Stefan Metzmacher [Thu, 11 May 2017 13:34:08 +0000 (15:34 +0200)]
s4:lib/http: rewrite http_send_auth_request_*() using gensec_update_send/recv
The new logic makes it much clearer that we have a loop of
gensec_update_send()
gensec_update_recv()
http_send_request_send()
http_send_request_recv()
http_read_response_send()
http_read_response_recv()
Until the local gensec and the server are ready.
I've tested this against Windows 2008R2 like this:
bin/smbtorture \
-W BLA --realm=BLA.BASE \
-s /dev/null -Uadministrator%
A1b2C3d4 \
ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \
rpc.epmapper.epmapper.Lookup_simple \
and:
bin/smbtorture \
-W BLA --realm=BLA.BASE \
-s /dev/null -Uadministrator%
A1b2C3d4 \
ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \
rpc.epmapper.epmapper.Lookup_simple \
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 20 Jul 2017 21:28:51 +0000 (23:28 +0200)]
auth/gensec: introduce gensec_security_ops.glue in order to avoid depending on GENSEC_OID_SPNEGO being special
In future we have get more backends that can negotiate other backends,
we should keep all of them even if we require kerberos.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 20 Jul 2017 13:42:58 +0000 (15:42 +0200)]
auth/gensec: add some useful debugging to gensec_update_send/gensec_update_done
This makes it easier to spot problems with all the abstraction and async layers.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 19 Jul 2017 09:05:32 +0000 (11:05 +0200)]
auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_out()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 19 Jul 2017 09:02:39 +0000 (11:02 +0200)]
auth/spnego: Use talloc_get_type_abort() in gsensec_spnego_update_in()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 19 Jul 2017 08:53:30 +0000 (10:53 +0200)]
auth/spnego: Rename gensec_spnego_update_sub_abort()
The name is not ideal as someone might think we will panic and abort the
process. So rename it to gensec_spnego_reset_sub_sec().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 09:01:23 +0000 (11:01 +0200)]
auth/spnego: replace gensec_spnego_neg_loop() by real async processing of {start,step,finish}_fn()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 13:40:41 +0000 (15:40 +0200)]
auth/spnego: split gensec_spnego_server_negTokenTarg() into subfunctions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 13:22:57 +0000 (15:22 +0200)]
auth/spnego: split gensec_spnego_server_negTokenInit() into subfunctions
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 11:56:02 +0000 (13:56 +0200)]
auth/spnego: split gensec_spnego_client_negTokenTarg() into subfunctions
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 10:59:43 +0000 (12:59 +0200)]
auth/spnego: split gensec_spnego_client_negTokenInit() into subfunctions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 23:52:09 +0000 (01:52 +0200)]
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions
This adds and uses the gensec_spnego_neg_loop() abstraction, which
abstracts start, step and finish hooks.
The start hook does the initial processing on the incoming paket and
may start the first possible subcontext. It indicates that
gensec_update() is required on the subcontext by returning
NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
caller should treat 'in_next' as const and don't attempt to free the
content. NT_STATUS_OK indicates the finish hook should be invoked
directly withing the need of gensec_update() on the subcontext.
Every other error indicates an error that's returned to the caller.
The step hook processes the result of a failed gensec_update() and
can decide to ignore a failure or continue the negotiation by
setting up the next possible subcontext. It indicates that
gensec_update() is required on the subcontext by returning
NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
caller should treat 'in_next' as const and don't attempt to free the
content. NT_STATUS_OK indicates the finish hook should be invoced
directly withing the need of gensec_update() on the subcontext.
Every other error indicated an error that's returned to the caller.
The finish hook processes the result of a successful gensec_update()
(NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the
response pdu that will be returned from the toplevel gensec_update()
together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It
may also alter the state machine to prepare receiving the next pdu
from the peer.
This is the start of using this abstraction for the initial client or server
start with on empty input token from the peer.
This abstraction will be applied to all four other spnego states,
gensec_spnego_{client,server}_negToken{Init,Targ}() in the following
commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 17 Jul 2017 20:00:10 +0000 (22:00 +0200)]
auth/spnego: don't produce an output token for errors in gensec_spnego_server_response()
gensec_spnego_server_response() is never called with a fatal error anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 17 Jul 2017 19:54:51 +0000 (21:54 +0200)]
auth/spnego: don't call gensec_spnego_server_response() with a fatal error
It doesn't make sense to produce an output token without
returning OK or MORE_PROCESSING_REQUIRED.
