samba.git
3 years agoCVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with...
Stefan Metzmacher [Wed, 23 Dec 2015 14:39:48 +0000 (15:39 +0100)]
CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert

The generated ca cert (in ca.pem) was completely useless,
it could be replaced by cert.pem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: docs-xml: change the default of "ldap server require strong auth"...
Stefan Metzmacher [Fri, 25 Mar 2016 18:24:20 +0000 (19:24 +0100)]
CVE-2016-2112: docs-xml: change the default of "ldap server require strong auth" to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and...
Stefan Metzmacher [Mon, 21 Dec 2015 09:04:48 +0000 (10:04 +0100)]
CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc

We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: selftest: servers with explicit "ldap server require strong auth"...
Stefan Metzmacher [Mon, 21 Dec 2015 09:27:33 +0000 (10:27 +0100)]
CVE-2016-2112: selftest: servers with explicit "ldap server require strong auth" options

The default is "ldap server require strong auth = yes",
ad_dc_ntvfs uses "ldap server require strong auth = allow_sasl_over_tls",
fl2008r2dc uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc
Stefan Metzmacher [Sat, 26 Mar 2016 17:07:02 +0000 (18:07 +0100)]
CVE-2016-2112: s4:selftest: run samba4.ldap.bind against fl2008r2dc

This uses "ldap server require strong auth = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option
Stefan Metzmacher [Fri, 28 Aug 2015 10:19:37 +0000 (12:19 +0200)]
CVE-2016-2112: s4:ldap_server: implement "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: docs-xml: add "ldap server require strong auth" option
Stefan Metzmacher [Mon, 21 Dec 2015 11:03:56 +0000 (12:03 +0100)]
CVE-2016-2112: docs-xml: add "ldap server require strong auth" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable
Stefan Metzmacher [Fri, 18 Dec 2015 11:45:56 +0000 (12:45 +0100)]
CVE-2016-2112: s4:ldap_server: reduce scope of old_session_info variable

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain conne...
Stefan Metzmacher [Fri, 18 Dec 2015 10:56:29 +0000 (11:56 +0100)]
CVE-2016-2112: s4:selftest: use --option=clientldapsaslwrapping=plain for plain connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: auto upgrade to SIGN after STRONG_AUTH_REQUIRED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option
Stefan Metzmacher [Fri, 18 Dec 2015 07:29:50 +0000 (08:29 +0100)]
CVE-2016-2112: s4:libcli/ldap: honour "client ldap sasl wrapping" option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2112: s3:libads: make sure we detect downgrade attacks
Stefan Metzmacher [Thu, 24 Mar 2016 14:50:49 +0000 (15:50 +0100)]
CVE-2016-2112: s3:libads: make sure we detect downgrade attacks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
3 years agoCVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"
Stefan Metzmacher [Tue, 15 Mar 2016 20:59:42 +0000 (21:59 +0100)]
CVE-2016-2111: docs-xml/smbdotconf: default "raw NTLMv2 auth" to "no"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc
Stefan Metzmacher [Sat, 26 Mar 2016 21:08:38 +0000 (22:08 +0100)]
CVE-2016-2111: selftest:Samba3: use "raw NTLMv2 auth = yes" for nt4_dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s4:smb_server: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks
Stefan Metzmacher [Tue, 1 Mar 2016 09:25:54 +0000 (10:25 +0100)]
CVE-2016-2111: s3:auth: implement "raw NTLMv2 auth" checks

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"
Stefan Metzmacher [Tue, 15 Mar 2016 20:02:34 +0000 (21:02 +0100)]
CVE-2016-2111: docs-xml: add "raw NTLMv2 auth" defaulting to "yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego...
Stefan Metzmacher [Sun, 27 Mar 2016 00:09:05 +0000 (01:09 +0100)]
CVE-2016-2111: docs-xml: document the new "client NTLMv2 auth" and "client use spnego" interaction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s3:libsmb: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't send a raw NTLMv2 response when we want to use spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:param: use "client use spnego" to initialize options->use_spnego

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanma...
Stefan Metzmacher [Sat, 26 Mar 2016 17:08:16 +0000 (18:08 +0100)]
CVE-2016-2111: s4:libcli: don't allow the LANMAN2 session setup without "client lanman auth = yes"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/base: don't use ntlmv2 for dos connection in base.samba3error

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath
Stefan Metzmacher [Sat, 26 Mar 2016 21:24:23 +0000 (22:24 +0100)]
CVE-2016-2111: s4:torture/raw: don't use ntlmv2 for dos connection in raw.samba3badpath

