &protocol, &major, &minor, &code, &msg);
-+#endif
-
-- DEBUG(11, ("%s: Header parsed(%i): protocol->%s, major->%c, minor->%c, "
-- "code->%d, message->%s\n", __func__, n, protocol, major, minor,
-- code, msg));
--
- if (n != 5) {
- DEBUG(0, ("%s: Error parsing header\n", __func__));
- status = false;
- goto error;
- }
-+
-+ DEBUG(11, ("%s: Header parsed(%i): protocol->%s, major->%c, minor->%c, "
-+ "code->%d, message->%s\n", __func__, n, protocol, major, minor,
-+ code, msg));
-
- if (major != '1') {
- DEBUG(0, ("%s: Bad HTTP major number '%c'\n", __func__, major));
---- source4/libcli/ldap/ldap_client.c.orig 2020-07-09 13:33:56
-+++ source4/libcli/ldap/ldap_client.c
-@@ -402,8 +402,20 @@ static int ldap_parse_basic_url(
- *pport = port;
- return 0;
- }
-+#ifdef FREEBSD
-+ int s0, s1; s0 = s1 = 0;
-+ ret = sscanf(url, "%n%*[^:/]%n:%d", &s0, &s1, &port);
-
-+ if(ret >= 0) {
-+ host = calloc(sizeof(char), s1 - s0 + 1);
-+ if (host == NULL) {
-+ return ENOMEM;
-+ }
-+ ret = sscanf(url, "%[^:/]:%d", host, &port);
-+ }
-+#else
- ret = sscanf(url, "%m[^:/]:%d", &host, &port);
-+#endif
- if (ret < 1) {
- return EINVAL;
- }
diff --git a/net/samba413/files/patch-listen-backlog b/net/samba413/files/patch-listen-backlog
deleted file mode 100644
index b963d45d6966..000000000000
--- a/net/samba413/files/patch-listen-backlog
+++ /dev/null
@@ -1,94 +0,0 @@
---- lib/tevent/echo_server.c.orig 2019-01-15 10:07:00 UTC
-+++ lib/tevent/echo_server.c
-@@ -633,7 +633,7 @@ int main(int argc, const char **argv)
- exit(1);
- }
-
-- ret = listen(listen_sock, 5);
-+ ret = listen(listen_sock, DEFAULT_LISTEN_BACKLOG);
- if (ret == -1) {
- perror("listen() failed");
- exit(1);
---- source3/include/local.h.orig 2019-01-15 10:07:00 UTC
-+++ source3/include/local.h
-@@ -173,7 +173,18 @@
- #define WINBIND_SERVER_MUTEX_WAIT_TIME (( ((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)*2)
-
- /* size of listen() backlog in smbd */
-+#if defined (FREEBSD)
-+#define SMBD_LISTEN_BACKLOG -1
-+#else
- #define SMBD_LISTEN_BACKLOG 50
-+#endif
-+
-+/* size of listen() default backlog */
-+#if defined (FREEBSD)
-+#define DEFAULT_LISTEN_BACKLOG -1
-+#else
-+#define DEFAULT_LISTEN_BACKLOG 5
-+#endif
-
- /* Number of microseconds to wait before a sharing violation. */
- #define SHARING_VIOLATION_USEC_WAIT 950000
---- source3/libsmb/unexpected.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/libsmb/unexpected.c
-@@ -95,7 +95,7 @@ NTSTATUS nb_packet_server_create(TALLOC_
- status = map_nt_error_from_unix(errno);
- goto fail;
- }
-- rc = listen(result->listen_sock, 5);
-+ rc = listen(result->listen_sock, DEFAULT_LISTEN_BACKLOG);
- if (rc < 0) {
- status = map_nt_error_from_unix(errno);
- goto fail;
---- source3/rpc_server/rpc_server.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/rpc_server/rpc_server.c
-@@ -158,7 +158,7 @@ bool setup_named_pipe_socket(const char
- goto out;
- }
-
-- rc = listen(state->fd, 5);
-+ rc = listen(state->fd, DEFAULT_LISTEN_BACKLOG);
- if (rc < 0) {
- DEBUG(0, ("Failed to listen on pipe socket %s: %s\n",
- pipe_name, strerror(errno)));
-@@ -830,7 +830,7 @@ bool setup_dcerpc_ncalrpc_socket(struct
- goto out;
- }
-
-- rc = listen(state->fd, 5);
-+ rc = listen(state->fd, DEFAULT_LISTEN_BACKLOG);
- if (rc < 0) {
- DEBUG(0, ("Failed to listen on ncalrpc socket %s: %s\n",
- name, strerror(errno)));
---- source3/utils/smbfilter.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/utils/smbfilter.c
-@@ -291,7 +291,7 @@ static void start_filter(char *desthost)
- exit(1);
- }
-
-- if (listen(s, 5) == -1) {
-+ if (listen(s, DEFAULT_LISTEN_BACKLOG) == -1) {
- d_printf("listen failed\n");
- }
-
---- source3/winbindd/winbindd.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/winbindd/winbindd.c
-@@ -1317,7 +1317,7 @@ static bool winbindd_setup_listeners(voi
- if (pub_state->fd == -1) {
- goto failed;
- }
-- rc = listen(pub_state->fd, 5);
-+ rc = listen(pub_state->fd, DEFAULT_LISTEN_BACKLOG);
- if (rc < 0) {
- goto failed;
- }
-@@ -1349,7 +1349,7 @@ static bool winbindd_setup_listeners(voi
- if (priv_state->fd == -1) {
- goto failed;
- }
-- rc = listen(priv_state->fd, 5);
-+ rc = listen(priv_state->fd, DEFAULT_LISTEN_BACKLOG);
- if (rc < 0) {
- goto failed;
- }
diff --git a/net/samba413/files/patch-mdns b/net/samba413/files/patch-mdns
deleted file mode 100644
index c707fb620eb3..000000000000
--- a/net/samba413/files/patch-mdns
+++ /dev/null
@@ -1,532 +0,0 @@
-From 923bc7a1afeb0b920e60e14846987ae1d2d7dca4 Mon Sep 17 00:00:00 2001
-From: John Hixson <john@ixsystems.com>
-Date: Thu, 7 Dec 2017 09:36:32 -0500
-Subject: [PATCH] Freenas/master mdns fixes (#22)
-
-* mDNS fixes for Samba (work in progress).
-
-* Fix mDNS - Can advertise on individual interfaces
-
-* Fix mDNS browsing in smbclient
-
-Signed-off-by: Timur I. Bakeyev <timur@iXsystems.com>
-
---- source3/client/dnsbrowse.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/client/dnsbrowse.c
-@@ -39,6 +39,7 @@ struct mdns_smbsrv_result
- struct mdns_browse_state
- {
- struct mdns_smbsrv_result *listhead; /* Browse result list head */
-+ TALLOC_CTX * ctx;
- int browseDone;
-
- };
-@@ -64,7 +65,7 @@ static void do_smb_resolve(struct mdns_s
- struct timeval tv;
- DNSServiceErrorType err;
-
-- TALLOC_CTX * ctx = talloc_tos();
-+ TALLOC_CTX * ctx = talloc_new(NULL);
-
- err = DNSServiceResolve(&mdns_conn_sdref, 0 /* flags */,
- browsesrv->ifIndex,
-@@ -91,7 +92,7 @@ static void do_smb_resolve(struct mdns_s
- }
- }
-
-- TALLOC_FREE(fdset);
-+ TALLOC_FREE(ctx);
- DNSServiceRefDeallocate(mdns_conn_sdref);
- }
-
-@@ -124,18 +125,19 @@ do_smb_browse_reply(DNSServiceRef sdRef,
- return;
- }
-
-- bresult = talloc_array(talloc_tos(), struct mdns_smbsrv_result, 1);
-+ bresult = talloc_array(bstatep->ctx, struct mdns_smbsrv_result, 1);
- if (bresult == NULL) {
- return;
- }
-
-+ bresult->nextResult = NULL;
- if (bstatep->listhead != NULL) {
- bresult->nextResult = bstatep->listhead;
- }
-
-- bresult->serviceName = talloc_strdup(talloc_tos(), serviceName);
-- bresult->regType = talloc_strdup(talloc_tos(), regtype);
-- bresult->domain = talloc_strdup(talloc_tos(), replyDomain);
-+ bresult->serviceName = talloc_strdup(bstatep->ctx, serviceName);
-+ bresult->regType = talloc_strdup(bstatep->ctx, regtype);
-+ bresult->domain = talloc_strdup(bstatep->ctx, replyDomain);
- bresult->ifIndex = interfaceIndex;
- bstatep->listhead = bresult;
- }
-@@ -151,10 +153,13 @@ int do_smb_browse(void)
- DNSServiceRef mdns_conn_sdref = NULL;
- DNSServiceErrorType err;
-
-- TALLOC_CTX * ctx = talloc_stackframe();
-+ TALLOC_CTX * ctx = talloc_new(NULL);
-
- ZERO_STRUCT(bstate);
-
-+ bstate.ctx = ctx;
-+ bstate.listhead = NULL;
-+
- err = DNSServiceBrowse(&mdns_conn_sdref, 0, 0, "_smb._tcp", "",
- do_smb_browse_reply, &bstate);
-
---- source3/smbd/dnsregister.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/smbd/dnsregister.c
-@@ -29,6 +29,29 @@
- * browse for advertised SMB services.
- */
-
-+/*
-+ * Time Machine Errata:
-+ * sys=adVF=0x100 -- this is required when ._adisk._tcp is present on device. When it is
-+ * set, the MacOS client will send a NetShareEnumAll IOCTL and shares will be visible.
-+ * Otherwise, Finder will only see the Time Machine share. In the absence of ._adisk._tcp
-+ * MacOS will _always_ send NetShareEnumAll IOCTL.
-+ *
-+ * waMa=0 -- MacOS server uses waMa=0, while embedded devices have it set to their Mac Address.
-+ * Speculation in Samba-Technical indicates that this stands for "Wireless AirDisk Mac Address".
-+ *
-+ * adVU -- AirDisk Volume UUID. Mac OS servers generate a UUID. Time machine over SMB works without one
-+ * set. Netatalk generates a UUID and stores it persistently in afp_voluuid.conf. This can be
-+ * set by adding the share parameter "fruit:volume_uuid = "
-+ *
-+ * dk(n)=adVF=
-+ * 0xa1, 0x81 - AFP support
-+ * 0xa2, 0x82 - SMB support
-+ * 0xa3, 0x83 - AFP and SMB support
-+ *
-+ * adVN -- AirDisk Volume Name. We set this to the share name.
-+ *
-+ */
-+
- #define DNS_REG_RETRY_INTERVAL (5*60) /* in seconds */
-
- #ifdef WITH_DNSSD_SUPPORT
-@@ -36,85 +59,177 @@
- #include <dns_sd.h>
-
- struct dns_reg_state {
-- struct tevent_context *event_ctx;
-- uint16_t port;
-- DNSServiceRef srv_ref;
-- struct tevent_timer *te;
-- int fd;
-- struct tevent_fd *fde;
-+ int count;
-+ struct reg_state {
-+ DNSServiceRef srv_ref;
-+ TALLOC_CTX *mem_ctx;
-+ struct tevent_context *event_ctx;
-+ struct tevent_timer *te;
-+ struct tevent_fd *fde;
-+ uint16_t port;
-+ int if_index;
-+ int fd;
-+ } *drs;
- };
-
--static int dns_reg_state_destructor(struct dns_reg_state *dns_state)
-+static void dns_register_smbd_retry(struct tevent_context *ctx,
-+ struct tevent_timer *te,
-+ struct timeval now,
-+ void *private_data);
-+static void dns_register_smbd_fde_handler(struct tevent_context *ev,
-+ struct tevent_fd *fde,
-+ uint16_t flags,
-+ void *private_data);
-+
-+
-+static int reg_state_destructor(struct reg_state *state)
- {
-- if (dns_state->srv_ref != NULL) {
-+ if (state == NULL) {
-+ return -1;
-+ }
-+
-+ if (state->srv_ref != NULL) {
- /* Close connection to the mDNS daemon */
-- DNSServiceRefDeallocate(dns_state->srv_ref);
-- dns_state->srv_ref = NULL;
-+ DNSServiceRefDeallocate(state->srv_ref);
-+ state->srv_ref = NULL;
- }
-
- /* Clear event handler */
-- TALLOC_FREE(dns_state->te);
-- TALLOC_FREE(dns_state->fde);
-- dns_state->fd = -1;
-+ TALLOC_FREE(state->te);
-+ TALLOC_FREE(state->fde);
-+ state->fd = -1;
-
- return 0;
- }
-
--static void dns_register_smbd_retry(struct tevent_context *ctx,
-- struct tevent_timer *te,
-- struct timeval now,
-- void *private_data);
--static void dns_register_smbd_fde_handler(struct tevent_context *ev,
-- struct tevent_fd *fde,
-- uint16_t flags,
-- void *private_data);
-+int TXTRecordPrintf(TXTRecordRef * rec, const char * key, const char * fmt, ... )
-+{
-+ int ret = 0;
-+ char *str;
-+ va_list ap;
-+ va_start( ap, fmt );
-
--static bool dns_register_smbd_schedule(struct dns_reg_state *dns_state,
-+ if( 0 > vasprintf(&str, fmt, ap ) ) {
-+ va_end(ap);
-+ return -1;
-+ }
-+ va_end(ap);
-+
-+ if( kDNSServiceErr_NoError != TXTRecordSetValue(rec, key, strlen(str), str) ) {
-+ ret = -1;
-+ }
-+
-+ free(str);
-+ return ret;
-+}
-+
-+int TXTRecordKeyPrintf(TXTRecordRef * rec, const char * key_fmt, int key_var, const char * fmt, ...)
-+{
-+ int ret = 0;
-+ char *key = NULL, *str = NULL;
-+ va_list ap;
-+
-+ if( 0 > asprintf(&key, key_fmt, key_var)) {
-+ DEBUG(1, ("Failed in asprintf\n"));
-+ return -1;
-+ }
-+
-+ va_start( ap, fmt );
-+ if( 0 > vasprintf(&str, fmt, ap )) {
-+ va_end(ap);
-+ DEBUG(1, ("Failed in vasprintf\n"));
-+ ret = -1;
-+ goto exit;
-+ }
-+ va_end(ap);
-+
-+ if( kDNSServiceErr_NoError != TXTRecordSetValue(rec, key, strlen(str), str) ) {
-+ DEBUG(1, ("Failed in TXTRecordSetValuen"));
-+ ret = -1;
-+ goto exit;
-+ }
-+
-+ exit:
-+ if (str)
-+ free(str);
-+ if (key)
-+ free(key);
-+ return ret;
-+}
-+
-+
-+static bool dns_register_smbd_schedule(struct reg_state *state,
- struct timeval tval)
- {
-- dns_reg_state_destructor(dns_state);
-+ reg_state_destructor(state);
-
-- dns_state->te = tevent_add_timer(dns_state->event_ctx,
-- dns_state,
-+ state->te = tevent_add_timer(state->event_ctx,
-+ state->mem_ctx,
- tval,
- dns_register_smbd_retry,
-- dns_state);
-- if (!dns_state->te) {
-+ state);
-+ if (!state->te) {
- return false;
- }
-
- return true;
- }
-
-+static void dns_register_smbd_callback(DNSServiceRef service,
-+ DNSServiceFlags flags,
-+ DNSServiceErrorType errorCode,
-+ const char *name,
-+ const char *type,
-+ const char *domain,
-+ void *context)
-+{
-+ if (errorCode != kDNSServiceErr_NoError) {
-+ DEBUG(6, ("error=%d\n", errorCode));
-+ } else {
-+ DEBUG(6, ("%-15s %s.%s%s\n", "REGISTER", name, type, domain));
-+ }
-+}
-+
- static void dns_register_smbd_retry(struct tevent_context *ctx,
- struct tevent_timer *te,
- struct timeval now,
- void *private_data)
- {
-- struct dns_reg_state *dns_state = talloc_get_type_abort(private_data,
-- struct dns_reg_state);
-+ struct reg_state *state = (struct reg_state *)private_data;
- DNSServiceErrorType err;
-+ int snum;
-+ size_t dk = 0;
-+ bool sys_txt_created = false;
-+ TXTRecordRef txt_adisk;
-+ TXTRecordRef txt_devinfo;
-+ char *servname;
-+ char *v_uuid;
-+ int num_services = lp_numservices();
-
-- dns_reg_state_destructor(dns_state);
-+ reg_state_destructor(state);
-
-- DEBUG(6, ("registering _smb._tcp service on port %d\n",
-- dns_state->port));
-+ TXTRecordCreate(&txt_adisk, 0, NULL);
-+
-+ DEBUG(6, ("registering _smb._tcp service on port %d index %d\n",
-+ state->port, state->if_index));
-
- /* Register service with DNS. Connects with the mDNS
- * daemon running on the local system to perform DNS
- * service registration.
- */
-- err = DNSServiceRegister(&dns_state->srv_ref, 0 /* flags */,
-- kDNSServiceInterfaceIndexAny,
-- NULL /* service name */,
-- "_smb._tcp" /* service type */,
-- NULL /* domain */,
-- "" /* SRV target host name */,
-- htons(dns_state->port),
-- 0 /* TXT record len */,
-- NULL /* TXT record data */,
-- NULL /* callback func */,
-- NULL /* callback context */);
-+ err = DNSServiceRegister(&state->srv_ref,
-+ 0 /* flags */,
-+ state->if_index /* interface index */,
-+ NULL /* service name */,
-+ "_smb._tcp" /* service type */,
-+ NULL /* domain */,
-+ "" /* SRV target host name */,
-+ htons(state->port) /* port */,
-+ 0 /* TXT record len */,
-+ NULL /* TXT record data */,
-+ dns_register_smbd_callback /* callback func */,
-+ NULL /* callback context */);
-+
-
- if (err != kDNSServiceErr_NoError) {
- /* Failed to register service. Schedule a re-try attempt.
-@@ -123,24 +238,96 @@ static void dns_register_smbd_retry(stru
- goto retry;
- }
-
-- dns_state->fd = DNSServiceRefSockFD(dns_state->srv_ref);
-- if (dns_state->fd == -1) {
-+ /*
-+ * Check for services that are configured as Time Machine targets
-+ *
-+ */
-+ for (snum = 0; snum < num_services; snum++) {
-+ if (lp_snum_ok(snum) && lp_parm_bool(snum, "fruit", "time machine", false))
-+ {
-+ if (!sys_txt_created) {
-+ if( 0 > TXTRecordPrintf(&txt_adisk, "sys", "adVF=0x100") ) {
-+ DEBUG(1, ("Failed to create Zeroconf TXTRecord for sys") );
-+ goto retry;
-+ }
-+ else
-+ {
-+ sys_txt_created = true;
-+ }
-+ }
-+
-+ v_uuid = lp_parm_const_string(snum, "fruit", "volume_uuid", NULL);
-+ servname = lp_const_servicename(snum);
-+ DEBUG(1, ("Registering volume %s for TimeMachine\n", servname));
-+ if (v_uuid) {
-+ if( 0 > TXTRecordKeyPrintf(&txt_adisk, "dk%zu", dk++, "adVN=%s,adVF=0x82,adVU=%s",
-+ servname, v_uuid) ) {
-+ DEBUG(1, ("Could not set Zeroconf TXTRecord for dk%zu \n", dk));
-+ goto retry;
-+ }
-+ DEBUG(1, ("Registering TimeMachine with the following TXT parameters: "
-+ "dk%zu,adVN=%s,adVF=0x82,adVU=%s\n", dk, servname, v_uuid) );
-+ }
-+ else {
-+ if( 0 > TXTRecordKeyPrintf(&txt_adisk, "dk%zu", dk++, "adVN=%s,adVF=0x82",
-+ servname) ) {
-+ DEBUG(1, ("Could not set Zeroconf TXTRecord for dk%zu \n", dk));
-+ goto retry;
-+ }
-+ DEBUG(1, ("Registering TimeMachine with the following TXT parameters: "
-+ "dk%zu,adVN=%s,adVF=0x82\n", dk, servname) );
-+ }
-+ }
-+ }
-+
-+ if (dk) {
-+ err = DNSServiceRegister(&state->srv_ref,
-+ 0 /* flags */,
-+ state->if_index /* interface index */,
-+ NULL /* service name */,
-+ "_adisk._tcp" /* service type */,
-+ NULL /* domain */,
-+ "" /* SRV target host name */,
-+ /*
-+ * We would probably use port 0 zero, but we can't, from man DNSServiceRegister:
-+ * "A value of 0 for a port is passed to register placeholder services.
-+ * Place holder services are not found when browsing, but other
-+ * clients cannot register with the same name as the placeholder service."
-+ * We therefor use port 9 which is used by the adisk service type.
-+ */
-+ htons(9) /* port */,
-+ TXTRecordGetLength(&txt_adisk) /* TXT record len */,
-+ TXTRecordGetBytesPtr(&txt_adisk) /* TXT record data */,
-+ dns_register_smbd_callback /* callback func */,
-+ NULL /* callback context */);
-+
-+
-+ if (err != kDNSServiceErr_NoError) {
-+ /* Failed to register service. Schedule a re-try attempt.
-+ */
-+ DEBUG(1, ("unable to register with mDNS (err %d)\n", err));
-+ goto retry;
-+ }
-+ }
-+
-+ state->fd = DNSServiceRefSockFD(state->srv_ref);
-+ if (state->fd == -1) {
- goto retry;
- }
-
-- dns_state->fde = tevent_add_fd(dns_state->event_ctx,
-- dns_state,
-- dns_state->fd,
-- TEVENT_FD_READ,
-- dns_register_smbd_fde_handler,
-- dns_state);
-- if (!dns_state->fde) {
-+ state->fde = tevent_add_fd(state->event_ctx,
-+ state->mem_ctx,
-+ state->fd,
-+ TEVENT_FD_READ,
-+ dns_register_smbd_fde_handler,
-+ state);
-+ if (!state->fde) {
- goto retry;
- }
-
- return;
- retry:
-- dns_register_smbd_schedule(dns_state,
-+ dns_register_smbd_schedule(state,
- timeval_current_ofs(DNS_REG_RETRY_INTERVAL, 0));
- }
-
-@@ -150,44 +337,77 @@ static void dns_register_smbd_fde_handle
- uint16_t flags,
- void *private_data)
- {
-- struct dns_reg_state *dns_state = talloc_get_type_abort(private_data,
-- struct dns_reg_state);
-+ struct reg_state *state = (struct reg_state *)private_data;
- DNSServiceErrorType err;
-
-- err = DNSServiceProcessResult(dns_state->srv_ref);
-+ err = DNSServiceProcessResult(state->srv_ref);
- if (err != kDNSServiceErr_NoError) {
-- DEBUG(3, ("failed to process mDNS result (err %d), re-trying\n",
-- err));
-+ DEBUG(3, ("failed to process mDNS result (err %d), re-trying\n", err));
- goto retry;
- }
-
-- talloc_free(dns_state);
- return;
-
- retry:
-- dns_register_smbd_schedule(dns_state,
-- timeval_current_ofs(DNS_REG_RETRY_INTERVAL, 0));
-+ dns_register_smbd_schedule(state, timeval_zero());
-+}
-+
-+static int dns_reg_state_destructor(struct dns_reg_state *state)
-+{
-+ if (state != NULL) {
-+ talloc_free(state);
-+ }
-+ return 0;
- }
-
-+
- bool smbd_setup_mdns_registration(struct tevent_context *ev,
- TALLOC_CTX *mem_ctx,
- uint16_t port)
- {
- struct dns_reg_state *dns_state;
-+ bool bind_all = true;
-+ int i;
-
- dns_state = talloc_zero(mem_ctx, struct dns_reg_state);
-- if (dns_state == NULL) {
-+ if (dns_state == NULL)
-+ return false;
-+
-+ if (lp_interfaces() && lp_bind_interfaces_only())
-+ bind_all = false;
-+
-+ dns_state->count = iface_count();
-+ if (dns_state->count <= 0 || bind_all == true)
-+ dns_state->count = 1;
-+
-+ dns_state->drs = talloc_array(mem_ctx, struct reg_state, dns_state->count);
-+ if (dns_state->drs == NULL) {
-+ talloc_free(dns_state);
- return false;
- }
-- dns_state->event_ctx = ev;
-- dns_state->port = port;
-- dns_state->fd = -1;
-
-- talloc_set_destructor(dns_state, dns_reg_state_destructor);
-+ for (i = 0; i < dns_state->count; i++) {
-+ struct interface *iface = get_interface(i);
-+ struct reg_state *state = &dns_state->drs[i];
-
-- return dns_register_smbd_schedule(dns_state, timeval_zero());
-+ state->mem_ctx = mem_ctx;
-+ state->srv_ref = NULL;
-+ state->event_ctx = ev;
-+ state->te = NULL;
-+ state->fde = NULL;
-+ state->port = port;
-+ state->fd = -1;
-+
-+ state->if_index = bind_all ? kDNSServiceInterfaceIndexAny : iface->if_index;
-+
-+ dns_register_smbd_schedule(&dns_state->drs[i], timeval_zero());
-+ }
-+
-+ talloc_set_destructor(dns_state, dns_reg_state_destructor);
-+ return true;
- }
-
-+
- #else /* WITH_DNSSD_SUPPORT */
-
- bool smbd_setup_mdns_registration(struct tevent_context *ev,
diff --git a/net/samba413/files/patch-nsswitch_wscript__build b/net/samba413/files/patch-nsswitch_wscript__build
deleted file mode 100644
index bb94e8aeeb38..000000000000
--- a/net/samba413/files/patch-nsswitch_wscript__build
+++ /dev/null
@@ -1,17 +0,0 @@
---- nsswitch/wscript_build.orig 2019-01-15 10:07:00 UTC
-+++ nsswitch/wscript_build
-@@ -61,12 +61,14 @@ elif (host_os.rfind('freebsd') > -1):
- source='winbind_nss_linux.c winbind_nss_freebsd.c',
- deps='winbind-client',
- realname='nss_winbind.so.1',
-+ install_path='${PAMMODULESDIR}',
- vnum='1')
-
- bld.SAMBA3_LIBRARY('nss_wins',
- source='wins.c wins_freebsd.c',
- deps='''wbclient''',
- realname='nss_wins.so.1',
-+ install_path='${PAMMODULESDIR}',
- vnum='1')
-
- elif (host_os.rfind('netbsd') > -1):
diff --git a/net/samba413/files/patch-samba-4.14.14 b/net/samba413/files/patch-samba-4.14.14
deleted file mode 100644
index 4127ab67308e..000000000000
--- a/net/samba413/files/patch-samba-4.14.14
+++ /dev/null
@@ -1,13366 +0,0 @@
-From 5d958156c7e5d6c1da61d18fe4fd105b22639b56 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Jun 2022 21:09:53 +1200
-Subject: [PATCH 01/99] CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/objectclass_attrs.c source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
-index 6ab46a729a2..2a77353cdfc 100644
---- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
-+++ source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
-@@ -263,7 +263,7 @@ static int attr_handler(struct oc_context *ac)
- LDB_CONTROL_AS_SYSTEM_OID);
- if (!dsdb_module_am_system(ac->module) && !as_system) {
- ldb_asprintf_errstring(ldb,
-- "objectclass_attrs: attribute '%s' on entry '%s' must can only be modified as system",
-+ "objectclass_attrs: attribute '%s' on entry '%s' can only be modified as system",
- msg->elements[i].name,
- ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_CONSTRAINT_VIOLATION;
---
-2.25.1
-
-
-From 51cbeff886fe01db463448f8655a43d10040dc8b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 21 Jun 2022 15:37:15 +1200
-Subject: [PATCH 02/99] CVE-2022-32746 s4:dsdb:tests: Add test for deleting a
- disallowed SPN
-
-If an account has an SPN that requires Write Property to set, we should
-still be able to delete it with just Validated Write.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- selftest/knownfail.d/acl-spn-delete | 1 +
- source4/dsdb/tests/python/acl.py | 26 ++++++++++++++++++++++++++
- 2 files changed, 27 insertions(+)
- create mode 100644 selftest/knownfail.d/acl-spn-delete
-
-diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete
-new file mode 100644
-index 00000000000..32018413c49
---- /dev/null
-+++ selftest/knownfail.d/acl-spn-delete
-@@ -0,0 +1 @@
-+^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(
-diff --git source4/dsdb/tests/python/acl.py source4/dsdb/tests/python/acl.py
-index df0fe12bf29..d90d3b3923f 100755
---- source4/dsdb/tests/python/acl.py
-+++ source4/dsdb/tests/python/acl.py
-@@ -2286,6 +2286,32 @@ class AclSPNTests(AclTests):
- else:
- self.fail(f'able to add disallowed SPN {not_allowed_spn}')
-
-+ def test_delete_disallowed_spn(self):
-+ # Grant Validated-SPN property.
-+ mod = f'(OA;;SW;{security.GUID_DRS_VALIDATE_SPN};;{self.user_sid1})'
-+ self.sd_utils.dacl_add_ace(self.computerdn, mod)
-+
-+ spn_base = f'HOST/{self.computername}'
-+
-+ not_allowed_spn = f'{spn_base}/{self.dcctx.get_domain_name()}'
-+
-+ # Add a disallowed SPN as admin.
-+ msg = Message(Dn(self.ldb_admin, self.computerdn))
-+ msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
-+ FLAG_MOD_ADD,
-+ 'servicePrincipalName')
-+ self.ldb_admin.modify(msg)
-+
-+ # Ensure we are able to delete a disallowed SPN.
-+ msg = Message(Dn(self.ldb_user1, self.computerdn))
-+ msg['servicePrincipalName'] = MessageElement(not_allowed_spn,
-+ FLAG_MOD_DELETE,
-+ 'servicePrincipalName')
-+ try:
-+ self.ldb_user1.modify(msg)
-+ except LdbError:
-+ self.fail(f'unable to delete disallowed SPN {not_allowed_spn}')
-+
-
- # tests SEC_ADS_LIST vs. SEC_ADS_LIST_OBJECT
- @DynamicTestCase
---
-2.25.1
-
-
-From a68553792a8512a2d266bbb86f064f78b5482a65 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 21 Jun 2022 14:41:02 +1200
-Subject: [PATCH 03/99] CVE-2022-32746 s4/dsdb/partition: Fix LDB flags
- comparison
-
-LDB_FLAG_MOD_* values are not actually flags, and the previous
-comparison was equivalent to
-
-(req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0
-
-which is true whenever any of the LDB_FLAG_MOD_* values are set. Correct
-the expression to what it was probably intended to be.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/partition.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/partition.c source4/dsdb/samdb/ldb_modules/partition.c
-index 2544a106d13..2d90ca5d1b3 100644
---- source4/dsdb/samdb/ldb_modules/partition.c
-+++ source4/dsdb/samdb/ldb_modules/partition.c
-@@ -493,8 +493,8 @@ static int partition_copy_all_callback_action(
- * them here too
- */
- for (el_idx=0; el_idx < req_msg->num_elements; el_idx++) {
-- if (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_DELETE
-- || ((req_msg->elements[el_idx].flags & LDB_FLAG_MOD_REPLACE) &&
-+ if (LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_DELETE
-+ || ((LDB_FLAG_MOD_TYPE(req_msg->elements[el_idx].flags) == LDB_FLAG_MOD_REPLACE) &&
- req_msg->elements[el_idx].num_values == 0)) {
- if (ldb_msg_find_element(modify_msg,
- req_msg->elements[el_idx].name) != NULL) {
---
-2.25.1
-
-
-From 582ac171364f0c28f54eaf4f21b5bfa7569b5233 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 21 Jun 2022 14:49:51 +1200
-Subject: [PATCH 04/99] CVE-2022-32746 s4:torture: Fix LDB flags comparison
-
-LDB_FLAG_MOD_* values are not actually flags, and the previous
-comparison was equivalent to
-
-(el->flags & LDB_FLAG_MOD_MASK) == 0
-
-which is only true if none of the LDB_FLAG_MOD_* values are set. Correct
-the expression to what it was probably intended to be.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/torture/drs/rpc/dssync.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git source4/torture/drs/rpc/dssync.c source4/torture/drs/rpc/dssync.c
-index cde9f78692b..ff7ce2d9074 100644
---- source4/torture/drs/rpc/dssync.c
-+++ source4/torture/drs/rpc/dssync.c
-@@ -527,7 +527,9 @@ static bool test_analyse_objects(struct torture_context *tctx,
- el = &new_msg->elements[idx];
- a = dsdb_attribute_by_lDAPDisplayName(ldap_schema,
- el->name);
-- if (!(el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE))) {
-+ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD &&
-+ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE)
-+ {
- /* DRS only value */
- is_warning = false;
- } else if (a->linkID & 1) {
---
-2.25.1
-
-
-From 0526d27e9eddd9c2a54434cf0dcdb136a6c659e4 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 21 Jun 2022 15:22:47 +1200
-Subject: [PATCH 05/99] CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
-
-LDB_FLAG_MOD_* values are not actually flags, and the previous
-comparison was equivalent to
-
-(el->flags & LDB_FLAG_MOD_MASK) == 0
-
-which is only true if none of the LDB_FLAG_MOD_* values are set, so we
-would not successfully return if the element was a DELETE. Correct the
-expression to what it was intended to be.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- selftest/knownfail.d/acl-spn-delete | 1 -
- source4/dsdb/samdb/ldb_modules/acl.c | 5 +++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
- delete mode 100644 selftest/knownfail.d/acl-spn-delete
-
-diff --git selftest/knownfail.d/acl-spn-delete selftest/knownfail.d/acl-spn-delete
-deleted file mode 100644
-index 32018413c49..00000000000
---- selftest/knownfail.d/acl-spn-delete
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba4.ldap.acl.python.*__main__.AclSPNTests.test_delete_disallowed_spn\(
-diff --git source4/dsdb/samdb/ldb_modules/acl.c source4/dsdb/samdb/ldb_modules/acl.c
-index 21e83276bfd..8016a2d4bd0 100644
---- source4/dsdb/samdb/ldb_modules/acl.c
-+++ source4/dsdb/samdb/ldb_modules/acl.c
-@@ -734,8 +734,9 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
- * If not add or replace (eg delete),
- * return success
- */
-- if ((el->flags
-- & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) {
-+ if (LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_ADD &&
-+ LDB_FLAG_MOD_TYPE(el->flags) != LDB_FLAG_MOD_REPLACE)
-+ {
- talloc_free(tmp_ctx);
- return LDB_SUCCESS;
- }
---
-2.25.1
-
-
-From 2869b5aa3148869edf0d079266542aef6e64608e Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 16 Feb 2022 12:43:52 +1300
-Subject: [PATCH 06/99] CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE()
- for flags equality check
-
-Now unrelated flags will no longer affect the result.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- lib/ldb/modules/rdn_name.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git lib/ldb/modules/rdn_name.c lib/ldb/modules/rdn_name.c
-index e69ad9315ae..25cffe07591 100644
---- lib/ldb/modules/rdn_name.c
-+++ lib/ldb/modules/rdn_name.c
-@@ -545,7 +545,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
- if (e != NULL) {
- ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead",
- ldb_dn_get_linearized(req->op.mod.message->dn));
-- if (e->flags == LDB_FLAG_MOD_REPLACE) {
-+ if (LDB_FLAG_MOD_TYPE(e->flags) == LDB_FLAG_MOD_REPLACE) {
- return LDB_ERR_CONSTRAINT_VIOLATION;
- } else {
- return LDB_ERR_UNWILLING_TO_PERFORM;
---
-2.25.1
-
-
-From 535b5a366a2ad054f729e57e282e402cf13b2efc Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Jun 2022 19:49:19 +1200
-Subject: [PATCH 07/99] CVE-2022-32746 s4/dsdb/repl_meta_data: Use
- LDB_FLAG_MOD_TYPE() for flags equality check
-
-Now unrelated flags will no longer affect the result.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/repl_meta_data.c source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-index ab506cec488..29ffda75c87 100644
---- source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-+++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-@@ -3525,7 +3525,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
- return ldb_module_operr(module);
- }
-
-- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_REPLACE) {
-+ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_REPLACE) {
- return ldb_module_operr(module);
- }
-
-@@ -3558,11 +3558,11 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
- return ldb_module_operr(module);
- }
-
-- if (req->op.mod.message->elements[0].flags != LDB_FLAG_MOD_DELETE) {
-+ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[0].flags) != LDB_FLAG_MOD_DELETE) {
- return ldb_module_operr(module);
- }
-
-- if (req->op.mod.message->elements[1].flags != LDB_FLAG_MOD_ADD) {
-+ if (LDB_FLAG_MOD_TYPE(req->op.mod.message->elements[1].flags) != LDB_FLAG_MOD_ADD) {
- return ldb_module_operr(module);
- }
-
-@@ -3645,7 +3645,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
- return ldb_module_operr(module);
- }
-
-- if (msg->elements[0].flags != LDB_FLAG_MOD_ADD) {
-+ if (LDB_FLAG_MOD_TYPE(msg->elements[0].flags) != LDB_FLAG_MOD_ADD) {
- talloc_free(ac);
- return ldb_module_operr(module);
- }
---
-2.25.1
-
-
-From bedd0b768c3f92645af033399aefd7ee971d9150 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Jun 2022 21:11:33 +1200
-Subject: [PATCH 08/99] CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use
- LDB_FLAG_MOD_TYPE() for flags equality check
-
-Now unrelated flags will no longer affect the result.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-index 64e05195798..5f8911c66be 100644
---- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-+++ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-@@ -104,7 +104,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req,
- if (el_dn == NULL) {
- return false;
- }
-- if (el_dn->flags != LDB_FLAG_MOD_REPLACE) {
-+ if (LDB_FLAG_MOD_TYPE(el_dn->flags) != LDB_FLAG_MOD_REPLACE) {
- return false;
- }
- if (el_dn->num_values != 1) {
-@@ -117,7 +117,7 @@ static bool is_tombstone_reanimate_request(struct ldb_request *req,
- return false;
- }
-
-- if (el_deleted->flags != LDB_FLAG_MOD_DELETE) {
-+ if (LDB_FLAG_MOD_TYPE(el_deleted->flags) != LDB_FLAG_MOD_DELETE) {
- return false;
- }
-
---
-2.25.1
-
-
-From 49dd9042f4ee380fa1dafcebcb54d0e1f0852463 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Jun 2022 21:12:39 +1200
-Subject: [PATCH 09/99] CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for
- flags equality check
-
-Now unrelated flags will no longer affect the result.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/lib/registry/ldb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/lib/registry/ldb.c source4/lib/registry/ldb.c
-index e089355975b..db383a560da 100644
---- source4/lib/registry/ldb.c
-+++ source4/lib/registry/ldb.c
-@@ -859,7 +859,7 @@ static WERROR ldb_set_value(struct hive_key *parent,
-
- /* Try first a "modify" and if this doesn't work do try an "add" */
- for (i = 0; i < msg->num_elements; i++) {
-- if (msg->elements[i].flags != LDB_FLAG_MOD_DELETE) {
-+ if (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) != LDB_FLAG_MOD_DELETE) {
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
- }
- }
---
-2.25.1
-
-
-From faa61ab3053d077ac9d0aa67e955217e85b660f4 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 21 Feb 2022 16:10:32 +1300
-Subject: [PATCH 10/99] CVE-2022-32746 ldb: Add flag to mark message element
- values as shared
-
-When making a shallow copy of an ldb message, mark the message elements
-of the copy as sharing their values with the message elements in the
-original message.
-
-This flag value will be heeded in the next commit.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- lib/ldb/common/ldb_msg.c | 43 +++++++++++++++++++++++++++++++-----
- lib/ldb/include/ldb_module.h | 6 +++++
- 2 files changed, 43 insertions(+), 6 deletions(-)
-
-diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c
-index 57dfc5a04c2..2a9ce384bb9 100644
---- lib/ldb/common/ldb_msg.c
-+++ lib/ldb/common/ldb_msg.c
-@@ -833,11 +833,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg)
- ldb_msg_element_compare_name);
- }
-
--/*
-- shallow copy a message - copying only the elements array so that the caller
-- can safely add new elements without changing the message
--*/
--struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
-+static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx,
- const struct ldb_message *msg)
- {
- struct ldb_message *msg2;
-@@ -863,6 +859,35 @@ failed:
- return NULL;
- }
-
-+/*
-+ shallow copy a message - copying only the elements array so that the caller
-+ can safely add new elements without changing the message
-+*/
-+struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx,
-+ const struct ldb_message *msg)
-+{
-+ struct ldb_message *msg2;
-+ unsigned int i;
-+
-+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
-+ if (msg2 == NULL) {
-+ return NULL;
-+ }
-+
-+ for (i = 0; i < msg2->num_elements; ++i) {
-+ /*
-+ * Mark this message's elements as sharing their values with the
-+ * original message, so that we don't inadvertently modify or
-+ * free them. We don't mark the original message element as
-+ * shared, so the original message element should not be
-+ * modified or freed while the shallow copy lives.
-+ */
-+ struct ldb_message_element *el = &msg2->elements[i];
-+ el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES;
-+ }
-+
-+ return msg2;
-+}
-
- /*
- copy a message, allocating new memory for all parts
-@@ -873,7 +898,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
- struct ldb_message *msg2;
- unsigned int i, j;
-
-- msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
-+ msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg);
- if (msg2 == NULL) return NULL;
-
- if (msg2->dn != NULL) {
-@@ -894,6 +919,12 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx,
- goto failed;
- }
- }
-+
-+ /*
-+ * Since we copied this element's values, we can mark them as
-+ * not shared.
-+ */
-+ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
- }
-
- return msg2;
-diff --git lib/ldb/include/ldb_module.h lib/ldb/include/ldb_module.h
-index 8c1e5ee7936..4c7c85a17f0 100644
---- lib/ldb/include/ldb_module.h
-+++ lib/ldb/include/ldb_module.h
-@@ -96,6 +96,12 @@ struct ldb_module;
- */
- #define LDB_FLAG_INTERNAL_FORCE_UNIQUE_INDEX 0x100
-
-+/*
-+ * indicates that this element's values are shared with another element (for
-+ * example, in a shallow copy of an ldb_message) and should not be freed
-+ */
-+#define LDB_FLAG_INTERNAL_SHARED_VALUES 0x200
-+
- /* an extended match rule that always fails to match */
- #define SAMBA_LDAP_MATCH_ALWAYS_FALSE "1.3.6.1.4.1.7165.4.5.1"
-
---
-2.25.1
-
-
-From 4e5fb78c3dcff60aa8fd4b07dad4660bbb30532b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 16 Feb 2022 12:35:13 +1300
-Subject: [PATCH 11/99] CVE-2022-32746 ldb: Ensure shallow copy modifications
- do not affect original message
-
-Using the newly added ldb flag, we can now detect when a message has
-been shallow-copied so that its elements share their values with the
-original message elements. Then when adding values to the copied
-message, we now make a copy of the shared values array first.
-
-This should prevent a use-after-free that occurred in LDB modules when
-new values were added to a shallow copy of a message by calling
-talloc_realloc() on the original values array, invalidating the 'values'
-pointer in the original message element. The original values pointer can
-later be used in the database audit logging module which logs database
-requests, and potentially cause a crash.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- lib/ldb/common/ldb_msg.c | 52 ++++++++++++++++++++++++++++++++------
- lib/ldb/include/ldb.h | 6 +++++
- source4/dsdb/common/util.c | 20 +++++----------
- 3 files changed, 56 insertions(+), 22 deletions(-)
-
-diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c
-index 2a9ce384bb9..44d3b29e9a7 100644
---- lib/ldb/common/ldb_msg.c
-+++ lib/ldb/common/ldb_msg.c
-@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg,
- return LDB_SUCCESS;
- }
-
-+/*
-+ * add a value to a message element
-+ */
-+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
-+ struct ldb_message_element *el,
-+ const struct ldb_val *val)
-+{
-+ struct ldb_val *vals;
-+
-+ if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) {
-+ /*
-+ * Another message is using this message element's values array,
-+ * so we don't want to make any modifications to the original
-+ * message, or potentially invalidate its own values by calling
-+ * talloc_realloc(). Make a copy instead.
-+ */
-+ el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;
-+
-+ vals = talloc_array(mem_ctx, struct ldb_val,
-+ el->num_values + 1);
-+ if (vals == NULL) {
-+ return LDB_ERR_OPERATIONS_ERROR;
-+ }
-+
-+ if (el->values != NULL) {
-+ memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val));
-+ }
-+ } else {
-+ vals = talloc_realloc(mem_ctx, el->values, struct ldb_val,
-+ el->num_values + 1);
-+ if (vals == NULL) {
-+ return LDB_ERR_OPERATIONS_ERROR;
-+ }
-+ }
-+ el->values = vals;
-+ el->values[el->num_values] = *val;
-+ el->num_values++;
-+
-+ return LDB_SUCCESS;
-+}
-+
- /*
- add a value to a message
- */
-@@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg,
- struct ldb_message_element **return_el)
- {
- struct ldb_message_element *el;
-- struct ldb_val *vals;
- int ret;
-
- el = ldb_msg_find_element(msg, attr_name);
-@@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg,
- }
- }
-
-- vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
-- el->num_values+1);
-- if (!vals) {
-- return LDB_ERR_OPERATIONS_ERROR;
-+ ret = ldb_msg_element_add_value(msg->elements, el, val);
-+ if (ret != LDB_SUCCESS) {
-+ return ret;
- }
-- el->values = vals;
-- el->values[el->num_values] = *val;
-- el->num_values++;
-
- if (return_el) {
- *return_el = el;
-diff --git lib/ldb/include/ldb.h lib/ldb/include/ldb.h
-index bc44157eaf4..129beefeaf5 100644
---- lib/ldb/include/ldb.h
-+++ lib/ldb/include/ldb.h
-@@ -1981,6 +1981,12 @@ int ldb_msg_add_empty(struct ldb_message *msg,
- int flags,
- struct ldb_message_element **return_el);
-
-+/**
-+ add a value to a message element
-+*/
-+int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx,
-+ struct ldb_message_element *el,
-+ const struct ldb_val *val);
- /**
- add a element to a ldb_message
- */
-diff --git source4/dsdb/common/util.c source4/dsdb/common/util.c
-index 5ce4c0a5e33..577b2a33873 100644
---- source4/dsdb/common/util.c
-+++ source4/dsdb/common/util.c
-@@ -816,7 +816,7 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
- const char *value)
- {
- struct ldb_message_element *el;
-- struct ldb_val val, *vals;
-+ struct ldb_val val;
- char *v;
- unsigned int i;
- bool found = false;
-@@ -851,14 +851,10 @@ int samdb_msg_add_addval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
- }
- }
-
-- vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
-- el->num_values + 1);
-- if (vals == NULL) {
-+ ret = ldb_msg_element_add_value(msg->elements, el, &val);
-+ if (ret != LDB_SUCCESS) {
- return ldb_oom(sam_ldb);
- }
-- el->values = vals;
-- el->values[el->num_values] = val;
-- ++(el->num_values);
-
- return LDB_SUCCESS;
- }
-@@ -872,7 +868,7 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
- const char *value)
- {
- struct ldb_message_element *el;
-- struct ldb_val val, *vals;
-+ struct ldb_val val;
- char *v;
- unsigned int i;
- bool found = false;
-@@ -907,14 +903,10 @@ int samdb_msg_add_delval(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx,
- }
- }
-
-- vals = talloc_realloc(msg->elements, el->values, struct ldb_val,
-- el->num_values + 1);
-- if (vals == NULL) {
-+ ret = ldb_msg_element_add_value(msg->elements, el, &val);
-+ if (ret != LDB_SUCCESS) {
- return ldb_oom(sam_ldb);
- }
-- el->values = vals;
-- el->values[el->num_values] = val;
-- ++(el->num_values);
-
- return LDB_SUCCESS;
- }
---
-2.25.1
-
-
-From 512a2617b1593bdc16caeeeda4312a581cbb34e9 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 16 Feb 2022 16:30:03 +1300
-Subject: [PATCH 12/99] CVE-2022-32746 ldb: Add functions for appending to an
- ldb_message
-
-Currently, there are many places where we use ldb_msg_add_empty() to add
-an empty element to a message, and then call ldb_msg_add_value() or
-similar to add values to that element. However, this performs an
-unnecessary search of the message's elements to locate the new element.
-Moreover, if an element with the same attribute name already exists
-earlier in the message, the values will be added to that element,
-instead of to the intended newly added element.
-
-A similar pattern exists where we add values to a message, and then call
-ldb_msg_find_element() to locate that message element and sets its flags
-to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
-search, and may locate the wrong message element for setting the flags.
-
-To avoid these problems, add functions for appending a value to a
-message, so that a particular value can be added to the end of a message
-in a single operation.
-
-For ADD requests, it is important that no two message elements share the
-same attribute name, otherwise things will break. (Normally,
-ldb_msg_normalize() is called before processing the request to help
-ensure this.) Thus, we must be careful not to append an attribute to an
-ADD message, unless we are sure (e.g. through ldb_msg_find_element())
-that an existing element for that attribute is not present.
-
-These functions will be used in the next commit.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- lib/ldb/common/ldb_msg.c | 165 ++++++++++++++++++++++++++++++++++++++-
- lib/ldb/include/ldb.h | 24 ++++++
- 2 files changed, 185 insertions(+), 4 deletions(-)
-
-diff --git lib/ldb/common/ldb_msg.c lib/ldb/common/ldb_msg.c
-index 44d3b29e9a7..9cd7998e21c 100644
---- lib/ldb/common/ldb_msg.c
-+++ lib/ldb/common/ldb_msg.c
-@@ -509,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
-
-
- /*
-- add a string element to a message
-+ add a string element to a message, specifying flags
- */
--int ldb_msg_add_string(struct ldb_message *msg,
-- const char *attr_name, const char *str)
-+int ldb_msg_add_string_flags(struct ldb_message *msg,
-+ const char *attr_name, const char *str,
-+ int flags)
- {
- struct ldb_val val;
-+ int ret;
-+ struct ldb_message_element *el = NULL;
-
- val.data = discard_const_p(uint8_t, str);
- val.length = strlen(str);
-@@ -524,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg,
- return LDB_SUCCESS;
- }
-
-- return ldb_msg_add_value(msg, attr_name, &val, NULL);
-+ ret = ldb_msg_add_value(msg, attr_name, &val, &el);
-+ if (ret != LDB_SUCCESS) {
-+ return ret;
-+ }
-+
-+ if (flags != 0) {
-+ el->flags = flags;
-+ }
-+
-+ return LDB_SUCCESS;
-+}
-+
-+/*
-+ add a string element to a message
-+*/
-+int ldb_msg_add_string(struct ldb_message *msg,
-+ const char *attr_name, const char *str)
-+{
-+ return ldb_msg_add_string_flags(msg, attr_name, str, 0);
- }
-
- /*
-@@ -586,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg,
- return ldb_msg_add_steal_value(msg, attr_name, &val);
- }
-
-+static int ldb_msg_append_value_impl(struct ldb_message *msg,
-+ const char *attr_name,
-+ const struct ldb_val *val,
-+ int flags,
-+ struct ldb_message_element **return_el)
-+{
-+ struct ldb_message_element *el = NULL;
-+ int ret;
-+
-+ ret = ldb_msg_add_empty(msg, attr_name, flags, &el);
-+ if (ret != LDB_SUCCESS) {
-+ return ret;
-+ }
-+
-+ ret = ldb_msg_element_add_value(msg->elements, el, val);
-+ if (ret != LDB_SUCCESS) {
-+ return ret;
-+ }
-+
-+ if (return_el != NULL) {
-+ *return_el = el;
-+ }
-+
-+ return LDB_SUCCESS;
-+}
-+
-+/*
-+ append a value to a message
-+*/
-+int ldb_msg_append_value(struct ldb_message *msg,
-+ const char *attr_name,
-+ const struct ldb_val *val,
-+ int flags)
-+{
-+ return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL);
-+}
-+
-+/*
-+ append a value to a message, stealing it into the 'right' place
-+*/
-+int ldb_msg_append_steal_value(struct ldb_message *msg,
-+ const char *attr_name,
-+ struct ldb_val *val,
-+ int flags)
-+{
-+ int ret;
-+ struct ldb_message_element *el = NULL;
-+
-+ ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el);
-+ if (ret == LDB_SUCCESS) {
-+ talloc_steal(el->values, val->data);
-+ }
-+ return ret;
-+}
-+
-+/*
-+ append a string element to a message, stealing it into the 'right' place
-+*/
-+int ldb_msg_append_steal_string(struct ldb_message *msg,
-+ const char *attr_name, char *str,
-+ int flags)
-+{
-+ struct ldb_val val;
-+
-+ val.data = (uint8_t *)str;
-+ val.length = strlen(str);
-+
-+ if (val.length == 0) {
-+ /* allow empty strings as non-existent attributes */
-+ return LDB_SUCCESS;
-+ }
-+
-+ return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
-+}
-+
-+/*
-+ append a string element to a message
-+*/
-+int ldb_msg_append_string(struct ldb_message *msg,
-+ const char *attr_name, const char *str, int flags)
-+{
-+ struct ldb_val val;
-+
-+ val.data = discard_const_p(uint8_t, str);
-+ val.length = strlen(str);
-+
-+ if (val.length == 0) {
-+ /* allow empty strings as non-existent attributes */
-+ return LDB_SUCCESS;
-+ }
-+
-+ return ldb_msg_append_value(msg, attr_name, &val, flags);
-+}
-+
-+/*
-+ append a DN element to a message
-+ WARNING: this uses the linearized string from the dn, and does not
-+ copy the string.
-+*/
-+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
-+ struct ldb_dn *dn, int flags)
-+{
-+ char *str = ldb_dn_alloc_linearized(msg, dn);
-+
-+ if (str == NULL) {
-+ /* we don't want to have unknown DNs added */
-+ return LDB_ERR_OPERATIONS_ERROR;
-+ }
-+
-+ return ldb_msg_append_steal_string(msg, attr_name, str, flags);
-+}
-+
-+/*
-+ append a printf formatted element to a message
-+*/
-+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
-+ const char *attr_name, const char *fmt, ...)
-+{
-+ struct ldb_val val;
-+ va_list ap;
-+ char *str = NULL;
-+
-+ va_start(ap, fmt);
-+ str = talloc_vasprintf(msg, fmt, ap);
-+ va_end(ap);
-+
-+ if (str == NULL) {
-+ return LDB_ERR_OPERATIONS_ERROR;
-+ }
-+
-+ val.data = (uint8_t *)str;
-+ val.length = strlen(str);
-+
-+ return ldb_msg_append_steal_value(msg, attr_name, &val, flags);
-+}
-+
- /*
- compare two ldb_message_element structures
- assumes case sensitive comparison
-diff --git lib/ldb/include/ldb.h lib/ldb/include/ldb.h
-index 129beefeaf5..63d8aedd672 100644
---- lib/ldb/include/ldb.h
-+++ lib/ldb/include/ldb.h
-@@ -2002,12 +2002,36 @@ int ldb_msg_add_steal_value(struct ldb_message *msg,
- struct ldb_val *val);
- int ldb_msg_add_steal_string(struct ldb_message *msg,
- const char *attr_name, char *str);
-+int ldb_msg_add_string_flags(struct ldb_message *msg,
-+ const char *attr_name, const char *str,
-+ int flags);
- int ldb_msg_add_string(struct ldb_message *msg,
- const char *attr_name, const char *str);
- int ldb_msg_add_linearized_dn(struct ldb_message *msg, const char *attr_name,
- struct ldb_dn *dn);
- int ldb_msg_add_fmt(struct ldb_message *msg,
- const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(3,4);
-+/**
-+ append a element to a ldb_message
-+*/
-+int ldb_msg_append_value(struct ldb_message *msg,
-+ const char *attr_name,
-+ const struct ldb_val *val,
-+ int flags);
-+int ldb_msg_append_steal_value(struct ldb_message *msg,
-+ const char *attr_name,
-+ struct ldb_val *val,
-+ int flags);
-+int ldb_msg_append_steal_string(struct ldb_message *msg,
-+ const char *attr_name, char *str,
-+ int flags);
-+int ldb_msg_append_string(struct ldb_message *msg,
-+ const char *attr_name, const char *str,
-+ int flags);
-+int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name,
-+ struct ldb_dn *dn, int flags);
-+int ldb_msg_append_fmt(struct ldb_message *msg, int flags,
-+ const char *attr_name, const char *fmt, ...) PRINTF_ATTRIBUTE(4,5);
-
- /**
- compare two message elements - return 0 on match
---
-2.25.1
-
-
-From f419753d1c7a373fb32ffe20930a6e084e44b44d Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 21 Feb 2022 16:27:37 +1300
-Subject: [PATCH 13/99] CVE-2022-32746 ldb: Make use of functions for appending
- to an ldb_message
-
-This aims to minimise usage of the error-prone pattern of searching for
-a just-added message element in order to make modifications to it (and
-potentially finding the wrong element).
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- lib/ldb/ldb_map/ldb_map.c | 5 +-
- lib/ldb/ldb_map/ldb_map_inbound.c | 9 +-
- lib/ldb/modules/rdn_name.c | 22 +---
- source3/passdb/pdb_samba_dsdb.c | 14 +--
- source4/dns_server/dnsserver_common.c | 12 +-
- source4/dsdb/common/util.c | 114 ++++++++++++++----
- source4/dsdb/samdb/ldb_modules/descriptor.c | 10 +-
- source4/dsdb/samdb/ldb_modules/objectguid.c | 20 +--
- .../dsdb/samdb/ldb_modules/partition_init.c | 14 +--
- .../dsdb/samdb/ldb_modules/repl_meta_data.c | 24 +---
- source4/dsdb/samdb/ldb_modules/samldb.c | 78 +++++-------
- .../samdb/ldb_modules/tombstone_reanimate.c | 12 +-
- source4/nbt_server/wins/winsdb.c | 13 +-
- source4/rpc_server/lsa/dcesrv_lsa.c | 55 +++------
- source4/winbind/idmap.c | 10 +-
- 15 files changed, 183 insertions(+), 229 deletions(-)
-
-diff --git lib/ldb/ldb_map/ldb_map.c lib/ldb/ldb_map/ldb_map.c
-index b453dff80d2..c7b0c228631 100644
---- lib/ldb/ldb_map/ldb_map.c
-+++ lib/ldb/ldb_map/ldb_map.c
-@@ -946,10 +946,7 @@ struct ldb_request *map_build_fixup_req(struct map_context *ac,
- if ( ! dn || ! ldb_dn_validate(msg->dn)) {
- goto failed;
- }
-- if (ldb_msg_add_empty(msg, IS_MAPPED, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-- goto failed;
-- }
-- if (ldb_msg_add_string(msg, IS_MAPPED, dn) != 0) {
-+ if (ldb_msg_append_string(msg, IS_MAPPED, dn, LDB_FLAG_MOD_REPLACE) != 0) {
- goto failed;
- }
-
-diff --git lib/ldb/ldb_map/ldb_map_inbound.c lib/ldb/ldb_map/ldb_map_inbound.c
-index 324295737da..50b9427c26c 100644
---- lib/ldb/ldb_map/ldb_map_inbound.c
-+++ lib/ldb/ldb_map/ldb_map_inbound.c
-@@ -569,12 +569,9 @@ static int map_modify_do_local(struct map_context *ac)
- /* No local record present, add it instead */
- /* Add local 'IS_MAPPED' */
- /* TODO: use GUIDs here instead */
-- if (ldb_msg_add_empty(ac->local_msg, IS_MAPPED,
-- LDB_FLAG_MOD_ADD, NULL) != 0) {
-- return LDB_ERR_OPERATIONS_ERROR;
-- }
-- ret = ldb_msg_add_linearized_dn(ac->local_msg, IS_MAPPED,
-- ac->remote_req->op.mod.message->dn);
-+ ret = ldb_msg_append_linearized_dn(ac->local_msg, IS_MAPPED,
-+ ac->remote_req->op.mod.message->dn,
-+ LDB_FLAG_MOD_ADD);
- if (ret != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-diff --git lib/ldb/modules/rdn_name.c lib/ldb/modules/rdn_name.c
-index 25cffe07591..3cb62bf567b 100644
---- lib/ldb/modules/rdn_name.c
-+++ lib/ldb/modules/rdn_name.c
-@@ -308,16 +308,10 @@ static int rdn_rename_callback(struct ldb_request *req, struct ldb_reply *ares)
- }
- rdn_val = ldb_val_dup(msg, rdn_val_p);
-
-- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- goto error;
- }
-- if (ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL) != 0) {
-- goto error;
-- }
-- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-- goto error;
-- }
-- if (ldb_msg_add_value(msg, "name", &rdn_val, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- goto error;
- }
-
-@@ -466,11 +460,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
- if (ret != 0) {
- return ldb_module_oom(module);
- }
-- ret = ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_ADD, NULL);
-- if (ret != 0) {
-- return ldb_module_oom(module);
-- }
-- ret = ldb_msg_add_value(msg, rdn_name, &rdn_val, NULL);
-+ ret = ldb_msg_append_value(msg, rdn_name, &rdn_val, LDB_FLAG_MOD_ADD);
- if (ret != 0) {
- return ldb_module_oom(module);
- }
-@@ -479,11 +469,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
- if (ret != 0) {
- return ldb_module_oom(module);
- }
-- ret = ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_ADD, NULL);
-- if (ret != 0) {
-- return ldb_module_oom(module);
-- }
-- ret = ldb_msg_add_value(msg, "name", &rdn_val, NULL);
-+ ret = ldb_msg_append_value(msg, "name", &rdn_val, LDB_FLAG_MOD_ADD);
- if (ret != 0) {
- return ldb_module_oom(module);
- }
-diff --git source3/passdb/pdb_samba_dsdb.c source3/passdb/pdb_samba_dsdb.c
-index 93e8f5bebe6..b2063825c04 100644
---- source3/passdb/pdb_samba_dsdb.c
-+++ source3/passdb/pdb_samba_dsdb.c
-@@ -2855,18 +2855,10 @@ static bool pdb_samba_dsdb_set_trusteddom_pw(struct pdb_methods *m,
- }
-
- msg->num_elements = 0;
-- ret = ldb_msg_add_empty(msg, "trustAuthOutgoing",
-- LDB_FLAG_MOD_REPLACE, NULL);
-+ ret = ldb_msg_append_value(msg, "trustAuthOutgoing",
-+ &new_val, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
-- DEBUG(0, ("ldb_msg_add_empty() failed\n"));
-- TALLOC_FREE(tmp_ctx);
-- ldb_transaction_cancel(state->ldb);
-- return false;
-- }
-- ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
-- &new_val, NULL);
-- if (ret != LDB_SUCCESS) {
-- DEBUG(0, ("ldb_msg_add_value() failed\n"));
-+ DEBUG(0, ("ldb_msg_append_value() failed\n"));
- TALLOC_FREE(tmp_ctx);
- ldb_transaction_cancel(state->ldb);
- return false;
-diff --git source4/dns_server/dnsserver_common.c source4/dns_server/dnsserver_common.c
-index bcb0d087faf..cb9a082ebf6 100644
---- source4/dns_server/dnsserver_common.c
-+++ source4/dns_server/dnsserver_common.c
-@@ -1092,15 +1092,9 @@ WERROR dns_common_replace(struct ldb_context *samdb,
- }
-
- if (was_tombstoned || become_tombstoned) {
-- ret = ldb_msg_add_empty(msg, "dNSTombstoned",
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- werr = DNS_ERR(SERVER_FAILURE);
-- goto exit;
-- }
--
-- ret = ldb_msg_add_fmt(msg, "dNSTombstoned", "%s",
-- become_tombstoned ? "TRUE" : "FALSE");
-+ ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE,
-+ "dNSTombstoned", "%s",
-+ become_tombstoned ? "TRUE" : "FALSE");
- if (ret != LDB_SUCCESS) {
- werr = DNS_ERR(SERVER_FAILURE);
- goto exit;
-diff --git source4/dsdb/common/util.c source4/dsdb/common/util.c
-index 577b2a33873..10d6ea8883b 100644
---- source4/dsdb/common/util.c
-+++ source4/dsdb/common/util.c
-@@ -924,6 +924,16 @@ int samdb_msg_add_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct l
- return ldb_msg_add_string(msg, attr_name, s);
- }
-
-+int samdb_msg_add_int_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, int v, int flags)
-+{
-+ const char *s = talloc_asprintf(mem_ctx, "%d", v);
-+ if (s == NULL) {
-+ return ldb_oom(sam_ldb);
-+ }
-+ return ldb_msg_add_string_flags(msg, attr_name, s, flags);
-+}
-+
- /*
- * Add an unsigned int element to a message
- *
-@@ -942,6 +952,12 @@ int samdb_msg_add_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct
- return samdb_msg_add_int(sam_ldb, mem_ctx, msg, attr_name, (int)v);
- }
-
-+int samdb_msg_add_uint_flags(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, unsigned int v, int flags)
-+{
-+ return samdb_msg_add_int_flags(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags);
-+}
-+
- /*
- add a (signed) int64_t element to a message
- */
-@@ -973,6 +989,68 @@ int samdb_msg_add_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struc
- return samdb_msg_add_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v);
- }
-
-+/*
-+ append a int element to a message
-+*/
-+int samdb_msg_append_int(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, int v, int flags)
-+{
-+ const char *s = talloc_asprintf(mem_ctx, "%d", v);
-+ if (s == NULL) {
-+ return ldb_oom(sam_ldb);
-+ }
-+ return ldb_msg_append_string(msg, attr_name, s, flags);
-+}
-+
-+/*
-+ * Append an unsigned int element to a message
-+ *
-+ * The issue here is that we have not yet first cast to int32_t explicitly,
-+ * before we cast to an signed int to printf() into the %d or cast to a
-+ * int64_t before we then cast to a long long to printf into a %lld.
-+ *
-+ * There are *no* unsigned integers in Active Directory LDAP, even the RID
-+ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
-+ * (See the schema, and the syntax definitions in schema_syntax.c).
-+ *
-+ */
-+int samdb_msg_append_uint(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, unsigned int v, int flags)
-+{
-+ return samdb_msg_append_int(sam_ldb, mem_ctx, msg, attr_name, (int)v, flags);
-+}
-+
-+/*
-+ append a (signed) int64_t element to a message
-+*/
-+int samdb_msg_append_int64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, int64_t v, int flags)
-+{
-+ const char *s = talloc_asprintf(mem_ctx, "%lld", (long long)v);
-+ if (s == NULL) {
-+ return ldb_oom(sam_ldb);
-+ }
-+ return ldb_msg_append_string(msg, attr_name, s, flags);
-+}
-+
-+/*
-+ * Append an unsigned int64_t (uint64_t) element to a message
-+ *
-+ * The issue here is that we have not yet first cast to int32_t explicitly,
-+ * before we cast to an signed int to printf() into the %d or cast to a
-+ * int64_t before we then cast to a long long to printf into a %lld.
-+ *
-+ * There are *no* unsigned integers in Active Directory LDAP, even the RID
-+ * allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities.
-+ * (See the schema, and the syntax definitions in schema_syntax.c).
-+ *
-+ */
-+int samdb_msg_append_uint64(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
-+ const char *attr_name, uint64_t v, int flags)
-+{
-+ return samdb_msg_append_int64(sam_ldb, mem_ctx, msg, attr_name, (int64_t)v, flags);
-+}
-+
- /*
- add a samr_Password element to a message
- */
-@@ -2814,15 +2892,8 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
- tdo_msg->num_elements = 0;
- TALLOC_FREE(tdo_msg->elements);
-
-- ret = ldb_msg_add_empty(tdo_msg, "trustAuthIncoming",
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- ldb_transaction_cancel(ldb);
-- TALLOC_FREE(frame);
-- return NT_STATUS_NO_MEMORY;
-- }
-- ret = ldb_msg_add_value(tdo_msg, "trustAuthIncoming",
-- &new_val, NULL);
-+ ret = ldb_msg_append_value(tdo_msg, "trustAuthIncoming",
-+ &new_val, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- ldb_transaction_cancel(ldb);
- TALLOC_FREE(frame);
-@@ -3187,6 +3258,7 @@ int dsdb_find_guid_by_dn(struct ldb_context *ldb,
- /*
- adds the given GUID to the given ldb_message. This value is added
- for the given attr_name (may be either "objectGUID" or "parentGUID").
-+ This function is used in processing 'add' requests.
- */
- int dsdb_msg_add_guid(struct ldb_message *msg,
- struct GUID *guid,
-@@ -5656,7 +5728,8 @@ int dsdb_user_obj_set_defaults(struct ldb_context *ldb,
- }
-
- /**
-- * Sets 'sAMAccountType on user object based on userAccountControl
-+ * Sets 'sAMAccountType on user object based on userAccountControl.
-+ * This function is used in processing both 'add' and 'modify' requests.
- * @param ldb Current ldb_context
- * @param usr_obj ldb_message representing User object
- * @param user_account_control Value for userAccountControl flags
-@@ -5668,21 +5741,19 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *
- {
- int ret;
- uint32_t account_type;
-- struct ldb_message_element *el;
-
- account_type = ds_uf2atype(user_account_control);
- if (account_type == 0) {
- ldb_set_errstring(ldb, "dsdb: Unrecognized account type!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-- ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
-- "sAMAccountType",
-- account_type);
-+ ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj,
-+ "sAMAccountType",
-+ account_type,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(usr_obj, "sAMAccountType");
-- el->flags = LDB_FLAG_MOD_REPLACE;
-
- if (account_type_p) {
- *account_type_p = account_type;
-@@ -5692,7 +5763,8 @@ int dsdb_user_obj_set_account_type(struct ldb_context *ldb, struct ldb_message *
- }
-
- /**
-- * Determine and set primaryGroupID based on userAccountControl value
-+ * Determine and set primaryGroupID based on userAccountControl value.
-+ * This function is used in processing both 'add' and 'modify' requests.
- * @param ldb Current ldb_context
- * @param usr_obj ldb_message representing User object
- * @param user_account_control Value for userAccountControl flags
-@@ -5704,17 +5776,15 @@ int dsdb_user_obj_set_primary_group_id(struct ldb_context *ldb, struct ldb_messa
- {
- int ret;
- uint32_t rid;
-- struct ldb_message_element *el;
-
- rid = ds_uf2prim_group_rid(user_account_control);
-
-- ret = samdb_msg_add_uint(ldb, usr_obj, usr_obj,
-- "primaryGroupID", rid);
-+ ret = samdb_msg_add_uint_flags(ldb, usr_obj, usr_obj,
-+ "primaryGroupID", rid,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(usr_obj, "primaryGroupID");
-- el->flags = LDB_FLAG_MOD_REPLACE;
-
- if (group_rid_p) {
- *group_rid_p = rid;
-diff --git source4/dsdb/samdb/ldb_modules/descriptor.c source4/dsdb/samdb/ldb_modules/descriptor.c
-index daa08c2ebc7..4b01961dcb0 100644
---- source4/dsdb/samdb/ldb_modules/descriptor.c
-+++ source4/dsdb/samdb/ldb_modules/descriptor.c
-@@ -857,14 +857,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
- return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
- }
-
-- ret = ldb_msg_add_empty(msg, "nTSecurityDescriptor",
-- LDB_FLAG_MOD_REPLACE,
-- &sd_element);
-- if (ret != LDB_SUCCESS) {
-- return ldb_oom(ldb);
-- }
-- ret = ldb_msg_add_value(msg, "nTSecurityDescriptor",
-- sd, NULL);
-+ ret = ldb_msg_append_value(msg, "nTSecurityDescriptor",
-+ sd, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ldb_oom(ldb);
- }
-diff --git source4/dsdb/samdb/ldb_modules/objectguid.c source4/dsdb/samdb/ldb_modules/objectguid.c
-index bc3260cf0d8..0fe995a5763 100644
---- source4/dsdb/samdb/ldb_modules/objectguid.c
-+++ source4/dsdb/samdb/ldb_modules/objectguid.c
-@@ -41,7 +41,6 @@
- */
- static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
- {
-- struct ldb_message_element *el;
- char *s;
- int ret;
-
-@@ -54,16 +53,13 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
-- ret = ldb_msg_add_string(msg, attr, s);
-+ /* always set as replace. This works because on add ops, the flag
-+ is ignored */
-+ ret = ldb_msg_append_string(msg, attr, s, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
-- el = ldb_msg_find_element(msg, attr);
-- /* always set as replace. This works because on add ops, the flag
-- is ignored */
-- el->flags = LDB_FLAG_MOD_REPLACE;
--
- return LDB_SUCCESS;
- }
-
-@@ -73,23 +69,19 @@ static int add_time_element(struct ldb_message *msg, const char *attr, time_t t)
- static int add_uint64_element(struct ldb_context *ldb, struct ldb_message *msg,
- const char *attr, uint64_t v)
- {
-- struct ldb_message_element *el;
- int ret;
-
- if (ldb_msg_find_element(msg, attr) != NULL) {
- return LDB_SUCCESS;
- }
-
-- ret = samdb_msg_add_uint64(ldb, msg, msg, attr, v);
-+ /* always set as replace. This works because on add ops, the flag
-+ is ignored */
-+ ret = samdb_msg_append_uint64(ldb, msg, msg, attr, v, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
-- el = ldb_msg_find_element(msg, attr);
-- /* always set as replace. This works because on add ops, the flag
-- is ignored */
-- el->flags = LDB_FLAG_MOD_REPLACE;
--
- return LDB_SUCCESS;
- }
-
-diff --git source4/dsdb/samdb/ldb_modules/partition_init.c source4/dsdb/samdb/ldb_modules/partition_init.c
-index 58c65ccedd0..484b5bffb27 100644
---- source4/dsdb/samdb/ldb_modules/partition_init.c
-+++ source4/dsdb/samdb/ldb_modules/partition_init.c
-@@ -742,10 +742,6 @@ int partition_create(struct ldb_module *module, struct ldb_request *req)
- }
-
- mod_msg->dn = ldb_dn_new(mod_msg, ldb, DSDB_PARTITION_DN);
-- ret = ldb_msg_add_empty(mod_msg, DSDB_PARTITION_ATTR, LDB_FLAG_MOD_ADD, NULL);
-- if (ret != LDB_SUCCESS) {
-- return ret;
-- }
-
- casefold_dn = ldb_dn_get_casefold(dn);
-
-@@ -785,18 +781,16 @@ int partition_create(struct ldb_module *module, struct ldb_request *req)
- }
- partition_record = talloc_asprintf(mod_msg, "%s:%s", casefold_dn, filename);
-
-- ret = ldb_msg_add_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record);
-+ ret = ldb_msg_append_steal_string(mod_msg, DSDB_PARTITION_ATTR, partition_record,
-+ LDB_FLAG_MOD_ADD);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
- if (ldb_request_get_control(req, DSDB_CONTROL_PARTIAL_REPLICA)) {
- /* this new partition is a partial replica */
-- ret = ldb_msg_add_empty(mod_msg, "partialReplica", LDB_FLAG_MOD_ADD, NULL);
-- if (ret != LDB_SUCCESS) {
-- return ret;
-- }
-- ret = ldb_msg_add_fmt(mod_msg, "partialReplica", "%s", ldb_dn_get_linearized(dn));
-+ ret = ldb_msg_append_fmt(mod_msg, LDB_FLAG_MOD_ADD,
-+ "partialReplica", "%s", ldb_dn_get_linearized(dn));
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-diff --git source4/dsdb/samdb/ldb_modules/repl_meta_data.c source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-index 29ffda75c87..eec1e639856 100644
---- source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-+++ source4/dsdb/samdb/ldb_modules/repl_meta_data.c
-@@ -3888,22 +3888,12 @@ static int replmd_rename_callback(struct ldb_request *req, struct ldb_reply *are
- ldb_operr(ldb));
- }
-
-- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- ldb_oom(ldb));
- }
-- if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
-- talloc_free(ares);
-- return ldb_module_done(ac->req, NULL, NULL,
-- ldb_oom(ldb));
-- }
-- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-- talloc_free(ares);
-- return ldb_module_done(ac->req, NULL, NULL,
-- ldb_oom(ldb));
-- }
-- if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- talloc_free(ares);
- return ldb_module_done(ac->req, NULL, NULL,
- ldb_oom(ldb));
-@@ -5161,16 +5151,10 @@ static int replmd_name_modify(struct replmd_replicated_request *ar,
- goto failed;
- }
-
-- if (ldb_msg_add_empty(msg, rdn_name, LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-- goto failed;
-- }
-- if (ldb_msg_add_value(msg, rdn_name, rdn_val, NULL) != 0) {
-- goto failed;
-- }
-- if (ldb_msg_add_empty(msg, "name", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, rdn_name, rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- goto failed;
- }
-- if (ldb_msg_add_value(msg, "name", rdn_val, NULL) != 0) {
-+ if (ldb_msg_append_value(msg, "name", rdn_val, LDB_FLAG_MOD_REPLACE) != 0) {
- goto failed;
- }
-
-diff --git source4/dsdb/samdb/ldb_modules/samldb.c source4/dsdb/samdb/ldb_modules/samldb.c
-index 5fb9c195c9a..107e643e492 100644
---- source4/dsdb/samdb/ldb_modules/samldb.c
-+++ source4/dsdb/samdb/ldb_modules/samldb.c
-@@ -1103,14 +1103,11 @@ static int samldb_rodc_add(struct samldb_ctx *ac)
- return LDB_ERR_OTHER;
-
- found:
-- ret = ldb_msg_add_empty(ac->msg, "msDS-SecondaryKrbTgtNumber",
-- LDB_FLAG_INTERNAL_DISABLE_VALIDATION, NULL);
-- if (ret != LDB_SUCCESS) {
-- return ldb_operr(ldb);
-- }
-
-- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
-- "msDS-SecondaryKrbTgtNumber", krbtgt_number);
-+ ldb_msg_remove_attr(ac->msg, "msDS-SecondaryKrbTgtNumber");
-+ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg,
-+ "msDS-SecondaryKrbTgtNumber", krbtgt_number,
-+ LDB_FLAG_INTERNAL_DISABLE_VALIDATION);
- if (ret != LDB_SUCCESS) {
- return ldb_operr(ldb);
- }
-@@ -1792,7 +1789,7 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
- struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
- void *skip_allocate_sids = ldb_get_opaque(ldb,
- "skip_allocate_sids");
-- struct ldb_message_element *el, *el2;
-+ struct ldb_message_element *el;
- struct dom_sid *sid;
- int ret;
-
-@@ -1926,23 +1923,17 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
- /* "isCriticalSystemObject" might be set */
- if (user_account_control &
- (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
-- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject",
-- "TRUE");
-+ ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject",
-+ "TRUE", LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el2 = ldb_msg_find_element(ac->msg,
-- "isCriticalSystemObject");
-- el2->flags = LDB_FLAG_MOD_REPLACE;
- } else if (user_account_control & UF_WORKSTATION_TRUST_ACCOUNT) {
-- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject",
-- "FALSE");
-+ ret = ldb_msg_add_string_flags(ac->msg, "isCriticalSystemObject",
-+ "FALSE", LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el2 = ldb_msg_find_element(ac->msg,
-- "isCriticalSystemObject");
-- el2->flags = LDB_FLAG_MOD_REPLACE;
- }
-
- /* Step 1.4: "userAccountControl" -> "primaryGroupID" mapping */
-@@ -2018,14 +2009,13 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
- ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
-- "sAMAccountType",
-- account_type);
-+ ret = samdb_msg_add_uint_flags(ldb, ac->msg, ac->msg,
-+ "sAMAccountType",
-+ account_type,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el2 = ldb_msg_find_element(ac->msg, "sAMAccountType");
-- el2->flags = LDB_FLAG_MOD_REPLACE;
- }
- break;
- }
-@@ -2945,26 +2935,23 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
- }
-
- if (old_atype != new_atype) {
-- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
-- "sAMAccountType", new_atype);
-+ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg,
-+ "sAMAccountType", new_atype,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg, "sAMAccountType");
-- el->flags = LDB_FLAG_MOD_REPLACE;
- }
-
- /* As per MS-SAMR 3.1.1.8.10 these flags have not to be set */
- if ((clear_uac & UF_LOCKOUT) && (old_lockoutTime != 0)) {
- /* "lockoutTime" reset as per MS-SAMR 3.1.1.8.10 */
- ldb_msg_remove_attr(ac->msg, "lockoutTime");
-- ret = samdb_msg_add_uint64(ldb, ac->msg, ac->msg, "lockoutTime",
-- (NTTIME)0);
-+ ret = samdb_msg_append_uint64(ldb, ac->msg, ac->msg, "lockoutTime",
-+ (NTTIME)0, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg, "lockoutTime");
-- el->flags = LDB_FLAG_MOD_REPLACE;
- }
-
- /*
-@@ -2975,14 +2962,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
- * creating the attribute.
- */
- if (old_is_critical != new_is_critical || old_atype != new_atype) {
-- ret = ldb_msg_add_string(ac->msg, "isCriticalSystemObject",
-- new_is_critical ? "TRUE": "FALSE");
-+ ret = ldb_msg_append_string(ac->msg, "isCriticalSystemObject",
-+ new_is_critical ? "TRUE": "FALSE",
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg,
-- "isCriticalSystemObject");
-- el->flags = LDB_FLAG_MOD_REPLACE;
- }
-
- if (!ldb_msg_find_element(ac->msg, "primaryGroupID") &&
-@@ -2995,14 +2980,12 @@ static int samldb_user_account_control_change(struct samldb_ctx *ac)
- }
- }
-
-- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg,
-- "primaryGroupID", new_pgrid);
-+ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg,
-+ "primaryGroupID", new_pgrid,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg,
-- "primaryGroupID");
-- el->flags = LDB_FLAG_MOD_REPLACE;
- }
-
- /* Propagate eventual "userAccountControl" attribute changes */
-@@ -3205,13 +3188,12 @@ static int samldb_lockout_time(struct samldb_ctx *ac)
-
- /* lockoutTime == 0 resets badPwdCount */
- ldb_msg_remove_attr(ac->msg, "badPwdCount");
-- ret = samdb_msg_add_int(ldb, ac->msg, ac->msg,
-- "badPwdCount", 0);
-+ ret = samdb_msg_append_int(ldb, ac->msg, ac->msg,
-+ "badPwdCount", 0,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg, "badPwdCount");
-- el->flags = LDB_FLAG_MOD_REPLACE;
-
- return LDB_SUCCESS;
- }
-@@ -3309,13 +3291,11 @@ static int samldb_group_type_change(struct samldb_ctx *ac)
- ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-- ret = samdb_msg_add_uint(ldb, ac->msg, ac->msg, "sAMAccountType",
-- account_type);
-+ ret = samdb_msg_append_uint(ldb, ac->msg, ac->msg, "sAMAccountType",
-+ account_type, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->msg, "sAMAccountType");
-- el->flags = LDB_FLAG_MOD_REPLACE;
-
- return LDB_SUCCESS;
- }
-diff --git source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-index 5f8911c66be..99c5955e9e7 100644
---- source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-+++ source4/dsdb/samdb/ldb_modules/tombstone_reanimate.c
-@@ -294,14 +294,13 @@ static int tr_prepare_attributes(struct tr_context *ac)
- return ldb_error(ldb, LDB_ERR_UNWILLING_TO_PERFORM,
- "reanimate: Unrecognized account type!");
- }
-- ret = samdb_msg_add_uint(ldb, ac->mod_msg, ac->mod_msg,
-- "sAMAccountType", account_type);
-+ ret = samdb_msg_append_uint(ldb, ac->mod_msg, ac->mod_msg,
-+ "sAMAccountType", account_type,
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
- "reanimate: Failed to add sAMAccountType to restored object.");
- }
-- el = ldb_msg_find_element(ac->mod_msg, "sAMAccountType");
-- el->flags = LDB_FLAG_MOD_REPLACE;
-
- /* Default values set by Windows */
- ret = samdb_find_or_add_attribute(ldb, ac->mod_msg,
-@@ -324,12 +323,11 @@ static int tr_prepare_attributes(struct tr_context *ac)
- return ret;
- }
-
-- ret = ldb_msg_add_string(ac->mod_msg, "objectCategory", value);
-+ ret = ldb_msg_append_string(ac->mod_msg, "objectCategory", value,
-+ LDB_FLAG_MOD_ADD);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-- el = ldb_msg_find_element(ac->mod_msg, "objectCategory");
-- el->flags = LDB_FLAG_MOD_ADD;
- }
-
- return LDB_SUCCESS;
-diff --git source4/nbt_server/wins/winsdb.c source4/nbt_server/wins/winsdb.c
-index e4a7c2042ed..2a05e96bca4 100644
---- source4/nbt_server/wins/winsdb.c
-+++ source4/nbt_server/wins/winsdb.c
-@@ -102,13 +102,11 @@ uint64_t winsdb_set_maxVersion(struct winsdb_handle *h, uint64_t newMaxVersion)
- msg->dn = dn;
-
-
-- ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, NULL);
-+ ret = ldb_msg_append_string(msg, "objectClass", "winsMaxVersion",
-+ LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) goto failed;
-- ret = ldb_msg_add_string(msg, "objectClass", "winsMaxVersion");
-- if (ret != LDB_SUCCESS) goto failed;
-- ret = ldb_msg_add_empty(msg, "maxVersion", LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) goto failed;
-- ret = ldb_msg_add_fmt(msg, "maxVersion", "%llu", (long long)newMaxVersion);
-+ ret = ldb_msg_append_fmt(msg, LDB_FLAG_MOD_REPLACE,
-+ "maxVersion", "%llu", (long long)newMaxVersion);
- if (ret != LDB_SUCCESS) goto failed;
-
- ret = ldb_modify(wins_db, msg);
-@@ -779,8 +777,7 @@ static struct ldb_message *winsdb_message(struct ldb_context *ldb,
- ret |= ldb_msg_add_winsdb_addr(msg, rec, "address", rec->addresses[i]);
- }
- if (rec->registered_by) {
-- ret |= ldb_msg_add_empty(msg, "registeredBy", 0, NULL);
-- ret |= ldb_msg_add_string(msg, "registeredBy", rec->registered_by);
-+ ret |= ldb_msg_append_string(msg, "registeredBy", rec->registered_by, 0);
- }
- if (ret != LDB_SUCCESS) goto failed;
- return msg;
-diff --git source4/rpc_server/lsa/dcesrv_lsa.c source4/rpc_server/lsa/dcesrv_lsa.c
-index 15b068aec62..a165ab2b9d6 100644
---- source4/rpc_server/lsa/dcesrv_lsa.c
-+++ source4/rpc_server/lsa/dcesrv_lsa.c
-@@ -1778,12 +1778,7 @@ static NTSTATUS update_uint32_t_value(TALLOC_CTX *mem_ctx,
- goto done;
- }
-
-- ret = ldb_msg_add_empty(dest, attribute, flags, NULL);
-- if (ret != LDB_SUCCESS) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- ret = samdb_msg_add_uint(sam_ldb, dest, dest, attribute, value);
-+ ret = samdb_msg_append_uint(sam_ldb, dest, dest, attribute, value, flags);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -1874,13 +1869,7 @@ static NTSTATUS update_trust_user(TALLOC_CTX *mem_ctx,
- continue;
- }
-
-- ret = ldb_msg_add_empty(msg, attribute,
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- ret = ldb_msg_add_value(msg, attribute, &v, NULL);
-+ ret = ldb_msg_append_value(msg, attribute, &v, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -2166,28 +2155,30 @@ static NTSTATUS setInfoTrustedDomain_base(struct dcesrv_call_state *dce_call,
- }
-
- if (add_incoming || del_incoming) {
-- ret = ldb_msg_add_empty(msg, "trustAuthIncoming",
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- return NT_STATUS_NO_MEMORY;
-- }
- if (add_incoming) {
-- ret = ldb_msg_add_value(msg, "trustAuthIncoming",
-- &trustAuthIncoming, NULL);
-+ ret = ldb_msg_append_value(msg, "trustAuthIncoming",
-+ &trustAuthIncoming, LDB_FLAG_MOD_REPLACE);
-+ if (ret != LDB_SUCCESS) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ } else {
-+ ret = ldb_msg_add_empty(msg, "trustAuthIncoming",
-+ LDB_FLAG_MOD_REPLACE, NULL);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
- }
- }
- }
- if (add_outgoing || del_outgoing) {
-- ret = ldb_msg_add_empty(msg, "trustAuthOutgoing",
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- return NT_STATUS_NO_MEMORY;
-- }
- if (add_outgoing) {
-- ret = ldb_msg_add_value(msg, "trustAuthOutgoing",
-- &trustAuthOutgoing, NULL);
-+ ret = ldb_msg_append_value(msg, "trustAuthOutgoing",
-+ &trustAuthOutgoing, LDB_FLAG_MOD_REPLACE);
-+ if (ret != LDB_SUCCESS) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+ } else {
-+ ret = ldb_msg_add_empty(msg, "trustAuthOutgoing",
-+ LDB_FLAG_MOD_REPLACE, NULL);
- if (ret != LDB_SUCCESS) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -4635,14 +4626,8 @@ static NTSTATUS dcesrv_lsa_lsaRSetForestTrustInformation(struct dcesrv_call_stat
- goto done;
- }
-
-- ret = ldb_msg_add_empty(msg, "msDS-TrustForestTrustInfo",
-- LDB_FLAG_MOD_REPLACE, NULL);
-- if (ret != LDB_SUCCESS) {
-- status = NT_STATUS_NO_MEMORY;
-- goto done;
-- }
-- ret = ldb_msg_add_value(msg, "msDS-TrustForestTrustInfo",
-- &ft_blob, NULL);
-+ ret = ldb_msg_append_value(msg, "msDS-TrustForestTrustInfo",
-+ &ft_blob, LDB_FLAG_MOD_REPLACE);
- if (ret != LDB_SUCCESS) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
-diff --git source4/winbind/idmap.c source4/winbind/idmap.c
-index c4039be473a..c6375f8357a 100644
---- source4/winbind/idmap.c
-+++ source4/winbind/idmap.c
-@@ -672,14 +672,8 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
- vals[1].data = (uint8_t *)hwm_string;
- vals[1].length = strlen(hwm_string);
- } else {
-- ret = ldb_msg_add_empty(hwm_msg, "xidNumber", LDB_FLAG_MOD_ADD,
-- NULL);
-- if (ret != LDB_SUCCESS) {
-- status = NT_STATUS_NONE_MAPPED;
-- goto failed;
-- }
--
-- ret = ldb_msg_add_string(hwm_msg, "xidNumber", hwm_string);
-+ ret = ldb_msg_append_string(hwm_msg, "xidNumber", hwm_string,
-+ LDB_FLAG_MOD_ADD);
- if (ret != LDB_SUCCESS)
- {
- status = NT_STATUS_NONE_MAPPED;
---
-2.25.1
-
-
-From 7270b68386692829f97d5c51c50108db395b263e Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Tue, 14 Jun 2022 15:43:26 +1200
-Subject: [PATCH 14/99] CVE-2022-32746 ldb: Release LDB 2.3.4
-
-* CVE-2022-32746 Use-after-free occurring in database audit logging module (bug 15009)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
----
- lib/ldb/ABI/ldb-2.3.4.sigs | 291 ++++++++++++++++++++++++++++++
- lib/ldb/ABI/pyldb-util-2.3.4.sigs | 3 +
- lib/ldb/wscript | 2 +-
- 3 files changed, 295 insertions(+), 1 deletion(-)
- create mode 100644 lib/ldb/ABI/ldb-2.3.4.sigs
- create mode 100644 lib/ldb/ABI/pyldb-util-2.3.4.sigs
-
-diff --git lib/ldb/ABI/ldb-2.3.4.sigs lib/ldb/ABI/ldb-2.3.4.sigs
-new file mode 100644
-index 00000000000..40388d9e330
---- /dev/null
-+++ lib/ldb/ABI/ldb-2.3.4.sigs
-@@ -0,0 +1,291 @@
-+ldb_add: int (struct ldb_context *, const struct ldb_message *)
-+ldb_any_comparison: int (struct ldb_context *, void *, ldb_attr_handler_t, const struct ldb_val *, const struct ldb_val *)
-+ldb_asprintf_errstring: void (struct ldb_context *, const char *, ...)
