summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libcli/named_pipe_auth/npa_tstream.c51
-rw-r--r--libcli/named_pipe_auth/npa_tstream.h3
-rw-r--r--librpc/gen_ndr/named_pipe_auth.h22
-rw-r--r--librpc/gen_ndr/ndr_named_pipe_auth.c329
-rw-r--r--librpc/gen_ndr/ndr_named_pipe_auth.h2
-rw-r--r--librpc/idl/named_pipe_auth.idl23
-rw-r--r--source3/lib/dprintf.c4
-rw-r--r--source3/rpc_client/cli_lsarpc.c2
-rw-r--r--source3/smbd/trans2.c4
-rw-r--r--source3/utils/status.c62
-rw-r--r--source4/dsdb/samdb/ldb_modules/repl_meta_data.c42
-rw-r--r--source4/heimdal/lib/gssapi/krb5/creds.c1
-rw-r--r--source4/libcli/security/tests/bindings.py17
-rw-r--r--source4/librpc/ndr/py_security.c4
-rw-r--r--source4/ntvfs/config.mk4
-rw-r--r--source4/ntvfs/ipc/vfs_ipc.c884
-rw-r--r--source4/rpc_server/config.mk3
-rw-r--r--source4/rpc_server/dcerpc_server.c184
-rw-r--r--source4/rpc_server/dcerpc_server.h15
-rw-r--r--source4/rpc_server/service_rpc.c11
-rwxr-xr-xsource4/scripting/bin/fullschema2
-rwxr-xr-xsource4/scripting/bin/minschema2
-rwxr-xr-xsource4/scripting/bin/reorgldb.py60
-rw-r--r--source4/scripting/python/samba/idmap.py2
-rw-r--r--source4/scripting/python/samba/provision.py13
-rw-r--r--source4/scripting/python/samba/samdb.py90
-rwxr-xr-xsource4/setup/domainlevel187
-rwxr-xr-xsource4/setup/enableaccount72
-rwxr-xr-xsource4/setup/newuser10
-rw-r--r--source4/setup/provision.ldif15
-rw-r--r--source4/setup/provision_configuration.ldif263
-rw-r--r--source4/setup/provision_self_join.ldif82
-rwxr-xr-xsource4/setup/pwsettings47
-rwxr-xr-xsource4/setup/setexpiry50
-rwxr-xr-xsource4/setup/setpassword14
-rw-r--r--source4/smbd/config.mk4
-rw-r--r--source4/smbd/service_named_pipe.c100
-rw-r--r--source4/torture/rpc/spoolss_notify.c26
38 files changed, 2020 insertions, 686 deletions
diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c
index fdb55c7e82..1c9ab8f626 100644
--- a/libcli/named_pipe_auth/npa_tstream.c
+++ b/libcli/named_pipe_auth/npa_tstream.c
@@ -66,8 +66,9 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
const char *client_name_in,
const struct tsocket_address *server,
const char *server_name,
- const struct netr_SamInfo3 *info3,
- DATA_BLOB session_key)
+ const struct netr_SamInfo3 *sam_info3,
+ DATA_BLOB session_key,
+ DATA_BLOB delegated_creds)
{
struct tevent_req *req;
struct tstream_npa_connect_state *state;
@@ -109,45 +110,48 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(state->auth_req);
if (client) {
- struct named_pipe_auth_req_info2 *info2;
+ struct named_pipe_auth_req_info3 *info3;
if (!server) {
tevent_req_error(req, EINVAL);
goto post;
}
- state->auth_req.level = 2;
- info2 = &state->auth_req.info.info2;
+ state->auth_req.level = 3;
+ info3 = &state->auth_req.info.info3;
- info2->client_name = client_name_in;
- info2->client_addr = tsocket_address_inet_addr_string(client, state);
- if (!info2->client_addr) {
+ info3->client_name = client_name_in;
+ info3->client_addr = tsocket_address_inet_addr_string(client, state);
+ if (!info3->client_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info2->client_port = tsocket_address_inet_port(client);
- if (!info2->client_name) {
- info2->client_name = info2->client_addr;
+ info3->client_port = tsocket_address_inet_port(client);
+ if (!info3->client_name) {
+ info3->client_name = info3->client_addr;
}
- info2->server_addr = tsocket_address_inet_addr_string(server, state);
- if (!info2->server_addr) {
+ info3->server_addr = tsocket_address_inet_addr_string(server, state);
+ if (!info3->server_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info2->server_port = tsocket_address_inet_port(server);
- if (!info2->server_name) {
- info2->server_name = info2->server_addr;
+ info3->server_port = tsocket_address_inet_port(server);
+ if (!info3->server_name) {
+ info3->server_name = info3->server_addr;
}
- info2->sam_info3 = discard_const_p(struct netr_SamInfo3, info3);
- info2->session_key_length = session_key.length;
- info2->session_key = session_key.data;
- } else if (info3) {
+ info3->sam_info3 = discard_const_p(struct netr_SamInfo3, sam_info3);
+ info3->session_key_length = session_key.length;
+ info3->session_key = session_key.data;
+ info3->gssapi_delegated_creds_length = delegated_creds.length;
+ info3->gssapi_delegated_creds = delegated_creds.data;
+
+ } else if (sam_info3) {
state->auth_req.level = 1;
- state->auth_req.info.info1 = *info3;
+ state->auth_req.info.info1 = *sam_info3;
} else {
state->auth_req.level = 0;
}
@@ -429,6 +433,11 @@ int _tstream_npa_connect_recv(struct tevent_req *req,
device_state = state->auth_rep.info.info2.device_state;
allocation_size = state->auth_rep.info.info2.allocation_size;
break;
+ case 3:
+ npas->file_type = state->auth_rep.info.info3.file_type;
+ device_state = state->auth_rep.info.info3.device_state;
+ allocation_size = state->auth_rep.info.info3.allocation_size;
+ break;
}
*_stream = stream;
diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h
index 34f2058f76..bff010f094 100644
--- a/libcli/named_pipe_auth/npa_tstream.h
+++ b/libcli/named_pipe_auth/npa_tstream.h
@@ -34,7 +34,8 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
const struct tsocket_address *server,
const char *server_name,
const struct netr_SamInfo3 *info3,
- DATA_BLOB session_key);
+ DATA_BLOB session_key,
+ DATA_BLOB delegated_creds);
int _tstream_npa_connect_recv(struct tevent_req *req,
int *perrno,
TALLOC_CTX *mem_ctx,
diff --git a/librpc/gen_ndr/named_pipe_auth.h b/librpc/gen_ndr/named_pipe_auth.h
index e08aa477db..d292dfe356 100644
--- a/librpc/gen_ndr/named_pipe_auth.h
+++ b/librpc/gen_ndr/named_pipe_auth.h
@@ -21,9 +21,24 @@ struct named_pipe_auth_req_info2 {
uint8_t *session_key;/* [unique,size_is(session_key_length)] */
};
+struct named_pipe_auth_req_info3 {
+ const char *client_name;/* [unique,charset(UTF8)] */
+ const char *client_addr;/* [unique,charset(DOS)] */
+ uint16_t client_port;
+ const char *server_name;/* [unique,charset(UTF8)] */
+ const char *server_addr;/* [unique,charset(DOS)] */
+ uint16_t server_port;
+ struct netr_SamInfo3 *sam_info3;/* [unique] */
+ uint32_t session_key_length;
+ uint8_t *session_key;/* [unique,size_is(session_key_length)] */
+ uint32_t gssapi_delegated_creds_length;
+ uint8_t *gssapi_delegated_creds;/* [unique,size_is(gssapi_delegated_creds_length)] */
+};
+
union named_pipe_auth_req_info {
struct netr_SamInfo3 info1;/* [case] */
struct named_pipe_auth_req_info2 info2;/* [case(2)] */
+ struct named_pipe_auth_req_info3 info3;/* [case(3)] */
}/* [switch_type(uint32)] */;
struct named_pipe_auth_req {
@@ -39,8 +54,15 @@ struct named_pipe_auth_rep_info2 {
uint64_t allocation_size;
};
+struct named_pipe_auth_rep_info3 {
+ uint16_t file_type;
+ uint16_t device_state;
+ uint64_t allocation_size;
+};
+
union named_pipe_auth_rep_info {
struct named_pipe_auth_rep_info2 info2;/* [case(2)] */
