IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
didn't change since DCE RPC channel refactoring.
With the current code we return RPC faul as can be seen in the logs:
2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
in: struct netr_DsRGetForestTrustInformation
server_name : *
server_name : '\\some-dc.example.com'
trusted_domain_name : NULL
flags : 0x00000000 (0)
[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
api_rpcTNP: fault(5) return.
This is due to this check in processing a request:
if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
&& (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
return WERR_ACCESS_DENIED;
}
and since we get AuthZ response,
Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
"type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
"localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
"serviceDescription": "netlogon", "authType": "ncacn_np",
"domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
"sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
"transportProtection": "SMB", "accountFlags": "0x00000010"}}
this means we are actually getting anonymous DCE/RPC access to netlogon
on top of authenticated SMB connection. In such case we have exactly
auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
Update the code to follow the same security level check as in s4 variant
of the call.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
This is a non-negative count. Fix remaing code to not mix int and size_t.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The members of struct utmp are marked as nonstring. This means they
might not be nil-terminated.
Found by covscan.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't need any substitution for elasticsearch options.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We currently have the following substitution functions:
talloc_sub_basic()
talloc_sub_advanced()
talloc_sub_basic() currently substitutes a subset of talloc_sub_advanced().
We'll need a function X that only substitutes what talloc_sub_advanced()
substitutes *without* what talloc_sub_basic() does.
To get there rename talloc_sub_advanced() to talloc_sub_full(). A subsequent
commit will then bring back talloc_sub_advanced() as described above.
Examples with fictional replacement letters A and B. Currently:
talloc_sub_basic: A
talloc_sub_advanced: AB
New:
talloc_sub_basic: A
talloc_sub_advanced: B
talloc_sub_full: AB
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13745
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
No change in behaviour, this just changes all functions to take the
policy_handle argument as pointer instead of passing it by value.
This is how all other IDLs pass it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Oct 9 15:52:55 UTC 2019 on sn-devel-184
Changes:
* Don't initialize the RPC service by calling setup_rpc_module() in the parent
mdssd. This is not needed in the parent, only in the worker childs.
* In the worker childs call setup_rpc_module() instead of init_rpc_module()
which ensures rpc_mdssvc_init() is called with the mdssvc callback which is
needed to initialize mdssvc via mdssvc_init_cb() -> init_service_mdssvc()
* Finally rpc_setup_mdssvc() is adjusted to be a noop if mdssvc is configured to
as external and when called by the main parent smbd via dcesrv_ep_setup() ->
setup_rpc_modules()
I've manually tested all 4 combinations of external=yes|no X module=yes|no with
the new mdfind command.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
No change in behaviour. Simplifies a subsequent logical change.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Now that mdssvc is built by default and also tested in CI, enable it by default,
running as embedded service.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
The mds_ctx object was created in _mdssvc_open() as a talloc child of the pipe
which means as long as the pipe is connected it's not freed.
To ensure we do proper rundown of all resources including backend connections
and pending queries, we must free the mds_ctx object.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Looks like this was never used, it's also available via mds_ctx->snum.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
