The branch, master has been updated
via f7d249d s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()
via f595031 s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()
via c19232b s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)
via 0c52239 s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds
via ff23ee7 s3:libsmb: split out cli_cm_force_encryption_creds()
via b4340ea s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()
via 5fd8db9 s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()
via 1221236 s3:libsmb: remove now unused cli_session_setup()
via 151e37b s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()
via c478f68 s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()
via 9e79433 s3:libsmb: remove unused cli_*_encryption* functions
via b9ff137 s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()
via 19bbd37 s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()
via 791847f s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()
via b9b0815 s3:libsmb: add cli_smb1_setup_encryption*() functions
via 9b39377 s3:printing: remove double PRINT_SPOOL_PREFIX define
via 1aa765d testprogs: Use better KRB5CCNAME in test_password_settings.sh
from 1a59014 docs-xml: Remove duplicate listing of configfile option in man pages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f7d249da4e79bb4f35b9b57b21f0f5e66380402d
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 8 12:25:22 2016 +0100

s3:libsmb: Always use GENSEC_OID_SPNEGO in cli_smb1_setup_encryption_send()

Also old servers should be able to handle NTLMSSP via SPNEGO.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Wed Dec 21 22:21:08 CET 2016 on sn-devel-144

commit f595031cb8203d4184b81976c22644e86a30cabe
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Nov 4 12:25:34 2016 +0100

s3:libsmb: pass cli_credentials to cli_check_msdfs_proxy()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c19232b4bcfe80e7501c5600bbbec2b27832c1ce
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Nov 4 12:37:08 2016 +0100

s3:client: use cli_cm_force_encryption_creds in smbspool.c (in a #if 0 section)

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 0c522398684ae34d4306285cb6b30ecc5b5a0e98
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 17:27:49 2016 +0100

s3:libsmb: make use of cli_cm_force_encryption_creds() where we already have creds

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit ff23ee7ef209b74856426df6bf4e36d9a7ed8f94
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 17:26:41 2016 +0100

s3:libsmb: split out cli_cm_force_encryption_creds()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b4340ea7743cdfff91a08eb4fe656ddbe0794cc7
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Dec 12 06:00:32 2016 +0100

s3:libsmb: make use of cli_tree_connect_creds() in SMBC_server_internal()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 5fd8db91efe24e0da8321197b8b568fed9ea4d78
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 09:06:38 2016 +0100

s3:libsmb: make use of cli_tree_connect_creds() in clidfs.c:do_connect()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 12212363bf756c6ba33804f859d67395e4cf71d3
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Oct 30 16:46:54 2016 +0100

s3:libsmb: remove now unused cli_session_setup()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 151e37b548bdba582bcbe7a216cd9b420d29b7b6
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Oct 30 16:42:45 2016 +0100

s3:libsmb: avoid using cli_session_setup() in SMBC_server_internal()

Using cli_session_creds_init() will allow it to be passed to other sub functions
later.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c478f688c29f0b9ff114cf2554c1c6cb273c98e4
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Oct 30 16:45:39 2016 +0100

s3:libsmb: make use of get_cmdline_auth_info_creds() in clidfs.c:do_connect()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 9e794330d0399777cb6cc4c9b036ba1b4f7ea470
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 14:50:28 2016 +0100

s3:libsmb: remove unused cli_*_encryption* functions

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b9ff137e03ef4ba2cc42e886d6133c5ad61b7ea6
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 14:50:28 2016 +0100

s3:libsmb: make use of cli_smb1_setup_encryption() in cli_cm_force_encryption()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 19bbd37b8df6315efc09b8e4007f4c4ddc155244
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 14:50:28 2016 +0100

s3:client: make use of cli_smb1_setup_encryption() in cmd_posix_encrypt()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 791847f90ce0c0fc42c75ec6283906a0c5f5b926
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 14:50:28 2016 +0100

s3:torture: make use of cli_smb1_setup_encryption() in force_cli_encryption()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b9b0815d0f566923fe7442c35e2f321e442bb6bb
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Oct 31 23:02:27 2016 +0100

s3:libsmb: add cli_smb1_setup_encryption*() functions

This will allow us to setup SMB1 encryption by just passing
cli_credentials.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 9b3937704d2b3a03590758bec7bdbe838d4e83be
Author: Stefan Metzmacher <***@samba.org>
Date: Mon Dec 19 23:04:17 2016 +0100

s3:printing: remove double PRINT_SPOOL_PREFIX define

We already have this in source3/include/printing.h
which is also included in source3/printing/printspoolss.c

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 1aa765d344e148826c75d65c502ee45bc9e8f42c
Author: Andreas Schneider <***@samba.org>
Date: Tue Sep 20 09:46:34 2016 +0200

testprogs: Use better KRB5CCNAME in test_password_settings.sh

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/client/client.c | 46 ++-
source3/client/smbspool.c | 6 +-
source3/libsmb/cliconnect.c | 452 ++++++++++++++++++++++++---
source3/libsmb/clidfs.c | 96 +++---
source3/libsmb/clifsinfo.c | 245 ---------------
source3/libsmb/libsmb_server.c | 47 ++-
source3/libsmb/proto.h | 22 +-
source3/printing/printspoolss.c | 3 -
source3/torture/torture.c | 10 +-
testprogs/blackbox/test_password_settings.sh | 8 +
10 files changed, 556 insertions(+), 379 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/client/client.c b/source3/client/client.c
index cde9776..226eb27 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2535,35 +2535,53 @@ static int cmd_posix_encrypt(void)
{
TALLOC_CTX *ctx = talloc_tos();
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ char *domain = NULL;
+ char *user = NULL;
+ char *password = NULL;
+ struct cli_credentials *creds = NULL;
+ struct cli_credentials *lcreds = NULL;

- if (cli->use_kerberos) {
- status = cli_gss_smb_encryption_start(cli);
- } else {
- char *domain = NULL;
- char *user = NULL;
- char *password = NULL;
+ if (next_token_talloc(ctx, &cmd_ptr, &domain, NULL)) {

- if (!next_token_talloc(ctx, &cmd_ptr,&domain,NULL)) {
+ if (!next_token_talloc(ctx, &cmd_ptr, &user, NULL)) {
d_printf("posix_encrypt domain user password\n");
return 1;
}

- if (!next_token_talloc(ctx, &cmd_ptr,&user,NULL)) {
+ if (!next_token_talloc(ctx, &cmd_ptr, &password, NULL)) {
d_printf("posix_encrypt domain user password\n");
return 1;
}

- if (!next_token_talloc(ctx, &cmd_ptr,&password,NULL)) {
+ lcreds = cli_session_creds_init(ctx,
+ user,
+ domain,
+ NULL, /* realm */
+ password,
+ false, /* use_kerberos */
+ false, /* fallback_after_kerberos */
+ false, /* use_ccache */
+ false); /* password_is_nt_hash */
+ if (lcreds == NULL) {
+ d_printf("cli_session_creds_init() failed.\n");
+ return -1;
+ }
+ creds = lcreds;
+ } else {
+ bool auth_requested = false;
+
+ creds = get_cmdline_auth_info_creds(auth_info);
+
+ auth_requested = cli_credentials_authentication_requested(creds);
+ if (!auth_requested) {
d_printf("posix_encrypt domain user password\n");
return 1;
}
-
- status = cli_raw_ntlm_smb_encryption_start(cli,
- user,
- password,
- domain);
}

+ status = cli_smb1_setup_encryption(cli, creds);
+ /* gensec currently references the creds so we can't free them here */
+ talloc_unlink(ctx, lcreds);
if (!NT_STATUS_IS_OK(status)) {
d_printf("posix_encrypt failed with error %s\n", nt_errstr(status));
} else {
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index a447836..10e89c7 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -474,11 +474,7 @@ smb_complete_connection(const char *myname,
#if 0
/* Need to work out how to specify this on the URL. */
if (smb_encrypt) {
- if (!cli_cm_force_encryption(cli,
- username,
- password,
- workgroup,
- share)) {
+ if (!cli_cm_force_encryption_creds(cli, creds, share)) {
fprintf(stderr, "ERROR: encryption setup failed\n");
cli_shutdown(cli);
return NULL;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 02c465c..55768bf 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -37,6 +37,7 @@
#include "libsmb/nmblib.h"
#include "librpc/ndr/libndr.h"
#include "../libcli/smb/smbXcli_base.h"
+#include "../libcli/smb/smb_seal.h"
#include "lib/param/param.h"

#define STAR_SMBSERVER "*SMBSERVER"
@@ -1774,43 +1775,6 @@ NTSTATUS cli_session_setup_anon(struct cli_state *cli)
return NT_STATUS_OK;
}

-NTSTATUS cli_session_setup(struct cli_state *cli,
- const char *user,
- const char *pass,
- const char *workgroup)
-{
- NTSTATUS status = NT_STATUS_NO_MEMORY;
- const char *dest_realm = NULL;
- struct cli_credentials *creds = NULL;
-
- /*
- * dest_realm is only valid in the winbindd use case,
- * where we also have the account in that realm.
- */
- dest_realm = cli_state_remote_realm(cli);
-
- creds = cli_session_creds_init(cli,
- user,
- workgroup,
- dest_realm,
- pass,
- cli->use_kerberos,
- cli->fallback_after_kerberos,
- cli->use_ccache,
- cli->pw_nt_hash);
- if (creds == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = cli_session_setup_creds(cli, creds);
- TALLOC_FREE(creds);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- return NT_STATUS_OK;
-}
-
/****************************************************************************
Send a uloggoff.
*****************************************************************************/
@@ -2864,6 +2828,420 @@ fail:
return status;
}

+struct cli_smb1_setup_encryption_blob_state {
+ uint16_t setup[1];
+ uint8_t param[4];
+ NTSTATUS status;
+ DATA_BLOB out;
+ uint16_t enc_ctx_id;
+};
+
+static void cli_smb1_setup_encryption_blob_done(struct tevent_req *subreq);
+
+static struct tevent_req *cli_smb1_setup_encryption_blob_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+ const DATA_BLOB in)
+{
+ struct tevent_req *req = NULL;
+ struct cli_smb1_setup_encryption_blob_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct cli_smb1_setup_encryption_blob_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (in.length > CLI_BUFFER_SIZE) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ SSVAL(state->setup+0, 0, TRANSACT2_SETFSINFO);
+ SSVAL(state->param, 0, 0);
+ SSVAL(state->param, 2, SMB_REQUEST_TRANSPORT_ENCRYPTION);
+
+ subreq = smb1cli_trans_send(state, ev, cli->conn,
+ SMBtrans2,
+ 0, 0, /* _flags */
+ 0, 0, /* _flags2 */
+ cli->timeout,
+ cli->smb1.pid,
+ cli->smb1.tcon,
+ cli->smb1.session,
+ NULL, /* pipe_name */
+ 0, /* fid */
+ 0, /* function */
+ 0, /* flags */
+ state->setup, 1, 0,
+ state->param, 4, 2,
+ in.data, in.length, CLI_BUFFER_SIZE);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq,
+ cli_smb1_setup_encryption_blob_done,
+ req);
+
+ return req;
+}
+
+static void cli_smb1_setup_encryption_blob_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct cli_smb1_setup_encryption_blob_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_blob_state);
+ uint8_t *rparam=NULL, *rdata=NULL;
+ uint32_t num_rparam, num_rdata;
+ NTSTATUS status;
+
+ status = smb1cli_trans_recv(subreq, state,
+ NULL, /* recv_flags */
+ NULL, 0, NULL, /* rsetup */
+ &rparam, 0, &num_rparam,
+ &rdata, 0, &num_rdata);
+ TALLOC_FREE(subreq);
+ state->status = status;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ status = NT_STATUS_OK;
+ }
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ if (num_rparam == 2) {
+ state->enc_ctx_id = SVAL(rparam, 0);
+ }
+ TALLOC_FREE(rparam);
+
+ state->out = data_blob_const(rdata, num_rdata);
+
+ tevent_req_done(req);
+}
+
+static NTSTATUS cli_smb1_setup_encryption_blob_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *out,
+ uint16_t *enc_ctx_id)
+{
+ struct cli_smb1_setup_encryption_blob_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_blob_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ tevent_req_received(req);
+ return status;
+ }
+
+ status = state->status;
+
+ *out = state->out;
+ talloc_steal(mem_ctx, out->data);
+
+ *enc_ctx_id = state->enc_ctx_id;
+
+ tevent_req_received(req);
+ return status;
+}
+
+struct cli_smb1_setup_encryption_state {
+ struct tevent_context *ev;
+ struct cli_state *cli;
+ struct smb_trans_enc_state *es;
+ DATA_BLOB blob_in;
+ DATA_BLOB blob_out;
+ bool local_ready;
+ bool remote_ready;
+};
+
+static void cli_smb1_setup_encryption_local_next(struct tevent_req *req);
+static void cli_smb1_setup_encryption_local_done(struct tevent_req *subreq);
+static void cli_smb1_setup_encryption_remote_next(struct tevent_req *req);
+static void cli_smb1_setup_encryption_remote_done(struct tevent_req *subreq);
+static void cli_smb1_setup_encryption_ready(struct tevent_req *req);
+
+static struct tevent_req *cli_smb1_setup_encryption_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+ struct cli_credentials *creds)
+{
+ struct tevent_req *req = NULL;
+ struct cli_smb1_setup_encryption_state *state = NULL;
+ struct auth_generic_state *ags = NULL;
+ const DATA_BLOB *b = NULL;
+ bool auth_requested = false;
+ const char *target_service = NULL;
+ const char *target_hostname = NULL;
+ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct cli_smb1_setup_encryption_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->cli = cli;
+
+ auth_requested = cli_credentials_authentication_requested(creds);
+ if (!auth_requested) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ target_service = "cifs";
+ target_hostname = smbXcli_conn_remote_name(cli->conn);
+
+ status = cli_session_creds_prepare_krb5(cli, creds);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ state->es = talloc_zero(state, struct smb_trans_enc_state);
+ if (tevent_req_nomem(state->es, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ status = auth_generic_client_prepare(state->es, &ags);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ gensec_want_feature(ags->gensec_security,
+ GENSEC_FEATURE_SIGN);
+ gensec_want_feature(ags->gensec_security,
+ GENSEC_FEATURE_SEAL);
+
+ status = auth_generic_set_creds(ags, creds);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ if (target_service != NULL) {
+ status = gensec_set_target_service(ags->gensec_security,
+ target_service);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ if (target_hostname != NULL) {
+ status = gensec_set_target_hostname(ags->gensec_security,
+ target_hostname);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ gensec_set_max_update_size(ags->gensec_security,
+ CLI_BUFFER_SIZE);
+
+ b = smbXcli_conn_server_gss_blob(state->cli->conn);
+ if (b != NULL) {
+ state->blob_in = *b;
+ }
+
+ status = auth_generic_client_start(ags, GENSEC_OID_SPNEGO);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * We only need the gensec_security part from here.
+ */
+ state->es->gensec_security = talloc_move(state->es,
+ &ags->gensec_security);
+ TALLOC_FREE(ags);
+
+ cli_smb1_setup_encryption_local_next(req);
+ if (!tevent_req_is_in_progress(req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void cli_smb1_setup_encryption_local_next(struct tevent_req *req)
+{
+ struct cli_smb1_setup_encryption_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_state);
+ struct tevent_req *subreq = NULL;
+
+ if (state->local_ready) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
+ subreq = gensec_update_send(state, state->ev,
+ state->es->gensec_security,
+ state->blob_in);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, cli_smb1_setup_encryption_local_done, req);
+}
+
+static void cli_smb1_setup_encryption_local_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct cli_smb1_setup_encryption_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_state);
+ NTSTATUS status;
+
+ status = gensec_update_recv(subreq, state, &state->blob_out);
+ TALLOC_FREE(subreq);
+ state->blob_in = data_blob_null;
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
+ {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ state->local_ready = true;
+ }
+
+ /*
+ * We always get NT_STATUS_OK from the server even if it is not ready.
+ * So guess the server is ready when we are ready and already sent
+ * our last blob to the server.
+ */
+ if (state->local_ready && state->blob_out.length == 0) {
+ state->remote_ready = true;
+ }
+
+ if (state->local_ready && state->remote_ready) {
+ cli_smb1_setup_encryption_ready(req);
+ return;
+ }
+
+ cli_smb1_setup_encryption_remote_next(req);
+}
+
+static void cli_smb1_setup_encryption_remote_next(struct tevent_req *req)
+{
+ struct cli_smb1_setup_encryption_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_state);
+ struct tevent_req *subreq = NULL;
+
+ if (state->remote_ready) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
+ subreq = cli_smb1_setup_encryption_blob_send(state, state->ev,
+ state->cli, state->blob_out);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq,
+ cli_smb1_setup_encryption_remote_done,
+ req);
+}
+
+static void cli_smb1_setup_encryption_remote_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct cli_smb1_setup_encryption_state *state =
+ tevent_req_data(req,
+ struct cli_smb1_setup_encryption_state);
+ NTSTATUS status;
+
+ status = cli_smb1_setup_encryption_blob_recv(subreq, state,
+ &state->blob_in,
+ &state->es->enc_ctx_num);
+ TALLOC_FREE(subreq);
+ data_blob_free(&state->blob_out);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
+ {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ /*
+ * We always get NT_STATUS_OK even if the server is not ready.
+ * So guess the server is ready when we are ready and sent
+ * our last blob to the server.
+ */
+ if (state->local_ready) {
+ state->remote_ready = true;
+ }

The branch, master has been updated
via 1a59014 docs-xml: Remove duplicate listing of configfile option in man pages
from 0383034 WHATSNEW: CTDB updates

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1a5901440272158025a01a4619c1d178dfefc732
Author: Anoop C S <***@redhat.com>
Date: Thu Dec 15 16:06:35 2016 +0530

docs-xml: Remove duplicate listing of configfile option in man pages

stdarg.configfile option is hierarchically included within
common.samba.client entity. So explicit inclusion of this
term will generate man pages with configfile option listed
twice.

Signed-off-by: Anoop C S <***@redhat.com>
Reviewed-by: Guenther Deschner <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): Günther Deschner <***@samba.org>
Autobuild-Date(master): Wed Dec 21 13:13:16 CET 2016 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/net.8.xml | 1 -
docs-xml/manpages/smbcontrol.1.xml | 1 -
2 files changed, 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 6e852fd..8ce2413 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -108,7 +108,6 @@
</varlistentry>

&stdarg.netbios.name;
- &stdarg.configfile;

<varlistentry>
<term>-S|--server server</term>
diff --git a/docs-xml/manpages/smbcontrol.1.xml b/docs-xml/manpages/smbcontrol.1.xml
index 03836aa..ebbb8dc 100644
--- a/docs-xml/manpages/smbcontrol.1.xml
+++ b/docs-xml/manpages/smbcontrol.1.xml
@@ -50,7 +50,6 @@

<variablelist>
&popt.autohelp;
- &stdarg.configfile;
&popt.common.samba.client;
<varlistentry>
<term>-t|--timeout</term>

The branch, master has been updated
via 0383034 WHATSNEW: CTDB updates
from c94f824 getncchanges: use the uptodateness_vector to filter links to replicate

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0383034633a113aa0c54f39b17a1a3dfbb53ade7
Author: Martin Schwenke <***@meltin.net>
Date: Tue Dec 20 22:40:36 2016 +1100

WHATSNEW: CTDB updates

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: Amitay Isaacs <***@gmail.com>

Autobuild-User(master): Amitay Isaacs <***@samba.org>
Autobuild-Date(master): Wed Dec 21 08:36:32 CET 2016 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index e5ce010..f542a5b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -81,6 +81,57 @@ A new option, "unix only", enables this feature only for the UNIX owner
of the file, not affecting the SID owner in the Windows NT ACL of the
file. This can be used to emulate something very similar to folder quotas.

+CTDB changes
+------------
+
+* "ctdb event" is a new top-level command for interacting with event scripts
+
+ "ctdb event status" replaces "ctdb scriptstatus" - the latter is
+ maintained for backward compatibility but the output format has been
+ cleaned up
+
+ "ctdb event run" replaces "ctdb eventscript"
+
+ "ctdb event script enable" replaces "ctdb enablescript"
+
+ "ctdb event script disable" replaces "ctdb disablescript"
+
+ The new command "ctdb event script list" lists event scripts.
+
+* CTDB's back-end for running event scripts has been replaced by a
+ separate, long-running daemon ctdbd_eventd.
+
+* Running ctdb interactively will log to stderr
+
+* CTDB logs now include process id for each process
+
+* CTDB tags log messages differently. Changes include:
+
+ ctdb-recoverd: Messages from CTDB's recovery daemon
+ ctdb-recovery: Messages from CTDB database recovery
+ ctdb-eventd: Messages from CTDB's event daemon
+ ctdb-takeover: Messgaes from CTDB's public IP takeover subsystem
+
+* The mapping between symbolic and numeric debug levels has changed
+
+ Configurations containing numeric debug levels should be updated.
+ Symbolic debug levels are recommended. See the DEBUG LEVEL section
+ of ctdb(7) for details.
+
+* Tunable IPAllocAlgorithm replaces LCP2PublicIPs, DeterministicIPs
+
+ See ctdb-tunables(7) for details
+
+* CTDB's configuration tunables should be consistently set across a cluster
+
+ This has always been the cases for most tunables but this fact is
+ now documented.
+
+* CTDB ships with recovery lock helper call-outs for etcd and Ceph RADOS
+
+ To build/install these, use the --enable-etcd-reclock and
+ --enable-ceph-reclock configure options.
+

REMOVED FEATURES
================

The branch, master has been updated
via c94f824 getncchanges: use the uptodateness_vector to filter links to replicate
via 5631421 torture/drs: test link replication with hwm and utdv
via e130c46 torture/drs: move ExopBaseTest into DrsBaseTest and extend
from 8989725 s3-rpc_client: Pass NULL as no password

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c94f82417035c8fdae9bb2631162798ba167e6b6
Author: Garming Sam <***@catalyst.net.nz>
Date: Wed Dec 14 16:05:05 2016 +1300

getncchanges: use the uptodateness_vector to filter links to replicate

This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Garming Sam <***@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144

commit 56314211439b281647a2f11e7a94bd874a5df337
Author: Bob Campbell <***@catalyst.net.nz>
Date: Mon Dec 19 12:27:31 2016 +1300

torture/drs: test link replication with hwm and utdv

Signed-off-by: Bob Campbell <***@catalyst.net.nz>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit e130c46e87a9dbda51a6ca7611f8bc4887ea6c7f
Author: Bob Campbell <***@catalyst.net.nz>
Date: Thu Dec 15 14:23:58 2016 +1300

torture/drs: move ExopBaseTest into DrsBaseTest and extend

Signed-off-by: Bob Campbell <***@catalyst.net.nz>
Reviewed-by: Garming Sam <***@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source4/rpc_server/drsuapi/getncchanges.c | 19 +-
source4/torture/drs/python/drs_base.py | 324 ++++++++++++++++++++-
source4/torture/drs/python/getnc_exop.py | 198 ++++++++-----
.../torture/drs/python/linked_attributes_drs.py | 40 +--
source4/torture/drs/python/ridalloc_exop.py | 40 +--
5 files changed, 476 insertions(+), 145 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 70ec04c..705c8cf 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -605,8 +605,10 @@ static WERROR get_nc_changes_add_links(struct ldb_context *sam_ctx,
for (j=0; j<el->num_values; j++) {
struct dsdb_dn *dsdb_dn;
uint64_t local_usn;
- NTSTATUS status;
+ uint64_t originating_usn;
+ NTSTATUS status, status2;
WERROR werr;
+ struct GUID originating_invocation_id;

dsdb_dn = dsdb_dn_parse(tmp_ctx, sam_ctx, &el->values[j], sa->syntax->ldap_oid);
if (dsdb_dn == NULL) {
@@ -635,6 +637,21 @@ static WERROR get_nc_changes_add_links(struct ldb_context *sam_ctx,
continue;
}

+ status = dsdb_get_extended_dn_guid(dsdb_dn->dn,
+ &originating_invocation_id,
+ "RMD_INVOCID");
+ status2 = dsdb_get_extended_dn_uint64(dsdb_dn->dn,
+ &originating_usn,
+ "RMD_ORIGINATING_USN");
+
+ if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(status2)) {
+ if (udv_filter(uptodateness_vector,
+ &originating_invocation_id,
+ originating_usn)) {
+ continue;
+ }
+ }
+
werr = get_nc_changes_add_la(mem_ctx, sam_ctx, schema,
sa, msg, dsdb_dn, la_list,
la_count, is_schema_nc);
diff --git a/source4/torture/drs/python/drs_base.py b/source4/torture/drs/python/drs_base.py
index aa0a7f6..e6f6e48 100644
--- a/source4/torture/drs/python/drs_base.py
+++ b/source4/torture/drs/python/drs_base.py
@@ -3,6 +3,8 @@
#
# Unix SMB/CIFS implementation.
# Copyright (C) Kamen Mazdrashki <***@samba.org> 2011
+# Copyright (C) Andrew Bartlett <***@samba.org> 2016
+# Copyright (C) Catalyst IT Ltd. 2016
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -18,15 +20,18 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