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s3:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA
Stefan Metzmacher [Wed, 9 Dec 2015 12:12:43 +0000 (13:12 +0100)]
CVE-2016-2111: s4:rpc_server/netlogon: check NTLMv2_RESPONSE values for SEC_CHAN_WKSTA

This prevents spoofing like Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function
Stefan Metzmacher [Tue, 23 Feb 2016 18:08:31 +0000 (19:08 +0100)]
CVE-2016-2111: libcli/auth: add NTLMv2_RESPONSE_verify_netlogon_creds() helper function

This is the function that prevents spoofing like
Microsoft's CVE-2015-0005.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.pac ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test
Stefan Metzmacher [Sat, 12 Dec 2015 21:23:18 +0000 (22:23 +0100)]
CVE-2016-2111: s4:torture/rpc: fix rpc.samba3.netlogon ntlmv2 test

The computer name of the NTLMv2 blob needs to match
the schannel connection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validati...
Stefan Metzmacher [Fri, 7 Aug 2015 11:33:17 +0000 (13:33 +0200)]
CVE-2016-2111: s4:rpc_server/netlogon: require DCERPC_AUTH_LEVEL_PRIVACY for validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()
Günther Deschner [Fri, 25 Sep 2015 23:29:10 +0000 (01:29 +0200)]
CVE-2016-2111: s3:rpc_server/netlogon: always go through netr_creds_server_step_check()

The ensures we apply the "server schannel = yes" restrictions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
3 years agoCVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction
Stefan Metzmacher [Wed, 9 Mar 2016 14:31:23 +0000 (15:31 +0100)]
CVE-2016-2111: s4:rpc_server: implement 'server schannel = yes' restriction

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_h...
Stefan Metzmacher [Tue, 15 Dec 2015 14:10:20 +0000 (15:10 +0100)]
CVE-2016-2111: auth/gensec: correctly report GENSEC_FEATURE_{SIGN,SEAL} in schannel_have_feature()

This depends on the DCERPC auth level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel...
Stefan Metzmacher [Tue, 15 Dec 2015 14:11:32 +0000 (15:11 +0100)]
CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel_update()

It doesn't make any sense to allow other auth levels.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation...
Stefan Metzmacher [Thu, 19 Nov 2015 15:26:49 +0000 (16:26 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC generation (as client)

We now detect a MsvAvTimestamp in target info as indication
of the server to support NTLMSSP_MIC in the AUTH_MESSAGE.

If the client uses NTLMv2 we provide
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and valid MIC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking...
Stefan Metzmacher [Thu, 19 Nov 2015 15:02:58 +0000 (16:02 +0100)]
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC checking (as server)

We now include a MsvAvTimestamp in our target info as indication
for the client to include a NTLMSSP_MIC in the AUTH_MESSAGE.
If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
and require a valid MIC.

This is still disabled if the "map to guest" feature is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}
Stefan Metzmacher [Mon, 30 Nov 2015 08:13:14 +0000 (09:13 +0100)]
CVE-2016-2110: ntlmssp.idl: add NTLMSSP_MIC_{OFFSET,SIZE}

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()
Stefan Metzmacher [Fri, 20 Nov 2015 08:31:35 +0000 (09:31 +0100)]
CVE-2016-2110: libcli/auth: pass server_timestamp to SMBNTLMv2encrypt_hash()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_re...
Stefan Metzmacher [Fri, 20 Nov 2015 08:29:11 +0000 (09:29 +0100)]
CVE-2016-2110: auth/credentials: pass server_timestamp to cli_credentials_get_ntlm_response()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get...
Stefan Metzmacher [Tue, 24 Nov 2015 20:24:47 +0000 (21:24 +0100)]
CVE-2016-2110: auth/credentials: clear the LMv2 key for NTLMv2 in cli_credentials_get_ntlm_response()

If we clear CLI_CRED_LANMAN_AUTH and we should also clear the lm_response buffer
and don't send it over the net.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN
Stefan Metzmacher [Mon, 16 Dec 2013 10:27:27 +0000 (11:27 +0100)]
CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN

It's important to check if got the GENSEC_FEATURE_SIGN and if the caller
wanted it.

The caller may only asked for GENSEC_FEATURE_SESSION_KEY which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure
Stefan Metzmacher [Tue, 17 Dec 2013 10:49:31 +0000 (11:49 +0100)]
CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

This provides the infrastructure for this feature.

The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends
Stefan Metzmacher [Tue, 24 Nov 2015 19:13:24 +0000 (20:13 +0100)]
CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends

This used to work more or less before, but only for krb5 with the
server finishing first.