-+ldb_attr_casefold: char *(TALLOC_CTX *, const char *)
-+ldb_attr_dn: int (const char *)
-+ldb_attr_in_list: int (const char * const *, const char *)
-+ldb_attr_list_copy: const char **(TALLOC_CTX *, const char * const *)
-+ldb_attr_list_copy_add: const char **(TALLOC_CTX *, const char * const *, const char *)
-+ldb_base64_decode: int (char *)
-+ldb_base64_encode: char *(TALLOC_CTX *, const char *, int)
-+ldb_binary_decode: struct ldb_val (TALLOC_CTX *, const char *)
-+ldb_binary_encode: char *(TALLOC_CTX *, struct ldb_val)
-+ldb_binary_encode_string: char *(TALLOC_CTX *, const char *)
-+ldb_build_add_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_del_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_extended_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const char *, void *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_mod_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_rename_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, struct ldb_dn *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_search_req: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, const char *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_build_search_req_ex: int (struct ldb_request **, struct ldb_context *, TALLOC_CTX *, struct ldb_dn *, enum ldb_scope, struct ldb_parse_tree *, const char * const *, struct ldb_control **, void *, ldb_request_callback_t, struct ldb_request *)
-+ldb_casefold: char *(struct ldb_context *, TALLOC_CTX *, const char *, size_t)
-+ldb_casefold_default: char *(void *, TALLOC_CTX *, const char *, size_t)
-+ldb_check_critical_controls: int (struct ldb_control **)
-+ldb_comparison_binary: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
-+ldb_comparison_fold: int (struct ldb_context *, void *, const struct ldb_val *, const struct ldb_val *)
-+ldb_connect: int (struct ldb_context *, const char *, unsigned int, const char **)
-+ldb_control_to_string: char *(TALLOC_CTX *, const struct ldb_control *)
-+ldb_controls_except_specified: struct ldb_control **(struct ldb_control **, TALLOC_CTX *, struct ldb_control *)
-+ldb_debug: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
-+ldb_debug_add: void (struct ldb_context *, const char *, ...)
-+ldb_debug_end: void (struct ldb_context *, enum ldb_debug_level)
-+ldb_debug_set: void (struct ldb_context *, enum ldb_debug_level, const char *, ...)
-+ldb_delete: int (struct ldb_context *, struct ldb_dn *)
-+ldb_dn_add_base: bool (struct ldb_dn *, struct ldb_dn *)
-+ldb_dn_add_base_fmt: bool (struct ldb_dn *, const char *, ...)
-+ldb_dn_add_child: bool (struct ldb_dn *, struct ldb_dn *)
-+ldb_dn_add_child_fmt: bool (struct ldb_dn *, const char *, ...)
-+ldb_dn_add_child_val: bool (struct ldb_dn *, const char *, struct ldb_val)
-+ldb_dn_alloc_casefold: char *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_alloc_linearized: char *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_canonical_ex_string: char *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_canonical_string: char *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_check_local: bool (struct ldb_module *, struct ldb_dn *)
-+ldb_dn_check_special: bool (struct ldb_dn *, const char *)
-+ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
-+ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
-+ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
-+ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *)
-+ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
-+ldb_dn_extended_syntax_by_name: const struct ldb_dn_extended_syntax *(struct ldb_context *, const char *)
-+ldb_dn_from_ldb_val: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const struct ldb_val *)
-+ldb_dn_get_casefold: const char *(struct ldb_dn *)
-+ldb_dn_get_comp_num: int (struct ldb_dn *)
-+ldb_dn_get_component_name: const char *(struct ldb_dn *, unsigned int)
-+ldb_dn_get_component_val: const struct ldb_val *(struct ldb_dn *, unsigned int)
-+ldb_dn_get_extended_comp_num: int (struct ldb_dn *)
-+ldb_dn_get_extended_component: const struct ldb_val *(struct ldb_dn *, const char *)
-+ldb_dn_get_extended_linearized: char *(TALLOC_CTX *, struct ldb_dn *, int)
-+ldb_dn_get_ldb_context: struct ldb_context *(struct ldb_dn *)
-+ldb_dn_get_linearized: const char *(struct ldb_dn *)
-+ldb_dn_get_parent: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
-+ldb_dn_get_rdn_name: const char *(struct ldb_dn *)
-+ldb_dn_get_rdn_val: const struct ldb_val *(struct ldb_dn *)
-+ldb_dn_has_extended: bool (struct ldb_dn *)
-+ldb_dn_is_null: bool (struct ldb_dn *)
-+ldb_dn_is_special: bool (struct ldb_dn *)
-+ldb_dn_is_valid: bool (struct ldb_dn *)
-+ldb_dn_map_local: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
-+ldb_dn_map_rebase_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
-+ldb_dn_map_remote: struct ldb_dn *(struct ldb_module *, void *, struct ldb_dn *)
-+ldb_dn_minimise: bool (struct ldb_dn *)
-+ldb_dn_new: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *)
-+ldb_dn_new_fmt: struct ldb_dn *(TALLOC_CTX *, struct ldb_context *, const char *, ...)
-+ldb_dn_remove_base_components: bool (struct ldb_dn *, unsigned int)
-+ldb_dn_remove_child_components: bool (struct ldb_dn *, unsigned int)
-+ldb_dn_remove_extended_components: void (struct ldb_dn *)
-+ldb_dn_replace_components: bool (struct ldb_dn *, struct ldb_dn *)
-+ldb_dn_set_component: int (struct ldb_dn *, int, const char *, const struct ldb_val)
-+ldb_dn_set_extended_component: int (struct ldb_dn *, const char *, const struct ldb_val *)
-+ldb_dn_update_components: int (struct ldb_dn *, const struct ldb_dn *)
-+ldb_dn_validate: bool (struct ldb_dn *)
-+ldb_dump_results: void (struct ldb_context *, struct ldb_result *, FILE *)
-+ldb_error_at: int (struct ldb_context *, int, const char *, const char *, int)
-+ldb_errstring: const char *(struct ldb_context *)
-+ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **)
-+ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *)
-+ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *)
-+ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *)
-+ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *)
-+ldb_get_create_perms: unsigned int (struct ldb_context *)
-+ldb_get_default_basedn: struct ldb_dn *(struct ldb_context *)
-+ldb_get_event_context: struct tevent_context *(struct ldb_context *)
-+ldb_get_flags: unsigned int (struct ldb_context *)
-+ldb_get_opaque: void *(struct ldb_context *, const char *)
-+ldb_get_root_basedn: struct ldb_dn *(struct ldb_context *)
-+ldb_get_schema_basedn: struct ldb_dn *(struct ldb_context *)
-+ldb_global_init: int (void)
-+ldb_handle_get_event_context: struct tevent_context *(struct ldb_handle *)
-+ldb_handle_new: struct ldb_handle *(TALLOC_CTX *, struct ldb_context *)
-+ldb_handle_use_global_event_context: void (struct ldb_handle *)
-+ldb_handler_copy: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
-+ldb_handler_fold: int (struct ldb_context *, void *, const struct ldb_val *, struct ldb_val *)
-+ldb_init: struct ldb_context *(TALLOC_CTX *, struct tevent_context *)
-+ldb_ldif_message_redacted_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
-+ldb_ldif_message_string: char *(struct ldb_context *, TALLOC_CTX *, enum ldb_changetype, const struct ldb_message *)
-+ldb_ldif_parse_modrdn: int (struct ldb_context *, const struct ldb_ldif *, TALLOC_CTX *, struct ldb_dn **, struct ldb_dn **, bool *, struct ldb_dn **, struct ldb_dn **)
-+ldb_ldif_read: struct ldb_ldif *(struct ldb_context *, int (*)(void *), void *)
-+ldb_ldif_read_file: struct ldb_ldif *(struct ldb_context *, FILE *)
-+ldb_ldif_read_file_state: struct ldb_ldif *(struct ldb_context *, struct ldif_read_file_state *)
-+ldb_ldif_read_free: void (struct ldb_context *, struct ldb_ldif *)
-+ldb_ldif_read_string: struct ldb_ldif *(struct ldb_context *, const char **)
-+ldb_ldif_write: int (struct ldb_context *, int (*)(void *, const char *, ...), void *, const struct ldb_ldif *)
-+ldb_ldif_write_file: int (struct ldb_context *, FILE *, const struct ldb_ldif *)
-+ldb_ldif_write_redacted_trace_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
-+ldb_ldif_write_string: char *(struct ldb_context *, TALLOC_CTX *, const struct ldb_ldif *)
-+ldb_load_modules: int (struct ldb_context *, const char **)
-+ldb_map_add: int (struct ldb_module *, struct ldb_request *)
-+ldb_map_delete: int (struct ldb_module *, struct ldb_request *)
-+ldb_map_init: int (struct ldb_module *, const struct ldb_map_attribute *, const struct ldb_map_objectclass *, const char * const *, const char *, const char *)
-+ldb_map_modify: int (struct ldb_module *, struct ldb_request *)
-+ldb_map_rename: int (struct ldb_module *, struct ldb_request *)
-+ldb_map_search: int (struct ldb_module *, struct ldb_request *)
-+ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, enum ldb_scope, bool *)
-+ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope)
-+ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *)
-+ldb_match_msg_objectclass: int (const struct ldb_message *, const char *)
-+ldb_mod_register_control: int (struct ldb_module *, const char *)
-+ldb_modify: int (struct ldb_context *, const struct ldb_message *)
-+ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *)
-+ldb_module_call_chain: char *(struct ldb_request *, TALLOC_CTX *)
-+ldb_module_connect_backend: int (struct ldb_context *, const char *, const char **, struct ldb_module **)
-+ldb_module_done: int (struct ldb_request *, struct ldb_control **, struct ldb_extended *, int)
-+ldb_module_flags: uint32_t (struct ldb_context *)
-+ldb_module_get_ctx: struct ldb_context *(struct ldb_module *)
-+ldb_module_get_name: const char *(struct ldb_module *)
-+ldb_module_get_ops: const struct ldb_module_ops *(struct ldb_module *)
-+ldb_module_get_private: void *(struct ldb_module *)
-+ldb_module_init_chain: int (struct ldb_context *, struct ldb_module *)
-+ldb_module_load_list: int (struct ldb_context *, const char **, struct ldb_module *, struct ldb_module **)
-+ldb_module_new: struct ldb_module *(TALLOC_CTX *, struct ldb_context *, const char *, const struct ldb_module_ops *)
-+ldb_module_next: struct ldb_module *(struct ldb_module *)
-+ldb_module_popt_options: struct poptOption **(struct ldb_context *)
-+ldb_module_send_entry: int (struct ldb_request *, struct ldb_message *, struct ldb_control **)
-+ldb_module_send_referral: int (struct ldb_request *, char *)
-+ldb_module_set_next: void (struct ldb_module *, struct ldb_module *)
-+ldb_module_set_private: void (struct ldb_module *, void *)
-+ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type)
-+ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *)
-+ldb_modules_load: int (const char *, const char *)
-+ldb_msg_add: int (struct ldb_message *, const struct ldb_message_element *, int)
-+ldb_msg_add_empty: int (struct ldb_message *, const char *, int, struct ldb_message_element **)
-+ldb_msg_add_fmt: int (struct ldb_message *, const char *, const char *, ...)
-+ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *)
-+ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *)
-+ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *)
-+ldb_msg_add_string: int (struct ldb_message *, const char *, const char *)
-+ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int)
-+ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **)
-+ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...)
-+ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int)
-+ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int)
-+ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int)
-+ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int)
-+ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int)
-+ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *)
-+ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *)
-+ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
-+ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *)
-+ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *)
-+ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *)
-+ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **)
-+ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *)
-+ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *)
-+ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *)
-+ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *)
-+ldb_msg_find_attr_as_bool: int (const struct ldb_message *, const char *, int)
-+ldb_msg_find_attr_as_dn: struct ldb_dn *(struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, const char *)
-+ldb_msg_find_attr_as_double: double (const struct ldb_message *, const char *, double)
-+ldb_msg_find_attr_as_int: int (const struct ldb_message *, const char *, int)
-+ldb_msg_find_attr_as_int64: int64_t (const struct ldb_message *, const char *, int64_t)
-+ldb_msg_find_attr_as_string: const char *(const struct ldb_message *, const char *, const char *)
-+ldb_msg_find_attr_as_uint: unsigned int (const struct ldb_message *, const char *, unsigned int)
-+ldb_msg_find_attr_as_uint64: uint64_t (const struct ldb_message *, const char *, uint64_t)
-+ldb_msg_find_common_values: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message_element *, struct ldb_message_element *, uint32_t)
-+ldb_msg_find_duplicate_val: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message_element *, struct ldb_val **, uint32_t)
-+ldb_msg_find_element: struct ldb_message_element *(const struct ldb_message *, const char *)
-+ldb_msg_find_ldb_val: const struct ldb_val *(const struct ldb_message *, const char *)
-+ldb_msg_find_val: struct ldb_val *(const struct ldb_message_element *, struct ldb_val *)
-+ldb_msg_new: struct ldb_message *(TALLOC_CTX *)
-+ldb_msg_normalize: int (struct ldb_context *, TALLOC_CTX *, const struct ldb_message *, struct ldb_message **)
-+ldb_msg_remove_attr: void (struct ldb_message *, const char *)
-+ldb_msg_remove_element: void (struct ldb_message *, struct ldb_message_element *)
-+ldb_msg_rename_attr: int (struct ldb_message *, const char *, const char *)
-+ldb_msg_sanity_check: int (struct ldb_context *, const struct ldb_message *)
-+ldb_msg_sort_elements: void (struct ldb_message *)
-+ldb_next_del_trans: int (struct ldb_module *)
-+ldb_next_end_trans: int (struct ldb_module *)
-+ldb_next_init: int (struct ldb_module *)
-+ldb_next_prepare_commit: int (struct ldb_module *)
-+ldb_next_read_lock: int (struct ldb_module *)
-+ldb_next_read_unlock: int (struct ldb_module *)
-+ldb_next_remote_request: int (struct ldb_module *, struct ldb_request *)
-+ldb_next_request: int (struct ldb_module *, struct ldb_request *)
-+ldb_next_start_trans: int (struct ldb_module *)
-+ldb_op_default_callback: int (struct ldb_request *, struct ldb_reply *)
-+ldb_options_copy: const char **(TALLOC_CTX *, const char **)
-+ldb_options_find: const char *(struct ldb_context *, const char **, const char *)
-+ldb_options_get: const char **(struct ldb_context *)
-+ldb_pack_data: int (struct ldb_context *, const struct ldb_message *, struct ldb_val *, uint32_t)
-+ldb_parse_control_from_string: struct ldb_control *(struct ldb_context *, TALLOC_CTX *, const char *)
-+ldb_parse_control_strings: struct ldb_control **(struct ldb_context *, TALLOC_CTX *, const char **)
-+ldb_parse_tree: struct ldb_parse_tree *(TALLOC_CTX *, const char *)
-+ldb_parse_tree_attr_replace: void (struct ldb_parse_tree *, const char *, const char *)
-+ldb_parse_tree_copy_shallow: struct ldb_parse_tree *(TALLOC_CTX *, const struct ldb_parse_tree *)
-+ldb_parse_tree_walk: int (struct ldb_parse_tree *, int (*)(struct ldb_parse_tree *, void *), void *)
-+ldb_qsort: void (void * const, size_t, size_t, void *, ldb_qsort_cmp_fn_t)
-+ldb_register_backend: int (const char *, ldb_connect_fn, bool)
-+ldb_register_extended_match_rule: int (struct ldb_context *, const struct ldb_extended_match_rule *)
-+ldb_register_hook: int (ldb_hook_fn)
-+ldb_register_module: int (const struct ldb_module_ops *)
-+ldb_rename: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *)
-+ldb_reply_add_control: int (struct ldb_reply *, const char *, bool, void *)
-+ldb_reply_get_control: struct ldb_control *(struct ldb_reply *, const char *)
-+ldb_req_get_custom_flags: uint32_t (struct ldb_request *)
-+ldb_req_is_untrusted: bool (struct ldb_request *)
-+ldb_req_location: const char *(struct ldb_request *)
-+ldb_req_mark_trusted: void (struct ldb_request *)
-+ldb_req_mark_untrusted: void (struct ldb_request *)
-+ldb_req_set_custom_flags: void (struct ldb_request *, uint32_t)
-+ldb_req_set_location: void (struct ldb_request *, const char *)
-+ldb_request: int (struct ldb_context *, struct ldb_request *)
-+ldb_request_add_control: int (struct ldb_request *, const char *, bool, void *)
-+ldb_request_done: int (struct ldb_request *, int)
-+ldb_request_get_control: struct ldb_control *(struct ldb_request *, const char *)
-+ldb_request_get_status: int (struct ldb_request *)
-+ldb_request_replace_control: int (struct ldb_request *, const char *, bool, void *)
-+ldb_request_set_state: void (struct ldb_request *, int)
-+ldb_reset_err_string: void (struct ldb_context *)
-+ldb_save_controls: int (struct ldb_control *, struct ldb_request *, struct ldb_control ***)
-+ldb_schema_attribute_add: int (struct ldb_context *, const char *, unsigned int, const char *)
-+ldb_schema_attribute_add_with_syntax: int (struct ldb_context *, const char *, unsigned int, const struct ldb_schema_syntax *)
-+ldb_schema_attribute_by_name: const struct ldb_schema_attribute *(struct ldb_context *, const char *)
-+ldb_schema_attribute_fill_with_syntax: int (struct ldb_context *, TALLOC_CTX *, const char *, unsigned int, const struct ldb_schema_syntax *, struct ldb_schema_attribute *)
-+ldb_schema_attribute_remove: void (struct ldb_context *, const char *)
-+ldb_schema_attribute_remove_flagged: void (struct ldb_context *, unsigned int)
-+ldb_schema_attribute_set_override_handler: void (struct ldb_context *, ldb_attribute_handler_override_fn_t, void *)
-+ldb_schema_set_override_GUID_index: void (struct ldb_context *, const char *, const char *)
-+ldb_schema_set_override_indexlist: void (struct ldb_context *, bool)
-+ldb_search: int (struct ldb_context *, TALLOC_CTX *, struct ldb_result **, struct ldb_dn *, enum ldb_scope, const char * const *, const char *, ...)
-+ldb_search_default_callback: int (struct ldb_request *, struct ldb_reply *)
-+ldb_sequence_number: int (struct ldb_context *, enum ldb_sequence_type, uint64_t *)
-+ldb_set_create_perms: void (struct ldb_context *, unsigned int)
-+ldb_set_debug: int (struct ldb_context *, void (*)(void *, enum ldb_debug_level, const char *, va_list), void *)
-+ldb_set_debug_stderr: int (struct ldb_context *)
-+ldb_set_default_dns: void (struct ldb_context *)
-+ldb_set_errstring: void (struct ldb_context *, const char *)
-+ldb_set_event_context: void (struct ldb_context *, struct tevent_context *)
-+ldb_set_flags: void (struct ldb_context *, unsigned int)
-+ldb_set_modules_dir: void (struct ldb_context *, const char *)
-+ldb_set_opaque: int (struct ldb_context *, const char *, void *)
-+ldb_set_require_private_event_context: void (struct ldb_context *)
-+ldb_set_timeout: int (struct ldb_context *, struct ldb_request *, int)
-+ldb_set_timeout_from_prev_req: int (struct ldb_context *, struct ldb_request *, struct ldb_request *)
-+ldb_set_utf8_default: void (struct ldb_context *)
-+ldb_set_utf8_fns: void (struct ldb_context *, void *, char *(*)(void *, void *, const char *, size_t))
-+ldb_setup_wellknown_attributes: int (struct ldb_context *)
-+ldb_should_b64_encode: int (struct ldb_context *, const struct ldb_val *)
-+ldb_standard_syntax_by_name: const struct ldb_schema_syntax *(struct ldb_context *, const char *)
-+ldb_strerror: const char *(int)
-+ldb_string_to_time: time_t (const char *)
-+ldb_string_utc_to_time: time_t (const char *)
-+ldb_timestring: char *(TALLOC_CTX *, time_t)
-+ldb_timestring_utc: char *(TALLOC_CTX *, time_t)
-+ldb_transaction_cancel: int (struct ldb_context *)
-+ldb_transaction_cancel_noerr: int (struct ldb_context *)
-+ldb_transaction_commit: int (struct ldb_context *)
-+ldb_transaction_prepare_commit: int (struct ldb_context *)
-+ldb_transaction_start: int (struct ldb_context *)
-+ldb_unpack_data: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *)
-+ldb_unpack_data_flags: int (struct ldb_context *, const struct ldb_val *, struct ldb_message *, unsigned int)
-+ldb_unpack_get_format: int (const struct ldb_val *, uint32_t *)
-+ldb_val_dup: struct ldb_val (TALLOC_CTX *, const struct ldb_val *)
-+ldb_val_equal_exact: int (const struct ldb_val *, const struct ldb_val *)
-+ldb_val_map_local: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
-+ldb_val_map_remote: struct ldb_val (struct ldb_module *, void *, const struct ldb_map_attribute *, const struct ldb_val *)
-+ldb_val_string_cmp: int (const struct ldb_val *, const char *)
-+ldb_val_to_time: int (const struct ldb_val *, time_t *)
-+ldb_valid_attr_name: int (const char *)
-+ldb_vdebug: void (struct ldb_context *, enum ldb_debug_level, const char *, va_list)
-+ldb_wait: int (struct ldb_handle *, enum ldb_wait_type)
-diff --git lib/ldb/ABI/pyldb-util-2.3.4.sigs lib/ldb/ABI/pyldb-util-2.3.4.sigs
-new file mode 100644
-index 00000000000..164a806b2ff
---- /dev/null
-+++ lib/ldb/ABI/pyldb-util-2.3.4.sigs
-@@ -0,0 +1,3 @@
-+pyldb_Dn_FromDn: PyObject *(struct ldb_dn *)
-+pyldb_Object_AsDn: bool (TALLOC_CTX *, PyObject *, struct ldb_context *, struct ldb_dn **)
-+pyldb_check_type: bool (PyObject *, const char *)
-
---
-2.25.1
-
-
-From 6237c85565332e0be1890dd57cc7e25fb76571d7 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 16 Feb 2022 17:03:10 +1300
-Subject: [PATCH 15/99] CVE-2022-32745 s4/dsdb/samldb: Check for empty values
- array
-
-This avoids potentially trying to access the first element of an empty
-array.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/samldb.c source4/dsdb/samdb/ldb_modules/samldb.c
-index 107e643e492..3625bb42e58 100644
---- source4/dsdb/samdb/ldb_modules/samldb.c
-+++ source4/dsdb/samdb/ldb_modules/samldb.c
-@@ -751,7 +751,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
- return ret;
- }
-
-- if (el == NULL) {
-+ if (el == NULL || el->num_values == 0) {
- return LDB_SUCCESS;
- }
-
-@@ -919,7 +919,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac)
- return ret;
- }
-
-- if (el == NULL) {
-+ if (el == NULL || el->num_values == 0) {
- return LDB_SUCCESS;
- }
-
---
-2.25.1
-
-
-From 7c8427e5d2f247921ab44996829acfed1f5f2360 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 17 Feb 2022 11:11:53 +1300
-Subject: [PATCH 16/99] CVE-2022-32745 s4/dsdb/util: Use correct value for loop
- count limit
-
-Currently, we can crash the server by sending a large number of values
-of a specific attribute (such as sAMAccountName) spread across a few
-message elements. If val_count is larger than the total number of
-elements, we get an access beyond the elements array.
-
-Similarly, we can include unrelated message elements prior to the
-message elements of the attribute in question, so that not all of the
-attribute's values are copied into the returned elements values array.
-This can cause the server to access uninitialised data, likely resulting
-in a crash or unexpected behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c
-index 405febf0b3d..14947746837 100644
---- source4/dsdb/samdb/ldb_modules/util.c
-+++ source4/dsdb/samdb/ldb_modules/util.c
-@@ -1546,7 +1546,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
-
- v = _el->values;
-
-- for (i = 0; i < val_count; i++) {
-+ for (i = 0; i < msg->num_elements; i++) {
- if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
- if ((operation == LDB_MODIFY) &&
- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
---
-2.25.1
-
-
-From 4d2d30c21b16a53d5547cb803efe49cb6304ce37 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 17 Feb 2022 11:13:38 +1300
-Subject: [PATCH 17/99] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a
- NULL pointer
-
-Doing so is undefined behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++----
- 1 file changed, 8 insertions(+), 4 deletions(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c
-index 14947746837..35ae110b5ef 100644
---- source4/dsdb/samdb/ldb_modules/util.c
-+++ source4/dsdb/samdb/ldb_modules/util.c
-@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
-
- for (i = 0; i < msg->num_elements; i++) {
- if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
-+ const struct ldb_message_element *tmp_el = &msg->elements[i];
- if ((operation == LDB_MODIFY) &&
-- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
-+ (LDB_FLAG_MOD_TYPE(tmp_el->flags)
- == LDB_FLAG_MOD_DELETE)) {
- continue;
- }
-+ if (tmp_el->values == NULL || tmp_el->num_values == 0) {
-+ continue;
-+ }
- memcpy(v,
-- msg->elements[i].values,
-- msg->elements[i].num_values);
-- v += msg->elements[i].num_values;
-+ tmp_el->values,
-+ tmp_el->num_values);
-+ v += tmp_el->num_values;
- }
- }
-
---
-2.25.1
-
-
-From 65d96369fa4f915f01e203cfc8b15e48c5b4b440 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 3 Jun 2022 16:16:31 +1200
-Subject: [PATCH 18/99] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
- message element
-
-To use memcpy(), we need to specify the number of bytes to copy, rather
-than the number of ldb_val structures.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/dsdb/samdb/ldb_modules/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/dsdb/samdb/ldb_modules/util.c source4/dsdb/samdb/ldb_modules/util.c
-index 35ae110b5ef..e7fe8f855df 100644
---- source4/dsdb/samdb/ldb_modules/util.c
-+++ source4/dsdb/samdb/ldb_modules/util.c
-@@ -1559,7 +1559,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
- }
- memcpy(v,
- tmp_el->values,
-- tmp_el->num_values);
-+ tmp_el->num_values * sizeof(*v));
- v += tmp_el->num_values;
- }
- }
---
-2.25.1
-
-
-From 34eb92a2066cc403aac5a3708257b04a40ba19ee Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Sat, 19 Sep 2020 14:16:20 +0200
-Subject: [PATCH 19/99] s4:mit-kdb: Force canonicalization for looking up
- principals
-
-See also
-https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184
-
-(cherry picked from commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b)
-
-[jsutton@samba.org Removed MIT knownfail changes]
----
- source4/heimdal/lib/hdb/hdb.h | 1 +
- source4/kdc/db-glue.c | 7 ++++++-
- source4/kdc/mit_samba.c | 8 ++++++++
- source4/kdc/sdb.h | 1 +
- 4 files changed, 16 insertions(+), 1 deletion(-)
-
-diff --git source4/heimdal/lib/hdb/hdb.h source4/heimdal/lib/hdb/hdb.h
-index 5ef9d9565f3..dafaffc6c2d 100644
---- source4/heimdal/lib/hdb/hdb.h
-+++ source4/heimdal/lib/hdb/hdb.h
-@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
- #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
- #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
- #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
-+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
-
- /* hdb_capability_flags */
- #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index 3a7e2176653..ac47fe78373 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -957,11 +957,16 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- krb5_clear_error_message(context);
- goto out;
- }
-- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
-+ } else if ((flags & SDB_F_FORCE_CANON) ||
-+ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
- /*
- * SDB_F_CANON maps from the canonicalize flag in the
- * packet, and has a different meaning between AS-REQ
- * and TGS-REQ. We only change the principal in the AS-REQ case
-+ *
-+ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
-+ * the canonical name in all lookups, and takes care to
-+ * canonicalize only when appropriate.
- */
- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
- if (ret) {
-diff --git source4/kdc/mit_samba.c source4/kdc/mit_samba.c
-index e015c5a52db..c2a604045d9 100644
---- source4/kdc/mit_samba.c
-+++ source4/kdc/mit_samba.c
-@@ -195,6 +195,14 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
- return ENOMEM;
- }
-
-+#if KRB5_KDB_API_VERSION >= 10
-+ /*
-+ * The MIT KDC code that wants the canonical name in all lookups, and
-+ * takes care to canonicalize only when appropriate.
-+ */
-+ sflags |= SDB_F_FORCE_CANON;
-+#endif
-+
- if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
- sflags |= SDB_F_CANON;
- }
-diff --git source4/kdc/sdb.h source4/kdc/sdb.h
-index c929acccce6..a9115ec23d7 100644
---- source4/kdc/sdb.h
-+++ source4/kdc/sdb.h
-@@ -116,6 +116,7 @@ struct sdb_entry_ex {
- #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
- #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
- #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
-+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
-
- void sdb_free_entry(struct sdb_entry_ex *e);
- void free_sdb_entry(struct sdb_entry *s);
---
-2.25.1
-
-
-From 06a0a75b16bace9c29568653d9e4bde4050c5ee5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Dec 2021 12:17:11 +0100
-Subject: [PATCH 20/99] s4:kdc: Also cannoicalize krbtgt principals when
- enforcing canonicalization
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit f1ec950aeb47283a504018bafa21f54c3282e70c)
----
- source4/kdc/db-glue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index ac47fe78373..d017741e30a 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -920,7 +920,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- p->is_krbtgt = true;
-
-- if (flags & (SDB_F_CANON)) {
-+ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
- /*
- * When requested to do so, ensure that the
- * both realm values in the principal are set
---
-2.25.1
-
-
-From b4005403032b0b33ca88d3abcbf085621b32bd5b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:30:38 +1300
-Subject: [PATCH 21/99] selftest: Check received LDB error code when
- STRICT_CHECKING=0
-
-We were instead only checking the expected error.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ad4d6fb01fd8083e68f07c427af8932574810cdc)
----
- source4/dsdb/tests/python/priv_attrs.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/dsdb/tests/python/priv_attrs.py source4/dsdb/tests/python/priv_attrs.py
-index aa35dcc1317..4dfdfb9cbb8 100644
---- source4/dsdb/tests/python/priv_attrs.py
-+++ source4/dsdb/tests/python/priv_attrs.py
-@@ -167,7 +167,7 @@ class PrivAttrsTests(samba.tests.TestCase):
- creds_tmp.set_kerberos_state(DONT_USE_KERBEROS) # kinit is too expensive to use in a tight loop
- return creds_tmp
-
-- def assertGotLdbError(self, got, wanted):
-+ def assertGotLdbError(self, wanted, got):
- if not self.strict_checking:
- self.assertNotEqual(got, ldb.SUCCESS)
- else:
---
-2.25.1
-
-
-From 6a4ed078902dcc57ab14f701c88e76ec0ac375e7 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:53:18 +1300
-Subject: [PATCH 22/99] tests/krb5: Remove unused variable
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf)
----
- python/samba/tests/krb5/raw_testcase.py | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 42f2e94f5aa..36a6134e6c9 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -2855,7 +2855,6 @@ class RawKerberosTest(TestCaseInTempDir):
-
- expect_etype_info2 = ()
- expect_etype_info = False
-- unexpect_etype_info = True
- expected_aes_type = 0
- expected_rc4_type = 0
- if kcrypto.Enctype.RC4 in proposed_etypes:
-@@ -2868,7 +2867,6 @@ class RawKerberosTest(TestCaseInTempDir):
- if etype > expected_aes_type:
- expected_aes_type = etype
- if etype in (kcrypto.Enctype.RC4,) and error_code != 0:
-- unexpect_etype_info = False
- if etype > expected_rc4_type:
- expected_rc4_type = etype
-
---
-2.25.1
-
-
-From 837453d34799f44653d0d6d690d3e3d5eb074993 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:34:11 +1300
-Subject: [PATCH 23/99] tests/krb5: Deduplicate AS-REQ tests
-
-salt_tests was running the tests defined in the base class as well as
-its own tests.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5)
----
- python/samba/tests/krb5/as_req_tests.py | 163 ++++++++++++------------
- python/samba/tests/krb5/salt_tests.py | 4 +-
- 2 files changed, 85 insertions(+), 82 deletions(-)
-
-diff --git python/samba/tests/krb5/as_req_tests.py python/samba/tests/krb5/as_req_tests.py
-index 08081928363..315720f85d6 100755
---- python/samba/tests/krb5/as_req_tests.py
-+++ python/samba/tests/krb5/as_req_tests.py
-@@ -38,87 +38,8 @@ from samba.tests.krb5.rfc4120_constants import (
- global_asn1_print = False
- global_hexdump = False
-
--@DynamicTestCase
--class AsReqKerberosTests(KDCBaseTest):
--
-- @classmethod
-- def setUpDynamicTestCases(cls):
-- for (name, idx) in cls.etype_test_permutation_name_idx():
-- for pac in [None, True, False]:
-- tname = "%s_pac_%s" % (name, pac)
-- targs = (idx, pac)
-- cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
--
-- def setUp(self):
-- super(AsReqKerberosTests, self).setUp()
-- self.do_asn1_print = global_asn1_print
-- self.do_hexdump = global_hexdump
--
-- def _test_as_req_nopreauth(self,
-- initial_etypes,
-- pac=None,
-- initial_kdc_options=None):
-- client_creds = self.get_client_creds()
-- client_account = client_creds.get_username()
-- client_as_etypes = self.get_default_enctypes()
-- krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
-- krbtgt_account = krbtgt_creds.get_username()
-- realm = krbtgt_creds.get_realm()
--
-- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-- names=[client_account])
-- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-- names=[krbtgt_account, realm])
--
-- expected_crealm = realm
-- expected_cname = cname
-- expected_srealm = realm
-- expected_sname = sname
-- expected_salt = client_creds.get_salt()
--
-- if any(etype in client_as_etypes and etype in initial_etypes
-- for etype in (kcrypto.Enctype.AES256,
-- kcrypto.Enctype.AES128,
-- kcrypto.Enctype.RC4)):
-- expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
-- else:
-- expected_error_mode = KDC_ERR_ETYPE_NOSUPP
--
-- kdc_exchange_dict = self.as_exchange_dict(
-- expected_crealm=expected_crealm,
-- expected_cname=expected_cname,
-- expected_srealm=expected_srealm,
-- expected_sname=expected_sname,
-- generate_padata_fn=None,
-- check_error_fn=self.generic_check_kdc_error,
-- check_rep_fn=None,
-- expected_error_mode=expected_error_mode,
-- client_as_etypes=client_as_etypes,
-- expected_salt=expected_salt,
-- kdc_options=str(initial_kdc_options),
-- pac_request=pac)
--
-- self._generic_kdc_exchange(kdc_exchange_dict,
-- cname=cname,
-- realm=realm,
-- sname=sname,
-- etypes=initial_etypes)
--
-- def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
-- name, etypes = self.etype_test_permutation_by_idx(etype_idx)
-- self._test_as_req_nopreauth(
-- pac=pac,
-- initial_etypes=etypes,
-- initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
--
-- def test_as_req_enc_timestamp(self):
-- client_creds = self.get_client_creds()
-- self._run_as_req_enc_timestamp(client_creds)
--
-- def test_as_req_enc_timestamp_mac(self):
-- client_creds = self.get_mach_creds()
-- self._run_as_req_enc_timestamp(client_creds)
-
-+class AsReqBaseTest(KDCBaseTest):
- def _run_as_req_enc_timestamp(self, client_creds):
- client_account = client_creds.get_username()
- client_as_etypes = self.get_default_enctypes()
-@@ -207,6 +128,88 @@ class AsReqKerberosTests(KDCBaseTest):
- return etype_info2
-
-
-+@DynamicTestCase
-+class AsReqKerberosTests(AsReqBaseTest):
-+
-+ @classmethod
-+ def setUpDynamicTestCases(cls):
-+ for (name, idx) in cls.etype_test_permutation_name_idx():
-+ for pac in [None, True, False]:
-+ tname = "%s_pac_%s" % (name, pac)
-+ targs = (idx, pac)
-+ cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
-+
-+ def setUp(self):
-+ super(AsReqKerberosTests, self).setUp()
-+ self.do_asn1_print = global_asn1_print
-+ self.do_hexdump = global_hexdump
-+
-+ def _test_as_req_nopreauth(self,
-+ initial_etypes,
-+ pac=None,
-+ initial_kdc_options=None):
-+ client_creds = self.get_client_creds()
-+ client_account = client_creds.get_username()
-+ client_as_etypes = self.get_default_enctypes()
-+ krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
-+ krbtgt_account = krbtgt_creds.get_username()
-+ realm = krbtgt_creds.get_realm()
-+
-+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=[client_account])
-+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=[krbtgt_account, realm])
-+
-+ expected_crealm = realm
-+ expected_cname = cname
-+ expected_srealm = realm
-+ expected_sname = sname
-+ expected_salt = client_creds.get_salt()
-+
-+ if any(etype in client_as_etypes and etype in initial_etypes
-+ for etype in (kcrypto.Enctype.AES256,
-+ kcrypto.Enctype.AES128,
-+ kcrypto.Enctype.RC4)):
-+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
-+ else:
-+ expected_error_mode = KDC_ERR_ETYPE_NOSUPP
-+
-+ kdc_exchange_dict = self.as_exchange_dict(
-+ expected_crealm=expected_crealm,
-+ expected_cname=expected_cname,
-+ expected_srealm=expected_srealm,
-+ expected_sname=expected_sname,
-+ generate_padata_fn=None,
-+ check_error_fn=self.generic_check_kdc_error,
-+ check_rep_fn=None,
-+ expected_error_mode=expected_error_mode,
-+ client_as_etypes=client_as_etypes,
-+ expected_salt=expected_salt,
-+ kdc_options=str(initial_kdc_options),
-+ pac_request=pac)
-+
-+ self._generic_kdc_exchange(kdc_exchange_dict,
-+ cname=cname,
-+ realm=realm,
-+ sname=sname,
-+ etypes=initial_etypes)
-+
-+ def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
-+ name, etypes = self.etype_test_permutation_by_idx(etype_idx)
-+ self._test_as_req_nopreauth(
-+ pac=pac,
-+ initial_etypes=etypes,
-+ initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
-+
-+ def test_as_req_enc_timestamp(self):
-+ client_creds = self.get_client_creds()
-+ self._run_as_req_enc_timestamp(client_creds)
-+
-+ def test_as_req_enc_timestamp_mac(self):
-+ client_creds = self.get_mach_creds()
-+ self._run_as_req_enc_timestamp(client_creds)
-+
-+
- if __name__ == "__main__":
- global_asn1_print = False
- global_hexdump = False
-diff --git python/samba/tests/krb5/salt_tests.py python/samba/tests/krb5/salt_tests.py
-index ecbf618e40e..db777f8b7bc 100755
---- python/samba/tests/krb5/salt_tests.py
-+++ python/samba/tests/krb5/salt_tests.py
-@@ -21,7 +21,7 @@ import os
-
- import ldb
-
--from samba.tests.krb5.as_req_tests import AsReqKerberosTests
-+from samba.tests.krb5.as_req_tests import AsReqBaseTest
- import samba.tests.krb5.kcrypto as kcrypto
-
- sys.path.insert(0, "bin/python")
-@@ -31,7 +31,7 @@ global_asn1_print = False
- global_hexdump = False
-
-
--class SaltTests(AsReqKerberosTests):
-+class SaltTests(AsReqBaseTest):
-
- def setUp(self):
- super().setUp()
---
-2.25.1
-
-
-From 3d48ade670bb5b026d7bc0a26a4fa6775b21653b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 16:02:00 +1300
-Subject: [PATCH 24/99] tests/krb5: Run test_rpc against member server
-
-We were instead always running against the DC.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579)
----
- python/samba/tests/krb5/test_rpc.py | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git python/samba/tests/krb5/test_rpc.py python/samba/tests/krb5/test_rpc.py
-index 03c125f518a..2d483986e83 100755
---- python/samba/tests/krb5/test_rpc.py
-+++ python/samba/tests/krb5/test_rpc.py
-@@ -58,7 +58,7 @@ class RpcTests(KDCBaseTest):
-
- samdb = self.get_samdb()
-
-- mach_name = samdb.host_dns_name()
-+ mach_name = self.host
- service = "cifs"
-
- # Create the user account.
-@@ -67,7 +67,7 @@ class RpcTests(KDCBaseTest):
- use_cache=False)
- user_name = user_credentials.get_username()
-
-- mach_credentials = self.get_dc_creds()
-+ mach_credentials = self.get_server_creds()
-
- # Talk to the KDC to obtain the service ticket, which gets placed into
- # the cache. The machine account name has to match the name in the
-@@ -114,8 +114,7 @@ class RpcTests(KDCBaseTest):
- self.assertEqual(user_name, account_name.string)
-
- def test_rpc_anonymous(self):
-- samdb = self.get_samdb()
-- mach_name = samdb.host_dns_name()
-+ mach_name = self.host
-
- anon_creds = credentials.Credentials()
- anon_creds.set_anonymous()
-@@ -125,7 +124,7 @@ class RpcTests(KDCBaseTest):
-
- (account_name, _) = conn.GetUserName(None, None, None)
-
-- self.assertEqual('ANONYMOUS LOGON', account_name.string)
-+ self.assertEqual('ANONYMOUS LOGON', account_name.string.upper())
-
-
- if __name__ == "__main__":
---
-2.25.1
-
-
-From bf1aa0927895b1007ecea738681235b5be2e6208 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:37:35 +1300
-Subject: [PATCH 25/99] tests/krb5: Allow PasswordKey_create() to use s2kparams
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit a560c2e9ad8abb824d1805c86c656943745f81eb)
----
- python/samba/tests/krb5/raw_testcase.py | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 36a6134e6c9..da3f69c79c6 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -1167,10 +1167,11 @@ class RawKerberosTest(TestCaseInTempDir):
- key = kcrypto.Key(etype, contents)
- return RodcPacEncryptionKey(key, kvno)
-
-- def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None):
-+ def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None,
-+ params=None):
- self.assertIsNotNone(pwd)
- self.assertIsNotNone(salt)
-- key = kcrypto.string_to_key(etype, pwd, salt)
-+ key = kcrypto.string_to_key(etype, pwd, salt, params=params)
- return RodcPacEncryptionKey(key, kvno)
-
- def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None):
-@@ -1182,9 +1183,11 @@ class RawKerberosTest(TestCaseInTempDir):
- nthash = creds.get_nt_hash()
- return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno)
-
-+ params = etype_info2.get('s2kparams')
-+
- password = creds.get_password()
- return self.PasswordKey_create(
-- etype=e, pwd=password, salt=salt, kvno=kvno)
-+ etype=e, pwd=password, salt=salt, kvno=kvno, params=params)
-
- def TicketDecryptionKey_from_creds(self, creds, etype=None):
-
---
-2.25.1
-
-
-From 651db77b1c19c036cf229c44b764b0155e1dc399 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:40:35 +1300
-Subject: [PATCH 26/99] tests/krb5: Split out methods to create renewable or
- invalid tickets
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e930274aa43810d6485c3c8a7c82958ecb409630)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 68 +++++++++++++-----------
- 1 file changed, 36 insertions(+), 32 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index abac5a47a56..0578969ba69 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -1786,6 +1786,40 @@ class KdcTgsTests(KDCBaseTest):
-
- self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
-
-+ def _modify_renewable(self, enc_part):
-+ # Set the renewable flag.
-+ renewable_flag = krb5_asn1.TicketFlags('renewable')
-+ pos = len(tuple(renewable_flag)) - 1
-+
-+ flags = enc_part['flags']
-+ self.assertLessEqual(pos, len(flags))
-+
-+ new_flags = flags[:pos] + '1' + flags[pos + 1:]
-+ enc_part['flags'] = new_flags
-+
-+ # Set the renew-till time to be in the future.
-+ renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
-+ enc_part['renew-till'] = renew_till
-+
-+ return enc_part
-+
-+ def _modify_invalid(self, enc_part):
-+ # Set the invalid flag.
-+ invalid_flag = krb5_asn1.TicketFlags('invalid')
-+ pos = len(tuple(invalid_flag)) - 1
-+
-+ flags = enc_part['flags']
-+ self.assertLessEqual(pos, len(flags))
-+
-+ new_flags = flags[:pos] + '1' + flags[pos + 1:]
-+ enc_part['flags'] = new_flags
-+
-+ # Set the ticket start time to be in the past.
-+ past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
-+ enc_part['starttime'] = past_time
-+
-+ return enc_part
-+
- def _get_tgt(self,
- client_creds,
- renewable=False,
-@@ -1880,39 +1914,9 @@ class KdcTgsTests(KDCBaseTest):
- }
-
- if renewable:
-- def flags_modify_fn(enc_part):
-- # Set the renewable flag.
-- renewable_flag = krb5_asn1.TicketFlags('renewable')
-- pos = len(tuple(renewable_flag)) - 1
--
-- flags = enc_part['flags']
-- self.assertLessEqual(pos, len(flags))
--
-- new_flags = flags[:pos] + '1' + flags[pos + 1:]
-- enc_part['flags'] = new_flags
--
-- # Set the renew-till time to be in the future.
-- renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
-- enc_part['renew-till'] = renew_till
--
-- return enc_part
-+ flags_modify_fn = self._modify_renewable
- elif invalid:
-- def flags_modify_fn(enc_part):
-- # Set the invalid flag.
-- invalid_flag = krb5_asn1.TicketFlags('invalid')
-- pos = len(tuple(invalid_flag)) - 1
--
-- flags = enc_part['flags']
-- self.assertLessEqual(pos, len(flags))
--
-- new_flags = flags[:pos] + '1' + flags[pos + 1:]
-- enc_part['flags'] = new_flags
--
-- # Set the ticket start time to be in the past.
-- past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
-- enc_part['starttime'] = past_time
--
-- return enc_part
-+ flags_modify_fn = self._modify_invalid
- else:
- flags_modify_fn = None
-
---
-2.25.1
-
-
-From 1e9ad4246ce7fe7a212da4357e6e11c5ac22a8b2 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 11:52:31 +1300
-Subject: [PATCH 27/99] tests/krb5: Adjust error codes to better match Windows
- with PacRequestorEnforcement=2
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595)
-
-[jsutton@samba.org Fixed MIT knownfail conflict]
----
- python/samba/tests/krb5/alias_tests.py | 7 +-
- python/samba/tests/krb5/kdc_tgs_tests.py | 130 ++++++++----------
- .../ms_kile_client_principal_lookup_tests.py | 39 ++----
- python/samba/tests/krb5/s4u_tests.py | 57 ++++----
- python/samba/tests/krb5/test_rpc.py | 8 +-
- selftest/knownfail_heimdal_kdc | 64 +++++++++
- selftest/knownfail_mit_kdc | 9 ++
- 7 files changed, 181 insertions(+), 133 deletions(-)
-
-diff --git python/samba/tests/krb5/alias_tests.py python/samba/tests/krb5/alias_tests.py
-index 60213845a44..1f63775c189 100755
---- python/samba/tests/krb5/alias_tests.py
-+++ python/samba/tests/krb5/alias_tests.py
-@@ -28,7 +28,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest
- from samba.tests.krb5.rfc4120_constants import (
- AES256_CTS_HMAC_SHA1_96,
- ARCFOUR_HMAC_MD5,
-- KDC_ERR_CLIENT_NAME_MISMATCH,
-+ KDC_ERR_TGT_REVOKED,
- NT_PRINCIPAL,
- )
-
-@@ -168,7 +168,7 @@ class AliasTests(KDCBaseTest):
- ctype=None)
- return [padata], req_body
-
-- expected_error_mode = KDC_ERR_CLIENT_NAME_MISMATCH
-+ expected_error_mode = KDC_ERR_TGT_REVOKED
-
- # Make a request using S4U2Self. The request should fail.
- kdc_exchange_dict = self.tgs_exchange_dict(
-@@ -184,7 +184,8 @@ class AliasTests(KDCBaseTest):
- tgt=tgt,
- authenticator_subkey=authenticator_subkey,
- kdc_options='0',
-- expect_pac=True)
-+ expect_pac=True,
-+ expect_edata=False)
-
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=None,
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 0578969ba69..7ea15f0fbab 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -23,7 +23,7 @@ import os
- import ldb
-
-
--from samba import dsdb, ntstatus
-+from samba import dsdb
-
- from samba.dcerpc import krb5pac, security
-
-@@ -38,8 +38,6 @@ from samba.tests.krb5.rfc4120_constants import (
- KRB_ERROR,
- KRB_TGS_REP,
- KDC_ERR_BADMATCH,
-- KDC_ERR_BADOPTION,
-- KDC_ERR_CLIENT_NAME_MISMATCH,
- KDC_ERR_GENERIC,
- KDC_ERR_MODIFIED,
- KDC_ERR_POLICY,
-@@ -262,7 +260,7 @@ class KdcTgsTests(KDCBaseTest):
- authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
-
- if expect_error:
-- expected_error_mode = KDC_ERR_BADOPTION
-+ expected_error_mode = KDC_ERR_TGT_REVOKED
- check_error_fn = self.generic_check_kdc_error
- check_rep_fn = None
- else:
-@@ -288,7 +286,8 @@ class KdcTgsTests(KDCBaseTest):
- authenticator_subkey=authenticator_subkey,
- kdc_options=kdc_options,
- pac_request=pac_request,
-- expect_pac=expect_pac)
-+ expect_pac=expect_pac,
-+ expect_edata=False)
-
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=cname,
-@@ -516,8 +515,7 @@ class KdcTgsTests(KDCBaseTest):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_requester_sid=True)
-
-- self._run_tgs(tgt, expected_error=0, expect_pac=True,
-- expect_requester_sid=False) # Note: not expected
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_req_no_pac_attrs(self):
- creds = self._get_creds()
-@@ -531,11 +529,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
-
-- samdb = self.get_samdb()
-- sid = self.get_objectSid(samdb, creds.get_dn())
--
-- self._run_tgs(tgt, expected_error=0, expect_pac=True,
-- expect_requester_sid=True, expected_sid=sid)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_req_from_rodc_no_pac_attrs(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -548,101 +542,99 @@ class KdcTgsTests(KDCBaseTest):
- def test_tgs_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True)
- self._s4u2self(tgt, creds,
-- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
-- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
-- expect_edata=True)
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expect_edata=False)
-
- def test_user2user_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True)
-- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
-+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test making a request with authdata and without a PAC.
- def test_tgs_authdata_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_authdata_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
- allow_empty_authdata=True)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_authdata_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
- allow_empty_authdata=True)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_authdata_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._s4u2self(tgt, creds,
-- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
-- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
-- expect_edata=True)
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expect_edata=False)
-
- def test_user2user_authdata_no_pac(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
-- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
-+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test changing the SID in the PAC to that of another account.
- def test_tgs_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, new_rid=existing_rid)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, new_rid=existing_rid)
- self._s4u2self(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_user2user_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, new_rid=existing_rid)
- self._user2user(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_requester_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, new_rid=existing_rid,
- can_modify_logon_info=False)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_logon_info_sid_mismatch_existing(self):
- creds = self._get_creds()
-@@ -656,49 +648,49 @@ class KdcTgsTests(KDCBaseTest):
- existing_rid = self._get_existing_rid()
- tgt = self._get_tgt(creds, new_rid=existing_rid,
- remove_requester_sid=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test changing the SID in the PAC to a non-existent one.
- def test_tgs_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, renewable=True,
- new_rid=nonexistent_rid)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, invalid=True,
- new_rid=nonexistent_rid)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
- self._s4u2self(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_user2user_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
- self._user2user(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_requester_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
- can_modify_logon_info=False)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_logon_info_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
-@@ -712,7 +704,7 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
- remove_requester_sid=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test with an RODC-issued ticket where the client is revealed to the RODC.
- def test_tgs_rodc_revealed(self):
-@@ -753,7 +745,7 @@ class KdcTgsTests(KDCBaseTest):
- existing_rid = self._get_existing_rid(replication_allowed=True,
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_rodc_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -762,7 +754,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
- new_rid=existing_rid)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_rodc_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -771,7 +763,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
- new_rid=existing_rid)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_rodc_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -779,7 +771,7 @@ class KdcTgsTests(KDCBaseTest):
- existing_rid = self._get_existing_rid(replication_allowed=True,
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
-- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_user2user_rodc_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -788,7 +780,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
- self._user2user(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_rodc_requester_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -797,7 +789,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
- can_modify_logon_info=False)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_rodc_logon_info_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -815,7 +807,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
- remove_requester_sid=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test with an RODC-issued ticket where the SID in the PAC is changed to a
- # non-existent one.
-@@ -824,7 +816,7 @@ class KdcTgsTests(KDCBaseTest):
- revealed_to_rodc=True)
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_renew_rodc_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -832,7 +824,7 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
- new_rid=nonexistent_rid)
-- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_validate_rodc_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -840,14 +832,14 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
- new_rid=nonexistent_rid)
-- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_s4u2self_rodc_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
-- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_user2user_rodc_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -855,7 +847,7 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
- self._user2user(tgt, creds,
-- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -863,7 +855,7 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
- can_modify_logon_info=False)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -879,7 +871,7 @@ class KdcTgsTests(KDCBaseTest):
- nonexistent_rid = self._get_non_existent_rid()
- tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
- remove_requester_sid=True)
-- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
-+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- # Test with an RODC-issued ticket where the client is not revealed to the
- # RODC.
-@@ -1111,8 +1103,7 @@ class KdcTgsTests(KDCBaseTest):
- names=[user_name])
-
- self._user2user(tgt, creds, sname=sname,
-- expected_error=(KDC_ERR_BADMATCH,
-- KDC_ERR_BADOPTION))
-+ expected_error=KDC_ERR_BADMATCH)
-
- def test_user2user_other_sname(self):
- other_name = self.get_new_username()
-@@ -1134,8 +1125,7 @@ class KdcTgsTests(KDCBaseTest):
- sname = self.get_krbtgt_sname()
-
- self._user2user(tgt, creds, sname=sname,
-- expected_error=(KDC_ERR_BADMATCH,
-- KDC_ERR_BADOPTION))
-+ expected_error=KDC_ERR_BADMATCH)
-
- def test_user2user_wrong_srealm(self):
- creds = self._get_creds()
-@@ -1206,7 +1196,9 @@ class KdcTgsTests(KDCBaseTest):
-
- tgt = self._modify_tgt(tgt, cname=cname)
-
-- self._user2user(tgt, creds, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
-+ self._user2user(tgt, creds,
-+ expected_error=(KDC_ERR_TGT_REVOKED,
-+ KDC_ERR_C_PRINCIPAL_UNKNOWN))
-
- def test_user2user_non_existent_sname(self):
- creds = self._get_creds()
-@@ -1522,8 +1514,7 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._modify_tgt(tgt, renewable=True,
- remove_requester_sid=True)
-
-- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
-- expect_requester_sid=False) # Note: not expected
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_requester_sid_missing_rodc_renew(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1539,9 +1530,7 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
- remove_requester_sid=True)
-
-- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
-- expected_sid=sid,
-- expect_requester_sid=True)
-+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
- def test_tgs_pac_request_none(self):
- creds = self._get_creds()
-@@ -1655,10 +1644,10 @@ class KdcTgsTests(KDCBaseTest):
- creds = self._get_creds()
- tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
-
-- ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=False)
-+ ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
-
-- pac = self.get_ticket_pac(ticket, expect_pac=False)
-- self.assertIsNone(pac)
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-
- def test_s4u2self_pac_request_true(self):
- creds = self._get_creds()
-@@ -1753,10 +1742,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
- tgt = self._modify_tgt(tgt, from_rodc=True)
-
-- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
- pac = self.get_ticket_pac(ticket, expect_pac=False)
-- self.assertIsNone(pac)
-+ self.assertIsNotNone(pac)
-
- def test_tgs_rodc_pac_request_true(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1784,7 +1773,8 @@ class KdcTgsTests(KDCBaseTest):
- 'sAMAccountName')
- samdb.modify(msg)
-
-- self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
-+ self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
-+ KDC_ERR_C_PRINCIPAL_UNKNOWN))
-
- def _modify_renewable(self, enc_part):
- # Set the renewable flag.
-diff --git python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
-index 0aa3309b814..e6b90d3e16a 100755
---- python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
-+++ python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
-@@ -32,6 +32,7 @@ from samba.tests.krb5.rfc4120_constants import (
- NT_PRINCIPAL,
- NT_SRV_INST,
- KDC_ERR_C_PRINCIPAL_UNKNOWN,
-+ KDC_ERR_TGT_REVOKED,
- )
-
- global_asn1_print = False
-@@ -322,21 +323,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
-
- (rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype,
-- service_creds=mc, expect_pac=False)
-- self.check_tgs_reply(rep)
--
-- # Check the contents of the service ticket
-- ticket = rep['ticket']
-- enc_part = self.decode_service_ticket(mc, ticket)
-- #
-- # We get an empty authorization-data element in the ticket.
-- # i.e. no PAC
-- self.assertEqual([], enc_part['authorization-data'])
-- # check the crealm and cname
-- cname = enc_part['cname']
-- self.assertEqual(NT_PRINCIPAL, cname['name-type'])
-- self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0])
-- self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm'])
-+ service_creds=mc, expect_pac=False,
-+ expect_edata=False,
-+ expected_error_mode=KDC_ERR_TGT_REVOKED)
-+ self.check_error_rep(rep, KDC_ERR_TGT_REVOKED)
-
- def test_nt_principal_step_4_b(self):
- ''' Step 4, pre-authentication
-@@ -703,21 +693,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
-
- (rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype,
-- service_creds=mc, expect_pac=False)
-- self.check_tgs_reply(rep)
--
-- # Check the contents of the service ticket
-- ticket = rep['ticket']
-- enc_part = self.decode_service_ticket(mc, ticket)
-- #
-- # We get an empty authorization-data element in the ticket.
-- # i.e. no PAC
-- self.assertEqual([], enc_part['authorization-data'])
-- # check the crealm and cname
-- cname = enc_part['cname']
-- self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type'])
-- self.assertEqual(ename.encode('UTF8'), cname['name-string'][0])
-- self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm'])
-+ service_creds=mc, expect_pac=False,
-+ expect_edata=False,
-+ expected_error_mode=KDC_ERR_TGT_REVOKED)
-+ self.check_error_rep(rep, KDC_ERR_TGT_REVOKED)
-
- def test_nt_enterprise_principal_step_6_b(self):
- ''' Step 4, pre-authentication
-diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py
-index a80a7b3427e..5f37525f393 100755
---- python/samba/tests/krb5/s4u_tests.py
-+++ python/samba/tests/krb5/s4u_tests.py
-@@ -42,6 +42,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KDC_ERR_INAPP_CKSUM,
- KDC_ERR_MODIFIED,
- KDC_ERR_SUMTYPE_NOSUPP,
-+ KDC_ERR_TGT_REVOKED,
- KU_PA_ENC_TIMESTAMP,
- KU_AS_REP_ENC_PART,
- KU_TGS_REP_ENC_PART_SUB_KEY,
-@@ -278,6 +279,8 @@ class S4UKerberosTests(KDCBaseTest):
- etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96,
- ARCFOUR_HMAC_MD5))
-
-+ expect_edata = kdc_dict.pop('expect_edata', None)
-+
- def generate_s4u2self_padata(_kdc_exchange_dict,
- _callback_dict,
- req_body):
-@@ -309,7 +312,8 @@ class S4UKerberosTests(KDCBaseTest):
- tgt=service_tgt,
- authenticator_subkey=authenticator_subkey,
- kdc_options=str(kdc_options),
-- expect_claims=False)
-+ expect_claims=False,
-+ expect_edata=expect_edata)
-
- self._generic_kdc_exchange(kdc_exchange_dict,
- cname=None,
-@@ -343,15 +347,14 @@ class S4UKerberosTests(KDCBaseTest):
-
- self._run_s4u2self_test(
- {
-- 'expected_error_mode': (KDC_ERR_GENERIC,
-- KDC_ERR_BADOPTION),
-- 'expected_status': ntstatus.NT_STATUS_INVALID_PARAMETER,
-+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
- 'client_opts': {
- 'not_delegated': False
- },
- 'kdc_options': 'forwardable',
- 'modify_service_tgt_fn': forwardable_no_pac,
-- 'expected_flags': 'forwardable'
-+ 'expected_flags': 'forwardable',
-+ 'expect_edata': False
- })
-
- # Test performing an S4U2Self operation without requesting a forwardable
-@@ -674,8 +677,8 @@ class S4UKerberosTests(KDCBaseTest):
- # contain a PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': (KDC_ERR_BADOPTION,
-- KDC_ERR_MODIFIED),
-+ 'expected_error_mode': (KDC_ERR_MODIFIED,
-+ KDC_ERR_TGT_REVOKED),
- 'allow_delegation': True,
- 'modify_client_tkt_fn': self.remove_ticket_pac,
- 'expect_edata': False
-@@ -686,9 +689,10 @@ class S4UKerberosTests(KDCBaseTest):
- # PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': 0,
-+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
- 'allow_delegation': True,
-- 'modify_service_tgt_fn': self.remove_ticket_pac
-+ 'modify_service_tgt_fn': self.remove_ticket_pac,
-+ 'expect_edata': False
- })
-
- def test_constrained_delegation_no_client_pac_no_auth_data_required(self):
-@@ -696,8 +700,8 @@ class S4UKerberosTests(KDCBaseTest):
- # contain a PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': (KDC_ERR_BADOPTION,
-- KDC_ERR_MODIFIED),
-+ 'expected_error_mode': (KDC_ERR_MODIFIED,
-+ KDC_ERR_BADOPTION),
- 'allow_delegation': True,
- 'modify_client_tkt_fn': self.remove_ticket_pac,
- 'expect_edata': False,
-@@ -711,13 +715,14 @@ class S4UKerberosTests(KDCBaseTest):
- # PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': (KDC_ERR_BADOPTION,
-- KDC_ERR_MODIFIED),
-+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
- 'allow_delegation': True,
- 'modify_service_tgt_fn': self.remove_ticket_pac,
- 'service2_opts': {
- 'no_auth_data_required': True
-- }
-+ },
-+ 'expect_pac': False,
-+ 'expect_edata': False
- })
-
- def test_constrained_delegation_non_forwardable(self):
-@@ -812,12 +817,11 @@ class S4UKerberosTests(KDCBaseTest):
- # PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': KDC_ERR_BADOPTION,
-- 'expected_status':
-- ntstatus.NT_STATUS_NOT_FOUND,
-+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
- 'allow_rbcd': True,
- 'pac_options': '0001', # supports RBCD
-- 'modify_service_tgt_fn': self.remove_ticket_pac
-+ 'modify_service_tgt_fn': self.remove_ticket_pac,
-+ 'expect_edata': False
- })
-
- def test_rbcd_no_client_pac_no_auth_data_required_a(self):
-@@ -858,15 +862,14 @@ class S4UKerberosTests(KDCBaseTest):
- # PAC.
- self._run_delegation_test(
- {
-- 'expected_error_mode': KDC_ERR_BADOPTION,
-- 'expected_status':
-- ntstatus.NT_STATUS_NOT_FOUND,
-+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
- 'allow_rbcd': True,
- 'pac_options': '0001', # supports RBCD
- 'modify_service_tgt_fn': self.remove_ticket_pac,
- 'service2_opts': {
- 'no_auth_data_required': True
-- }
-+ },
-+ 'expect_edata': False
- })
-
- def test_rbcd_non_forwardable(self):
-@@ -941,8 +944,8 @@ class S4UKerberosTests(KDCBaseTest):
- for checksum in self.pac_checksum_types:
- with self.subTest(checksum=checksum):
- if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM:
-- expected_error_mode = (KDC_ERR_BADOPTION,
-- KDC_ERR_MODIFIED)
-+ expected_error_mode = (KDC_ERR_MODIFIED,
-+ KDC_ERR_BADOPTION)
- else:
- expected_error_mode = KDC_ERR_GENERIC
-
-@@ -1061,8 +1064,7 @@ class S4UKerberosTests(KDCBaseTest):
- for checksum in self.pac_checksum_types:
- with self.subTest(checksum=checksum):
- if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM:
-- expected_error_mode = (KDC_ERR_MODIFIED,
-- KDC_ERR_BAD_INTEGRITY)
-+ expected_error_mode = KDC_ERR_MODIFIED
- expected_status = ntstatus.NT_STATUS_WRONG_PASSWORD
- else:
- expected_error_mode = 0
-@@ -1162,8 +1164,7 @@ class S4UKerberosTests(KDCBaseTest):
- with self.subTest(checksum=checksum, ctype=ctype):
- if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM:
- if ctype == Cksumtype.SHA1:
-- expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP,
-- KDC_ERR_BAD_INTEGRITY)
-+ expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP
- expected_status = ntstatus.NT_STATUS_LOGON_FAILURE
- else:
- expected_error_mode = KDC_ERR_GENERIC
-diff --git python/samba/tests/krb5/test_rpc.py python/samba/tests/krb5/test_rpc.py
-index 2d483986e83..5a3c7339cea 100755
---- python/samba/tests/krb5/test_rpc.py
-+++ python/samba/tests/krb5/test_rpc.py
-@@ -24,7 +24,10 @@ import ldb
-
- from samba import NTSTATUSError, credentials
- from samba.dcerpc import lsa
--from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
-+from samba.ntstatus import (
-+ NT_STATUS_ACCESS_DENIED,
-+ NT_STATUS_NO_IMPERSONATION_TOKEN
-+)
-
- from samba.tests.krb5.kdc_base_test import KDCBaseTest
-
-@@ -103,7 +106,8 @@ class RpcTests(KDCBaseTest):
- self.fail()
-
- enum, _ = e.args
-- self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
-+ self.assertIn(enum, {NT_STATUS_ACCESS_DENIED,
-+ NT_STATUS_NO_IMPERSONATION_TOKEN})
- return
-
- (account_name, _) = conn.GetUserName(None, None, None)
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 7eba899966e..1b7e159c381 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -233,16 +233,21 @@
- # S4U tests
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required)
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
-@@ -259,3 +264,62 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
-+#
-+# Alias tests
-+#
-+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
-+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename
-+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete
-+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename
-+#
-+# KDC TGS tests
-+#
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 8cd36fe2d96..cc12499bb50 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -390,6 +390,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- # KDC TGT tests
- #
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
-@@ -401,6 +403,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
-@@ -418,6 +422,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link
-@@ -427,6 +432,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-@@ -462,6 +469,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
- #
- # PAC attributes tests
- #
---
-2.25.1
-
-
-From ea82822a5c451df50feed15c5da3501df2b5c106 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 12:04:36 +1300
-Subject: [PATCH 28/99] tests/krb5: Remove unnecessary expect_pac arguments
-
-The value of expect_pac is not considered if we are expecting an error.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 28d501875a98fa2817262eb8ec68bf91528428c2)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 7ea15f0fbab..6160ef649e8 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -412,7 +412,7 @@ class KdcTgsTests(KDCBaseTest):
- self.assertIsNone(pac)
-
- self._make_tgs_request(client_creds, service_creds, tgt,
-- expect_pac=False, expect_error=True)
-+ expect_error=True)
-
- def test_remove_pac_client_no_auth_data_required(self):
- client_creds = self.get_cached_creds(
-@@ -427,7 +427,7 @@ class KdcTgsTests(KDCBaseTest):
- self.assertIsNone(pac)
-
- self._make_tgs_request(client_creds, service_creds, tgt,
-- expect_pac=False, expect_error=True)
-+ expect_error=True)
-
- def test_remove_pac(self):
- client_creds = self.get_client_creds()
-@@ -440,7 +440,7 @@ class KdcTgsTests(KDCBaseTest):
- self.assertIsNone(pac)
-
- self._make_tgs_request(client_creds, service_creds, tgt,
-- expect_pac=False, expect_error=True)
-+ expect_error=True)
-
- def test_upn_dns_info_ex_user(self):
- client_creds = self.get_client_creds()
---
-2.25.1
-
-
-From eb0ed5f4f6d725c49fda97bc8f7aae89f90bd913 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 30 Nov 2021 09:26:40 +1300
-Subject: [PATCH 29/99] tests/krb5: Add tests for invalid TGTs
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 7574ba9f580fca552b80532a49d00e657fbdf4fd)
-
-[jsutton@samba.org Removed some MIT knownfail changes]
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 16 ++++++++++++++++
- python/samba/tests/krb5/rfc4120_constants.py | 1 +
- selftest/knownfail_mit_kdc | 1 +
- 3 files changed, 18 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 6160ef649e8..f5f091610ac 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -44,6 +44,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KDC_ERR_C_PRINCIPAL_UNKNOWN,
- KDC_ERR_S_PRINCIPAL_UNKNOWN,
- KDC_ERR_TGT_REVOKED,
-+ KRB_ERR_TKT_NYV,
- KDC_ERR_WRONG_REALM,
- NT_PRINCIPAL,
- NT_SRV_INST,
-@@ -511,6 +512,21 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds)
- self._user2user(tgt, creds, expected_error=0)
-
-+ def test_tgs_req_invalid(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, invalid=True)
-+ self._run_tgs(tgt, expected_error=KRB_ERR_TKT_NYV)
-+
-+ def test_s4u2self_req_invalid(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, invalid=True)
-+ self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
-+
-+ def test_user2user_req_invalid(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, invalid=True)
-+ self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
-+
- def test_tgs_req_no_requester_sid(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_requester_sid=True)
-diff --git python/samba/tests/krb5/rfc4120_constants.py python/samba/tests/krb5/rfc4120_constants.py
-index 5251e291fde..a9fdc5735dd 100644
---- python/samba/tests/krb5/rfc4120_constants.py
-+++ python/samba/tests/krb5/rfc4120_constants.py
-@@ -76,6 +76,7 @@ KDC_ERR_TGT_REVOKED = 20
- KDC_ERR_PREAUTH_FAILED = 24
- KDC_ERR_PREAUTH_REQUIRED = 25
- KDC_ERR_BAD_INTEGRITY = 31
-+KRB_ERR_TKT_NYV = 33
- KDC_ERR_NOT_US = 35
- KDC_ERR_BADMATCH = 36
- KDC_ERR_SKEW = 37
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index cc12499bb50..3aacec00870 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -422,6 +422,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_invalid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
---
-2.25.1
-
-
-From 645d30ff371fdf3e16cb1fa69f2e93a848d20bdb Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 12:10:45 +1300
-Subject: [PATCH 30/99] tests/krb5: Add tests for TGS requests with a non-TGT
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 51 ++++++++++++++++++++++++
- selftest/knownfail_mit_kdc | 2 +
- 2 files changed, 53 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index f5f091610ac..52297c963e8 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -40,6 +40,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KDC_ERR_BADMATCH,
- KDC_ERR_GENERIC,
- KDC_ERR_MODIFIED,
-+ KDC_ERR_NOT_US,
- KDC_ERR_POLICY,
- KDC_ERR_C_PRINCIPAL_UNKNOWN,
- KDC_ERR_S_PRINCIPAL_UNKNOWN,
-@@ -1234,6 +1235,56 @@ class KdcTgsTests(KDCBaseTest):
- expected_error=(KDC_ERR_GENERIC,
- KDC_ERR_S_PRINCIPAL_UNKNOWN))
-
-+ def test_tgs_service_ticket(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+
-+ service_creds = self.get_service_creds()
-+ service_ticket = self.get_service_ticket(tgt, service_creds)
-+
-+ self._run_tgs(service_ticket,
-+ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
-+
-+ def test_renew_service_ticket(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+
-+ service_creds = self.get_service_creds()
-+ service_ticket = self.get_service_ticket(tgt, service_creds)
-+
-+ service_ticket = self.modified_ticket(
-+ service_ticket,
-+ modify_fn=self._modify_renewable,
-+ checksum_keys=self.get_krbtgt_checksum_key())
-+
-+ self._renew_tgt(service_ticket,
-+ expected_error=KDC_ERR_POLICY)
-+
-+ def test_validate_service_ticket(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+
-+ service_creds = self.get_service_creds()
-+ service_ticket = self.get_service_ticket(tgt, service_creds)
-+
-+ service_ticket = self.modified_ticket(
-+ service_ticket,
-+ modify_fn=self._modify_invalid,
-+ checksum_keys=self.get_krbtgt_checksum_key())
-+
-+ self._validate_tgt(service_ticket,
-+ expected_error=KDC_ERR_POLICY)
-+
-+ def test_s4u2self_service_ticket(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+
-+ service_creds = self.get_service_creds()
-+ service_ticket = self.get_service_ticket(tgt, service_creds)
-+
-+ self._s4u2self(service_ticket, creds,
-+ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
-+
- def test_user2user_service_ticket(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds)
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 3aacec00870..98e8a34cd5f 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -403,6 +403,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-@@ -470,6 +471,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
- #
---
-2.25.1
-
-
-From 1d616e8e9c0dceabebd1f079fc4d652d6bf2060d Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 12:09:18 +1300
-Subject: [PATCH 31/99] tests/krb5: Add TGS-REQ tests with FAST
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ec823c2a83c639f1d7c422153a53d366750e5f2a)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 184 ++++++++++++++++++++++-
- selftest/knownfail_heimdal_kdc | 13 ++
- selftest/knownfail_mit_kdc | 17 +++
- 3 files changed, 212 insertions(+), 2 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 52297c963e8..99a91528fa8 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -32,6 +32,7 @@ os.environ["PYTHONUNBUFFERED"] = "1"
-
- import samba.tests.krb5.kcrypto as kcrypto
- from samba.tests.krb5.kdc_base_test import KDCBaseTest
-+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
- from samba.tests.krb5.rfc4120_constants import (
- AES256_CTS_HMAC_SHA1_96,
- ARCFOUR_HMAC_MD5,
-@@ -513,6 +514,11 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds)
- self._user2user(tgt, creds, expected_error=0)
-
-+ def test_fast_req(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+ self._fast(tgt, creds, expected_error=0)
-+
- def test_tgs_req_invalid(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, invalid=True)
-@@ -528,6 +534,12 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, invalid=True)
- self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
-
-+ def test_fast_req_invalid(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, invalid=True)
-+ self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV,
-+ expected_sname=self.get_krbtgt_sname())
-+
- def test_tgs_req_no_requester_sid(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, remove_requester_sid=True)
-@@ -583,6 +595,12 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, remove_pac=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_no_pac(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, remove_pac=True)
-+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test making a request with authdata and without a PAC.
- def test_tgs_authdata_no_pac(self):
- creds = self._get_creds()
-@@ -613,6 +631,12 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_authdata_no_pac(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
-+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test changing the SID in the PAC to that of another account.
- def test_tgs_sid_mismatch_existing(self):
- creds = self._get_creds()
-@@ -646,6 +670,14 @@ class KdcTgsTests(KDCBaseTest):
- self._user2user(tgt, creds,
- expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_sid_mismatch_existing(self):
-+ creds = self._get_creds()
-+ existing_rid = self._get_existing_rid()
-+ tgt = self._get_tgt(creds, new_rid=existing_rid)
-+ self._fast(tgt, creds,
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- def test_requester_sid_mismatch_existing(self):
- creds = self._get_creds()
- existing_rid = self._get_existing_rid()
-@@ -702,6 +734,14 @@ class KdcTgsTests(KDCBaseTest):
- self._user2user(tgt, creds,
- expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_sid_mismatch_nonexisting(self):
-+ creds = self._get_creds()
-+ nonexistent_rid = self._get_non_existent_rid()
-+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
-+ self._fast(tgt, creds,
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- def test_requester_sid_mismatch_nonexisting(self):
- creds = self._get_creds()
- nonexistent_rid = self._get_non_existent_rid()
-@@ -799,6 +839,16 @@ class KdcTgsTests(KDCBaseTest):
- self._user2user(tgt, creds,
- expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_rodc_sid_mismatch_existing(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ existing_rid = self._get_existing_rid(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
-+ self._fast(tgt, creds,
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- def test_tgs_rodc_requester_sid_mismatch_existing(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
-@@ -866,6 +916,15 @@ class KdcTgsTests(KDCBaseTest):
- self._user2user(tgt, creds,
- expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_rodc_sid_mismatch_nonexisting(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ nonexistent_rid = self._get_non_existent_rid()
-+ tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
-+ self._fast(tgt, creds,
-+ expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
-@@ -955,6 +1014,14 @@ class KdcTgsTests(KDCBaseTest):
- self._remove_rodc_partial_secrets()
- self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
-
-+ def test_fast_rodc_no_partial_secrets(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True)
-+ self._remove_rodc_partial_secrets()
-+ self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test with an RODC-issued ticket where the RODC account does not have an
- # msDS-KrbTgtLink.
- def test_tgs_rodc_no_krbtgt_link(self):
-@@ -992,6 +1059,14 @@ class KdcTgsTests(KDCBaseTest):
- self._remove_rodc_krbtgt_link()
- self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
-
-+ def test_fast_rodc_no_krbtgt_link(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True)
-+ self._remove_rodc_krbtgt_link()
-+ self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test with an RODC-issued ticket where the client is not allowed to
- # replicate to the RODC.
- def test_tgs_rodc_not_allowed(self):
-@@ -1019,6 +1094,12 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, from_rodc=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_rodc_not_allowed(self):
-+ creds = self._get_creds(revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True)
-+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test with an RODC-issued ticket where the client is denied from
- # replicating to the RODC.
- def test_tgs_rodc_denied(self):
-@@ -1051,6 +1132,13 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, from_rodc=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_rodc_denied(self):
-+ creds = self._get_creds(replication_denied=True,
-+ revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True)
-+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test with an RODC-issued ticket where the client is both allowed and
- # denied replicating to the RODC.
- def test_tgs_rodc_allowed_denied(self):
-@@ -1088,6 +1176,14 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._get_tgt(creds, from_rodc=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_fast_rodc_allowed_denied(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ replication_denied=True,
-+ revealed_to_rodc=True)
-+ tgt = self._get_tgt(creds, from_rodc=True)
-+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
-+ expected_sname=self.get_krbtgt_sname())
-+
- # Test user-to-user with incorrect service principal names.
- def test_user2user_matching_sname_host(self):
- creds = self._get_creds()
-@@ -1295,6 +1391,17 @@ class KdcTgsTests(KDCBaseTest):
- self._user2user(service_ticket, creds,
- expected_error=(KDC_ERR_MODIFIED, KDC_ERR_POLICY))
-
-+ # Expected to fail against Windows, which does not produce a policy error.
-+ def test_fast_service_ticket(self):
-+ creds = self._get_creds()
-+ tgt = self._get_tgt(creds)
-+
-+ service_creds = self.get_service_creds()
-+ service_ticket = self.get_service_ticket(tgt, service_creds)
-+
-+ self._fast(service_ticket, creds,
-+ expected_error=KDC_ERR_POLICY)
-+
- def test_pac_attrs_none(self):
- creds = self._get_creds()
- self.get_tgt(creds, pac_request=None,
-@@ -1792,6 +1899,34 @@ class KdcTgsTests(KDCBaseTest):
- pac = self.get_ticket_pac(ticket)
- self.assertIsNotNone(pac)
-
-+ def test_fast_pac_request_none(self):
-+ creds = self._get_creds()
-+ tgt = self.get_tgt(creds, pac_request=None)
-+
-+ ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
-+ def test_fast_pac_request_false(self):
-+ creds = self._get_creds()
-+ tgt = self.get_tgt(creds, pac_request=False)
-+
-+ ticket = self._fast(tgt, creds, expected_error=0,
-+ expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket, expect_pac=True)
-+ self.assertIsNotNone(pac)
-+
-+ def test_fast_pac_request_true(self):
-+ creds = self._get_creds()
-+ tgt = self.get_tgt(creds, pac_request=True)
-+
-+ ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
- def test_tgs_rodc_pac_request_none(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
-@@ -2192,13 +2327,28 @@ class KdcTgsTests(KDCBaseTest):
- srealm=srealm,
- expect_pac=expect_pac)
-
-+ def _fast(self, armor_tgt, armor_tgt_creds, expected_error,
-+ expected_sname=None, expect_pac=True):
-+ user_creds = self._get_mach_creds()
-+ user_tgt = self.get_tgt(user_creds)
-+
-+ target_creds = self.get_service_creds()
-+
-+ return self._tgs_req(user_tgt, expected_error, target_creds,
-+ armor_tgt=armor_tgt,
-+ expected_sname=expected_sname,
-+ expect_pac=expect_pac)
-+
- def _tgs_req(self, tgt, expected_error, target_creds,
-+ armor_tgt=None,
- kdc_options='0',
- expected_cname=None,
-+ expected_sname=None,
- additional_ticket=None,
- generate_padata_fn=None,
- sname=None,
- srealm=None,
-+ use_fast=False,
- expect_claims=True,
- expect_pac=True,
- expect_pac_attrs=None,
-@@ -2214,7 +2364,8 @@ class KdcTgsTests(KDCBaseTest):
-
- if sname is False:
- sname = None
-- expected_sname = self.get_krbtgt_sname()
-+ if expected_sname is None:
-+ expected_sname = self.get_krbtgt_sname()
- else:
- if sname is None:
- target_name = target_creds.get_username()
-@@ -2229,7 +2380,8 @@ class KdcTgsTests(KDCBaseTest):
- name_type=NT_PRINCIPAL,
- names=['host', target_name])
-
-- expected_sname = sname
-+ if expected_sname is None:
-+ expected_sname = sname
-
- if additional_ticket is not None:
- additional_tickets = [additional_ticket.ticket]
-@@ -2241,6 +2393,28 @@ class KdcTgsTests(KDCBaseTest):
-
- subkey = self.RandomKey(tgt.session_key.etype)
-
-+ if armor_tgt is not None:
-+ armor_subkey = self.RandomKey(subkey.etype)
-+ explicit_armor_key = self.generate_armor_key(armor_subkey,
-+ armor_tgt.session_key)
-+ armor_key = kcrypto.cf2(explicit_armor_key.key,
-+ subkey.key,
-+ b'explicitarmor',
-+ b'tgsarmor')
-+ armor_key = Krb5EncryptionKey(armor_key, None)
-+
-+ generate_fast_fn = self.generate_simple_fast
-+ generate_fast_armor_fn = self.generate_ap_req
-+
-+ pac_options = '1' # claims support
-+ else:
-+ armor_subkey = None
-+ armor_key = None
-+ generate_fast_fn = None
-+ generate_fast_armor_fn = None
-+
-+ pac_options = None
-+
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
- if expected_error:
-@@ -2260,12 +2434,18 @@ class KdcTgsTests(KDCBaseTest):
- expected_sname=expected_sname,
- ticket_decryption_key=decryption_key,
- generate_padata_fn=generate_padata_fn,
-+ generate_fast_fn=generate_fast_fn,
-+ generate_fast_armor_fn=generate_fast_armor_fn,
- check_error_fn=check_error_fn,
- check_rep_fn=check_rep_fn,
- check_kdc_private_fn=self.generic_check_kdc_private,
- expected_error_mode=expected_error,
- expected_status=expected_status,
- tgt=tgt,
-+ armor_key=armor_key,
-+ armor_tgt=armor_tgt,
-+ armor_subkey=armor_subkey,
-+ pac_options=pac_options,
- authenticator_subkey=subkey,
- kdc_options=kdc_options,
- expect_edata=expect_edata,
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 1b7e159c381..61de06659be 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -274,6 +274,19 @@
- #
- # KDC TGS tests
- #
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_denied
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_krbtgt_link
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_partial_secrets
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_not_allowed
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 98e8a34cd5f..3e19ee6c8b9 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -390,6 +390,23 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- # KDC TGT tests
- #
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_req_invalid
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_allowed_denied
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_denied
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_krbtgt_link
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_no_partial_secrets
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_not_allowed
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_rodc_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
---
-2.25.1
-
-
-From 5375e2b99cd5fd9e40d6d5f94eb7d46f366f525e Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 12:37:08 +1300
-Subject: [PATCH 32/99] tests/krb5: Align PAC buffer checking to more closely
- match Windows with PacRequestorEnforcement=2
-
-We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
-these checks are currently not enforced, which avoids a lot of test
-failures.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1)
-
-[jsutton@samba.org Fixed conflicts]
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 121 ++++++++++++++++-------
- python/samba/tests/krb5/raw_testcase.py | 39 ++++++--
- selftest/knownfail_heimdal_kdc | 9 ++
- selftest/knownfail_mit_kdc | 6 ++
- source4/selftest/tests.py | 58 +++++++----
- 5 files changed, 168 insertions(+), 65 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 99a91528fa8..f14439a4ab5 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -497,12 +497,18 @@ class KdcTgsTests(KDCBaseTest):
- def test_renew_req(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, renewable=True)
-- self._renew_tgt(tgt, expected_error=0)
-+ self._renew_tgt(tgt, expected_error=0,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=True,
-+ expect_requester_sid=True)
-
- def test_validate_req(self):
- creds = self._get_creds()
- tgt = self._get_tgt(creds, invalid=True)
-- self._validate_tgt(tgt, expected_error=0)
-+ self._validate_tgt(tgt, expected_error=0,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=True,
-+ expect_requester_sid=True)
-
- def test_s4u2self_req(self):
- creds = self._get_creds()
-@@ -774,13 +780,17 @@ class KdcTgsTests(KDCBaseTest):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
-- self._renew_tgt(tgt, expected_error=0)
-+ self._renew_tgt(tgt, expected_error=0,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_validate_rodc_revealed(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
- tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
-- self._validate_tgt(tgt, expected_error=0)
-+ self._validate_tgt(tgt, expected_error=0,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_s4u2self_rodc_revealed(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1434,7 +1444,8 @@ class KdcTgsTests(KDCBaseTest):
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=None)
-+ expect_pac_attrs_pac_request=None,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_renew_false(self):
- creds = self._get_creds()
-@@ -1447,7 +1458,8 @@ class KdcTgsTests(KDCBaseTest):
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=False)
-+ expect_pac_attrs_pac_request=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_renew_true(self):
- creds = self._get_creds()
-@@ -1460,7 +1472,8 @@ class KdcTgsTests(KDCBaseTest):
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=True)
-+ expect_pac_attrs_pac_request=True,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_rodc_renew_none(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1473,8 +1486,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=None)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_rodc_renew_false(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1487,8 +1500,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_rodc_renew_true(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1501,8 +1514,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=True)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_renew_none(self):
- creds = self._get_creds()
-@@ -1515,7 +1528,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_renew_false(self):
- creds = self._get_creds()
-@@ -1528,7 +1542,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_renew_true(self):
- creds = self._get_creds()
-@@ -1541,7 +1556,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_rodc_renew_none(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1555,7 +1571,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_rodc_renew_false(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1569,7 +1586,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_pac_attrs_missing_rodc_renew_true(self):
- creds = self._get_creds(replication_allowed=True,
-@@ -1583,7 +1601,8 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=0,
- expect_pac=True,
-- expect_pac_attrs=False)
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-
- def test_tgs_pac_attrs_none(self):
- creds = self._get_creds()
-@@ -1593,8 +1612,7 @@ class KdcTgsTests(KDCBaseTest):
- expect_pac_attrs_pac_request=None)
-
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
-- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=None)
-+ expect_pac_attrs=False)
-
- def test_tgs_pac_attrs_false(self):
- creds = self._get_creds()
-@@ -1603,7 +1621,8 @@ class KdcTgsTests(KDCBaseTest):
- expect_pac_attrs=True,
- expect_pac_attrs_pac_request=False)
-
-- self._run_tgs(tgt, expected_error=0, expect_pac=False)
-+ self._run_tgs(tgt, expected_error=0, expect_pac=False,
-+ expect_pac_attrs=False)
-
- def test_tgs_pac_attrs_true(self):
- creds = self._get_creds()
-@@ -1613,8 +1632,7 @@ class KdcTgsTests(KDCBaseTest):
- expect_pac_attrs_pac_request=True)
-
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
-- expect_pac_attrs=True,
-- expect_pac_attrs_pac_request=True)
-+ expect_pac_attrs=False)
-
- def test_as_requester_sid(self):
- creds = self._get_creds()
-@@ -1639,8 +1657,7 @@ class KdcTgsTests(KDCBaseTest):
- expect_requester_sid=True)
-
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
-- expected_sid=sid,
-- expect_requester_sid=True)
-+ expect_requester_sid=False)
-
- def test_tgs_requester_sid_renew(self):
- creds = self._get_creds()
-@@ -1655,6 +1672,8 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._modify_tgt(tgt, renewable=True)
-
- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=None,
- expected_sid=sid,
- expect_requester_sid=True)
-
-@@ -1672,6 +1691,7 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
-
- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
-+ expect_pac_attrs=False,
- expected_sid=sid,
- expect_requester_sid=True)
-
-@@ -1738,7 +1758,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=None)
- tgt = self._modify_tgt(tgt, renewable=True)
-
-- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=None,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
-@@ -1750,7 +1773,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
- tgt = self._modify_tgt(tgt, renewable=True)
-
-- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=False,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
-
-@@ -1762,7 +1788,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=True)
- tgt = self._modify_tgt(tgt, renewable=True)
-
-- tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=True,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
-@@ -1774,7 +1803,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=None)
- tgt = self._modify_tgt(tgt, invalid=True)
-
-- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=None,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
-@@ -1786,7 +1818,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
- tgt = self._modify_tgt(tgt, invalid=True)
-
-- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=False,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
-
-@@ -1798,7 +1833,10 @@ class KdcTgsTests(KDCBaseTest):
- tgt = self.get_tgt(creds, pac_request=True)
- tgt = self._modify_tgt(tgt, invalid=True)
-
-- tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None)
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=True,
-+ expect_requester_sid=True)
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
-@@ -1946,7 +1984,7 @@ class KdcTgsTests(KDCBaseTest):
-
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-
-- pac = self.get_ticket_pac(ticket, expect_pac=False)
-+ pac = self.get_ticket_pac(ticket)
- self.assertIsNotNone(pac)
-
- def test_tgs_rodc_pac_request_true(self):
-@@ -2279,12 +2317,21 @@ class KdcTgsTests(KDCBaseTest):
- expect_requester_sid=expect_requester_sid,
- expected_sid=expected_sid)
-
-- def _validate_tgt(self, tgt, expected_error, expect_pac=True):
-+ def _validate_tgt(self, tgt, expected_error, expect_pac=True,
-+ expect_pac_attrs=None,
-+ expect_pac_attrs_pac_request=None,
-+ expect_requester_sid=None,
-+ expected_sid=None):
- krbtgt_creds = self.get_krbtgt_creds()
- kdc_options = str(krb5_asn1.KDCOptions('validate'))
-- return self._tgs_req(tgt, expected_error, krbtgt_creds,
-- kdc_options=kdc_options,
-- expect_pac=expect_pac)
-+ return self._tgs_req(
-+ tgt, expected_error, krbtgt_creds,
-+ kdc_options=kdc_options,
-+ expect_pac=expect_pac,
-+ expect_pac_attrs=expect_pac_attrs,
-+ expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
-+ expect_requester_sid=expect_requester_sid,
-+ expected_sid=expected_sid)
-
- def _s4u2self(self, tgt, tgt_creds, expected_error, expect_pac=True,
- expect_edata=False, expected_status=None):
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index da3f69c79c6..14e655313fc 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -602,6 +602,13 @@ class RawKerberosTest(TestCaseInTempDir):
- expect_pac = '1'
- cls.expect_pac = bool(int(expect_pac))
-
-+ expect_extra_pac_buffers = samba.tests.env_get_var_value(
-+ 'EXPECT_EXTRA_PAC_BUFFERS',
-+ allow_missing=True)
-+ if expect_extra_pac_buffers is None:
-+ expect_extra_pac_buffers = '1'
-+ cls.expect_extra_pac_buffers = bool(int(expect_extra_pac_buffers))
-+
- def setUp(self):
- super().setUp()
- self.do_asn1_print = False
-@@ -2624,17 +2631,34 @@ class RawKerberosTest(TestCaseInTempDir):
- if not self.tkt_sig_support:
- require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
-
-+ expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
-+
- expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
-+
-+ if expect_pac_attrs:
-+ expect_pac_attrs_pac_request = kdc_exchange_dict[
-+ 'expect_pac_attrs_pac_request']
-+ else:
-+ expect_pac_attrs_pac_request = kdc_exchange_dict[
-+ 'pac_request']
-+
-+ if expect_pac_attrs is None:
-+ if self.expect_extra_pac_buffers:
-+ expect_pac_attrs = expect_extra_pac_buffers
-+ else:
-+ require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
- if expect_pac_attrs:
- expected_types.append(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
-- elif expect_pac_attrs is None:
-- require_strict.add(krb5pac.PAC_TYPE_ATTRIBUTES_INFO)
-
- expect_requester_sid = kdc_exchange_dict['expect_requester_sid']
-+
-+ if expect_requester_sid is None:
-+ if self.expect_extra_pac_buffers:
-+ expect_requester_sid = expect_extra_pac_buffers
-+ else:
-+ require_strict.add(krb5pac.PAC_TYPE_REQUESTER_SID)
- if expect_requester_sid:
- expected_types.append(krb5pac.PAC_TYPE_REQUESTER_SID)
-- elif expect_requester_sid is None:
-- require_strict.add(krb5pac.PAC_TYPE_REQUESTER_SID)
-
- buffer_types = [pac_buffer.type
- for pac_buffer in pac.buffers]
-@@ -2722,9 +2746,6 @@ class RawKerberosTest(TestCaseInTempDir):
- requested_pac = bool(flags & 1)
- given_pac = bool(flags & 2)
-
-- expect_pac_attrs_pac_request = kdc_exchange_dict[
-- 'expect_pac_attrs_pac_request']
--
- self.assertEqual(expect_pac_attrs_pac_request is True,
- requested_pac)
- self.assertEqual(expect_pac_attrs_pac_request is None,
-@@ -2734,8 +2755,8 @@ class RawKerberosTest(TestCaseInTempDir):
- and expect_requester_sid):
- requester_sid = pac_buffer.info.sid
-
-- self.assertIsNotNone(expected_sid)
-- self.assertEqual(expected_sid, str(requester_sid))
-+ if expected_sid is not None:
-+ self.assertEqual(expected_sid, str(requester_sid))
-
- def generic_check_kdc_error(self,
- kdc_exchange_dict,
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 61de06659be..294e06027b1 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -289,11 +289,15 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
-@@ -309,10 +313,14 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_)
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
-@@ -332,6 +340,7 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 3e19ee6c8b9..6c74657e87d 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -411,6 +411,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_krbtgt_link
-@@ -479,6 +482,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_krbtgt_link
-
-From 3fdfbd08b9460fb486f100d7091984f41ebd9429 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 13:10:52 +1300
-Subject: [PATCH 33/99] tests/krb5: Add tests for validation with requester SID
- PAC buffer
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ca80c47406e0f2b6fac2c55229306e21ccef9745)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 67 ++++++++++++++++++++++++
- selftest/knownfail_heimdal_kdc | 3 ++
- selftest/knownfail_mit_kdc | 4 ++
- 3 files changed, 74 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index f14439a4ab5..50079a1710c 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -1726,6 +1726,73 @@ class KdcTgsTests(KDCBaseTest):
-
- self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-
-+ def test_tgs_requester_sid_validate(self):
-+ creds = self._get_creds()
-+
-+ samdb = self.get_samdb()
-+ sid = self.get_objectSid(samdb, creds.get_dn())
-+
-+ tgt = self.get_tgt(creds, pac_request=None,
-+ expect_pac=True,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+ tgt = self._modify_tgt(tgt, invalid=True)
-+
-+ self._validate_tgt(tgt, expected_error=0, expect_pac=True,
-+ expect_pac_attrs=True,
-+ expect_pac_attrs_pac_request=None,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+
-+ def test_tgs_requester_sid_rodc_validate(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+
-+ samdb = self.get_samdb()
-+ sid = self.get_objectSid(samdb, creds.get_dn())
-+
-+ tgt = self.get_tgt(creds, pac_request=None,
-+ expect_pac=True,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+ tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True)
-+
-+ self._validate_tgt(tgt, expected_error=0, expect_pac=True,
-+ expect_pac_attrs=False,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+
-+ def test_tgs_requester_sid_missing_validate(self):
-+ creds = self._get_creds()
-+
-+ samdb = self.get_samdb()
-+ sid = self.get_objectSid(samdb, creds.get_dn())
-+
-+ tgt = self.get_tgt(creds, pac_request=None,
-+ expect_pac=True,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+ tgt = self._modify_tgt(tgt, invalid=True,
-+ remove_requester_sid=True)
-+
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-+
-+ def test_tgs_requester_sid_missing_rodc_validate(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+
-+ samdb = self.get_samdb()
-+ sid = self.get_objectSid(samdb, creds.get_dn())
-+
-+ tgt = self.get_tgt(creds, pac_request=None,
-+ expect_pac=True,
-+ expected_sid=sid,
-+ expect_requester_sid=True)
-+ tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True,
-+ remove_requester_sid=True)
-+
-+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
-+
- def test_tgs_pac_request_none(self):
- creds = self._get_creds()
- tgt = self.get_tgt(creds, pac_request=None)
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 294e06027b1..f7c5feda872 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -320,7 +320,10 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_)
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 6c74657e87d..ff287e6cd9d 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -546,8 +546,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing
---
-2.25.1
-
-
-From 69233dd323b1ce715387e6015542ed234d909295 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 15:32:32 +1300
-Subject: [PATCH 34/99] tests/krb5: Add comments for tests that fail against
- Windows
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 749349efab9b401d33a4fc286473a924364a41c9)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 50079a1710c..ecc38538e61 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -792,6 +792,8 @@ class KdcTgsTests(KDCBaseTest):
- expect_pac_attrs=False,
- expect_requester_sid=True)
-
-+ # This test fails on Windows, which gives KDC_ERR_C_PRINCIPAL_UNKNOWN when
-+ # attempting to use S4U2Self with a TGT from an RODC.
