IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This allows the easy addition of additional named pipes and removes the
circular dependencies between the CIFS, RPC and RAP servers.
Simple tests for a custom named pipe included.
(This used to be commit 898d15acbd)
dcerpc_interface_table struct rather then a tuple of interface
name, UUID and version.
This removes the requirement for having a global list of DCE/RPC interfaces,
except for these parts of the code that use that list explicitly
(ndrdump and the scanner torture test).
This should also allow us to remove the hack that put the authservice parameter
in the dcerpc_binding struct as it can now be read directly from
dcerpc_interface_table.
I will now modify some of these functions to take a dcerpc_syntax_id
structure rather then a full dcerpc_interface_table.
(This used to be commit 8aae0f168e)
BASIC_INFORMATION
DISPOSITION_INFORMATION
ALLOCATION_INFORMATION
END_OF_FILE_INFORMATION
POSITION_INFORMATION
MODE_INFORMATION
(This used to be commit 8804b6a7eb)
- added a SMB2-SCANGETINFO test for scanning for available info levels
- added names for the info levels I recognise to smb2.h
(This used to be commit fe5986067e)
metze
r8017@SERNOX: metze | 2005-06-30 13:44:23 +0200
create the SAMBA_4_0 branch for the Summer Of Code Project
metze
r8730@SERNOX: brad | 2005-07-24 03:09:48 +0200
Branching Samba 4
r8731@SERNOX: brad | 2005-07-24 06:39:00 +0200
added 'make installmisc' to howto.txt
added existing 'compression' option to level8 drsuapi torture test
added new 'neighbour_writeable' option to level8 drsuapi torture test
r8732@SERNOX: brad | 2005-07-24 06:42:38 +0200
added metze's dssync patch as source/torture/rpc/dssync.c
r8739@SERNOX: brad | 2005-07-25 00:24:46 +0200
added a test called RPC-DSSYNC to config.mk
hacking at dssync.c in an attempt to make it compile
r8754@SERNOX: brad | 2005-07-25 15:19:21 +0200
Changing dssync.c to use ldb routines for accessing ldap rather than raw ldap calls.
r8765@SERNOX: brad | 2005-07-26 03:35:38 +0200
more ldb changes to test_CompleteJoin(), it mostly kind of almost works now!
r8766@SERNOX: brad | 2005-07-26 03:56:00 +0200
Trying to fix the crazy nesting in the branch
r8769@SERNOX: brad | 2005-07-26 04:48:29 +0200
merging latest changes
r8770@SERNOX: brad | 2005-07-26 04:53:43 +0200
removing nested branch
r8793@SERNOX: jerry | 2005-07-27 05:04:57 +0200
merging on of Brad missing changes from the nested 4.0 branch debacle
r8794@SERNOX: jerry | 2005-07-27 05:14:42 +0200
syncing up with the main 4_0 branch for Brad
r8842@SERNOX: brad | 2005-07-29 00:26:30 +0200
merging changes from branches/SAMBA_4_0
r8850@SERNOX: brad | 2005-07-29 21:07:57 +0200
Bringing my tree up to date
r8851@SERNOX: brad | 2005-07-30 00:48:04 +0200
making dssync.c more ldb-centric, reverted samlogon.c from rev. 8845 to get my branch to compile again.
r8856@SERNOX: brad | 2005-07-30 03:20:33 +0200
I think I have the ldb code down in test_CompleteJoin (not complete yet though)
r8860@SERNOX: brad | 2005-07-30 07:08:13 +0200
Changed comments to C style /**/ (thanks Richard), some more changes to test_CompleteJoin().
r8862@SERNOX: brad | 2005-07-31 04:45:32 +0200
Bringing the SOC/SAMBA_4_0 branch up to date.
r8863@SERNOX: brad | 2005-07-31 20:00:41 +0200
Updated some missing files from the branch
r8864@SERNOX: brad | 2005-07-31 20:25:50 +0200
Removing autogenerated files from branch
r8865@SERNOX: brad | 2005-07-31 20:43:58 +0200
last of the unneeded files in SOC/SAMBA_4_0
r9004@SERNOX: brad | 2005-08-03 18:51:23 +0200
r5214@buttercup: j0j0 | 2005-08-03 10:44:30 -0600
r@buttercup: j0j0 | 2005-08-02 22:54:13 -0600
creating a local branch of branches/SAMBA_4_0
r9013@SERNOX: brad | 2005-08-03 20:57:48 +0200
r5228@buttercup: j0j0 | 2005-08-03 13:00:11 -0600
Fixing differences between this branch and /branches/SAMBA_4_0
r9014@SERNOX: brad | 2005-08-03 21:18:05 +0200
r5231@buttercup: j0j0 | 2005-08-03 13:23:12 -0600
Updating config.mk so that smbtorture builds again
r9061@SERNOX: brad | 2005-08-04 18:17:36 +0200
r5249@buttercup: j0j0 | 2005-08-03 21:01:02 -0600
Start using libnet_Join() for DC join.
