Volker Lendecke [Mon, 17 Aug 2009 21:13:48 +0000 (23:13 +0200)]
s3:winbind: Convert the GETPWENT routines to the new API
Volker Lendecke [Mon, 17 Aug 2009 20:50:39 +0000 (22:50 +0200)]
s3:winbind: Add async next_pwent
Volker Lendecke [Mon, 17 Aug 2009 20:44:55 +0000 (22:44 +0200)]
s3:winbind: Add async fill_pwent
Volker Lendecke [Mon, 17 Aug 2009 20:40:19 +0000 (22:40 +0200)]
s3:winbind: Add async query_user_list
Volker Lendecke [Tue, 25 Aug 2009 10:38:47 +0000 (12:38 +0200)]
s3:winbind: simplify wb_seqnums_done a bit
Volker Lendecke [Tue, 25 Aug 2009 10:29:25 +0000 (12:29 +0200)]
s3:winbind: Make wb_seqnums.c update the winbind cache seqnums
Volker Lendecke [Fri, 28 Aug 2009 12:25:11 +0000 (14:25 +0200)]
s3:winbind: Fix a bug found by RPC-SAMR
We need to enumerate passdb alias members
Thanks to gd for bugging me :-)
Volker Lendecke [Thu, 27 Aug 2009 14:13:51 +0000 (16:13 +0200)]
s3:winbind: Fix a typo
Volker Lendecke [Sun, 23 Aug 2009 10:43:43 +0000 (12:43 +0200)]
s3:winbind: Rename wbint_GroupMembers to wbint_Principals
Volker Lendecke [Sun, 23 Aug 2009 10:38:35 +0000 (12:38 +0200)]
s3:winbind: Rename wbint_GroupMember to wbint_Principal
Volker Lendecke [Sat, 29 Aug 2009 07:41:32 +0000 (09:41 +0200)]
tevent: Fix a segfault upon the first signal
When the first signal arrives, tevent_common_signal_handler() crashed: "ev" is
initialized to NULL, so the first "write(ev->pipe_fds[1], &c, 1);" dereferences
NULL.
Rusty, Tridge, please check. Also, can you tell me a bit more about the
environment you tested this in? I'd be curious to see where this survived.
Thanks,
Volker
Aravind Srinivasan [Wed, 26 Aug 2009 21:54:58 +0000 (14:54 -0700)]
s3: Add catia to the list of modules compiled by default
Signed-off-by: Tim Prouty <tprouty@samba.org>
Aravind Srinivasan [Wed, 26 Aug 2009 21:55:38 +0000 (14:55 -0700)]
s3: Major revamp for catia vfs module
This patch builds out catia to allow fully configurable mappings,
including mappings from single byte to multi-byte characters.
Additionally, a much more complete list of vfs operations is now
covered.
Signed-off-by: Tim Prouty <tprouty@samba.org>
Aravind Srinivasan [Wed, 26 Aug 2009 21:56:09 +0000 (14:56 -0700)]
s3: Add a new VFS op called SMB_VFS_TRANSLATE_NAME
This vop is designed to work in tandem with SMB_VFS_READDIR to allow
vfs modules to make modifications to arbitrary filenames before
they're consumed by callers. Subsequently the core directory
enumeration code in smbd is now changed to free the memory that may be
allocated in a module. This vop enables the new version of catia in
the following patch.
Signed-off-by: Tim Prouty <tprouty@samba.org>
Andrew Bartlett [Fri, 28 Aug 2009 09:26:53 +0000 (19:26 +1000)]
s4:ldb Don't sleep(100) in this error case, but debug the LDIF
Matthieu Patou [Wed, 26 Aug 2009 16:30:15 +0000 (20:30 +0400)]
s4: Create helper functions related to provision
One for getting attributes with DN syntax, one for getting forward
linked attributes and one for getting the list of partitions
Michael Adam [Fri, 28 Aug 2009 12:09:58 +0000 (14:09 +0200)]
s4-ldb: update dlinklist.h to match main copy (lib/util/dlinklist.h)
Michael
Michael Adam [Fri, 28 Aug 2009 12:06:28 +0000 (14:06 +0200)]
s3-ldb: update dlinklist.h to match main copy (lib/util/dlinklist.h)
This also removes build warnings of redefined macros
since it uses the embracing "#ifndef _DLINKLIST_H ... #endif".
Michael
Günther Deschner [Fri, 28 Aug 2009 11:42:39 +0000 (13:42 +0200)]
s4: include ntlmssp header in auth/ntlmssp/ntlmssp.h.
