Michael Adam [Thu, 22 Jan 2009 12:46:25 +0000 (13:46 +0100)]
s4: remove SET_HWM and SET_DUAL_HWM from wb_samba3_protocol


Michael Adam [Sun, 27 Jun 2010 22:34:29 +0000 (00:34 +0200)]
s3:winbind: remove SET_HWM from winbind's API.

Michael Adam [Thu, 22 Jan 2009 12:39:33 +0000 (13:39 +0100)]
libwbclient: unimplement wbcSetGidHwm()


Michael Adam [Thu, 22 Jan 2009 12:37:11 +0000 (13:37 +0100)]
libwbclient: unimplement wbcSetUidHwm()


Michael Adam [Thu, 22 Jan 2009 12:33:54 +0000 (13:33 +0100)]
s3:net: rewrite "net idmap restore" using dbwrap

This removes the use of libwbclient from "net idmap".

This detects the idmap backend from the current smb.conf
and stores the id mapping tables in the corresponding data bases.
Currently, only tdb and tdb2 backends are supported.
Support for the ldap backend may be implemented later.

Michael Adam [Mon, 14 Jun 2010 10:25:11 +0000 (12:25 +0200)]
s3:net: change "net idmap dump" to use dbwrap instead of direct tdb access

This way, it will also work in a samba-ctdb cluster.

Michael Adam [Thu, 22 Jan 2009 11:20:46 +0000 (12:20 +0100)]
s3:net sam provision: compose sid before getting uid for Guest


Michael Adam [Thu, 22 Jan 2009 11:12:43 +0000 (12:12 +0100)]
s3:net sam provision: allocate the uid after composing the sid for Administrator


Michael Adam [Thu, 22 Jan 2009 11:01:16 +0000 (12:01 +0100)]
s3:pdb_ldap: move some code in ldapsam_create_dom_group()

to make the flow more similar to ldapsam_create_user().
This prepares for calling winbind_sid_to_gid() instead of
winbind_allocate_gid(): we need the group_sid for this...


Michael Adam [Thu, 22 Jan 2009 10:10:01 +0000 (11:10 +0100)]
s3:groupdb: allocate a gid after allocating a rid in pdb_default_create_alias()


Michael Adam [Tue, 1 Jun 2010 12:03:32 +0000 (14:03 +0200)]
s3:idmap_tdb2: fix a debug message

Michael Adam [Fri, 13 Aug 2010 23:54:37 +0000 (01:54 +0200)]
s3:test: add a new "valgrindtestenv" target, similar to gdbtestenv

this runs the daemons in xterm under valgrind instead of in gdb

Michael Adam [Fri, 13 Aug 2010 23:52:41 +0000 (01:52 +0200)]
s3:gdbtestenv: also start an xterm with nmbd. and start winbindd before smbd.

Michael Adam [Fri, 13 Aug 2010 23:49:52 +0000 (01:49 +0200)]
s3:gdbtestenv: also set the xterm's window title appropriately

Michael Adam [Fri, 13 Aug 2010 23:48:09 +0000 (01:48 +0200)]
s3:gdbtestenv: print the server's name in the icontitle instead of "server"

Michael Adam [Fri, 13 Aug 2010 15:29:07 +0000 (17:29 +0200)]
pidl: fix printing of server side ndr request debug messages

The macros NDR_PRINT_IN_DEBUG and NDR_PRINT_OUT_DEBUG are made for
the client side. For the server side, the NDR_SET_VALUES flag needs
to be added for the OUT struct and not for the IN struct, otherwise,
the OUT part can print uninitialized data and the IN part may
recalculate string lengths illegally.

Volker Lendecke [Fri, 13 Aug 2010 20:51:29 +0000 (22:51 +0200)]
s3: Fix some error messages

Jeremy Allison [Fri, 13 Aug 2010 17:47:08 +0000 (10:47 -0700)]
Eliminate any chance of a class of "uninitialized auto variable" errors.


Rusty Russell [Fri, 13 Aug 2010 16:43:26 +0000 (02:13 +0930)]
tdb: workaround starvation problem in locking entire database.

We saw tdb_lockall() take 71 seconds under heavy load; this is because Linux
(at least) doesn't prevent new small locks being obtained while we're waiting
for a big lock.

The workaround is to do divide and conquer using non-blocking chainlocks: if
we get down to a single chain we block.  Using a simple test program where
children did "hold lock for 100ms, sleep for 1 second" the time to do
tdb_lockall() dropped significantly.  There are ln(hashsize) locks taken in
the contended case, but that's slow anyway.

