IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
e.g when you supply an invalid TID or VUID)
- as we don't yet understand how to check the smb_signing of this
replies, we just ignore the whole packet
abartlet,jra,tridge:
can someone try to find out how to create and verify
the signatures for this replies.
what I noticed is that still use the increment by one for the request,
and later requests are still generated fine, only the generating and verifying
of the ntcancel replies make problems
metze
this was cause of the PANIC on the build farm on metze01
as we use req->out.buffer from the old request in the smb_raw_ntcancel()
and send a 0 TID, that causes our server code to crash
(a fix for the server code will follow)
metze
that some values aren't handled. The remaining warnings I think are
actual bugs or required functionality that is missing (mostly lack of
server side Unix extensions).
support cldap and other stuff in the future.
This temporarily disables wbinfo -t, but that will come back soon.
Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3
and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION
tgs-rep error.
Volker
determining a mechanism to use.
Currently it doesn't to fallbacks like SPNEGO does, but this could be
added (to GENSEC, not to here).
This also adds a new function to GENSEC, which returns a list of SASL
names in our preference order (currently determined by the build
system of all things...).
Also make the similar function used for OIDs in SPNEGO do the same.
This is all a very long-winded way of moving from a hard-coded NTLM to
GSS-SPNEGO in our SASL client...
Andrew Bartlett
this only happens with socket_wrapper as socket_connect() returns NT_STATUS_OK
instead of NT_STATUS_MORE_PROCESSING_REQUIRED, and we missed to replace the
fde event handler...
metze
- Adds -rpath bin/ so you don't have to install Samba in order to use compiled binaries.
- Writes out pkg-config files when building shared libs
- Supports automatic fallback to MERGEDOBJ (which is the default) or
OBJ_LIST (if ld -r is not supported)
Building with shared libs reduces the size of the Samba binaries from
197 Mb to 60 Mb (including libraries) on my system (GCC4, with debugging).
To build with shared libraries support enabled, run:
LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY ./config.status
init functions don't get called correctly yet when using shared libs, so
you won't be able to actually run anything with success :-)
Once init functions are done, I'll look at support for loading shared
modules once again.
Based on a patch by Peter Novodvorsky (nidd on IRC).
composite_connect, so in io.in.dest_host I'm setting the IP address. Gensec
does not like that as a target hostname, so if a called name is present, use
that. So we can session setup using kerberos now.
Volker
Tridge, if you have the time, you might want to look at a problem I'm having
with unix domain stream sockets. From a comment in this commit:
/* Using composite_trigger_error here causes problems with the client
* socket. Linux 2.6.8 gives me a ECONNRESET on the next read after
* writing the reply when I don't wait the 100 milliseconds. */
This is in winbind/wb_cmd_userdomgroups.c:93.
The problem I have is that I can not *immediately* send an error reply to the
client because the next receive fails. Waiting 100 milliseconds helps. It
might also be a problem with epoll(), I don't really know.
I'd appreciate if you took a brief look at this, maybe I'm doing something
wrong.
Thanks,
Volker
add struct nbt_peer_socket and use it instead of passing const char *addr, uint16 port everyhwere
(tridge: can you review this please, (make test works)
metze
authentication out of the various callers and into the kitchen
sink.. err, credentials subsystem.
This should ensure consistant logic, as well as get us one step closer
to security=server operation in future.
Andrew Bartlett
most of the changes are fixes to make all the ldb code compile without
warnings on gcc4. Unfortunately That required a lot of casts :-(
I have also added the start of an 'operational' module, which will
replace the timestamp module, plus add support for some other
operational attributes
In ldb_msg_*() I added some new utility functions to make the
operational module sane, and remove the 'ldb' argument from the
ldb_msg_add_*() functions. That argument was only needed back in the
early days of ldb when we didn't use the hierarchical talloc and thus
needed a place to get the allocation function from. Now its just a
pain to pass around everywhere.
Also added a ldb_debug_set() function that calls ldb_debug() plus sets
the result using ldb_set_errstring(). That saves on some awkward
coding in a few places.
* rename the composite helper functions from comp_* to composite_*
* Move the lsa initialization to wb_connect_lsa.c
* Equip smb_composite_connect with a fallback_to_anonymous
The latter two simplify wb_init_domain.c quite a bit.
Volker
Initialize a domain structure properly. Excerpt from wb_init_domain.c:
/*
* Initialize a domain:
*
* - With schannel credentials, try to open the SMB connection with the machine
* creds. Fall back to anonymous.
*
* - If we have schannel creds, do the auth2 and open the schannel'ed netlogon
* pipe.
*
* - Open LSA. If we have machine creds, try to open with ntlmssp. Fall back
* to schannel and then to anon bind.
*
* - With queryinfopolicy, verify that we're talking to the right domain
*
* A bit complex, but with all the combinations I think it's the best we can
* get. NT4, W2k3SP1 and W2k all have different combinations, but in the end we
* have a signed&sealed lsa connection on all of them.
*
* Is this overkill? In particular the authenticated SMB connection seems a
* bit overkill, given that we do schannel for netlogon and ntlmssp for
* lsa later on w2k3, the others don't do this anyway.
*/
Thanks to Jeremy for his detective work, and to the Samba4 team for providing
such a great infrastructure.
Next step is to connect to SAM. Do it via LDAP if we can, fall back to samr
with all we have.
Volker
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
used for WREPL_REPL_INFORM* messsages
- make it possible to close the connection after a request was send
used for WREPL_ASSOCIATION_STOP
- fix the torture test that tests the assoc context handling
between connections, you can issue a request and get the reply
on another connection, I think we should not implement that in our server
code, as I think it's a security hole, you can cause a windows server
to send the replies to someone another client, that doesn't wait for data,
and as there're no massage_id in the protocol the client would be confused
by a replies that doesn't belong to a query
metze
