IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This reworks the notes file to be less stream-of-consciousness and more
task for porting, with a very particular focus on a potential port of
Samba4 to use MIT Kerberos.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
The function LDB_lookup_principal() has been eliminated, and it's
contents spread back to it's callers. Removing the abstraction makes
the code clearer.
Also ensure we never pass unescaped user input to a LDB search
function.
Andrew Bartlett
This test talks to a DC as a joined workstation member - in the same way
winbindd does, in particular the calls used in this test's query pattern
will all request for SEC_FLAG_MAXIMUM_ALLOWED access_mask
(which pretty much all of samba's client code does as well).
In fact this test verifies that winbind can correctly talk to a samba dc using
samr dcerpc calls.
Guenther
On calls where both NT_STATUS and WERROR results are returned and consulted
we have to make sure to form function results considering both.
This errors have been found through a run against SAMBA 4.
ntvfs_map_fsinfo, ntvfs_map_qpathinfo, ntvfs_map_qfileinfo used an
old synchronous mapping technique, acceptable on the grounds that
they were only used by the simple vfs which was synchronous.
Other vfs may/do use these functions, and by upgrading them to use the
ntvfs_map_async_setup/ntvfs_map_async_finish framework, they can now be
used asynchronously.
Signed-off-by: Sam Liddicott <sam@liddicott.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
It seems that the samba4 part of the merged build does not pick up the
DEVELOPER flag from the s3 configure.
Jelmer, can you fix that properly?
Thanks,
Volker
This makes it clear to our users that this particular implementation
isn't final (all parties are agreed that an EXTERNAL bind is the right
way to do this, but it has not been implemented yet).
Andrew Bartlett
- LDB handles now all 32-bit integer attributes correctly (also with overflows)
according to the schema
- LDAP backends handle the attributes "groupType", "userAccountControl" and
"sAMAccountType" correctly. This handling doesn't yet use the schema but
the conversion file "simple_ldap.map.c" which contains them hardcoded.
Did also a refactoring of the conversion function there.
- Bug #6136 should be gone
We have made a lot of useful changes to LDB since the last realese,
that Samba4 now relies on. This ensures that a build against a system
LDB will only succeed against the right version.
Andrew Bartlett
We need to pass down flags to the DCE/RPC layer to allow fallback to
anonymous connections, as we can't log in with an expired password.
The anonymous connection can then change the password with SAMR.
Andrew Bartlett
This requires a rework on Heimdal's windc plugin layer, as we want
full control over what tickets Heimdal will issue. (In particular, in
case our requirements become more complex in future).
The original problem was that Heimdal's check would permit the ticket,
but Samba would then deny it, not knowing it was for kadmin/changepw
Also (in hdb-samba4) be a bit more careful on what entries we will
make the 'change_pw' service mark that this depends on.
Andrew Bartlett
While tdb has not changed ABI in a way that requires this, we don't
want Samba4 somehow built against the old version with
performance problems on large, growing databases.
Andrew Bartlett
- Insert a check after the "tsocket" library call to make sure that the call
terminated correctly
- Add a comment to explain why on further calls of "cldap_socket_init" the
destination address hasn't to be specified
This corrects the issues reaised in bug #6129, and some others that were not
originally identified. It also accounts for some code that was in the original
bug report but appears to have since been made common between S3 and S4.
Thanks to Erik Hovland <erik@hovland.org> for the original bug report.
Patch for bug #4939
This refactors the NETLOGON code related to this bug:
- Introduces a new "SYNCSTATE" enum required by the "DatabaseSync2" call (acc.
to WSPP)
- Make "DatabaseSync" dependant from "DatabaseSync2" (acc. to WSPP)
- Let "DatabaseSync2" return NT_STATUS_NOT_IMPLEMENTED (I'm not sure if this is
also true when a domain is running in mixed mode)
- Make "LogonControl" and "LogonControl2" dependant form "LogonControl2Ex"
(acc. to WSPP)
- Let "LogonControl2Ex" return WERR_NOT_SUPPORTED for now
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
This script walks the schema, configuration and domain partitions of the locally
installed Ldb and a remote hosts and compares the descriptors disregarding the
difference in domain SID. The goal is to make sure a freshly provisioned Samba
has the correct descriptors so ACLs work correctly. It outputs the descriptors
in short SDDL, where the correct SIDs are to be replaced during provisioning.
