sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code
94,502 Commits 60 Branches 1,145 Tags 452 MiB
d1ee35dc36
Commit Graph

1631 Commits

Author SHA1 Message Date
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-03-27 00:36:32 +01:00
David Disseldorp
ebe6627c1f rpc_client: retry open on STATUS_PIPE_NOT_AVAILABLE 
Windows Server starts some named pipe services on demand, and responds
to initial open requests with STATUS_PIPE_NOT_AVAILABLE. The FssagentRpc
named pipe on Windows Server 2012 exhibits this behaviour.

This change sees rpcclient retry named pipe open requests when the
server responds with STATUS_PIPE_NOT_AVAILABLE. The retry logic is
contained in an asynchronous tevent_timer callback, to allow for
non-blocking callers.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2014-03-04 03:03:24 +01:00
Stefan Metzmacher
a1e013505c s3:rpc_client: avoid using dcerpc_binding internals in rpc_pipe_get_tcp_port() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2014-02-13 11:54:16 +01:00
Stefan Metzmacher
ded957614b s3:rpc_client: use address "0.0.0.0" and port "135" for epmapper requests 
Note: binding->host = NULL lets dcerpc_binding_build_tower()
use "0.0.0.0".

This matches Windows clients.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2014-02-11 16:20:31 +01:00
Stefan Metzmacher
aeab9602c0 s3:librpc/rpc: only propose header signing if we use sign or seal 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2014-02-11 16:02:14 +01:00
Michael Adam
020fab300d s3:rpc_client: optimize the netlogon_creds_cli.tdb for read-only access 
Usually a record in this DB will be written once and then read
many times by winbindd processes on multiple nodes (when run in
a cluster). In order not to introduce a big performance penalty
with the increased correctness achieved by storing the netlogon
creds, in a cluster setup, we should activate ctdb's read only
record copies on this db.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-02-07 16:06:06 +01:00
Michael Adam
cf0cb0add9 dbwrap: add a dbwrap_flags argument to db_open() 
This is in preparation to support handing flags to backends,
in particular activating read only record support for ctdb
databases. For a start, this does nothing but adding the
parameter, and all databases use DBWRAP_FLAG_NONE.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2014-02-07 16:06:06 +01:00
Stefan Metzmacher
8cf4eff201 s3:rpc_client: use db_open() to open "netlogon_creds_cli.tdb" 
This uses dbwrap_ctdb if running in a cluster.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-22 17:11:54 +01:00
Stefan Metzmacher
dc561b7e2d dcerpc.idl: make use of union dcerpc_bind_ack_reason and fix all callers. 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jan 16 18:21:40 CET 2014 on sn-devel-104
 2014-01-16 18:21:40 +01:00
Stefan Metzmacher
c0761c3eae s3:rpc_client: finally remove unused rpc_pipe_client->netlogon_creds 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:16 +01:00
Stefan Metzmacher
3f41b58384 s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:16 +01:00
Stefan Metzmacher
e4fea80693 s3:rpc_client: remove unused rpccli_netlogon_sam_logon() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:16 +01:00
Stefan Metzmacher
a4faf57b47 s3:rpc_client: remove unused rpccli_netlogon_setup_creds() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:15 +01:00
Stefan Metzmacher
6d457ad9c1 s3:rpc_client: remove unused rpccli_netlogon_set_trust_password() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:15 +01:00
Stefan Metzmacher
660150b12a s3:rpc_client: make cli_rpc_pipe_open_schannel() more flexible 
It expects a messaging_context now
and returns a netlogon_creds_cli_context.

This way we can finally avoid having a rpc_pipe_client->netlogon_creds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:15 +01:00
Stefan Metzmacher
94caf7e190 s3:rpc_client: use rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:10 +01:00
Stefan Metzmacher
b7dc3fb204 s3:rpc_client: add rpccli_netlogon_password_logon() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:08 +01:00
Stefan Metzmacher
5196493c9e s3:rpc_client: add rpccli_netlogon_network_logon() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:08 +01:00
Stefan Metzmacher
a07cc9a1c6 s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon_ex() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:08 +01:00
Stefan Metzmacher
3c025af657 s3:rpc_client: add rpccli_pre_open_netlogon_creds() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:07 +01:00
Stefan Metzmacher
14ceb7b501 s3:rpc_client: add rpccli_{create,setup}_netlogon_creds() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:07 +01:00
Stefan Metzmacher
5adfc5f9f7 s3:rpc_client: use netlogon_creds_cli_auth_level() in cli_rpc_pipe_open_schannel_with_key() 
This means the auth level is now based on the "winbindd sealed pipes" option,
defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:07 +01:00
Stefan Metzmacher
38d4dba374 s3:rpc_client: make use of the new netlogon_creds_cli_context 
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local database.

