1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00

560 Commits

Author SHA1 Message Date
Simo Sorce
a72a455e29 r17433: remove obsoleted RFCs
(This used to be commit 7dffabc744271b0ab98d00c0cc23600d1b536d29)
2007-10-10 14:15:25 -05:00
Stefan Metzmacher
7a845bcb01 r17341: pass a messaging context to auth_context_create()
and gensec_server_start().

calling them with NULL for event context or messaging context
is no longer allowed!

metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10 14:15:17 -05:00
Stefan Metzmacher
04d776a409 r17251: - split out the starttls into its own function
- give an operations error when tls is already on the socket

metze
(This used to be commit 9190d134c9be774c53f6dae52b7c4cdcc053d00f)
2007-10-10 14:10:23 -05:00
Stefan Metzmacher
aeb8077b96 r17240: move extended operations to a new file
metze
(This used to be commit 0b16350fa2da39a66c4479dbf74182b06f7ed91a)
2007-10-10 14:10:23 -05:00
Stefan Metzmacher
4cdcc17893 r17237: - keep pointer to the different sockets
- we need this to later:
  - to disallow a StartTLS when TLS is already in use
  - to place the TLS socket between the raw and sasl socket
    when we had a sasl bind before the StartTLS
  - and rfc4513 says that the server may allow to remove the TLS from
    the tcp connection again and reuse raw tcp
  - and also a 2nd sasl bind should replace the old sasl socket

metze
(This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
2007-10-10 14:10:22 -05:00
Stefan Metzmacher
79f7b58630 r17226: add some comments about ldap binds and pending requests
metze
(This used to be commit e8db1fb55833ab7b9e0be391ff822b34682cb38c)
2007-10-10 14:10:22 -05:00
Andrew Bartlett
a6629e037a r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise
our certificate, and proceed with the connection is left as an
exercise for the reader...

Andrew Bartlett
(This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
2007-10-10 14:10:21 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
d8f1e27b19 r17215: Prepare the SASL socket before actually settting it. This allows
errors to be reported corectly, rather than just dropping the socket.

Andrew Bartlett
(This used to be commit 83dd22accfd565e86d831490043d6beaa9648c96)
2007-10-10 14:10:19 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10 14:10:18 -05:00
Simo Sorce
fcea638657 r17193: Remove ancient stuff never really used
(This used to be commit a6709196ca4d50fdb84a562cd8f49db4275bb1dc)
2007-10-10 14:10:17 -05:00
Simo Sorce
3faab3e6dd r17189: Add the new LDAP rfc series
(This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
2007-10-10 14:10:17 -05:00
Simo Sorce
49f68caed2 r17186: "async" word abuse clean-up part 2
(This used to be commit c6aa60c7e69abf1f83efc150b1c3ed02751c45fc)
2007-10-10 14:10:17 -05:00
Simo Sorce
c93817b36d r17185: Oh, I wanted to do this for sooo long time.
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore
Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply
to reflect the real function of this structure.

Simo.
(This used to be commit 25fc7354049d62efeba17681ef1cdd326bc3f2ef)
2007-10-10 14:10:16 -05:00
Andrew Bartlett
32ab518767 r16972: Replace the sequence_number function pointer in ldb with the ldb flags.
The function pointer was meant to be unused, this patch fixes
partition.c to use ldb_sequence_number().  (No backend provided the
pointer any more).

Set the flags onto the ldb structure, so that all backends opened by
the partitions module inherit the flags.

Set the read-ony flag when accessed as the global catalog

Modify the LDAP server to track that this query is for the global
catalog (by incoming port), and set a opqaue pointer.

Next step is to read that opaque pointer in the partitions module.

Andrew Bartlett
(This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
2007-10-10 14:10:04 -05:00
Andrew Bartlett
9da5d4fd69 r16795: Fix crash found by Dave Fenwick <djf@samba.org>.
The session_info was not being attached to the connection, so
subsequent checks in the kludge_acl module were looking at free()ed
memory.

Andrew Bartlett
(This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d)
2007-10-10 14:09:46 -05:00
Andrew Bartlett
d4c5627073 r16234: Set the request timeout from the LDAP search. Without this, the
initial request time is uninitialised, and this causes havoc later.
This also allows us to honour the client's wishes.

We should be doing this for all the operations...