With NTLMSSP and new_spnego the client will finish first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade

New servers response with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange
Stefan Metzmacher [Fri, 20 Nov 2015 10:42:55 +0000 (11:42 +0100)]
CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange

Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:35 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult

This is defined in http://www.ietf.org/rfc/rfc4178.txt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t
Stefan Metzmacher [Tue, 17 Dec 2013 11:42:06 +0000 (12:42 +0100)]
CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response
Stefan Metzmacher [Fri, 20 Nov 2015 13:06:18 +0000 (14:06 +0100)]
CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response

We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_...
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending...
Stefan Metzmacher [Tue, 1 Dec 2015 13:54:13 +0000 (14:54 +0100)]
CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_stat...
Stefan Metzmacher [Tue, 1 Dec 2015 14:06:09 +0000 (15:06 +0100)]
CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2

ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH
Stefan Metzmacher [Tue, 1 Dec 2015 14:01:09 +0000 (15:01 +0100)]
CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH

man smb.conf says "client ntlmv2 auth = yes" the default disables,
"client lanman auth = yes":

  ...
  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
  logins will be attempted.
  ...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key
Stefan Metzmacher [Tue, 1 Dec 2015 13:58:19 +0000 (14:58 +0100)]
CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables
Stefan Metzmacher [Tue, 1 Dec 2015 10:01:24 +0000 (11:01 +0100)]
CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables

We now give an error when required flags are missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoCVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS
Stefan Metzmacher [Tue, 1 Dec 2015 07:46:45 +0000 (08:46 +0100)]
CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS

In future we can do a more fine granted negotiation
and assert specific security features.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
3 years agoRevert "selftest: dbcheck should not be marked flapping"
Stefan Metzmacher [Mon, 14 Mar 2016 01:00:14 +0000 (02:00 +0100)]
Revert "selftest: dbcheck should not be marked flapping"

This reverts commit a7b242aa61429fc41449d2d8f3f96d3b76ff12a1.

3 years agotdb mutex check: Fix CID 1358473 Uninitialized scalar variable
Volker Lendecke [Tue, 12 Apr 2016 05:49:40 +0000 (07:49 +0200)]
tdb mutex check: Fix CID 1358473 Uninitialized scalar variable

This comes via a "goto cleanup" before suspend_mask is initialized

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Apr 12 11:39:35 CEST 2016 on sn-devel-144

3 years agotdb: version 1.3.9 tdb-1.3.9
Stefan Metzmacher [Tue, 29 Mar 2016 16:01:32 +0000 (18:01 +0200)]
tdb: version 1.3.9

* avoid a race condition when checking for robust mutexes
  (bug #11808)
* Remove use of strcpy in tdb test.
* eliminate deprecation warnings in python tests
* Only set public headers field when installing as a public library.
* Refuse to load a database with hash size 0
* Fix various spelling errors

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 11 18:48:26 CEST 2016 on sn-devel-144

3 years agotdb: rework cleanup logic in tdb_runtime_check_for_robust_mutexes()
Uri Simchoni [Tue, 29 Mar 2016 18:36:17 +0000 (21:36 +0300)]
tdb: rework cleanup logic in tdb_runtime_check_for_robust_mutexes()

The cleanup logic used six goto lables, at least I'm not able to make
sane modifications to such a beast.

By using state flags that track which objects are initialized and need
cleanup, we get rid of the goto labels. It comes at a cost though: you
have to be careful to correctly set the cleanup flags.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
3 years agovfs_catia: Fix bug 11827, memleak
Volker Lendecke [Sun, 10 Apr 2016 10:51:15 +0000 (12:51 +0200)]
vfs_catia: Fix bug 11827, memleak

add_srt should add the mappings to the linked list even if
mappings==NULL (the default)

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11827
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 11 14:25:59 CEST 2016 on sn-devel-144

3 years agovfs_catia: Align loop index with terminator
Volker Lendecke [Sun, 10 Apr 2016 11:09:29 +0000 (13:09 +0200)]
vfs_catia: Align loop index with terminator

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
3 years agoexamples/smb.conf.default: Fix typo in comment line: sever -> server
Santiago Vila [Fri, 8 Apr 2016 11:05:56 +0000 (13:05 +0200)]
examples/smb.conf.default: Fix typo in comment line: sever -> server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11823

Signed-off-by: Santiago Vila <sanvila@debian.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  9 02:35:23 CEST 2016 on sn-devel-144

3 years agos3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
Jeremy Allison [Tue, 5 Apr 2016 20:07:06 +0000 (13:07 -0700)]
s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.