r9062@SERNOX: brad | 2005-08-04 18:17:47 +0200
r5250@buttercup: j0j0 | 2005-08-04 10:21:34 -0600
Some more work towards performing a dc join.
r9064@SERNOX: brad | 2005-08-04 18:53:51 +0200
r5253@buttercup: j0j0 | 2005-08-04 10:53:00 -0600
Fixed a bug (passing a TALLOC_CTX to libnet_context_init() )
r9069@SERNOX: brad | 2005-08-04 21:59:55 +0200
r5279@buttercup: j0j0 | 2005-08-04 14:04:55 -0600
Some more work on the domain join
r9117@SERNOX: brad | 2005-08-05 16:50:26 +0200
r5281@buttercup: j0j0 | 2005-08-05 08:55:58 -0600
Committing minor changes before merge
r9180@SERNOX: brad | 2005-08-07 17:25:25 +0200
r5314@buttercup: j0j0 | 2005-08-07 09:30:12 -0600
Reworked libnet_join to use two join levels, AUTOMATIC and SPECIFIED.
r9181@SERNOX: brad | 2005-08-07 17:25:36 +0200
r5315@buttercup: j0j0 | 2005-08-07 09:31:22 -0600
Working with libnet_Join(), code cleanup needed in the near future.
r9192@SERNOX: brad | 2005-08-07 21:40:22 +0200
r5373@buttercup: j0j0 | 2005-08-07 13:46:09 -0600
Some code cleanup to make things a little more readable.
r9249@SERNOX: brad | 2005-08-12 01:31:48 +0200
r5375@buttercup: j0j0 | 2005-08-11 17:38:44 -0600
Split libnet_JoinDomain() into libnet_JoinDomain() and libnet_JoinADSDomain().
r9256@SERNOX: brad | 2005-08-12 04:55:11 +0200
r5413@buttercup: j0j0 | 2005-08-11 21:02:27 -0600
Clean up libnet_JoinADSDomain() a little, added a comment to the test_join struct.
r9314@SERNOX: brad | 2005-08-16 03:53:20 +0200
r5436@buttercup: j0j0 | 2005-08-15 20:01:21 -0600
libnet_JoinDomain() should honour LIBNET_JOIN_TORTURE now.
torture_join_domain() should properly use libnet_JoinDomain().
dssync.c uses torture_join_domain() again.
r9351@SERNOX: brad | 2005-08-17 07:15:31 +0200
r5438@buttercup: j0j0 | 2005-08-16 23:23:58 -0600
Removed LIBNET_JOIN_TORTURE level, as it became unnecessary once libnet_Join_primary_domain() handled netbios names better.
Corrected libnet_JoinDomain() and libnet_JoinADSDomain().
r9352@SERNOX: brad | 2005-08-17 07:24:49 +0200
r5440@buttercup: j0j0 | 2005-08-16 23:33:25 -0600
Fixed a typo.
r9354@SERNOX: metze | 2005-08-17 10:28:25 +0200
remove object files from svn
metze
r9376@SERNOX: brad | 2005-08-18 05:15:48 +0200
r5476@buttercup: j0j0 | 2005-08-17 21:24:33 -0600
Proof that I shouldn't code when i'm tired (silly bugfixes).
r9405@SERNOX: brad | 2005-08-19 22:50:10 +0200
r5500@buttercup: j0j0 | 2005-08-19 14:56:25 -0600
Get dssync.c compiling again after merge (ldb_dn changes from rev. 9391).
r9407@SERNOX: brad | 2005-08-20 03:22:42 +0200
r5502@buttercup: j0j0 | 2005-08-19 19:28:22 -0600
libnet/libnet_join.c
Some more fixes so ldb uses ldb_dn's.
torture/rpc/dssync.c
Some debugging printf()'s.
ldb_dn fixes.
torture/rpc/testjoin.c
Change torture_join_domain() to use libnet_JoinDomain() rather than libnet_Join().
Some more debugging statements.
I'm not sure why, but GUID_all_zero(user_handle.uuid) is returning true in torture_leave_domain() when called it from torture_destroy_context() in torture/rpc/dssync.c.