Andrew Bartlett
(This used to be commit c8f5b1c9281072179cd3f3cf282cf376dca24ba0)
2007-10-10 14:09:07 -05:00
Simo Sorce
2d19dca9c8 r15944: rename LDB_ASYNC_ADD -> LDB_ADD, LDB_ASYNC_MODIFY -> LDB_MODIFY, etc...
(This used to be commit 55d97ef88f377ef1dbf7b1774a15cf9035e2f320)
2007-10-10 14:08:43 -05:00
Simo Sorce
2613d19937 r15933: remove the last sync call to ldb_request
(This used to be commit 10d66aa61dab2e59e5a510cf34b1cfad86fc2529)
2007-10-10 14:08:41 -05:00
Andrew Bartlett
742c110cd6 r15400: Move the TLS code behind the socket interface.
This reduces caller complexity, because the TLS code is now called
just like any other socket.  (A new socket context is returned by the
tls_init_server and tls_init_client routines).

When TLS is not available, the original socket is returned.

Andrew Bartlett
(This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10 14:05:32 -05:00
Jelmer Vernooij
5c3a1d76ff r15379: Fix shared library build's unresolved dependencies
(This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780)
2007-10-10 14:05:29 -05:00
Andrew Bartlett
26259ce98b r15317: Because LDB is now async, there are more places were we might run the
even context again.  We need to ensure we don't process packets until
we are finished setting up the connection, have the ldb in place etc.

We may need to do the same in other servers.

Andrew Bartlett
(This used to be commit 9bbc93bef2881251b734732d84bf0b2e5cf8b285)
2007-10-10 14:05:11 -05:00
Jelmer Vernooij
b00c236906 r15301: Use static libraries internally. This required a few hacks in the build
system - these should be removed later on.
(This used to be commit 06547391669e064d2b92f5841b7df5f101a34cb9)
2007-10-10 14:05:07 -05:00
Jelmer Vernooij
69b51f702a r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacement
for REQUIRED_SUBSYSTEMS.
(This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10 14:04:18 -05:00
Stefan Metzmacher
f53e12b41b r14857: fix bugs noticed by the ibm code checker
metze
(This used to be commit 07626bf3c7dc7162b852cc27e5a7c313ede3862a)
2007-10-10 13:59:43 -05:00
Andrew Bartlett
13f45733a3 r14673: Don't double-free conn, it is below 'c' free'ed by
stream_terminate_connection()

Andrew Bartlett
(This used to be commit a6c797986053ecf6bbce54028d7ea4106635c558)
2007-10-10 13:59:07 -05:00
Jelmer Vernooij
9565c70898 r14567: Make some more functions public.
(This used to be commit 8e84e6cb6b172c89072723e07f344da8f4476c1f)
2007-10-10 13:58:48 -05:00
Stefan Metzmacher
651ca6553e r14079: I just found the setproctitle library from alt linux:-)
- add set_title hook to the process models
- use setproctitle library in process_model standard if available
- the the title for the task servers and on connections

metze
(This used to be commit 526f20bbecc9bbd607595637c15fc4001d3f0c70)
2007-10-10 13:56:49 -05:00
Stefan Metzmacher
60823d1878 r14078: move ldb_global_init() to the main smbd code,
to fix the process_model standard

metze
(This used to be commit a465126e15490c5605064eb2387fb589d312db7b)
2007-10-10 13:56:49 -05:00
Simo Sorce
82da2d401e r13998: From now on ldb_request() will require an alloced request
By freeing the request you will be sure everything down the path get freed.

this also means you have to steal the results if you want to keep them :)

simo.
(This used to be commit e8075e6a062ce5edb84485e45d0b841c2ee2af7d)
2007-10-10 13:52:36 -05:00
Stefan Metzmacher
c9e5d884fc r13941: fix the build
metze
(This used to be commit d9da948b0f7f9698decc140a0a549d27675d14e4)
2007-10-10 13:52:29 -05:00
Jelmer Vernooij
9bd7dd9121 r13926: More header splitups.
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
2007-10-10 13:52:26 -05:00
Jelmer Vernooij
4ac2be9958 r13924: Split more prototypes out of include/proto.h + initial work on header
file dependencies
(This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10 13:52:24 -05:00
Stefan Metzmacher
20c7347f43 r13812: fix compiler warning
metze
(This used to be commit 1340cb1f3bdbde4d3759d77b28631611c4e150bb)
2007-10-10 13:52:13 -05:00
Jelmer Vernooij
26af14c39b r13786: [merge] Add registration functions for LDB modules
Applications that use LDB modules will now have to run ldb_global_init()
before they can use LDB.

