IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
- Collect the generic utility functions into a lib/util/ (a la GLib is
for the GNOME folks)
- Remove even more files from include/
(This used to be commit ba62880f5b)
This allows the easy addition of additional named pipes and removes the
circular dependencies between the CIFS, RPC and RAP servers.
Simple tests for a custom named pipe included.
(This used to be commit 898d15acbd)
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
BASIC_INFORMATION
DISPOSITION_INFORMATION
ALLOCATION_INFORMATION
END_OF_FILE_INFORMATION
POSITION_INFORMATION
MODE_INFORMATION
(This used to be commit 8804b6a7eb)
- added a SMB2-SCANGETINFO test for scanning for available info levels
- added names for the info levels I recognise to smb2.h
(This used to be commit fe5986067e)
metze
r8017@SERNOX: metze | 2005-06-30 13:44:23 +0200
create the SAMBA_4_0 branch for the Summer Of Code Project
metze
r8730@SERNOX: brad | 2005-07-24 03:09:48 +0200
Branching Samba 4
r8731@SERNOX: brad | 2005-07-24 06:39:00 +0200
added 'make installmisc' to howto.txt
added existing 'compression' option to level8 drsuapi torture test
added new 'neighbour_writeable' option to level8 drsuapi torture test
r8732@SERNOX: brad | 2005-07-24 06:42:38 +0200
added metze's dssync patch as source/torture/rpc/dssync.c
r8739@SERNOX: brad | 2005-07-25 00:24:46 +0200
added a test called RPC-DSSYNC to config.mk
hacking at dssync.c in an attempt to make it compile
r8754@SERNOX: brad | 2005-07-25 15:19:21 +0200
Changing dssync.c to use ldb routines for accessing ldap rather than raw ldap calls.
r8765@SERNOX: brad | 2005-07-26 03:35:38 +0200
more ldb changes to test_CompleteJoin(), it mostly kind of almost works now!
r8766@SERNOX: brad | 2005-07-26 03:56:00 +0200
Trying to fix the crazy nesting in the branch
r8769@SERNOX: brad | 2005-07-26 04:48:29 +0200
merging latest changes
r8770@SERNOX: brad | 2005-07-26 04:53:43 +0200
removing nested branch
r8793@SERNOX: jerry | 2005-07-27 05:04:57 +0200
merging on of Brad missing changes from the nested 4.0 branch debacle
r8794@SERNOX: jerry | 2005-07-27 05:14:42 +0200
syncing up with the main 4_0 branch for Brad
r8842@SERNOX: brad | 2005-07-29 00:26:30 +0200
merging changes from branches/SAMBA_4_0
r8850@SERNOX: brad | 2005-07-29 21:07:57 +0200
Bringing my tree up to date
r8851@SERNOX: brad | 2005-07-30 00:48:04 +0200
making dssync.c more ldb-centric, reverted samlogon.c from rev. 8845 to get my branch to compile again.
r8856@SERNOX: brad | 2005-07-30 03:20:33 +0200
I think I have the ldb code down in test_CompleteJoin (not complete yet though)
r8860@SERNOX: brad | 2005-07-30 07:08:13 +0200
Changed comments to C style /**/ (thanks Richard), some more changes to test_CompleteJoin().
r8862@SERNOX: brad | 2005-07-31 04:45:32 +0200
Bringing the SOC/SAMBA_4_0 branch up to date.