-
import sys
import time
import os
+import ldb

sys.path.insert(0, "bin/python")
import samba.tests
from samba.tests.samba_tool.base import SambaToolCmdTest
from samba import dsdb
+from samba.dcerpc import drsuapi, misc, drsblobs, security
+from samba.ndr import ndr_unpack, ndr_pack
+from samba.drs_utils import drs_DsBind

from ldb import (
SCOPE_BASE,
@@ -143,3 +148,320 @@ class DrsBaseTestCase(SambaToolCmdTest):
# disable replication
self.check_run("%s %s --dsa-option=+DISABLE_INBOUND_REPL" %(samba_tool_cmd, DC))
self.check_run("%s %s --dsa-option=+DISABLE_OUTBOUND_REPL" %(samba_tool_cmd, DC))
+
+ def _get_highest_hwm_utdv(self, ldb_conn):
+ res = ldb_conn.search("", scope=ldb.SCOPE_BASE, attrs=["highestCommittedUSN"])
+ hwm = drsuapi.DsReplicaHighWaterMark()
+ hwm.tmp_highest_usn = long(res[0]["highestCommittedUSN"][0])
+ hwm.reserved_usn = 0
+ hwm.highest_usn = hwm.tmp_highest_usn
+
+ utdv = drsuapi.DsReplicaCursorCtrEx()
+ cursors = []
+ c1 = drsuapi.DsReplicaCursor()
+ c1.source_dsa_invocation_id = misc.GUID(ldb_conn.get_invocation_id())
+ c1.highest_usn = hwm.highest_usn
+ cursors.append(c1)
+ utdv.count = len(cursors)
+ utdv.cursors = cursors
+ return (hwm, utdv)
+
+ def _get_indentifier(self, ldb_conn, dn):
+ res = ldb_conn.search(dn, scope=ldb.SCOPE_BASE,
+ attrs=["objectGUID", "objectSid"])
+ id = drsuapi.DsReplicaObjectIdentifier()
+ id.guid = ndr_unpack(misc.GUID, res[0]['objectGUID'][0])
+ if "objectSid" in res[0]:
+ id.sid = ndr_unpack(security.dom_sid, res[0]['objectSid'][0])
+ id.dn = str(res[0].dn)
+ return id
+
+ def _check_replication(self, expected_dns, replica_flags, expected_links=[],
+ drs_error=drsuapi.DRSUAPI_EXOP_ERR_NONE, drs=None, drs_handle=None,
+ highwatermark=None, uptodateness_vector=None,
+ more_flags=0, more_data=False,
+ dn_ordered=True, links_ordered=True,
+ max_objects=133, exop=0,
+ dest_dsa=drsuapi.DRSUAPI_DS_BIND_GUID_W2K3,
+ source_dsa=None, invocation_id=None, nc_dn_str=None,
+ nc_object_count=0, nc_linked_attributes_count=0):
+ """
+ Makes sure that replication returns the specific error given.
+ """
+ if source_dsa is None:
+ source_dsa = self.ldb_dc1.get_ntds_GUID()
+ if invocation_id is None:
+ invocation_id = self.ldb_dc1.get_invocation_id()
+ if nc_dn_str is None:
+ nc_dn_str = self.ldb_dc1.domain_dn()
+
+ if highwatermark is None:
+ if self.default_hwm is None:
+ (highwatermark, _) = self._get_highest_hwm_utdv(self.ldb_dc1)
+ else:
+ highwatermark = self.default_hwm
+
+ if drs is None:
+ drs = self.drs
+ if drs_handle is None:
+ drs_handle = self.drs_handle
+
+ req10 = self._getnc_req10(dest_dsa=dest_dsa,
+ invocation_id=invocation_id,
+ nc_dn_str=nc_dn_str,
+ exop=exop,
+ max_objects=max_objects,
+ replica_flags=replica_flags)
+ req10.highwatermark = highwatermark
+ if uptodateness_vector is not None:
+ uptodateness_vector_v1 = drsuapi.DsReplicaCursorCtrEx()
+ cursors = []
+ for i in xrange(0, uptodateness_vector.count):
+ c = uptodateness_vector.cursors[i]
+ c1 = drsuapi.DsReplicaCursor()
+ c1.source_dsa_invocation_id = c.source_dsa_invocation_id
+ c1.highest_usn = c.highest_usn
+ cursors.append(c1)
+ uptodateness_vector_v1.count = len(cursors)
+ uptodateness_vector_v1.cursors = cursors
+ req10.uptodateness_vector = uptodateness_vector_v1
+ (level, ctr) = drs.DsGetNCChanges(drs_handle, 10, req10)
+
+ self.assertEqual(level, 6, "expected level 6 response!")
+ self.assertEqual(ctr.source_dsa_guid, misc.GUID(source_dsa))
+ self.assertEqual(ctr.source_dsa_invocation_id, misc.GUID(invocation_id))
+ ctr6 = ctr
+ self.assertEqual(ctr6.extended_ret, drs_error)
+ self._check_ctr6(ctr6, expected_dns, expected_links,
+ nc_object_count=nc_object_count)
+ return (ctr6.new_highwatermark, ctr6.uptodateness_vector)
+
+ def _check_ctr6(self, ctr6, expected_dns=[], expected_links=[],
+ dn_ordered=True, links_ordered=True,
+ more_data=False, nc_object_count=0,
+ nc_linked_attributes_count=0, drs_error=0):
+ """
+ Check that a ctr6 matches the specified parameters.
+ """
+ self.assertEqual(ctr6.object_count, len(expected_dns))
+ self.assertEqual(ctr6.linked_attributes_count, len(expected_links))
+ self.assertEqual(ctr6.more_data, more_data)
+ self.assertEqual(ctr6.nc_object_count, nc_object_count)
+ self.assertEqual(ctr6.nc_linked_attributes_count, nc_linked_attributes_count)
+ self.assertEqual(ctr6.drs_error[0], drs_error)
+
+ ctr6_dns = []
+ next_object = ctr6.first_object
+ for i in range(0, ctr6.object_count):
+ ctr6_dns.append(next_object.object.identifier.dn)
+ next_object = next_object.next_object
+ self.assertEqual(next_object, None)
+
+ i = 0
+ for dn in expected_dns:
+ # Expect them back in the exact same order as specified.
+ if dn_ordered:
+ self.assertNotEqual(ctr6_dns[i], None)
+ self.assertEqual(ctr6_dns[i], dn)
+ i = i + 1
+ # Don't care what order
+ else:
+ self.assertTrue(dn in ctr6_dns, "Couldn't find DN '%s' anywhere in ctr6 response." % dn)
+
+ ctr6_links = []
+ expected_links.sort()
+ lidx = 0
+ for lidx in range(0, ctr6.linked_attributes_count):
+ l = ctr6.linked_attributes[lidx]
+ try:
+ target = ndr_unpack(drsuapi.DsReplicaObjectIdentifier3,
+ l.value.blob)
+ except:
+ target = ndr_unpack(drsuapi.DsReplicaObjectIdentifier3Binary,
+ l.value.blob)
+ al = AbstractLink(l.attid, l.flags,
+ l.identifier.guid,
+ target.guid)
+ ctr6_links.append(al)
+
+ lidx = 0
+ for el in expected_links:
+ if links_ordered:
+ self.assertEqual(el, ctr6_links[lidx])
+ lidx += 1
+ else:
+ self.assertTrue(el in ctr6_links, "Couldn't find link '%s' anywhere in ctr6 response." % el)
+
+ def _exop_req8(self, dest_dsa, invocation_id, nc_dn_str, exop,
+ replica_flags=0, max_objects=0, partial_attribute_set=None,
+ partial_attribute_set_ex=None, mapping_ctr=None):
+ req8 = drsuapi.DsGetNCChangesRequest8()
+
+ req8.destination_dsa_guid = misc.GUID(dest_dsa) if dest_dsa else misc.GUID()
+ req8.source_dsa_invocation_id = misc.GUID(invocation_id)
+ req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
+ req8.naming_context.dn = unicode(nc_dn_str)
+ req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
+ req8.highwatermark.tmp_highest_usn = 0
+ req8.highwatermark.reserved_usn = 0
+ req8.highwatermark.highest_usn = 0
+ req8.uptodateness_vector = None
+ req8.replica_flags = replica_flags
+ req8.max_object_count = max_objects
+ req8.max_ndr_size = 402116
+ req8.extended_op = exop
+ req8.fsmo_info = 0
+ req8.partial_attribute_set = partial_attribute_set
+ req8.partial_attribute_set_ex = partial_attribute_set_ex
+ if mapping_ctr:
+ req8.mapping_ctr = mapping_ctr
+ else:
+ req8.mapping_ctr.num_mappings = 0
+ req8.mapping_ctr.mappings = None
+
+ return req8
+
+ def _getnc_req10(self, dest_dsa, invocation_id, nc_dn_str, exop,
+ replica_flags=0, max_objects=0, partial_attribute_set=None,
+ partial_attribute_set_ex=None, mapping_ctr=None,
+ more_flags=0):
+ req10 = drsuapi.DsGetNCChangesRequest10()
+
+ req10.destination_dsa_guid = misc.GUID(dest_dsa) if dest_dsa else misc.GUID()
+ req10.source_dsa_invocation_id = misc.GUID(invocation_id)
+ req10.naming_context = drsuapi.DsReplicaObjectIdentifier()
+ req10.naming_context.dn = unicode(nc_dn_str)
+ req10.highwatermark = drsuapi.DsReplicaHighWaterMark()
+ req10.highwatermark.tmp_highest_usn = 0
+ req10.highwatermark.reserved_usn = 0
+ req10.highwatermark.highest_usn = 0
+ req10.uptodateness_vector = None
+ req10.replica_flags = replica_flags
+ req10.max_object_count = max_objects
+ req10.max_ndr_size = 402116
+ req10.extended_op = exop
+ req10.fsmo_info = 0
+ req10.partial_attribute_set = partial_attribute_set
+ req10.partial_attribute_set_ex = partial_attribute_set_ex
+ if mapping_ctr:
+ req10.mapping_ctr = mapping_ctr
+ else:
+ req10.mapping_ctr.num_mappings = 0
+ req10.mapping_ctr.mappings = None
+ req10.more_flags = more_flags
+
+ return req10
+
+ def _ds_bind(self, server_name):
+ binding_str = "ncacn_ip_tcp:%s[seal]" % server_name
+
+ drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.get_credentials())
+ (drs_handle, supported_extensions) = drs_DsBind(drs)
+ return (drs, drs_handle)
+
+
+class AbstractLink:
+ def __init__(self, attid, flags, identifier, targetGUID):
+ self.attid = attid
+ self.flags = flags
+ self.identifier = str(identifier)
+ self.selfGUID_blob = ndr_pack(identifier)
+ self.targetGUID = str(targetGUID)
+ self.targetGUID_blob = ndr_pack(targetGUID)
+
+ def __repr__(self):
+ return "AbstractLink(0x%08x, 0x%08x, %s, %s)" % (
+ self.attid, self.flags, self.identifier, self.targetGUID)
+
+ def __internal_cmp__(self, other, verbose=False):
+ """See CompareLinks() in MS-DRSR section 4.1.10.5.17"""
+ if not isinstance(other, AbstractLink):
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => wrong type" % (self, other)
+ return NotImplemented
+
+ c = cmp(self.selfGUID_blob, other.selfGUID_blob)
+ if c != 0:
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => %d different identifier" % (self, other, c)
+ return c
+
+ c = other.attid - self.attid
+ if c != 0:
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => %d different attid" % (self, other, c)
+ return c
+
+ self_active = self.flags & drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
+ other_active = other.flags & drsuapi.DRSUAPI_DS_LINKED_ATTRIBUTE_FLAG_ACTIVE
+
+ c = self_active - other_active
+ if c != 0:
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => %d different FLAG_ACTIVE" % (self, other, c)
+ return c
+
+ c = cmp(self.targetGUID_blob, other.targetGUID_blob)
+ if c != 0:
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => %d different target" % (self, other, c)
+ return c
+
+ c = self.flags - other.flags
+ if c != 0:
+ if verbose:
+ print "AbstractLink.__internal_cmp__(%r, %r) => %d different flags" % (self, other, c)
+ return c
+
+ return 0
+
+ def __lt__(self, other):
+ c = self.__internal_cmp__(other)
+ if c == NotImplemented:
+ return NotImplemented
+ if c < 0:
+ return True
+ return False
+
+ def __le__(self, other):
+ c = self.__internal_cmp__(other)
+ if c == NotImplemented:
+ return NotImplemented
+ if c <= 0:
+ return True
+ return False
+
+ def __eq__(self, other):
+ c = self.__internal_cmp__(other, verbose=True)
+ if c == NotImplemented:
+ return NotImplemented
+ if c == 0:
+ return True
+ return False
+
+ def __ne__(self, other):
+ c = self.__internal_cmp__(other)
+ if c == NotImplemented:
+ return NotImplemented
+ if c != 0:
+ return True
+ return False
+
+ def __gt__(self, other):
+ c = self.__internal_cmp__(other)
+ if c == NotImplemented:
+ return NotImplemented
+ if c > 0:
+ return True
+ return False
+
+ def __ge__(self, other):
+ c = self.__internal_cmp__(other)
+ if c == NotImplemented:
+ return NotImplemented
+ if c >= 0:
+ return True
+ return False
+
+ def __hash__(self):
+ return hash((self.attid, self.flags, self.identifier, self.targetGUID))
diff --git a/source4/torture/drs/python/getnc_exop.py b/source4/torture/drs/python/getnc_exop.py
index 246d859..d9e06f2 100644
--- a/source4/torture/drs/python/getnc_exop.py
+++ b/source4/torture/drs/python/getnc_exop.py
@@ -28,7 +28,11 @@
# PYTHONPATH="$PYTHONPATH:$samba4srcdir/torture/drs/python" $SUBUNITRUN getnc_exop -U"$DOMAIN/$DC_USERNAME"%"$DC_PASSWORD"
#

+import random
+
import drs_base
+from drs_base import AbstractLink
+
import samba.tests

import ldb
@@ -62,60 +66,8 @@ def _linked_attribute_compare(la1, la2):
# Ascending target object GUID
return cmp(ndr_pack(la1_target), ndr_pack(la2_target))

-class AbstractLink:
- def __init__(self, attid, flags, identifier, targetGUID):
- self.attid = attid
- self.flags = flags
- self.identifier = identifier
- self.targetGUID = targetGUID
-
- def __eq__(self, other):
- return isinstance(other, AbstractLink) and \
- ((self.attid, self.flags, self.identifier, self.targetGUID) ==
- (other.attid, other.flags, other.identifier, other.targetGUID))
-
- def __hash__(self):
- return hash((self.attid, self.flags, self.identifier, self.targetGUID))
-
-class ExopBaseTest:
- def _exop_req8(self, dest_dsa, invocation_id, nc_dn_str, exop,
- replica_flags=0, max_objects=0, partial_attribute_set=None,
- partial_attribute_set_ex=None, mapping_ctr=None):
- req8 = drsuapi.DsGetNCChangesRequest8()
-
- req8.destination_dsa_guid = misc.GUID(dest_dsa) if dest_dsa else misc.GUID()
- req8.source_dsa_invocation_id = misc.GUID(invocation_id)
- req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
- req8.naming_context.dn = unicode(nc_dn_str)
- req8.highwatermark = drsuapi.DsReplicaHighWaterMark()
- req8.highwatermark.tmp_highest_usn = 0
- req8.highwatermark.reserved_usn = 0
- req8.highwatermark.highest_usn = 0
- req8.uptodateness_vector = None
- req8.replica_flags = replica_flags
- req8.max_object_count = max_objects
- req8.max_ndr_size = 402116
- req8.extended_op = exop
- req8.fsmo_info = 0
- req8.partial_attribute_set = partial_attribute_set
- req8.partial_attribute_set_ex = partial_attribute_set_ex
- if mapping_ctr:
- req8.mapping_ctr = mapping_ctr
- else:
- req8.mapping_ctr.num_mappings = 0
- req8.mapping_ctr.mappings = None
-
- return req8
-
- def _ds_bind(self, server_name):
- binding_str = "ncacn_ip_tcp:%s[seal]" % server_name
-
- drs = drsuapi.drsuapi(binding_str, self.get_loadparm(), self.get_credentials())
- (drs_handle, supported_extensions) = drs_DsBind(drs)
- return (drs, drs_handle)
-

-class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase, ExopBaseTest):
+class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase):
"""Intended as a semi-black box test case for DsGetNCChanges
implementation for extended operations. It should be testing
how DsGetNCChanges handles different input params (mostly invalid).
@@ -124,8 +76,20 @@ class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase, ExopBaseTest):

def setUp(self):
super(DrsReplicaSyncTestCase, self).setUp()
+ self.base_dn = self.ldb_dc1.get_default_basedn()
+ self.ou = "OU=test_getncchanges,%s" % self.base_dn
+ self.ldb_dc1.add({
+ "dn": self.ou,
+ "objectclass": "organizationalUnit"})
+ (self.drs, self.drs_handle) = self._ds_bind(self.dnsname_dc1)
+ (self.default_hwm, self.default_utdv) = self._get_highest_hwm_utdv(self.ldb_dc1)

def tearDown(self):
+ try:
+ self.ldb_dc1.delete(self.ou, ["tree_delete:1"])
+ except ldb.LdbError as (enum, string):
+ if enum == ldb.ERR_NO_SUCH_OBJECT:
+ pass
super(DrsReplicaSyncTestCase, self).tearDown()

def _determine_fSMORoleOwner(self, fsmo_obj_dn):
@@ -170,6 +134,106 @@ class DrsReplicaSyncTestCase(drs_base.DrsBaseTestCase, ExopBaseTest):
self.assertEqual(ctr6.linked_attributes, [])
self.assertEqual(ctr6.drs_error[0], 0)

+ def test_link_utdv_hwm(self):
+ ou1 = "OU=get_anc1,%s" % self.ou
+ self.ldb_dc1.add({
+ "dn": ou1,
+ "objectclass": "organizationalUnit"

The branch, master has been updated
via 8989725 s3-rpc_client: Pass NULL as no password
via ae5e654 auth/credentials: Add NULL check to free_dccache()
via c406bf6 auth/credentials: Add NULL check in free_mccache()
via d1ad71e auth/credentials: Move function to free ccaches to the top
via 59cc352 auth/credentials: Add talloc NULL check in cli_credentials_set_principal()
from 9b566e7 WHATSNEW: Add some information about ID mapping

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8989725b67b4510b05a6819f86fc364293b5a814
Author: Andreas Schneider <***@samba.org>
Date: Mon Sep 19 14:40:42 2016 +0200

s3-rpc_client: Pass NULL as no password

GENSEC expects NULL as no password.

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144

commit ae5e654f88539b3b7ab55ae11b048479523138aa
Author: Andreas Schneider <***@samba.org>
Date: Sat Oct 1 11:27:54 2016 +0200

auth/credentials: Add NULL check to free_dccache()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit c406bf6cd6907b43301752169054c0d30b1f8544
Author: Andreas Schneider <***@samba.org>
Date: Sat Oct 1 11:25:44 2016 +0200

auth/credentials: Add NULL check in free_mccache()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit d1ad71ef9f0fe9379eb396ee38909d28c7797ee9
Author: Andreas Schneider <***@samba.org>
Date: Thu Oct 6 09:22:29 2016 +0200

auth/credentials: Move function to free ccaches to the top

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 59cc352ac6c5b763ae9cbf81fe367dd8769863d2
Author: Andreas Schneider <***@samba.org>
Date: Thu Oct 6 08:16:57 2016 +0200

auth/credentials: Add talloc NULL check in cli_credentials_set_principal()

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
auth/credentials/credentials.c | 4 ++++
auth/credentials/credentials_krb5.c | 39 +++++++++++++++++++++++--------------
source3/rpc_client/cli_pipe.c | 2 +-
3 files changed, 29 insertions(+), 16 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 9a935c6..06648c7 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -268,7 +268,11 @@ _PUBLIC_ bool cli_credentials_set_principal(struct cli_credentials *cred,
{
if (obtained >= cred->principal_obtained) {
cred->principal = talloc_strdup(cred, val);
+ if (cred->principal == NULL) {
+ return false;
+ }
cred->principal_obtained = obtained;
+
cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
return true;
}
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 4c903f2..ca62e30 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -39,6 +39,30 @@ static void cli_credentials_invalidate_client_gss_creds(
struct cli_credentials *cred,
enum credentials_obtained obtained);

+/* Free a memory ccache */
+static int free_mccache(struct ccache_container *ccc)
+{
+ if (ccc->ccache != NULL) {
+ krb5_cc_destroy(ccc->smb_krb5_context->krb5_context,
+ ccc->ccache);
+ ccc->ccache = NULL;
+ }
+
+ return 0;
+}
+
+/* Free a disk-based ccache */
+static int free_dccache(struct ccache_container *ccc)
+{
+ if (ccc->ccache != NULL) {
+ krb5_cc_close(ccc->smb_krb5_context->krb5_context,
+ ccc->ccache);
+ ccc->ccache = NULL;
+ }
+
+ return 0;
+}
+
_PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
@@ -122,21 +146,6 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return 0;
}

-/* Free a memory ccache */
-static int free_mccache(struct ccache_container *ccc)
-{
- krb5_cc_destroy(ccc->smb_krb5_context->krb5_context, ccc->ccache);
-
- return 0;
-}
-
-/* Free a disk-based ccache */
-static int free_dccache(struct ccache_container *ccc) {
- krb5_cc_close(ccc->smb_krb5_context->krb5_context, ccc->ccache);
-
- return 0;
-}
-
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *name,
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5418fbe..14f7fbc 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2629,7 +2629,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
"host", /* target_service */
NAME_NT_AUTHORITY, /* domain */
"SYSTEM",
- "", /* password */
+ NULL, /* password */
CRED_DONT_USE_KERBEROS,
NULL, /* netlogon_creds_CredentialState */
presult);

The branch, master has been updated
via 9b566e7 WHATSNEW: Add some information about ID mapping
via cabd1df WHATSNEW: Add Printing changes
via c9c8010 WHATSNEW: Use capital K for Kerberos
via afd8c38 HEIMDAL:lib/krb5: Harden _krb5_derive_key()
via c15464f8 HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()
via fb318ab HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()
via 05cc099 HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()
via ab25cdf CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via 6459543 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via f52ca0c CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via ee30821 CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via ce9e4a3 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
from 0bb3490 s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9b566e7b3cd5d3efd510076e9fdec97730df4883
Author: Andreas Schneider <***@samba.org>
Date: Wed Dec 14 11:23:10 2016 +0100

WHATSNEW: Add some information about ID mapping

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Karolin Seeger <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144

commit cabd1df66ab6aba4c5f0017f8da0e2cac3adcd74
Author: Andreas Schneider <***@samba.org>
Date: Wed Dec 14 08:25:45 2016 +0100

WHATSNEW: Add Printing changes

Signed-off-by: Andreas Schneider <***@samba.org>

commit c9c8010cbd15bfc864a3425a51d9d1a0449d00c4
Author: Andreas Schneider <***@samba.org>
Date: Wed Dec 14 08:15:38 2016 +0100

WHATSNEW: Use capital K for Kerberos

Signed-off-by: Andreas Schneider <***@samba.org>

commit afd8c389c92e38aa59a55127b2594023561b2ddd
Author: Volker Lendecke <***@samba.org>
Date: Fri Nov 18 18:02:30 2016 +0000

HEIMDAL:lib/krb5: Harden _krb5_derive_key()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit c15464f886f9734982123d38594073601d49f151
Author: Volker Lendecke <***@samba.org>
Date: Fri Nov 18 18:02:30 2016 +0000

HEIMDAL:lib/krb5: Harden ARCFOUR_sub{en,de}crypt()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit fb318ab0203297019c5e47c6bef4a9abfdeea8a5
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Nov 22 13:53:53 2016 +0100

HEIMDAL:lib/krb5: use krb5_verify_checksum() in krb5_c_verify_checksum()

This allows the optimized checksum->verify() function to be used.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit 05cc099499ef3a07d140981ef82937c842a3ffef
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Nov 22 13:42:31 2016 +0100

HEIMDAL:lib/krb5: move checksum vs. enctype checks into get_checksum_key()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Jeremy Allison <***@samba.org>

commit ab25cdfa9dd071652985eb9ab98255cda3c3de57
Author: Stefan Metzmacher <***@samba.org>
Date: Tue Nov 22 17:08:46 2016 +0100

CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()

aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 6459543b5a4782eeac5d78290918cced7de4790f
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 23 11:44:22 2016 +0100

CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default

This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: Simo Sorce <***@samba.org>

commit f52ca0cbb6412c1d3abc5dc9983b0493ef915a3f
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 23 11:42:59 2016 +0100

CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: Simo Sorce <***@samba.org>

commit ee30821ecaff86f9f62da48c8a0d154cc118f058
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Nov 23 11:41:10 2016 +0100

CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss

This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Alexander Bokovoy <***@samba.org>
Reviewed-by: Simo Sorce <***@samba.org>

commit ce9e4a350135c985133af807dfaf8af95088b571
Author: Volker Lendecke <***@samba.org>
Date: Sat Nov 5 21:22:46 2016 +0100

CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <***@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 25 +++++++++++-
auth/kerberos/kerberos_pac.c | 22 +++++++++++
librpc/ndr/ndr_dnsp.c | 9 +++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/heimdal/lib/krb5/crypto-arcfour.c | 8 ++++
source4/heimdal/lib/krb5/crypto.c | 66 +++++++++++++++----------------
source4/heimdal/lib/krb5/mit_glue.c | 17 ++++----
source4/scripting/bin/nsupdate-gss | 2 +-
9 files changed, 106 insertions(+), 46 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 39445cc..e5ce010 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -30,10 +30,24 @@ next Samba version 4.7 will not accept the wrong spelling.
Users who were using the wrong spelling "ressource" with two "s" can keep the
setting, but are advised to switch to the correct spelling.

+ID Mapping
+----------
+We discovered that the majority of users have an invalid or incorrect
+ID mapping configuration. We implemented checks in the 'testparm' tool to
+validate the ID mapping configuration. You should run it and check if it prints
+any warnings or errors after upgrading! If it does you should fix them. See the
+'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
+There are some ID mapping backends which are not allowed to be used for the
+default backend. Winbind will no longer start if an invalid backend is
+configured as the default backend.
+
+To avoid problems in future we advise all users to run 'testparm' after
+changing the smb.conf file!
+
NEW FEATURES/CHANGES
====================

-kerberos client encryption types
+Kerberos client encryption types
--------------------------------
Some parts of Samba (most notably winbindd) perform Kerberos client
operations based on a Samba-generated krb5.conf file. A new
@@ -48,6 +62,15 @@ only allows AES-based algorithms to be negotiated. Setting the parameter to
This can solves some corner cases of mixed environments with Server 2003R2 and
newer DCs.