That's what i'm working out now.
r9427@SERNOX: brad | 2005-08-20 18:38:29 +0200
r5504@buttercup: j0j0 | 2005-08-20 10:44:52 -0600
Some bugfixes.
Removed a bunch of debugging code.
torture_leave_domain() works again! not 100% perfect yet though...
r9428@SERNOX: brad | 2005-08-20 19:09:26 +0200
r5506@buttercup: j0j0 | 2005-08-20 11:15:54 -0600
Restructure torture_join_domain() so that it joins itself, removes itself, and joins itself to the domain again to ensure that its account information is all current and as expected.
r9452@SERNOX: brad | 2005-08-21 19:33:51 +0200
r5508@buttercup: j0j0 | 2005-08-21 11:40:36 -0600
Bugfixes, trying to get things straight between contexts.
r9467@SERNOX: brad | 2005-08-22 04:00:48 +0200
r5510@buttercup: j0j0 | 2005-08-21 20:06:55 -0600
Another round of bugfixing.
r9521@SERNOX: brad | 2005-08-23 15:26:44 +0200
r5596@buttercup: j0j0 | 2005-08-23 07:33:06 -0600
Merging changes
r9524@SERNOX: metze | 2005-08-23 16:09:42 +0200
- fix the build caused by changes in the main samba4 tree,
- add an option "dssync:german=yes" to allow me to run against my german w2k3 server
this should be replaces by CLDAP calls to get the Default-First-Site-Name dynamicly
- remove some temporary comments, as DsAddEntry works now
metze
r9528@SERNOX: metze | 2005-08-23 18:22:22 +0200
the RPC-DSSYNC test is now able to fetch the whole tree,
including the unicodePwd, ntPwdHistory fields
metze
r9559@SERNOX: brad | 2005-08-24 04:11:47 +0200
r5612@buttercup: j0j0 | 2005-08-23 20:19:12 -0600
Some fixes around using talloc in a hierarchical fashion.
Still not right, but better.
r9564@SERNOX: brad | 2005-08-24 05:43:11 +0200
r5614@buttercup: j0j0 | 2005-08-23 21:50:38 -0600
Gave libnet_JoinADSDomain() its own tmp_ctx rather than passing it from libnet_JoinDomain() as a parameter (yuk).
As a side effect, it proves that my bug lies in libnet_JoinDomain(), not libnet_JoinADSDomain().
r9565@SERNOX: brad | 2005-08-24 06:09:46 +0200
r5616@buttercup: j0j0 | 2005-08-23 22:17:12 -0600
Small fix, if r->out.error_string and r2->samr_handle.out.error_string weren't set to NULL, torture_join_domain() would segfault on the second join.
r9630@SERNOX: brad | 2005-08-26 06:42:50 +0200
Commented out the parts of the dssync test which perform the dc join and create/remove associated ldap entries.
Commented out the test for the 'german' dssync option, because now we detect the Site-Name using CLDAP. If cldap_netlogon() does not return ok, the code defaults to 'Default-First-Site-Name'.
r9670@SERNOX: brad | 2005-08-27 02:30:11 +0200
Added a patch from metze.
To showcase what i've learned today, i've created two new parameters which can be set at runtime, drsuapi:last_usn and drsuapi:partition.
drsuapi:last_usn takes an integer representing the USN of the last recieved replication update for a particular partition (uses the domain dn if drsuapi:parition isn't set).
That value is passed in the DsGetNCChanges() call so that only info which has been updated since that point in time is returned. If this option is not set, 0 is used by default, and all updates for that partition are returned.
drsuapi:partition takes a string dn and uses that as the name of the AD partition to replicate.
Some debugging output was also added.
r9723@SERNOX: brad | 2005-08-29 01:07:51 +0200
Added some copyright notices.
Changed some things in net_join.c to try and figure out why 'net join <domain> bdc' segfaults.
It occurs when the last talloc_free() happens, so i'm sure it's something to do with the memory fiddling i'm doing in libnet_join.
Added some drsuapi attribute ids that I figured out today.
I put some (many, dry) notes together while doing that, so i'll try to put them up on a blog at samba.org a little later tonight.
r9740@SERNOX: metze | 2005-08-29 16:58:03 +0200
fix up the DsGetNCchanges loop,
and remove misleading comments
metze
r9743@SERNOX: metze | 2005-08-29 17:26:45 +0200
make the logic a bit clearer
metze
r9815@SERNOX: brad | 2005-08-31 02:36:21 +0200
Added cldap_netlogon() AD Site-Name lookup into libnet/libnet_join.c.