More analysis is given in my blog at

This may also help transactions, though in that case it's the initial
read lock which uses this gradual locking routine; the update-to-write-lock
code is separate and still tries to update in one go.

Even though ABI doesn't change, minor version bumped so behavior change
can be easily detected.

Signed-off-by: Rusty Russell <>

Günther Deschner [Tue, 10 Aug 2010 09:33:03 +0000 (11:33 +0200)]
s3-selftest: move make test to selftest.

The old "make test" can be still called as "make oldtest".


Günther Deschner [Fri, 13 Aug 2010 16:28:48 +0000 (18:28 +0200)]
s3-selftest: fix testparm tests as non-root.

Thanks to Andreas for pointing this out.


Andreas Schneider [Tue, 10 Aug 2010 11:45:55 +0000 (13:45 +0200)]
s3-smbd: Publish nt printers.

Reloading of the printers requires rpc services up and running! The
first call in reload_services will be skipped.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Tue, 10 Aug 2010 10:29:27 +0000 (12:29 +0200)]
s3-smbd: Move rpc services init to smbd parent.

The move to the parent makes it possible to use an internal rpc pipe
really early and as we migrated several parts of samba to rpc function
this is required. This should speed up the fork of a smbd a bit cause
the rpc services are already running.

We still have several problems here which aren't solved. We don't have a
dependency tree here. For example we have to make sure that the registry
is initialized before we can use the winreg pipe. The spoolss server
requires winreg, so we have to start winreg before we can start the
spoolss server. I'm sure there are more dependencies.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Tue, 10 Aug 2010 10:28:46 +0000 (12:28 +0200)]
s3-smbd: Regroup some init functions.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Mon, 9 Aug 2010 13:57:38 +0000 (15:57 +0200)]
s3-smbd: Fixed indent.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Mon, 9 Aug 2010 12:50:12 +0000 (14:50 +0200)]
s3-loadparm: Added some comments to lp_load_ex calls.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Mon, 9 Aug 2010 12:49:08 +0000 (14:49 +0200)]
s3-smbd: Cleanup the order of the init functions.

Signed-off-by: Simo Sorce <>

Andreas Schneider [Mon, 9 Aug 2010 12:47:55 +0000 (14:47 +0200)]
s3-smbd: Make sure the event context is initialized.

Signed-off-by: Simo Sorce <>

Günther Deschner [Fri, 13 Aug 2010 14:01:56 +0000 (16:01 +0200)]
s3-build: remove pointless RPC_PARSE_OBJ2.


Günther Deschner [Fri, 13 Aug 2010 14:02:28 +0000 (16:02 +0200)]
s3-waf: remove pointless RPC_PARSE_SRC2.


Volker Lendecke [Fri, 13 Aug 2010 13:08:38 +0000 (15:08 +0200)]
s3: Replace some cli_errstr calls by nt_errstr

Günther Deschner [Fri, 13 Aug 2010 13:24:00 +0000 (15:24 +0200)]
s3-libnet: also remove libnet/libnet_samsync_keytab.c.orig.

Guys, what are you doing here ? ;-)


Günther Deschner [Fri, 13 Aug 2010 13:22:06 +0000 (15:22 +0200)]
s3-libnet: remove source3/libnet/libnet_join.c.orig, added by a previous commit.


Günther Deschner [Fri, 13 Aug 2010 13:12:29 +0000 (15:12 +0200)]
s3-dcerpc: fix build warning seen with -O3.

"warning: assuming signed overflow does not occur when assuming that (X + c) < X is always false"


Andrew Bartlett [Mon, 9 Aug 2010 22:25:02 +0000 (08:25 +1000)]
s3-krb5 Only build ADS support if arcfour-hmac-md5 is available

Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult.  This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.

The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time.  We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.

If not found, ADS support will not be compiled in.

This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use

A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.

Andrew Bartlett

Signed-off-by: Simo Sorce <>

Andrew Bartlett [Tue, 10 Aug 2010 02:00:29 +0000 (12:00 +1000)]
s3:libnet Add other required headers for libnet_samsync_keytab.c

Due to missing defines in modern kerberos libraries, this code was
not compiled and so this wasn't noticed.

Andrew Bartlett

Signed-off-by: Simo Sorce <>

Björn Jacke [Fri, 13 Aug 2010 12:53:22 +0000 (14:53 +0200)]
tdb: add TDB_DEPS variable filled with required libraries

This is required for Solaris, which needs to link in librt to make use of

Günther Deschner [Fri, 13 Aug 2010 11:33:40 +0000 (13:33 +0200)]
s3-build: pointless to link in libads and dcutils into smbcacls.