Guenther
Günther Deschner [Wed, 12 Aug 2009 18:22:58 +0000 (20:22 +0200)]
s3-ntlmssp: use generated ntlmssp code for debugging purpose.
Guenther
Günther Deschner [Fri, 28 Aug 2009 09:37:28 +0000 (11:37 +0200)]
s3-ntlmssp: add NDR helper routines for ntlmssp.
Guenther
Günther Deschner [Fri, 28 Aug 2009 09:36:28 +0000 (11:36 +0200)]
s4: fix the build after ntlmssp header change.
Guenther
Günther Deschner [Tue, 25 Aug 2009 10:30:48 +0000 (12:30 +0200)]
libcli/auth: remove unused NTLMSSP_NAME_TYPE_ flags.
Guenther
Günther Deschner [Tue, 25 Aug 2009 10:27:51 +0000 (12:27 +0200)]
s4-ntlmssp: use interface constants in TargetInfo blob.
Guenther
Günther Deschner [Tue, 25 Aug 2009 10:12:59 +0000 (12:12 +0200)]
s4-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants.
Guenther
Günther Deschner [Fri, 14 Aug 2009 12:08:45 +0000 (14:08 +0200)]
s3-ntlmssp: use interface constants in TargetInfo blob.
Guenther
Günther Deschner [Wed, 12 Aug 2009 18:22:04 +0000 (20:22 +0200)]
s3-ntlmssp: use NTLMSSP headers from IDL and remove duplicate constants.
Guenther
Günther Deschner [Fri, 21 Aug 2009 18:41:03 +0000 (20:41 +0200)]
ntlmssp: add ndr_print_ntlmssp_{nt,lm}_response() function.
Guenther
Günther Deschner [Wed, 12 Aug 2009 18:19:47 +0000 (20:19 +0200)]
ntlmssp: re-run make samba3-idl and add generated files.
Guenther
Günther Deschner [Thu, 13 Aug 2009 23:01:21 +0000 (01:01 +0200)]
ntlmssp: add NTLMSSP_MESSAGE_SIGNATURE to IDL.
Guenther
Günther Deschner [Wed, 12 Aug 2009 21:18:52 +0000 (23:18 +0200)]
ntlmssp: add AUTHENTICATE_MESSAGE to idl.
Guenther
Günther Deschner [Wed, 12 Aug 2009 16:14:31 +0000 (18:14 +0200)]
ntlmssp: add CHALLENGE_MESSAGE to IDL.
Guenther
Günther Deschner [Thu, 13 Aug 2009 22:31:53 +0000 (00:31 +0200)]
ntlmssp: add NEGOTIATE_MESSAGE to IDL.
Guenther
Günther Deschner [Thu, 13 Aug 2009 22:48:58 +0000 (00:48 +0200)]
ntlmssp: add string helper functions to handle OEM and UNICODE charset.
Guenther
Günther Deschner [Thu, 13 Aug 2009 15:11:07 +0000 (17:11 +0200)]
ntlmssp: add ntlmssp helper skeleton.
Guenther
Günther Deschner [Wed, 12 Aug 2009 13:23:28 +0000 (15:23 +0200)]
ntlmssp: add IDL.
Guenther
Rusty Russell [Fri, 28 Aug 2009 02:41:23 +0000 (12:11 +0930)]
lib/tevent: close pipe_fds on event_context destruction
The "hack_fds" were never closed before; now they're inside event_context
they should be closed when that is destroyed.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell [Fri, 28 Aug 2009 02:38:47 +0000 (12:08 +0930)]
lib/tevent: handle tevent_common_add_signal on different event contexts.
I don't know if this is a problem in real life.
The code assumes there's only one tevent_context; all signals will notify
the first event context. That's counter-intuitive if you ever use more
than one, and there's nothing else in this code which prevents it AFAICT.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell [Fri, 28 Aug 2009 02:34:22 +0000 (12:04 +0930)]
lib/tevent: fix race with signals and tevent_common_add_signal
We carefully preserve the old signal handler, but we replace it before
we've set up everything; in particular, if we fail setting up the
pipe_hack we could write a NUL char to stdout (fd 0), instead of
calling the old signal handler.
Replace the signal handler as the very last thing we do.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell [Fri, 28 Aug 2009 02:26:34 +0000 (11:56 +0930)]
lib/tdb: don't overwrite TDBs with different version numbers.