Even in v4-0-test we had gensec_spnego_update_wrapper()
which only passed the constructed output token to the caller
with OK or MORE_PROCESSING_REQUIRED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 18 Jul 2017 09:42:43 +0000 (11:42 +0200)]
auth/spnego: generate a valid packet if gensec_spnego_client_negTokenTarg() gives MORE_PROCESSING_REQUIRED
If we wait for the mechListMIC from the server we should send a valid paket
instead of an empty blob.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 17 Jul 2017 18:49:34 +0000 (20:49 +0200)]
auth/spnego: make sure we don't return OK without sub_sec_ready in gensec_spnego_client_negTokenTarg()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 17 Jul 2017 18:47:57 +0000 (20:47 +0200)]
auth/spnego: do an early return for the success case in gensec_spnego_client_negTokenTarg()
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:26:42 +0000 (16:26 +0200)]
auth/spnego: use better variable names in gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:20:59 +0000 (16:20 +0200)]
auth/spnego: introduce an early return in gensec_spnego_create_negTokenInit()
This avoids print two debug message for the same failure.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:16:35 +0000 (16:16 +0200)]
auth/spnego: add more error checking to gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:08:05 +0000 (16:08 +0200)]
auth/spnego: rename 'nt_status' to 'status' in gensec_spnego_create_negTokenInit()
This makes future diffs smaller.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:05:39 +0000 (16:05 +0200)]
auth/spnego: make the debug messages in gensec_spnego_create_negTokenInit() more useful
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 13:49:32 +0000 (15:49 +0200)]
auth/spnego: remove one more useless indentation level in gensec_spnego_create_negTokenInit()
Check with git show -w -U20
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 13:44:53 +0000 (15:44 +0200)]
auth/spnego: introduce an early goto reply: for the server in gensec_spnego_create_negTokenInit()
This removes a useless indentation level and simplifies future patches.
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 13:41:23 +0000 (15:41 +0200)]
auth/spnego: move the output generation to the end of gensec_spnego_create_negTokenInit()
This will simplify the diff of future patches.
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 21:43:01 +0000 (23:43 +0200)]
auth/spnego: make the SPNEGO_FALLBACK continuation completely async
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 13 Jul 2017 14:49:57 +0000 (16:49 +0200)]
auth/spnego: invert the fallback logic in gensec_spnego_client_negTokenInit()
We should do the return first, that will simplify further changes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 13 Jun 2017 21:43:01 +0000 (23:43 +0200)]
auth/spnego: split out gensec_spnego_update_pre/post() functions
For now we keep doing sync processing only, in future
we'll do some preprocessing before a gensec_update_send()
on the subcontext in gensec_spnego_update_pre()
and handle the the result of gensec_update_recv()
in gensec_spnego_update_post().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:39:39 +0000 (11:39 +0200)]
auth/spnego: inline gensec_spnego_parse_negTokenInit() into gensec_spnego_server_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:11:57 +0000 (11:11 +0200)]
auth/spnego: remove more dead code from gensec_spnego_parse_negTokenInit()
Now we finally have a logic that someone can understand while reading it.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:09:59 +0000 (11:09 +0200)]
auth/spnego: add an early return for OK or MORE PROCESSING in gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:07:41 +0000 (11:07 +0200)]
auth/spnego: add an early return for a hard error in gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:05:39 +0000 (11:05 +0200)]
auth/spnego: do an early return when we downgraded the mech in gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 09:03:37 +0000 (11:03 +0200)]
auth/spnego: remove one more useless indentation level from gensec_spnego_parse_negTokenInit()
Check with 'git show -w -U45' and carefully check the 'break' vs. 'continue'
changes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 08:57:52 +0000 (10:57 +0200)]
auth/spnego: remove dead code from gensec_spnego_parse_negTokenInit()
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 08:54:54 +0000 (10:54 +0200)]
auth/spnego: remove unused indentation level from gensec_spnego_parse_negTokenInit()
gensec_spnego_parse_negTokenInit() is only used as server now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 08:11:43 +0000 (10:11 +0200)]
auth/spnego: inline gensec_spnego_parse_negTokenInit() client logic into gensec_spnego_client_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 08:44:00 +0000 (10:44 +0200)]