r8863@SERNOX: brad | 2005-07-31 20:00:41 +0200
Updated some missing files from the branch
r8864@SERNOX: brad | 2005-07-31 20:25:50 +0200
Removing autogenerated files from branch
r8865@SERNOX: brad | 2005-07-31 20:43:58 +0200
last of the unneeded files in SOC/SAMBA_4_0
r9004@SERNOX: brad | 2005-08-03 18:51:23 +0200
r5214@buttercup: j0j0 | 2005-08-03 10:44:30 -0600
r@buttercup: j0j0 | 2005-08-02 22:54:13 -0600
creating a local branch of branches/SAMBA_4_0
r9013@SERNOX: brad | 2005-08-03 20:57:48 +0200
r5228@buttercup: j0j0 | 2005-08-03 13:00:11 -0600
Fixing differences between this branch and /branches/SAMBA_4_0
r9014@SERNOX: brad | 2005-08-03 21:18:05 +0200
r5231@buttercup: j0j0 | 2005-08-03 13:23:12 -0600
Updating config.mk so that smbtorture builds again
r9061@SERNOX: brad | 2005-08-04 18:17:36 +0200
r5249@buttercup: j0j0 | 2005-08-03 21:01:02 -0600
Start using libnet_Join() for DC join.
r9062@SERNOX: brad | 2005-08-04 18:17:47 +0200
r5250@buttercup: j0j0 | 2005-08-04 10:21:34 -0600
Some more work towards performing a dc join.
r9064@SERNOX: brad | 2005-08-04 18:53:51 +0200
r5253@buttercup: j0j0 | 2005-08-04 10:53:00 -0600
Fixed a bug (passing a TALLOC_CTX to libnet_context_init() )
r9069@SERNOX: brad | 2005-08-04 21:59:55 +0200
r5279@buttercup: j0j0 | 2005-08-04 14:04:55 -0600
Some more work on the domain join
r9117@SERNOX: brad | 2005-08-05 16:50:26 +0200
r5281@buttercup: j0j0 | 2005-08-05 08:55:58 -0600
Committing minor changes before merge
r9180@SERNOX: brad | 2005-08-07 17:25:25 +0200
r5314@buttercup: j0j0 | 2005-08-07 09:30:12 -0600
Reworked libnet_join to use two join levels, AUTOMATIC and SPECIFIED.
r9181@SERNOX: brad | 2005-08-07 17:25:36 +0200
r5315@buttercup: j0j0 | 2005-08-07 09:31:22 -0600
Working with libnet_Join(), code cleanup needed in the near future.
r9192@SERNOX: brad | 2005-08-07 21:40:22 +0200
r5373@buttercup: j0j0 | 2005-08-07 13:46:09 -0600
Some code cleanup to make things a little more readable.
r9249@SERNOX: brad | 2005-08-12 01:31:48 +0200
r5375@buttercup: j0j0 | 2005-08-11 17:38:44 -0600
Split libnet_JoinDomain() into libnet_JoinDomain() and libnet_JoinADSDomain().
r9256@SERNOX: brad | 2005-08-12 04:55:11 +0200
r5413@buttercup: j0j0 | 2005-08-11 21:02:27 -0600
Clean up libnet_JoinADSDomain() a little, added a comment to the test_join struct.
r9314@SERNOX: brad | 2005-08-16 03:53:20 +0200
r5436@buttercup: j0j0 | 2005-08-15 20:01:21 -0600
libnet_JoinDomain() should honour LIBNET_JOIN_TORTURE now.
torture_join_domain() should properly use libnet_JoinDomain().
dssync.c uses torture_join_domain() again.
r9351@SERNOX: brad | 2005-08-17 07:15:31 +0200
r5438@buttercup: j0j0 | 2005-08-16 23:23:58 -0600
Removed LIBNET_JOIN_TORTURE level, as it became unnecessary once libnet_Join_primary_domain() handled netbios names better.
