1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

2373 Commits

Author SHA1 Message Date
Garming Sam
5ccfd38156 dnsserver: Stop dns_name_equal doing OOB read
This has been the cause of a large number of flakey autobuilds. Every
now and again dns_name_equal would not be equal between two empty
strings, thus causing failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12813

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  1 19:34:38 CEST 2017 on sn-devel-144
2017-06-01 19:34:38 +02:00
Garming Sam
4b52f102be getncchanges: Do not filter EXOPs using highwatermark
Prior to this patch, any REPL_SECRETS could be filtered accidentally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
b22387cf85 rpc_server: Move SID helpers into common
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
fd29e28d52 netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Stefan Metzmacher
f31c55fd9b s4:rpc_server: implement async AUTH3 using gensec_update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
0f55829940 s4:rpc_server: implement async ALTER_CONTEXT using gensec_update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
2681370cea s4:rpc_server: implement async BIND using gensec_update_send/recv
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
c449313df7 s4:rpc_server: remove unused dcesrv_auth_{bind_ack,auth3,alter_ack}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
b680e9e0ea s4:rpc_server: make use of dcesrv_auth_prepare_auth3() in dcesrv_auth3()
It means we also need to call gensec_update_ev() and dcesrv_auth_complete()
directly in dcesrv_auth3(). Doing that will make it easier to make dcesrv_auth3()
async in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
aa2df9efb5 s4:rpc_server: make use of dcesrv_auth_prepare_alter_ack() in dcesrv_alter()
It means we also need to call gensec_update_ev() and dcesrv_auth_complete()
directly in dcesrv_alter(). Doing that will make it easier to make dcesrv_alter()
async in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
7274dffa75 s4:rpc_server: make use of dcesrv_auth_prepare_bind_ack() in dcesrv_bind()
It means we also need to call gensec_update_ev() and dcesrv_auth_complete()
directly in dcesrv_bind(). Doing that will make it easier to make dcesrv_bind()
async in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
5a408bbdc8 s4:rpc_server: make use of dcesrv_auth_reply() in dcesrv_alter()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
d698c83946 s4:rpc_server: split out dcesrv_auth_reply() from dcesrv_bind()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:13 +02:00
Stefan Metzmacher
6cc8d7880d s4:rpc_server: remove useless TALLOC_FREE(call->context) from dcesrv_bind()
This is not needed if we're terminating the connection anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
bcf33f3cb6 s4:rpc_server: split out dcesrv_auth_prepare_alter_ack()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
352b5ecca3 s4:rpc_server: split out dcesrv_auth_prepare_auth3()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
f65625e4e7 s4:rpc_server: split out dcesrv_auth_prepare_bind_ack()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
9f5110b5b5 s4:rpc_server: make use of dcesrv_auth_complete() in dcesrv_auth_auth3()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
f3be27c79c s4:rpc_server: prepare dcesrv_auth_complete() for AUTH3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
f9a2db82b9 s4:rpc_server: make use of dcesrv_auth_complete() in dcesrv_auth_alter_ack()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
8ec1254ab4 s4:rpc_server: split out dcesrv_auth_complete() from dcesrv_auth_bind_ack()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
3e94bd7576 s4:rpc_server: add wait_send/recv infrastructure
This will be used to implement async BIND/ALTER_CONTEXT/AUTH3
using gensec_update_send/recv.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
469e274b7d s4:rpc_server: introduce call->ack_pkt and avoid pkt variable for the response on the stack
This will be needed when we use async authentication using gensec_update_send/recv.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:12 +02:00
Stefan Metzmacher
e9ec93e5f2 s4:rpc_server: simplify the GENSEC_FEATURE_SIGN_PKT_HEADER logic
We can directly check this after gensec_start_mech_by_authtype(),
the backend either supports it or not. There's nothing that
can change during the authentication phase.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Jeremy Allison
560c37524b s4: Add TALLOC_CTX * to register_server_service().
Use the passed in context from callers. Remove one
talloc_autofree_context().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-11 20:30:13 +02:00
Günther Deschner
3a11a797a7 s4-rpc_server: remove some dead prototypes
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-10 15:53:20 +02:00
Volker Lendecke
277eac1a8e lsa4_srv: Factor out dcesrc_lsa_valid_AccountRight()
The previous code in dcesrv_lsa_AddRemoveAccountRights had the following snippet:

