David Disseldorp [Fri, 27 Feb 2015 14:52:47 +0000 (14:52 +0000)]
selftest: shuffle msdfs-share DFS referral responses
Add a secondary server path to the msdfs-src1 DFS link, and test "msdfs
shuffle referrals" behaviour during selftest using the existing
samba3.blackbox.smbclient_s3 suite.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb 28 01:22:36 CET 2015 on sn-devel-104
Robin McCorkell [Fri, 27 Feb 2015 14:52:46 +0000 (14:52 +0000)]
MSDFS referral shuffling
Shuffle MSDFS referral list in smbd in accordance with [MS-DFSC] 3.2.1.1
When parsing an MSDFS symlink, the names are shuffled with a Fisher-Yates
algorithm.
Signed-off-by: Robin McCorkell <rmccorkell@karoshi.org.uk>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 23 Jan 2015 13:32:45 +0000 (13:32 +0000)]
winbind: Slightly simplify wb_sids2xids
We only need "names" and "domains" in wb_sids2xids_lookupsids_done. It confused
me when reading this code that these variables are stored in "state".
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 27 Feb 2015 14:04:36 +0000 (14:04 +0000)]
lib: Fix talloc hierarchy in init_lsa_ref_domain_list
The sid is copied, so the name should also be copied.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Amitay Isaacs [Thu, 26 Feb 2015 00:09:09 +0000 (11:09 +1100)]
lib/util: Build iov_buf library only when building samba
lib/util can be built with SAMBA_UTIL_CORE_ONLY for building standalone
ctdb. Any new libraries if not required by ctdb should be built only
when SAMBA_UTIL_CORE_ONLY is not specified.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Feb 27 09:06:01 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 25 Feb 2015 21:17:57 +0000 (21:17 +0000)]
libsmb: Make "ip_service_compare" static
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 27 06:20:58 CET 2015 on sn-devel-104
Michael Adam [Thu, 26 Feb 2015 23:27:29 +0000 (00:27 +0100)]
tevent: version 0.9.23
* Add Solaris ports as tevent backend.
* Improvements to the tevent_data tutorial.
* Remove use of the 'staticforward' macro.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Feb 27 03:48:57 CET 2015 on sn-devel-104
Volker Lendecke [Fri, 12 Dec 2014 22:00:41 +0000 (23:00 +0100)]
winbind: Simplify winbindd_dsgetdcname_recv
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 27 01:16:10 CET 2015 on sn-devel-104
Volker Lendecke [Tue, 24 Feb 2015 14:03:11 +0000 (14:03 +0000)]
vfs_catia: Simplify init_mappings()
No else required after return
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 26 21:22:30 CET 2015 on sn-devel-104
Volker Lendecke [Tue, 24 Feb 2015 13:46:09 +0000 (13:46 +0000)]
smbd: Simplify ReadDirName
In the if-branches we return, so no "else" necessary
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Feb 2015 11:17:59 +0000 (11:17 +0000)]
smbd: ZERO_STRUCT -> struct init
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Feb 2015 11:08:30 +0000 (11:08 +0000)]
smbd: ZERO_STRUCT -> struct assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Feb 2015 11:07:32 +0000 (11:07 +0000)]
smbd: ZERO_STRUCT -> struct assignment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 23 Feb 2015 11:04:58 +0000 (11:04 +0000)]
smbd: ZERO_STRUCTP -> talloc_zero()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 2 Jan 2015 10:46:28 +0000 (11:46 +0100)]
param: Remove lib/param/generic.c
This seems completely unused.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 25 Feb 2015 20:42:33 +0000 (20:42 +0000)]
libsmb: Use tevent_req_poll_ntstatus
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 19 Jan 2015 09:52:11 +0000 (10:52 +0100)]
lib: Simplify pidfile.c
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 26 18:28:31 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 14 Jan 2015 16:11:12 +0000 (17:11 +0100)]
Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Disseldorp [Wed, 25 Feb 2015 10:33:25 +0000 (11:33 +0100)]
ntdb: always return int from tdb_store_flag_to_ntdb()
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Feb 26 13:49:05 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 21 Jan 2015 10:44:58 +0000 (11:44 +0100)]
registry: Fix an alignment increase warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 26 05:35:33 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 25 Feb 2015 13:00:49 +0000 (13:00 +0000)]