Optionally it can be output as an LDIF file with the current local domain and
domain SIDs.
Compiled with Andrew over a series of phone calls and gobby sessions,
with the aim of documenting Kerberos requirements for Samba to us an
alternate (ie, MIT) Kerberos library.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Compiled with Andrew over a series of phone calls and gobby sessions
with Andrew, with the aim of documenting Kerberos requirements for
Samba to us an alternate (ie, MIT) Kerberos library.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The sort module uses ldb_comparison_fold() as the comparison function
for case-insensitive attributes. In other places the function is being
used to produce a boolean, but for sorting we care about ordering.
The n1 - n2 return was sorting by length, not value
[Metze; "make test" on git master outputs exactly the same test summary
with our without this patch (apart from the "using seed" lines)]
If the transport socket is writable, then push the queue along
rather than wait until the caller returns back to the tevent loop.
This strategy keeps the sockets piping hot, and is particularly good
for cases where reading requests from one socket causes lots of
writes on another socket, or where lots of writes are made in a batch.
It doesn't matter if the socket is not writeable yet, packet_queue_run
will return quite cheaply in such a case.
Signed-off-by: Sam Liddicott <sam@liddicott.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Patch from Timur I. Bakeyev sent to samba-technical:
Heimdal requires openpty() presence. FreeBSD has in in standard libc, so
autodetection works, but compilation fails, as declaration of this function is
missing.
This patch adds proper header detection and inclusion for openpty().
This patch is for Samba4. It adds configure tunable for modulesdir -
location, where modules should be installed. In the case, when no
FHS compliance is used and libdir is redefined, modulesdir still
points to $PREFIX/modules. In some installations it may be not desired.
I'd rather set it myself :)
So, here is the patch.
With regards,
Timur Bakeyev.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This patch is relevant for Samba4 source mostly. The way, how readline
compiled under FreeBSD makes it require stdio.h to get all the necessary
declarations. Without this addition rl_event_hook is not properly detected.
With regards,
Timur Bakeyev.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This patch creates ldap_priv/ as a subdirectory under the private dir with the
appropriate permissions to only allow the same access as the privileged winbind
socket allows. Connecting to ldap_priv/ldapi gives SYSTEM access to the ldap
database.
When the notify buffer overruns and there are no pending notify
requests, the notify buffer doesn't actually get destroyed, it just
gets put in a state where new notifies are discarded and the next
notify change request will return 0 changes.
This removes the validation of the estimated number of accounts,
because MS-SAMR 3.1.5.5.1.1 makes clear the number returned cannot be
relied apon.
I've also converted a bit more of the test to use torture_assert(),
and where that is impractical, to print error messages when things
fail.
Andrew Bartlett
Logs showed that every SAM authentication was causing a non-indexed
ldb search for member=XXX. This was previously indexed in Samba4, but
since we switched to using the indexes from the full AD schema it now
isn't.
The fix is to use the extended DN operations to allow us to ask the
server for the memberOf attribute instead, with with the SIDs attached
to the result. This also means one less search on every
authentication.
The patch is made more complex by the fact that some common routines
use the result of these user searches, so we had to update all
searches that uses user_attrs and those common routines to make sure
they all returned a ldb_message with a memberOf filled in and the SIDs
attached.
With unique indexes, any rename of a record that has an attribute that
is uniquely indexed needs to be done as a delete followed by an add,
otherwse you'll get an error that the attribute value already exists.
