1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1672 Commits

Author SHA1 Message Date
Günther Deschner
2f4f9a086c s3-rpc_client: add spoolss_driver_version_to_qword()
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-09-26 20:24:18 +02:00
Günther Deschner
56949a1c32 s3-rpc_client: add spoolss_timestr_to_NTTIME()
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-09-26 20:24:18 +02:00
Günther Deschner
23a3abfe00 s3-rpc_client: add winreg_set_printserver_secdesc.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-22 12:29:27 +02:00
Günther Deschner
302cb086a6 s3-rpc_client: add winreg_get_printserver_secdesc.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-22 12:29:27 +02:00
Günther Deschner
23f404b7f5 spoolss: rename spoolss_EnumPrintProcDataTypes to spoolss_EnumPrintProcessorDataTypes
This change makes automatic mapping for PAR->RPRN opcodes easier.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-09-22 12:29:26 +02:00
Günther Deschner
a9a1a16cc8 s3-spoolss: fix winreg_printer_ver_to_qword
We were reporting the OS minor number as the driver version number in all
GetDriver/EnumDriver calls.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-15 20:50:06 +02:00
Günther Deschner
88fc7a74b5 s3-rpc_client: make it more clear printer driver version is a QWORD not a DWORD.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 19:57:26 +02:00
Stefan Metzmacher
d491c6c496 s3:rpc_client: remove unused rpc_pipe_client->max_recv_frag
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-06-24 14:09:01 +02:00
Stefan Metzmacher
7e0b9c2f4b CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f37f965e23 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f56428760a CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use auth_context_id = 1 for authenticated
connections, as old Samba server (before this patchset)
will use a hardcoded value of 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
69236215a9 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
2e561921bc CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
574eca7655 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
a4811d325a CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
712320489d CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
The does much more validation than dcerpc_pull_dcerpc_auth().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
642fe0aa16 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
8cba1c3550 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
dcerpc_pull_ncacn_packet() already verifies this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
6cef082193 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Anoop C S
e45b0d49be source3/rpc_client: Fix CID 1273041 Condition is redundant
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Aug  7 01:31:23 CEST 2015 on sn-devel-104
2015-08-07 01:31:23 +02:00
Stefan Metzmacher
b2e042ad96 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
The padding needs to be relative to the payload start not to the pdu start.
We also need align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Volker Lendecke
d87fd39501 Use tevent_req_poll_ntstatus
Kill 41 lines ..

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-18 02:34:24 +02:00
Richard Sharpe
8bcdd677ce Convert all uses of uint32/16/8 to _t in source3/rpc_client.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-12 01:32:12 +02:00
Stefan Metzmacher
7d36141ba3 s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
6d31763de1 s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()
This is only allowed with special config options ("client schannel = no",
"require strong key = no" and "reject md5 servers = no").
By default we require NETLOGON_NEG_AUTHENTICATED_RPC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
c3b7e6e218 s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()
This simplifies the code and allows the previous password to be passed
through the stack.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
0994e0a3e3 s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
8d73127462 s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds()
This way we'll fallback to use the previous machine/trust account password
if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:42 +01:00
Stefan Metzmacher
fb42b02c9f s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function
This will simplify the callers and add potential support for SEC_CHAN_DNS_DOMAIN
as cli_credentials_get_realm() will return the correct value compared to
cli_credentials_get_domain().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Stefan Metzmacher
995cf54b31 s3:cli_netlogon: add rpccli_{create,setup}_netlogon_creds_with_creds() helper functions
This simplifies the callers, then can just pass in a cli_credentials structure.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Andrew Bartlett
295b323b1c s3-librpc: Add cli_rpc_pipe_open_with_creds()
This provides a credentials-based interface.  In the long term, we
will want to change this not to reference the credentials, but for now
this suits the caller in winbindd_cm.c

