| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
RFC 1035 says the maximum length for a DNS name is 255 characters, and
one of the factors that allowed CVE-2020-10745 is that Samba did not
enforce that directly, enabling names around 8k long.
We fix that by keeping track of the name length. It is easier and more
efficient to use a 64 byte buffer for the components, and this will
help us to introduce further hardening in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
the dns_packet tests originally checked only for a particular DoS
situation (CVE-2020-10745) but now we widen them to ensure Samba's
replies to invalid packets resembles those of Windows (in particular,
Windows 2012r2). We want Samba to reply only when Windows replies, and
with the same rcode.
At present we fail a lot of these tests.
The original CVE-2020-10745 test is retained and widened indirectly --
any test that leaves the server unable to respond within 0.5 seconds
will count as a failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
volume_label() calls lp_servicename() as a fallback when lp_volume()
returns an empty string. lp_servicename() is a FN_LOCAL_SUBSTITUTED_STRING
that falls back to sDefault.szService when the service is invalid. Since
sDefault.szService is initialized to NULL and is never set by
init_globals(), the substitution returns NULL, and the subsequent
strlen() call crashes with a segmentation fault.
Add a NULL guard so volume_label() returns an empty string instead
of crashing.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 15 00:07:12 UTC 2026 on atb-devel-224
|
|
Add a test that verifies smbd does not crash when a usershare
definition file becomes inaccessible while a client is connected.
The test creates a usershare, connects to it, makes the usershare
definition file inaccessible (chmod 000), then issues a volume
query which triggers the volume_label() -> lp_servicename() code
path. It verifies smbd is still alive afterward by connecting to
a different share.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14978
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
|
|
Without these, the type checker complains:
Method "addDuration" overrides class "TestResult" in an incompatible manner.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Large DNS response must be truncated over UDP, letting client retry over TCP. Current threshold is set to 1232 as it is regarded as a safe size.
Truncated packets have no answers nor record, only the packet header and initial question(s).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Apr 1 05:08:14 UTC 2026 on atb-devel-224
|
|
Large DNS response must be truncated over UDP, though this is not yet done in samba. Test is added as knownfail until implementation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15988
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Fix compiler errors when compiling with clang 22
Fixes for bug 15746
commits: 5367944b74888bd1f8af3567e18c1b763f8f58c6
1b18c37544405a74b20c6dff4454c0b7dc79d5df
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15746
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Mar 31 00:41:46 UTC 2026 on atb-devel-224
|
|
The windows ADDC checks password validity before password expiry. So an
incorrect expired password will return KDC_ERR_PREAUTH_REQUIRED not
KDC_ERR_KEY_EXPIRED.
The KDC behaviour fixes will be made to lorikeet-heimdal and then imported to
samba.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15746
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
Commit c1433f821f7 added PADATA_PK_AS_REP (PA-PK-AS-REP, type 17) to
the expected padata list when check_rep_padata sees KDC_ERR_KEY_EXPIRED.
This reflects Samba's Heimdal KDC behaviour, which includes PKINIT hints
in expired-password error responses.
Samba with MIT KDC does not include PADATA_PK_AS_REP in KDC_ERR_KEY_EXPIRED
responses; it returns a METHOD-DATA with just the NTSTATUS payload (type 3) and
the FX-COOKIE (type 133). This causes test_pw_expired to fail intermittently
when the expired-password code path is exercised against MIT KDC.
Add PADATA_PK_AS_REP to the require_strict set alongside PADATA_PK_AS_REP_19,
so it is treated as optional in non-strict checking mode (STRICT_CHECKING=0)
while still being enforced in strict mode.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar 30 10:41:07 UTC 2026 on atb-devel-224
|
|
Without the configuration argument, samba-tool falls back to
load_default() which fails in the test environment when there is no
system-wide smb.conf.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
MIT KRB5 1.22 fixed a spurious FAST armor processing error. In
KRB5 1.21 this spurious error caused verify_access() with device FAST
armor to fail, which accidentally made the device silo restriction check
in test_device_and_server_silo_restrictions appear to work.
With KRB5 1.22 the spurious error is gone. Device authentication is
still not implemented in MIT Kerberos, so the second assertRaises block
(user has silo assigned, device does not) no longer raises NTSTATUSError
and the test fails.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
- Replace delay_max configuration with burst_mult parameters.
- Add three test cases: basic rate limiting, burst behavior, and recovery
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16000
Signed-off-by: Avan Thakkar <athakkar@redhat.com>
Reviewed-by: Shweta Sodani <ssodani@redhat.com>
Reviewed-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 27 11:52:46 UTC 2026 on atb-devel-224
|
|
commits: 4223f36655031fd13ad3b0bedbc937dd9ba40c8d
1a9371036d4baa7da50e9260e411eefa6cee0811
53f5f685a474413d009249ecd7750399737dcd39
Action upstream feedback on KB5014754 changes.
pkinit:match_name Implement 3.1.5.2.1.3 Explicit Mapping
Calculate hash for KB5014754 SHA1-PUKEY over entire certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Autobuild-User(master): Jennifer Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Feb 23 21:18:57 UTC 2026 on atb-devel-224
|
|
The SHA1 hash for KB5014754 SHA1-PUKEY is calculate over the entire
certificate not just the public key.
