Michael Adam [Fri, 8 Aug 2008 23:04:55 +0000 (01:04 +0200)]
nmbd: add support for delayed initial samlogon packages.
The hosts or networks configured with "init logon delayed hosts"
have their initial samlogon packages (empty username) delayed
by the value configured with "init logon delay" (defaulting
to 100 milliseconds).
This gives the administrator some control over what clients would
consider the preferred logon server: they choose the server that
repsonds most quickly.
Michael Adam [Fri, 8 Aug 2008 22:31:48 +0000 (00:31 +0200)]
loadparm: add two parameters "init logon delay hosts" and "init logon delay"
"init logon delays hosts" takes a list of hosts names or addresses
or networks for which the initial SAMLOGON reply should be delayed
(so other DCs get preferred by XP workstations if there are any).
This option takes the same type of list as "hosts allow" does.
"init logon delay" allows one to configure the delay for the hosts
configured for delayed initial samlogon with "init logon delayed hosts".
The value is interpreted as milliseconds. The default value is 100.
This commit only introduces the parameters.
They will be activated in a subsequent commit.
Michael Adam [Wed, 6 Aug 2008 11:56:52 +0000 (13:56 +0200)]
libnetapi: fix build of shared library after libnet_join changes.
This needs create_builtin_administrators() and create_builtin_users()
from token_utils now. Did not pop up because the only users of the
shared lib currently are the examples in lib/netapi/examples/
which are not automatically built.
Andrew Tridgell [Wed, 6 Aug 2008 04:02:45 +0000 (14:02 +1000)]
fixed a fd leak when trying to regain contact to a domain controller
in winbind
When a w2k3 DC is rebooted the 139/445 ports come up before the
udp/389 cldap port. During this brief period, winbind manages to
connect to 139/445 but not to udp 389. It then enters a tight loop
where it leaks one fd each time. In a couple of seconds it runs out of
file descriptors, and leaves winbind crippled after the DC does
finally come up
Michael Adam [Tue, 5 Aug 2008 21:14:05 +0000 (23:14 +0200)]
secrets: fix replacemend random seed generator (security issue).
This is a regression introduced by the change to dbwrap.
The replacement dbwrap_change_int32_atomic() does not
correctly mimic the behaviour of tdb_change_int32_atomic():
The intended behaviour is to use *oldval as an initial
value when the entry does not yet exist in the db and to
return the old value in *oldval.
The effect was that:
1. get_rand_seed() always returns sys_getpid() in *new_seed
instead of the incremented seed from the secrets.tdb.
2. the seed stored in the tdb is always starting at 0 instead
of sys_getpid() + 1 and incremented in subsequent calls.
In principle this is a security issue, but i think the danger is
low, since this is only used as a fallback when there is no useable
/dev/urandom, and this is at most called on startup or via
reinit_after_fork.
Michael Adam [Tue, 5 Aug 2008 20:38:44 +0000 (22:38 +0200)]
idmap_tdb2: fix a race condition in idmap_tdb2_allocate_id().
The race is a regression introduced by the change to dbwrap.
It might have led to two concurrent processes returning the same id.
This fix is achieved by changing dbwrap_change_uint32_atomic() to
match the original behaviour of tdb_change_uint32_atomic(), which
is the following: *oldval is used as initial value when
the value does not yet exist and that the old value should be
returned in *oldval.
dbwrap_change_uint32_atomic() is used (only) in idmap_tdb2.c,
to get new ids.
Steve French [Tue, 5 Aug 2008 18:15:46 +0000 (13:15 -0500)]
Backing out most of changeset 5222b8db3fb692e5071bfd1b41849a8eb0a17995
(so parsing for domain parameter in mount.cifs matches online help)
and rephrasing original code to make it more clear.
The check for "domain" was meant to allow for "dom" or "DOM" and the
option ("dom") described in the help (e.g. "/sbin/mount.cifs -?") is the
shorter ("dom") form. The reason that the string we compare against
is larger was to improve readability (we could compare against "dom"
but note /* "domain" or "DOMAIN" or "dom" or "DOM" */ but it seemed
terser to just show the larger string in the strcmp target. The
change to "workgoup" from workg* (anything which begins with "workg"
doesn't matter - it is a minor behavior change - but probably few
scripts depend on the "alias" for this option).
Rework code so that it is clearer what we are comparing against.
clikrb5: don't use krb5_keyblock_init() when no salt is specified
If the caller wants to create a key with no salt we should
not use krb5_keyblock_init() (only used when using heimdal)
because it does sanity checks on the key length.