Reported by Thomas Dvorachek <tdvorachek@yahoo.com> from a Windows 10 server.
Confirmed in MS-CIFS 2.2.8.1.7.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11822

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr  6 03:46:55 CEST 2016 on sn-devel-144

3 years agoselftest: Load time_audit and full_audit
Christof Schmitt [Fri, 1 Apr 2016 05:31:19 +0000 (22:31 -0700)]
selftest: Load time_audit and full_audit

This triggers the check for missing VFS functions in these modules.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agovfs_time_audit: Assert that all VFS functions are implemented
Christof Schmitt [Fri, 1 Apr 2016 05:30:41 +0000 (22:30 -0700)]
vfs_time_audit: Assert that all VFS functions are implemented

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agovfs_full_audit: Assert that all VFS functions are implemented
Christof Schmitt [Fri, 1 Apr 2016 05:30:14 +0000 (22:30 -0700)]
vfs_full_audit: Assert that all VFS functions are implemented

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agovfs: Add helper to check for missing VFS functions
Christof Schmitt [Fri, 1 Apr 2016 16:47:31 +0000 (09:47 -0700)]
vfs: Add helper to check for missing VFS functions

Some VFS modules want to ensure that they implement all VFS functions.
This helper can be used to detect missing functions in the developer
build.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agoconfigure: Don't check for inotify on illumos
Jorge Schrauwen [Sun, 3 Apr 2016 09:43:50 +0000 (11:43 +0200)]
configure: Don't check for inotify on illumos

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11816
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agonwrap: Fix the build on Solaris
Volker Lendecke [Mon, 4 Apr 2016 11:43:02 +0000 (13:43 +0200)]
nwrap: Fix the build on Solaris

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11816

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Apr  5 08:57:06 CEST 2016 on sn-devel-144

3 years agos3: vfs: time_audit. Add missing audit_file().
Jeremy Allison [Tue, 5 Apr 2016 00:01:53 +0000 (17:01 -0700)]
s3: vfs: time_audit. Add missing audit_file().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: time_audit: Add get/fget/set/fset dos_attributes functions.
Jeremy Allison [Mon, 4 Apr 2016 23:57:12 +0000 (16:57 -0700)]
s3: vfs: time_audit: Add get/fget/set/fset dos_attributes functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: time_audit. Add missing fsctl().
Jeremy Allison [Mon, 4 Apr 2016 23:46:56 +0000 (16:46 -0700)]
s3: vfs: time_audit. Add missing fsctl().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: time_audit. Add missing get_dfs_referrals().
Jeremy Allison [Mon, 4 Apr 2016 23:42:49 +0000 (16:42 -0700)]
s3: vfs: time_audit. Add missing get_dfs_referrals().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: Sort vfs function entries in vfs_time_audit.
Jeremy Allison [Mon, 4 Apr 2016 23:39:22 +0000 (16:39 -0700)]
s3: vfs: Sort vfs function entries in vfs_time_audit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: full_audit. Implement missing durable_XXX functions.
Jeremy Allison [Mon, 4 Apr 2016 23:29:32 +0000 (16:29 -0700)]
s3: vfs: full_audit. Implement missing durable_XXX functions.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: full_audit. Add audit_file_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:27:05 +0000 (16:27 -0700)]
s3: vfs: full_audit. Add audit_file_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: full_audit. Add missing fsctl_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:25:47 +0000 (16:25 -0700)]
s3: vfs: full_audit. Add missing fsctl_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: full_audit. Add missing get_dfs_referrals_fn().
Jeremy Allison [Mon, 4 Apr 2016 23:24:10 +0000 (16:24 -0700)]
s3: vfs: full_audit. Add missing get_dfs_referrals_fn().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agos3: vfs: full_audit. Sort vfs fn list and add comments on missing entries.
Jeremy Allison [Mon, 4 Apr 2016 23:22:06 +0000 (16:22 -0700)]
s3: vfs: full_audit. Sort vfs fn list and add comments on missing entries.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
3 years agolib:replace: Missing semicolon on function definition.
Jeremy Allison [Fri, 1 Apr 2016 23:44:21 +0000 (16:44 -0700)]
lib:replace: Missing semicolon on function definition.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Sat Apr  2 06:04:13 CEST 2016 on sn-devel-144

3 years agoBug 11818 : obvious missing word When trying to demote a dc, 'remove_dc.remove_sysvol...
Rowland Penny [Thu, 31 Mar 2016 12:24:28 +0000 (13:24 +0100)]
Bug 11818 : obvious missing word When trying to demote a dc, 'remove_dc.remove_sysvol_references' is sent 'remote_samdb, dc_name' , it expects 'remote_samdb, logger, dc_name'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11818

Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr  1 22:54:22 CEST 2016 on sn-devel-144