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
ae72733874 s3-winbindd: Attempt to connect to NETLOGON over NCACN_IP_TCP if we can
This is very helpful in the trusted domain situation, as we may not
have a two-way trust but we can use our domain trust account to set up
a connection to NETLOGON

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 12:48:15 CEST 2014 on sn-devel-104
2014-10-08 12:48:15 +02:00
Andrew Bartlett
6f97237edb s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 03:36:52 CEST 2014 on sn-devel-104
2014-10-08 03:36:52 +02:00
Andrew Bartlett
8166ecaaa0 s3-rpc_client: Adapt cli_rpc_pipe_open_generic_auth to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials structure in winbindd, once we merge this with cli_rpc_pipe_open_spnego().

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
74dcde5347 s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials
structure in winbindd.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
d0a0af3550 librpc: gensec is our security provider abstraction, remove a void *
Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
f8643b9f5f librpc: Remove user/domain from struct pipe_auth_data
This does require that we always fill in the gensec pointer, but the
simplification is worth the extra allocations.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
8485cc9448 s3-rpc_client: Do not give NT_STATUS_NO_MEMORY when the source string was NULL
Change-Id: I25a4dcc2239267ee7c219e965693027ca2981983
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Günther Deschner
b722167b2c s3-rpc_client: return info3 in rpccli_netlogon_password_logon().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-07-15 16:00:40 +02:00
Stefan Metzmacher
6a5cd1857f s3:rpc_client: Use gensec for NCALRPC_AS_SYSTEM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
2ed1789e4d s3:rpc_client: pass everything to gensec by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00
David Disseldorp
ebe6627c1f rpc_client: retry open on STATUS_PIPE_NOT_AVAILABLE
Windows Server starts some named pipe services on demand, and responds
to initial open requests with STATUS_PIPE_NOT_AVAILABLE. The FssagentRpc
named pipe on Windows Server 2012 exhibits this behaviour.

This change sees rpcclient retry named pipe open requests when the
server responds with STATUS_PIPE_NOT_AVAILABLE. The retry logic is
contained in an asynchronous tevent_timer callback, to allow for
non-blocking callers.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-03-04 03:03:24 +01:00
Stefan Metzmacher
a1e013505c s3:rpc_client: avoid using dcerpc_binding internals in rpc_pipe_get_tcp_port()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:16 +01:00
Stefan Metzmacher
ded957614b s3:rpc_client: use address "0.0.0.0" and port "135" for epmapper requests
Note: binding->host = NULL lets dcerpc_binding_build_tower()
use "0.0.0.0".

This matches Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:20:31 +01:00
Stefan Metzmacher
aeab9602c0 s3:librpc/rpc: only propose header signing if we use sign or seal
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-11 16:02:14 +01:00
Michael Adam
020fab300d s3:rpc_client: optimize the netlogon_creds_cli.tdb for read-only access
Usually a record in this DB will be written once and then read
many times by winbindd processes on multiple nodes (when run in
a cluster). In order not to introduce a big performance penalty
with the increased correctness achieved by storing the netlogon
creds, in a cluster setup, we should activate ctdb's read only
record copies on this db.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:06 +01:00
Michael Adam
cf0cb0add9 dbwrap: add a dbwrap_flags argument to db_open()
This is in preparation to support handing flags to backends,
in particular activating read only record support for ctdb
databases. For a start, this does nothing but adding the
parameter, and all databases use DBWRAP_FLAG_NONE.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-02-07 16:06:06 +01:00
Stefan Metzmacher
8cf4eff201 s3:rpc_client: use db_open() to open "netlogon_creds_cli.tdb"
This uses dbwrap_ctdb if running in a cluster.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-01-22 17:11:54 +01:00
Stefan Metzmacher
dc561b7e2d dcerpc.idl: make use of union dcerpc_bind_ack_reason and fix all callers.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jan 16 18:21:40 CET 2014 on sn-devel-104
2014-01-16 18:21:40 +01:00