Corrected libnet_JoinDomain() and libnet_JoinADSDomain().
r9352@SERNOX: brad | 2005-08-17 07:24:49 +0200
r5440@buttercup: j0j0 | 2005-08-16 23:33:25 -0600
Fixed a typo.
r9354@SERNOX: metze | 2005-08-17 10:28:25 +0200
remove object files from svn
metze
r9376@SERNOX: brad | 2005-08-18 05:15:48 +0200
r5476@buttercup: j0j0 | 2005-08-17 21:24:33 -0600
Proof that I shouldn't code when i'm tired (silly bugfixes).
r9405@SERNOX: brad | 2005-08-19 22:50:10 +0200
r5500@buttercup: j0j0 | 2005-08-19 14:56:25 -0600
Get dssync.c compiling again after merge (ldb_dn changes from rev. 9391).
r9407@SERNOX: brad | 2005-08-20 03:22:42 +0200
r5502@buttercup: j0j0 | 2005-08-19 19:28:22 -0600
libnet/libnet_join.c
Some more fixes so ldb uses ldb_dn's.
torture/rpc/dssync.c
Some debugging printf()'s.
ldb_dn fixes.
torture/rpc/testjoin.c
Change torture_join_domain() to use libnet_JoinDomain() rather than libnet_Join().
Some more debugging statements.
I'm not sure why, but GUID_all_zero(user_handle.uuid) is returning true in torture_leave_domain() when called it from torture_destroy_context() in torture/rpc/dssync.c.
That's what i'm working out now.
r9427@SERNOX: brad | 2005-08-20 18:38:29 +0200
r5504@buttercup: j0j0 | 2005-08-20 10:44:52 -0600
Some bugfixes.
Removed a bunch of debugging code.
torture_leave_domain() works again! not 100% perfect yet though...
r9428@SERNOX: brad | 2005-08-20 19:09:26 +0200
r5506@buttercup: j0j0 | 2005-08-20 11:15:54 -0600
Restructure torture_join_domain() so that it joins itself, removes itself, and joins itself to the domain again to ensure that its account information is all current and as expected.
r9452@SERNOX: brad | 2005-08-21 19:33:51 +0200
r5508@buttercup: j0j0 | 2005-08-21 11:40:36 -0600
Bugfixes, trying to get things straight between contexts.
r9467@SERNOX: brad | 2005-08-22 04:00:48 +0200
r5510@buttercup: j0j0 | 2005-08-21 20:06:55 -0600
Another round of bugfixing.
r9521@SERNOX: brad | 2005-08-23 15:26:44 +0200
r5596@buttercup: j0j0 | 2005-08-23 07:33:06 -0600
Merging changes
r9524@SERNOX: metze | 2005-08-23 16:09:42 +0200
- fix the build caused by changes in the main samba4 tree,
- add an option "dssync:german=yes" to allow me to run against my german w2k3 server
this should be replaces by CLDAP calls to get the Default-First-Site-Name dynamicly
- remove some temporary comments, as DsAddEntry works now
metze
r9528@SERNOX: metze | 2005-08-23 18:22:22 +0200
the RPC-DSSYNC test is now able to fetch the whole tree,
including the unicodePwd, ntPwdHistory fields
metze
r9559@SERNOX: brad | 2005-08-24 04:11:47 +0200
r5612@buttercup: j0j0 | 2005-08-23 20:19:12 -0600
Some fixes around using talloc in a hierarchical fashion.
Still not right, but better.
r9564@SERNOX: brad | 2005-08-24 05:43:11 +0200
r5614@buttercup: j0j0 | 2005-08-23 21:50:38 -0600
Gave libnet_JoinADSDomain() its own tmp_ctx rather than passing it from libnet_JoinDomain() as a parameter (yuk).
As a side effect, it proves that my bug lies in libnet_JoinDomain(), not libnet_JoinADSDomain().
r9565@SERNOX: brad | 2005-08-24 06:09:46 +0200
r5616@buttercup: j0j0 | 2005-08-23 22:17:12 -0600
Small fix, if r->out.error_string and r2->samr_handle.out.error_string weren't set to NULL, torture_join_domain() would segfault on the second join.
r9630@SERNOX: brad | 2005-08-26 06:42:50 +0200
Commented out the parts of the dssync test which perform the dc join and create/remove associated ldap entries.
Commented out the test for the 'german' dssync option, because now we detect the Site-Name using CLDAP. If cldap_netlogon() does not return ok, the code defaults to 'Default-First-Site-Name'.
r9670@SERNOX: brad | 2005-08-27 02:30:11 +0200
Added a patch from metze.