3 years agovfs_gpfs: Remove xattr functions
Christof Schmitt [Wed, 23 Mar 2016 05:43:49 +0000 (22:43 -0700)]
vfs_gpfs: Remove xattr functions

The xattr functions intercepted only the calls from dosmode. With the
implementation of the dos_attribute interface, the xattr codepaths never
get called and can be removed.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agovfs_gpfs: Implement new dos_attributes vfs functions
Christof Schmitt [Wed, 23 Mar 2016 05:39:11 +0000 (22:39 -0700)]
vfs_gpfs: Implement new dos_attributes vfs functions

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agogpfswrap: Add wrapper for gpfs_set_winattrs
Christof Schmitt [Wed, 23 Mar 2016 05:38:11 +0000 (22:38 -0700)]
gpfswrap: Add wrapper for gpfs_set_winattrs

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
3 years agoctdb-killtcp: Change default retry interval, batch size and attempts
Martin Schwenke [Tue, 29 Mar 2016 03:58:33 +0000 (14:58 +1100)]
ctdb-killtcp: Change default retry interval, batch size and attempts

Testing indicates that these are good reliable defaults that can kill
many connections in a reasonable amount of time.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Fri Apr  1 08:10:54 CEST 2016 on sn-devel-144

3 years agoctdb-killtcp: Send tickle ACKs in batches
Martin Schwenke [Thu, 24 Mar 2016 04:11:22 +0000 (15:11 +1100)]
ctdb-killtcp: Send tickle ACKs in batches

At the moment the batch size is "all".

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Store retry interval in killtcp structure
Martin Schwenke [Wed, 23 Mar 2016 00:03:41 +0000 (11:03 +1100)]
ctdb-killtcp: Store retry interval in killtcp structure

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Don't count attempts for individual connections
Martin Schwenke [Tue, 22 Mar 2016 21:26:36 +0000 (08:26 +1100)]
ctdb-killtcp: Don't count attempts for individual connections

This made sense when connections were individually queued in the
daemon.  However, they're now done in batch so just keep an overall
count.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Keep track of number of kill attempts and maximum allowed
Martin Schwenke [Tue, 22 Mar 2016 21:20:07 +0000 (08:20 +1100)]
ctdb-killtcp: Keep track of number of kill attempts and maximum allowed

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Filter out sent packets
Martin Schwenke [Mon, 21 Mar 2016 00:11:19 +0000 (11:11 +1100)]
ctdb-killtcp: Filter out sent packets

When previously killing TCP connections via the daemon there was some
latency due to each kill being sent to the daemon via a separate
control.  This probably meant that when doing a 2-way kill the tickle
ACKs sent to the client end of a connection would not interfere with
listening for the reply ACK from the server end.  Now that there is no
latency, the tickle ACK or RST sent to the client end can be seen as
the reply to the server end tickle ACK, and vice-versa.

To avoid this, throw away packets that look like we sent them.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-system: Return window size and RST bit when reading TCP packets
Martin Schwenke [Mon, 21 Mar 2016 00:07:19 +0000 (11:07 +1100)]
ctdb-system: Return window size and RST bit when reading TCP packets

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Clarify a debug message
Martin Schwenke [Mon, 21 Mar 2016 00:45:10 +0000 (11:45 +1100)]
ctdb-killtcp: Clarify a debug message

The end of the connection in parentheses is not the end being killed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Set debug level via environment variable CTDB_DEBUGLEVEL
Martin Schwenke [Mon, 21 Mar 2016 00:42:40 +0000 (11:42 +1100)]
ctdb-killtcp: Set debug level via environment variable CTDB_DEBUGLEVEL

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Don't send initial tickle ACK during setup
Martin Schwenke [Tue, 29 Mar 2016 02:49:11 +0000 (13:49 +1100)]
ctdb-killtcp: Don't send initial tickle ACK during setup

Since they're being done in batch, just schedule an event to traverse
all the connections.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Drop unnecessary casts
Martin Schwenke [Wed, 23 Mar 2016 03:49:05 +0000 (14:49 +1100)]
ctdb-killtcp: Drop unnecessary casts

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Drop check to see if capture socket can be read
Martin Schwenke [Wed, 23 Mar 2016 03:18:24 +0000 (14:18 +1100)]
ctdb-killtcp: Drop check to see if capture socket can be read

The handler won't be called unless there is something to read.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
3 years agoctdb-killtcp: Merge "common" killtcp code into helper
Martin Schwenke [Fri, 11 Mar 2016 05:04:30 +0000 (16:04 +1100)]
ctdb-killtcp: Merge "common" killtcp code into helper

ctdb_killtcp.c is now the only place it is needed.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>