IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This reverts commit 508c218eb2.
This lets make test fail.
Matthias: please make sure make test still passes when you change things like
this...(maybe add something to knownfail or so)
metze
Collect all data that is needed, and use only one talloc_asprintf
operation to create the string of common data. This simplifies
the code a bit and is most probably faster than the old method.
Also, #define SMBTA_COMMON_DATA_COUNT as a complete string,
speeding things up because we know the value at compile time.
static char *smb_traffic_analyzer_anonymize
This takes a lot of code out of the main functions,
and makes it a bit simpler. Do the anonymization in a function.
Since we already anonymized the username we don't need to do
this a second time in the v2 marshalling function.
smb_traffic_analyzer_encrypt - doing the encryption of a data block,
smb_traffic_analyzer_create_header - create the protocol header,
smb_traffic_analyzer_write_data - actually write the data to the
socket.
Always send the number of common data blocks first. This way, we
can make the protocol backwards compatible. A receiver running with
an older subprotocol can just ignore if a newer sender sends more
common data.
Add a few remarks to the marshalling function. Add two #define lines
defining the protocol subrelease number and the number of common
data blocks to the header file.
This program allows the administrator to enable or disable AES
encryption when using vfs_smb_traffic_analyzer. It also generates new
keys, stores them to a file, so that the file can be reused on another
client or server.
First try. This runs on 16 bytes long AES block size, and enlarges the
data block with 16 bytes, to make sure all bytes are in. The added
bytes are filled with '.'. It then creates a header featuring the new
length to be send, and finally sends the data block, then returns.
This code is untested, as creating the receiver will be my next step.
To simplify traffic_analyzer's code, this code should run as a function.
It's on the do-to-list.
Since we need to care for the SID too, do the anonymization in the
marshalling function and anonymize both the username and the SID.
Remove the 'A' status flag from the header definition. A listener
could see from the unencrypted header if the module is anonymizing
or not, which is certainly not wanted.
Since the header block of the protocol contains the number of bytes to
come, we always send the header itself unmodified.
If we compress or crypt the data we are about to send, the length of the
data to send may change. Therefore, we no longer create the header in
smb_traffic_analyzer_create_string, but shortly before we send the data.
For both cases, encryption and normal, we create our own header, and
send it before the actual data.
In case of protocol v1, we don't need to create an extra header.
Just send the data, and return from the function.
Change a debug message to say that the header for crypted data has
been created.
Add a status flags consisting of 6 bytes to the header. Their function
will be descriped in one of the next patches, which is descriping
the header in a longer comment.
When anonymization and/or encryption is used, set the flags accordingly.
From Holger:
Make smb_traffic_analyzer differ the protocol versions to enable the development of version 2 of the protocol. To do this, a new parameter "protocol_version" has been introduced, which can be set to "V1", "V2", or nothing. If protocol_version is not set, V1 will be chosen automatically.
Created an enum for identifying VFS functions in the upcoming protocol v2. Converted the existing VFS functions to use the identifier, and set the read/write bool used in protocol v1 accordingly, also ignore any other VFS functions except read/write/pread/pwrite in v1. Added a first new VFS function for mkdir, which I use for testing and implementing both the sender and receiver for v2.
At present the command supports only addition of control access rigts, done
so DRS access checks can be tested. It will be expanded to deal with most
ways to modify and view a DS ACL.
Shifted commands a bit. What used to be net acl is now "net acl nt" as apposed
to this, which is "net acl ds"
./bin/net acl ds set --help
Usage: set --objectdn=objectdn --car=control right --action=[deny|allow] --trusteedn=trustee-dn
Options:
-h, --help show this help message and exit
--host=HOST LDB URL for database or target server
--car=CAR The access control right to allow or deny
--action=ACTION Deny or allow access
--objectdn=OBJECTDN DN of the object whose SD to modify
--trusteedn=TRUSTEEDN
DN of the entity that gets access
Samba Common Options:
-s FILE, --configfile=FILE
Configuration file
Credentials Options:
--simple-bind-dn=DN
DN to use for a simple bind
--password=PASSWORD
Password
-U USERNAME, --username=USERNAME
Username
-W WORKGROUP, --workgroup=WORKGROUP
Workgroup
-N, --no-pass Don't ask for a password
-k KERBEROS, --kerberos=KERBEROS
Use Kerberos
This choses an appropriate talloc context to attach the schema too,
long enough lived to ensure it does not go away before the operation
compleates.
Andrew Bartlett
dsdb_get_schema() isn't a very cheap call, due to the use of LDB
opaque pointers. We need to call it less, and instead pass it as a
parameter where possible.
This also changes to the new API with a talloc context.
Andrew Bartlett
When specified, we talloc_reference onto this context to ensure that
pointers found in it are valid for the life of the objects they are
placed into. (Such as the string form of LDAP attributes).
Andrew Bartlett
It's easier to just set it up when we can, then to deal with the
ordering issues in ldb startup. As long as we have it ready if a real
client ever asks for it, then we should be happy.
Andrew Bartlett
This torture testcase considers both cases for this infoType: when the flag
DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE is enabled and when not.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