- def test_s4u2self_rodc_revealed(self):
- creds = self._get_creds(replication_allowed=True,
- revealed_to_rodc=True)
-@@ -2370,6 +2372,8 @@ class KdcTgsTests(KDCBaseTest):
- expect_requester_sid=expect_requester_sid,
- expected_sid=expected_sid)
-
-+ # These tests fail against Windows, which does not implement ticket
-+ # renewal.
- def _renew_tgt(self, tgt, expected_error, expect_pac=True,
- expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
- expect_requester_sid=None, expected_sid=None):
-@@ -2384,6 +2388,8 @@ class KdcTgsTests(KDCBaseTest):
- expect_requester_sid=expect_requester_sid,
- expected_sid=expected_sid)
-
-+ # These tests fail against Windows, which does not implement ticket
-+ # validation.
- def _validate_tgt(self, tgt, expected_error, expect_pac=True,
- expect_pac_attrs=None,
- expect_pac_attrs_pac_request=None,
---
-2.25.1
-
-
-From 6dbed53756f6bac8f63847644b3e9cbb7b6181b0 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 18 Nov 2021 13:14:51 +1300
-Subject: [PATCH 35/99] heimdal:kdc: Fix error message for user-to-user
-
-We were checking the wrong variable to see whether a PAC was found or not.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2)
----
- source4/heimdal/kdc/krb5tgs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c
-index fb2ef8230c9..cde68b41714 100644
---- source4/heimdal/kdc/krb5tgs.c
-+++ source4/heimdal/kdc/krb5tgs.c
-@@ -1629,7 +1629,7 @@ server_lookup:
- ret = KRB5KDC_ERR_BADOPTION;
- kdc_log(context, config, 0,
- "Ticket not signed with PAC; user-to-user failed (%s).",
-- mspac ? "Ticket unsigned" : "No PAC");
-+ user2user_pac ? "Ticket unsigned" : "No PAC");
- goto out;
- }
-
---
-2.25.1
-
-
-From 33d5e5ad3a06ca6a1a62e64d323580ca60f068b8 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 18 Nov 2021 16:22:34 +1300
-Subject: [PATCH 36/99] s4:torture: Fix typo
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490)
----
- source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git source4/torture/krb5/kdc-canon-heimdal.c source4/torture/krb5/kdc-canon-heimdal.c
-index cd47182c0ef..059078a4ffb 100644
---- source4/torture/krb5/kdc-canon-heimdal.c
-+++ source4/torture/krb5/kdc-canon-heimdal.c
-@@ -262,7 +262,7 @@ static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_
- KRB5_NT_PRINCIPAL,
- "krb5 libs unexpectedly "
- "did not set principal "
-- "as NT_SRV_HST!");
-+ "as NT_PRINCIPAL!");
- } else {
- torture_assert_int_equal(test_context->tctx,
- test_context->as_req.req_body.cname->name_type,
---
-2.25.1
-
-
-From 02ceb9be33dca0e3a885fd7d85b1199f76e04670 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 20:41:34 +1300
-Subject: [PATCH 37/99] heimdal:kdc: Adjust no-PAC error code to match Windows
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a)
----
- selftest/knownfail_heimdal_kdc | 19 -------------------
- source4/heimdal/kdc/krb5tgs.c | 2 +-
- 2 files changed, 1 insertion(+), 20 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index f7c5feda872..9ff85fe18fc 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -233,21 +233,15 @@
- # S4U tests
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required)
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
-@@ -292,11 +286,6 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
-@@ -304,15 +293,11 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
-@@ -333,16 +318,12 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
-diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c
-index cde68b41714..6c5c51aa448 100644
---- source4/heimdal/kdc/krb5tgs.c
-+++ source4/heimdal/kdc/krb5tgs.c
-@@ -78,7 +78,7 @@ check_PAC(krb5_context context,
- return ret;
-
- if (pac == NULL)
-- return KRB5KDC_ERR_BADOPTION;
-+ return KRB5KDC_ERR_TGT_REVOKED;
-
- /* Verify the server signature. */
- ret = krb5_pac_verify(context, pac, tkt->authtime, client_principal,
---
-2.25.1
-
-
-From 5556f97c782c9be9af47c76f2432bb8480bc0622 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 20:41:45 +1300
-Subject: [PATCH 38/99] kdc: Adjust SID mismatch error code to match Windows
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit d5d22bf84a71492342287e54b555c9f024e7e71c)
----
- selftest/knownfail_heimdal_kdc | 35 ----------------------------------
- selftest/knownfail_mit_kdc | 8 --------
- source4/kdc/pac-glue.c | 6 +-----
- 3 files changed, 1 insertion(+), 48 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 9ff85fe18fc..bc644587319 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -259,13 +259,6 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
- #
--# Alias tests
--#
--^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
--^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename
--^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete
--^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename
--#
- # KDC TGS tests
- #
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_authdata_no_pac
-@@ -281,23 +274,11 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
-@@ -309,23 +290,7 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index ff287e6cd9d..c6dc1285837 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -407,8 +407,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none
-@@ -424,8 +422,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
-@@ -454,8 +450,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
-@@ -495,8 +489,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
- #
- # PAC attributes tests
- #
-diff --git source4/kdc/pac-glue.c source4/kdc/pac-glue.c
-index e0e483662c0..2a96a683cd9 100644
---- source4/kdc/pac-glue.c
-+++ source4/kdc/pac-glue.c
-@@ -1237,11 +1237,7 @@ krb5_error_code samba_kdc_validate_pac_blob(
- "PAC[%s] != CLI[%s]\n",
- dom_sid_str_buf(&pac_sid, &buf1),
- dom_sid_str_buf(client_sid, &buf2));
--#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
-- code = KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
--#else /* Heimdal (where this is an enum) */
-- code = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
--#endif
-+ code = KRB5KDC_ERR_TGT_REVOKED;
- goto out;
- }
-
---
-2.25.1
-
-
-From c62a2b7a218e2c4bdbd476a055049e78b8c0f4ce Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 10:05:17 +1300
-Subject: [PATCH 39/99] tests/krb5: Add test for S4U2Self with wrong sname
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit bac5f75059450898937be891e863826e1350b62c)
----
- python/samba/tests/krb5/s4u_tests.py | 32 +++++++++++++++++++++++++++-
- selftest/knownfail_heimdal_kdc | 1 +
- 2 files changed, 32 insertions(+), 1 deletion(-)
-
-diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py
-index 5f37525f393..2953766ef21 100755
---- python/samba/tests/krb5/s4u_tests.py
-+++ python/samba/tests/krb5/s4u_tests.py
-@@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import (
- from samba.tests.krb5.rfc4120_constants import (
- AES256_CTS_HMAC_SHA1_96,
- ARCFOUR_HMAC_MD5,
-+ KDC_ERR_BADMATCH,
- KDC_ERR_BADOPTION,
- KDC_ERR_BAD_INTEGRITY,
- KDC_ERR_GENERIC,
-@@ -243,7 +244,9 @@ class S4UKerberosTests(KDCBaseTest):
- client_dn = client_creds.get_dn()
- sid = self.get_objectSid(samdb, client_dn)
-
-- service_name = service_creds.get_username()[:-1]
-+ service_name = kdc_dict.pop('service_name', None)
-+ if service_name is None:
-+ service_name = service_creds.get_username()[:-1]
- service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=['host', service_name])
-
-@@ -474,6 +477,33 @@ class S4UKerberosTests(KDCBaseTest):
- 'expected_flags': 'forwardable'
- })
-
-+ # Do an S4U2Self with the sname in the request different to that of the
-+ # service. We expect an error.
-+ def test_s4u2self_wrong_sname(self):
-+ other_creds = self.get_cached_creds(
-+ account_type=self.AccountType.COMPUTER,
-+ opts={
-+ 'trusted_to_auth_for_delegation': True,
-+ 'id': 0
-+ })
-+ other_sname = other_creds.get_username()[:-1]
-+
-+ self._run_s4u2self_test(
-+ {
-+ 'expected_error_mode': KDC_ERR_BADMATCH,
-+ 'expect_edata': False,
-+ 'client_opts': {
-+ 'not_delegated': False
-+ },
-+ 'service_opts': {
-+ 'trusted_to_auth_for_delegation': True
-+ },
-+ 'service_name': other_sname,
-+ 'kdc_options': 'forwardable',
-+ 'modify_service_tgt_fn': functools.partial(
-+ self.set_ticket_forwardable, flag=True)
-+ })
-+
- def _run_delegation_test(self, kdc_dict):
- client_opts = kdc_dict.pop('client_opts', None)
- client_creds = self.get_cached_creds(
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index bc644587319..483145f1473 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -243,6 +243,7 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
---
-2.25.1
-
-
-From 46b05cbf803c54cf56dca228fe95a3454027d0cc Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 23 Nov 2021 20:00:07 +1300
-Subject: [PATCH 40/99] kdc: Match Windows error code for mismatching sname
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83)
----
- selftest/knownfail_heimdal_kdc | 3 ---
- source4/kdc/db-glue.c | 2 +-
- 2 files changed, 1 insertion(+), 4 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 483145f1473..981d7894158 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -243,7 +243,6 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
-@@ -292,6 +291,4 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index d017741e30a..bed0ff773f9 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -2599,7 +2599,7 @@ samba_kdc_check_s4u2self(krb5_context context,
- */
- if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
- talloc_free(frame);
-- return KRB5KDC_ERR_BADOPTION;
-+ return KRB5KRB_AP_ERR_BADMATCH;
- }
-
- talloc_free(frame);
---
-2.25.1
-
-
-From 93a5264dd68da57e172af50020f670631eeef263 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 23 Nov 2021 20:15:41 +1300
-Subject: [PATCH 41/99] kdc: Always add the PAC if the header TGT is from an
- RODC
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8)
----
- selftest/knownfail_heimdal_kdc | 1 -
- source4/kdc/wdc-samba4.c | 2 +-
- 2 files changed, 1 insertion(+), 2 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 981d7894158..94a4509f45a 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -290,5 +290,4 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
-diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c
-index ecd182702c3..8c3ce71529c 100644
---- source4/kdc/wdc-samba4.c
-+++ source4/kdc/wdc-samba4.c
-@@ -471,7 +471,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- goto out;
- }
-
-- if (!server_skdc_entry->is_krbtgt) {
-+ if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
- /*
- * The client may have requested no PAC when obtaining the
- * TGT.
---
-2.25.1
-
-
-From 4cd44326ce38187965c46c71322caedb7a2fbf6c Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 10:32:44 +1300
-Subject: [PATCH 42/99] tests/krb5: Add tests for renewal and validation of
- RODC TGTs with PAC requests
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 73a48063469205099f02efdf3b8f0f1040dc7a3d)
----
- python/samba/tests/krb5/kdc_tgs_tests.py | 90 ++++++++++++++++++++++++
- selftest/knownfail_heimdal_kdc | 6 ++
- selftest/knownfail_mit_kdc | 6 ++
- 3 files changed, 102 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index ecc38538e61..2923d53772a 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -1867,6 +1867,51 @@ class KdcTgsTests(KDCBaseTest):
- pac = self.get_ticket_pac(ticket)
- self.assertIsNotNone(pac)
-
-+ def test_rodc_renew_pac_request_none(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=None)
-+ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
-+
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
-+ def test_rodc_renew_pac_request_false(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
-+ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
-+
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
-+ def test_rodc_renew_pac_request_true(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=True)
-+ tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
-+
-+ tgt = self._renew_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
- def test_validate_pac_request_none(self):
- creds = self._get_creds()
- tgt = self.get_tgt(creds, pac_request=None)
-@@ -1912,6 +1957,51 @@ class KdcTgsTests(KDCBaseTest):
- pac = self.get_ticket_pac(ticket)
- self.assertIsNotNone(pac)
-
-+ def test_rodc_validate_pac_request_none(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=None)
-+ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
-+
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
-+ def test_rodc_validate_pac_request_false(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
-+ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
-+
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
-+ def test_rodc_validate_pac_request_true(self):
-+ creds = self._get_creds(replication_allowed=True,
-+ revealed_to_rodc=True)
-+ tgt = self.get_tgt(creds, pac_request=True)
-+ tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
-+
-+ tgt = self._validate_tgt(tgt, expected_error=0, expect_pac=None,
-+ expect_pac_attrs=False,
-+ expect_requester_sid=True)
-+
-+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
- def test_s4u2self_pac_request_none(self):
- creds = self._get_creds()
- tgt = self.get_tgt(creds, pac_request=None)
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 94a4509f45a..2de898e73c2 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -278,6 +278,12 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index c6dc1285837..73e64145e42 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -422,6 +422,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
---
-2.25.1
-
-
-From 925f63f3e464c0fdb91aaa5ed523a6ddb481bfff Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 13:24:57 +1300
-Subject: [PATCH 43/99] Revert "CVE-2020-25719 s4/torture: Expect additional
- PAC buffers"
-
-This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.
-
-We should not be generating these additional PAC buffers for service
-tickets, only for TGTs.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e61983c7f2c4daade83b237efb990d0c0645b3a3)
----
- selftest/knownfail_heimdal_kdc | 39 ++++++++++++++++++++++++++++++++
- source4/torture/rpc/remote_pac.c | 24 ++------------------
- 2 files changed, 41 insertions(+), 22 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 2de898e73c2..65e4fee9510 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -297,3 +297,42 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
-+#
-+# PAC tests
-+#
-+^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
-+^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local
-+^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
-+^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local
-+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
-+^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local
-+^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
-+^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local
-+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
-+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local
-+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
-+^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local
-+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
-+^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
-diff --git source4/torture/rpc/remote_pac.c source4/torture/rpc/remote_pac.c
-index c94decef5ce..14c23f674f1 100644
---- source4/torture/rpc/remote_pac.c
-+++ source4/torture/rpc/remote_pac.c
-@@ -266,7 +266,7 @@ static bool test_PACVerify(struct torture_context *tctx,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
-
-- num_pac_buffers = 7;
-+ num_pac_buffers = 5;
- if (expect_pac_upn_dns_info) {
- num_pac_buffers += 1;
- }
-@@ -323,18 +323,6 @@ static bool test_PACVerify(struct torture_context *tctx,
- pac_buf->info != NULL,
- "PAC_TYPE_TICKET_CHECKSUM info");
-
-- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO);
-- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO");
-- torture_assert(tctx,
-- pac_buf->info != NULL,
-- "PAC_TYPE_ATTRIBUTES_INFO info");
--
-- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID);
-- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID");
-- torture_assert(tctx,
-- pac_buf->info != NULL,
-- "PAC_TYPE_REQUESTER_SID info");
--
- ok = netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
- negotiate_flags, pac_data, session_info);
-
-@@ -1094,7 +1082,7 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
- torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), "ndr_pull_struct_blob of PAC_DATA structure failed");
-
-- num_pac_buffers = 9;
-+ num_pac_buffers = 7;
-
- torture_assert_int_equal(tctx, pac_data_struct.version, 0, "version");
- torture_assert_int_equal(tctx, pac_data_struct.num_buffers, num_pac_buffers, "num_buffers");
-@@ -1134,14 +1122,6 @@ static bool test_S4U2Proxy(struct torture_context *tctx,
- talloc_asprintf(tctx, "%s@%s", self_princ, cli_credentials_get_realm(credentials)),
- "wrong transited_services[0]");
-
-- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_ATTRIBUTES_INFO);
-- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_ATTRIBUTES_INFO");
-- torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_ATTRIBUTES_INFO info");
--
-- pac_buf = get_pac_buffer(&pac_data_struct, PAC_TYPE_REQUESTER_SID);
-- torture_assert_not_null(tctx, pac_buf, "PAC_TYPE_REQUESTER_SID");
-- torture_assert_not_null(tctx, pac_buf->info, "PAC_TYPE_REQUESTER_SID info");
--
- return netlogon_validate_pac(tctx, p, server_creds, secure_channel_type, test_machine_name,
- negotiate_flags, pac_data, session_info);
- }
---
-2.25.1
-
-
-From 72afa2641c24bd18a32463f0b0de7e91feb54290 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 20:42:22 +1300
-Subject: [PATCH 44/99] kdc: Don't include extra PAC buffers in service tickets
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef)
----
- selftest/knownfail_heimdal_kdc | 42 ----------------------------------
- source4/kdc/wdc-samba4.c | 31 +++++++++++++++++--------
- 2 files changed, 21 insertions(+), 52 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 65e4fee9510..ea08cb44122 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -285,11 +285,8 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid(?!_)
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
-@@ -297,42 +294,3 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
--#
--# PAC tests
--#
--^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local
--^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local
--^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local
--^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local
--^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local
--^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local
--^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local
--^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local
--^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local
--^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local
--^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local
--^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local
--^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-aes.verify-sig-aes.fl2008r2dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-bdc-arcfour.verify-sig-arcfour.fl2008r2dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008r2dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-mem-aes.verify-sig-aes.fl2008r2dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.s4u2proxy-arcfour.fl2008r2dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2000dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2003dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
--^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
-diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c
-index 8c3ce71529c..17af76f4edb 100644
---- source4/kdc/wdc-samba4.c
-+++ source4/kdc/wdc-samba4.c
-@@ -132,6 +132,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- krb5_error_code ret;
- NTSTATUS nt_status;
- bool is_in_db, is_untrusted;
-+ bool is_krbtgt;
- size_t num_types = 0;
- uint32_t *types = NULL;
- uint32_t forced_next_type = 0;
-@@ -471,7 +472,9 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- goto out;
- }
-
-- if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
-+ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
-+
-+ if (!is_untrusted && !is_krbtgt) {
- /*
- * The client may have requested no PAC when obtaining the
- * TGT.
-@@ -576,17 +579,25 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- type_blob = data_blob_const(&zero_byte, 1);
- break;
- case PAC_TYPE_ATTRIBUTES_INFO:
-- /* just copy... */
-- break;
-+ if (is_krbtgt) {
-+ /* just copy... */
-+ break;
-+ } else {
-+ continue;
-+ }
- case PAC_TYPE_REQUESTER_SID:
-- /*
-- * Replace in the RODC case, otherwise
-- * requester_sid_blob is NULL and we just copy.
-- */
-- if (requester_sid_blob != NULL) {
-- type_blob = *requester_sid_blob;
-+ if (is_krbtgt) {
-+ /*
-+ * Replace in the RODC case, otherwise
-+ * requester_sid_blob is NULL and we just copy.
-+ */
-+ if (requester_sid_blob != NULL) {
-+ type_blob = *requester_sid_blob;
-+ }
-+ break;
-+ } else {
-+ continue;
- }
-- break;
- default:
- /* just copy... */
- break;
---
-2.25.1
-
-
-From 29f15fe2d92831dcf5f4eb6d295df866ff689ee3 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 10:53:49 +1300
-Subject: [PATCH 45/99] kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued
- tickets
-
-Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
-presented with an RODC-issued TGT. By removing this PAC buffer from
-RODC-issued tickets, we ensure that an RODC-issued ticket will still
-result in a PAC if it is first renewed or validated by the main DC.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 4b60e9516497c2e7f1545fe50887d0336b9893f2)
----
- selftest/knownfail_heimdal_kdc | 13 -------------
- source4/kdc/wdc-samba4.c | 2 +-
- 2 files changed, 1 insertion(+), 14 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index ea08cb44122..5e94cb63d7a 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -274,16 +274,6 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_none
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_renew_pac_request_true
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_none
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_rodc_validate_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
-@@ -291,6 +281,3 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
-diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c
-index 17af76f4edb..713720bcb99 100644
---- source4/kdc/wdc-samba4.c
-+++ source4/kdc/wdc-samba4.c
-@@ -579,7 +579,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- type_blob = data_blob_const(&zero_byte, 1);
- break;
- case PAC_TYPE_ATTRIBUTES_INFO:
-- if (is_krbtgt) {
-+ if (!is_untrusted && is_krbtgt) {
- /* just copy... */
- break;
- } else {
---
-2.25.1
-
-
-From d3436300745c41226d7ed146f269c929133f8f49 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 12:46:40 +1300
-Subject: [PATCH 46/99] tests/krb5: Add a test for S4U2Self with no
- authorization data required
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)
----
- python/samba/tests/krb5/s4u_tests.py | 34 ++++++++++++++++++++++++++++
- selftest/knownfail_heimdal_kdc | 1 +
- 2 files changed, 35 insertions(+)
-
-diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py
-index 2953766ef21..6ec9af11423 100755
---- python/samba/tests/krb5/s4u_tests.py
-+++ python/samba/tests/krb5/s4u_tests.py
-@@ -324,6 +324,13 @@ class S4UKerberosTests(KDCBaseTest):
- sname=service_sname,
- etypes=etypes)
-
-+ if not expected_error_mode:
-+ # Check that the ticket contains a PAC.
-+ ticket = kdc_exchange_dict['rep_ticket_creds']
-+
-+ pac = self.get_ticket_pac(ticket)
-+ self.assertIsNotNone(pac)
-+
- # Ensure we used all the parameters given to us.
- self.assertEqual({}, kdc_dict)
-
-@@ -504,6 +511,24 @@ class S4UKerberosTests(KDCBaseTest):
- self.set_ticket_forwardable, flag=True)
- })
-
-+ # Do an S4U2Self where the service does not require authorization data. The
-+ # resulting ticket should still contain a PAC.
-+ def test_s4u2self_no_auth_data_required(self):
-+ self._run_s4u2self_test(
-+ {
-+ 'client_opts': {
-+ 'not_delegated': False
-+ },
-+ 'service_opts': {
-+ 'trusted_to_auth_for_delegation': True,
-+ 'no_auth_data_required': True
-+ },
-+ 'kdc_options': 'forwardable',
-+ 'modify_service_tgt_fn': functools.partial(
-+ self.set_ticket_forwardable, flag=True),
-+ 'expected_flags': 'forwardable'
-+ })
-+
- def _run_delegation_test(self, kdc_dict):
- client_opts = kdc_dict.pop('client_opts', None)
- client_creds = self.get_cached_creds(
-@@ -654,6 +679,15 @@ class S4UKerberosTests(KDCBaseTest):
- etypes=etypes,
- additional_tickets=additional_tickets)
-
-+ if not expected_error_mode:
-+ # Check whether the ticket contains a PAC.
-+ ticket = kdc_exchange_dict['rep_ticket_creds']
-+ pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
-+ if expect_pac:
-+ self.assertIsNotNone(pac)
-+ else:
-+ self.assertIsNone(pac)
-+
- # Ensure we used all the parameters given to us.
- self.assertEqual({}, kdc_dict)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 5e94cb63d7a..2025032a278 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -242,6 +242,7 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
---
-2.25.1
-
-
-From 8f97f78dd8023d88d76fc7de063661d94ebe5400 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 23 Nov 2021 17:30:50 +1300
-Subject: [PATCH 47/99] heimdal:kdc: Always generate a PAC for S4U2Self
-
-If we decided not to put a PAC into the ticket, mspac would be NULL
-here, and the resulting ticket would not contain a PAC. This could
-happen if there was a request to omit the PAC or the service did not
-require authorization data. Ensure that we always generate a PAC.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1)
----
- selftest/knownfail_heimdal_kdc | 2 --
- source4/heimdal/kdc/krb5tgs.c | 13 +++++++------
- 2 files changed, 7 insertions(+), 8 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 2025032a278..53cc8e6b6a2 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -242,7 +242,6 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
-@@ -275,7 +274,6 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c
-index 6c5c51aa448..dc356b4daa5 100644
---- source4/heimdal/kdc/krb5tgs.c
-+++ source4/heimdal/kdc/krb5tgs.c
-@@ -1846,12 +1846,13 @@ server_lookup:
- if (mspac) {
- krb5_pac_free(context, mspac);
- mspac = NULL;
-- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac);
-- if (ret) {
-- kdc_log(context, config, 0, "PAC generation failed for -- %s",
-- tpn);
-- goto out;
-- }
-+ }
-+
-+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac);
-+ if (ret) {
-+ kdc_log(context, config, 0, "PAC generation failed for -- %s",
-+ tpn);
-+ goto out;
- }
-
- /*
---
-2.25.1
-
-
-From 8585333a8ef54295a60faf47689a8978c0740361 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 25 Nov 2021 09:29:42 +1300
-Subject: [PATCH 48/99] selftest: Properly check extra PAC buffers with Heimdal
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit ee4aa21c487fa80082a548b2e4f115a791e30340)
-
-[jsutton@samba.org Fixed conflicts]
----
- selftest/knownfail_heimdal_kdc | 12 ++++++++++++
- source4/selftest/tests.py | 2 +-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 53cc8e6b6a2..f71b95f306e 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -241,8 +241,15 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed
-+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
-@@ -274,6 +281,11 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
-+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-
-
-From 65bb0e3201d60d87a3f228ea161644d9a5f918c5 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 23 Nov 2021 19:38:35 +1300
-Subject: [PATCH 49/99] heimdal:kdc: Do not generate extra PAC buffers for
- S4U2Self service ticket
-
-Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
-when generating a service ticket for S4U2Self, we want to avoid adding
-the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 9bd26804852d957f81cb311e5142f9190f9afa65)
----
- selftest/knownfail_heimdal_kdc | 12 ------------
- source4/heimdal/kdc/kerberos5.c | 2 +-
- source4/heimdal/kdc/krb5tgs.c | 3 ++-
- source4/heimdal/kdc/windc.c | 5 +++--
- source4/heimdal/kdc/windc_plugin.h | 2 ++
- source4/kdc/wdc-samba4.c | 11 ++++++++---
- 6 files changed, 16 insertions(+), 19 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index f71b95f306e..53cc8e6b6a2 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -241,15 +241,8 @@
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_client_not_delegated
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_forwardable
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_nonempty_allowed
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_empty_allowed
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_trusted_nonempty_allowed
--^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_without_forwardable
- #
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
- ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
-@@ -281,11 +274,6 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_none
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_true
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid)
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_revealed
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
-diff --git source4/heimdal/kdc/kerberos5.c source4/heimdal/kdc/kerberos5.c
-index 9684364c519..a9e81336615 100644
---- source4/heimdal/kdc/kerberos5.c
-+++ source4/heimdal/kdc/kerberos5.c
-@@ -1776,7 +1776,7 @@ _kdc_as_rep(krb5_context context,
-
- sent_pac_request = send_pac_p(context, req, &pac_request);
-
-- ret = _kdc_pac_generate(context, client, pk_reply_key,
-+ ret = _kdc_pac_generate(context, client, server, pk_reply_key,
- sent_pac_request ? &pac_request : NULL,
- &p);
- if (ret) {
-diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c
-index dc356b4daa5..38dba8493ae 100644
---- source4/heimdal/kdc/krb5tgs.c
-+++ source4/heimdal/kdc/krb5tgs.c
-@@ -1848,7 +1848,8 @@ server_lookup:
- mspac = NULL;
- }
-
-- ret = _kdc_pac_generate(context, s4u2self_impersonated_client, NULL, NULL, &mspac);
-+ ret = _kdc_pac_generate(context, s4u2self_impersonated_client, server,
-+ NULL, NULL, &mspac);
- if (ret) {
- kdc_log(context, config, 0, "PAC generation failed for -- %s",
- tpn);
-diff --git source4/heimdal/kdc/windc.c source4/heimdal/kdc/windc.c
-index 93b973f576b..0a5ae5025ec 100644
---- source4/heimdal/kdc/windc.c
-+++ source4/heimdal/kdc/windc.c
-@@ -73,6 +73,7 @@ krb5_kdc_windc_init(krb5_context context)
- krb5_error_code
- _kdc_pac_generate(krb5_context context,
- hdb_entry_ex *client,
-+ hdb_entry_ex *server,
- const krb5_keyblock *pk_reply_key,
- const krb5_boolean *pac_request,
- krb5_pac *pac)
-@@ -88,9 +89,9 @@ _kdc_pac_generate(krb5_context context,
-
- if (windcft->pac_pk_generate != NULL && pk_reply_key != NULL)
- return (windcft->pac_pk_generate)(windcctx, context,
-- client, pk_reply_key,
-+ client, server, pk_reply_key,
- pac_request, pac);
-- return (windcft->pac_generate)(windcctx, context, client,
-+ return (windcft->pac_generate)(windcctx, context, client, server,
- pac_request, pac);
- }
-
-diff --git source4/heimdal/kdc/windc_plugin.h source4/heimdal/kdc/windc_plugin.h
-index c7f2bcb5ed9..d239d0260e7 100644
---- source4/heimdal/kdc/windc_plugin.h
-+++ source4/heimdal/kdc/windc_plugin.h
-@@ -55,12 +55,14 @@ struct hdb_entry_ex;
- typedef krb5_error_code
- (*krb5plugin_windc_pac_generate)(void *, krb5_context,
- struct hdb_entry_ex *, /* client */
-+ struct hdb_entry_ex *, /* server */
- const krb5_boolean *, /* pac_request */
- krb5_pac *);
-
- typedef krb5_error_code
- (*krb5plugin_windc_pac_pk_generate)(void *, krb5_context,
- struct hdb_entry_ex *, /* client */
-+ struct hdb_entry_ex *, /* server */
- const krb5_keyblock *, /* pk_replykey */
- const krb5_boolean *, /* pac_request */
- krb5_pac *);
-diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c
-index 713720bcb99..b1d011c09a9 100644
---- source4/kdc/wdc-samba4.c
-+++ source4/kdc/wdc-samba4.c
-@@ -37,6 +37,7 @@
- */
- static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
- struct hdb_entry_ex *client,
-+ struct hdb_entry_ex *server,
- const krb5_keyblock *pk_reply_key,
- const krb5_boolean *pac_request,
- krb5_pac *pac)
-@@ -55,6 +56,7 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
- struct samba_kdc_entry *skdc_entry =
- talloc_get_type_abort(client->ctx,
- struct samba_kdc_entry);
-+ bool is_krbtgt;
-
- mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context");
- if (!mem_ctx) {
-@@ -65,13 +67,15 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
- cred_ndr_ptr = &cred_ndr;
- }
-
-+ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
-+
- nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry,
- &logon_blob,
- cred_ndr_ptr,
- &upn_blob,
-- &pac_attrs_blob,
-+ is_krbtgt ? &pac_attrs_blob : NULL,
- pac_request,
-- &requester_sid_blob,
-+ is_krbtgt ? &requester_sid_blob : NULL,
- NULL);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
-@@ -101,10 +105,11 @@ static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
-
- static krb5_error_code samba_wdc_get_pac_compat(void *priv, krb5_context context,
- struct hdb_entry_ex *client,
-+ struct hdb_entry_ex *server,
- const krb5_boolean *pac_request,
- krb5_pac *pac)
- {
-- return samba_wdc_get_pac(priv, context, client, NULL, pac_request, pac);
-+ return samba_wdc_get_pac(priv, context, client, server, NULL, pac_request, pac);
- }
-
- static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
---
-2.25.1
-
-
-From 49aafce0a705d47ffd4753ce6c6f452c4f7aa882 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 24 Nov 2021 20:41:54 +1300
-Subject: [PATCH 50/99] kdc: Require that PAC_REQUESTER_SID buffer is present
- for TGTs
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184
-
-(cherry picked from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a)
----
- selftest/knownfail_heimdal_kdc | 6 ------
- source4/kdc/wdc-samba4.c | 6 ++++++
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 53cc8e6b6a2..32465cb6042 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -274,9 +274,3 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
-diff --git source4/kdc/wdc-samba4.c source4/kdc/wdc-samba4.c
-index b1d011c09a9..d7ce34fb3a9 100644
---- source4/kdc/wdc-samba4.c
-+++ source4/kdc/wdc-samba4.c
-@@ -459,6 +459,12 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
- talloc_free(mem_ctx);
- return EINVAL;
- }
-+ if (delegated_proxy_principal == NULL && requester_sid_idx == -1) {
-+ DEBUG(1, ("PAC_TYPE_REQUESTER_SID missing\n"));
-+ SAFE_FREE(types);
-+ talloc_free(mem_ctx);
-+ return KRB5KDC_ERR_TGT_REVOKED;
-+ }
-
- /*
- * The server account may be set not to want the PAC.
---
-2.25.1
-
-
-From 3fc519edec0159535baa0b659861b73f40632110 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 7 Dec 2021 13:15:38 +1300
-Subject: [PATCH 51/99] kdc: Canonicalize realm for enterprise principals
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184
-
-(cherry picked from commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c)
----
- selftest/knownfail.d/kdc-enterprise | 63 -----------------------------
- selftest/knownfail_heimdal_kdc | 3 --
- selftest/knownfail_mit_kdc | 36 +++++++++++++++++
- source4/kdc/db-glue.c | 24 +++++------
- 4 files changed, 47 insertions(+), 79 deletions(-)
- delete mode 100644 selftest/knownfail.d/kdc-enterprise
-
-diff --git selftest/knownfail.d/kdc-enterprise selftest/knownfail.d/kdc-enterprise
-deleted file mode 100644
-index c9b6c98a2ee..00000000000
---- selftest/knownfail.d/kdc-enterprise
-+++ /dev/null
-@@ -1,63 +0,0 @@
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\(
--samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\(
--
--
--
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\(
--^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 32465cb6042..424a8b81c38 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -5,9 +5,6 @@
- #
- # Heimdal currently fails the following MS-KILE client principal lookup
- # tests
--^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3
--^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4
--^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5
- ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a
- ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b
- ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 73e64145e42..4d685af7140 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -56,17 +56,53 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\(
-+samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\(
- samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\(
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index bed0ff773f9..5752ffb821c 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -980,19 +980,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- goto out;
- }
-
-- if (smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL) {
-- /* While we have copied the client principal, tests
-- * show that Win2k3 returns the 'corrected' realm, not
-- * the client-specified realm. This code attempts to
-- * replace the client principal's realm with the one
-- * we determine from our records */
--
-- /* this has to be with malloc() */
-- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-+ /* While we have copied the client principal, tests
-+ * show that Win2k3 returns the 'corrected' realm, not
-+ * the client-specified realm. This code attempts to
-+ * replace the client principal's realm with the one
-+ * we determine from our records */
-+
-+ /* this has to be with malloc() */
-+ ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
-+ if (ret) {
-+ krb5_clear_error_message(context);
-+ goto out;
- }
- }
-
---
-2.25.1
-
-
-From 787405ef59b70cef011f005a6ed98898c5d43adb Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Dec 2021 19:16:00 +1300
-Subject: [PATCH 52/99] tests/krb5: Correctly determine whether tickets are
- service tickets
-
-Previously we expected tickets to contain a ticket checksum if the sname
-was not the krbtgt. However, the ticket checksum should not be present
-if we are performing an AS-REQ to our own account. Now we determine a
-ticket is a service ticket only if the request is also a TGS-REQ.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)
----
- python/samba/tests/krb5/compatability_tests.py | 10 ++++++----
- python/samba/tests/krb5/kdc_base_test.py | 2 +-
- python/samba/tests/krb5/raw_testcase.py | 18 ++++++++++--------
- python/samba/tests/krb5/rodc_tests.py | 4 ++--
- 4 files changed, 19 insertions(+), 15 deletions(-)
-
-diff --git python/samba/tests/krb5/compatability_tests.py python/samba/tests/krb5/compatability_tests.py
-index ed2dc565b6d..65e9e3788d5 100755
---- python/samba/tests/krb5/compatability_tests.py
-+++ python/samba/tests/krb5/compatability_tests.py
-@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest):
- tgt = self.get_tgt(user_creds)
-
- # Ensure the PAC contains the expected checksums.
-- self.verify_ticket(tgt, key)
-+ self.verify_ticket(tgt, key, service_ticket=False)
-
- # Get a service ticket from the DC.
- service_ticket = self.get_service_ticket(tgt, target_creds)
-
- # Ensure the PAC contains the expected checksums.
-- self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
-+ self.verify_ticket(service_ticket, key, service_ticket=True,
-+ expect_ticket_checksum=True)
-
- def test_mit_ticket_signature(self):
- # Ensure that a DC does not issue tickets signed with its krbtgt key.
-@@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest):
- tgt = self.get_tgt(user_creds)
-
- # Ensure the PAC contains the expected checksums.
-- self.verify_ticket(tgt, key)
-+ self.verify_ticket(tgt, key, service_ticket=False)
-
- # Get a service ticket from the DC.
- service_ticket = self.get_service_ticket(tgt, target_creds)
-
- # Ensure the PAC does not contain the expected checksums.
-- self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
-+ self.verify_ticket(service_ticket, key, service_ticket=True,
-+ expect_ticket_checksum=False)
-
- def as_pre_auth_req(self, creds, etypes):
- user = creds.get_username()
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 6e96b982167..9506048ee2a 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -1395,7 +1395,7 @@ class KDCBaseTest(RawKerberosTest):
- krbtgt_creds = self.get_krbtgt_creds()
- krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
- self.verify_ticket(service_ticket_creds, krbtgt_key,
-- expect_pac=expect_pac,
-+ service_ticket=True, expect_pac=expect_pac,
- expect_ticket_checksum=self.tkt_sig_support)
-
- self.tkt_cache[cache_key] = service_ticket_creds
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 14e655313fc..a2241707d44 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -2587,7 +2587,11 @@ class RawKerberosTest(TestCaseInTempDir):
- self.assertIsNotNone(ticket_decryption_key)
-
- if ticket_decryption_key is not None:
-- self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac,
-+ service_ticket = (not self.is_tgs(expected_sname)
-+ and rep_msg_type == KRB_TGS_REP)
-+ self.verify_ticket(ticket_creds, krbtgt_keys,
-+ service_ticket=service_ticket,
-+ expect_pac=expect_pac,
- expect_ticket_checksum=expect_ticket_checksum
- or self.tkt_sig_support)
-
-@@ -2624,14 +2628,14 @@ class RawKerberosTest(TestCaseInTempDir):
- expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
- expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
-
-- if not self.is_tgs(expected_sname):
-+ if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
- expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
-
- require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO}
- if not self.tkt_sig_support:
- require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
-
-- expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
-+ expect_extra_pac_buffers = self.is_tgs(expected_sname)
-
- expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
-
-@@ -3233,11 +3237,9 @@ class RawKerberosTest(TestCaseInTempDir):
- ticket_blob)
- self.assertEqual(expected_checksum, checksum)
-
-- def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True,
-+ def verify_ticket(self, ticket, krbtgt_keys, service_ticket,
-+ expect_pac=True,
- expect_ticket_checksum=True):
-- # Check if the ticket is a TGT.
-- is_tgt = self.is_tgt(ticket)
--
- # Decrypt the ticket.
-
- key = ticket.decryption_key
-@@ -3336,7 +3338,7 @@ class RawKerberosTest(TestCaseInTempDir):
- kdc_ctype,
- kdc_checksum)
-
-- if is_tgt:
-+ if not service_ticket:
- self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums)
- else:
- ticket_checksum, ticket_ctype = checksums.get(
-diff --git python/samba/tests/krb5/rodc_tests.py python/samba/tests/krb5/rodc_tests.py
-index 0e252d90262..83ee35d650a 100755
---- python/samba/tests/krb5/rodc_tests.py
-+++ python/samba/tests/krb5/rodc_tests.py
-@@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest):
- tgt = self.get_tgt(user_creds, to_rodc=True)
-
- # Ensure the PAC contains the expected checksums.
-- self.verify_ticket(tgt, rodc_key)
-+ self.verify_ticket(tgt, rodc_key, service_ticket=False)
-
- # Get a service ticket from the RODC.
- service_ticket = self.get_service_ticket(tgt, target_creds,
- to_rodc=True)
-
- # Ensure the PAC contains the expected checksums.
-- self.verify_ticket(service_ticket, rodc_key)
-+ self.verify_ticket(service_ticket, rodc_key, service_ticket=True)
-
-
- if __name__ == "__main__":
---
-2.25.1
-
-
-From c0977bee5b8c2f72cb5467e95a6ab034f696eee7 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 8 Feb 2022 12:15:36 +1300
-Subject: [PATCH 53/99] tests/krb5: Add helper function to modify ticket flags
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)
----
- python/samba/tests/krb5/kdc_base_test.py | 14 ++++++++++++++
- python/samba/tests/krb5/kdc_tgs_tests.py | 18 ++----------------
- python/samba/tests/krb5/s4u_tests.py | 17 +++--------------
- 3 files changed, 19 insertions(+), 30 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 9506048ee2a..58b87eab25b 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -1602,6 +1602,20 @@ class KDCBaseTest(RawKerberosTest):
- enc_part, asn1Spec=krb5_asn1.EncTicketPart())
- return enc_ticket_part
-
-+ def modify_ticket_flag(self, enc_part, flag, value):
-+ self.assertIsInstance(value, bool)
-+
-+ flag = krb5_asn1.TicketFlags(flag)
-+ pos = len(tuple(flag)) - 1
-+
-+ flags = enc_part['flags']
-+ self.assertLessEqual(pos, len(flags))
-+
-+ new_flags = flags[:pos] + str(int(value)) + flags[pos + 1:]
-+ enc_part['flags'] = new_flags
-+
-+ return enc_part
-+
- def get_objectSid(self, samdb, dn):
- ''' Get the objectSID for a DN
- Note: performs an Ldb query.
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 2923d53772a..8cd27dec2aa 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -2177,14 +2177,7 @@ class KdcTgsTests(KDCBaseTest):
-
- def _modify_renewable(self, enc_part):
- # Set the renewable flag.
-- renewable_flag = krb5_asn1.TicketFlags('renewable')
-- pos = len(tuple(renewable_flag)) - 1
--
-- flags = enc_part['flags']
-- self.assertLessEqual(pos, len(flags))
--
-- new_flags = flags[:pos] + '1' + flags[pos + 1:]
-- enc_part['flags'] = new_flags
-+ enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
-
- # Set the renew-till time to be in the future.
- renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
-@@ -2194,14 +2187,7 @@ class KdcTgsTests(KDCBaseTest):
-
- def _modify_invalid(self, enc_part):
- # Set the invalid flag.
-- invalid_flag = krb5_asn1.TicketFlags('invalid')
-- pos = len(tuple(invalid_flag)) - 1
--
-- flags = enc_part['flags']
-- self.assertLessEqual(pos, len(flags))
--
-- new_flags = flags[:pos] + '1' + flags[pos + 1:]
-- enc_part['flags'] = new_flags
-+ enc_part = self.modify_ticket_flag(enc_part, 'invalid', value=True)
-
- # Set the ticket start time to be in the past.
- past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
-diff --git python/samba/tests/krb5/s4u_tests.py python/samba/tests/krb5/s4u_tests.py
-index 6ec9af11423..49dd89cd764 100755
---- python/samba/tests/krb5/s4u_tests.py
-+++ python/samba/tests/krb5/s4u_tests.py
-@@ -1336,20 +1336,9 @@ class S4UKerberosTests(KDCBaseTest):
- modify_pac_fn=modify_pac_fn)
-
- def set_ticket_forwardable(self, ticket, flag, update_pac_checksums=True):
-- flag = '1' if flag else '0'
--
-- def modify_fn(enc_part):
-- # Reset the forwardable flag
-- forwardable_pos = (len(tuple(krb5_asn1.TicketFlags('forwardable')))
-- - 1)
--
-- flags = enc_part['flags']
-- self.assertLessEqual(forwardable_pos, len(flags))
-- enc_part['flags'] = (flags[:forwardable_pos] +
-- flag +
-- flags[forwardable_pos+1:])
--
-- return enc_part
-+ modify_fn = functools.partial(self.modify_ticket_flag,
-+ flag='forwardable',
-+ value=flag)
-
- if update_pac_checksums:
- checksum_keys = self.get_krbtgt_checksum_key()
---
-2.25.1
-
-
-From c0395578c50fbc4f1946e2f5a065d94f67212eb0 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 15 Jun 2022 19:37:39 +1200
-Subject: [PATCH 55/99] CVE-2022-2031 s4:kdc: Add MIT support for
- ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
-
-So that we do not confuse TGTs and kpasswd tickets, it is critical to
-check that the REQUESTER_SID buffer exists in TGTs, and to ensure that
-it is not propagated to service tickets.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-
-[jsutton@samba.org Brought in changes to add ATTRIBUTES_INFO and
- REQUESTER_SID buffers to new PACs, and updated knownfails]
-
-[jsutton@samba.org Adjusted MIT knownfails]
----
- selftest/knownfail_mit_kdc | 17 -----
- source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +-
- source4/kdc/mit_samba.c | 93 +++++++++++++++++++++++-
- source4/kdc/mit_samba.h | 1 +
- 4 files changed, 94 insertions(+), 22 deletions(-)
-
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 4d685af7140..108c6055d0c 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -445,7 +445,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_req
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
-@@ -482,7 +481,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_invalid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link
-@@ -518,7 +516,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_req
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_allowed_denied
-@@ -536,21 +533,17 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_missing_rodc_renew_true
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_false
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_rodc_renew_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_false
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_true
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_pac_attrs
- #
-@@ -571,21 +564,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- # PAC requester SID tests
- #
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_as_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_sid_mismatch_nonexisting
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_renew
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_rodc_validate
--^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_validate
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_existing
-diff --git source4/kdc/mit-kdb/kdb_samba_policies.c source4/kdc/mit-kdb/kdb_samba_policies.c
-index 7bc9a7b3347..3b25fff410b 100644
---- source4/kdc/mit-kdb/kdb_samba_policies.c
-+++ source4/kdc/mit-kdb/kdb_samba_policies.c
-@@ -159,6 +159,7 @@ done:
-
- static krb5_error_code ks_get_pac(krb5_context context,
- krb5_db_entry *client,
-+ krb5_db_entry *server,
- krb5_keyblock *client_key,
- krb5_pac *pac)
- {
-@@ -173,6 +174,7 @@ static krb5_error_code ks_get_pac(krb5_context context,
- code = mit_samba_get_pac(mit_ctx,
- context,
- client,
-+ server,
- client_key,
- pac);
- if (code != 0) {
-@@ -439,7 +441,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
- */
- if (with_pac && generate_pac) {
- DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name);
-- code = ks_get_pac(context, client_entry, client_key, &pac);
-+ code = ks_get_pac(context, client_entry, server, client_key, &pac);
- if (code != 0) {
- goto done;
- }
-@@ -490,6 +492,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
-
- code = ks_get_pac(context,
- client_entry,
-+ server,
- client_key,
- &pac);
- if (code != 0 && code != ENOENT) {
-diff --git source4/kdc/mit_samba.c source4/kdc/mit_samba.c
-index c2a604045d9..df2ba0a906f 100644
---- source4/kdc/mit_samba.c
-+++ source4/kdc/mit_samba.c
-@@ -407,6 +407,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx,
- int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_context context,
- krb5_db_entry *client,
-+ krb5_db_entry *server,
- krb5_keyblock *client_key,
- krb5_pac *pac)
- {
-@@ -417,9 +418,12 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- DATA_BLOB **cred_ndr_ptr = NULL;
- DATA_BLOB cred_blob = data_blob_null;
- DATA_BLOB *pcred_blob = NULL;
-+ DATA_BLOB *pac_attrs_blob = NULL;
-+ DATA_BLOB *requester_sid_blob = NULL;
- NTSTATUS nt_status;
- krb5_error_code code;
- struct samba_kdc_entry *skdc_entry;
-+ bool is_krbtgt;
-
- skdc_entry = talloc_get_type_abort(client->e_data,
- struct samba_kdc_entry);
-@@ -438,12 +442,16 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- }
- #endif
-
-+ is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
-+
- nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
- skdc_entry,
- &logon_info_blob,
- cred_ndr_ptr,
- &upn_dns_info_blob,
-- NULL, NULL, NULL,
-+ is_krbtgt ? &pac_attrs_blob : NULL,
-+ NULL,
-+ is_krbtgt ? &requester_sid_blob : NULL,
- NULL);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
-@@ -471,8 +479,8 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- logon_info_blob,
- pcred_blob,
- upn_dns_info_blob,
-- NULL,
-- NULL,
-+ pac_attrs_blob,
-+ requester_sid_blob,
- NULL,
- pac);
-
-@@ -496,6 +504,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- DATA_BLOB *pac_blob = NULL;
- DATA_BLOB *upn_blob = NULL;
- DATA_BLOB *deleg_blob = NULL;
-+ DATA_BLOB *requester_sid_blob = NULL;
- struct samba_kdc_entry *client_skdc_entry = NULL;
- struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
- struct samba_kdc_entry *server_skdc_entry = NULL;
-@@ -511,8 +520,12 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- ssize_t upn_dns_info_idx = -1;
- ssize_t srv_checksum_idx = -1;
- ssize_t kdc_checksum_idx = -1;
-+ ssize_t tkt_checksum_idx = -1;
-+ ssize_t attrs_info_idx = -1;
-+ ssize_t requester_sid_idx = -1;
- krb5_pac new_pac = NULL;
- bool ok;
-+ bool is_krbtgt;
-
- /* Create a memory context early so code can use talloc_stackframe() */
- tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
-@@ -520,6 +533,8 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- return ENOMEM;
- }
-
-+ is_krbtgt = ks_is_tgs_principal(ctx, server->princ);
-+
- if (client != NULL) {
- client_skdc_entry =
- talloc_get_type_abort(client->e_data,
-@@ -578,7 +593,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- NULL,
- &upn_blob,
- NULL, NULL,
-- NULL,
-+ &requester_sid_blob,
- NULL);
- if (!NT_STATUS_IS_OK(nt_status)) {
- code = EINVAL;
-@@ -737,6 +752,45 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- }
- kdc_checksum_idx = i;
- break;
-+ case PAC_TYPE_TICKET_CHECKSUM:
-+ if (tkt_checksum_idx != -1) {
-+ DBG_WARNING("ticket checksum type[%u] twice "
-+ "[%zd] and [%zu]: \n",
-+ types[i],
-+ tkt_checksum_idx,
-+ i);
-+ SAFE_FREE(types);
-+ code = EINVAL;
-+ goto done;
-+ }
-+ tkt_checksum_idx = i;
-+ break;
-+ case PAC_TYPE_ATTRIBUTES_INFO:
-+ if (attrs_info_idx != -1) {
-+ DBG_WARNING("attributes info type[%u] twice "
-+ "[%zd] and [%zu]: \n",
-+ types[i],
-+ attrs_info_idx,
-+ i);
-+ SAFE_FREE(types);
-+ code = EINVAL;
-+ goto done;
-+ }
-+ attrs_info_idx = i;
-+ break;
-+ case PAC_TYPE_REQUESTER_SID:
-+ if (requester_sid_idx != -1) {
-+ DBG_WARNING("requester sid type[%u] twice"
-+ "[%zd] and [%zu]: \n",
-+ types[i],
-+ requester_sid_idx,
-+ i);
-+ SAFE_FREE(types);
-+ code = EINVAL;
-+ goto done;
-+ }
-+ requester_sid_idx = i;
-+ break;
- default:
- continue;
- }
-@@ -766,6 +820,13 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- code = EINVAL;
- goto done;
- }
-+ if (!(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) &&
-+ requester_sid_idx == -1) {
-+ DEBUG(1, ("PAC_TYPE_REQUESTER_SID missing\n"));
-+ SAFE_FREE(types);
-+ code = KRB5KDC_ERR_TGT_REVOKED;
-+ goto done;
-+ }
-
- /* Build an updated PAC */
- code = krb5_pac_init(context, &new_pac);
-@@ -831,6 +892,10 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- }
- break;
- case PAC_TYPE_SRV_CHECKSUM:
-+ if (requester_sid_idx == -1 && requester_sid_blob != NULL) {
-+ /* inject REQUESTER_SID */
-+ forced_next_type = PAC_TYPE_REQUESTER_SID;
-+ }
- /*
- * This is generated in the main KDC code
- */
-@@ -840,6 +905,26 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
- * This is generated in the main KDC code
- */
- continue;
-+ case PAC_TYPE_ATTRIBUTES_INFO:
-+ if (!is_untrusted && is_krbtgt) {
-+ /* just copy... */
-+ break;
-+ }
-+
-+ continue;
-+ case PAC_TYPE_REQUESTER_SID:
-+ if (!is_krbtgt) {
-+ continue;
-+ }
-+
-+ /*
-+ * Replace in the RODC case, otherwise
-+ * requester_sid_blob is NULL and we just copy.
-+ */
-+ if (requester_sid_blob != NULL) {
-+ type_blob = *requester_sid_blob;
-+ }
-+ break;
- default:
- /* just copy... */
- break;
-diff --git source4/kdc/mit_samba.h source4/kdc/mit_samba.h
-index 636c77ec97c..4431e82a1b2 100644
---- source4/kdc/mit_samba.h
-+++ source4/kdc/mit_samba.h
-@@ -50,6 +50,7 @@ int mit_samba_get_nextkey(struct mit_samba_context *ctx,
- int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
- krb5_context context,
- krb5_db_entry *client,
-+ krb5_db_entry *server,
- krb5_keyblock *client_key,
- krb5_pac *pac);
-
---
-2.25.1
-
-
-From 6843c44a45044808f90687f85183e7111a465d1f Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 16 Jun 2022 10:33:29 +1200
-Subject: [PATCH 56/99] heimdal:kdc: Accommodate NULL data parameter in
- krb5_pac_get_buffer()
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- source4/heimdal/lib/krb5/pac.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git source4/heimdal/lib/krb5/pac.c source4/heimdal/lib/krb5/pac.c
-index 05bcc523080..100de904662 100644
---- source4/heimdal/lib/krb5/pac.c
-+++ source4/heimdal/lib/krb5/pac.c
-@@ -394,10 +394,12 @@ krb5_pac_get_buffer(krb5_context context, krb5_pac p,
- if (p->pac->buffers[i].type != type)
- continue;
-
-- ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
-- if (ret) {
-- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
-- return ret;
-+ if (data) {
-+ ret = krb5_data_copy(data, (unsigned char *)p->data.data + offset, len);
-+ if (ret) {
-+ krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
-+ return ret;
-+ }
- }
- return 0;
- }
---
-2.25.1
-
-
-From 1b38a28bcaebdae0128518605a422a194747a60f Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 27 May 2022 19:17:02 +1200
-Subject: [PATCH 57/99] CVE-2022-2031 s4:kpasswd: Account for missing target
- principal
-
-This field is supposed to be optional.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/kpasswd-service-mit.c | 22 ++++++++++++----------
- 1 file changed, 12 insertions(+), 10 deletions(-)
-
-diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c
-index 2117c1c1696..b53c1a4618a 100644
---- source4/kdc/kpasswd-service-mit.c
-+++ source4/kdc/kpasswd-service-mit.c
-@@ -143,16 +143,18 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- return KRB5_KPASSWD_HARDERROR;
- }
-
-- target_realm = smb_krb5_principal_get_realm(
-- mem_ctx, context, target_principal);
-- code = krb5_unparse_name_flags(context,
-- target_principal,
-- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-- &target_name);
-- if (code != 0) {
-- DBG_WARNING("Failed to parse principal\n");
-- *error_string = "String conversion failed";
-- return KRB5_KPASSWD_HARDERROR;
-+ if (target_principal != NULL) {
-+ target_realm = smb_krb5_principal_get_realm(
-+ mem_ctx, context, target_principal);
-+ code = krb5_unparse_name_flags(context,
-+ target_principal,
-+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
-+ &target_name);
-+ if (code != 0) {
-+ DBG_WARNING("Failed to parse principal\n");
-+ *error_string = "String conversion failed";
-+ return KRB5_KPASSWD_HARDERROR;
-+ }
- }
-
- if ((target_name != NULL && target_realm == NULL) ||
---
-2.25.1
-
-
-From f6c5a60336de8fd67a2ef371dd2ee4cf75c53904 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 30 May 2022 19:17:41 +1200
-Subject: [PATCH 58/99] CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding
- setpw structure
-
-The target principal and realm fields of the setpw structure are
-supposed to be optional, but in MIT Kerberos they are mandatory. For
-better compatibility and ease of testing, fall back to parsing the
-simpler (containing only the new password) structure if the MIT function
-fails to decode it.
-
-Although the target principal and realm fields should be optional, one
-is not supposed to specified without the other, so we don't have to deal
-with the case where only one is specified.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/kpasswd-service-mit.c | 94 ++++++++++++++++++++++++++-----
- 1 file changed, 79 insertions(+), 15 deletions(-)
-
-diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c
-index b53c1a4618a..9c4d2801669 100644
---- source4/kdc/kpasswd-service-mit.c
-+++ source4/kdc/kpasswd-service-mit.c
-@@ -28,6 +28,7 @@
- #include "kdc/kpasswd_glue.h"
- #include "kdc/kpasswd-service.h"
- #include "kdc/kpasswd-helper.h"
-+#include "../lib/util/asn1.h"
-
- #define RFC3244_VERSION 0xff80
-
-@@ -35,6 +36,52 @@ krb5_error_code decode_krb5_setpw_req(const krb5_data *code,
- krb5_data **password_out,
- krb5_principal *target_out);
-
-+/*
-+ * A fallback for when MIT refuses to parse a setpw structure without the
-+ * (optional) target principal and realm
-+ */
-+static bool decode_krb5_setpw_req_simple(TALLOC_CTX *mem_ctx,
-+ const DATA_BLOB *decoded_data,
-+ DATA_BLOB *clear_data)
-+{
-+ struct asn1_data *asn1 = NULL;
-+ bool ret;
-+
-+ asn1 = asn1_init(mem_ctx, 3);
-+ if (asn1 == NULL) {
-+ return false;
-+ }
-+
-+ ret = asn1_load(asn1, *decoded_data);
-+ if (!ret) {
-+ goto out;
-+ }
-+
-+ ret = asn1_start_tag(asn1, ASN1_SEQUENCE(0));
-+ if (!ret) {
-+ goto out;
-+ }
-+ ret = asn1_start_tag(asn1, ASN1_CONTEXT(0));
-+ if (!ret) {
-+ goto out;
-+ }
-+ ret = asn1_read_OctetString(asn1, mem_ctx, clear_data);
-+ if (!ret) {
-+ goto out;
-+ }
-+
-+ ret = asn1_end_tag(asn1);
-+ if (!ret) {
-+ goto out;
-+ }
-+ ret = asn1_end_tag(asn1);
-+
-+out:
-+ asn1_free(asn1);
-+
-+ return ret;
-+}
-+
- static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
- struct auth_session_info *session_info,
-@@ -93,9 +140,10 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- const char **error_string)
- {
- krb5_context context = kdc->smb_krb5_context->krb5_context;
-+ DATA_BLOB clear_data;
- krb5_data k_dec_data;
-- krb5_data *k_clear_data;
-- krb5_principal target_principal;
-+ krb5_data *k_clear_data = NULL;
-+ krb5_principal target_principal = NULL;
- krb5_error_code code;
- DATA_BLOB password;
- char *target_realm = NULL;
-@@ -114,29 +162,45 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- code = decode_krb5_setpw_req(&k_dec_data,
- &k_clear_data,
- &target_principal);
-- if (code != 0) {
-- DBG_WARNING("decode_krb5_setpw_req failed: %s\n",
-- error_message(code));
-- ok = kpasswd_make_error_reply(mem_ctx,
-- KRB5_KPASSWD_MALFORMED,
-- "Failed to decode packet",
-- kpasswd_reply);
-+ if (code == 0) {
-+ clear_data.data = (uint8_t *)k_clear_data->data;
-+ clear_data.length = k_clear_data->length;
-+ } else {
-+ target_principal = NULL;
-+
-+ /*
-+ * The MIT decode failed, so fall back to trying the simple
-+ * case, without target_principal.
-+ */
-+ ok = decode_krb5_setpw_req_simple(mem_ctx,
-+ decoded_data,
-+ &clear_data);
- if (!ok) {
-- *error_string = "Failed to create reply";
-- return KRB5_KPASSWD_HARDERROR;
-+ DBG_WARNING("decode_krb5_setpw_req failed: %s\n",
-+ error_message(code));
-+ ok = kpasswd_make_error_reply(mem_ctx,
-+ KRB5_KPASSWD_MALFORMED,
-+ "Failed to decode packet",
-+ kpasswd_reply);
-+ if (!ok) {
-+ *error_string = "Failed to create reply";
-+ return KRB5_KPASSWD_HARDERROR;
-+ }
-+ return 0;
- }
-- return 0;
- }
-
- ok = convert_string_talloc_handle(mem_ctx,
- lpcfg_iconv_handle(kdc->task->lp_ctx),
- CH_UTF8,
- CH_UTF16,
-- (const char *)k_clear_data->data,
-- k_clear_data->length,
-+ clear_data.data,
-+ clear_data.length,
- (void **)&password.data,
- &password.length);
-- krb5_free_data(context, k_clear_data);
-+ if (k_clear_data != NULL) {
-+ krb5_free_data(context, k_clear_data);
-+ }
- if (!ok) {
- DBG_WARNING("String conversion failed\n");
- *error_string = "String conversion failed";
---
-2.25.1
-
-
-From 6305a55870287191ce4268f6af7fe278ca7f2a30 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 26 May 2022 16:34:01 +1200
-Subject: [PATCH 59/99] CVE-2022-32744 tests/krb5: Correctly handle specifying
- account kvno
-
-The environment variable is a string, but we expect an integer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/raw_testcase.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index a2241707d44..4120edf93b9 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -724,7 +724,7 @@ class RawKerberosTest(TestCaseInTempDir):
- fallback_default=False,
- allow_missing=kvno_allow_missing)
- if kvno is not None:
-- c.set_kvno(kvno)
-+ c.set_kvno(int(kvno))
- aes256_key = self.env_get_var('AES256_KEY_HEX', prefix,
- fallback_default=False,
- allow_missing=aes256_allow_missing)
---
-2.25.1
-
-
-From 8917979641abb03ef858ba72b652178475b6e918 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 26 May 2022 20:52:04 +1200
-Subject: [PATCH 60/99] CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
-
-This allows us to make use of it in other tests.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflicts due to having older version of
- _make_tgs_request()]
----
- python/samba/tests/krb5/kdc_base_test.py | 77 ++++++++++++++++++++++++
- python/samba/tests/krb5/kdc_tgs_tests.py | 76 -----------------------
- 2 files changed, 77 insertions(+), 76 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 58b87eab25b..2117663b26b 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import (
- AES256_CTS_HMAC_SHA1_96,
- ARCFOUR_HMAC_MD5,
- KDC_ERR_PREAUTH_REQUIRED,
-+ KDC_ERR_TGT_REVOKED,
- KRB_AS_REP,
- KRB_TGS_REP,
- KRB_ERROR,
-@@ -1538,6 +1539,82 @@ class KDCBaseTest(RawKerberosTest):
-
- return ticket_creds
-
-+ def _make_tgs_request(self, client_creds, service_creds, tgt,
-+ pac_request=None, expect_pac=True,
-+ expect_error=False,
-+ expected_account_name=None,
-+ expected_upn_name=None,
-+ expected_sid=None):
-+ client_account = client_creds.get_username()
-+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=[client_account])
-+
-+ service_account = service_creds.get_username()
-+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=[service_account])
-+
-+ realm = service_creds.get_realm()
-+
-+ expected_crealm = realm
-+ expected_cname = cname
-+ expected_srealm = realm
-+ expected_sname = sname
-+
-+ expected_supported_etypes = service_creds.tgs_supported_enctypes
-+
-+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-+
-+ kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
-+
-+ target_decryption_key = self.TicketDecryptionKey_from_creds(
-+ service_creds)
-+
-+ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
-+
-+ if expect_error:
-+ expected_error_mode = KDC_ERR_TGT_REVOKED
-+ check_error_fn = self.generic_check_kdc_error
-+ check_rep_fn = None
-+ else:
-+ expected_error_mode = 0
-+ check_error_fn = None
-+ check_rep_fn = self.generic_check_kdc_rep
-+
-+ kdc_exchange_dict = self.tgs_exchange_dict(
-+ expected_crealm=expected_crealm,
-+ expected_cname=expected_cname,
-+ expected_srealm=expected_srealm,
-+ expected_sname=expected_sname,
-+ expected_account_name=expected_account_name,
-+ expected_upn_name=expected_upn_name,
-+ expected_sid=expected_sid,
-+ expected_supported_etypes=expected_supported_etypes,
-+ ticket_decryption_key=target_decryption_key,
-+ check_error_fn=check_error_fn,
-+ check_rep_fn=check_rep_fn,
-+ check_kdc_private_fn=self.generic_check_kdc_private,
-+ expected_error_mode=expected_error_mode,
-+ tgt=tgt,
-+ authenticator_subkey=authenticator_subkey,
-+ kdc_options=kdc_options,
-+ pac_request=pac_request,
-+ expect_pac=expect_pac,
-+ expect_edata=False)
-+
-+ rep = self._generic_kdc_exchange(kdc_exchange_dict,
-+ cname=cname,
-+ realm=realm,
-+ sname=sname,
-+ etypes=etypes)
-+ if expect_error:
-+ self.check_error_rep(rep, expected_error_mode)
-+
-+ return None
-+ else:
-+ self.check_reply(rep, KRB_TGS_REP)
-+
-+ return kdc_exchange_dict['rep_ticket_creds']
-+
- # Named tuple to contain values of interest when the PAC is decoded.
- PacData = namedtuple(
- "PacData",
-diff --git python/samba/tests/krb5/kdc_tgs_tests.py python/samba/tests/krb5/kdc_tgs_tests.py
-index 8cd27dec2aa..e52f46152fa 100755
---- python/samba/tests/krb5/kdc_tgs_tests.py
-+++ python/samba/tests/krb5/kdc_tgs_tests.py
-@@ -230,82 +230,6 @@ class KdcTgsTests(KDCBaseTest):
- pac_data.account_sid,
- "rep = {%s},%s" % (rep, pac_data))
-
-- def _make_tgs_request(self, client_creds, service_creds, tgt,
-- pac_request=None, expect_pac=True,
-- expect_error=False,
-- expected_account_name=None,
-- expected_upn_name=None,
-- expected_sid=None):
-- client_account = client_creds.get_username()
-- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-- names=[client_account])
--
-- service_account = service_creds.get_username()
-- sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-- names=[service_account])
--
-- realm = service_creds.get_realm()
--
-- expected_crealm = realm
-- expected_cname = cname
-- expected_srealm = realm
-- expected_sname = sname
--
-- expected_supported_etypes = service_creds.tgs_supported_enctypes
--
-- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
--
-- kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
--
-- target_decryption_key = self.TicketDecryptionKey_from_creds(
-- service_creds)
--
-- authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
--
-- if expect_error:
-- expected_error_mode = KDC_ERR_TGT_REVOKED
-- check_error_fn = self.generic_check_kdc_error
-- check_rep_fn = None
-- else:
-- expected_error_mode = 0
-- check_error_fn = None
-- check_rep_fn = self.generic_check_kdc_rep
--
-- kdc_exchange_dict = self.tgs_exchange_dict(
-- expected_crealm=expected_crealm,
-- expected_cname=expected_cname,
-- expected_srealm=expected_srealm,
-- expected_sname=expected_sname,
-- expected_account_name=expected_account_name,
-- expected_upn_name=expected_upn_name,
-- expected_sid=expected_sid,
-- expected_supported_etypes=expected_supported_etypes,
-- ticket_decryption_key=target_decryption_key,
-- check_error_fn=check_error_fn,
-- check_rep_fn=check_rep_fn,
-- check_kdc_private_fn=self.generic_check_kdc_private,
-- expected_error_mode=expected_error_mode,
-- tgt=tgt,
-- authenticator_subkey=authenticator_subkey,
-- kdc_options=kdc_options,
-- pac_request=pac_request,
-- expect_pac=expect_pac,
-- expect_edata=False)
--
-- rep = self._generic_kdc_exchange(kdc_exchange_dict,
-- cname=cname,
-- realm=realm,
-- sname=sname,
-- etypes=etypes)
-- if expect_error:
-- self.check_error_rep(rep, expected_error_mode)
--
-- return None
-- else:
-- self.check_reply(rep, KRB_TGS_REP)
--
-- return kdc_exchange_dict['rep_ticket_creds']
--
- def test_request(self):
- client_creds = self.get_client_creds()
- service_creds = self.get_service_creds()
---
-2.25.1
-
-
-From 245d9a42329a1bfeb3db8431ef105e7758080e14 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:06:53 +1200
-Subject: [PATCH 61/99] CVE-2022-32744 tests/krb5: Correctly calculate salt for
- pre-existing accounts
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/kdc_base_test.py | 1 +
- python/samba/tests/krb5/raw_testcase.py | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 2117663b26b..685a6f71f88 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -1048,6 +1048,7 @@ class KDCBaseTest(RawKerberosTest):
-
- kvno = int(res[0]['msDS-KeyVersionNumber'][0])
- creds.set_kvno(kvno)
-+ creds.set_workstation(username[:-1])
- creds.set_dn(dn)
-
- keys = self.get_keys(samdb, dn)
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 4120edf93b9..a9a98c36cbf 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -834,6 +834,7 @@ class RawKerberosTest(TestCaseInTempDir):
- allow_missing_password=allow_missing_password,
- allow_missing_keys=allow_missing_keys)
- c.set_gensec_features(c.get_gensec_features() | FEATURE_SEAL)
-+ c.set_workstation('')
- return c
-
- def get_rodc_krbtgt_creds(self,
---
-2.25.1
-
-
-From f7fad997cc06a14c9ffd101b26e16598f334148b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:13:54 +1200
-Subject: [PATCH 62/99] CVE-2022-2031 tests/krb5: Add new definitions for
- kpasswd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/rfc4120.asn1 | 6 ++++++
- python/samba/tests/krb5/rfc4120_constants.py | 13 +++++++++++++
- python/samba/tests/krb5/rfc4120_pyasn1.py | 13 ++++++++++++-
- 3 files changed, 31 insertions(+), 1 deletion(-)
-
-diff --git python/samba/tests/krb5/rfc4120.asn1 python/samba/tests/krb5/rfc4120.asn1
-index e0831e1f86f..cac884be985 100644
---- python/samba/tests/krb5/rfc4120.asn1
-+++ python/samba/tests/krb5/rfc4120.asn1
-@@ -567,6 +567,12 @@ PA-FX-FAST-REPLY ::= CHOICE {
- ...
- }
-
-+ChangePasswdDataMS ::= SEQUENCE {
-+ newpasswd [0] OCTET STRING,
-+ targname [1] PrincipalName OPTIONAL,
-+ targrealm [2] Realm OPTIONAL
-+}
-+
- -- MS-KILE End
- --
- --
-diff --git python/samba/tests/krb5/rfc4120_constants.py python/samba/tests/krb5/rfc4120_constants.py
-index a9fdc5735dd..7f0f44500c7 100644
---- python/samba/tests/krb5/rfc4120_constants.py
-+++ python/samba/tests/krb5/rfc4120_constants.py
-@@ -27,11 +27,13 @@ ARCFOUR_HMAC_MD5 = int(
-
- # Message types
- KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error'))
-+KRB_AP_REP = int(krb5_asn1.MessageTypeValues('krb-ap-rep'))
- KRB_AP_REQ = int(krb5_asn1.MessageTypeValues('krb-ap-req'))
- KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep'))
- KRB_AS_REQ = int(krb5_asn1.MessageTypeValues('krb-as-req'))
- KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep'))
- KRB_TGS_REQ = int(krb5_asn1.MessageTypeValues('krb-tgs-req'))
-+KRB_PRIV = int(krb5_asn1.MessageTypeValues('krb-priv'))
-
- # PAData types
- PADATA_ENC_TIMESTAMP = int(
-@@ -76,6 +78,7 @@ KDC_ERR_TGT_REVOKED = 20
- KDC_ERR_PREAUTH_FAILED = 24
- KDC_ERR_PREAUTH_REQUIRED = 25
- KDC_ERR_BAD_INTEGRITY = 31
-+KDC_ERR_TKT_EXPIRED = 32
- KRB_ERR_TKT_NYV = 33
- KDC_ERR_NOT_US = 35
- KDC_ERR_BADMATCH = 36
-@@ -87,6 +90,16 @@ KDC_ERR_WRONG_REALM = 68
- KDC_ERR_CLIENT_NAME_MISMATCH = 75
- KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS = 93
-
-+# Kpasswd error codes
-+KPASSWD_SUCCESS = 0
-+KPASSWD_MALFORMED = 1
-+KPASSWD_HARDERROR = 2
-+KPASSWD_AUTHERROR = 3
-+KPASSWD_SOFTERROR = 4
-+KPASSWD_ACCESSDENIED = 5
-+KPASSWD_BAD_VERSION = 6
-+KPASSWD_INITIAL_FLAG_NEEDED = 7
-+
- # Extended error types
- KERB_AP_ERR_TYPE_SKEW_RECOVERY = int(
- krb5_asn1.KerbErrorDataTypeValues('kERB-AP-ERR-TYPE-SKEW-RECOVERY'))
-diff --git python/samba/tests/krb5/rfc4120_pyasn1.py python/samba/tests/krb5/rfc4120_pyasn1.py
-index 348dd8c63fb..3c02b0efbc1 100644
---- python/samba/tests/krb5/rfc4120_pyasn1.py
-+++ python/samba/tests/krb5/rfc4120_pyasn1.py
-@@ -1,5 +1,5 @@
- # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1
--# (last modified on 2021-06-25 12:10:34.484667)
-+# (last modified on 2022-05-13 20:03:06.039817)
-
- # KerberosV5Spec2
- from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful
-@@ -364,6 +364,17 @@ Authenticator.componentType = namedtype.NamedTypes(
- )
-
-
-+class ChangePasswdDataMS(univ.Sequence):
-+ pass
-+
-+
-+ChangePasswdDataMS.componentType = namedtype.NamedTypes(
-+ namedtype.NamedType('newpasswd', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))),
-+ namedtype.OptionalNamedType('targname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))),
-+ namedtype.OptionalNamedType('targrealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2)))
-+)
-+
-+
- class ChecksumTypeValues(univ.Integer):
- pass
-
---
-2.25.1
-
-
-From 695c662bdc286d7a4699025f00656f8339ceecd8 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:17:45 +1200
-Subject: [PATCH 63/99] CVE-2022-2031 tests/krb5: Add methods to create ASN1
- kpasswd structures
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/raw_testcase.py | 95 +++++++++++++++++++++++++
- 1 file changed, 95 insertions(+)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index a9a98c36cbf..df41dff688d 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -54,6 +54,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KRB_AS_REP,
- KRB_AS_REQ,
- KRB_ERROR,
-+ KRB_PRIV,
- KRB_TGS_REP,
- KRB_TGS_REQ,
- KU_AP_REQ_AUTH,
-@@ -63,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KU_FAST_FINISHED,
- KU_FAST_REP,
- KU_FAST_REQ_CHKSUM,
-+ KU_KRB_PRIV,
- KU_NON_KERB_CKSUM_SALT,
- KU_TGS_REP_ENC_PART_SESSION,
- KU_TGS_REP_ENC_PART_SUB_KEY,
-@@ -1780,6 +1782,99 @@ class RawKerberosTest(TestCaseInTempDir):
- PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self())
- return self.PA_DATA_create(PADATA_FOR_USER, pa_s4u2self)
-
-+ def ChangePasswdDataMS_create(self,
-+ new_password,
-+ target_princ=None,
-+ target_realm=None):
-+ ChangePasswdDataMS_obj = {
-+ 'newpasswd': new_password,
-+ }
-+ if target_princ is not None:
-+ ChangePasswdDataMS_obj['targname'] = target_princ
-+ if target_realm is not None:
-+ ChangePasswdDataMS_obj['targrealm'] = target_realm
-+
-+ change_password_data = self.der_encode(
-+ ChangePasswdDataMS_obj, asn1Spec=krb5_asn1.ChangePasswdDataMS())
-+
-+ return change_password_data
-+
-+ def KRB_PRIV_create(self,
-+ subkey,
-+ user_data,
-+ s_address,
-+ timestamp=None,
-+ usec=None,
-+ seq_number=None,
-+ r_address=None):
-+ EncKrbPrivPart_obj = {
-+ 'user-data': user_data,
-+ 's-address': s_address,
-+ }
-+ if timestamp is not None:
-+ EncKrbPrivPart_obj['timestamp'] = timestamp
-+ if usec is not None:
-+ EncKrbPrivPart_obj['usec'] = usec
-+ if seq_number is not None:
-+ EncKrbPrivPart_obj['seq-number'] = seq_number
-+ if r_address is not None:
-+ EncKrbPrivPart_obj['r-address'] = r_address
-+
-+ enc_krb_priv_part = self.der_encode(
-+ EncKrbPrivPart_obj, asn1Spec=krb5_asn1.EncKrbPrivPart())
-+
-+ enc_data = self.EncryptedData_create(subkey,
-+ KU_KRB_PRIV,
-+ enc_krb_priv_part)
-+
-+ KRB_PRIV_obj = {
-+ 'pvno': 5,
-+ 'msg-type': KRB_PRIV,
-+ 'enc-part': enc_data,
-+ }
-+
-+ krb_priv = self.der_encode(
-+ KRB_PRIV_obj, asn1Spec=krb5_asn1.KRB_PRIV())
-+
-+ return krb_priv
-+
-+ def kpasswd_create(self,
-+ subkey,
-+ user_data,
-+ version,
-+ seq_number,
-+ ap_req,
-+ local_address,
-+ remote_address):
-+ self.assertIsNotNone(self.s, 'call self.connect() first')
-+
-+ timestamp, usec = self.get_KerberosTimeWithUsec()
-+
-+ krb_priv = self.KRB_PRIV_create(subkey,
-+ user_data,
-+ s_address=local_address,
-+ timestamp=timestamp,
-+ usec=usec,
-+ seq_number=seq_number,
-+ r_address=remote_address)
-+
-+ size = 6 + len(ap_req) + len(krb_priv)
-+ self.assertLess(size, 0x10000)
-+
-+ msg = bytearray()
-+ msg.append(size >> 8)
-+ msg.append(size & 0xff)
-+ msg.append(version >> 8)
-+ msg.append(version & 0xff)
-+ msg.append(len(ap_req) >> 8)
-+ msg.append(len(ap_req) & 0xff)
-+ # Note: for sets, there could be a little-endian four-byte length here.
-+
-+ msg.extend(ap_req)
-+ msg.extend(krb_priv)
-+
-+ return msg
-+
- def _generic_kdc_exchange(self,
- kdc_exchange_dict, # required
- cname=None, # optional
---
-2.25.1
-
-
-From ae7dd875cd4362ed4346716db493164c421b889f Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:21:37 +1200
-Subject: [PATCH 64/99] CVE-2022-2031 tests/krb5: Add 'port' parameter to
- connect()
-
-This allows us to use the kpasswd port, 464.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/raw_testcase.py | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index df41dff688d..421143781ae 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -638,10 +638,11 @@ class RawKerberosTest(TestCaseInTempDir):
- if self.do_hexdump:
- sys.stderr.write("disconnect[%s]\n" % reason)
-
-- def _connect_tcp(self, host):
-- tcp_port = 88
-+ def _connect_tcp(self, host, port=None):
-+ if port is None:
-+ port = 88
- try:
-- self.a = socket.getaddrinfo(host, tcp_port, socket.AF_UNSPEC,
-+ self.a = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
- socket.SOCK_STREAM, socket.SOL_TCP,
- 0)
- self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2])
-@@ -654,9 +655,9 @@ class RawKerberosTest(TestCaseInTempDir):
- self.s.close()
- raise
-
-- def connect(self, host):
-+ def connect(self, host, port=None):
- self.assertNotConnected()
-- self._connect_tcp(host)
-+ self._connect_tcp(host, port)
- if self.do_hexdump:
- sys.stderr.write("connected[%s]\n" % host)
-
---
-2.25.1
-
-
-From 13fe7e013eccca2c86258084f4443ddb7abaf089 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:20:28 +1200
-Subject: [PATCH 65/99] CVE-2022-2031 tests/krb5: Add methods to send and
- receive generic messages
-
-This allows us to send and receive kpasswd messages, while avoiding the
-existing logic for encoding and decoding other Kerberos message types.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/raw_testcase.py | 44 +++++++++++++++----------
- 1 file changed, 27 insertions(+), 17 deletions(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 421143781ae..2aed5530455 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -920,24 +920,28 @@ class RawKerberosTest(TestCaseInTempDir):
- return blob
-
- def send_pdu(self, req, asn1_print=None, hexdump=None):
-+ k5_pdu = self.der_encode(
-+ req, native_decode=False, asn1_print=asn1_print, hexdump=False)
-+ self.send_msg(k5_pdu, hexdump=hexdump)
-+
-+ def send_msg(self, msg, hexdump=None):
-+ header = struct.pack('>I', len(msg))
-+ req_pdu = header
-+ req_pdu += msg
-+ self.hex_dump("send_msg", header, hexdump=hexdump)
-+ self.hex_dump("send_msg", msg, hexdump=hexdump)
-+
- try:
-- k5_pdu = self.der_encode(
-- req, native_decode=False, asn1_print=asn1_print, hexdump=False)
-- header = struct.pack('>I', len(k5_pdu))
-- req_pdu = header
-- req_pdu += k5_pdu
-- self.hex_dump("send_pdu", header, hexdump=hexdump)
-- self.hex_dump("send_pdu", k5_pdu, hexdump=hexdump)
- while True:
- sent = self.s.send(req_pdu, 0)
- if sent == len(req_pdu):
-- break
-+ return
- req_pdu = req_pdu[sent:]
- except socket.error as e:
-- self._disconnect("send_pdu: %s" % e)
-+ self._disconnect("send_msg: %s" % e)
- raise
- except IOError as e:
-- self._disconnect("send_pdu: %s" % e)
-+ self._disconnect("send_msg: %s" % e)
- raise
-
- def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None):
-@@ -963,16 +967,14 @@ class RawKerberosTest(TestCaseInTempDir):
- return rep_pdu
-
- def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None):
-- rep_pdu = None
-- rep = None
- raw_pdu = self.recv_raw(
- num_recv=4, hexdump=hexdump, timeout=timeout)
- if raw_pdu is None:
-- return (None, None)
-+ return None
- header = struct.unpack(">I", raw_pdu[0:4])
- k5_len = header[0]
- if k5_len == 0:
-- return (None, "")
-+ return ""
- missing = k5_len
- rep_pdu = b''
- while missing > 0:
-@@ -981,6 +983,14 @@ class RawKerberosTest(TestCaseInTempDir):
- self.assertGreaterEqual(len(raw_pdu), 1)
- rep_pdu += raw_pdu
- missing = k5_len - len(rep_pdu)
-+ return rep_pdu
-+
-+ def recv_reply(self, asn1_print=None, hexdump=None, timeout=None):
-+ rep_pdu = self.recv_pdu_raw(asn1_print=asn1_print,
-+ hexdump=hexdump,
-+ timeout=timeout)
-+ if not rep_pdu:
-+ return None, rep_pdu
- k5_raw = self.der_decode(
- rep_pdu,
- asn1Spec=None,
-@@ -1002,9 +1012,9 @@ class RawKerberosTest(TestCaseInTempDir):
- return (rep, rep_pdu)
-
- def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None):
-- (rep, rep_pdu) = self.recv_pdu_raw(asn1_print=asn1_print,
-- hexdump=hexdump,
-- timeout=timeout)
-+ (rep, rep_pdu) = self.recv_reply(asn1_print=asn1_print,
-+ hexdump=hexdump,
-+ timeout=timeout)
- return rep
-
- def assertIsConnected(self):
---
-2.25.1
-
-
-From ca582250fcaf2ad3c585f7e31a1a4ce568b7ddb7 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:26:56 +1200
-Subject: [PATCH 66/99] tests/krb5: Fix enum typo
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/kdc_base_test.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 685a6f71f88..14f1d1a243d 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -248,9 +248,9 @@ class KDCBaseTest(RawKerberosTest):
- which is used by tearDownClass to clean up the created accounts.
- '''
- if ou is None:
-- if account_type is account_type.COMPUTER:
-+ if account_type is self.AccountType.COMPUTER:
- guid = DS_GUID_COMPUTERS_CONTAINER
-- elif account_type is account_type.SERVER:
-+ elif account_type is self.AccountType.SERVER:
- guid = DS_GUID_DOMAIN_CONTROLLERS_CONTAINER
- else:
- guid = DS_GUID_USERS_CONTAINER
---
-2.25.1
-
-
-From 5b030b176b853938b1895ec255e838147d8e7fa9 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:30:12 +1200
-Subject: [PATCH 67/99] tests/krb5: Add option for creating accounts with
- expired passwords
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- python/samba/tests/krb5/kdc_base_test.py | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 14f1d1a243d..777b3b4aaf1 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -242,7 +242,8 @@ class KDCBaseTest(RawKerberosTest):
-
- def create_account(self, samdb, name, account_type=AccountType.USER,
- spn=None, upn=None, additional_details=None,
-- ou=None, account_control=0, add_dollar=True):
-+ ou=None, account_control=0, add_dollar=True,
-+ expired_password=False):
- '''Create an account for testing.
- The dn of the created account is added to self.accounts,
- which is used by tearDownClass to clean up the created accounts.