Bugfixing rampage in libnet_join.c to resolve misunderstanding of talloc_steal().
libnet_join now creates the CN=<netbios name>,CN=Servers,CN=<site name>,CN=Sites,CN=Configuration,<domain dn> container on a dc join.
r9858@SERNOX: brad | 2005-09-01 03:17:17 +0200
Removed extraneous NDR_ALL subsystem requirement from torture/config.mk.
Added lots of error checking as per metze's advice.
Removed commented out code.
More bug chasing.
r9863@SERNOX: brad | 2005-09-01 05:53:19 +0200
Cleaned up dssync.c, removed the unneeded DsCrackNames() call, removed DC join/leave related stuff.
It no longer looks like my house does!
r9887@SERNOX: metze | 2005-09-01 11:34:03 +0200
- fix dssync:highest_usn parameter handling
- ask for LINKED_ATTRIBUTE replication
metze
r9891@SERNOX: metze | 2005-09-01 14:13:18 +0200
make the code more readable, and fix a few bugs
metze
r9911@SERNOX: brad | 2005-09-01 20:36:27 +0200
Bugfixes in libnet_join.c.
Cleaned up comments.
Added domain_dn_str and account_dn_str to struct libnet_JoinDomain.
Removed struct dcerpc_pipe *samr_pipe and struct policy_handle user_handle from struct libnet_Join.
r9920@SERNOX: brad | 2005-09-01 23:34:13 +0200
Added disclaimer (I can't seem to get libnet_JoinDomain() to keep the samr_pipe and u_handle open past the function call, grrrr....).
r9921@SERNOX: brad | 2005-09-01 23:37:54 +0200
Added copyright statement.
Cleaned up unneeded variables from torture_join_domain().
r9932@SERNOX: brad | 2005-09-02 01:49:42 +0200
Really rushed project notes.
r10841@SERNOX: metze | 2005-10-08 20:01:45 +0200
remove diff to main SAMBA_4_0 branch
metze
r10862@SERNOX: metze | 2005-10-10 10:31:52 +0200
remove the differences between SAMBA_4_0 and SOC/SAMBA_4_0
metze
r10863@SERNOX: metze | 2005-10-10 10:34:26 +0200
fix the build
metze
r10864@SERNOX: metze | 2005-10-10 11:10:08 +0200
remove README file to reduce, diffs to main SAMBA_4_0 branch:
metze
README:
This project was centered around adding a torture test to Samba 4, which used drsuapi_DsGetNCChanges() to retrieve the contents of an Active Directory in the same manner as an Active Directory DC replication event.
As the project unfolded, I also applied some changes to the functionality of the libnet library related to joining a machine account to a domain.
One of the first things that I implemented in this project was a 'neighbour_writeable' option for the RPC-DRSUAPI torture test. The command line to execute this torture test is as follows:
smbtorture --option=drsuapi:neighbour_writeable=True -W <domain name> -U <admin username>%<password> ncacn_ip_tcp:<domain controller dns name> RPC-DRSUAPI
This option provides us with runtime control over the DRSUAPI_DS_REPLICA_NEIGHBOUR_WRITEABLE flag in the struct drsuapi_DsGetNCChanges.in.req.req<level>.replica_flags, allowing us to easily test for differences in the behaviour of AD replication with the switch on or off.
In the course of the project, I also implemented two more flags for the RPC-DSSYNC test. dssync:last_usn takes an integer representing the USN (Universal Serial Number) of the last recieved replication update for a particular partition (uses the domain DN if drsuapi:parition isn't set). That value is passed in the DsGetNCChanges() call so that only info which has been updated since that point in time is returned. If this option is not set, 0 is used by default, and all updates for that partition are returned. dssync:partition takes a string DN and uses that as the name of the AD partition to replicate.
Based initially on a patch provided to me by one of my mentors, Stephan (metze) Metzmacher, the RPC-DSSYNC test was implemented for this project. Initially functionality was included to perform a DC join prior to initiating replication, but the code was removed when it was realized that replication could indeed take place without being a member of the domain in any way. It has been recently suggested that we may need a DC join after all to get all of the information we may want from the AD replication. This is probably best added using a torture_join_domain() call once the libnet code is able to keep the user policy handle and SAMR RPC pipe open.