auth/spnego: let gensec_spnego_parse_negTokenInit() require client provides mechs
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 07:22:25 +0000 (09:22 +0200)]
auth/spnego: inline gensec_spnego_update_server() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 07:22:25 +0000 (09:22 +0200)]
auth/spnego: inline gensec_spnego_update_client() into gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 07:18:18 +0000 (09:18 +0200)]
auth/spnego: split out a gensec_spnego_server_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 07:05:29 +0000 (09:05 +0200)]
auth/spnego: introduce a 'struct spnego_negTokenTarg *ta' helper variable in gensec_spnego_update_server()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 07:01:18 +0000 (09:01 +0200)]
auth/spnego: split out a gensec_spnego_client_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 06:42:08 +0000 (08:42 +0200)]
auth/spnego: make more use of the 'ta' helper variable in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 06:30:24 +0000 (08:30 +0200)]
auth/spnego: split out a gensec_spnego_server_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 06:11:32 +0000 (08:11 +0200)]
auth/spnego: split out a gensec_spnego_client_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 06:00:00 +0000 (08:00 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 05:58:51 +0000 (07:58 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 28 Jun 2017 12:53:49 +0000 (14:53 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 7 Jul 2017 05:53:29 +0000 (07:53 +0200)]
auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()
We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.
Check with git show -U10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 6 Jul 2017 13:36:36 +0000 (15:36 +0200)]
auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_update_send()
This simplifies further refactoring.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()
It's easier to have this in one central place.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 30 Dec 2016 11:59:01 +0000 (12:59 +0100)]
auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spnego_update_server()
This matches the flow already used in the client case.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()
This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 19 Jul 2017 08:47:37 +0000 (10:47 +0200)]
auth/spnego: Fix withespace and indent in gensec_spnego_server_try_fallback()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Tue, 11 Jul 2017 08:59:59 +0000 (10:59 +0200)]
s3:tests: Add tests for smbspool_krb5_wrapper
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 25 13:17:13 CEST 2017 on sn-devel-144
Andreas Schneider [Wed, 12 Jul 2017 14:07:25 +0000 (16:07 +0200)]
s3:client: Use KRB5CCNAME in smbspool_krb5_wrapper if set
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Tue, 11 Jul 2017 08:58:11 +0000 (10:58 +0200)]
s3:tests: Add test for smbspool
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andreas Schneider [Tue, 11 Jul 2017 07:41:08 +0000 (09:41 +0200)]
s3:client: Only use kerberos if credential cache exists in smbspool
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 24 Jul 2017 10:27:50 +0000 (12:27 +0200)]
s3:client: Make it possible use smbspool in selftest
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andreas Schneider [Tue, 11 Jul 2017 08:40:39 +0000 (10:40 +0200)]
s3:client: Fix the usage of argv in smbspool
We use argv[0] to print the name of the binary, but have shifted it
away. Do not do that.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 12 Jul 2017 11:14:08 +0000 (13:14 +0200)]
s3:printing: Fix setting the first jobnum
This is just something logical. The define is called first jobnum but
the first one was always 101.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 12 Jul 2017 11:07:08 +0000 (13:07 +0200)]
s3:printing: Do not segfault in vlp if no command has been specified
We should just print the usage() and return
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 13 Jul 2017 06:57:13 +0000 (08:57 +0200)]
uwrap: Update to version 1.2.4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Mon, 17 Jul 2017 21:03:17 +0000 (09:03 +1200)]
selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144
Andrew Bartlett [Mon, 17 Jul 2017 20:57:03 +0000 (08:57 +1200)]
s4-netlogon: Use log_escape to protect against un-validated strings
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andrew Bartlett [Mon, 17 Jul 2017 20:46:08 +0000 (08:46 +1200)]
s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
This splits out the username into the input, mapped and obtained
just as we do elsewhere.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 9 Jul 2017 19:48:08 +0000 (07:48 +1200)]
source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 9 Jul 2017 19:46:26 +0000 (07:46 +1200)]
