1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

97689 Commits

Author SHA1 Message Date
Garming Sam
bc0b90a300 backupkey: Improve IDL
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-02-25 01:08:11 +01:00
Garming Sam
a4e6873c43 backupkey: begin by factoring out the server wrap functions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-02-25 01:08:11 +01:00
Andrew Bartlett
286223f150 torture-backupkey: Assert dcerpc_bkrp_BackupKey_r call was successful
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Andrew Bartlett
d9529dbab6 torture-backupkey: Add consistent assertions that createRestoreGUIDStruct() suceeds
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
16ad6de6b8 s4:torture/rpc/backupkey: Require 2048 bit RSA key
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

(fixed cleanup of memory)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
e6e9e490ae s4-backupkey: consistent naming of werr variable
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
e25c61c5f1 s4-backupkey: improve variable name
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
8473f6da69 s4-backupkey: typo fix
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
879b65710b s4-backupkey: IDL for ServerWrap subprotocol
This adds some IDL structs for the ServerWrap subprotocol, allowing
parsing of the incoming RPC calls and returning WERR_NOT_SUPPORTED
instead of WERR_INVALID_PARAM.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
3bc3bec6d7 s4-backupkey: fix ndr_pull error on empty input
[MS-BKRP] 3.1.4.1 specifies for BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID that
the server must ignore the input data. This patch fixes
  ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
6af3cf60e3 s4-backupkey: Initialize ndr->switchlist for print
ndr_print_bkrp_data_in_blob requires the level to be set in the
proper ndr->switch_list context.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
007c3978a4 s4-backupkey: Comply with [MS-BKRP] 2.2.1
[MS-BKRP] 2.2.1 specifies "The Common Name field of the Subject name
field SHOULD contain the name of the DNS domain assigned to the server."

In fact Windows 7 clients don't seem to care. Also in certificates
generated by native AD the domain name (after CN=) is encoded as
UTF-16LE. Since hx509_parse_name only supports UTF-8 strings currently
we just leave the encoding as it is for now.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
577fa69b52 s4-backupkey: Set defined cert serialnumber
[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate
should be set identical to the subjectUniqueID. In fact certificates
generated by native AD have this field encoded in little-endian format.
See also
https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
525c93caa6 s4-backupkey: de-duplicate error handling
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:11 +01:00
Arvid Requate
d633fcb566 s4-backupkey: check for talloc failure
Check for talloc_memdup failure for uniqueid.data.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:10 +01:00
Arvid Requate
89803009b9 s4-backupkey: Cert lifetime of 365 days, not secs
hx509_ca_tbs_set_notAfter_lifetime expects the lifetime value in
in seconds. The Windows 7 client didn't seem to care that the lifetime
was only 6'03''. Two other TODOs in this implementation:

* Since notBefore is not set explicietely to "now", the heimdal code
  default of now-(24 hours) is applied.

* Server side validity checks and cert renewal are missing.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-02-25 01:08:10 +01:00
Arvid Requate
9b2ff26c89 s4-backupkey: Ensure RSA modulus is 2048 bits
RSA_generate_key_ex doesn't always generate a modulus of requested
bit length. Tests with Windows 7 clients showed that they decline
x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length
is smaller than the specified 2048 bits. For the user this resulted
in DPAPI failing to retrieve stored credentials after the user password
has been changed at least two times. On the server side log.samba showed
that the client also called the as yet unlimplemented ServerWrap sub-
protocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the
ClientWarp function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After
enabling DPAPI auditing on the Windows Clients the Event Viewer showed
Event-ID 4692 failing with a FailureReason value of 0x7a in these cases.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
2015-02-25 01:08:10 +01:00
Alexander Bokovoy
a00d72bf5d wafsamba: make sure build fails when uninitialized variable is detected
In developer build, fail if uninitialized variable is found by GCC.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 24 20:21:52 CET 2015 on sn-devel-104
2015-02-24 20:21:52 +01:00
Volker Lendecke
b3a472d976 lib: Use iov_buflen in smb1cli_req_chain_submit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
eaf9fd4b7a lib: Use iov_buflen in smb1cli_req_writev_submit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
c7fe434d48 lib: Use iov_buflen in smb1cli_req_create
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
7bcd7e2f5c lib: Use iov_buf in smbXcli_iov_concat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
4c000545c0 libcli: Use iov_buflen in smbXcli_iov_len
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
cab45cb765 smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
ce9ae131fe smb2_server: Use iov_advance
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
1c2562e691 smb2_server: Add range checking to nbt_length
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
d6f70d3346 tsocket: Use iov_advance
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
6e94f695c4 iov_buf: Add an explaining comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:09 +01:00
Volker Lendecke
0a20ffb17d tsocket: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:08 +01:00
Volker Lendecke
a610336886 lib: Move "iov_buf.[ch]" to lib/util
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:08 +01:00
Volker Lendecke
d5de29b860 rpc: Use tevent_req_poll_ntstatus
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-24 17:52:08 +01:00
Amitay Isaacs
04a061e4d1 ctdb-io: Do not use sys_write to write to client sockets
When sending messages to clients, ctdb checks for EAGAIN error code and
schedules next write in the subsequent event loop.  Using sys_write in
these places causes ctdb to loop hard till a client is able to read from
the socket.  With real time scheduling, ctdb daemon spins consuming 100%
of CPU trying to write to the client sockets.  This can be quite harmful
when running under VMs or machines with single CPU.