Günther Deschner [Thu, 12 Aug 2010 15:08:08 +0000 (17:08 +0200)]
s3-build: separate out libads_printer.


Günther Deschner [Thu, 12 Aug 2010 15:04:12 +0000 (17:04 +0200)]
s3-waf: separate out libads_printer.


Günther Deschner [Thu, 12 Aug 2010 13:43:03 +0000 (15:43 +0200)]
s3-selftest: add testparm tests to selftest.


Jeremy Allison [Thu, 12 Aug 2010 21:24:01 +0000 (14:24 -0700)]
Fix bug #7617 - smbd coredump due to uninitialized variables in the performance counter code.

In the file rpc_server.c, function _winreg_QueryValue()

uint8_t *outbuf

Should be :

uint8_t *outbuf = NULL;

As it is later freed by

      if (free_buf) SAFE_FREE(outbuf);

in some cases, this frees the uninitialized outbuf, which causes a coredump.

Jim McDonough [Thu, 12 Aug 2010 21:51:02 +0000 (17:51 -0400)]
s3-libnet: fix bug #6364: Pull realm from supplied username on libnet join

Günther Deschner [Thu, 12 Aug 2010 14:51:24 +0000 (16:51 +0200)]
s3-waf: fix the build.


Björn Jacke [Thu, 12 Aug 2010 14:18:45 +0000 (16:18 +0200)]
s3: fall back to cups-config for underlinked libs

some OpenBSD systems have underlinked cups libraries. If linking against cups
alone fails, try to link against all the cups-config --libs cruft, which we
usually don't want. (bugzilla #7244)

Björn Jacke [Mon, 9 Aug 2010 16:37:58 +0000 (18:37 +0200)]
Revert "s3: Use cups-config --libs"

This reverts commit 911db761148. This was introduced in 18f1f5b56b140

Günther Deschner [Thu, 12 Aug 2010 14:28:10 +0000 (16:28 +0200)]
ntlmssp: fix uninitialized variable in ntlmssp_server_postauth().


Stefan Metzmacher [Thu, 5 Aug 2010 19:01:25 +0000 (21:01 +0200)]
pidl:Samba3/ClientNDR: implement rpccli_ stubs on top of dcerpc_ stubs


Stefan Metzmacher [Fri, 6 Aug 2010 10:20:07 +0000 (12:20 +0200)]
s3:Makefile: link in dcerpc client stubs


Stefan Metzmacher [Fri, 6 Aug 2010 09:50:09 +0000 (11:50 +0200)]
s3:winbindd: add wbint dcerpc_binding_handle backend


Stefan Metzmacher [Sat, 7 Aug 2010 12:37:21 +0000 (14:37 +0200)]
s3:rpc_server: add rpc_pipe_open_internal dcerpc_binding_handle backend


Stefan Metzmacher [Fri, 6 Aug 2010 09:30:51 +0000 (11:30 +0200)]
s3:rpc_client: add dcerpc_binding_handle backend


Stefan Metzmacher [Sat, 7 Aug 2010 12:48:57 +0000 (14:48 +0200)]
s4:librpc/rpc: make struct dcerpc_binding_handle private


Stefan Metzmacher [Tue, 10 Aug 2010 11:27:12 +0000 (13:27 +0200)]
pidl:Samba4/NDR/Client: add sync dcerpc_pipe based stubs as compat for OpenChange

This will activate the compat wrappers for all functions of an interface:
 #include <ndr_myproto_c.h>

This will activate the compat wrappers just for specific functions:
 #include <ndr_myproto_c.h>


Stefan Metzmacher [Thu, 5 Aug 2010 14:10:52 +0000 (16:10 +0200)]
pidl:Samba4/NDR/Client: add non struct base dcerpc_binding_handle client stubs


Stefan Metzmacher [Thu, 5 Aug 2010 11:29:56 +0000 (13:29 +0200)]
pidl:Samba4/NDR/Client: convert code to $self->pidl()


Stefan Metzmacher [Thu, 5 Aug 2010 10:59:46 +0000 (12:59 +0200)]
pidl:Samba4/NDR/Client: s/interface/if/


Stefan Metzmacher [Thu, 5 Aug 2010 16:22:02 +0000 (18:22 +0200)]
pidl:Samba4/NDR/Client: make use of the new dcerpc_binding_handle_call() infrastructure


Stefan Metzmacher [Wed, 10 Mar 2010 16:56:10 +0000 (17:56 +0100)]
pidl:Samba4/NDR/Client: remove old dcerpc_pipe based sync stubs

They're unused in Samba and only used by OpenChange.
I'll add compat functions for OpenChange later.