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Günther Deschner [Thu, 5 Feb 2015 14:59:52 +0000 (15:59 +0100)]
vfs: Add a brief vfs_ceph manpage.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11088
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Feb 25 20:56:01 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 25 Feb 2015 12:19:44 +0000 (12:19 +0000)]
Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
Volker Lendecke [Wed, 25 Feb 2015 12:19:40 +0000 (12:19 +0000)]
heimdal: Fix the developer O3 build
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Fri, 23 Jan 2015 09:38:31 +0000 (10:38 +0100)]
s3-pam_smbpass: Add a deprecation warning.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 25 03:37:34 CET 2015 on sn-devel-104
Andrew Bartlett [Mon, 23 Feb 2015 03:50:43 +0000 (16:50 +1300)]
s4/scripting/devel: Add tool to roll over the krbtgt password
This may be handy if this key is compromised, or along with chgtdcpass to isolate test copies
of production domains in such a way that they cannot mix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andrew Bartlett [Mon, 23 Feb 2015 03:22:29 +0000 (16:22 +1300)]
testprogs-test_chgdcpass.sh: Improve comments to explain why we check about changing the password twice
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andrew Bartlett [Mon, 23 Feb 2015 02:45:53 +0000 (15:45 +1300)]
selftest: Improve renamedc tests to confirm more than just the exit code
This now confirms that the DC has been renamed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Andrew Bartlett [Mon, 23 Feb 2015 03:10:31 +0000 (16:10 +1300)]
s4/scripting/bin/renamedc: Fix up rename DC script
We now have a reliable handler for backlinks so we can now rename both objects
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Michael Ledford [Tue, 24 Feb 2015 01:46:31 +0000 (20:46 -0500)]
lib/crypto: Document nettle supported crypto
Signed-off-by: Michael Ledford <michael@ledford.cc>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 15 Feb 2015 22:26:37 +0000 (11:26 +1300)]
backupkey: Explain more why we use GnuTLS here
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 11 Feb 2015 23:13:39 +0000 (12:13 +1300)]
build: amend typo for address sanitizer help
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 13 Feb 2015 03:55:07 +0000 (16:55 +1300)]
torture-backupkey: Check the dcerpc call return code before calling ndr pull
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 12 Feb 2015 20:54:50 +0000 (09:54 +1300)]
backupkey: replace heimdal rsa key generation with GnuTLS
We use GnuTLS because it can reliably generate 2048 bit keys every time.
Windows clients strictly require 2048, no more since it won't fit and no
less either. Heimdal would almost always generate a smaller key.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
Garming Sam [Fri, 13 Feb 2015 03:49:58 +0000 (16:49 +1300)]
build: Require GnuTLS if building with Active Directory
Without GnuTLS, we don't have ldaps:// support and we are unable to
readily create RSA keys of the correct length for the BackupKey
protocol.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 12 Feb 2015 23:59:45 +0000 (12:59 +1300)]
torture-backupkey: Add tests that read the secret from the server, and validate
These show that MS-BKRP 3.1.4.1.1 BACKUPKEY_BACKUP_GUID is incorrect when it
states that the key must be the leading 64 bytes, it must be the whole 256 byte
buffer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 12 Feb 2015 03:15:41 +0000 (16:15 +1300)]
backupkey: Better handling for different wrap version headers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Feb 2015 04:46:42 +0000 (17:46 +1300)]
backupkey: Add tests for ServerWrap protocol
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Wed, 11 Feb 2015 00:37:16 +0000 (13:37 +1300)]
backupkey: Change expected error codes to match Windows 2008R2 and Windows 2012R2
This is done in both smbtorture and in our server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 20:53:58 +0000 (09:53 +1300)]
backupkey: Implement ServerWrap Decrypt
We implement both modes in BACKUPKEY_RESTORE_GUID, as it may decrypt
both ServerWrap and ClientWrap data, and we implement
BACKUPKEY_RESTORE_GUID_WIN2K.