+Printing
+--------
+Support for uploading printer drivers from newer Windows clients (Windows 10)
+has been added until our implementation of [MS-PAR] protocol is ready.
+Several issues with uploading different printing drivers have been addressed.
+
+The OS Version for the printing server has been increased to announce
+Windows Server 2003 R2 SP2. If a driver needs a newer version then you should
+check the smb.conf manpage for details.

new option for owner inheritance
--------------------------------
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;

+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7..974ff5e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index d0ae53c..e4ceed1 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));

gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 18bb011..a37a0a9 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
diff --git a/source4/heimdal/lib/krb5/crypto-arcfour.c b/source4/heimdal/lib/krb5/crypto-arcfour.c
index e16b70c..2289e7d 100644
--- a/source4/heimdal/lib/krb5/crypto-arcfour.c
+++ b/source4/heimdal/lib/krb5/crypto-arcfour.c
@@ -139,6 +139,10 @@ ARCFOUR_subencrypt(krb5_context context,
unsigned char k1_c_data[16], k2_c_data[16], k3_c_data[16];
krb5_error_code ret;

+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
@@ -207,6 +211,10 @@ ARCFOUR_subdecrypt(krb5_context context,
unsigned char cksum_data[16];
krb5_error_code ret;

+ if (len < 16) {
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ }
+
t[0] = (usage >> 0) & 0xFF;
t[1] = (usage >> 8) & 0xFF;
t[2] = (usage >> 16) & 0xFF;
diff --git a/source4/heimdal/lib/krb5/crypto.c b/source4/heimdal/lib/krb5/crypto.c
index 75d0a09..7dd2af5 100644
--- a/source4/heimdal/lib/krb5/crypto.c
+++ b/source4/heimdal/lib/krb5/crypto.c
@@ -305,6 +305,24 @@ get_checksum_key(krb5_context context,
struct _krb5_key_data **key)
{
krb5_error_code ret = 0;
+ struct _krb5_checksum_type *kct = NULL;
+
+ if (crypto == NULL) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed but no "
+ "crypto context (key) was passed in", ""),
+ ct->name);
+ return KRB5_BAD_ENCTYPE;
+ }
+ kct = crypto->et->keyed_checksum;
+ if (kct == NULL || kct->type != ct->type) {
+ krb5_set_error_message(context, KRB5_BAD_ENCTYPE,
+ N_("Checksum type %s is keyed, but "
+ "the key type %s passed didnt have that checksum "
+ "type as the keyed type", ""),
+ ct->name, crypto->et->name);
+ return KRB5_BAD_ENCTYPE;
+ }

if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
@@ -340,21 +358,12 @@ create_checksum (krb5_context context,
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;

if (ct->flags & F_DISABLED) {
krb5_clear_error_message (context);
return KRB5_PROG_SUMTYPE_NOSUPP;
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum && crypto == NULL) {
- krb5_set_error_message (context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- if(keyed_checksum) {
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
@@ -422,7 +431,6 @@ verify_checksum(krb5_context context,
{
krb5_error_code ret;
struct _krb5_key_data *dkey;
- int keyed_checksum;
Checksum c;
struct _krb5_checksum_type *ct;

@@ -443,26 +451,7 @@ verify_checksum(krb5_context context,

return KRB5KRB_AP_ERR_BAD_INTEGRITY; /* XXX */
}
- keyed_checksum = (ct->flags & F_KEYED) != 0;
- if(keyed_checksum) {
- struct _krb5_checksum_type *kct;
- if (crypto == NULL) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed but no "
- "crypto context (key) was passed in", ""),
- ct->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
- kct = crypto->et->keyed_checksum;
- if (kct == NULL || kct->type != ct->type) {
- krb5_set_error_message(context, KRB5_PROG_SUMTYPE_NOSUPP,
- N_("Checksum type %s is keyed, but "
- "the key type %s passed didnt have that checksum "
- "type as the keyed type", ""),
- ct->name, crypto->et->name);
- return KRB5_PROG_SUMTYPE_NOSUPP; /* XXX */
- }
-
+ if (ct->flags & F_KEYED) {
ret = get_checksum_key(context, crypto, usage, ct, &dkey);
if (ret)
return ret;
@@ -1866,8 +1855,12 @@ _krb5_derive_key(krb5_context context,
memcpy(k + i * et->blocksize,
k + (i - 1) * et->blocksize,
et->blocksize);
- (*et->encrypt)(context, key, k + i * et->blocksize, et->blocksize,
- 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, k + i * et->blocksize,
+ et->blocksize, 1, 0, NULL);
+ if (ret) {
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
}
} else {
/* this case is probably broken, but won't be run anyway */
@@ -1880,7 +1873,12 @@ _krb5_derive_key(krb5_context context,
goto out;
}
memcpy(c, constant, len);
- (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ ret = (*et->encrypt)(context, key, c, len, 1, 0, NULL);
+ if (ret) {
+ free(c);
+ krb5_set_error_message(context, ret, N_("encrypt failed", ""));
+ goto out;
+ }
k = malloc(res_len);
if(res_len != 0 && k == NULL) {
free(c);
diff --git a/source4/heimdal/lib/krb5/mit_glue.c b/source4/heimdal/lib/krb5/mit_glue.c
index 16c230a..53b20fd 100644
--- a/source4/heimdal/lib/krb5/mit_glue.c
+++ b/source4/heimdal/lib/krb5/mit_glue.c
@@ -67,22 +67,23 @@ krb5_c_verify_checksum(krb5_context context, const krb5_keyblock *key,
const krb5_checksum *cksum, krb5_boolean *valid)
{
krb5_error_code ret;
- krb5_checksum data_cksum;
+ krb5_crypto crypto;

*valid = 0;

- ret = krb5_c_make_checksum(context, cksum->cksumtype,
- key, usage, data, &data_cksum);
+ ret = krb5_crypto_init(context, key, 0, &crypto);
if (ret)
return ret;

- if (data_cksum.cksumtype == cksum->cksumtype
- && krb5_data_ct_cmp(&data_cksum.checksum, &cksum->checksum) == 0)
- *valid = 1;
+ ret = krb5_verify_checksum(context, crypto, usage,
+ data->data, data->length, cksum);
+ krb5_crypto_destroy(context, crypto);

- krb5_free_checksum_contents(context, &data_cksum);
+ if (ret == 0) {
+ *valid = 1;
+ }

- return 0;
+ return ret;
}

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;


$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,

The branch, master has been updated
via 0bb3490 s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally
via 4fb0e65 s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading
via d7fb3bb tests/credentials.py: demonstrate the last 'username' line of creds.parse_file() beats other lines
via 05e8bfd auth/credentials: change the parsing order of cli_credentials_parse_file()
via 250df9d tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing
via d487591 auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()
via 6b6c07f tests/credentials.py: add tests to verify realm/principal behaviour of cli_credentials_parse_string()
via eaf3d44 auth/credentials: let cli_credentials_parse_string() always reset principal and realm
via 6b18ac6 auth/credentials: let cli_credentials_parse_string() always reset username and domain
via 86558b5 tests/credentials.py: add tests with a realm from smb.conf
via dab9456 auth/credentials: handle situations without a configured (default) realm
via 7c344fb auth/credentials: add python bindings for enum credentials_obtained
via 9fa7f59 tests/credentials.py: add very simple test for py_creds_parse_file
via df652c3 auth/credentials: add py_creds_parse_file()
via 63dabd2 tests/credentials.py: verify the difference of parse_string("someone") and parse_string("someone%")
via d29f7dc tests/credentials.py: add test for cli_credentials_set_password_will_be_nt_hash()
via 1565469 auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic
via a3f03df auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails
via 8415cca auth/credentials: make use of talloc_zero() in cli_credentials_init()
via 787cf39 s4-rpc_server: Add braces to better follow coding style
via abbd0a8 s4-netlogon: Push the netlogon server in the AD DC into multiple processes
via 86e706a selftest: Use 'rpc server port:netlogon' and 'rpc server port' smb.conf option
via b81cf02 s4-rpc_server: Do not check association groups for NETLOGON
via 6dc14b0 s4-rpc_server: Allow listener for RPC servers to use multiple processes
via ffb8b50 s4-rpc_server: Allow each interface to declare if it uses handles
via 5ea6708 s4-rpc_server: Add comments explaining the control flow around dcesrv_bind()
from b38f1ae s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0bb3490329310e81147c56f42fa7b07350cfb384
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Oct 28 12:14:37 2016 +0200

s3:user_auth_info: let struct user_auth_info use struct cli_credentials internally

This way we can have a very simple get_cmdline_auth_info_creds() function,
which can be used pass cli_credentials down the stack instead of
constantly translating from user_auth_info to cli_credentials, while
loosing information.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

Autobuild-User(master): Andrew Bartlett <***@samba.org>
Autobuild-Date(master): Tue Dec 20 04:57:05 CET 2016 on sn-devel-144

commit 4fb0e65a857f601562da72c6d6087d86ba3196a0
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 16:04:38 2016 +0100

s3:popt_common: let POPT_COMMON_CREDENTIALS imply logfile and conffile loading

All users of POPT_COMMON_CREDENTIALS basically need the same logic,
while some ignore a broken smb.conf and some complain about it.

This will allow the future usage of config options in the
credential post processing.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d7fb3bb5721f3903fd985d2121f893a42761fc07
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 15:30:28 2016 +0100

tests/credentials.py: demonstrate the last 'username' line of creds.parse_file() beats other lines

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 05e8bfdc95437c4a0ac087f1767bae7f5b930283
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 12:41:58 2016 +0100

auth/credentials: change the parsing order of cli_credentials_parse_file()

We now first just remember the domain, realm, username, password values
(the last value wins).

At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.

It means the last 'username' line beats the domain, realm or password lines, e.g.:

username=USERDOMAIN\username
domain=DOMAIN

will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 250df9d6374b690daea2839ba7eecb350a42d8e6
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 14:01:35 2016 +0100

tests/credentials.py: verify the new cli_credentials_parse_file() 'username' parsing

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d487591f0b8e875093d77edfba66435705240161
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Dec 11 22:50:53 2016 +0100

auth/credentials: let cli_credentials_parse_file() handle 'username' with cli_credentials_parse_string()

Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:

username=DOMAIN/username
password=password
domain=DOMAIN

This change allows us to parse the same.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 6b6c07f61f439c37e8b226660b23486b8fa546f2
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 14:12:31 2016 +0100

tests/credentials.py: add tests to verify realm/principal behaviour of cli_credentials_parse_string()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit eaf3d44641370514169b74f7e564122354b6cfdf
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 14 16:47:57 2016 +0100

auth/credentials: let cli_credentials_parse_string() always reset principal and realm

If we reset username we need to reset principal if it was set at the same level.

If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 6b18ac69156de588ec44d812e74ec8391c07d633
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 12:20:19 2016 +0100

auth/credentials: let cli_credentials_parse_string() always reset username and domain

If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 86558b5ce8c4df9a6e5b86536c81cd584cdeb20e
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 14:49:18 2016 +0100

tests/credentials.py: add tests with a realm from smb.conf

As we don't want to create a new smb.conf file
we just simulate it with "creds.set_realm(realm, credentials.UNINITIALISED)".

That's basically the same as the cli_credentials_set_conf() behaviour
if a realm is specified in the configuration.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit dab9456cfc4f42e4a7d95443e02460e59816ecbd
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 11:04:02 2016 +0100

auth/credentials: handle situations without a configured (default) realm

We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.

At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".

If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is using
***@OTHERDOMAIN as principal, whild we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 7c344fbbe0568734beb982bb6e0f3c81e6eb5843
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 11:37:33 2016 +0100

auth/credentials: add python bindings for enum credentials_obtained

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 9fa7f59f88cb0350c0616d6f0a6a06b4e7a52228
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 10:30:29 2016 +0100

tests/credentials.py: add very simple test for py_creds_parse_file

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit df652c3ede181576f63ae20ccd993203b744952d
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 10:06:25 2016 +0100

auth/credentials: add py_creds_parse_file()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 63dabd2f35224a7ee7468d435e67baa0e059358c
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 09:42:20 2016 +0100

tests/credentials.py: verify the difference of parse_string("someone") and parse_string("someone%")

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit d29f7dc13bb705a0cab6de2aeac70c42d83a7af8
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 15 09:34:45 2016 +0100

tests/credentials.py: add test for cli_credentials_set_password_will_be_nt_hash()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 1565469bf22cb8aee7467ab76ba64fb5c54b59fe
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 14 10:02:10 2016 +0100

auth/credentials: add cli_credentials_set_password_will_be_nt_hash() and the related logic

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit a3f03df706f3dc8d7875226aa162154a0194f331
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 14 08:52:12 2016 +0100

auth/credentials: let cli_credentials_set_password() fail if talloc_strdup() fails

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 8415cca557cc556c0524cdf5ef66820d22577fb0
Author: Stefan Metzmacher <***@samba.org>
Date: Wed Dec 14 08:50:51 2016 +0100

auth/credentials: make use of talloc_zero() in cli_credentials_init()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andrew Bartlett <***@samba.org>

commit 787cf39ce6cb6695b7eeee88e1dee32d33853884
Author: Andrew Bartlett <***@samba.org>
Date: Wed Dec 14 11:58:48 2016 +1300

s4-rpc_server: Add braces to better follow coding style

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit abbd0a88dee8715dbddc1a2478fe18aafefa385c
Author: Andrew Bartlett <***@samba.org>
Date: Mon Nov 21 13:31:39 2016 +1300

s4-netlogon: Push the netlogon server in the AD DC into multiple processes

This allows the NETLOGON server to scale better, as it is often a bottleneck

What we are doing here is keeping the forced single process only for
other servers that declare they use DCE/RPC handles.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 86e706a32dbd2259a428009f7097e7ea6c3f4f8d
Author: Andrew Bartlett <***@samba.org>
Date: Mon Nov 14 10:15:39 2016 +1300

selftest: Use 'rpc server port:netlogon' and 'rpc server port' smb.conf option

We need this because once we make NETLOGON run in multiple processes,
it will need its own port, and socket_wrapper can not currently allocate
and ephemeral port. It also tests the option, which others have asked be
made available to firewall drsuapi.

Likewise the 'rpc server port' option is used to confirm it
functions for the default port'.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Garming Sam <***@samba.org>

commit b81cf02834bdd5b0925949cc9d42897aa3054746
Author: Andrew Bartlett <***@samba.org>
Date: Mon Nov 14 10:11:05 2016 +1300

s4-rpc_server: Do not check association groups for NETLOGON

If this RPC server is not going to use handles (actually a generic
flag) then do not check the assocation group provided. This in turn
allows us to easily make NETLOGON run in multiple processes.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 6dc14b0a5d225ca8752088a1ee25edee46c1f956
Author: Andrew Bartlett <***@samba.org>
Date: Tue Oct 18 10:36:51 2016 +1300

s4-rpc_server: Allow listener for RPC servers to use multiple processes

To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.

The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit ffb8b50e3c07c833fb7b1a583d21f9dc1166a0a6
Author: Andrew Bartlett <***@samba.org>
Date: Mon Nov 14 11:24:03 2016 +1300

s4-rpc_server: Allow each interface to declare if it uses handles

This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 5ea6708d819c392096413e53196d65108b1e9283
Author: Andrew Bartlett <***@samba.org>
Date: Wed Dec 14 09:38:28 2016 +1300

s4-rpc_server: Add comments explaining the control flow around dcesrv_bind()

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
auth/credentials/credentials.c | 348 +++++++++++++++++--------
auth/credentials/credentials.h | 2 +
auth/credentials/credentials_internal.h | 2 +
auth/credentials/credentials_ntlm.c | 19 ++
auth/credentials/pycredentials.c | 63 ++++-
docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +
pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm | 21 +-
python/samba/tests/credentials.py | 243 ++++++++++++++++-
selftest/target/Samba4.pm | 4 +
source3/client/client.c | 11 +-
source3/include/auth_info.h | 6 +
source3/include/popt_common.h | 1 +
source3/lib/popt_common.c | 197 ++------------
source3/lib/util_cmdline.c | 346 ++++++++++++++++--------
source3/rpcclient/rpcclient.c | 15 --
source3/utils/regedit.c | 5 -
source3/utils/smbcacls.c | 5 +-
source3/utils/smbcquotas.c | 12 -
source3/utils/smbtree.c | 5 +-
source4/rpc_server/dcerpc_server.c | 198 ++++++++++++--
source4/rpc_server/dcerpc_server.h | 10 +
source4/rpc_server/dcesrv_mgmt.c | 10 +
source4/rpc_server/handles.c | 10 +
source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +
source4/rpc_server/remote/dcesrv_remote.c | 1 +
source4/rpc_server/service_rpc.c | 46 +++-
26 files changed, 1102 insertions(+), 501 deletions(-)
create mode 100644 docs-xml/smbdotconf/protocol/rpcserverport.xml


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index c8f86ba..9a935c6 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -36,85 +36,11 @@
*/
_PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
{
- struct cli_credentials *cred = talloc(mem_ctx, struct cli_credentials);
+ struct cli_credentials *cred = talloc_zero(mem_ctx, struct cli_credentials);
if (cred == NULL) {
return cred;
}

- cred->workstation_obtained = CRED_UNINITIALISED;
- cred->username_obtained = CRED_UNINITIALISED;
- cred->password_obtained = CRED_UNINITIALISED;
- cred->domain_obtained = CRED_UNINITIALISED;
- cred->realm_obtained = CRED_UNINITIALISED;
- cred->ccache_obtained = CRED_UNINITIALISED;
- cred->client_gss_creds_obtained = CRED_UNINITIALISED;
- cred->principal_obtained = CRED_UNINITIALISED;
- cred->keytab_obtained = CRED_UNINITIALISED;
- cred->server_gss_creds_obtained = CRED_UNINITIALISED;
-
- cred->ccache_threshold = CRED_UNINITIALISED;
- cred->client_gss_creds_threshold = CRED_UNINITIALISED;
-
- cred->workstation = NULL;
- cred->username = NULL;
- cred->password = NULL;
- cred->old_password = NULL;
- cred->domain = NULL;
- cred->realm = NULL;
- cred->principal = NULL;
- cred->salt_principal = NULL;
- cred->impersonate_principal = NULL;
- cred->self_service = NULL;
- cred->target_service = NULL;
-
- cred->bind_dn = NULL;
-
- cred->nt_hash = NULL;
- cred->old_nt_hash = NULL;
-
- cred->lm_response.data = NULL;
- cred->lm_response.length = 0;
- cred->nt_response.data = NULL;
- cred->nt_response.length = 0;
-
- cred->ccache = NULL;
- cred->client_gss_creds = NULL;
- cred->keytab = NULL;
- cred->server_gss_creds = NULL;
-
- cred->workstation_cb = NULL;
- cred->password_cb = NULL;
- cred->username_cb = NULL;
- cred->domain_cb = NULL;
- cred->realm_cb = NULL;
- cred->principal_cb = NULL;
-
- cred->priv_data = NULL;
-
- cred->netlogon_creds = NULL;
- cred->secure_channel_type = SEC_CHAN_NULL;
-
- cred->kvno = 0;
-
- cred->password_last_changed_time = 0;
-
- cred->smb_krb5_context = NULL;
-
- cred->machine_account_pending = false;
- cred->machine_account_pending_lp_ctx = NULL;
-
- cred->machine_account = false;
-
- cred->password_tries = 0;
-
- cred->callback_running = false;
-
- cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
- cli_credentials_set_gensec_features(cred, 0);
- cli_credentials_set_krb_forwardable(cred, CRED_AUTO_KRB_FORWARDABLE);
-
- cred->forced_sasl_mech = NULL;
-
cred->winbind_separator = '\\';

return cred;
@@ -287,16 +213,37 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede

if (cred->principal_obtained < cred->username_obtained
|| cred->principal_obtained < MAX(cred->domain_obtained, cred->realm_obtained)) {
+ const char *effective_username = NULL;
+ const char *effective_realm = NULL;
+ enum credentials_obtained effective_obtained;
+
+ effective_username = cli_credentials_get_username(cred);
+ if (effective_username == NULL || strlen(effective_username) == 0) {
+ *obtained = cred->username_obtained;
+ return NULL;
+ }
+
if (cred->domain_obtained > cred->realm_obtained) {
- *obtained = MIN(cred->domain_obtained, cred->username_obtained);
- return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred),
- cli_credentials_get_domain(cred));
+ effective_realm = cli_credentials_get_domain(cred);
+ effective_obtained = MIN(cred->domain_obtained,
+ cred->username_obtained);
} else {
- *obtained = MIN(cred->realm_obtained, cred->username_obtained);
+ effective_realm = cli_credentials_get_realm(cred);
+ effective_obtained = MIN(cred->realm_obtained,
+ cred->username_obtained);
+ }
+
+ if (effective_realm == NULL || strlen(effective_realm) == 0) {
+ effective_realm = cli_credentials_get_domain(cred);
+ effective_obtained = MIN(cred->domain_obtained,
+ cred->username_obtained);
+ }
+
+ if (effective_realm != NULL && strlen(effective_realm) != 0) {
+ *obtained = effective_obtained;
return talloc_asprintf(mem_ctx, "%s@%s",
- cli_credentials_get_username(cred),
- cli_credentials_get_realm(cred));
+ effective_username,
+ effective_realm);
}
}
*obtained = cred->principal_obtained;
@@ -392,7 +339,8 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
}

if (cred->password_obtained == CRED_CALLBACK &&
- !cred->callback_running) {
+ !cred->callback_running &&
+ !cred->password_will_be_nt_hash) {
cred->callback_running = true;
cred->password = cred->password_cb(cred);
cred->callback_running = false;
@@ -413,18 +361,54 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
enum credentials_obtained obtained)
{
if (obtained >= cred->password_obtained) {
+
+ cred->lm_response = data_blob_null;
+ cred->nt_response = data_blob_null;
+ cred->nt_hash = NULL;
+ cred->password = NULL;
+
+ cli_credentials_invalidate_ccache(cred, obtained);
+
cred->password_tries = 0;
+
+ if (val == NULL) {
+ cred->password_obtained = obtained;
+ return true;
+ }
+
+ if (cred->password_will_be_nt_hash) {
+ struct samr_Password *nt_hash = NULL;
+ size_t val_len = strlen(val);
+ size_t converted;
+
+ nt_hash = talloc(cred, struct samr_Password);
+ if (nt_hash == NULL) {
+ return false;
+ }
+
+ converted = strhex_to_str((char *)nt_hash->hash,
+ sizeof(nt_hash->hash),
+ val, val_len);
+ if (converted != sizeof(nt_hash->hash)) {
+ TALLOC_FREE(nt_hash);
+ return false;
+ }
+
+ cred->nt_hash = nt_hash;
+ cred->password_obtained = obtained;
+ return true;
+ }
+
cred->password = talloc_strdup(cred, val);
- if (cred->password) {
- /* Don't print the actual password in talloc memory dumps */
- talloc_set_name_const(cred->password, "password set via cli_credentials_set_password");
+ if (cred->password == NULL) {
+ return false;
}
+
+ /* Don't print the actual password in talloc memory dumps */
+ talloc_set_name_const(cred->password,
+ "password set via cli_credentials_set_password");
cred->password_obtained = obtained;
- cli_credentials_invalidate_ccache(cred, cred->password_obtained);

- cred->nt_hash = NULL;
- cred->lm_response = data_blob(NULL, 0);
- cred->nt_response = data_blob(NULL, 0);
return true;
}

@@ -485,32 +469,85 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
TALLOC_CTX *mem_ctx)
{
+ enum credentials_obtained password_obtained;
+ enum credentials_obtained ccache_threshold;
+ enum credentials_obtained client_gss_creds_threshold;
+ bool password_is_nt_hash;
const char *password = NULL;
+ struct samr_Password *nt_hash = NULL;

if (cred->nt_hash != NULL) {
- struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
- if (!nt_hash) {
- return NULL;
- }
+ /*
+ * If we already have a hash it's easy.
+ */
+ goto return_hash;
+ }

- *nt_hash = *cred->nt_hash;
+ /*
+ * This is a bit tricky, with password_will_be_nt_hash
+ * we still need to get the value via the password_callback
+ * but if we did that we should not remember it's state
+ * in the long run so we need to undo it.
+ */

- return nt_hash;
- }
+ password_obtained = cred->password_obtained;
+ ccache_threshold = cred->ccache_threshold;
+ client_gss_creds_threshold = cred->client_gss_creds_threshold;
+ password_is_nt_hash = cred->password_will_be_nt_hash;

+ cred->password_will_be_nt_hash = false;
password = cli_credentials_get_password(cred);
- if (password) {
- struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
- if (!nt_hash) {
- return NULL;
- }

+ cred->password_will_be_nt_hash = password_is_nt_hash;
+ if (password_is_nt_hash && password_obtained == CRED_CALLBACK) {
+ /*
+ * We got the nt_hash as string via the callback,
+ * so we need to undo the state change.
+ *
+ * And also don't remember it as plaintext password.
+ */
+ cred->client_gss_creds_threshold = client_gss_creds_threshold;
+ cred->ccache_threshold = ccache_threshold;
+ cred->password_obtained = password_obtained;
+ cred->password = NULL;
+ }
+
+ if (password == NULL) {
+ return NULL;
+ }
+
+ nt_hash = talloc(cred, struct samr_Password);
+ if (nt_hash == NULL) {
+ return NULL;
+ }
+
+ if (password_is_nt_hash) {
+ size_t password_len = strlen(password);
+ size_t converted;
+
+ converted = strhex_to_str((char *)nt_hash->hash,
+ sizeof(nt_hash->hash),
+ password, password_len);
+ if (converted != sizeof(nt_hash->hash)) {
+ TALLOC_FREE(nt_hash);
+ return false;
+ }
+ } else {
E_md4hash(password, nt_hash->hash);
+ }

- return nt_hash;
+ cred->nt_hash = nt_hash;
+ nt_hash = NULL;
+
+return_hash:
+ nt_hash = talloc(mem_ctx, struct samr_Password);
+ if (nt_hash == NULL) {
+ return NULL;
}

- return NULL;
+ *nt_hash = *cred->nt_hash;
+
+ return nt_hash;
}

/**
@@ -744,6 +781,14 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
}

if ((p = strchr_m(uname,'@'))) {
+ /*
+ * We also need to set username and domain
+ * in order to undo the effect of
+ * cli_credentials_guess().
+ */
+ cli_credentials_set_username(credentials, uname, obtained);
+ cli_credentials_set_domain(credentials, "", obtained);
+
cli_credentials_set_principal(credentials, uname, obtained);
*p = 0;
cli_credentials_set_realm(credentials, p+1, obtained);
@@ -752,9 +797,40 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
|| (p = strchr_m(uname, '/'))
|| (p = strchr_m(uname, credentials->winbind_separator)))
{
+ const char *domain = NULL;
+
+ domain = uname;
*p = 0;
- cli_credentials_set_domain(credentials, uname, obtained);
uname = p+1;
+
+ if (obtained == credentials->realm_obtained &&
+ !strequal_m(credentials->domain, domain))
+ {
+ /*
+ * We need to undo a former set with the same level
+ * in order to get the expected result from
+ * cli_credentials_get_principal().
+ *
+ * But we only need to do that if the domain
+ * actually changes.
+ */
+ cli_credentials_set_realm(credentials, domain, obtained);
+ }
+ cli_credentials_set_domain(credentials, domain, obtained);
+ }
+ if (obtained == credentials->principal_obtained &&
+ !strequal_m(credentials->username, uname))
+ {
+ /*
+ * We need to undo a former set with the same level
+ * in order to get the expected result from
+ * cli_credentials_get_principal().
+ *
+ * But we only need to do that if the username
+ * actually changes.
+ */
+ credentials->principal_obtained = CRED_UNINITIALISED;
+ credentials->principal = NULL;
}
cli_credentials_set_username(credentials, uname, obtained);
}
@@ -800,6 +876,7 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
struct loadparm_context *lp_ctx)
{
const char *sep = NULL;
+ const char *realm = lpcfg_realm(lp_ctx);

cli_credentials_set_username(cred, "", CRED_UNINITIALISED);
if (lpcfg_parm_is_cmdline(lp_ctx, "workgroup")) {
@@ -812,10 +889,13 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
} else {
cli_credentials_set_workstation(cred, lpcfg_netbios_name(lp_ctx), CRED_UNINITIALISED);
}
+ if (realm != NULL && strlen(realm) == 0) {
+ realm = NULL;
+ }
if (lpcfg_parm_is_cmdline(lp_ctx, "realm")) {
- cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+ cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
} else {
- cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_UNINITIALISED);
+ cli_credentials_set_realm(cred, realm, CRED_UNINITIALISED);
}

sep = lpcfg_winbind_separator(lp_ctx);
@@ -1037,6 +1117,10 @@ _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const cha
char *ptr, *val, *param;
char **lines;
int i, numlines;
+ const char *realm = NULL;
+ const char *domain = NULL;
+ const char *password = NULL;
+ const char *username = NULL;

lines = file_lines_load(file, &numlines, 0, NULL);

@@ -1067,17 +1151,57 @@ _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const cha
val++;

if (strwicmp("password", param) == 0) {
- cli_credentials_set_password(cred, val, obtained);
+ password = val;
} else if (strwicmp("username", param) == 0) {
- cli_credentials_set_username(cred, val, obtained);
+ username = val;
} else if (strwicmp("domain", param) == 0) {
- cli_credentials_set_domain(cred, val, obtained);
+ domain = val;
} else if (strwicmp("realm", param) == 0) {
- cli_credentials_set_realm(cred, val, obtained);
+ realm = val;
}
- memset(lines[i], 0, len);
+
+ /*
+ * We need to readd '=' in order to let
+ * the strlen() work in the last loop
+ * that clears the memory.
+ */
+ *ptr = '=';
+ }
+
+ if (realm != NULL && strlen(realm) != 0) {
+ /*
+ * only overwrite with a valid string
+ */
+ cli_credentials_set_realm(cred, realm, obtained);
}

+ if (domain != NULL && strlen(domain) != 0) {
+ /*
+ * only overwrite with a valid string
+ */
+ cli_credentials_set_domain(cred, domain, obtained);
+ }
+
+ if (password != NULL) {
+ /*
+ * Here we allow "".
+ */
+ cli_credentials_set_password(cred, password, obtained);
+ }
+
+ if (username != NULL) {
+ /*
+ * The last "username" line takes preference
+ * if the string also contains domain, realm or
+ * password.
+ */
+ cli_credentials_parse_string(cred, username, obtained);
+ }
+
+ for (i = 0; i < numlines; i++) {
+ len = strlen(lines[i]);
+ memset(lines[i], 0, len);
+ }
talloc_free(lines);

return true;
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 523793f..6b0d83b 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -201,6 +201,8 @@ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
enum credentials_obtained obtained);
bool cli_credentials_set_old_utf16_password(struct cli_credentials *cred,
const DATA_BLOB *password_utf16);
+void cli_credentials_set_password_will_be_nt_hash(struct cli_credentials *cred,
+ bool val);
bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
const struct samr_Password *nt_hash,
enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index f88ae70..68f1f25 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -115,6 +115,8 @@ struct cli_credentials {
bool callback_running;

char winbind_separator;
+
+ bool password_will_be_nt_hash;
};

#endif /* __CREDENTIALS_INTERNAL_H__ */
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 2a4c141..e6859bf 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -301,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
const DATA_BLOB *password_utf16,
enum credentials_obtained obtained)
{
+ cred->password_will_be_nt_hash = false;
+
if (password_utf16 == NULL) {

The branch, master has been updated
via b38f1ae s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()
via 6e122ee s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()
via cb83be2 s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""
via a579151 s3:libsmb: split out a cli_session_creds_prepare_krb5() function
via b17543a s3:torture/masktest: masktest only works with SMB1 currently
via 6a5943c s3:torture/masktest: Use cli_tree_connect_creds()
via 65be3af s3:torture: Use cli_tree_connect_creds() where we may use share level auth
via af97833 s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()
from 59dc07e ctdb-tests: Remove the python LCP2 simulation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b38f1aee4092cd621081614dce34a86d0d70afff
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 15:11:29 2016 +0100

s3:utils: Use cli_cm_force_encryption() instead of cli_force_encryption()

This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Andreas Schneider <***@cryptomilk.org>
Autobuild-Date(master): Mon Dec 19 13:41:15 CET 2016 on sn-devel-144

commit 6e122eef71c05c76d26ffce0ce7c4c4750f428f8
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Nov 3 15:11:29 2016 +0100

s3:libsmb: Use cli_cm_force_encryption() instead of cli_force_encryption()

This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit cb83be2f01585cad35e6dba7b60cff301ce08058
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 16 01:26:29 2016 +0100

s3:libsmb: don't let cli_session_creds_init() overwrite the default domain with ""

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit a579151ee7a613b11d66a56938e7d894bd4e89a6
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 8 12:11:45 2016 +0100

s3:libsmb: split out a cli_session_creds_prepare_krb5() function

This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.