To showcase what i've learned today, i've created two new parameters which can be set at runtime, drsuapi:last_usn and drsuapi:partition.
drsuapi:last_usn takes an integer representing the USN of the last recieved replication update for a particular partition (uses the domain dn if drsuapi:parition isn't set).
That value is passed in the DsGetNCChanges() call so that only info which has been updated since that point in time is returned. If this option is not set, 0 is used by default, and all updates for that partition are returned.
drsuapi:partition takes a string dn and uses that as the name of the AD partition to replicate.
Some debugging output was also added.
r9723@SERNOX: brad | 2005-08-29 01:07:51 +0200
Added some copyright notices.
Changed some things in net_join.c to try and figure out why 'net join <domain> bdc' segfaults.
It occurs when the last talloc_free() happens, so i'm sure it's something to do with the memory fiddling i'm doing in libnet_join.
Added some drsuapi attribute ids that I figured out today.
I put some (many, dry) notes together while doing that, so i'll try to put them up on a blog at samba.org a little later tonight.
r9740@SERNOX: metze | 2005-08-29 16:58:03 +0200
fix up the DsGetNCchanges loop,
and remove misleading comments
metze
r9743@SERNOX: metze | 2005-08-29 17:26:45 +0200
make the logic a bit clearer
metze
r9815@SERNOX: brad | 2005-08-31 02:36:21 +0200
Added cldap_netlogon() AD Site-Name lookup into libnet/libnet_join.c.
Bugfixing rampage in libnet_join.c to resolve misunderstanding of talloc_steal().
libnet_join now creates the CN=<netbios name>,CN=Servers,CN=<site name>,CN=Sites,CN=Configuration,<domain dn> container on a dc join.
r9858@SERNOX: brad | 2005-09-01 03:17:17 +0200
Removed extraneous NDR_ALL subsystem requirement from torture/config.mk.
Added lots of error checking as per metze's advice.
Removed commented out code.
More bug chasing.
r9863@SERNOX: brad | 2005-09-01 05:53:19 +0200
Cleaned up dssync.c, removed the unneeded DsCrackNames() call, removed DC join/leave related stuff.
It no longer looks like my house does!
r9887@SERNOX: metze | 2005-09-01 11:34:03 +0200
- fix dssync:highest_usn parameter handling
- ask for LINKED_ATTRIBUTE replication
metze
r9891@SERNOX: metze | 2005-09-01 14:13:18 +0200
make the code more readable, and fix a few bugs
metze
r9911@SERNOX: brad | 2005-09-01 20:36:27 +0200
Bugfixes in libnet_join.c.
Cleaned up comments.
Added domain_dn_str and account_dn_str to struct libnet_JoinDomain.
Removed struct dcerpc_pipe *samr_pipe and struct policy_handle user_handle from struct libnet_Join.
r9920@SERNOX: brad | 2005-09-01 23:34:13 +0200
Added disclaimer (I can't seem to get libnet_JoinDomain() to keep the samr_pipe and u_handle open past the function call, grrrr....).
r9921@SERNOX: brad | 2005-09-01 23:37:54 +0200
Added copyright statement.
Cleaned up unneeded variables from torture_join_domain().
r9932@SERNOX: brad | 2005-09-02 01:49:42 +0200
Really rushed project notes.
r10841@SERNOX: metze | 2005-10-08 20:01:45 +0200
remove diff to main SAMBA_4_0 branch
metze
r10862@SERNOX: metze | 2005-10-10 10:31:52 +0200
remove the differences between SAMBA_4_0 and SOC/SAMBA_4_0
metze
r10863@SERNOX: metze | 2005-10-10 10:34:26 +0200
fix the build
metze
r10864@SERNOX: metze | 2005-10-10 11:10:08 +0200
remove README file to reduce, diffs to main SAMBA_4_0 branch:
metze
README:
This project was centered around adding a torture test to Samba 4, which used drsuapi_DsGetNCChanges() to retrieve the contents of an Active Directory in the same manner as an Active Directory DC replication event.