tests auth_log: Add new tests for NETLOGON
Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing
Test code based on the existing auth_log tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 9 Jul 2017 19:45:16 +0000 (07:45 +1200)]
tests auth_log: Modify existing tests to handle NETLOGON messages
Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately. Ignoring it in these tests avoids order dependencies.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 23 Jul 2017 22:59:18 +0000 (10:59 +1200)]
auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system"
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 23 Jul 2017 23:00:45 +0000 (11:00 +1200)]
rpc: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Gary Lockyer [Sun, 23 Jul 2017 22:55:48 +0000 (10:55 +1200)]
dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
This is string is used several places in the code and tests, so it
should be a constant.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Andreas Schneider [Mon, 24 Jul 2017 10:19:27 +0000 (12:19 +0200)]
mit-kdb: Fix NULL pointer check after malloc
This fixes building with GCC 7.1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144
Andreas Schneider [Mon, 24 Jul 2017 10:13:50 +0000 (12:13 +0200)]
s4:kcc: Add a NULL check before qsort()
This fixes building with GCC 7.1.1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Mon, 24 Jul 2017 02:09:19 +0000 (14:09 +1200)]
smb.conf: Explain that "ntlm auth" is a per-passdb setting
This parameter has always applied to this passdb only, not to domain
authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Bob Campbell [Wed, 5 Jul 2017 04:08:11 +0000 (16:08 +1200)]
samdb/cracknames: support user and service principal as desired format
This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.
This also causes the test in cracknames.py to no longer fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144
Bob Campbell [Tue, 4 Jul 2017 23:15:04 +0000 (11:15 +1200)]
samdb/cracknames: do not show recycled when a guid is desired
Previously, when a GUID was desired to
cracknames, it would include recycled objects as well. This would
sometimes result in two objects being returned from a query which is
supposed to return a unique GUID. For example, if a deleted user had
the same sAMAccountName as a non-deleted user and cracknames was used to
find the GUID of this account, it would return two GUIDs, and so would
fail with DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Bob Campbell [Tue, 4 Jul 2017 23:08:45 +0000 (11:08 +1200)]
python/tests: add python test for cracknames
This fails due the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 21 Jul 2017 08:10:43 +0000 (20:10 +1200)]
selftest: Make --include-env and --exclude-env use the base env name
The code as deployed would have required (eg) '--include-env=ktest
--include-env=ktest:local' which was not done in autobuild, causing
tests to be skipped. This patch restores the intended behaviour.
This causes 33 testsuites to run, one more test (the newly added
samba.tests.ntlmauth) than the old regex provided (before
602772159dfd1213385f42ecbf31136f57693b63).
(The regression dropped us down to matching only 7 tests).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144
Martin Schwenke [Tue, 18 Jul 2017 20:09:15 +0000 (06:09 +1000)]
ctdb-tests: Add event script startup/shutdown tests
For vsftpd, httpd, winbind. These should help to catch typo
regressions.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sun Jul 23 19:31:08 CEST 2017 on sn-devel-144
Martin Schwenke [Mon, 17 Jul 2017 05:36:42 +0000 (15:36 +1000)]
ctdb-scripts: Fix a typo
This is a regression introduced in commit
e847ec3ae24cc6c8c69284c7fe0791a319cf7142
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Andrew Bartlett [Sat, 22 Jul 2017 10:00:59 +0000 (22:00 +1200)]
s4-drepl: Block GetNCChanges during a DsReplicaSync
If we do not block these, we can get RPC faults
(DCERPC_NCA_S_PROTO_ERROR) which gives WERR_WRITE_FAULT back to the
DsReplicaSync call as there are two outstanding requests on the wire
at the one time.
We will get to the next operation as soon as this is finished
when we call run_pending_ops().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12926
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jul 23 12:32:49 CEST 2017 on sn-devel-144
Thomas Jarosch [Sat, 22 Jul 2017 16:36:18 +0000 (09:36 -0700)]
s3: libsmb: Fix use-after-free when accessing pointer *p.
talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927
Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144
Andrew Bartlett [Fri, 21 Jul 2017 05:52:04 +0000 (17:52 +1200)]
s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler
When we are sent a DsReplicaSync() we should work on inbound replication
(ideally from the requested source, but so far we just start the whole queue)
right away, not after 1 second.