+ struct named_pipe_auth_rep_info3 info3;/* [case(3)] */
}/* [switch_type(uint32)] */;
struct named_pipe_auth_rep {
diff --git a/librpc/gen_ndr/ndr_named_pipe_auth.c b/librpc/gen_ndr/ndr_named_pipe_auth.c
index 28bd85d4fa..cdd8a3d641 100644
--- a/librpc/gen_ndr/ndr_named_pipe_auth.c
+++ b/librpc/gen_ndr/ndr_named_pipe_auth.c
@@ -226,6 +226,261 @@ _PUBLIC_ void ndr_print_named_pipe_auth_req_info2(struct ndr_print *ndr, const c
ndr->depth--;
}
+static enum ndr_err_code ndr_push_named_pipe_auth_req_info3(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req_info3 *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 5));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->client_name));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->client_addr));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->client_port));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->server_name));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->server_addr));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->server_port));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->sam_info3));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->session_key_length));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->session_key));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, r->gssapi_delegated_creds_length));
+ NDR_CHECK(ndr_push_unique_ptr(ndr, r->gssapi_delegated_creds));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ if (r->client_name) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_name, CH_UTF8)));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_name, CH_UTF8)));
+ NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->client_name, ndr_charset_length(r->client_name, CH_UTF8), sizeof(uint8_t), CH_UTF8));
+ }
+ if (r->client_addr) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_addr, CH_DOS)));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->client_addr, CH_DOS)));
+ NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->client_addr, ndr_charset_length(r->client_addr, CH_DOS), sizeof(uint8_t), CH_DOS));
+ }
+ if (r->server_name) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_name, CH_UTF8)));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_name, CH_UTF8)));
+ NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->server_name, ndr_charset_length(r->server_name, CH_UTF8), sizeof(uint8_t), CH_UTF8));
+ }
+ if (r->server_addr) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_addr, CH_DOS)));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, 0));
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, ndr_charset_length(r->server_addr, CH_DOS)));
+ NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->server_addr, ndr_charset_length(r->server_addr, CH_DOS), sizeof(uint8_t), CH_DOS));
+ }
+ if (r->sam_info3) {
+ NDR_CHECK(ndr_push_netr_SamInfo3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sam_info3));
+ }
+ if (r->session_key) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, r->session_key_length));
+ NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->session_key, r->session_key_length));
+ }
+ if (r->gssapi_delegated_creds) {
+ NDR_CHECK(ndr_push_uint3264(ndr, NDR_SCALARS, r->gssapi_delegated_creds_length));
+ NDR_CHECK(ndr_push_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, r->gssapi_delegated_creds_length));
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code ndr_pull_named_pipe_auth_req_info3(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req_info3 *r)
+{
+ uint32_t _ptr_client_name;
+ TALLOC_CTX *_mem_save_client_name_0;
+ uint32_t _ptr_client_addr;
+ TALLOC_CTX *_mem_save_client_addr_0;
+ uint32_t _ptr_server_name;
+ TALLOC_CTX *_mem_save_server_name_0;
+ uint32_t _ptr_server_addr;
+ TALLOC_CTX *_mem_save_server_addr_0;
+ uint32_t _ptr_sam_info3;
+ TALLOC_CTX *_mem_save_sam_info3_0;
+ uint32_t _ptr_session_key;
+ TALLOC_CTX *_mem_save_session_key_0;
+ uint32_t _ptr_gssapi_delegated_creds;
+ TALLOC_CTX *_mem_save_gssapi_delegated_creds_0;
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 5));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_name));
+ if (_ptr_client_name) {
+ NDR_PULL_ALLOC(ndr, r->client_name);
+ } else {
+ r->client_name = NULL;
+ }
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_client_addr));
+ if (_ptr_client_addr) {
+ NDR_PULL_ALLOC(ndr, r->client_addr);
+ } else {
+ r->client_addr = NULL;
+ }
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->client_port));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_name));
+ if (_ptr_server_name) {
+ NDR_PULL_ALLOC(ndr, r->server_name);
+ } else {
+ r->server_name = NULL;
+ }
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_server_addr));
+ if (_ptr_server_addr) {
+ NDR_PULL_ALLOC(ndr, r->server_addr);
+ } else {
+ r->server_addr = NULL;
+ }
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->server_port));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sam_info3));
+ if (_ptr_sam_info3) {
+ NDR_PULL_ALLOC(ndr, r->sam_info3);
+ } else {
+ r->sam_info3 = NULL;
+ }
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->session_key_length));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_session_key));
+ if (_ptr_session_key) {
+ NDR_PULL_ALLOC(ndr, r->session_key);
+ } else {
+ r->session_key = NULL;
+ }
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->gssapi_delegated_creds_length));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_gssapi_delegated_creds));
+ if (_ptr_gssapi_delegated_creds) {
+ NDR_PULL_ALLOC(ndr, r->gssapi_delegated_creds);
+ } else {
+ r->gssapi_delegated_creds = NULL;
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ if (r->client_name) {
+ _mem_save_client_name_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->client_name, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->client_name));
+ NDR_CHECK(ndr_pull_array_length(ndr, &r->client_name));
+ if (ndr_get_array_length(ndr, &r->client_name) > ndr_get_array_size(ndr, &r->client_name)) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_name), ndr_get_array_length(ndr, &r->client_name));
+ }
+ NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_name, ndr_get_array_length(ndr, &r->client_name), sizeof(uint8_t), CH_UTF8));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_name_0, 0);
+ }
+ if (r->client_addr) {
+ _mem_save_client_addr_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->client_addr, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->client_addr));
+ NDR_CHECK(ndr_pull_array_length(ndr, &r->client_addr));
+ if (ndr_get_array_length(ndr, &r->client_addr) > ndr_get_array_size(ndr, &r->client_addr)) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->client_addr), ndr_get_array_length(ndr, &r->client_addr));
+ }
+ NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->client_addr, ndr_get_array_length(ndr, &r->client_addr), sizeof(uint8_t), CH_DOS));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_client_addr_0, 0);
+ }
+ if (r->server_name) {
+ _mem_save_server_name_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->server_name, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->server_name));
+ NDR_CHECK(ndr_pull_array_length(ndr, &r->server_name));
+ if (ndr_get_array_length(ndr, &r->server_name) > ndr_get_array_size(ndr, &r->server_name)) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_name), ndr_get_array_length(ndr, &r->server_name));
+ }
+ NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_name, ndr_get_array_length(ndr, &r->server_name), sizeof(uint8_t), CH_UTF8));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_name_0, 0);
+ }
+ if (r->server_addr) {
+ _mem_save_server_addr_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->server_addr, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->server_addr));
+ NDR_CHECK(ndr_pull_array_length(ndr, &r->server_addr));
+ if (ndr_get_array_length(ndr, &r->server_addr) > ndr_get_array_size(ndr, &r->server_addr)) {
+ return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->server_addr), ndr_get_array_length(ndr, &r->server_addr));
+ }
+ NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t)));
+ NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->server_addr, ndr_get_array_length(ndr, &r->server_addr), sizeof(uint8_t), CH_DOS));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_server_addr_0, 0);
+ }
+ if (r->sam_info3) {
+ _mem_save_sam_info3_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->sam_info3, 0);
+ NDR_CHECK(ndr_pull_netr_SamInfo3(ndr, NDR_SCALARS|NDR_BUFFERS, r->sam_info3));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sam_info3_0, 0);
+ }
+ if (r->session_key) {
+ _mem_save_session_key_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->session_key, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->session_key));
+ NDR_PULL_ALLOC_N(ndr, r->session_key, ndr_get_array_size(ndr, &r->session_key));
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->session_key, ndr_get_array_size(ndr, &r->session_key)));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_session_key_0, 0);
+ }
+ if (r->gssapi_delegated_creds) {
+ _mem_save_gssapi_delegated_creds_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->gssapi_delegated_creds, 0);
+ NDR_CHECK(ndr_pull_array_size(ndr, &r->gssapi_delegated_creds));
+ NDR_PULL_ALLOC_N(ndr, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds));
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->gssapi_delegated_creds, ndr_get_array_size(ndr, &r->gssapi_delegated_creds)));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_gssapi_delegated_creds_0, 0);
+ }
+ if (r->session_key) {
+ NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->session_key, r->session_key_length));
+ }
+ if (r->gssapi_delegated_creds) {
+ NDR_CHECK(ndr_check_array_size(ndr, (void*)&r->gssapi_delegated_creds, r->gssapi_delegated_creds_length));
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_named_pipe_auth_req_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info3 *r)
+{
+ ndr_print_struct(ndr, name, "named_pipe_auth_req_info3");
+ ndr->depth++;
+ ndr_print_ptr(ndr, "client_name", r->client_name);
+ ndr->depth++;
+ if (r->client_name) {
+ ndr_print_string(ndr, "client_name", r->client_name);
+ }
+ ndr->depth--;
+ ndr_print_ptr(ndr, "client_addr", r->client_addr);
+ ndr->depth++;
+ if (r->client_addr) {
+ ndr_print_string(ndr, "client_addr", r->client_addr);
+ }
+ ndr->depth--;
+ ndr_print_uint16(ndr, "client_port", r->client_port);
+ ndr_print_ptr(ndr, "server_name", r->server_name);
+ ndr->depth++;
+ if (r->server_name) {
+ ndr_print_string(ndr, "server_name", r->server_name);
+ }
+ ndr->depth--;
+ ndr_print_ptr(ndr, "server_addr", r->server_addr);
+ ndr->depth++;
+ if (r->server_addr) {
+ ndr_print_string(ndr, "server_addr", r->server_addr);
+ }
+ ndr->depth--;
+ ndr_print_uint16(ndr, "server_port", r->server_port);
+ ndr_print_ptr(ndr, "sam_info3", r->sam_info3);
+ ndr->depth++;
+ if (r->sam_info3) {
+ ndr_print_netr_SamInfo3(ndr, "sam_info3", r->sam_info3);
+ }
+ ndr->depth--;
+ ndr_print_uint32(ndr, "session_key_length", r->session_key_length);
+ ndr_print_ptr(ndr, "session_key", r->session_key);
+ ndr->depth++;
+ if (r->session_key) {
+ ndr_print_array_uint8(ndr, "session_key", r->session_key, r->session_key_length);
+ }
+ ndr->depth--;
+ ndr_print_uint32(ndr, "gssapi_delegated_creds_length", r->gssapi_delegated_creds_length);
+ ndr_print_ptr(ndr, "gssapi_delegated_creds", r->gssapi_delegated_creds);
+ ndr->depth++;
+ if (r->gssapi_delegated_creds) {
+ ndr_print_array_uint8(ndr, "gssapi_delegated_creds", r->gssapi_delegated_creds, r->gssapi_delegated_creds_length);
+ }
+ ndr->depth--;
+ ndr->depth--;
+}
+
static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_req_info *r)
{
if (ndr_flags & NDR_SCALARS) {
@@ -243,6 +498,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_req_info2(ndr, NDR_SCALARS, &r->info2));
break; }
+ case 3: {
+ NDR_CHECK(ndr_push_named_pipe_auth_req_info3(ndr, NDR_SCALARS, &r->info3));
+ break; }
+
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -261,6 +520,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_req_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_req_info2(ndr, NDR_BUFFERS, &r->info2));
break;
+ case 3:
+ NDR_CHECK(ndr_push_named_pipe_auth_req_info3(ndr, NDR_BUFFERS, &r->info3));
+ break;
+
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -290,6 +553,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_req_info2(ndr, NDR_SCALARS, &r->info2));
break; }
+ case 3: {
+ NDR_CHECK(ndr_pull_named_pipe_auth_req_info3(ndr, NDR_SCALARS, &r->info3));
+ break; }
+
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -307,6 +574,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_req_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_req_info2(ndr, NDR_BUFFERS, &r->info2));
break;
+ case 3:
+ NDR_CHECK(ndr_pull_named_pipe_auth_req_info3(ndr, NDR_BUFFERS, &r->info3));
+ break;
+
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -331,6 +602,10 @@ _PUBLIC_ void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const ch
ndr_print_named_pipe_auth_req_info2(ndr, "info2", &r->info2);
break;
+ case 3:
+ ndr_print_named_pipe_auth_req_info3(ndr, "info3", &r->info3);
+ break;
+
default:
ndr_print_bad_level(ndr, name, level);
}
@@ -431,6 +706,42 @@ _PUBLIC_ void ndr_print_named_pipe_auth_rep_info2(struct ndr_print *ndr, const c
ndr->depth--;
}
+static enum ndr_err_code ndr_push_named_pipe_auth_rep_info3(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep_info3 *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_push_align(ndr, 8));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->file_type));
+ NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->device_state));
+ NDR_CHECK(ndr_push_hyper(ndr, NDR_SCALARS, r->allocation_size));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info3(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep_info3 *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 8));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->file_type));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->device_state));
+ NDR_CHECK(ndr_pull_hyper(ndr, NDR_SCALARS, &r->allocation_size));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ void ndr_print_named_pipe_auth_rep_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info3 *r)
+{
+ ndr_print_struct(ndr, name, "named_pipe_auth_rep_info3");
+ ndr->depth++;
+ ndr_print_uint16(ndr, "file_type", r->file_type);
+ ndr_print_uint16(ndr, "device_state", r->device_state);
+ ndr_print_hyper(ndr, "allocation_size", r->allocation_size);
+ ndr->depth--;
+}
+
static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr, int ndr_flags, const union named_pipe_auth_rep_info *r)
{
if (ndr_flags & NDR_SCALARS) {
@@ -447,6 +758,10 @@ static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr,
NDR_CHECK(ndr_push_named_pipe_auth_rep_info2(ndr, NDR_SCALARS, &r->info2));
break; }
+ case 3: {
+ NDR_CHECK(ndr_push_named_pipe_auth_rep_info3(ndr, NDR_SCALARS, &r->info3));
+ break; }
+
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -463,6 +778,9 @@ static enum ndr_err_code ndr_push_named_pipe_auth_rep_info(struct ndr_push *ndr,
case 2:
break;
+ case 3:
+ break;
+
default:
return ndr_push_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -491,6 +809,10 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_named_pipe_auth_rep_info2(ndr, NDR_SCALARS, &r->info2));
break; }
+ case 3: {
+ NDR_CHECK(ndr_pull_named_pipe_auth_rep_info3(ndr, NDR_SCALARS, &r->info3));
+ break; }
+
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -506,6 +828,9 @@ static enum ndr_err_code ndr_pull_named_pipe_auth_rep_info(struct ndr_pull *ndr,
case 2:
break;
+ case 3:
+ break;
+
default:
return ndr_pull_error(ndr, NDR_ERR_BAD_SWITCH, "Bad switch value %u at %s", level, __location__);
}
@@ -529,6 +854,10 @@ _PUBLIC_ void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const ch
ndr_print_named_pipe_auth_rep_info2(ndr, "info2", &r->info2);
break;
+ case 3:
+ ndr_print_named_pipe_auth_rep_info3(ndr, "info3", &r->info3);
+ break;
+
default:
ndr_print_bad_level(ndr, name, level);
}
diff --git a/librpc/gen_ndr/ndr_named_pipe_auth.h b/librpc/gen_ndr/ndr_named_pipe_auth.h
index cd8e065f18..027a3262b3 100644
--- a/librpc/gen_ndr/ndr_named_pipe_auth.h
+++ b/librpc/gen_ndr/ndr_named_pipe_auth.h
@@ -8,12 +8,14 @@
#define NDR_NAMED_PIPE_AUTH_CALL_COUNT (0)
void ndr_print_named_pipe_auth_req_info2(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info2 *r);
+void ndr_print_named_pipe_auth_req_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req_info3 *r);
void ndr_print_named_pipe_auth_req_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_req_info *r);
enum ndr_err_code ndr_push_named_pipe_auth_req(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_req *r);
enum ndr_err_code ndr_pull_named_pipe_auth_req(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_req *r);
void ndr_print_named_pipe_auth_req(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_req *r);
size_t ndr_size_named_pipe_auth_req(const struct named_pipe_auth_req *r, struct smb_iconv_convenience *ic, int flags);
void ndr_print_named_pipe_auth_rep_info2(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info2 *r);
+void ndr_print_named_pipe_auth_rep_info3(struct ndr_print *ndr, const char *name, const struct named_pipe_auth_rep_info3 *r);
void ndr_print_named_pipe_auth_rep_info(struct ndr_print *ndr, const char *name, const union named_pipe_auth_rep_info *r);
enum ndr_err_code ndr_push_named_pipe_auth_rep(struct ndr_push *ndr, int ndr_flags, const struct named_pipe_auth_rep *r);
enum ndr_err_code ndr_pull_named_pipe_auth_rep(struct ndr_pull *ndr, int ndr_flags, struct named_pipe_auth_rep *r);
diff --git a/librpc/idl/named_pipe_auth.idl b/librpc/idl/named_pipe_auth.idl
index fd3f563c53..43db989327 100644
--- a/librpc/idl/named_pipe_auth.idl
+++ b/librpc/idl/named_pipe_auth.idl
@@ -24,10 +24,26 @@ interface named_pipe_auth
[size_is(session_key_length)] uint8 *session_key;
} named_pipe_auth_req_info2;
+ typedef struct {
+ [charset(UTF8),string] uint8 *client_name;
+ [charset(DOS),string] uint8 *client_addr;
+ uint16 client_port;
+ [charset(UTF8),string] uint8 *server_name;
+ [charset(DOS),string] uint8 *server_addr;
+ uint16 server_port;
+ netr_SamInfo3 *sam_info3;
+ uint32 session_key_length;
+ [size_is(session_key_length)] uint8 *session_key;
+ uint32 gssapi_delegated_creds_length;
+ [size_is(gssapi_delegated_creds_length)]
+ uint8 *gssapi_delegated_creds;
+ } named_pipe_auth_req_info3;
+
typedef [switch_type(uint32)] union {
[case(0)] ;/* anonymous */
[case(1)] netr_SamInfo3 info1;
[case(2)] named_pipe_auth_req_info2 info2;
+ [case(3)] named_pipe_auth_req_info3 info3;
} named_pipe_auth_req_info;
typedef [public,gensize] struct {
@@ -45,10 +61,17 @@ interface named_pipe_auth
hyper allocation_size;
} named_pipe_auth_rep_info2;
+ typedef struct {
+ uint16 file_type;
+ uint16 device_state;
+ hyper allocation_size;
+ } named_pipe_auth_rep_info3;
+
typedef [switch_type(uint32)] union {
[case(0)] ;
[case(1)] ;
[case(2)] named_pipe_auth_rep_info2 info2;
+ [case(3)] named_pipe_auth_rep_info3 info3;
} named_pipe_auth_rep_info;
typedef [public,gensize] struct {
diff --git a/source3/lib/dprintf.c b/source3/lib/dprintf.c
index 631c45a807..835d34076e 100644
--- a/source3/lib/dprintf.c
+++ b/source3/lib/dprintf.c
@@ -66,6 +66,10 @@ again:
}
clen = convert_string(CH_UNIX, CH_DISPLAY, p, ret, p2, maxlen, True);
+ if (clen == -1) {
+ ret = -1;
+ goto out;
+ }
if (clen >= maxlen) {
/* it didn't fit - try a larger buffer */
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index aa883d3cf1..d49fa47f57 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -152,6 +152,8 @@ static NTSTATUS rpccli_lsa_lookup_sids_noalloc(struct rpc_pipe_client *cli,
struct lsa_TransNameArray2 lsa_names2;
uint32_t n;
+ ZERO_STRUCT(lsa_names2);
+
result = rpccli_lsa_LookupSids3(cli, mem_ctx,
&sid_array,
&ref_domains,
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 85eb73749a..ce458126d3 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -156,7 +156,9 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
ssize_t sizeret = -1;
if (!lp_ea_support(SNUM(conn))) {
- *pnames = NULL;
+ if (pnames) {
+ *pnames = NULL;
+ }
*pnum_names = 0;
return NT_STATUS_OK;
}
diff --git a/source3/utils/status.c b/source3/utils/status.c
index fa7d1eba2b..6d616149d7 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -2,17 +2,17 @@
Unix SMB/CIFS implementation.
