Age | Commit message (Collapse) | Author | Files | Lines |
|
The relative DN must be the one that the most specific structural
objectclass specifies.
Andrew Bartlett
|
|
We need to create Domain Users in the test ldb
|
|
This helped track down the samba3sam.py failures
|
|
|
|
I'll need help from Andrew on how to get gensec to initialise it's ops
element
|
|
|
|
|
|
|
|
mdw is working on the correct call to check the password strength
|
|
|
|
It is nice to tell the user why their command failed :-)
|
|
As metze pointed out - this seems to be completely dead code. I too didn't find
any dependencies in other code parts. Therefore remove it.
|
|
Windows 2003 Native
|
|
Add checks to make sure that we join only supported AD domains (we agreed that
those are >= (Windows) 2003 Native per default - this is changeable with the
"ads:function level" option).
Add also checks to make sure that we cannot join domains which have a bigger
function level than our DC capable function level (e.g. a (Windows) 2008 DC
cannot join a (Windows) 2008 R2 domain).
|
|
NDR64 has a 'trailing gap' alignment, which aligns the end of a
structure on the overall structure alignment.
This explains the discrepancy we had with the RPC-SAMR test and NDR64
|
|
|
|
AD has the concept of a DN prefixed with B:NN:XXXXXX: that contains a
binary blob. We need to support those in order to give correctly
formatted binary blobs for things like wellKnownObjects
This implementation is not ideal, as it allows for binary blobs on all
DNs, whereas it should only allow them on those with a syntax of
2.5.5.7. We should clean this up in the future, but meanwhile this
implementation at least gets us a working DC join of w2k8 to s4.
This patch also uses a static function for marking DNs as invalid,
which is very useful when debugging this code, as you can break on it
in gdb.
|
|
Windows does not set the 3 high bits, which is strange given their
meaning. I've submitted a CAR on this.
|
|
Update to use the new DS_DNS_FOREST_ROOT name, which makes it clearer
what this bit means (according to MS-ADTS doc)
|
|
These are in nbt.idl and netlogon.idl as well, no need to have them
here under different names, especially when the comments are wrong
|
|
The DS_ bits had got a bit ahead of the NBT_ bits.
Ideally we'd make these a single set of bits at some point.
This also removes NBT_SERVER_DNS_FOREST as this bit doesn't exist. I
think it came from someone mis-reading the docs, which show the bits
in reverse order within bytes (one of the worst bit table
representations I have ever seen!)
|
|
* Add chained NTCREATEX_READX test which first tries to open/read
a non-existant file failing on the open, then attempts the same
operation on a file that does exist, opening and reading
successfully.
* Add test for open_dispositions on directories.
|
|
Allows "make test" and other harnesses to print cleaner output.
|
|
Always use LSTAT for POSIX pathnames.
Jeremy.
|
|
Forgot to "git add" the new file in commit b2bcfaae
|
|
Jeremy.
|
|
|
|
I've ported all applicable SMB oplock torture tests to SMB2, giving us
a good base for SMB2 oplock testing.
There are several differences between oplocks in SMB and SMB2, mostly
because of differences in W2K3 and W2K8. The existing SMB oplock
tests all pass against W2K3, but several fail against W2K8. These
same tests were failing in SMB2, util I reworked them.
BATCH19, BATCH20: In W2K3/SMB a setfileinfo - rename command wouldn't
cause a sharing violation or break an existing oplock. It appears that
in W2K8/SMB2 a sharing violation is raised.
BATCH22: In W2K3/SMB when a second opener was waiting the full timeout
of an oplock break, it would receive NT_STATUS_SHARING_VIOLATION after
about 35 seconds. This bug has been fixed in W2K8/SMB2 and instead
the second opener succeeds.
LEVELII500: Added 1 new test checking that the server returns a proper
error code when a client improperly replies to a levelII to none break
notification.
STREAM1: W2K8 now grants oplocks on alternate data streams.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Modified implementation _ber_read_OID_String_impl()
returns how much bytes are converted.
The intentation is to use this implementation both for
reading OIDs and partial-OIDs in the future
|
|
|
|
When configure options --with-libtalloc=no --enable-shared-libs=no are used,
LIBTALLOC_TARGET stays empty. Actually LIBTALLOC_TARGET which is only used for
Makefile dependencies is obsolete as LIBTALLOC contains exactly the targets
that make the dependencies are. Obnox, pleaѕe check!
|
|
PRINT_LIBS might have been set before intentionally, so don't thow it away.
|
|
|
|
===========================================================
== Subject: Misconfigured /etc/passwd file may share folders unexpectedly
==
== CVE ID#: CVE-2009-2813
==
== Versions: All versions of Samba later than 3.0.11
==
== Summary: If a user in /etc/passwd is misconfigured to have
== an empty home directory then connecting to the home
== share of this user will use the root of the filesystem
== as the home directory.
===========================================================
|
|
Karolin
|
|
Summary:
Specially crafted SMB requests on
authenticated SMB connections can send smbd
into a 100% CPU loop, causing a DoS on the
Samba server.
|
|
When running mount.cifs with the --verbose option, it'll print out the
option string that it passes to the kernel...including the mount
password if there is one. Print a placeholder string instead to help
ensure that this info can't be used for nefarious purposes.
Also, the --verbose option printed the option string before it was
completely assembled anyway. This patch should also make sure that
the complete option string is printed out.
Finally, strndup passwords passed in on the command line to ensure that
they aren't shown by --verbose as well. Passwords used this way can
never be truly kept private from other users on the machine of course,
but it's simple enough to do it this way for completeness sake.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
|
|
It's possible for an unprivileged user to pass a setuid mount.cifs a
credential or password file to which he does not have access. This can cause
mount.cifs to open the file on his behalf and possibly leak the info in the
first few lines of the file.
Check the access permissions of the file before opening it.
Reported-by: Ronald Volgers <r.c.volgers@student.utwente.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <sfrench@us.ibm.com>
|