BUG: https://bugzilla.samba.org/attachment.cgi?bugid=11097
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 03:26:23 +0000 (16:26 +1300)]
backupkey: Handle more clearly the case where we find the secret, but it has no value
This happens on the RODC, a case that we try not to permit at all.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 03:23:17 +0000 (16:23 +1300)]
backupkey: Improve variable names to make clear this is client-provided data
The values we return here are client-provided passwords or other keys, that we decrypt for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 03:16:20 +0000 (16:16 +1300)]
backupkey: Use the name lsa_secret rather than just secret
This makes it clear that this is the data stored on the LSA secrets store
and not the client-provided data to be encrypted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 03:02:00 +0000 (16:02 +1300)]
backupkey: Implement ServerWrap Encrypt protocol
BUG: https://bugzilla.samba.org/attachment.cgi?bugid=11097
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 02:50:15 +0000 (15:50 +1300)]
backupkey: Improve function names and comments for clarity
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 02:48:06 +0000 (15:48 +1300)]
backupkey: Move SID comparison to inside get_and_verify_access_check()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Thu, 5 Feb 2015 05:17:58 +0000 (18:17 +1300)]
backupkey: Improve IDL
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 4 Feb 2015 22:07:30 +0000 (11:07 +1300)]
backupkey: begin by factoring out the server wrap functions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 10 Feb 2015 22:45:45 +0000 (11:45 +1300)]
torture-backupkey: Assert dcerpc_bkrp_BackupKey_r call was successful
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 10 Feb 2015 20:51:27 +0000 (09:51 +1300)]
torture-backupkey: Add consistent assertions that createRestoreGUIDStruct() succeeds
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Tue, 23 Dec 2014 17:56:20 +0000 (18:56 +0100)]
s4:torture/rpc/backupkey: Require 2048 bit RSA key
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(fixed cleanup of memory)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Tue, 8 Jul 2014 15:25:53 +0000 (17:25 +0200)]
s4-backupkey: consistent naming of werr variable
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Tue, 8 Jul 2014 14:12:13 +0000 (16:12 +0200)]
s4-backupkey: improve variable name
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:56:39 +0000 (18:56 +0200)]
s4-backupkey: typo fix
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:48:41 +0000 (18:48 +0200)]
s4-backupkey: IDL for ServerWrap subprotocol
This adds some IDL structs for the ServerWrap subprotocol, allowing
parsing of the incoming RPC calls and returning WERR_NOT_SUPPORTED
instead of WERR_INVALID_PARAM.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:43:05 +0000 (18:43 +0200)]
s4-backupkey: fix ndr_pull error on empty input
[MS-BKRP] 3.1.4.1 specifies for BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID that
the server must ignore the input data. This patch fixes
ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:36:49 +0000 (18:36 +0200)]
s4-backupkey: Initialize ndr->switchlist for print
ndr_print_bkrp_data_in_blob requires the level to be set in the
proper ndr->switch_list context.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:25:29 +0000 (18:25 +0200)]
s4-backupkey: Comply with [MS-BKRP] 2.2.1
[MS-BKRP] 2.2.1 specifies "The Common Name field of the Subject name
field SHOULD contain the name of the DNS domain assigned to the server."
In fact Windows 7 clients don't seem to care. Also in certificates
generated by native AD the domain name (after CN=) is encoded as
UTF-16LE. Since hx509_parse_name only supports UTF-8 strings currently
we just leave the encoding as it is for now.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:18:30 +0000 (18:18 +0200)]
s4-backupkey: Set defined cert serialnumber
[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate
should be set identical to the subjectUniqueID. In fact certificates
generated by native AD have this field encoded in little-endian format.
See also
https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:15:37 +0000 (18:15 +0200)]
s4-backupkey: de-duplicate error handling
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 16:12:47 +0000 (18:12 +0200)]
s4-backupkey: check for talloc failure
Check for talloc_memdup failure for uniqueid.data.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 15:59:29 +0000 (17:59 +0200)]
s4-backupkey: Cert lifetime of 365 days, not secs
hx509_ca_tbs_set_notAfter_lifetime expects the lifetime value
in seconds. The Windows 7 client didn't seem to care that the lifetime
was only 6'03''. Two other TODOs in this implementation:
* Since notBefore is not set explicitly to "now", the heimdal code
default of now-(24 hours) is applied.