This regression was introduced when all read/write calls were replaced to
use sys_read/sys_write wrappers (c1558adeaa).

The existing code backs off in case of EAGAIN failures and waits for an
event loop to process the write again.  This should give ctdb clients
a chance to get scheduled and to process the ctdb socket.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Feb 24 12:29:30 CET 2015 on sn-devel-104
2015-02-24 12:29:30 +01:00
Andreas Schneider
84d4270c8e nmblookup: Warn user if netbios name is too long.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 24 01:01:10 CET 2015 on sn-devel-104
2015-02-24 01:01:10 +01:00
Andreas Schneider
a782ae1da4 nss-wins: Do not lookup invalid netbios names
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-23 22:32:48 +01:00
Andreas Schneider
a5e3a198d0 libsmb: Do not lookup invalid netbios names.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-02-23 22:32:48 +01:00
Jeremy Allison
eb05766a8c Revert "s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED."
Even though the MS-SMB2 spec says so, Windows doesn't behave
like this.

This reverts commit 1cea6e5b6f.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
2015-02-23 22:32:48 +01:00
Andreas Schneider
c0a463d94a waf: Only build the wrappers if we enable selftest
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 23 22:31:22 CET 2015 on sn-devel-104
2015-02-23 22:31:22 +01:00
Andreas Schneider
8e76e267fe swrap: Bump version to 1.1.3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-02-23 20:02:51 +01:00
Andreas Schneider
6ba81a483c swrap: If we remove the socket_info also unlink the unix socket
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-02-23 20:02:51 +01:00
Andreas Schneider
ca9c6c8a32 swrap: Do not leak the socket_info we just removed.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-02-23 20:02:51 +01:00
Andreas Schneider
e8f56be3da src: Add support for running with address sanitizer.
If address sanitzer will complain about our hack with variable function
attributes. This disables the checking of it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-02-23 20:02:51 +01:00
Andreas Schneider
8dcc02f89b swrap: Fix the loop for older gcc versions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-02-23 20:02:51 +01:00
Andreas Schneider
6e5debf33b torture: Add netr_setPassword(2) schannel test.
Thanks to Florian Weimer <fweimer@redhat.com> for the help to write
this torture test.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Feb 23 20:01:01 CET 2015 on sn-devel-104
2015-02-23 20:01:01 +01:00
Andreas Schneider
bb41484509 s3-netlogon: Make sure we do not deference a NULL pointer.
This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-02-23 17:33:07 +01:00
Jeremy Allison
28f10a89e6 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-02-23 17:33:07 +01:00
Jeremy Allison
a6008b2de7 s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting.
If we delete the file on close, the stat after the close
will fail so we fail to return the attributes requested.

Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.

https://bugzilla.samba.org/show_bug.cgi?id=11104

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 20 20:54:18 CET 2015 on sn-devel-104
2015-02-20 20:54:18 +01:00
Jeremy Allison
4a8c6988e3 s3: smbd: SMB2 close. Call utility function setup_close_full_information()
Replaces existing inline code.

Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.

https://bugzilla.samba.org/show_bug.cgi?id=11104

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
2015-02-20 18:25:06 +01:00
Jeremy Allison
2ccfdf760e s3: smbd: SMB2 close. Add utility function setup_close_full_information()
Not yet used.

Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.

https://bugzilla.samba.org/show_bug.cgi?id=11104

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
2015-02-20 18:25:06 +01:00
Michael Adam
e6e6f563e6 doc👨vfs_glusterfs: improve the configuration section.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 20 14:29:21 CET 2015 on sn-devel-104
2015-02-20 14:29:21 +01:00
Michael Adam
7852dd9e4c doc👨vfs_glusterfs: improve and update description.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-02-20 11:59:05 +01:00