The DC join code was taken out of the RPC-DSSYNC and implemented for the most part in the libnet libraries. To test this, the RPC-NETLOGON test was modified to perform a domain join, leave and rejoin. Currently, the test has a fault in that it is unable to leave the domain using the same SAMR RPC pipe and user_policy information as was used for the first join. This is because I was unable to get the code working properly in libnet to provide that functionality. Currently missing from the DC join in libnet is the code to create the CN=NTDS Settings,CN=<DC NETBIOS NAME>,CN=<Site-Name>,CN=Sites,CN=Configuration,<domain DN> container using the dcerpc_drsuapi_DsAddEntry() call. I did not want to implement this functionality in libnet while there were still problems with the code.
I also provided the ability in libnet and the RPC-DSSYNC test to look up the proper site name using the cldap library.
In my investigations, I was unable to find out any information regarding the UnicodePwd attribute, except that the same password is represented differently for two different users in the same directory.
I was also able to resolve and confirm the meaning of some DRSUAPI_ATTRIBUTE ID's.
DRSUAPI_OBJECTCLASS_domain (0xA0042)
DRSUAPI_OBJECTCLASS_domainDNS (0xA0043)
wellKnownObjects (0x9026A)
fSMORoleOwner (0x90171)
name or dc (0x90001)
whenCreated (0x20002)
instanceType (0x20001)
gPLink (0x9037B)
These were added to the IDL for drsuapi (source/librpc/idl/drsuapi.idl).
I would like to thank everyone on the Samba team who worked with me and assisted me with this project, specifically all the work done by Stephan Metzmacher, Andrew Bartlett and Jerry Carter. Working on this project with the Samba team really has been a life changing experience, as corny as that sounds.
I've realized that I was born to be a systems developer, and it has helped confirm in my mind that Open Source (specifically Samba) development is exactly what i've been missing!
I would also like to take this opportunity to thank Chris Dibona and Google for the amazing opportunity. I don't know if I would have taken the leap in other circumstances.
I know these notes sound a little rushed, but it is 23:55 after all! :)
(This used to be commit 55552b41cb)
Also add torture tests for this function and file_{load,save}. I've hardcoded
a file name here.. should I handle that neater somehow?
(This used to be commit 8fa383f182)
an ADS join, particularly as a DC. This represents the bulk of his
Google SOC work, and I'm very pleased to intergrate it into the tree.
(Metze will intergrate the DRSUAPI work later).
Both metze and myself have also put a lot of time into this patch, and
in mentoring Brad in general. In return, Brad has been a very good
student, and has taken the comments well.
Since it's last appearance on samba-technical@, I have made
correctness and valgrind fixups, as well as adding a new 'BINDING'
mode to the libnet_rpc routines. This allows the exact binding string
to be passed down from the torture code, including options and exact
target host.
Andrew Bartlett
(This used to be commit d6fa105fda)
that a given set of (working) POSIX functions are available (without
prefixes to their names, etc). See lib/replace/README for a list.
Functions that behave different from their POSIX specification
(such as sys_select, sys_read, etc) have kept the sys_ prefix.
(This used to be commit 29919a7105)
NTCREATEX_DISP_CREATE (create if not exists, else fail) they might end up with
two or more times NT_STATUS_OK as EEXIST is not correctly handled.
Jeremy, please look closely at this. You can easily verify this by adding a
smb_msleep(100) to the top of open_file_ntcreate and run the new samba4
torture test. It does also happen without the msleep, but not as reliably.
Thanks,
Volker
(This used to be commit c803d4c9a5)
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b385)
file_load() to use talloc, which impacted quite a few bits of code,
including our smb.conf processing.
took the opportunity to remove the gloabls in params.c while doing this
(This used to be commit b220756cb4)
NT_STATUS_INVALID_HANDLE on a per call basis for a bad vuid. That
means it is doing checking for a valid vuid in each backend function,
rather than globally. I don't want to emulate that as it is way too
error prone, and could easily lead to a security hole, so instead
accept either error code in our test suite.
(This used to be commit aefa9e53fa)
The biggest change was fixing the RAW-CONTEXT test. It was forcing
capabilities to zero in an attempt to not negotiated extended
security, but as a side effect it was forcing negotiation of dos error
codes. This confused the hell out of the test code!
Also fixed a bunch of places incorrectly using NT_STATUS_V() instead
of NT_STATUS_EQUAL() and several places that had the wrong dos status
codes
(This used to be commit 0b22744f40)
much closer.
This changes PIDL to allow a subcontext to have a pad8 flag, saying to
pad behind to an 8 byte boundary. This is the only way I can explain
the 4 trainling zeros in the signature struct.
Far more importantly, the PAC code is now under self-test, both in
creating/parsing our own PAC, but also a PAC from my win2k3 server.
This required changing auth_anonymous, because I wanted to reuse the
anonymous 'server_info' generation code.