if (sec_privilege_id(rights->names[i].string) == SEC_PRIV_INVALID) {
        if (sec_right_bit(rights->names[i].string) == 0) {
                talloc_free(msg);
                return NT_STATUS_NO_SUCH_PRIVILEGE;
        }
        talloc_free(msg);
        return NT_STATUS_NO_SUCH_PRIVILEGE;
}

If I'm not mistaken, the inner if-statement is essentially dead code,
as regardless of the outcome of the if-condition we execute the same
code. The effect of this is that you can't "net rpc rights grant" a right,
for example SeInteractiveLogonRight. A quick test against a W2k12 server
shows that W2k12 allows this call.

This patch changes the semantics of dcesrv_lsa_AddRemoveAccountRights
to also allow "rights" to be granted and revoked. At the same
time, it centralizes the check for validity of user input from
dcesrv_lsa_EnumAccountsWithUserRight into dcesrc_lsa_valid_AccountRight
too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 29 09:20:02 CEST 2017 on sn-devel-144
2017-04-29 09:20:02 +02:00
Jeremy Allison
306783d6f5 lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *)
Not currently used - no logic changes inside.

This will make it possible to pass down a long-lived talloc
context from the loading function for modules to use instead
of having them internally all use talloc_autofree_context()
which is a hidden global.

Updated all known module interface numbers, and added a
WHATSNEW.

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
2017-04-22 01:17:00 +02:00
Garming Sam
63c6209f5c updaterefs: Do not open transaction even when unnecessary
This can be called during GetNCChanges (a generally read-only call), it
is not wise to be blocking the database for no reason.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Apr 13 11:25:06 CEST 2017 on sn-devel-144
2017-04-13 11:25:06 +02:00
Garming Sam
d055b20298 drepl_server: Allow refresh of partitions on UpdateRef
When we call UpdateRef, the push replication will not begin until the
drepl_server has done its periodic refresh. If UpdateRefs is called, we
should just send an IRPC message to call the refresh.

NOTE: This has the same dependencies and issues as repl_secrets in
auth_sam.c in terms of IRPC implementation.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Andrew Bartlett
008843463f samr: Add logging of password change success and failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
d004196036 auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.

We pass in a messaging context from the callers

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
366f8cf090 auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
f6dd784814 s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-though
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Gary Lockyer
3bc5685445 rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.

The local address allows us to know which interface an authentication is on

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:27 +02:00
Andrew Bartlett
6adcaf1648 s4-rpc_server: Correct comment about where the current iface can be found
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
ea3f00f2b5 auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
This will allow the authentication log to indicate clearly how the password was
supplied to the server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Andrew Bartlett
c048918959 auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Andrew Bartlett
2d6066dbbf gensec: Add gensec_{get,set}_target_service_description()
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Andrew Bartlett
9e09e68d47 s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
This will allow a very verbose JSON line to be logged that others can audit from in the future