This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 12:47:06 +01:00
Stefan Metzmacher
0059929601 libcli/smb: s/tstream_cli_np/tstream_smbXcli_np 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2014-01-07 08:37:42 +01:00
Stefan Metzmacher
024fc73047 libcli/smb: move source3/libsmb/cli_np_tstream.c to tstream_smbXcli_np.c 
This code is generic enough to have it in the top level now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2014-01-07 08:37:42 +01:00
Gregor Beck
46d29d46bc s3:libsmb: do not use cli_state internally within cli_np_tstream 
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2014-01-07 08:37:41 +01:00
Stefan Metzmacher
6ab9164c74 s3:rpc_client: send a dcerpc_sec_verification_trailer if needed 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 02:24:42 CET 2014 on sn-devel-104
 2014-01-07 02:24:41 +01:00
Stefan Metzmacher
f0532fe0cd s3:rpc_client: fill alloc_hint with the remaining data not the total data. 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:12 +01:00
Stefan Metzmacher
61bdbc23cd s3:rpc_client: implement DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:11 +01:00
Stefan Metzmacher
f7bf7e705e s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as any other gensec backend 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:11 +01:00
Stefan Metzmacher
4d3376e919 s3:rpc_client: add some const to rpc_api_pipe_req_send() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:11 +01:00
Stefan Metzmacher
946e29dbc1 s3:rpc_client: make rpc_api_pipe_req_send/recv static 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:11 +01:00
Stefan Metzmacher
5b39a351a8 s3:rpc_client: talloc_zero pipe_auth_data 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2014-01-07 00:27:11 +01:00
Jeremy Allison
0dc6181894 CVE-2013-4408:s3:Ensure LookupNames replies arrays are range checked. 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
 2013-12-09 07:05:46 +01:00
Jeremy Allison
b0ba4a5621 CVE-2013-4408:s3:Ensure LookupSids replies arrays are range checked. 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
 2013-12-09 07:05:46 +01:00
Jeremy Allison
a516ae6868 CVE-2013-4408:s3:Ensure we always check call_id when validating an RPC reply. 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-12-09 07:05:46 +01:00
Stefan Metzmacher
8b7c862bab CVE-2013-4408:s3:rpc_client: verify frag_len at least contains the header size 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
 2013-12-09 07:05:45 +01:00
Gregor Beck
412af28e1e s3:rpc_client: fix a leaked talloc_stackframe 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10241

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2013-11-04 10:38:50 +01:00
Andreas Schneider
5990de5d89 s3-rpc_client: Make data pointer const in trans_send(). 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 30 01:32:08 CET 2013 on sn-devel-104
 2013-10-30 01:32:08 +01:00
Gregor Beck
1974dbe30c s3:rpc_client: remove unused rpc_pipe_np_smb_conn() 
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-10-17 08:48:50 +13:00
Stefan Metzmacher
872486bbd0 s3:rpc_client: pass object and table to rpccli_bh_create() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-10-17 08:48:45 +13:00
Stefan Metzmacher
f773ed2cf7 s3:rpc_client: implement dcerpc_binding_handle_auth_info() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-10-17 08:48:44 +13:00
Günther Deschner
b73e2d927b s3-rpc: use dcerpc_default_transport_endpoint function. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-09-20 13:07:30 +02:00
Günther Deschner
a94e278883 s3-rpc: use table->name directly in DEBUG contexts. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-09-20 13:07:10 +02:00
Günther Deschner
45949d7218 s3-rpc_cli: remove unused schannel calls from cli_pipe.c 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-09-19 11:09:55 +02:00
Günther Deschner
89d0b89b5d s3-rpc_cli: use gensec for schannel bind. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-09-19 11:09:36 +02:00
Günther Deschner
7b570b4128 s3-rpc_cli: allow to pass down a netlogon CredentialState struct to gensec. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2013-09-19 11:09:27 +02:00
Stefan Metzmacher
af4dc30684 s3:cli_pipe.c: return NO_USER_SESSION_KEY in cli_get_session_key() for schannel 
SCHANNEL connections don't have a user session key,
they're like anonymous connections.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-08-10 09:18:58 +02:00
Stefan Metzmacher
838cb53962 s3:cli_pipe: pass down creds->computer_name to NL_AUTH_MESSAGE 
We need to use the same computer_name value as in the netr_Authenticate3()
request.

We abuse cli->auth->user_name to pass the value down.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-08-10 09:18:57 +02:00
Stefan Metzmacher
e96142fc43 s3:cli_pipe: make use of netsec_create_state() 
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2013-08-10 09:18:57 +02:00