-@@ -294,6 +295,8 @@ class KDCBaseTest(RawKerberosTest):
- details["servicePrincipalName"] = spn
- if upn is not None:
- details["userPrincipalName"] = upn
-+ if expired_password:
-+ details["pwdLastSet"] = "0"
- if additional_details is not None:
- details.update(additional_details)
- samdb.add(details)
-@@ -653,6 +656,7 @@ class KDCBaseTest(RawKerberosTest):
- 'revealed_to_rodc': False,
- 'revealed_to_mock_rodc': False,
- 'no_auth_data_required': False,
-+ 'expired_password': False,
- 'supported_enctypes': None,
- 'not_delegated': False,
- 'delegation_to_spn': None,
-@@ -695,6 +699,7 @@ class KDCBaseTest(RawKerberosTest):
- revealed_to_rodc,
- revealed_to_mock_rodc,
- no_auth_data_required,
-+ expired_password,
- supported_enctypes,
- not_delegated,
- delegation_to_spn,
-@@ -754,7 +759,8 @@ class KDCBaseTest(RawKerberosTest):
- spn=spn,
- additional_details=details,
- account_control=user_account_control,
-- add_dollar=add_dollar)
-+ add_dollar=add_dollar,
-+ expired_password=expired_password)
-
- keys = self.get_keys(samdb, dn)
- self.creds_set_keys(creds, keys)
---
-2.25.1
-
-
-From 5c41e20fae268e04aa05e821c7f388ea090727af Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:34:59 +1200
-Subject: [PATCH 68/99] CVE-2022-2031 tests/krb5: Allow requesting a TGT to a
- different sname and realm
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflict due to lacking rc4_support parameter]
-
-[jsutton@samba.org Fixed conflicts due to lacking client_name_type and
- expected_cname parameters]
----
- python/samba/tests/krb5/kdc_base_test.py | 19 +++++++++++++------
- 1 file changed, 13 insertions(+), 6 deletions(-)
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index 777b3b4aaf1..c0ca881985a 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -1344,10 +1344,12 @@ class KDCBaseTest(RawKerberosTest):
- expected_flags=None, unexpected_flags=None,
- pac_request=True, expect_pac=True, fresh=False):
- user_name = tgt.cname['name-string'][0]
-+ ticket_sname = tgt.sname
- if target_name is None:
- target_name = target_creds.get_username()[:-1]
- cache_key = (user_name, target_name, service, to_rodc, kdc_options,
- pac_request, str(expected_flags), str(unexpected_flags),
-+ str(ticket_sname),
- expect_pac)
-
- if not fresh:
-@@ -1414,6 +1416,7 @@ class KDCBaseTest(RawKerberosTest):
- expected_flags=None, unexpected_flags=None,
- expected_account_name=None, expected_upn_name=None,
- expected_sid=None,
-+ sname=None, realm=None,
- pac_request=True, expect_pac=True,
- expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
- expect_requester_sid=None,
-@@ -1422,6 +1425,7 @@ class KDCBaseTest(RawKerberosTest):
- cache_key = (user_name, to_rodc, kdc_options, pac_request,
- str(expected_flags), str(unexpected_flags),
- expected_account_name, expected_upn_name, expected_sid,
-+ str(sname), str(realm),
- expect_pac, expect_pac_attrs,
- expect_pac_attrs_pac_request, expect_requester_sid)
-
-@@ -1431,15 +1435,21 @@ class KDCBaseTest(RawKerberosTest):
- if tgt is not None:
- return tgt
-
-- realm = creds.get_realm()
-+ if realm is None:
-+ realm = creds.get_realm()
-
- salt = creds.get_salt()
-
- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[user_name])
-- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-- names=['krbtgt', realm])
-+ if sname is None:
-+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=['krbtgt', realm])
-+ expected_sname = self.PrincipalName_create(
-+ name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
-+ else:
-+ expected_sname = sname
-
- till = self.get_KerberosTime(offset=36000)
-
-@@ -1505,9 +1515,6 @@ class KDCBaseTest(RawKerberosTest):
-
- expected_realm = realm.upper()
-
-- expected_sname = self.PrincipalName_create(
-- name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
--
- rep, kdc_exchange_dict = self._test_as_exchange(
- cname=cname,
- realm=realm,
---
-2.25.1
-
-
-From 668825ad56ff70715c626bc3209a6868409e4969 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:57:57 +1200
-Subject: [PATCH 69/99] CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
-
-Now we can test the kpasswd service from Python.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflicts in imports]
----
- python/samba/tests/krb5/raw_testcase.py | 264 ++++++++++++++++++++++--
- 1 file changed, 251 insertions(+), 13 deletions(-)
-
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 2aed5530455..57010ae73bd 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -26,6 +26,8 @@ import binascii
- import itertools
- import collections
-
-+from enum import Enum
-+
- from pyasn1.codec.der.decoder import decode as pyasn1_der_decode
- from pyasn1.codec.der.encoder import encode as pyasn1_der_encode
- from pyasn1.codec.native.decoder import decode as pyasn1_native_decode
-@@ -33,6 +35,8 @@ from pyasn1.codec.native.encoder import encode as pyasn1_native_encode
-
- from pyasn1.codec.ber.encoder import BitStringEncoder
-
-+from pyasn1.error import PyAsn1Error
-+
- from samba.credentials import Credentials
- from samba.dcerpc import krb5pac, security
- from samba.gensec import FEATURE_SEAL
-@@ -50,6 +54,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KDC_ERR_PREAUTH_FAILED,
- KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
- KERB_ERR_TYPE_EXTENDED,
-+ KRB_AP_REP,
- KRB_AP_REQ,
- KRB_AS_REP,
- KRB_AS_REQ,
-@@ -59,6 +64,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KRB_TGS_REQ,
- KU_AP_REQ_AUTH,
- KU_AS_REP_ENC_PART,
-+ KU_AP_REQ_ENC_PART,
- KU_ENC_CHALLENGE_KDC,
- KU_FAST_ENC,
- KU_FAST_FINISHED,
-@@ -73,6 +79,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KU_TGS_REQ_AUTH_DAT_SESSION,
- KU_TGS_REQ_AUTH_DAT_SUBKEY,
- KU_TICKET,
-+ NT_PRINCIPAL,
- NT_SRV_INST,
- NT_WELLKNOWN,
- PADATA_ENCRYPTED_CHALLENGE,
-@@ -515,6 +522,10 @@ class KerberosTicketCreds:
- class RawKerberosTest(TestCaseInTempDir):
- """A raw Kerberos Test case."""
-
-+ class KpasswdMode(Enum):
-+ SET = object()
-+ CHANGE = object()
-+
- pac_checksum_types = {krb5pac.PAC_TYPE_SRV_CHECKSUM,
- krb5pac.PAC_TYPE_KDC_CHECKSUM,
- krb5pac.PAC_TYPE_TICKET_CHECKSUM}
-@@ -1886,6 +1897,224 @@ class RawKerberosTest(TestCaseInTempDir):
-
- return msg
-
-+ def get_enc_part(self, obj, key, usage):
-+ self.assertElementEqual(obj, 'pvno', 5)
-+
-+ enc_part = obj['enc-part']
-+ self.assertElementEqual(enc_part, 'etype', key.etype)
-+ self.assertElementKVNO(enc_part, 'kvno', key.kvno)
-+
-+ enc_part = key.decrypt(usage, enc_part['cipher'])
-+
-+ return enc_part
-+
-+ def kpasswd_exchange(self,
-+ ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode,
-+ target_princ=None,
-+ target_realm=None,
-+ ap_options=None,
-+ send_seq_number=True):
-+ if mode is self.KpasswdMode.SET:
-+ version = 0xff80
-+ user_data = self.ChangePasswdDataMS_create(new_password,
-+ target_princ,
-+ target_realm)
-+ elif mode is self.KpasswdMode.CHANGE:
-+ self.assertIsNone(target_princ,
-+ 'target_princ only valid for pw set')
-+ self.assertIsNone(target_realm,
-+ 'target_realm only valid for pw set')
-+
-+ version = 1
-+ user_data = new_password.encode('utf-8')
-+ else:
-+ self.fail(f'invalid mode {mode}')
-+
-+ subkey = self.RandomKey(kcrypto.Enctype.AES256)
-+
-+ if ap_options is None:
-+ ap_options = '0'
-+ ap_options = str(krb5_asn1.APOptions(ap_options))
-+
-+ kdc_exchange_dict = {
-+ 'tgt': ticket,
-+ 'authenticator_subkey': subkey,
-+ 'auth_data': None,
-+ 'ap_options': ap_options,
-+ }
-+
-+ if send_seq_number:
-+ seq_number = random.randint(0, 0xfffffffe)
-+ else:
-+ seq_number = None
-+
-+ ap_req = self.generate_ap_req(kdc_exchange_dict,
-+ None,
-+ req_body=None,
-+ armor=False,
-+ usage=KU_AP_REQ_AUTH,
-+ seq_number=seq_number)
-+
-+ self.connect(self.host, port=464)
-+ self.assertIsNotNone(self.s)
-+
-+ family = self.s.family
-+
-+ if family == socket.AF_INET:
-+ addr_type = 2 # IPv4
-+ elif family == socket.AF_INET6:
-+ addr_type = 24 # IPv6
-+ else:
-+ self.fail(f'unknown family {family}')
-+
-+ def create_address(ip):
-+ return {
-+ 'addr-type': addr_type,
-+ 'address': socket.inet_pton(family, ip),
-+ }
-+
-+ local_ip = self.s.getsockname()[0]
-+ local_address = create_address(local_ip)
-+
-+ # remote_ip = self.s.getpeername()[0]
-+ # remote_address = create_address(remote_ip)
-+
-+ # TODO: due to a bug (?), MIT Kerberos will not accept the request
-+ # unless r-address is set to our _local_ address. Heimdal, on the other
-+ # hand, requires the r-address is set to the remote address (as
-+ # expected). To avoid problems, avoid sending r-address for now.
-+ remote_address = None
-+
-+ msg = self.kpasswd_create(subkey,
-+ user_data,
-+ version,
-+ seq_number,
-+ ap_req,
-+ local_address,
-+ remote_address)
-+
-+ self.send_msg(msg)
-+ rep_pdu = self.recv_pdu_raw()
-+
-+ self._disconnect('transaction done')
-+
-+ self.assertIsNotNone(rep_pdu)
-+
-+ header = rep_pdu[:6]
-+ reply = rep_pdu[6:]
-+
-+ reply_len = (header[0] << 8) | header[1]
-+ reply_version = (header[2] << 8) | header[3]
-+ ap_rep_len = (header[4] << 8) | header[5]
-+
-+ self.assertEqual(reply_len, len(rep_pdu))
-+ self.assertEqual(1, reply_version) # KRB5_KPASSWD_VERS_CHANGEPW
-+ self.assertLess(ap_rep_len, reply_len)
-+
-+ self.assertNotEqual(0x7e, rep_pdu[1])
-+ self.assertNotEqual(0x5e, rep_pdu[1])
-+
-+ if ap_rep_len:
-+ # We received an AP-REQ and KRB-PRIV as a response. This may or may
-+ # not indicate an error, depending on the status code.
-+ ap_rep = reply[:ap_rep_len]
-+ krb_priv = reply[ap_rep_len:]
-+
-+ key = ticket.session_key
-+
-+ ap_rep = self.der_decode(ap_rep, asn1Spec=krb5_asn1.AP_REP())
-+ self.assertElementEqual(ap_rep, 'msg-type', KRB_AP_REP)
-+ enc_part = self.get_enc_part(ap_rep, key, KU_AP_REQ_ENC_PART)
-+ enc_part = self.der_decode(
-+ enc_part, asn1Spec=krb5_asn1.EncAPRepPart())
-+
-+ self.assertElementPresent(enc_part, 'ctime')
-+ self.assertElementPresent(enc_part, 'cusec')
-+ # self.assertElementMissing(enc_part, 'subkey') # TODO
-+ # self.assertElementPresent(enc_part, 'seq-number') # TODO
-+
-+ try:
-+ krb_priv = self.der_decode(krb_priv, asn1Spec=krb5_asn1.KRB_PRIV())
-+ except PyAsn1Error:
-+ self.fail()
-+
-+ self.assertElementEqual(krb_priv, 'msg-type', KRB_PRIV)
-+ priv_enc_part = self.get_enc_part(krb_priv, subkey, KU_KRB_PRIV)
-+ priv_enc_part = self.der_decode(
-+ priv_enc_part, asn1Spec=krb5_asn1.EncKrbPrivPart())
-+
-+ self.assertElementMissing(priv_enc_part, 'timestamp')
-+ self.assertElementMissing(priv_enc_part, 'usec')
-+ # self.assertElementPresent(priv_enc_part, 'seq-number') # TODO
-+ # self.assertElementEqual(priv_enc_part, 's-address', remote_address) # TODO
-+ # self.assertElementMissing(priv_enc_part, 'r-address') # TODO
-+
-+ result_data = priv_enc_part['user-data']
-+ else:
-+ # We received a KRB-ERROR as a response, indicating an error.
-+ krb_error = self.der_decode(reply, asn1Spec=krb5_asn1.KRB_ERROR())
-+
-+ sname = self.PrincipalName_create(
-+ name_type=NT_PRINCIPAL,
-+ names=['kadmin', 'changepw'])
-+ realm = self.get_krbtgt_creds().get_realm().upper()
-+
-+ self.assertElementEqual(krb_error, 'pvno', 5)
-+ self.assertElementEqual(krb_error, 'msg-type', KRB_ERROR)
-+ self.assertElementMissing(krb_error, 'ctime')
-+ self.assertElementMissing(krb_error, 'usec')
-+ self.assertElementPresent(krb_error, 'stime')
-+ self.assertElementPresent(krb_error, 'susec')
-+
-+ error_code = krb_error['error-code']
-+ if isinstance(expected_code, int):
-+ self.assertEqual(error_code, expected_code)
-+ else:
-+ self.assertIn(error_code, expected_code)
-+
-+ self.assertElementMissing(krb_error, 'crealm')
-+ self.assertElementMissing(krb_error, 'cname')
-+ self.assertElementEqual(krb_error, 'realm', realm.encode('utf-8'))
-+ self.assertElementEqualPrincipal(krb_error, 'sname', sname)
-+ self.assertElementMissing(krb_error, 'e-text')
-+
-+ result_data = krb_error['e-data']
-+
-+ status = result_data[:2]
-+ message = result_data[2:]
-+
-+ status_code = (status[0] << 8) | status[1]
-+ if isinstance(expected_code, int):
-+ self.assertEqual(status_code, expected_code)
-+ else:
-+ self.assertIn(status_code, expected_code)
-+
-+ if not message:
-+ self.assertEqual(0, status_code,
-+ 'got an error result, but no message')
-+ return
-+
-+ # Check the first character of the message.
-+ if message[0]:
-+ if isinstance(expected_msg, bytes):
-+ self.assertEqual(message, expected_msg)
-+ else:
-+ self.assertIn(message, expected_msg)
-+ else:
-+ # We got AD password policy information.
-+ self.assertEqual(30, len(message))
-+
-+ (empty_bytes,
-+ min_length,
-+ history_length,
-+ properties,
-+ expire_time,
-+ min_age) = struct.unpack('>HIIIQQ', message)
-+
- def _generic_kdc_exchange(self,
- kdc_exchange_dict, # required
- cname=None, # optional
-@@ -1996,7 +2225,7 @@ class RawKerberosTest(TestCaseInTempDir):
- self.assertIsNotNone(generate_fast_fn)
- fast_ap_req = generate_fast_armor_fn(kdc_exchange_dict,
- callback_dict,
-- req_body,
-+ None,
- armor=True)
-
- fast_armor_type = kdc_exchange_dict['fast_armor_type']
-@@ -3211,31 +3440,39 @@ class RawKerberosTest(TestCaseInTempDir):
- kdc_exchange_dict,
- _callback_dict,
- req_body,
-- armor):
-+ armor,
-+ usage=None,
-+ seq_number=None):
-+ req_body_checksum = None
-+
- if armor:
-+ self.assertIsNone(req_body)
-+
- tgt = kdc_exchange_dict['armor_tgt']
- authenticator_subkey = kdc_exchange_dict['armor_subkey']
--
-- req_body_checksum = None
- else:
- tgt = kdc_exchange_dict['tgt']
- authenticator_subkey = kdc_exchange_dict['authenticator_subkey']
-- body_checksum_type = kdc_exchange_dict['body_checksum_type']
-
-- req_body_blob = self.der_encode(req_body,
-- asn1Spec=krb5_asn1.KDC_REQ_BODY())
-+ if req_body is not None:
-+ body_checksum_type = kdc_exchange_dict['body_checksum_type']
-+
-+ req_body_blob = self.der_encode(
-+ req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY())
-
-- req_body_checksum = self.Checksum_create(tgt.session_key,
-- KU_TGS_REQ_AUTH_CKSUM,
-- req_body_blob,
-- ctype=body_checksum_type)
-+ req_body_checksum = self.Checksum_create(
-+ tgt.session_key,
-+ KU_TGS_REQ_AUTH_CKSUM,
-+ req_body_blob,
-+ ctype=body_checksum_type)
-
- auth_data = kdc_exchange_dict['auth_data']
-
- subkey_obj = None
- if authenticator_subkey is not None:
- subkey_obj = authenticator_subkey.export_obj()
-- seq_number = random.randint(0, 0xfffffffe)
-+ if seq_number is None:
-+ seq_number = random.randint(0, 0xfffffffe)
- (ctime, cusec) = self.get_KerberosTimeWithUsec()
- authenticator_obj = self.Authenticator_create(
- crealm=tgt.crealm,
-@@ -3250,7 +3487,8 @@ class RawKerberosTest(TestCaseInTempDir):
- authenticator_obj,
- asn1Spec=krb5_asn1.Authenticator())
-
-- usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH
-+ if usage is None:
-+ usage = KU_AP_REQ_AUTH if armor else KU_TGS_REQ_AUTH
- authenticator = self.EncryptedData_create(tgt.session_key,
- usage,
- authenticator_blob)
---
-2.25.1
-
-
-From 450ff39d1c9f538bd828b7b2bee75c88d3dc1ee2 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 19:59:16 +1200
-Subject: [PATCH 71/99] CVE-2022-2031 tests/krb5: Add tests for kpasswd service
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflicts in usage.py and knownfails; removed
- MIT KDC 1.20-specific knownfails as it's not supported]
-
-[jsutton@samba.org Fixed conflicts in usage.py, knownfails, and
- tests.py]
----
- python/samba/tests/krb5/kdc_base_test.py | 4 +-
- python/samba/tests/krb5/kpasswd_tests.py | 1021 ++++++++++++++++++++++
- python/samba/tests/krb5/raw_testcase.py | 8 +
- python/samba/tests/usage.py | 1 +
- selftest/knownfail_heimdal_kdc | 26 +
- selftest/knownfail_mit_kdc | 26 +
- source4/selftest/tests.py | 4 +
- 7 files changed, 1089 insertions(+), 1 deletion(-)
- create mode 100755 python/samba/tests/krb5/kpasswd_tests.py
-
-diff --git python/samba/tests/krb5/kdc_base_test.py python/samba/tests/krb5/kdc_base_test.py
-index c0ca881985a..f0306dde110 100644
---- python/samba/tests/krb5/kdc_base_test.py
-+++ python/samba/tests/krb5/kdc_base_test.py
-@@ -1586,7 +1586,9 @@ class KDCBaseTest(RawKerberosTest):
- authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
-
- if expect_error:
-- expected_error_mode = KDC_ERR_TGT_REVOKED
-+ expected_error_mode = expect_error
-+ if expected_error_mode is True:
-+ expected_error_mode = KDC_ERR_TGT_REVOKED
- check_error_fn = self.generic_check_kdc_error
- check_rep_fn = None
- else:
-diff --git python/samba/tests/krb5/kpasswd_tests.py python/samba/tests/krb5/kpasswd_tests.py
-new file mode 100755
-index 00000000000..3a6c7d818dc
---- /dev/null
-+++ python/samba/tests/krb5/kpasswd_tests.py
-@@ -0,0 +1,1021 @@
-+#!/usr/bin/env python3
-+# Unix SMB/CIFS implementation.
-+# Copyright (C) Stefan Metzmacher 2020
-+# Copyright (C) Catalyst.Net Ltd
-+#
-+# This program is free software; you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation; either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program. If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+import os
-+import sys
-+
-+from functools import partial
-+
-+from samba import generate_random_password, unix2nttime
-+from samba.dcerpc import krb5pac, security
-+from samba.sd_utils import SDUtils
-+
-+from samba.tests.krb5.kdc_base_test import KDCBaseTest
-+from samba.tests.krb5.rfc4120_constants import (
-+ KDC_ERR_TGT_REVOKED,
-+ KDC_ERR_TKT_EXPIRED,
-+ KPASSWD_ACCESSDENIED,
-+ KPASSWD_HARDERROR,
-+ KPASSWD_INITIAL_FLAG_NEEDED,
-+ KPASSWD_MALFORMED,
-+ KPASSWD_SOFTERROR,
-+ KPASSWD_SUCCESS,
-+ NT_PRINCIPAL,
-+ NT_SRV_INST,
-+)
-+
-+sys.path.insert(0, 'bin/python')
-+os.environ['PYTHONUNBUFFERED'] = '1'
-+
-+global_asn1_print = False
-+global_hexdump = False
-+
-+
-+# Note: these tests do not pass on Windows, which returns different error codes
-+# to the ones we have chosen, and does not always return additional error data.
-+class KpasswdTests(KDCBaseTest):
-+
-+ def setUp(self):
-+ super().setUp()
-+ self.do_asn1_print = global_asn1_print
-+ self.do_hexdump = global_hexdump
-+
-+ samdb = self.get_samdb()
-+
-+ # Get the old 'dSHeuristics' if it was set
-+ dsheuristics = samdb.get_dsheuristics()
-+
-+ # Reset the 'dSHeuristics' as they were before
-+ self.addCleanup(samdb.set_dsheuristics, dsheuristics)
-+
-+ # Set the 'dSHeuristics' to activate the correct 'userPassword'
-+ # behaviour
-+ samdb.set_dsheuristics('000000001')
-+
-+ # Get the old 'minPwdAge'
-+ minPwdAge = samdb.get_minPwdAge()
-+
-+ # Reset the 'minPwdAge' as it was before
-+ self.addCleanup(samdb.set_minPwdAge, minPwdAge)
-+
-+ # Set it temporarily to '0'
-+ samdb.set_minPwdAge('0')
-+
-+ def _get_creds(self, expired=False):
-+ opts = {
-+ 'expired_password': expired
-+ }
-+
-+ # Create the account.
-+ creds = self.get_cached_creds(account_type=self.AccountType.USER,
-+ opts=opts,
-+ use_cache=False)
-+
-+ return creds
-+
-+ def issued_by_rodc(self, ticket):
-+ krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
-+
-+ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
-+ checksum_keys = {
-+ krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key,
-+ }
-+
-+ return self.modified_ticket(
-+ ticket,
-+ new_ticket_key=krbtgt_key,
-+ checksum_keys=checksum_keys)
-+
-+ def get_kpasswd_sname(self):
-+ return self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=['kadmin', 'changepw'])
-+
-+ def get_ticket_lifetime(self, ticket):
-+ enc_part = ticket.ticket_private
-+
-+ authtime = enc_part['authtime']
-+ starttime = enc_part.get('starttime', authtime)
-+ endtime = enc_part['endtime']
-+
-+ starttime = self.get_EpochFromKerberosTime(starttime)
-+ endtime = self.get_EpochFromKerberosTime(endtime)
-+
-+ return endtime - starttime
-+
-+ def add_requester_sid(self, pac, sid):
-+ pac_buffers = pac.buffers
-+
-+ buffer_types = [pac_buffer.type for pac_buffer in pac_buffers]
-+ self.assertNotIn(krb5pac.PAC_TYPE_REQUESTER_SID, buffer_types)
-+
-+ requester_sid = krb5pac.PAC_REQUESTER_SID()
-+ requester_sid.sid = security.dom_sid(sid)
-+
-+ requester_sid_buffer = krb5pac.PAC_BUFFER()
-+ requester_sid_buffer.type = krb5pac.PAC_TYPE_REQUESTER_SID
-+ requester_sid_buffer.info = requester_sid
-+
-+ pac_buffers.append(requester_sid_buffer)
-+
-+ pac.buffers = pac_buffers
-+ pac.num_buffers += 1
-+
-+ return pac
-+
-+ # Test setting a password with kpasswd.
-+ def test_kpasswd_set(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Test the newly set password.
-+ creds.update_password(new_password)
-+ self.get_tgt(creds, fresh=True)
-+
-+ # Test changing a password with kpasswd.
-+ def test_kpasswd_change(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test the newly set password.
-+ creds.update_password(new_password)
-+ self.get_tgt(creds, fresh=True)
-+
-+ # Test kpasswd without setting the canonicalize option.
-+ def test_kpasswd_no_canonicalize(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ sname = self.get_kpasswd_sname()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ creds.update_password(new_password)
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ kdc_options='0')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd with the canonicalize option reset and a non-canonical
-+ # (by conversion to title case) realm.
-+ def test_kpasswd_no_canonicalize_realm_case(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ sname = self.get_kpasswd_sname()
-+ realm = creds.get_realm().capitalize() # We use a title-cased realm.
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ realm=realm,
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ creds.update_password(new_password)
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ realm=realm,
-+ kdc_options='0')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd with the canonicalize option set.
-+ def test_kpasswd_canonicalize(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd. We set the canonicalize flag here.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='canonicalize')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ creds.update_password(new_password)
-+
-+ # Get an initial ticket to kpasswd. We set the canonicalize flag here.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='canonicalize')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd with the canonicalize option set and a non-canonical (by
-+ # conversion to title case) realm.
-+ def test_kpasswd_canonicalize_realm_case(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ sname = self.get_kpasswd_sname()
-+ realm = creds.get_realm().capitalize() # We use a title-cased realm.
-+
-+ # Get an initial ticket to kpasswd. We set the canonicalize flag here.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ realm=realm,
-+ kdc_options='canonicalize')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ creds.update_password(new_password)
-+
-+ # Get an initial ticket to kpasswd. We set the canonicalize flag here.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ realm=realm,
-+ kdc_options='canonicalize')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd rejects a password that does not meet complexity
-+ # requirements.
-+ def test_kpasswd_too_weak(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SOFTERROR
-+ expected_msg = b'Password does not meet complexity requirements'
-+
-+ # Set the password.
-+ new_password = 'password'
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd rejects an empty new password.
-+ def test_kpasswd_empty(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SOFTERROR, KPASSWD_HARDERROR
-+ expected_msg = (b'Password too short, password must be at least 7 '
-+ b'characters long.',
-+ b'String conversion failed!')
-+
-+ # Set the password.
-+ new_password = ''
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'String conversion failed!'
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test kpasswd rejects a request that does not include a random sequence
-+ # number.
-+ def test_kpasswd_no_seq_number(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'gensec_unwrap failed - NT_STATUS_ACCESS_DENIED\n'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET,
-+ send_seq_number=False)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE,
-+ send_seq_number=False)
-+
-+ # Test kpasswd rejects a ticket issued by an RODC.
-+ def test_kpasswd_from_rodc(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ # Have the ticket be issued by the RODC.
-+ ticket = self.issued_by_rodc(ticket)
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test setting a password, specifying the principal of the target user.
-+ def test_kpasswd_set_target_princ_only(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+ username = creds.get_username()
-+
-+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=username.split('/'))
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_MALFORMED
-+ expected_msg = (b'Realm and principal must be both present, or '
-+ b'neither present',
-+ b'Failed to decode packet')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET,
-+ target_princ=cname)
-+
-+ # Test that kpasswd rejects a password set specifying only the realm of the
-+ # target user.
-+ def test_kpasswd_set_target_realm_only(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_MALFORMED, KPASSWD_ACCESSDENIED
-+ expected_msg = (b'Realm and principal must be both present, or '
-+ b'neither present',
-+ b'Failed to decode packet',
-+ b'No such user when changing password')
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET,
-+ target_realm=creds.get_realm())
-+
-+ # Show that a user cannot set a password, specifying both principal and
-+ # realm of the target user, without having control access.
-+ def test_kpasswd_set_target_princ_and_realm_no_access(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+ username = creds.get_username()
-+
-+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=username.split('/'))
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_ACCESSDENIED
-+ expected_msg = b'Not permitted to change password'
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET,
-+ target_princ=cname,
-+ target_realm=creds.get_realm())
-+
-+ # Test setting a password, specifying both principal and realm of the
-+ # target user, whem the user has control access on their account.
-+ def test_kpasswd_set_target_princ_and_realm_access(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+ username = creds.get_username()
-+ tgt = self.get_tgt(creds)
-+
-+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=username.split('/'))
-+
-+ samdb = self.get_samdb()
-+ sd_utils = SDUtils(samdb)
-+
-+ user_dn = creds.get_dn()
-+ user_sid = self.get_objectSid(samdb, user_dn)
-+
-+ # Give the user control access on their account.
-+ ace = f'(A;;CR;;;{user_sid})'
-+ sd_utils.dacl_add_ace(user_dn, ace)
-+
-+ # Get a non-initial ticket to kpasswd. Since we have the right to
-+ # change the account's password, we don't need an initial ticket.
-+ krbtgt_creds = self.get_krbtgt_creds()
-+ ticket = self.get_service_ticket(tgt,
-+ krbtgt_creds,
-+ service='kadmin',
-+ target_name='changepw',
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET,
-+ target_princ=cname,
-+ target_realm=creds.get_realm())
-+
-+ # Test setting a password when the existing password has expired.
-+ def test_kpasswd_set_expired_password(self):
-+ # Create an account for testing, with an expired password.
-+ creds = self._get_creds(expired=True)
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Test changing a password when the existing password has expired.
-+ def test_kpasswd_change_expired_password(self):
-+ # Create an account for testing, with an expired password.
-+ creds = self._get_creds(expired=True)
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Check the lifetime of a kpasswd ticket is not more than two minutes.
-+ def test_kpasswd_ticket_lifetime(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ # Check the lifetime of the ticket is equal to two minutes.
-+ lifetime = self.get_ticket_lifetime(ticket)
-+ self.assertEqual(2 * 60, lifetime)
-+
-+ # Ensure we cannot perform a TGS-REQ with a kpasswd ticket.
-+ def test_kpasswd_ticket_tgs(self):
-+ creds = self.get_client_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ # Change the sname of the ticket to match that of a TGT.
-+ realm = creds.get_realm()
-+ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=['krbtgt', realm])
-+ ticket.set_sname(krbtgt_sname)
-+
-+ # Try to use that ticket to get a service ticket.
-+ service_creds = self.get_service_creds()
-+
-+ # This fails due to missing REQUESTER_SID buffer.
-+ self._make_tgs_request(creds, service_creds, ticket,
-+ expect_error=(KDC_ERR_TGT_REVOKED,
-+ KDC_ERR_TKT_EXPIRED))
-+
-+ def modify_requester_sid_time(self, ticket, sid, lifetime):
-+ # Get the krbtgt key.
-+ krbtgt_creds = self.get_krbtgt_creds()
-+
-+ krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
-+ checksum_keys = {
-+ krb5pac.PAC_TYPE_KDC_CHECKSUM: krbtgt_key,
-+ }
-+
-+ # Set authtime and starttime to an hour in the past, to show that they
-+ # do not affect ticket rejection.
-+ start_time = self.get_KerberosTime(offset=-60 * 60)
-+
-+ # Set the endtime of the ticket relative to our current time, so that
-+ # the ticket has 'lifetime' seconds remaining to live.
-+ end_time = self.get_KerberosTime(offset=lifetime)
-+
-+ # Modify the times in the ticket.
-+ def modify_ticket_times(enc_part):
-+ enc_part['authtime'] = start_time
-+ if 'starttime' in enc_part:
-+ enc_part['starttime'] = start_time
-+
-+ enc_part['endtime'] = end_time
-+
-+ return enc_part
-+
-+ # We have to set the times in both the ticket and the PAC, otherwise
-+ # Heimdal will complain.
-+ def modify_pac_time(pac):
-+ pac_buffers = pac.buffers
-+
-+ for pac_buffer in pac_buffers:
-+ if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
-+ logon_time = self.get_EpochFromKerberosTime(start_time)
-+ pac_buffer.info.logon_time = unix2nttime(logon_time)
-+ break
-+ else:
-+ self.fail('failed to find LOGON_NAME PAC buffer')
-+
-+ pac.buffers = pac_buffers
-+
-+ return pac
-+
-+ # Add a requester SID to show that the KDC will then accept this
-+ # kpasswd ticket as if it were a TGT.
-+ def modify_pac_fn(pac):
-+ pac = self.add_requester_sid(pac, sid=sid)
-+ pac = modify_pac_time(pac)
-+ return pac
-+
-+ # Do the actual modification.
-+ return self.modified_ticket(ticket,
-+ new_ticket_key=krbtgt_key,
-+ modify_fn=modify_ticket_times,
-+ modify_pac_fn=modify_pac_fn,
-+ checksum_keys=checksum_keys)
-+
-+ # Ensure we cannot perform a TGS-REQ with a kpasswd ticket containing a
-+ # requester SID and having a remaining lifetime of two minutes.
-+ def test_kpasswd_ticket_requester_sid_tgs(self):
-+ creds = self.get_client_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ # Change the sname of the ticket to match that of a TGT.
-+ realm = creds.get_realm()
-+ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=['krbtgt', realm])
-+ ticket.set_sname(krbtgt_sname)
-+
-+ # Get the user's SID.
-+ samdb = self.get_samdb()
-+
-+ user_dn = creds.get_dn()
-+ user_sid = self.get_objectSid(samdb, user_dn)
-+
-+ # Modify the ticket to add a requester SID and give it two minutes to
-+ # live.
-+ ticket = self.modify_requester_sid_time(ticket,
-+ sid=user_sid,
-+ lifetime=2 * 60)
-+
-+ # Try to use that ticket to get a service ticket.
-+ service_creds = self.get_service_creds()
-+
-+ # This fails due to the lifetime being too short.
-+ self._make_tgs_request(creds, service_creds, ticket,
-+ expect_error=KDC_ERR_TKT_EXPIRED)
-+
-+ # Show we can perform a TGS-REQ with a kpasswd ticket containing a
-+ # requester SID if the remaining lifetime exceeds two minutes.
-+ def test_kpasswd_ticket_requester_sid_lifetime_tgs(self):
-+ creds = self.get_client_creds()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=self.get_kpasswd_sname(),
-+ kdc_options='0')
-+
-+ # Change the sname of the ticket to match that of a TGT.
-+ realm = creds.get_realm()
-+ krbtgt_sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=['krbtgt', realm])
-+ ticket.set_sname(krbtgt_sname)
-+
-+ # Get the user's SID.
-+ samdb = self.get_samdb()
-+
-+ user_dn = creds.get_dn()
-+ user_sid = self.get_objectSid(samdb, user_dn)
-+
-+ # Modify the ticket to add a requester SID and give it two minutes and
-+ # ten seconds to live.
-+ ticket = self.modify_requester_sid_time(ticket,
-+ sid=user_sid,
-+ lifetime=2 * 60 + 10)
-+
-+ # Try to use that ticket to get a service ticket.
-+ service_creds = self.get_service_creds()
-+
-+ # This succeeds.
-+ self._make_tgs_request(creds, service_creds, ticket,
-+ expect_error=False)
-+
-+ # Test that kpasswd rejects requests with a service ticket.
-+ def test_kpasswd_non_initial(self):
-+ # Create an account for testing, and get a TGT.
-+ creds = self._get_creds()
-+ tgt = self.get_tgt(creds)
-+
-+ # Get a non-initial ticket to kpasswd.
-+ krbtgt_creds = self.get_krbtgt_creds()
-+ ticket = self.get_service_ticket(tgt,
-+ krbtgt_creds,
-+ service='kadmin',
-+ target_name='changepw',
-+ kdc_options='0')
-+
-+ expected_code = KPASSWD_INITIAL_FLAG_NEEDED
-+ expected_msg = b'Expected an initial ticket'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Show that kpasswd accepts requests with a service ticket modified to set
-+ # the 'initial' flag.
-+ def test_kpasswd_initial(self):
-+ # Create an account for testing, and get a TGT.
-+ creds = self._get_creds()
-+
-+ krbtgt_creds = self.get_krbtgt_creds()
-+
-+ # Get a service ticket, and modify it to set the 'initial' flag.
-+ def get_ticket():
-+ tgt = self.get_tgt(creds, fresh=True)
-+
-+ # Get a non-initial ticket to kpasswd.
-+ ticket = self.get_service_ticket(tgt,
-+ krbtgt_creds,
-+ service='kadmin',
-+ target_name='changepw',
-+ kdc_options='0',
-+ fresh=True)
-+
-+ set_initial_flag = partial(self.modify_ticket_flag, flag='initial',
-+ value=True)
-+
-+ checksum_keys = self.get_krbtgt_checksum_key()
-+ return self.modified_ticket(ticket,
-+ modify_fn=set_initial_flag,
-+ checksum_keys=checksum_keys)
-+
-+ expected_code = KPASSWD_SUCCESS
-+ expected_msg = b'Password changed'
-+
-+ ticket = get_ticket()
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ creds.update_password(new_password)
-+ ticket = get_ticket()
-+
-+ # Change the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test that kpasswd rejects requests where the ticket is encrypted with a
-+ # key other than the krbtgt's.
-+ def test_kpasswd_wrong_key(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ sname = self.get_kpasswd_sname()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ kdc_options='0')
-+
-+ # Get a key belonging to the Administrator account.
-+ admin_creds = self.get_admin_creds()
-+ admin_key = self.TicketDecryptionKey_from_creds(admin_creds)
-+ self.assertIsNotNone(admin_key.kvno,
-+ 'a kvno is required to tell the DB '
-+ 'which key to look up.')
-+ checksum_keys = {
-+ krb5pac.PAC_TYPE_KDC_CHECKSUM: admin_key,
-+ }
-+
-+ # Re-encrypt the ticket using the Administrator's key.
-+ ticket = self.modified_ticket(ticket,
-+ new_ticket_key=admin_key,
-+ checksum_keys=checksum_keys)
-+
-+ # Set the sname of the ticket to that of the Administrator account.
-+ admin_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=['Administrator'])
-+ ticket.set_sname(admin_sname)
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ def test_kpasswd_wrong_key_service(self):
-+ # Create an account for testing.
-+ creds = self.get_cached_creds(account_type=self.AccountType.COMPUTER,
-+ use_cache=False)
-+
-+ sname = self.get_kpasswd_sname()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ kdc_options='0')
-+
-+ # Get a key belonging to our account.
-+ our_key = self.TicketDecryptionKey_from_creds(creds)
-+ self.assertIsNotNone(our_key.kvno,
-+ 'a kvno is required to tell the DB '
-+ 'which key to look up.')
-+ checksum_keys = {
-+ krb5pac.PAC_TYPE_KDC_CHECKSUM: our_key,
-+ }
-+
-+ # Re-encrypt the ticket using our key.
-+ ticket = self.modified_ticket(ticket,
-+ new_ticket_key=our_key,
-+ checksum_keys=checksum_keys)
-+
-+ # Set the sname of the ticket to that of our account.
-+ username = creds.get_username()
-+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=username.split('/'))
-+ ticket.set_sname(sname)
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+ # Test that kpasswd rejects requests where the ticket is encrypted with a
-+ # key belonging to a server account other than the krbtgt.
-+ def test_kpasswd_wrong_key_server(self):
-+ # Create an account for testing.
-+ creds = self._get_creds()
-+
-+ sname = self.get_kpasswd_sname()
-+
-+ # Get an initial ticket to kpasswd.
-+ ticket = self.get_tgt(creds, sname=sname,
-+ kdc_options='0')
-+
-+ # Get a key belonging to the DC's account.
-+ dc_creds = self.get_dc_creds()
-+ dc_key = self.TicketDecryptionKey_from_creds(dc_creds)
-+ self.assertIsNotNone(dc_key.kvno,
-+ 'a kvno is required to tell the DB '
-+ 'which key to look up.')
-+ checksum_keys = {
-+ krb5pac.PAC_TYPE_KDC_CHECKSUM: dc_key,
-+ }
-+
-+ # Re-encrypt the ticket using the DC's key.
-+ ticket = self.modified_ticket(ticket,
-+ new_ticket_key=dc_key,
-+ checksum_keys=checksum_keys)
-+
-+ # Set the sname of the ticket to that of the DC's account.
-+ dc_username = dc_creds.get_username()
-+ dc_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-+ names=dc_username.split('/'))
-+ ticket.set_sname(dc_sname)
-+
-+ expected_code = KPASSWD_HARDERROR
-+ expected_msg = b'gensec_update failed - NT_STATUS_LOGON_FAILURE\n'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(ticket,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
-+
-+if __name__ == '__main__':
-+ global_asn1_print = False
-+ global_hexdump = False
-+ import unittest
-+ unittest.main()
-diff --git python/samba/tests/krb5/raw_testcase.py python/samba/tests/krb5/raw_testcase.py
-index 57010ae73bd..4a78a8eadf3 100644
---- python/samba/tests/krb5/raw_testcase.py
-+++ python/samba/tests/krb5/raw_testcase.py
-@@ -500,6 +500,10 @@ class KerberosCredentials(Credentials):
- def get_upn(self):
- return self.upn
-
-+ def update_password(self, password):
-+ self.set_password(password)
-+ self.set_kvno(self.get_kvno() + 1)
-+
-
- class KerberosTicketCreds:
- def __init__(self, ticket, session_key,
-@@ -518,6 +522,10 @@ class KerberosTicketCreds:
- self.ticket_private = ticket_private
- self.encpart_private = encpart_private
-
-+ def set_sname(self, sname):
-+ self.ticket['sname'] = sname
-+ self.sname = sname
-+
-
- class RawKerberosTest(TestCaseInTempDir):
- """A raw Kerberos Test case."""
-diff --git python/samba/tests/usage.py python/samba/tests/usage.py
-index 6bbd96e7a08..a1210ada579 100644
---- python/samba/tests/usage.py
-+++ python/samba/tests/usage.py
-@@ -109,6 +109,7 @@ EXCLUDE_USAGE = {
- 'python/samba/tests/krb5/alias_tests.py',
- 'python/samba/tests/krb5/test_min_domain_uid.py',
- 'python/samba/tests/krb5/test_idmap_nss.py',
-+ 'python/samba/tests/krb5/kpasswd_tests.py',
- }
-
- EXCLUDE_HELP = {
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 424a8b81c38..54e69a48bc1 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -271,3 +271,29 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
-+#
-+# Kpasswd tests
-+#
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 108c6055d0c..53638afc17a 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -575,3 +575,29 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_sid_mismatch_nonexisting
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
-+#
-+# Kpasswd tests
-+#
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
---
-2.25.1
-
-
-From 29ec8b2369b5f5e2a660a3165d2528982514a0f2 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 27 May 2022 19:21:06 +1200
-Subject: [PATCH 72/99] CVE-2022-2031 s4:kpasswd: Correctly generate error
- strings
-
-The error_data we create already has an explicit length, and should not
-be zero-terminated, so we omit the trailing null byte. Previously,
-Heimdal builds would leave a superfluous trailing null byte on error
-strings, while MIT builds would omit the final character.
-
-The two bytes added to the string's length are for the prepended error
-code.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
----
- selftest/knownfail_heimdal_kdc | 12 ------------
- selftest/knownfail_mit_kdc | 15 ---------------
- source4/kdc/kpasswd-helper.c | 13 ++++++-------
- 3 files changed, 6 insertions(+), 34 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 54e69a48bc1..40e24f3155b 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -276,24 +276,12 @@
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 53638afc17a..a914c4d3492 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -578,26 +578,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- # Kpasswd tests
- #
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/kdc/kpasswd-helper.c source4/kdc/kpasswd-helper.c
-index 995f54825b5..55a2f5b3bf6 100644
---- source4/kdc/kpasswd-helper.c
-+++ source4/kdc/kpasswd-helper.c
-@@ -48,17 +48,16 @@ bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
- }
-
- /*
-- * The string 's' has two terminating nul-bytes which are also
-- * reflected by 'slen'. Normally Kerberos doesn't expect that strings
-- * are nul-terminated, but Heimdal does!
-+ * The string 's' has one terminating nul-byte which is also
-+ * reflected by 'slen'. We subtract it from the length.
- */
--#ifndef SAMBA4_USES_HEIMDAL
-- if (slen < 2) {
-+ if (slen < 1) {
- talloc_free(s);
- return false;
- }
-- slen -= 2;
--#endif
-+ slen--;
-+
-+ /* Two bytes are added to the length to account for the error code. */
- if (2 + slen < slen) {
- talloc_free(s);
- return false;
---
-2.25.1
-
-
-From 3a8da51396f3bf9d4caf8dbd4e75a0314aa47046 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:48:59 +1200
-Subject: [PATCH 73/99] CVE-2022-2031 s4:kpasswd: Don't return AP-REP on
- failure
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
----
- selftest/knownfail_mit_kdc | 1 -
- source4/kdc/kpasswd-service.c | 2 ++
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index a914c4d3492..f64291e776d 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -579,7 +579,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
-diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c
-index 8f1679e4a28..a3c57a67dd1 100644
---- source4/kdc/kpasswd-service.c
-+++ source4/kdc/kpasswd-service.c
-@@ -253,6 +253,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
- &kpasswd_dec_reply,
- &error_string);
- if (code != 0) {
-+ ap_rep_blob = data_blob_null;
- error_code = code;
- goto reply;
- }
-@@ -262,6 +263,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
- &kpasswd_dec_reply,
- &enc_data_blob);
- if (!NT_STATUS_IS_OK(status)) {
-+ ap_rep_blob = data_blob_null;
- error_code = KRB5_KPASSWD_HARDERROR;
- error_string = talloc_asprintf(tmp_ctx,
- "gensec_wrap failed - %s\n",
---
-2.25.1
-
-
-From cf9e37604409ba0c3c5904af40beb2975c309ad4 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 27 May 2022 19:29:34 +1200
-Subject: [PATCH 74/99] CVE-2022-2031 lib:krb5_wrap: Generate valid error codes
- in smb_krb5_mk_error()
-
-The error code passed in will be an offset from ERROR_TABLE_BASE_krb5,
-so we need to subtract that before creating the error. Heimdal does this
-internally, so it isn't needed there.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- lib/krb5_wrap/krb5_samba.c | 2 +-
- selftest/knownfail_mit_kdc | 4 ++++
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git lib/krb5_wrap/krb5_samba.c lib/krb5_wrap/krb5_samba.c
-index 76c2dcd2126..610efcc9b87 100644
---- lib/krb5_wrap/krb5_samba.c
-+++ lib/krb5_wrap/krb5_samba.c
-@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context,
- return code;
- }
-
-- errpkt.error = error_code;
-+ errpkt.error = error_code - ERROR_TABLE_BASE_krb5;
-
- errpkt.text.length = 0;
- if (e_text != NULL) {
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index f64291e776d..633bf79e8e0 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -579,9 +579,13 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
---
-2.25.1
-
-
-From cf749fac346ef59c91a9ea87f5e7ddec2e5649c7 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:49:43 +1200
-Subject: [PATCH 75/99] CVE-2022-2031 s4:kpasswd: Return a kpasswd error code
- in KRB-ERROR
-
-If we attempt to return an error code outside of Heimdal's allowed range
-[KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC
-error, and the error text will be set to the meaningless result of
-krb5_get_error_message(). Avoid this by ensuring the error code is in
-the correct range.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- selftest/knownfail_heimdal_kdc | 2 --
- selftest/knownfail_mit_kdc | 4 ----
- source4/kdc/kpasswd-service.c | 2 +-
- 3 files changed, 1 insertion(+), 7 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 40e24f3155b..3b494baa658 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -276,9 +276,7 @@
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 633bf79e8e0..f64291e776d 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -579,13 +579,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c
-index a3c57a67dd1..b4706de1ad7 100644
---- source4/kdc/kpasswd-service.c
-+++ source4/kdc/kpasswd-service.c
-@@ -312,7 +312,7 @@ reply:
- }
-
- code = smb_krb5_mk_error(kdc->smb_krb5_context->krb5_context,
-- error_code,
-+ KRB5KDC_ERR_NONE + error_code,
- NULL, /* e_text */
- &k_dec_data,
- NULL, /* client */
---
-2.25.1
-
-
-From 198256e2184897300e1cea4343437c3b7b6f74ad Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:06:31 +1200
-Subject: [PATCH 76/99] CVE-2022-2031 gensec_krb5: Add helper function to check
- if client sent an initial ticket
-
-This will be used in the kpasswd service to ensure that the client has
-an initial ticket to kadmin/changepw, and not a service ticket.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/auth/gensec/gensec_krb5.c | 20 +-----
- source4/auth/gensec/gensec_krb5_helpers.c | 72 ++++++++++++++++++++++
- source4/auth/gensec/gensec_krb5_helpers.h | 32 ++++++++++
- source4/auth/gensec/gensec_krb5_internal.h | 47 ++++++++++++++
- source4/auth/gensec/wscript_build | 4 ++
- 5 files changed, 157 insertions(+), 18 deletions(-)
- create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c
- create mode 100644 source4/auth/gensec/gensec_krb5_helpers.h
- create mode 100644 source4/auth/gensec/gensec_krb5_internal.h
-
-diff --git source4/auth/gensec/gensec_krb5.c source4/auth/gensec/gensec_krb5.c
-index 7d87b3ac6b9..104e4639c44 100644
---- source4/auth/gensec/gensec_krb5.c
-+++ source4/auth/gensec/gensec_krb5.c
-@@ -44,27 +44,11 @@
- #include "../lib/util/asn1.h"
- #include "auth/kerberos/pac_utils.h"
- #include "gensec_krb5.h"
-+#include "gensec_krb5_internal.h"
-+#include "gensec_krb5_helpers.h"
-
- _PUBLIC_ NTSTATUS gensec_krb5_init(TALLOC_CTX *);
-
--enum GENSEC_KRB5_STATE {
-- GENSEC_KRB5_SERVER_START,
-- GENSEC_KRB5_CLIENT_START,
-- GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
-- GENSEC_KRB5_DONE
--};
--
--struct gensec_krb5_state {
-- enum GENSEC_KRB5_STATE state_position;
-- struct smb_krb5_context *smb_krb5_context;
-- krb5_auth_context auth_context;
-- krb5_data enc_ticket;
-- krb5_keyblock *keyblock;
-- krb5_ticket *ticket;
-- bool gssapi;
-- krb5_flags ap_req_options;
--};
--
- static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
- {
- if (!gensec_krb5_state->smb_krb5_context) {
-diff --git source4/auth/gensec/gensec_krb5_helpers.c source4/auth/gensec/gensec_krb5_helpers.c
-new file mode 100644
-index 00000000000..21f2f1e884e
---- /dev/null
-+++ source4/auth/gensec/gensec_krb5_helpers.c
-@@ -0,0 +1,72 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ Kerberos backend for GENSEC
-+
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
-+ Copyright (C) Andrew Tridgell 2001
-+ Copyright (C) Luke Howard 2002-2003
-+ Copyright (C) Stefan Metzmacher 2004-2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "auth/auth.h"
-+#include "auth/gensec/gensec.h"
-+#include "auth/gensec/gensec_internal.h"
-+#include "gensec_krb5_internal.h"
-+#include "gensec_krb5_helpers.h"
-+#include "system/kerberos.h"
-+#include "auth/kerberos/kerberos.h"
-+
-+static struct gensec_krb5_state *get_private_state(const struct gensec_security *gensec_security)
-+{
-+ struct gensec_krb5_state *gensec_krb5_state = NULL;
-+
-+ if (strcmp(gensec_security->ops->name, "krb5") != 0) {
-+ /* We require that the krb5 mechanism is being used. */
-+ return NULL;
-+ }
-+
-+ gensec_krb5_state = talloc_get_type(gensec_security->private_data,
-+ struct gensec_krb5_state);
-+ return gensec_krb5_state;
-+}
-+
-+/*
-+ * Returns 1 if our ticket has the initial flag set, 0 if not, and -1 in case of
-+ * error.
-+ */
-+int gensec_krb5_initial_ticket(const struct gensec_security *gensec_security)
-+{
-+ struct gensec_krb5_state *gensec_krb5_state = NULL;
-+
-+ gensec_krb5_state = get_private_state(gensec_security);
-+ if (gensec_krb5_state == NULL) {
-+ return -1;
-+ }
-+
-+ if (gensec_krb5_state->ticket == NULL) {
-+ /* We don't have a ticket */
-+ return -1;
-+ }
-+
-+#ifdef SAMBA4_USES_HEIMDAL
-+ return gensec_krb5_state->ticket->ticket.flags.initial;
-+#else /* MIT KERBEROS */
-+ return (gensec_krb5_state->ticket->enc_part2->flags & TKT_FLG_INITIAL) ? 1 : 0;
-+#endif /* SAMBA4_USES_HEIMDAL */
-+}
-diff --git source4/auth/gensec/gensec_krb5_helpers.h source4/auth/gensec/gensec_krb5_helpers.h
-new file mode 100644
-index 00000000000..d7b694dad0c
---- /dev/null
-+++ source4/auth/gensec/gensec_krb5_helpers.h
-@@ -0,0 +1,32 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ Kerberos backend for GENSEC
-+
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
-+ Copyright (C) Andrew Tridgell 2001
-+ Copyright (C) Luke Howard 2002-2003
-+ Copyright (C) Stefan Metzmacher 2004-2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+struct gensec_security;
-+
-+/*
-+ * Returns 1 if our ticket has the initial flag set, 0 if not, and -1 in case of
-+ * error.
-+ */
-+int gensec_krb5_initial_ticket(const struct gensec_security *gensec_security);
-diff --git source4/auth/gensec/gensec_krb5_internal.h source4/auth/gensec/gensec_krb5_internal.h
-new file mode 100644
-index 00000000000..0bb796f1b2a
---- /dev/null
-+++ source4/auth/gensec/gensec_krb5_internal.h
-@@ -0,0 +1,47 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+
-+ Kerberos backend for GENSEC
-+
-+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
-+ Copyright (C) Andrew Tridgell 2001
-+ Copyright (C) Luke Howard 2002-2003
-+ Copyright (C) Stefan Metzmacher 2004-2005
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program. If not, see <http://www.gnu.org/licenses/>.
-+*/
-+
-+#include "includes.h"
-+#include "auth/gensec/gensec.h"
-+#include "system/kerberos.h"
-+#include "auth/kerberos/kerberos.h"
-+
-+enum GENSEC_KRB5_STATE {
-+ GENSEC_KRB5_SERVER_START,
-+ GENSEC_KRB5_CLIENT_START,
-+ GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
-+ GENSEC_KRB5_DONE
-+};
-+
-+struct gensec_krb5_state {
-+ enum GENSEC_KRB5_STATE state_position;
-+ struct smb_krb5_context *smb_krb5_context;
-+ krb5_auth_context auth_context;
-+ krb5_data enc_ticket;
-+ krb5_keyblock *keyblock;
-+ krb5_ticket *ticket;
-+ bool gssapi;
-+ krb5_flags ap_req_options;
-+};
-diff --git source4/auth/gensec/wscript_build source4/auth/gensec/wscript_build
-index d14a50ff273..20271f1665b 100644
---- source4/auth/gensec/wscript_build
-+++ source4/auth/gensec/wscript_build
-@@ -18,6 +18,10 @@ bld.SAMBA_MODULE('gensec_krb5',
- enabled=bld.AD_DC_BUILD_IS_ENABLED()
- )
-
-+bld.SAMBA_SUBSYSTEM('gensec_krb5_helpers',
-+ source='gensec_krb5_helpers.c',
-+ deps='gensec_krb5',
-+ enabled=bld.AD_DC_BUILD_IS_ENABLED())
-
- bld.SAMBA_MODULE('gensec_gssapi',
- source='gensec_gssapi.c',
---
-2.25.1
-
-
-From 6c4fd575d706b2695090941ad7947b30abdb9071 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:52:41 +1200
-Subject: [PATCH 77/99] CVE-2022-2031 s4:kpasswd: Require an initial ticket
-
-Ensure that for password changes the client uses an AS-REQ to get the
-ticket to kpasswd, and not a TGS-REQ.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Removed MIT KDC 1.20-specific knownfails]
----
- selftest/knownfail_heimdal_kdc | 1 -
- selftest/knownfail_mit_kdc | 1 -
- source4/kdc/kpasswd-service-heimdal.c | 17 +++++++++++++++++
- source4/kdc/kpasswd-service-mit.c | 17 +++++++++++++++++
- source4/kdc/wscript_build | 1 +
- 5 files changed, 35 insertions(+), 2 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 3b494baa658..5cd8615f6a9 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -277,7 +277,6 @@
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index f64291e776d..46b0f1fa9ed 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -580,7 +580,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
-diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c
-index c804852c3a7..1a6c2b60d03 100644
---- source4/kdc/kpasswd-service-heimdal.c
-+++ source4/kdc/kpasswd-service-heimdal.c
-@@ -24,6 +24,7 @@
- #include "param/param.h"
- #include "auth/auth.h"
- #include "auth/gensec/gensec.h"
-+#include "gensec_krb5_helpers.h"
- #include "kdc/kdc-server.h"
- #include "kdc/kpasswd_glue.h"
- #include "kdc/kpasswd-service.h"
-@@ -31,6 +32,7 @@
-
- static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
-+ const struct gensec_security *gensec_security,
- struct auth_session_info *session_info,
- DATA_BLOB *password,
- DATA_BLOB *kpasswd_reply,
-@@ -42,6 +44,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
- const char *reject_string = NULL;
- struct samr_DomInfo1 *dominfo;
- bool ok;
-+ int ret;
-+
-+ /*
-+ * We're doing a password change (rather than a password set), so check
-+ * that we were given an initial ticket.
-+ */
-+ ret = gensec_krb5_initial_ticket(gensec_security);
-+ if (ret != 1) {
-+ *error_string = "Expected an initial ticket";
-+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
-+ }
-
- status = samdb_kpasswd_change_password(mem_ctx,
- kdc->task->lp_ctx,
-@@ -81,6 +94,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
-
- static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
-+ const struct gensec_security *gensec_security,
- struct auth_session_info *session_info,
- DATA_BLOB *decoded_data,
- DATA_BLOB *kpasswd_reply,
-@@ -173,6 +187,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- free_ChangePasswdDataMS(&chpw);
- return kpasswd_change_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- &password,
- kpasswd_reply,
-@@ -272,6 +287,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
-
- return kpasswd_change_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- &password,
- kpasswd_reply,
-@@ -280,6 +296,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- case KRB5_KPASSWD_VERS_SETPW: {
- return kpasswd_set_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- decoded_data,
- kpasswd_reply,
-diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c
-index 9c4d2801669..de4c6f3f622 100644
---- source4/kdc/kpasswd-service-mit.c
-+++ source4/kdc/kpasswd-service-mit.c
-@@ -24,6 +24,7 @@
- #include "param/param.h"
- #include "auth/auth.h"
- #include "auth/gensec/gensec.h"
-+#include "gensec_krb5_helpers.h"
- #include "kdc/kdc-server.h"
- #include "kdc/kpasswd_glue.h"
- #include "kdc/kpasswd-service.h"
-@@ -84,6 +85,7 @@ out:
-
- static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
-+ const struct gensec_security *gensec_security,
- struct auth_session_info *session_info,
- DATA_BLOB *password,
- DATA_BLOB *kpasswd_reply,
-@@ -95,6 +97,17 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
- const char *reject_string = NULL;
- struct samr_DomInfo1 *dominfo;
- bool ok;
-+ int ret;
-+
-+ /*
-+ * We're doing a password change (rather than a password set), so check
-+ * that we were given an initial ticket.
-+ */
-+ ret = gensec_krb5_initial_ticket(gensec_security);
-+ if (ret != 1) {
-+ *error_string = "Expected an initial ticket";
-+ return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
-+ }
-
- status = samdb_kpasswd_change_password(mem_ctx,
- kdc->task->lp_ctx,
-@@ -134,6 +147,7 @@ static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
-
- static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- TALLOC_CTX *mem_ctx,
-+ const struct gensec_security *gensec_security,
- struct auth_session_info *session_info,
- DATA_BLOB *decoded_data,
- DATA_BLOB *kpasswd_reply,
-@@ -250,6 +264,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
-
- return kpasswd_change_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- &password,
- kpasswd_reply,
-@@ -350,6 +365,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
-
- return kpasswd_change_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- &password,
- kpasswd_reply,
-@@ -358,6 +374,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- case RFC3244_VERSION: {
- return kpasswd_set_password(kdc,
- mem_ctx,
-+ gensec_security,
- session_info,
- decoded_data,
- kpasswd_reply,
-diff --git source4/kdc/wscript_build source4/kdc/wscript_build
-index 0edca94e75f..13ba3947cf6 100644
---- source4/kdc/wscript_build
-+++ source4/kdc/wscript_build
-@@ -88,6 +88,7 @@ bld.SAMBA_SUBSYSTEM('KPASSWD-SERVICE',
- krb5samba
- samba_server_gensec
- KPASSWD_GLUE
-+ gensec_krb5_helpers
- ''')
-
- bld.SAMBA_SUBSYSTEM('KDC-GLUE',
---
-2.25.1
-
-
-From 69e742e6208bd471eb509795bd753a0c98392bf6 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 17:11:49 +1200
-Subject: [PATCH 78/99] s4:kpasswd: Restructure code for clarity
-
-View with 'git show -b'.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/kpasswd-service-heimdal.c | 46 +++++++++++++--------------
- 1 file changed, 22 insertions(+), 24 deletions(-)
-
-diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c
-index 1a6c2b60d03..a0352d1ad35 100644
---- source4/kdc/kpasswd-service-heimdal.c
-+++ source4/kdc/kpasswd-service-heimdal.c
-@@ -160,30 +160,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- return 0;
- }
-
-- if (chpw.targname != NULL && chpw.targrealm != NULL) {
-- code = krb5_build_principal_ext(context,
-- &target_principal,
-- strlen(*chpw.targrealm),
-- *chpw.targrealm,
-- 0);
-- if (code != 0) {
-- free_ChangePasswdDataMS(&chpw);
-- return kpasswd_make_error_reply(mem_ctx,
-- KRB5_KPASSWD_MALFORMED,
-- "Failed to parse principal",
-- kpasswd_reply);
-- }
-- code = copy_PrincipalName(chpw.targname,
-- &target_principal->name);
-- if (code != 0) {
-- free_ChangePasswdDataMS(&chpw);
-- krb5_free_principal(context, target_principal);
-- return kpasswd_make_error_reply(mem_ctx,
-- KRB5_KPASSWD_MALFORMED,
-- "Failed to parse principal",
-- kpasswd_reply);
-- }
-- } else {
-+ if (chpw.targname == NULL || chpw.targrealm == NULL) {
- free_ChangePasswdDataMS(&chpw);
- return kpasswd_change_password(kdc,
- mem_ctx,
-@@ -193,7 +170,28 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
- kpasswd_reply,
- error_string);
- }
-+ code = krb5_build_principal_ext(context,
-+ &target_principal,
-+ strlen(*chpw.targrealm),
-+ *chpw.targrealm,
-+ 0);
-+ if (code != 0) {
-+ free_ChangePasswdDataMS(&chpw);
-+ return kpasswd_make_error_reply(mem_ctx,
-+ KRB5_KPASSWD_MALFORMED,
-+ "Failed to parse principal",
-+ kpasswd_reply);
-+ }
-+ code = copy_PrincipalName(chpw.targname,
-+ &target_principal->name);
- free_ChangePasswdDataMS(&chpw);
-+ if (code != 0) {
-+ krb5_free_principal(context, target_principal);
-+ return kpasswd_make_error_reply(mem_ctx,
-+ KRB5_KPASSWD_MALFORMED,
-+ "Failed to parse principal",
-+ kpasswd_reply);
-+ }
-
- if (target_principal->name.name_string.len >= 2) {
- is_service_principal = true;
---
-2.25.1
-
-
-From b5adf7cc6d740c8f4f7b5888f106de24a1181da7 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 24 May 2022 10:17:00 +0200
-Subject: [PATCH 79/99] CVE-2022-2031 testprogs: Fix auth with smbclient and
- krb5 ccache
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-
-[jsutton@samba.org Fixed conflict and renamed --use-krb5-ccache to
- --krb5-ccache]
----
- testprogs/blackbox/test_kpasswd_heimdal.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git testprogs/blackbox/test_kpasswd_heimdal.sh testprogs/blackbox/test_kpasswd_heimdal.sh
-index 7351ce022d1..1e895daa162 100755
---- testprogs/blackbox/test_kpasswd_heimdal.sh
-+++ testprogs/blackbox/test_kpasswd_heimdal.sh
-@@ -72,7 +72,7 @@ testit "kinit with user password" \
- do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
-
- test_smbclient "Test login with user kerberos ccache" \
-- "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
-+ "ls" "$SMB_UNC" --krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1`
-
- testit "change user password with 'samba-tool user password' (unforced)" \
- $VALGRIND $PYTHON $samba_tool user password -W$DOMAIN -U$TEST_USERNAME%$TEST_PASSWORD -k no --newpassword=$TEST_PASSWORD_NEW || failed=`expr $failed + 1`
-@@ -85,7 +85,7 @@ testit "kinit with user password" \
- do_kinit $TEST_PRINCIPAL $TEST_PASSWORD || failed=`expr $failed + 1`
-
- test_smbclient "Test login with user kerberos ccache" \
-- "ls" "$SMB_UNC" -k yes || failed=`expr $failed + 1`
-+ "ls" "$SMB_UNC" --krb5-ccache=${KRB5CCNAME} || failed=`expr $failed + 1`
-
- ###########################################################
- ### check that a short password is rejected
---
-2.25.1
-
-
-From 91a1b0955a053f73e6d531f0f12eaa604aca79d7 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 19 May 2022 16:35:28 +0200
-Subject: [PATCH 80/99] CVE-2022-2031 testprogs: Add kadmin/changepw
- canonicalization test with MIT kpasswd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
----
- selftest/knownfail.d/kadmin_changepw | 1 +
- testprogs/blackbox/test_kpasswd_heimdal.sh | 35 +++++++++++++++++++++-
- 2 files changed, 35 insertions(+), 1 deletion(-)
- create mode 100644 selftest/knownfail.d/kadmin_changepw
-
-diff --git selftest/knownfail.d/kadmin_changepw selftest/knownfail.d/kadmin_changepw
-new file mode 100644
-index 00000000000..97c14793ea5
---- /dev/null
-+++ selftest/knownfail.d/kadmin_changepw
-@@ -0,0 +1 @@
-+^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
-diff --git testprogs/blackbox/test_kpasswd_heimdal.sh testprogs/blackbox/test_kpasswd_heimdal.sh
-index 1e895daa162..059b7a8e4d1 100755
---- testprogs/blackbox/test_kpasswd_heimdal.sh
-+++ testprogs/blackbox/test_kpasswd_heimdal.sh
-@@ -7,7 +7,7 @@
-
- if [ $# -lt 6 ]; then
- cat <<EOF
--Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
-+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
- EOF
- exit 1;
- fi
-@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient"
- samba_kinit=$samba_bindir/samba4kinit
- samba_kpasswd=$samba_bindir/samba4kpasswd
-
-+mit_kpasswd="$(command -v kpasswd)"
-+
- samba_tool="$samba_bindir/samba-tool"
- net_tool="$samba_bindir/net"
- texpect="$samba_bindir/texpect"
-@@ -142,6 +144,37 @@ testit "kpasswd change user password" \
- TEST_PASSWORD=$TEST_PASSWORD_NEW
- TEST_PASSWORD_NEW="testPaSS@03%"
-
-+###########################################################
-+### CVE-2022-XXXXX
-+###########################################################
-+
-+if [ -n "${mit_kpasswd}" ]; then
-+ cat > "${PREFIX}/tmpkpasswdscript" <<EOF
-+expect Password for ${TEST_PRINCIPAL}
-+password ${TEST_PASSWORD}\n
-+expect Enter new password
-+send ${TEST_PASSWORD_NEW}\n
-+expect Enter it again
-+send ${TEST_PASSWORD_NEW}\n
-+expect Password changed.
-+EOF
-+
-+ SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
-+ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
-+ export KRB5_CONFIG
-+ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
-+ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
-+ testit "MIT kpasswd change user password" \
-+ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
-+ "${TEST_PRINCIPAL}" ||
-+ failed=$((failed + 1))
-+ KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
-+ export KRB5_CONFIG
-+fi
-+
-+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
-+TEST_PASSWORD_NEW="testPaSS@03force%"
-+
- ###########################################################
- ### Force password change at login
- ###########################################################
---
-2.25.1
-
-
-From 36d94ffb9c99f3e515024424020e3e03e98f34f5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 24 May 2022 09:54:18 +0200
-Subject: [PATCH 81/99] CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw()
- helper function
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-
-[jsutton@samba.org Adapted entry to entry_ex->entry]
----
- source4/kdc/db-glue.c | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index 5752ffb821c..45159e6e64d 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -816,6 +816,14 @@ static int principal_comp_strcmp(krb5_context context,
- component, string, false);
- }
-
-+static bool is_kadmin_changepw(krb5_context context,
-+ krb5_const_principal principal)
-+{
-+ return krb5_princ_size(context, principal) == 2 &&
-+ (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) &&
-+ (principal_comp_strcmp(context, principal, 1, "changepw") == 0);
-+}
-+
- /*
- * Construct an hdb_entry from a directory entry.
- */
-@@ -1110,11 +1118,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- * 'change password', as otherwise we could get into
- * trouble, and not enforce the password expirty.
- * Instead, only do it when request is for the kpasswd service */
-- if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
-- && krb5_princ_size(context, principal) == 2
-- && (principal_comp_strcmp(context, principal, 0, "kadmin") == 0)
-- && (principal_comp_strcmp(context, principal, 1, "changepw") == 0)
-- && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
-+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&
-+ is_kadmin_changepw(context, principal) &&
-+ lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
- entry_ex->entry.flags.change_pw = 1;
- }
-
---
-2.25.1
-
-
-From f68877af829bf73da8e965c9458a9846d1757038 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:56:01 +1200
-Subject: [PATCH 82/99] CVE-2022-2031 s4:kdc: Split out a
- samba_kdc_get_entry_principal() function
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Adapted entry to entry_ex->entry]
-
-[jsutton@samba.org Fixed conflicts caused by superfluous whitespace]
----
- source4/kdc/db-glue.c | 192 +++++++++++++++++++++++-------------------
- 1 file changed, 107 insertions(+), 85 deletions(-)
-
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index 45159e6e64d..ac0c206b5c1 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -824,6 +824,101 @@ static bool is_kadmin_changepw(krb5_context context,
- (principal_comp_strcmp(context, principal, 1, "changepw") == 0);
- }
-
-+static krb5_error_code samba_kdc_get_entry_principal(
-+ krb5_context context,
-+ struct samba_kdc_db_context *kdc_db_ctx,
-+ const char *samAccountName,
-+ enum samba_kdc_ent_type ent_type,
-+ unsigned flags,
-+ krb5_const_principal in_princ,
-+ krb5_principal *out_princ)
-+{
-+ struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
-+ krb5_error_code ret = 0;
-+
-+ /*
-+ * If we are set to canonicalize, we get back the fixed UPPER
-+ * case realm, and the real username (ie matching LDAP
-+ * samAccountName)
-+ *
-+ * Otherwise, if we are set to enterprise, we
-+ * get back the whole principal as-sent
-+ *
-+ * Finally, if we are not set to canonicalize, we get back the
-+ * fixed UPPER case realm, but the as-sent username
-+ */
-+
-+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
-+ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
-+ /*
-+ * When requested to do so, ensure that the
-+ * both realm values in the principal are set
-+ * to the upper case, canonical realm
-+ */
-+ ret = smb_krb5_make_principal(context, out_princ,
-+ lpcfg_realm(lp_ctx), "krbtgt",
-+ lpcfg_realm(lp_ctx), NULL);
-+ if (ret) {
-+ return ret;
-+ }
-+ smb_krb5_principal_set_type(context, *out_princ, KRB5_NT_SRV_INST);
-+ } else {
-+ ret = krb5_copy_principal(context, in_princ, out_princ);
-+ if (ret) {
-+ return ret;
-+ }
-+ /*
-+ * this appears to be required regardless of
-+ * the canonicalize flag from the client
-+ */
-+ ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));
-+ if (ret) {
-+ return ret;
-+ }
-+ }
-+
-+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL) {
-+ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL);
-+ if (ret) {
-+ return ret;
-+ }
-+ } else if ((flags & SDB_F_FORCE_CANON) ||
-+ ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
-+ /*
-+ * SDB_F_CANON maps from the canonicalize flag in the
-+ * packet, and has a different meaning between AS-REQ
-+ * and TGS-REQ. We only change the principal in the AS-REQ case
-+ *
-+ * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
-+ * the canonical name in all lookups, and takes care to
-+ * canonicalize only when appropriate.
-+ */
-+ ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL);
-+ if (ret) {
-+ return ret;
-+ }
-+ } else {
-+ ret = krb5_copy_principal(context, in_princ, out_princ);
-+ if (ret) {
-+ return ret;
-+ }
-+
-+ /* While we have copied the client principal, tests
-+ * show that Win2k3 returns the 'corrected' realm, not
-+ * the client-specified realm. This code attempts to
-+ * replace the client principal's realm with the one
-+ * we determine from our records */
-+
-+ /* this has to be with malloc() */
-+ ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));
-+ if (ret) {
-+ return ret;
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- /*
- * Construct an hdb_entry from a directory entry.
- */
-@@ -913,93 +1008,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- userAccountControl |= msDS_User_Account_Control_Computed;
- }
-
-- /*
-- * If we are set to canonicalize, we get back the fixed UPPER
-- * case realm, and the real username (ie matching LDAP
-- * samAccountName)
-- *
-- * Otherwise, if we are set to enterprise, we
-- * get back the whole principal as-sent
-- *
-- * Finally, if we are not set to canonicalize, we get back the
-- * fixed UPPER case realm, but the as-sent username
-- */
--
- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- p->is_krbtgt = true;
--
-- if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
-- /*
-- * When requested to do so, ensure that the
-- * both realm values in the principal are set
-- * to the upper case, canonical realm
-- */
-- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal,
-- lpcfg_realm(lp_ctx), "krbtgt",
-- lpcfg_realm(lp_ctx), NULL);
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-- smb_krb5_principal_set_type(context, entry_ex->entry.principal, KRB5_NT_SRV_INST);
-- } else {
-- ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-- /*
-- * this appears to be required regardless of
-- * the canonicalize flag from the client
-- */
-- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-- }
--
-- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
-- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-- } else if ((flags & SDB_F_FORCE_CANON) ||
-- ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
-- /*
-- * SDB_F_CANON maps from the canonicalize flag in the
-- * packet, and has a different meaning between AS-REQ
-- * and TGS-REQ. We only change the principal in the AS-REQ case
-- *
-- * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
-- * the canonical name in all lookups, and takes care to
-- * canonicalize only when appropriate.
-- */
-- ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
-- } else {
-- ret = krb5_copy_principal(context, principal, &entry_ex->entry.principal);
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
--
-- /* While we have copied the client principal, tests
-- * show that Win2k3 returns the 'corrected' realm, not
-- * the client-specified realm. This code attempts to
-- * replace the client principal's realm with the one
-- * we determine from our records */
--
-- /* this has to be with malloc() */
-- ret = smb_krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
-- if (ret) {
-- krb5_clear_error_message(context);
-- goto out;
-- }
- }
-
- /* First try and figure out the flags based on the userAccountControl */
-@@ -1185,6 +1195,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- }
- }
-
-+ ret = samba_kdc_get_entry_principal(context,
-+ kdc_db_ctx,
-+ samAccountName,
-+ ent_type,
-+ flags,
-+ principal,
-+ &entry_ex->entry.principal);
-+ if (ret != 0) {
-+ krb5_clear_error_message(context);
-+ goto out;
-+ }
-+
- entry_ex->entry.valid_start = NULL;
-
- entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
---
-2.25.1
-
-
-From fa4742e1b9dea0b9c379f00666478bd41c021634 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 25 May 2022 17:19:58 +1200
-Subject: [PATCH 83/99] CVE-2022-2031 s4:kdc: Refactor
- samba_kdc_get_entry_principal()
-
-This eliminates some duplicate branches.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/db-glue.c | 116 ++++++++++++++++++++----------------------
- 1 file changed, 55 insertions(+), 61 deletions(-)
-
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index ac0c206b5c1..385c118a073 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -834,7 +834,8 @@ static krb5_error_code samba_kdc_get_entry_principal(
- krb5_principal *out_princ)
- {
- struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
-- krb5_error_code ret = 0;
-+ krb5_error_code code = 0;
-+ bool canon = flags & (SDB_F_CANON|SDB_F_FORCE_CANON);
-
- /*
- * If we are set to canonicalize, we get back the fixed UPPER
-@@ -848,75 +849,68 @@ static krb5_error_code samba_kdc_get_entry_principal(
- * fixed UPPER case realm, but the as-sent username
- */
-
-- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
-- if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
-- /*
-- * When requested to do so, ensure that the
-- * both realm values in the principal are set
-- * to the upper case, canonical realm
-- */
-- ret = smb_krb5_make_principal(context, out_princ,
-- lpcfg_realm(lp_ctx), "krbtgt",
-- lpcfg_realm(lp_ctx), NULL);
-- if (ret) {
-- return ret;
-- }
-- smb_krb5_principal_set_type(context, *out_princ, KRB5_NT_SRV_INST);
-- } else {
-- ret = krb5_copy_principal(context, in_princ, out_princ);
-- if (ret) {
-- return ret;
-- }
-- /*
-- * this appears to be required regardless of
-- * the canonicalize flag from the client
-- */
-- ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));
-- if (ret) {
-- return ret;
-- }
-- }
-+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
-+ /*
-+ * When requested to do so, ensure that the
-+ * both realm values in the principal are set
-+ * to the upper case, canonical realm
-+ */
-+ code = smb_krb5_make_principal(context,
-+ out_princ,
-+ lpcfg_realm(lp_ctx),
-+ "krbtgt",
-+ lpcfg_realm(lp_ctx),
-+ NULL);
-+ if (code != 0) {
-+ return code;
-+ }
-+ smb_krb5_principal_set_type(context,
-+ *out_princ,
-+ KRB5_NT_SRV_INST);
-
-- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL) {
-- ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL);
-- if (ret) {
-- return ret;
-- }
-- } else if ((flags & SDB_F_FORCE_CANON) ||
-- ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ))) {
-+ return 0;
-+ }
-+
-+ if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
-+ (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
- /*
- * SDB_F_CANON maps from the canonicalize flag in the
- * packet, and has a different meaning between AS-REQ
-- * and TGS-REQ. We only change the principal in the AS-REQ case
-+ * and TGS-REQ. We only change the principal in the
-+ * AS-REQ case.
- *
-- * The SDB_F_FORCE_CANON if for new MIT KDC code that wants
-- * the canonical name in all lookups, and takes care to
-- * canonicalize only when appropriate.
-+ * The SDB_F_FORCE_CANON if for new MIT KDC code that
-+ * wants the canonical name in all lookups, and takes
-+ * care to canonicalize only when appropriate.
- */
-- ret = smb_krb5_make_principal(context, out_princ, lpcfg_realm(lp_ctx), samAccountName, NULL);
-- if (ret) {
-- return ret;
-- }
-- } else {
-- ret = krb5_copy_principal(context, in_princ, out_princ);
-- if (ret) {
-- return ret;
-- }
--
-- /* While we have copied the client principal, tests
-- * show that Win2k3 returns the 'corrected' realm, not
-- * the client-specified realm. This code attempts to
-- * replace the client principal's realm with the one
-- * we determine from our records */
-+ code = smb_krb5_make_principal(context,
-+ out_princ,
-+ lpcfg_realm(lp_ctx),
-+ samAccountName,
-+ NULL);
-+ return code;
-+ }
-
-- /* this has to be with malloc() */
-- ret = smb_krb5_principal_set_realm(context, *out_princ, lpcfg_realm(lp_ctx));
-- if (ret) {
-- return ret;
-- }
-+ /*
-+ * For a krbtgt entry, this appears to be required regardless of the
-+ * canonicalize flag from the client.
-+ */
-+ code = krb5_copy_principal(context, in_princ, out_princ);
-+ if (code != 0) {
-+ return code;
- }
-
-- return 0;
-+ /*
-+ * While we have copied the client principal, tests show that Win2k3
-+ * returns the 'corrected' realm, not the client-specified realm. This
-+ * code attempts to replace the client principal's realm with the one
-+ * we determine from our records
-+ */
-+ code = smb_krb5_principal_set_realm(context,
-+ *out_princ,
-+ lpcfg_realm(lp_ctx));
-+
-+ return code;
- }
-
- /*
---
-2.25.1
-
-
-From 3cab62893668742781551dae6505558e47cf08b5 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 18 May 2022 16:56:01 +1200
-Subject: [PATCH 84/99] CVE-2022-2031 s4:kdc: Fix canonicalisation of
- kadmin/changepw principal
-
-Since this principal goes through the samba_kdc_fetch_server() path,
-setting the canonicalisation flag would cause the principal to be
-replaced with the sAMAccountName; this meant requests to
-kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
-properly handle canonicalisation for the kadmin/changepw principal.
-
-View with 'git show -b'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Pair-Programmed-With: Andreas Schneider <asn@samba.org>
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Adapted entry to entry_ex->entry; removed MIT KDC
- 1.20-specific knownfails]
----
- selftest/knownfail.d/kadmin_changepw | 1 -
- selftest/knownfail_heimdal_kdc | 2 -
- source4/kdc/db-glue.c | 84 +++++++++++++++-------------
- 3 files changed, 46 insertions(+), 41 deletions(-)
- delete mode 100644 selftest/knownfail.d/kadmin_changepw
-
-diff --git selftest/knownfail.d/kadmin_changepw selftest/knownfail.d/kadmin_changepw
-deleted file mode 100644
-index 97c14793ea5..00000000000
---- selftest/knownfail.d/kadmin_changepw
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 5cd8615f6a9..49ab29f115d 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -274,8 +274,6 @@
- #
- # Kpasswd tests
- #
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index 385c118a073..d2d7136608e 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -830,6 +830,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
- const char *samAccountName,
- enum samba_kdc_ent_type ent_type,
- unsigned flags,
-+ bool is_kadmin_changepw,
- krb5_const_principal in_princ,
- krb5_principal *out_princ)
- {
-@@ -849,46 +850,52 @@ static krb5_error_code samba_kdc_get_entry_principal(
- * fixed UPPER case realm, but the as-sent username
- */
-
-- if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
-- /*
-- * When requested to do so, ensure that the
-- * both realm values in the principal are set
-- * to the upper case, canonical realm
-- */
-- code = smb_krb5_make_principal(context,
-- out_princ,
-- lpcfg_realm(lp_ctx),
-- "krbtgt",
-- lpcfg_realm(lp_ctx),
-- NULL);
-- if (code != 0) {
-- return code;
-- }
-- smb_krb5_principal_set_type(context,
-- *out_princ,
-- KRB5_NT_SRV_INST);
-+ /*
-+ * We need to ensure that the kadmin/changepw principal isn't able to
-+ * issue krbtgt tickets, even if canonicalization is turned on.
-+ */
-+ if (!is_kadmin_changepw) {
-+ if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
-+ /*
-+ * When requested to do so, ensure that the
-+ * both realm values in the principal are set
-+ * to the upper case, canonical realm
-+ */
-+ code = smb_krb5_make_principal(context,
-+ out_princ,
-+ lpcfg_realm(lp_ctx),
-+ "krbtgt",
-+ lpcfg_realm(lp_ctx),
-+ NULL);
-+ if (code != 0) {
-+ return code;
-+ }
-+ smb_krb5_principal_set_type(context,
-+ *out_princ,
-+ KRB5_NT_SRV_INST);
-
-- return 0;
-- }
-+ return 0;
-+ }
-
-- if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
-- (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
-- /*
-- * SDB_F_CANON maps from the canonicalize flag in the
-- * packet, and has a different meaning between AS-REQ
-- * and TGS-REQ. We only change the principal in the
-- * AS-REQ case.
-- *
-- * The SDB_F_FORCE_CANON if for new MIT KDC code that
-- * wants the canonical name in all lookups, and takes
-- * care to canonicalize only when appropriate.
-- */
-- code = smb_krb5_make_principal(context,
-- out_princ,
-- lpcfg_realm(lp_ctx),
-- samAccountName,
-- NULL);
-- return code;
-+ if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
-+ (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
-+ /*
-+ * SDB_F_CANON maps from the canonicalize flag in the
-+ * packet, and has a different meaning between AS-REQ
-+ * and TGS-REQ. We only change the principal in the
-+ * AS-REQ case.
-+ *
-+ * The SDB_F_FORCE_CANON if for new MIT KDC code that
-+ * wants the canonical name in all lookups, and takes
-+ * care to canonicalize only when appropriate.
-+ */
-+ code = smb_krb5_make_principal(context,
-+ out_princ,
-+ lpcfg_realm(lp_ctx),
-+ samAccountName,
-+ NULL);
-+ return code;
-+ }
- }
-
- /*
-@@ -1194,6 +1201,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- samAccountName,
- ent_type,
- flags,
-+ entry_ex->entry.flags.change_pw,
- principal,
- &entry_ex->entry.principal);
- if (ret != 0) {
---
-2.25.1
-
-
-From 531e7b596d35785bee61f3b4289e38ece1530f94 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 24 May 2022 17:53:49 +1200
-Subject: [PATCH 85/99] CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to
- two minutes or less
-
-This matches the behaviour of Windows.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Adapted entry to entry_ex->entry; included
- samba_kdc.h header file]
-
-[jsutton@samba.org Fixed conflicts]
----
- selftest/knownfail_heimdal_kdc | 1 -
- selftest/knownfail_mit_kdc | 1 -
- source4/kdc/db-glue.c | 5 +++++
- source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
- source4/kdc/samba_kdc.h | 2 ++
- 5 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 49ab29f115d..387ccea3ba7 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -275,7 +275,6 @@
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 46b0f1fa9ed..c2a31b4a140 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -580,7 +580,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index d2d7136608e..073ec83c8cf 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -1226,6 +1226,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- kdc_db_ctx->policy.usr_tkt_lifetime);
- }
-
-+ if (entry_ex->entry.flags.change_pw) {
-+ /* Limit lifetime of kpasswd tickets to two minutes or less. */
-+ *entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME);
-+ }
-+
- entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
- if (entry_ex->entry.max_renew == NULL) {
- ret = ENOMEM;
-diff --git source4/kdc/mit-kdb/kdb_samba_principals.c source4/kdc/mit-kdb/kdb_samba_principals.c
-index cc67c2392be..2059ffa855e 100644
---- source4/kdc/mit-kdb/kdb_samba_principals.c
-+++ source4/kdc/mit-kdb/kdb_samba_principals.c
-@@ -27,11 +27,11 @@
- #include <profile.h>
- #include <kdb.h>
-
-+#include "kdc/samba_kdc.h"
- #include "kdc/mit_samba.h"
- #include "kdb_samba.h"
-
- #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
--#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
-
- krb5_error_code ks_get_principal(krb5_context context,
- krb5_const_principal principal,
-diff --git source4/kdc/samba_kdc.h source4/kdc/samba_kdc.h
-index e228a82ce6a..8010d7c35ed 100644
---- source4/kdc/samba_kdc.h
-+++ source4/kdc/samba_kdc.h
-@@ -62,4 +62,6 @@ struct samba_kdc_entry {
-
- extern struct hdb_method hdb_samba4_interface;
-
-+#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */
-+
- #endif /* _SAMBA_KDC_H_ */
---
-2.25.1
-
-
-From abdac4241dd08dd90a08db877edd799f3833c2b4 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 30 May 2022 19:18:17 +1200
-Subject: [PATCH 86/99] CVE-2022-2031 s4:kdc: Reject tickets during the last
- two minutes of their life
-
-For Heimdal, this now matches the behaviour of Windows. The object of
-this requirement is to ensure we don't allow kpasswd tickets, not having
-a lifetime of more than two minutes, to be passed off as TGTs.
-
-An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer
-suffices to prevent kpasswd ticket misuse, so this is just an additional
-precaution on top.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org As we don't have access to the ticket or the request
- in the plugin, rewrote check directly in Heimdal KDC]
----
- selftest/knownfail_heimdal_kdc | 1 -
- source4/heimdal/kdc/krb5tgs.c | 19 ++++++++++++++++++-
- 2 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 387ccea3ba7..afb9bcf1209 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -275,7 +275,6 @@
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/heimdal/kdc/krb5tgs.c source4/heimdal/kdc/krb5tgs.c
-index 38dba8493ae..15be136496f 100644
---- source4/heimdal/kdc/krb5tgs.c
-+++ source4/heimdal/kdc/krb5tgs.c
-@@ -33,6 +33,9 @@
-
- #include "kdc_locl.h"
-
-+/* Awful hack to get access to 'struct samba_kdc_entry'. */
-+#include "../../kdc/samba_kdc.h"
-+
- /*
- * return the realm of a krbtgt-ticket or NULL
- */
-@@ -130,6 +133,7 @@ check_PAC(krb5_context context,
- static krb5_error_code
- check_tgs_flags(krb5_context context,
- krb5_kdc_configuration *config,
-+ const hdb_entry_ex *krbtgt_in,
- KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
- {
- KDCOptions f = b->kdc_options;
-@@ -244,6 +248,17 @@ check_tgs_flags(krb5_context context,
- et->endtime = min(*et->renew_till, et->endtime);
- }
-
-+ if (tgt->endtime - kdc_time <= CHANGEPW_LIFETIME) {
-+ /* Check that the ticket has not arrived across a trust. */
-+ const struct samba_kdc_entry *skdc_entry = krbtgt_in->ctx;
-+ if (!skdc_entry->is_trust) {
-+ /* This may be a kpasswd ticket rather than a TGT, so don't accept it. */
-+ kdc_log(context, config, 0,
-+ "Ticket is not a ticket-granting ticket");
-+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
-+ }
-+ }
-+
- #if 0
- /* checks for excess flags */
- if(f.request_anonymous && !config->allow_anonymous){
-@@ -510,6 +525,7 @@ tgs_make_reply(krb5_context context,
- hdb_entry_ex *client,
- krb5_principal client_principal,
- const char *tgt_realm,
-+ const hdb_entry_ex *krbtgt_in,
- hdb_entry_ex *krbtgt,
- krb5_pac mspac,
- uint16_t rodc_id,
-@@ -538,7 +554,7 @@ tgs_make_reply(krb5_context context,
- ALLOC(et.starttime);
- *et.starttime = kdc_time;
-
-- ret = check_tgs_flags(context, config, b, tgt, &et);
-+ ret = check_tgs_flags(context, config, krbtgt_in, b, tgt, &et);
- if(ret)
- goto out;
-
-@@ -2129,6 +2145,7 @@ server_lookup:
- client,
- cp,
- tgt_realm,
-+ krbtgt,
- krbtgt_out,
- mspac,
- rodc_id,
---
-2.25.1
-
-
-From 389851bcf399f9511e2cb797350c37ce91aa5849 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Tue, 14 Jun 2022 15:23:55 +1200
-Subject: [PATCH 87/99] CVE-2022-2031 tests/krb5: Test truncated forms of
- server principals
-
-We should not be able to use krb@REALM instead of krbtgt@REALM.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflicts due to having older version of
- _run_as_req_enc_timestamp()]
----
- python/samba/tests/krb5/as_req_tests.py | 40 ++++++++++++++++++++++---
- selftest/knownfail_heimdal_kdc | 4 +++
- selftest/knownfail_mit_kdc | 4 +++
- 3 files changed, 44 insertions(+), 4 deletions(-)
-
-diff --git python/samba/tests/krb5/as_req_tests.py python/samba/tests/krb5/as_req_tests.py
-index 315720f85d6..054a49b64aa 100755
---- python/samba/tests/krb5/as_req_tests.py
-+++ python/samba/tests/krb5/as_req_tests.py
-@@ -27,6 +27,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest
- import samba.tests.krb5.kcrypto as kcrypto
- import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
- from samba.tests.krb5.rfc4120_constants import (
-+ KDC_ERR_S_PRINCIPAL_UNKNOWN,
- KDC_ERR_ETYPE_NOSUPP,
- KDC_ERR_PREAUTH_REQUIRED,
- KU_PA_ENC_TIMESTAMP,
-@@ -40,7 +41,8 @@ global_hexdump = False
-
-
- class AsReqBaseTest(KDCBaseTest):
-- def _run_as_req_enc_timestamp(self, client_creds):
-+ def _run_as_req_enc_timestamp(self, client_creds, sname=None,
-+ expected_error=None):
- client_account = client_creds.get_username()
- client_as_etypes = self.get_default_enctypes()
- client_kvno = client_creds.get_kvno()
-@@ -50,8 +52,9 @@ class AsReqBaseTest(KDCBaseTest):
-
- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[client_account])
-- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-- names=[krbtgt_account, realm])
-+ if sname is None:
-+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
-+ names=[krbtgt_account, realm])
-
- expected_crealm = realm
- expected_cname = cname
-@@ -63,7 +66,10 @@ class AsReqBaseTest(KDCBaseTest):
-
- initial_etypes = client_as_etypes
- initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
-- initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
-+ if expected_error is not None:
-+ initial_error_mode = expected_error
-+ else:
-+ initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
-
- rep, kdc_exchange_dict = self._test_as_exchange(cname,
- realm,
-@@ -80,6 +86,10 @@ class AsReqBaseTest(KDCBaseTest):
- None,
- initial_kdc_options,
- pac_request=True)
-+
-+ if expected_error is not None:
-+ return None
-+
- etype_info2 = kdc_exchange_dict['preauth_etype_info2']
- self.assertIsNotNone(etype_info2)
-
-@@ -209,6 +219,28 @@ class AsReqKerberosTests(AsReqBaseTest):
- client_creds = self.get_mach_creds()
- self._run_as_req_enc_timestamp(client_creds)
-
-+ # Ensure we can't use truncated well-known principals such as krb@REALM
-+ # instead of krbtgt@REALM.
-+ def test_krbtgt_wrong_principal(self):
-+ client_creds = self.get_client_creds()
-+
-+ krbtgt_creds = self.get_krbtgt_creds()
-+
-+ krbtgt_account = krbtgt_creds.get_username()
-+ realm = krbtgt_creds.get_realm()
-+
-+ # Truncate the name of the krbtgt principal.