Stefan Metzmacher [Thu, 5 Aug 2010 16:18:30 +0000 (18:18 +0200)]
s4:librpc/rpc: add dcerpc_binding_handle dcerpc_pipe backend


Stefan Metzmacher [Thu, 5 Aug 2010 16:14:04 +0000 (18:14 +0200)]
librpc/rpc: add dcerpc_binding_handle abstraction


Stefan Metzmacher [Tue, 10 Aug 2010 13:11:02 +0000 (15:11 +0200)]
s4:librpc/rpc: fix dcerpc_log_packet() prototype


Stefan Metzmacher [Thu, 12 Aug 2010 08:50:47 +0000 (10:50 +0200)]
s4:librpc/rpc: autodetect the need of async call logic


Stefan Metzmacher [Tue, 10 Aug 2010 12:29:42 +0000 (14:29 +0200)]
pidl:Samba3/ClientNDR: ignore "todo" functions


Stefan Metzmacher [Thu, 12 Aug 2010 07:31:38 +0000 (09:31 +0200)]
testprogs/midltests: add some example IDL files and their midltests.exe output


Volker Lendecke [Thu, 12 Aug 2010 10:55:11 +0000 (12:55 +0200)]
s3: Reduce the load on the echo handler

If the parent is fast enough, the echo handler should not step in. When the
socket becomes readable, the echo handler goes to sleep for a second. If within
that second, the parent has picked up the SMB request from the net, the echo
handler will just go back to select().

Volker Lendecke [Thu, 12 Aug 2010 10:48:43 +0000 (12:48 +0200)]
s3: Slightly simplify the logic in smbd_server_echo_handler

Volker Lendecke [Thu, 12 Aug 2010 10:48:30 +0000 (12:48 +0200)]
s3: Slightly simplify the logic in smbd_server_connection_handler

Volker Lendecke [Thu, 12 Aug 2010 10:25:41 +0000 (12:25 +0200)]
s3: ?true:false is a *bit* pointless :-)

Volker Lendecke [Tue, 10 Aug 2010 17:41:38 +0000 (19:41 +0200)]
Fix a typo

James Peach [Fri, 6 Aug 2010 22:21:31 +0000 (15:21 -0700)]
smbtorture: Don't crash RAW-QFILEINFO if there's no alternate name.

James Peach [Fri, 6 Aug 2010 22:25:12 +0000 (15:25 -0700)]
smbtorture: Make BASE-OPENATTR report a failure if it fails.

Günther Deschner [Wed, 11 Aug 2010 10:45:51 +0000 (12:45 +0200)]
s3-waf: fix the waf build with more recent MIT krb5 libs.

(such as MIT krb5 1.7.1 on fedora 13).

This whole area needs more work and love later, for now it builds at least.

Kai, please check.


Kamen Mazdrashki [Mon, 9 Aug 2010 22:08:19 +0000 (01:08 +0300)]
s4-test: Implement DRS-RPC-msDSIntId test case

Kamen Mazdrashki [Tue, 10 Aug 2010 18:05:47 +0000 (21:05 +0300)]
s4-dsdb: fix attributes_by_msDS_IntId index sorting

Kamen Mazdrashki [Sat, 7 Aug 2010 09:52:07 +0000 (12:52 +0300)]
s4-test: Move dsdb_schema loading into public function

I will use this function for tests implementation later

Kamen Mazdrashki [Thu, 5 Aug 2010 01:55:04 +0000 (04:55 +0300)]
s4-test: Move RPC-DSSYNC test in DRS-RPC test suite

Kamen Mazdrashki [Thu, 5 Aug 2010 15:37:24 +0000 (18:37 +0300)]
s4-test: Move dssync.c to torture/drs/rpc

Kamen Mazdrashki [Thu, 5 Aug 2010 15:35:35 +0000 (18:35 +0300)]
s4-test: strip trailing white-spaces

Matthias Dieter Wallnöfer [Tue, 10 Aug 2010 19:01:11 +0000 (21:01 +0200)]
s4:objectclass LDB module - weaken the check for the "rIDSet" delete constraint

Perform it only when a "rIDSet" does exist. Requested by ekacnet for

Matthias Dieter Wallnöfer [Mon, 9 Aug 2010 17:52:00 +0000 (19:52 +0200)]
s4:dsdb/common/util.c - provide a call which returns the forest function level

Sooner or later we'll need this too since not all operations depend only on the
current domain's function level (see the MS-ADTS docs).