The Open Group says:
"The useconds argument [of usleep] must be less than 1,000,000."
NetBSD takes this seriously. usleep of more than 999999 are effectless.
We need to set SMB_ENABLE(TORTURE_LIBNETAPI,NO) first
to overwrite the default of YES for MODULES and
then only set it to YES if netapi was found.
metze
When a attribute is marked unique we know that if we find a match
it will be the only possible match. This means that in a list of
subtrees connected by an &, it is best to first load the index values
for the unique entries, as if they find something then we know we
won't have to look any further.
This helps with searches like this:
(&(objectclass=user)(samaccountname=tridge))
the old code would first have loaded the very large index for the
objectclass=user attribute, and then loaded the single entry for
samaccountname=tridge. Now we load the samaccountname=tridge entry
first, notice that it gives us a single result, and stop, thereby
skipping the load of the objectclass=user index record completely.
The recently added LIBNETAPI torture tests use NET_API_STATUS as a return type
for some functions. The torture/libnetapi/proto.h private header that was being
generated by mkproto.pl did not include a prototype for the test_netuseradd()
function, as it did not know how to handle the NET_API_STATUS return type.
When a attribute is marked as LDB_ATTR_FLAG_UNIQUE_INDEX then attempts
to add a 2nd record that has the same attribute value for this
attribute as another record will fail.
This provides a much more efficient mechanism for ensuring that
attributes like objectGUID are unique
This is surely the wrong fix, but I could not figure out why the samba4 build
system adds the init function although the m4 macro had switched off the torture
libnetapi subsystem when the headers and libs were not found.
Can one of the samba4 build gurus please have a look ?
Guenther
By using SamLogonEx we avoid setting up the credentials chain for each
request.
(Needs to be pushed further up the stack, to only connect to NETLOGON once).
Andrew Bartlett
When looking at performance problems with ldb it can be useful to see
which searches causes unindexed full searches. This makes it easy to
enable that.
one-level indexing was not always effective due to some broken logic
in the indexing code. This change means that if normal indexing fails,
we can still fall back on one-level indexing.
This reduces the number of full unindexed searches in s4 quite a lot
It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary
way the krbtgt account is recognised as special is that RID. This
should fix issues such as 'password expired' on the kpasswd service.
Andrew Bartlett
The sheer volume of messages generated by tevent when the trace level is set to
10 makes it difficult to debug issues in a level 10 log. Increasing this to
50 allows tevent tracing to be enabled if needed, but otherwise keeps the extra
chatter out of a level 10 log.
Without this entry, opening the COM+ tab under the properties of an OU within
ADUC results in the following error:
"Unable to retrieve all user properties, 0x80072030"
Without these entries, using the 'Delegate Control' option in ADUC results in
the following error message in the Delegation of Control Wizard:
"The templates could not be applied. One or more of the templates is not
applicable. Click Back and select different templates, and then try again."
The classDisplayName attribute controls the actual text displayed to the user
for the top-level menus, so added it to the existing entries.
The attributeDisplayNames attribute contains both the text displayed to the
user and a mapping to the internal directory attribute name for the particular
field, so added these to the existing entries as well.
Added new entries as appropriate to properly complete all menus and labels
within ADUC.
A single AD server can only host a single domain, so don't stuff about
with looking up our crossRef record in the cn=Partitions container.
We instead trust that lp_realm() and lp_workgroup() works correctly.
Andrew Bartlett
File descriptor leaks only when we use file instead of stdout.
Found by cppcheck:
[./source3/torture/smbiconv.c:219]: (error) Resource leak: out
[./source4/torture/smbiconv.c:211]: (error) Resource leak: out
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
The client side code was not falling back to older routines correctly
as it didn't check for the operation range error appropriately. It
also used the old rpc semantics.
Samba4 cannot pass this test currently as in Samba4 (unlike Samba3)
the LSA and SAMR account are stored in the same db.
