IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Add the blobs required to allow the storing of an sha256 or sha512 hash of
the password in supplemental credentials
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The wscript_build files convey what header files belong to which
logical package. For example,
# lib/util/wscript_build:
bld.SAMBA_LIBRARY('samba-util',
public_headers='... data_blob.h ...'
# auth/credentials/wscript_build:
bld.SAMBA_LIBRARY('samba-credentials',
public_headers='credentials.h',
Now, credentials.h #includes <util/data_blob.h> and therefore,
samba-credentials.pc must have a Requires: samba-util.
Similarly for other parts.
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
This will allow AUTH_EVENT_NAME and MSG_AUTH_LOG to be accessed from python
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 13:19:03 CEST 2017 on sn-devel-144
This makes it easy to ensure we use the same name in the python and the C
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
The ndr token code keeps a temporary store of tokens which are
referred to a small number of times (often once) before being
discarded. The access patterns are somewhat stack-like, with recently
placed tokens being accessed most often.
The old code kept these tokens in a linked list, which we replace with
a self-resizing array.
This keeps everything roughly the same in big-O terms, but makes it
all faster in practice by vastly reducing the amount of tallocing and
pointer-chasing.
The peak memory use is strictly reduced. On a 64 bit machine each core
token struct fits in 16 bytes (after padding) while the two pointers
used by the DLIST add another 16 bytes, so the overall list allocation
is the same as the peak 2n array allocation -- except in the list case
it is dwarfed by the talloc and malloc metadata overhead.
Before settling on the resized arrays, we tried red-black trees, which
are bound to be better for large ndr structures. As it happens, we
don't deal with large structures (the size of replication clumps is
limited to 400 objects) and the asymptotic benefits of the trees are
not realised in practice.
With luck you should find graphs comparing the performance of these
various techniques at:
https://www.samba.org/~dbagnall/perf-tests/ndr-token/
This necessarily breaks the ABI because the linked list implementation
was publicly exposed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 2 08:38:22 CET 2017 on sn-devel-144
Commit 1eef708729 changed the mapping for
DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12585
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This allows the user to input a hexdump that has been generated by the dump option.
Signed-off-by: Cody Harrington <cody@harringtonca.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We were crashing earlier when calculating the length of NULL strings in
fixed size arrays (noticed while replying with an empty
spoolss_CorePrinterDriver struct within the spoolss_GetCorePrinterDrivers
call).
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Microsoft got their docs wrong in MS-RPRN Section 2.2.1.10.1 (footnote
65): PROCESSOR_AMD_X8664 must be 0x000021D8 and not 0x000022A0.
This is what recent windows versions report back from a spoolss
getprinter level 0 RPC call.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is an equivalent of QueryUserList with simpler output. The next
commit will use it to go through wb_getpwsid for getent passwd, to
make sure we get the same results. Eventually, this might get a simpler
backend.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This call will be done in the idmap child. It is not 100% the right place,
but there is no better one available to me. It will become a replacement
for the "winbind nss info" parameter: This global parameter is good
for just one domain. It might be possible to have idmap backend AD for
different domains, and the NSS info like primary gid, homedir and shell
might be done with different policies per domain. As we already have a
domain-specific idmap configuration, doing the NSS info configuration
there also is the closest way to do it.
The alternative, if we did not want to put this call into the idmap child
would be to establish an equivalent engine like the whole "idmap config
*" just for the nss info. But as I believe this is closely related,
I'll just keep it in the idmap child.
This also extends the wbint_userinfo structure with pretty much all user
related fields. The idea is that the GetNssInfo call can do whatever it
wants with it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
When asking for gid2sid with an idmap backend that does ID_TYPE_BOTH
and the sid in question is actually a user, the parent winbind needs
to know about it. The next commit will prime the gencache also after
xid2sid calls, and if we filled it with a ID_TYPE_GID entry, a later
sid2uid call would fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
This prevents making the netlogon process multi-threaded.
This works on Windows becuase NETLOGON is part of lsad
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows the netlogon server to be moved into a multi-process model
while still supporting clients that use a challenge from a different
network connection.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 20:12:14 CET 2016 on sn-devel-144
GUID_from_data_blob() was relying on sscanf to parse strings, which was
slow and quite accepting of invalid GUIDs. Instead we directly read a
fixed number of hex bytes for each field.
This now passes the samba4.local.ndr.*.guid_from_string_invalid tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Dec 14 08:55:42 CET 2016 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 1 05:53:43 CET 2016 on sn-devel-144
This allows processing of Windows Cabinet files (required for the MS-PAR
print protocol implementation)
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
ULONG_PTR needs to be decoded as a uint3264 and not as a 'uint32 *'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11197
Guenther
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Oct 26 15:06:44 CEST 2016 on sn-devel-144
Now that all callers of dcerpc_binding_handle_create() are fixed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If there's an object set on the binding handle, we need to use that
and disallow per request passing of object.