In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b17543a584f0919b7491bcfc3cd20cf47a9beed1
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 09:49:17 2016 +0100

s3:torture/masktest: masktest only works with SMB1 currently

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 6a5943cfd010ce54787fd404fffb4003f4ed6363
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 09:49:17 2016 +0100

s3:torture/masktest: Use cli_tree_connect_creds()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 65be3af952791de16a683a1fefc6d5721822245a
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 09:06:21 2016 +0100

s3:torture: Use cli_tree_connect_creds() where we may use share level auth

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit af9783300c8f2c8c56e958139750e4df7a868a44
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 9 09:48:06 2016 +0100

s3:lib/netapi: Use lp_client_ipc_max_protocol() in libnetapi_open_ipc_connection()

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
source3/lib/netapi/cm.c | 2 +-
source3/libsmb/cliconnect.c | 300 ++++++++++++++++++++++-------------------
source3/libsmb/libsmb_server.c | 24 ++--
source3/libsmb/proto.h | 2 +
source3/torture/masktest.c | 4 +-
source3/torture/torture.c | 4 +-
source3/utils/net_util.c | 28 +---
7 files changed, 188 insertions(+), 176 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 2649422..57e44ac 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -111,7 +111,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
server_name, "IPC$",
auth_info,
false, false,
- lp_client_max_protocol(),
+ lp_client_ipc_max_protocol(),
0, 0x20, &cli_ipc);
if (!NT_STATUS_IS_OK(status)) {
cli_ipc = NULL;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 559712e..02c465c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -72,10 +72,6 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
}
cli_credentials_set_conf(creds, lp_ctx);

- if (domain == NULL) {
- domain = "";
- }
-
if (username == NULL) {
username = "";
}
@@ -159,11 +155,13 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
goto fail;
}

- ok = cli_credentials_set_domain(creds,
- domain,
- CRED_SPECIFIED);
- if (!ok) {
- goto fail;
+ if (domain != NULL) {
+ ok = cli_credentials_set_domain(creds,
+ domain,
+ CRED_SPECIFIED);
+ if (!ok) {
+ goto fail;
+ }
}

if (principal != NULL) {
@@ -219,6 +217,154 @@ fail:
return NULL;
}

+NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ struct cli_credentials *creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ const char *user_principal = NULL;
+ const char *user_account = NULL;
+ const char *user_domain = NULL;
+ const char *pass = NULL;
+ const char *target_hostname = NULL;
+ const DATA_BLOB *server_blob = NULL;
+ enum credentials_use_kerberos krb5_state;
+ bool try_kerberos = false;
+ bool need_kinit = false;
+ bool auth_requested = true;
+ int ret;
+
+ target_hostname = smbXcli_conn_remote_name(cli->conn);
+ if (!cli->got_kerberos_mechanism) {
+ server_blob = smbXcli_conn_server_gss_blob(cli->conn);
+ }
+
+ /* the server might not even do spnego */
+ if (server_blob != NULL && server_blob->length != 0) {
+ char *OIDs[ASN1_MAX_OIDS] = { NULL, };
+ size_t i;
+ bool ok;
+
+ /*
+ * The server sent us the first part of the SPNEGO exchange in the
+ * negprot reply. It is WRONG to depend on the principal sent in the
+ * negprot reply, but right now we do it. If we don't receive one,
+ * we try to best guess, then fall back to NTLM.
+ */
+ ok = spnego_parse_negTokenInit(frame,
+ *server_blob,
+ OIDs,
+ NULL,
+ NULL);
+ if (!ok) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (OIDs[0] == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* make sure the server understands kerberos */
+ for (i = 0; OIDs[i] != NULL; i++) {
+ if (i == 0) {
+ DEBUG(3,("got OID=%s\n", OIDs[i]));
+ } else {
+ DEBUGADD(3,("got OID=%s\n", OIDs[i]));
+ }
+
+ if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
+ strcmp(OIDs[i], OID_KERBEROS5) == 0) {
+ cli->got_kerberos_mechanism = true;
+ break;
+ }
+ }
+ }
+
+ auth_requested = cli_credentials_authentication_requested(creds);
+ if (auth_requested) {
+ user_principal = cli_credentials_get_principal(creds, frame);
+ if (user_principal == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ user_account = cli_credentials_get_username(creds);
+ user_domain = cli_credentials_get_domain(creds);
+ pass = cli_credentials_get_password(creds);
+
+ krb5_state = cli_credentials_get_kerberos_state(creds);
+
+ if (krb5_state != CRED_DONT_USE_KERBEROS) {
+ try_kerberos = true;
+ }
+
+ if (target_hostname == NULL) {
+ try_kerberos = false;
+ } else if (is_ipaddress(target_hostname)) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, "localhost")) {
+ try_kerberos = false;
+ } else if (strequal(target_hostname, STAR_SMBSERVER)) {
+ try_kerberos = false;
+ } else if (!auth_requested) {
+ try_kerberos = false;
+ }
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
+ DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
+ "'%s' not possible\n",
+ user_principal, user_domain, user_account,
+ target_hostname));
+ TALLOC_FREE(frame);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (pass == NULL || strlen(pass) == 0) {
+ need_kinit = false;
+ } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ need_kinit = try_kerberos;
+ } else if (!cli->got_kerberos_mechanism) {
+ /*
+ * Most likely the server doesn't support
+ * Kerberos, don't waste time doing a kinit
+ */
+ need_kinit = false;
+ } else {
+ need_kinit = try_kerberos;
+ }
+
+ if (!need_kinit) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+
+ /*
+ * TODO: This should be done within the gensec layer
+ * only if required!
+ */
+ setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
+ ret = kerberos_kinit_password(user_principal, pass,
+ 0 /* no time correction for now */,
+ NULL);
+ if (ret != 0) {
+ DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+ user_principal, target_hostname,
+ error_message(ret)));
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ TALLOC_FREE(frame);
+ return krb5_to_nt_status(ret);
+ }
+
+ /*
+ * Ignore the error and hope that NTLM will work
+ */
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/********************************************************
Utility function to ensure we always return at least
a valid char * pointer to an empty string for the
@@ -689,14 +835,6 @@ static NTSTATUS cli_sesssetup_blob_recv(struct tevent_req *req,
}

/****************************************************************************
- Use in-memory credentials cache
-****************************************************************************/
-
-static void use_in_memory_ccache(void) {
- setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
-}
-
-/****************************************************************************
Do a spnego/NTLMSSP encrypted session setup.
****************************************************************************/

@@ -1089,16 +1227,9 @@ static struct tevent_req *cli_session_setup_spnego_send(
{
struct tevent_req *req, *subreq;
struct cli_session_setup_spnego_state *state;
- const char *user_principal = NULL;
- const char *user_account = NULL;
- const char *user_domain = NULL;
- const char *pass = NULL;
+ const char *target_service = NULL;
const char *target_hostname = NULL;
- const DATA_BLOB *server_blob = NULL;
- enum credentials_use_kerberos krb5_state;
- bool try_kerberos = false;
- bool need_kinit = false;
- bool auth_requested = true;
+ NTSTATUS status;

req = tevent_req_create(mem_ctx, &state,
struct cli_session_setup_spnego_state);
@@ -1106,123 +1237,16 @@ static struct tevent_req *cli_session_setup_spnego_send(
return NULL;
}

+ target_service = "cifs";
target_hostname = smbXcli_conn_remote_name(cli->conn);
- server_blob = smbXcli_conn_server_gss_blob(cli->conn);
-
- /* the server might not even do spnego */
- if (server_blob != NULL && server_blob->length != 0) {
- char *principal = NULL;
- char *OIDs[ASN1_MAX_OIDS];
- int i;
-
- /* The server sent us the first part of the SPNEGO exchange in the
- * negprot reply. It is WRONG to depend on the principal sent in the
- * negprot reply, but right now we do it. If we don't receive one,
- * we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(state, *server_blob, OIDs,
- &principal, NULL) ||
- OIDs[0] == NULL) {
- state->result = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- TALLOC_FREE(principal);

- /* make sure the server understands kerberos */
- for (i = 0; OIDs[i] != NULL; i++) {
- if (i == 0) {
- DEBUG(3,("got OID=%s\n", OIDs[i]));
- } else {
- DEBUGADD(3,("got OID=%s\n", OIDs[i]));
- }
-
- if (strcmp(OIDs[i], OID_KERBEROS5_OLD) == 0 ||
- strcmp(OIDs[i], OID_KERBEROS5) == 0) {
- cli->got_kerberos_mechanism = True;
- }
- talloc_free(OIDs[i]);
- }
- }
-
- auth_requested = cli_credentials_authentication_requested(creds);
- if (auth_requested) {
- user_principal = cli_credentials_get_principal(creds, state);
- if (tevent_req_nomem(user_principal, req)) {
- return tevent_req_post(req, ev);
- }
- }
- user_account = cli_credentials_get_username(creds);
- user_domain = cli_credentials_get_domain(creds);
- pass = cli_credentials_get_password(creds);
-
- krb5_state = cli_credentials_get_kerberos_state(creds);
-
- if (krb5_state != CRED_DONT_USE_KERBEROS) {
- try_kerberos = true;
- }
-
- if (target_hostname == NULL) {
- try_kerberos = false;
- } else if (is_ipaddress(target_hostname)) {
- try_kerberos = false;
- } else if (strequal(target_hostname, "localhost")) {
- try_kerberos = false;
- } else if (strequal(target_hostname, STAR_SMBSERVER)) {
- try_kerberos = false;
- } else if (!auth_requested) {
- try_kerberos = false;
- }
-
- if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
- DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
- "'%s' not possible\n",
- user_principal, user_domain, user_account,
- target_hostname));
- tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
- return tevent_req_post(req, ev);
- }
-
- if (pass == NULL || strlen(pass) == 0) {
- need_kinit = false;
- } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
- need_kinit = try_kerberos;
- } else if (!cli->got_kerberos_mechanism) {
- /*
- * Most likely the server doesn't support
- * Kerberos, don't waste time doing a kinit
- */
- need_kinit = false;
- } else {
- need_kinit = try_kerberos;
- }
-
- if (need_kinit) {
- int ret;
-
- use_in_memory_ccache();
- ret = kerberos_kinit_password(user_principal, pass,
- 0 /* no time correction for now */,
- NULL);
-
- if (ret != 0) {
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
- user_principal, target_hostname,
- error_message(ret)));
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
- state->result = ADS_ERROR_KRB5(ret);
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
-
- /*
- * Ignore the error and hope that NTLM will work
- */
- ret = 0;
- }
+ status = cli_session_creds_prepare_krb5(cli, creds);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);;
}

subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
- "cifs", target_hostname);
+ target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 438b7e6..e0cdc97 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -587,11 +587,13 @@ SMBC_server_internal(TALLOC_CTX *ctx,
}

if (context->internal->smb_encryption_level) {
- /* Attempt UNIX smb encryption. */
- if (!NT_STATUS_IS_OK(cli_force_encryption(c,
- username_used,
- password_used,
- *pp_workgroup))) {
+ /* Attempt encryption. */
+ status = cli_cm_force_encryption(c,
+ username_used,
+ password_used,
+ *pp_workgroup,
+ share);
+ if (!NT_STATUS_IS_OK(status)) {

/*
* context->smb_encryption_level == 1
@@ -787,11 +789,13 @@ SMBC_attr_server(TALLOC_CTX *ctx,
}

if (context->internal->smb_encryption_level) {
- /* Attempt UNIX smb encryption. */
- if (!NT_STATUS_IS_OK(cli_force_encryption(ipc_cli,
- *pp_username,
- *pp_password,
- *pp_workgroup))) {
+ /* Attempt encryption. */
+ nt_status = cli_cm_force_encryption(ipc_cli,
+ *pp_username,
+ *pp_password,
+ *pp_workgroup,
+ "IPC$");
+ if (!NT_STATUS_IS_OK(nt_status)) {

/*
* context->smb_encryption_level ==
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index e1cd185..290183c 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -43,6 +43,8 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx,
bool fallback_after_kerberos,
bool use_ccache,
bool password_is_nt_hash);
+NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ struct cli_credentials *creds);
struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct cli_state *cli,
diff --git a/source3/torture/masktest.c b/source3/torture/masktest.c
index 537cfb0..95e0b04 100644
--- a/source3/torture/masktest.c
+++ b/source3/torture/masktest.c
@@ -218,8 +218,7 @@ static struct cli_state *connect_one(char *share)

DEBUG(4,(" session setup ok\n"));

- status = cli_tree_connect(c, share, "?????", password,
- strlen(password)+1);
+ status = cli_tree_connect_creds(c, share, "?????", test_creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("tree connect failed: %s\n", nt_errstr(status)));
cli_shutdown(c);
@@ -537,6 +536,7 @@ static void usage(void)
argv += optind;

max_protocol = lp_client_max_protocol();
+ max_protocol = MIN(max_protocol, PROTOCOL_NT1);

if (!got_pass) {
char pwd[256] = {0};
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 8f0f136..7072f3c 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -1341,7 +1341,7 @@ static bool run_tcon_test(int dummy)
return False;
}

- status = cli_tree_connect(cli, share, "?????", password);
+ status = cli_tree_connect_creds(cli, share, "?????", torture_creds);
if (!NT_STATUS_IS_OK(status)) {
printf("%s refused 2nd tree connect (%s)\n", host,
nt_errstr(status));
@@ -1466,7 +1466,7 @@ static bool tcon_devtest(struct cli_state *cli,
NTSTATUS status;
bool ret;

- status = cli_tree_connect(cli, myshare, devtype, password);
+ status = cli_tree_connect_creds(cli, myshare, devtype, torture_creds);

if (NT_STATUS_IS_OK(expected_error)) {
if (NT_STATUS_IS_OK(status)) {
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index cc65457..86a4667 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -155,29 +155,11 @@ NTSTATUS connect_to_service(struct net_context *c,
}

if (c->smb_encrypt) {
- nt_status = cli_force_encryption(*cli_ctx,
- c->opt_user_name,
- c->opt_password,
- c->opt_workgroup);
-
- if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) {
- d_printf(_("Encryption required and "
- "server that doesn't support "
- "UNIX extensions - failing connect\n"));
- } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNKNOWN_REVISION)) {
- d_printf(_("Encryption required and "
- "can't get UNIX CIFS extensions "
- "version from server.\n"));
- } else if (NT_STATUS_EQUAL(nt_status,NT_STATUS_UNSUPPORTED_COMPRESSION)) {
- d_printf(_("Encryption required and "
- "share %s doesn't support "
- "encryption.\n"), service_name);
- } else if (!NT_STATUS_IS_OK(nt_status)) {
- d_printf(_("Encryption required and "
- "setup failed with error %s.\n"),
- nt_errstr(nt_status));
- }
-
+ nt_status = cli_cm_force_encryption(*cli_ctx,
+ c->opt_user_name,
+ c->opt_password,
+ c->opt_workgroup,
+ service_name);

The branch, master has been updated
via 1e52bb9 krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5
via 6308671 auth/credentials: Add missing error code check for MIT Kerberos
via fd98174 auth/gensec: Fix typo in log message
via 99d8788 auth/gensec: Remove unneeded cli_credentials_set_conf() call
via 5aa00d9 WHATSNEW: Add text for AD DC changes
from 77b51ba ldb_tdb: avoid erroneous error messages

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1e52bb9c34a77c8c79f0bfc81317aded183ada59
Author: Stefan Metzmacher <***@samba.org>
Date: Fri Dec 23 07:22:27 2016 +0100

krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5

krb5_cc_copy_creds() expects an already initialized output cache.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sat Dec 24 21:04:23 CET 2016 on sn-devel-144

commit 630867196b9e9d1096443f979b32957c5a0d2be2
Author: Andreas Schneider <***@samba.org>
Date: Thu Dec 22 17:01:35 2016 +0100

auth/credentials: Add missing error code check for MIT Kerberos

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit fd98174443543ee3a150a10b056b45c4663bd7f7
Author: Andreas Schneider <***@samba.org>
Date: Tue Dec 13 11:33:06 2016 +0100

auth/gensec: Fix typo in log message

Signed-off-by: Andreas Schneider <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

commit 99d87880282dad4f9a5a6d9f1018329bb00e5112
Author: David Mulder <***@suse.com>
Date: Wed Dec 21 21:49:36 2016 +0100

auth/gensec: Remove unneeded cli_credentials_set_conf() call

The cli_credentials_set_client_gss_creds() will set the correct realm
from the gss creds.

Pair-Programmed-With: Andreas Schneider <***@samba.org>
Pair-Programmed-With: Stefan Metzmacher <***@samba.org>

Signed-off-by: David Mulder <***@suse.com>
Signed-off-by: Andreas Schneider <***@samba.org>
Signed-off-by: Stefan Metzmacher <***@samba.org>

commit 5aa00d92ad31a241376263029318182165ee6707
Author: Andrew Bartlett <***@samba.org>
Date: Fri Dec 23 13:55:30 2016 +1300

WHATSNEW: Add text for AD DC changes

Signed-off-by: Andrew Bartlett <***@samba.org>
Reviewed-by: Stefan Metzmacher <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 44 +++++++++++++++++++++++++++++++++++++
auth/credentials/credentials_krb5.c | 6 ++++-
lib/krb5_wrap/krb5_samba.c | 12 ++++++++++
source4/auth/gensec/gensec_gssapi.c | 16 ++++++++------
4 files changed, 70 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index f542a5b..b512796 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -81,6 +81,48 @@ A new option, "unix only", enables this feature only for the UNIX owner
of the file, not affecting the SID owner in the Windows NT ACL of the
file. This can be used to emulate something very similar to folder quotas.

+Multi-process Netlogon support
+------------------------------
+
+The Netlogon server in the Samba AD DC can now run as multiple
+processes. The Netlogon server is a part of the AD DC that handles
+NTLM authentication on behalf of domain members, including file
+servers, NTLM-authenticated web servers and 802.1x gateways. The
+previous restriction to running as a single process has been removed,
+and it will now run in the same process model as the rest of the
+'samba' binary.
+
+As part of this change, the NETLOGON service will now run on a distinct
+TCP port, rather than being shared with all other RPC services (LSA,
+SAMR, DRSUAPI etc).
+
+new options for controlling TCP ports used for RPC services
+-----------------------------------------------------------
+
+The new 'rpc server port' option controls the default port used for
+RPC services other than Netlogon. The Netlogon server honours instead
+the 'rpc server port:netlogon' option. The default value for both
+these options is the first available port including or after 1024.
+
+Improve AD performance and replication improvements
+---------------------------------------------------
+
+Samba's LDB and replication code continues to improve, particularly in
+respect to the handling of large numbers of linked attributes. We now
+respect an 'uptodateness vector' which will dramatically reduce the
+over-replication of links from new DCs. We have also made the parsing
+of on-disk linked attributes much more efficient.
+
+DNS improvements
+---------------------------
+
+The samba-tool dns subcommand is now much more robust and can delete
+records in a number of situations where it was not possible to do so
+in the past.
+
+On the server side, DNS names are now more strictly validated.
+
+
CTDB changes
------------

@@ -145,6 +187,8 @@ smb.conf changes
kerberos encryption types New all
inherit owner New option
fruit:resource Spelling correction
+ lsa over netlogon New (deprecated) no
+ rpc server port New 0


KNOWN ISSUES
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index ca62e30..e974df9 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -581,7 +581,11 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,

maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
&gcc->creds);
- if ((maj_stat == GSS_S_FAILURE) && (min_stat == (OM_uint32)KRB5_CC_END || min_stat == (OM_uint32) KRB5_CC_NOTFOUND)) {
+ if ((maj_stat == GSS_S_FAILURE) &&
+ (min_stat == (OM_uint32)KRB5_CC_END ||
+ min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
+ min_stat == (OM_uint32)KRB5_FCC_NOFILE))
+ {
/* This CCACHE is no good. Ensure we don't use it again */
cli_credentials_unconditionally_invalidate_ccache(cred);

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a8eafcd..307be93 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2899,6 +2899,18 @@ krb5_error_code smb_krb5_cc_copy_creds(krb5_context context,
#ifdef HAVE_KRB5_CC_COPY_CACHE /* Heimdal */
return krb5_cc_copy_cache(context, incc, outcc);
#elif defined(HAVE_KRB5_CC_COPY_CREDS)
+ krb5_error_code ret;
+ krb5_principal princ = NULL;
+
+ ret = krb5_cc_get_principal(context, incc, &princ);
+ if (ret != 0) {
+ return ret;
+ }
+ ret = krb5_cc_initialize(context, outcc, princ);
+ krb5_free_principal(context, princ);
+ if (ret != 0) {
+ return ret;
+ }
return krb5_cc_copy_creds(context, incc, outcc);
#else
#error UNKNOWN_KRB5_CC_COPY_CACHE_OR_CREDS_FUNCTION
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a37a0a9..a6c4019 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -221,7 +221,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
ret = cli_credentials_get_server_gss_creds(machine_account,
gensec_security->settings->lp_ctx, &gcc);
if (ret) {
- DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
+ DEBUG(1, ("Acquiring acceptor credentials failed: %s\n",
error_message(ret)));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -1311,16 +1311,18 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
const char *error_string;

DEBUG(10, ("gensec_gssapi: delegated credentials supplied by client\n"));
- session_info->credentials = cli_credentials_init(session_info);
- if (!session_info->credentials) {
+
+ /*
+ * Create anonymous credentials for now.
+ *
+ * We will update them with the provided client gss creds.
+ */
+ session_info->credentials = cli_credentials_init_anon(session_info);
+ if (session_info->credentials == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}

- cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(session_info->credentials);
-
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,

The branch, master has been updated
via a25fb5c idmap_rid: Add the error string in a debug
via 3d875e7 idmap_autorid: Add the error string in a debug
via 462e8ce ctdb: Fix CID 1398175 Dereference after null check
via 96924f7 ctdb: Fix CID 1398178 Argument cannot be negative
via 93e8876 ctdb: Fix CID 1398179 Argument cannot be negative
via 055650e lib: Fix a comment in idmap_cache.c
via 92daaa9 lib: Fix whitespace in lmhosts.c
via b26d441 idl: Fix a comment typo
from 1e52bb9 krb5_wrap: fix smb_krb5_cc_copy_creds() for MIT krb5

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a25fb5cae26a26aa3b994824b57e34624727b2a5
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 11 19:57:20 2016 +0100

idmap_rid: Add the error string in a debug

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): David Disseldorp <***@samba.org>
Autobuild-Date(master): Tue Dec 27 18:05:13 CET 2016 on sn-devel-144

commit 3d875e7e9ee1df368532b7962dd5de12faf1c87a
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 11 19:57:12 2016 +0100

idmap_autorid: Add the error string in a debug

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit 462e8cea04856eb5c82260a817f7d70770724d2e
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 10:50:29 2016 +0000

ctdb: Fix CID 1398175 Dereference after null check

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit 96924f75535f12ad4eb971a2b713b3ba3590ee1e
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 10:48:21 2016 +0000

ctdb: Fix CID 1398178 Argument cannot be negative

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit 93e8876635f56da419ae050223503cec524bfd9e
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 10:47:10 2016 +0000

ctdb: Fix CID 1398179 Argument cannot be negative

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit 055650ecb65f1d1d98ca97f9b938d33fe84bd28e
Author: Volker Lendecke <***@samba.org>
Date: Wed Dec 21 09:48:15 2016 +0000

lib: Fix a comment in idmap_cache.c

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit 92daaa97904a713236ebe3fb5cd53601fbe1c5b7
Author: Volker Lendecke <***@samba.org>
Date: Mon Dec 19 19:32:46 2016 +0100

lib: Fix whitespace in lmhosts.c

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit b26d441deab0fc79e0a5bae984a296ec2263b353
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 6 12:23:33 2016 +0000

idl: Fix a comment typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
ctdb/common/sock_daemon.c | 2 +-
ctdb/common/sock_io.c | 1 -
ctdb/server/ctdb_takeover_helper.c | 2 +-
libcli/nbt/lmhosts.c | 8 ++++----
librpc/idl/dnsserver.idl | 2 +-
source3/lib/idmap_cache.c | 8 ++++----
source3/winbindd/idmap_autorid.c | 5 +++--
source3/winbindd/idmap_rid.c | 4 +++-
8 files changed, 17 insertions(+), 15 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/sock_daemon.c b/ctdb/common/sock_daemon.c
index 0a6573c..dc5dba0 100644
--- a/ctdb/common/sock_daemon.c
+++ b/ctdb/common/sock_daemon.c
@@ -282,7 +282,7 @@ static int sock_socket_init(TALLOC_CTX *mem_ctx, const char *sockpath,

static int sock_socket_destructor(struct sock_socket *sock)
{
- if (sock->fd == -1) {
+ if (sock->fd != -1) {
close(sock->fd);
sock->fd = -1;
}
diff --git a/ctdb/common/sock_io.c b/ctdb/common/sock_io.c
index 7245d4e..b3581fc 100644
--- a/ctdb/common/sock_io.c
+++ b/ctdb/common/sock_io.c
@@ -53,7 +53,6 @@ int sock_connect(const char *sockpath)
fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (fd == -1) {
D_ERR("socket() failed, errno=%d\n", errno);
- close(fd);
return -1;
}

diff --git a/ctdb/server/ctdb_takeover_helper.c b/ctdb/server/ctdb_takeover_helper.c
index 847a49d..3057528 100644
--- a/ctdb/server/ctdb_takeover_helper.c
+++ b/ctdb/server/ctdb_takeover_helper.c
@@ -111,7 +111,7 @@ static struct tevent_req *get_public_ips_send(

req = tevent_req_create(mem_ctx, &state, struct get_public_ips_state);
if (req == NULL) {
- return tevent_req_post(req, ev);
+ return NULL;
}

state->pnns = pnns;
diff --git a/libcli/nbt/lmhosts.c b/libcli/nbt/lmhosts.c
index 722f6ad..f47d8b9 100644
--- a/libcli/nbt/lmhosts.c
+++ b/libcli/nbt/lmhosts.c
@@ -159,9 +159,9 @@ void endlmhosts(FILE *fp)
Resolve via "lmhosts" method.
*********************************************************/