Matthias Dieter Wallnöfer [Mon, 9 Aug 2010 17:48:03 +0000 (19:48 +0200)]
libds/common/flags.h - fix a comment's typo

Matthias Dieter Wallnöfer [Mon, 9 Aug 2010 17:45:45 +0000 (19:45 +0200)]
s4:dsdb/common/util.c - use LDB constants whenever possible

Andrew Bartlett [Fri, 6 Aug 2010 11:31:21 +0000 (21:31 +1000)]
libcli/auth Make the source3/ implementation of the NTLMSSP server common

This means that the core logic (but not the initialisation) of the
NTLMSSP server is in common, but uses different authentication backends.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 10:53:39 +0000 (20:53 +1000)]
s3:ntlmssp Split the NTLMSSP server into before and after authentication

This allows for a future where the auth subsystem is async, and the
session key generation needs to happen in a callback.

This code is originally reworked into this style by metze for the
source4/ implementation.

The other change here is to introduce an 'out_mem_ctx', which makes
the API match that used in source4.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 10:48:17 +0000 (20:48 +1000)]
s3:ntlmssp Always call ntlmssp_sign_init()

There is no code path that sets nt_status before this point, without
a return.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 10:41:54 +0000 (20:41 +1000)]
s3:ntlmssp Don't use talloc_tos() for NTLMSSP blobs for now

This code will, I hope, soon be merged in common, and the Samba4
use case does not currently support talloc_tos() properly.  Use another
context for now.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 10:24:35 +0000 (20:24 +1000)]
s3:ntlmssp Don't permit LM_KEY in combination with NTLMv2

This is another 'belts and braces' check to avoid the use of the
weak 'LM_KEY' encryption when the client has chosen NTLMv2.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 09:43:06 +0000 (19:43 +1000)]
s3:ntlmssp Don't reply with the LM_KEY negotiation flag when not available

This ensures the client isn't confused and we don't enter this
weaker authentication scheme when we don't really, really need to.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 09:01:34 +0000 (19:01 +1000)]
s3:ntlmssp Don't use the lm key if the user didn't supply one.

This may help to avoid a number of possible MITM attacks where LM_KEY is
spoofed into the session.  If the login wasn't with lanman
(and so the user chose to disclose their lanman response),
don't disclose back anything based on their lanman password.

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 08:35:25 +0000 (18:35 +1000)]
s3:ntlmssp Add extra DEBUG() message for auth system failures

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Andrew Bartlett [Fri, 6 Aug 2010 08:18:51 +0000 (18:18 +1000)]
s3:ntlmssp Redirect lp_lanman_auth() via 'allow_lm_key'

This will allow this to be handled via common code in the future

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Günther Deschner [Tue, 10 Aug 2010 09:51:01 +0000 (11:51 +0200)]
libcli/auth/ntlmssp: remove outdated comment. The version flag is well understood now.


Günther Deschner [Tue, 10 Aug 2010 09:39:04 +0000 (11:39 +0200)]
s3: fix the waf build.


Andrew Bartlett [Fri, 6 Aug 2010 08:16:32 +0000 (18:16 +1000)]
libcli/auth Move some source3/ NTLMSSP functions to the common code.
libcli/auth Use true and false rather than True and False in common code

Andrew Bartlett

Signed-off-by: Günther Deschner <>

Jeremy Allison [Mon, 9 Aug 2010 23:16:24 +0000 (16:16 -0700)]
Fix bug #7608 - Win7 SMB2 authentication causes smbd panic

We need to call setup_ntlmssp_server_info() if status==NT_STATUS_OK,
or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
as this can trigger map to guest.


Matthieu Patou [Mon, 9 Aug 2010 20:54:50 +0000 (00:54 +0400)]
s4 upgradeprovision, fix a typo preventing the ridset to be correctly identified

Stefan Metzmacher [Mon, 9 Aug 2010 17:38:30 +0000 (19:38 +0200)]
pidl:NDR: correctly handle no pointer bracket arrays with 'string'


Günther Deschner [Mon, 9 Aug 2010 12:31:24 +0000 (14:31 +0200)]
s3-winbind: Fix Bug #7568: Make sure cm_connect_lsa_tcp does not reset the secure channel.

This is an important fix as the following could and is happening:

* winbind authenticates a user via schannel secured netlogon samlogonex call,
current secure channel cred state is stored in winbind state, winbind
successfully decrypts session key from the info3

* winbind sets up a new schannel ncacn_ip_tcp lsa pipe (and thereby resets the
secure channel on the dc)

* subsequent samlogonex calls use the new secure channel creds on the dc to
encrypt info3 session key, while winbind tries to use old schannel creds for


Andreas Schneider [Mon, 9 Aug 2010 09:47:23 +0000 (11:47 +0200)]
s4-rpc_server: Fixed the build of the dcerpc_server library.

Brad please check!