status reporting
Copyright (C) Andrew Tridgell 1994-1998
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
@@ -61,25 +61,25 @@ static unsigned int Ucrit_checkUid(uid_t uid)
{
if ( !Ucrit_IsActive )
return 1;
-
+
if ( uid == Ucrit_uid )
return 1;
-
+
return 0;
}
static unsigned int Ucrit_checkPid(struct server_id pid)
{
int i;
-
+
if ( !Ucrit_IsActive )
return 1;
-
+
for (i=0;i<Ucrit_MaxPid;i++) {
if (cluster_id_equal(&pid, &Ucrit_pid[i]))
return 1;
}
-
+
return 0;
}
@@ -96,7 +96,7 @@ static bool Ucrit_addPid( struct server_id pid )
}
Ucrit_pid[Ucrit_MaxPid++] = pid;
-
+
return True;
}
@@ -276,7 +276,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
numeric_only ? uid_str : uidtoname(sessionid.uid),
numeric_only ? gid_str : gidtoname(sessionid.gid),
sessionid.remote_machine, sessionid.hostname);
-
+
return 0;
}
@@ -312,9 +312,9 @@ static int traverse_sessionid(struct db_record *db, void *state)
load_case_tables();
setup_logging(argv[0],True);
-
+
dbf = x_stderr;
-
+
if (getuid() != geteuid()) {
d_printf("smbstatus should not be run setuid\n");
ret = 1;
@@ -323,7 +323,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
POPT_CONTEXT_KEEP_FIRST);
-
+
while ((c = poptGetNextOpt(pc)) != -1) {
switch (c) {
case 'p':
@@ -377,18 +377,20 @@ static int traverse_sessionid(struct db_record *db, void *state)
goto done;
}
- /*
- * This implicitly initializes the global ctdbd connection, usable by
- * the db_open() calls further down.
- */
-
- msg_ctx = messaging_init(NULL, procid_self(),
- event_context_init(NULL));
- if (msg_ctx == NULL) {
- fprintf(stderr, "messaging_init failed\n");
- ret = -1;
- goto done;
+ if (lp_clustering()) {
+ /*
+ * This implicitly initializes the global ctdbd
+ * connection, usable by the db_open() calls further
+ * down.
+ */
+ msg_ctx = messaging_init(NULL, procid_self(),
+ event_context_init(NULL));
+ if (msg_ctx == NULL) {
+ fprintf(stderr, "messaging_init failed\n");
+ ret = -1;
+ goto done;
+ }
}
if (!lp_load(get_dyn_CONFIGFILE(),False,False,False,True)) {
@@ -432,7 +434,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
goto done;
}
}
-
+
if ( show_shares ) {
if (verbose) {
d_printf("Opened %s\n", lock_path("connections.tdb"));
@@ -441,10 +443,10 @@ static int traverse_sessionid(struct db_record *db, void *state)
if (brief) {
goto done;
}
-
+
d_printf("\nService pid machine Connected at\n");
d_printf("-------------------------------------------------------\n");
-
+
connections_forall(traverse_fn1, NULL);
d_printf("\n");
@@ -475,7 +477,7 @@ static int traverse_sessionid(struct db_record *db, void *state)
ret = 1;
goto done;
}
-
+
result = share_mode_forall(print_share_mode, NULL);
if (result == 0) {
@@ -483,13 +485,13 @@ static int traverse_sessionid(struct db_record *db, void *state)
} else if (result == -1) {
d_printf("locked file list truncated\n");
}
-
+
d_printf("\n");
if (show_brl) {
brl_forall(print_brl, NULL);
}
-
+
locking_end();
}
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 26703528a7..283bdf7806 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2123,7 +2123,9 @@ linked_attributes[0]:
talloc_free(tmp_ctx);
return ret;
}
- ret_el->values = talloc_array(msg, struct ldb_val, 1);
+ /* we allocate two entries here, in case we need a remove/add
+ pair */
+ ret_el->values = talloc_array(msg, struct ldb_val, 2);
if (!ret_el->values) {
ldb_oom(ldb);
talloc_free(tmp_ctx);
@@ -2168,10 +2170,48 @@ linked_attributes[0]:
ret = ldb_wait(mod_req->handle, LDB_WAIT_ALL);
}
+ if (ret == LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS) {
+ /* the link destination exists, we need to update it
+ * by deleting the old one for the same DN then adding
+ * the new one */
+ msg->elements = talloc_realloc(msg, msg->elements,
+ struct ldb_message_element,
+ msg->num_elements+1);
+ if (msg->elements == NULL) {
+ ldb_oom(ldb);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* this relies on the backend matching the old entry
+ only by the DN portion of the extended DN */
+ msg->elements[1] = msg->elements[0];
+ msg->elements[0].flags = LDB_FLAG_MOD_DELETE;
+ msg->num_elements++;
+
+ ret = ldb_build_mod_req(&mod_req, ldb, tmp_ctx,
+ msg,
+ NULL,
+ NULL,
+ ldb_op_default_callback,
+ NULL);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
+
+ /* Run the new request */
+ ret = ldb_next_request(module, mod_req);
+
+ if (ret == LDB_SUCCESS) {
+ ret = ldb_wait(mod_req->handle, LDB_WAIT_ALL);
+ }
+ }
+
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_WARNING, "Failed to apply linked attribute change '%s' %s\n",
ldb_errstring(ldb),
ldb_ldif_message_string(ldb, tmp_ctx, LDB_CHANGETYPE_MODIFY, msg));
+ ret = LDB_SUCCESS;
}
talloc_free(tmp_ctx);
diff --git a/source4/heimdal/lib/gssapi/krb5/creds.c b/source4/heimdal/lib/gssapi/krb5/creds.c
index c9befe9d77..68cb766bc3 100644
--- a/source4/heimdal/lib/gssapi/krb5/creds.c
+++ b/source4/heimdal/lib/gssapi/krb5/creds.c
@@ -249,5 +249,6 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
handle->ccache = id;
handle->cred_flags = flags;
+ *cred_handle = (gss_cred_id_t)handle;
return GSS_S_COMPLETE;
}
diff --git a/source4/libcli/security/tests/bindings.py b/source4/libcli/security/tests/bindings.py
index f0d55f12ca..00fa05d070 100644
--- a/source4/libcli/security/tests/bindings.py
+++ b/source4/libcli/security/tests/bindings.py
@@ -57,6 +57,16 @@ class SecurityDescriptorTests(unittest.TestCase):
self.assertEquals(desc.sacl, None)
self.assertEquals(desc.type, 0x8004)
+ def test_from_sddl_invalidsddl(self):
+ self.assertRaises(TypeError,security.descriptor.from_sddl, "foo",security.dom_sid("S-2-0-0"))
+
+ def test_from_sddl_invalidtype1(self):
+ self.assertRaises(TypeError,security.descriptor.from_sddl, security.dom_sid('S-2-0-0-512'),security.dom_sid("S-2-0-0"))
+
+ def test_from_sddl_invalidtype1(self):
+ sddl = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
+ self.assertRaises(TypeError,security.descriptor.from_sddl, sddl,"S-2-0-0")
+
def test_as_sddl(self):
text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
dom = security.dom_sid("S-2-0-0")
@@ -67,6 +77,13 @@ class SecurityDescriptorTests(unittest.TestCase):
self.assertEquals(desc1.sacl, desc2.sacl)
self.assertEquals(desc1.type, desc2.type)
+ def test_as_sddl_invalid(self):
+ text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