As the project unfolded, I also applied some changes to the functionality of the libnet library related to joining a machine account to a domain.
One of the first things that I implemented in this project was a 'neighbour_writeable' option for the RPC-DRSUAPI torture test. The command line to execute this torture test is as follows:
smbtorture --option=drsuapi:neighbour_writeable=True -W <domain name> -U <admin username>%<password> ncacn_ip_tcp:<domain controller dns name> RPC-DRSUAPI
This option provides us with runtime control over the DRSUAPI_DS_REPLICA_NEIGHBOUR_WRITEABLE flag in the struct drsuapi_DsGetNCChanges.in.req.req<level>.replica_flags, allowing us to easily test for differences in the behaviour of AD replication with the switch on or off.
In the course of the project, I also implemented two more flags for the RPC-DSSYNC test. dssync:last_usn takes an integer representing the USN (Universal Serial Number) of the last recieved replication update for a particular partition (uses the domain DN if drsuapi:parition isn't set). That value is passed in the DsGetNCChanges() call so that only info which has been updated since that point in time is returned. If this option is not set, 0 is used by default, and all updates for that partition are returned. dssync:partition takes a string DN and uses that as the name of the AD partition to replicate.
Based initially on a patch provided to me by one of my mentors, Stephan (metze) Metzmacher, the RPC-DSSYNC test was implemented for this project. Initially functionality was included to perform a DC join prior to initiating replication, but the code was removed when it was realized that replication could indeed take place without being a member of the domain in any way. It has been recently suggested that we may need a DC join after all to get all of the information we may want from the AD replication. This is probably best added using a torture_join_domain() call once the libnet code is able to keep the user policy handle and SAMR RPC pipe open.
The DC join code was taken out of the RPC-DSSYNC and implemented for the most part in the libnet libraries. To test this, the RPC-NETLOGON test was modified to perform a domain join, leave and rejoin. Currently, the test has a fault in that it is unable to leave the domain using the same SAMR RPC pipe and user_policy information as was used for the first join. This is because I was unable to get the code working properly in libnet to provide that functionality. Currently missing from the DC join in libnet is the code to create the CN=NTDS Settings,CN=<DC NETBIOS NAME>,CN=<Site-Name>,CN=Sites,CN=Configuration,<domain DN> container using the dcerpc_drsuapi_DsAddEntry() call. I did not want to implement this functionality in libnet while there were still problems with the code.
I also provided the ability in libnet and the RPC-DSSYNC test to look up the proper site name using the cldap library.
In my investigations, I was unable to find out any information regarding the UnicodePwd attribute, except that the same password is represented differently for two different users in the same directory.
I was also able to resolve and confirm the meaning of some DRSUAPI_ATTRIBUTE ID's.
DRSUAPI_OBJECTCLASS_domain (0xA0042)
DRSUAPI_OBJECTCLASS_domainDNS (0xA0043)
wellKnownObjects (0x9026A)
fSMORoleOwner (0x90171)
name or dc (0x90001)
whenCreated (0x20002)
instanceType (0x20001)
gPLink (0x9037B)
These were added to the IDL for drsuapi (source/librpc/idl/drsuapi.idl).
I would like to thank everyone on the Samba team who worked with me and assisted me with this project, specifically all the work done by Stephan Metzmacher, Andrew Bartlett and Jerry Carter. Working on this project with the Samba team really has been a life changing experience, as corny as that sounds.
I've realized that I was born to be a systems developer, and it has helped confirm in my mind that Open Source (specifically Samba) development is exactly what i've been missing!
I would also like to take this opportunity to thank Chris Dibona and Google for the amazing opportunity. I don't know if I would have taken the leap in other circumstances.