* Server side validity checks and cert renewal are missing.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Arvid Requate [Mon, 7 Jul 2014 15:39:51 +0000 (17:39 +0200)]
s4-backupkey: Ensure RSA modulus is 2048 bits
RSA_generate_key_ex doesn't always generate a modulus of requested
bit length. Tests with Windows 7 clients showed that they decline
x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length
is smaller than the specified 2048 bits. For the user this resulted
in DPAPI failing to retrieve stored credentials after the user password
has been changed at least two times. On the server side log.samba showed
that the client also called the as yet unimplemented ServerWrap
subprotocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the
ClientWrap function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After
enabling DPAPI auditing on the Windows Clients the Event Viewer showed
Event-ID 4692 failing with a FailureReason value of 0x7a in these cases.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
Alexander Bokovoy [Tue, 24 Feb 2015 13:12:39 +0000 (15:12 +0200)]
wafsamba: make sure build fails when uninitialized variable is detected
In developer build, fail if uninitialized variable is found by GCC.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 24 20:21:52 CET 2015 on sn-devel-104
Volker Lendecke [Tue, 17 Feb 2015 20:19:33 +0000 (20:19 +0000)]
lib: Use iov_buflen in smb1cli_req_chain_submit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Feb 2015 20:19:10 +0000 (20:19 +0000)]
lib: Use iov_buflen in smb1cli_req_writev_submit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Feb 2015 20:18:37 +0000 (20:18 +0000)]
lib: Use iov_buflen in smb1cli_req_create
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Feb 2015 20:17:35 +0000 (20:17 +0000)]
lib: Use iov_buf in smbXcli_iov_concat
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Feb 2015 20:16:45 +0000 (20:16 +0000)]
libcli: Use iov_buflen in smbXcli_iov_len
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 14:36:28 +0000 (14:36 +0000)]
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 14:35:03 +0000 (14:35 +0000)]
smb2_server: Use iov_advance
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 14:29:36 +0000 (14:29 +0000)]
smb2_server: Add range checking to nbt_length
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 13:50:25 +0000 (13:50 +0000)]
tsocket: Use iov_advance
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 13:26:29 +0000 (13:26 +0000)]
iov_buf: Add an explaining comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 16 Feb 2015 13:24:04 +0000 (13:24 +0000)]
tsocket: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 14 Feb 2015 15:48:54 +0000 (16:48 +0100)]
lib: Move "iov_buf.[ch]" to lib/util
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 14 Feb 2015 15:28:06 +0000 (16:28 +0100)]
rpc: Use tevent_req_poll_ntstatus
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Amitay Isaacs [Mon, 23 Feb 2015 01:38:11 +0000 (12:38 +1100)]
ctdb-io: Do not use sys_write to write to client sockets
When sending messages to clients, ctdb checks for EAGAIN error code and
schedules next write in the subsequent event loop. Using sys_write in
these places causes ctdb to loop hard till a client is able to read from
the socket. With real time scheduling, ctdb daemon spins consuming 100%
of CPU trying to write to the client sockets. This can be quite harmful
when running under VMs or machines with single CPU.
This regression was introduced when all read/write calls were replaced to
use sys_read/sys_write wrappers (
c1558adeaa980fb4bd6177d36250ec8262e9b9fe).
The existing code backs off in case of EAGAIN failures and waits for an
event loop to process the write again. This should give ctdb clients
a chance to get scheduled and to process the ctdb socket.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Feb 24 12:29:30 CET 2015 on sn-devel-104
Andreas Schneider [Fri, 30 Jan 2015 13:37:06 +0000 (14:37 +0100)]
nmblookup: Warn user if netbios name is too long.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 24 01:01:10 CET 2015 on sn-devel-104
Andreas Schneider [Fri, 30 Jan 2015 13:29:26 +0000 (14:29 +0100)]
nss-wins: Do not lookup invalid netbios names
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Fri, 30 Jan 2015 13:28:48 +0000 (14:28 +0100)]
libsmb: Do not lookup invalid netbios names.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Mon, 23 Feb 2015 18:15:05 +0000 (10:15 -0800)]
Revert "s3: smbd: signing. Ensure we respond correctly to an SMB2 negprot with SMB2_NEGOTIATE_SIGNING_REQUIRED."
Even though the MS-SMB2 spec says so, Windows doesn't behave
like this.