In future, this may happen, and we don't want to clobber them.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell [Wed, 26 Aug 2009 08:00:32 +0000 (17:30 +0930)]
lib/tevent: remove spectacularly complicated manual subtraction
To be completely honest, I don't quite know whether to laugh or cry at
this one:
1 + (0xFFFFFFFF & ~(s.seen - s.count))
== 1 + (~(s.seen - s.count)) # s.seen, s.count are uint32_t
== s.count - s.seen # -A == ~A + 1
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Michael Adam [Wed, 26 Aug 2009 10:58:47 +0000 (12:58 +0200)]
util: fix comment and clarify argument name in DLIST_DEMOTE()
Michael
Stefan Metzmacher [Wed, 19 Aug 2009 07:58:38 +0000 (09:58 +0200)]
s3:smbd: teach filename_convert() about fake files (2nd fix for bug #6642)
metze
Stefan Metzmacher [Wed, 19 Aug 2009 07:57:47 +0000 (09:57 +0200)]
s3:smbd: add is_fake_file_path() that takes only the raw path as string
metze
Stefan Metzmacher [Tue, 18 Aug 2009 09:34:54 +0000 (11:34 +0200)]
s3:streams: check for :$DATA only in the backend (fix bug #6642)
We need to allow "\\$Extend\\$Quota:$Q:$INDEX_ALLOCATION" to pass
check_path(), so that the Quota Dialog works.
metze
Stefan Metzmacher [Tue, 18 Aug 2009 09:32:37 +0000 (11:32 +0200)]
s3:error_map: make NTSTATUS -> errno -> NTSTATUS mapping consistent for NT_STATUS_INVALID_PARAMETER
Why have we mapped EINVAL -> NT_STATUS_INVALID_HANDLE before?
metze
Günther Deschner [Thu, 13 Aug 2009 22:36:21 +0000 (00:36 +0200)]
s3-ntlmssp: remove trailing whitespace.
Guenther
Stefan Metzmacher [Tue, 25 Aug 2009 09:25:47 +0000 (11:25 +0200)]
libcli/auth: add netlogon_creds_step_crypt() and netlogon_creds_first_step()
This abstracts the usage of crypto functions instead of directly calling
des_crypt112().
metze
Signed-off-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 25 Aug 2009 09:12:48 +0000 (11:12 +0200)]
libcli/auth: remove some useless lines
metze
Signed-off-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 25 Aug 2009 10:02:38 +0000 (12:02 +0200)]
libcli/auth: remember schannel type in netlogon_creds_server_init()
metze
Signed-off-by: Günther Deschner <gd@samba.org>
Günther Deschner [Tue, 25 Aug 2009 22:45:02 +0000 (00:45 +0200)]
s3-schannel: remove remaining code that was using "struct dcinfo".
Guenther
Günther Deschner [Tue, 25 Aug 2009 20:45:15 +0000 (22:45 +0200)]
s3-credentials: remove unused code.
Guenther
Günther Deschner [Wed, 26 Aug 2009 09:46:58 +0000 (11:46 +0200)]
s3-schannel: upgrade old format schannel_store.tdb.
Guenther
Günther Deschner [Tue, 25 Aug 2009 20:38:55 +0000 (22:38 +0200)]
s3-netlogon: use shared credential and schannel storage infrastructure for netlogon server.
Guenther
Günther Deschner [Tue, 25 Aug 2009 20:26:34 +0000 (22:26 +0200)]
s3-netlogon: add netr_creds_server_step_check() convenience wrapper.
Guenther
Günther Deschner [Tue, 25 Aug 2009 22:31:27 +0000 (00:31 +0200)]
s3-schannel: add simple wrappers to fetch and store schannel auth info.
Guenther
Günther Deschner [Tue, 25 Aug 2009 19:45:24 +0000 (21:45 +0200)]
s3-schannel: make open_schannel_session_store() public.
Guenther
Günther Deschner [Tue, 25 Aug 2009 19:16:27 +0000 (21:16 +0200)]
libcli/auth: add tdb backend for schannel state.
Guenther
Günther Deschner [Wed, 26 Aug 2009 13:08:32 +0000 (15:08 +0200)]
libcli/auth: move netlogon_creds_CredentialState out of libcli.
Guenther
Günther Deschner [Wed, 26 Aug 2009 12:45:35 +0000 (14:45 +0200)]
schannel: add netlogon_creds_CredentialState to IDL.
Guenther
Günther Deschner [Tue, 25 Aug 2009 19:09:53 +0000 (21:09 +0200)]
s4-schannel: add ldb suffix to schannel functions.