Once you delete a SAMR user the LSA privilege account is deleted
at the same time (which is wrong).
Guenther
This change brings ntvfs_connect into compliance with other ntvfs functions
which take an ntvfs module, an ntvfs request and an smb io union.
It now becomes the responsibility of ntvfs modules to examine
tcon->generic.level themselves and derive the share name and any other
options
directly; e.g.
const char *sharename;
switch (tcon->generic.level) {
case RAW_TCON_TCON:
sharename = tcon->tcon.in.service;
break;
case RAW_TCON_TCONX:
sharename = tcon->tconx.in.path;
break;
case RAW_TCON_SMB2:
default:
return NT_STATUS_INVALID_LEVEL;
}
if (strncmp(sharename, "\\\\", 2) == 0) {
char *p = strchr(sharename+2, '\\');
if (p) {
sharename = p + 1;
}
}
service.c smbsrv_tcon_backend() is called before ntvfs_connect and fills in
some of the tcon->..out values.
For the case of RAW_TCON_TCONX, it filles out tcon->tconx.out.tid and
tcon->tconx.out.options
For the case of RAW_TCON_TCON it fills out tcon->tcon.out.tid and
tcon->tcon.out.max_xmit
Thus the ntvfs_connect function for vfs modules may override these values
if desired, but are not required to.
ntvfs_connect functions are required to fill in the tcon->tconx.out.*_type
fields, for RAW_TCON_TCONX, perhaps something like:
if (tcon->generic.level == RAW_TCON_TCONX) {
tcon->tconx.out.fs_type = ntvfs->ctx->fs_type;
tcon->tconx.out.dev_type = ntvfs->ctx->dev_type;
}
Signed-off-by: Sam Liddicott <sam@liddicott.com>
(I fixed the ntvfs_connect() in the smb_server/smb2/
and the RAW_TCON_SMB2 switch case in the modules)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stop packet_recv getting greedy and reading the whole socket
and then dispatching te extra packets in a timer loop
Signed-off-by: Sam Liddicott <sam@liddicott.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This module didn't have any functionality that we actually used yet, and
it was quite small.
Tevent is quite low level and perhaps doesn't make much sense to expose
directly as a Python module. It was also causing build problems when used with a
system-tevent. We can always back later if necessary.
security.descriptor.as_sddl() method did not work correctly when invoked without
supplying the domain sid. Returned the same value as when the sid was provided.
Test added for this case in libcli/security/tests/bindings.py
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
smbsrv_tcon_backend no longer creates the ntvfs_request wrapper,
so smbsrv_reply_tcon* can now do this and then invoke ntvfs_connect
in the typical manner using SMBSRV_SETUP_NTVFS_REQUEST and
SMBSRV_CALL_NTVFS_BACKEND
Previously smbsrv_tcon_backend has been responsible for instantiating
the ntvfs_module_context to service a tree-connect request, and
then create an ntvfs_request wrapper around the smbsrv_request
and pass this to ntvfs_connect for the newly created ntvfs.
These actions could not be invoked asynchronously.
This meant that any client requests made while instantiating the
ntvfs module, including any composite's used during authentication
(or related client connections for the case of proxy modules)
would block other ntvfs modules and requests in the current process as
they executed a nested event loop to await completion.
Signed-off-by: Sam Liddicott <sam@liddicott.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This reverts commit b57c8ff440.
This actually breaks the merged build...
Doing a merged build and a samba4 build within the same
checkout, without a git clean -x -d -f (this removes everything that's
not checked into git! save files you don't want to delete!) running in the
toplevel directory, is not supported.
metze
Only gpt.ini remaining. Not suitable for merge yet, samba 3 is currently broken due to some changed public API.
Signed-off-by: Günther Deschner <gd@samba.org>
Over named pipes we can only do one smb_trans at a time,
otherwise we're getting NT_STATUS_PIPE_BUSY.
Async rpc calls need to use smb_read/write only.
metze