+ dom = security.dom_sid("S-2-0-0")
+ desc1 = security.descriptor.from_sddl(text, dom)
+ self.assertRaises(TypeError, desc1.as_sddl,text)
+
+
def test_as_sddl_no_domainsid(self):
dom = security.dom_sid("S-2-0-0")
text = "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c
index 8ab790d470..02dc059f05 100644
--- a/source4/librpc/ndr/py_security.c
+++ b/source4/librpc/ndr/py_security.c
@@ -173,7 +173,7 @@ static PyObject *py_descriptor_from_sddl(PyObject *self, PyObject *args)
PyObject *py_sid;
struct dom_sid *sid;
- if (!PyArg_ParseTuple(args, "sO", &sddl, &py_sid))
+ if (!PyArg_ParseTuple(args, "sO!", &sddl, &dom_sid_Type, &py_sid))
return NULL;
sid = py_talloc_get_ptr(py_sid);
@@ -195,7 +195,7 @@ static PyObject *py_descriptor_as_sddl(PyObject *self, PyObject *args)
char *text;
PyObject *ret;
- if (!PyArg_ParseTuple(args, "|O", &py_sid))
+ if (!PyArg_ParseTuple(args, "|O!", &dom_sid_Type, &py_sid))
return NULL;
if (py_sid != Py_None)
diff --git a/source4/ntvfs/config.mk b/source4/ntvfs/config.mk
index 593c526edb..060ee19115 100644
--- a/source4/ntvfs/config.mk
+++ b/source4/ntvfs/config.mk
@@ -71,7 +71,9 @@ ntvfs_print_OBJ_FILES = $(ntvfssrcdir)/print/vfs_print.o
[MODULE::ntvfs_ipc]
SUBSYSTEM = ntvfs
INIT_FUNCTION = ntvfs_ipc_init
-PRIVATE_DEPENDENCIES = dcerpc_server DCERPC_COMMON
+PRIVATE_DEPENDENCIES = \
+ NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM \
+ HEIMDAL_GSSAPI CREDENTIALS
# End MODULE ntvfs_ipc
################################################
diff --git a/source4/ntvfs/ipc/vfs_ipc.c b/source4/ntvfs/ipc/vfs_ipc.c
index 95ad1c51fb..0cd909e351 100644
--- a/source4/ntvfs/ipc/vfs_ipc.c
+++ b/source4/ntvfs/ipc/vfs_ipc.c
@@ -29,9 +29,16 @@
#include "ntvfs/ntvfs.h"
#include "libcli/rap/rap.h"
#include "ntvfs/ipc/proto.h"
-#include "rpc_server/dcerpc_server.h"
#include "libcli/raw/ioctl.h"
#include "param/param.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../libcli/named_pipe_auth/npa_tstream.h"
+#include "auth/auth.h"
+#include "auth/auth_sam_reply.h"
+#include "lib/socket/socket.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_krb5.h"
+#include <gssapi/gssapi.h>
/* this is the private structure used to keep the state of an open
ipc$ connection. It needs to keep information about all open
@@ -39,16 +46,18 @@
struct ipc_private {
struct ntvfs_module_context *ntvfs;
- struct dcesrv_context *dcesrv;
-
/* a list of open pipes */
struct pipe_state {
struct pipe_state *next, *prev;
struct ipc_private *ipriv;
const char *pipe_name;
struct ntvfs_handle *handle;
- struct dcesrv_connection *dce_conn;
- uint16_t ipc_state;
+ struct tstream_context *npipe;
+ uint16_t file_type;
+ uint16_t device_state;
+ uint64_t allocation_size;
+ struct tevent_queue *write_queue;
+ struct tevent_queue *read_queue;
} *pipe_list;
};
@@ -91,7 +100,6 @@ static NTSTATUS ipc_connect(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req,
union smb_tcon* tcon)
{
- NTSTATUS status;
struct ipc_private *ipriv;
const char *sharename;
@@ -136,10 +144,6 @@ static NTSTATUS ipc_connect(struct ntvfs_module_context *ntvfs,
ipriv->ntvfs = ntvfs;
ipriv->pipe_list = NULL;
- /* setup the DCERPC server subsystem */
- status = dcesrv_init_ipc_context(ipriv, ntvfs->ctx->lp_ctx, &ipriv->dcesrv);
- NT_STATUS_NOT_OK_RETURN(status);
-
return NT_STATUS_OK;
}
@@ -207,32 +211,61 @@ static int ipc_fd_destructor(struct pipe_state *p)
return 0;
}
-static struct socket_address *ipc_get_my_addr(struct dcesrv_connection *dce_conn, TALLOC_CTX *mem_ctx)
-{
- struct ipc_private *ipriv = dce_conn->transport.private_data;
-
- return ntvfs_get_my_addr(ipriv->ntvfs, mem_ctx);
-}
-
-static struct socket_address *ipc_get_peer_addr(struct dcesrv_connection *dce_conn, TALLOC_CTX *mem_ctx)
-{
- struct ipc_private *ipriv = dce_conn->transport.private_data;
+struct ipc_open_state {
+ struct ipc_private *ipriv;
+ struct pipe_state *p;
+ struct ntvfs_request *req;
+ union smb_open *oi;
+ struct netr_SamInfo3 *info3;
+};
- return ntvfs_get_peer_addr(ipriv->ntvfs, mem_ctx);
-}
+static void ipc_open_done(struct tevent_req *subreq);
/*
- open a file backend - used for MSRPC pipes
+ open a file - used for MSRPC pipes
*/
-static NTSTATUS ipc_open_generic(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, const char *fname,
- struct pipe_state **ps)
+static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs,
+ struct ntvfs_request *req, union smb_open *oi)
{
- struct pipe_state *p;
NTSTATUS status;
- struct dcerpc_binding *ep_description;
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct pipe_state *p;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
+ struct smb_iconv_convenience *smb_ic
+ = lp_iconv_convenience(ipriv->ntvfs->ctx->lp_ctx);
struct ntvfs_handle *h;
+ struct ipc_open_state *state;
+ struct tevent_req *subreq;
+ const char *fname;
+ const char *directory;
+ struct socket_address *client_sa;
+ struct tsocket_address *client_addr;
+ struct socket_address *server_sa;
+ struct tsocket_address *server_addr;
+ int ret;
+ DATA_BLOB delegated_creds = data_blob_null;
+
+ switch (oi->generic.level) {
+ case RAW_OPEN_NTCREATEX:
+ fname = oi->ntcreatex.in.fname;
+ break;
+ case RAW_OPEN_OPENX:
+ fname = oi->openx.in.fname;
+ break;
+ case RAW_OPEN_SMB2:
+ fname = oi->smb2.in.fname;
+ break;
+ default:
+ status = NT_STATUS_NOT_SUPPORTED;
+ break;
+ }
+
+ directory = talloc_asprintf(req, "%s/np",
+ lp_ncalrpc_dir(ipriv->ntvfs->ctx->lp_ctx));
+ NT_STATUS_HAVE_NO_MEMORY(directory);
+
+ state = talloc(req, struct ipc_open_state);
+ NT_STATUS_HAVE_NO_MEMORY(state);
status = ntvfs_handle_new(ntvfs, req, &h);
NT_STATUS_NOT_OK_RETURN(status);
@@ -240,156 +273,192 @@ static NTSTATUS ipc_open_generic(struct ntvfs_module_context *ntvfs,
p = talloc(h, struct pipe_state);
NT_STATUS_HAVE_NO_MEMORY(p);
- ep_description = talloc(req, struct dcerpc_binding);
- NT_STATUS_HAVE_NO_MEMORY(ep_description);
-
while (fname[0] == '\\') fname++;
p->pipe_name = talloc_asprintf(p, "\\pipe\\%s", fname);
NT_STATUS_HAVE_NO_MEMORY(p->pipe_name);
p->handle = h;
- p->ipc_state = 0x5ff;
-
- /*
- we're all set, now ask the dcerpc server subsystem to open the
- endpoint. At this stage the pipe isn't bound, so we don't
- know what interface the user actually wants, just that they want
- one of the interfaces attached to this pipe endpoint.