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Douglas Bagnall
a6c00aed11 getncchanges: remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-27 20:08:19 +02:00
Garming Sam
6ccdd3f53c repl_secret: Prevent null deref on DEBUG
Code path with has_get_all_changes could not be exercised until
recently.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-27 20:08:18 +02:00
Stefan Metzmacher
4af89d534d auth4: let auth_check_password* return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Stefan Metzmacher
74deb488e9 netlogon4: make use of auth_context_create_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:09 +01:00
Garming Sam
af664b94dc getncchanges: Remove O(n) loop in link parsing
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 13 08:57:24 CET 2017 on sn-devel-144
2017-03-13 08:57:24 +01:00
Garming Sam
f9d570d5a3 getncchanges: generalize samdb_result_sid_array_ndr a little
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
2863551e90 getncchanges: Add a comment regarding sIDHistory for allow/deny in repl_secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
6b2425343b getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
c8eac3cc40 getncchanges: Reorder and comment code for clarity
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
2e02f3602d getncchanges: Prevent a small, but possible race condition in build_object
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
cf9552effe getncchanges: Refactor filter_attrs from build_object
This makes it easier to have a transaction around it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
4b4a4c1063 getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
a9e3830473 getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Bob Campbell
d3576a95d4 getncchanges: Do not filter secrets by PAS in EXOP_REPL_SECRET
This conforms with Windows' behaviour.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Garming Sam
c91c237963 getncchanges: Let security of RWDC+ manually replicate secrets to RODCs
This correctly passes has_get_all_changes through to repl_secrets.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Garming Sam
b0d37f6ca1 getncchanges: Return correct denied REPL_SECRET error code
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Chris Lamb
bca0d8ee67 Correct "defered" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:23 +01:00
Chris Lamb
5482e5426e Correct "existence" typos.
Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-02-22 08:26:22 +01:00
Volker Lendecke
2251c30528 rpc_server: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-02-15 02:28:15 +01:00
Stefan Metzmacher
5109e777f7 getncchanges: implement DRSUAPI_DRS_GET_ANC more correctly
The most important case is the combination of
DRSUAPI_DRS_CRITICAL_ONLY and DRSUAPI_DRS_GET_ANC.

With DRSUAPI_DRS_GET_ANC we need to make sure all ancestors
included even if they're not marked with
isCriticalSystemObject=TRUE.

I guess we still don't behave exactly as Windows, but it's much
better than before and fixes the initial replication if
someone moved the administrator account to an OU.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Pair-Programmed-With: Bob Campbell <bobcampbell@catalyst.net.nz>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:19 +01:00
Stefan Metzmacher
c61d0c8957 getncchanges: calculate getnc_state->min_usn calculation based on the uptodateness vector
This should improve initial replication of a fresh destination dsa with
a zero highwatermark.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:19 +01:00
Stefan Metzmacher
02f11b925c getncchanges: improve get_nc_changes_add_links() by checking uSNChanged
This will make a difference once we handle DRSUAPI_DRS_GET_ANC correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:19 +01:00
Stefan Metzmacher
c31777a701 getncchanges: improve get_nc_changes_build_object() by checking uSNChanged
This will make a difference once we handle DRSUAPI_DRS_GET_ANC correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
51386342d5 getncchanges: fix highest_usn off by one calculation in get_nc_changes_add_links()
highest_usn is the the highest usn the destination dsa already knows about.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
7d8c409792 getncchanges: remove unused c++ comments/code in getncchanges_collect_objects()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Garming Sam
1a328bf404 getncchanges: do not replicate links for non critical objects if DRSUAPI_DRS_CRITICAL_ONLY is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
1e15cdaa01 getncchanges: don't process DRSUAPI_DRS_CRITICAL_ONLY for EXOPs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
488eed6977 getncchanges: remember the ncRoot_guid on the getncchanges state
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
23e45b4938 getncchanges: pass struct ldb_message as const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
e935a04afb getncchanges: only set nc_{object,linked_attributes}_count with DRSUAPI_DRS_GET_NC_SIZE
The main change is that we return 0 values if DRSUAPI_DRS_GET_NC_SIZE is not
present in order to get the same result as a Windows server in that case.