BUG https://bugzilla.samba.org/show_bug.cgi?id=16001
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15978
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 23 12:37:28 UTC 2026 on atb-devel-224
|
|
If AES keys are available in the domain, assume that service accounts support
AES by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
cli_credentials_get_keytab() uses the sAMAccountName to calculate the salt via
cli_credentials_get_salt_principal(). Changing the sAMAccountName means that
cli_credentials_get_keytab() will generate AES Kerberos keys using the wrong
salt, and gensec authentication will fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
As part of the gse_krb5 processing the following call chain
gensec_gse_client_start()
---> gensec_kerberos_possible()
---> cli_credentials_authentication_requested()
gensec_kerberos_possible() will always fail when
cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
It seems since use kerberos == desired is the default that it isn't
necessary to see if credentials were modified to indicated authentication
was requested. gensec_kerberos_possible() should afaics return true
if kerberos is desired OR required (regardless of whether credentials
were requested)
This commit removes the knownfail associated with this bug.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Add tests to call smbclient without passing credentials to
demonstrate failure with --use-kereros=desired
Also add knownfail
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Add unit tests for the new JSON debugging macros DBGJSON and DBGJSONC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15898
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
|
|
This will do something later when MIT Kerberos supports this option. For Heimdal
it shouldn’t make a difference.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 21 04:46:43 UTC 2026 on atb-devel-224
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
This puts promoted_dc and ad_dc_ntvfs in sync, and avoids an issue in the former
environment where the Heimdal KDC will use the smb.conf from one of the two DCs,
and the MIT KDC will use the smb.conf from the other.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
MIT Kerberos maps this error code to KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, avoiding
problems from the KDC returning KRB5KRB_ERR_GENERIC.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
These are modelled after the kdc-canon-heimdal tests.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
These have gone unused since commit bd60c605ca1cf3f3568646dc3c0ca3501f0bfbec.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
An LDB request interprets an empty attribute list as a request for no
attributes, but LDAP interprets an empty list as a request for all attributes,
and ["1.1"] as a request for no attributes, as per
RFC4511:4.5.1.8(SearchRequest.attributes). We need to convert [] to ["1.1"]
in the ildap module before the request goes out.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13852
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jan 21 03:29:23 UTC 2026 on atb-devel-224
|
|
Test VFS aio_ratelimit module: ensure that a (read) delay is indeed
injected.
Signed-off-by: Shachar Sharon <ssharon@redhat.com>
Reviewed-by: Avan Thakkar <athakkar@redhat.com>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Gunther Deschner <gd@samba.org>
|
|
The schema_dc environment has the 'require canonicalization = yes' option,
which we want to test with MIT kerberos, but only with relevant tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
If the test is run against a
require canonicalization = yes
server, requests that do not use the canonicalize flag will be
rejected at the preauth stage, so we check that and nothing more.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
The combination of the server 'require canonicalization' option with a
lack of a 'canonicalize' flag from the client will result in AS_REPs
with PRINCIPAL UNKNOWN.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
The client doesn't request canonicalization here, so we always expect
its AS_REP to be C_PRINCIPAL_UNKNOWN.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
We check here instead of selftest/expectedfail.d/* in part because
on MIT some of these cases will fail to fail to ask for preauth.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
The smb.conf option
kdc name match implicit dollar without canonicalization = no
is supposed to avoid the dollar ticket attack by refusing to consider
"foo$" as a match for "foo" unless canonicalization is requested.
This was rather blunt however, as the only time we care about this is for
the client name in an AS_REQ, and we can easily check whether that is the
case.
This makes the option less intrusive, allowing the use of "SERVER" for a
server name rather than "SERVER$". A number of tests no longer fail.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
If 'python3-testscenarios' is installed, the test is bound to fail,
like this:
$ make test TESTS=subunit
[...]
[1(0)/2 at 0s] subunit.tests.test_suite
subunit.tests.test_suite.unittest.loader._FailedTest.subunit(none)
REASON: Exception: Exception: ImportError: Failed to import test module: subunit
Traceback (most recent call last):
File "/usr/lib/python3.12/unittest/loader.py", line 137, in loadTestsFromName
module = __import__(module_name)
^^^^^^^^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'subunit'
I am not certain when "subunit.tests.test_suite" would have
successfully resolved.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
fl2008r2dc environment
So that we test with and without the option enabled.
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
principal name
Andrew Bartlett says:
“These days, we can trust that the PAC has been validated by the library, and I
think also that nobody could have put in a false PAC anyway (the KDC should stop
clients setting pre-auth data of that type), so the validation step that fails
isn't doing as much as it did 20 years ago. So I think we could simply patch
[this] check to accept the canonical name and know that we just are working with
that option [‘krb5 acceptor report canonical client name’] having been set.”
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Resets are unwilling, not constrained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
As always, a reset returns UNWILLING_TO_PERFORM even though it is
pretending to be a change due to the control.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
preventing this message:
/usr/lib/python3.12/unittest/case.py:580: RuntimeWarning: TestResult has no addDuration method
warnings.warn("TestResult has no addDuration method",
as far as I can tell we have no real use for addDuration, since we
already measure time in other ways.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Tue Dec 23 09:43:56 UTC 2025 on atb-devel-224
|