-+ krbtgt_account = krbtgt_account[:3]
-+
-+ wrong_krbtgt_princ = self.PrincipalName_create(
-+ name_type=NT_SRV_INST,
-+ names=[krbtgt_account, realm])
-+
-+ self._run_as_req_enc_timestamp(
-+ client_creds,
-+ sname=wrong_krbtgt_princ,
-+ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
-+
-
- if __name__ == "__main__":
- global_asn1_print = False
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index afb9bcf1209..dbfff5784e6 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -278,3 +278,7 @@
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-+#
-+# AS-REQ tests
-+#
-+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index c2a31b4a140..0f90ea10299 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -583,3 +583,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-+#
-+# AS-REQ tests
-+#
-+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(
---
-2.25.1
-
-
-From d40593be83144713cfc43e4eb1c7bc2d925a0da0 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 25 May 2022 20:00:55 +1200
-Subject: [PATCH 88/99] CVE-2022-2031 s4:kdc: Don't use strncmp to compare
- principal components
-
-We would only compare the first 'n' characters, where 'n' is the length
-of the principal component string, so 'k@REALM' would erroneously be
-considered equal to 'krbtgt@REALM'.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- selftest/knownfail_heimdal_kdc | 4 ----
- selftest/knownfail_mit_kdc | 4 ----
- source4/kdc/db-glue.c | 27 ++++++++++++++++++++++-----
- 3 files changed, 22 insertions(+), 13 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index dbfff5784e6..afb9bcf1209 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -278,7 +278,3 @@
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
--#
--# AS-REQ tests
--#
--^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 0f90ea10299..c2a31b4a140 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -583,7 +583,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
--#
--# AS-REQ tests
--#
--^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_krbtgt_wrong_principal\(
-diff --git source4/kdc/db-glue.c source4/kdc/db-glue.c
-index 073ec83c8cf..cfa2097acbd 100644
---- source4/kdc/db-glue.c
-+++ source4/kdc/db-glue.c
-@@ -769,15 +769,19 @@ static int principal_comp_strcmp_int(krb5_context context,
- bool do_strcasecmp)
- {
- const char *p;
-- size_t len;
-
- #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
- p = krb5_principal_get_comp_string(context, principal, component);
- if (p == NULL) {
- return -1;
- }
-- len = strlen(p);
-+ if (do_strcasecmp) {
-+ return strcasecmp(p, string);
-+ } else {
-+ return strcmp(p, string);
-+ }
- #else
-+ size_t len;
- krb5_data *d;
- if (component >= krb5_princ_size(context, principal)) {
- return -1;
-@@ -789,13 +793,26 @@ static int principal_comp_strcmp_int(krb5_context context,
- }
-
- p = d->data;
-- len = d->length;
--#endif
-+
-+ len = strlen(string);
-+
-+ /*
-+ * We explicitly return -1 or 1. Subtracting of the two lengths might
-+ * give the wrong result if the result overflows or loses data when
-+ * narrowed to int.
-+ */
-+ if (d->length < len) {
-+ return -1;
-+ } else if (d->length > len) {
-+ return 1;
-+ }
-+
- if (do_strcasecmp) {
- return strncasecmp(p, string, len);
- } else {
-- return strncmp(p, string, len);
-+ return memcmp(p, string, len);
- }
-+#endif
- }
-
- static int principal_comp_strcasecmp(krb5_context context,
---
-2.25.1
-
-
-From 42ba919c06c24c42ef123304de0c2ca8c689591a Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 26 May 2022 16:36:30 +1200
-Subject: [PATCH 89/99] CVE-2022-32744 s4:kdc: Rename keytab_name ->
- kpasswd_keytab_name
-
-This makes explicitly clear the purpose of this keytab.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed conflicts due to lacking HDBGET support]
----
- source4/kdc/kdc-heimdal.c | 4 ++--
- source4/kdc/kdc-server.h | 2 +-
- source4/kdc/kdc-service-mit.c | 4 ++--
- source4/kdc/kpasswd-service.c | 2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git source4/kdc/kdc-heimdal.c source4/kdc/kdc-heimdal.c
-index ba74df4f2ec..a4c845b62f8 100644
---- source4/kdc/kdc-heimdal.c
-+++ source4/kdc/kdc-heimdal.c
-@@ -444,8 +444,8 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
- return;
- }
-
-- kdc->keytab_name = talloc_asprintf(kdc, "HDB:samba4&%p", kdc->base_ctx);
-- if (kdc->keytab_name == NULL) {
-+ kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "HDB:samba4&%p", kdc->base_ctx);
-+ if (kdc->kpasswd_keytab_name == NULL) {
- task_server_terminate(task,
- "kdc: Failed to set keytab name",
- true);
-diff --git source4/kdc/kdc-server.h source4/kdc/kdc-server.h
-index fd883c2e4b4..89b30f122f5 100644
---- source4/kdc/kdc-server.h
-+++ source4/kdc/kdc-server.h
-@@ -40,7 +40,7 @@ struct kdc_server {
- struct ldb_context *samdb;
- bool am_rodc;
- uint32_t proxy_timeout;
-- const char *keytab_name;
-+ const char *kpasswd_keytab_name;
- void *private_data;
- };
-
-diff --git source4/kdc/kdc-service-mit.c source4/kdc/kdc-service-mit.c
-index 5d4180aa7cc..22663b6ecc8 100644
---- source4/kdc/kdc-service-mit.c
-+++ source4/kdc/kdc-service-mit.c
-@@ -291,8 +291,8 @@ NTSTATUS mitkdc_task_init(struct task_server *task)
- return NT_STATUS_INTERNAL_ERROR;
- }
-
-- kdc->keytab_name = talloc_asprintf(kdc, "KDB:");
-- if (kdc->keytab_name == NULL) {
-+ kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "KDB:");
-+ if (kdc->kpasswd_keytab_name == NULL) {
- task_server_terminate(task,
- "KDC: Out of memory",
- true);
-diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c
-index b4706de1ad7..0d2acd8d9e8 100644
---- source4/kdc/kpasswd-service.c
-+++ source4/kdc/kpasswd-service.c
-@@ -167,7 +167,7 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
-
- rv = cli_credentials_set_keytab_name(server_credentials,
- kdc->task->lp_ctx,
-- kdc->keytab_name,
-+ kdc->kpasswd_keytab_name,
- CRED_SPECIFIED);
- if (rv != 0) {
- DBG_ERR("Failed to set credentials keytab name\n");
---
-2.25.1
-
-
-From 997f50c66471071efb8e02d8efbe4bf5d932e7ee Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Wed, 8 Jun 2022 13:53:29 +1200
-Subject: [PATCH 90/99] s4:kdc: Remove kadmin mode from HDB plugin
-
-It appears we no longer require it.
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/hdb-samba4-plugin.c | 35 +++++++--------------------------
- 1 file changed, 7 insertions(+), 28 deletions(-)
-
-diff --git source4/kdc/hdb-samba4-plugin.c source4/kdc/hdb-samba4-plugin.c
-index 6f76124995d..4b90a766f76 100644
---- source4/kdc/hdb-samba4-plugin.c
-+++ source4/kdc/hdb-samba4-plugin.c
-@@ -21,40 +21,20 @@
-
- #include "includes.h"
- #include "kdc/kdc-glue.h"
--#include "kdc/db-glue.h"
--#include "lib/util/samba_util.h"
- #include "lib/param/param.h"
--#include "source4/lib/events/events.h"
-
- static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, const char *arg)
- {
- NTSTATUS nt_status;
-- void *ptr;
-- struct samba_kdc_base_context *base_ctx;
--
-- if (sscanf(arg, "&%p", &ptr) == 1) {
-- base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
-- } else if (arg[0] == '\0' || file_exist(arg)) {
-- /* This mode for use in kadmin, rather than in Samba */
--
-- setup_logging("hdb_samba4", DEBUG_DEFAULT_STDERR);
--
-- base_ctx = talloc_zero(NULL, struct samba_kdc_base_context);
-- if (!base_ctx) {
-- return ENOMEM;
-- }
--
-- base_ctx->ev_ctx = s4_event_context_init(base_ctx);
-- base_ctx->lp_ctx = loadparm_init_global(false);
-- if (arg[0]) {
-- lpcfg_load(base_ctx->lp_ctx, arg);
-- } else {
-- lpcfg_load_default(base_ctx->lp_ctx);
-- }
-- } else {
-+ void *ptr = NULL;
-+ struct samba_kdc_base_context *base_ctx = NULL;
-+
-+ if (sscanf(arg, "&%p", &ptr) != 1) {
- return EINVAL;
- }
-
-+ base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
-+
- /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
- nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
-
-@@ -90,8 +70,7 @@ static void hdb_samba4_fini(void *ctx)
-
- /* Only used in the hdb-backed keytab code
- * for a keytab of 'samba4&<address>' or samba4, to find
-- * kpasswd's key in the main DB, and to
-- * copy all the keys into a file (libnet_keytab_export)
-+ * kpasswd's key in the main DB
- *
- * The <address> is the string form of a pointer to a talloced struct hdb_samba_context
- */
---
-2.25.1
-
-
-From c0c4b7a4bd229bd36d586faec6249baaba8e7adc Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 26 May 2022 16:39:20 +1200
-Subject: [PATCH 91/99] CVE-2022-32744 s4:kdc: Modify HDB plugin to only look
- up kpasswd principal
-
-This plugin is now only used by the kpasswd service. Thus, ensuring we
-only look up the kadmin/changepw principal means we can't be fooled into
-accepting tickets for other service principals. We make sure not to
-specify a specific kvno, to ensure that we do not accept RODC-issued
-tickets.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed knownfail conflicts]
-
-[jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts;
- retained knownfail for test_kpasswd_from_rodc which now causes the KDC
- to panic]
----
- selftest/knownfail_heimdal_kdc | 3 --
- source4/kdc/hdb-samba4-plugin.c | 2 +-
- source4/kdc/hdb-samba4.c | 66 +++++++++++++++++++++++++++++++++
- source4/kdc/kdc-glue.h | 3 ++
- 4 files changed, 70 insertions(+), 4 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index afb9bcf1209..0d93253f999 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -275,6 +275,3 @@
- # Kpasswd tests
- #
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/kdc/hdb-samba4-plugin.c source4/kdc/hdb-samba4-plugin.c
-index 4b90a766f76..dba25e825de 100644
---- source4/kdc/hdb-samba4-plugin.c
-+++ source4/kdc/hdb-samba4-plugin.c
-@@ -36,7 +36,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db,
- base_ctx = talloc_get_type_abort(ptr, struct samba_kdc_base_context);
-
- /* The global kdc_mem_ctx and kdc_lp_ctx, Disgusting, ugly hack, but it means one less private hook */
-- nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
-+ nt_status = hdb_samba4_kpasswd_create_kdc(base_ctx, context, db);
-
- if (NT_STATUS_IS_OK(nt_status)) {
- return 0;
-diff --git source4/kdc/hdb-samba4.c source4/kdc/hdb-samba4.c
-index 43e836f8360..a8aae50b5b0 100644
---- source4/kdc/hdb-samba4.c
-+++ source4/kdc/hdb-samba4.c
-@@ -136,6 +136,47 @@ static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
- return code;
- }
-
-+static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
-+ krb5_const_principal _principal,
-+ unsigned flags,
-+ krb5_kvno _kvno,
-+ hdb_entry_ex *entry_ex)
-+{
-+ struct samba_kdc_db_context *kdc_db_ctx = NULL;
-+ krb5_error_code ret;
-+ krb5_principal kpasswd_principal = NULL;
-+
-+ kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
-+ struct samba_kdc_db_context);
-+
-+ ret = smb_krb5_make_principal(context, &kpasswd_principal,
-+ lpcfg_realm(kdc_db_ctx->lp_ctx),
-+ "kadmin", "changepw",
-+ NULL);
-+ if (ret) {
-+ return ret;
-+ }
-+ smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
-+
-+ /*
-+ * For the kpasswd service, always ensure we get the latest kvno. This
-+ * also means we (correctly) refuse RODC-issued tickets.
-+ */
-+ flags &= ~HDB_F_KVNO_SPECIFIED;
-+
-+ /* Don't bother looking up a client or krbtgt. */
-+ flags &= ~(SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT);
-+
-+ ret = hdb_samba4_fetch_kvno(context, db,
-+ kpasswd_principal,
-+ flags,
-+ 0,
-+ entry_ex);
-+
-+ krb5_free_principal(context, kpasswd_principal);
-+ return ret;
-+}
-+
- static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
- hdb_entry_ex *entry)
- {
-@@ -194,6 +235,14 @@ static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigne
- return ret;
- }
-
-+static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
-+ unsigned flags,
-+ hdb_entry_ex *entry)
-+{
-+ DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
-+ smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
-+}
-+
- static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
- {
- talloc_free(db);
-@@ -522,3 +571,20 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
-
- return NT_STATUS_OK;
- }
-+
-+NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
-+ krb5_context context, struct HDB **db)
-+{
-+ NTSTATUS nt_status;
-+
-+ nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ return nt_status;
-+ }
-+
-+ (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
-+ (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
-+ (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
-+
-+ return NT_STATUS_OK;
-+}
-diff --git source4/kdc/kdc-glue.h source4/kdc/kdc-glue.h
-index c083b8c6429..ff8684e1666 100644
---- source4/kdc/kdc-glue.h
-+++ source4/kdc/kdc-glue.h
-@@ -45,6 +45,9 @@ kdc_code kpasswdd_process(struct kdc_server *kdc,
- NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
- krb5_context context, struct HDB **db);
-
-+NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
-+ krb5_context context, struct HDB **db);
-+
- /* from kdc-glue.c */
- int kdc_check_pac(krb5_context krb5_context,
- DATA_BLOB server_sig,
---
-2.25.1
-
-
-From 340181bc1100fa31c63af88214a3d8328b944fe9 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Mon, 30 May 2022 19:16:02 +1200
-Subject: [PATCH 92/99] CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd
- server principal into krb5_rd_req_ctx()
-
-To ensure that, when decrypting the kpasswd ticket, we look up the
-correct principal and don't trust the sname from the ticket, we should
-pass the principal name of the kpasswd service into krb5_rd_req_ctx().
-However, gensec_krb5_update_internal() will pass in NULL unless the
-principal in our credentials is CRED_SPECIFIED.
-
-At present, our principal will be considered obtained as CRED_SMB_CONF
-(from the cli_credentials_set_conf() a few lines up), so we explicitly
-set the realm again, but this time as CRED_SPECIFIED. Now the value of
-server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
-be NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Removed knownfail as KDC no longer panics]
----
- selftest/knownfail_heimdal_kdc | 4 ----
- selftest/knownfail_mit_kdc | 2 --
- source4/kdc/kpasswd-service.c | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 30 insertions(+), 6 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 0d93253f999..424a8b81c38 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -271,7 +271,3 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--#
--# Kpasswd tests
--#
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index c2a31b4a140..0d2f5bab6d2 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -581,5 +581,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_server.ad_dc
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key_service.ad_dc
-diff --git source4/kdc/kpasswd-service.c source4/kdc/kpasswd-service.c
-index 0d2acd8d9e8..b6400be0c49 100644
---- source4/kdc/kpasswd-service.c
-+++ source4/kdc/kpasswd-service.c
-@@ -29,6 +29,7 @@
- #include "kdc/kdc-server.h"
- #include "kdc/kpasswd-service.h"
- #include "kdc/kpasswd-helper.h"
-+#include "param/param.h"
-
- #define HEADER_LEN 6
- #ifndef RFC3244_VERSION
-@@ -158,6 +159,20 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
-
- cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
-
-+ /*
-+ * After calling cli_credentials_set_conf(), explicitly set the realm
-+ * with CRED_SPECIFIED. We need to do this so the result of
-+ * principal_from_credentials() called from the gensec layer is
-+ * CRED_SPECIFIED rather than CRED_SMB_CONF, avoiding a fallback to
-+ * match-by-key (very undesirable in this case).
-+ */
-+ ok = cli_credentials_set_realm(server_credentials,
-+ lpcfg_realm(kdc->task->lp_ctx),
-+ CRED_SPECIFIED);
-+ if (!ok) {
-+ goto done;
-+ }
-+
- ok = cli_credentials_set_username(server_credentials,
- "kadmin/changepw",
- CRED_SPECIFIED);
-@@ -165,6 +180,21 @@ kdc_code kpasswd_process(struct kdc_server *kdc,
- goto done;
- }
-
-+ /* Check that the server principal is indeed CRED_SPECIFIED. */
-+ {
-+ char *principal = NULL;
-+ enum credentials_obtained obtained;
-+
-+ principal = cli_credentials_get_principal_and_obtained(server_credentials,
-+ tmp_ctx,
-+ &obtained);
-+ if (obtained < CRED_SPECIFIED) {
-+ goto done;
-+ }
-+
-+ TALLOC_FREE(principal);
-+ }
-+
- rv = cli_credentials_set_keytab_name(server_credentials,
- kdc->task->lp_ctx,
- kdc->kpasswd_keytab_name,
---
-2.25.1
-
-
-From 95afbc2da9b541fb8f2eebdcd411f5873d1675ac Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 10 Jun 2022 19:17:11 +1200
-Subject: [PATCH 93/99] CVE-2022-2031 tests/krb5: Add test that we cannot
- provide a TGT to kpasswd
-
-The kpasswd service should require a kpasswd service ticket, and
-disallow TGTs.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed knownfail conflicts]
-
-[jsutton@samba.org Fixed knownfail conflicts]
----
- python/samba/tests/krb5/kpasswd_tests.py | 28 ++++++++++++++++++++++++
- selftest/knownfail_heimdal_kdc | 4 ++++
- selftest/knownfail_mit_kdc | 4 ++++
- 3 files changed, 36 insertions(+)
-
-diff --git python/samba/tests/krb5/kpasswd_tests.py python/samba/tests/krb5/kpasswd_tests.py
-index 3a6c7d818dc..0db857f7bbd 100755
---- python/samba/tests/krb5/kpasswd_tests.py
-+++ python/samba/tests/krb5/kpasswd_tests.py
-@@ -31,6 +31,7 @@ from samba.tests.krb5.rfc4120_constants import (
- KDC_ERR_TGT_REVOKED,
- KDC_ERR_TKT_EXPIRED,
- KPASSWD_ACCESSDENIED,
-+ KPASSWD_AUTHERROR,
- KPASSWD_HARDERROR,
- KPASSWD_INITIAL_FLAG_NEEDED,
- KPASSWD_MALFORMED,
-@@ -779,6 +780,33 @@ class KpasswdTests(KDCBaseTest):
- self._make_tgs_request(creds, service_creds, ticket,
- expect_error=False)
-
-+ # Show that we cannot provide a TGT to kpasswd to change the password.
-+ def test_kpasswd_tgt(self):
-+ # Create an account for testing, and get a TGT.
-+ creds = self._get_creds()
-+ tgt = self.get_tgt(creds)
-+
-+ # Change the sname of the ticket to match that of kadmin/changepw.
-+ tgt.set_sname(self.get_kpasswd_sname())
-+
-+ expected_code = KPASSWD_AUTHERROR
-+ expected_msg = b'A TGT may not be used as a ticket to kpasswd'
-+
-+ # Set the password.
-+ new_password = generate_random_password(32, 32)
-+ self.kpasswd_exchange(tgt,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.SET)
-+
-+ # Change the password.
-+ self.kpasswd_exchange(tgt,
-+ new_password,
-+ expected_code,
-+ expected_msg,
-+ mode=self.KpasswdMode.CHANGE)
-+
- # Test that kpasswd rejects requests with a service ticket.
- def test_kpasswd_non_initial(self):
- # Create an account for testing, and get a TGT.
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 424a8b81c38..42beccaed58 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -271,3 +271,7 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
-+#
-+# Kpasswd tests
-+#
-+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 0d2f5bab6d2..9fc34e5d8db 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -581,3 +581,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
-+#
-+# Kpasswd tests
-+#
-+samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
---
-2.25.1
-
-
-From 4b61092459b403b2945daa9082052366f3508b69 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 10 Jun 2022 19:18:07 +1200
-Subject: [PATCH 94/99] CVE-2022-2031 auth: Add ticket type field to
- auth_user_info_dc and auth_session_info
-
-This field may be used to convey whether we were provided with a TGT or
-a non-TGT. We ensure both structures are zeroed out to avoid incorrect
-results being produced by an uninitialised field.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- auth/auth_sam_reply.c | 2 +-
- auth/auth_util.c | 2 +-
- librpc/idl/auth.idl | 23 +++++++++++++++++++++++
- source4/auth/ntlm/auth_developer.c | 2 +-
- source4/auth/sam.c | 2 +-
- source4/auth/session.c | 2 ++
- source4/auth/system_session.c | 6 +++---
- 7 files changed, 32 insertions(+), 7 deletions(-)
-
-diff --git auth/auth_sam_reply.c auth/auth_sam_reply.c
-index b5b6362dc93..2e27e5715d1 100644
---- auth/auth_sam_reply.c
-+++ auth/auth_sam_reply.c
-@@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
- return NT_STATUS_INVALID_LEVEL;
- }
-
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- /*
-diff --git auth/auth_util.c auth/auth_util.c
-index fe01babd107..ec9094d0f15 100644
---- auth/auth_util.c
-+++ auth/auth_util.c
-@@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
- return NULL;
- }
-
-- dst = talloc(mem_ctx, struct auth_session_info);
-+ dst = talloc_zero(mem_ctx, struct auth_session_info);
- if (dst == NULL) {
- DBG_ERR("talloc failed\n");
- TALLOC_FREE(frame);
-diff --git librpc/idl/auth.idl librpc/idl/auth.idl
-index 1092935b971..f7658cdde28 100644
---- librpc/idl/auth.idl
-+++ librpc/idl/auth.idl
-@@ -75,6 +75,26 @@ interface auth
- [unique,charset(UTF8),string] char *sanitized_username;
- } auth_user_info_unix;
-
-+ /*
-+ * If the user was authenticated with a Kerberos ticket, this indicates
-+ * the type of the ticket; TGT, or non-TGT (i.e. service ticket). If
-+ * unset, the type is unknown. This indicator is useful for the KDC and
-+ * the kpasswd service, which share the same account and keys. By
-+ * ensuring it is provided with the appopriate ticket type, each service
-+ * avoids accepting a ticket meant for the other.
-+ *
-+ * The heuristic used to determine the type is the presence or absence
-+ * of a REQUESTER_SID buffer in the PAC; we use its presence to assume
-+ * we have a TGT. This heuristic will fail for older Samba versions and
-+ * Windows prior to Nov. 2021 updates, which lack support for this
-+ * buffer.
-+ */
-+ typedef enum {
-+ TICKET_TYPE_UNKNOWN = 0,
-+ TICKET_TYPE_TGT = 1,
-+ TICKET_TYPE_NON_TGT = 2
-+ } ticket_type;
-+
- /* This is the interim product of the auth subsystem, before
- * privileges and local groups are handled */
- typedef [public] struct {
-@@ -83,6 +103,7 @@ interface auth
- auth_user_info *info;
- [noprint] DATA_BLOB user_session_key;
- [noprint] DATA_BLOB lm_session_key;
-+ ticket_type ticket_type;
- } auth_user_info_dc;
-
- typedef [public] struct {
-@@ -112,6 +133,8 @@ interface auth
- * We generate this in auth_generate_session_info()
- */
- GUID unique_session_token;
-+
-+ ticket_type ticket_type;
- } auth_session_info;
-
- typedef [public] struct {
-diff --git source4/auth/ntlm/auth_developer.c source4/auth/ntlm/auth_developer.c
-index 1823989c68d..6e92252d5c5 100644
---- source4/auth/ntlm/auth_developer.c
-+++ source4/auth/ntlm/auth_developer.c
-@@ -76,7 +76,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
- }
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- /* This returns a pointer to a struct dom_sid, which is the
-diff --git source4/auth/sam.c source4/auth/sam.c
-index 8b233bab3ad..7c609655fcb 100644
---- source4/auth/sam.c
-+++ source4/auth/sam.c
-@@ -363,7 +363,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
- TALLOC_CTX *tmp_ctx;
- struct ldb_message_element *el;
-
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- tmp_ctx = talloc_new(user_info_dc);
-diff --git source4/auth/session.c source4/auth/session.c
-index 8e44dcd24f1..d6e936dd1f1 100644
---- source4/auth/session.c
-+++ source4/auth/session.c
-@@ -222,6 +222,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
-
- session_info->credentials = NULL;
-
-+ session_info->ticket_type = user_info_dc->ticket_type;
-+
- talloc_steal(mem_ctx, session_info);
- *_session_info = session_info;
- talloc_free(tmp_ctx);
-diff --git source4/auth/system_session.c source4/auth/system_session.c
-index 85b8f1c4edb..2518d654e8b 100644
---- source4/auth/system_session.c
-+++ source4/auth/system_session.c
-@@ -115,7 +115,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
- struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
-
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- /* This returns a pointer to a struct dom_sid, which is the
-@@ -191,7 +191,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
-
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- user_info_dc->num_sids = 7;
-@@ -356,7 +356,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
- {
- struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
-- user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
-+ user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
-
- /* This returns a pointer to a struct dom_sid, which is the
---
-2.25.1
-
-
-From 89c6e36938c27b572573b06d1b35db210bfda99b Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 10 Jun 2022 19:18:35 +1200
-Subject: [PATCH 95/99] CVE-2022-2031 s4:auth: Use PAC to determine whether
- ticket is a TGT
-
-We use the presence or absence of a REQUESTER_SID PAC buffer to
-determine whether the ticket is a TGT. We will later use this to reject
-TGTs where a service ticket is expected.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/auth/kerberos/kerberos_pac.c | 44 ++++++++++++++++++++++++++++
- 1 file changed, 44 insertions(+)
-
-diff --git source4/auth/kerberos/kerberos_pac.c source4/auth/kerberos/kerberos_pac.c
-index 54ef4d61b02..bd0ae20e007 100644
---- source4/auth/kerberos/kerberos_pac.c
-+++ source4/auth/kerberos/kerberos_pac.c
-@@ -282,6 +282,28 @@
- return ret;
- }
-
-+static krb5_error_code kerberos_pac_buffer_present(krb5_context context,
-+ const krb5_pac pac,
-+ uint32_t type)
-+{
-+#ifdef SAMBA4_USES_HEIMDAL
-+ return krb5_pac_get_buffer(context, pac, type, NULL);
-+#else /* MIT */
-+ krb5_error_code ret;
-+ krb5_data data;
-+
-+ /*
-+ * MIT won't let us pass NULL for the data parameter, so we are forced
-+ * to allocate a new buffer and then immediately free it.
-+ */
-+ ret = krb5_pac_get_buffer(context, pac, type, &data);
-+ if (ret == 0) {
-+ krb5_free_data_contents(context, &data);
-+ }
-+ return ret;
-+#endif /* SAMBA4_USES_HEIMDAL */
-+}
-+
- krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
- krb5_pac pac,
- krb5_context context,
-@@ -414,6 +436,28 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
- return EINVAL;
- }
- }
-+
-+ /*
-+ * Based on the presence of a REQUESTER_SID PAC buffer, ascertain
-+ * whether the ticket is a TGT. This helps the KDC and kpasswd service
-+ * ensure they do not accept tickets meant for the other.
-+ *
-+ * This heuristic will fail for older Samba versions and Windows prior
-+ * to Nov. 2021 updates, which lack support for the REQUESTER_SID PAC
-+ * buffer.
-+ */
-+ ret = kerberos_pac_buffer_present(context, pac, PAC_TYPE_REQUESTER_SID);
-+ if (ret == ENOENT) {
-+ /* This probably isn't a TGT. */
-+ user_info_dc_out->ticket_type = TICKET_TYPE_NON_TGT;
-+ } else if (ret != 0) {
-+ talloc_free(tmp_ctx);
-+ return ret;
-+ } else {
-+ /* This probably is a TGT. */
-+ user_info_dc_out->ticket_type = TICKET_TYPE_TGT;
-+ }
-+
- *user_info_dc = user_info_dc_out;
-
- return 0;
---
-2.25.1
-
-
-From d5af460403d3949ba266f5c74f051247cd7ce752 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Fri, 10 Jun 2022 19:18:53 +1200
-Subject: [PATCH 96/99] CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd
- tickets
-
-If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
-authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
-are not supposed to be cached, but using this flaw, a stolen credentials
-cache containing a TGT may be used to change that account's password,
-and thus is made more valuable to an attacker.
-
-Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
-service tickets without it, we assert the absence of this buffer to
-ensure we're not accepting a TGT.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-[jsutton@samba.org Fixed knownfail conflicts]
-
-[jsutton@samba.org Fixed knownfail conflicts]
----
- selftest/knownfail_heimdal_kdc | 4 ----
- selftest/knownfail_mit_kdc | 4 ----
- source4/kdc/kpasswd-helper.c | 20 ++++++++++++++++++++
- source4/kdc/kpasswd-helper.h | 2 ++
- source4/kdc/kpasswd-service-heimdal.c | 13 +++++++++++++
- source4/kdc/kpasswd-service-mit.c | 13 +++++++++++++
- 6 files changed, 48 insertions(+), 8 deletions(-)
-
-diff --git selftest/knownfail_heimdal_kdc selftest/knownfail_heimdal_kdc
-index 42beccaed58..424a8b81c38 100644
---- selftest/knownfail_heimdal_kdc
-+++ selftest/knownfail_heimdal_kdc
-@@ -271,7 +271,3 @@
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
- ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
--#
--# Kpasswd tests
--#
--^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
-diff --git selftest/knownfail_mit_kdc selftest/knownfail_mit_kdc
-index 9fc34e5d8db..0d2f5bab6d2 100644
---- selftest/knownfail_mit_kdc
-+++ selftest/knownfail_mit_kdc
-@@ -581,7 +581,3 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
- ^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
--#
--# Kpasswd tests
--#
--samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
-diff --git source4/kdc/kpasswd-helper.c source4/kdc/kpasswd-helper.c
-index 55a2f5b3bf6..2ffdb79aea5 100644
---- source4/kdc/kpasswd-helper.c
-+++ source4/kdc/kpasswd-helper.c
-@@ -241,3 +241,23 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
-
- return status;
- }
-+
-+krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info,
-+ const char **error_string)
-+{
-+ switch(session_info->ticket_type) {
-+ case TICKET_TYPE_TGT:
-+ /* TGTs are disallowed here. */
-+ *error_string = "A TGT may not be used as a ticket to kpasswd";
-+ return KRB5_KPASSWD_AUTHERROR;
-+ case TICKET_TYPE_NON_TGT:
-+ /* Non-TGTs are permitted, and expected. */
-+ break;
-+ default:
-+ /* In case we forgot to set the type. */
-+ *error_string = "Failed to ascertain that ticket to kpasswd is not a TGT";
-+ return KRB5_KPASSWD_HARDERROR;
-+ }
-+
-+ return 0;
-+}
-diff --git source4/kdc/kpasswd-helper.h source4/kdc/kpasswd-helper.h
-index 8fad81e0a5d..94a6e2acfdd 100644
---- source4/kdc/kpasswd-helper.h
-+++ source4/kdc/kpasswd-helper.h
-@@ -43,4 +43,6 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
- enum samPwdChangeReason *reject_reason,
- struct samr_DomInfo1 **dominfo);
-
-+krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info,
-+ const char **error_string);
- #endif /* _KPASSWD_HELPER_H */
-diff --git source4/kdc/kpasswd-service-heimdal.c source4/kdc/kpasswd-service-heimdal.c
-index a0352d1ad35..4d009b9eb24 100644
---- source4/kdc/kpasswd-service-heimdal.c
-+++ source4/kdc/kpasswd-service-heimdal.c
-@@ -253,6 +253,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- {
- struct auth_session_info *session_info;
- NTSTATUS status;
-+ krb5_error_code code;
-
- status = gensec_session_info(gensec_security,
- mem_ctx,
-@@ -264,6 +265,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- return KRB5_KPASSWD_HARDERROR;
- }
-
-+ /*
-+ * Since the kpasswd service shares its keys with the krbtgt, we might
-+ * have received a TGT rather than a kpasswd ticket. We need to check
-+ * the ticket type to ensure that TGTs cannot be misused in this manner.
-+ */
-+ code = kpasswd_check_non_tgt(session_info,
-+ error_string);
-+ if (code != 0) {
-+ DBG_WARNING("%s\n", *error_string);
-+ return code;
-+ }
-+
- switch(verno) {
- case KRB5_KPASSWD_VERS_CHANGEPW: {
- DATA_BLOB password = data_blob_null;
-diff --git source4/kdc/kpasswd-service-mit.c source4/kdc/kpasswd-service-mit.c
-index de4c6f3f622..6b051567b6e 100644
---- source4/kdc/kpasswd-service-mit.c
-+++ source4/kdc/kpasswd-service-mit.c
-@@ -332,6 +332,7 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- {
- struct auth_session_info *session_info;
- NTSTATUS status;
-+ krb5_error_code code;
-
- status = gensec_session_info(gensec_security,
- mem_ctx,
-@@ -344,6 +345,18 @@ krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
- return KRB5_KPASSWD_HARDERROR;
- }
-
-+ /*
-+ * Since the kpasswd service shares its keys with the krbtgt, we might
-+ * have received a TGT rather than a kpasswd ticket. We need to check
-+ * the ticket type to ensure that TGTs cannot be misused in this manner.
-+ */
-+ code = kpasswd_check_non_tgt(session_info,
-+ error_string);
-+ if (code != 0) {
-+ DBG_WARNING("%s\n", *error_string);
-+ return code;
-+ }
-+
- switch(verno) {
- case 1: {
- DATA_BLOB password;
---
-2.25.1
-
-
-From a6231af1f1c03cd81614332f867916e1748e03a8 Mon Sep 17 00:00:00 2001
-From: Joseph Sutton <josephsutton@catalyst.net.nz>
-Date: Thu, 23 Jun 2022 13:59:11 +1200
-Subject: [PATCH 97/99] CVE-2022-2031 testprogs: Add test for short-lived
- ticket across an incoming trust
-
-We ensure that the KDC does not reject a TGS-REQ with our short-lived
-TGT over an incoming trust.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
-
-Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-
-[jsutton@samba.org Changed --use-krb5-ccache to -k yes to match
- surrounding usage]
----
- testprogs/blackbox/test_kinit_trusts_heimdal.sh | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git testprogs/blackbox/test_kinit_trusts_heimdal.sh testprogs/blackbox/test_kinit_trusts_heimdal.sh
-index bf0b81a0473..621434eac35 100755
---- testprogs/blackbox/test_kinit_trusts_heimdal.sh
-+++ testprogs/blackbox/test_kinit_trusts_heimdal.sh
-@@ -54,6 +54,10 @@ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppa
- test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
- rm -rf $KRB5CCNAME_PATH
-
-+testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
-+test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
-+rm -rf $KRB5CCNAME_PATH
-+
- # Test with smbclient4
- smbclient="$samba4bindir/smbclient4"
- testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
-@@ -94,5 +98,5 @@ testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domai
-
- test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
-
--rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache
-+rm -f $PREFIX/tmpccache $PREFIX/tmppassfile
- exit $failed
---
-2.25.1
-
-
-From f6e1750c4fc966c29c2e0663d3c04e87057fa0c3 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 7 Jun 2022 09:40:45 -0700
-Subject: [PATCH 98/99] CVE-2022-32742: s4: torture: Add raw.write.bad-write
- test.
-
-Reproduces the test code in:
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
-
-Add knownfail.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
----
- selftest/knownfail.d/bad-write | 2 +
- source4/torture/raw/write.c | 89 ++++++++++++++++++++++++++++++++++
- 2 files changed, 91 insertions(+)
- create mode 100644 selftest/knownfail.d/bad-write
-
-diff --git selftest/knownfail.d/bad-write selftest/knownfail.d/bad-write
-new file mode 100644
-index 00000000000..5fc16606a13
---- /dev/null
-+++ selftest/knownfail.d/bad-write
-@@ -0,0 +1,2 @@
-+^samba3.raw.write.bad-write\(nt4_dc_smb1\)
-+^samba3.raw.write.bad-write\(ad_dc_smb1\)
-diff --git source4/torture/raw/write.c source4/torture/raw/write.c
-index 0a2f50f425b..661485bb548 100644
---- source4/torture/raw/write.c
-+++ source4/torture/raw/write.c
-@@ -25,6 +25,7 @@
- #include "libcli/libcli.h"
- #include "torture/util.h"
- #include "torture/raw/proto.h"
-+#include "libcli/raw/raw_proto.h"
-
- #define CHECK_STATUS(status, correct) do { \
- if (!NT_STATUS_EQUAL(status, correct)) { \
-@@ -694,6 +695,93 @@ done:
- return ret;
- }
-
-+/*
-+ test a deliberately bad SMB1 write.
-+*/
-+static bool test_bad_write(struct torture_context *tctx,
-+ struct smbcli_state *cli)
-+{
-+ bool ret = false;
-+ int fnum = -1;
-+ struct smbcli_request *req = NULL;
-+ const char *fname = BASEDIR "\\badwrite.txt";
-+ bool ok = false;
-+
-+ if (!torture_setup_dir(cli, BASEDIR)) {
-+ torture_fail(tctx, "failed to setup basedir");
-+ }
-+
-+ torture_comment(tctx, "Testing RAW_BAD_WRITE\n");
-+
-+ fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
-+ if (fnum == -1) {
-+ torture_fail_goto(tctx,
-+ done,
-+ talloc_asprintf(tctx,
-+ "Failed to create %s - %s\n",
-+ fname,
-+ smbcli_errstr(cli->tree)));
-+ }
-+
-+ req = smbcli_request_setup(cli->tree,
-+ SMBwrite,
-+ 5,
-+ 0);
-+ if (req == NULL) {
-+ torture_fail_goto(tctx,
-+ done,
-+ talloc_asprintf(tctx, "talloc fail\n"));
-+ }
-+
-+ SSVAL(req->out.vwv, VWV(0), fnum);
-+ SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */
-+ SIVAL(req->out.vwv, VWV(2), 0); /* offset */
-+ SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */
-+
-+ if (!smbcli_request_send(req)) {
-+ torture_fail_goto(tctx,
-+ done,
-+ talloc_asprintf(tctx, "Send failed\n"));
-+ }
-+
-+ if (!smbcli_request_receive(req)) {
-+ torture_fail_goto(tctx,
-+ done,
-+ talloc_asprintf(tctx, "Reveive failed\n"));
-+ }
-+
-+ /*
-+ * Check for expected error codes.
-+ * ntvfs returns NT_STATUS_UNSUCCESSFUL.
-+ */
-+ ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||
-+ NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));
-+
-+ if (!ok) {
-+ torture_fail_goto(tctx,
-+ done,
-+ talloc_asprintf(tctx,
-+ "Should have returned "
-+ "NT_STATUS_INVALID_PARAMETER or "
-+ "NT_STATUS_UNSUCCESSFUL "
-+ "got %s\n",
-+ nt_errstr(req->status)));
-+ }
-+
-+ ret = true;
-+
-+done:
-+ if (req != NULL) {
-+ smbcli_request_destroy(req);
-+ }
-+ if (fnum != -1) {
-+ smbcli_close(cli->tree, fnum);
-+ }
-+ smb_raw_exit(cli->session);
-+ smbcli_deltree(cli->tree, BASEDIR);
-+ return ret;
-+}
-+
- /*
- basic testing of write calls
- */
-@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)
- torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);
- torture_suite_add_1smb_test(suite, "write close", test_writeclose);
- torture_suite_add_1smb_test(suite, "writex", test_writex);
-+ torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);
-
- return suite;
- }
---
-2.25.1
-
-
-From 7720e0acfd7ea6a2339f3e389aa8dcedd6174095 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 8 Jun 2022 13:50:51 -0700
-Subject: [PATCH 99/99] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem()
- macro.
-
-Fixes the raw.write.bad-write test.
-
-NB. We need the two (==0) changes in source3/smbd/reply.c
-as the gcc optimizer now knows that the return from
-smbreq_bufrem() can never be less than zero.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
-
-Remove knownfail.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
----
- selftest/knownfail.d/bad-write | 2 --
- source3/include/smb_macros.h | 2 +-
- source3/smbd/reply.c | 4 ++--
- 3 files changed, 3 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/bad-write
-
-diff --git selftest/knownfail.d/bad-write selftest/knownfail.d/bad-write
-deleted file mode 100644
-index 5fc16606a13..00000000000
---- selftest/knownfail.d/bad-write
-+++ /dev/null
-@@ -1,2 +0,0 @@
--^samba3.raw.write.bad-write\(nt4_dc_smb1\)
--^samba3.raw.write.bad-write\(ad_dc_smb1\)
-diff --git source3/include/smb_macros.h source3/include/smb_macros.h
-index def122727f0..de1322a503b 100644
---- source3/include/smb_macros.h
-+++ source3/include/smb_macros.h
-@@ -152,7 +152,7 @@
-
- /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
- #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
--#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
-+#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
-
-
- /* Note that chain_size must be available as an extern int to this macro. */
-diff --git source3/smbd/reply.c source3/smbd/reply.c
-index f33326564f7..b5abe588910 100644
---- source3/smbd/reply.c
-+++ source3/smbd/reply.c
-@@ -342,7 +342,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
- {
- ssize_t bufrem = smbreq_bufrem(req, src);
-
-- if (bufrem < 0) {
-+ if (bufrem == 0) {
- *err = NT_STATUS_INVALID_PARAMETER;
- return 0;
- }
-@@ -380,7 +380,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
- {
- ssize_t bufrem = smbreq_bufrem(req, src);
-
-- if (bufrem < 0) {
-+ if (bufrem == 0) {
- return 0;
- }
-
---
-2.25.1
-
diff --git a/net/samba413/files/patch-source3_include_includes.h b/net/samba413/files/patch-source3_include_includes.h
deleted file mode 100644
index 269fcb5d8113..000000000000
--- a/net/samba413/files/patch-source3_include_includes.h
+++ /dev/null
@@ -1,11 +0,0 @@
---- source3/include/includes.h.orig 2019-01-15 10:07:00 UTC
-+++ source3/include/includes.h
-@@ -322,6 +322,8 @@ typedef char fstring[FSTRING_LEN];
- * the *bottom* of include files so as not to conflict. */
- #ifdef ENABLE_DMALLOC
- # include <dmalloc.h>
-+#elif ENABLE_JEMALLOC
-+# include <jemalloc/jemalloc.h>
- #endif
-
-
diff --git a/net/samba413/files/patch-source3_lib_sysquotas__4B.c b/net/samba413/files/patch-source3_lib_sysquotas__4B.c
deleted file mode 100644
index f665234adf37..000000000000
--- a/net/samba413/files/patch-source3_lib_sysquotas__4B.c
+++ /dev/null
@@ -1,18 +0,0 @@
---- source3/lib/sysquotas_4B.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/lib/sysquotas_4B.c
-@@ -140,7 +140,14 @@ static int sys_quotactl_4B(const char *
- /* ENOTSUP means quota support is not compiled in. EINVAL
- * means that quotas are not configured (commonly).
- */
-- if (errno != ENOTSUP && errno != EINVAL) {
-+ if (errno != ENOTSUP && errno != EINVAL
-+/*
-+ * FreeBSD 12 between r336017 and r342928 wrongfuly return ENOENT for the not enabled qoutas on ZFS.
-+ */
-+#if defined(__FreeBSD__) && ((__FreeBSD_version >= 1102503 && __FreeBSD_version <= 1102506) || (__FreeBSD_version >= 1200072 && __FreeBSD_version <= 1200503) || (__FreeBSD_version >= 1300000 && __FreeBSD_version <= 1300009))
-+ && errno != ENOENT
-+#endif
-+ ) {
- DEBUG(5, ("failed to %s quota for %s ID %u on %s: %s\n",
- (cmd & QCMD(Q_GETQUOTA, 0)) ? "get" : "set",
- (cmd & QCMD(0, GRPQUOTA)) ? "group" : "user",
diff --git a/net/samba413/files/patch-source3_lib_util.c b/net/samba413/files/patch-source3_lib_util.c
deleted file mode 100644
index cf5bae739144..000000000000
--- a/net/samba413/files/patch-source3_lib_util.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- source3/lib/util.c.orig 2019-05-07 08:38:21 UTC
-+++ source3/lib/util.c
-@@ -1916,7 +1916,10 @@ bool any_nt_status_not_ok(NTSTATUS err1,
-
- int timeval_to_msec(struct timeval t)
- {
-- return t.tv_sec * 1000 + (t.tv_usec+999) / 1000;
-+ unsigned long result;
-+
-+ result = t.tv_sec * 1000 + (t.tv_usec+999) / 1000;
-+ return result > INT_MAX ? INT_MAX : result;
- }
-
- /*******************************************************************
diff --git a/net/samba413/files/patch-source3_librpc_crypto_gse.c b/net/samba413/files/patch-source3_librpc_crypto_gse.c
deleted file mode 100644
index 61897ee6c8a2..000000000000
--- a/net/samba413/files/patch-source3_librpc_crypto_gse.c
+++ /dev/null
@@ -1,16 +0,0 @@
---- source3/librpc/crypto/gse.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/librpc/crypto/gse.c
-@@ -621,11 +621,12 @@ static NTSTATUS gse_get_server_auth_toke
- struct gse_context *gse_ctx =
- talloc_get_type_abort(gensec_security->private_data,
- struct gse_context);
-- OM_uint32 gss_maj, gss_min;
-+ OM_uint32 gss_min;
- gss_buffer_desc in_data;
- gss_buffer_desc out_data;
- DATA_BLOB blob = data_blob_null;
- NTSTATUS status;
-+ OM_uint32 gss_maj = -1;
- OM_uint32 time_rec = 0;
- struct timeval tv;
-
diff --git a/net/samba413/files/patch-source3_modules_vfs__fruit.c b/net/samba413/files/patch-source3_modules_vfs__fruit.c
deleted file mode 100644
index 952f5c12ff06..000000000000
--- a/net/samba413/files/patch-source3_modules_vfs__fruit.c
+++ /dev/null
@@ -1,86 +0,0 @@
-From d9b748869a8f4018ebee302aae8246bf29f60309 Mon Sep 17 00:00:00 2001
-From: "Timur I. Bakeyev" <timur@iXsystems.com>
-Date: Fri, 1 Jun 2018 01:35:08 +0800
-Subject: [PATCH] vfs_fruit: allow broken AFP_Signature where the first
- byte is 0
-
-FreeBSD bug ... caused the first byte of the AFP_AfpInfo xattr to be 0
-instead of 'A'. This hack allows such broken AFP_AfpInfo blobs to be
-parsed by afpinfo_unpack().
-
-FreeBSD Bug: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228462
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-
---- source3/lib/adouble.c.orig 2020-05-08 09:30:43 UTC
-+++ source3/lib/adouble.c
-@@ -2662,6 +2662,8 @@ ssize_t afpinfo_pack(const AfpInfo *ai, char *buf)
- return AFP_INFO_SIZE;
- }
-
-+#define BROKEN_FREEBSD_AFP_Signature 0x00465000
-+
- /**
- * Unpack a buffer into a AfpInfo structure
- *
-@@ -2679,12 +2681,22 @@ AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *d
- ai->afpi_Version = RIVAL(data, 4);
- ai->afpi_BackupTime = RIVAL(data, 12);
- memcpy(ai->afpi_FinderInfo, (const char *)data + 16,
-- sizeof(ai->afpi_FinderInfo));
-+ sizeof(ai->afpi_FinderInfo));
-
-- if (ai->afpi_Signature != AFP_Signature
-- || ai->afpi_Version != AFP_Version) {
-- DEBUG(1, ("Bad AfpInfo signature or version\n"));
-+ if (ai->afpi_Signature != AFP_Signature) {
-+ DBG_WARNING("Bad AFP signature [%x]\n", ai->afpi_Signature);
-+
-+ if (ai->afpi_Signature != BROKEN_FREEBSD_AFP_Signature) {
-+ DBG_ERR("Bad AfpInfo signature\n");
-+ TALLOC_FREE(ai);
-+ return NULL;
-+ }
-+ }
-+
-+ if (ai->afpi_Version != AFP_Version) {
-+ DBG_ERR("Bad AfpInfo version\n");
- TALLOC_FREE(ai);
-+ return NULL;
- }
-
- return ai;
---- source3/modules/vfs_fruit.c.orig 2021-01-26 08:16:58 UTC
-+++ source3/modules/vfs_fruit.c
-@@ -2146,13 +2146,30 @@ static ssize_t fruit_pread_meta_stream(vfs_handle_stru
- struct fio *fio = (struct fio *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
- ssize_t nread;
- int ret;
-+ char *p = (char *)data;
-
- if (fio->fake_fd) {
- return -1;
- }
-
- nread = SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
-- if (nread == -1 || nread == n) {
-+ if (nread <= 0) {
-+ /*
-+ * fruit_meta_open_stream() removes O_CREAT flag
-+ * from xattr open. This results in vfs_streams_xattr
-+ * not generating an FSP extension for the files_struct
-+ * and causes subsequent pread() of stream to return
-+ * nread=0 if pread() occurs before pwrite().
-+ */
-+ return nread;
-+ }
-+
-+ if (nread == n) {
-+ if (offset == 0 && nread > 3 && p[0] == 0 && p[1] == 'F' && p[2] == 'P') {
-+ DBG_NOTICE("Fixing AFP_Info of [%s]\n",
-+ fsp_str_dbg(fsp));
-+ p[0] = 'A';
-+ }
- return nread;
- }
-
diff --git a/net/samba413/files/patch-source3_modules_vfs__streams__xattr.c b/net/samba413/files/patch-source3_modules_vfs__streams__xattr.c
deleted file mode 100644
index 59d79d9f76cd..000000000000
--- a/net/samba413/files/patch-source3_modules_vfs__streams__xattr.c
+++ /dev/null
@@ -1,526 +0,0 @@
---- source3/modules/vfs_streams_xattr.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/modules/vfs_streams_xattr.c
-@@ -1,10 +1,10 @@
- /*
- * Store streams in xattrs
- *
-- * Copyright (C) Volker Lendecke, 2008
-+ * Copyright (C) Volker Lendecke, 2008
-+ * Copyright (C) Timur I. Bakeyev, 2017
- *
- * Partly based on James Peach's Darwin module, which is
-- *
- * Copyright (C) James Peach 2006-2007
- *
- * This program is free software; you can redistribute it and/or modify
-@@ -79,25 +79,79 @@ static SMB_INO_T stream_inode(const SMB_
- }
-
- static ssize_t get_xattr_size(connection_struct *conn,
-- const struct smb_filename *smb_fname,
-- const char *xattr_name)
-+ const struct smb_filename *smb_fname,
-+ const char *xattr_name)
- {
-- NTSTATUS status;
-- struct ea_struct ea;
- ssize_t result;
-
-- status = get_ea_value(talloc_tos(), conn, NULL, smb_fname,
-- xattr_name, &ea);
-+ result = SMB_VFS_GETXATTR(conn, smb_fname, xattr_name, NULL, 0);
-+ // ? -1
-+ return result;
-+}
-
-- if (!NT_STATUS_IS_OK(status)) {
-- return -1;
-+static NTSTATUS get_xattr_value(TALLOC_CTX *mem_ctx,
-+ connection_struct *conn,
-+ const struct smb_filename *smb_fname,
-+ const char *ea_name,
-+ struct ea_struct *pea)
-+{
-+ ssize_t attr_size;
-+
-+ attr_size = get_xattr_size(conn, smb_fname, ea_name);
-+
-+ if (attr_size == -1) {
-+ return map_nt_error_from_unix(errno);
- }
-
-- result = ea.value.length-1;
-- TALLOC_FREE(ea.value.data);
-- return result;
-+ pea->value = data_blob_talloc(mem_ctx, NULL, attr_size);
-+ /* We may have xattr of a 0 size */
-+ if(pea->value.data == NULL && attr_size) {
-+ DEBUG(5,
-+ ("get_xattr_value: for EA '%s' failed to allocate %lu bytes\n",
-+ ea_name, (unsigned long)attr_size)
-+ );
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ attr_size = SMB_VFS_GETXATTR(conn, smb_fname, ea_name, pea->value.data, pea->value.length);
-+
-+ if (attr_size == -1) {
-+ return map_nt_error_from_unix(errno);
-+ }
-+
-+ if(pea->value.length != attr_size) {
-+ DEBUG(5,
-+ ("get_xattr_value: for EA '%s' requested %lu, read %lu bytes\n",
-+ ea_name, (unsigned long)pea->value.length, (unsigned long)attr_size)
-+ );
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ DEBUG(10,("get_xattr_value: EA '%s' is of length %lu\n", ea_name, (unsigned long)attr_size));
-+ /*
-+ * This can dump huge amount of data multiple times. For example
-+ * for 1Mb ADS and chunk size 64Kb the same 1Mb dump will be
-+ * logged 16 times!
-+ */
-+ dump_data(50, (uint8_t *)pea->value.data, pea->value.length);
-+
-+ pea->flags = 0;
-+ // ? user.
-+ if (strnequal(ea_name, "user.", 5)) {
-+ pea->name = talloc_strdup(mem_ctx, &ea_name[5]);
-+ } else {
-+ pea->name = talloc_strdup(mem_ctx, ea_name);
-+ }
-+
-+ if (pea->name == NULL) {
-+ data_blob_free(&pea->value);
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ return NT_STATUS_OK;
- }
-
-+
- /**
- * Given a stream name, populate xattr_name with the xattr name to use for
- * accessing the stream.
-@@ -114,6 +168,7 @@ static NTSTATUS streams_xattr_get_name(v
- SMB_VFS_HANDLE_GET_DATA(handle, config, struct streams_xattr_config,
- return NT_STATUS_UNSUCCESSFUL);
-
-+ // stream_name is passed as ':stream', so skip leading ':'
- sname = talloc_strdup(ctx, stream_name + 1);
- if (sname == NULL) {
- return NT_STATUS_NO_MEMORY;
-@@ -125,7 +180,7 @@ static NTSTATUS streams_xattr_get_name(v
- * characters from their on-the-wire Unicode Private Range
- * encoding to their native ASCII representation.
- *
-- * As as result the name of xattrs storing the streams (via
-+ * As a result the name of xattrs storing the streams (via
- * vfs_streams_xattr) may contain a colon, so we have to use
- * strrchr_m() instead of strchr_m() for matching the stream
- * type suffix.
-@@ -157,7 +212,7 @@ static NTSTATUS streams_xattr_get_name(v
- return NT_STATUS_NO_MEMORY;
- }
-
-- DEBUG(10, ("xattr_name: %s, stream_name: %s\n", *xattr_name,
-+ DEBUG(10, ("xattr_name: '%s', stream_name: '%s'\n", *xattr_name,
- stream_name));
-
- talloc_free(sname);
-@@ -270,8 +325,8 @@ static int streams_xattr_fstat(vfs_handl
- return -1;
- }
-
-- sbuf->st_ex_size = get_xattr_size(handle->conn,
-- smb_fname_base, io->xattr_name);
-+ sbuf->st_ex_size = get_xattr_size(handle->conn, smb_fname_base,
-+ io->xattr_name);
- if (sbuf->st_ex_size == -1) {
- TALLOC_FREE(smb_fname_base);
- SET_STAT_INVALID(*sbuf);
-@@ -446,10 +501,10 @@ static int streams_xattr_open(vfs_handle
- goto fail;
- }
-
-- status = get_ea_value(talloc_tos(), handle->conn, NULL,
-- smb_fname, xattr_name, &ea);
-+ status = get_xattr_value(talloc_tos(), handle->conn,
-+ smb_fname, xattr_name, &ea);
-
-- DEBUG(10, ("get_ea_value returned %s\n", nt_errstr(status)));
-+ DEBUG(10, ("get_xattr_value returned %s\n", nt_errstr(status)));
-
- if (!NT_STATUS_IS_OK(status)) {
- if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-@@ -480,19 +535,13 @@ static int streams_xattr_open(vfs_handle
- /*
- * The attribute does not exist or needs to be truncated
- */
--
-- /*
-- * Darn, xattrs need at least 1 byte
-- */
-- char null = '\0';
--
- DEBUG(10, ("creating or truncating attribute %s on file %s\n",
- xattr_name, smb_fname->base_name));
-
- ret = SMB_VFS_SETXATTR(fsp->conn,
- smb_fname,
- xattr_name,
-- &null, sizeof(null),
-+ NULL, 0,
- flags & O_EXCL ? XATTR_CREATE : 0);
- if (ret != 0) {
- goto fail;
-@@ -678,8 +727,8 @@ static int streams_xattr_rename(vfs_hand
- }
-
- /* read the old stream */
-- status = get_ea_value(talloc_tos(), handle->conn, NULL,
-- smb_fname_src, src_xattr_name, &ea);
-+ status = get_xattr_value(talloc_tos(), handle->conn,
-+ smb_fname_src, src_xattr_name, &ea);
- if (!NT_STATUS_IS_OK(status)) {
- errno = ENOENT;
- goto fail;
-@@ -766,14 +815,13 @@ static NTSTATUS walk_xattr_streams(vfs_h
- continue;
- }
-
-- status = get_ea_value(names,
-+ status = get_xattr_value(names,
- handle->conn,
-- NULL,
- smb_fname,
- names[i],
- &ea);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(10, ("Could not get ea %s for file %s: %s\n",
-+ DEBUG(10, ("Could not get EA %s for file %s: %s\n",
- names[i],
- smb_fname->base_name,
- nt_errstr(status)));
-@@ -835,16 +883,17 @@ struct streaminfo_state {
- NTSTATUS status;
- };
-
--static bool collect_one_stream(struct ea_struct *ea, void *private_data)
-+static bool collect_one_stream(struct ea_struct *pea, void *private_data)
- {
- struct streaminfo_state *state =
- (struct streaminfo_state *)private_data;
-
-+ // ? -1
- if (!add_one_stream(state->mem_ctx,
- &state->num_streams, &state->streams,
-- ea->name, ea->value.length-1,
-+ pea->name, pea->value.length,
- smb_roundup(state->handle->conn,
-- ea->value.length-1))) {
-+ pea->value.length))) {
- state->status = NT_STATUS_NO_MEMORY;
- return false;
- }
-@@ -964,14 +1013,17 @@ static ssize_t streams_xattr_pwrite(vfs_
- files_struct *fsp, const void *data,
- size_t n, off_t offset)
- {
-- struct stream_io *sio =
-+ struct stream_io *sio =
- (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
-+ struct smb_filename *smb_fname_base = NULL;
-+ TALLOC_CTX *frame = NULL;
-+
- struct ea_struct ea;
- NTSTATUS status;
-- struct smb_filename *smb_fname_base = NULL;
- int ret;
-
-- DEBUG(10, ("streams_xattr_pwrite called for %d bytes\n", (int)n));
-+ DEBUG(10, ("streams_xattr_pwrite: offset=%lu, size=%lu\n",
-+ (unsigned long)offset, (unsigned long)n));
-
- if (sio == NULL) {
- return SMB_VFS_NEXT_PWRITE(handle, fsp, data, n, offset);
-@@ -981,6 +1033,8 @@ static ssize_t streams_xattr_pwrite(vfs_
- return -1;
- }
-
-+ frame = talloc_stackframe();
-+
- /* Create an smb_filename with stream_name == NULL. */
- smb_fname_base = synthetic_smb_fname(talloc_tos(),
- sio->base,
-@@ -988,39 +1042,55 @@ static ssize_t streams_xattr_pwrite(vfs_
- NULL,
- fsp->fsp_name->flags);
- if (smb_fname_base == NULL) {
-+ TALLOC_FREE(frame);
- errno = ENOMEM;
- return -1;
- }
-
-- status = get_ea_value(talloc_tos(), handle->conn, NULL,
-- smb_fname_base, sio->xattr_name, &ea);
-- if (!NT_STATUS_IS_OK(status)) {
-- return -1;
-- }
--
-- if ((offset + n) > ea.value.length-1) {
-- uint8_t *tmp;
-+ status = get_xattr_value(talloc_tos(), handle->conn,
-+ smb_fname_base, sio->xattr_name, &ea);
-
-- tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
-- offset + n + 1);
-+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
-+ /*
-+ * This can happen if we sit behind vfs_fruit:
-+ * fruit_ftruncate calls UNLINK on an attribute
-+ * truncating the "file" to zero length. A later
-+ * pwrite faces a non-existing attribute, we need to
-+ * cope with that here.
-+ *
-+ * This might be not the last word on this.
-+ */
-
-- if (tmp == NULL) {
-- TALLOC_FREE(ea.value.data);
-- errno = ENOMEM;
-- return -1;
-- }
-- ea.value.data = tmp;
-- ea.value.length = offset + n + 1;
-- ea.value.data[offset+n] = 0;
-- }
-+ ea = (struct ea_struct) {0};
-+ ea.name = talloc_strdup(talloc_tos(), sio->xattr_name);
-+ if (ea.name == NULL) {
-+ TALLOC_FREE(frame);
-+ errno = ENOMEM;
-+ return -1;
-+ }
-+ status = NT_STATUS_OK;
-+ }
-
-- memcpy(ea.value.data + offset, data, n);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
-+ return -1;
-+ }
-+ // ? -1
-+ if ((offset + n) > ea.value.length) {
-+ if(!data_blob_realloc(talloc_tos(), &ea.value, offset + n)) {
-+ TALLOC_FREE(frame);
-+ errno = ENOMEM;
-+ return -1;
-+ }
-+ }
-+ memcpy(ea.value.data + offset, data, n);
-
- ret = SMB_VFS_SETXATTR(fsp->conn,
- fsp->fsp_name,
- sio->xattr_name,
- ea.value.data, ea.value.length, 0);
-- TALLOC_FREE(ea.value.data);
-+
-+ TALLOC_FREE(frame);
-
- if (ret == -1) {
- return -1;
-@@ -1033,15 +1103,17 @@ static ssize_t streams_xattr_pread(vfs_h
- files_struct *fsp, void *data,
- size_t n, off_t offset)
- {
-- struct stream_io *sio =
-+ struct stream_io *sio =
- (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
-+ struct smb_filename *smb_fname_base = NULL;
-+ TALLOC_CTX *frame = NULL;
-+
- struct ea_struct ea;
- NTSTATUS status;
-- size_t length, overlap;
-- struct smb_filename *smb_fname_base = NULL;
-+ size_t overlap;
-
-- DEBUG(10, ("streams_xattr_pread: offset=%d, size=%d\n",
-- (int)offset, (int)n));
-+ DEBUG(10, ("streams_xattr_pread: offset=%lu, size=%lu\n",
-+ (unsigned long)offset, (unsigned long)n));
-
- if (sio == NULL) {
- return SMB_VFS_NEXT_PREAD(handle, fsp, data, n, offset);
-@@ -1051,6 +1123,8 @@ static ssize_t streams_xattr_pread(vfs_h
- return -1;
- }
-
-+ frame = talloc_stackframe();
-+
- /* Create an smb_filename with stream_name == NULL. */
- smb_fname_base = synthetic_smb_fname(talloc_tos(),
- sio->base,
-@@ -1058,31 +1132,35 @@ static ssize_t streams_xattr_pread(vfs_h
- NULL,
- fsp->fsp_name->flags);
- if (smb_fname_base == NULL) {
-+ TALLOC_FREE(frame);
- errno = ENOMEM;
- return -1;
- }
-
-- status = get_ea_value(talloc_tos(), handle->conn, NULL,
-- smb_fname_base, sio->xattr_name, &ea);
-+ status = get_xattr_value(talloc_tos(), handle->conn,
-+ smb_fname_base, sio->xattr_name, &ea);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
- return -1;
- }
-+ // ? -1
-+ //length = ea.value.length-1;
-
-- length = ea.value.length-1;
-+ DEBUG(10, ("streams_xattr_pread: get_xattr_value() returned %lu bytes\n",
-+ (unsigned long)ea.value.length));
-
-- DEBUG(10, ("streams_xattr_pread: get_ea_value returned %d bytes\n",
-- (int)length));
-+ /* Attempt to read past EOF. */
-+ if (ea.value.length <= offset) {
-+ TALLOC_FREE(frame);
-+ return 0;
-+ }
-
-- /* Attempt to read past EOF. */
-- if (length <= offset) {
-- return 0;
-- }
-+ overlap = (offset + n) > ea.value.length ? (ea.value.length - offset) : n;
-+ memcpy(data, ea.value.data + offset, overlap);
-
-- overlap = (offset + n) > length ? (length - offset) : n;
-- memcpy(data, ea.value.data + offset, overlap);
-+ TALLOC_FREE(frame);
-
-- TALLOC_FREE(ea.value.data);
-- return overlap;
-+ return overlap;
- }
-
- struct streams_xattr_pread_state {
-@@ -1249,16 +1327,18 @@ static int streams_xattr_ftruncate(struc
- struct files_struct *fsp,
- off_t offset)
- {
-- int ret;
-- uint8_t *tmp;
-- struct ea_struct ea;
-- NTSTATUS status;
-- struct stream_io *sio =
-+ struct stream_io *sio =
- (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
- struct smb_filename *smb_fname_base = NULL;
-+ TALLOC_CTX *frame = NULL;
-
-- DEBUG(10, ("streams_xattr_ftruncate called for file %s offset %.0f\n",
-- fsp_str_dbg(fsp), (double)offset));
-+ struct ea_struct ea;
-+ NTSTATUS status;
-+ size_t orig_length;
-+ int ret;
-+
-+ DEBUG(10, ("streams_xattr_ftruncate: called for file '%s' with offset %lu\n",
-+ fsp_str_dbg(fsp), (unsigned long)offset));
-
- if (sio == NULL) {
- return SMB_VFS_NEXT_FTRUNCATE(handle, fsp, offset);
-@@ -1268,6 +1348,8 @@ static int streams_xattr_ftruncate(struc
- return -1;
- }
-
-+ frame = talloc_stackframe();
-+
- /* Create an smb_filename with stream_name == NULL. */
- smb_fname_base = synthetic_smb_fname(talloc_tos(),
- sio->base,
-@@ -1275,40 +1357,46 @@ static int streams_xattr_ftruncate(struc
- NULL,
- fsp->fsp_name->flags);
- if (smb_fname_base == NULL) {
-+ TALLOC_FREE(frame);
- errno = ENOMEM;
- return -1;
- }
-
-- status = get_ea_value(talloc_tos(), handle->conn, NULL,
-- smb_fname_base, sio->xattr_name, &ea);
-+ status = get_xattr_value(talloc_tos(), handle->conn,
-+ smb_fname_base, sio->xattr_name, &ea);
- if (!NT_STATUS_IS_OK(status)) {
-+ TALLOC_FREE(frame);
- return -1;
- }
-+ orig_length = ea.value.length;
-
-- tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
-- offset + 1);
-+ /* Requested size matches the original size */
-+ if(orig_length == offset) {
-+ TALLOC_FREE(frame);
-+ return 0;
-+ }
-
-- if (tmp == NULL) {
-- TALLOC_FREE(ea.value.data);
-+ /* That can both shrink and expand */
-+ /* XXX: If offset == 0 the result of talloc_realloc is NULL, but still valid */
-+ if(offset && !data_blob_realloc(talloc_tos(), &ea.value, offset)) {
-+ TALLOC_FREE(frame);
- errno = ENOMEM;
- return -1;
- }
-
-- /* Did we expand ? */
-- if (ea.value.length < offset + 1) {
-- memset(&tmp[ea.value.length], '\0',
-- offset + 1 - ea.value.length);
-+ /* If we expanded, fill up extra space with zeros */
-+ if (orig_length < offset) {
-+ memset(ea.value.data + orig_length, 0,
-+ offset - orig_length);
- }
-
-- ea.value.data = tmp;
-- ea.value.length = offset + 1;
-- ea.value.data[offset] = 0;
--
-+ /* XXX: We should use ea.value.length here, but when offset == 0
-+ it's not reset to 0 in data_blob_realloc() */
- ret = SMB_VFS_SETXATTR(fsp->conn,
- fsp->fsp_name,
- sio->xattr_name,
-- ea.value.data, ea.value.length, 0);
-- TALLOC_FREE(ea.value.data);
-+ ea.value.data, offset, 0);
-+ TALLOC_FREE(frame);
-
- if (ret == -1) {
- return -1;
-@@ -1326,9 +1414,9 @@ static int streams_xattr_fallocate(struc
- struct stream_io *sio =
- (struct stream_io *)VFS_FETCH_FSP_EXTENSION(handle, fsp);
-
-- DEBUG(10, ("streams_xattr_fallocate called for file %s offset %.0f"
-- "len = %.0f\n",
-- fsp_str_dbg(fsp), (double)offset, (double)len));
-+ DEBUG(10, ("streams_xattr_fallocate: called for file '%s' with offset %lu"
-+ "len = %lu\n",
-+ fsp_str_dbg(fsp), (unsigned long)offset, (unsigned long)len));
-
- if (sio == NULL) {
- return SMB_VFS_NEXT_FALLOCATE(handle, fsp, mode, offset, len);
diff --git a/net/samba413/files/patch-source3_modules_vfs__virusfilter__utils.c b/net/samba413/files/patch-source3_modules_vfs__virusfilter__utils.c
deleted file mode 100644
index 6e6dc6d2bae5..000000000000
--- a/net/samba413/files/patch-source3_modules_vfs__virusfilter__utils.c
+++ /dev/null
@@ -1,36 +0,0 @@
---- source3/modules/vfs_virusfilter_utils.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/modules/vfs_virusfilter_utils.c
-@@ -392,6 +392,10 @@ bool virusfilter_io_writel(
-
- bool virusfilter_io_writefl(
- struct virusfilter_io_handle *io_h,
-+ const char *data_fmt, ...) PRINTF_ATTRIBUTE(2, 3);
-+
-+bool virusfilter_io_writefl(
-+ struct virusfilter_io_handle *io_h,
- const char *data_fmt, ...)
- {
- va_list ap;
-@@ -415,6 +419,10 @@ bool virusfilter_io_writefl(
-
- bool virusfilter_io_vwritefl(
- struct virusfilter_io_handle *io_h,
-+ const char *data_fmt, va_list ap) PRINTF_ATTRIBUTE(2, 0);
-+
-+bool virusfilter_io_vwritefl(
-+ struct virusfilter_io_handle *io_h,
- const char *data_fmt, va_list ap)
- {
- char data[VIRUSFILTER_IO_BUFFER_SIZE + VIRUSFILTER_IO_EOL_SIZE];
-@@ -666,6 +674,11 @@ bool virusfilter_io_readl(TALLOC_CTX *ct
- bool virusfilter_io_writefl_readl(
- struct virusfilter_io_handle *io_h,
- char **read_line,
-+ const char *fmt, ...) PRINTF_ATTRIBUTE(3, 4);
-+
-+bool virusfilter_io_writefl_readl(
-+ struct virusfilter_io_handle *io_h,
-+ char **read_line,
- const char *fmt, ...)
- {
- bool ok;
diff --git a/net/samba413/files/patch-source3_registry_tests_test__regfio.c b/net/samba413/files/patch-source3_registry_tests_test__regfio.c
deleted file mode 100644
index e79c77c9731e..000000000000
--- a/net/samba413/files/patch-source3_registry_tests_test__regfio.c
+++ /dev/null
@@ -1,10 +0,0 @@
---- source3/registry/tests/test_regfio.c.orig 2019-05-07 08:38:21 UTC
-+++ source3/registry/tests/test_regfio.c
-@@ -24,6 +24,7 @@
-
- #include <errno.h>
- #include <stdlib.h>
-+#include <unistd.h>
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <fcntl.h>
diff --git a/net/samba413/files/patch-source3_smbd_quotas.c b/net/samba413/files/patch-source3_smbd_quotas.c
deleted file mode 100644
index 8419481ae935..000000000000
--- a/net/samba413/files/patch-source3_smbd_quotas.c
+++ /dev/null
@@ -1,19 +0,0 @@
---- source3/smbd/quotas.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/smbd/quotas.c
-@@ -125,6 +125,7 @@ static bool nfs_quotas(char *nfspath, ui
- if (!cutstr)
- return False;
-
-+ memset(&D, '\0', sizeof(D));
- memset(cutstr, '\0', len+1);
- host = strncat(cutstr,mnttype, sizeof(char) * len );
- DEBUG(5,("nfs_quotas: looking for mount on \"%s\"\n", cutstr));
-@@ -133,7 +134,7 @@ static bool nfs_quotas(char *nfspath, ui
- args.gqa_pathp = testpath+1;
- args.gqa_uid = uid;
-
-- DEBUG(5,("nfs_quotas: Asking for host \"%s\" rpcprog \"%i\" rpcvers \"%i\" network \"%s\"\n", host, RQUOTAPROG, RQUOTAVERS, "udp"));
-+ DEBUG(5,("nfs_quotas: Asking for host \"%s\" rpcprog \"%lu\" rpcvers \"%lu\" network \"%s\"\n", host, RQUOTAPROG, RQUOTAVERS, "udp"));
-
- if ((clnt = clnt_create(host, RQUOTAPROG, RQUOTAVERS, "udp")) == NULL) {
- ret = False;
diff --git a/net/samba413/files/patch-source3_smbd_utmp.c b/net/samba413/files/patch-source3_smbd_utmp.c
deleted file mode 100644
index b8cedca303d0..000000000000
--- a/net/samba413/files/patch-source3_smbd_utmp.c
+++ /dev/null
@@ -1,261 +0,0 @@
---- source3/smbd/utmp.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/smbd/utmp.c
-@@ -257,7 +257,7 @@ static char *uw_pathname(TALLOC_CTX *ctx
- Update utmp file directly. No subroutine interface: probably a BSD system.
- ****************************************************************************/
-
--static void pututline_my(const char *uname, struct utmp *u, bool claim)
-+static void pututline_my(const char *uname, STRUCT_UTMP *u, bool claim)
- {
- DEBUG(1,("pututline_my: not yet implemented\n"));
- /* BSD implementor: may want to consider (or not) adjusting "lastlog" */
-@@ -271,7 +271,7 @@ static void pututline_my(const char *una
- Credit: Michail Vidiassov <master@iaas.msu.ru>
- ****************************************************************************/
-
--static void updwtmp_my(const char *wname, struct utmp *u, bool claim)
-+static void updwtmp_my(const char *wname, STRUCT_UTMP *u, bool claim)
- {
- int fd;
- struct stat buf;
-@@ -303,7 +303,7 @@ static void updwtmp_my(const char *wname
- if ((fd = open(wname, O_WRONLY|O_APPEND, 0)) < 0)
- return;
- if (fstat(fd, &buf) == 0) {
-- if (write(fd, (char *)u, sizeof(struct utmp)) != sizeof(struct utmp))
-+ if (write(fd, (char *)u, sizeof(STRUCT_UTMP)) != sizeof(STRUCT_UTMP))
- (void) ftruncate(fd, buf.st_size);
- }
- (void) close(fd);
-@@ -314,12 +314,12 @@ static void updwtmp_my(const char *wname
- Update via utmp/wtmp (not utmpx/wtmpx).
- ****************************************************************************/
-
--static void utmp_nox_update(struct utmp *u, bool claim)
-+static void utmp_nox_update(STRUCT_UTMP *u, bool claim)
- {
- char *uname = NULL;
- char *wname = NULL;
- #if defined(PUTUTLINE_RETURNS_UTMP)
-- struct utmp *urc;
-+ STRUCT_UTMP *urc;
- #endif /* PUTUTLINE_RETURNS_UTMP */
-
- uname = uw_pathname(talloc_tos(), "utmp", ut_pathname);
-@@ -376,127 +376,52 @@ static void utmp_nox_update(struct utmp
- }
- }
-
--/****************************************************************************
-- Copy a string in the utmp structure.
--****************************************************************************/
-
--static void utmp_strcpy(char *dest, const char *src, size_t n)
--{
-- size_t len = 0;
-
-- memset(dest, '\0', n);
-- if (src)
-- len = strlen(src);
-- if (len >= n) {
-- memcpy(dest, src, n);
-- } else {
-- if (len)
-- memcpy(dest, src, len);
-- }
--}
-+
-
- /****************************************************************************
- Update via utmpx/wtmpx (preferred) or via utmp/wtmp.
- ****************************************************************************/
-
--static void sys_utmp_update(struct utmp *u, const char *hostname, bool claim)
-+static void sys_utmp_update(STRUCT_UTMP *u, const char *hostname, bool claim)
- {
--#if !defined(HAVE_UTMPX_H)
-- /* No utmpx stuff. Drop to non-x stuff */
-- utmp_nox_update(u, claim);
--#elif !defined(HAVE_PUTUTXLINE)
-- /* Odd. Have utmpx.h but no "pututxline()". Drop to non-x stuff */
-- DEBUG(1,("utmp_update: have utmpx.h but no pututxline() function\n"));
-- utmp_nox_update(u, claim);
--#elif !defined(HAVE_GETUTMPX)
-- /* Odd. Have utmpx.h but no "getutmpx()". Drop to non-x stuff */
-- DEBUG(1,("utmp_update: have utmpx.h but no getutmpx() function\n"));
-- utmp_nox_update(u, claim);
--#elif !defined(HAVE_UPDWTMPX)
-- /* Have utmpx.h but no "updwtmpx()". Drop to non-x stuff */
-- DEBUG(1,("utmp_update: have utmpx.h but no updwtmpx() function\n"));
-- utmp_nox_update(u, claim);
--#else
-- char *uname = NULL;
-- char *wname = NULL;
-- struct utmpx ux, *uxrc;
--
-- getutmpx(u, &ux);
--
--#if defined(HAVE_UX_UT_SYSLEN)
-- if (hostname)
-- ux.ut_syslen = strlen(hostname) + 1; /* include end NULL */
-- else
-- ux.ut_syslen = 0;
--#endif
--#if defined(HAVE_UX_UT_HOST)
-- utmp_strcpy(ux.ut_host, hostname, sizeof(ux.ut_host));
--#endif
--
-- uname = uw_pathname(talloc_tos(), "utmpx", ux_pathname);
-- wname = uw_pathname(talloc_tos(), "wtmpx", wx_pathname);
-- if (uname && wname) {
-- DEBUG(2,("utmp_update: uname:%s wname:%s\n", uname, wname));
-- }
-+ STRUCT_UTMP *urc;
-
-- /*
-- * Check for either uname or wname being empty.
-- * Some systems, such as Redhat 6, have a "utmpx.h" which doesn't
-- * define default filenames.
-- * Also, our local installation has not provided an override.
-- * Drop to non-x method. (E.g. RH6 has good defaults in "utmp.h".)
-- */
-- if (!uname || !wname || (strlen(uname) == 0) || (strlen(wname) == 0)) {
-- utmp_nox_update(u, claim);
-- } else {
-- utmpxname(uname);
-- setutxent();
-- uxrc = pututxline(&ux);
-- endutxent();
-- if (uxrc == NULL) {
-- DEBUG(2,("utmp_update: pututxline() failed\n"));
-- return;
-- }
-- updwtmpx(wname, &ux);
-+ setutxent();
-+ urc = pututxline(u);
-+ endutxent();
-+ if (urc == NULL) {
-+ DEBUG(2,("utmp_update: pututxline() failed\n"));
-+ return;
- }
--#endif /* HAVE_UTMPX_H */
- }
-
- #if defined(HAVE_UT_UT_ID)
- /****************************************************************************
- Encode the unique connection number into "ut_id".
- ****************************************************************************/
--
--static int ut_id_encode(int i, char *fourbyte)
-+static void ut_id_encode(char *buf, int id, size_t buf_size)
- {
-- int nbase;
-- const char *ut_id_encstr = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
--
--/*
-- * 'ut_id_encstr' is the character set on which modulo arithmetic is done.
-- * Example: digits would produce the base-10 numbers from '001'.
-- */
-- nbase = strlen(ut_id_encstr);
-+ const char ut_id_encstr[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
-
-- fourbyte[0] = ut_id_encstr[i % nbase];
-- i /= nbase;
-- fourbyte[1] = ut_id_encstr[i % nbase];
-- i /= nbase;
-- fourbyte[3] = ut_id_encstr[i % nbase];
-- i /= nbase;
-- fourbyte[2] = ut_id_encstr[i % nbase];
-- i /= nbase;
-+ int nbase = sizeof(ut_id_encstr) - 1;
-+ /*
-+ * 'ut_id_encstr' is the character set on which modulo arithmetic is done.
-+ * Example: digits would produce the base-10 numbers from '001'.
-+ */
-
-- /* we do not care about overflows as i is a random number */
-- return 0;
-+ for(int i = 0; i < buf_size; i++) {
-+ buf[i] = ut_id_encstr[id % nbase];
-+ id /= nbase;
-+ }
- }
- #endif /* defined(HAVE_UT_UT_ID) */
-
--
- /*
- fill a system utmp structure given all the info we can gather
- */
--static bool sys_utmp_fill(struct utmp *u,
-+static bool sys_utmp_fill(STRUCT_UTMP *u,
- const char *username, const char *hostname,
- const char *id_str, int id_num)
- {
-@@ -509,16 +434,16 @@ static bool sys_utmp_fill(struct utmp *u
- * rather than to try to detect and optimise.
- */
- #if defined(HAVE_UT_UT_USER)
-- utmp_strcpy(u->ut_user, username, sizeof(u->ut_user));
-+ strncpy(u->ut_user, username, sizeof(u->ut_user));
- #elif defined(HAVE_UT_UT_NAME)
-- utmp_strcpy(u->ut_name, username, sizeof(u->ut_name));
-+ strncpy(u->ut_name, username, sizeof(u->ut_name));
- #endif
-
- /*
- * ut_line:
- * If size limit proves troublesome, then perhaps use "ut_id_encode()".
- */
-- utmp_strcpy(u->ut_line, id_str, sizeof(u->ut_line));
-+ strncpy(u->ut_line, id_str, sizeof(u->ut_line));
-
- #if defined(HAVE_UT_UT_PID)
- u->ut_pid = getpid();
-@@ -535,20 +460,23 @@ static bool sys_utmp_fill(struct utmp *u
- u->ut_time = timeval.tv_sec;
- #elif defined(HAVE_UT_UT_TV)
- GetTimeOfDay(&timeval);
-- u->ut_tv = timeval;
-+ u->ut_tv.tv_sec = timeval.tv_sec;
-+ u->ut_tv.tv_usec = timeval.tv_usec;
- #else
- #error "with-utmp must have UT_TIME or UT_TV"
- #endif
-
- #if defined(HAVE_UT_UT_HOST)
-- utmp_strcpy(u->ut_host, hostname, sizeof(u->ut_host));
-+ if(hostname != NULL) {
-+ strncpy(u->ut_host, hostname, sizeof(u->ut_host));
-+#if defined(HAVE_UT_UT_SYSLEN)
-+ u->ut_syslen = strlen(hostname) + 1; /* include trailing NULL */
-+#endif
-+ }
- #endif
-
- #if defined(HAVE_UT_UT_ID)
-- if (ut_id_encode(id_num, u->ut_id) != 0) {
-- DEBUG(1,("utmp_fill: cannot encode id %d\n", id_num));
-- return False;
-- }
-+ ut_id_encode(u->ut_id, id_num, sizeof(u->ut_id));
- #endif
-
- return True;
-@@ -561,7 +489,7 @@ static bool sys_utmp_fill(struct utmp *u
- void sys_utmp_yield(const char *username, const char *hostname,
- const char *id_str, int id_num)
- {
-- struct utmp u;
-+ STRUCT_UTMP u;
-
- ZERO_STRUCT(u);
-
-@@ -587,7 +515,7 @@ void sys_utmp_yield(const char *username
- void sys_utmp_claim(const char *username, const char *hostname,
- const char *id_str, int id_num)
- {
-- struct utmp u;
-+ STRUCT_UTMP u;
-
- ZERO_STRUCT(u);
-
diff --git a/net/samba413/files/patch-source3_torture_cmd__vfs.c b/net/samba413/files/patch-source3_torture_cmd__vfs.c
deleted file mode 100644
index 8ea6cd0ac9f1..000000000000
--- a/net/samba413/files/patch-source3_torture_cmd__vfs.c
+++ /dev/null
@@ -1,140 +0,0 @@
---- source3/torture/cmd_vfs.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/torture/cmd_vfs.c
-@@ -145,7 +145,84 @@ static NTSTATUS cmd_disk_free(struct vfs_state *vfs, T
- return NT_STATUS_OK;
- }
-
-+static NTSTATUS cmd_get_quota(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
-+{
-+ struct smb_filename *smb_fname = NULL;
-+ uint64_t quota, bsize, dfree, dsize;
-+ enum SMB_QUOTA_TYPE qtype;
-+ SMB_DISK_QUOTA D;
-+ unid_t id;
-+ int r;
-
-+ if (argc != 4) {
-+ printf("Usage: get_quota <path> [user|group] id\n");
-+ return NT_STATUS_OK;
-+ }
-+
-+ smb_fname = synthetic_smb_fname(talloc_tos(),
-+ argv[1],
-+ NULL,
-+ NULL,
-+ 0,
-+ ssf_flags());
-+ if (smb_fname == NULL) {
-+ return NT_STATUS_NO_MEMORY;
-+ }
-+
-+ if(strcmp(argv[2], "user") == 0) {
-+ qtype = SMB_USER_FS_QUOTA_TYPE;
-+ }
-+ else if(strcmp(argv[2], "group") == 0) {
-+ qtype = SMB_GROUP_FS_QUOTA_TYPE;
-+ }
-+ else {
-+ printf("Usage: get_quota <path> [user|group] id\n");
-+ return NT_STATUS_OK;
-+ }
-+
-+ id.uid = atoi(argv[3]);
-+
-+ ZERO_STRUCT(D);
-+
-+ r = SMB_VFS_GET_QUOTA(vfs->conn, smb_fname, qtype, id, &D);
-+
-+ if (r == -1 && errno != ENOSYS) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ if (r == 0 && (D.qflags & QUOTAS_DENY_DISK) == 0) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ }
-+
-+ bsize = D.bsize;
-+ /* Use softlimit to determine disk space, except when it has been exceeded */
-+ if (
-+ (D.softlimit && D.curblocks >= D.softlimit) ||
-+ (D.hardlimit && D.curblocks >= D.hardlimit) ||
-+ (D.isoftlimit && D.curinodes >= D.isoftlimit) ||
-+ (D.ihardlimit && D.curinodes>=D.ihardlimit)
-+ ) {
-+ dfree = 0;
-+ dsize = D.curblocks;
-+ } else if (D.softlimit==0 && D.hardlimit==0) {
-+ return NT_STATUS_UNSUCCESSFUL;
-+ } else {
-+ if (D.softlimit == 0) {
-+ D.softlimit = D.hardlimit;
-+ }
-+ dfree = D.softlimit - D.curblocks;
-+ dsize = D.softlimit;
-+ }
-+
-+ printf("get_quota: bsize = %lu, dfree = %lu, dsize = %lu\n",
-+ (unsigned long)bsize,
-+ (unsigned long)dfree,
-+ (unsigned long)dsize);
-+
-+ return NT_STATUS_OK;
-+}
-+
-+
- static NTSTATUS cmd_opendir(struct vfs_state *vfs, TALLOC_CTX *mem_ctx, int argc, const char **argv)
- {
- struct smb_filename *smb_fname = NULL;
-@@ -2028,6 +2105,7 @@ struct cmd_set vfs_commands[] = {
- { "connect", cmd_connect, "VFS connect()", "connect" },
- { "disconnect", cmd_disconnect, "VFS disconnect()", "disconnect" },
- { "disk_free", cmd_disk_free, "VFS disk_free()", "disk_free <path>" },
-+ { "get_quota", cmd_get_quota, "VFS get_quota()", "get_quota <path> [user|group] id" },
- { "opendir", cmd_opendir, "VFS opendir()", "opendir <fname>" },
- { "readdir", cmd_readdir, "VFS readdir()", "readdir" },
- { "mkdir", cmd_mkdir, "VFS mkdir()", "mkdir <path>" },
-@@ -2057,33 +2135,22 @@ struct cmd_set vfs_commands[] = {
- { "link", cmd_link, "VFS link()", "link <oldpath> <newpath>" },
- { "mknod", cmd_mknod, "VFS mknod()", "mknod <path> <mode> <dev>" },
- { "realpath", cmd_realpath, "VFS realpath()", "realpath <path>" },
-- { "getxattr", cmd_getxattr, "VFS getxattr()",
-- "getxattr <path> <name>" },
-- { "listxattr", cmd_listxattr, "VFS listxattr()",
-- "listxattr <path>" },
-- { "setxattr", cmd_setxattr, "VFS setxattr()",
-- "setxattr <path> <name> <value> [<flags>]" },
-- { "removexattr", cmd_removexattr, "VFS removexattr()",
-- "removexattr <path> <name>\n" },
-- { "fget_nt_acl", cmd_fget_nt_acl, "VFS fget_nt_acl()",
-- "fget_nt_acl <fd>\n" },
-- { "get_nt_acl", cmd_get_nt_acl, "VFS get_nt_acl()",
-- "get_nt_acl <path>\n" },
-- { "fset_nt_acl", cmd_fset_nt_acl, "VFS fset_nt_acl()",
-- "fset_nt_acl <fd>\n" },
-- { "set_nt_acl", cmd_set_nt_acl, "VFS open() and fset_nt_acl()",
-- "set_nt_acl <file>\n" },
-+ { "getxattr", cmd_getxattr, "VFS getxattr()", "getxattr <path> <name>" },
-+ { "listxattr", cmd_listxattr, "VFS listxattr()", "listxattr <path>" },
-+ { "setxattr", cmd_setxattr, "VFS setxattr()", "setxattr <path> <name> <value> [<flags>]" },
-+ { "removexattr", cmd_removexattr, "VFS removexattr()", "removexattr <path> <name>\n" },
-+ { "fget_nt_acl", cmd_fget_nt_acl, "VFS fget_nt_acl()", "fget_nt_acl <fd>\n" },
-+ { "get_nt_acl", cmd_get_nt_acl, "VFS get_nt_acl()", "get_nt_acl <path>\n" },
-+ { "fset_nt_acl", cmd_fset_nt_acl, "VFS fset_nt_acl()", "fset_nt_acl <fd>\n" },
-+ { "set_nt_acl", cmd_set_nt_acl, "VFS open() and fset_nt_acl()", "set_nt_acl <file>\n" },
- { "sys_acl_get_file", cmd_sys_acl_get_file, "VFS sys_acl_get_file()", "sys_acl_get_file <path>" },
- { "sys_acl_get_fd", cmd_sys_acl_get_fd, "VFS sys_acl_get_fd()", "sys_acl_get_fd <fd>" },
-- { "sys_acl_blob_get_file", cmd_sys_acl_blob_get_file,
-- "VFS sys_acl_blob_get_file()", "sys_acl_blob_get_file <path>" },
-- { "sys_acl_blob_get_fd", cmd_sys_acl_blob_get_fd,
-- "VFS sys_acl_blob_get_fd()", "sys_acl_blob_get_fd <path>" },
-+ { "sys_acl_blob_get_file", cmd_sys_acl_blob_get_file, "VFS sys_acl_blob_get_file()", "sys_acl_blob_get_file <path>" },
-+ { "sys_acl_blob_get_fd", cmd_sys_acl_blob_get_fd, "VFS sys_acl_blob_get_fd()", "sys_acl_blob_get_fd <path>" },
- { "sys_acl_delete_def_file", cmd_sys_acl_delete_def_file, "VFS sys_acl_delete_def_file()", "sys_acl_delete_def_file <path>" },
-
-
-- { "test_chain", cmd_test_chain, "test chain code",
-- "test_chain" },
-+ { "test_chain", cmd_test_chain, "test chain code", "test_chain" },
- { "translate_name", cmd_translate_name, "VFS translate_name()", "translate_name unix_filename" },
- {0}
- };
diff --git a/net/samba413/files/patch-source3_utils_net.c b/net/samba413/files/patch-source3_utils_net.c
deleted file mode 100644
index 8a05070550bd..000000000000
--- a/net/samba413/files/patch-source3_utils_net.c
+++ /dev/null
@@ -1,18 +0,0 @@
---- source3/utils/net.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/utils/net.c
-@@ -1096,8 +1096,13 @@ static void get_credentials_file(struct
- lp_set_cmdline("netbios name", c->opt_requester_name);
- }
-
-- if (!c->opt_user_name && getenv("LOGNAME")) {
-- c->opt_user_name = getenv("LOGNAME");
-+ if (!c->opt_user_name) {
-+ if(getenv("LOGNAME"))
-+ c->opt_user_name = getenv("LOGNAME");
-+ else
-+ d_fprintf(stderr,
-+ _("Environment LOGNAME is not defined."