This reverts commit
1cea6e5b6f8c0e28d5ba2d296c831c4878fca304.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Andreas Schneider [Mon, 23 Feb 2015 16:12:46 +0000 (17:12 +0100)]
waf: Only build the wrappers if we enable selftest
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 23 22:31:22 CET 2015 on sn-devel-104
Andreas Schneider [Mon, 23 Feb 2015 16:19:04 +0000 (17:19 +0100)]
swrap: Bump version to 1.1.3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Mon, 23 Feb 2015 16:18:16 +0000 (17:18 +0100)]
swrap: If we remove the socket_info also unlink the unix socket
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 23 Feb 2015 16:17:43 +0000 (17:17 +0100)]
swrap: Do not leak the socket_info we just removed.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Mon, 23 Feb 2015 16:16:00 +0000 (17:16 +0100)]
src: Add support for running with address sanitizer.
Address sanitizer will complain about our hack with variable function
attributes. This disables the checking of it.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 23 Feb 2015 16:15:12 +0000 (17:15 +0100)]
swrap: Fix the loop for older gcc versions.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Mon, 16 Feb 2015 07:56:28 +0000 (08:56 +0100)]
torture: Add netr_setPassword(2) schannel test.
Thanks to Florian Weimer <fweimer@redhat.com> for the help to write
this torture test.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Feb 23 20:01:01 CET 2015 on sn-devel-104
Andreas Schneider [Mon, 16 Feb 2015 09:59:23 +0000 (10:59 +0100)]
s3-netlogon: Make sure we do not dereference a NULL pointer.
This is an additional patch for CVE-2015-0240.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Jeremy Allison [Wed, 28 Jan 2015 22:47:31 +0000 (14:47 -0800)]
CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Fri, 20 Feb 2015 02:50:45 +0000 (18:50 -0800)]
s3: smbd: SMB2 close. If a file has delete on close, store the return info before deleting.
If we delete the file on close, the stat after the close
will fail so we fail to return the attributes requested.
Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.
https://bugzilla.samba.org/show_bug.cgi?id=11104
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Feb 20 20:54:18 CET 2015 on sn-devel-104
Jeremy Allison [Fri, 20 Feb 2015 02:49:03 +0000 (18:49 -0800)]
s3: smbd: SMB2 close. Call utility function setup_close_full_information()
Replaces existing inline code.
Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.
https://bugzilla.samba.org/show_bug.cgi?id=11104
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
Jeremy Allison [Fri, 20 Feb 2015 02:46:55 +0000 (18:46 -0800)]
s3: smbd: SMB2 close. Add utility function setup_close_full_information()
Not yet used.
Bug 11104 - SMB2/SMB3 close response does not include attributes when requested.
https://bugzilla.samba.org/show_bug.cgi?id=11104
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Steve French <sfrench@samba.org>
Michael Adam [Thu, 19 Feb 2015 15:59:00 +0000 (16:59 +0100)]
doc:man:vfs_glusterfs: improve the configuration section.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 20 14:29:21 CET 2015 on sn-devel-104
Michael Adam [Fri, 13 Feb 2015 00:04:11 +0000 (01:04 +0100)]
doc:man:vfs_glusterfs: improve and update description.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Michael Adam [Fri, 13 Feb 2015 00:03:21 +0000 (01:03 +0100)]
doc:man:vfs_glusterfs: remove extra % signs.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Jeremy Allison [Wed, 18 Feb 2015 19:51:53 +0000 (11:51 -0800)]
s4: smbtorture: leases - show stat opens grant leases and can be broken.
https://bugzilla.samba.org/show_bug.cgi?id=11102
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 19 23:10:43 CET 2015 on sn-devel-104
Jeremy Allison [Wed, 18 Feb 2015 19:49:27 +0000 (11:49 -0800)]
s3: smbd: leases - loosen paranoia check. Stat opens can grant leases.
https://bugzilla.samba.org/show_bug.cgi?id=11102
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Jeremy Allison [Wed, 18 Feb 2015 19:48:31 +0000 (11:48 -0800)]
s3: smbd: leases - new torture test shows stat opens can get leases.
Can also issue breaks on these leases.
https://bugzilla.samba.org/show_bug.cgi?id=11102
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>