1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

30138 Commits

Author SHA1 Message Date
Stefan Metzmacher
71c63e85e7 auth/gensec: introduce gensec_internal.h
We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:02 +02:00
Stefan Metzmacher
e90e1b5c76 s4:gensec/schannel: only require librpc/gen_ndr/dcerpc.h
We just need DCERPC_AUTH_TYPE_SCHANNEL

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:01 +02:00
Stefan Metzmacher
9b9ab1ae69 s4:gensec/schannel: there's no point in having schannel_session_key()
gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
before calling schannel_session_key(), as we don't provide
GENSEC_FEATURE_SESSION_KEY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:01 +02:00
Stefan Metzmacher
a07049a839 s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is not supported
There's a sequence number attached to the connection,
which needs to be incremented with each message...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:01 +02:00
Stefan Metzmacher
b510476822 s4:gensec/schannel: use the correct computer_name from netlogon_creds_CredentialState
We need to use the same computer_name we used in the netr_Authenticate3
request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:00 +02:00
Stefan Metzmacher
49f347eb11 s4:gensec/schannel: simplify the code by using netsec_create_state()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:19:00 +02:00
Stefan Metzmacher
4cad5dcb6d s4:gensec/schannel: remove unused dcerpc_schannel_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:59 +02:00
Stefan Metzmacher
2ea3a24dce s4:torture: avoid usage of dcerpc_schannel_creds()
We use cli_credentials_get_netlogon_creds() which returns the same value.

dcerpc_schannel_creds() is a layer violation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:59 +02:00
Stefan Metzmacher
c0144273af s4:libnet: avoid usage of dcerpc_schannel_creds()
We use cli_credentials_get_netlogon_creds() which returns the same value.

dcerpc_schannel_creds() is a layer violation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-10 09:18:59 +02:00
David Disseldorp
d944841211 torture: add smb2 FSCTL_[GET/SET]_COMPRESSION test
This test simply creates a file and checks the compression state before
and after FSCTL_SET_COMPRESSION(COMPRESSION_FORMAT_DEFAULT).

The test expects the compression state to be COMPRESSION_FORMAT_LZNT1
after set, conforming to Windows Server behaviour.

If the server responds to the first FSCTL_GET_COMPRESSION request with
NT_STATUS_NOT_SUPPORTED or NT_STATUS_INVALID_DEVICE_REQUEST, then the
test is skipped. This allows it to run during selftest.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug  9 22:03:39 CEST 2013 on sn-devel-104
2013-08-09 22:03:38 +02:00
David Disseldorp
86c79f1ab3 torture: split out ioctl test file creation helper
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-08-09 11:09:46 -07:00
Matthieu Patou
f6d157858f drs-cracknames: Add some debugs in the torture to know better which test has failed
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-By: Andrew Bartlett <abarlett@samba.org>

Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Wed Aug  7 08:10:58 CEST 2013 on sn-devel-104
2013-08-07 08:10:58 +02:00
Matthieu Patou
7fe4630bad drs-cracksname: fix problems that prevented to pass our torture tests
Some of the problems where also reported by Microsoft testing tools

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:22:10 -07:00
Matthieu Patou
029e80da9d drs-crackname: Fix error code so that we have the same as windows
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:22:07 -07:00
Matthieu Patou
552b4f3e02 drs-cracknames: When cracking NT4 names we should just look at netbios for the match
Looking at dnsRoot will yield a result for domain.tld\username when it
shouldn't work.

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:22:05 -07:00
Matthieu Patou
aa17a2c01d drs-crackname: Fix cracknames for the format UNKNOWN when the data is actually a GUID
The cannonical crackname expect a "/" or it returns
DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR, when doing UNKNOWN format it's not
an error to not have a "/" in the name to crack it's just a sign the
name is not a cannonical one.