-+ " Trying anonymous access.\n"));
- }
-
- if (!c->opt_workgroup) {
diff --git a/net/samba413/files/patch-source3_utils_net__time.c b/net/samba413/files/patch-source3_utils_net__time.c
deleted file mode 100644
index adcbd9001d85..000000000000
--- a/net/samba413/files/patch-source3_utils_net__time.c
+++ /dev/null
@@ -1,19 +0,0 @@
---- source3/utils/net_time.c.orig 2019-01-15 10:07:00 UTC
-+++ source3/utils/net_time.c
-@@ -81,10 +81,15 @@ static const char *systime(time_t t)
- if (!tm) {
- return "unknown";
- }
--
-+#if defined(FREEBSD)
-+ return talloc_asprintf(talloc_tos(), "%02d%02d%02d%02d%02d.%02d",
-+ tm->tm_year + 1900, tm->tm_mon+1, tm->tm_mday,
-+ tm->tm_hour, tm->tm_min, tm->tm_sec);
-+#else
- return talloc_asprintf(talloc_tos(), "%02d%02d%02d%02d%04d.%02d",
- tm->tm_mon+1, tm->tm_mday, tm->tm_hour,
- tm->tm_min, tm->tm_year + 1900, tm->tm_sec);
-+#endif
- }
-
- int net_time_usage(struct net_context *c, int argc, const char **argv)
diff --git a/net/samba413/files/patch-source3_winbindd_wscript__build b/net/samba413/files/patch-source3_winbindd_wscript__build
deleted file mode 100644
index 60acba0507a6..000000000000
--- a/net/samba413/files/patch-source3_winbindd_wscript__build
+++ /dev/null
@@ -1,11 +0,0 @@
---- source3/winbindd/wscript_build.orig 2019-01-15 10:07:00 UTC
-+++ source3/winbindd/wscript_build
-@@ -2,7 +2,7 @@
-
- bld.SAMBA3_LIBRARY('idmap',
- source='idmap.c idmap_util.c',
-- deps='samba-util pdb',
-+ deps='pdb samba-modules secrets3',
- allow_undefined_symbols=True,
- private_library=True)
-
diff --git a/net/samba413/files/patch-source3_wscript b/net/samba413/files/patch-source3_wscript
deleted file mode 100644
index 966121ea1137..000000000000
--- a/net/samba413/files/patch-source3_wscript
+++ /dev/null
@@ -1,84 +0,0 @@
---- source3/wscript.orig 2019-07-09 10:08:41 UTC
-+++ source3/wscript
-@@ -50,6 +50,7 @@ def options(opt):
- opt.samba_add_onoff_option('sendfile-support', default=None)
- opt.samba_add_onoff_option('utmp')
- opt.samba_add_onoff_option('avahi', with_name="enable", without_name="disable")
-+ opt.samba_add_onoff_option('dnssd', with_name="enable", without_name="disable")
- opt.samba_add_onoff_option('iconv')
- opt.samba_add_onoff_option('acl-support')
- opt.samba_add_onoff_option('dnsupdate')
-@@ -784,34 +785,39 @@ msg.msg_accrightslen = sizeof(fd);
-
- if Options.options.with_utmp:
- conf.env.with_utmp = True
-- if not conf.CHECK_HEADERS('utmp.h'): conf.env.with_utmp = False
-- conf.CHECK_FUNCS('pututline pututxline updwtmp updwtmpx getutmpx getutxent')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_name', headers='utmp.h',
-+ if not conf.CHECK_HEADERS('utmpx.h') and not conf.CHECK_HEADERS('utmp.h'):
-+ conf.env.with_utmp = False
-+ if conf.CONFIG_SET('HAVE_UTMPX_H'):
-+ conf.DEFINE('STRUCT_UTMP', 'struct utmpx')
-+ elif conf.CONFIG_SET('HAVE_UTMP_H'):
-+ conf.DEFINE('STRUCT_UTMP', 'struct utmp')
-+ conf.CHECK_FUNCS('pututxline getutxid getutxline updwtmpx getutmpx setutxent endutxent')
-+ conf.CHECK_FUNCS('pututline getutid getutline updwtmp getutmp setutent endutent')
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_name', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_NAME')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_user', headers='utmp.h',
-+
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_user', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_USER')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_id', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_id', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_ID')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_host', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_host', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_HOST')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_time', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_time', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_TIME')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_tv', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_tv', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_TV')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_type', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_type', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_TYPE')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_pid', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_pid', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_PID')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmp', 'ut_exit.e_exit', headers='utmp.h',
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_exit.e_exit', headers='utmpx.h utmp.h',
- define='HAVE_UT_UT_EXIT')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmpx', 'ut_syslen', headers='utmpx.h',
-- define='HAVE_UX_UT_SYSLEN')
-- conf.CHECK_STRUCTURE_MEMBER('struct utmpx', 'ut_host', headers='utmpx.h',
-- define='HAVE_UX_UT_HOST')
-+ conf.CHECK_STRUCTURE_MEMBER('STRUCT_UTMP', 'ut_syslen', headers='utmpx.h utmp.h',
-+ define='HAVE_UT_UT_SYSLEN')
- conf.CHECK_CODE('struct utmp utarg; struct utmp *utreturn; utreturn = pututline(&utarg);',
- 'PUTUTLINE_RETURNS_UTMP', headers='utmp.h',
- msg="Checking whether pututline returns pointer")
-- conf.CHECK_SIZEOF(['((struct utmp *)NULL)->ut_line'], headers='utmp.h',
-+ conf.CHECK_SIZEOF(['((STRUCT_UTMP *)NULL)->ut_line'], headers='utmpx.h utmp.h',
- define='SIZEOF_UTMP_UT_LINE', critical=False)
- if not conf.CONFIG_SET('SIZEOF_UTMP_UT_LINE'):
- conf.env.with_utmp = False
-@@ -833,6 +839,17 @@ msg.msg_accrightslen = sizeof(fd);
- conf.SET_TARGET_TYPE('avahi-common', 'EMPTY')
- conf.SET_TARGET_TYPE('avahi-client', 'EMPTY')
-
-+ if Options.options.with_dnssd:
-+ conf.env.with_dnssd = True
-+ if not conf.CHECK_HEADERS('dns_sd.h'):
-+ conf.env.with_dnssd = False
-+ if not conf.CHECK_FUNCS_IN('DNSServiceRegister', 'dns_sd'):
-+ conf.env.with_dnssd = False
-+ if conf.env.with_dnssd:
-+ conf.DEFINE('WITH_DNSSD_SUPPORT', 1)
-+ else:
-+ conf.SET_TARGET_TYPE('dns_sd', 'EMPTY')
-+
- if Options.options.with_iconv:
- conf.env.with_iconv = True
- if not conf.CHECK_FUNCS_IN('iconv_open', 'iconv', headers='iconv.h'):
diff --git a/net/samba413/files/patch-source3_wscript__build b/net/samba413/files/patch-source3_wscript__build
deleted file mode 100644
index 57cea9d5aecf..000000000000
--- a/net/samba413/files/patch-source3_wscript__build
+++ /dev/null
@@ -1,60 +0,0 @@
---- source3/wscript_build.orig 2020-07-09 13:33:56 UTC
-+++ source3/wscript_build
-@@ -233,11 +233,9 @@ bld.SAMBA3_SUBSYSTEM('SMBREGISTRY',
- talloc
- replace
- util_reg
-- samba-util
-- samba-security
- errors3
- dbwrap
-- samba3-util
-+ samba3util
- ''')
-
- # Do not link against this use 'smbconf'
-@@ -495,7 +493,7 @@ bld.SAMBA3_LIBRARY('secrets3',
-
- bld.SAMBA3_LIBRARY('smbldap',
- source='lib/smbldap.c',
-- deps='ldap lber samba-util smbconf',
-+ deps='ldap lber samba3util smbd_shim samba-debug smbconf',
- enabled=bld.CONFIG_SET("HAVE_LDAP"),
- private_library=False,
- abi_directory='lib/ABI',
-@@ -721,6 +719,7 @@ bld.SAMBA3_LIBRARY('smbd_base',
- smbd_conn
- param_service
- AVAHI
-+ dns_sd
- PRINTBASE
- PROFILE
- LOCKING
-@@ -1129,6 +1128,7 @@ bld.SAMBA3_BINARY('client/smbclient',
- msrpc3
- RPC_NDR_SRVSVC
- cli_smb_common
-+ dns_sd
- archive
- ''')
-
-@@ -1153,8 +1153,8 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
- enabled=bld.CONFIG_SET('HAVE_CUPS'))
-
- bld.SAMBA3_BINARY('smbspool_argv_wrapper',
-- source='script/tests/smbspool_argv_wrapper.c',
-- for_selftest=True)
-+ source='script/tests/smbspool_argv_wrapper.c',
-+ for_selftest=True)
-
- bld.SAMBA3_BINARY('locktest2',
- source='torture/locktest2.c',
-@@ -1303,7 +1303,7 @@ bld.SAMBA3_BINARY('vfstest',
- smbconf
- SMBREADLINE
- ''',
-- for_selftest=True)
-+ install=True)
-
- bld.SAMBA3_BINARY('versiontest',
- source='lib/version_test.c',
diff --git a/net/samba413/files/patch-source4_heimdal_lib_roken_rand.c b/net/samba413/files/patch-source4_heimdal_lib_roken_rand.c
deleted file mode 100644
index 5d2fab694d8a..000000000000
--- a/net/samba413/files/patch-source4_heimdal_lib_roken_rand.c
+++ /dev/null
@@ -1,10 +0,0 @@
---- source4/heimdal/lib/roken/rand.c.orig 2019-01-15 10:07:00 UTC
-+++ source4/heimdal/lib/roken/rand.c
-@@ -37,7 +37,6 @@ void ROKEN_LIB_FUNCTION
- rk_random_init(void)
- {
- #if defined(HAVE_ARC4RANDOM)
-- arc4random_stir();
- #elif defined(HAVE_SRANDOMDEV)
- srandomdev();
- #elif defined(HAVE_RANDOM)
diff --git a/net/samba413/files/patch-source4_kdc_kdc-service-mit.c b/net/samba413/files/patch-source4_kdc_kdc-service-mit.c
deleted file mode 100644
index 06624be7b94f..000000000000
--- a/net/samba413/files/patch-source4_kdc_kdc-service-mit.c
+++ /dev/null
@@ -1,17 +0,0 @@
---- source4/kdc/kdc-service-mit.c.orig 2019-01-15 10:07:00 UTC
-+++ source4/kdc/kdc-service-mit.c
-@@ -36,9 +36,13 @@
- #include "kdc/samba_kdc.h"
- #include "kdc/kdc-server.h"
- #include "kdc/kpasswd-service.h"
--#include <kadm5/admin.h>
- #include <kdb.h>
-
-+#pragma clang diagnostic push
-+#pragma clang diagnostic ignored "-Wstrict-prototypes"
-+#include <kadm5/admin.h>
-+#pragma clang diagnostic pop
-+
- #include "source4/kdc/mit_kdc_irpc.h"
-
- /* PROTOTYPES */
diff --git a/net/samba413/files/patch-third__party_wscript b/net/samba413/files/patch-third__party_wscript
deleted file mode 100644
index ce49f09109a0..000000000000
--- a/net/samba413/files/patch-third__party_wscript
+++ /dev/null
@@ -1,10 +0,0 @@
---- third_party/wscript.orig 2020-09-15 22:45:54 UTC
-+++ third_party/wscript
-@@ -7,7 +7,6 @@ from waflib import Options, Errors
-
- # work out what python external libraries we need to install
- external_pkgs = {
-- "iso8601": "pyiso8601/iso8601",
- }
-
-
diff --git a/net/samba413/files/patch-vfs_freebsd b/net/samba413/files/patch-vfs_freebsd
deleted file mode 100644
index dd88587c260f..000000000000
--- a/net/samba413/files/patch-vfs_freebsd
+++ /dev/null
@@ -1,1002 +0,0 @@
---- docs-xml/wscript_build.orig 2019-06-25 00:52:38 UTC
-+++ docs-xml/wscript_build
-@@ -79,6 +79,7 @@ vfs_module_manpages = ['vfs_acl_tdb',
- 'vfs_extd_audit',
- 'vfs_fake_perms',
- 'vfs_fileid',
-+ 'vfs_freebsd',
- 'vfs_fruit',
- 'vfs_full_audit',
- 'vfs_glusterfs',
---- source3/modules/wscript_build.orig 2019-05-07 08:38:21 UTC
-+++ source3/modules/wscript_build
-@@ -630,6 +630,14 @@ bld.SAMBA3_MODULE('vfs_delay_inject',
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_delay_inject'),
- install=False)
-
-+bld.SAMBA3_MODULE('vfs_freebsd',
-+ subsystem='vfs',
-+ source='vfs_freebsd.c',
-+ deps='samba-util',
-+ init_function='',
-+ internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_freebsd'),
-+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_freebsd'))
-+
- bld.SAMBA3_MODULE('vfs_widelinks',
- subsystem='vfs',
- source='vfs_widelinks.c',
---- source3/modules/vfs_freebsd.c.orig 2019-06-22 11:56:57 UTC
-+++ source3/modules/vfs_freebsd.c
-@@ -0,0 +1,800 @@
-+/*
-+ * This module implements VFS calls specific to FreeBSD
-+ *
-+ * Copyright (C) Timur I. Bakeyev, 2018
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include "includes.h"
-+
-+#include "lib/util/tevent_unix.h"
-+#include "lib/util/tevent_ntstatus.h"
-+#include "system/filesys.h"
-+
-+#include <sys/sysctl.h>
-+
-+static int vfs_freebsd_debug_level = DBGC_VFS;
-+
-+#undef DBGC_CLASS
-+#define DBGC_CLASS vfs_freebsd_debug_level
-+
-+#ifndef EXTATTR_MAXNAMELEN
-+#define EXTATTR_MAXNAMELEN UINT8_MAX
-+#endif
-+
-+#define EXTATTR_NAMESPACE(NS) EXTATTR_NAMESPACE_ ## NS, \
-+ EXTATTR_NAMESPACE_ ## NS ## _STRING ".", \
-+ .data.len = (sizeof(EXTATTR_NAMESPACE_ ## NS ## _STRING ".") - 1)
-+
-+#define EXTATTR_EMPTY 0x00
-+#define EXTATTR_USER 0x01
-+#define EXTATTR_SYSTEM 0x02
-+#define EXTATTR_SECURITY 0x03
-+#define EXTATTR_TRUSTED 0x04
-+
-+enum extattr_mode {
-+ FREEBSD_EXTATTR_SECURE,
-+ FREEBSD_EXTATTR_COMPAT,
-+ FREEBSD_EXTATTR_LEGACY
-+};
-+
-+typedef struct {
-+ int namespace;
-+ char name[EXTATTR_MAXNAMELEN+1];
-+ union {
-+ uint16_t len;
-+ uint16_t flags;
-+ } data;
-+} extattr_attr;
-+
-+typedef struct {
-+ enum {
-+ EXTATTR_FILE, EXTATTR_LINK, EXTATTR_FDES
-+ } method;
-+ union {
-+ const char *path;
-+ int filedes;
-+ } param;
-+} extattr_arg;
-+
-+static const struct enum_list extattr_mode_param[] = {
-+ { FREEBSD_EXTATTR_SECURE, "secure" }, /* */
-+ { FREEBSD_EXTATTR_COMPAT, "compat" }, /* */
-+ { FREEBSD_EXTATTR_LEGACY, "legacy" }, /* */
-+ { -1, NULL }
-+};
-+
-+
-+/* */
-+struct freebsd_handle_data {
-+ enum extattr_mode extattr_mode;
-+};
-+
-+
-+/* XXX: This order doesn't match namespace ids order! */
-+static extattr_attr extattr[] = {
-+ { EXTATTR_NAMESPACE(EMPTY) },
-+ { EXTATTR_NAMESPACE(SYSTEM) },
-+ { EXTATTR_NAMESPACE(USER) },
-+};
-+
-+
-+static bool freebsd_in_jail(void) {
-+ int val = 0;
-+ size_t val_len = sizeof(val);
-+
-+ if((sysctlbyname("security.jail.jailed", &val, &val_len, NULL, 0) != -1) && val == 1) {
-+ return true;
-+ }
-+ return false;
-+}
-+
-+static uint16_t freebsd_map_attrname(const char *name)
-+{
-+ if(name == NULL || name[0] == '\0') {
-+ return EXTATTR_EMPTY;
-+ }
-+
-+ switch(name[0]) {
-+ case 'u':
-+ if(strncmp(name, "user.", 5) == 0)
-+ return EXTATTR_USER;
-+ break;
-+ case 't':
-+ if(strncmp(name, "trusted.", 8) == 0)
-+ return EXTATTR_TRUSTED;
-+ break;
-+ case 's':
-+ /* name[1] could be any character, including '\0' */
-+ switch(name[1]) {
-+ case 'e':
-+ if(strncmp(name, "security.", 9) == 0)
-+ return EXTATTR_SECURITY;
-+ break;
-+ case 'y':
-+ if(strncmp(name, "system.", 7) == 0)
-+ return EXTATTR_SYSTEM;
-+ break;
-+ }
-+ break;
-+ }
-+ return EXTATTR_USER;
-+}
-+
-+/* security, system, trusted or user */
-+static extattr_attr* freebsd_map_xattr(enum extattr_mode extattr_mode, const char *name, extattr_attr *attr)
-+{
-+ int attrnamespace = EXTATTR_NAMESPACE_EMPTY;
-+ const char *p, *attrname = name;
-+
-+ if(name == NULL || name[0] == '\0') {
-+ return NULL;
-+ }
-+
-+ if(attr == NULL) {
-+ return NULL;
-+ }
-+
-+ uint16_t flags = freebsd_map_attrname(name);
-+
-+ switch(flags) {
-+ case EXTATTR_SECURITY:
-+ case EXTATTR_TRUSTED:
-+ case EXTATTR_SYSTEM:
-+ attrnamespace = (extattr_mode == FREEBSD_EXTATTR_SECURE) ?
-+ EXTATTR_NAMESPACE_SYSTEM :
-+ EXTATTR_NAMESPACE_USER;
-+ break;
-+ case EXTATTR_USER:
-+ attrnamespace = EXTATTR_NAMESPACE_USER;
-+ break;
-+ default:
-+ /* Default to "user" namespace if nothing else was specified */
-+ attrnamespace = EXTATTR_NAMESPACE_USER;
-+ flags = EXTATTR_USER;
-+ break;
-+ }
-+
-+ if (extattr_mode == FREEBSD_EXTATTR_LEGACY) {
-+ switch(flags) {
-+ case EXTATTR_SECURITY:
-+ attrname = name + 9;
-+ break;
-+ case EXTATTR_TRUSTED:
-+ attrname = name + 8;
-+ break;
-+ case EXTATTR_SYSTEM:
-+ attrname = name + 7;
-+ break;
-+ case EXTATTR_USER:
-+ attrname = name + 5;
-+ break;
-+ default:
-+ attrname = ((p=strchr(name, '.')) != NULL) ? p + 1 : name;
-+ break;
-+ }
-+ }
-+
-+ attr->namespace = attrnamespace;
-+ attr->data.flags = flags;
-+ strlcpy(attr->name, attrname, EXTATTR_MAXNAMELEN + 1);
-+
-+ return attr;
-+}
-+
-+static ssize_t extattr_size(extattr_arg arg, extattr_attr *attr)
-+{
-+ ssize_t result;
-+
-+ switch(arg.method) {
-+#if defined(HAVE_XATTR_EXTATTR)
-+ case EXTATTR_FILE:
-+ result = extattr_get_file(arg.param.path, attr->namespace, attr->name, NULL, 0);
-+ break;
-+ case EXTATTR_LINK:
-+ result = extattr_get_link(arg.param.path, attr->namespace, attr->name, NULL, 0);
-+ break;
-+ case EXTATTR_FDES:
-+ result = extattr_get_fd(arg.param.filedes, attr->namespace, attr->name, NULL, 0);
-+ break;
-+#endif
-+ default:
-+ errno = ENOSYS;
-+ return -1;
-+ }
-+
-+ if(result < 0) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ return result;
-+}
-+
-+
-+/*
-+ * The list of names is returned as an unordered array of NULL-terminated
-+ * character strings (attribute names are separated by NULL characters),
-+ * like this:
-+ * user.name1\0system.name1\0user.name2\0
-+ *
-+ * Filesystems like ext2, ext3 and XFS which implement POSIX ACLs using
-+ * extended attributes, might return a list like this:
-+ * system.posix_acl_access\0system.posix_acl_default\0
-+ */
-+/*
-+ * The extattr_list_file() returns a list of attributes present in the
-+ * requested namespace. Each list entry consists of a single byte containing
-+ * the length of the attribute name, followed by the attribute name. The
-+ * attribute name is not terminated by ASCII 0 (nul).
-+*/
-+
-+static ssize_t freebsd_extattr_list(extattr_arg arg, enum extattr_mode extattr_mode, char *list, size_t size)
-+{
-+ ssize_t list_size, total_size = 0;
-+ char *p, *q, *list_end;
-+ int len;
-+ /*
-+ Ignore all but user namespace when we are not root or in jail
-+ See: https://bugzilla.samba.org/show_bug.cgi?id=10247
-+ */
-+ bool as_root = (geteuid() == 0);
-+
-+ int ns = (extattr_mode == FREEBSD_EXTATTR_SECURE && as_root) ? 1 : 2;
-+
-+ /* Iterate through extattr(2) namespaces */
-+ for(; ns < ARRAY_SIZE(extattr); ns++) {
-+ switch(arg.method) {
-+#if defined(HAVE_XATTR_EXTATTR)
-+ case EXTATTR_FILE:
-+ list_size = extattr_list_file(arg.param.path, extattr[ns].namespace, list, size);
-+ break;
-+ case EXTATTR_LINK:
-+ list_size = extattr_list_link(arg.param.path, extattr[ns].namespace, list, size);
-+ break;
-+ case EXTATTR_FDES:
-+ list_size = extattr_list_fd(arg.param.filedes, extattr[ns].namespace, list, size);
-+ break;
-+#endif
-+ default:
-+ errno = ENOSYS;
-+ return -1;
-+ }
-+ /* Some error happend. Errno should be set by the previous call */
-+ if(list_size < 0)
-+ return -1;
-+ /* No attributes in this namespace */
-+ if(list_size == 0)
-+ continue;
-+ /*
-+ Call with an empty buffer may be used to calculate
-+ necessary buffer size.
-+ */
-+ if(list == NULL) {
-+ /*
-+ XXX: Unfortunately, we can't say, how many attributes were
-+ returned, so here is the potential problem with the emulation.
-+ */
-+ if(extattr_mode == FREEBSD_EXTATTR_LEGACY) {
-+ /*
-+ Take the worse case of one char attribute names -
-+ two bytes per name plus one more for sanity.
-+ */
-+ total_size += list_size + (list_size/2 + 1)*extattr[ns].data.len;
-+ }
-+ else {
-+ total_size += list_size;
-+ }
-+ continue;
-+ }
-+
-+ if(extattr_mode == FREEBSD_EXTATTR_LEGACY) {
-+ /* Count necessary offset to fit namespace prefixes */
-+ int extra_len = 0;
-+ uint16_t flags;
-+ list_end = list + list_size;
-+ for(list_size = 0, p = q = list; p < list_end; p += len) {
-+ len = p[0] + 1;
-+ (void)strlcpy(q, p + 1, len);
-+ flags = freebsd_map_attrname(q);
-+ /* Skip secure attributes for non-root user */
-+ if(extattr_mode != FREEBSD_EXTATTR_SECURE && !as_root && flags > EXTATTR_USER) {
-+ continue;
-+ }
-+ if(flags <= EXTATTR_USER) {
-+ /* Don't count trailing '\0' */
-+ extra_len += extattr[ns].data.len;
-+ }
-+ list_size += len;
-+ q += len;
-+ }
-+ total_size += list_size + extra_len;
-+ /* Buffer is too small to fit the results */
-+ if(total_size > size) {
-+ errno = ERANGE;
-+ return -1;
-+ }
-+ /* Shift results backwards, so we can prepend prefixes */
-+ list_end = list + extra_len;
-+ p = (char*)memmove(list_end, list, list_size);
-+ /*
-+ We enter the loop with `p` pointing to the shifted list and
-+ `extra_len` having the total margin between `list` and `p`
-+ */
-+ for(list_end += list_size; p < list_end; p += len) {
-+ len = strlen(p) + 1;
-+ flags = freebsd_map_attrname(p);
-+ if(flags <= EXTATTR_USER) {
-+ /* Add namespace prefix */
-+ (void)strncpy(list, extattr[ns].name, extattr[ns].data.len);
-+ list += extattr[ns].data.len;
-+ }
-+ /* Append attribute name */
-+ (void)strlcpy(list, p, len);
-+ list += len;
-+ }
-+ }
-+ else {
-+ /* Convert UCSD strings into nul-terminated strings */
-+ for(list_end = list + list_size; list < list_end; list += len) {
-+ len = list[0] + 1;
-+ (void)strlcpy(list, list + 1, len);
-+ }
-+ total_size += list_size;
-+ }
-+ }
-+ return total_size;
-+}
-+
-+/*
-+static ssize_t freebsd_getxattr_size(vfs_handle_struct *handle,
-+ const struct smb_filename *smb_fname,
-+ const char *name)
-+{
-+ struct freebsd_handle_data *data;
-+ extattr_arg arg = { EXTATTR_FILE, smb_fname->base_name };
-+ extattr_attr attr;
-+
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ return extattr_size(arg, &attr);
-+}
-+*/
-+
-+/* VFS entries */
-+static ssize_t freebsd_getxattr(vfs_handle_struct *handle,
-+ const struct smb_filename *smb_fname,
-+ const char *name,
-+ void *value,
-+ size_t size)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_arg arg = { EXTATTR_FILE, .param.path = smb_fname->base_name };
-+ extattr_attr attr;
-+ ssize_t res;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ /*
-+ * The BSD implementation has a nasty habit of silently truncating
-+ * the returned value to the size of the buffer, so we have to check
-+ * that the buffer is large enough to fit the returned value.
-+ */
-+ if((res=extattr_size(arg, &attr)) < 0) {
-+ return -1;
-+ }
-+
-+ if (size == 0) {
-+ return res;
-+ }
-+ else if (res > size) {
-+ errno = ERANGE;
-+ return -1;
-+ }
-+
-+ if((res=extattr_get_file(smb_fname->base_name, attr.namespace, attr.name, value, size)) >= 0) {
-+ return res;
-+ }
-+ return -1;
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static ssize_t freebsd_fgetxattr(vfs_handle_struct *handle,
-+ struct files_struct *fsp, const char *name,
-+ void *value, size_t size)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_arg arg = { EXTATTR_FDES, .param.filedes = fsp->fh->fd };
-+ extattr_attr attr;
-+ ssize_t res;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ /*
-+ * The BSD implementation has a nasty habit of silently truncating
-+ * the returned value to the size of the buffer, so we have to check
-+ * that the buffer is large enough to fit the returned value.
-+ */
-+ if((res=extattr_size(arg, &attr)) < 0) {
-+ return -1;
-+ }
-+
-+ if (size == 0) {
-+ return res;
-+ }
-+ else if (res > size) {
-+ errno = ERANGE;
-+ return -1;
-+ }
-+
-+ if((res=extattr_get_fd(fsp->fh->fd, attr.namespace, attr.name, value, size)) >= 0) {
-+ return res;
-+ }
-+ return -1;
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static ssize_t freebsd_listxattr(vfs_handle_struct *handle,
-+ const struct smb_filename *smb_fname,
-+ char *list,
-+ size_t size)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ extattr_arg arg = { EXTATTR_FILE, .param.path = smb_fname->base_name };
-+
-+ return freebsd_extattr_list(arg, data->extattr_mode, list, size);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static ssize_t freebsd_flistxattr(vfs_handle_struct *handle,
-+ struct files_struct *fsp, char *list,
-+ size_t size)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_arg arg = { EXTATTR_FDES, .param.filedes = fsp->fh->fd };
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ return freebsd_extattr_list(arg, data->extattr_mode, list, size);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+static int freebsd_removexattr(vfs_handle_struct *handle,
-+ const struct smb_filename *smb_fname,
-+ const char *name)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_attr attr;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ return extattr_delete_file(smb_fname->base_name, attr.namespace, attr.name);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static int freebsd_fremovexattr(vfs_handle_struct *handle,
-+ struct files_struct *fsp, const char *name)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_attr attr;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ return extattr_delete_fd(fsp->fh->fd, attr.namespace, attr.name);
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static int freebsd_setxattr(vfs_handle_struct *handle,
-+ const struct smb_filename *smb_fname,
-+ const char *name,
-+ const void *value,
-+ size_t size,
-+ int flags)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_attr attr;
-+ ssize_t res;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ if (flags) {
-+ extattr_arg arg = { EXTATTR_FILE, .param.path = smb_fname->base_name };
-+ /* Check attribute existence */
-+ res = extattr_size(arg, &attr);
-+ if (res < 0) {
-+ /* REPLACE attribute, that doesn't exist */
-+ if ((flags & XATTR_REPLACE) && errno == ENOATTR) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+ /* Ignore other errors */
-+ }
-+ else {
-+ /* CREATE attribute, that already exists */
-+ if (flags & XATTR_CREATE) {
-+ errno = EEXIST;
-+ return -1;
-+ }
-+ }
-+ }
-+ res = extattr_set_file(smb_fname->base_name, attr.namespace, attr.name, value, size);
-+
-+ return (res >= 0) ? 0 : -1;
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+
-+static int freebsd_fsetxattr(vfs_handle_struct *handle, struct files_struct *fsp,
-+ const char *name, const void *value, size_t size,
-+ int flags)
-+{
-+#if defined(HAVE_XATTR_EXTATTR)
-+ struct freebsd_handle_data *data;
-+ extattr_attr attr;
-+ ssize_t res;
-+
-+ SMB_VFS_HANDLE_GET_DATA(handle, data,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ if(!freebsd_map_xattr(data->extattr_mode, name, &attr)) {
-+ errno = EINVAL;
-+ return -1;
-+ }
-+
-+ /* Filter out 'secure' entries */
-+ if(data->extattr_mode != FREEBSD_EXTATTR_SECURE && geteuid() != 0 && attr.data.flags > EXTATTR_USER) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+
-+ if (flags) {
-+ extattr_arg arg = { EXTATTR_FDES, .param.filedes = fsp->fh->fd };
-+ /* Check attribute existence */
-+ res = extattr_size(arg, &attr);
-+ if (res < 0) {
-+ /* REPLACE attribute, that doesn't exist */
-+ if ((flags & XATTR_REPLACE) && errno == ENOATTR) {
-+ errno = ENOATTR;
-+ return -1;
-+ }
-+ /* Ignore other errors */
-+ }
-+ else {
-+ /* CREATE attribute, that already exists */
-+ if (flags & XATTR_CREATE) {
-+ errno = EEXIST;
-+ return -1;
-+ }
-+ }
-+ }
-+
-+ res = extattr_set_fd(fsp->fh->fd, attr.namespace, attr.name, value, size);
-+
-+ return (res >= 0) ? 0 : -1;
-+#else
-+ errno = ENOSYS;
-+ return -1;
-+#endif
-+}
-+
-+static int freebsd_connect(vfs_handle_struct *handle, const char *service,
-+ const char *user)
-+{
-+ struct freebsd_handle_data *data;
-+ int enumval, saved_errno;
-+
-+ int ret = SMB_VFS_NEXT_CONNECT(handle, service, user);
-+
-+ if (ret < 0) {
-+ return ret;
-+ }
-+
-+ data = talloc_zero(handle->conn, struct freebsd_handle_data);
-+ if (!data) {
-+ saved_errno = errno;
-+ SMB_VFS_NEXT_DISCONNECT(handle);
-+ DEBUG(0, ("talloc_zero() failed\n"));
-+ errno = saved_errno;
-+ return -1;
-+ }
-+
-+ enumval = lp_parm_enum(SNUM(handle->conn), "freebsd",
-+ "extattr mode", extattr_mode_param, FREEBSD_EXTATTR_LEGACY);
-+ if (enumval == -1) {
-+ saved_errno = errno;
-+ SMB_VFS_NEXT_DISCONNECT(handle);
-+ DBG_DEBUG("value for freebsd: 'extattr mode' is unknown\n");
-+ errno = saved_errno;
-+ return -1;
-+ }
-+
-+ if(freebsd_in_jail()) {
-+ enumval = FREEBSD_EXTATTR_COMPAT;
-+ DBG_WARNING("running in jail, enforcing 'compat' mode\n");
-+ }
-+
-+ data->extattr_mode = (enum extattr_mode)enumval;
-+
-+ SMB_VFS_HANDLE_SET_DATA(handle, data, NULL,
-+ struct freebsd_handle_data,
-+ return -1);
-+
-+ DBG_DEBUG("connect to service[%s] with '%s' extattr mode\n",
-+ service, extattr_mode_param[data->extattr_mode].name);
-+
-+ return 0;
-+}
-+
-+static void freebsd_disconnect(vfs_handle_struct *handle)
-+{
-+ SMB_VFS_NEXT_DISCONNECT(handle);
-+}
-+
-+/* VFS operations structure */
-+
-+struct vfs_fn_pointers freebsd_fns = {
-+ /* Disk operations */
-+
-+ .connect_fn = freebsd_connect,
-+ .disconnect_fn = freebsd_disconnect,
-+
-+ /* EA operations. */
-+ .getxattr_fn = freebsd_getxattr,
-+ .fgetxattr_fn = freebsd_fgetxattr,
-+ .listxattr_fn = freebsd_listxattr,
-+ .flistxattr_fn = freebsd_flistxattr,
-+ .removexattr_fn = freebsd_removexattr,
-+ .fremovexattr_fn = freebsd_fremovexattr,
-+ .setxattr_fn = freebsd_setxattr,
-+ .fsetxattr_fn = freebsd_fsetxattr,
-+};
-+
-+static_decl_vfs;
-+NTSTATUS vfs_freebsd_init(TALLOC_CTX *ctx)
-+{
-+ NTSTATUS ret;
-+
-+ ret = smb_register_vfs(SMB_VFS_INTERFACE_VERSION, "freebsd",
-+ &freebsd_fns);
-+
-+ if (!NT_STATUS_IS_OK(ret)) {
-+ return ret;
-+ }
-+
-+ vfs_freebsd_debug_level = debug_add_class("freebsd");
-+ if (vfs_freebsd_debug_level == -1) {
-+ vfs_freebsd_debug_level = DBGC_VFS;
-+ DEBUG(0, ("vfs_freebsd: Couldn't register custom debugging class!\n"));
-+ } else {
-+ DEBUG(10, ("vfs_freebsd: Debug class number of 'fileid': %d\n", vfs_freebsd_debug_level));
-+ }
-+
-+ return ret;
-+}
---- docs-xml/manpages/vfs_freebsd.8.xml.orig 2019-06-25 00:51:54 UTC
-+++ docs-xml/manpages/vfs_freebsd.8.xml
-@@ -0,0 +1,169 @@
-+<?xml version="1.0" encoding="iso-8859-1"?>
-+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-+<refentry id="vfs_freebsd.8">
-+
-+<refmeta>
-+ <refentrytitle>vfs_freebsd</refentrytitle>
-+ <manvolnum>8</manvolnum>
-+ <refmiscinfo class="source">Samba</refmiscinfo>
-+ <refmiscinfo class="manual">System Administration tools</refmiscinfo>
-+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
-+</refmeta>
-+
-+<refnamediv>
-+ <refname>vfs_freebsd</refname>
-+ <refpurpose>FreeBSD-specific VFS functions</refpurpose>
-+</refnamediv>
-+
-+<refsynopsisdiv>
-+ <cmdsynopsis>
-+ <command>vfs objects = freebsd</command>
-+ </cmdsynopsis>
-+</refsynopsisdiv>
-+
-+<refsect1>
-+ <title>DESCRIPTION</title>
-+
-+ <para>This VFS module is part of the <citerefentry><refentrytitle>samba</refentrytitle>
-+ <manvolnum>7</manvolnum></citerefentry> suite.</para>
-+
-+ <para>The <command>vfs_freebsd</command> module implements some of the FreeBSD-specific VFS functions.</para>
-+
-+ <para>This module is stackable.</para>
-+</refsect1>
-+
-+
-+<refsect1>
-+ <title>OPTIONS</title>
-+
-+ <variablelist>
-+
-+ <varlistentry>
-+ <term>freebsd:extattr mode=[legacy|compat|secure]</term>
-+ <listitem>
-+ <para>This parameter defines how the emulation of the Linux attr(5) extended attributes
-+ is performed through the FreeBSD native extattr(9) system calls.</para>
-+
-+ <para>Currently the <emphasis>security</emphasis>, <emphasis>system</emphasis>,
-+ <emphasis>trusted</emphasis> and <emphasis>user</emphasis> extended attribute(xattr)
-+ classes are defined in Linux. Contrary FreeBSD has only <emphasis>USER</emphasis>
-+ and <emphasis>SYSTEM</emphasis> extended attribute(extattr) namespaces, so mapping
-+ of one set into another isn't straightforward and can be done in different ways.</para>
-+
-+ <para>Historically the Samba(7) built-in xattr mapping implementation simply converted
-+ <emphasis>system</emphasis> and <emphasis>user</emphasis> xattr into corresponding
-+ <emphasis>SYSTEM</emphasis> and <emphasis>USER</emphasis> extattr namespaces, dropping
-+ the class prefix name with the separating dot and using attribute name only within the
-+ mapped namespace. It also rejected any other xattr classes, like <emphasis>security</emphasis>
-+ and <emphasis>trusted</emphasis> as invalid. Such behavior in particular broke AD
-+ provisioning on UFS2 file systems as essential <emphasis>security.NTACL</emphasis>
-+ xattr was rejected as invalid.</para>
-+
-+ <para>This module tries to address this problem and provide secure, where it's possible,
-+ way to map Linux xattr into FreeBSD's extattr.</para>
-+
-+ <para>When <emphasis>mode</emphasis> is set to the <emphasis>legacy (default)</emphasis>
-+ then modified version of built-in mapping is used, where <emphasis>system</emphasis> xattr
-+ is mapped into SYSTEM namespace, while <emphasis>secure</emphasis>, <emphasis>trusted</emphasis>
-+ and <emphasis>user</emphasis> xattr are all mapped into the USER namespace, dropping class
-+ prefixes and mix them all together. This is the way how Samba FreeBSD ports were patched
-+ up to the 4.9 version and that created multiple potential security issues. This mode is aimed for
-+ the compatibility with the legacy installations only and should be avoided in new setups.</para>
-+
-+ <para>The <emphasis>compat</emphasis> mode is mostly designed for the jailed environments,
-+ where it's not possible to write extattrs into the secure SYSTEM namespace, so all four
-+ classes are mapped into the USER namespace. To preserve information about origin of the
-+ extended attribute it is stored together with the class preffix in the <emphasis>class.attribute</emphasis>
-+ format.</para>
-+
-+ <para>The <emphasis>secure</emphasis> mode is meant for storing extended attributes in a secure
-+ manner, so that <emphasis>security</emphasis>, <emphasis>system</emphasis> and <emphasis>trusted</emphasis>
-+ are stored in the SYSTEM namespace, which can be modified only by root.
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+
-+
-+ </variablelist>
-+</refsect1>
-+
-+<refsect1>
-+ <table frame="all" rowheader="firstcol">
-+ <title>Attributes mapping</title>
-+ <tgroup cols='5' align='left' colsep='1' rowsep='1'>
-+ <thead>
-+ <row>
-+ <entry> </entry>
-+ <entry>built-in</entry>
-+ <entry>legacy</entry>
-+ <entry>compat/jail</entry>
-+ <entry>secure</entry>
-+ </row>
-+ </thead>
-+ <tbody>
-+ <row>
-+ <entry>user</entry>
-+ <entry>USER; attribute</entry>
-+ <entry>USER; attribute</entry>
-+ <entry>USER; user.attribute</entry>
-+ <entry>USER; user.attribute</entry>
-+ </row>
-+ <row>
-+ <entry>system</entry>
-+ <entry>SYSTEM; attribute</entry>
-+ <entry>SYSTEM; attribute</entry>
-+ <entry>USER; system.attribute</entry>
-+ <entry>SYSTEM; system.attribute</entry>
-+ </row>
-+ <row>
-+ <entry>trusted</entry>
-+ <entry>FAIL</entry>
-+ <entry>USER; attribute</entry>
-+ <entry>USER; trusted.attribute</entry>
-+ <entry>SYSTEM; trusted.attribute</entry>
-+ </row>
-+ <row>
-+ <entry>security</entry>
-+ <entry>FAIL</entry>
-+ <entry>USER; attribute</entry>
-+ <entry>USER; security.attribute</entry>
-+ <entry>SYSTEM; security.attribute</entry>
-+ </row>
-+ </tbody>
-+ </tgroup>
-+ </table>
-+</refsect1>
-+
-+<refsect1>
-+ <title>EXAMPLES</title>
-+
-+ <para>Use secure method of setting extended attributes on the share:</para>
-+
-+<programlisting>
-+ <smbconfsection name="[sysvol]"/>
-+ <smbconfoption name="vfs objects">freebsd</smbconfoption>
-+ <smbconfoption name="freebsd:extattr mode">secure</smbconfoption>
-+</programlisting>
-+
-+</refsect1>
-+
-+<refsect1>
-+ <title>VERSION</title>
-+
-+ <para>This man page is part of version &doc.version; of the Samba suite.
-+ </para>
-+</refsect1>
-+
-+<refsect1>
-+ <title>AUTHOR</title>
-+
-+ <para>The original Samba software and related utilities
-+ were created by Andrew Tridgell. Samba is now developed
-+ by the Samba Team as an Open Source project similar
-+ to the way the Linux kernel is developed.</para>
-+
-+ <para>This module was written by Timur I. Bakeyev</para>
-+
-+</refsect1>
-+
-+</refentry>
diff --git a/net/samba413/files/patch-waf-2.0.20 b/net/samba413/files/patch-waf-2.0.20
deleted file mode 100644
index 3c40ea15f0ed..000000000000
--- a/net/samba413/files/patch-waf-2.0.20
+++ /dev/null
@@ -1,1663 +0,0 @@
-From 5fc3a71d0f54b176d3cb2e399718d0468507e797 Mon Sep 17 00:00:00 2001
-From: David Mulder <dmulder@suse.com>
-Date: Mon, 24 Aug 2020 13:12:46 -0600
-Subject: [PATCH] waf: upgrade to 2.0.20
-
-This contain an important change:
-"Fix gccdeps.scan() returning nodes that no longer exist on disk."
-https://gitlab.com/ita1024/waf/-/merge_requests/2293
-
-Signed-off-by: David Mulder <dmulder@suse.com>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- buildtools/bin/waf | 2 +-
- buildtools/wafsamba/samba_utils.py | 2 +-
- buildtools/wafsamba/samba_waf18.py | 3 +-
- buildtools/wafsamba/wafsamba.py | 2 +-
- third_party/waf/waflib/Configure.py | 25 +-
- third_party/waf/waflib/Context.py | 18 +-
- third_party/waf/waflib/Options.py | 31 +-
- third_party/waf/waflib/Scripting.py | 6 +-
- third_party/waf/waflib/Tools/c_aliases.py | 4 +-
- third_party/waf/waflib/Tools/c_config.py | 22 +-
- third_party/waf/waflib/Tools/c_tests.py | 15 +-
- third_party/waf/waflib/Tools/compiler_c.py | 2 +-
- third_party/waf/waflib/Tools/compiler_cxx.py | 2 +-
- third_party/waf/waflib/Tools/fc.py | 4 +-
- third_party/waf/waflib/Tools/irixcc.py | 14 +-
- third_party/waf/waflib/Tools/javaw.py | 2 +-
- third_party/waf/waflib/Tools/python.py | 2 +-
- third_party/waf/waflib/Tools/qt5.py | 6 +-
- third_party/waf/waflib/Utils.py | 2 +-
- .../extras/clang_compilation_database.py | 172 ++++--
- third_party/waf/waflib/extras/doxygen.py | 1 +
- third_party/waf/waflib/extras/gccdeps.py | 15 +-
- third_party/waf/waflib/extras/javatest.py | 135 ++++-
- third_party/waf/waflib/extras/msvc_pdb.py | 46 ++
- third_party/waf/waflib/extras/pytest.py | 17 +-
- third_party/waf/waflib/extras/wafcache.py | 524 ++++++++++++++++++
- 26 files changed, 942 insertions(+), 132 deletions(-)
- create mode 100644 third_party/waf/waflib/extras/msvc_pdb.py
- create mode 100644 third_party/waf/waflib/extras/wafcache.py
-
-diff --git buildtools/bin/waf buildtools/bin/waf
-index 11ce8e7480a..feabe25d131 100755
---- buildtools/bin/waf
-+++ buildtools/bin/waf
-@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
-
- import os, sys, inspect
-
--VERSION="2.0.18"
-+VERSION="2.0.20"
- REVISION="x"
- GIT="x"
- INSTALL="x"
-diff --git buildtools/wafsamba/samba_utils.py buildtools/wafsamba/samba_utils.py
-index 4afee249d33..0587f525aff 100644
---- buildtools/wafsamba/samba_utils.py
-+++ buildtools/wafsamba/samba_utils.py
-@@ -459,7 +459,7 @@ def RECURSE(ctx, directory):
- return
- visited_dirs.add(key)
- relpath = os.path.relpath(abspath, ctx.path.abspath())
-- if ctxclass in ['tmp', 'OptionsContext', 'ConfigurationContext', 'BuildContext']:
-+ if ctxclass in ['tmp', 'OptionsContext', 'ConfigurationContext', 'BuildContext', 'ClangDbContext']:
- return ctx.recurse(relpath)
- if 'waflib.extras.compat15' in sys.modules:
- return ctx.recurse(relpath)
-diff --git buildtools/wafsamba/samba_waf18.py buildtools/wafsamba/samba_waf18.py
-index c0bb6bfcf55..ecf3891f175 100644
---- buildtools/wafsamba/samba_waf18.py
-+++ buildtools/wafsamba/samba_waf18.py
-@@ -5,6 +5,7 @@ from waflib import Build, Configure, Node, Utils, Options, Logs, TaskGen
- from waflib import ConfigSet
- from waflib.TaskGen import feature, after
- from waflib.Configure import conf, ConfigurationContext
-+from waflib.extras import clang_compilation_database
-
- from waflib.Tools.flex import decide_ext
-
-@@ -37,7 +38,7 @@ TaskGen.declare_chain(
- )
-
-
--for y in (Build.BuildContext, Build.CleanContext, Build.InstallContext, Build.UninstallContext, Build.ListContext):
-+for y in (Build.BuildContext, Build.CleanContext, Build.InstallContext, Build.UninstallContext, Build.ListContext, clang_compilation_database.ClangDbContext):
- class tmp(y):
- variant = 'default'
-
-diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py
-index 7827d374654..9f6ee4f5c7f 100644
---- buildtools/wafsamba/wafsamba.py
-+++ buildtools/wafsamba/wafsamba.py
-@@ -38,7 +38,7 @@ LIB_PATH="shared"
-
- os.environ['PYTHONUNBUFFERED'] = '1'
-
--if Context.HEXVERSION not in (0x2001200,):
-+if Context.HEXVERSION not in (0x2001400,):
- Logs.error('''
- Please use the version of waf that comes with Samba, not
- a system installed version. See http://wiki.samba.org/index.php/Waf
-diff --git third_party/waf/waflib/Configure.py third_party/waf/waflib/Configure.py
-index 5762eb66954..e7333948489 100644
---- third_party/waf/waflib/Configure.py
-+++ third_party/waf/waflib/Configure.py
-@@ -508,23 +508,27 @@ def find_binary(self, filenames, exts, paths):
- @conf
- def run_build(self, *k, **kw):
- """
-- Create a temporary build context to execute a build. A reference to that build
-- context is kept on self.test_bld for debugging purposes, and you should not rely
-- on it too much (read the note on the cache below).
-- The parameters given in the arguments to this function are passed as arguments for
-- a single task generator created in the build. Only three parameters are obligatory:
-+ Create a temporary build context to execute a build. A temporary reference to that build
-+ context is kept on self.test_bld for debugging purposes.
-+ The arguments to this function are passed to a single task generator for that build.
-+ Only three parameters are mandatory:
-
- :param features: features to pass to a task generator created in the build
- :type features: list of string
- :param compile_filename: file to create for the compilation (default: *test.c*)
- :type compile_filename: string
-- :param code: code to write in the filename to compile
-+ :param code: input file contents
- :type code: string
-
-- Though this function returns *0* by default, the build may set an attribute named *retval* on the
-+ Though this function returns *0* by default, the build may bind attribute named *retval* on the
- build context object to return a particular value. See :py:func:`waflib.Tools.c_config.test_exec_fun` for example.
-
-- This function also features a cache which can be enabled by the following option::
-+ The temporary builds creates a temporary folder; the name of that folder is calculated
-+ by hashing input arguments to this function, with the exception of :py:class:`waflib.ConfigSet.ConfigSet`
-+ objects which are used for both reading and writing values.
-+
-+ This function also features a cache which is disabled by default; that cache relies
-+ on the hash value calculated as indicated above::
-
- def options(opt):
- opt.add_option('--confcache', dest='confcache', default=0,
-@@ -538,7 +542,10 @@ def run_build(self, *k, **kw):
- buf = []
- for key in sorted(kw.keys()):
- v = kw[key]
-- if hasattr(v, '__call__'):
-+ if isinstance(v, ConfigSet.ConfigSet):
-+ # values are being written to, so they are excluded from contributing to the hash
-+ continue
-+ elif hasattr(v, '__call__'):
- buf.append(Utils.h_fun(v))
- else:
- buf.append(str(v))
-diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py
-index e3305fa3341..3f1b4fa48ab 100644
---- third_party/waf/waflib/Context.py
-+++ third_party/waf/waflib/Context.py
-@@ -6,20 +6,30 @@
- Classes and functions enabling the command system
- """
-
--import os, re, imp, sys
-+import os, re, sys
- from waflib import Utils, Errors, Logs
- import waflib.Node
-
-+if sys.hexversion > 0x3040000:
-+ import types
-+ class imp(object):
-+ new_module = lambda x: types.ModuleType(x)
-+else:
-+ import imp
-+
- # the following 3 constants are updated on each new release (do not touch)
--HEXVERSION=0x2001200
-+HEXVERSION=0x2001400
- """Constant updated on new releases"""
-
--WAFVERSION="2.0.18"
-+WAFVERSION="2.0.20"
- """Constant updated on new releases"""
-
--WAFREVISION="314689b8994259a84f0de0aaef74d7ce91f541ad"
-+WAFREVISION="668769470956da8c5b60817cb8884cd7d0f87cd4"
- """Git revision when the waf version is updated"""
-
-+WAFNAME="waf"
-+"""Application name displayed on --help"""
-+
- ABI = 20
- """Version of the build data cache file format (used in :py:const:`waflib.Context.DBFILE`)"""
-
-diff --git third_party/waf/waflib/Options.py third_party/waf/waflib/Options.py
-index ad802d4b905..d4104917c82 100644
---- third_party/waf/waflib/Options.py
-+++ third_party/waf/waflib/Options.py
-@@ -44,7 +44,7 @@ class opt_parser(optparse.OptionParser):
- """
- def __init__(self, ctx, allow_unknown=False):
- optparse.OptionParser.__init__(self, conflict_handler='resolve', add_help_option=False,
-- version='waf %s (%s)' % (Context.WAFVERSION, Context.WAFREVISION))
-+ version='%s %s (%s)' % (Context.WAFNAME, Context.WAFVERSION, Context.WAFREVISION))
- self.formatter.width = Logs.get_term_cols()
- self.ctx = ctx
- self.allow_unknown = allow_unknown
-@@ -62,6 +62,21 @@ class opt_parser(optparse.OptionParser):
- else:
- self.error(str(e))
-
-+ def _process_long_opt(self, rargs, values):
-+ # --custom-option=-ftxyz is interpreted as -f -t... see #2280
-+ if self.allow_unknown:
-+ back = [] + rargs
-+ try:
-+ optparse.OptionParser._process_long_opt(self, rargs, values)
-+ except optparse.BadOptionError:
-+ while rargs:
-+ rargs.pop()
-+ rargs.extend(back)
-+ rargs.pop(0)
-+ raise
-+ else:
-+ optparse.OptionParser._process_long_opt(self, rargs, values)
-+
- def print_usage(self, file=None):
- return self.print_help(file)
-
-@@ -96,11 +111,11 @@ class opt_parser(optparse.OptionParser):
- lst.sort()
- ret = '\n'.join(lst)
-
-- return '''waf [commands] [options]
-+ return '''%s [commands] [options]
-
--Main commands (example: ./waf build -j4)
-+Main commands (example: ./%s build -j4)
- %s
--''' % ret
-+''' % (Context.WAFNAME, Context.WAFNAME, ret)
-
-
- class OptionsContext(Context.Context):
-@@ -141,9 +156,9 @@ class OptionsContext(Context.Context):
- gr.add_option('-o', '--out', action='store', default='', help='build dir for the project', dest='out')
- gr.add_option('-t', '--top', action='store', default='', help='src dir for the project', dest='top')
-
-- gr.add_option('--no-lock-in-run', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_run')
-- gr.add_option('--no-lock-in-out', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_out')
-- gr.add_option('--no-lock-in-top', action='store_true', default='', help=optparse.SUPPRESS_HELP, dest='no_lock_in_top')
-+ gr.add_option('--no-lock-in-run', action='store_true', default=os.environ.get('NO_LOCK_IN_RUN', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_run')
-+ gr.add_option('--no-lock-in-out', action='store_true', default=os.environ.get('NO_LOCK_IN_OUT', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_out')
-+ gr.add_option('--no-lock-in-top', action='store_true', default=os.environ.get('NO_LOCK_IN_TOP', ''), help=optparse.SUPPRESS_HELP, dest='no_lock_in_top')
-
- default_prefix = getattr(Context.g_module, 'default_prefix', os.environ.get('PREFIX'))
- if not default_prefix:
-@@ -282,6 +297,8 @@ class OptionsContext(Context.Context):
- elif arg != 'options':
- commands.append(arg)
-
-+ if options.jobs < 1:
-+ options.jobs = 1
- for name in 'top out destdir prefix bindir libdir'.split():
- # those paths are usually expanded from Context.launch_dir
- if getattr(options, name, None):
-diff --git third_party/waf/waflib/Scripting.py third_party/waf/waflib/Scripting.py
-index 68dccf29ce0..da83a2166a1 100644
---- third_party/waf/waflib/Scripting.py
-+++ third_party/waf/waflib/Scripting.py
-@@ -306,7 +306,7 @@ def distclean(ctx):
-
- # remove a build folder, if any
- cur = '.'
-- if ctx.options.no_lock_in_top:
-+ if os.environ.get('NO_LOCK_IN_TOP') or ctx.options.no_lock_in_top:
- cur = ctx.options.out
-
- try:
-@@ -333,9 +333,9 @@ def distclean(ctx):
- remove_and_log(env.out_dir, shutil.rmtree)
-
- env_dirs = [env.out_dir]
-- if not ctx.options.no_lock_in_top:
-+ if not (os.environ.get('NO_LOCK_IN_TOP') or ctx.options.no_lock_in_top):
- env_dirs.append(env.top_dir)
-- if not ctx.options.no_lock_in_run:
-+ if not (os.environ.get('NO_LOCK_IN_RUN') or ctx.options.no_lock_in_run):
- env_dirs.append(env.run_dir)
- for k in env_dirs:
- p = os.path.join(k, Options.lockfile)
-diff --git third_party/waf/waflib/Tools/c_aliases.py third_party/waf/waflib/Tools/c_aliases.py
-index 985e048bdb7..928cfe29caa 100644
---- third_party/waf/waflib/Tools/c_aliases.py
-+++ third_party/waf/waflib/Tools/c_aliases.py
-@@ -38,7 +38,7 @@ def sniff_features(**kw):
- :return: the list of features for a task generator processing the source files
- :rtype: list of string
- """
-- exts = get_extensions(kw['source'])
-+ exts = get_extensions(kw.get('source', []))
- typ = kw['typ']
- feats = []
-
-@@ -72,7 +72,7 @@ def sniff_features(**kw):
- feats.append(x + typ)
- will_link = True
- if not will_link and not kw.get('features', []):
-- raise Errors.WafError('Cannot link from %r, try passing eg: features="c cprogram"?' % kw)
-+ raise Errors.WafError('Unable to determine how to link %r, try adding eg: features="c cshlib"?' % kw)
- return feats
-
- def set_features(kw, typ):
-diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py
-index 80580cc9fcb..98187fac2e2 100644
---- third_party/waf/waflib/Tools/c_config.py
-+++ third_party/waf/waflib/Tools/c_config.py
-@@ -86,6 +86,10 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No
- :type uselib_store: string
- :param env: config set or conf.env by default
- :type env: :py:class:`waflib.ConfigSet.ConfigSet`
-+ :param force_static: force usage of static libraries
-+ :type force_static: bool default False
-+ :param posix: usage of POSIX mode for shlex lexical analiysis library
-+ :type posix: bool default True
- """
-
- assert(isinstance(line, str))
-@@ -103,6 +107,8 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No
- lex.commenters = ''
- lst = list(lex)
-
-+ so_re = re.compile(r"\.so(?:\.[0-9]+)*$")
-+
- # append_unique is not always possible
- # for example, apple flags may require both -arch i386 and -arch ppc
- uselib = uselib_store
-@@ -144,7 +150,7 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No
- elif x.startswith('-std='):
- prefix = 'CXXFLAGS' if '++' in x else 'CFLAGS'
- app(prefix, x)
-- elif x.startswith('+') or x in ('-pthread', '-fPIC', '-fpic', '-fPIE', '-fpie'):
-+ elif x.startswith('+') or x in ('-pthread', '-fPIC', '-fpic', '-fPIE', '-fpie', '-flto', '-fno-lto'):
- app('CFLAGS', x)
- app('CXXFLAGS', x)
- app('LINKFLAGS', x)
-@@ -180,7 +186,7 @@ def parse_flags(self, line, uselib_store, env=None, force_static=False, posix=No
- app('CFLAGS', tmp)
- app('CXXFLAGS', tmp)
- app('LINKFLAGS', tmp)
-- elif x.endswith(('.a', '.so', '.dylib', '.lib')):
-+ elif x.endswith(('.a', '.dylib', '.lib')) or so_re.search(x):
- appu('LINKFLAGS', x) # not cool, #762
- else:
- self.to_log('Unhandled flag %r' % x)
-@@ -246,6 +252,8 @@ def exec_cfg(self, kw):
- * if modversion is given, then return the module version
- * else, execute the *-config* program with the *args* and *variables* given, and set the flags on the *conf.env.FLAGS_name* variable
-
-+ :param path: the **-config program to use**
-+ :type path: list of string
- :param atleast_pkgconfig_version: minimum pkg-config version to use (disable other tests)
- :type atleast_pkgconfig_version: string
- :param package: package name, for example *gtk+-2.0*
-@@ -260,6 +268,12 @@ def exec_cfg(self, kw):
- :type variables: list of string
- :param define_variable: additional variables to define (also in conf.env.PKG_CONFIG_DEFINES)
- :type define_variable: dict(string: string)
-+ :param pkg_config_path: paths where pkg-config should search for .pc config files (overrides env.PKG_CONFIG_PATH if exists)
-+ :type pkg_config_path: string, list of directories separated by colon
-+ :param force_static: force usage of static libraries
-+ :type force_static: bool default False
-+ :param posix: usage of POSIX mode for shlex lexical analiysis library
-+ :type posix: bool default True
- """
-
- path = Utils.to_list(kw['path'])
-@@ -334,6 +348,7 @@ def check_cfg(self, *k, **kw):
- """
- Checks for configuration flags using a **-config**-like program (pkg-config, sdl-config, etc).
- This wraps internal calls to :py:func:`waflib.Tools.c_config.validate_cfg` and :py:func:`waflib.Tools.c_config.exec_cfg`
-+ so check exec_cfg parameters descriptions for more details on kw passed
-
- A few examples::
-
-@@ -1267,10 +1282,11 @@ def multicheck(self, *k, **kw):
- tasks = []
-
- id_to_task = {}
-- for dct in k:
-+ for counter, dct in enumerate(k):
- x = Task.classes['cfgtask'](bld=bld, env=None)
- tasks.append(x)
- x.args = dct
-+ x.args['multicheck_counter'] = counter
- x.bld = bld
- x.conf = self
- x.args = dct
-diff --git third_party/waf/waflib/Tools/c_tests.py third_party/waf/waflib/Tools/c_tests.py
-index 7a4094f2450..bdd186c6bc4 100644
---- third_party/waf/waflib/Tools/c_tests.py
-+++ third_party/waf/waflib/Tools/c_tests.py
-@@ -180,9 +180,15 @@ def check_large_file(self, **kw):
- ########################################################################################
-
- ENDIAN_FRAGMENT = '''
-+#ifdef _MSC_VER
-+#define testshlib_EXPORT __declspec(dllexport)
-+#else
-+#define testshlib_EXPORT
-+#endif
-+
- short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
- short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
--int use_ascii (int i) {
-+int testshlib_EXPORT use_ascii (int i) {
- return ascii_mm[i] + ascii_ii[i];
- }
- short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
-@@ -208,12 +214,12 @@ class grep_for_endianness(Task.Task):
- return -1
-
- @feature('grep_for_endianness')
--@after_method('process_source')
-+@after_method('apply_link')
- def grep_for_endianness_fun(self):
- """
- Used by the endianness configuration test
- """
-- self.create_task('grep_for_endianness', self.compiled_tasks[0].outputs[0])
-+ self.create_task('grep_for_endianness', self.link_task.outputs[0])
-
- @conf
- def check_endianness(self):
-@@ -223,7 +229,8 @@ def check_endianness(self):
- tmp = []
- def check_msg(self):
- return tmp[0]
-- self.check(fragment=ENDIAN_FRAGMENT, features='c grep_for_endianness',
-+
-+ self.check(fragment=ENDIAN_FRAGMENT, features='c cshlib grep_for_endianness',
- msg='Checking for endianness', define='ENDIANNESS', tmp=tmp,
- okmsg=check_msg, confcache=None)
- return tmp[0]
-diff --git third_party/waf/waflib/Tools/compiler_c.py third_party/waf/waflib/Tools/compiler_c.py
-index 2dba3f82704..931dc57efec 100644
---- third_party/waf/waflib/Tools/compiler_c.py
-+++ third_party/waf/waflib/Tools/compiler_c.py
-@@ -37,7 +37,7 @@ from waflib.Logs import debug
-
- c_compiler = {
- 'win32': ['msvc', 'gcc', 'clang'],
--'cygwin': ['gcc'],
-+'cygwin': ['gcc', 'clang'],
- 'darwin': ['clang', 'gcc'],
- 'aix': ['xlc', 'gcc', 'clang'],
- 'linux': ['gcc', 'clang', 'icc'],
-diff --git third_party/waf/waflib/Tools/compiler_cxx.py third_party/waf/waflib/Tools/compiler_cxx.py
-index 1af65a226dc..09fca7e4dc6 100644
---- third_party/waf/waflib/Tools/compiler_cxx.py
-+++ third_party/waf/waflib/Tools/compiler_cxx.py
-@@ -38,7 +38,7 @@ from waflib.Logs import debug
-
- cxx_compiler = {
- 'win32': ['msvc', 'g++', 'clang++'],
--'cygwin': ['g++'],
-+'cygwin': ['g++', 'clang++'],
- 'darwin': ['clang++', 'g++'],
- 'aix': ['xlc++', 'g++', 'clang++'],
- 'linux': ['g++', 'clang++', 'icpc'],
-diff --git third_party/waf/waflib/Tools/fc.py third_party/waf/waflib/Tools/fc.py
-index fd4d39c90ae..7fbd76d3650 100644
---- third_party/waf/waflib/Tools/fc.py
-+++ third_party/waf/waflib/Tools/fc.py
-@@ -13,8 +13,8 @@ from waflib.TaskGen import extension
- from waflib.Configure import conf
-
- ccroot.USELIB_VARS['fc'] = set(['FCFLAGS', 'DEFINES', 'INCLUDES', 'FCPPFLAGS'])
--ccroot.USELIB_VARS['fcprogram_test'] = ccroot.USELIB_VARS['fcprogram'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS'])
--ccroot.USELIB_VARS['fcshlib'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS'])
-+ccroot.USELIB_VARS['fcprogram_test'] = ccroot.USELIB_VARS['fcprogram'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS', 'LDFLAGS'])
-+ccroot.USELIB_VARS['fcshlib'] = set(['LIB', 'STLIB', 'LIBPATH', 'STLIBPATH', 'LINKFLAGS', 'RPATH', 'LINKDEPS', 'LDFLAGS'])
- ccroot.USELIB_VARS['fcstlib'] = set(['ARFLAGS', 'LINKDEPS'])
-
- @extension('.f','.F','.f90','.F90','.for','.FOR','.f95','.F95','.f03','.F03','.f08','.F08')
-diff --git third_party/waf/waflib/Tools/irixcc.py third_party/waf/waflib/Tools/irixcc.py
-index c3ae1ac915c..0335c13cb61 100644
---- third_party/waf/waflib/Tools/irixcc.py
-+++ third_party/waf/waflib/Tools/irixcc.py
-@@ -13,22 +13,11 @@ from waflib.Configure import conf
- @conf
- def find_irixcc(conf):
- v = conf.env
-- cc = None
-- if v.CC:
-- cc = v.CC
-- elif 'CC' in conf.environ:
-- cc = conf.environ['CC']
-- if not cc:
-- cc = conf.find_program('cc', var='CC')
-- if not cc:
-- conf.fatal('irixcc was not found')
--
-+ cc = conf.find_program('cc', var='CC')
- try:
- conf.cmd_and_log(cc + ['-version'])
- except Errors.WafError:
- conf.fatal('%r -version could not be executed' % cc)
--
-- v.CC = cc
- v.CC_NAME = 'irix'
-
- @conf
-@@ -57,7 +46,6 @@ def irixcc_common_flags(conf):
-
- def configure(conf):
- conf.find_irixcc()
-- conf.find_cpp()
- conf.find_ar()
- conf.irixcc_common_flags()
- conf.cc_load_tools()
-diff --git third_party/waf/waflib/Tools/javaw.py third_party/waf/waflib/Tools/javaw.py
-index ceb08c28c87..b7f5dd1f87f 100644
---- third_party/waf/waflib/Tools/javaw.py
-+++ third_party/waf/waflib/Tools/javaw.py
-@@ -251,7 +251,7 @@ def use_javac_files(self):
- base_node = tg.path.get_bld()
-
- self.use_lst.append(base_node.abspath())
-- self.javac_task.dep_nodes.extend([x for x in base_node.ant_glob(JAR_RE, remove=False, quiet=True)])
-+ self.javac_task.dep_nodes.extend([dx for dx in base_node.ant_glob(JAR_RE, remove=False, quiet=True)])
-
- for tsk in tg.tasks:
- self.javac_task.set_run_after(tsk)
-diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py
-index 7c45a76ffd2..b1c8dd01285 100644
---- third_party/waf/waflib/Tools/python.py
-+++ third_party/waf/waflib/Tools/python.py
-@@ -620,7 +620,7 @@ def configure(conf):
- v.PYO = getattr(Options.options, 'pyo', 1)
-
- try:
-- v.PYTAG = conf.cmd_and_log(conf.env.PYTHON + ['-c', "import imp;print(imp.get_tag())"]).strip()
-+ v.PYTAG = conf.cmd_and_log(conf.env.PYTHON + ['-c', "import sys\ntry:\n print(sys.implementation.cache_tag)\nexcept AttributeError:\n import imp\n print(imp.get_tag())\n"]).strip()
- except Errors.WafError:
- pass
-
-diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py
-index 287c25374a4..99e021bae61 100644
---- third_party/waf/waflib/Tools/qt5.py
-+++ third_party/waf/waflib/Tools/qt5.py
-@@ -482,8 +482,8 @@ def configure(self):
- self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?')
-
- # Qt5 may be compiled with '-reduce-relocations' which requires dependent programs to have -fPIE or -fPIC?
-- frag = '#include <QApplication>\nint main(int argc, char **argv) {return 0;}\n'
-- uses = 'QT5CORE QT5WIDGETS QT5GUI'
-+ frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n'
-+ uses = 'QT5CORE'
- for flag in [[], '-fPIE', '-fPIC', '-std=c++11' , ['-std=c++11', '-fPIE'], ['-std=c++11', '-fPIC']]:
- msg = 'See if Qt files compile '
- if flag:
-@@ -499,7 +499,7 @@ def configure(self):
-
- # FreeBSD does not add /usr/local/lib and the pkg-config files do not provide it either :-/
- if Utils.unversioned_sys_platform() == 'freebsd':
-- frag = '#include <QApplication>\nint main(int argc, char **argv) { QApplication app(argc, argv); return NULL != (void*) (&app);}\n'
-+ frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n'
- try:
- self.check(features='qt5 cxx cxxprogram', use=uses, fragment=frag, msg='Can we link Qt programs on FreeBSD directly?')
- except self.errors.ConfigurationError:
-diff --git third_party/waf/waflib/Utils.py third_party/waf/waflib/Utils.py
-index 7472226da58..fc64fa05154 100644
---- third_party/waf/waflib/Utils.py
-+++ third_party/waf/waflib/Utils.py
-@@ -891,7 +891,7 @@ def run_prefork_process(cmd, kwargs, cargs):
- """
- Delegates process execution to a pre-forked process instance.
- """
-- if not 'env' in kwargs:
-+ if not kwargs.get('env'):
- kwargs['env'] = dict(os.environ)
- try:
- obj = base64.b64encode(cPickle.dumps([cmd, kwargs, cargs]))
-diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py
-index 4d9b5e275ae..ff71f22ecfd 100644
---- third_party/waf/waflib/extras/clang_compilation_database.py
-+++ third_party/waf/waflib/extras/clang_compilation_database.py
-@@ -1,6 +1,7 @@
- #!/usr/bin/env python
- # encoding: utf-8
- # Christoph Koke, 2013
-+# Alibek Omarov, 2019
-
- """
- Writes the c and cpp compile commands into build/compile_commands.json
-@@ -8,14 +9,23 @@ see http://clang.llvm.org/docs/JSONCompilationDatabase.html
-
- Usage:
-
-- def configure(conf):
-- conf.load('compiler_cxx')
-- ...
-- conf.load('clang_compilation_database')
-+ Load this tool in `options` to be able to generate database
-+ by request in command-line and before build:
-+
-+ $ waf clangdb
-+
-+ def options(opt):
-+ opt.load('clang_compilation_database')
-+
-+ Otherwise, load only in `configure` to generate it always before build.
-+
-+ def configure(conf):
-+ conf.load('compiler_cxx')
-+ ...
-+ conf.load('clang_compilation_database')
- """
-
--import sys, os, json, shlex, pipes
--from waflib import Logs, TaskGen, Task
-+from waflib import Logs, TaskGen, Task, Build, Scripting
-
- Task.Task.keep_last_cmd = True
-
-@@ -23,63 +33,103 @@ Task.Task.keep_last_cmd = True
- @TaskGen.after_method('process_use')
- def collect_compilation_db_tasks(self):
- "Add a compilation database entry for compiled tasks"
-- try:
-- clang_db = self.bld.clang_compilation_database_tasks
-- except AttributeError:
-- clang_db = self.bld.clang_compilation_database_tasks = []
-- self.bld.add_post_fun(write_compilation_database)
-+ if not isinstance(self.bld, ClangDbContext):
-+ return
-
- tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y)
- for task in getattr(self, 'compiled_tasks', []):
- if isinstance(task, tup):
-- clang_db.append(task)
--
--def write_compilation_database(ctx):
-- "Write the clang compilation database as JSON"
-- database_file = ctx.bldnode.make_node('compile_commands.json')
-- Logs.info('Build commands will be stored in %s', database_file.path_from(ctx.path))
-- try:
-- root = json.load(database_file)
-- except IOError:
-- root = []
-- clang_db = dict((x['file'], x) for x in root)
-- for task in getattr(ctx, 'clang_compilation_database_tasks', []):
-+ self.bld.clang_compilation_database_tasks.append(task)
-+
-+class ClangDbContext(Build.BuildContext):
-+ '''generates compile_commands.json by request'''
-+ cmd = 'clangdb'
-+ clang_compilation_database_tasks = []
-+
-+ def write_compilation_database(self):
-+ """
-+ Write the clang compilation database as JSON
-+ """
-+ database_file = self.bldnode.make_node('compile_commands.json')
-+ Logs.info('Build commands will be stored in %s', database_file.path_from(self.path))
- try:
-- cmd = task.last_cmd
-- except AttributeError:
-- continue
-- directory = getattr(task, 'cwd', ctx.variant_dir)
-- f_node = task.inputs[0]
-- filename = os.path.relpath(f_node.abspath(), directory)
-- entry = {
-- "directory": directory,
-- "arguments": cmd,
-- "file": filename,
-- }
-- clang_db[filename] = entry
-- root = list(clang_db.values())
-- database_file.write(json.dumps(root, indent=2))
--
--# Override the runnable_status function to do a dummy/dry run when the file doesn't need to be compiled.
--# This will make sure compile_commands.json is always fully up to date.
--# Previously you could end up with a partial compile_commands.json if the build failed.
--for x in ('c', 'cxx'):
-- if x not in Task.classes:
-- continue
--
-- t = Task.classes[x]
--
-- def runnable_status(self):
-- def exec_command(cmd, **kw):
-- pass
--
-- run_status = self.old_runnable_status()
-- if run_status == Task.SKIP_ME:
-- setattr(self, 'old_exec_command', getattr(self, 'exec_command', None))
-- setattr(self, 'exec_command', exec_command)
-- self.run()
-- setattr(self, 'exec_command', getattr(self, 'old_exec_command', None))
-- return run_status
--
-- setattr(t, 'old_runnable_status', getattr(t, 'runnable_status', None))
-- setattr(t, 'runnable_status', runnable_status)
-+ root = database_file.read_json()
-+ except IOError:
-+ root = []
-+ clang_db = dict((x['file'], x) for x in root)
-+ for task in self.clang_compilation_database_tasks:
-+ try:
-+ cmd = task.last_cmd
-+ except AttributeError:
-+ continue
-+ f_node = task.inputs[0]
-+ filename = f_node.path_from(task.get_cwd())
-+ entry = {
-+ "directory": task.get_cwd().abspath(),
-+ "arguments": cmd,
-+ "file": filename,
-+ }
-+ clang_db[filename] = entry
-+ root = list(clang_db.values())
-+ database_file.write_json(root)
-+
-+ def execute(self):
-+ """
-+ Build dry run
-+ """
-+ self.restore()
-+
-+ if not self.all_envs:
-+ self.load_envs()
-+
-+ self.recurse([self.run_dir])
-+ self.pre_build()
-+
-+ # we need only to generate last_cmd, so override
-+ # exec_command temporarily
-+ def exec_command(self, *k, **kw):
-+ return 0
-+
-+ for g in self.groups:
-+ for tg in g:
-+ try:
-+ f = tg.post
-+ except AttributeError:
-+ pass
-+ else:
-+ f()
-+
-+ if isinstance(tg, Task.Task):
-+ lst = [tg]
-+ else: lst = tg.tasks
-+ for tsk in lst:
-+ tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y)
-+ if isinstance(tsk, tup):
-+ old_exec = tsk.exec_command
-+ tsk.exec_command = exec_command
-+ tsk.run()
-+ tsk.exec_command = old_exec
-+
-+ self.write_compilation_database()
-+
-+EXECUTE_PATCHED = False
-+def patch_execute():
-+ global EXECUTE_PATCHED
-+
-+ if EXECUTE_PATCHED:
-+ return
-+
-+ def new_execute_build(self):
-+ """
-+ Invoke clangdb command before build
-+ """
-+ if self.cmd.startswith('build'):
-+ Scripting.run_command('clangdb')
-+
-+ old_execute_build(self)
-+
-+ old_execute_build = getattr(Build.BuildContext, 'execute_build', None)
-+ setattr(Build.BuildContext, 'execute_build', new_execute_build)
-+ EXECUTE_PATCHED = True
-+
-+patch_execute()
-diff --git third_party/waf/waflib/extras/doxygen.py third_party/waf/waflib/extras/doxygen.py
-index 20cd9e1a852..de75bc2738a 100644
---- third_party/waf/waflib/extras/doxygen.py
-+++ third_party/waf/waflib/extras/doxygen.py
-@@ -69,6 +69,7 @@ def parse_doxy(txt):
- class doxygen(Task.Task):
- vars = ['DOXYGEN', 'DOXYFLAGS']
- color = 'BLUE'
-+ ext_in = [ '.py', '.c', '.h', '.java', '.pb.cc' ]
-
- def runnable_status(self):
- '''
-diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py
-index bfabe72e6fd..c3a809e252a 100644
---- third_party/waf/waflib/extras/gccdeps.py
-+++ third_party/waf/waflib/extras/gccdeps.py
-@@ -27,7 +27,7 @@ if not c_preproc.go_absolute:
- gccdeps_flags = ['-MMD']
-
- # Third-party tools are allowed to add extra names in here with append()
--supported_compilers = ['gcc', 'icc', 'clang']
-+supported_compilers = ['gas', 'gcc', 'icc', 'clang']
-
- def scan(self):
- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
-@@ -175,14 +175,14 @@ def wrap_compiled_task(classname):
- derived_class.scan = scan
- derived_class.sig_implicit_deps = sig_implicit_deps
-
--for k in ('c', 'cxx'):
-+for k in ('asm', 'c', 'cxx'):
- if k in Task.classes:
- wrap_compiled_task(k)
-
- @before_method('process_source')
- @feature('force_gccdeps')
- def force_gccdeps(self):
-- self.env.ENABLE_GCCDEPS = ['c', 'cxx']
-+ self.env.ENABLE_GCCDEPS = ['asm', 'c', 'cxx']
-
- def configure(conf):
- # in case someone provides a --enable-gccdeps command-line option
-@@ -191,6 +191,15 @@ def configure(conf):
-
- global gccdeps_flags
- flags = conf.env.GCCDEPS_FLAGS or gccdeps_flags
-+ if conf.env.ASM_NAME in supported_compilers:
-+ try:
-+ conf.check(fragment='', features='asm force_gccdeps', asflags=flags, compile_filename='test.S', msg='Checking for asm flags %r' % ''.join(flags))
-+ except Errors.ConfigurationError:
-+ pass
-+ else:
-+ conf.env.append_value('ASFLAGS', flags)
-+ conf.env.append_unique('ENABLE_GCCDEPS', 'asm')
-+
- if conf.env.CC_NAME in supported_compilers:
- try:
- conf.check(fragment='int main() { return 0; }', features='c force_gccdeps', cflags=flags, msg='Checking for c flags %r' % ''.join(flags))
-diff --git third_party/waf/waflib/extras/javatest.py third_party/waf/waflib/extras/javatest.py
-index 979b8d8242d..76d40edf250 100755
---- third_party/waf/waflib/extras/javatest.py
-+++ third_party/waf/waflib/extras/javatest.py
-@@ -1,6 +1,6 @@
- #! /usr/bin/env python
- # encoding: utf-8
--# Federico Pellegrin, 2017 (fedepell)
-+# Federico Pellegrin, 2019 (fedepell)
-
- """
- Provides Java Unit test support using :py:class:`waflib.Tools.waf_unit_test.utest`
-@@ -11,6 +11,10 @@ standard waf unit test environment. It has been tested with TestNG and JUnit
- but should be easily expandable to other frameworks given the flexibility of
- ut_str provided by the standard waf unit test environment.
-
-+The extra takes care also of managing non-java dependencies (ie. C/C++ libraries
-+using JNI or Python modules via JEP) and setting up the environment needed to run
-+them.
-+
- Example usage:
-
- def options(opt):
-@@ -20,15 +24,15 @@ def configure(conf):
- conf.load('java javatest')
-
- def build(bld):
--
-+
- [ ... mainprog is built here ... ]
-
- bld(features = 'javac javatest',
-- srcdir = 'test/',
-- outdir = 'test',
-+ srcdir = 'test/',
-+ outdir = 'test',
- sourcepath = ['test'],
-- classpath = [ 'src' ],
-- basedir = 'test',
-+ classpath = [ 'src' ],
-+ basedir = 'test',
- use = ['JAVATEST', 'mainprog'], # mainprog is the program being tested in src/
- ut_str = 'java -cp ${CLASSPATH} ${JTRUNNER} ${SRC}',
- jtest_source = bld.path.ant_glob('test/*.xml'),
-@@ -53,10 +57,107 @@ The runner class presence on the system is checked for at configuration stage.
- """
-
- import os
--from waflib import Task, TaskGen, Options
-+from waflib import Task, TaskGen, Options, Errors, Utils, Logs
-+from waflib.Tools import ccroot
-+
-+JAR_RE = '**/*'
-+
-+def _process_use_rec(self, name):
-+ """
-+ Recursively process ``use`` for task generator with name ``name``..
-+ Used by javatest_process_use.
-+ """
-+ if name in self.javatest_use_not or name in self.javatest_use_seen:
-+ return
-+ try:
-+ tg = self.bld.get_tgen_by_name(name)
-+ except Errors.WafError:
-+ self.javatest_use_not.add(name)
-+ return
-+
-+ self.javatest_use_seen.append(name)
-+ tg.post()
-+
-+ for n in self.to_list(getattr(tg, 'use', [])):
-+ _process_use_rec(self, n)
-+
-+@TaskGen.feature('javatest')
-+@TaskGen.after_method('process_source', 'apply_link', 'use_javac_files')
-+def javatest_process_use(self):
-+ """
-+ Process the ``use`` attribute which contains a list of task generator names and store
-+ paths that later is used to populate the unit test runtime environment.
-+ """
-+ self.javatest_use_not = set()
-+ self.javatest_use_seen = []
-+ self.javatest_libpaths = [] # strings or Nodes
-+ self.javatest_pypaths = [] # strings or Nodes
-+ self.javatest_dep_nodes = []
-+
-+ names = self.to_list(getattr(self, 'use', []))
-+ for name in names:
-+ _process_use_rec(self, name)
-+
-+ def extend_unique(lst, varlst):
-+ ext = []
-+ for x in varlst:
-+ if x not in lst:
-+ ext.append(x)
-+ lst.extend(ext)
-+
-+ # Collect type specific info needed to construct a valid runtime environment
-+ # for the test.
-+ for name in self.javatest_use_seen:
-+ tg = self.bld.get_tgen_by_name(name)
-+
-+ # Python-Java embedding crosstools such as JEP
-+ if 'py' in tg.features:
-+ # Python dependencies are added to PYTHONPATH
-+ pypath = getattr(tg, 'install_from', tg.path)
-+
-+ if 'buildcopy' in tg.features:
-+ # Since buildcopy is used we assume that PYTHONPATH in build should be used,
-+ # not source
-+ extend_unique(self.javatest_pypaths, [pypath.get_bld().abspath()])
-+
-+ # Add buildcopy output nodes to dependencies
-+ extend_unique(self.javatest_dep_nodes, [o for task in getattr(tg, 'tasks', []) for o in getattr(task, 'outputs', [])])
-+ else:
-+ # If buildcopy is not used, depend on sources instead
-+ extend_unique(self.javatest_dep_nodes, tg.source)
-+ extend_unique(self.javatest_pypaths, [pypath.abspath()])
-+
-+
-+ if getattr(tg, 'link_task', None):
-+ # For tasks with a link_task (C, C++, D et.c.) include their library paths:
-+ if not isinstance(tg.link_task, ccroot.stlink_task):
-+ extend_unique(self.javatest_dep_nodes, tg.link_task.outputs)
-+ extend_unique(self.javatest_libpaths, tg.link_task.env.LIBPATH)
-+
-+ if 'pyext' in tg.features:
-+ # If the taskgen is extending Python we also want to add the interpreter libpath.
-+ extend_unique(self.javatest_libpaths, tg.link_task.env.LIBPATH_PYEXT)
-+ else:
-+ # Only add to libpath if the link task is not a Python extension
-+ extend_unique(self.javatest_libpaths, [tg.link_task.outputs[0].parent.abspath()])
-+
-+ if 'javac' in tg.features or 'jar' in tg.features:
-+ if hasattr(tg, 'jar_task'):
-+ # For Java JAR tasks depend on generated JAR
-+ extend_unique(self.javatest_dep_nodes, tg.jar_task.outputs)
-+ else:
-+ # For Java non-JAR ones we need to glob generated files (Java output files are not predictable)
-+ if hasattr(tg, 'outdir'):
-+ base_node = tg.outdir
-+ else:
-+ base_node = tg.path.get_bld()
-+
-+ self.javatest_dep_nodes.extend([dx for dx in base_node.ant_glob(JAR_RE, remove=False, quiet=True)])
-+
-+
-
- @TaskGen.feature('javatest')
--@TaskGen.after_method('apply_java', 'use_javac_files', 'set_classpath')
-+@TaskGen.after_method('apply_java', 'use_javac_files', 'set_classpath', 'javatest_process_use')
- def make_javatest(self):
- """
- Creates a ``utest`` task with a populated environment for Java Unit test execution
-@@ -65,6 +166,9 @@ def make_javatest(self):
- tsk = self.create_task('utest')
- tsk.set_run_after(self.javac_task)
-
-+ # Dependencies from recursive use analysis
-+ tsk.dep_nodes.extend(self.javatest_dep_nodes)
-+
- # Put test input files as waf_unit_test relies on that for some prints and log generation
- # If jtest_source is there, this is specially useful for passing XML for TestNG
- # that contain test specification, use that as inputs, otherwise test sources
-@@ -97,6 +201,21 @@ def make_javatest(self):
-
- if not hasattr(self, 'ut_env'):
- self.ut_env = dict(os.environ)
-+ def add_paths(var, lst):
-+ # Add list of paths to a variable, lst can contain strings or nodes
-+ lst = [ str(n) for n in lst ]
-+ Logs.debug("ut: %s: Adding paths %s=%s", self, var, lst)
-+ self.ut_env[var] = os.pathsep.join(lst) + os.pathsep + self.ut_env.get(var, '')
-+
-+ add_paths('PYTHONPATH', self.javatest_pypaths)
-+
-+ if Utils.is_win32:
-+ add_paths('PATH', self.javatest_libpaths)
-+ elif Utils.unversioned_sys_platform() == 'darwin':
-+ add_paths('DYLD_LIBRARY_PATH', self.javatest_libpaths)
-+ add_paths('LD_LIBRARY_PATH', self.javatest_libpaths)
-+ else:
-+ add_paths('LD_LIBRARY_PATH', self.javatest_libpaths)
-
- def configure(ctx):
- cp = ctx.env.CLASSPATH or '.'
-diff --git third_party/waf/waflib/extras/msvc_pdb.py third_party/waf/waflib/extras/msvc_pdb.py
-new file mode 100644
-index 00000000000..077656b4f7e
---- /dev/null
-+++ third_party/waf/waflib/extras/msvc_pdb.py
-@@ -0,0 +1,46 @@
-+#!/usr/bin/env python
-+# encoding: utf-8
-+# Rafaël Kooi 2019
-+
-+from waflib import TaskGen
-+
-+@TaskGen.feature('c', 'cxx', 'fc')
-+@TaskGen.after_method('propagate_uselib_vars')
-+def add_pdb_per_object(self):
-+ """For msvc/fortran, specify a unique compile pdb per object, to work
-+ around LNK4099. Flags are updated with a unique /Fd flag based on the
-+ task output name. This is separate from the link pdb.
-+ """
-+ if not hasattr(self, 'compiled_tasks'):
-+ return
-+
-+ link_task = getattr(self, 'link_task', None)
-+
-+ for task in self.compiled_tasks:
-+ if task.inputs and task.inputs[0].name.lower().endswith('.rc'):
-+ continue
-+
-+ add_pdb = False
-+ for flagname in ('CFLAGS', 'CXXFLAGS', 'FCFLAGS'):
-+ # several languages may be used at once
-+ for flag in task.env[flagname]:
-+ if flag[1:].lower() == 'zi':
-+ add_pdb = True
-+ break
-+
-+ if add_pdb:
-+ node = task.outputs[0].change_ext('.pdb')
-+ pdb_flag = '/Fd:' + node.abspath()
-+
-+ for flagname in ('CFLAGS', 'CXXFLAGS', 'FCFLAGS'):
-+ buf = [pdb_flag]
-+ for flag in task.env[flagname]:
-+ if flag[1:3] == 'Fd' or flag[1:].lower() == 'fs' or flag[1:].lower() == 'mp':
-+ continue
-+ buf.append(flag)
-+ task.env[flagname] = buf
-+
-+ if link_task and not node in link_task.dep_nodes:
-+ link_task.dep_nodes.append(node)
-+ if not node in task.outputs:
-+ task.outputs.append(node)
-diff --git third_party/waf/waflib/extras/pytest.py third_party/waf/waflib/extras/pytest.py
-index 7dd5a1a087a..fc9ad1c23e4 100644
---- third_party/waf/waflib/extras/pytest.py
-+++ third_party/waf/waflib/extras/pytest.py
-@@ -40,6 +40,8 @@ the following environment variables for the `pytest` test runner:
-
- - `pytest_libpath` attribute is used to manually specify additional linker paths.
-
-+3. Java class search path (CLASSPATH) of any Java/Javalike dependency
-+
- Note: `pytest` cannot automatically determine the correct `PYTHONPATH` for `pyext` taskgens
- because the extension might be part of a Python package or used standalone:
-
-@@ -119,6 +121,7 @@ def pytest_process_use(self):
- self.pytest_use_seen = []
- self.pytest_paths = [] # strings or Nodes
- self.pytest_libpaths = [] # strings or Nodes
-+ self.pytest_javapaths = [] # strings or Nodes
- self.pytest_dep_nodes = []
-
- names = self.to_list(getattr(self, 'use', []))
-@@ -157,6 +160,17 @@ def pytest_process_use(self):
- extend_unique(self.pytest_dep_nodes, tg.source)
- extend_unique(self.pytest_paths, [pypath.abspath()])
-
-+ if 'javac' in tg.features:
-+ # If a JAR is generated point to that, otherwise to directory
-+ if getattr(tg, 'jar_task', None):
-+ extend_unique(self.pytest_javapaths, [tg.jar_task.outputs[0].abspath()])
-+ else:
-+ extend_unique(self.pytest_javapaths, [tg.path.get_bld()])
-+
-+ # And add respective dependencies if present
-+ if tg.use_lst:
-+ extend_unique(self.pytest_javapaths, tg.use_lst)
-+
- if getattr(tg, 'link_task', None):
- # For tasks with a link_task (C, C++, D et.c.) include their library paths:
- if not isinstance(tg.link_task, ccroot.stlink_task):
-@@ -212,8 +226,9 @@ def make_pytest(self):
- Logs.debug("ut: %s: Adding paths %s=%s", self, var, lst)
- self.ut_env[var] = os.pathsep.join(lst) + os.pathsep + self.ut_env.get(var, '')
-
-- # Prepend dependency paths to PYTHONPATH and LD_LIBRARY_PATH
-+ # Prepend dependency paths to PYTHONPATH, CLASSPATH and LD_LIBRARY_PATH
- add_paths('PYTHONPATH', self.pytest_paths)
-+ add_paths('CLASSPATH', self.pytest_javapaths)
-
- if Utils.is_win32:
- add_paths('PATH', self.pytest_libpaths)
-diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py
-new file mode 100644
-index 00000000000..8b9567faf14
---- /dev/null
-+++ third_party/waf/waflib/extras/wafcache.py
-@@ -0,0 +1,524 @@
-+#! /usr/bin/env python
-+# encoding: utf-8
-+# Thomas Nagy, 2019 (ita)
-+
-+"""
-+Filesystem-based cache system to share and re-use build artifacts
-+
-+Cache access operations (copy to and from) are delegated to
-+independent pre-forked worker subprocesses.