The normal client code will always have the object on the binding handle.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
typedef struct {
uint32 alloc_hint;
uint16 context_id;
uint16 opnum;
/*
* NDR_DCERPC_REQUEST_OBJECT_PRESENT
* is defined differently for ndr_dcerpc.c and py_dcerpc.c
*/
[switch_is(NDR_DCERPC_REQUEST_OBJECT_PRESENT)] dcerpc_object object;
[flag(NDR_REMAINING)] DATA_BLOB stub_and_verifier;
} dcerpc_request;
- the generic dcerpc header has a size of 16 bytes.
- alloc_hint, context_id and opnum are 8 bytes together.
- dcerpc_object is 0 or 16 bytes.
That means stub_and_verifier is always aligned to 8 bytes
(either at offset 24 or 40).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
typedef struct {
uint32 alloc_hint;
uint16 context_id;
uint8 cancel_count;
[value(0)] uint8 reserved;
[flag(NDR_REMAINING)] DATA_BLOB stub_and_verifier;
} dcerpc_response;
- the generic dcerpc header has a size of 16 bytes
- alloc_hint, context_id, cancel_count and reserved are 8 bytes together
So stub_and_verifier is 8 byte aligned at offset 24.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
The 4 bytes of padding are always present and part of the header.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Also the default should not be DCERPC_AUTH_LEVEL_CONNECT
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
ntlmssp_NTLM_RESPONSE and NTLM_RESPONSE will both result in
"ntlmssp.NTLM_RESPONSE".
The same applies to ntlmssp_LM_RESPONSE and LM_RESPONSE.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Oct 13 21:56:27 CEST 2016 on sn-devel-144
Add Samba specific well known SIDs for
Unix UID and GID owner.
Signed-off-by: Steve French <smfrench@gmail.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
This idl was based on an earlier draft documentation version. The
current documentation now shows:
"SourceFileID (16 bytes): An SMB2_FILEID structure, as specified in
[MS-SMB2] section 2.2.14.1, that is an identifier of the open to the
source file.".
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We should try to avoid the RPC_ prefix in structs, enums for spoolss.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This change makes automatic mapping for PAR->RPRN opcodes easier.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows us to allocate only the correct size, not a default of 1024 bytes
per push.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This will be used to store the cleartext utf16 password
GPG encrypted in the supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
This difference is the reason why we can't fully (ndr)validate some
PAC blobs.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We need to have two subcontexts to get the padding right,
the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
the inner subcontext only uses _ndr_size.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit moves the autogenerated ndr_{pull,push}_supplementalCredentialsSubBlob()
function to the handwritten librpc/ndr/ndr_drsblobs.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
When notifyd is restarted, the parent will broadcast that fact to all workers.
They will then re-register their notify requests.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is often found in inner loops in the dsdb code, because LDB DNs often contain a GUID string
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This is a workarround for a bug in old Samba releases.
For BIND_ACK <= 3.5.x and for ALTER_RESP <= 4.2.x (see bug #11061).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11982
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte),
this limit is too strict for some workloads, e.g. DRSUAPI replication
with large objects.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Cf RFC2845, 3.4.2. "TSIG Variables", the request id (original_id) is not
used in the MAC calculation. This also explains the mysterious 2 bytes
padding.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Certain DNS clients fail TSIG record MAC validation if the TSIG record
contains compressed strings.
Windows DNS server behaviour seems to be to not send compressed names in
TKEY and TSIG records.
This patch ensures we conform to this behaviour.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This flag can be used to change marshalling behaviour with regard to
compression.
Example: DNS packets make use of so called DNS name compression which
means that for identical strings in a DNS packet, the second string is
replaced with a reference (an offset) to the first.
Setting this flag requests to turns off the marshalling compression.
This will be used in the next commit to prevent name compression in DNS
TSIG records.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This allows us to remove talloc() calls from GUID_from_ndr_blob().
To do this the struct ndr_pull is placed on the stack, and filled in there.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
All callers should have already checked that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is often a hot path, particularly with complex structures like
nt-acls.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Switch values currently only have a peek variant, instead of a retrieve
variant for getting their values. This can create performance issues
with complex structures as the token list simply grows longer.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This is used in [MS-KILE] and implicit in [MS-NLMP].
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
While using a charset is not entirely logical, it allows testing of non
UTF-8 data (like inserting 0xFF into the TXT string).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
From RFC 1035:
3.3.14. TXT RDATA format
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where:
TXT-DATA One or more <character-string>s.
TXT RRs are used to hold descriptive text. The semantics of the text
depends on the domain where it is found.
Each record contains an array of strings instead of just one string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The idmap backend function is doing multiple conversions in one run, but this
is not used so far. First step in exposing plural xid2sid. This is a fake
routine in that it does the one-element calls, but you have to start somewhere.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
These might be usefull in future if we want to fast check
against dsdb_attribute->attributeID_id, instead of an expensive
ldb_attr_cmp(). They will never appear in replPropertyMetaData.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>