I know these notes sound a little rushed, but it is 23:55 after all! :)
(This used to be commit 55552b41cb)
Also add torture tests for this function and file_{load,save}. I've hardcoded
a file name here.. should I handle that neater somehow?
(This used to be commit 8fa383f182)
an ADS join, particularly as a DC. This represents the bulk of his
Google SOC work, and I'm very pleased to intergrate it into the tree.
(Metze will intergrate the DRSUAPI work later).
Both metze and myself have also put a lot of time into this patch, and
in mentoring Brad in general. In return, Brad has been a very good
student, and has taken the comments well.
Since it's last appearance on samba-technical@, I have made
correctness and valgrind fixups, as well as adding a new 'BINDING'
mode to the libnet_rpc routines. This allows the exact binding string
to be passed down from the torture code, including options and exact
target host.
Andrew Bartlett
(This used to be commit d6fa105fda)
that a given set of (working) POSIX functions are available (without
prefixes to their names, etc). See lib/replace/README for a list.
Functions that behave different from their POSIX specification
(such as sys_select, sys_read, etc) have kept the sys_ prefix.
(This used to be commit 29919a7105)
NTCREATEX_DISP_CREATE (create if not exists, else fail) they might end up with
two or more times NT_STATUS_OK as EEXIST is not correctly handled.
Jeremy, please look closely at this. You can easily verify this by adding a
smb_msleep(100) to the top of open_file_ntcreate and run the new samba4
torture test. It does also happen without the msleep, but not as reliably.
Thanks,
Volker
(This used to be commit c803d4c9a5)
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
file_load() to use talloc, which impacted quite a few bits of code,
including our smb.conf processing.
took the opportunity to remove the gloabls in params.c while doing this
(This used to be commit b220756cb4)
NT_STATUS_INVALID_HANDLE on a per call basis for a bad vuid. That
means it is doing checking for a valid vuid in each backend function,
rather than globally. I don't want to emulate that as it is way too
error prone, and could easily lead to a security hole, so instead
accept either error code in our test suite.
(This used to be commit aefa9e53fa)
The biggest change was fixing the RAW-CONTEXT test. It was forcing
capabilities to zero in an attempt to not negotiated extended
security, but as a side effect it was forcing negotiation of dos error
codes. This confused the hell out of the test code!
Also fixed a bunch of places incorrectly using NT_STATUS_V() instead
of NT_STATUS_EQUAL() and several places that had the wrong dos status
codes
(This used to be commit 0b22744f40)
much closer.
This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary. This is the only way I can explain
the 4 trainling zeros in the signature struct.
Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.
I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.
Andrew Bartlett
(This used to be commit 50a54bf4e9)
with 'nt status support' option.
- make nt_errstr() display nice strings for dos status codes encoded
using NT_STATUS_DOS()
- no longer map between dos and nt status codes in the client library,
instead return using NT_STATUS_DOS()
- fixed the RAW-CONTEXT test to look for
NT_STATUS_DOS(ERRSRV, ERRbaduid) instead of NT_STATUS_INVALID_HANDLE
(This used to be commit ff5549e87f)
don't like to bother with netbios type names when looking for common
types: hosts (servers) and domain controllers. Also, apropriate tests
rafal
(This used to be commit 50cd94be0f)
server as to the CIFS session key.
JRA had pain with this being wrong against NT4 (without spnego), hence
this specific test.
Andrew Bartlett
(This used to be commit 47f433708b)
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485b)
There is now a new --debug-stderr option to enable debug to STDERR.
popt isn't perfect, but the callbacks are used in all the main Samba
binaries, and should be used in the rest. This avoids duplicated
code, and ensures every binary is setup correctly.
This also ensures the setup happens early enough to have -s function,
and have a correct impact on the credentials code. (Fixing a bug that
frustrated tridge earlier today).
The only 'subtle' aspect of all this is that I'm pretty sure that the
SAMBA_COMMON popt code must be above the CREDENTIALS code, in the
popt tables.
