IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Do the assignment as the last action to make sure it's not overwritten
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu Mar 24 17:31:57 CET 2011 on sn-devel-104
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
Now that we don't need to pass in the function name and string,
another level of indirection can be safely removed, and the operation
of these macros made much clearer.
Andrew Bartlett
This code wrote to the full buffer in fstrcpy(), pstrcpy() and other
fixed-length string manipulation functions.
The hope of this code was to find out at run time if we were mixing up
pstring and fstring etc, and to record where this came from. It has a
runtime performance impact (particularly if compiled with
--enable-developer).
It is being removed because of the complexity it adds, and the
distinct lack of bugs that this complexity has been credited in
finding.
The macro-based compile-time checking of string sizes remains.
Andrew Bartlett
Instead use new header smb_ldap.h where all LDAP API related things are handled,
while smbldap.h only deals with our smbldap_X() API.
Guenther
Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed Mar 16 10:54:51 CET 2011 on sn-devel-104
Looking in [MS-RAP].pdf - these strings are always 4 bytes as an
offset in the rparam area, the string length is the size in the rdata area.
Se we must always return we have consumed 4 param bytes.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Mon Mar 14 20:09:09 CET 2011 on sn-devel-104
in case the cli was closed before (e.g. via a dropped ip message)
it can be expected that the read here returns with an error and so
we should not log that a connection is dead when it was closed before
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Wed Feb 23 16:51:03 CET 2011 on sn-devel-104
When called from a library, we don't want to call this, as we may
overwrite some of our calling program's context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Fri Feb 18 09:29:35 CET 2011 on sn-devel-104
In many other places we already assume that if asprintf returns !=-1 then the
result is allocated.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Jan 29 15:00:09 CET 2011 on sn-devel-104
Do this by keeping a linked list of delete on close tokens, one for
each filename that identifies a path to the dev/inode. Use the
jenkins hash of the pathname to identify the correct token.
When the TCP RST came before the 5 msecs timeout kicked in, we
viewed this as final, as state->req_139 was not set yet.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sat Jan 22 17:42:41 CET 2011 on sn-devel-104
This does an async port 137 transaction: It connects to /tmp/.nmbd/unexpected,
sends out the query and then waits for a reply on both the socket as well as
data from /tmp/.nmbd/unexpected. Every packet is passed through a validator. If
that returns true, the packet received is finally accepted.
This provides the framework to replace the unexpected.tdb file. Nmbd will
listen on /tmp/.nmbd/unexpected. A client interested in unexpected packets
connects there. It sends a nb_packet_query plus a potential mailslot name for
dgram packets. It waits for a single ack byte to avoid races. After that has
happened, nmbd will pass down all matching packets through that socket.
nb_packet_server_create and nb_packet_dispatch are the nmbd routines,
nb_packet_reader_send/recv and nb_packet_read_send/recv are the client ones.
It's the free_packet() that was missing. On the way, I've changed the
"return false;" to a "goto fail;", which makes the patch a bit larger.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Sun Jan 2 14:27:56 CET 2011 on sn-devel-104
This fixes SMB session setups with kerberos against some closed
source SMB servers.
The new behavior matches heimdal and mit.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
This connects to 445 and after 5 milliseconds also to 139. It treats a netbios
session setup failure as equivalent as a TCP connect failure. So if 139 is
faster but fails the nb session setup, the 445 still has the chance to succeed.
It is never correct to ask for a machine$ principal as the target of a
kerberos connection. You should always connect via the
servicePrincipalName.
This current code appears to have built up from a series of minimal
changes, as the codebase adapted the to lack of a SPNEGO principal
from Windows 2008.
Andrew Bartlett
This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks. (Becuase
it isn't the name being contacted that is verified with the KDC).
This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour. As in Samba4, this
defaults to false.
Against 2008 servers, this will not change behaviour. Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.
Andrew Bartlett
When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detect that we need to
reconnect.
transaction id of packets it was requested to send via a client, and
only store replies that match these ids. On the client side change
clients to always attempt to ask nmbd first for name_query and
node_status calls, and then fall back to doing socket calls if
we can't talk to nmbd (either nmbd is not running, or we're not
root and cannot open the messaging tdb's). Fix readers of unexpected.tdb
to delete packets they've successfully read.
This should fix a long standing problem of unexpected.tdb
growing out of control in noisy NetBIOS envioronments with
lots of bradcasts, yet still allow unprivileged client apps
to work mostly as well as they already did (nmblookup for
example) in an environment when nmbd isn't running.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Sun Nov 14 05:22:45 UTC 2010 on sn-devel-104
The underlying problem is that the old code invoked by cli_write() increments
cli->mid directly when issuing outstanding writes. This should now be done only
in libsmb/clientgen.c to make metze's new signing engine works correctly. Just
deleting this code fixes the problem.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Thu Nov 11 02:50:08 UTC 2010 on sn-devel-104
Following the review of this patch series by Derrell Lipman, remove
the seperate storage of the debug_stderr variable from the
libsmbclient SMBC_internal_data context.
Andrew Bartlett
This isn't quite what you would expect from this interface, but actually
avoids some really nasty situations if you ever have more than one
libsmbclient context in a process.
In the real world, if you have asked for DEBUG() to stderr in one part
of the code, you will want it globally, even in a different thread
(which in the past would have rest everything to stdout again, at
least while starting up).
Andrew Bartlett
All future assignments of the debug level should go via
lp_set_cmdline("log level", "x") because this will ensure the value is
not overwritten in an smb.conf load.
Andrew Bartlett
This change improves the setup_logging() API so that callers which
wish to set up logging to stderr can simply ask for it, rather than
directly modify the dbf global variable.
Andrew Bartlett
Based on an initial patch from H Hasegawa <hasegawa.hiroyuki@fujixerox.co.jp>.
Convert cli_list and associated functions to take calls that return NTSTATUS.
Jeremy.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Fri Oct 29 19:40:16 UTC 2010 on sn-devel-104
Based on a fix from Sven Neumann <s.neumann@raumfeld.com>.
Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Wed Oct 27 22:02:11 UTC 2010 on sn-devel-104
This will reduce the noise from merges of the rest of the
libcli/security code, without this commit changing what code
is actually used.
This includes (along with other security headers) dom_sid.h and
security_token.h
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
TDB_CLEAR_IF_FIRST tdb's. For tdb's like gencache where we open
without CLEAR_IF_FIRST and then with CLEAR_IF_FIRST if corrupt
this is still safe to use as if opening an existing tdb the new
hash will be ignored - it's only used on creating a new tdb not
opening an old one.
Jeremy.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid NetBIOS session request is received the code in name_len() in
libsmb/nmblib.c can hit an assert.
Re-write name_len() and name_extract() to use "buf/len" pairs and
always limit reads.
Jeremy.
Found by the CodeNomicon test suites at the SNIA plugfest.
http://www.codenomicon.com/
If an invalid SPNEGO packet contains no OIDs we crash in the SMB1/SMB2 server
as we indirect the first returned value OIDs[0], which is returned as NULL.
Jeremy.
The idea of this patch is: Don't support a mix of different kerberos
features.
Either we should prepare a GSSAPI (8003) checksum and mark the request as
such, or we should use the old behaviour (a normal kerberos checksum of 0 data).
Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
Samba4, and seems well outside the expected behaviour, even if Windows accepts it.
Andrew Bartlett