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:22:02 -07:00
Matthieu Patou
beead4d431 drs-cracknames: Reorganise the cracknames list so that similar format names are group together
It makes easier when reviewing failed test case in DRSR testsuite

Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:22:00 -07:00
Matthieu Patou
2f7d772583 Add Notes related to DRSUAPI
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-by: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:56 -07:00
Matthieu Patou
b67085de7f s4-netlogon: honnor DS_RETURN_DNS_NAME flag
Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:52 -07:00
Matthieu Patou
927a1030d7 s4-netlogon: do not add \\ it has already be done in the fill_netlogon_samlogon_response
Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:47 -07:00
Matthieu Patou
530098440e torture: Quiet a warning about set but not used variable
Signed-off-by: Matthieu Patou <mat@matws.net>
Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:41 -07:00
Matthieu Patou
0eb304d536 torture-drsuapi: Make the name of the dc variable
In case some tests fails or if the removal takes sometime to replicate
to all the DCs

Reviewed-By: Andrew Bartlett <abarlett@samba.org>
2013-08-06 21:21:09 -07:00
Jeremy Allison
c4cba824d9 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
Fix client-side parsing also. Found by David Disseldorp <ddiss@suse.de>

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Aug  5 14:39:04 CEST 2013 on sn-devel-104
2013-08-05 14:39:04 +02:00
Stefan Metzmacher
9d548318da s4:netlogon: make use of netlogon_creds_decrypt_samlogon_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00
Stefan Metzmacher
34fa794699 s4:librpc: fix netlogon connections against servers without AES support
LogonGetCapabilities() only works on the credential chain if
the server supports AES, so we need to work on a temporary copy
until we know the server replied a valid return authenticator.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:01 +02:00
Günther Deschner
a9d5b2fdf0 libcli/auth: also set secure channel type in netlogon_creds_client_init().
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2013-08-05 10:30:00 +02:00
Stefan Metzmacher
bbd63dd8a1 s4:ntlm_auth: make use of cli_credentials_[set_]callback_data*
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:04 +12:00
Stefan Metzmacher
d47bf469b8 s4:torture/rpc: make use of cli_credentials_set_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:04 +12:00
Stefan Metzmacher
d36fcaa5f3 s4:torture/gentest: make use of cli_credentials_get_username()
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:03 +12:00
Stefan Metzmacher
36b3c9506c s4:torture/shell: simplify cli_credentials_set_password() call
All we want is to avoid a possible callback...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-08-05 17:48:03 +12:00
Andrew Bartlett
f2afdb6169 dsdb: Include MS-ADTS doc references on deleted object contstraints
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30 08:37:11 +02:00
Andrew Bartlett
a9e565a5a4 dsdb tests: Add member/memberOf checking to delete_objects testing
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-30 08:37:08 +02:00
Andrew Bartlett
0162be32ab dsdb: Improve DRS deleted link source/target handing in repl_meta_data
We now correctly ignore the link updates if the source or target is
deleted locally.

This fixes the long-standing failure in the vampire_dc dbcheck test.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-30 08:36:58 +02:00
Andrew Bartlett
32955a1dec dsdb: Ensure we always force deleted objects back under the deleted objects DN
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30 08:36:55 +02:00
Stefan Metzmacher
a796cad90f dsdb/repl_meta_data: split out replmd_deletion_state()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-07-30 08:36:51 +02:00
Andrew Bartlett
d3aad891c5 dsdb: Prune deleted objects of links and extra attributes of replicated deletes
When an object is deleted, the links to be removed are not propogated,
you have to watch out for them manually!

We do this by calling back into the originating update delete code (ie
what is called if you ldb_delete() locally) so that any extra
attribute found locally and not on the remote server becomes removed
remotely too.

We currently do the same with links, but that isn't strictly correct,
but for now our getNCChanges server code filters these out, so only
the usn is bumped.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-30 08:36:41 +02:00
Kai Blin
45f5ea0b57 dns: Update TODO list
A lot of the todo items have been resolved, avoid confusing people.