- */
- ep_description->transport = NCACN_NP;
- ep_description->endpoint = talloc_strdup(ep_description, p->pipe_name);
- NT_STATUS_HAVE_NO_MEMORY(ep_description->endpoint);
-
- /* The session info is refcount-increased in the
- * dcesrv_endpoint_search_connect() function
- */
- status = dcesrv_endpoint_search_connect(ipriv->dcesrv,
- p,
- ep_description,
- h->session_info,
- ntvfs->ctx->event_ctx,
- ntvfs->ctx->msg_ctx,
- ntvfs->ctx->server_id,
- 0,
- &p->dce_conn);
- NT_STATUS_NOT_OK_RETURN(status);
+ p->ipriv = ipriv;
- p->dce_conn->transport.private_data = ipriv;
- p->dce_conn->transport.report_output_data = NULL;
- p->dce_conn->transport.get_my_addr = ipc_get_my_addr;
- p->dce_conn->transport.get_peer_addr = ipc_get_peer_addr;
-
- DLIST_ADD(ipriv->pipe_list, p);
+ p->write_queue = tevent_queue_create(p, "ipc_write_queue");
+ NT_STATUS_HAVE_NO_MEMORY(p->write_queue);
- p->ipriv = ipriv;
+ p->read_queue = tevent_queue_create(p, "ipc_read_queue");
+ NT_STATUS_HAVE_NO_MEMORY(p->read_queue);
- talloc_set_destructor(p, ipc_fd_destructor);
+ state->ipriv = ipriv;
+ state->p = p;
+ state->req = req;
+ state->oi = oi;
- status = ntvfs_handle_set_backend_data(h, ipriv->ntvfs, p);
+ status = auth_convert_server_info_saminfo3(state,
+ req->session_info->server_info,
+ &state->info3);
NT_STATUS_NOT_OK_RETURN(status);
- *ps = p;
- return NT_STATUS_OK;
-}
+ client_sa = ntvfs_get_peer_addr(ntvfs, state);
+ if (!client_sa) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
-/*
- open a file with ntcreatex - used for MSRPC pipes
-*/
-static NTSTATUS ipc_open_ntcreatex(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, union smb_open *oi)
-{
- struct pipe_state *p;
- NTSTATUS status;
+ server_sa = ntvfs_get_my_addr(ntvfs, state);
+ if (!server_sa) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
- status = ipc_open_generic(ntvfs, req, oi->ntcreatex.in.fname, &p);
- if (!NT_STATUS_IS_OK(status)) {
+ ret = tsocket_address_inet_from_strings(state, "ip",
+ client_sa->addr,
+ client_sa->port,
+ &client_addr);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
return status;
}
- ZERO_STRUCT(oi->ntcreatex.out);
- oi->ntcreatex.out.file.ntvfs= p->handle;
- oi->ntcreatex.out.ipc_state = p->ipc_state;
- oi->ntcreatex.out.file_type = FILE_TYPE_MESSAGE_MODE_PIPE;
+ ret = tsocket_address_inet_from_strings(state, "ip",
+ server_sa->addr,
+ server_sa->port,
+ &server_addr);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(errno);
+ return status;
+ }
- return status;
-}
+ if (req->session_info->credentials) {
+ struct gssapi_creds_container *gcc;
+ OM_uint32 gret;
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+
+ ret = cli_credentials_get_client_gss_creds(req->session_info->credentials,
+ ipriv->ntvfs->ctx->event_ctx,
+ ipriv->ntvfs->ctx->lp_ctx,
+ &gcc);
+ if (ret) {
+ goto skip;
+ }
-/*
- open a file with openx - used for MSRPC pipes
-*/
-static NTSTATUS ipc_open_openx(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, union smb_open *oi)
-{
- struct pipe_state *p;
- NTSTATUS status;
- const char *fname = oi->openx.in.fname;
+ gret = gss_export_cred(&minor_status,
+ gcc->creds,
+ &cred_token);
+ if (gret != GSS_S_COMPLETE) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
- status = ipc_open_generic(ntvfs, req, fname, &p);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (cred_token.length) {
+ delegated_creds = data_blob_talloc(req,
+ cred_token.value,
+ cred_token.length);
+ gss_release_buffer(&minor_status, &cred_token);
+ NT_STATUS_HAVE_NO_MEMORY(delegated_creds.data);
+ }
}
- ZERO_STRUCT(oi->openx.out);
- oi->openx.out.file.ntvfs= p->handle;
- oi->openx.out.ftype = 2;
- oi->openx.out.devstate = p->ipc_state;
-
- return status;
+skip:
+
+ subreq = tstream_npa_connect_send(p,
+ ipriv->ntvfs->ctx->event_ctx,
+ smb_ic,
+ directory,
+ fname,
+ client_addr,
+ NULL,
+ server_addr,
+ NULL,
+ state->info3,
+ req->session_info->session_key,
+ delegated_creds);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+ tevent_req_set_callback(subreq, ipc_open_done, state);
+
+ req->async_states->state |= NTVFS_ASYNC_STATE_ASYNC;
+ return NT_STATUS_OK;
}
-/*
- open a file with SMB2 Create - used for MSRPC pipes
-*/
-static NTSTATUS ipc_open_smb2(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, union smb_open *oi)
+static void ipc_open_done(struct tevent_req *subreq)
{
- struct pipe_state *p;
+ struct ipc_open_state *state = tevent_req_callback_data(subreq,
+ struct ipc_open_state);
+ struct ipc_private *ipriv = state->ipriv;
+ struct pipe_state *p = state->p;
+ struct ntvfs_request *req = state->req;
+ union smb_open *oi = state->oi;
+ int ret;
+ int sys_errno;
NTSTATUS status;
- status = ipc_open_generic(ntvfs, req, oi->smb2.in.fname, &p);
- NT_STATUS_NOT_OK_RETURN(status);
-
- ZERO_STRUCT(oi->smb2.out);
- oi->smb2.out.file.ntvfs = p->handle;
- oi->smb2.out.oplock_level = oi->smb2.in.oplock_level;
- oi->smb2.out.create_action = NTCREATEX_ACTION_EXISTED;
- oi->smb2.out.create_time = 0;
- oi->smb2.out.access_time = 0;
- oi->smb2.out.write_time = 0;
- oi->smb2.out.change_time = 0;
- oi->smb2.out.alloc_size = 4096;
- oi->smb2.out.size = 0;
- oi->smb2.out.file_attr = FILE_ATTRIBUTE_NORMAL;
- oi->smb2.out.reserved2 = 0;
+ ret = tstream_npa_connect_recv(subreq, &sys_errno,
+ p, &p->npipe,
+ &p->file_type,
+ &p->device_state,
+ &p->allocation_size);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
+ }
- return status;
-}
+ DLIST_ADD(ipriv->pipe_list, p);
+ talloc_set_destructor(p, ipc_fd_destructor);
-/*
- open a file - used for MSRPC pipes
-*/
-static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs,
- struct ntvfs_request *req, union smb_open *oi)
-{
- NTSTATUS status;