-+
-+The following environment variables may be set:
-+* WAFCACHE: several possibilities:
-+ - File cache:
-+ absolute path of the waf cache (~/.cache/wafcache_user,
-+ where `user` represents the currently logged-in user)
-+ - URL to a cache server, for example:
-+ export WAFCACHE=http://localhost:8080/files/
-+ in that case, GET/POST requests are made to urls of the form
-+ http://localhost:8080/files/000000000/0 (cache management is then up to the server)
-+ - GCS or S3 bucket
-+ gs://my-bucket/
-+ s3://my-bucket/
-+* WAFCACHE_NO_PUSH: if set, disables pushing to the cache
-+* WAFCACHE_VERBOSITY: if set, displays more detailed cache operations
-+
-+File cache specific options:
-+ Files are copied using hard links by default; if the cache is located
-+ onto another partition, the system switches to file copies instead.
-+* WAFCACHE_TRIM_MAX_FOLDER: maximum amount of tasks to cache (1M)
-+* WAFCACHE_EVICT_MAX_BYTES: maximum amount of cache size in bytes (10GB)
-+* WAFCACHE_EVICT_INTERVAL_MINUTES: minimum time interval to try
-+ and trim the cache (3 minutess)
-+Usage::
-+
-+ def build(bld):
-+ bld.load('wafcache')
-+ ...
-+
-+To troubleshoot::
-+
-+ waf clean build --zones=wafcache
-+"""
-+
-+import atexit, base64, errno, fcntl, getpass, os, shutil, sys, time, traceback, urllib3
-+try:
-+ import subprocess32 as subprocess
-+except ImportError:
-+ import subprocess
-+
-+base_cache = os.path.expanduser('~/.cache/')
-+if not os.path.isdir(base_cache):
-+ base_cache = '/tmp/'
-+default_wafcache_dir = os.path.join(base_cache, 'wafcache_' + getpass.getuser())
-+
-+CACHE_DIR = os.environ.get('WAFCACHE', default_wafcache_dir)
-+TRIM_MAX_FOLDERS = int(os.environ.get('WAFCACHE_TRIM_MAX_FOLDER', 1000000))
-+EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3))
-+EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10))
-+WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0
-+WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0
-+OK = "ok"
-+
-+try:
-+ import cPickle
-+except ImportError:
-+ import pickle as cPickle
-+
-+if __name__ != '__main__':
-+ from waflib import Task, Logs, Utils, Build
-+
-+def can_retrieve_cache(self):
-+ """
-+ New method for waf Task classes
-+ """
-+ if not self.outputs:
-+ return False
-+
-+ self.cached = False
-+
-+ sig = self.signature()
-+ ssig = Utils.to_hex(self.uid() + sig)
-+
-+ files_to = [node.abspath() for node in self.outputs]
-+ err = cache_command(ssig, [], files_to)
-+ if err.startswith(OK):
-+ if WAFCACHE_VERBOSITY:
-+ Logs.pprint('CYAN', ' Fetched %r from cache' % files_to)
-+ else:
-+ Logs.debug('wafcache: fetched %r from cache', files_to)
-+ else:
-+ if WAFCACHE_VERBOSITY:
-+ Logs.pprint('YELLOW', ' No cache entry %s' % files_to)
-+ else:
-+ Logs.debug('wafcache: No cache entry %s: %s', files_to, err)
-+ return False
-+
-+ self.cached = True
-+ return True
-+
-+def put_files_cache(self):
-+ """
-+ New method for waf Task classes
-+ """
-+ if WAFCACHE_NO_PUSH or getattr(self, 'cached', None) or not self.outputs:
-+ return
-+
-+ bld = self.generator.bld
-+ sig = self.signature()
-+ ssig = Utils.to_hex(self.uid() + sig)
-+
-+ files_from = [node.abspath() for node in self.outputs]
-+ err = cache_command(ssig, files_from, [])
-+
-+ if err.startswith(OK):
-+ if WAFCACHE_VERBOSITY:
-+ Logs.pprint('CYAN', ' Successfully uploaded %s to cache' % files_from)
-+ else:
-+ Logs.debug('wafcache: Successfully uploaded %r to cache', files_from)
-+ else:
-+ if WAFCACHE_VERBOSITY:
-+ Logs.pprint('RED', ' Error caching step results %s: %s' % (files_from, err))
-+ else:
-+ Logs.debug('wafcache: Error caching results %s: %s', files_from, err)
-+
-+ bld.task_sigs[self.uid()] = self.cache_sig
-+
-+def hash_env_vars(self, env, vars_lst):
-+ """
-+ Reimplement BuildContext.hash_env_vars so that the resulting hash does not depend on local paths
-+ """
-+ if not env.table:
-+ env = env.parent
-+ if not env:
-+ return Utils.SIG_NIL
-+
-+ idx = str(id(env)) + str(vars_lst)
-+ try:
-+ cache = self.cache_env
-+ except AttributeError:
-+ cache = self.cache_env = {}
-+ else:
-+ try:
-+ return self.cache_env[idx]
-+ except KeyError:
-+ pass
-+
-+ v = str([env[a] for a in vars_lst])
-+ v = v.replace(self.srcnode.abspath().__repr__()[:-1], '')
-+ m = Utils.md5()
-+ m.update(v.encode())
-+ ret = m.digest()
-+
-+ Logs.debug('envhash: %r %r', ret, v)
-+
-+ cache[idx] = ret
-+
-+ return ret
-+
-+def uid(self):
-+ """
-+ Reimplement Task.uid() so that the signature does not depend on local paths
-+ """
-+ try:
-+ return self.uid_
-+ except AttributeError:
-+ m = Utils.md5()
-+ src = self.generator.bld.srcnode
-+ up = m.update
-+ up(self.__class__.__name__.encode())
-+ for x in self.inputs + self.outputs:
-+ up(x.path_from(src).encode())
-+ self.uid_ = m.digest()
-+ return self.uid_
-+
-+
-+def make_cached(cls):
-+ """
-+ Enable the waf cache for a given task class
-+ """
-+ if getattr(cls, 'nocache', None) or getattr(cls, 'has_cache', False):
-+ return
-+
-+ m1 = getattr(cls, 'run', None)
-+ def run(self):
-+ if getattr(self, 'nocache', False):
-+ return m1(self)
-+ if self.can_retrieve_cache():
-+ return 0
-+ return m1(self)
-+ cls.run = run
-+
-+ m2 = getattr(cls, 'post_run', None)
-+ def post_run(self):
-+ if getattr(self, 'nocache', False):
-+ return m2(self)
-+ ret = m2(self)
-+ self.put_files_cache()
-+ if hasattr(self, 'chmod'):
-+ for node in self.outputs:
-+ os.chmod(node.abspath(), self.chmod)
-+ return ret
-+ cls.post_run = post_run
-+ cls.has_cache = True
-+
-+process_pool = []
-+def get_process():
-+ """
-+ Returns a worker process that can process waf cache commands
-+ The worker process is assumed to be returned to the process pool when unused
-+ """
-+ try:
-+ return process_pool.pop()
-+ except IndexError:
-+ filepath = os.path.dirname(os.path.abspath(__file__)) + os.sep + 'wafcache.py'
-+ cmd = [sys.executable, '-c', Utils.readf(filepath)]
-+ return subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, bufsize=0)
-+
-+def atexit_pool():
-+ for k in process_pool:
-+ try:
-+ os.kill(k.pid, 9)
-+ except OSError:
-+ pass
-+ else:
-+ k.wait()
-+atexit.register(atexit_pool)
-+
-+def build(bld):
-+ """
-+ Called during the build process to enable file caching
-+ """
-+ if process_pool:
-+ # already called once
-+ return
-+
-+ for x in range(bld.jobs):
-+ process_pool.append(get_process())
-+
-+ Task.Task.can_retrieve_cache = can_retrieve_cache
-+ Task.Task.put_files_cache = put_files_cache
-+ Task.Task.uid = uid
-+ Build.BuildContext.hash_env_vars = hash_env_vars
-+ for x in reversed(list(Task.classes.values())):
-+ make_cached(x)
-+
-+def cache_command(sig, files_from, files_to):
-+ """
-+ Create a command for cache worker processes, returns a pickled
-+ base64-encoded tuple containing the task signature, a list of files to
-+ cache and a list of files files to get from cache (one of the lists
-+ is assumed to be empty)
-+ """
-+ proc = get_process()
-+
-+ obj = base64.b64encode(cPickle.dumps([sig, files_from, files_to]))
-+ proc.stdin.write(obj)
-+ proc.stdin.write('\n'.encode())
-+ proc.stdin.flush()
-+ obj = proc.stdout.readline()
-+ if not obj:
-+ raise OSError('Preforked sub-process %r died' % proc.pid)
-+ process_pool.append(proc)
-+ return cPickle.loads(base64.b64decode(obj))
-+
-+try:
-+ copyfun = os.link
-+except NameError:
-+ copyfun = shutil.copy2
-+
-+def atomic_copy(orig, dest):
-+ """
-+ Copy files to the cache, the operation is atomic for a given file
-+ """
-+ global copyfun
-+ tmp = dest + '.tmp'
-+ up = os.path.dirname(dest)
-+ try:
-+ os.makedirs(up)
-+ except OSError:
-+ pass
-+
-+ try:
-+ copyfun(orig, tmp)
-+ except OSError as e:
-+ if e.errno == errno.EXDEV:
-+ copyfun = shutil.copy2
-+ copyfun(orig, tmp)
-+ else:
-+ raise
-+ os.rename(tmp, dest)
-+
-+def lru_trim():
-+ """
-+ the cache folders take the form:
-+ `CACHE_DIR/0b/0b180f82246d726ece37c8ccd0fb1cde2650d7bfcf122ec1f169079a3bfc0ab9`
-+ they are listed in order of last access, and then removed
-+ until the amount of folders is within TRIM_MAX_FOLDERS and the total space
-+ taken by files is less than EVICT_MAX_BYTES
-+ """
-+ lst = []
-+ for up in os.listdir(CACHE_DIR):
-+ if len(up) == 2:
-+ sub = os.path.join(CACHE_DIR, up)
-+ for hval in os.listdir(sub):
-+ path = os.path.join(sub, hval)
-+
-+ size = 0
-+ for fname in os.listdir(path):
-+ size += os.lstat(os.path.join(path, fname)).st_size
-+ lst.append((os.stat(path).st_mtime, size, path))
-+
-+ lst.sort(key=lambda x: x[0])
-+ lst.reverse()
-+
-+ tot = sum(x[1] for x in lst)
-+ while tot > EVICT_MAX_BYTES or len(lst) > TRIM_MAX_FOLDERS:
-+ _, tmp_size, path = lst.pop()
-+ tot -= tmp_size
-+
-+ tmp = path + '.tmp'
-+ try:
-+ shutil.rmtree(tmp)
-+ except OSError:
-+ pass
-+ try:
-+ os.rename(path, tmp)
-+ except OSError:
-+ sys.stderr.write('Could not rename %r to %r' % (path, tmp))
-+ else:
-+ try:
-+ shutil.rmtree(tmp)
-+ except OSError:
-+ sys.stderr.write('Could not remove %r' % tmp)
-+ sys.stderr.write("Cache trimmed: %r bytes in %r folders left\n" % (tot, len(lst)))
-+
-+
-+def lru_evict():
-+ """
-+ Reduce the cache size
-+ """
-+ lockfile = os.path.join(CACHE_DIR, 'all.lock')
-+ try:
-+ st = os.stat(lockfile)
-+ except EnvironmentError as e:
-+ if e.errno == errno.ENOENT:
-+ with open(lockfile, 'w') as f:
-+ f.write('')
-+ return
-+ else:
-+ raise
-+
-+ if st.st_mtime < time.time() - EVICT_INTERVAL_MINUTES * 60:
-+ # check every EVICT_INTERVAL_MINUTES minutes if the cache is too big
-+ # OCLOEXEC is unnecessary because no processes are spawned
-+ fd = os.open(lockfile, os.O_RDWR | os.O_CREAT, 0o755)
-+ try:
-+ try:
-+ fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
-+ except EnvironmentError:
-+ sys.stderr.write('another process is running!\n')
-+ pass
-+ else:
-+ # now dow the actual cleanup
-+ lru_trim()
-+ os.utime(lockfile, None)
-+ finally:
-+ os.close(fd)
-+
-+class netcache(object):
-+ def __init__(self):
-+ self.http = urllib3.PoolManager()
-+
-+ def url_of(self, sig, i):
-+ return "%s/%s/%s" % (CACHE_DIR, sig, i)
-+
-+ def upload(self, file_path, sig, i):
-+ url = self.url_of(sig, i)
-+ with open(file_path, 'rb') as f:
-+ file_data = f.read()
-+ r = self.http.request('POST', url, timeout=60,
-+ fields={ 'file': ('%s/%s' % (sig, i), file_data), })
-+ if r.status >= 400:
-+ raise OSError("Invalid status %r %r" % (url, r.status))
-+
-+ def download(self, file_path, sig, i):
-+ url = self.url_of(sig, i)
-+ with self.http.request('GET', url, preload_content=False, timeout=60) as inf:
-+ if inf.status >= 400:
-+ raise OSError("Invalid status %r %r" % (url, inf.status))
-+ with open(file_path, 'wb') as out:
-+ shutil.copyfileobj(inf, out)
-+
-+ def copy_to_cache(self, sig, files_from, files_to):
-+ try:
-+ for i, x in enumerate(files_from):
-+ if not os.path.islink(x):
-+ self.upload(x, sig, i)
-+ except Exception:
-+ return traceback.format_exc()
-+ return OK
-+
-+ def copy_from_cache(self, sig, files_from, files_to):
-+ try:
-+ for i, x in enumerate(files_to):
-+ self.download(x, sig, i)
-+ except Exception:
-+ return traceback.format_exc()
-+ return OK
-+
-+class fcache(object):
-+ def __init__(self):
-+ if not os.path.exists(CACHE_DIR):
-+ os.makedirs(CACHE_DIR)
-+ if not os.path.exists(CACHE_DIR):
-+ raise ValueError('Could not initialize the cache directory')
-+
-+ def copy_to_cache(self, sig, files_from, files_to):
-+ """
-+ Copy files to the cache, existing files are overwritten,
-+ and the copy is atomic only for a given file, not for all files
-+ that belong to a given task object
-+ """
-+ try:
-+ for i, x in enumerate(files_from):
-+ dest = os.path.join(CACHE_DIR, sig[:2], sig, str(i))
-+ atomic_copy(x, dest)
-+ except Exception:
-+ return traceback.format_exc()
-+ else:
-+ # attempt trimming if caching was successful:
-+ # we may have things to trim!
-+ lru_evict()
-+ return OK
-+
-+ def copy_from_cache(self, sig, files_from, files_to):
-+ """
-+ Copy files from the cache
-+ """
-+ try:
-+ for i, x in enumerate(files_to):
-+ orig = os.path.join(CACHE_DIR, sig[:2], sig, str(i))
-+ atomic_copy(orig, x)
-+
-+ # success! update the cache time
-+ os.utime(os.path.join(CACHE_DIR, sig[:2], sig), None)
-+ except Exception:
-+ return traceback.format_exc()
-+ return OK
-+
-+class bucket_cache(object):
-+ def bucket_copy(self, source, target):
-+ if CACHE_DIR.startswith('s3://'):
-+ cmd = ['aws', 's3', 'cp', source, target]
-+ else:
-+ cmd = ['gsutil', 'cp', source, target]
-+ proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-+ out, err = proc.communicate()
-+ if proc.returncode:
-+ raise OSError('Error copy %r to %r using: %r (exit %r):\n out:%s\n err:%s' % (
-+ source, target, cmd, proc.returncode, out.decode(), err.decode()))
-+
-+ def copy_to_cache(self, sig, files_from, files_to):
-+ try:
-+ for i, x in enumerate(files_from):
-+ dest = os.path.join(CACHE_DIR, sig[:2], sig, str(i))
-+ self.bucket_copy(x, dest)
-+ except Exception:
-+ return traceback.format_exc()
-+ return OK
-+
-+ def copy_from_cache(self, sig, files_from, files_to):
-+ try:
-+ for i, x in enumerate(files_to):
-+ orig = os.path.join(CACHE_DIR, sig[:2], sig, str(i))
-+ self.bucket_copy(orig, x)
-+ except EnvironmentError:
-+ return traceback.format_exc()
-+ return OK
-+
-+def loop(service):
-+ """
-+ This function is run when this file is run as a standalone python script,
-+ it assumes a parent process that will communicate the commands to it
-+ as pickled-encoded tuples (one line per command)
-+
-+ The commands are to copy files to the cache or copy files from the
-+ cache to a target destination
-+ """
-+ # one operation is performed at a single time by a single process
-+ # therefore stdin never has more than one line
-+ txt = sys.stdin.readline().strip()
-+ if not txt:
-+ # parent process probably ended
-+ sys.exit(1)
-+ ret = OK
-+
-+ [sig, files_from, files_to] = cPickle.loads(base64.b64decode(txt))
-+ if files_from:
-+ # TODO return early when pushing files upstream
-+ ret = service.copy_to_cache(sig, files_from, files_to)
-+ elif files_to:
-+ # the build process waits for workers to (possibly) obtain files from the cache
-+ ret = service.copy_from_cache(sig, files_from, files_to)
-+ else:
-+ ret = "Invalid command"
-+
-+ obj = base64.b64encode(cPickle.dumps(ret))
-+ sys.stdout.write(obj.decode())
-+ sys.stdout.write('\n')
-+ sys.stdout.flush()
-+
-+if __name__ == '__main__':
-+ if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://'):
-+ service = bucket_cache()
-+ elif CACHE_DIR.startswith('http'):
-+ service = netcache()
-+ else:
-+ service = fcache()
-+ while 1:
-+ try:
-+ loop(service)
-+ except KeyboardInterrupt:
-+ break
-+
---
-2.37.3
-
diff --git a/net/samba413/files/patch-waf-2.0.21 b/net/samba413/files/patch-waf-2.0.21
deleted file mode 100644
index 01b2d6e6cafe..000000000000
--- a/net/samba413/files/patch-waf-2.0.21
+++ /dev/null
@@ -1,703 +0,0 @@
-From 6718b5e6d059e5668fc538be802ebd9fbe5ce9af Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Nov 2020 16:29:06 +0100
-Subject: [PATCH] waf: upgrade to 2.0.21
-
-This commit message was wrong:
-
- commit 5fc3a71d0f54b176d3cb2e399718d0468507e797
- Author: David Mulder <dmulder@suse.com>
- Date: Mon Aug 24 13:12:46 2020 -0600
-
- waf: upgrade to 2.0.20
-
- This contain an important change:
- "Fix gccdeps.scan() returning nodes that no longer exist on disk."
- https://gitlab.com/ita1024/waf/-/merge_requests/2293
-
- Signed-off-by: David Mulder <dmulder@suse.com>
- Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-The fix was in in waf master, but not included in 2.0.20,
-but it's now included in 2.0.21.
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
----
- buildtools/bin/waf | 2 +-
- buildtools/wafsamba/wafsamba.py | 2 +-
- third_party/waf/waflib/Build.py | 6 ++-
- third_party/waf/waflib/Context.py | 8 ++--
- third_party/waf/waflib/Tools/asm.py | 5 +-
- third_party/waf/waflib/Tools/c_config.py | 1 +
- third_party/waf/waflib/Tools/msvc.py | 8 +++-
- third_party/waf/waflib/Tools/qt5.py | 26 +++++++++--
- third_party/waf/waflib/Tools/waf_unit_test.py | 10 +++-
- third_party/waf/waflib/extras/boost.py | 5 +-
- .../waf/waflib/extras/c_dumbpreproc.py | 2 +-
- third_party/waf/waflib/extras/doxygen.py | 4 +-
- .../waf/waflib/extras/file_to_object.py | 9 +++-
- third_party/waf/waflib/extras/gccdeps.py | 21 +++++++--
- third_party/waf/waflib/extras/msvcdeps.py | 27 +++++++++--
- third_party/waf/waflib/extras/pch.py | 4 +-
- third_party/waf/waflib/extras/sphinx.py | 40 ++++++++++++----
- third_party/waf/waflib/extras/wafcache.py | 46 +++++++++++++++----
- third_party/waf/waflib/extras/xcode6.py | 18 ++++----
- 19 files changed, 181 insertions(+), 63 deletions(-)
-
-diff --git buildtools/bin/waf buildtools/bin/waf
-index feabe25d131..041450fc131 100755
---- buildtools/bin/waf
-+++ buildtools/bin/waf
-@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
-
- import os, sys, inspect
-
--VERSION="2.0.20"
-+VERSION="2.0.21"
- REVISION="x"
- GIT="x"
- INSTALL="x"
-diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py
-index 9dd6d05b91b..d1baa3b4940 100644
---- buildtools/wafsamba/wafsamba.py
-+++ buildtools/wafsamba/wafsamba.py
-@@ -38,7 +38,7 @@ LIB_PATH="shared"
-
- os.environ['PYTHONUNBUFFERED'] = '1'
-
--if Context.HEXVERSION not in (0x2001400,):
-+if Context.HEXVERSION not in (0x2001500,):
- Logs.error('''
- Please use the version of waf that comes with Samba, not
- a system installed version. See http://wiki.samba.org/index.php/Waf
-diff --git third_party/waf/waflib/Build.py third_party/waf/waflib/Build.py
-index 39f0991918b..52837618577 100644
---- third_party/waf/waflib/Build.py
-+++ third_party/waf/waflib/Build.py
-@@ -753,10 +753,12 @@ class BuildContext(Context.Context):
- else:
- ln = self.launch_node()
- if ln.is_child_of(self.bldnode):
-- Logs.warn('Building from the build directory, forcing --targets=*')
-+ if Logs.verbose > 1:
-+ Logs.warn('Building from the build directory, forcing --targets=*')
- ln = self.srcnode
- elif not ln.is_child_of(self.srcnode):
-- Logs.warn('CWD %s is not under %s, forcing --targets=* (run distclean?)', ln.abspath(), self.srcnode.abspath())
-+ if Logs.verbose > 1:
-+ Logs.warn('CWD %s is not under %s, forcing --targets=* (run distclean?)', ln.abspath(), self.srcnode.abspath())
- ln = self.srcnode
-
- def is_post(tg, ln):
-diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py
-index 3f1b4fa48ab..0ce9df6e91f 100644
---- third_party/waf/waflib/Context.py
-+++ third_party/waf/waflib/Context.py
-@@ -18,13 +18,13 @@ else:
- import imp
-
- # the following 3 constants are updated on each new release (do not touch)
--HEXVERSION=0x2001400
-+HEXVERSION=0x2001500
- """Constant updated on new releases"""
-
--WAFVERSION="2.0.20"
-+WAFVERSION="2.0.21"
- """Constant updated on new releases"""
-
--WAFREVISION="668769470956da8c5b60817cb8884cd7d0f87cd4"
-+WAFREVISION="edde20a6425a5c3eb6b47d5f3f5c4fbc93fed5f4"
- """Git revision when the waf version is updated"""
-
- WAFNAME="waf"
-@@ -530,7 +530,7 @@ class Context(ctx):
- """
- Prints a configuration message of the form ``msg: result``.
- The second part of the message will be in colors. The output
-- can be disabled easly by setting ``in_msg`` to a positive value::
-+ can be disabled easily by setting ``in_msg`` to a positive value::
-
- def configure(conf):
- self.in_msg = 1
-diff --git third_party/waf/waflib/Tools/asm.py third_party/waf/waflib/Tools/asm.py
-index a57e83bb5ec..1d34ddaca7f 100644
---- third_party/waf/waflib/Tools/asm.py
-+++ third_party/waf/waflib/Tools/asm.py
-@@ -56,13 +56,11 @@ class asm(Task.Task):
- Compiles asm files by gas/nasm/yasm/...
- """
- color = 'BLUE'
-- run_str = '${AS} ${ASFLAGS} ${ASMPATH_ST:INCPATHS} ${DEFINES_ST:DEFINES} ${AS_SRC_F}${SRC} ${AS_TGT_F}${TGT}'
-+ run_str = '${AS} ${ASFLAGS} ${ASMPATH_ST:INCPATHS} ${ASMDEFINES_ST:DEFINES} ${AS_SRC_F}${SRC} ${AS_TGT_F}${TGT}'
-
- def scan(self):
- if self.env.ASM_NAME == 'gas':
- return c_preproc.scan(self)
-- Logs.warn('There is no dependency scanner for Nasm!')
-- return [[], []]
- elif self.env.ASM_NAME == 'nasm':
- Logs.warn('The Nasm dependency scanner is incomplete!')
-
-@@ -106,3 +104,4 @@ class asmstlib(stlink_task):
-
- def configure(conf):
- conf.env.ASMPATH_ST = '-I%s'
-+ conf.env.ASMDEFINES_ST = '-D%s'
-diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py
-index 98187fac2e2..03b6bf61bc0 100644
---- third_party/waf/waflib/Tools/c_config.py
-+++ third_party/waf/waflib/Tools/c_config.py
-@@ -68,6 +68,7 @@ MACRO_TO_DEST_CPU = {
- '__s390__' : 's390',
- '__sh__' : 'sh',
- '__xtensa__' : 'xtensa',
-+'__e2k__' : 'e2k',
- }
-
- @conf
-diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py
-index f169c7f441b..37233be8242 100644
---- third_party/waf/waflib/Tools/msvc.py
-+++ third_party/waf/waflib/Tools/msvc.py
-@@ -99,7 +99,13 @@ all_icl_platforms = [ ('intel64', 'amd64'), ('em64t', 'amd64'), ('ia32', 'x86'),
- """List of icl platforms"""
-
- def options(opt):
-- opt.add_option('--msvc_version', type='string', help = 'msvc version, eg: "msvc 10.0,msvc 9.0"', default='')
-+ default_ver = ''
-+ vsver = os.getenv('VSCMD_VER')
-+ if vsver:
-+ m = re.match(r'(^\d+\.\d+).*', vsver)
-+ if m:
-+ default_ver = 'msvc %s' % m.group(1)
-+ opt.add_option('--msvc_version', type='string', help = 'msvc version, eg: "msvc 10.0,msvc 9.0"', default=default_ver)
- opt.add_option('--msvc_targets', type='string', help = 'msvc targets, eg: "x64,arm"', default='')
- opt.add_option('--no-msvc-lazy', action='store_false', help = 'lazily check msvc target environments', default=True, dest='msvc_lazy')
-
-diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py
-index 99e021bae61..cff2028174f 100644
---- third_party/waf/waflib/Tools/qt5.py
-+++ third_party/waf/waflib/Tools/qt5.py
-@@ -57,7 +57,23 @@ A few options (--qt{dir,bin,...}) and environment variables
- (QT5_{ROOT,DIR,MOC,UIC,XCOMPILE}) allow finer tuning of the tool,
- tool path selection, etc; please read the source for more info.
-
--The detection uses pkg-config on Linux by default. To force static library detection use:
-+The detection uses pkg-config on Linux by default. The list of
-+libraries to be requested to pkg-config is formulated by scanning
-+in the QTLIBS directory (that can be passed via --qtlibs or by
-+setting the environment variable QT5_LIBDIR otherwise is derived
-+by querying qmake for QT_INSTALL_LIBS directory) for shared/static
-+libraries present.
-+Alternatively the list of libraries to be requested via pkg-config
-+can be set using the qt5_vars attribute, ie:
-+
-+ conf.qt5_vars = ['Qt5Core', 'Qt5Gui', 'Qt5Widgets', 'Qt5Test'];
-+
-+This can speed up configuration phase if needed libraries are
-+known beforehand, can improve detection on systems with a
-+sparse QT5 libraries installation (ie. NIX) and can improve
-+detection of some header-only Qt modules (ie. Qt5UiPlugin).
-+
-+To force static library detection use:
- QT5_XCOMPILE=1 QT5_FORCE_STATIC=1 waf configure
- """
-
-@@ -466,6 +482,9 @@ def configure(self):
-
- The detection uses the program ``pkg-config`` through :py:func:`waflib.Tools.config_c.check_cfg`
- """
-+ if 'COMPILER_CXX' not in self.env:
-+ self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?')
-+
- self.find_qt5_binaries()
- self.set_qt5_libs_dir()
- self.set_qt5_libs_to_check()
-@@ -478,9 +497,6 @@ def configure(self):
- if not has_xml:
- Logs.error('No xml.sax support was found, rcc dependencies will be incomplete!')
-
-- if 'COMPILER_CXX' not in self.env:
-- self.fatal('No CXX compiler defined: did you forget to configure compiler_cxx first?')
--
- # Qt5 may be compiled with '-reduce-relocations' which requires dependent programs to have -fPIE or -fPIC?
- frag = '#include <QMap>\nint main(int argc, char **argv) {QMap<int,int> m;return m.keys().size();}\n'
- uses = 'QT5CORE'
-@@ -637,7 +653,7 @@ def set_qt5_libs_dir(self):
- except Errors.WafError:
- qtdir = self.cmd_and_log(env.QMAKE + ['-query', 'QT_INSTALL_PREFIX']).strip()
- qtlibs = os.path.join(qtdir, 'lib')
-- self.msg('Found the Qt5 libraries in', qtlibs)
-+ self.msg('Found the Qt5 library path', qtlibs)
- env.QTLIBS = qtlibs
-
- @conf
-diff --git third_party/waf/waflib/Tools/waf_unit_test.py third_party/waf/waflib/Tools/waf_unit_test.py
-index 6ff6f72739f..dc66fe9c184 100644
---- third_party/waf/waflib/Tools/waf_unit_test.py
-+++ third_party/waf/waflib/Tools/waf_unit_test.py
-@@ -97,6 +97,7 @@ def make_interpreted_test(self):
- if isinstance(v, str):
- v = v.split(os.pathsep)
- self.ut_env[k] = os.pathsep.join(p + v)
-+ self.env.append_value('UT_DEPS', ['%r%r' % (key, self.ut_env[key]) for key in self.ut_env])
-
- @feature('test')
- @after_method('apply_link', 'process_use')
-@@ -108,7 +109,8 @@ def make_test(self):
- tsk = self.create_task('utest', self.link_task.outputs)
- if getattr(self, 'ut_str', None):
- self.ut_run, lst = Task.compile_fun(self.ut_str, shell=getattr(self, 'ut_shell', False))
-- tsk.vars = lst + tsk.vars
-+ tsk.vars = tsk.vars + lst
-+ self.env.append_value('UT_DEPS', self.ut_str)
-
- self.handle_ut_cwd('ut_cwd')
-
-@@ -139,6 +141,10 @@ def make_test(self):
- if not hasattr(self, 'ut_cmd'):
- self.ut_cmd = getattr(Options.options, 'testcmd', False)
-
-+ self.env.append_value('UT_DEPS', str(self.ut_cmd))
-+ self.env.append_value('UT_DEPS', self.ut_paths)
-+ self.env.append_value('UT_DEPS', ['%r%r' % (key, self.ut_env[key]) for key in self.ut_env])
-+
- @taskgen_method
- def add_test_results(self, tup):
- """Override and return tup[1] to interrupt the build immediately if a test does not run"""
-@@ -159,7 +165,7 @@ class utest(Task.Task):
- """
- color = 'PINK'
- after = ['vnum', 'inst']
-- vars = []
-+ vars = ['UT_DEPS']
-
- def runnable_status(self):
- """
-diff --git third_party/waf/waflib/extras/boost.py third_party/waf/waflib/extras/boost.py
-index c2aaaa938a2..93b312a1e6e 100644
---- third_party/waf/waflib/extras/boost.py
-+++ third_party/waf/waflib/extras/boost.py
-@@ -270,10 +270,12 @@ def boost_get_libs(self, *k, **kw):
- return file
- return None
-
-+ # extensions from Tools.ccroot.lib_patterns
-+ wo_ext = re.compile(r"\.(a|so|lib|dll|dylib)(\.[0-9\.]+)?$")
- def format_lib_name(name):
- if name.startswith('lib') and self.env.CC_NAME != 'msvc':
- name = name[3:]
-- return name[:name.rfind('.')]
-+ return wo_ext.sub("", name)
-
- def match_libs(lib_names, is_static):
- libs = []
-@@ -522,4 +524,3 @@ def install_boost(self):
- except:
- continue
- install_boost.done = False
--
-diff --git third_party/waf/waflib/extras/c_dumbpreproc.py third_party/waf/waflib/extras/c_dumbpreproc.py
-index ce9e1a400b9..1fdd5c364ae 100644
---- third_party/waf/waflib/extras/c_dumbpreproc.py
-+++ third_party/waf/waflib/extras/c_dumbpreproc.py
-@@ -66,7 +66,7 @@ class dumb_parser(parser):
- if x == c_preproc.POPFILE:
- self.currentnode_stack.pop()
- continue
-- self.tryfind(y)
-+ self.tryfind(y, env=env)
-
- c_preproc.c_parser = dumb_parser
-
-diff --git third_party/waf/waflib/extras/doxygen.py third_party/waf/waflib/extras/doxygen.py
-index de75bc2738a..0fda70361f3 100644
---- third_party/waf/waflib/extras/doxygen.py
-+++ third_party/waf/waflib/extras/doxygen.py
-@@ -208,10 +208,10 @@ def process_doxy(self):
- self.bld.fatal('doxygen file %s not found' % self.doxyfile)
-
- # the task instance
-- dsk = self.create_task('doxygen', node)
-+ dsk = self.create_task('doxygen', node, always_run=getattr(self, 'always', False))
-
- if getattr(self, 'doxy_tar', None):
-- tsk = self.create_task('tar')
-+ tsk = self.create_task('tar', always_run=getattr(self, 'always', False))
- tsk.input_tasks = [dsk]
- tsk.set_outputs(self.path.find_or_declare(self.doxy_tar))
- if self.doxy_tar.endswith('bz2'):
-diff --git third_party/waf/waflib/extras/file_to_object.py third_party/waf/waflib/extras/file_to_object.py
-index 1393b511d63..13d2aef37df 100644
---- third_party/waf/waflib/extras/file_to_object.py
-+++ third_party/waf/waflib/extras/file_to_object.py
-@@ -31,7 +31,7 @@ Known issues:
-
- """
-
--import os
-+import os, sys
- from waflib import Task, TaskGen, Errors
-
- def filename_c_escape(x):
-@@ -95,12 +95,17 @@ class file_to_object_c(Task.Task):
-
- name = "_binary_" + "".join(name)
-
-+ def char_to_num(ch):
-+ if sys.version_info[0] < 3:
-+ return ord(ch)
-+ return ch
-+
- data = self.inputs[0].read('rb')
- lines, line = [], []
- for idx_byte, byte in enumerate(data):
- line.append(byte)
- if len(line) > 15 or idx_byte == size-1:
-- lines.append(", ".join(("0x%02x" % ord(x)) for x in line))
-+ lines.append(", ".join(("0x%02x" % char_to_num(x)) for x in line))
- line = []
- data = ",\n ".join(lines)
-
-diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py
-index c3a809e252a..1fc9373489a 100644
---- third_party/waf/waflib/extras/gccdeps.py
-+++ third_party/waf/waflib/extras/gccdeps.py
-@@ -163,10 +163,25 @@ def post_run(self):
- def sig_implicit_deps(self):
- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
- return super(self.derived_gccdeps, self).sig_implicit_deps()
-+ bld = self.generator.bld
-+
- try:
-- return Task.Task.sig_implicit_deps(self)
-- except Errors.WafError:
-- return Utils.SIG_NIL
-+ return self.compute_sig_implicit_deps()
-+ except Errors.TaskNotReady:
-+ raise ValueError("Please specify the build order precisely with gccdeps (asm/c/c++ tasks)")
-+ except EnvironmentError:
-+ # If a file is renamed, assume the dependencies are stale and must be recalculated
-+ for x in bld.node_deps.get(self.uid(), []):
-+ if not x.is_bld() and not x.exists():
-+ try:
-+ del x.parent.children[x.name]
-+ except KeyError:
-+ pass
-+
-+ key = self.uid()
-+ bld.node_deps[key] = []
-+ bld.raw_deps[key] = []
-+ return Utils.SIG_NIL
-
- def wrap_compiled_task(classname):
- derived_class = type(classname, (Task.classes[classname],), {})
-diff --git third_party/waf/waflib/extras/msvcdeps.py third_party/waf/waflib/extras/msvcdeps.py
-index 873a4193150..52985dce058 100644
---- third_party/waf/waflib/extras/msvcdeps.py
-+++ third_party/waf/waflib/extras/msvcdeps.py
-@@ -150,11 +150,25 @@ def scan(self):
- def sig_implicit_deps(self):
- if self.env.CC_NAME not in supported_compilers:
- return super(self.derived_msvcdeps, self).sig_implicit_deps()
-+ bld = self.generator.bld
-
- try:
-- return Task.Task.sig_implicit_deps(self)
-- except Errors.WafError:
-- return Utils.SIG_NIL
-+ return self.compute_sig_implicit_deps()
-+ except Errors.TaskNotReady:
-+ raise ValueError("Please specify the build order precisely with msvcdeps (c/c++ tasks)")
-+ except EnvironmentError:
-+ # If a file is renamed, assume the dependencies are stale and must be recalculated
-+ for x in bld.node_deps.get(self.uid(), []):
-+ if not x.is_bld() and not x.exists():
-+ try:
-+ del x.parent.children[x.name]
-+ except KeyError:
-+ pass
-+
-+ key = self.uid()
-+ bld.node_deps[key] = []
-+ bld.raw_deps[key] = []
-+ return Utils.SIG_NIL
-
- def exec_command(self, cmd, **kw):
- if self.env.CC_NAME not in supported_compilers:
-@@ -211,11 +225,14 @@ def exec_command(self, cmd, **kw):
- # get one from the exception object
- ret = getattr(e, 'returncode', 1)
-
-+ Logs.debug('msvcdeps: Running for: %s' % self.inputs[0])
- for line in raw_out.splitlines():
- if line.startswith(INCLUDE_PATTERN):
-- inc_path = line[len(INCLUDE_PATTERN):].strip()
-+ # Only strip whitespace after log to preserve
-+ # dependency structure in debug output
-+ inc_path = line[len(INCLUDE_PATTERN):]
- Logs.debug('msvcdeps: Regex matched %s', inc_path)
-- self.msvcdeps_paths.append(inc_path)
-+ self.msvcdeps_paths.append(inc_path.strip())
- else:
- out.append(line)
-
-diff --git third_party/waf/waflib/extras/pch.py third_party/waf/waflib/extras/pch.py
-index 103e752838c..b44c7a2e8fd 100644
---- third_party/waf/waflib/extras/pch.py
-+++ third_party/waf/waflib/extras/pch.py
-@@ -90,7 +90,7 @@ def apply_pch(self):
-
- if getattr(self, 'name', None):
- try:
-- task = self.bld.pch_tasks["%s.%s" % (self.name, self.idx)]
-+ task = self.bld.pch_tasks[self.name]
- self.bld.fatal("Duplicated 'pch' task with name %r" % "%s.%s" % (self.name, self.idx))
- except KeyError:
- pass
-@@ -104,7 +104,7 @@ def apply_pch(self):
-
- self.pch_task = task
- if getattr(self, 'name', None):
-- self.bld.pch_tasks["%s.%s" % (self.name, self.idx)] = task
-+ self.bld.pch_tasks[self.name] = task
-
- @TaskGen.feature('cxx')
- @TaskGen.after_method('process_source', 'propagate_uselib_vars')
-diff --git third_party/waf/waflib/extras/sphinx.py third_party/waf/waflib/extras/sphinx.py
-index ce11110e634..71d1028393b 100644
---- third_party/waf/waflib/extras/sphinx.py
-+++ third_party/waf/waflib/extras/sphinx.py
-@@ -20,7 +20,7 @@ def build(bld):
-
- from waflib.Node import Node
- from waflib import Utils
--from waflib.Task import Task
-+from waflib import Task
- from waflib.TaskGen import feature, after_method
-
-
-@@ -55,13 +55,9 @@ def build_sphinx(self):
- sphinx_build_task.set_outputs(self.path.get_bld())
-
- # the sphinx-build results are in <build + output_format> directory
-- sphinx_output_directory = self.path.get_bld().make_node(self.env.SPHINX_OUTPUT_FORMAT)
-- sphinx_output_directory.mkdir()
-+ self.sphinx_output_directory = self.path.get_bld().make_node(self.env.SPHINX_OUTPUT_FORMAT)
-+ self.sphinx_output_directory.mkdir()
- Utils.def_attrs(self, install_path=get_install_path(self))
-- self.add_install_files(install_to=self.install_path,
-- install_from=sphinx_output_directory.ant_glob('**/*'),
-- cwd=sphinx_output_directory,
-- relative_trick=True)
-
-
- def get_install_path(tg):
-@@ -73,9 +69,37 @@ def get_install_path(tg):
- return tg.env.DOCDIR
-
-
--class SphinxBuildingTask(Task):
-+class SphinxBuildingTask(Task.Task):
- color = 'BOLD'
- run_str = '${SPHINX_BUILD} -M ${SPHINX_OUTPUT_FORMAT} ${SRC} ${TGT} ${SPHINX_OPTIONS}'
-
- def keyword(self):
- return 'Compiling (%s)' % self.env.SPHINX_OUTPUT_FORMAT
-+
-+ def runnable_status(self):
-+
-+ for x in self.run_after:
-+ if not x.hasrun:
-+ return Task.ASK_LATER
-+
-+ self.signature()
-+ ret = Task.Task.runnable_status(self)
-+ if ret == Task.SKIP_ME:
-+ # in case the files were removed
-+ self.add_install()
-+ return ret
-+
-+
-+ def post_run(self):
-+ self.add_install()
-+ return Task.Task.post_run(self)
-+
-+
-+ def add_install(self):
-+ nodes = self.generator.sphinx_output_directory.ant_glob('**/*', quiet=True)
-+ self.outputs += nodes
-+ self.generator.add_install_files(install_to=self.generator.install_path,
-+ install_from=nodes,
-+ postpone=False,
-+ cwd=self.generator.sphinx_output_directory,
-+ relative_trick=True)
-diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py
-index 8b9567faf14..088fd0d098d 100644
---- third_party/waf/waflib/extras/wafcache.py
-+++ third_party/waf/waflib/extras/wafcache.py
-@@ -16,10 +16,19 @@ The following environment variables may be set:
- - URL to a cache server, for example:
- export WAFCACHE=http://localhost:8080/files/
- in that case, GET/POST requests are made to urls of the form
-- http://localhost:8080/files/000000000/0 (cache management is then up to the server)
-- - GCS or S3 bucket
-- gs://my-bucket/
-- s3://my-bucket/
-+ http://localhost:8080/files/000000000/0 (cache management is delegated to the server)
-+ - GCS, S3 or MINIO bucket
-+ gs://my-bucket/ (uses gsutil command line tool or WAFCACHE_CMD)
-+ s3://my-bucket/ (uses aws command line tool or WAFCACHE_CMD)
-+ minio://my-bucket/ (uses mc command line tool or WAFCACHE_CMD)
-+* WAFCACHE_CMD: bucket upload/download command, for example:
-+ WAFCACHE_CMD="gsutil cp %{SRC} %{TGT}"
-+ Note that the WAFCACHE bucket value is used for the source or destination
-+ depending on the operation (upload or download). For example, with:
-+ WAFCACHE="gs://mybucket/"
-+ the following commands may be run:
-+ gsutil cp build/myprogram gs://mybucket/aa/aaaaa/1
-+ gsutil cp gs://mybucket/bb/bbbbb/2 build/somefile
- * WAFCACHE_NO_PUSH: if set, disables pushing to the cache
- * WAFCACHE_VERBOSITY: if set, displays more detailed cache operations
-
-@@ -30,6 +39,7 @@ File cache specific options:
- * WAFCACHE_EVICT_MAX_BYTES: maximum amount of cache size in bytes (10GB)
- * WAFCACHE_EVICT_INTERVAL_MINUTES: minimum time interval to try
- and trim the cache (3 minutess)
-+
- Usage::
-
- def build(bld):
-@@ -41,7 +51,7 @@ To troubleshoot::
- waf clean build --zones=wafcache
- """
-
--import atexit, base64, errno, fcntl, getpass, os, shutil, sys, time, traceback, urllib3
-+import atexit, base64, errno, fcntl, getpass, os, re, shutil, sys, time, traceback, urllib3, shlex
- try:
- import subprocess32 as subprocess
- except ImportError:
-@@ -53,6 +63,7 @@ if not os.path.isdir(base_cache):
- default_wafcache_dir = os.path.join(base_cache, 'wafcache_' + getpass.getuser())
-
- CACHE_DIR = os.environ.get('WAFCACHE', default_wafcache_dir)
-+WAFCACHE_CMD = os.environ.get('WAFCACHE_CMD')
- TRIM_MAX_FOLDERS = int(os.environ.get('WAFCACHE_TRIM_MAX_FOLDER', 1000000))
- EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3))
- EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10))
-@@ -60,6 +71,8 @@ WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0
- WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0
- OK = "ok"
-
-+re_waf_cmd = re.compile('(?P<src>%{SRC})|(?P<tgt>%{TGT})')
-+
- try:
- import cPickle
- except ImportError:
-@@ -233,8 +246,9 @@ def build(bld):
- # already called once
- return
-
-- for x in range(bld.jobs):
-- process_pool.append(get_process())
-+ # pre-allocation
-+ processes = [get_process() for x in range(bld.jobs)]
-+ process_pool.extend(processes)
-
- Task.Task.can_retrieve_cache = can_retrieve_cache
- Task.Task.put_files_cache = put_files_cache
-@@ -449,10 +463,20 @@ class fcache(object):
-
- class bucket_cache(object):
- def bucket_copy(self, source, target):
-- if CACHE_DIR.startswith('s3://'):
-+ if WAFCACHE_CMD:
-+ def replacer(match):
-+ if match.group('src'):
-+ return source
-+ elif match.group('tgt'):
-+ return target
-+ cmd = [re_waf_cmd.sub(replacer, x) for x in shlex.split(WAFCACHE_CMD)]
-+ elif CACHE_DIR.startswith('s3://'):
- cmd = ['aws', 's3', 'cp', source, target]
-- else:
-+ elif CACHE_DIR.startswith('gs://'):
- cmd = ['gsutil', 'cp', source, target]
-+ else:
-+ cmd = ['mc', 'cp', source, target]
-+
- proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- out, err = proc.communicate()
- if proc.returncode:
-@@ -510,7 +534,9 @@ def loop(service):
- sys.stdout.flush()
-
- if __name__ == '__main__':
-- if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://'):
-+ if CACHE_DIR.startswith('s3://') or CACHE_DIR.startswith('gs://') or CACHE_DIR.startswith('minio://'):
-+ if CACHE_DIR.startswith('minio://'):
-+ CACHE_DIR = CACHE_DIR[8:] # minio doesn't need the protocol part, uses config aliases
- service = bucket_cache()
- elif CACHE_DIR.startswith('http'):
- service = netcache()
-diff --git third_party/waf/waflib/extras/xcode6.py third_party/waf/waflib/extras/xcode6.py
-index 91bbff181ec..c5b309120c9 100644
---- third_party/waf/waflib/extras/xcode6.py
-+++ third_party/waf/waflib/extras/xcode6.py
-@@ -99,7 +99,7 @@ env.PROJ_CONFIGURATION = {
- ...
- }
- 'Release': {
-- 'ARCHS' x86_64'
-+ 'ARCHS': x86_64'
- ...
- }
- }
-@@ -163,12 +163,12 @@ class XCodeNode(object):
- result = result + "\t\t}"
- return result
- elif isinstance(value, str):
-- return "\"%s\"" % value
-+ return '"%s"' % value.replace('"', '\\\\\\"')
- elif isinstance(value, list):
- result = "(\n"
- for i in value:
-- result = result + "\t\t\t%s,\n" % self.tostring(i)
-- result = result + "\t\t)"
-+ result = result + "\t\t\t\t%s,\n" % self.tostring(i)
-+ result = result + "\t\t\t)"
- return result
- elif isinstance(value, XCodeNode):
- return value._id
-@@ -565,13 +565,13 @@ def process_xcode(self):
- # Override target specific build settings
- bldsettings = {
- 'HEADER_SEARCH_PATHS': ['$(inherited)'] + self.env['INCPATHS'],
-- 'LIBRARY_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.LIBPATH) + Utils.to_list(self.env.STLIBPATH) + Utils.to_list(self.env.LIBDIR) ,
-+ 'LIBRARY_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.LIBPATH) + Utils.to_list(self.env.STLIBPATH) + Utils.to_list(self.env.LIBDIR),
- 'FRAMEWORK_SEARCH_PATHS': ['$(inherited)'] + Utils.to_list(self.env.FRAMEWORKPATH),
-- 'OTHER_LDFLAGS': libs + ' ' + frameworks,
-- 'OTHER_LIBTOOLFLAGS': bld.env['LINKFLAGS'],
-+ 'OTHER_LDFLAGS': libs + ' ' + frameworks + ' ' + ' '.join(bld.env['LINKFLAGS']),
- 'OTHER_CPLUSPLUSFLAGS': Utils.to_list(self.env['CXXFLAGS']),
- 'OTHER_CFLAGS': Utils.to_list(self.env['CFLAGS']),
-- 'INSTALL_PATH': []
-+ 'INSTALL_PATH': [],
-+ 'GCC_PREPROCESSOR_DEFINITIONS': self.env['DEFINES']
- }
-
- # Install path
-@@ -591,7 +591,7 @@ def process_xcode(self):
-
- # The keys represents different build configuration, e.g. Debug, Release and so on..
- # Insert our generated build settings to all configuration names
-- keys = set(settings.keys() + bld.env.PROJ_CONFIGURATION.keys())
-+ keys = set(settings.keys()) | set(bld.env.PROJ_CONFIGURATION.keys())
- for k in keys:
- if k in settings:
- settings[k].update(bldsettings)
---
-2.37.3
-
diff --git a/net/samba413/files/patch-waf-2.0.22 b/net/samba413/files/patch-waf-2.0.22
deleted file mode 100644
index db3c8edff8d3..000000000000
--- a/net/samba413/files/patch-waf-2.0.22
+++ /dev/null
@@ -1,596 +0,0 @@
-From 59ed09928541d40df72592419247add608a54aca Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 25 Aug 2021 15:34:58 +0200
-Subject: [PATCH] third_party: Update waf to version 2.0.22
-
-New in waf 2.0.22
-
-* Fix stdin propagation with faulty vcvarsall scripts #2315
-* Enable mixing Unix-style paths with destdir on Windows platforms #2337
-* Fix shell escaping unit test parameters #2314
-* Improve extras/clang_compilation_database and extras/swig compatibility #2336
-* Propagate C++ flags to the Cuda compiler in extras/cuda #2311
-* Fix detection of Qt 5.0.0 (preparation for Qt6) #2331
-* Enable Haxe processing #2308
-* Fix regression in MACOSX_DEPLOYMENT_TARGET caused by distutils #2330
-* Fix extras/wafcache concurrent trimming issues #2312
-* Fix extras/wafcache symlink handling #2327
-
-The import was done like this:
-
-./third_party/waf/update.sh
-
-Then changing buildtools/bin/waf and buildtools/wafsamba/wafsamba.py
-by hand.
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
-Autobuild-Date(master): Thu Sep 2 21:22:17 UTC 2021 on sn-devel-184
----
- buildtools/bin/waf | 2 +-
- buildtools/wafsamba/wafsamba.py | 2 +-
- third_party/waf/waflib/Build.py | 4 +-
- third_party/waf/waflib/Context.py | 6 +-
- third_party/waf/waflib/Tools/msvc.py | 2 +-
- third_party/waf/waflib/Tools/python.py | 2 +-
- third_party/waf/waflib/Tools/qt5.py | 6 +-
- third_party/waf/waflib/Tools/waf_unit_test.py | 2 +-
- third_party/waf/waflib/Utils.py | 15 +-
- .../extras/clang_compilation_database.py | 28 ++--
- third_party/waf/waflib/extras/haxe.py | 131 ++++++++++++++++++
- third_party/waf/waflib/extras/wafcache.py | 59 ++++++--
- 12 files changed, 215 insertions(+), 44 deletions(-)
- create mode 100644 third_party/waf/waflib/extras/haxe.py
-
-diff --git buildtools/bin/waf buildtools/bin/waf
-index 041450fc131..b0ccb09a877 100755
---- buildtools/bin/waf
-+++ buildtools/bin/waf
-@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
-
- import os, sys, inspect
-
--VERSION="2.0.21"
-+VERSION="2.0.22"
- REVISION="x"
- GIT="x"
- INSTALL="x"
-diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py
-index 4fe9daf160e..dee007bf84e 100644
---- buildtools/wafsamba/wafsamba.py
-+++ buildtools/wafsamba/wafsamba.py
-@@ -38,7 +38,7 @@ LIB_PATH="shared"
-
- os.environ['PYTHONUNBUFFERED'] = '1'
-
--if Context.HEXVERSION not in (0x2001500,):
-+if Context.HEXVERSION not in (0x2001600,):
- Logs.error('''
- Please use the version of waf that comes with Samba, not
- a system installed version. See http://wiki.samba.org/index.php/Waf
-diff --git third_party/waf/waflib/Build.py third_party/waf/waflib/Build.py
-index 52837618577..b49dd8302b1 100644
---- third_party/waf/waflib/Build.py
-+++ third_party/waf/waflib/Build.py
-@@ -1066,9 +1066,9 @@ class inst(Task.Task):
- else:
- dest = os.path.normpath(Utils.subst_vars(self.install_to, self.env))
- if not os.path.isabs(dest):
-- dest = os.path.join(self.env.PREFIX, dest)
-+ dest = os.path.join(self.env.PREFIX, dest)
- if destdir and Options.options.destdir:
-- dest = os.path.join(Options.options.destdir, os.path.splitdrive(dest)[1].lstrip(os.sep))
-+ dest = Options.options.destdir.rstrip(os.sep) + os.sep + os.path.splitdrive(dest)[1].lstrip(os.sep)
- return dest
-
- def copy_fun(self, src, tgt):
-diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py
-index 0ce9df6e91f..07ee1201f03 100644
---- third_party/waf/waflib/Context.py
-+++ third_party/waf/waflib/Context.py
-@@ -18,13 +18,13 @@ else:
- import imp
-
- # the following 3 constants are updated on each new release (do not touch)
--HEXVERSION=0x2001500
-+HEXVERSION=0x2001600
- """Constant updated on new releases"""
-
--WAFVERSION="2.0.21"
-+WAFVERSION="2.0.22"
- """Constant updated on new releases"""
-
--WAFREVISION="edde20a6425a5c3eb6b47d5f3f5c4fbc93fed5f4"
-+WAFREVISION="816d5bc48ba2abc4ac22f2b44d94d322bf992b9c"
- """Git revision when the waf version is updated"""
-
- WAFNAME="waf"
-diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py
-index 37233be8242..0c4703aaee9 100644
---- third_party/waf/waflib/Tools/msvc.py
-+++ third_party/waf/waflib/Tools/msvc.py
-@@ -193,7 +193,7 @@ echo PATH=%%PATH%%
- echo INCLUDE=%%INCLUDE%%
- echo LIB=%%LIB%%;%%LIBPATH%%
- """ % (vcvars,target))
-- sout = conf.cmd_and_log(['cmd.exe', '/E:on', '/V:on', '/C', batfile.abspath()])
-+ sout = conf.cmd_and_log(['cmd.exe', '/E:on', '/V:on', '/C', batfile.abspath()], stdin=getattr(Utils.subprocess, 'DEVNULL', None))
- lines = sout.splitlines()
-
- if not lines[0]:
-diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py
-index b1c8dd01285..07442561dff 100644
---- third_party/waf/waflib/Tools/python.py
-+++ third_party/waf/waflib/Tools/python.py
-@@ -327,7 +327,7 @@ def check_python_headers(conf, features='pyembed pyext'):
- dct = dict(zip(v, lst))
- x = 'MACOSX_DEPLOYMENT_TARGET'
- if dct[x]:
-- env[x] = conf.environ[x] = dct[x]
-+ env[x] = conf.environ[x] = str(dct[x])
- env.pyext_PATTERN = '%s' + dct['SO'] # not a mistake
-
-
-diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py
-index cff2028174f..82c83e18c8a 100644
---- third_party/waf/waflib/Tools/qt5.py
-+++ third_party/waf/waflib/Tools/qt5.py
-@@ -566,7 +566,7 @@ def find_qt5_binaries(self):
- # at the end, try to find qmake in the paths given
- # keep the one with the highest version
- cand = None
-- prev_ver = ['5', '0', '0']
-+ prev_ver = ['0', '0', '0']
- for qmk in ('qmake-qt5', 'qmake5', 'qmake'):
- try:
- qmake = self.find_program(qmk, path_list=paths)
-@@ -580,7 +580,7 @@ def find_qt5_binaries(self):
- else:
- if version:
- new_ver = version.split('.')
-- if new_ver > prev_ver:
-+ if new_ver[0] == '5' and new_ver > prev_ver:
- cand = qmake
- prev_ver = new_ver
-
-@@ -783,7 +783,7 @@ def set_qt5_libs_to_check(self):
- pat = self.env.cxxstlib_PATTERN
- if Utils.unversioned_sys_platform() == 'darwin':
- pat = r"%s\.framework"
-- re_qt = re.compile(pat%'Qt5?(?P<name>.*)'+'$')
-+ re_qt = re.compile(pat % 'Qt5?(?P<name>\\D+)' + '$')
- for x in dirlst:
- m = re_qt.match(x)
- if m:
-diff --git third_party/waf/waflib/Tools/waf_unit_test.py third_party/waf/waflib/Tools/waf_unit_test.py
-index dc66fe9c184..8cff89bdeb9 100644
---- third_party/waf/waflib/Tools/waf_unit_test.py
-+++ third_party/waf/waflib/Tools/waf_unit_test.py
-@@ -206,7 +206,7 @@ class utest(Task.Task):
- self.ut_exec = getattr(self.generator, 'ut_exec', [self.inputs[0].abspath()])
- ut_cmd = getattr(self.generator, 'ut_cmd', False)
- if ut_cmd:
-- self.ut_exec = shlex.split(ut_cmd % ' '.join(self.ut_exec))
-+ self.ut_exec = shlex.split(ut_cmd % Utils.shell_escape(self.ut_exec))
-
- return self.exec_command(self.ut_exec)
-
-diff --git third_party/waf/waflib/Utils.py third_party/waf/waflib/Utils.py
-index fc64fa05154..669490ca908 100644
---- third_party/waf/waflib/Utils.py
-+++ third_party/waf/waflib/Utils.py
-@@ -11,7 +11,7 @@ through Python versions 2.5 to 3.X and across different platforms (win32, linux,
-
- from __future__ import with_statement
-
--import atexit, os, sys, errno, inspect, re, datetime, platform, base64, signal, functools, time
-+import atexit, os, sys, errno, inspect, re, datetime, platform, base64, signal, functools, time, shlex
-
- try:
- import cPickle
-@@ -577,10 +577,13 @@ def quote_define_name(s):
- fu = fu.upper()
- return fu
-
--re_sh = re.compile('\\s|\'|"')
--"""
--Regexp used for shell_escape below
--"""
-+# shlex.quote didn't exist until python 3.3. Prior to that it was a non-documented
-+# function in pipes.
-+try:
-+ shell_quote = shlex.quote
-+except AttributeError:
-+ import pipes
-+ shell_quote = pipes.quote
-
- def shell_escape(cmd):
- """
-@@ -589,7 +592,7 @@ def shell_escape(cmd):
- """
- if isinstance(cmd, str):
- return cmd
-- return ' '.join(repr(x) if re_sh.search(x) else x for x in cmd)
-+ return ' '.join(shell_quote(x) for x in cmd)
-
- def h_list(lst):
- """
-diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py
-index ff71f22ecfd..17f66949376 100644
---- third_party/waf/waflib/extras/clang_compilation_database.py
-+++ third_party/waf/waflib/extras/clang_compilation_database.py
-@@ -29,22 +29,9 @@ from waflib import Logs, TaskGen, Task, Build, Scripting
-
- Task.Task.keep_last_cmd = True
-
--@TaskGen.feature('c', 'cxx')
--@TaskGen.after_method('process_use')
--def collect_compilation_db_tasks(self):
-- "Add a compilation database entry for compiled tasks"
-- if not isinstance(self.bld, ClangDbContext):
-- return
--
-- tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y)
-- for task in getattr(self, 'compiled_tasks', []):
-- if isinstance(task, tup):
-- self.bld.clang_compilation_database_tasks.append(task)
--
- class ClangDbContext(Build.BuildContext):
- '''generates compile_commands.json by request'''
- cmd = 'clangdb'
-- clang_compilation_database_tasks = []
-
- def write_compilation_database(self):
- """
-@@ -78,6 +65,8 @@ class ClangDbContext(Build.BuildContext):
- Build dry run
- """
- self.restore()
-+ self.cur_tasks = []
-+ self.clang_compilation_database_tasks = []
-
- if not self.all_envs:
- self.load_envs()
-@@ -103,8 +92,21 @@ class ClangDbContext(Build.BuildContext):
- lst = [tg]
- else: lst = tg.tasks
- for tsk in lst:
-+ if tsk.__class__.__name__ == "swig":
-+ tsk.runnable_status()
-+ if hasattr(tsk, 'more_tasks'):
-+ lst.extend(tsk.more_tasks)
-+ # Not all dynamic tasks can be processed, in some cases
-+ # one may have to call the method "run()" like this:
-+ #elif tsk.__class__.__name__ == 'src2c':
-+ # tsk.run()
-+ # if hasattr(tsk, 'more_tasks'):
-+ # lst.extend(tsk.more_tasks)
-+
- tup = tuple(y for y in [Task.classes.get(x) for x in ('c', 'cxx')] if y)
- if isinstance(tsk, tup):
-+ self.clang_compilation_database_tasks.append(tsk)
-+ tsk.nocache = True
- old_exec = tsk.exec_command
- tsk.exec_command = exec_command
- tsk.run()
-diff --git third_party/waf/waflib/extras/haxe.py third_party/waf/waflib/extras/haxe.py
-new file mode 100644
-index 00000000000..cb3ba6a949c
---- /dev/null
-+++ third_party/waf/waflib/extras/haxe.py
-@@ -0,0 +1,131 @@
-+import os, re
-+from waflib import Utils, Task, Errors
-+from waflib.TaskGen import extension, taskgen_method, feature
-+from waflib.Configure import conf
-+
-+@conf
-+def libname_haxe(self, libname):
-+ return libname
-+
-+@conf
-+def check_lib_haxe(self, libname, uselib_store=None):
-+ haxe_libs = [node.name for node in self.root.find_node('haxe_libraries').ant_glob()]
-+ changed = False
-+ self.start_msg('Checking for library %s' % libname)
-+ if libname + '.hxml' in haxe_libs:
-+ self.end_msg('yes')
-+ else:
-+ changed = True
-+ try:
-+ cmd = self.env.LIX + ['+lib', libname]
-+ res = self.cmd_and_log(cmd)
-+ if (res):
-+ raise Errors.WafError(res)
-+ else:
-+ self.end_msg('downloaded', color = 'YELLOW')
-+ except Errors.WafError as e:
-+ self.end_msg('no', color = 'RED')
-+ self.fatal('Getting %s has failed' % libname)
-+
-+ postfix = uselib_store if uselib_store else libname.upper()
-+ self.env['LIB_' + postfix] += [self.libname_haxe(libname)]
-+ return changed
-+
-+@conf
-+def check_libs_haxe(self, libnames, uselib_store=None):
-+ changed = False
-+ for libname in Utils.to_list(libnames):
-+ if self.check_lib_haxe(libname, uselib_store):
-+ changed = True
-+ return changed
-+
-+@conf
-+def ensure_lix_pkg(self, *k, **kw):
-+ if kw.get('compiler') == 'hx':
-+ if isinstance(kw.get('libs'), list) and len(kw.get('libs')):
-+ changed = self.check_libs_haxe(kw.get('libs'), kw.get('uselib_store'))
-+ if changed:
-+ try:
-+ cmd = self.env.LIX + ['download']
-+ res = self.cmd_and_log(cmd)
-+ if (res):
-+ raise Errors.WafError(res)
-+ except Errors.WafError as e:
-+ self.fatal('lix download has failed')
-+ else:
-+ self.check_lib_haxe(kw.get('lib'), kw.get('uselib_store'))
-+
-+@conf
-+def haxe(bld, *k, **kw):
-+ task_gen = bld(*k, **kw)
-+
-+class haxe(Task.Task):
-+ vars = ['HAXE', 'HAXE_VERSION', 'HAXEFLAGS']
-+ ext_out = ['.hl', '.c', '.h']
-+
-+ def run(self):
-+ cmd = self.env.HAXE + self.env.HAXEFLAGS
-+ return self.exec_command(cmd, stdout = open(os.devnull, 'w'))
-+
-+@taskgen_method
-+def init_haxe_task(self, node):
-+ def addflags(flags):
-+ self.env.append_value('HAXEFLAGS', flags)
-+
-+ if node.suffix() == '.hxml':
-+ addflags(self.path.abspath() + '/' + node.name)
-+ else:
-+ addflags(['-main', node.name])
-+ addflags(['-hl', self.path.get_bld().make_node(self.target).abspath()])
-+ addflags(['-cp', self.path.abspath()])
-+ addflags(['-D', 'resourcesPath=%s' % getattr(self, 'res', '')])
-+ if hasattr(self, 'use'):
-+ for dep in self.use:
-+ if self.env['LIB_' + dep]:
-+ for lib in self.env['LIB_' + dep]: addflags(['-lib', lib])
-+
-+@extension('.hx', '.hxml')
-+def haxe_file(self, node):
-+ if len(self.source) > 1:
-+ self.bld.fatal('Use separate task generators for multiple files')
-+
-+ try:
-+ haxetask = self.haxetask
-+ except AttributeError:
-+ haxetask = self.haxetask = self.create_task('haxe')
-+ self.init_haxe_task(node)
-+
-+ haxetask.inputs.append(node)
-+ haxetask.outputs.append(self.path.get_bld().make_node(self.target))
-+
-+@conf
-+def find_haxe(self, min_version):
-+ npx = self.env.NPX = self.find_program('npx')
-+ self.env.LIX = npx + ['lix']
-+ npx_haxe = self.env.HAXE = npx + ['haxe']
-+ try:
-+ output = self.cmd_and_log(npx_haxe + ['-version'])
-+ except Errors.WafError:
-+ haxe_version = None
-+ else:
-+ ver = re.search(r'\d+.\d+.\d+', output).group().split('.')
-+ haxe_version = tuple([int(x) for x in ver])
-+
-+ self.msg('Checking for haxe version',
-+ haxe_version, haxe_version and haxe_version >= min_version)
-+ if npx_haxe and haxe_version < min_version:
-+ self.fatal('haxe version %r is too old, need >= %r' % (haxe_version, min_version))
-+
-+ self.env.HAXE_VERSION = haxe_version
-+ return npx_haxe
-+
-+@conf
-+def check_haxe(self, min_version=(4,1,4)):
-+ if self.env.HAXE_MINVER:
-+ min_version = self.env.HAXE_MINVER
-+ find_haxe(self, min_version)
-+
-+def configure(self):
-+ self.env.HAXEFLAGS = []
-+ self.check_haxe()
-+ self.add_os_flags('HAXEFLAGS', dup = False)
-diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py
-index 088fd0d098d..cc23fcd6673 100644
---- third_party/waf/waflib/extras/wafcache.py
-+++ third_party/waf/waflib/extras/wafcache.py
-@@ -31,6 +31,7 @@ The following environment variables may be set:
- gsutil cp gs://mybucket/bb/bbbbb/2 build/somefile
- * WAFCACHE_NO_PUSH: if set, disables pushing to the cache
- * WAFCACHE_VERBOSITY: if set, displays more detailed cache operations
-+* WAFCACHE_STATS: if set, displays cache usage statistics on exit
-
- File cache specific options:
- Files are copied using hard links by default; if the cache is located
-@@ -69,6 +70,7 @@ EVICT_INTERVAL_MINUTES = int(os.environ.get('WAFCACHE_EVICT_INTERVAL_MINUTES', 3
- EVICT_MAX_BYTES = int(os.environ.get('WAFCACHE_EVICT_MAX_BYTES', 10**10))
- WAFCACHE_NO_PUSH = 1 if os.environ.get('WAFCACHE_NO_PUSH') else 0
- WAFCACHE_VERBOSITY = 1 if os.environ.get('WAFCACHE_VERBOSITY') else 0
-+WAFCACHE_STATS = 1 if os.environ.get('WAFCACHE_STATS') else 0
- OK = "ok"
-
- re_waf_cmd = re.compile('(?P<src>%{SRC})|(?P<tgt>%{TGT})')
-@@ -93,6 +95,9 @@ def can_retrieve_cache(self):
- sig = self.signature()
- ssig = Utils.to_hex(self.uid() + sig)
-
-+ if WAFCACHE_STATS:
-+ self.generator.bld.cache_reqs += 1
-+
- files_to = [node.abspath() for node in self.outputs]
- err = cache_command(ssig, [], files_to)
- if err.startswith(OK):
-@@ -100,6 +105,8 @@ def can_retrieve_cache(self):
- Logs.pprint('CYAN', ' Fetched %r from cache' % files_to)
- else:
- Logs.debug('wafcache: fetched %r from cache', files_to)
-+ if WAFCACHE_STATS:
-+ self.generator.bld.cache_hits += 1
- else:
- if WAFCACHE_VERBOSITY:
- Logs.pprint('YELLOW', ' No cache entry %s' % files_to)
-@@ -117,11 +124,17 @@ def put_files_cache(self):
- if WAFCACHE_NO_PUSH or getattr(self, 'cached', None) or not self.outputs:
- return
-
-+ files_from = []
-+ for node in self.outputs:
-+ path = node.abspath()
-+ if not os.path.isfile(path):
-+ return
-+ files_from.append(path)
-+
- bld = self.generator.bld
- sig = self.signature()
- ssig = Utils.to_hex(self.uid() + sig)
-
-- files_from = [node.abspath() for node in self.outputs]
- err = cache_command(ssig, files_from, [])
-
- if err.startswith(OK):
-@@ -129,6 +142,8 @@ def put_files_cache(self):
- Logs.pprint('CYAN', ' Successfully uploaded %s to cache' % files_from)
- else:
- Logs.debug('wafcache: Successfully uploaded %r to cache', files_from)
-+ if WAFCACHE_STATS:
-+ self.generator.bld.cache_puts += 1
- else:
- if WAFCACHE_VERBOSITY:
- Logs.pprint('RED', ' Error caching step results %s: %s' % (files_from, err))
-@@ -193,6 +208,10 @@ def make_cached(cls):
- if getattr(cls, 'nocache', None) or getattr(cls, 'has_cache', False):
- return
-
-+ full_name = "%s.%s" % (cls.__module__, cls.__name__)
-+ if full_name in ('waflib.Tools.ccroot.vnum', 'waflib.Build.inst'):
-+ return
-+
- m1 = getattr(cls, 'run', None)
- def run(self):
- if getattr(self, 'nocache', False):
-@@ -208,9 +227,6 @@ def make_cached(cls):
- return m2(self)
- ret = m2(self)
- self.put_files_cache()
-- if hasattr(self, 'chmod'):
-- for node in self.outputs:
-- os.chmod(node.abspath(), self.chmod)
- return ret
- cls.post_run = post_run
- cls.has_cache = True
-@@ -257,6 +273,19 @@ def build(bld):
- for x in reversed(list(Task.classes.values())):
- make_cached(x)
-
-+ if WAFCACHE_STATS:
-+ # Init counter for statistics and hook to print results at the end
-+ bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0
-+
-+ def printstats(bld):
-+ hit_ratio = 0
-+ if bld.cache_reqs > 0:
-+ hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100
-+ Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' %
-+ (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) )
-+
-+ bld.add_post_fun(printstats)
-+
- def cache_command(sig, files_from, files_to):
- """
- Create a command for cache worker processes, returns a pickled
-@@ -320,7 +349,10 @@ def lru_trim():
-
- size = 0
- for fname in os.listdir(path):
-- size += os.lstat(os.path.join(path, fname)).st_size
-+ try:
-+ size += os.lstat(os.path.join(path, fname)).st_size
-+ except OSError:
-+ pass
- lst.append((os.stat(path).st_mtime, size, path))
-
- lst.sort(key=lambda x: x[0])
-@@ -331,7 +363,7 @@ def lru_trim():
- _, tmp_size, path = lst.pop()
- tot -= tmp_size
-
-- tmp = path + '.tmp'
-+ tmp = path + '.remove'
- try:
- shutil.rmtree(tmp)
- except OSError:
-@@ -339,12 +371,12 @@ def lru_trim():
- try:
- os.rename(path, tmp)
- except OSError:
-- sys.stderr.write('Could not rename %r to %r' % (path, tmp))
-+ sys.stderr.write('Could not rename %r to %r\n' % (path, tmp))
- else:
- try:
- shutil.rmtree(tmp)
- except OSError:
-- sys.stderr.write('Could not remove %r' % tmp)
-+ sys.stderr.write('Could not remove %r\n' % tmp)
- sys.stderr.write("Cache trimmed: %r bytes in %r folders left\n" % (tot, len(lst)))
-
-
-@@ -371,8 +403,8 @@ def lru_evict():
- try:
- fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
- except EnvironmentError:
-- sys.stderr.write('another process is running!\n')
-- pass
-+ if WAFCACHE_VERBOSITY:
-+ sys.stderr.write('wafcache: another cleaning process is running\n')
- else:
- # now dow the actual cleanup
- lru_trim()
-@@ -443,7 +475,10 @@ class fcache(object):
- else:
- # attempt trimming if caching was successful:
- # we may have things to trim!
-- lru_evict()
-+ try:
-+ lru_evict()
-+ except Exception:
-+ return traceback.format_exc()
- return OK
-
- def copy_from_cache(self, sig, files_from, files_to):
-@@ -481,7 +516,7 @@ class bucket_cache(object):
- out, err = proc.communicate()
- if proc.returncode:
- raise OSError('Error copy %r to %r using: %r (exit %r):\n out:%s\n err:%s' % (
-- source, target, cmd, proc.returncode, out.decode(), err.decode()))
-+ source, target, cmd, proc.returncode, out.decode(errors='replace'), err.decode(errors='replace')))
-
- def copy_to_cache(self, sig, files_from, files_to):
- try:
---
-2.37.3
-
diff --git a/net/samba413/files/patch-waf-2.0.23 b/net/samba413/files/patch-waf-2.0.23
deleted file mode 100644
index 36a70e32e8c3..000000000000
--- a/net/samba413/files/patch-waf-2.0.23
+++ /dev/null
@@ -1,877 +0,0 @@
-From fb175576b698f43224dab815fd6c0763a12db2b2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 17 Feb 2022 15:40:20 +0100
-Subject: [PATCH] third_party: Update waf to verison 2.0.23
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Mon Feb 21 10:06:27 UTC 2022 on sn-devel-184
----
- buildtools/bin/waf | 3 +-
- buildtools/wafsamba/wafsamba.py | 2 +-
- third_party/waf/waflib/Context.py | 6 +-
- third_party/waf/waflib/Runner.py | 4 +-
- third_party/waf/waflib/TaskGen.py | 8 +-
- third_party/waf/waflib/Tools/c_config.py | 1 +
- third_party/waf/waflib/Tools/compiler_c.py | 25 +++---
- third_party/waf/waflib/Tools/compiler_cxx.py | 25 +++---
- third_party/waf/waflib/Tools/python.py | 7 +-
- third_party/waf/waflib/Tools/qt5.py | 4 +-
- third_party/waf/waflib/Tools/winres.py | 35 ++++++++
- .../extras/clang_compilation_database.py | 2 +-
- .../waf/waflib/extras/classic_runner.py | 68 +++++++++++++++
- third_party/waf/waflib/extras/color_gcc.py | 2 +-
- third_party/waf/waflib/extras/eclipse.py | 74 ++++++++++++++++-
- third_party/waf/waflib/extras/gccdeps.py | 82 ++++++++++---------
- third_party/waf/waflib/extras/msvcdeps.py | 54 ++++++++----
- third_party/waf/waflib/extras/msvs.py | 6 +-
- third_party/waf/waflib/extras/swig.py | 2 +-
- third_party/waf/waflib/extras/wafcache.py | 26 +++---
- third_party/waf/waflib/fixpy2.py | 2 +-
- 21 files changed, 325 insertions(+), 113 deletions(-)
- create mode 100644 third_party/waf/waflib/extras/classic_runner.py
-
-diff --git buildtools/bin/waf buildtools/bin/waf
-index b0ccb09a877..2001ccdbd8a 100755
---- buildtools/bin/waf
-+++ buildtools/bin/waf
-@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
-
- import os, sys, inspect
-
--VERSION="2.0.22"
-+VERSION="2.0.23"
- REVISION="x"
- GIT="x"
- INSTALL="x"
-@@ -164,4 +164,3 @@ if __name__ == '__main__':
-
- from waflib import Scripting
- Scripting.waf_entry_point(cwd, VERSION, wafdir[0])
--
-diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py
-index 185ef3b73a2..710b82af663 100644
---- buildtools/wafsamba/wafsamba.py
-+++ buildtools/wafsamba/wafsamba.py
-@@ -38,7 +38,7 @@ LIB_PATH="shared"
-
- os.environ['PYTHONUNBUFFERED'] = '1'
-
--if Context.HEXVERSION not in (0x2001600,):
-+if Context.HEXVERSION not in (0x2001700,):
- Logs.error('''
- Please use the version of waf that comes with Samba, not
- a system installed version. See http://wiki.samba.org/index.php/Waf
-diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py
-index 07ee1201f03..36d1ca74fef 100644
---- third_party/waf/waflib/Context.py
-+++ third_party/waf/waflib/Context.py
-@@ -18,13 +18,13 @@ else:
- import imp
-
- # the following 3 constants are updated on each new release (do not touch)
--HEXVERSION=0x2001600
-+HEXVERSION=0x2001700
- """Constant updated on new releases"""
-
--WAFVERSION="2.0.22"
-+WAFVERSION="2.0.23"
- """Constant updated on new releases"""
-
--WAFREVISION="816d5bc48ba2abc4ac22f2b44d94d322bf992b9c"
-+WAFREVISION="cc6b34cf555d354c34f554c41206134072588de7"
- """Git revision when the waf version is updated"""
-
- WAFNAME="waf"
-diff --git third_party/waf/waflib/Runner.py third_party/waf/waflib/Runner.py
-index 91d55479e20..350c86a22c0 100644
---- third_party/waf/waflib/Runner.py
-+++ third_party/waf/waflib/Runner.py
-@@ -71,7 +71,7 @@ class Consumer(Utils.threading.Thread):
- """Task to execute"""
- self.spawner = spawner
- """Coordinator object"""
-- self.setDaemon(1)
-+ self.daemon = True
- self.start()
- def run(self):
- """
-@@ -98,7 +98,7 @@ class Spawner(Utils.threading.Thread):
- """:py:class:`waflib.Runner.Parallel` producer instance"""
- self.sem = Utils.threading.Semaphore(master.numjobs)
- """Bounded semaphore that prevents spawning more than *n* concurrent consumers"""
-- self.setDaemon(1)
-+ self.daemon = True
- self.start()
- def run(self):
- """
-diff --git third_party/waf/waflib/TaskGen.py third_party/waf/waflib/TaskGen.py
-index f8f92bd57c1..89f63169910 100644
---- third_party/waf/waflib/TaskGen.py
-+++ third_party/waf/waflib/TaskGen.py
-@@ -631,12 +631,8 @@ def process_rule(self):
- cls.scan = self.scan
- elif has_deps:
- def scan(self):
-- nodes = []
-- for x in self.generator.to_list(getattr(self.generator, 'deps', None)):
-- node = self.generator.path.find_resource(x)
-- if not node:
-- self.generator.bld.fatal('Could not find %r (was it declared?)' % x)
-- nodes.append(node)
-+ deps = getattr(self.generator, 'deps', None)
-+ nodes = self.generator.to_nodes(deps)
- return [nodes, []]
- cls.scan = scan
-
-diff --git third_party/waf/waflib/Tools/c_config.py third_party/waf/waflib/Tools/c_config.py
-index 03b6bf61bc0..f5ab19bf6ce 100644
---- third_party/waf/waflib/Tools/c_config.py
-+++ third_party/waf/waflib/Tools/c_config.py
-@@ -69,6 +69,7 @@ MACRO_TO_DEST_CPU = {
- '__sh__' : 'sh',
- '__xtensa__' : 'xtensa',
- '__e2k__' : 'e2k',
-+'__riscv' : 'riscv',
- }
-
- @conf
-diff --git third_party/waf/waflib/Tools/compiler_c.py third_party/waf/waflib/Tools/compiler_c.py
-index 931dc57efec..e033ce6c5c3 100644
---- third_party/waf/waflib/Tools/compiler_c.py
-+++ third_party/waf/waflib/Tools/compiler_c.py
-@@ -36,18 +36,19 @@ from waflib import Utils
- from waflib.Logs import debug
-
- c_compiler = {
--'win32': ['msvc', 'gcc', 'clang'],
--'cygwin': ['gcc', 'clang'],
--'darwin': ['clang', 'gcc'],
--'aix': ['xlc', 'gcc', 'clang'],
--'linux': ['gcc', 'clang', 'icc'],
--'sunos': ['suncc', 'gcc'],
--'irix': ['gcc', 'irixcc'],
--'hpux': ['gcc'],
--'osf1V': ['gcc'],
--'gnu': ['gcc', 'clang'],
--'java': ['gcc', 'msvc', 'clang', 'icc'],
--'default':['clang', 'gcc'],
-+'win32': ['msvc', 'gcc', 'clang'],
-+'cygwin': ['gcc', 'clang'],
-+'darwin': ['clang', 'gcc'],
-+'aix': ['xlc', 'gcc', 'clang'],
-+'linux': ['gcc', 'clang', 'icc'],
-+'sunos': ['suncc', 'gcc'],
-+'irix': ['gcc', 'irixcc'],
-+'hpux': ['gcc'],
-+'osf1V': ['gcc'],
-+'gnu': ['gcc', 'clang'],
-+'java': ['gcc', 'msvc', 'clang', 'icc'],
-+'gnukfreebsd': ['gcc', 'clang'],
-+'default': ['clang', 'gcc'],
- }
- """
- Dict mapping platform names to Waf tools finding specific C compilers::
-diff --git third_party/waf/waflib/Tools/compiler_cxx.py third_party/waf/waflib/Tools/compiler_cxx.py
-index 09fca7e4dc6..42658c5847e 100644
---- third_party/waf/waflib/Tools/compiler_cxx.py
-+++ third_party/waf/waflib/Tools/compiler_cxx.py
-@@ -37,18 +37,19 @@ from waflib import Utils
- from waflib.Logs import debug
-
- cxx_compiler = {
--'win32': ['msvc', 'g++', 'clang++'],
--'cygwin': ['g++', 'clang++'],
--'darwin': ['clang++', 'g++'],
--'aix': ['xlc++', 'g++', 'clang++'],
--'linux': ['g++', 'clang++', 'icpc'],
--'sunos': ['sunc++', 'g++'],
--'irix': ['g++'],
--'hpux': ['g++'],
--'osf1V': ['g++'],
--'gnu': ['g++', 'clang++'],
--'java': ['g++', 'msvc', 'clang++', 'icpc'],
--'default': ['clang++', 'g++']
-+'win32': ['msvc', 'g++', 'clang++'],
-+'cygwin': ['g++', 'clang++'],
-+'darwin': ['clang++', 'g++'],
-+'aix': ['xlc++', 'g++', 'clang++'],
-+'linux': ['g++', 'clang++', 'icpc'],
-+'sunos': ['sunc++', 'g++'],
-+'irix': ['g++'],
-+'hpux': ['g++'],
-+'osf1V': ['g++'],
-+'gnu': ['g++', 'clang++'],
-+'java': ['g++', 'msvc', 'clang++', 'icpc'],
-+'gnukfreebsd': ['g++', 'clang++'],
-+'default': ['clang++', 'g++']
- }
- """
- Dict mapping the platform names to Waf tools finding specific C++ compilers::
-diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py
-index 07442561dff..fb641e5e20d 100644
---- third_party/waf/waflib/Tools/python.py
-+++ third_party/waf/waflib/Tools/python.py
-@@ -416,9 +416,14 @@ def check_python_headers(conf, features='pyembed pyext'):
-
- if not result:
- path = [os.path.join(dct['prefix'], "libs")]
-- conf.to_log("\n\n# try again with -L$prefix/libs, and pythonXY name rather than pythonX.Y (win32)\n")
-+ conf.to_log("\n\n# try again with -L$prefix/libs, and pythonXY rather than pythonX.Y (win32)\n")
- result = conf.check(lib=name, uselib='PYEMBED', libpath=path, mandatory=False, msg='Checking for library %s in $prefix/libs' % name)
-
-+ if not result:
-+ path = [os.path.normpath(os.path.join(dct['INCLUDEPY'], '..', 'libs'))]
-+ conf.to_log("\n\n# try again with -L$INCLUDEPY/../libs, and pythonXY rather than pythonX.Y (win32)\n")
-+ result = conf.check(lib=name, uselib='PYEMBED', libpath=path, mandatory=False, msg='Checking for library %s in $INCLUDEPY/../libs' % name)
-+
- if result:
- break # do not forget to set LIBPATH_PYEMBED
-
-diff --git third_party/waf/waflib/Tools/qt5.py third_party/waf/waflib/Tools/qt5.py
-index 82c83e18c8a..b3e61325e50 100644
---- third_party/waf/waflib/Tools/qt5.py
-+++ third_party/waf/waflib/Tools/qt5.py
-@@ -783,8 +783,8 @@ def set_qt5_libs_to_check(self):
- pat = self.env.cxxstlib_PATTERN
- if Utils.unversioned_sys_platform() == 'darwin':
- pat = r"%s\.framework"
-- re_qt = re.compile(pat % 'Qt5?(?P<name>\\D+)' + '$')
-- for x in dirlst:
-+ re_qt = re.compile(pat % 'Qt5?(?P<name>\\w+)' + '$')
-+ for x in sorted(dirlst):
- m = re_qt.match(x)
- if m:
- self.qt5_vars.append("Qt5%s" % m.group('name'))
-diff --git third_party/waf/waflib/Tools/winres.py third_party/waf/waflib/Tools/winres.py
-index 9be1ed66009..73c0e95315b 100644
---- third_party/waf/waflib/Tools/winres.py
-+++ third_party/waf/waflib/Tools/winres.py
-@@ -4,10 +4,12 @@
-
- "Process *.rc* files for C/C++: X{.rc -> [.res|.rc.o]}"
-
-+import os
- import re
- from waflib import Task
- from waflib.TaskGen import extension
- from waflib.Tools import c_preproc
-+from waflib import Utils
-
- @extension('.rc')
- def rc_file(self, node):
-@@ -61,6 +63,39 @@ class winrc(Task.Task):
- tmp.start(self.inputs[0], self.env)
- return (tmp.nodes, tmp.names)
-
-+ def exec_command(self, cmd, **kw):
-+ if self.env.WINRC_TGT_F == '/fo':
-+ # Since winres include paths may contain spaces, they do not fit in
-+ # response files and are best passed as environment variables
-+ replace_cmd = []
-+ incpaths = []
-+ while cmd:
-+ # filter include path flags
-+ flag = cmd.pop(0)
-+ if flag.upper().startswith('/I'):
-+ if len(flag) == 2:
-+ incpaths.append(cmd.pop(0))
-+ else:
-+ incpaths.append(flag[2:])
-+ else:
-+ replace_cmd.append(flag)
-+ cmd = replace_cmd
-+ if incpaths:
-+ # append to existing environment variables in INCLUDE
-+ env = kw['env'] = dict(kw.get('env') or self.env.env or os.environ)
-+ pre_includes = env.get('INCLUDE', '')
-+ env['INCLUDE'] = pre_includes + os.pathsep + os.pathsep.join(incpaths)
-+
-+ return super(winrc, self).exec_command(cmd, **kw)
-+
-+ def quote_flag(self, flag):
-+ if self.env.WINRC_TGT_F == '/fo':
-+ # winres does not support quotes around flags in response files
-+ return flag
-+
-+ return super(winrc, self).quote_flag(flag)
-+
-+
- def configure(conf):
- """
- Detects the programs RC or windres, depending on the C/C++ compiler in use
-diff --git third_party/waf/waflib/extras/clang_compilation_database.py third_party/waf/waflib/extras/clang_compilation_database.py
-index 17f66949376..bd29db93fd5 100644
---- third_party/waf/waflib/extras/clang_compilation_database.py
-+++ third_party/waf/waflib/extras/clang_compilation_database.py
-@@ -126,7 +126,7 @@ def patch_execute():
- Invoke clangdb command before build
- """
- if self.cmd.startswith('build'):
-- Scripting.run_command('clangdb')
-+ Scripting.run_command(self.cmd.replace('build','clangdb'))
-
- old_execute_build(self)
-
-diff --git third_party/waf/waflib/extras/classic_runner.py third_party/waf/waflib/extras/classic_runner.py
-new file mode 100644
-index 00000000000..b08c794e880
---- /dev/null
-+++ third_party/waf/waflib/extras/classic_runner.py
-@@ -0,0 +1,68 @@
-+#!/usr/bin/env python
-+# encoding: utf-8
-+# Thomas Nagy, 2021 (ita)
-+
-+from waflib import Utils, Runner
-+
-+"""
-+Re-enable the classic threading system from waf 1.x
-+
-+def configure(conf):
-+ conf.load('classic_runner')
-+"""
-+
-+class TaskConsumer(Utils.threading.Thread):
-+ """
-+ Task consumers belong to a pool of workers
-+
-+ They wait for tasks in the queue and then use ``task.process(...)``
-+ """
-+ def __init__(self, spawner):
-+ Utils.threading.Thread.__init__(self)
-+ """
-+ Obtain :py:class:`waflib.Task.TaskBase` instances from this queue.
-+ """
-+ self.spawner = spawner
-+ self.daemon = True
-+ self.start()
-+
-+ def run(self):
-+ """
-+ Loop over the tasks to execute
-+ """
-+ try:
-+ self.loop()
-+ except Exception:
-+ pass
-+
-+ def loop(self):
-+ """
-+ Obtain tasks from :py:attr:`waflib.Runner.TaskConsumer.ready` and call
-+ :py:meth:`waflib.Task.TaskBase.process`. If the object is a function, execute it.
-+ """
-+ master = self.spawner.master
-+ while 1:
-+ if not master.stop:
-+ try:
-+ tsk = master.ready.get()
-+ if tsk:
-+ tsk.log_display(tsk.generator.bld)
-+ master.process_task(tsk)
-+ else:
-+ break
-+ finally:
-+ master.out.put(tsk)
-+
-+class Spawner(object):
-+ """
-+ Daemon thread that consumes tasks from :py:class:`waflib.Runner.Parallel` producer and
-+ spawns a consuming thread :py:class:`waflib.Runner.Consumer` for each
-+ :py:class:`waflib.Task.Task` instance.