Guenther
Günther Deschner [Tue, 25 Aug 2009 16:59:39 +0000 (18:59 +0200)]
libcli/auth: rename schannel_state.c to schannel_state_ldb.c.
Guenther
Günther Deschner [Wed, 26 Aug 2009 14:48:00 +0000 (16:48 +0200)]
s3-build: add SCHANNEL_OBJ to Makefile.in.
Guenther
Volker Lendecke [Thu, 27 Aug 2009 12:55:41 +0000 (14:55 +0200)]
s3:winbind: Convert WINBINDD_GETUSERSIDS to the new API
Volker Lendecke [Thu, 27 Aug 2009 12:34:59 +0000 (14:34 +0200)]
s3:winbind: Fix a typo
Volker Lendecke [Thu, 27 Aug 2009 12:16:22 +0000 (14:16 +0200)]
s3:winbind: Remove the manual caching for the async wb_ functions
The generic NDR-based cache in winbindd_dual_ndr.c replaces this.
Volker Lendecke [Tue, 25 Aug 2009 10:25:12 +0000 (12:25 +0200)]
s3:winbind: Some calls are not cacheable
Volker Lendecke [Tue, 25 Aug 2009 09:26:14 +0000 (11:26 +0200)]
s3:winbind: Factor out wcache_store_seqnum()
Volker Lendecke [Sun, 23 Aug 2009 22:13:02 +0000 (00:13 +0200)]
s3:winbind: Add a generic cache for NDR based parent-child requests
Volker Lendecke [Sun, 23 Aug 2009 22:08:14 +0000 (00:08 +0200)]
s3:winbind: Factor out wcache_fetch_seqnum
Günther Deschner [Thu, 27 Aug 2009 11:37:06 +0000 (13:37 +0200)]
s4-smbtorture: do not hard code BDC secure channel type into RPC-NETLOGON tests.
Guenther
Günther Deschner [Thu, 27 Aug 2009 10:32:56 +0000 (12:32 +0200)]
s4-smbtorture: add test_SetPassword_flags to RPC-NETLOGON-S3 testsuite.
Guenther
Andrew Bartlett [Thu, 27 Aug 2009 09:38:04 +0000 (19:38 +1000)]
s4:python Add helper to get at the domain SID
Steven Danneman [Wed, 26 Aug 2009 23:17:38 +0000 (16:17 -0700)]
s3/smbd: open the share_info.tdb on startup instead of tconx
This is a small performance optimization. Instead of opening the tdb
on every smb connection in the forked child process, we now open it in
the parent and share the fd.
This also reduces the total fd usage in the system.
Steven Danneman [Wed, 26 Aug 2009 17:36:48 +0000 (10:36 -0700)]
s3/debug: make SPNEGO OID list appear under one debug header
Steven Danneman [Wed, 29 Jul 2009 23:13:44 +0000 (16:13 -0700)]
s3/winbindd: Remove unnecessary check for NULL SID
There's a known bug in some Windows implementations of
DsEnumerateDomainTrusts() where domain SIDs are not returned for
transitively trusted domains within the same forest.
Jerry originally worked around this in the winbindd parent by checking
for S-0-0 and converting it to S-1-0 in 8b0fce0b. Guenter later moved
these checks into the child process in commit 3bdfcbac making the
initial patch unnecessary.
I've removed it and added a clarifying comment to the child process.
If ever this SID is needed we could add an extra DsEnumerateDomainTrusts()
call in trusted_domains() as suggested by the Microsoft KB.
Günther Deschner [Wed, 26 Aug 2009 21:03:42 +0000 (23:03 +0200)]
s3-selftest: enable running RPC-NETLOGON-S3 against samba3.
Guenther
Günther Deschner [Wed, 26 Aug 2009 20:27:07 +0000 (22:27 +0200)]
s4-smbtorture: add RPC-NETLOGON-S3 to test samba3 netlogon server.
Guenther
tprouty [Wed, 26 Aug 2009 01:38:17 +0000 (01:38 +0000)]
s3 onefs: Canonicalize the ACL in the correct order
tprouty [Wed, 26 Aug 2009 01:38:14 +0000 (01:38 +0000)]
s3: Allow full_audit to play nice with smbd if it's using syslog
Explicitly pass the facility from both smbd and full_audit to syslog.