If DRSUAPI_DRS_GET_NC_SIZE is return the number of links we found so far
during the cycle in addition the number of objects returned in this cycle.
Both values doesn't match what Windows returns, but doing that
correctly and efficient is a task for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Garming Sam
c94f824170 getncchanges: use the uptodateness_vector to filter links to replicate
This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144
2016-12-21 04:37:54 +01:00
Andrew Bartlett
787cf39ce6 s4-rpc_server: Add braces to better follow coding style
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
abbd0a88de s4-netlogon: Push the netlogon server in the AD DC into multiple processes
This allows the NETLOGON server to scale better, as it is often a bottleneck

What we are doing here is keeping the forced single process only for
other servers that declare they use DCE/RPC handles.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
b81cf02834 s4-rpc_server: Do not check association groups for NETLOGON
If this RPC server is not going to use handles (actually a generic
flag) then do not check the assocation group provided.  This in turn
allows us to easily make NETLOGON run in multiple processes.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
6dc14b0a5d s4-rpc_server: Allow listener for RPC servers to use multiple processes
To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.

The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
ffb8b50e3c s4-rpc_server: Allow each interface to declare if it uses handles
This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
5ea6708d81 s4-rpc_server: Add comments explaining the control flow around dcesrv_bind()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-20 01:11:23 +01:00
Andrew Bartlett
31d625bcd2 s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.

If no such client emerges, it can be deprecated and removed in the normal way.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:12 +01:00
Douglas Bagnall
a7598fb53b rpc_server:netlogon Move from memcache to a tdb cache
This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
2016-12-14 20:12:13 +01:00
Bob Campbell
4408df2493 dnsserver: add dns name checking
This may also prevent deletion of existing corrupted records through
DNS, but should be resolvable through RPC, or at worst LDAP.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 05:00:18 +01:00
Andrew Bartlett
0e2f03f9bd s4-rpc_server: Avoid extern reference to dcesrv_mgmt_interface and memcpy()
Use a typesafe struct-returning function instead

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-08 09:28:26 +01:00
Andrew Bartlett
d4990bcf7f s4-rpc_server: Use an initialised static const struct in dcerpc_server_remote_init
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-12-01 05:54:22 +01:00
Andrew Bartlett
a6357d9949 s4-rpc_server: Use a type-safe struct signature in dcerpc_register_ep_server
This is much safer than void *, and the void * feature appears no longer
to be needed after 31ded4901b

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-12-01 05:54:22 +01:00
Andrew Bartlett
5a1dcf2385 s4/rpc_server: Show what RPC interfaces are listening on which TCP port
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-12-01 05:54:22 +01:00
Andreas Schneider
f1cc938451 s4-rpc_server: Use DCERPC_NCA_S_UNKNOWN_IF for fault code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-10-26 11:20:20 +02:00
Stefan Metzmacher
a9be262daa s4:rpc_server: implement DCERPC_PFC_FLAG_CONC_MPX ordering restrictions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
50392a9252 s4:rpc_server/remote: pass through DCERPC_PFC_FLAG_CONC_MPX if it was used by the client
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
d2d09474dd s4:rpc_server: support DCESRV_CALL_STATE_FLAG_MULTIPLEXED by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
7d530e962f s4:rpc_server: return the context_id of a RESPONSE in the same way as windows
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
505a1fdf0d s4:rpc_server: return the context_id of a FAULT in a same way as windows
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
077df7f08a s4:rpc_server: fill call->context on the first fragment
This allows us to get fault responses right.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
133130d263 s4:rpc_server: implement DCERPC_BIND_TIME_KEEP_CONNECTION_ON_ORPHAN support
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
a70f528949 s4:rpc_server: ignore CO_CANCEL and ORPHANED PDUs
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
b4345f232b s4:rpc_server: list all connection oriented pdu types explicitly
See DCE-RPC-1.1.pdf Section 12.6 Connection-oriented RPC PDUs Page 588.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:17 +02:00
Stefan Metzmacher
1a46ff2a0f s4:rpc_server: convert dcesrv_auth_response() into a generic dcesrv_auth_pkt_push()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
bc73cd97ee s4:rpc_server: make use of dcerpc_ncacn_push_pkt_auth() in dcesrv_auth_response()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
2e8c496ef5 s4:rpc_server: convert dcesrv_auth_request() into a generic dcesrv_auth_pkt_pull()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
cb94ec8424 s4:rpc_server: make use of dcerpc_ncacn_pull_pkt_auth() in dcesrv_auth_request()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00