-NTSTATUS resolve_lmhosts_file_as_sockaddr(const char *lmhosts_file,
+NTSTATUS resolve_lmhosts_file_as_sockaddr(const char *lmhosts_file,
const char *name, int name_type,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct sockaddr_storage **return_iplist,
int *return_count)
{
@@ -205,8 +205,8 @@ NTSTATUS resolve_lmhosts_file_as_sockaddr(const char *lmhosts_file,
TALLOC_FREE(lmhost_name);
continue;
}
-
- *return_iplist = talloc_realloc(ctx, (*return_iplist),
+
+ *return_iplist = talloc_realloc(ctx, (*return_iplist),
struct sockaddr_storage,
(*return_count)+1);

diff --git a/librpc/idl/dnsserver.idl b/librpc/idl/dnsserver.idl
index c7742e7..50cbfbe 100644
--- a/librpc/idl/dnsserver.idl
+++ b/librpc/idl/dnsserver.idl
@@ -1,7 +1,7 @@
#include "idl_types.h"
/*
dnsserver interface definition
- for a protocol descrition see [MS-DNSP].pdf
+ for a protocol description see [MS-DNSP].pdf
*/

import "misc.idl", "dnsp.idl";
diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c
index 11bda39..1e8a1eb 100644
--- a/source3/lib/idmap_cache.c
+++ b/source3/lib/idmap_cache.c
@@ -274,12 +274,12 @@ bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired)
/**
* Store a mapping in the idmap cache
* @param[in] sid the sid to map
- * @param[in] gid the gid to map
+ * @param[in] unix_id the unix_id to map
*
* If both parameters are valid values, then a positive mapping in both
* directions is stored. If "is_null_sid(sid)" is true, then this will be a
- * negative mapping of gid, we want to cache that for this gid we could not
- * find anything. Likewise if "gid==-1", then we want to cache that we did not
+ * negative mapping of xid, we want to cache that for this xid we could not
+ * find anything. Likewise if "xid==-1", then we want to cache that we did not
* find a mapping for the sid passed here.
*/

@@ -315,7 +315,7 @@ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_i
}
if (unix_id->id != -1) {
if (is_null_sid(sid)) {
- /* negative gid mapping */
+ /* negative xid mapping */
fstrcpy(value, "-");
timeout = lp_idmap_negative_cache_time();
}
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index c27c503..786f839 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -343,8 +343,9 @@ static NTSTATUS idmap_autorid_unixids_to_sids(struct idmap_domain *dom,
if ((!NT_STATUS_IS_OK(ret)) &&
(!NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
/* some fatal error occurred, log it */
- DEBUG(3, ("Unexpected error resolving an ID "
- " (%d)\n", ids[i]->xid.id));
+ DBG_NOTICE("Unexpected error resolving an ID "
+ "(%d): %s\n", ids[i]->xid.id,
+ nt_errstr(ret));
goto failure;
}

diff --git a/source3/winbindd/idmap_rid.c b/source3/winbindd/idmap_rid.c
index d68dbf7..ac53705 100644
--- a/source3/winbindd/idmap_rid.c
+++ b/source3/winbindd/idmap_rid.c
@@ -143,7 +143,9 @@ static NTSTATUS idmap_rid_unixids_to_sids(struct idmap_domain *dom, struct id_ma
if (( ! NT_STATUS_IS_OK(ret)) &&
( ! NT_STATUS_EQUAL(ret, NT_STATUS_NONE_MAPPED))) {
/* some fatal error occurred, log it */
- DEBUG(3, ("Unexpected error resolving an ID (%d)\n", ids[i]->xid.id));
+ DBG_NOTICE("Unexpected error resolving an ID "
+ "(%d): %s\n", ids[i]->xid.id,
+ nt_errstr(ret));
}
}

The branch, master has been updated
via 91d0275 winbindd: Use idmap cache in xids2sids
via f7f49a2 idmap: Prime gencache after xids2sids calls
via 9079dc4 idmap: Pass up the xid2sids unix-ids from the idmap child
from a25fb5c idmap_rid: Add the error string in a debug

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 91d027554e414f371b3237110d1c92033d929992
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 10:19:17 2016 +0000

winbindd: Use idmap cache in xids2sids

Typically smbd should have looked into the idmap cache itself before
contacting winbind. But winbind has internal users of this API (getpwuid
and getgrgid for example), and those need to use the cache too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

Autobuild-User(master): Uri Simchoni <***@samba.org>
Autobuild-Date(master): Wed Dec 28 00:06:41 CET 2016 on sn-devel-144

commit f7f49a2354c99d95a302f070fe3aa97a949063c8
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 20 16:22:48 2016 +0100

idmap: Prime gencache after xids2sids calls

This fixes a performance regression for "hide unreadable". With an empty
gencache, we only do xid2sid calls when reading a large number of acls. We
lost caching the xid2sid calls while implmenting the multiple-id calls,
probably because at that time the bug with ID_TYPE_BOTH backends was still
pending. This patch restores the xid2sid caching hopefully correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit 9079dc4f4501c4e868f46de41b82927b69dc78d5
Author: Volker Lendecke <***@samba.org>
Date: Wed Dec 21 11:29:08 2016 +0100

idmap: Pass up the xid2sids unix-ids from the idmap child

When asking for gid2sid with an idmap backend that does ID_TYPE_BOTH
and the sid in question is actually a user, the parent winbind needs
to know about it. The next commit will prime the gencache also after
xid2sid calls, and if we filled it with a ID_TYPE_GID entry, a later
sid2uid call would fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12484

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
librpc/idl/winbind.idl | 2 +-
source3/winbindd/wb_xids2sids.c | 41 +++++++++++++++++++++++++++++++++++-
source3/winbindd/winbindd_dual_srv.c | 1 +
3 files changed, 42 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 60c875b..ec472c5 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -59,7 +59,7 @@ interface winbind
NTSTATUS wbint_UnixIDs2Sids(
[in,string,charset(UTF8)] char *domain_name,
[in] uint32 num_ids,
- [in] unixid xids[num_ids],
+ [in,out] unixid xids[num_ids],
[out] dom_sid sids[num_ids]
);

diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
index 7fc8a72..7ac1998 100644
--- a/source3/winbindd/wb_xids2sids.c
+++ b/source3/winbindd/wb_xids2sids.c
@@ -262,7 +262,20 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq)
continue;
}

- sid_copy(&state->all_sids[i], &state->dom_sids[dom_sid_idx++]);
+ sid_copy(&state->all_sids[i], &state->dom_sids[dom_sid_idx]);
+
+ /*
+ * Prime the cache after an xid2sid call. It's
+ * important that we use state->dom_xids for the xid
+ * value, not state->all_xids: state->all_xids carries
+ * what we asked for, e.g. a
+ * ID_TYPE_UID. state->dom_xids holds something the
+ * idmap child possibly changed to ID_TYPE_BOTH.
+ */
+ idmap_cache_set_sid2unixid(
+ &state->all_sids[i], &state->dom_xids[dom_sid_idx]);
+
+ dom_sid_idx += 1;
}

tevent_req_done(req);
@@ -340,6 +353,32 @@ struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}

+ if (winbindd_use_idmap_cache()) {
+ uint32_t i;
+
+ for (i=0; i<num_xids; i++) {
+ struct dom_sid sid;
+ bool ok, expired;
+
+ switch (xids[i].type) {
+ case ID_TYPE_UID:
+ ok = idmap_cache_find_uid2sid(
+ xids[i].id, &sid, &expired);
+ break;
+ case ID_TYPE_GID:
+ ok = idmap_cache_find_gid2sid(
+ xids[i].id, &sid, &expired);
+ break;
+ default:
+ ok = false;
+ }
+
+ if (ok && !expired) {
+ sid_copy(&state->sids[i], &sid);
+ }
+ }
+ }
+
wb_xids2sids_init_dom_maps();
num_domains = talloc_array_length(dom_maps);

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 4a581d33..7b80418 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -233,6 +233,7 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
}

for (i=0; i<r->in.num_ids; i++) {
+ r->out.xids[i] = maps[i]->xid;
sid_copy(&r->out.sids[i], maps[i]->sid);
}

The branch, master has been updated
via 3660c76 ctdb-takeover: Clean up when exiting on error
via 3b0b29b ctdb-takeover: Fix CID 1398169 Unchecked return value
via bdaa2bc ctdbd_conn: remove unused fde from struct ctdbd_connection
via dd3868a ctdbd_conn: fix a resource leak
from 91d0275 winbindd: Use idmap cache in xids2sids

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3660c76dce8bfb8b20832cd10151f832d367d9bb
Author: Martin Schwenke <***@meltin.net>
Date: Wed Dec 28 06:18:26 2016 +1100

ctdb-takeover: Clean up when exiting on error

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: David Disseldorp <***@samba.org>

Autobuild-User(master): David Disseldorp <***@samba.org>
Autobuild-Date(master): Wed Dec 28 05:18:08 CET 2016 on sn-devel-144

commit 3b0b29bcb6fe5fa3555b234cb30f64e1473b2472
Author: Martin Schwenke <***@meltin.net>
Date: Wed Dec 28 06:14:56 2016 +1100

ctdb-takeover: Fix CID 1398169 Unchecked return value

Signed-off-by: Martin Schwenke <***@meltin.net>
Reviewed-by: David Disseldorp <***@samba.org>

commit bdaa2bcc1dd768d27d3696de23c1e9c6084d58d3
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 27 15:41:51 2016 +0100

ctdbd_conn: remove unused fde from struct ctdbd_connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12485

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

commit dd3868a5c76cc6d177c393215c6755d1b42d74a6
Author: Ralph Boehme <***@samba.org>
Date: Tue Dec 27 09:19:16 2016 +0100

ctdbd_conn: fix a resource leak

When reinitializing the ctdb messaging subsystem we must free the ctdb
connection fde.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12485

Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: David Disseldorp <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
ctdb/server/ctdb_takeover_helper.c | 10 ++++++++--
source3/lib/ctdbd_conn.c | 2 --
source3/lib/messages_ctdbd.c | 2 ++
3 files changed, 10 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/server/ctdb_takeover_helper.c b/ctdb/server/ctdb_takeover_helper.c
index 3057528..f83b914 100644
--- a/ctdb/server/ctdb_takeover_helper.c
+++ b/ctdb/server/ctdb_takeover_helper.c
@@ -1160,11 +1160,17 @@ int main(int argc, const char *argv[])
force_rebalance_nodes = parse_node_list(mem_ctx, argv[3]);
if (force_rebalance_nodes == NULL) {
usage(argv[0]);
- exit(1);
+ ret = EINVAL;
+ goto done;
}
}

- logging_init(mem_ctx, NULL, NULL, "ctdb-takeover");
+ ret = logging_init(mem_ctx, NULL, NULL, "ctdb-takeover");
+ if (ret != 0) {
+ fprintf(stderr,
+ "ctdb-takeover: Unable to initialize logging\n");
+ goto done;
+ }

ev = tevent_context_init(mem_ctx);
if (ev == NULL) {
diff --git a/source3/lib/ctdbd_conn.c b/source3/lib/ctdbd_conn.c
index 118f3a0..d16796f 100644
--- a/source3/lib/ctdbd_conn.c
+++ b/source3/lib/ctdbd_conn.c
@@ -50,7 +50,6 @@ struct ctdbd_connection {
uint64_t rand_srvid;
struct ctdbd_srvid_cb *callbacks;
int fd;
- struct tevent_fd *fde;
int timeout;
};

@@ -394,7 +393,6 @@ static int ctdb_read_req(struct ctdbd_connection *conn, uint32_t reqid,

static int ctdbd_connection_destructor(struct ctdbd_connection *c)
{
- TALLOC_FREE(c->fde);
if (c->fd != -1) {
close(c->fd);
c->fd = -1;
diff --git a/source3/lib/messages_ctdbd.c b/source3/lib/messages_ctdbd.c
index 5964894..bee2685 100644
--- a/source3/lib/messages_ctdbd.c
+++ b/source3/lib/messages_ctdbd.c
@@ -183,6 +183,8 @@ static int messaging_ctdbd_init_internal(struct messaging_context *msg_ctx,
int ret, ctdb_fd;

if (reinit) {
+ TALLOC_FREE(ctx->fde);
+
ret = ctdbd_reinit_connection(ctx,
lp_ctdbd_socket(),
lp_ctdb_timeout(),

The branch, master has been updated
via 2e1dc95 idmap4: Use sid_check_is_in_unix_groups()
via e06a342 idmap4: Use sid_check_is_in_unix_users()
via 166e23d lib: Avoid an includes.h
via c66f57d lib: Add required prerequisites for librpc/gen_ndr/security.h
via 24f0878 passdb: Move lookup_unix_[user|group]_name to lookup_sid.c
via c5b9c58 lib: Add lib/util_unixsids.h
via 6830a6a idmap4: Slightly simplify idmap_xid_to_sid
via 2146df2 idmap4: Fix error path memleaks in idmap_init
via f39ed43 idmap4: Fix idmap_ctx talloc hierarchy
from 3660c76 ctdb-takeover: Clean up when exiting on error

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2e1dc952f0505154f649c04da4b2194f433a6cbe
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 13:08:58 2016 +0000

idmap4: Use sid_check_is_in_unix_groups()

This avoids the need for the special unix groups sid

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

Autobuild-User(master): Uri Simchoni <***@samba.org>
Autobuild-Date(master): Thu Dec 29 00:05:25 CET 2016 on sn-devel-144

commit e06a342f80bf75863d0c0f057c19aeab2bcb3c29
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 13:08:58 2016 +0000

idmap4: Use sid_check_is_in_unix_users()

This avoids the need for the special unix users sid

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit 166e23d98b90a814450164eb363bbbcbad0a2163
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 13:05:49 2016 +0000

lib: Avoid an includes.h

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit c66f57d1de9bb95b61e7208c7c13900ec98ce643
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 13:04:57 2016 +0000

lib: Add required prerequisites for librpc/gen_ndr/security.h

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit 24f08784a3a577699895f95d087dd5be085d032a
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 12:57:23 2016 +0000

passdb: Move lookup_unix_[user|group]_name to lookup_sid.c

This is the only user and reduces the dependencies of util_unixsids.c

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit c5b9c58032e4daba49e1119001bab9c93a0c2c77
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 12:52:00 2016 +0000

lib: Add lib/util_unixsids.h

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit 6830a6a35026664a70f012dce973a9805c85b82d
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 12:32:13 2016 +0000

idmap4: Slightly simplify idmap_xid_to_sid

No need to parse "S-1-22-1", we have global_sid_Unix_Users

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit 2146df24d86eff3cbe6ca713db3bee546f2c7de7
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 12:21:09 2016 +0000

idmap4: Fix error path memleaks in idmap_init

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit f39ed433dc6393e82e82ad734a79473abe01ee75
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 12:19:54 2016 +0000

idmap4: Fix idmap_ctx talloc hierarchy

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
libcli/security/security.h | 3 ++
source3/auth/auth_util.c | 1 +
source3/auth/server_info.c | 1 +
source3/auth/token_util.c | 1 +
source3/include/proto.h | 13 -------
source3/lib/util_sid_passdb.c | 1 +
source3/lib/util_unixsids.c | 40 ++--------------------
.../winbindd_async.c => lib/util_unixsids.h} | 32 +++++++++--------
...passdb-0.25.0.sigs => samba-passdb-0.26.0.sigs} | 2 --
source3/passdb/lookup_sid.c | 36 +++++++++++++++++++
source3/winbindd/wb_lookupsids.c | 1 +
source3/winbindd/winbindd_samr.c | 1 +
source3/winbindd/winbindd_util.c | 1 +
source3/wscript_build | 2 +-
source4/winbind/idmap.c | 35 +++++++------------
source4/winbind/idmap.h | 2 --
16 files changed, 79 insertions(+), 93 deletions(-)
copy source3/{winbindd/winbindd_async.c => lib/util_unixsids.h} (54%)
copy source3/passdb/ABI/{samba-passdb-0.25.0.sigs => samba-passdb-0.26.0.sigs} (99%)


Changeset truncated at 500 lines:

diff --git a/libcli/security/security.h b/libcli/security/security.h
index 6e4b172..4df18eb 100644
--- a/libcli/security/security.h
+++ b/libcli/security/security.h
@@ -20,6 +20,9 @@
#ifndef _LIBCLI_SECURITY_SECURITY_H_
#define _LIBCLI_SECURITY_SECURITY_H_

+#include "lib/util/data_blob.h"
+#include "lib/util/time.h"
+
#include "librpc/gen_ndr/security.h"

#define PRIMARY_USER_SID_INDEX 0
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 2da2896..25f27e8 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -23,6 +23,7 @@

#include "includes.h"
#include "auth.h"
+#include "lib/util_unixsids.h"
#include "../libcli/auth/libcli_auth.h"
#include "../lib/crypto/arcfour.h"
#include "rpc_client/init_lsa.h"
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index d2b7823..8461d20 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -19,6 +19,7 @@

#include "includes.h"
#include "auth.h"
+#include "lib/util_unixsids.h"
#include "../lib/crypto/arcfour.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "../libcli/security/security.h"
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index 375905a..77b63e4 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -25,6 +25,7 @@
/* functions moved from auth/auth_util.c to minimize linker deps */

#include "includes.h"
+#include "lib/util_unixsids.h"
#include "system/passwd.h"
#include "auth.h"
#include "secrets.h"
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 53a2d6a..4535a14 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1104,19 +1104,6 @@ bool lookup_wellknown_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
bool lookup_wellknown_name(TALLOC_CTX *mem_ctx, const char *name,
struct dom_sid *sid, const char **domain);

-/* The following definitions come from lib/util_unixsids.c */
-
-bool sid_check_is_unix_users(const struct dom_sid *sid);
-bool sid_check_is_in_unix_users(const struct dom_sid *sid);
-void uid_to_unix_users_sid(uid_t uid, struct dom_sid *sid);
-void gid_to_unix_groups_sid(gid_t gid, struct dom_sid *sid);
-const char *unix_users_domain_name(void);
-bool lookup_unix_user_name(const char *name, struct dom_sid *sid);
-bool sid_check_is_unix_groups(const struct dom_sid *sid);
-bool sid_check_is_in_unix_groups(const struct dom_sid *sid);
-const char *unix_groups_domain_name(void);
-bool lookup_unix_group_name(const char *name, struct dom_sid *sid);
-
/* The following definitions come from lib/util_specialsids.c */
bool sid_check_is_asserted_identity(const struct dom_sid *sid);
bool sid_check_is_in_asserted_identity(const struct dom_sid *sid);
diff --git a/source3/lib/util_sid_passdb.c b/source3/lib/util_sid_passdb.c
index 0ff64cc..e67a27d 100644
--- a/source3/lib/util_sid_passdb.c
+++ b/source3/lib/util_sid_passdb.c
@@ -20,6 +20,7 @@

#include "includes.h"
#include "lib/util_sid_passdb.h"
+#include "lib/util_unixsids.h"
#include "passdb/machine_sid.h"
#include "passdb.h"

diff --git a/source3/lib/util_unixsids.c b/source3/lib/util_unixsids.c
index 4a38c57..387232c 100644
--- a/source3/lib/util_unixsids.c
+++ b/source3/lib/util_unixsids.c
@@ -17,10 +17,9 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

-#include "includes.h"
-#include "system/passwd.h"
+#include "replace.h"
+#include "util_unixsids.h"
#include "../libcli/security/security.h"
-#include "../lib/util/util_pw.h"

bool sid_check_is_unix_users(const struct dom_sid *sid)
{
@@ -60,25 +59,6 @@ const char *unix_users_domain_name(void)
return "Unix User";
}

-bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
-{
- struct passwd *pwd;
- bool ret;
-
- pwd = Get_Pwnam_alloc(talloc_tos(), name);
- if (pwd == NULL) {
- return False;
- }
-
- /*
- * For 64-bit uid's we have enough space in the whole SID,
- * should they become necessary
- */
- ret = sid_compose(sid, &global_sid_Unix_Users, pwd->pw_uid);
- TALLOC_FREE(pwd);
- return ret;
-}
-
bool sid_check_is_unix_groups(const struct dom_sid *sid)
{
return dom_sid_equal(sid, &global_sid_Unix_Groups);
@@ -98,19 +78,3 @@ const char *unix_groups_domain_name(void)
{
return "Unix Group";
}
-
-bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
-{
- struct group *grp;
-
- grp = getgrnam(name);
- if (grp == NULL) {
- return False;
- }
-
- /*
- * For 64-bit gid's we have enough space in the whole SID,
- * should they become necessary
- */
- return sid_compose(sid, &global_sid_Unix_Groups, grp->gr_gid);
-}
diff --git a/source3/winbindd/winbindd_async.c b/source3/lib/util_unixsids.h
similarity index 54%
copy from source3/winbindd/winbindd_async.c
copy to source3/lib/util_unixsids.h
index 75dfa0e..b90a746 100644
--- a/source3/winbindd/winbindd_async.c
+++ b/source3/lib/util_unixsids.h
@@ -1,10 +1,7 @@
-/*
+/*
Unix SMB/CIFS implementation.
-
- Async helpers for blocking functions
-
+ Translate unix-defined names to SIDs and vice versa
Copyright (C) Volker Lendecke 2005
- Copyright (C) Gerald Carter 2006

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -20,15 +17,20 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

-#include "includes.h"
-#include "winbindd.h"
-#include "../libcli/security/security.h"
+#ifndef __UTIL_UNIXSIDS_H__
+#define __UTIL_UNIXSIDS_H__
+
+#include "replace.h"
+
+struct dom_sid;

-#undef DBGC_CLASS
-#define DBGC_CLASS DBGC_WINBIND
+bool sid_check_is_unix_users(const struct dom_sid *sid);
+bool sid_check_is_in_unix_users(const struct dom_sid *sid);
+void uid_to_unix_users_sid(uid_t uid, struct dom_sid *sid);
+void gid_to_unix_groups_sid(gid_t gid, struct dom_sid *sid);
+const char *unix_users_domain_name(void);
+bool sid_check_is_unix_groups(const struct dom_sid *sid);
+bool sid_check_is_in_unix_groups(const struct dom_sid *sid);
+const char *unix_groups_domain_name(void);

-enum winbindd_result winbindd_dual_ping(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
-{
- return WINBINDD_OK;
-}
+#endif
diff --git a/source3/passdb/ABI/samba-passdb-0.25.0.sigs b/source3/passdb/ABI/samba-passdb-0.26.0.sigs
similarity index 99%
copy from source3/passdb/ABI/samba-passdb-0.25.0.sigs
copy to source3/passdb/ABI/samba-passdb-0.26.0.sigs
index 546374c..f3762e5 100644
--- a/source3/passdb/ABI/samba-passdb-0.25.0.sigs
+++ b/source3/passdb/ABI/samba-passdb-0.26.0.sigs
@@ -56,8 +56,6 @@ lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **
lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *)
lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *)
lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **)
-lookup_unix_group_name: bool (const char *, struct dom_sid *)
-lookup_unix_user_name: bool (const char *, struct dom_sid *)
lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **)
lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **)
make_pdb_method: NTSTATUS (struct pdb_methods **)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 110bdd3..b06dd1b 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -21,6 +21,7 @@

#include "includes.h"
#include "passdb.h"
+#include "lib/util_unixsids.h"
#include "../librpc/gen_ndr/ndr_security.h"
#include "secrets.h"
#include "../lib/util/memcache.h"
@@ -29,6 +30,41 @@
#include "lib/winbind_util.h"
#include "../librpc/gen_ndr/idmap.h"

+static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
+{
+ struct passwd *pwd;
+ bool ret;
+
+ pwd = Get_Pwnam_alloc(talloc_tos(), name);
+ if (pwd == NULL) {
+ return False;
+ }
+
+ /*
+ * For 64-bit uid's we have enough space in the whole SID,
+ * should they become necessary
+ */
+ ret = sid_compose(sid, &global_sid_Unix_Users, pwd->pw_uid);
+ TALLOC_FREE(pwd);
+ return ret;
+}
+
+static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
+{
+ struct group *grp;
+
+ grp = getgrnam(name);
+ if (grp == NULL) {
+ return False;
+ }
+
+ /*
+ * For 64-bit gid's we have enough space in the whole SID,
+ * should they become necessary
+ */
+ return sid_compose(sid, &global_sid_Unix_Groups, grp->gr_gid);
+}
+
/*****************************************************************
Dissect a user-provided name into domain, name, sid and type.

diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
index 2480547..a4bcbad 100644
--- a/source3/winbindd/wb_lookupsids.c
+++ b/source3/winbindd/wb_lookupsids.c
@@ -19,6 +19,7 @@

#include "includes.h"
#include "winbindd.h"
+#include "lib/util_unixsids.h"
#include "librpc/gen_ndr/ndr_winbind_c.h"
#include "../libcli/security/security.h"
#include "passdb/machine_sid.h"
diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c
index 3d0914a..dce26d2 100644
--- a/source3/winbindd/winbindd_samr.c
+++ b/source3/winbindd/winbindd_samr.c
@@ -26,6 +26,7 @@
#include "includes.h"
#include "winbindd.h"
#include "winbindd_rpc.h"
+#include "lib/util_unixsids.h"
#include "rpc_client/rpc_client.h"
#include "../librpc/gen_ndr/ndr_samr_c.h"
#include "rpc_client/cli_samr.h"
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 38e4b8b..c98b3ef 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -22,6 +22,7 @@

#include "includes.h"
#include "winbindd.h"
+#include "lib/util_unixsids.h"
#include "secrets.h"
#include "../libcli/security/security.h"
#include "../libcli/auth/pam_errors.h"
diff --git a/source3/wscript_build b/source3/wscript_build
index d45a440..815a540 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -168,7 +168,7 @@ bld.SAMBA3_LIBRARY('samba-passdb',
''',
abi_match=private_pdb_match,
abi_directory='passdb/ABI',
- vnum='0.25.0')
+ vnum='0.26.0')

bld.SAMBA3_SUBSYSTEM('pdb',
source='''
diff --git a/source4/winbind/idmap.c b/source4/winbind/idmap.c
index 26a4664..edeb724 100644
--- a/source4/winbind/idmap.c
+++ b/source4/winbind/idmap.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "auth/auth.h"
#include "librpc/gen_ndr/ndr_security.h"
+#include "lib/util_unixsids.h"
#include <ldb.h>
#include "ldb_wrap.h"
#include "param/param.h"
@@ -166,31 +167,24 @@ struct idmap_context *idmap_init(TALLOC_CTX *mem_ctx,

idmap_ctx->lp_ctx = lp_ctx;

- idmap_ctx->ldb_ctx = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx,
+ idmap_ctx->ldb_ctx = ldb_wrap_connect(idmap_ctx, ev_ctx, lp_ctx,
"idmap.ldb",
system_session(lp_ctx),
NULL, 0);
if (idmap_ctx->ldb_ctx == NULL) {
- return NULL;
- }
-
- idmap_ctx->unix_groups_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-2");
- if (idmap_ctx->unix_groups_sid == NULL) {
- return NULL;
+ goto fail;
}

- idmap_ctx->unix_users_sid = dom_sid_parse_talloc(mem_ctx, "S-1-22-1");
- if (idmap_ctx->unix_users_sid == NULL) {
- return NULL;
- }
-
idmap_ctx->samdb = samdb_connect(idmap_ctx, ev_ctx, lp_ctx, system_session(lp_ctx), 0);
if (idmap_ctx->samdb == NULL) {
DEBUG(0, ("Failed to load sam.ldb in idmap_init\n"));
- return NULL;
+ goto fail;
}

return idmap_ctx;
+fail:
+ TALLOC_FREE(idmap_ctx);
+ return NULL;
}

/**
@@ -216,7 +210,8 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,
struct ldb_context *ldb = idmap_ctx->ldb_ctx;
struct ldb_result *res = NULL;
struct ldb_message *msg;
- struct dom_sid *unix_sid, *new_sid;
+ const struct dom_sid *unix_sid;
+ struct dom_sid *new_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *id_type;

@@ -354,13 +349,9 @@ static NTSTATUS idmap_xid_to_sid(struct idmap_context *idmap_ctx,

/* For local users/groups , we just create a rid = uid/gid */
if (unixid->type == ID_TYPE_UID) {
- unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-1");
+ unix_sid = &global_sid_Unix_Users;
} else {
- unix_sid = dom_sid_parse_talloc(tmp_ctx, "S-1-22-2");
- }
- if (unix_sid == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto failed;
+ unix_sid = &global_sid_Unix_Groups;
}

new_sid = dom_sid_add_rid(mem_ctx, unix_sid, unixid->id);
@@ -410,7 +401,7 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
const char *sam_attrs[] = {"uidNumber", "gidNumber", "samAccountType", NULL};

- if (dom_sid_in_domain(idmap_ctx->unix_users_sid, sid)) {
+ if (sid_check_is_in_unix_users(sid)) {
uint32_t rid;
DEBUG(6, ("This is a local unix uid, just calculate that.\n"));
status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
@@ -426,7 +417,7 @@ static NTSTATUS idmap_sid_to_xid(struct idmap_context *idmap_ctx,
return NT_STATUS_OK;
}

- if (dom_sid_in_domain(idmap_ctx->unix_groups_sid, sid)) {
+ if (sid_check_is_in_unix_groups(sid)) {
uint32_t rid;
DEBUG(6, ("This is a local unix gid, just calculate that.\n"));
status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
diff --git a/source4/winbind/idmap.h b/source4/winbind/idmap.h
index 676955c..04770c3 100644
--- a/source4/winbind/idmap.h
+++ b/source4/winbind/idmap.h
@@ -27,8 +27,6 @@
struct idmap_context {
struct loadparm_context *lp_ctx;
struct ldb_context *ldb_ctx;
- struct dom_sid *unix_groups_sid;
- struct dom_sid *unix_users_sid;
struct ldb_context *samdb;
};

The branch, master has been updated
via 2487a42 Happy New Year 2017!
from 2e1dc95 idmap4: Use sid_check_is_in_unix_groups()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2487a423b7b5ae153690564202a582de5d8334aa
Author: Stefan Metzmacher <***@samba.org>
Date: Sun Jan 1 10:03:49 2017 +0100

Happy New Year 2017!

