IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
this because I don't want our torture suite to leave behind accounts
with known passwords if it is stopped in the wrong place. It is now
run behind the -X (dangerous) wrapper.
Andrew Bartlett
(This used to be commit 057a81d81e)
cli_credentials_set_conf(), not cli_credentials_guess().
Also, clarify why for particular flags, we don't do a DCERPC-level
authentication.
Andrew Bartlett
(This used to be commit 838925761d)
track the use of un-initialised values.
This change will require a recompile from clean, as the enum
describing the status of each element now has a default of
CRED_UNINITIALISED.
Andrew Bartlett
(This used to be commit 83c2eb806d)
behaviour on session setups, and because we no longer need do deal
with the linked list as much, the code is much simpiler too.
We may be able to compleatly remove the tid and vuid linked lists, but
I need to check.
This patch also tries to clean up the VUID handling and session setups
in general. To avoid security issues, we now have a distinction
between VUIDs allocated for the session setup (to tie togeather the
multiple round trips) and those used after authentication.
Andrew Bartlett
(This used to be commit 3e5775146d)
now tries to bind to port 138 if possible, so if you run it as root
and smbd/nmbd is not running then it works against windows servers
(This used to be commit 52ccdb79bc)
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a
windows server sends a reply, but the windows server sends the reply
to the wrong port (it always sends to 138), so the test suite doesn't
see it.
(This used to be commit a7634625db)
Implement DomainHandle.LookupNames() function.
UserHandle.DeleteUser() closes the handle so don't try and close it
when the GC destroys the class instance.
(This used to be commit 57680163bc)
datagrams. This adds the IDL to parse mailslot packets, plus mailslot
dispatch and listener registration code.
mailslots are used for UDP/138 browse and netlogon packets
(This used to be commit f20e7e5200)
need one call to get in sync again (except something like NT_STATUS_MORE_ENTRIES is returned)
also the pdc only need to know the current state values
metze
(This used to be commit f4e12b3893)
(sorry richard:-)
disable lookup for DefaultSpoolDirectory until, I have fixed the parsing when WERR_MORE_DATA
is returned
metze
(This used to be commit d5993337b8)
- fix GetPrinterData(), look inside the datablob
- add idl for RemoteFindFirstChangeNotify(), without meaning yet, just to not return a DCERPC_FAULT
when receiving this request
metze
(This used to be commit 92f3d5bd9c)
2. Also, don't try to delete directories.
I am not entirely happy with this patch, and the fact that there is a
define for HAVE_SYS_STAT_H suggests that there are some systems for which
stat will not be defined, which means that the patch is not entirely
portable.
(This used to be commit fe7ddad7d4)
server. Currently just listens on port 138 and parses the packets
(using IDL like the rest of NBT). This allows me to develop the
structures and test with real packets
(This used to be commit 10d64a5253)
a handle as parameter,
EnumPorts
EnumPrinterDrivers
EnumMonitors
EnumPrintProcessors
EnumPrinters
we now do cross checks between the different info levels
and sore the results in a global context,
so that we later can add cross checks between the different object types
- add idl for EnumMonitors and EnumPrintProcessors
metze
(This used to be commit 92a3721bc7)
Makefile fragments for the build system. This allows the file to be
edited without using quite as many backslashes. Some are still necessary
for interpolation of perl variables though.
I've diffed the new Makefile against the old and there are only some
extra newlines as a result of making things more consistent.
(This used to be commit 3808c5e092)
- talloc should always be done in the right context. For example, when creating
the userinfo_state structure, place it inside the composite
structure, not directly on the pipe. If this isn't done then
correct cleanup can't happen on errors (as cleanup destroys the top
level composite context only)
- define private structures like userinfo_state in the userinfo.c
code, not in the public header
- only keep the parameters we need in the state structure. For
example, the domain_handle is only needed in the first call, so we
don't need to keep it around in the state structure, but the level is
needed in later calls, so we need to keep it
- always initialise [out,ref] parameters in RPC calls. The [ref] part
means that the call assumes the pointer it has been given is
valid. If you don't initialise it then you will get a segv on
recv. This is why the code was dying.
- don't use internal strucrure elements like the pipe
pipe->conn->pending outside of the internal rpc implementation. That
is an internal list, trying to use it from external code will cause crashes.
- rpc calls assume that rpc call strucrures remain valid for the
duration of the call. This means you need to keep the structures
(such as "struct samr_Close") in the userinfo_state strucrure,
otherwise it will go out of scope during the async processing
- need to remember to change c->state to SMBCLI_REQUEST_DONE when the
request has finished in the close handler, otherwise it will loop
forever trying to close
Mimir, please look at the diff carefully for more detailed info on the fixes
(This used to be commit 01ea1e7762)
- now works properly with UDP, so the NBT tests work
- fixed byte order in a few places
- connect() now fails to non-localhost
- fixed some places that tested for < 0, which should be == -1 (most syscalls
return -1 on error, not "negative")
(This used to be commit 61e1eea0fd)
can be enabled on the buildfarm without requiring --enable-developer
- Support tcp and udp being used on the same port
- FIx some portability issues (should fix the build on
some hosts on the buildfarm)
- Ignore setting TCP_NODELAY on (semi-)TCP sockets rather then complain about
it not being supported (saves us from a couple of error messages for each
connection that is opened)
(This used to be commit 443fb7853b)
(this fixes parsing of w2k blob, which some times have random gargabe data in the sid buffer)
- make the names of the DsReplicaCoursor*Ctr* 's more consistent
and fix DsGetNCchangesCtr6 parsing
metze
(This used to be commit 75e427dca9)
(taken from cabextract.c from KDE)
this code maybe need to be rewritten and the
compression side needs to be done,
but for now it seems to works
- remove the dependency to zlib
metze
(This used to be commit 5e8558c5b4)
auth/gensec and auth/kerberos.
