Andrew Bartlett [Wed, 20 May 2015 09:06:22 +0000 (11:06 +0200)]
dsdb: Parse linked attributes using their DN+Binary or DN+String syntax, if needed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Thu, 22 Dec 2016 21:27:30 +0000 (10:27 +1300)]
ldbdump: Parse the -i option
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Thu, 8 Dec 2016 11:25:22 +0000 (12:25 +0100)]
s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
Also old servers should be able to handle NTLMSSP via SPNEGO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144
Stefan Metzmacher [Fri, 4 Nov 2016 11:25:34 +0000 (12:25 +0100)]
s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 4 Nov 2016 11:37:08 +0000 (12:37 +0100)]
s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 16:27:49 +0000 (17:27 +0100)]
s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 16:26:41 +0000 (17:26 +0100)]
s3:libsmb: split out cli_cm_force_encryption_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 12 Dec 2016 05:00:32 +0000 (06:00 +0100)]
s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:06:38 +0000 (09:06 +0100)]
s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 30 Oct 2016 15:46:54 +0000 (16:46 +0100)]
s3:libsmb: remove now unused cli_session_setup()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 30 Oct 2016 15:42:45 +0000 (16:42 +0100)]
s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()
Using cli_session_creds_init() will allow it to be passed to other sub functions
later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sun, 30 Oct 2016 15:45:39 +0000 (16:45 +0100)]
s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:libsmb: remove unused cli_*_encryption* functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 13:50:28 +0000 (14:50 +0100)]
s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 31 Oct 2016 22:02:27 +0000 (23:02 +0100)]
s3:libsmb: add cli_smb1_setup_encryption*() functions
This will allow us to setup SMB1 encryption by just passing
cli_credentials.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 19 Dec 2016 22:04:17 +0000 (23:04 +0100)]
s3:printing: remove double PRINT_SPOOL_PREFIX define
We already have this in source3/include/printing.h
which is also included in source3/printing/printspoolss.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Tue, 20 Sep 2016 07:46:34 +0000 (09:46 +0200)]
testprogs: Use better KRB5CCNAME in test_password_settings.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Anoop C S [Thu, 15 Dec 2016 10:36:35 +0000 (16:06 +0530)]
docs-xml: Remove duplicate listing of configfile option in man pages
stdarg.configfile option is hierarchically included within
common.samba.client entity. So explicit inclusion of this
term will generate man pages with configfile option listed
twice.
Signed-off-by: Anoop C S <anoopcs@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Dec 21 13:13:16 CET 2016 on sn-devel-144
Martin Schwenke [Tue, 20 Dec 2016 11:40:36 +0000 (22:40 +1100)]
WHATSNEW: CTDB updates
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Dec 21 08:36:32 CET 2016 on sn-devel-144
Garming Sam [Wed, 14 Dec 2016 03:05:05 +0000 (16:05 +1300)]
getncchanges: use the uptodateness_vector to filter links to replicate
This is to mirror the check in get_nc_changes_build_object.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144
Bob Campbell [Sun, 18 Dec 2016 23:27:31 +0000 (12:27 +1300)]
torture/drs: test link replication with hwm and utdv
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Bob Campbell [Thu, 15 Dec 2016 01:23:58 +0000 (14:23 +1300)]
torture/drs: move ExopBaseTest into DrsBaseTest and extend
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 19 Sep 2016 12:40:42 +0000 (14:40 +0200)]
s3-rpc_client: Pass NULL as no password
GENSEC expects NULL as no password.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144
Andreas Schneider [Sat, 1 Oct 2016 09:27:54 +0000 (11:27 +0200)]
auth/credentials: Add NULL check to free_dccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Sat, 1 Oct 2016 09:25:44 +0000 (11:25 +0200)]
auth/credentials: Add NULL check in free_mccache()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 6 Oct 2016 07:22:29 +0000 (09:22 +0200)]
auth/credentials: Move function to free ccaches to the top
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 6 Oct 2016 06:16:57 +0000 (08:16 +0200)]
auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 10:23:10 +0000 (11:23 +0100)]
WHATSNEW: Add some information about ID mapping
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144
Andreas Schneider [Wed, 14 Dec 2016 07:25:45 +0000 (08:25 +0100)]
WHATSNEW: Add Printing changes
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 14 Dec 2016 07:15:38 +0000 (08:15 +0100)]
WHATSNEW: Use capital K for Kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden _krb5_derive_key()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Fri, 18 Nov 2016 18:02:30 +0000 (18:02 +0000)]
HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 12:53:53 +0000 (13:53 +0100)]
HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
This allows the optimized checksum->verify() function to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 12:42:31 +0000 (13:42 +0100)]
HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Tue, 22 Nov 2016 16:08:46 +0000 (17:08 +0100)]
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can lead to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:44:22 +0000 (11:44 +0100)]
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:42:59 +0000 (11:42 +0100)]
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Stefan Metzmacher [Wed, 23 Nov 2016 10:41:10 +0000 (11:41 +0100)]
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Volker Lendecke [Sat, 5 Nov 2016 20:22:46 +0000 (21:22 +0100)]
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
Stefan Metzmacher [Fri, 28 Oct 2016 10:14:37 +0000 (12:14 +0200)]
s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally
This way we can have a very simple get_cmdline_auth_info_creds() function,
which can be used to pass cli_credentials down the stack instead of
constantly translating from user_auth_info to cli_credentials, while
losing information.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 20 04:57:05 CET 2016 on sn-devel-144
Stefan Metzmacher [Fri, 9 Dec 2016 15:04:38 +0000 (16:04 +0100)]
s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading
All users of POPT_COMMON_CREDENTIALS basically need the same logic,
while some ignore a broken smb.conf and some complain about it.
This will allow the future usage of config options in the
credential post processing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 14:30:28 +0000 (15:30 +0100)]
tests/credentials.py: demonstrate the last 'username' line of creds.parse_file() beats other lines
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 11:41:58 +0000 (12:41 +0100)]
auth/credentials: change the parsing order of cli_credentials_parse_file()
We now first just remember the domain, realm, username, password values
(the last value wins).
At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.
It means the last 'username' line beats the domain, realm or password lines, e.g.:
    username=USERDOMAIN\username
    domain=DOMAIN
will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 13:01:35 +0000 (14:01 +0100)]
tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sun, 11 Dec 2016 21:50:53 +0000 (22:50 +0100)]
auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()
Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:
    username=DOMAIN/username
    password=password
    domain=DOMAIN
This change allows us to parse the same.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
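Added example, not part of the commit log and not Samba code: a simplified Python model of the credentials-file handling described in the two cli_credentials_parse_file() commits above ("remember the values, apply 'username' last" and "'username' may carry a domain"). All function names are hypothetical, the line-by-line parser is an assumed contrast case, and the '%' and '@' forms that cli_credentials_parse_string() is tested with elsewhere in this log are not modelled.

```python
"""Simplified model of the credentials-file parsing order described above.

Not Samba code: the key names come from the commit messages; the helper
names and the exact separator handling are assumptions for illustration.
"""

KEYS = ("username", "password", "domain", "realm")

# Constructed sample: the two-line file quoted in the parsing-order commit.
SAMPLE_FROM_PAGE = "username=USERDOMAIN\\username\ndomain=DOMAIN\n"
# Constructed sample: the file layout quoted from test_auth_file().
SAMPLE_TEST_FILE = "username=DOMAIN/username\npassword=password\ndomain=DOMAIN\n"


def _read_pairs(text):
    """Yield (key, value) for each recognised 'key=value' line."""
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        key = key.strip().lower()
        if sep and key in KEYS:
            yield key, value.strip()


def _apply_username(creds, value):
    """Model of the 'username' step: 'DOM\\user' or 'DOM/user' sets the domain too."""
    for sep in ("\\", "/"):
        if sep in value:
            creds["domain"], value = value.split(sep, 1)
            break
    creds["username"] = value


def parse_in_file_order(text):
    """Contrast case (assumed): apply every line as soon as it is read."""
    creds = dict.fromkeys(KEYS)
    for key, value in _read_pairs(text):
        if key == "username":
            _apply_username(creds, value)
        else:
            creds[key] = value
    return creds


def parse_remember_then_apply(text):
    """Order from the commit message: remember values, apply 'username' last."""
    seen = {}
    for key, value in _read_pairs(text):
        seen[key] = value  # the last value for a key wins
    creds = dict.fromkeys(KEYS)
    for key in ("realm", "domain", "password"):
        if key in seen:
            creds[key] = seen[key]
    if "username" in seen:
        _apply_username(creds, seen["username"])
    return creds


def domain_mismatch(text):
    """Audit helper: return (domain_line, effective_domain) when the username
    line overrides an explicit domain line, otherwise None."""
    explicit = dict(_read_pairs(text)).get("domain")
    effective = parse_remember_then_apply(text)["domain"]
    if explicit is not None and explicit.casefold() != effective.casefold():
        return explicit, effective
    return None


if __name__ == "__main__":
    for name, sample in (("page example", SAMPLE_FROM_PAGE),
                         ("test_auth_file layout", SAMPLE_TEST_FILE)):
        print(name)
        print("  line by line        :", parse_in_file_order(sample)["domain"])
        print("  remember then apply :", parse_remember_then_apply(sample)["domain"])
        print("  mismatch            :", domain_mismatch(sample))
```

Running domain_mismatch() over existing credentials files shows which of them name one domain in the domain line but will authenticate against the domain embedded in the username line.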
Stefan Metzmacher [Thu, 15 Dec 2016 13:12:31 +0000 (14:12 +0100)]
tests/credentials.py: add tests to verify realm/principal behaviour of cli_credentials_parse_string()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 15:47:57 +0000 (16:47 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset principal and realm
If we reset username we need to reset principal if it was set at the same level.
If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 11:20:19 +0000 (12:20 +0100)]
auth/credentials: let cli_credentials_parse_string() always reset username and domain
If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 13:49:18 +0000 (14:49 +0100)]
tests/credentials.py: add tests with a realm from smb.conf
As we don't want to create a new smb.conf file
we just simulate it with "creds.set_realm(realm, credentials.UNINITIALISED)".
That's basically the same as the cli_credentials_set_conf() behaviour
if a realm is specified in the configuration.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 10:04:02 +0000 (11:04 +0100)]
auth/credentials: handle situations without a configured (default) realm
We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.
At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".
If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is to use
username@OTHERDOMAIN as principal, while we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 10:37:33 +0000 (11:37 +0100)]
auth/credentials: add python bindings for enum credentials_obtained
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 09:30:29 +0000 (10:30 +0100)]
tests/credentials.py: add very simple test for py_creds_parse_file
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 09:06:25 +0000 (10:06 +0100)]
auth/credentials: add py_creds_parse_file()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 08:42:20 +0000 (09:42 +0100)]
tests/credentials.py: verify the difference of parse_string("someone") and parse_string("someone%")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Dec 2016 08:34:45 +0000 (09:34 +0100)]
tests/credentials.py: add test for cli_credentials_set_password_will_be_nt_hash()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 09:02:10 +0000 (10:02 +0100)]
auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 07:52:12 +0000 (08:52 +0100)]
auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Dec 2016 07:50:51 +0000 (08:50 +0100)]
auth/credentials: make use of talloc_zero() in cli_credentials_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 13 Dec 2016 22:58:48 +0000 (11:58 +1300)]
s4-rpc_server: Add braces to better follow coding style
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 21 Nov 2016 00:31:39 +0000 (13:31 +1300)]
s4-netlogon: Push the netlogon server in the AD DC into multiple processes
This allows the NETLOGON server to scale better, as it is often a bottleneck.
What we are doing here is keeping the forced single process only for
other servers that declare they use DCE/RPC handles.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 21:15:39 +0000 (10:15 +1300)]
selftest: Use 'rpc server port:netlogon' and 'rpc server port' smb.conf option
We need this because once we make NETLOGON run in multiple processes,
it will need its own port, and socket_wrapper can not currently allocate
an ephemeral port. It also tests the option, which others have asked be
made available to firewall drsuapi.
Likewise the 'rpc server port' option is used to confirm it
functions for the default port.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 21:11:05 +0000 (10:11 +1300)]
s4-rpc_server: Do not check association groups for NETLOGON
If this RPC server is not going to use handles (actually a generic
flag) then do not check the association group provided. This in turn
allows us to easily make NETLOGON run in multiple processes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 17 Oct 2016 21:36:51 +0000 (10:36 +1300)]
s4-rpc_server: Allow listener for RPC servers to use multiple processes
To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.
The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Sun, 13 Nov 2016 22:24:03 +0000 (11:24 +1300)]
s4-rpc_server: Allow each interface to declare if it uses handles
This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 13 Dec 2016 20:38:28 +0000 (09:38 +1300)]
s4-rpc_server: Add comments explaining the control flow around dcesrv_bind()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Nov 2016 14:11:29 +0000 (15:11 +0100)]
s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 19 13:41:15 CET 2016 on sn-devel-144
Stefan Metzmacher [Thu, 3 Nov 2016 14:11:29 +0000 (15:11 +0100)]
s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 16 Dec 2016 00:26:29 +0000 (01:26 +0100)]
s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 8 Dec 2016 11:11:45 +0000 (12:11 +0100)]
s3:libsmb: split out a cli_session_creds_prepare_krb5() function
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.
In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:49:17 +0000 (09:49 +0100)]
s3:torture/masktest: masktest only works with SMB1 currently
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:49:17 +0000 (09:49 +0100)]
s3:torture/masktest: Use cli_tree_connect_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:06:21 +0000 (09:06 +0100)]
s3:torture: Use cli_tree_connect_creds() where we may use share level auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 9 Dec 2016 08:48:06 +0000 (09:48 +0100)]
s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Martin Schwenke [Sat, 10 Dec 2016 22:09:44 +0000 (09:09 +1100)]
ctdb-tests: Remove the python LCP2 simulation
It isn't used anywhere and doesn't contain some of the optimisations
that have since gone into the C code.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Mon Dec 19 07:58:45 CET 2016 on sn-devel-144
Martin Schwenke [Fri, 9 Dec 2016 08:19:49 +0000 (19:19 +1100)]
ctdb-takeover: Drop unused ctdb_takeover_run() and related code
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 9 Dec 2016 05:21:39 +0000 (16:21 +1100)]
ctdb-recoverd: Integrate takeover helper
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 9 Dec 2016 04:04:03 +0000 (15:04 +1100)]
ctdb-recoverd: Generalise helper state, handler and launching
These can also be used for takeover handler.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 6 Dec 2016 22:42:46 +0000 (09:42 +1100)]
ctdb-tests: Add tests for takeover helper
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 13 Dec 2016 20:18:57 +0000 (07:18 +1100)]
ctdb-tests: New function unit_test_notrace()
Avoids valgrind and such, so a function can be passed.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 10 Nov 2016 05:47:38 +0000 (16:47 +1100)]
ctdb-takeover: Add takeover helper
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 15 Dec 2016 03:09:16 +0000 (14:09 +1100)]
ctdb-takeover: IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
Introduce a single new tunable IPAllocAlgorithm to set the IP
allocation algorithm. This defaults to 2 for LCP2 IP address
allocation.
Tunables LCP2PublicIPs and DeterministicIPs are obsolete.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 09:03:38 +0000 (20:03 +1100)]
ctdb-takeover: NoIPHostOnAllDisabled is global across cluster
Instead of gathering the value from all nodes, just use the value on
the recovery master and have it affect all nodes.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 08:39:11 +0000 (19:39 +1100)]
ctdb-takeover: NoIPTakeover is global across cluster
Instead of gathering the value from all nodes, just use the value on
the recovery master and have it affect all nodes.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 10 Dec 2016 03:50:21 +0000 (14:50 +1100)]
ctdb-docs: Document that tunables should be set the same on all nodes
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 7 Dec 2016 00:52:30 +0000 (11:52 +1100)]
ctdb-tests: Add faking of control failures/timeouts to fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 08:11:13 +0000 (19:11 +1100)]
ctdb-tests: Add IPREALLOCATED control to fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 01:58:08 +0000 (12:58 +1100)]
ctdb-tests: Add TAKEOVER_IP control to fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 01:53:53 +0000 (12:53 +1100)]
ctdb-tests: Add RELEASE_IP control to fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:04:39 +0000 (01:04 +1100)]
ctdb-tests: Add tool tests for "ctdb ip"
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:01:48 +0000 (01:01 +1100)]
ctdb-tests: Implement GET_PUBLIC_IPS control in fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 5 Dec 2016 00:08:39 +0000 (11:08 +1100)]
ctdb-tests: Add tool tests for "ctdb ipinfo"
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 14:02:24 +0000 (01:02 +1100)]
ctdb-tests: Implement GET_PUBLIC_IP_INFO control in fake_ctdbd
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 13:59:29 +0000 (00:59 +1100)]
ctdb-tests: Factor out get_ctdb_iface_list()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 06:11:25 +0000 (17:11 +1100)]
ctdb-tests: Add public IP state to fake_ctdbd
Read it via a PUBLICIPS section.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Sat, 3 Dec 2016 05:20:01 +0000 (16:20 +1100)]
ctdb-tests: Factor out reading of known public IP addresses
One change in behaviour is to actually copy the known IPs per node
instead of just assigning the pointer. When this is used by
fake_ctdbd the resulting structure will be used to keep state for
individual nodes, so data for nodes needs to be independent.
Also, drop some asserts in the factored code and do (slightly) better
error handling.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 8 Dec 2016 00:41:31 +0000 (11:41 +1100)]
ctdb-tests: Allow FAKE_CTDBD_DEBUGLEVEL to be specified
This is useful for debugging when doing developer testing.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 12 Dec 2016 05:43:43 +0000 (16:43 +1100)]
ctdb-tests: Make fake_ctdbd use logging_init()
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 10 Nov 2016 05:11:12 +0000 (16:11 +1100)]
ctdb-client: Add available-only option public IP fetching
Update tool accordingly.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>