I'm still having trouble with PIDL, particulary as surrounds value(),
but I'll follow up on the list.
Andrew Bartlett
(This used to be commit 50a54bf4e9)
with 'nt status support' option.
- make nt_errstr() display nice strings for dos status codes encoded
using NT_STATUS_DOS()
- no longer map between dos and nt status codes in the client library,
instead return using NT_STATUS_DOS()
- fixed the RAW-CONTEXT test to look for
NT_STATUS_DOS(ERRSRV, ERRbaduid) instead of NT_STATUS_INVALID_HANDLE
(This used to be commit ff5549e87f)
don't like to bother with netbios type names when looking for common
types: hosts (servers) and domain controllers. Also, apropriate tests
rafal
(This used to be commit 50cd94be0f)
server as to the CIFS session key.
JRA had pain with this being wrong against NT4 (without spnego), hence
this specific test.
Andrew Bartlett
(This used to be commit 47f433708b)
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485b)
There is now a new --debug-stderr option to enable debug to STDERR.
popt isn't perfect, but the callbacks are used in all the main Samba
binaries, and should be used in the rest. This avoids duplicated
code, and ensures every binary is setup correctly.
This also ensures the setup happens early enough to have -s function,
and have a correct impact on the credentials code. (Fixing a bug that
frustrated tridge earlier today).
The only 'subtle' aspect of all this is that I'm pretty sure that the
SAMBA_COMMON popt code must be above the CREDENTIALS code, in the
popt tables.
Andrew Bartlett
(This used to be commit 50f3c2b3a2)
get stuck waiting on no file descriptors, with no timeout, so it sits
forever. I need to fix that bug separately, but to prevent build farm
machines being totally stuck, this timeout will be used.
(This used to be commit 5cccf0a770)
management system I proposed on samba-technical a couple of days
ago. Essentially it is a very lightweight way for any code in Samba to
make IDL based rpc calls to anywhere else in the code, without the
client or server having to go to the trouble of setting up a full rpc
service.
It can be used with any of our existing IDL, but I expect it will
mostly be used for a new set of Samba specific management calls.
The LOCAL-IRPC torture test demonstrates how it can be used by calling
the echo_AddOne() call over this transport.
(This used to be commit 3d589a0995)
interestingly, w2k3 seems to have 4 different varients of the netlogon
cldap response. We decode two of them so far. The other two are tricky
as they aren't distinguished by a command code, they use the same
command codes (0x13 and 0x17) but have quite a different format. Very
strange!
(This used to be commit 58f1c39282)
suite. The NBT-DGRAM test does a UDP/138 netlogon request, to which a
windows server sends a reply, but the windows server sends the reply
to the wrong port (it always sends to 138), so the test suite doesn't
see it.
(This used to be commit a7634625db)
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a)
The main volume of this patch was what I started working on today:
- Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context.
- Uses sepereate inner loops for some of the DCE/RPC tests
The other and more important part of this patch fixes issues
surrounding the new credentials framwork:
This makes the struct cli_credentials always a talloc() structure,
rather than on the stack. Parts of the cli_credentials code already
assumed this.
There were other issues, particularly in the DCERPC over SMB handling,
as well as little things that had to be tidied up before test_w2k3.sh
would start to pass.
Andrew Bartlett
(This used to be commit 0453f9d05d)
puts support for it into popt_common, adds a few utility functions
(in lib/credentials.c) and the callback functions for the command-line
(lib/cmdline/credentials.c). Comments are welcome :-)
(This used to be commit 1d49b57c50)
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc2)
DCOM paper in lorikeet. This is the result of 1.5 months work (mainly
figuring out how things *really* work) at the end of 2004.
In general:
- Clearer distinction between COM and DCOM. DCOM is now merely
the glue between DCE/RPC+ORPC and COM. COM can also work without
DCOM now. This makes the code a lot clearer.
- Clearer distinction between NDR and DCOM. Before, NDR had a couple of
"if"s to cope with DCOM, which are now gone.
- Use "real" arguments rather then structures for function arguments in
COM, mainly because most of these calls are local so packing/unpacking
data for every call is too much overhead (both speed- and code-wise)
- Support several mechanisms to load class objects:
- from memory (e.g. part of the current executable, registered at start-up)
- from shared object files
- remotely
- Most things are now also named COM rather then DCOM because that's what it
really is. After an object is created, it no longer matters whether it
was created locally or remotely.
There is a very simple example class that contains
both a class factory and a class that implements the IStream interface.
It can be tested (locally only, remotely is broken at the moment)
by running the COM-SIMPLE smbtorture test.