This also pulls the kerberos configure code out of libads (which is
otherwise dead), and into auth/kerberos/kerberos.m4
Andrew Bartlett
(This used to be commit e074d63f3d)
up issues I introduced during the merge, that caused a segfault.
I've still not got the keytab code to work for me (using Samba3 to
generate the keytab) so this is still not fully tested, but it's
better than it was.
To add debugging, I now use the krb5_get_error_message() function from
Heimdal when present, to return the custom error string, which
contains far, far more information than the simple error code does.
(This last point may well be worth merging back into 3.0)
Andrew Bartlett
(This used to be commit ed5755d9d1)
redirects traffic (currently just IP traffic) over unix domain sockets
if the SOCKET_WRAPPER_DIR environment variable has been set.
Aim is to use this for the Samba4 torture suite on the buildfarm.
The socket_wrapper library can only be used if Samba was compiled with
--enable-developer.
test_rpc.sh passes against a local smbd with SOCKET_WRAPPER_DIR set.
(and ethereal showed no traffic whatsoever)
Stuff that still needs to be fixed in socketwrapper:
- Give ENETUNREACH if target is not localhost
- A given port number can only be used for UDP /or/ TCP, not both.
- Perhaps allow some calls to circumvent socketwrapper (do we need DNS?)
(This used to be commit f8a63a843c)
made into something that isn't a maze of #ifdefs)
- when a module is not found, make it a non-fatal error. Otherwise the standalone ldb
tools just bail out. The previous code meant that if you had a
module listed and it wasn't present then you could _never_ fix it,
as you coudln't open the ldb to remove that module from @MODULES !
(This used to be commit c4728625c0)
- This module will take care of properly filling an user or group object
with required fields. You just need to provide the dn and the objectclass
and a user/group get created
Simo.
(This used to be commit fb9afcaf53)
client. The issue was actually a cut-and-paste bug, I was filling in
the .old not the .nt1 part of the union.
I've also removed the 'error checks' - I'll shortly document the API
for the credentials code to clarify that it will always return a
pointer here, except in cases of programmer error.
Tridge: I hope this is OK.
Andrew Bartlett
(This used to be commit 6439de9ec8)
this is not complete cuurently...
but I want other people to test it and help me on finishing it.
(try to change the #if 0 in torture/rpc/drsuapi.c into #if 1)
metze
(This used to be commit 335adef370)
has the patience to run test_w2k3.sh to completion :-)
It looks to me that the Windows server runs the RC4 over the C struct,
not the NDR data.
Andrew Bartlett
(This used to be commit c324d97413)
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a)
painful, so don't call lp_*() functions until the post stage (rather
than in the cli_credentails_init(), which is called in the pre stage),
and don't open the secrets.ldb looking for the machine account details
until we actually need them (well after popt is done, and we know we have the other things right).
Set the domain and realm, as well as the account and password for -P
(fetch machine password) operation.
Allow NETLOGON credentials to be stored in this structure - will allow
SCHANNEL to be made more generic.
Clarify why we don't do special checks for NULL pointers, particularly
in the anonymous check (it indicates a programmer error, not a
run-time condition).
Also make lib/credentials.c a little more consistant.
Andrew Bartlett
(This used to be commit 730e6056b7)
option, rather than all binding options for each transport.
This means that we get to most of the tests earlier, with at least
some binding options. (And allows us to have some confidence before
waiting for an RPC-SAMR test to finish with bigendian).
Andrew Bartlett
(This used to be commit 5c3e4df804)
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619)
This adds the auth_domain module to the auth subsystem, and cleans up
some small details around the join process (ensuring all the right
info is in the DB).
Andrew Bartlett
(This used to be commit 858cbfb821)
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d)
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50)
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc2)
a good variety of things to test against.
Add code to testjoin to handle this just like test machine accounts
Soon I'll remove the 'must change password' flag, so we can do logins with it.
Andrew Bartlett
(This used to be commit 08b47e2dc0)
to a new ndr.pm.
Add function that can generate a "OrderTable" describing the order
in which the NDR data will be pushed/pulled.
(This used to be commit 2603a7326d)
I'm going to add a ndr.pm later on that'll generate a
tree with necessary information for the two NDR backends
(eparser, ndr_parser) containing alignment info, etc.
(This used to be commit 5162daa946)