Signed-off-by: Stefan Metzmacher <***@samba.org>

Autobuild-User(master): Stefan Metzmacher <***@samba.org>
Autobuild-Date(master): Sun Jan 1 13:47:26 CET 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
source3/include/smb.h | 2 +-
source4/smbd/server.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/smb.h b/source3/include/smb.h
index 75fcb02..7de47c8 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -30,7 +30,7 @@
#include "libds/common/roles.h"

/* logged when starting the various Samba daemons */
-#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2016"
+#define COPYRIGHT_STARTUP_MESSAGE "Copyright Andrew Tridgell and the Samba Team 1992-2017"

#define SAFETY_MARGIN 1024
#define LARGE_WRITEX_HDR_SIZE 65
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 28ecaca..407f258 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -376,7 +376,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
umask(0);

DEBUG(0,("%s version %s started.\n", binary_name, SAMBA_VERSION_STRING));
- DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team 1992-2016\n"));
+ DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team 1992-2017\n"));

if (sizeof(uint16_t) < 2 || sizeof(uint32_t) < 4 || sizeof(uint64_t) < 8) {
DEBUG(0,("ERROR: Samba is not configured correctly for the word size on your machine\n"));

The branch, master has been updated
via 59abfcb WAF: Fix detection of IPv6
via be12f82 WAF: Fix detection os sysname ...
via f4c0a75 WAF: Fix detection of linker features
via b7ae41e lib replace: Fix detection of features
from 2487a42 Happy New Year 2017!

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 59abfcb7945103cd4031abac86d51cd51ce052ca
Author: Lukas Slebodnik <***@redhat.com>
Date: Tue Dec 6 18:07:50 2016 +0100

WAF: Fix detection of IPv6

Detection of IPv6 failed with strict CFLAGS due to missing
header file.

Checking for HAVE_IPV6 : not found

../test.c: In function ‘main’:
../test.c:226:34: error: implicit declaration of function
‘if_nametoindex’ [-Werror=implicit-function-declaration]
int idx = if_nametoindex("iface1");
^~~~~~~~~~~~~~

Signed-off-by: Lukas Slebodnik <***@redhat.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Mon Jan 2 18:03:20 CET 2017 on sn-devel-144

commit be12f82cf1ca652b06995e84971c878621315d24
Author: Lukas Slebodnik <***@redhat.com>
Date: Tue Dec 6 18:07:43 2016 +0100

WAF: Fix detection os sysname ...

Detection of sysname failed with stricter CFLAGS
"-Werrorr=implicit-function-declaration -Werror=implicit-int"

Checking uname sysname type : not found
Checking uname machine type : not found
Checking uname release type : not found
Checking uname version type : not found

../test.c: In function ‘main’:
../test.c:8:32: error: implicit declaration of function ‘printf’
[-Werror=implicit-function-declaration]
printf("%s", n.sysname);
^~~~~~
../test.c:8:32: warning: incompatible implicit declaration
of built-in function ‘printf’
../test.c:8:32: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’

Signed-off-by: Lukas Slebodnik <***@redhat.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f4c0a750d4adebcf2342a44e85f04526c34268c8
Author: Lukas Slebodnik <***@redhat.com>
Date: Tue Dec 6 18:07:36 2016 +0100

WAF: Fix detection of linker features

Following check of linker feature failed with strict CFLAGS
"-Werrorr=implicit-function-declaration -Werror=implicit-int"

Checking for rpath library support : not found
Checking for -Wl,--version-script support : not found

../main.c: In function ‘main’:
../main.c:1:26: error: implicit declaration of function ‘lib_func’
[-Werror=implicit-function-declaration]
int main(void) {return !(lib_func() == 42);}
^~~~~~~~

Signed-off-by: Lukas Slebodnik <***@redhat.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b7ae41e6ca133e08f1dc62bd49436f51f490f46b
Author: Lukas Slebodnik <***@redhat.com>
Date: Tue Dec 6 18:07:18 2016 +0100

lib replace: Fix detection of features

If configure script is executed with stricter cflags
"-Werrorr=implicit-function-declaration -Werror=implicit-int"
then detection of few features will fail.

Checking for C99 vsnprintf : not found
Checking for HAVE_SHARED_MMAP : not found
Checking for HAVE_MREMAP : not found

lib/replace/test/shared_mmap.c:18:1:
error: return type defaults to ‘int’ [-Werror=implicit-int]
main()
^~~~
lib/replace/test/shared_mmap.c: In function ‘main’:
lib/replace/test/shared_mmap.c:25:16:
error: implicit declaration of function ‘exit’
[-Werror=implicit-function-declaration]
if (fd == -1) exit(1);
^~~~
lib/replace/test/shared_mmap.c:25:16:
warning: incompatible implicit declaration of built-in function ‘exit’
lib/replace/test/shared_mmap.c:25:16:
note: include ‘<stdlib.h>’ or provide a declaration of ‘exit’

Signed-off-by: Lukas Slebodnik <***@redhat.com>
Reviewed-by: Andreas Schneider <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
buildtools/wafsamba/samba_conftests.py | 5 ++++-
lib/replace/test/shared_mmap.c | 5 ++++-
lib/replace/test/shared_mremap.c | 5 ++++-
lib/replace/test/snprintf.c | 2 +-
lib/replace/wscript | 2 +-
5 files changed, 14 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_conftests.py b/buildtools/wafsamba/samba_conftests.py
index 045f858..72e4321 100644
--- a/buildtools/wafsamba/samba_conftests.py
+++ b/buildtools/wafsamba/samba_conftests.py
@@ -286,7 +286,9 @@ def CHECK_LIBRARY_SUPPORT(conf, rpath=False, version_script=False, msg=None):
os.makedirs(subdir)

Utils.writef(os.path.join(subdir, 'lib1.c'), 'int lib_func(void) { return 42; }\n')
- Utils.writef(os.path.join(dir, 'main.c'), 'int main(void) {return !(lib_func() == 42);}\n')
+ Utils.writef(os.path.join(dir, 'main.c'),
+ 'int lib_func(void);\n'
+ 'int main(void) {return !(lib_func() == 42);}\n')

bld = Build.BuildContext()
bld.log = conf.log
@@ -436,6 +438,7 @@ def CHECK_UNAME(conf):
ret = True
for v in "sysname machine release version".split():
if not conf.CHECK_CODE('''
+ int printf(const char *format, ...);
struct utsname n;
if (uname(&n) == -1) return -1;
printf("%%s", n.%s);
diff --git a/lib/replace/test/shared_mmap.c b/lib/replace/test/shared_mmap.c
index 50dad8d..9d6e3fc 100644
--- a/lib/replace/test/shared_mmap.c
+++ b/lib/replace/test/shared_mmap.c
@@ -4,6 +4,9 @@
#if defined(HAVE_UNISTD_H)
#include <unistd.h>
#endif
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -15,7 +18,7 @@
#define MAP_FILE 0
#endif

-main()
+int main(void)
{
int *buf;
int i;
diff --git a/lib/replace/test/shared_mremap.c b/lib/replace/test/shared_mremap.c
index 05032ad..08040e2 100644
--- a/lib/replace/test/shared_mremap.c
+++ b/lib/replace/test/shared_mremap.c
@@ -3,6 +3,9 @@
#if defined(HAVE_UNISTD_H)
#include <unistd.h>
#endif
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
@@ -18,7 +21,7 @@
#define MAP_FAILED (int *)-1
#endif

-main()
+int main(void)
{
int *buf;
int fd;
diff --git a/lib/replace/test/snprintf.c b/lib/replace/test/snprintf.c
index d06630b..77473f0 100644
--- a/lib/replace/test/snprintf.c
+++ b/lib/replace/test/snprintf.c
@@ -26,4 +26,4 @@ void foo(const char *format, ...)
printf("1");
exit(0);
}
-main() { foo("hello"); }
+int main(void) { foo("hello"); }
diff --git a/lib/replace/wscript b/lib/replace/wscript
index 1dfd902..ea0d5d0 100644
--- a/lib/replace/wscript
+++ b/lib/replace/wscript
@@ -189,7 +189,7 @@ def configure(conf):
''',
define='HAVE_IPV6',
lib='nsl socket',
- headers='sys/socket.h netdb.h netinet/in.h')
+ headers='sys/socket.h netdb.h netinet/in.h net/if.h')

if conf.CONFIG_SET('HAVE_SYS_UCONTEXT_H') and conf.CONFIG_SET('HAVE_SIGNAL_H'):
conf.CHECK_CODE('''

The branch, master has been updated
via ec62194 winbind: Remove find_builtin_domain helper function
via 7981c6f winbind: Remove wb_fill_pwent
via c4e9ec5 winbind: Go throught wb_getpwsid for listing users
via 901d2bd winbind: Add wbint_QueryUserRidList
via a1ba988 winbind: Fix a confusing indentation
via 730b176 winbind: Simplify wb_gettoken
via 7bc161d winbind: Don't do supplementary group lookup manually
via cff1924 idmap_ad: Restore querying SFU nss info
via bce19a6 winbind: Restructure wb_getpwsid
via d0f1d76 winbind: Adapt cache to extended wbint_userinfo
via 2022ec8 winbind: Add a GetNssInfo parent/child call
via c98ad0a winbind: Make "idmap_find_domain" public
via 2702114 winbind: It's legitmate to have 0 groups in info3
via 2562d19 idmap: Simplify idmap_ad_nss_init()
via c2e1f4e winbind: Fix wb_lookupsids for AD DCs
via 22b2151 winbind4: Remove unused code
via 2481584 winbind: Initialize user list info to 0
via 7c3ea9f s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()
via b61a937 s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED
via 6f029d5 s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails
via e838347 s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT
via 94fc5c4 s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]
from 59abfcb WAF: Fix detection of IPv6

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ec621945670bc023ad4a849f2e9af4eb8c299c20
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 30 11:51:37 2016 +0000

winbind: Remove find_builtin_domain helper function

There was only one caller, and the function was pretty small anyway.

This makes a "git grep find_domain_from" more obvious :-)

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Mon Jan 2 21:52:02 CET 2017 on sn-devel-144

commit 7981c6f9b5ce7ce294bfc9932286b7da03390c01
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 30 11:47:45 2016 +0000

winbind: Remove wb_fill_pwent

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c4e9ec55f10efb1d8eb39ed54580194973bb26ad
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 19:05:40 2016 +0000

winbind: Go throught wb_getpwsid for listing users

This makes sure we get the same results for getpwnam and getpwent.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 901d2bd99b208cf3a87243da2a2c7e8a8656efab
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 18:13:28 2016 +0000

winbind: Add wbint_QueryUserRidList

This is an equivalent of QueryUserList with simpler output. The next
commit will use it to go through wb_getpwsid for getent passwd, to
make sure we get the same results. Eventually, this might get a simpler
backend.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit a1ba988c03f45ee21d04d4b27409ebdb3db9fa4c
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 15:34:41 2016 +0000

winbind: Fix a confusing indentation

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 730b176ffb3ba2e1452d04e1c75a4405b90132e6
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 25 10:19:38 2016 +0000

winbind: Simplify wb_gettoken

All we need from the domain struct is it's sid. Directly use it.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 7bc161db7a5c5c3b05160a92abfd5f646c4ea8f0
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 25 10:16:31 2016 +0000

winbind: Don't do supplementary group lookup manually

This can never be done successfully without a valid samlogon_cache entry.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit cff192413031a8bafe0b2b27e1aecd162422f855
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 10:27:58 2016 +0000

idmap_ad: Restore querying SFU nss info

With the last commit the getpwsid call did not look at the winbind
nss info parameter anymore. This restores it for the idmap ad backend
with slightly different semantics and configuration: We now have the
unix_primary_group and unix_nss_info domain-specific parameters for
idmap config. This enables overriding the Windows primary group with
the unix one.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit bce19a6efe11980933531f0349c8f5212419366a
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 10:05:28 2016 +0000

winbind: Restructure wb_getpwsid

This patch moves the responsibility to create a winbind user from the
winbind backends into wb_queryuser.c. The name comes from lsa_lookupsids,
the uid from idmap. If we have a netsamlogon_cache, we get the primary
group sid from there. Without netsamlogon_cache, we default to -513, as
we do right now as default for non-reachable ADS domains anyway. Shell
and homedir default to template. This can all be done in the parent
without contacting any LDAP-related calls and is correct once we have
a netsamlogon_cache.

Once the parent has filled in the userinfo, the idmap child is queried
with the GetNssInfo call, taking the userinfo [in,out]. The child is
free to override the whole thing, something the AD backend will do in
the next patch.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit d0f1d761b5765df8525f991554ffd333d4a247d6
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 30 10:57:50 2016 +0000

winbind: Adapt cache to extended wbint_userinfo

Separate commit, UL/ was missing some fields already

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 2022ec8770ff05d91f6eaf2ae3da7a4150697d56
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 09:56:29 2016 +0000

winbind: Add a GetNssInfo parent/child call

This call will be done in the idmap child. It is not 100% the right place,
but there is no better one available to me. It will become a replacement
for the "winbind nss info" parameter: This global parameter is good
for just one domain. It might be possible to have idmap backend AD for
different domains, and the NSS info like primary gid, homedir and shell
might be done with different policies per domain. As we already have a
domain-specific idmap configuration, doing the NSS info configuration
there also is the closest way to do it.

The alternative, if we did not want to put this call into the idmap child
would be to establish an equivalent engine like the whole "idmap config
*" just for the nss info. But as I believe this is closely related,
I'll just keep it in the idmap child.

This also extends the wbint_userinfo structure with pretty much all user
related fields. The idea is that the GetNssInfo call can do whatever it
wants with it.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c98ad0accae2b32526cfdc4577cc6d5adafc5f00
Author: Volker Lendecke <***@samba.org>
Date: Thu Dec 29 09:54:56 2016 +0000

winbind: Make "idmap_find_domain" public

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 2702114a94100fd07696438a6acc73c7f934ccd1
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 25 10:12:59 2016 +0000

winbind: It's legitmate to have 0 groups in info3

At least a Samba DC can send an info3 struct with base.groups.count==0. We
should not fail with that and just return 0 groups.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 2562d195802d69d9f485a6c59a1854fc9345d5f5
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 17 15:03:59 2016 +0100

idmap: Simplify idmap_ad_nss_init()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c2e1f4eec972ba31b225d5941c1d491fdb75ffaa
Author: Volker Lendecke <***@samba.org>
Date: Sun Dec 25 11:33:53 2016 +0000

winbind: Fix wb_lookupsids for AD DCs

Not yet a fix, but the IS_DC macro also contains the
ROLE_ACTIVE_DIRECTORY_DC, and once we start to fully do this we'll
need it.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 22b2151fb52655b06e62edcda080ea9392045237
Author: Volker Lendecke <***@samba.org>
Date: Tue Dec 27 14:01:13 2016 +0000

winbind4: Remove unused code

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 2481584b8b5c6d0b742fb9b5cc5e72223a80028b
Author: Volker Lendecke <***@samba.org>
Date: Fri Dec 30 11:08:22 2016 +0000

winbind: Initialize user list info to 0

Further down wbint_userinfo will be extended. Make sure we don't
have uninitialized memory hanging around

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 7c3ea9fe96336483752adb821f8062a883d52998
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 22 08:49:38 2016 +0100

s3:librpc/gse: make use of gss_krb5_import_cred() instead of gss_acquire_cred()

This avoids the usage of the ccselect_realm logic in MIT krb5,
which leads to unpredictable results.

The problem is the usage of gss_acquire_cred(), that just creates
a credential handle without ccache.

As result gss_init_sec_context() will trigger a code path
where it use "ccselect" plugins. And the ccselect_realm
module just chooses a random ccache from a global list
where the realm of the provides target principal matches
the realm of the ccache user principal.

In the winbindd case we're using MEMORY:cliconnect to setup
the smb connection to the DC. For ldap connections we use
MEMORY:winbind_ccache.

The typical case is that we do the smb connection first.
If we try to create a new ldap connection, while the
credentials in MEMORY:cliconnect are expired,
we'll do the required kinit into MEMORY:winbind_ccache,
but the ccselect_realm module will select MEMORY:cliconnect
and tries to get a service ticket for the ldap server
using the already expired TGT from MEMORY:cliconnect.

The solution will be to use gss_krb5_import_cred() and explicitly
pass the desired ccache, which avoids the ccselect logic.

We could also use gss_acquire_cred_from(), but that's only available
in modern MIT krb5 versions, while gss_krb5_import_cred() is available
in heimdal and all supported MIT versions (>=1.9).
As far as I can see both call the same internal function in MIT
(at least for the ccache case).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b61a93755ca59a58775c1c8c21baee49fef42fbf
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 22 08:47:32 2016 +0100

s3:librpc/gse: remove unused #ifdef HAVE_GSS_KRB5_IMPORT_CRED

We always have gss_krb5_import_cred(), it available in heimdal
and also the oldest version (1.9) of MIT krb5 that we support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 6f029d58703f657e46fee35fc663128157db4d9f
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 22 08:46:21 2016 +0100

s3:librpc/gse: include ccache_name in DEBUG message if krb5_cc_resolve() fails

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12480

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit e8383471056805233588e1ecc79c1d590cbc93f0
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 29 11:13:55 2016 +0100

s4:librpc/rpc: make sure we handle DCERPC_PACKET before DCERPC_CONNECT

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 94fc5c48b756d2938589c0b9363f29995a08ea2f
Author: Stefan Metzmacher <***@samba.org>
Date: Thu Dec 29 11:11:50 2016 +0100

s4:librpc/rpc: don't do an anonymous bind over ncacn_np:server[packet]

DCERPC_AUTH_LEVEL_PACKET is basically the same as
DCERPC_AUTH_LEVEL_INTEGRITY.

Signed-off-by: Stefan Metzmacher <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
docs-xml/manpages/idmap_ad.8.xml | 14 +
librpc/idl/winbind.idl | 11 +
source3/include/idmap.h | 4 +
source3/librpc/crypto/gse.c | 38 +--
source3/winbindd/idmap.c | 2 +-
source3/winbindd/idmap_ad.c | 110 ++++++++
source3/winbindd/idmap_ad_nss.c | 31 +--
source3/winbindd/idmap_proto.h | 1 +
source3/winbindd/wb_fill_pwent.c | 248 ------------------
source3/winbindd/wb_getpwsid.c | 117 +++------
source3/winbindd/wb_gettoken.c | 72 ++---
source3/winbindd/wb_lookupsids.c | 3 +-
source3/winbindd/wb_next_pwent.c | 36 +--
source3/winbindd/wb_queryuser.c | 286 +++++++++++++++++++-
source3/winbindd/winbindd.h | 5 +-
source3/winbindd/winbindd_cache.c | 23 +-
source3/winbindd/winbindd_dual_srv.c | 61 +++++
source3/winbindd/winbindd_proto.h | 8 -
source3/winbindd/winbindd_rpc.c | 2 +
source3/winbindd/winbindd_util.c | 17 --
source3/winbindd/wscript_build | 1 -
source4/librpc/rpc/dcerpc.c | 4 +-
source4/librpc/rpc/dcerpc_util.c | 2 +-
source4/winbind/wb_async_helpers.c | 494 -----------------------------------
source4/winbind/wb_async_helpers.h | 37 ---
source4/winbind/wb_utils.c | 1 -
source4/winbind/wscript_build | 2 +-
27 files changed, 630 insertions(+), 1000 deletions(-)
delete mode 100644 source3/winbindd/wb_fill_pwent.c
delete mode 100644 source4/winbind/wb_async_helpers.c
delete mode 100644 source4/winbind/wb_async_helpers.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
index 5876c46..58e7f52 100644
--- a/docs-xml/manpages/idmap_ad.8.xml
+++ b/docs-xml/manpages/idmap_ad.8.xml
@@ -74,6 +74,20 @@
via the "primaryGroupID" LDAP attribute.
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>unix_primary_group = yes/no</term>
+ <listitem><para>
+ Defines whether to retrieve the user's primary group
+ from the SFU attributes.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>unix_nss_info = yes/no</term>
+ <listitem><para>
+ Defines whether to retrieve the login shell and
+ home directory from the SFU attributes.
+ </para></listitem>
+ </varlistentry>
</variablelist>
</refsect1>

diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index ec472c5..d38b17a 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -72,11 +72,14 @@ interface winbind
);

typedef [public] struct {
+ [string,charset(UTF8)] char *domain_name;
[string,charset(UTF8)] char *acct_name;
[string,charset(UTF8)] char *full_name;
[string,charset(UTF8)] char *homedir;
[string,charset(UTF8)] char *shell;
+ hyper uid;
hyper primary_gid;
+ [string,charset(UTF8)] char *primary_group_name;
dom_sid user_sid;
dom_sid group_sid;
} wbint_userinfo;
@@ -86,6 +89,10 @@ interface winbind
[out] wbint_userinfo *info
);

+ NTSTATUS wbint_GetNssInfo(
+ [in,out] wbint_userinfo *info
+ );
+
typedef [public] struct {
uint32 num_sids;
[size_is(num_sids)] dom_sid sids[];
@@ -140,6 +147,10 @@ interface winbind
[out] wbint_Principals *groups
);

+ NTSTATUS wbint_QueryUserRidList(
+ [out] wbint_RidArray *rids
+ );
+
NTSTATUS wbint_DsGetDcName(
[in,string,charset(UTF8)] char *domain_name,
[in,unique] GUID *domain_guid,
diff --git a/source3/include/idmap.h b/source3/include/idmap.h
index 800e694..c379eba 100644
--- a/source3/include/idmap.h
+++ b/source3/include/idmap.h
@@ -32,9 +32,13 @@

#include "librpc/gen_ndr/idmap.h"

+struct wbint_userinfo;
+
struct idmap_domain {
const char *name;
struct idmap_methods *methods;
+ NTSTATUS (*query_user)(struct idmap_domain *domain,
+ struct wbint_userinfo *info);
uint32_t low_id;
uint32_t high_id;
bool read_only;
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index e4ceed1..792700e 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -172,8 +172,8 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
k5ret = krb5_cc_resolve(gse_ctx->k5ctx, ccache_name,
&gse_ctx->ccache);
if (k5ret) {
- DEBUG(1, ("Failed to resolve credential cache! (%s)\n",
- error_message(k5ret)));
+ DEBUG(1, ("Failed to resolve credential cache '%s'! (%s)\n",
+ ccache_name, error_message(k5ret)));
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -204,7 +204,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx;
OM_uint32 gss_maj, gss_min;
gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
- gss_OID_set_desc mech_set;
#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
@@ -253,20 +252,26 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */

- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mech_set,
- GSS_C_INITIATE,
- &gse_ctx->creds,
- NULL, NULL);
+ gss_maj = gss_krb5_import_cred(&gss_min,
+ gse_ctx->ccache,
+ NULL, /* keytab_principal */
+ NULL, /* keytab */
+ &gse_ctx->creds);
if (gss_maj) {
- DEBUG(5, ("gss_acquire_creds failed for GSS_C_NO_NAME with [%s] -"
+ char *ccache = NULL;
+ int kret;
+
+ kret = krb5_cc_get_full_name(gse_ctx->k5ctx,
+ gse_ctx->ccache,
+ &ccache);
+ if (kret != 0) {
+ ccache = NULL;
+ }
+
+ DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
"the caller may retry after a kinit.\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
+ ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
+ SAFE_FREE(ccache);
status = NT_STATUS_INTERNAL_ERROR;
goto err_out;
}
@@ -390,8 +395,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
goto done;
}

-#ifdef HAVE_GSS_KRB5_IMPORT_CRED
-
/* This creates a GSSAPI cred_id_t with the keytab set */
gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
&gse_ctx->creds);
@@ -410,7 +413,6 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
* principal in request'. Work around the issue by
* falling back to the alternate approach below. */
} else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
-#endif
/* FIXME!!!
* This call sets the default keytab for the whole server, not
* just for this context. Need to find a way that does not alter
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c
index 84834f1..6a52633 100644
--- a/source3/winbindd/idmap.c
+++ b/source3/winbindd/idmap.c
@@ -500,7 +500,7 @@ fail:
* add_trusted_domain.
*/

-static struct idmap_domain *idmap_find_domain(const char *domname)
+struct idmap_domain *idmap_find_domain(const char *domname)
{
bool ok;
int i;
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index c385cf0..f406392 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -39,8 +39,14 @@ struct idmap_ad_context {
struct tldap_context *ld;
struct idmap_ad_schema_names *schema;
const char *default_nc;
+
+ bool unix_primary_group;
+ bool unix_nss_info;
};

+static NTSTATUS idmap_ad_get_context(struct idmap_domain *dom,
+ struct idmap_ad_context **pctx);
+
static char *get_schema_path(TALLOC_CTX *mem_ctx, struct tldap_context *ld)
{
struct tldap_message *rootdse;
@@ -396,6 +402,11 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}

+ ctx->unix_primary_group = lp_parm_bool(
+ -1, schema_config_option, "unix_primary_group", false);
+ ctx->unix_nss_info = lp_parm_bool(
+ -1, schema_config_option, "unix_nss_info", false);
+
schema_mode = lp_parm_const_string(
-1, schema_config_option, "schema_mode", "rfc2307");
TALLOC_FREE(schema_config_option);
@@ -412,8 +423,107 @@ static NTSTATUS idmap_ad_context_create(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}