Still to-do:
- Autogenerate parts of the class implementation code (using the coclass definitions in IDL)
- Test server-side
- Implement some of the common classes, add definitions for common interfaces.
(This used to be commit 71fd3e5c3a)
- Disable all current DCOM functionality (I hope to commit
a large bunch of COM and DCOM changes later today)
- Make remact and oxidresolver depend on orpc rather then dcom
(This used to be commit f298f2a547)
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e90)
- change the iface_n_*() functions to return a "const char *" instead of a "struct ipv4_addr"
I think that in general we should move towards "const char *" for
all IP addresses, as this makes IPv6 much easier, and is also easier
to debug. Andrew, when you get a chance, could you fix some of the
auth code to use strings for IPs ?
- return a NTSTATUS error on bad name queries and node status instead
of using rcode. This makes the calling code simpler.
- added low level name release code in libcli/nbt/
- use a real IP in the register and wins nbt torture tests, as w2k3
WINS server silently rejects some operations that don't come from the
IP being used (eg. it says "yes" to a release, but does not in fact
release the name)
(This used to be commit bb1ab11d8e)
NBT-REGISTER test that tests that a server correctly defends its name
against broadcast name registrations.
Jeremy, you might like to look at this. Samba3 nmbd fails to respond.
(This used to be commit bb1298a2eb)
which will eventually try all resolution methods setup in smb.conf
- only resolution backend at the moment is bcast, which does a
parallel broadcast to all configured network interfaces, and takes
the first reply that comes in (this nicely demonstrates how to do
parallel requests using the async APIs)
- converted all the existing code to use the new resolve_name() api
- removed all the old nmb code (yay!)
(This used to be commit 239c310f25)
I decided to incorporate the udp support into the socket_ipv4.c
backend (and later in socket_ipv6.c) rather than doing a separate
backend, as so much of the code is shareable. Basically this adds a
socket_sendto() and a socket_recvfrom() call and not much all.
For udp servers, I decided to keep the call as socket_listen(), even
though dgram servers don't actually call listen(). This keeps the API
consistent.
I also added a simple local sockets testsuite in smbtorture,
LOCAL-SOCKET
(This used to be commit 9f12a45a05)
- added async support to the negprot client code
- removed two unused parameters from smbcli_full_connection() code
- converted smbclient to use smbcli_full_connection() rather than
reinventing everything itself
(This used to be commit 71cbe28734)
socket connections. This was complicated by a few factors:
- it meant moving the event context from clitransport to clisocket,
so lots of structures changed
- we need to asynchronously handle connection to lists of port
numbers, not just one port number. The code internally tries each
port in the list in turn, without ever blocking
- the man page on how connect() is supposed to work asynchronously
doesn't work in practice (now why doesn't this surprise me?). The
getsockopt() for SOL_ERROR is supposed to retrieve the error, but
in fact the next (unrelated) connect() call on the same socket also
gets an error, though not the right error. To work around this I
need to tear down the whole socket between each attempted port. I
hate posix.
Note that clisocket.c still does a blocking name resolution call in
smbcli_sock_connect_byname(). That will be fixed when we add the async
NBT resolution code.
Also note that I arranged things so that every SMB connection is now
async internally, so using plain smbclient or smbtorture tests all the
async features of this new code.
(This used to be commit 468f8ebbfd)
change was in the ldb_msg_add_*() routines, which now use the msg as a context,
and thus it needs to be a talloc ptr)
(This used to be commit 1a4713bfd0)
- change smbcli_read/write to take void * for the buffers to match read(2)/write(2)
all this fixes a lot of gcc-4 warnings
metze
(This used to be commit b94f92bc66)
This removes the duplicate named SEC_RIGHTS_MAXIMUM_ALLOWED and
SEC_RIGHTS_FULL_CONTROL, which are just other names for
SEC_FLAG_MAXIMUM_ALLOWED and SEC_RIGHTS_FILE_ALL. The latter names
match the new naming conventions in security.idl
Also added names for the generic->specific mappings for files are
directories
(This used to be commit 17a4e0b3ac)
- removed the clitar code. It is unmaintained, and a horribly badly done hack
- removed client.h as it contained mostly unused definitions
- removed the unused clidfs.c code
(This used to be commit 31a7bddbb3)
definitions for security access masks, in security.idl
The previous definitions were inconsistently named, and contained many
duplicate and misleading entries. I kept finding myself tripping up
while using them.
(This used to be commit 01c0fa722f)
clear what the correct behaviour is for delayed stat info update.