The next step will be adding support for loading LDB modules from .so
files. This will also allow us to use one LDB without difference between the
standalone and the Samba-specific build
(This used to be commit 52a235650514039bf8ffee99a784bbc1b6ae6b92)
2007-10-10 13:52:11 -05:00
Simo Sorce
00fe70e5b9 r13609: Get in the initial work on making ldb async
Currently only ldb_ildap is async, the plan
is to first make all backend support the async calls,
and then remove the sync functions from backends and
keep the only in the API.

Modules will need to be transformed along the way.

Simo
(This used to be commit 1e2c13b2d52de7c534493dd79a2c0596a3e8c1f5)
2007-10-10 13:51:59 -05:00
Andrew Bartlett
f490434c0f r13606: An attempt to fix #3525.
The problem was that the supportedControls were being stolen into the
result sent to the client, then talloc_free()ed.  This caused them to
be invalid on the next rootDSE query.

This also tries to avoid attaching the result to the long-term samdb
context, and avoids an extra loop in the result processing (pointed
out by tridge).

Andrew BARtlett
(This used to be commit d0b8957f38fda4d84a318d6121ad87ba53a9ddb3)
2007-10-10 13:51:59 -05:00
Stefan Metzmacher
7449f4d803 r13508: some ASN.1 element in LDAP are optional,
make it possible to code the difference between a zero length and a NULL DATA_BLOB...

metze
(This used to be commit 54f0b19c55df8ad3882f31a114e2ea0e4cf940ae)
2007-10-10 13:51:56 -05:00
Simo Sorce
5972e01163 r13357: more docs
(This used to be commit 5af9086deafc88aa1f9256cc0090592ecbd62203)
2007-10-10 13:51:49 -05:00
Andrew Bartlett
15f73e6404 r13339: Propogate more error infomation into the error packet and reformat the
code a little.  This also fixes a segfault when we didn't fill in the
error message.

Andrew Bartlett
(This used to be commit 3be01a4ac7efe8d161910e8339bfe42584c0db86)
2007-10-10 13:51:46 -05:00
Simo Sorce
1d43fa6c9f r13307: docs
(This used to be commit e56630d1f8688ff3ff334893a4bc49dff8e36fe2)
2007-10-10 13:51:43 -05:00
Simo Sorce
eed0a95128 r12917: fix decoding of ldap controls
some more work on timeouts
(This used to be commit a7e2fe3cb33be2effff7eb764047567f2da3cd55)
2007-10-10 13:51:02 -05:00
Simo Sorce
d45a8de617 r12905: add some ldap policies
not yet enforced except for the initial connection timeout
(This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
2007-10-10 13:51:01 -05:00
Simo Sorce
a7a79d2b25 r12880: Remove ldap partitions useless now and probably we
will not use it anyway as we plan to support
partitions in ldb directly like with rootdse

Merge ldap_simple_ldb into ldap_backend, it is
not simple anymore and makes no sense to have
it separated now that ldap partitions are gone

Initial attempt at working to some limit to avoid DOSs
for the ldap server.

Simo.
(This used to be commit 97bff3e049eba48019f2b0f3eb5a19e32fef2e23)
2007-10-10 13:50:57 -05:00
Andrew Bartlett
f55ea8bb3d r12804: This patch reworks the Samba4 sockets layer to use a socket_address
structure that is more generic than just 'IP/port'.

It now passes make test, and has been reviewed and updated by
metze. (Thankyou *very* much).

This passes 'make test' as well as kerberos use (not currently in the
testsuite).

The original purpose of this patch was to have Samba able to pass a
socket address stucture from the BSD layer into the kerberos routines
and back again.   It also removes nbt_peer_addr, which was being used
for a similar purpose.

It is a large change, but worthwhile I feel.

Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10 13:49:57 -05:00
Stefan Metzmacher
a36c172d46 r12792: fix compiler warning
metze
(This used to be commit 1eca5f46c60d09fccbef5e605c06b1b3e3b65feb)
2007-10-10 13:49:55 -05:00
Simo Sorce
c908d0b2aa r12733: Merge ldap/ldb controls into main tree
There's still lot of work to do but the patch is stable
enough to be pushed into the main samba4 tree.

Simo.
(This used to be commit 77125feaff252cab44d26593093a9c211c846ce8)
2007-10-10 13:49:47 -05:00
Jelmer Vernooij
78c50015bb r12694: Move some headers to the directory of the subsystem they belong to.
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10 13:49:39 -05:00
Andrew Bartlett
bedfb06326 r12686: Push the real SASL list into the rootdse.
Get this out of the server credentials, and push it down to ldb via an
opaque pointer.

Andrew Bartlett
(This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
2007-10-10 13:49:38 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10 13:49:03 -05:00