We should also target inbound replication, not any outbound replication
notification that may happen to be due.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12921
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 22 07:45:31 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 21 Jul 2017 12:36:08 +0000 (14:36 +0200)]
ldb: version 1.2.1
* Bug #12882: Do not install _ldb_text.py if we have system libldb
* Use libraries from build dir for testsuite
* Bug #12900: Fix index out of bound in ldb_msg_find_common_values
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jul 22 03:46:25 CEST 2017 on sn-devel-144
Stefan Metzmacher [Fri, 21 Jul 2017 12:34:59 +0000 (14:34 +0200)]
tevent: version 0.9.33
* make tevent_req_print() more robust against crashes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 20 Jul 2017 12:20:03 +0000 (14:20 +0200)]
tevent: handle passing req = NULL to tevent_req_print()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 20 Jul 2017 12:16:44 +0000 (14:16 +0200)]
tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print()
We have the same information available under req->internal.private_type.
This way it's possible to call tevent_req_print() after
tevent_req_received() was called.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 21 Jul 2017 12:33:57 +0000 (14:33 +0200)]
talloc: version 2.1.10
* build, documentation and python3 improvements
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 20 Jul 2017 09:56:21 +0000 (11:56 +0200)]
s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done()
This was missing in commit
d718e92d5e145dccd492c46febc249e462ce50c6.
Sadly we can't have automated tests for this as we only implement
the client side for this protocol.
I've tested with using:
bin/smbtorture \
-W BLA --realm=BLA.BASE \
-s /dev/null -Uadministrator%
A1b2C3d4 \
ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \
rpc.epmapper.epmapper.Lookup_simple \
and:
bin/smbtorture \
-W BLA --realm=BLA.BASE \
-s /dev/null -Uadministrator%
A1b2C3d4 \
ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \
rpc.epmapper.epmapper.Lookup_simple \
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12919
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 21 23:29:39 CEST 2017 on sn-devel-144
Uri Simchoni [Wed, 7 Jun 2017 17:34:33 +0000 (20:34 +0300)]
winbindd: avoid refreshing sequence number when domain is offline
When there's no connectivity to the domain, avoid attempt to
refresh sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Wed, 7 Jun 2017 17:33:57 +0000 (20:33 +0300)]
winbindd: queryuser - only get group name if needed
When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).
Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Wed, 7 Jun 2017 17:33:24 +0000 (20:33 +0300)]
winbindd: cache name-to-sid from PAC based on lookup domain
The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
David Disseldorp [Fri, 14 Jul 2017 21:55:29 +0000 (23:55 +0200)]
vfs_ceph: fix cephwrap_chdir()
When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144
Tim Beale [Tue, 4 Jul 2017 05:27:27 +0000 (17:27 +1200)]
selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
Andrew Bartlett [Thu, 20 Apr 2017 02:00:21 +0000 (14:00 +1200)]
getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE
This should not happen, but we have seen this happen in autobuild
before the whole-DB locking issues were resolved by
https://bugzilla.samba.org/show_bug.cgi?id=12858
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
David Disseldorp [Thu, 20 Jul 2017 09:10:57 +0000 (11:10 +0200)]
build: fix ceph_statx check when configured with libcephfs_dir
When configured with a custom libcephfs_dir, the ceph_statx check fails
to link. This is due to the location of the ceph-common dependency,
which is installed under a ceph subdirectory.
ceph/build > make DESTDIR=./inst install
...
ceph/build > find inst/|grep -e /libcephfs -e /libceph-common
inst/usr/local/lib64/ceph/libceph-common.so.0
inst/usr/local/lib64/ceph/libceph-common.so
inst/usr/local/lib64/libcephfs.so.2.0.0
inst/usr/local/lib64/libcephfs.so.2
inst/usr/local/lib64/libcephfs.so
inst/usr/local/include/cephfs/libcephfs.h
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Jeff Layton <jlayton@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Jul 20 23:02:27 CEST 2017 on sn-devel-144
git.samba.org / sfrench / samba-autobuild / .git / log