1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

102173 Commits

Author SHA1 Message Date
Amitay Isaacs
ad5b9c3df2 ctdb-client: Increase the timeout for TRANS3_COMMIT control
On a busy system, TRANS3_COMMIT control can take upto or longer than
3 seconds.  On timeout, there are few possible outcomes.

1. The transaction has completed on all nodes and TRANS3_COMMIT control
   has returned.  In such a case, there is no problem.

2. The transaction has completed on the local node, but TRANS3_COMMIT
   control is still active.  In such a case, ctdb_transaction_commit()
   can return successfully.  If this is being called from ctdb, then
   ctdb will exit.  This will cause ctdb daemon to trigger recovery
   since the client exited while transaction is active.  This will cause
   unnecessary recovery.

3. Database recovery was started and ctdb_transaction_commit() will
   retry till the recovery completes the transaction.

Increasing the timeout to 30 seconds will avoid the spurious database
recoveries when TRANS3_COMMIT control takes longer to finish.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Mar 11 19:59:53 CET 2016 on sn-devel-144
2016-03-11 19:59:53 +01:00
Volker Lendecke
9341c02a89 smbd: Prevent a crash
smb2srv_session_close_previous_check crashes if
ndr_pull_smbXsrv_session_globalB fails for some reason. It depends on "is_free"
to be correctly set. All we can do for an invalid database is to discard the
record and set it free.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 11 00:12:18 CET 2016 on sn-devel-144
2016-03-11 00:12:18 +01:00
Jeremy Allison
a971cfe0ef s3: smbd: Simplify logic inside rename_internals_fsp() part 2
Removes the use of an extraneous 'struct smb_filename *'
which wasn't being created correctly, only as a place
holder for two char * pointers.

Use split_stream_filename() to create the char * pointers
directly and make it clearer what we're up to here.

The logic here is still complex, but I'm satified
it does the correct thing.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Jeremy Allison
bffa598c04 s3: smbd: Simplify logic inside rename_internals_fsp() part 1.
Use standard parent_dirname() function instead of hand-hacking
using strrchr_m(xxx, '/'). Next commit should enable removal
of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Jeremy Allison
b4246f863c s3:lib: Move internal lp_posix_pathnames() call out of utility function synthetic_smb_fname_split().
Make it a passed in parameter instead.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Jeremy Allison
153af65e44 s3:lib: Remove the const SMB_STRUCT_STAT * parameter from synthetic_smb_fname_split().
Only one caller uses this, and this can be handled externally.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Jeremy Allison
e2056f843d s3:lib: Rewrite synthetic_smb_fname_split() to use split_stream_filename().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Jeremy Allison
59f6a73c93 s3:lib. Add split_stream_filename() Not yet used.
Will replace internals of synthetic_smb_fname_split().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2016-03-10 20:55:09 +01:00
Uri Simchoni
b96511f81b selftest: add some test cases to net ads join
Perform a testjoin between steps to verify join status
Perform most testjoins with machine account because that's
the more common case.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Thu Mar 10 14:41:13 CET 2016 on sn-devel-144
2016-03-10 14:41:13 +01:00
Uri Simchoni
b27cf10c0c selftest: run net ads join test in a private client env
net ads join command changes machine password, thus affecting
the test environment beyond the thing we want to test.

This cange runs the test in a private client env, with its
own hostname, newly-generated machine SID, and a separate
secrets.tdb, thus not affecting the running AD member server,

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-03-10 11:27:29 +01:00
Stefan Metzmacher
645e777b0a s4:rpc_server: dcesrv_generic_session_key should only work on local transports
This matches modern Windows servers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144
2016-03-10 10:15:21 +01:00
Stefan Metzmacher
58b33896b6 s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error
Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
5a397216d4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
af8c4ebf9b s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top
This is the only way to get a reliable transport session key.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
f699eb3b1a s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp
It requires a transport session key, which is only reliable available
over SMB.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
c793b23ddb s4:torture: the backupkey tests need to use ncacn_np: for LSA calls
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
0400f301e3 s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np
ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Stefan Metzmacher
1433501822 s3:libsmb: remove unused functions in clispnego.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
95b953950d s3:libsmb: remove unused cli_session_setup_kerberos*() functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
0e1b2ebf88 s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
907e2b1f66 s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
285c342f01 s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair
It will be possible to use this for more than just NTLMSSP in future.

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
576257f6e1 s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
afffe79754 s3:libsmb: unused ntlmssp.c
Everything uses the top level ntlmssp code via gensec now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
4f6fe27c70 s3:libsmb: make use gensec based SPNEGO/NTLMSSP
This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
2cb07ba50d s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
c5d7956364 s3:libads: keep service and hostname separately in ads_service_principal
Caller will use them instead of the full principal in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
0c204e1192 s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
139ce7d8b6 s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function
It will be possible to use this for more than just NTLMSSP in future.

Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
c6f79cfa86 s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()
This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
357d37fa11 s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE
This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:30 +01:00
Stefan Metzmacher
8f9a9633e4 s3:libads: add missing TALLOC_FREE(frame) in error path
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
0ebe929810 s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
c431543fb9 s4:selftest: simplify the loops over samba4.ldb.ldap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
5cf8546674 s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true
The LDAP client library uses tstream and that handles non blocking
sockets natively.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
d9d0d2d5a2 s4:libcli/ldap: fix retry authentication after a bad password
We need to start with an empty input buffer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
d04663b8b0 s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
59301830e2 auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP
This is now handled by GENSEC_FEATURE_LDAP_STYLE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
122a5f6b58 auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE
We want also work against old Samba servers which didn't had
GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few
years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
f3dbe19e14 auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE
We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.

This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
069aee42c2 auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define
This will be used for LDAP connections and may trigger
backend specific behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Günther Deschner
f6b9e1feab auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
c1e2a1f0a7 librpc/ndr: add ndr_ntlmssp_find_av() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
f4ff351016 ntlmssp.idl: make AV_PAIR_LIST public
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
ab54e0fd70 ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
1f88812316 security.idl: add LSAP_TOKEN_INFO_INTEGRITY
This is used in [MS-KILE] and implicit in [MS-NLMP].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:29 +01:00
Stefan Metzmacher
8af6b8d2eb auth/ntlmssp: use ntlmssp_version_blob() in the server
We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
4a1809cb14 auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION
This matches a modern Windows client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
a61ab398cc auth/ntlmssp: add ntlmssp_version_blob()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00
Stefan Metzmacher
4fca8eaaae auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE
We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.

This matches modern Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-03-10 06:52:28 +01:00