-+ """
-+ def __init__(self, master):
-+ self.master = master
-+ """:py:class:`waflib.Runner.Parallel` producer instance"""
-+
-+ self.pool = [TaskConsumer(self) for i in range(master.numjobs)]
-+
-+Runner.Spawner = Spawner
-diff --git third_party/waf/waflib/extras/color_gcc.py third_party/waf/waflib/extras/color_gcc.py
-index b68c5ebf2df..09729035fec 100644
---- third_party/waf/waflib/extras/color_gcc.py
-+++ third_party/waf/waflib/extras/color_gcc.py
-@@ -19,7 +19,7 @@ class ColorGCCFormatter(Logs.formatter):
- func = frame.f_code.co_name
- if func == 'exec_command':
- cmd = frame.f_locals.get('cmd')
-- if isinstance(cmd, list) and ('gcc' in cmd[0] or 'g++' in cmd[0]):
-+ if isinstance(cmd, list) and (len(cmd) > 0) and ('gcc' in cmd[0] or 'g++' in cmd[0]):
- lines = []
- for line in rec.msg.splitlines():
- if 'warning: ' in line:
-diff --git third_party/waf/waflib/extras/eclipse.py third_party/waf/waflib/extras/eclipse.py
-index bb787416e9f..49ca9686b7b 100644
---- third_party/waf/waflib/extras/eclipse.py
-+++ third_party/waf/waflib/extras/eclipse.py
-@@ -10,6 +10,9 @@ Usage:
- def options(opt):
- opt.load('eclipse')
-
-+To add additional targets beside standard ones (configure, dist, install, check)
-+the environment ECLIPSE_EXTRA_TARGETS can be set (ie. to ['test', 'lint', 'docs'])
-+
- $ waf configure eclipse
- """
-
-@@ -25,6 +28,8 @@ cdt_core = oe_cdt + '.core'
- cdt_bld = oe_cdt + '.build.core'
- extbuilder_dir = '.externalToolBuilders'
- extbuilder_name = 'Waf_Builder.launch'
-+settings_dir = '.settings'
-+settings_name = 'language.settings.xml'
-
- class eclipse(Build.BuildContext):
- cmd = 'eclipse'
-@@ -131,9 +136,11 @@ class eclipse(Build.BuildContext):
- path = p.path_from(self.srcnode)
-
- if (path.startswith("/")):
-- cpppath.append(path)
-+ if path not in cpppath:
-+ cpppath.append(path)
- else:
-- workspace_includes.append(path)
-+ if path not in workspace_includes:
-+ workspace_includes.append(path)
-
- if is_cc and path not in source_dirs:
- source_dirs.append(path)
-@@ -156,6 +163,61 @@ class eclipse(Build.BuildContext):
- project = self.impl_create_javaproject(javasrcpath, javalibpath)
- self.write_conf_to_xml('.classpath', project)
-
-+ # Create editor language settings to have correct standards applied in IDE, as per project configuration
-+ try:
-+ os.mkdir(settings_dir)
-+ except OSError:
-+ pass # Ignore if dir already exists
-+
-+ lang_settings = Document()
-+ project = lang_settings.createElement('project')
-+
-+ # Language configurations for C and C++ via cdt
-+ if hasc:
-+ configuration = self.add(lang_settings, project, 'configuration',
-+ {'id' : 'org.eclipse.cdt.core.default.config.1', 'name': 'Default'})
-+
-+ extension = self.add(lang_settings, configuration, 'extension', {'point': 'org.eclipse.cdt.core.LanguageSettingsProvider'})
-+
-+ provider = self.add(lang_settings, extension, 'provider',
-+ { 'copy-of': 'extension',
-+ 'id': 'org.eclipse.cdt.ui.UserLanguageSettingsProvider'})
-+
-+ provider = self.add(lang_settings, extension, 'provider-reference',
-+ { 'id': 'org.eclipse.cdt.core.ReferencedProjectsLanguageSettingsProvider',
-+ 'ref': 'shared-provider'})
-+
-+ provider = self.add(lang_settings, extension, 'provider-reference',
-+ { 'id': 'org.eclipse.cdt.managedbuilder.core.MBSLanguageSettingsProvider',
-+ 'ref': 'shared-provider'})
-+
-+ # C and C++ are kept as separated providers so appropriate flags are used also in mixed projects
-+ if self.env.CC:
-+ provider = self.add(lang_settings, extension, 'provider',
-+ { 'class': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector',
-+ 'console': 'false',
-+ 'id': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector.1',
-+ 'keep-relative-paths' : 'false',
-+ 'name': 'CDT GCC Built-in Compiler Settings',
-+ 'parameter': '%s %s ${FLAGS} -E -P -v -dD "${INPUTS}"'%(self.env.CC[0],' '.join(self.env['CFLAGS'])),
-+ 'prefer-non-shared': 'true' })
-+
-+ self.add(lang_settings, provider, 'language-scope', { 'id': 'org.eclipse.cdt.core.gcc'})
-+
-+ if self.env.CXX:
-+ provider = self.add(lang_settings, extension, 'provider',
-+ { 'class': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector',
-+ 'console': 'false',
-+ 'id': 'org.eclipse.cdt.managedbuilder.language.settings.providers.GCCBuiltinSpecsDetector.2',
-+ 'keep-relative-paths' : 'false',
-+ 'name': 'CDT GCC Built-in Compiler Settings',
-+ 'parameter': '%s %s ${FLAGS} -E -P -v -dD "${INPUTS}"'%(self.env.CXX[0],' '.join(self.env['CXXFLAGS'])),
-+ 'prefer-non-shared': 'true' })
-+ self.add(lang_settings, provider, 'language-scope', { 'id': 'org.eclipse.cdt.core.g++'})
-+
-+ lang_settings.appendChild(project)
-+ self.write_conf_to_xml('%s%s%s'%(settings_dir, os.path.sep, settings_name), lang_settings)
-+
- def impl_create_project(self, executable, appname, hasc, hasjava, haspython, waf_executable):
- doc = Document()
- projectDescription = doc.createElement('projectDescription')
-@@ -341,6 +403,8 @@ class eclipse(Build.BuildContext):
- addTargetWrap('dist', False)
- addTargetWrap('install', False)
- addTargetWrap('check', False)
-+ for addTgt in self.env.ECLIPSE_EXTRA_TARGETS or []:
-+ addTargetWrap(addTgt, False)
-
- storageModule = self.add(doc, cproject, 'storageModule',
- {'moduleId': 'cdtBuildSystem',
-@@ -348,6 +412,12 @@ class eclipse(Build.BuildContext):
-
- self.add(doc, storageModule, 'project', {'id': '%s.null.1'%appname, 'name': appname})
-
-+ storageModule = self.add(doc, cproject, 'storageModule',
-+ {'moduleId': 'org.eclipse.cdt.core.LanguageSettingsProviders'})
-+
-+ storageModule = self.add(doc, cproject, 'storageModule',
-+ {'moduleId': 'scannerConfiguration'})
-+
- doc.appendChild(cproject)
- return doc
-
-diff --git third_party/waf/waflib/extras/gccdeps.py third_party/waf/waflib/extras/gccdeps.py
-index 1fc9373489a..9e9952f2f7d 100644
---- third_party/waf/waflib/extras/gccdeps.py
-+++ third_party/waf/waflib/extras/gccdeps.py
-@@ -29,13 +29,6 @@ if not c_preproc.go_absolute:
- # Third-party tools are allowed to add extra names in here with append()
- supported_compilers = ['gas', 'gcc', 'icc', 'clang']
-
--def scan(self):
-- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
-- return super(self.derived_gccdeps, self).scan()
-- nodes = self.generator.bld.node_deps.get(self.uid(), [])
-- names = []
-- return (nodes, names)
--
- re_o = re.compile(r"\.o$")
- re_splitter = re.compile(r'(?<!\\)\s+') # split by space, except when spaces are escaped
-
-@@ -61,28 +54,30 @@ def path_to_node(base_node, path, cached_nodes):
- else:
- # Not hashable, assume it is a list and join into a string
- node_lookup_key = (base_node, os.path.sep.join(path))
-+
- try:
-- lock.acquire()
- node = cached_nodes[node_lookup_key]
- except KeyError:
-- node = base_node.find_resource(path)
-- cached_nodes[node_lookup_key] = node
-- finally:
-- lock.release()
-+ # retry with lock on cache miss
-+ with lock:
-+ try:
-+ node = cached_nodes[node_lookup_key]
-+ except KeyError:
-+ node = cached_nodes[node_lookup_key] = base_node.find_resource(path)
-+
- return node
-
- def post_run(self):
- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
- return super(self.derived_gccdeps, self).post_run()
-
-- name = self.outputs[0].abspath()
-- name = re_o.sub('.d', name)
-+ deps_filename = self.outputs[0].abspath()
-+ deps_filename = re_o.sub('.d', deps_filename)
- try:
-- txt = Utils.readf(name)
-+ deps_txt = Utils.readf(deps_filename)
- except EnvironmentError:
- Logs.error('Could not find a .d dependency file, are cflags/cxxflags overwritten?')
- raise
-- #os.remove(name)
-
- # Compilers have the choice to either output the file's dependencies
- # as one large Makefile rule:
-@@ -102,15 +97,16 @@ def post_run(self):
- # So the first step is to sanitize the input by stripping out the left-
- # hand side of all these lines. After that, whatever remains are the
- # implicit dependencies of task.outputs[0]
-- txt = '\n'.join([remove_makefile_rule_lhs(line) for line in txt.splitlines()])
-+ deps_txt = '\n'.join([remove_makefile_rule_lhs(line) for line in deps_txt.splitlines()])
-
- # Now join all the lines together
-- txt = txt.replace('\\\n', '')
-+ deps_txt = deps_txt.replace('\\\n', '')
-
-- val = txt.strip()
-- val = [x.replace('\\ ', ' ') for x in re_splitter.split(val) if x]
-+ dep_paths = deps_txt.strip()
-+ dep_paths = [x.replace('\\ ', ' ') for x in re_splitter.split(dep_paths) if x]
-
-- nodes = []
-+ resolved_nodes = []
-+ unresolved_names = []
- bld = self.generator.bld
-
- # Dynamically bind to the cache
-@@ -119,39 +115,41 @@ def post_run(self):
- except AttributeError:
- cached_nodes = bld.cached_nodes = {}
-
-- for x in val:
-+ for path in dep_paths:
-
- node = None
-- if os.path.isabs(x):
-- node = path_to_node(bld.root, x, cached_nodes)
-+ if os.path.isabs(path):
-+ node = path_to_node(bld.root, path, cached_nodes)
- else:
- # TODO waf 1.9 - single cwd value
-- path = getattr(bld, 'cwdx', bld.bldnode)
-+ base_node = getattr(bld, 'cwdx', bld.bldnode)
- # when calling find_resource, make sure the path does not contain '..'
-- x = [k for k in Utils.split_path(x) if k and k != '.']
-- while '..' in x:
-- idx = x.index('..')
-+ path = [k for k in Utils.split_path(path) if k and k != '.']
-+ while '..' in path:
-+ idx = path.index('..')
- if idx == 0:
-- x = x[1:]
-- path = path.parent
-+ path = path[1:]
-+ base_node = base_node.parent
- else:
-- del x[idx]
-- del x[idx-1]
-+ del path[idx]
-+ del path[idx-1]
-
-- node = path_to_node(path, x, cached_nodes)
-+ node = path_to_node(base_node, path, cached_nodes)
-
- if not node:
-- raise ValueError('could not find %r for %r' % (x, self))
-+ raise ValueError('could not find %r for %r' % (path, self))
-+
- if id(node) == id(self.inputs[0]):
- # ignore the source file, it is already in the dependencies
- # this way, successful config tests may be retrieved from the cache
- continue
-- nodes.append(node)
-
-- Logs.debug('deps: gccdeps for %s returned %s', self, nodes)
-+ resolved_nodes.append(node)
-
-- bld.node_deps[self.uid()] = nodes
-- bld.raw_deps[self.uid()] = []
-+ Logs.debug('deps: gccdeps for %s returned %s', self, resolved_nodes)
-+
-+ bld.node_deps[self.uid()] = resolved_nodes
-+ bld.raw_deps[self.uid()] = unresolved_names
-
- try:
- del self.cache_sig
-@@ -160,6 +158,14 @@ def post_run(self):
-
- Task.Task.post_run(self)
-
-+def scan(self):
-+ if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
-+ return super(self.derived_gccdeps, self).scan()
-+
-+ resolved_nodes = self.generator.bld.node_deps.get(self.uid(), [])
-+ unresolved_names = []
-+ return (resolved_nodes, unresolved_names)
-+
- def sig_implicit_deps(self):
- if not self.__class__.__name__ in self.env.ENABLE_GCCDEPS:
- return super(self.derived_gccdeps, self).sig_implicit_deps()
-diff --git third_party/waf/waflib/extras/msvcdeps.py third_party/waf/waflib/extras/msvcdeps.py
-index 52985dce058..e8985bde7c7 100644
---- third_party/waf/waflib/extras/msvcdeps.py
-+++ third_party/waf/waflib/extras/msvcdeps.py
-@@ -32,7 +32,6 @@ from waflib.Tools import c_preproc, c, cxx, msvc
- from waflib.TaskGen import feature, before_method
-
- lock = threading.Lock()
--nodes = {} # Cache the path -> Node lookup
-
- PREPROCESSOR_FLAG = '/showIncludes'
- INCLUDE_PATTERN = 'Note: including file:'
-@@ -50,23 +49,47 @@ def apply_msvcdeps_flags(taskgen):
- if taskgen.env.get_flat(flag).find(PREPROCESSOR_FLAG) < 0:
- taskgen.env.append_value(flag, PREPROCESSOR_FLAG)
-
-+
-+def get_correct_path_case(base_path, path):
-+ '''
-+ Return a case-corrected version of ``path`` by searching the filesystem for
-+ ``path``, relative to ``base_path``, using the case returned by the filesystem.
-+ '''
-+ components = Utils.split_path(path)
-+
-+ corrected_path = ''
-+ if os.path.isabs(path):
-+ corrected_path = components.pop(0).upper() + os.sep
-+
-+ for part in components:
-+ part = part.lower()
-+ search_path = os.path.join(base_path, corrected_path)
-+ if part == '..':
-+ corrected_path = os.path.join(corrected_path, part)
-+ search_path = os.path.normpath(search_path)
-+ continue
-+
-+ for item in sorted(os.listdir(search_path)):
-+ if item.lower() == part:
-+ corrected_path = os.path.join(corrected_path, item)
-+ break
-+ else:
-+ raise ValueError("Can't find %r in %r" % (part, search_path))
-+
-+ return corrected_path
-+
-+
- def path_to_node(base_node, path, cached_nodes):
- '''
- Take the base node and the path and return a node
- Results are cached because searching the node tree is expensive
- The following code is executed by threads, it is not safe, so a lock is needed...
- '''
-- # normalize the path because ant_glob() does not understand
-- # parent path components (..)
-+ # normalize the path to remove parent path components (..)
- path = os.path.normpath(path)
-
- # normalize the path case to increase likelihood of a cache hit
-- path = os.path.normcase(path)
--
-- # ant_glob interprets [] and () characters, so those must be replaced
-- path = path.replace('[', '?').replace(']', '?').replace('(', '[(]').replace(')', '[)]')
--
-- node_lookup_key = (base_node, path)
-+ node_lookup_key = (base_node, os.path.normcase(path))
-
- try:
- node = cached_nodes[node_lookup_key]
-@@ -76,8 +99,8 @@ def path_to_node(base_node, path, cached_nodes):
- try:
- node = cached_nodes[node_lookup_key]
- except KeyError:
-- node_list = base_node.ant_glob([path], ignorecase=True, remove=False, quiet=True, regex=False)
-- node = cached_nodes[node_lookup_key] = node_list[0] if node_list else None
-+ path = get_correct_path_case(base_node.abspath(), path)
-+ node = cached_nodes[node_lookup_key] = base_node.find_node(path)
-
- return node
-
-@@ -89,9 +112,9 @@ def post_run(self):
- if getattr(self, 'cached', None):
- return Task.Task.post_run(self)
-
-- bld = self.generator.bld
-- unresolved_names = []
- resolved_nodes = []
-+ unresolved_names = []
-+ bld = self.generator.bld
-
- # Dynamically bind to the cache
- try:
-@@ -124,11 +147,14 @@ def post_run(self):
- continue
-
- if id(node) == id(self.inputs[0]):
-- # Self-dependency
-+ # ignore the source file, it is already in the dependencies
-+ # this way, successful config tests may be retrieved from the cache
- continue
-
- resolved_nodes.append(node)
-
-+ Logs.debug('deps: msvcdeps for %s returned %s', self, resolved_nodes)
-+
- bld.node_deps[self.uid()] = resolved_nodes
- bld.raw_deps[self.uid()] = unresolved_names
-
-diff --git third_party/waf/waflib/extras/msvs.py third_party/waf/waflib/extras/msvs.py
-index 8aa2db0b751..03b739f849c 100644
---- third_party/waf/waflib/extras/msvs.py
-+++ third_party/waf/waflib/extras/msvs.py
-@@ -787,8 +787,12 @@ class msvs_generator(BuildContext):
- self.collect_dirs()
- default_project = getattr(self, 'default_project', None)
- def sortfun(x):
-- if x.name == default_project:
-+ # folders should sort to the top
-+ if getattr(x, 'VS_GUID_SOLUTIONFOLDER', None):
- return ''
-+ # followed by the default project
-+ elif x.name == default_project:
-+ return ' '
- return getattr(x, 'path', None) and x.path.win32path() or x.name
- self.all_projects.sort(key=sortfun)
-
-diff --git third_party/waf/waflib/extras/swig.py third_party/waf/waflib/extras/swig.py
-index 740ab46d963..967caeb5a82 100644
---- third_party/waf/waflib/extras/swig.py
-+++ third_party/waf/waflib/extras/swig.py
-@@ -17,7 +17,7 @@ tasks have to be added dynamically:
-
- SWIG_EXTS = ['.swig', '.i']
-
--re_module = re.compile(r'%module(?:\s*\(.*\))?\s+(.+)', re.M)
-+re_module = re.compile(r'%module(?:\s*\(.*\))?\s+([^\r\n]+)', re.M)
-
- re_1 = re.compile(r'^%module.*?\s+([\w]+)\s*?$', re.M)
- re_2 = re.compile(r'[#%](?:include|import(?:\(module=".*"\))+|python(?:begin|code)) [<"](.*)[">]', re.M)
-diff --git third_party/waf/waflib/extras/wafcache.py third_party/waf/waflib/extras/wafcache.py
-index cc23fcd6673..2cef46c0e1c 100644
---- third_party/waf/waflib/extras/wafcache.py
-+++ third_party/waf/waflib/extras/wafcache.py
-@@ -258,6 +258,19 @@ def build(bld):
- """
- Called during the build process to enable file caching
- """
-+ if WAFCACHE_STATS:
-+ # Init counter for statistics and hook to print results at the end
-+ bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0
-+
-+ def printstats(bld):
-+ hit_ratio = 0
-+ if bld.cache_reqs > 0:
-+ hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100
-+ Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' %
-+ (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) )
-+
-+ bld.add_post_fun(printstats)
-+
- if process_pool:
- # already called once
- return
-@@ -273,19 +286,6 @@ def build(bld):
- for x in reversed(list(Task.classes.values())):
- make_cached(x)
-
-- if WAFCACHE_STATS:
-- # Init counter for statistics and hook to print results at the end
-- bld.cache_reqs = bld.cache_hits = bld.cache_puts = 0
--
-- def printstats(bld):
-- hit_ratio = 0
-- if bld.cache_reqs > 0:
-- hit_ratio = (bld.cache_hits / bld.cache_reqs) * 100
-- Logs.pprint('CYAN', ' wafcache stats: requests: %s, hits, %s, ratio: %.2f%%, writes %s' %
-- (bld.cache_reqs, bld.cache_hits, hit_ratio, bld.cache_puts) )
--
-- bld.add_post_fun(printstats)
--
- def cache_command(sig, files_from, files_to):
- """
- Create a command for cache worker processes, returns a pickled
-diff --git third_party/waf/waflib/fixpy2.py third_party/waf/waflib/fixpy2.py
-index 24176e06645..c99bff4b9ae 100644
---- third_party/waf/waflib/fixpy2.py
-+++ third_party/waf/waflib/fixpy2.py
-@@ -56,7 +56,7 @@ def r1(code):
- @subst('Runner.py')
- def r4(code):
- "generator syntax"
-- return code.replace('next(self.biter)', 'self.biter.next()')
-+ return code.replace('next(self.biter)', 'self.biter.next()').replace('self.daemon = True', 'self.setDaemon(1)')
-
- @subst('Context.py')
- def r5(code):
---
-2.37.3
-
diff --git a/net/samba413/files/patch-waf-2.0.24 b/net/samba413/files/patch-waf-2.0.24
deleted file mode 100644
index 2c5c76e6ca3b..000000000000
--- a/net/samba413/files/patch-waf-2.0.24
+++ /dev/null
@@ -1,164 +0,0 @@
-From d19dfe1efb2f6cb0dcf0a63b957df584d8ed5945 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 23 May 2022 07:54:06 +0200
-Subject: [PATCH] third_party: Update waf to version 2.0.24
-
-This fixes building of python libraries with Python 3.11!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15071
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Mon May 23 09:34:51 UTC 2022 on sn-devel-184
----
- buildtools/bin/waf | 2 +-
- buildtools/wafsamba/wafsamba.py | 2 +-
- third_party/waf/waflib/Context.py | 8 ++++----
- third_party/waf/waflib/Tools/ccroot.py | 1 +
- third_party/waf/waflib/Tools/msvc.py | 17 ++++++++++++++++-
- third_party/waf/waflib/Tools/python.py | 4 ++--
- third_party/waf/waflib/Tools/tex.py | 1 +
- 7 files changed, 26 insertions(+), 9 deletions(-)
-
-diff --git buildtools/bin/waf buildtools/bin/waf
-index 2001ccdbd8a..d9cba343623 100755
---- buildtools/bin/waf
-+++ buildtools/bin/waf
-@@ -32,7 +32,7 @@ POSSIBILITY OF SUCH DAMAGE.
-
- import os, sys, inspect
-
--VERSION="2.0.23"
-+VERSION="2.0.24"
- REVISION="x"
- GIT="x"
- INSTALL="x"
-diff --git buildtools/wafsamba/wafsamba.py buildtools/wafsamba/wafsamba.py
-index 4bd4e9f7fe3..79fe8b5e575 100644
---- buildtools/wafsamba/wafsamba.py
-+++ buildtools/wafsamba/wafsamba.py
-@@ -38,7 +38,7 @@ LIB_PATH="shared"
-
- os.environ['PYTHONUNBUFFERED'] = '1'
-
--if Context.HEXVERSION not in (0x2001700,):
-+if Context.HEXVERSION not in (0x2001800,):
- Logs.error('''
- Please use the version of waf that comes with Samba, not
- a system installed version. See http://wiki.samba.org/index.php/Waf
-diff --git third_party/waf/waflib/Context.py third_party/waf/waflib/Context.py
-index 36d1ca74fef..4a0130b24a0 100644
---- third_party/waf/waflib/Context.py
-+++ third_party/waf/waflib/Context.py
-@@ -18,13 +18,13 @@ else:
- import imp
-
- # the following 3 constants are updated on each new release (do not touch)
--HEXVERSION=0x2001700
-+HEXVERSION=0x2001800
- """Constant updated on new releases"""
-
--WAFVERSION="2.0.23"
-+WAFVERSION="2.0.24"
- """Constant updated on new releases"""
-
--WAFREVISION="cc6b34cf555d354c34f554c41206134072588de7"
-+WAFREVISION="1af97c71f5a6756abf36d0f78ed8fd551596d7cb"
- """Git revision when the waf version is updated"""
-
- WAFNAME="waf"
-@@ -144,7 +144,7 @@ class Context(ctx):
- :type fun: string
-
- .. inheritance-diagram:: waflib.Context.Context waflib.Build.BuildContext waflib.Build.InstallContext waflib.Build.UninstallContext waflib.Build.StepContext waflib.Build.ListContext waflib.Configure.ConfigurationContext waflib.Scripting.Dist waflib.Scripting.DistCheck waflib.Build.CleanContext
--
-+ :top-classes: waflib.Context.Context
- """
-
- errors = Errors
-diff --git third_party/waf/waflib/Tools/ccroot.py third_party/waf/waflib/Tools/ccroot.py
-index 579d5b2b72b..76deff54dcb 100644
---- third_party/waf/waflib/Tools/ccroot.py
-+++ third_party/waf/waflib/Tools/ccroot.py
-@@ -128,6 +128,7 @@ class link_task(Task.Task):
- Base class for all link tasks. A task generator is supposed to have at most one link task bound in the attribute *link_task*. See :py:func:`waflib.Tools.ccroot.apply_link`.
-
- .. inheritance-diagram:: waflib.Tools.ccroot.stlink_task waflib.Tools.c.cprogram waflib.Tools.c.cshlib waflib.Tools.cxx.cxxstlib waflib.Tools.cxx.cxxprogram waflib.Tools.cxx.cxxshlib waflib.Tools.d.dprogram waflib.Tools.d.dshlib waflib.Tools.d.dstlib waflib.Tools.ccroot.fake_shlib waflib.Tools.ccroot.fake_stlib waflib.Tools.asm.asmprogram waflib.Tools.asm.asmshlib waflib.Tools.asm.asmstlib
-+ :top-classes: waflib.Tools.ccroot.link_task
- """
- color = 'YELLOW'
-
-diff --git third_party/waf/waflib/Tools/msvc.py third_party/waf/waflib/Tools/msvc.py
-index 0c4703aaee9..026a4c7fc48 100644
---- third_party/waf/waflib/Tools/msvc.py
-+++ third_party/waf/waflib/Tools/msvc.py
-@@ -109,6 +109,21 @@ def options(opt):
- opt.add_option('--msvc_targets', type='string', help = 'msvc targets, eg: "x64,arm"', default='')
- opt.add_option('--no-msvc-lazy', action='store_false', help = 'lazily check msvc target environments', default=True, dest='msvc_lazy')
-
-+class MSVCVersion(object):
-+ def __init__(self, ver):
-+ m = re.search('^(.*)\s+(\d+[.]\d+)', ver)
-+ if m:
-+ self.name = m.group(1)
-+ self.number = float(m.group(2))
-+ else:
-+ self.name = ver
-+ self.number = 0.
-+
-+ def __lt__(self, other):
-+ if self.number == other.number:
-+ return self.name < other.name
-+ return self.number < other.number
-+
- @conf
- def setup_msvc(conf, versiondict):
- """
-@@ -125,7 +140,7 @@ def setup_msvc(conf, versiondict):
- platforms=Utils.to_list(conf.env.MSVC_TARGETS) or [i for i,j in all_msvc_platforms+all_icl_platforms+all_wince_platforms]
- desired_versions = getattr(Options.options, 'msvc_version', '').split(',')
- if desired_versions == ['']:
-- desired_versions = conf.env.MSVC_VERSIONS or list(reversed(sorted(versiondict.keys())))
-+ desired_versions = conf.env.MSVC_VERSIONS or list(sorted(versiondict.keys(), key=MSVCVersion, reverse=True))
-
- # Override lazy detection by evaluating after the fact.
- lazy_detect = getattr(Options.options, 'msvc_lazy', True)
-diff --git third_party/waf/waflib/Tools/python.py third_party/waf/waflib/Tools/python.py
-index fb641e5e20d..a23bd019335 100644
---- third_party/waf/waflib/Tools/python.py
-+++ third_party/waf/waflib/Tools/python.py
-@@ -315,7 +315,7 @@ def check_python_headers(conf, features='pyembed pyext'):
- conf.fatal('Could not find the python executable')
-
- # so we actually do all this for compatibility reasons and for obtaining pyext_PATTERN below
-- v = 'prefix SO LDFLAGS LIBDIR LIBPL INCLUDEPY Py_ENABLE_SHARED MACOSX_DEPLOYMENT_TARGET LDSHARED CFLAGS LDVERSION'.split()
-+ v = 'prefix SO EXT_SUFFIX LDFLAGS LIBDIR LIBPL INCLUDEPY Py_ENABLE_SHARED MACOSX_DEPLOYMENT_TARGET LDSHARED CFLAGS LDVERSION'.split()
- try:
- lst = conf.get_python_variables(["get_config_var('%s') or ''" % x for x in v])
- except RuntimeError:
-@@ -328,7 +328,7 @@ def check_python_headers(conf, features='pyembed pyext'):
- x = 'MACOSX_DEPLOYMENT_TARGET'
- if dct[x]:
- env[x] = conf.environ[x] = str(dct[x])
-- env.pyext_PATTERN = '%s' + dct['SO'] # not a mistake
-+ env.pyext_PATTERN = '%s' + (dct['EXT_SUFFIX'] or dct['SO']) # SO is deprecated in 3.5 and removed in 3.11
-
-
- # Try to get pythonX.Y-config
-diff --git third_party/waf/waflib/Tools/tex.py third_party/waf/waflib/Tools/tex.py
-index eaf9fdb5802..b4792c3fe87 100644
---- third_party/waf/waflib/Tools/tex.py
-+++ third_party/waf/waflib/Tools/tex.py
-@@ -90,6 +90,7 @@ class tex(Task.Task):
- Compiles a tex/latex file.
-
- .. inheritance-diagram:: waflib.Tools.tex.latex waflib.Tools.tex.xelatex waflib.Tools.tex.pdflatex
-+ :top-classes: waflib.Tools.tex.tex
- """
-
- bibtex_fun, _ = Task.compile_fun('${BIBTEX} ${BIBTEXFLAGS} ${SRCFILE}', shell=False)
---
-2.37.3
-
diff --git a/net/samba413/files/pkg-message.in b/net/samba413/files/pkg-message.in
deleted file mode 100644
index 22dcc3886939..000000000000
--- a/net/samba413/files/pkg-message.in
+++ /dev/null
@@ -1,24 +0,0 @@
-[
-{ type: install
- message: <<EOM
-How to start: http://wiki.samba.org/index.php/Samba4/HOWTO
-
-* Your configuration is: %%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%
-
-* All the relevant databases are under: %%SAMBA4_LOCKDIR%%
-
-* All the logs are under: %%SAMBA4_LOGDIR%%
-
-%%AD_DC%%* Provisioning script is: %%PREFIX%%/bin/samba-tool
-%%AD_DC%%
-%%NSUPDATE%%You will need to specify location of the 'nsupdate' command in the
-%%NSUPDATE%%%%SAMBA4_CONFIG%% file:
-%%NSUPDATE%%
-%%NSUPDATE%% nsupdate command = %%PREFIX%%/bin/samba-nsupdate -g
-%%NSUPDATE%%
-For additional documentation check: http://wiki.samba.org/index.php/Samba4
-
-Bug reports should go to the: https://bugzilla.samba.org/
-EOM
-}
-]
diff --git a/net/samba413/files/samba_server.in b/net/samba413/files/samba_server.in
deleted file mode 100644
index 15a75b657b19..000000000000
--- a/net/samba413/files/samba_server.in
+++ /dev/null
@@ -1,196 +0,0 @@
-#!/bin/sh
-
-# PROVIDE: samba_server
-# REQUIRE: NETWORKING SERVERS DAEMON ldconfig resolv ntpd %%SAMBA4_SERVICES%%
-# BEFORE: LOGIN
-# KEYWORD: shutdown
-#
-# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
-# to enable this service:
-#
-#samba_server_enable="YES"
-#
-# You can disable/enable any of the Samba daemons by specifying:
-#samba_enable="NO"
-#nmbd_enable="NO"
-#smbd_enable="NO"
-# You need to enable winbindd separately, by adding:
-#winbindd_enable="YES"
-# Configuration file can be set with:
-#samba_server_config="%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%"
-#
-
-. /etc/rc.subr
-
-name="samba_server"
-rcvar=${name}_enable
-# Defaults
-samba_server_config_default="%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%"
-smbcontrol_command="%%PREFIX%%/bin/smbcontrol"
-# Custom commands
-extra_commands="reload status configtest"
-
-start_precmd="samba_server_prestart"
-restart_precmd="samba_server_checkconfig"
-reload_precmd="samba_server_checkconfig"
-start_cmd="samba_server_cmd"
-stop_cmd="samba_server_cmd"
-status_cmd="samba_server_cmd"
-configtest_cmd="samba_server_checkconfig"
-reload_cmd="samba_server_reload_cmd"
-rcvar_cmd="samba_server_rcvar_cmd"
-
-samba_server_checkconfig() {
- echo -n "Performing sanity check on Samba configuration: "
- if ${testparm_command} >/dev/null 2>&1; then
- echo "OK"
- else
- echo "FAILED"
- return 1
- fi
-}
-
-samba_server_prestart() {
- # Make sure we have our RUNDIR, even if it's on a tmpfs
- if [ -d "${samba_server_piddir}" -o ! -e "${samba_server_piddir}" ]; then
- install -d -m 0755 "${samba_server_piddir}"
- fi
- # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200186
- if [ -d "${samba_server_privatedir}" -o ! -e "${samba_server_privatedir}" ]; then
- install -d -m 0700 "${samba_server_privatedir}"
- fi
- samba_server_checkconfig
-}
-
-samba_server_rcvar_cmd() {
- local name rcvar
- rcvar=${name}_enable
- # Prevent recursive calling
- unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
- # Check master variable
- run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
- # Check dependent variables
- for name in ${samba_daemons}; do
- # XXX
- rcvars=''; v=''
- rcvar=${name}_enable
- run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
- done
-}
-
-samba_server_reload_cmd() {
- local name rcvar command pidfile force_run
- # Prevent recursive calling
- unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
- # Ignore rcvar and run command
- if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
- force_run=yes
- fi
- # Apply to all daemons
- for name in ${samba_daemons}; do
- rcvar=${name}_enable
- command="%%PREFIX%%/sbin/${name}"
- pidfile="${samba_server_piddir}/${name}.pid"
- # Daemon should be enabled and running
- if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
- if [ -n "$(check_pidfile "${pidfile}" "${command}")" ]; then
- debug "reloading ${name} configuration"
- echo "Reloading ${name}."
- ${smbcontrol_command} "${name}" 'reload-config' ${command_args} >/dev/null 2>&1
- fi
- fi
- done
-}
-
-samba_server_cmd() {
- local name rcvar rcvars v command pidfile samba_daemons result force_run
- # Prevent recursive calling
- unset "${rc_arg}_cmd" "${rc_arg}_precmd" "${rc_arg}_postcmd"
- # Stop processes in the reverse order
- if [ "${rc_arg}" = "stop" ] ; then
- samba_daemons=$(reverse_list ${samba_daemons})
- fi
- # Ignore rcvar and run command
- if [ -n "${_rc_prefix}" -a "${_rc_prefix}" = "one" ] || [ -n "${rc_force}" ] || [ -n "${rc_fast}" ]; then
- force_run=yes
- fi
- # Assume success
- result=0
- # Apply to all daemons
- for name in ${samba_daemons}; do
- # XXX
- rcvars=''; v=''
- rcvar=${name}_enable
- command="%%PREFIX%%/sbin/${name}"
- pidfile="${samba_server_piddir}/${name}.pid"
- # Daemon should be enabled and running
- if ( [ -n "${rcvar}" ] && checkyesno "${rcvar}" ) || [ -n "$force_run" ]; then
- run_rc_command "${_rc_prefix}${rc_arg}" ${rc_extra_args}
- # If any of the commands failed, take it as a global result
- result=$((${result} || $?))
- fi
- done
- return ${result}
-}
-
-samba_server_config_init() {
- local name
- # Load configuration
- load_rc_config "${name}"
- # Defaults
- samba_server_enable=${samba_server_enable:=NO}
- samba_server_config=${samba_server_config=${samba_server_config_default}}
- samba_server_configfile_arg=${samba_server_config:+--configfile="${samba_server_config}"} #"
- #testparm_command="%%PREFIX%%/bin/samba-tool testparm --suppress-prompt --verbose ${samba_server_configfile_arg}"
- testparm_command="%%PREFIX%%/bin/testparm --suppress-prompt --verbose ${samba_server_config}"
- # Determine what daemons are necessary to run Samba in the current role
- samba_server_role=$(${testparm_command} --parameter-name='server role' 2>/dev/null)
- case "${samba_server_role}" in
- active\ directory\ domain\ controller)
- samba_daemons="samba"
- ;;
- auto|*)
- samba_daemons="nmbd smbd winbindd"
- ;;
- esac
- # Load daemons configuration
- for name in ${samba_daemons}; do
- load_rc_config "${name}"
- # If samba_server_enable is 'YES'
- if [ -n "${rcvar}" ] && checkyesno "${rcvar}"; then
- if [ "${name}" != "winbindd" ]; then
- # Set variable to 'YES' only if it is unset
- eval ${name}_enable=\${${name}_enable-YES}
- else
- # Winbindd
- samba_server_idmap=$(${testparm_command} --parameter-name='idmap uid' 2>/dev/null)
- if [ -n "${samba_server_idmap}" ]; then
- winbindd_enable="YES"
- fi
- fi
- fi
- # If variable is empty, set it to 'NO'
- eval ${name}_enable=\${${name}_enable:-NO}
- done
- # Fetch parameters from configuration file
- samba_server_lockdir="$(${testparm_command} --parameter-name='lock directory' 2>/dev/null)"
- samba_server_lockdir=${samba_server_lockdir:=%%SAMBA4_LOCKDIR%%}
- samba_server_piddir="$(${testparm_command} --parameter-name='pid directory' 2>/dev/null)"
- samba_server_piddir=${samba_server_piddir:=%%SAMBA4_RUNDIR%%}
- samba_server_privatedir="$(${testparm_command} --parameter-name='private dir' 2>/dev/null)"
- samba_server_privatedir=${samba_server_privatedir:=%%SAMBA4_PRIVATEDIR%%}
-}
-
-# Load configuration variables
-samba_server_config_init
-# Common flags
-command_args=${samba_server_configfile_arg}
-samba_flags=${samba_flags="--daemon"}
-nmbd_flags=${nmbd_flags="--daemon"}
-smbd_flags=${smbd_flags="--daemon"}
-winbindd_flags=${winbindd_flags="--daemon"}
-# Requirements
-required_files="${samba_server_config}"
-required_dirs="${samba_server_lockdir}"
-
-run_rc_command "$1"
diff --git a/net/samba413/pkg-descr b/net/samba413/pkg-descr
deleted file mode 100644
index 885f153e054e..000000000000
--- a/net/samba413/pkg-descr
+++ /dev/null
@@ -1,6 +0,0 @@
-Samba4 is an attempt to implement an Active Directory compatible Domain
-Controller.
-
-In short, you can join a WinNT, Win2000, WinXP or Win 2003 - 2016 member
-server to a Samba4 domain, and it will behave much as it does in AD,
-including Kerberos domain logins where applicable.
diff --git a/net/samba413/pkg-plist b/net/samba413/pkg-plist
deleted file mode 100644
index 4cd4f319c8f2..000000000000
--- a/net/samba413/pkg-plist
+++ /dev/null
@@ -1,453 +0,0 @@
-bin/cifsdd
-bin/dbwrap_tool
-bin/dumpmscat
-bin/findsmb
-bin/gentest
-bin/locktest
-bin/masktest
-bin/mdfind
-bin/mvxattr
-bin/ndrdump
-bin/net
-bin/nmblookup
-bin/ntlm_auth
-bin/oLschema2ldif
-bin/pdbedit
-bin/profiles
-bin/regdiff
-bin/regpatch
-bin/regshell
-bin/regtree
-bin/rpcclient
-bin/samba-regedit
-bin/sharesec
-bin/smbcacls
-bin/smbclient
-bin/smbcontrol
-bin/smbcquotas
-bin/smbget
-bin/smbpasswd
-bin/smbspool
-bin/smbstatus
-bin/smbtar
-bin/smbtree
-bin/testparm
-bin/vfstest
-bin/wbinfo
-sbin/eventlogadm
-sbin/nmbd
-sbin/smbd
-sbin/winbindd
-include/samba4/charset.h
-include/samba4/core/doserr.h
-include/samba4/core/error.h
-include/samba4/core/hresult.h
-include/samba4/core/ntstatus_gen.h
-include/samba4/core/ntstatus.h
-include/samba4/core/werror_gen.h
-include/samba4/core/werror.h
-include/samba4/credentials.h
-include/samba4/dcerpc.h
-include/samba4/dcesrv_core.h
-%%LDAP%%include/samba4/smb_ldap.h
-%%LDAP%%include/samba4/smbldap.h
-include/samba4/domain_credentials.h
-include/samba4/gen_ndr/atsvc.h
-include/samba4/gen_ndr/auth.h
-include/samba4/gen_ndr/dcerpc.h
-include/samba4/gen_ndr/drsblobs.h
-include/samba4/gen_ndr/drsuapi.h
-include/samba4/gen_ndr/krb5pac.h
-include/samba4/gen_ndr/lsa.h
-include/samba4/gen_ndr/misc.h
-include/samba4/gen_ndr/nbt.h
-include/samba4/gen_ndr/ndr_atsvc.h
-include/samba4/gen_ndr/ndr_dcerpc.h
-include/samba4/gen_ndr/ndr_drsblobs.h
-include/samba4/gen_ndr/ndr_drsuapi.h
-include/samba4/gen_ndr/ndr_krb5pac.h
-include/samba4/gen_ndr/ndr_misc.h
-include/samba4/gen_ndr/ndr_nbt.h
-include/samba4/gen_ndr/ndr_samr_c.h
-include/samba4/gen_ndr/ndr_samr.h
-include/samba4/gen_ndr/ndr_svcctl_c.h
-include/samba4/gen_ndr/ndr_svcctl.h
-include/samba4/gen_ndr/netlogon.h
-include/samba4/gen_ndr/samr.h
-include/samba4/gen_ndr/security.h
-include/samba4/gen_ndr/server_id.h
-include/samba4/gen_ndr/svcctl.h
-include/samba4/ldb_wrap.h
-include/samba4/libsmbclient.h
-include/samba4/lookup_sid.h
-include/samba4/machine_sid.h
-include/samba4/ndr.h
-include/samba4/ndr/ndr_dcerpc.h
-include/samba4/ndr/ndr_drsblobs.h
-include/samba4/ndr/ndr_drsuapi.h
-include/samba4/ndr/ndr_krb5pac.h
-include/samba4/ndr/ndr_nbt.h
-include/samba4/ndr/ndr_svcctl.h
-include/samba4/netapi.h
-include/samba4/param.h
-include/samba4/passdb.h
-include/samba4/rpc_common.h
-include/samba4/samba/session.h
-include/samba4/samba/version.h
-include/samba4/share.h
-include/samba4/smb2_lease_struct.h
-include/samba4/smbconf.h
-include/samba4/tdr.h
-include/samba4/tsocket_internal.h
-include/samba4/tsocket.h
-include/samba4/util_ldb.h
-include/samba4/util/attr.h
-include/samba4/util/blocking.h
-include/samba4/util/data_blob.h
-include/samba4/util/debug.h
-include/samba4/util/discard.h
-include/samba4/util/fault.h
-include/samba4/util/genrand.h
-include/samba4/util/idtree_random.h
-include/samba4/util/idtree.h
-include/samba4/util/signal.h
-include/samba4/util/string_wrappers.h
-include/samba4/util/substitute.h
-include/samba4/util/tevent_ntstatus.h
-include/samba4/util/tevent_unix.h
-include/samba4/util/tevent_werror.h
-include/samba4/util/tfork.h
-include/samba4/util/time.h
-include/samba4/wbclient.h
-@dir include/samba4/util
-@dir include/samba4/samba
-@dir include/samba4/ndr
-@dir include/samba4/gen_ndr
-@dir include/samba4/core
-@dir include/samba4
-%%SAMBA4_LIBDIR%%/libdcerpc-binding.so
-%%SAMBA4_LIBDIR%%/libdcerpc-binding.so.0
-%%SAMBA4_LIBDIR%%/libdcerpc-samr.so
-%%SAMBA4_LIBDIR%%/libdcerpc-samr.so.0
-%%SAMBA4_LIBDIR%%/libdcerpc-server-core.so
-%%SAMBA4_LIBDIR%%/libdcerpc-server-core.so.0
-%%SAMBA4_LIBDIR%%/libdcerpc.so
-%%SAMBA4_LIBDIR%%/libdcerpc.so.0
-%%SAMBA4_LIBDIR%%/libndr-krb5pac.so
-%%SAMBA4_LIBDIR%%/libndr-krb5pac.so.0
-%%SAMBA4_LIBDIR%%/libndr-nbt.so
-%%SAMBA4_LIBDIR%%/libndr-nbt.so.0
-%%SAMBA4_LIBDIR%%/libndr-standard.so
-%%SAMBA4_LIBDIR%%/libndr-standard.so.0
-%%SAMBA4_LIBDIR%%/libndr.so
-%%SAMBA4_LIBDIR%%/libndr.so.1
-%%SAMBA4_LIBDIR%%/libnetapi.so
-%%SAMBA4_LIBDIR%%/libnetapi.so.0
-%%SAMBA4_LIBDIR%%/libsamba-credentials.so
-%%SAMBA4_LIBDIR%%/libsamba-credentials.so.0
-%%SAMBA4_LIBDIR%%/libsamba-errors.so
-%%SAMBA4_LIBDIR%%/libsamba-errors.so.1
-%%SAMBA4_LIBDIR%%/libsamba-hostconfig.so
-%%SAMBA4_LIBDIR%%/libsamba-hostconfig.so.0
-%%SAMBA4_LIBDIR%%/libsamba-passdb.so
-%%SAMBA4_LIBDIR%%/libsamba-passdb.so.0
-%%SAMBA4_LIBDIR%%/libsamba-util.so
-%%SAMBA4_LIBDIR%%/libsamba-util.so.0
-%%SAMBA4_LIBDIR%%/libsamdb.so
-%%SAMBA4_LIBDIR%%/libsamdb.so.0
-%%SAMBA4_LIBDIR%%/libsmbclient.so
-%%SAMBA4_LIBDIR%%/libsmbclient.so.0
-%%SAMBA4_LIBDIR%%/libsmbconf.so
-%%SAMBA4_LIBDIR%%/libsmbconf.so.0
-%%LDAP%%%%SAMBA4_LIBDIR%%/libsmbldap.so
-%%LDAP%%%%SAMBA4_LIBDIR%%/libsmbldap.so.2
-%%SAMBA4_LIBDIR%%/libtevent-util.so
-%%SAMBA4_LIBDIR%%/libtevent-util.so.0
-%%SAMBA4_LIBDIR%%/libwbclient.so
-%%SAMBA4_LIBDIR%%/libwbclient.so.0
-lib/nss_winbind.so.1
-lib/nss_wins.so.1
-lib/pam_winbind.so
-%%CUPS%%libexec/samba/smbspool_krb5_wrapper
-%%SAMBA4_LIBDIR%%/private/libCHARSET3-samba4.so
-%%SAMBA4_LIBDIR%%/private/libLIBWBCLIENT-OLD-samba4.so
-%%SAMBA4_LIBDIR%%/private/libMESSAGING-samba4.so
-%%SAMBA4_LIBDIR%%/private/libMESSAGING-SEND-samba4.so
-%%SAMBA4_LIBDIR%%/private/libaddns-samba4.so
-%%SAMBA4_LIBDIR%%/private/libads-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libasn1-samba4.so.8
-%%SAMBA4_LIBDIR%%/private/libasn1util-samba4.so
-%%SAMBA4_LIBDIR%%/private/libauth-samba4.so
-%%SAMBA4_LIBDIR%%/private/libauth-unix-token-samba4.so
-%%SAMBA4_LIBDIR%%/private/libauth4-samba4.so
-%%SAMBA4_LIBDIR%%/private/libauthkrb5-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-cldap-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-ldap-common-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-ldap-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-nbt-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-smb-common-samba4.so
-%%SAMBA4_LIBDIR%%/private/libclidns-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcli-spoolss-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcliauth-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcluster-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcmdline-contexts-samba4.so
-%%SAMBA4_LIBDIR%%/private/libcmdline-credentials-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libcom_err-samba4.so.0
-%%SAMBA4_LIBDIR%%/private/libcommon-auth-samba4.so
-%%SAMBA4_LIBDIR%%/private/libdbwrap-samba4.so
-%%SAMBA4_LIBDIR%%/private/libdcerpc-pkt-auth-samba4.so
-%%SAMBA4_LIBDIR%%/private/libdcerpc-samba-samba4.so
-%%SAMBA4_LIBDIR%%/private/libdcerpc-samba4.so
-%%SAMBA4_LIBDIR%%/private/libdsdb-module-samba4.so
-%%SAMBA4_LIBDIR%%/private/libevents-samba4.so
-%%SAMBA4_LIBDIR%%/private/libflag-mapping-samba4.so
-%%SAMBA4_LIBDIR%%/private/libgenrand-samba4.so
-%%SAMBA4_LIBDIR%%/private/libgensec-samba4.so
-%%SAMBA4_LIBDIR%%/private/libgpext-samba4.so
-%%SAMBA4_LIBDIR%%/private/libgpo-samba4.so
-%%SAMBA4_LIBDIR%%/private/libgse-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libgssapi-samba4.so.2
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libhcrypto-samba4.so.5
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libhdb-samba4.so.11
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libheimbase-samba4.so.1
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libheimntlm-samba4.so.1
-%%SAMBA4_LIBDIR%%/private/libhttp-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libhx509-samba4.so.5
-%%SAMBA4_LIBDIR%%/private/libidmap-samba4.so
-%%SAMBA4_LIBDIR%%/private/libinterfaces-samba4.so
-%%SAMBA4_LIBDIR%%/private/libiov-buf-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libkdc-samba4.so.2
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libkrb5-samba4.so.26
-%%SAMBA4_LIBDIR%%/private/libkrb5samba-samba4.so
-%%SAMBA4_LIBDIR%%/private/libldbsamba-samba4.so
-%%SAMBA4_LIBDIR%%/private/liblibcli-lsa3-samba4.so
-%%SAMBA4_LIBDIR%%/private/liblibcli-netlogon3-samba4.so
-%%SAMBA4_LIBDIR%%/private/liblibsmb-samba4.so
-%%SAMBA4_LIBDIR%%/private/libmessages-dgm-samba4.so
-%%SAMBA4_LIBDIR%%/private/libmessages-util-samba4.so
-%%SAMBA4_LIBDIR%%/private/libmscat-samba4.so
-%%SAMBA4_LIBDIR%%/private/libmsghdr-samba4.so
-%%SAMBA4_LIBDIR%%/private/libmsrpc3-samba4.so
-%%SAMBA4_LIBDIR%%/private/libndr-samba-samba4.so
-%%SAMBA4_LIBDIR%%/private/libndr-samba4.so
-%%SAMBA4_LIBDIR%%/private/libnet-keytab-samba4.so
-%%SAMBA4_LIBDIR%%/private/libnetif-samba4.so
-%%SAMBA4_LIBDIR%%/private/libnpa-tstream-samba4.so
-%%SAMBA4_LIBDIR%%/private/libnss-info-samba4.so
-%%SAMBA4_LIBDIR%%/private/libpopt-samba3-cmdline-samba4.so
-%%SAMBA4_LIBDIR%%/private/libpopt-samba3-samba4.so
-%%SAMBA4_LIBDIR%%/private/libposix-eadb-samba4.so
-%%SAMBA4_LIBDIR%%/private/libprinter-driver-samba4.so
-%%SAMBA4_LIBDIR%%/private/libprinting-migrate-samba4.so
-%%SAMBA4_LIBDIR%%/private/libregistry-samba4.so
-%%SAMBA4_LIBDIR%%/private/libreplace-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libroken-samba4.so.19
-%%SAMBA4_LIBDIR%%/private/libsamba-cluster-support-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamba-debug-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamba-modules-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamba-security-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamba-sockets-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamba3-util-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsamdb-common-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsecrets3-samba4.so
-%%SAMBA4_LIBDIR%%/private/libserver-id-db-samba4.so
-%%SAMBA4_LIBDIR%%/private/libserver-role-samba4.so
-%%SAMBA4_LIBDIR%%/private/libshares-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsmb-transport-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsmbclient-raw-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsmbd-base-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsmbd-shim-samba4.so
-%%LDAP%%%%SAMBA4_LIBDIR%%/private/libsmbldaphelper-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsmbpasswdparser-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsocket-blocking-samba4.so
-%%SAMBA4_LIBDIR%%/private/libsys-rw-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtalloc-report-printf-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtalloc-report-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtdb-wrap-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtime-basic-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtorture-samba4.so
-%%SAMBA4_LIBDIR%%/private/libtrusts-util-samba4.so
-%%SAMBA4_LIBDIR%%/private/libutil-cmdline-samba4.so
-%%SAMBA4_LIBDIR%%/private/libutil-reg-samba4.so
-%%SAMBA4_LIBDIR%%/private/libutil-setid-samba4.so
-%%SAMBA4_LIBDIR%%/private/libutil-tdb-samba4.so
-%%SAMBA4_LIBDIR%%/private/libwinbind-client-samba4.so
-%%GSSAPI_BUILTIN%%%%SAMBA4_LIBDIR%%/private/libwind-samba4.so.0
-%%SAMBA4_LIBDIR%%/private/libxattr-tdb-samba4.so
-@dir %%SAMBA4_LIBDIR%%/private
-@dir %%SAMBA4_LIBDIR%%
-%%PKGCONFIGDIR%%/dcerpc.pc
-%%PKGCONFIGDIR%%/dcerpc_samr.pc
-%%PKGCONFIGDIR%%/ndr.pc
-%%PKGCONFIGDIR%%/ndr_krb5pac.pc
-%%PKGCONFIGDIR%%/ndr_nbt.pc
-%%PKGCONFIGDIR%%/ndr_standard.pc
-%%PKGCONFIGDIR%%/netapi.pc
-%%PKGCONFIGDIR%%/samba-credentials.pc
-%%PKGCONFIGDIR%%/samba-hostconfig.pc
-%%PKGCONFIGDIR%%/samba-util.pc
-%%PKGCONFIGDIR%%/samdb.pc
-%%PKGCONFIGDIR%%/smbclient.pc
-%%PKGCONFIGDIR%%/wbclient.pc
-@comment Setup files
-%%SPOTLIGHT%%%%DATADIR%%/samba/mdssvc/elasticsearch_mappings.json
-@comment Man pages
-share/man/man1/dbwrap_tool.1.gz
-share/man/man1/findsmb.1.gz
-share/man/man1/gentest.1.gz
-share/man/man1/locktest.1.gz
-share/man/man1/log2pcap.1.gz
-share/man/man1/masktest.1.gz
-share/man/man1/mdfind.1.gz
-share/man/man1/mvxattr.1.gz
-share/man/man1/ndrdump.1.gz
-share/man/man1/nmblookup.1.gz
-share/man/man1/ntlm_auth.1.gz
-share/man/man1/oLschema2ldif.1.gz
-share/man/man1/profiles.1.gz
-share/man/man1/regdiff.1.gz
-share/man/man1/regpatch.1.gz
-share/man/man1/regshell.1.gz
-share/man/man1/regtree.1.gz
-share/man/man1/rpcclient.1.gz
-share/man/man1/sharesec.1.gz
-share/man/man1/smbcacls.1.gz
-share/man/man1/smbclient.1.gz
-share/man/man1/smbcontrol.1.gz
-share/man/man1/smbcquotas.1.gz
-share/man/man1/smbget.1.gz
-share/man/man1/smbstatus.1.gz
-share/man/man1/smbtar.1.gz
-share/man/man1/smbtree.1.gz
-share/man/man1/testparm.1.gz
-share/man/man1/vfstest.1.gz
-share/man/man1/wbinfo.1.gz
-share/man/man5/lmhosts.5.gz
-share/man/man5/pam_winbind.conf.5.gz
-share/man/man5/smb.conf.5.gz
-share/man/man5/smb4.conf.5.gz
-share/man/man5/smbgetrc.5.gz
-share/man/man5/smbpasswd.5.gz
-share/man/man7/libsmbclient.7.gz
-share/man/man7/samba.7.gz
-share/man/man7/traffic_learner.7.gz
-share/man/man7/traffic_replay.7.gz
-share/man/man8/cifsdd.8.gz
-share/man/man8/eventlogadm.8.gz
-share/man/man8/idmap_ad.8.gz
-share/man/man8/idmap_autorid.8.gz
-share/man/man8/idmap_hash.8.gz
-share/man/man8/idmap_ldap.8.gz
-share/man/man8/idmap_nss.8.gz
-share/man/man8/idmap_rfc2307.8.gz
-share/man/man8/idmap_rid.8.gz
-share/man/man8/idmap_script.8.gz
-share/man/man8/idmap_tdb.8.gz
-share/man/man8/idmap_tdb2.8.gz
-share/man/man8/net.8.gz
-share/man/man8/nmbd.8.gz
-share/man/man8/pam_winbind.8.gz
-share/man/man8/pdbedit.8.gz
-share/man/man8/samba_downgrade_db.8.gz
-share/man/man8/samba-regedit.8.gz
-share/man/man8/samba-tool.8.gz
-share/man/man8/samba.8.gz
-share/man/man8/smbd.8.gz
-share/man/man8/smbpasswd.8.gz
-%%CUPS%%share/man/man8/smbspool_krb5_wrapper.8.gz
-share/man/man8/smbspool.8.gz
-share/man/man8/vfs_acl_tdb.8.gz
-share/man/man8/vfs_acl_xattr.8.gz
-share/man/man8/vfs_aio_fork.8.gz
-share/man/man8/vfs_aio_pthread.8.gz
-share/man/man8/vfs_audit.8.gz
-share/man/man8/vfs_cacheprime.8.gz
-share/man/man8/vfs_cap.8.gz
-share/man/man8/vfs_catia.8.gz
-share/man/man8/vfs_commit.8.gz
-share/man/man8/vfs_crossrename.8.gz
-share/man/man8/vfs_default_quota.8.gz
-share/man/man8/vfs_dirsort.8.gz
-share/man/man8/vfs_extd_audit.8.gz
-share/man/man8/vfs_fake_perms.8.gz
-share/man/man8/vfs_freebsd.8.gz
-share/man/man8/vfs_full_audit.8.gz
-share/man/man8/vfs_linux_xfs_sgid.8.gz
-share/man/man8/vfs_media_harmony.8.gz
-share/man/man8/vfs_offline.8.gz
-share/man/man8/vfs_preopen.8.gz
-share/man/man8/vfs_readahead.8.gz
-share/man/man8/vfs_readonly.8.gz
-share/man/man8/vfs_recycle.8.gz
-share/man/man8/vfs_shadow_copy.8.gz
-share/man/man8/vfs_shadow_copy2.8.gz
-share/man/man8/vfs_shell_snap.8.gz
-share/man/man8/vfs_streams_depot.8.gz
-share/man/man8/vfs_streams_xattr.8.gz
-share/man/man8/vfs_syncops.8.gz
-share/man/man8/vfs_time_audit.8.gz
-share/man/man8/vfs_unityed_media.8.gz
-share/man/man8/vfs_virusfilter.8.gz
-share/man/man8/vfs_widelinks.8.gz
-share/man/man8/vfs_worm.8.gz
-share/man/man8/vfs_xattr_tdb.8.gz
-share/man/man8/vfs_zfsacl.8.gz
-share/man/man8/winbind_krb5_locator.8.gz
-share/man/man8/winbindd.8.gz
-@dir %%SAMBA4_RUNDIR%%
-@dir %%SAMBA4_LOGDIR%%
-@dir %%SAMBA4_LOCKDIR%%
-@dir %%SAMBA4_PRIVATEDIR%%
-@dir %%SAMBA4_BINDDNSDIR%%
-@comment Use bundled libraries
-%%SAMBA4_BUNDLED_CMOCKA%%%%SAMBA4_LIBDIR%%/private/libcmocka-samba4.so
-%%SAMBA4_BUNDLED_LDB%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/_ldb_text.py
-%%SAMBA4_BUNDLED_LDB%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/ldb%%PYTHON_EXT_SUFFIX%%.so
-%%SAMBA4_BUNDLED_LDB%%%%PYTHON3%%%%SAMBA4_LIBDIR%%/private/libpyldb-util%%PYTHON_EXT_SUFFIX%%.so.2
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbdump
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbadd
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbdel
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbedit
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbmodify
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbrename
-%%SAMBA4_BUNDLED_LDB%%bin/samba-ldbsearch
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_LIBDIR%%/private/libldb-cmdline-samba4.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_LIBDIR%%/private/libldb-key-value-samba4.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_LIBDIR%%/private/libldb-tdb-err-map-samba4.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_LIBDIR%%/private/libldb-tdb-int-samba4.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_LIBDIR%%/private/libldb.so.2
-%%AD_DC%%%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/count_attrs.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/asq.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/ildap.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/ldb.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/ldbsamba_extensions.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/paged_searches.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/rdn_name.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/sample.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/server_sort.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/skel.so
-%%SAMBA4_BUNDLED_LDB%%%%SAMBA4_MODULEDIR%%/ldb/tdb.so
-%%SAMBA4_BUNDLED_TALLOC%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/talloc%%PYTHON_EXT_SUFFIX%%.so
-%%SAMBA4_BUNDLED_TALLOC%%%%PYTHON3%%%%SAMBA4_LIBDIR%%/private/libpytalloc-util%%PYTHON_EXT_SUFFIX%%.so.2
-%%SAMBA4_BUNDLED_TALLOC%%%%SAMBA4_LIBDIR%%/private/libtalloc.so.2
-%%SAMBA4_BUNDLED_TALLOC%%share/man/man3/talloc.3.gz
-%%SAMBA4_BUNDLED_TDB%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/_tdb_text.py
-%%SAMBA4_BUNDLED_TDB%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/tdb%%PYTHON_EXT_SUFFIX%%.so
-%%SAMBA4_BUNDLED_TDB%%bin/samba-tdbbackup
-%%SAMBA4_BUNDLED_TDB%%bin/samba-tdbdump
-%%SAMBA4_BUNDLED_TDB%%bin/samba-tdbrestore
-%%SAMBA4_BUNDLED_TDB%%bin/samba-tdbtool
-%%SAMBA4_BUNDLED_TDB%%%%SAMBA4_LIBDIR%%/private/libtdb.so.1
-%%SAMBA4_BUNDLED_TEVENT%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/_tevent%%PYTHON_EXT_SUFFIX%%.so
-%%SAMBA4_BUNDLED_TEVENT%%%%PYTHON3%%%%PYTHON_SITELIBDIR%%/tevent.py
-%%SAMBA4_BUNDLED_TEVENT%%%%SAMBA4_LIBDIR%%/private/libtevent.so.0
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbadd.1.gz
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbdel.1.gz
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbedit.1.gz
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbmodify.1.gz
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbrename.1.gz
-%%SAMBA4_BUNDLED_LDB%%share/man/man1/samba-ldbsearch.1.gz
-%%SAMBA4_BUNDLED_TDB%%share/man/man8/samba-tdbbackup.8.gz
-%%SAMBA4_BUNDLED_TDB%%share/man/man8/samba-tdbdump.8.gz
-%%SAMBA4_BUNDLED_TDB%%share/man/man8/samba-tdbrestore.8.gz
-%%SAMBA4_BUNDLED_TDB%%share/man/man8/samba-tdbtool.8.gz
diff --git a/net/samba413/pkg-plist.ad_dc b/net/samba413/pkg-plist.ad_dc
deleted file mode 100644
index 13cd9bee6fd3..000000000000
--- a/net/samba413/pkg-plist.ad_dc
+++ /dev/null
@@ -1,172 +0,0 @@
-bin/samba-tool
-sbin/samba_downgrade_db
-sbin/samba
-sbin/samba_dnsupdate
-sbin/samba_kcc
-sbin/samba_spnupdate
-sbin/samba_upgradedns
-include/samba4/dcerpc_server.h
-lib/samba4/libdcerpc-server.so
-lib/samba4/libdcerpc-server.so.0
-lib/samba4/private/libdlz-bind9-for-torture-samba4.so
-lib/samba4/private/libprocess-model-samba4.so
-lib/samba4/private/libservice-samba4.so
-%%GSSAPI_BUILTIN%%lib/samba4/private/libHDB-SAMBA4-samba4.so
-lib/samba4/private/libdb-glue-samba4.so
-lib/samba4/private/libdfs-server-ad-samba4.so
-lib/samba4/private/libdnsserver-common-samba4.so
-lib/samba4/private/libdsdb-garbage-collect-tombstones-samba4.so
-lib/samba4/private/libpac-samba4.so
-lib/samba4/private/libscavenge-dns-records-samba4.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_10.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_11.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_12.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_14.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_16.so
-%%SAMBA4_MODULEDIR%%/bind9/dlz_bind9_18.so
-%%SAMBA4_MODULEDIR%%/gensec/krb5.so
-%%SAMBA4_MODULEDIR%%/ldb/acl.so
-%%SAMBA4_MODULEDIR%%/ldb/aclread.so
-%%SAMBA4_MODULEDIR%%/ldb/anr.so
-%%SAMBA4_MODULEDIR%%/ldb/audit_log.so
-%%SAMBA4_MODULEDIR%%/ldb/descriptor.so
-%%SAMBA4_MODULEDIR%%/ldb/dirsync.so
-%%SAMBA4_MODULEDIR%%/ldb/dns_notify.so
-%%SAMBA4_MODULEDIR%%/ldb/dsdb_notification.so
-%%SAMBA4_MODULEDIR%%/ldb/encrypted_secrets.so
-%%SAMBA4_MODULEDIR%%/ldb/extended_dn_in.so
-%%SAMBA4_MODULEDIR%%/ldb/extended_dn_out.so
-%%SAMBA4_MODULEDIR%%/ldb/extended_dn_store.so
-%%SAMBA4_MODULEDIR%%/ldb/group_audit_log.so
-%%SAMBA4_MODULEDIR%%/ldb/instancetype.so
-%%SAMBA4_MODULEDIR%%/ldb/lazy_commit.so
-%%SAMBA4_MODULEDIR%%/ldb/linked_attributes.so
-%%SAMBA4_MODULEDIR%%/ldb/new_partition.so
-%%SAMBA4_MODULEDIR%%/ldb/objectclass_attrs.so
-%%SAMBA4_MODULEDIR%%/ldb/objectclass.so
-%%SAMBA4_MODULEDIR%%/ldb/objectguid.so
-%%SAMBA4_MODULEDIR%%/ldb/operational.so
-%%SAMBA4_MODULEDIR%%/ldb/paged_results.so
-%%SAMBA4_MODULEDIR%%/ldb/partition.so
-%%SAMBA4_MODULEDIR%%/ldb/password_hash.so
-%%SAMBA4_MODULEDIR%%/ldb/ranged_results.so
-%%SAMBA4_MODULEDIR%%/ldb/repl_meta_data.so
-%%SAMBA4_MODULEDIR%%/ldb/resolve_oids.so
-%%SAMBA4_MODULEDIR%%/ldb/rootdse.so
-%%SAMBA4_MODULEDIR%%/ldb/samba_dsdb.so
-%%SAMBA4_MODULEDIR%%/ldb/samba_secrets.so
-%%SAMBA4_MODULEDIR%%/ldb/samba3sam.so
-%%SAMBA4_MODULEDIR%%/ldb/samba3sid.so
-%%SAMBA4_MODULEDIR%%/ldb/samldb.so
-%%SAMBA4_MODULEDIR%%/ldb/schema_data.so
-%%SAMBA4_MODULEDIR%%/ldb/schema_load.so
-%%SAMBA4_MODULEDIR%%/ldb/secrets_tdb_sync.so
-%%SAMBA4_MODULEDIR%%/ldb/show_deleted.so
-%%SAMBA4_MODULEDIR%%/ldb/subtree_delete.so
-%%SAMBA4_MODULEDIR%%/ldb/subtree_rename.so
-%%SAMBA4_MODULEDIR%%/ldb/tombstone_reanimate.so
-%%SAMBA4_MODULEDIR%%/ldb/unique_object_sids.so
-%%SAMBA4_MODULEDIR%%/ldb/update_keytab.so
-%%SAMBA4_MODULEDIR%%/ldb/vlv.so
-%%SAMBA4_MODULEDIR%%/ldb/wins_ldb.so
-%%SAMBA4_MODULEDIR%%/process_model/prefork.so
-%%SAMBA4_MODULEDIR%%/process_model/standard.so
-%%SAMBA4_MODULEDIR%%/service/cldap.so
-%%SAMBA4_MODULEDIR%%/service/dcerpc.so
-%%SAMBA4_MODULEDIR%%/service/dns_update.so
-%%SAMBA4_MODULEDIR%%/service/dns.so
-%%SAMBA4_MODULEDIR%%/service/drepl.so
-%%SAMBA4_MODULEDIR%%/service/kcc.so
-%%SAMBA4_MODULEDIR%%/service/kdc.so
-%%SAMBA4_MODULEDIR%%/service/ldap.so
-%%SAMBA4_MODULEDIR%%/service/nbtd.so
-%%SAMBA4_MODULEDIR%%/service/ntp_signd.so
-%%SAMBA4_MODULEDIR%%/service/s3fs.so
-%%SAMBA4_MODULEDIR%%/service/winbindd.so
-%%SAMBA4_MODULEDIR%%/service/wrepl.so
-%%SAMBA4_MODULEDIR%%/vfs/posix_eadb.so
-%%PKGCONFIGDIR%%/dcerpc_server.pc
-%%DATADIR%%/samba/admx/en-US/samba.adml
-%%DATADIR%%/samba/admx/samba.admx
-%%DATADIR%%/setup/ad-schema/AD_DS_Attributes__Windows_Server_2012_R2.ldf
-%%DATADIR%%/setup/ad-schema/AD_DS_Attributes__Windows_Server_2016.ldf
-%%DATADIR%%/setup/ad-schema/AD_DS_Classes__Windows_Server_2012_R2.ldf
-%%DATADIR%%/setup/ad-schema/AD_DS_Classes__Windows_Server_2016.ldf
-%%DATADIR%%/setup/ad-schema/Attributes_for_AD_DS__Windows_Server_2008_R2.ldf
-%%DATADIR%%/setup/ad-schema/Attributes_for_AD_DS__Windows_Server_2012.ldf
-%%DATADIR%%/setup/ad-schema/Classes_for_AD_DS__Windows_Server_2008_R2.ldf
-%%DATADIR%%/setup/ad-schema/Classes_for_AD_DS__Windows_Server_2012.ldf
-%%DATADIR%%/setup/ad-schema/licence.txt
-%%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_Attributes.txt
-%%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_Classes.txt
-%%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt
-%%DATADIR%%/setup/ad-schema/MS-AD_Schema_2K8_R2_Classes.txt
-%%DATADIR%%/setup/adprep/fix-forest-rev.ldf
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Forest-Wide-Updates.md
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Sch49.ldf.diff
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Sch50.ldf.diff
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Sch51.ldf.diff
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Sch57.ldf.diff
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Sch59.ldf.diff
-%%DATADIR%%/setup/adprep/WindowsServerDocs/Schema-Updates.md
-%%DATADIR%%/setup/aggregate_schema.ldif
-%%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k0.txt
-%%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k3.txt
-%%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k3R2.txt
-%%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k8.txt
-%%DATADIR%%/setup/display-specifiers/DisplaySpecifiers-Win2k8R2.txt
-%%DATADIR%%/setup/dns_update_list
-%%DATADIR%%/setup/extended-rights.ldif
-%%DATADIR%%/setup/idmap_init.ldif
-%%DATADIR%%/setup/krb5.conf
-%%DATADIR%%/setup/named.conf
-%%DATADIR%%/setup/named.conf.dlz
-%%DATADIR%%/setup/named.conf.update
-%%DATADIR%%/setup/named.txt
-%%DATADIR%%/setup/prefixMap.txt
-%%DATADIR%%/setup/provision_basedn_modify.ldif
-%%DATADIR%%/setup/provision_basedn_options.ldif
-%%DATADIR%%/setup/provision_basedn_references.ldif
-%%DATADIR%%/setup/provision_basedn.ldif
-%%DATADIR%%/setup/provision_computers_add.ldif
-%%DATADIR%%/setup/provision_computers_modify.ldif
-%%DATADIR%%/setup/provision_configuration_basedn.ldif
-%%DATADIR%%/setup/provision_configuration_modify.ldif
-%%DATADIR%%/setup/provision_configuration_references.ldif
-%%DATADIR%%/setup/provision_configuration.ldif
-%%DATADIR%%/setup/provision_dns_accounts_add.ldif
-%%DATADIR%%/setup/provision_dns_add_samba.ldif
-%%DATADIR%%/setup/provision_dnszones_add.ldif
-%%DATADIR%%/setup/provision_dnszones_modify.ldif
-%%DATADIR%%/setup/provision_dnszones_partitions.ldif
-%%DATADIR%%/setup/provision_group_policy.ldif
-%%DATADIR%%/setup/provision_init.ldif
-%%DATADIR%%/setup/provision_partitions.ldif
-%%DATADIR%%/setup/provision_privilege.ldif
-%%DATADIR%%/setup/provision_rootdse_add.ldif
-%%DATADIR%%/setup/provision_rootdse_modify.ldif
-%%DATADIR%%/setup/provision_schema_basedn_modify.ldif
-%%DATADIR%%/setup/provision_schema_basedn.ldif
-%%DATADIR%%/setup/provision_self_join_config.ldif
-%%DATADIR%%/setup/provision_self_join_modify_config.ldif
-%%DATADIR%%/setup/provision_self_join_modify_schema.ldif
-%%DATADIR%%/setup/provision_self_join_modify.ldif
-%%DATADIR%%/setup/provision_self_join.ldif
-%%DATADIR%%/setup/provision_users_add.ldif
-%%DATADIR%%/setup/provision_users_modify.ldif
-%%DATADIR%%/setup/provision_users.ldif
-%%DATADIR%%/setup/provision_well_known_sec_princ.ldif
-%%DATADIR%%/setup/provision.ldif
-%%DATADIR%%/setup/provision.reg
-%%DATADIR%%/setup/provision.zone
-%%DATADIR%%/setup/schema_samba4.ldif
-%%DATADIR%%/setup/secrets_dns.ldif
-%%DATADIR%%/setup/secrets_init.ldif
-%%DATADIR%%/setup/secrets.ldif
-%%DATADIR%%/setup/share.ldif
-%%DATADIR%%/setup/spn_update_list
-%%DATADIR%%/setup/ypServ30.ldif
-@dir %%DATADIR%%/setup/display-specifiers
-@dir %%DATADIR%%/setup/ad-schema
-@dir %%DATADIR%%/setup
-@dir %%DATADIR%%
diff --git a/net/samba413/pkg-plist.cluster b/net/samba413/pkg-plist.cluster
deleted file mode 100644
index a7aff89718ca..000000000000
--- a/net/samba413/pkg-plist.cluster
+++ /dev/null
@@ -1,78 +0,0 @@
-@comment Cluster
-bin/ctdb
-bin/ctdb_diagnostics
-bin/ltdbtool
-bin/onnode
-bin/ping_pong
-etc/ctdb/ctdb-crash-cleanup.sh
-etc/ctdb/debug_locks.sh
-etc/ctdb/debug-hung-script.sh
-etc/ctdb/events/legacy/00.ctdb.script
-etc/ctdb/events/legacy/01.reclock.script
-etc/ctdb/events/legacy/05.system.script
-etc/ctdb/events/legacy/10.interface.script
-etc/ctdb/events/notification/README
-etc/ctdb/functions
-etc/ctdb/nfs-checks.d/00.portmapper.check
-etc/ctdb/nfs-checks.d/10.status.check
-etc/ctdb/nfs-checks.d/20.nfs.check
-etc/ctdb/nfs-checks.d/30.nlockmgr.check
-etc/ctdb/nfs-checks.d/40.mountd.check
-etc/ctdb/nfs-checks.d/50.rquotad.check
-etc/ctdb/nfs-checks.d/README
-etc/ctdb/nfs-linux-kernel-callout
-etc/ctdb/notify.sh
-etc/ctdb/statd-callout
-etc/sudoers.d/ctdb
-lib/samba4/private/libctdb-event-client-samba4.so
-libexec/ctdb/ctdb_killtcp
-libexec/ctdb/ctdb_lock_helper
-libexec/ctdb/ctdb_lvs
-libexec/ctdb/ctdb_mutex_fcntl_helper
-libexec/ctdb/ctdb_natgw
-libexec/ctdb/ctdb_recovery_helper
-libexec/ctdb/ctdb_takeover_helper
-libexec/ctdb/ctdb-config
-libexec/ctdb/ctdb-event
-libexec/ctdb/ctdb-eventd
-libexec/ctdb/ctdb-path
-libexec/ctdb/smnotify
-share/man/man1/ctdb_diagnostics.1.gz
-share/man/man1/ctdb.1.gz
-share/man/man1/ctdbd_wrapper.1.gz
-share/man/man1/ctdbd.1.gz
-share/man/man1/ltdbtool.1.gz
-share/man/man1/onnode.1.gz
-share/man/man1/ping_pong.1.gz
-share/man/man5/ctdb-script.options.5.gz
-share/man/man5/ctdb.conf.5.gz
-share/man/man5/ctdb.sysconfig.5.gz
-share/man/man7/ctdb-statistics.7.gz
-share/man/man7/ctdb-tunables.7.gz
-share/man/man7/ctdb.7.gz
-sbin/ctdbd
-sbin/ctdbd_wrapper
-share/ctdb/events/legacy/00.ctdb.script
-share/ctdb/events/legacy/01.reclock.script
-share/ctdb/events/legacy/05.system.script
-share/ctdb/events/legacy/06.nfs.script
-share/ctdb/events/legacy/10.interface.script
-share/ctdb/events/legacy/11.natgw.script
-share/ctdb/events/legacy/11.routing.script
-share/ctdb/events/legacy/13.per_ip_routing.script
-share/ctdb/events/legacy/20.multipathd.script
-share/ctdb/events/legacy/31.clamd.script
-share/ctdb/events/legacy/40.vsftpd.script
-share/ctdb/events/legacy/41.httpd.script
-share/ctdb/events/legacy/48.netbios.script
-share/ctdb/events/legacy/49.winbind.script
-share/ctdb/events/legacy/50.samba.script
-share/ctdb/events/legacy/60.nfs.script
-share/ctdb/events/legacy/70.iscsi.script
-share/ctdb/events/legacy/91.lvs.script
-@dir /var/lib/ctdb/volatile
-@dir /var/lib/ctdb/state
-@dir /var/lib/ctdb/persistent
-@dir /var/lib/ctdb
-@dir /var/lib
-@dir /var/run/ctdb
diff --git a/net/samba413/pkg-plist.python b/net/samba413/pkg-plist.python
deleted file mode 100644
index 60883b702312..000000000000
--- a/net/samba413/pkg-plist.python
+++ /dev/null
@@ -1,389 +0,0 @@
-bin/smbtorture
-sbin/samba-gpupdate
-share/man/man1/smbtorture.1.gz
-share/man/man8/samba-gpupdate.8.gz
-include/samba4/policy.h
-lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so
-lib/samba4/libsamba-policy%%PYTHON_EXT_SUFFIX%%.so.0
-lib/samba4/private/libsamba-net%%PYTHON_EXT_SUFFIX%%-samba4.so
-lib/samba4/private/libsamba-python%%PYTHON_EXT_SUFFIX%%-samba4.so
-%%PKGCONFIGDIR%%/samba-policy%%PYTHON_EXT_SUFFIX%%.pc
-@comment Python block
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dckeytab%%PYTHON_EXT_SUFFIX%%.so
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/posix_eadb%%PYTHON_EXT_SUFFIX%%.so
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/xattr_native%%PYTHON_EXT_SUFFIX%%.so
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/xattr_tdb%%PYTHON_EXT_SUFFIX%%.so
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dsdb_dns%%PYTHON_EXT_SUFFIX%%.so
-%%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dsdb%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/_glue%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/_ldb%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/auth_util.py
-%%PYTHON_SITELIBDIR%%/samba/auth%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/colour.py
-%%PYTHON_SITELIBDIR%%/samba/common.py
-%%PYTHON_SITELIBDIR%%/samba/compat.py
-%%PYTHON_SITELIBDIR%%/samba/credentials%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/crypto%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dbchecker.py
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/atsvc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/auth%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/base%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/dcerpc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/dfs%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/dns%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/dnsp%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/dnsserver%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/drsblobs%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/drsuapi%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/echo%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/epmapper%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/idmap%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/initshutdown%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/irpc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/krb5ccache%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/krb5pac%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/lsa%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/mdssvc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/messaging%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/mgmt%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/misc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/nbt%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/netlogon%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/ntlmssp%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/preg%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/samr%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/security%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/server_id%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/smb_acl%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/spoolss%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/srvsvc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/svcctl%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/unixinfo%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/winbind%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/windows_event_ids%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/winreg%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/winspool%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/witness%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/wkssvc%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/dcerpc/xattr%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/descriptor.py
-%%PYTHON_SITELIBDIR%%/samba/dnsresolver.py
-%%PYTHON_SITELIBDIR%%/samba/dnsserver.py
-%%PYTHON_SITELIBDIR%%/samba/domain_update.py
-%%PYTHON_SITELIBDIR%%/samba/drs_utils.py
-%%PYTHON_SITELIBDIR%%/samba/emulate/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/emulate/traffic_packets.py
-%%PYTHON_SITELIBDIR%%/samba/emulate/traffic.py
-%%PYTHON_SITELIBDIR%%/samba/forest_update.py
-%%PYTHON_SITELIBDIR%%/samba/gensec%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/getopt.py
-%%PYTHON_SITELIBDIR%%/samba/gp_ext_loader.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_aas.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_csv.py
-%%PYTHON_SITELIBDIR%%/samba/gp_scripts_ext.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_inf.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_ini.py
-%%PYTHON_SITELIBDIR%%/samba/gp_parse/gp_pol.py
-%%PYTHON_SITELIBDIR%%/samba/gp_sec_ext.py
-%%PYTHON_SITELIBDIR%%/samba/gpclass.py
-%%PYTHON_SITELIBDIR%%/samba/gpo%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/graph.py
-%%PYTHON_SITELIBDIR%%/samba/hostconfig.py
-%%PYTHON_SITELIBDIR%%/samba/idmap.py
-%%PYTHON_SITELIBDIR%%/samba/join.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/debug.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/graph_utils.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/graph.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/kcc_utils.py
-%%PYTHON_SITELIBDIR%%/samba/kcc/ldif_import_export.py
-%%PYTHON_SITELIBDIR%%/samba/logger.py
-%%PYTHON_SITELIBDIR%%/samba/mdb_util.py
-%%PYTHON_SITELIBDIR%%/samba/messaging%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/ms_display_specifiers.py
-%%PYTHON_SITELIBDIR%%/samba/ms_forest_updates_markdown.py
-%%PYTHON_SITELIBDIR%%/samba/ms_schema_markdown.py
-%%PYTHON_SITELIBDIR%%/samba/ms_schema.py
-%%PYTHON_SITELIBDIR%%/samba/ndr.py
-%%PYTHON_SITELIBDIR%%/samba/net%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/netbios%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/netcmd/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/common.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/computer.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/contact.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/dbcheck.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/delegation.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/dns.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/domain_backup.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/domain.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/drs.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/dsacl.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/forest.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/fsmo.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/gpo.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/group.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/ldapcmp.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/main.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/nettime.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/ntacl.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/ou.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/processes.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/pso.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/rodc.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/schema.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/sites.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/spn.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/testparm.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/user.py
-%%PYTHON_SITELIBDIR%%/samba/netcmd/visualize.py
-%%PYTHON_SITELIBDIR%%/samba/ntacls.py
-%%PYTHON_SITELIBDIR%%/samba/ntstatus%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/param%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/policy%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/provision/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/provision/backend.py
-%%PYTHON_SITELIBDIR%%/samba/provision/common.py
-%%PYTHON_SITELIBDIR%%/samba/provision/kerberos_implementation.py
-%%PYTHON_SITELIBDIR%%/samba/provision/kerberos.py
-%%PYTHON_SITELIBDIR%%/samba/provision/sambadns.py
-%%PYTHON_SITELIBDIR%%/samba/registry%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/remove_dc.py
-%%PYTHON_SITELIBDIR%%/samba/samba3/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/samba3/libsmb_samba_internal%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/samba3/mdscli%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/samba3/param%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/samba3/passdb%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/samba3/smbd%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/samdb.py
-%%PYTHON_SITELIBDIR%%/samba/schema.py
-%%PYTHON_SITELIBDIR%%/samba/sd_utils.py
-%%PYTHON_SITELIBDIR%%/samba/security%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/sites.py
-%%PYTHON_SITELIBDIR%%/samba/subnets.py
-%%PYTHON_SITELIBDIR%%/samba/subunit/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/subunit/run.py
-%%PYTHON_SITELIBDIR%%/samba/tdb_util.py
-%%PYTHON_SITELIBDIR%%/samba/tests/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/audit_log_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/audit_log_dsdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/audit_log_pass_change.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_ncalrpc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_netlogon_bad_creds.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_netlogon.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_pass_change.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_samlogon.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log_winbind.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth_log.py
-%%PYTHON_SITELIBDIR%%/samba/tests/auth.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/bug13653.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/check_output.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/downgradedatabase.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/mdfind.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/ndrdump.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/netads_json.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/samba_dnsupdate.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls_basic.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcacls.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcontrol_process.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/smbcontrol.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_learner.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_replay.py
-%%PYTHON_SITELIBDIR%%/samba/tests/blackbox/traffic_summary.py
-%%PYTHON_SITELIBDIR%%/samba/tests/common.py
-%%PYTHON_SITELIBDIR%%/samba/tests/complex_expressions.py
-%%PYTHON_SITELIBDIR%%/samba/tests/core.py
-%%PYTHON_SITELIBDIR%%/samba/tests/credentials.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/array.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/bare.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/dnsserver.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/integer.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/lsa.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/mdssvc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/misc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/raw_protocol.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/raw_testcase.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/registry.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/rpc_talloc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/rpcecho.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/sam.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/srvsvc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/string_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/testrpc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/unix.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dckeytab.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_forwarder_helpers/server.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_forwarder.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_invalid.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_packet.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_tkey.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns_wildcard.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dns.py
-%%PYTHON_SITELIBDIR%%/samba/tests/docs.py
-%%PYTHON_SITELIBDIR%%/samba/tests/domain_backup_offline.py
-%%PYTHON_SITELIBDIR%%/samba/tests/domain_backup.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dsdb_api.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dsdb_lock.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dsdb_schema_attributes.py
-%%PYTHON_SITELIBDIR%%/samba/tests/dsdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/emulate/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/emulate/traffic_packet.py
-%%PYTHON_SITELIBDIR%%/samba/tests/emulate/traffic.py
-%%PYTHON_SITELIBDIR%%/samba/tests/encrypted_secrets.py
-%%PYTHON_SITELIBDIR%%/samba/tests/gensec.py
-%%PYTHON_SITELIBDIR%%/samba/tests/get_opt.py
-%%PYTHON_SITELIBDIR%%/samba/tests/getdcname.py
-%%PYTHON_SITELIBDIR%%/samba/tests/glue.py
-%%PYTHON_SITELIBDIR%%/samba/tests/gpo.py
-%%PYTHON_SITELIBDIR%%/samba/tests/graph.py
-%%PYTHON_SITELIBDIR%%/samba/tests/group_audit.py
-%%PYTHON_SITELIBDIR%%/samba/tests/hostconfig.py
-%%PYTHON_SITELIBDIR%%/samba/tests/join.py
-%%PYTHON_SITELIBDIR%%/samba/tests/kcc/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/kcc/graph_utils.py
-%%PYTHON_SITELIBDIR%%/samba/tests/kcc/graph.py
-%%PYTHON_SITELIBDIR%%/samba/tests/kcc/kcc_utils.py
-%%PYTHON_SITELIBDIR%%/samba/tests/kcc/ldif_import_export.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5_credentials.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/alias_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/as_canonicalization_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/as_req_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/compatability_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/fast_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kcrypto.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_base_test.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kdc_tgs_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/kpasswd_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/raw_testcase.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/rfc4120_constants.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/rfc4120_pyasn1.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/rodc_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/s4u_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/salt_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/simple_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/spn_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_ccache.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_idmap_nss.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_ldap.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_min_domain_uid.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_rpc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/test_smb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/krb5/xrealm_tests.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ldap_raw.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ldap_referrals.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ldap_spn.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ldap_upn_sam_account.py
-%%PYTHON_SITELIBDIR%%/samba/tests/libsmb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/loadparm.py
-%%PYTHON_SITELIBDIR%%/samba/tests/lsa_string.py
-%%PYTHON_SITELIBDIR%%/samba/tests/messaging.py
-%%PYTHON_SITELIBDIR%%/samba/tests/net_join_no_spnego.py
-%%PYTHON_SITELIBDIR%%/samba/tests/net_join.py
-%%PYTHON_SITELIBDIR%%/samba/tests/netbios.py
-%%PYTHON_SITELIBDIR%%/samba/tests/netcmd.py
-%%PYTHON_SITELIBDIR%%/samba/tests/netlogonsvc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntacls_backup.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntacls.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth_krb5.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntlm_auth.py
-%%PYTHON_SITELIBDIR%%/samba/tests/ntlmdisabled.py
-%%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind_chauthtok.py
-%%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind_warn_pwd_expire.py
-%%PYTHON_SITELIBDIR%%/samba/tests/pam_winbind.py
-%%PYTHON_SITELIBDIR%%/samba/tests/param.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_hash_fl2003.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_hash_fl2008.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_hash_gpgme.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_hash_ldap.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_hash.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_quality.py
-%%PYTHON_SITELIBDIR%%/samba/tests/password_test.py
-%%PYTHON_SITELIBDIR%%/samba/tests/policy.py
-%%PYTHON_SITELIBDIR%%/samba/tests/posixacl.py
-%%PYTHON_SITELIBDIR%%/samba/tests/prefork_restart.py
-%%PYTHON_SITELIBDIR%%/samba/tests/process_limits.py
-%%PYTHON_SITELIBDIR%%/samba/tests/provision.py
-%%PYTHON_SITELIBDIR%%/samba/tests/pso.py
-%%PYTHON_SITELIBDIR%%/samba/tests/py_credentials.py
-%%PYTHON_SITELIBDIR%%/samba/tests/registry.py
-%%PYTHON_SITELIBDIR%%/samba/tests/s3idmapdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/s3param.py
-%%PYTHON_SITELIBDIR%%/samba/tests/s3passdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/s3registry.py
-%%PYTHON_SITELIBDIR%%/samba/tests/s3windb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/__init__.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/computer.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/contact.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/demote.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/dnscmd.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/dsacl.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/forest.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/fsmo.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/gpo.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/group.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/help.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/join_lmdb_size.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/join.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/ntacl.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/ou.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/passwordsettings.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/processes.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/promote_dc_lmdb_size.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/provision_lmdb_size.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/provision_password_check.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/rodc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/schema.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/sites.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/timecmd.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_check_password_script.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_virtualCryptSHA.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user_wdigest.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/user.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/visualize_drs.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_tool/visualize.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba_upgradedns_lmdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samba3sam.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samdb_api.py
-%%PYTHON_SITELIBDIR%%/samba/tests/samdb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/security.py
-%%PYTHON_SITELIBDIR%%/samba/tests/segfault.py
-%%PYTHON_SITELIBDIR%%/samba/tests/smb.py
-%%PYTHON_SITELIBDIR%%/samba/tests/smbd_base.py
-%%PYTHON_SITELIBDIR%%/samba/tests/smbd_fuzztest.py
-%%PYTHON_SITELIBDIR%%/samba/tests/source.py
-%%PYTHON_SITELIBDIR%%/samba/tests/strings.py
-%%PYTHON_SITELIBDIR%%/samba/tests/subunitrun.py
-%%PYTHON_SITELIBDIR%%/samba/tests/tdb_util.py
-%%PYTHON_SITELIBDIR%%/samba/tests/upgrade.py
-%%PYTHON_SITELIBDIR%%/samba/tests/upgradeprovision.py
-%%PYTHON_SITELIBDIR%%/samba/tests/upgradeprovisionneeddc.py
-%%PYTHON_SITELIBDIR%%/samba/tests/usage.py
-%%PYTHON_SITELIBDIR%%/samba/tests/xattr.py
-%%PYTHON_SITELIBDIR%%/samba/upgrade.py
-%%PYTHON_SITELIBDIR%%/samba/upgradehelpers.py
-%%PYTHON_SITELIBDIR%%/samba/uptodateness.py
-%%PYTHON_SITELIBDIR%%/samba/werror%%PYTHON_EXT_SUFFIX%%.so
-%%PYTHON_SITELIBDIR%%/samba/xattr.py
-@dir %%PYTHON_SITELIBDIR%%/samba/tests/samba_tool
-@dir %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc
-@dir %%PYTHON_SITELIBDIR%%/samba/tests/blackbox
-@dir %%PYTHON_SITELIBDIR%%/samba/tests
-@dir %%PYTHON_SITELIBDIR%%/samba/samba3
-@dir %%PYTHON_SITELIBDIR%%/samba/provision
-@dir %%PYTHON_SITELIBDIR%%/samba/netcmd
-@dir %%PYTHON_SITELIBDIR%%/samba/dcerpc
-@dir %%PYTHON_SITELIBDIR%%/samba