IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This does an async port 137 transaction: It connects to /tmp/.nmbd/unexpected,
sends out the query and then waits for a reply on both the socket as well as
data from /tmp/.nmbd/unexpected. Every packet is passed through a validator. If
that returns true, the packet received is finally accepted.
This provides the framework to replace the unexpected.tdb file. Nmbd will
listen on /tmp/.nmbd/unexpected. A client interested in unexpected packets
connects there. It sends a nb_packet_query plus a potential mailslot name for
dgram packets. It waits for a single ack byte to avoid races. After that has
happened, nmbd will pass down all matching packets through that socket.
nb_packet_server_create and nb_packet_dispatch are the nmbd routines,
nb_packet_reader_send/recv and nb_packet_read_send/recv are the client ones.
It's the free_packet() that was missing. On the way, I've changed the
"return false;" to a "goto fail;", which makes the patch a bit larger.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Jan 2 14:27:56 CET 2011 on sn-devel-104
This fixes SMB session setups with kerberos against some closed
source SMB servers.
The new behavior matches heimdal and mit.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
This connects to 445 and after 5 milliseconds also to 139. It treats a netbios
session setup failure as equivalent as a TCP connect failure. So if 139 is
faster but fails the nb session setup, the 445 still has the chance to succeed.
It is never correct to ask for a machine$ principal as the target of a
kerberos connection. You should always connect via the
servicePrincipalName.
This current code appears to have built up from a series of minimal
changes, as the codebase adapted the to lack of a SPNEGO principal
from Windows 2008.
Andrew Bartlett
This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks. (Becuase
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detect that we need to
reconnect.
transaction id of packets it was requested to send via a client, and
only store replies that match these ids. On the client side change
clients to always attempt to ask nmbd first for name_query and
node_status calls, and then fall back to doing socket calls if
we can't talk to nmbd (either nmbd is not running, or we're not
root and cannot open the messaging tdb's). Fix readers of unexpected.tdb
to delete packets they've successfully read.
This should fix a long standing problem of unexpected.tdb
growing out of control in noisy NetBIOS envioronments with
lots of bradcasts, yet still allow unprivileged client apps
to work mostly as well as they already did (nmblookup for
example) in an environment when nmbd isn't running.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sun Nov 14 05:22:45 UTC 2010 on sn-devel-104
The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine works correctly. Just
deleting this code fixes the problem.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Nov 11 02:50:08 UTC 2010 on sn-devel-104
Following the review of this patch series by Derrell Lipman, remove
the seperate storage of the debug_stderr variable from the
libsmbclient SMBC_internal_data context.
Andrew Bartlett
This isn't quite what you would expect from this interface, but actually
avoids some really nasty situations if you ever have more than one
libsmbclient context in a process.
In the real world, if you have asked for DEBUG() to stderr in one part
of the code, you will want it globally, even in a different thread
(which in the past would have rest everything to stdout again, at
least while starting up).
Andrew Bartlett
All future assignments of the debug level should go via
lp_set_cmdline("log level", "x") because this will ensure the value is
not overwritten in an smb.conf load.
Andrew Bartlett
This change improves the setup_logging() API so that callers which
wish to set up logging to stderr can simply ask for it, rather than
directly modify the dbf global variable.
Andrew Bartlett
Based on an initial patch from H Hasegawa <hasegawa.hiroyuki@fujixerox.co.jp>.
Convert cli_list and associated functions to take calls that return NTSTATUS.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Oct 29 19:40:16 UTC 2010 on sn-devel-104
Based on a fix from Sven Neumann <s.neumann@raumfeld.com>.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 27 22:02:11 UTC 2010 on sn-devel-104
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
TDB_CLEAR_IF_FIRST tdb's. For tdb's like gencache where we open
without CLEAR_IF_FIRST and then with CLEAR_IF_FIRST if corrupt
this is still safe to use as if opening an existing tdb the new
hash will be ignored - it's only used on creating a new tdb not
opening an old one.
Jeremy.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid NetBIOS session request is received the code in name_len() in
libsmb/nmblib.c can hit an assert.
Re-write name_len() and name_extract() to use "buf/len" pairs and
always limit reads.
Jeremy.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
The idea of this patch is: Don't support a mix of different kerberos
features.
Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).
Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.
Andrew Bartlett