Really the only major change is to not call openlog() in full_audit if
WITH_SYSLOG is defined, which implies that smbd is already using
syslog. This allows full audit to piggy-back on the same ident as
smbd, while still differentiating the logging via the facility.
tprouty [Wed, 26 Aug 2009 01:38:07 +0000 (01:38 +0000)]
s3 audit: Change create_file in full_audit to print whether a directory or file was requested
full_audit will now print out whether the createfile was requested for
a file or directory. The create disposition is also printed out.
Volker Lendecke [Wed, 26 Aug 2009 16:20:06 +0000 (18:20 +0200)]
s3:winbind: Fix Coverity ID 942: Resource Leak
Stefan Metzmacher [Wed, 26 Aug 2009 06:10:35 +0000 (08:10 +0200)]
s4:heimdal_build: lib/hcrypto/evp-aes-cts.o belongs to HEIMDAL_HCRYPTO
metze
Günther Deschner [Wed, 26 Aug 2009 09:35:40 +0000 (11:35 +0200)]
s3-netlogon: let get_md4pw() return a struct dom_sid.
Guenther
Günther Deschner [Tue, 24 Mar 2009 17:33:28 +0000 (18:33 +0100)]
schannel: add generated files.
Guenther
Günther Deschner [Mon, 23 Mar 2009 13:08:09 +0000 (14:08 +0100)]
schannel: move schannel.idl to main directory.
Guenther
Günther Deschner [Wed, 26 Aug 2009 12:46:17 +0000 (14:46 +0200)]
netlogon: make netr_NegotiateFlags a public bitmap.
Guenther
Volker Lendecke [Wed, 26 Aug 2009 12:56:41 +0000 (14:56 +0200)]
Add a parameter to disable the automatic creation of krb5.conf files
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
Jeff Layton [Wed, 26 Aug 2009 10:26:02 +0000 (06:26 -0400)]
cifs.upcall: make using ip address conditional on new option
Igor Mammedov pointed out that reverse resolving an IP address to get
the hostname portion of a principal could open a possible attack
vector. If an attacker were to gain control of DNS, then he could
redirect the mount to a server of his choosing, and fix the reverse
resolution to point to a hostname of his choosing (one where he has
the key for the corresponding cifs/ or host/ principal).
That said, we often trust DNS for other reasons and it can be useful
to do so. Make the code that allows trusting DNS to be enabled by
adding --trust-dns to the cifs.upcall invocation.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Jeff Layton [Wed, 26 Aug 2009 10:15:42 +0000 (06:15 -0400)]
cifs.upcall: switch to getopt_long
...to allow long option names.
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Andrew Bartlett [Wed, 26 Aug 2009 07:31:44 +0000 (17:31 +1000)]
s4:provision Ensure that @OPTIONS is mirrored into each partition
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 05:59:00 +0000 (15:59 +1000)]
s4:ldb Add ldb_ldif_write_string() and python wrappers
This allows us to turn a python LdbMessage back into a string.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 05:01:12 +0000 (15:01 +1000)]
s4:ldb Add hooks to get/set the flags on a ldb_message_element
Also add tests to prove that we got this correct, and correct the
existing tests which used the wrong constants.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 03:44:50 +0000 (13:44 +1000)]
s4:schema Rework dsdb_write_prefixes_from_schema_to_ldb() to use talloc
This changes dsdb_write_prefixes_from_schema_to_ldb() to use an
internal talloc hierarchy, so we can safely give it a NULL context from
the python.
It also fixes manual construction of the ldb_message - we now use the
right helper functions.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 03:43:33 +0000 (13:43 +1000)]
s4:provision Add prefixes to ldb using same code a later modify will use
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 02:39:44 +0000 (12:39 +1000)]
s4:provision Only create references to our server DN after the self join
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 02:32:47 +0000 (12:32 +1000)]
s4:schema quiet a 'const' warning
Andrew Bartlett [Wed, 26 Aug 2009 02:29:45 +0000 (12:29 +1000)]
s4:dsdb Rework dsdb_write_prefixes_to_ldb() to take a schema
The aim is to create a function that is more easily wrapped for
python, so that we can write the updated prefixMap in an upgrade
script.
Andrew Bartlett
Andrew Bartlett [Wed, 26 Aug 2009 01:01:27 +0000 (11:01 +1000)]
s4:dsdb Use helper function to add 'show deleted' control
This revises tridge's commit
61ca4c491e1c13eb7d97847f743b0f540f1117c4
to use ldb_request_add_control() instead of a manual construction.
Andrew Bartlett
Günther Deschner [Tue, 25 Aug 2009 23:03:47 +0000 (01:03 +0200)]
s3-netlogon: fix default case when _netr_LogonSamLogon is called from other opcodes.
Guenther