+static NTSTATUS idmap_ad_query_user(struct idmap_domain *domain,
+ struct wbint_userinfo *info)
+{
+ struct idmap_ad_context *ctx;
+ TLDAPRC rc;
+ NTSTATUS status;
+ char *sidstr, *filter;
+ const char *attrs[4];
+ size_t i, num_msgs;
+ struct tldap_message **msgs;
+
+ status = idmap_ad_get_context(domain, &ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!(ctx->unix_primary_group || ctx->unix_nss_info)) {
+ return NT_STATUS_OK;
+ }
+
+ attrs[0] = ctx->schema->gid;
+ attrs[1] = ctx->schema->gecos;
+ attrs[2] = ctx->schema->dir;
+ attrs[3] = ctx->schema->shell;
+
+ sidstr = ldap_encode_ndr_dom_sid(talloc_tos(), &info->user_sid);
+ if (sidstr == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ filter = talloc_asprintf(talloc_tos(), "(objectsid=%s)", sidstr);
+ TALLOC_FREE(sidstr);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DBG_DEBUG("Filter: [%s]\n", filter);
+
+ rc = tldap_search(ctx->ld, ctx->default_nc, TLDAP_SCOPE_SUB, filter,
+ attrs, ARRAY_SIZE(attrs), 0, NULL, 0, NULL, 0,
+ 0, 0, 0, talloc_tos(), &msgs);
+ if (!TLDAP_RC_IS_SUCCESS(rc)) {
+ return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+ }
+
+ TALLOC_FREE(filter);
+
+ num_msgs = talloc_array_length(msgs);
+
+ for (i=0; i<num_msgs; i++) {
+ struct tldap_message *msg = msgs[i];
+
+ if (tldap_msg_type(msg) != TLDAP_RES_SEARCH_ENTRY) {
+ continue;
+ }
+
+ if (ctx->unix_primary_group) {
+ bool ok;
+ uint32_t gid;
+
+ ok = tldap_pull_uint32(msg, ctx->schema->gid, &gid);
+ if (ok) {
+ DBG_DEBUG("Setting primary group "
+ "to %"PRIu32" from attr %s\n",
+ gid, ctx->schema->gid);
+ info->primary_gid = gid;
+ }
+ }
+
+ if (ctx->unix_nss_info) {
+ char *attr;
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->dir, talloc_tos());
+ if (attr != NULL) {
+ info->homedir = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->shell, talloc_tos());
+ if (attr != NULL) {
+ info->shell = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+
+ attr = tldap_talloc_single_attribute(
+ msg, ctx->schema->gecos, talloc_tos());
+ if (attr != NULL) {
+ info->full_name = talloc_move(info, &attr);
+ }
+ TALLOC_FREE(attr);
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
static NTSTATUS idmap_ad_initialize(struct idmap_domain *dom)
{
+ dom->query_user = idmap_ad_query_user;
dom->private_data = NULL;
return NT_STATUS_OK;
}
diff --git a/source3/winbindd/idmap_ad_nss.c b/source3/winbindd/idmap_ad_nss.c
index 8c5a13d..d979231 100644
--- a/source3/winbindd/idmap_ad_nss.c
+++ b/source3/winbindd/idmap_ad_nss.c
@@ -502,29 +502,24 @@ static struct nss_info_methods nss_sfu20_methods = {

NTSTATUS idmap_ad_nss_init(void)
{
- static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
- static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
- static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS status;

- if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
- status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
- "rfc2307", &nss_rfc2307_methods );
- if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
- return status_nss_rfc2307;
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "rfc2307", &nss_rfc2307_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

- if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
- status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
- "sfu", &nss_sfu_methods );
- if ( !NT_STATUS_IS_OK(status_nss_sfu) )
- return status_nss_sfu;
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "sfu", &nss_sfu_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

- if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
- status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
- "sfu20", &nss_sfu20_methods );
- if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
- return status_nss_sfu20;
+ status = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
+ "sfu20", &nss_sfu20_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}

return NT_STATUS_OK;
diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h
index 84cc2f0..0e25963 100644
--- a/source3/winbindd/idmap_proto.h
+++ b/source3/winbindd/idmap_proto.h
@@ -36,6 +36,7 @@ NTSTATUS idmap_allocate_uid(struct unixid *id);
NTSTATUS idmap_allocate_gid(struct unixid *id);
NTSTATUS idmap_backend_unixids_to_sids(struct id_map **maps,
const char *domain_name);
+struct idmap_domain *idmap_find_domain(const char *domname);

/* The following definitions come from winbindd/idmap_nss.c */

diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c
deleted file mode 100644
index 2229b05..0000000
--- a/source3/winbindd/wb_fill_pwent.c
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
- async fill_pwent
- Copyright (C) Volker Lendecke 2009
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "winbindd.h"
-#include "librpc/gen_ndr/ndr_winbind_c.h"
-
-struct wb_fill_pwent_state {
- struct tevent_context *ev;
- const struct wbint_userinfo *info;
- struct winbindd_pw *pw;
-};
-
-static bool fillup_pw_field(const char *lp_template,
- const char *username,
- const char *grpname,
- const char *domname,
- uid_t uid,
- gid_t gid,
- const char *in,
- fstring out);
-
-static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq);
-static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq);
-
-struct tevent_req *wb_fill_pwent_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const struct wbint_userinfo *info,
- struct winbindd_pw *pw)
-{
- struct tevent_req *req, *subreq;
- struct wb_fill_pwent_state *state;
-
- req = tevent_req_create(mem_ctx, &state, struct wb_fill_pwent_state);
- if (req == NULL) {
- return NULL;
- }
- state->ev = ev;
- state->info = info;
- state->pw = pw;
-
- subreq = wb_sids2xids_send(state, state->ev, &state->info->user_sid, 1);
- if (tevent_req_nomem(subreq, req)) {
- return tevent_req_post(req, ev);
- }
- tevent_req_set_callback(subreq, wb_fill_pwent_sid2uid_done, req);
- return req;
-}
-
-static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq)
-{
- struct tevent_req *req = tevent_req_callback_data(
- subreq, struct tevent_req);
- struct wb_fill_pwent_state *state = tevent_req_data(
- req, struct wb_fill_pwent_state);
- NTSTATUS status;
- struct unixid xids[1];
-
- status = wb_sids2xids_recv(subreq, xids, ARRAY_SIZE(xids));
- TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
- return;
- }
-
- /*
- * We are filtering further down in sids2xids, but that filtering
- * depends on the actual type of the sid handed in (as determined
- * by lookupsids). Here we need to filter for the type of object
- * actually requested, in this case uid.
- */
- if (!(xids[0].type == ID_TYPE_UID || xids[0].type == ID_TYPE_BOTH)) {
- tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
- return;
- }
-
- state->pw->pw_uid = (uid_t)xids[0].id;
-
- subreq = wb_getgrsid_send(state, state->ev, &state->info->group_sid, 0);
- if (tevent_req_nomem(subreq, req)) {
- return;
- }
- tevent_req_set_callback(subreq, wb_fill_pwent_getgrsid_done, req);
-}
-
-static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq)
-{
- struct tevent_req *req = tevent_req_callback_data(
- subreq, struct tevent_req);
- struct wb_fill_pwent_state *state = tevent_req_data(
- req, struct wb_fill_pwent_state);
- struct winbindd_domain *domain;
- const char *dom_name;
- const char *grp_name;
- fstring user_name, output_username;
- char *mapped_name = NULL;
- struct talloc_dict *members;
- TALLOC_CTX *tmp_ctx = talloc_stackframe();
- NTSTATUS status;
- bool ok;
-
- /* xid handling is done in getgrsid() */
- status = wb_getgrsid_recv(subreq,
- tmp_ctx,
- &dom_name,

The branch, master has been updated
via 5bcf3f1 WHATSNEW: Some small formal fixes.
from ec62194 winbind: Remove find_builtin_domain helper function

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5bcf3f1b74647869c8d7321b3c2b7fb07e65ca53
Author: Karolin Seeger <***@samba.org>
Date: Tue Jan 3 10:09:42 2017 +0100

WHATSNEW: Some small formal fixes.

Signed-off-by: Karolin Seeger <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Karolin Seeger <***@samba.org>
Autobuild-Date(master): Tue Jan 3 16:03:12 CET 2017 on sn-devel-144

-----------------------------------------------------------------------

Summary of changes:
WHATSNEW.txt | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b512796..7795523 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -44,6 +44,7 @@ configured as the default backend.
To avoid problems in future we advise all users to run 'testparm' after
changing the smb.conf file!

+
NEW FEATURES/CHANGES
====================

@@ -114,7 +115,7 @@ over-replication of links from new DCs. We have also made the parsing
of on-disk linked attributes much more efficient.

DNS improvements
----------------------------
+----------------

The samba-tool dns subcommand is now much more robust and can delete
records in a number of situations where it was not possible to do so
@@ -122,7 +123,6 @@ in the past.

On the server side, DNS names are now more strictly validated.

-
CTDB changes
------------

@@ -175,10 +175,6 @@ CTDB changes
--enable-ceph-reclock configure options.


-REMOVED FEATURES
-================
-
-
smb.conf changes
================

The branch, master has been updated
via 98bcdca torture-netlogon: Use "all_zero" where appropriate
via 015a41a torture-samlogon: Avoid static zeros
via b3d5fe9 torture-samlogon: Use "all_zero" where appropriate
via 6eeb3ec torture-dfs: Use "all_zero" where appropriate
via efb5f38 auth4: Use "all_zero" where appropriate
via a4bc275 kdc: Use "all_zero" where appropriate
via 80bb18d samr3: Use "all_zero" where appropriate
via c9955da libads: Use "all_zero" where appropriate
via 214abc9 lib: Use "all_zero" where appropriate
via 25465b1 librpc: Use "all_zero" where appropriate
via 20c56e2 libnet: Use "all_zero" where appropriate
via f5847b6 auth: Use "all_zero" where appropriate
via f46932a librpc: Use "all_zero" where appropriate
via 577418c libcli: Use "all_zero" where appropriate
via ac389ee passdb: Use "all_zero" where appropriate
via d3322cd auth3: Avoid some zeros footprint
via 9c72823 ntlm_auth: Use "all_zero" where appropriate
via 0eea65d libcli: Use "all_zero" where appropriate
via 38884b2 libcli: Use "all_zero" where appropriate
via f50b6e7 auth3: Use "all_zero" where appropriate
via 3d9b1bd libcli: Use "all_zero" where appropriate
via 66e4026 lib: Remove a duplicate prototype
via ebdce3c libsmb: Add name_status_lmhosts
from 5bcf3f1 WHATSNEW: Some small formal fixes.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 98bcdca632c7e508af2ecb3e8d6e005d04523c83
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

torture-netlogon: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

Autobuild-User(master): Ralph Böhme <***@samba.org>
Autobuild-Date(master): Tue Jan 3 19:56:17 CET 2017 on sn-devel-144

commit 015a41a5e358849bc5960f9bc7714f751ad0f7b7
Author: Volker Lendecke <***@samba.org>
Date: Sun Jan 1 16:28:36 2017 +0000

torture-samlogon: Avoid static zeros

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit b3d5fe9679a56ba20e9627fecda36c60a471a20c
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

torture-samlogon: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 6eeb3ec3ab19ddee11829f1d5ac2d13ef1c7b18c
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

torture-dfs: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit efb5f38f1f03d3f1326a8fa115d19101c41db95a
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

auth4: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit a4bc275d947932c0a72e4f6d395634224f903e1a
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

kdc: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 80bb18d896a5609adb526a39c8512a4bc94cb409
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

samr3: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit c9955da65ad1befe51ad21dd884956c199b4c9b5
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libads: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 214abc98e667bfa529eec86e5f1ef7e2c1cb8f37
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

lib: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 25465b118a32d0f4dea777da5880195ed7f27ecf
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

librpc: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 20c56e21ca4a5f2abcc618deb7d23e432721c88a
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libnet: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f5847b6e3484f7660535e60ba2d5df2fc8dad096
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

auth: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Signed-off-by: Ralph Boehme <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f46932abfcd6461f4aa61302312ba13f641fc3d7
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

librpc: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 577418c87ef7ead24bcc09149c5a54840b7bc287
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libcli: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit ac389eedece4ed9917cbac8b759b83f2111b3b66
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

passdb: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit d3322cdd21a28968fb6442843cbf169dc1ae0737
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 13:11:10 2016 +0000

auth3: Avoid some zeros footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 9c72823a99c4355af23530db2f6e263ac2b58458
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

ntlm_auth: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 0eea65d3728aaac3a443f5b57172d7486ca1c893
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libcli: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 38884b2b2b08d54311d3b927900c5a9b071f8a5e
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libcli: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit f50b6e7cb4aa1891f4a6808cc7008f64aee79e49
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

auth3: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 3d9b1bdf6c8f969c5075f1e0b47714a8a534bc2a
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:45:51 2016 +0000

libcli: Use "all_zero" where appropriate

... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit 66e402653f9a7991d03c7d483a9186a5400ab70e
Author: Volker Lendecke <***@samba.org>
Date: Sat Dec 31 12:38:45 2016 +0000

lib: Remove a duplicate prototype

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

commit ebdce3c489a856f233067d806fa4e3fb35976919
Author: Volker Lendecke <***@samba.org>
Date: Mon Dec 19 20:18:41 2016 +0100

libsmb: Add name_status_lmhosts

Don't ask... Oh, you did? :-)

Try to figure out a hosts' name from lmhosts. This is for a setup I've
come across where for several reasons kerberos and ldap were unusable
(very organically grown but unchangeable Solaris 10 installation with
tons of ancient libs that ./configure incorrectly finds and where tar xf
samba-4.5.3.tar takes 5 minutes...), so I had to fall back to compile
with --without-ads. Unfortunately in that environment NetBIOS was also
turned off, but the "winbind rpc only" code relies on name_status to
get a DC's name from its IP address for the netlogon calls. This walks
the local lmhosts file to scan for the same information.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Ralph Boehme <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
lib/krb5_wrap/krb5_samba.c | 8 ++----
libcli/auth/credentials.c | 33 +++++++++------------
libcli/auth/ntlm_check.c | 5 ++--
libcli/samsync/decrypt.c | 15 ++++------
libcli/smb/smbXcli_base.c | 10 ++-----
librpc/ndr/ndr_sec_helper.c | 12 ++------
source3/auth/auth_util.c | 10 +++----
source3/auth/check_samsec.c | 5 ++--
source3/include/proto.h | 1 -
source3/libads/kerberos_keytab.c | 30 ++++---------------
source3/libnet/libnet_dssync_passdb.c | 7 ++---
source3/libnet/libnet_keytab.h | 1 -
source3/libnet/libnet_samsync_display.c | 6 ++--
source3/libnet/libnet_samsync_keytab.c | 2 +-
source3/libnet/libnet_samsync_ldif.c | 7 ++---
source3/libnet/libnet_samsync_passdb.c | 7 ++---
source3/librpc/crypto/gse_krb5.c | 38 +++++++-----------------
source3/libsmb/namequery.c | 43 ++++++++++++++++++++++++++++
source3/passdb/pdb_samba_dsdb.c | 4 +--
source3/rpc_server/samr/srv_samr_chgpasswd.c | 8 ++----
source3/utils/ntlm_auth.c | 22 ++++++--------
source4/auth/ntlm/auth_sam.c | 5 ++--
source4/kdc/pac-glue.c | 10 +++----
source4/torture/dfs/domaindfs.c | 7 ++---
source4/torture/rpc/netlogon.c | 7 ++---
source4/torture/rpc/samlogon.c | 16 +++--------
26 files changed, 131 insertions(+), 188 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 307be93..f8f3b16 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1229,17 +1229,13 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,
{
krb5_error_code ret;
krb5_kt_cursor cursor;
- krb5_kt_cursor zero_csr;
krb5_keytab_entry kt_entry;
- krb5_keytab_entry zero_kt_entry;
char *ktprinc = NULL;
krb5_kvno old_kvno = kvno - 1;
TALLOC_CTX *tmp_ctx;

ZERO_STRUCT(cursor);
- ZERO_STRUCT(zero_csr);
ZERO_STRUCT(kt_entry);
- ZERO_STRUCT(zero_kt_entry);

ret = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret == KRB5_KT_END || ret == ENOENT ) {
@@ -1374,10 +1370,10 @@ krb5_error_code smb_krb5_kt_seek_and_delete_old_entries(krb5_context context,

out:
talloc_free(tmp_ctx);
- if (memcmp(&zero_kt_entry, &kt_entry, sizeof(krb5_keytab_entry))) {
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
- if (memcmp(&cursor, &zero_csr, sizeof(krb5_kt_cursor)) != 0) {
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor))) {
krb5_kt_end_seq_get(context, keytab, &cursor);
}
return ret;
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 91f37b7..ddff5e9 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -512,7 +512,6 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
union netr_Validation *validation,
bool do_encrypt)
{
- static const char zeros[16];
struct netr_SamBaseInfo *base = NULL;

if (validation == NULL) {
@@ -549,8 +548,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
/* they aren't encrypted! */
} else if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- if (memcmp(base->key.key, zeros,
- sizeof(base->key.key)) != 0) {
+ if (!all_zero(base->key.key, sizeof(base->key.key))) {
if (do_encrypt) {
netlogon_creds_aes_encrypt(creds,
base->key.key,
@@ -562,8 +560,8 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
}
}

- if (memcmp(base->LMSessKey.key, zeros,
- sizeof(base->LMSessKey.key)) != 0) {
+ if (!all_zero(base->LMSessKey.key,
+ sizeof(base->LMSessKey.key))) {
if (do_encrypt) {
netlogon_creds_aes_encrypt(creds,
base->LMSessKey.key,
@@ -577,23 +575,22 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
}
} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- if (memcmp(base->key.key, zeros,
- sizeof(base->key.key)) != 0) {
+ if (!all_zero(base->key.key, sizeof(base->key.key))) {
netlogon_creds_arcfour_crypt(creds,
base->key.key,
sizeof(base->key.key));
}

- if (memcmp(base->LMSessKey.key, zeros,
- sizeof(base->LMSessKey.key)) != 0) {
+ if (!all_zero(base->LMSessKey.key,
+ sizeof(base->LMSessKey.key))) {
netlogon_creds_arcfour_crypt(creds,
base->LMSessKey.key,
sizeof(base->LMSessKey.key));
}
} else {
/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
- if (memcmp(base->LMSessKey.key, zeros,
- sizeof(base->LMSessKey.key)) != 0) {
+ if (!all_zero(base->LMSessKey.key,
+ sizeof(base->LMSessKey.key))) {
if (do_encrypt) {
netlogon_creds_des_encrypt_LMKey(creds,
&base->LMSessKey);
@@ -626,8 +623,6 @@ static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Credential
union netr_LogonLevel *logon,
bool do_encrypt)
{
- static const char zeros[16];
-
if (logon == NULL) {
return;
}
@@ -645,7 +640,7 @@ static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Credential
uint8_t *h;

h = logon->password->lmpassword.hash;
- if (memcmp(h, zeros, 16) != 0) {
+ if (!all_zero(h, 16)) {
if (do_encrypt) {
netlogon_creds_aes_encrypt(creds, h, 16);
} else {
@@ -654,7 +649,7 @@ static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Credential
}

h = logon->password->ntpassword.hash;
- if (memcmp(h, zeros, 16) != 0) {
+ if (!all_zero(h, 16)) {
if (do_encrypt) {
netlogon_creds_aes_encrypt(creds, h, 16);
} else {
@@ -665,19 +660,19 @@ static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Credential
uint8_t *h;

h = logon->password->lmpassword.hash;
- if (memcmp(h, zeros, 16) != 0) {
+ if (!all_zero(h, 16)) {
netlogon_creds_arcfour_crypt(creds, h, 16);
}

h = logon->password->ntpassword.hash;
- if (memcmp(h, zeros, 16) != 0) {
+ if (!all_zero(h, 16)) {
netlogon_creds_arcfour_crypt(creds, h, 16);
}
} else {
struct samr_Password *p;

p = &logon->password->lmpassword;
- if (memcmp(p->hash, zeros, 16) != 0) {
+ if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
netlogon_creds_des_encrypt(creds, p);
} else {
@@ -685,7 +680,7 @@ static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Credential
}
}
p = &logon->password->ntpassword;
- if (memcmp(p->hash, zeros, 16) != 0) {
+ if (!all_zero(p->hash, 16)) {
if (do_encrypt) {
netlogon_creds_des_encrypt(creds, p);
} else {
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 7f91b52..d7fba34 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -293,7 +293,6 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
DATA_BLOB *user_sess_key,
DATA_BLOB *lm_sess_key)
{
- const static uint8_t zeros[8];
DATA_BLOB tmp_sess_key;
const char *upper_client_domain = NULL;

@@ -314,8 +313,8 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,

/* Check for cleartext netlogon. Used by Exchange 5.5. */
if ((logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_ALLOWED)
- && challenge->length == sizeof(zeros)
- && (memcmp(challenge->data, zeros, challenge->length) == 0 )) {
+ && challenge->length == 8
+ && (all_zero(challenge->data, challenge->length))) {
struct samr_Password client_nt;
struct samr_Password client_lm;
char *unix_pw = NULL;
diff --git a/libcli/samsync/decrypt.c b/libcli/samsync/decrypt.c
index 117151e..66cc915 100644
--- a/libcli/samsync/decrypt.c
+++ b/libcli/samsync/decrypt.c
@@ -44,15 +44,12 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
struct netr_DELTA_USER *user = delta->delta_union.user;
struct samr_Password lm_hash;
struct samr_Password nt_hash;
- unsigned char zero_buf[16];
-
- memset(zero_buf, '\0', sizeof(zero_buf));

/* Note that win2000 may send us all zeros
* for the hashes if it doesn't
* think this channel is secure enough. */
if (user->lm_password_present) {
- if (memcmp(user->lmpassword.hash, zero_buf, 16) != 0) {
+ if (!all_zero(user->lmpassword.hash, 16)) {
sam_rid_crypt(rid, user->lmpassword.hash, lm_hash.hash, 0);
} else {
memset(lm_hash.hash, '\0', sizeof(lm_hash.hash));
@@ -61,7 +58,7 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
}

if (user->nt_password_present) {
- if (memcmp(user->ntpassword.hash, zero_buf, 16) != 0) {
+ if (!all_zero(user->ntpassword.hash, 16)) {
sam_rid_crypt(rid, user->ntpassword.hash, nt_hash.hash, 0);
} else {
memset(nt_hash.hash, '\0', sizeof(nt_hash.hash));
@@ -90,8 +87,8 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
* for the hashes if it doesn't
* think this channel is secure enough. */
if (keys.keys.keys2.lmpassword.length == 16) {
- if (memcmp(keys.keys.keys2.lmpassword.pwd.hash,
- zero_buf, 16) != 0) {
+ if (!all_zero(keys.keys.keys2.lmpassword.pwd.hash,
+ 16)) {
sam_rid_crypt(rid,
keys.keys.keys2.lmpassword.pwd.hash,
lm_hash.hash, 0);
@@ -102,8 +99,8 @@ static NTSTATUS fix_user(TALLOC_CTX *mem_ctx,
user->lm_password_present = true;
}
if (keys.keys.keys2.ntpassword.length == 16) {
- if (memcmp(keys.keys.keys2.ntpassword.pwd.hash,
- zero_buf, 16) != 0) {
+ if (!all_zero(keys.keys.keys2.ntpassword.pwd.hash,
+ 16)) {
sam_rid_crypt(rid,
keys.keys.keys2.ntpassword.pwd.hash,
nt_hash.hash, 0);
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index e24090d..a7b24f0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3851,13 +3851,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
}
}
if (signing_key) {
- int cmp;
- static const uint8_t zeros[16];
-
- cmp = memcmp(inhdr+SMB2_HDR_SIGNATURE,
- zeros,
- 16);
- if (cmp == 0) {
+ bool zero;
+ zero = all_zero(inhdr+SMB2_HDR_SIGNATURE, 16);
+ if (zero) {
state->smb2.signing_skipped = true;
signing_key = NULL;
}
diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c
index ea082d1..ecc0511 100644
--- a/librpc/ndr/ndr_sec_helper.c
+++ b/librpc/ndr/ndr_sec_helper.c
@@ -128,13 +128,9 @@ size_t ndr_size_dom_sid(const struct dom_sid *sid, int flags)

size_t ndr_size_dom_sid28(const struct dom_sid *sid, int flags)
{
- struct dom_sid zero_sid;
-
if (!sid) return 0;

- ZERO_STRUCT(zero_sid);
-
- if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) {
+ if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
return 0;
}

@@ -287,8 +283,6 @@ enum ndr_err_code ndr_pull_dom_sid0(struct ndr_pull *ndr, int ndr_flags, struct
*/
enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const struct dom_sid *sid)
{
- struct dom_sid zero_sid;
-
if (!(ndr_flags & NDR_SCALARS)) {
return NDR_ERR_SUCCESS;
}
@@ -297,9 +291,7 @@ enum ndr_err_code ndr_push_dom_sid0(struct ndr_push *ndr, int ndr_flags, const s
return NDR_ERR_SUCCESS;
}

- ZERO_STRUCT(zero_sid);
-
- if (memcmp(&zero_sid, sid, sizeof(zero_sid)) == 0) {
+ if (all_zero((const uint8_t *)sid, sizeof(struct dom_sid))) {
return NDR_ERR_SUCCESS;
}

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 25f27e8..ae6bfb3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -811,7 +811,6 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,

static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_info, struct auth_serversupplied_info **server_info)
{
- static const char zeros[16] = {0};
const char *guest_account = lp_guest_account();
const char *domain = lp_netbios_name();
struct netr_SamInfo3 info3;
@@ -861,7 +860,7 @@ static NTSTATUS make_new_session_info_guest(struct auth_session_info **session_i

/* annoying, but the Guest really does have a session key, and it is
all zeros! */
- (*session_info)->session_key = data_blob(zeros, sizeof(zeros));
+ (*session_info)->session_key = data_blob_talloc_zero(NULL, 16);

status = NT_STATUS_OK;
done:
@@ -1358,8 +1357,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info **server_info,
const struct netr_SamInfo3 *info3)
{
- static const char zeros[16] = {0, };
-
NTSTATUS nt_status = NT_STATUS_OK;
char *found_username = NULL;
const char *nt_domain;
@@ -1460,7 +1457,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,

/* ensure we are never given NULL session keys */

- if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
+ if (all_zero(info3->base.key.key, sizeof(info3->base.key.key))) {
result->session_key = data_blob_null;
} else {
result->session_key = data_blob_talloc(
@@ -1468,7 +1465,8 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
sizeof(info3->base.key.key));
}

- if (memcmp(info3->base.LMSessKey.key, zeros, 8) == 0) {
+ if (all_zero(info3->base.LMSessKey.key,
+ sizeof(info3->base.LMSessKey.key))) {
result->lm_session_key = data_blob_null;
} else {
result->lm_session_key = data_blob_talloc(
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index cbcde08..53b6da5 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -322,7 +322,6 @@ static bool need_to_increment_bad_pw_count(
username = pdb_get_username(sampass);

for (i=1; i < MIN(MIN(3, policy_pwhistory_len), pwhistory_len); i++) {
- static const uint8_t zero16[SALTED_MD5_HASH_LEN];
const uint8_t *salt;
const uint8_t *nt_pw;
NTSTATUS status;
@@ -332,12 +331,12 @@ static bool need_to_increment_bad_pw_count(
salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN];
nt_pw = salt + PW_HISTORY_SALT_LEN;

- if (memcmp(zero16, nt_pw, NT_HASH_LEN) == 0) {
+ if (all_zero(nt_pw, NT_HASH_LEN)) {
/* skip zero password hash */
continue;
}

- if (memcmp(zero16, salt, PW_HISTORY_SALT_LEN) != 0) {
+ if (!all_zero(salt, PW_HISTORY_SALT_LEN)) {
/* skip nonzero salt (old format entry) */
continue;
}
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 4535a14..642900e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -324,7 +324,6 @@ const char *my_sam_name(void);

enum protocol_types get_Protocol(void);
void set_Protocol(enum protocol_types p);
-bool all_zero(const uint8_t *ptr, size_t size);
void gfree_names(void);
void gfree_all( void );
const char *my_netbios_names(int i);
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 8c7c1c3..3c73b08 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -553,18 +553,10 @@ done:
TALLOC_FREE(frame);

if (context) {
- krb5_keytab_entry zero_kt_entry;
- krb5_kt_cursor zero_csr;
-
- ZERO_STRUCT(zero_kt_entry);
- ZERO_STRUCT(zero_csr);
-
- if (memcmp(&zero_kt_entry, &kt_entry,
- sizeof(krb5_keytab_entry))) {
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
smb_krb5_kt_free_entry(context, &kt_entry);
}
- if ((memcmp(&cursor, &zero_csr,
- sizeof(krb5_kt_cursor)) != 0) && keytab) {
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
krb5_kt_end_seq_get(context, keytab, &cursor);
}
if (keytab) {
@@ -657,21 +649,11 @@ int ads_keytab_list(const char *keytab_name)
ZERO_STRUCT(cursor);
out:

- {
- krb5_keytab_entry zero_kt_entry;
- ZERO_STRUCT(zero_kt_entry);
- if (memcmp(&zero_kt_entry, &kt_entry,
- sizeof(krb5_keytab_entry))) {
- smb_krb5_kt_free_entry(context, &kt_entry);
- }
+ if (!all_zero((uint8_t *)&kt_entry, sizeof(kt_entry))) {
+ smb_krb5_kt_free_entry(context, &kt_entry);
}
- {
- krb5_kt_cursor zero_csr;
- ZERO_STRUCT(zero_csr);
- if ((memcmp(&cursor, &zero_csr,
- sizeof(krb5_kt_cursor)) != 0) && keytab) {
- krb5_kt_end_seq_get(context, keytab, &cursor);
- }
+ if (!all_zero((uint8_t *)&cursor, sizeof(cursor)) && keytab) {
+ krb5_kt_end_seq_get(context, keytab, &cursor);
}

if (keytab) {
diff --git a/source3/libnet/libnet_dssync_passdb.c b/source3/libnet/libnet_dssync_passdb.c
index 99e65c2..8e2a459 100644
--- a/source3/libnet/libnet_dssync_passdb.c
+++ b/source3/libnet/libnet_dssync_passdb.c
@@ -1105,7 +1105,6 @@ static NTSTATUS sam_account_from_object(struct samu *account,
TALLOC_CTX *mem_ctx = account;
const char *old_string, *new_string;
time_t unix_time, stored_time;
- uchar zero_buf[16];
NTSTATUS status;

NTTIME lastLogon;
@@ -1134,8 +1133,6 @@ static NTSTATUS sam_account_from_object(struct samu *account,
uint32_t acct_flags;
uint32_t units_per_week;

- memset(zero_buf, '\0', sizeof(zero_buf));
-
objectSid = cur->object.identifier->sid;
GET_STRING_EX(sAMAccountName, true);
DEBUG(0,("sam_account_from_object(%s, %s) start\n",
@@ -1329,11 +1326,11 @@ static NTSTATUS sam_account_from_object(struct samu *account,
think this channel is secure enough - don't set the passwords at all
in that case
*/
- if (dBCSPwd.length == 16 && memcmp(dBCSPwd.data, zero_buf, 16) != 0) {
+ if (dBCSPwd.length == 16 && !all_zero(dBCSPwd.data, 16)) {
pdb_set_lanman_passwd(account, dBCSPwd.data, PDB_CHANGED);
}

- if (unicodePwd.length == 16 && memcmp(unicodePwd.data, zero_buf, 16) != 0) {
+ if (unicodePwd.length == 16 && !all_zero(unicodePwd.data, 16)) {
pdb_set_nt_passwd(account, unicodePwd.data, PDB_CHANGED);
}

diff --git a/source3/libnet/libnet_keytab.h b/source3/libnet/libnet_keytab.h
index 43071ce..df6e957 100644
--- a/source3/libnet/libnet_keytab.h
+++ b/source3/libnet/libnet_keytab.h
@@ -35,7 +35,6 @@ struct libnet_keytab_context {
const char *keytab_name;
struct ads_struct *ads;
const char *dns_domain_name;
- uint8_t zero_buf[16];
uint32_t count;
struct libnet_keytab_entry *entries;
bool clean_old_entries;
diff --git a/source3/libnet/libnet_samsync_display.c b/source3/libnet/libnet_samsync_display.c
index 034a23f..040742d 100644
--- a/source3/libnet/libnet_samsync_display.c
+++ b/source3/libnet/libnet_samsync_display.c
@@ -60,19 +60,17 @@ static void display_account_info(uint32_t rid,
struct netr_DELTA_USER *r)
{
fstring hex_nt_passwd, hex_lm_passwd;
- uchar zero_buf[16];

- memset(zero_buf, '\0', sizeof(zero_buf));

/* Decode hashes from password hash (if they are not NULL) */

- if (memcmp(r->lmpassword.hash, zero_buf, 16) != 0) {
+ if (!all_zero(r->lmpassword.hash, 16)) {
pdb_sethexpwd(hex_lm_passwd, r->lmpassword.hash, r->acct_flags);
} else {
pdb_sethexpwd(hex_lm_passwd, NULL, 0);
}

- if (memcmp(r->ntpassword.hash, zero_buf, 16) != 0) {
+ if (!all_zero(r->ntpassword.hash, 16)) {

The branch, master has been updated
via eb35afa winbind: Fix a typo
via b26ea7e winbind: Avoid a few explicit ZERO_STRUCT calls
via 319d602 winbind: remove nss_get_info backend functions
via 3081efb winbind: Remove nss_get_info()
via 2b722af winbind: Remove unused nss_get_info_cached
via 480c958 winbind: Simplify query_user_list to only return rids
via 67c0696 winbind: Remove wbint_QueryUserList
via 479ce28 winbind: Make list_users use wb_query_user_list
via 81e5770 winbind: Make wb_query_user_list just return names
via 91b73b1 winbind: Remove rpc_lookup_usergroups
via b231814 winbind: Remove "lookup_usergroups" winbind method
via 3f58a8c winbind: Remove validate_ug
via 876dc28 winbind: Remove wcache_lookup_usergroups
via f83863b winbind: Remove wb_cache_lookup_usergroups
via 256632e winbind: Remove wbint_LookupUserGroups
via c0570e6 winbind: Remove wb_lookupusergroups
via 13d7d46 winbind: Use wb_gettoken in getuserdomgroups
via bb050bf winbind: Add "expand_local_aliases" to wb_gettoken
via a8ab48e winbind: Remove rpc_query_user
via 241c81b winbind: Remove "query_user" backend function
via 81f3400 winbind: Remove unused wb_cache_query_user
via 5b2d74b winbind: Remove wbint_QueryUser
via b92cac8 s3: torture: Add test for cli_ftruncate calling cli_smb2_ftruncate.
via e0f1ed9 s3: libsmb: Add cli_smb2_ftruncate(), plumb into cli_ftruncate().
from 98bcdca torture-netlogon: Use "all_zero" where appropriate

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit eb35afacc145914478bc94bba9cbab6220b4f7ff
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 12:18:25 2017 +0000

winbind: Fix a typo

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

Autobuild-User(master): Volker Lendecke <***@samba.org>
Autobuild-Date(master): Wed Jan 4 16:10:32 CET 2017 on sn-devel-144

commit b26ea7ef5e34d8f838d41131002ff5d10dc07ac5
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 09:54:33 2017 +0000

winbind: Avoid a few explicit ZERO_STRUCT calls

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 319d60285c92bbf86bc0a3f872f9c9f9d0530129
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 12:35:15 2017 +0000

winbind: remove nss_get_info backend functions

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 3081efb74f4082a4a4b25d2ddb6a0e339183184f
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 12:32:07 2017 +0000

winbind: Remove nss_get_info()

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 2b722af4235e6cd01e53272bfe0747642bae624b
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 12:17:27 2017 +0000

winbind: Remove unused nss_get_info_cached

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 480c9581a13afc08b20e80d2ff8a45ac8d7f18d3
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 12:11:30 2017 +0000

winbind: Simplify query_user_list to only return rids

Unfortunately this is a pretty large patch, because many functions
implement this API. The alternative would have been to create a new
backend function, add the new one piece by piece and then remove the
original function.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 67c0696761dedb748b1e4dc02531acbbf5ff95ca
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 15:45:50 2017 +0000

winbind: Remove wbint_QueryUserList

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 479ce28fd7dd54a6ae76fbbe3cd0a870738d87c0
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 15:44:04 2017 +0000

winbind: Make list_users use wb_query_user_list

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 81e5770aeebccfe6c65a40a5ac0e9e3a7b4c5d60
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 15:19:14 2017 +0000

winbind: Make wb_query_user_list just return names

Yes, this compiles. Nobody call this right now. Hold on :-)

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 91b73b1e93bb8fb38e2f1cea6c1cbd012c952542
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:23:21 2017 +0000

winbind: Remove rpc_lookup_usergroups

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b231814c6b0ad17255139bc8934f269610348b2b
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:21:37 2017 +0000

winbind: Remove "lookup_usergroups" winbind method

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 3f58a8cabab75a594cff9088d5dd8ea439b36178
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:13:50 2017 +0000

winbind: Remove validate_ug

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 876dc28b9cf13343a2962b1a1b035fe78c1858a6
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:12:35 2017 +0000

winbind: Remove wcache_lookup_usergroups

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit f83863b4d1510a9519d15934c960fd1675235812
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:07:03 2017 +0000

winbind: Remove wb_cache_lookup_usergroups

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 256632ed3cc724bab0fc22132ca6b52faf680ab2
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:04:29 2017 +0000

winbind: Remove wbint_LookupUserGroups

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit c0570e6ae8f8f0057ece48d764580897ff2b6f62
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:02:48 2017 +0000

winbind: Remove wb_lookupusergroups

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 13d7d46a80949e2f8abd77c7dfc9dc9dcc03ae97
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 15:00:46 2017 +0000

winbind: Use wb_gettoken in getuserdomgroups

This makes sure we return the same information regardless of which call into
winbind is used

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit bb050bfd88e34c9d922ac2c26ab4cefc1bd07543
Author: Volker Lendecke <***@samba.org>
Date: Tue Jan 3 14:54:46 2017 +0000

winbind: Add "expand_local_aliases" to wb_gettoken

I hate passing down booleans, but we have the "domain_groups_only"
parameter in wbcLookupUserSids which we need to keep for API
compatibility. To make sure we use as few code paths as possible, this
basically passes down this flag.

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit a8ab48ee193f68217e7c53b71bf6c57d2d15f8d7
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 15:58:39 2017 +0000

winbind: Remove rpc_query_user

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 241c81b2763392439043261cf179cd2c8793faed
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 15:56:48 2017 +0000

winbind: Remove "query_user" backend function

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 81f340097436280a90ba252d00f37c644a6be084
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 10:35:02 2017 +0000

winbind: Remove unused wb_cache_query_user

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit 5b2d74bd1116ef182b4a2a58cb8949ae8f10638f
Author: Volker Lendecke <***@samba.org>
Date: Mon Jan 2 10:32:19 2017 +0000

winbind: Remove wbint_QueryUser

Signed-off-by: Volker Lendecke <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>
Reviewed-by: Andreas Schneider <***@samba.org>

commit b92cac857823ac2d29133fba2fde57cf58805b45
Author: Jeremy Allison <***@samba.org>
Date: Tue Jan 3 15:37:03 2017 -0800

s3: torture: Add test for cli_ftruncate calling cli_smb2_ftruncate.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12479

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

commit e0f1ed9f450851bf5b7fec84577b50047309db3f
Author: Jeremy Allison <***@samba.org>
Date: Wed Dec 21 13:55:50 2016 -0800

s3: libsmb: Add cli_smb2_ftruncate(), plumb into cli_ftruncate().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12479

Signed-off-by: Jeremy Allison <***@samba.org>
Reviewed-by: Uri Simchoni <***@samba.org>

-----------------------------------------------------------------------

Summary of changes:
librpc/idl/winbind.idl | 14 -
source3/include/nss_info.h | 10 -
source3/libsmb/cli_smb2_fnum.c | 65 +++
source3/libsmb/cli_smb2_fnum.h | 3 +
source3/libsmb/clifile.c | 8 +-
source3/selftest/tests.py | 2 +-
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 157 +++++++
source3/torture/torture.c | 1 +
source3/winbindd/idmap_ad_nss.c | 106 -----
source3/winbindd/idmap_hash/idmap_hash.c | 41 --
source3/winbindd/nss_info.c | 26 --
source3/winbindd/nss_info_template.c | 27 --
source3/winbindd/wb_gettoken.c | 10 +-
source3/winbindd/wb_lookupusergroups.c | 97 -----
source3/winbindd/wb_query_user_list.c | 70 ++-
source3/winbindd/winbindd.h | 17 +-
source3/winbindd/winbindd_ads.c | 613 +--------------------------
source3/winbindd/winbindd_cache.c | 443 ++-----------------
source3/winbindd/winbindd_dual_srv.c | 74 +---
source3/winbindd/winbindd_getgroups.c | 2 +-
source3/winbindd/winbindd_getuserdomgroups.c | 15 +-
source3/winbindd/winbindd_getusersids.c | 2 +-
source3/winbindd/winbindd_list_users.c | 106 ++---
source3/winbindd/winbindd_msrpc.c | 172 +-------
source3/winbindd/winbindd_proto.h | 37 +-
source3/winbindd/winbindd_reconnect.c | 50 +--
source3/winbindd/winbindd_reconnect_ads.c | 50 +--
source3/winbindd/winbindd_rpc.c | 212 +--------
source3/winbindd/winbindd_rpc.h | 20 +-
source3/winbindd/winbindd_samr.c | 204 +--------
source3/winbindd/wscript_build | 1 -
32 files changed, 453 insertions(+), 2203 deletions(-)
delete mode 100644 source3/winbindd/wb_lookupusergroups.c


Changeset truncated at 500 lines:

diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index d38b17a..6245e13 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -84,11 +84,6 @@ interface winbind
dom_sid group_sid;
} wbint_userinfo;

- NTSTATUS wbint_QueryUser(
- [in] dom_sid *sid,
- [out] wbint_userinfo *info
- );
-
NTSTATUS wbint_GetNssInfo(
[in,out] wbint_userinfo *info
);
@@ -108,11 +103,6 @@ interface winbind
[out] wbint_RidArray *rids
);

- NTSTATUS wbint_LookupUserGroups(
- [in] dom_sid *sid,
- [out] wbint_SidArray *sids
- );
-
NTSTATUS wbint_QuerySequenceNumber(
[out] uint32 *sequence
);
@@ -139,10 +129,6 @@ interface winbind
[size_is(num_userinfos)] wbint_userinfo userinfos[];
} wbint_userinfos;

- NTSTATUS wbint_QueryUserList(
- [out] wbint_userinfos *users
- );
-
NTSTATUS wbint_QueryGroupList(
[out] wbint_Principals *groups
);
diff --git a/source3/include/nss_info.h b/source3/include/nss_info.h
index f92937e..54b4399 100644
--- a/source3/include/nss_info.h
+++ b/source3/include/nss_info.h
@@ -61,11 +61,6 @@ struct nss_domain_entry {

struct nss_info_methods {
NTSTATUS (*init)( struct nss_domain_entry *e );
- NTSTATUS (*get_nss_info)( struct nss_domain_entry *e,
- const struct dom_sid *sid,
- TALLOC_CTX *ctx,
- const char **homedir, const char **shell,
- const char **gecos, gid_t *p_gid);
NTSTATUS (*map_to_alias)(TALLOC_CTX *mem_ctx,
struct nss_domain_entry *e,
const char *name, char **alias);
@@ -82,11 +77,6 @@ NTSTATUS smb_register_idmap_nss(int version,
const char *name,
struct nss_info_methods *methods);

-NTSTATUS nss_get_info( const char *domain, const struct dom_sid *user_sid,
- TALLOC_CTX *ctx,
- const char **homedir, const char **shell,
- const char **gecos, gid_t *p_gid);
-
NTSTATUS nss_map_to_alias( TALLOC_CTX *mem_ctx, const char *domain,
const char *name, char **alias );

diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 266f2d3..848e077 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -3574,3 +3574,68 @@ NTSTATUS cli_smb2_shadow_copy_data(TALLOC_CTX *mem_ctx,
TALLOC_FREE(frame);
return status;
}
+
+/***************************************************************
+ Wrapper that allows SMB2 to truncate a file.
+ Synchronous only.
+***************************************************************/
+
+NTSTATUS cli_smb2_ftruncate(struct cli_state *cli,
+ uint16_t fnum,
+ uint64_t newsize)
+{
+ NTSTATUS status;
+ DATA_BLOB inbuf = data_blob_null;
+ struct smb2_hnd *ph = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (smbXcli_conn_has_async_calls(cli->conn)) {
+ /*
+ * Can't use sync call while an async call is in flight
+ */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ status = map_fnum_to_smb2_handle(cli,
+ fnum,
+ &ph);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ inbuf = data_blob_talloc_zero(frame, 8);
+ if (inbuf.data == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ SBVAL(inbuf.data, 0, newsize);
+
+ /* setinfo on the handle with info_type SMB2_SETINFO_FILE (1),
+ level 20 (SMB_FILE_END_OF_FILE_INFORMATION - 1000). */
+
+ status = smb2cli_set_info(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ 1, /* in_info_type */
+ /* in_file_info_class */
+ SMB_FILE_END_OF_FILE_INFORMATION - 1000,
+ &inbuf, /* in_input_buffer */
+ 0, /* in_additional_info */
+ ph->fid_persistent,
+ ph->fid_volatile);
+
+ fail:
+
+ cli->raw_status = status;
+
+ TALLOC_FREE(frame);
+ return status;
+}
diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
index 3289f7e..12c42a2 100644
--- a/source3/libsmb/cli_smb2_fnum.h
+++ b/source3/libsmb/cli_smb2_fnum.h
@@ -208,4 +208,7 @@ NTSTATUS cli_smb2_shadow_copy_data(TALLOC_CTX *mem_ctx,
bool get_names,
char ***pnames,
int *pnum_names);
+NTSTATUS cli_smb2_ftruncate(struct cli_state *cli,
+ uint16_t fnum,
+ uint64_t newsize);
#endif /* __SMB2CLI_FNUM_H__ */
diff --git a/source3/libsmb/clifile.c b/source3/libsmb/clifile.c
index 5e667bd..03dd640 100644
--- a/source3/libsmb/clifile.c
+++ b/source3/libsmb/clifile.c
@@ -2819,11 +2819,17 @@ NTSTATUS cli_ftruncate_recv(struct tevent_req *req)

NTSTATUS cli_ftruncate(struct cli_state *cli, uint16_t fnum, uint64_t size)
{
- TALLOC_CTX *frame = talloc_stackframe();
+ TALLOC_CTX *frame = NULL;
struct tevent_context *ev = NULL;
struct tevent_req *req = NULL;
NTSTATUS status = NT_STATUS_OK;

+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
+ return cli_smb2_ftruncate(cli, fnum, size);
+ }
+
+ frame = talloc_stackframe();
+
if (smbXcli_conn_has_async_calls(cli->conn)) {
/*
* Can't use sync call while an async call is in flight
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index d9d32cc..3aecc9c 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -53,7 +53,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7"
"CHAIN3", "PIDHIGH",
"GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST",
"CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT",
- "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT",
+ "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE",
"CLEANUP1",
"CLEANUP2",
"CLEANUP4",
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index 7d2dedd..da0c69f 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -98,6 +98,7 @@ bool run_smb2_session_reconnect(int dummy);
bool run_smb2_tcon_dependence(int dummy);
bool run_smb2_multi_channel(int dummy);
bool run_smb2_session_reauth(int dummy);
+bool run_smb2_ftruncate(int dummy);
bool run_chain3(int dummy);
bool run_local_conv_auth_info(int dummy);
bool run_local_sprintf_append(int dummy);
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
index 7819bc2..c0d11e6 100644
--- a/source3/torture/test_smb2.c
+++ b/source3/torture/test_smb2.c
@@ -27,6 +27,7 @@
#include "auth/gensec/gensec.h"
#include "auth_generic.h"
#include "../librpc/ndr/libndr.h"
+#include "libsmb/clirap.h"

extern fstring host, workgroup, share, password, username, myname;
extern struct cli_credentials *torture_creds;
@@ -1892,3 +1893,159 @@ bool run_smb2_session_reauth(int dummy)

return true;
}
+
+static NTSTATUS check_size(struct cli_state *cli,
+ uint16_t fnum,
+ const char *fname,
+ size_t size)
+{
+ off_t size_read = 0;
+
+ NTSTATUS status = cli_qfileinfo_basic(cli,
+ fnum,
+ NULL,
+ &size_read,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_smb2_qfileinfo_basic of %s failed (%s)\n",
+ fname,
+ nt_errstr(status));
+ return status;
+ }
+
+ if (size != size_read) {
+ printf("size (%u) != size_read(%u) for %s\n",
+ (unsigned int)size,
+ (unsigned int)size_read,
+ fname);
+ /* Use EOF to mean bad size. */
+ return NT_STATUS_END_OF_FILE;
+ }
+ return NT_STATUS_OK;
+}
+
+/* Ensure cli_ftruncate() works for SMB2. */
+
+bool run_smb2_ftruncate(int dummy)
+{
+ struct cli_state *cli = NULL;
+ const char *fname = "smb2_ftruncate.txt";
+ uint16_t fnum = (uint16_t)-1;
+ bool correct = false;
+ size_t buflen = 1024*1024;
+ uint8_t *buf = NULL;
+ unsigned int i;
+ NTSTATUS status;
+
+ printf("Starting SMB2-FTRUNCATE\n");
+
+ if (!torture_init_connection(&cli)) {
+ goto fail;
+ }
+
+ status = smbXcli_negprot(cli->conn, cli->timeout,
+ PROTOCOL_SMB2_02, PROTOCOL_SMB2_02);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+ goto fail;
+ }
+
+ status = cli_session_setup_creds(cli, torture_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_session_setup returned %s\n", nt_errstr(status));
+ goto fail;
+ }
+
+ status = cli_tree_connect(cli, share, "?????", NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_tree_connect returned %s\n", nt_errstr(status));
+ goto fail;
+ }
+
+ cli_setatr(cli, fname, 0, 0);
+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+
+ status = cli_ntcreate(cli,
+ fname,
+ 0,
+ GENERIC_ALL_ACCESS,
+ FILE_ATTRIBUTE_NORMAL,
+ FILE_SHARE_NONE,
+ FILE_CREATE,
+ 0,
+ 0,
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("open of %s failed (%s)\n", fname, nt_errstr(status));
+ goto fail;
+ }
+
+ buf = talloc_zero_array(cli, uint8_t, buflen);
+ if (buf == NULL) {
+ goto fail;
+ }
+
+ /* Write 1MB. */
+ status = cli_writeall(cli,
+ fnum,
+ 0,
+ buf,
+ 0,
+ buflen,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("write of %u to %s failed (%s)\n",
+ (unsigned int)buflen,
+ fname,
+ nt_errstr(status));
+ goto fail;
+ }
+
+ status = check_size(cli, fnum, fname, buflen);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ /* Now ftruncate. */
+ for ( i = 0; i < 10; i++) {
+ status = cli_ftruncate(cli, fnum, i*1024);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_ftruncate %u of %s failed (%s)\n",
+ (unsigned int)i*1024,
+ fname,
+ nt_errstr(status));
+ goto fail;
+ }
+ status = check_size(cli, fnum, fname, i*1024);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+ }
+
+ correct = true;
+
+ fail:
+
+ if (cli == NULL) {
+ return false;
+ }
+
+ if (fnum != (uint16_t)-1) {
+ cli_close(cli, fnum);
+ }
+ cli_setatr(cli, fname, 0, 0);
+ cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN);
+
+ if (!torture_close_connection(cli)) {
+ correct = false;
+ }
+ return correct;
+}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 1a57f41..ff3d68e 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -11070,6 +11070,7 @@ static struct {
{ "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence },
{ "SMB2-MULTI-CHANNEL", run_smb2_multi_channel },
{ "SMB2-SESSION-REAUTH", run_smb2_session_reauth },
+ { "SMB2-FTRUNCATE", run_smb2_ftruncate },
{ "CLEANUP1", run_cleanup1 },
{ "CLEANUP2", run_cleanup2 },
{ "CLEANUP3", run_cleanup3 },
diff --git a/source3/winbindd/idmap_ad_nss.c b/source3/winbindd/idmap_ad_nss.c
index d979231..8b27b36 100644
--- a/source3/winbindd/idmap_ad_nss.c
+++ b/source3/winbindd/idmap_ad_nss.c
@@ -197,109 +197,6 @@ static NTSTATUS nss_rfc2307_init( struct nss_domain_entry *e )
return nss_ad_generic_init(e, WB_POSIX_MAP_RFC2307);
}

-
-/************************************************************************
- ***********************************************************************/
-
-static NTSTATUS nss_ad_get_info( struct nss_domain_entry *e,
- const struct dom_sid *sid,
- TALLOC_CTX *mem_ctx,
- const char **homedir,
- const char **shell,
- const char **gecos,
- gid_t *p_gid )
-{
- const char *attrs[] = {NULL, /* attr_homedir */
- NULL, /* attr_shell */
- NULL, /* attr_gecos */
- NULL, /* attr_gidnumber */
- NULL };
- char *filter = NULL;
- LDAPMessage *msg_internal = NULL;
- ADS_STATUS ads_status = ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
- char *sidstr = NULL;
- struct idmap_domain *dom;
- struct idmap_ad_context *ctx;
-
- DEBUG(10, ("nss_ad_get_info called for sid [%s] in domain '%s'\n",
- sid_string_dbg(sid), e->domain?e->domain:"NULL"));
-
- /* Only do query if we are online */
- if (idmap_is_offline()) {
- return NT_STATUS_FILE_IS_OFFLINE;
- }
-
- dom = talloc_get_type(e->state, struct idmap_domain);
- ctx = talloc_get_type(dom->private_data, struct idmap_ad_context);
-
- ads_status = ad_idmap_cached_connection(dom);
- if (!ADS_ERR_OK(ads_status)) {
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- }
-
- if (!ctx->ad_schema) {
- DEBUG(10, ("nss_ad_get_info: no ad_schema configured!\n"));
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- }
-
- if (!sid || !homedir || !shell || !gecos) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* Have to do our own query */
-
- DEBUG(10, ("nss_ad_get_info: no ads connection given, doing our "
- "own query\n"));
-
- attrs[0] = ctx->ad_schema->posix_homedir_attr;
- attrs[1] = ctx->ad_schema->posix_shell_attr;
- attrs[2] = ctx->ad_schema->posix_gecos_attr;
- attrs[3] = ctx->ad_schema->posix_gidnumber_attr;
-
- sidstr = ldap_encode_ndr_dom_sid(mem_ctx, sid);
- filter = talloc_asprintf(mem_ctx, "(objectSid=%s)", sidstr);
- TALLOC_FREE(sidstr);
-
- if (!filter) {
- nt_status = NT_STATUS_NO_MEMORY;
- goto done;
- }
-
- ads_status = ads_search_retry(ctx->ads, &msg_internal, filter, attrs);
- if (!ADS_ERR_OK(ads_status)) {
- nt_status = ads_ntstatus(ads_status);
- goto done;
- }
-
- *homedir = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_homedir_attr);
- *shell = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_shell_attr);
- *gecos = ads_pull_string(ctx->ads, mem_ctx, msg_internal, ctx->ad_schema->posix_gecos_attr);
-
- if (p_gid != NULL) {
- uint32_t gid = UINT32_MAX;
- bool ok;
-
- ok = ads_pull_uint32(ctx->ads, msg_internal,
- ctx->ad_schema->posix_gidnumber_attr,
- &gid);
- if (ok) {
- *p_gid = gid;
- } else {
- *p_gid = (gid_t)-1;
- }
- }
-
- nt_status = NT_STATUS_OK;
-
-done:
- if (msg_internal) {
- ads_msgfree(ctx->ads, msg_internal);
- }
-
- return nt_status;
-}
-
/**********************************************************************
*********************************************************************/

@@ -475,21 +372,18 @@ done: