Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 23 14:37:05 CEST 2015 on sn-devel-104
Ralph Boehme [Wed, 22 Apr 2015 20:29:16 +0000 (22:29 +0200)]
vfs:fruit: implement copyfile style copy_chunk
Implement Apple's special copy_chunk ioctl that requests a copy of the
whole file along with all attached metadata.
These copy_chunk requests have a chunk count of 0 that we translate to a
copy_chunk_send VFS call overloading the parameters src_off = dest_off =
num = 0.
Ralph Boehme [Wed, 22 Apr 2015 20:29:16 +0000 (22:29 +0200)]
smb2:ioctl: support for OS X AAPL copyfile style copy_chunk
Apple's special copy_chunk ioctl that requests a copy of the whole file
along with all attached metadata.
These copy_chunk requests have a chunk count of 0 that we translate to a
copy_chunk_send VFS call overloading the parameters src_off = dest_off =
num = 0.
Felix Janda [Sun, 21 Jun 2015 10:03:56 +0000 (12:03 +0200)]
replace: Replace BSD strtoll by wrapping strtoll instead of strtoq
When it is detected that strtoll returns EINVAL not only in the case
that the base is not supported, HAVE_BSD_STRTOLL is declared and
strtoll is replaced. The current replacement code wraps strtoq in
order to replace strtoll and errors out when strtoq is missing.
In order to remove this possible error path, we can use strtoll instead
of strtoq since the code is only used when it is known that strtoll exists.
The fixes a compilation problem on linux systems using musl libc, which
has a BSD-like strtoll but no strtoq.
Signed-off-by: Felix Janda <felix.janda@posteo.de> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 22 12:49:10 CEST 2015 on sn-devel-104
Anoop C S [Fri, 19 Jun 2015 06:23:23 +0000 (11:53 +0530)]
lib/sysquota_linux: Handle the quota flags properly
sys_set_vfs_quota() expects the quota flags i.e, qflags
to be updated in the dp structure for which the routines
sys_get_linux_gen_quota(), sys_get_linux_v2_quota() and
sys_get_linux_v1_quota() failed to do so in their
respective definitions. Th error was uncovered by
compiler warnings [-Wunused-but-set-variable] displayed
for qflags variables in the above mentioned functions
and this patch fixes the same.
Signed-off-by: Anoop C S <achiraya@redhat.com> Reviewed-by: Jose A. Rivera <jarrpa@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Sat Jun 20 03:11:19 CEST 2015 on sn-devel-104
Volker Lendecke [Sat, 14 Feb 2015 15:30:33 +0000 (16:30 +0100)]
rpc: Simplify dcerpc_binding_handle_raw_call()
Align it with dcerpc_binding_handle_call()
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Fri Jun 19 20:17:24 CEST 2015 on sn-devel-104
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 19 12:51:48 CEST 2015 on sn-devel-104
Volker Lendecke [Fri, 12 Jun 2015 09:03:21 +0000 (09:03 +0000)]
Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jun 19 01:05:17 CEST 2015 on sn-devel-104
which returns NULL when given invalid pkt data from the Codenomicon fuzzer.
This gets passed directly to smb_probe_module(), which then calls
do_smb_load_module() which tries to deref the (NULL) module name.
https://bugzilla.samba.org/show_bug.cgi?id=11342
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 22:14:01 CEST 2015 on sn-devel-104
Codenomicon found a code path that allows the client to send a
request that calls into this function without ever having set
up security. So call->conn->auth_state.gensec_security exists
(gensec has been initialized when the RPC pipe is set up)
but call->conn->auth_state.gensec_security->ops has not been
initialized. We dereference the NULL pointer and crash.
An alternate way to fix this would be to create a new
public bool gensec_initialized(() function and call that
inside dcesrv_request() instead of doing a null
check on call->conn->auth_state.gensec_security,
but that's a more invasive fix we can add later.
Signed-off-by: Rowland Penny <repenny241155@gmail.com> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Thu Jun 18 10:24:48 CEST 2015 on sn-devel-104
Selecting encryption in 3.11 depends on the negprot contexts being present.
Setting SMB2_CAP_ENCRYPTION from the 3.11 client is optional. The absence
of it should not remove the negprot context.
Found by the Microsoft testsuites at the Redmond plugfest.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Steve French <sfrench@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 04:09:04 CEST 2015 on sn-devel-104
Andrew Bartlett [Tue, 16 Jun 2015 23:59:49 +0000 (11:59 +1200)]
selftest: Change chgdcpass environment to use winbindd
This allows us to test that winbindd starts up without secrets.tdb, as happens after
a classicupgrade.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 00:59:54 CEST 2015 on sn-devel-104
Andrew Bartlett [Thu, 11 Jun 2015 23:57:07 +0000 (11:57 +1200)]
winbindd: Sync secrets.ldb into secrets.tdb on startup
This ensures that the domain SID and machine account password are written into
secrets.tdb if the secrets.tdb file was either never written or was deleted.
Jeremy Allison [Tue, 16 Jun 2015 22:50:30 +0000 (15:50 -0700)]
smbd: Fix clients connecting unencrypted with PROTOCOL_SMB2_24 or higher.
Nonce code was terminating connections where xconn->smb2.server.cipher == 0.
If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero.
smb2_get_new_nonce() returns NT_STATUS_ENCRYPTION_FAILED if it is ever called with
session->nonce_high_max == 0.
Uri Simchoni [Mon, 15 Jun 2015 19:33:28 +0000 (22:33 +0300)]
heimdal: fix endless loop for specific KDC error code
When sending a Kerberos request, if at least one of the available
KDCs repeatedly replies with an error response of
KRB5KDC_ERR_SVC_UNAVAILABLE, and all other KDCs, if there are any,
do not reply at all or cannot be contacted, then the code repeatedly
retries to send the request in an endless loop.
This is fixed in upstream (post 1.5 branch) heimdal but the code
there is vastly refactored, so this is an independent fix to the issue.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 17 02:34:31 CEST 2015 on sn-devel-104
Volker Lendecke [Tue, 16 Jun 2015 06:20:56 +0000 (06:20 +0000)]
lib: Fix CID 1306765 Unchecked return value from library
This one might be a bit controversial. I don't see from man fcntl how this
could fail. But if it does, we definitely do want to know about it. And here we
don't have any good way to tell our caller, so abort.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jun 16 19:22:52 CEST 2015 on sn-devel-104
Marc Muehlfeld [Thu, 11 Jun 2015 19:20:55 +0000 (21:20 +0200)]
Group creation: Add msSFU30Name only when --nis-domain was given
This fixes a bug, that all new created groups automatically get an
msSFU30Name attribute added. This should only be the case, when
we also have a nis-domain (samba-tool --nis-domain=...).
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org> Reviewed-by: Christian Ambach <ambi@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Tue Jun 16 11:58:02 CEST 2015 on sn-devel-104
Jeremy Allison [Mon, 15 Jun 2015 22:49:07 +0000 (15:49 -0700)]
lib: ldap: Properly check talloc error returns.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 16 04:16:13 CEST 2015 on sn-devel-104
Uri Simchoni [Thu, 11 Jun 2015 11:24:36 +0000 (14:24 +0300)]
libads: further split resolve_and_ping into dns and netbios implementations
split the resolve_and_ping function, which does name lookup followed by
cldap ping, into two variants:
- resolve_and_ping_dns() which uses AD name resolution
- resolve_and_ping_netbios() which uses pre-AD name resolution
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Tue, 9 Jun 2015 11:30:14 +0000 (14:30 +0300)]
libads: Fix fallback logic when finding a domain controller
This is a patch to fix bug 11321.
When finding a domain controller, the method is to resolve
the IP address of candidate servers, and then do an ldap ping until a
suitable server answers.
In case of failure, there's fallback from DNS lookup to netbios lookup
(if netbios is enabled) and then back to site-less DNS lookup. The two
problems here are:
1. It makes more sense to try site-less DNS before NetBIOS because the
fallback to NetBIOS is not likely to give better results.
2. The NetBIOS fallback screws the site-less fallback (I suppose the
"goto considered harmful fellows are sometimes right after all...).
This fix extracts the core code that does name resolving+ldap ping
into a separate function and then activates this function in up to
three modes - site-aware, site-less, and netbios, in that order.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Mon, 8 Jun 2015 05:42:58 +0000 (08:42 +0300)]
namequery: remove dead code
When composing the list of servers out of the server affinity cache
and "password server" parameter, there's fallback to DNS-SRV-record-
based search if the "password server" + session affinity yield an empty
list. However:
1. The way the code is written, it never gets executed because the empty list
is not an empty string (it contains a comma)
2. This fallback is doe in any case just a few lines down the function
Therefore this patch simply removes this fallback code.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Mon, 18 May 2015 10:36:46 +0000 (13:36 +0300)]
libads: Keep 'good' server at the head of custom KDC list
When creating a custom krb.conf file for a domain, make sure
that the DC which already answered the ldap ping is not queried
again, and is always first in the custom KDC list. This has two
advantages:
1. Avoid re-sending an ldap ping to this server
2. The generated list is made up of the servers that answered
first. Since the DC which already answered an LDAP ping
is typically the "last good server", this change keeps it
out of the contest and guarantees that we keep using last
good server as long as it works.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Thu, 21 May 2015 07:38:42 +0000 (10:38 +0300)]
namequery: correctly merge kdc ip address list
When finding DCs, there are three sources of addresses:
1. "Last good server"
2. Configured password server
3. SRV DNS queries
Since those different sources may return the same addresses, the
IP list is checked for duplicates, e.g. in order to save on
the LDAP ping that usually follows. Both IP address and port are
compared.
This change fixes the address duplicate removal for the case of KDC
search, where the "last good server" or configured password server
also appears in the DNS SRV query response.
An (undocumented?) assumption is that the "password server" parameter
is applicable to KDCs as well, but if a port is specified (e.g.
dc1.example.com:390), then this is the ldap port.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Wed, 3 Jun 2015 10:50:25 +0000 (13:50 +0300)]
namequery: fix get_kdc_list() to look for _kerberos records
get_kdc_list() should look for _kerberos.xxx SRV records rather
than _ldap.xxx records. This has significance in two cases:
- Non-default DNS configurations
- When building a custom krb5.conf file for a domain, an attempt is
made to get site-specific as well as site-less records, but the
search for _ldap records yields a cached site-specific result even
for the site-less query.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Uri Simchoni [Thu, 21 May 2015 05:40:24 +0000 (08:40 +0300)]
libads: fix indentation in generated krb5.conf
In case of multiple KDCs, the automatically-generated
domain-specific kerberos configuration file lists all the
KDCs it can find, but the indentation of additional KDCs
is not aligned with that of the first KDC.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Volker Lendecke [Mon, 15 Jun 2015 12:14:43 +0000 (12:14 +0000)]
net: Fix messaging_init for clustering
A full loadparm with include=registry implicitly initializes a
messaging_context. We need to use that.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jun 15 22:44:57 CEST 2015 on sn-devel-104
* Fix runtime detection for robust mutexes in the standalone build.
bug #11326
* Possible fix for the build with robust mutexes on solaris 11
bug #11319
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jun 12 19:55:34 CEST 2015 on sn-devel-104
And the build failed with PTHREAD_MUTEX_ROBUST being unknown.
Note that PTHREAD_MUTEX_ROBUST and PTHREAD_MUTEX_ROBUST_NP are enum values
while they're defines on solaris 11
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11319
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
* Fix compile error in Solaris ports backend.
* Fix access after free in tevent_common_check_signal(). bug #11308
* Improve pytevent bindings.
* Testsuite fixes.
* Improve the documentation of the tevent_add_fd()
assumtions. It must be talloc_free'ed before closing the fd!
See bug #11141 and bug #11316.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
s4:libcli/raw: make sure smbcli_transport_connect_send/recv correctly cleanup on error
We need to make sure that we remove any pending writev_send or read_smb_send
request before closing the socket fd. As a side effect we always close the
socket fd if we don't return success for any any reason.
projects / thirdparty / samba.git / log