Signed-off-by: Kai Blin <kai@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 29 09:12:17 CEST 2013 on sn-devel-104
2013-07-29 09:12:17 +02:00
Andrew Bartlett
a74c7d780c torture/drs: Expand an error message to aid debugging
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 25 13:51:44 CEST 2013 on sn-devel-104
2013-07-25 13:51:44 +02:00
Stefan Metzmacher
63c05e820f dsdb/samdb: use RECYCLED it implies DELETED...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-25 09:01:08 +02:00
Andrew Bartlett
5e1f2795f2 rpc_server-drsuapi: Improve comments and DEBUG lines
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24 16:35:37 +02:00
Andrew Bartlett
e9faf50ee1 dsdb: Add assert in drepl_take_FSMO_role
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2013-07-24 16:35:32 +02:00
Andrew Bartlett
db9c3c62c8 dsdb-ridalloc: Rework ridalloc to return error strings where RID allocation fails
We now also only poke the RID manager once per request.

This may help track down why RID allocation can fail, as while we
never wait for the RID set to be created/updated, it may be the only
clue the admin gets as to why the async allocations were failing.

Andrew Bartlett

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24 16:35:04 +02:00
Andrew Bartlett
31fb7f9c1b dsdb: Rework subtree_rename module to use recursive LDB_SCOPE_ONELEVEL searches
This should be more efficient, particularly in the leaf node case when renaming and
deleting entries on large databases.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24 16:35:01 +02:00
Andrew Bartlett
03b44d26fd dsdb-descriptor: Do not do a subtree search unless we have child entries
This avoids a subtree search here in most cases where an object is deleted.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-07-24 16:34:58 +02:00
Stefan Metzmacher
077dfd0a89 s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()
This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
read past the end of the allocation.

(similar to commit e9ae36e968)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10042

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 24 14:37:43 CEST 2013 on sn-devel-104
2013-07-24 14:37:43 +02:00
Andrew Bartlett
e9ae36e968 s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr()
This caused crashes in _tsocket_address_bsd_from_sockaddr() when we
read past the end of the allocation.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2013-07-23 15:35:08 -07:00
Jeremy Allison
bb21fc51e4 Add torture tests to raw.eas to check sending Windows invalid names in the middle of an EA list.
Add torture tests to probe the set of invalid
Windows EA names.

Bug 9992 - Windows error 0x800700FE when copying files with xattr names containing ":"

Signed-off-by: Jeremy Allison <jra@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 19 11:50:25 CEST 2013 on sn-devel-104
2013-07-19 11:50:25 +02:00
Bill Parker
9b58da9866 Fix bug 10025 - Lack of Sanity Checking in calls to malloc()/calloc().
In reviewing various files in Samba-4.0.7, I found a number
of instances where malloc()/calloc() were called without the
checking the return value for a value of NULL, which would
indicate failure.

(NB. The changes needed to ccan, iniparser, popt and heimdal
will be reported upstream, not patched inside Samba).

Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Source <idra@samba.org>
2013-07-17 16:12:19 -07:00
Stefan Metzmacher
596b51c666 s4:server: avoid calling into nss_winbind from within 'samba'
The most important part is that the 'winbind_server' doesn't
recurse into itself. This could happen if the krb5 libraries
call getlogin().

As we may run in single process mode, we need to set
_NO_WINBINDD=1 everywhere, the only exception is the forked
'smbd'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 10 23:18:06 CEST 2013 on sn-devel-104
2013-07-10 23:18:06 +02:00
Stefan Metzmacher
e6a58d3704 s4:rpc_server: make sure we don't terminate a connection with pending requests (bug #9820)
Sadly we may have nested event loops, which won't work correctly with
broken connections, that's why we have to do this...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 10 08:47:38 CEST 2013 on sn-devel-104
2013-07-10 08:47:38 +02:00