Andrew Bartlett
(This used to be commit 50f3c2b3a2)
get stuck waiting on no file descriptors, with no timeout, so it sits
forever. I need to fix that bug separately, but to prevent build farm
machines being totally stuck, this timeout will be used.
(This used to be commit 5cccf0a770)
management system I proposed on samba-technical a couple of days
ago. Essentially it is a very lightweight way for any code in Samba to
make IDL based rpc calls to anywhere else in the code, without the
client or server having to go to the trouble of setting up a full rpc
service.
It can be used with any of our existing IDL, but I expect it will
mostly be used for a new set of Samba specific management calls.
The LOCAL-IRPC torture test demonstrates how it can be used by calling
the echo_AddOne() call over this transport.
(This used to be commit 3d589a0995)
interestingly, w2k3 seems to have 4 different varients of the netlogon
cldap response. We decode two of them so far. The other two are tricky
as they aren't distinguished by a command code, they use the same
command codes (0x13 and 0x17) but have quite a different format. Very
strange!
(This used to be commit 58f1c39282)
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a
windows server sends a reply, but the windows server sends the reply
to the wrong port (it always sends to 138), so the test suite doesn't
see it.
(This used to be commit a7634625db)
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a)
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d)
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50)
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc2)
DCOM paper in lorikeet. This is the result of 1.5 months work (mainly
figuring out how things *really* work) at the end of 2004.
In general:
- Clearer distinction between COM and DCOM. DCOM is now merely
the glue between DCE/RPC+ORPC and COM. COM can also work without
DCOM now. This makes the code a lot clearer.
- Clearer distinction between NDR and DCOM. Before, NDR had a couple of
"if"s to cope with DCOM, which are now gone.
- Use "real" arguments rather then structures for function arguments in
COM, mainly because most of these calls are local so packing/unpacking
data for every call is too much overhead (both speed- and code-wise)
- Support several mechanisms to load class objects:
- from memory (e.g. part of the current executable, registered at start-up)
- from shared object files
- remotely
- Most things are now also named COM rather then DCOM because that's what it
really is. After an object is created, it no longer matters whether it
was created locally or remotely.
There is a very simple example class that contains
both a class factory and a class that implements the IStream interface.
It can be tested (locally only, remotely is broken at the moment)
by running the COM-SIMPLE smbtorture test.
Still to-do:
- Autogenerate parts of the class implementation code (using the coclass definitions in IDL)
- Test server-side
- Implement some of the common classes, add definitions for common interfaces.
(This used to be commit 71fd3e5c3a)
- Disable all current DCOM functionality (I hope to commit
a large bunch of COM and DCOM changes later today)
- Make remact and oxidresolver depend on orpc rather then dcom
(This used to be commit f298f2a547)
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e90)
- change the iface_n_*() functions to return a "const char *" instead of a "struct ipv4_addr"
I think that in general we should move towards "const char *" for
all IP addresses, as this makes IPv6 much easier, and is also easier
to debug. Andrew, when you get a chance, could you fix some of the
auth code to use strings for IPs ?
- return a NTSTATUS error on bad name queries and node status instead
of using rcode. This makes the calling code simpler.
- added low level name release code in libcli/nbt/
- use a real IP in the register and wins nbt torture tests, as w2k3
WINS server silently rejects some operations that don't come from the
IP being used (eg. it says "yes" to a release, but does not in fact
release the name)
(This used to be commit bb1ab11d8e)
NBT-REGISTER test that tests that a server correctly defends its name
against broadcast name registrations.
Jeremy, you might like to look at this. Samba3 nmbd fails to respond.
(This used to be commit bb1298a2eb)
which will eventually try all resolution methods setup in smb.conf
- only resolution backend at the moment is bcast, which does a
parallel broadcast to all configured network interfaces, and takes
the first reply that comes in (this nicely demonstrates how to do
parallel requests using the async APIs)
- converted all the existing code to use the new resolve_name() api
- removed all the old nmb code (yay!)
(This used to be commit 239c310f25)