Michael Adam [Fri, 1 Aug 2008 15:10:59 +0000 (17:10 +0200)]
libnet dssync: fix memory allocation for error/result messages.
Use the libnet_dssync_context as a talloc context for the
result_message and error_message string members.
Using the passed in mem_ctx makes the implicit assumption
that mem_ctx is at least as long-lived as the libnet_dssync_context,
which is wrong.
Michael Adam [Thu, 31 Jul 2008 22:12:18 +0000 (00:12 +0200)]
vampire keytab: add command line switch --clean-old-entries .
This allows to control cleaning the keytab.
It will only clean old occurences of keys that are replicated in
this run. So if you want to ensure things are cleaned up, combine
this switch with --force-full-repl or --single-obj-repl (+dn list).
Michael Adam [Thu, 31 Jul 2008 22:09:28 +0000 (00:09 +0200)]
dssync: add clean_old_entries flag to dssync_ctx.
Initialize it to false.
And pass it down to the libnet_keytab context in
libnet_dssync_keytab.c:keytab_startup().
Unused yet.
Michael
Note: This might not be not 100% clean design to put this into the
toplevel dssync context while it is keytab specific. But then, on the
other hand, other imaginable backends might want to use this flag, too...
This controls whether single object replication is to be used.
This only has an effect when at least one object dn is given
on the commandline.
NOTE: Now the default is to use normal replication with uptodateness
vectors and use object dns given on the command line as a positive
write filter. Single object replication is only performed when this
new switch is specified.
Michael Adam [Wed, 30 Jul 2008 11:02:36 +0000 (13:02 +0200)]
libnet dssync: support lists of dns (instead of one dn) for single object replication.
Just specify several DNs separated by spaces on the command line of
"net rpc vampire keytab" to get the passwords for each of these
accouns via single object replication.
Michael Adam [Tue, 29 Jul 2008 16:07:07 +0000 (18:07 +0200)]
dssync keytab: store the samaccountname in the keytab for diff replication.
When retreiving a diff replication, the sAMAccountName attribute is usually
not replicated. So in order to build the principle, we need to store the
sAMAccounName in the keytab, referenced by the DN of the object, so that
it can be retrieved if necessary.
It is stored in the form of SAMACCOUNTNAME/object_dn@dns_domain_name
with kvno=0 and ENCTYPE_NONE.
Michael Adam [Tue, 29 Jul 2008 16:05:13 +0000 (18:05 +0200)]
dssync keytab: move handling of removal of duplicates to libnet_keytab_add_entry().
This makes libnet_keytab_remove_entries static and moves it up.
libnet_keytab_add_entry() now removes the duplicates in advance.
No special handling neede for the UTDV - this is also needed
for other entries...
Michael Adam [Tue, 29 Jul 2008 13:19:18 +0000 (15:19 +0200)]
libnet keytab: add function libnet_keytab_add_entry()
This is a stripped down version of smb_krb5_kt_add_entry() that
takes one explicit enctype instead of an array. And it does
not neither salting of keys nor cleanup of old entries.
Michael Adam [Thu, 17 Jul 2008 22:18:40 +0000 (00:18 +0200)]
dssync: allow replications of a single obj with net rpc vampire keytab.
This is triggered by setting the new "single" flag in the dssync_context
and filling the "object_dn" member with the dn of the object to be
fetched.
This call is accomplished by specifying the DRSUAPI_EXOP_REPL_OBJ
extended operation in the DsGetNCCHanges request. This variant does
honor an up-to-date-ness vectore passed in, but the answer does not
return a new up-to-dateness vector.
Call this operation as "net rpc vampire keytab /path/keytab object_dn" .
Michael Adam [Wed, 16 Jul 2008 22:54:35 +0000 (00:54 +0200)]
dssync keytab: add support for keeping track of the up-to-date-ness vector.
The startup operation should get the old up-to-date-ness vector from the backend
and the finish operation should store the new vector to the backend after replication.
This adds the change of the signatures of the operations ot the dssync_ops struct
and the implementation for the keytab ops. The up-to-date-ness vector is stored
under the principal constructed as UTDV/$naming_context_dn@$dns_domain_name.
The vector is still uninterpreted in libnet_dssync_process().
This will be the next step...
Michael Adam [Wed, 16 Jul 2008 15:12:04 +0000 (17:12 +0200)]
dssync: replace the processing_fn by startup/process/finish ops.
This remove static a variable for the keytab context in the keytab
processing function and simplifies the signature. The keytab context
is instead in the new private data member of the dssync_context struct.
This is in preparation of adding support for keeping track of the
up-to-date-ness vector, in order to be able to sync diffs instead
of the whole database.
projects / thirdparty / samba.git / log