- use a common torture_setup_dir() function for setting up a test
directory in torture tests.
(This used to be commit f7fb34715b)
Break out the samsync tests from RPC-NETLOGON into a new RPC-SAMSYNC,
that will cross-verify all the values.
Add support for the way netlogon credentials are shared between the
pipe that sets up schannel and the pipe that is encrypted with it.
Test this support, by calling both NETLOGON and SAMR operations in the
RPC-SCHANNEL test.
Move some of the Netlogon NEG flags into the .idl, now we have an idea
what a few of them really are.
Rename the sam_pwd_hash into a name that has meaning (all other crypto
functions were renamed in Samba4 ages ago).
Break out NTLMv2 functionality for operation on the NT hash - I intend
to do NTLMv2 logins in the samsync test in future, and naturally I
only have the hash.
Andrew Bartlett
(This used to be commit 6e6cc6fb98)
RPC-SAMLOGON of their own.
I have expanded the tests to validate the use of various flags, which
change some of the crypto behaviour.
Andrew Bartlett
(This used to be commit 3a140a3691)
Samba3/OpenLDAP for. For a concrete situation you have to adapt the domain,
pdcname and usernames/passwords. Sorry, not parametrized yet, but this should
be doable if necessary.
Volker
(This used to be commit 02f5205872)
parsing, so that module init can take account of lp_ parms (thats
why gensec:krb5=no wasn't working)
- added a BASE-DISCONNECT torture test that tests server response to
clients disconnecting with open lock and open requests pending
(This used to be commit 5205f598b8)
this test demonstrates how w2k3 handles the special semantics of
DENY_DOS when 2 opens happen on the same connection. The 2nd open
doesn't actually do a NTFS open, it happens as a secondary reference
to the same internal file handle in the CIFS layer. The evidence is
that the 2nd open shares the same POSITION_INFORMATION field as the
first open, but only for the special DENY_DOS cases that would
normally be refused.
(This used to be commit eeec57d4f6)
Both subsystems and modules can now have init functions, which can be
specified in .mk files (INIT_FUNCTION = ...)
The build system will define :
- SUBSYSTEM_init_static_modules that calls the init functions of all statically compiled modules. Failing to load will generate an error which is not fatal
- BINARY_init_subsystems that calls the init functions (if defined) for the subsystems the binary depends on
This removes the hack with the "static bool Initialised = " and the
"lazy_init" functions
(This used to be commit 7a8244761b)
- Support for sending over the object UUID in DCERPC calls
- Simple torture test for the DCOM "Simple" object
- Generate extra argument for "object" interfaces in pidl
- Some stubs for common DCOM functions
(This used to be commit c052f2e1ed)
deferred reply is short-circuited immediately when the file is
closed by another user, allowing it to be opened by the waiting user.
- added a sane set of timeval manipulation routines
- converted all the events code and code that uses it to use struct
timeval instead of time_t, which allows for microsecond resolution
instead of 1 second resolution. This was needed for doing the pvfs
deferred open code, and is why the patch is so big.
(This used to be commit 0d51511d40)
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
knows about inter-IDL dependencies
(This used to be commit 7b7477ac42)
total include lines in compiling C files in Samba (the .gch file is
now 5M instead of 12M)
This also gets rid of the silly gtk compile warning for non-gtk code
(This used to be commit 8ebd20cf55)
Add torture test for RemoteActivation
The request is now send correctly and we get back a valid response
from Windows but r->in.Interfaces is set to 0 somewhere while parsing
the response...
(This used to be commit cabec03422)
- added new tests BASE-NTDENY1 and BASE-NTDENY2. These are the
ntcreatex equivalents of the BASE-DENY1 and BASE-DENY2
tests. Unfortunately, with ntcreatex there are 4 million combination
and trying each one takes 1 second, so randomised testing is the
only choice. The BASE-DENY1 test can operate in parallel with
hundreds of connections, speeding things up a bit (as most time is
spent waiting 1 second for a sharing violation to come back)
(This used to be commit b95493d3d1)
- made idtree return a "struct idr_context *" instead of a void*
- more efficient idr_remove for ids that are not present (patch from Jim Houston)
(This used to be commit f8d12d4b4a)
Add local test for testing the functions dcerpc_parse_binding(),
dcerpc_binding_string() and dcerpc_binding_build_tower()
(This used to be commit 7a07c2c769)
- added the new messaging system, based on unix domain sockets. It
gets over 10k messages/second on my laptop without any socket
cacheing, which is better than I expected.
- added a LOCAL-MESSAGING torture test
(This used to be commit 3af06478da)