+ status = ntvfs_handle_set_backend_data(p->handle, ipriv->ntvfs, p);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto reply;
+ }
switch (oi->generic.level) {
case RAW_OPEN_NTCREATEX:
- status = ipc_open_ntcreatex(ntvfs, req, oi);
+ ZERO_STRUCT(oi->ntcreatex.out);
+ oi->ntcreatex.out.file.ntvfs = p->handle;
+ oi->ntcreatex.out.oplock_level = 0;
+ oi->ntcreatex.out.create_action = NTCREATEX_ACTION_EXISTED;
+ oi->ntcreatex.out.create_time = 0;
+ oi->ntcreatex.out.access_time = 0;
+ oi->ntcreatex.out.write_time = 0;
+ oi->ntcreatex.out.change_time = 0;
+ oi->ntcreatex.out.attrib = FILE_ATTRIBUTE_NORMAL;
+ oi->ntcreatex.out.alloc_size = p->allocation_size;
+ oi->ntcreatex.out.size = 0;
+ oi->ntcreatex.out.file_type = p->file_type;
+ oi->ntcreatex.out.ipc_state = p->device_state;
+ oi->ntcreatex.out.is_directory = 0;
break;
case RAW_OPEN_OPENX:
- status = ipc_open_openx(ntvfs, req, oi);
+ ZERO_STRUCT(oi->openx.out);
+ oi->openx.out.file.ntvfs = p->handle;
+ oi->openx.out.attrib = FILE_ATTRIBUTE_NORMAL;
+ oi->openx.out.write_time = 0;
+ oi->openx.out.size = 0;
+ oi->openx.out.access = 0;
+ oi->openx.out.ftype = p->file_type;
+ oi->openx.out.devstate = p->device_state;
+ oi->openx.out.action = 0;
+ oi->openx.out.unique_fid = 0;
+ oi->openx.out.access_mask = 0;
+ oi->openx.out.unknown = 0;
break;
case RAW_OPEN_SMB2:
- status = ipc_open_smb2(ntvfs, req, oi);
+ ZERO_STRUCT(oi->smb2.out);
+ oi->smb2.out.file.ntvfs = p->handle;
+ oi->smb2.out.oplock_level = oi->smb2.in.oplock_level;
+ oi->smb2.out.create_action = NTCREATEX_ACTION_EXISTED;
+ oi->smb2.out.create_time = 0;
+ oi->smb2.out.access_time = 0;
+ oi->smb2.out.write_time = 0;
+ oi->smb2.out.change_time = 0;
+ oi->smb2.out.alloc_size = p->allocation_size;
+ oi->smb2.out.size = 0;
+ oi->smb2.out.file_attr = FILE_ATTRIBUTE_NORMAL;
+ oi->smb2.out.reserved2 = 0;
break;
default:
- status = NT_STATUS_NOT_SUPPORTED;
break;
}
- return status;
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
}
/*
@@ -428,28 +497,108 @@ static NTSTATUS ipc_copy(struct ntvfs_module_context *ntvfs,
return NT_STATUS_ACCESS_DENIED;
}
-static NTSTATUS ipc_readx_dcesrv_output(void *private_data, DATA_BLOB *out, size_t *nwritten)
+struct ipc_readv_next_vector_state {
+ uint8_t *buf;
+ size_t len;
+ off_t ofs;
+ size_t remaining;
+};
+
+static void ipc_readv_next_vector_init(struct ipc_readv_next_vector_state *s,
+ uint8_t *buf, size_t len)
+{
+ ZERO_STRUCTP(s);
+
+ s->buf = buf;
+ s->len = MIN(len, UINT16_MAX);
+ //DEBUG(0,("readv_next_vector_init[%u 0x%04X]\n", s->len, s->len));
+}
+
+static int ipc_readv_next_vector(struct tstream_context *stream,
+ void *private_data,
+ TALLOC_CTX *mem_ctx,
+ struct iovec **_vector,
+ size_t *count)
{
- DATA_BLOB *blob = private_data;
+ struct ipc_readv_next_vector_state *state =
+ (struct ipc_readv_next_vector_state *)private_data;
+ struct iovec *vector;
+ ssize_t pending;
+ size_t wanted;
+
+ if (state->ofs == state->len) {
+ *_vector = NULL;
+ *count = 0;
+// DEBUG(0,("readv_next_vector done ofs[%u 0x%04X]\n",
+// state->ofs, state->ofs));
+ return 0;
+ }
- if (out->length < blob->length) {
- blob->length = out->length;
+ pending = tstream_pending_bytes(stream);
+ if (pending == -1) {
+ return -1;
}
- memcpy(blob->data, out->data, blob->length);
- *nwritten = blob->length;
- return NT_STATUS_OK;
+
+ if (pending == 0 && state->ofs != 0) {
+ /* return a short read */
+ *_vector = NULL;
+ *count = 0;
+// DEBUG(0,("readv_next_vector short read ofs[%u 0x%04X]\n",
+// state->ofs, state->ofs));
+ return 0;
+ }
+
+ if (pending == 0) {
+ /* we want at least one byte and recheck again */
+ wanted = 1;
+ } else {
+ size_t missing = state->len - state->ofs;
+ if (pending > missing) {
+ /* there's more available */
+ state->remaining = pending - missing;
+ wanted = missing;
+ } else {
+ /* read what we can get and recheck in the next cycle */
+ wanted = pending;
+ }
+ }
+
+ vector = talloc_array(mem_ctx, struct iovec, 1);
+ if (!vector) {
+ return -1;
+ }
+
+ vector[0].iov_base = state->buf + state->ofs;
+ vector[0].iov_len = wanted;
+
+ state->ofs += wanted;
+
+ *_vector = vector;
+ *count = 1;
+ return 0;
}
+struct ipc_read_state {
+ struct ipc_private *ipriv;
+ struct pipe_state *p;
+ struct ntvfs_request *req;
+ union smb_read *rd;
+ struct ipc_readv_next_vector_state next_vector;
+};
+
+static void ipc_read_done(struct tevent_req *subreq);
+
/*
read from a file
*/
static NTSTATUS ipc_read(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, union smb_read *rd)
{
- struct ipc_private *ipriv = ntvfs->private_data;
- DATA_BLOB data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
- NTSTATUS status = NT_STATUS_OK;
+ struct ipc_read_state *state;
+ struct tevent_req *subreq;
if (rd->generic.level != RAW_READ_GENERIC) {
return ntvfs_map_read(ntvfs, req, rd);
@@ -460,58 +609,143 @@ static NTSTATUS ipc_read(struct ntvfs_module_context *ntvfs,
return NT_STATUS_INVALID_HANDLE;
}
- data.length = rd->readx.in.maxcnt;
- data.data = rd->readx.out.data;
- if (data.length > UINT16_MAX) {
- data.length = UINT16_MAX;
+ state = talloc(req, struct ipc_read_state);
+ NT_STATUS_HAVE_NO_MEMORY(state);
+
+ state->ipriv = ipriv;
+ state->p = p;
+ state->req = req;
+ state->rd = rd;
+
+ /* rd->readx.out.data is already allocated */
+ ipc_readv_next_vector_init(&state->next_vector,
+ rd->readx.out.data,
+ rd->readx.in.maxcnt);
+
+ subreq = tstream_readv_pdu_queue_send(req,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->read_queue,
+ ipc_readv_next_vector,
+ &state->next_vector);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+ tevent_req_set_callback(subreq, ipc_read_done, state);
+
+ req->async_states->state |= NTVFS_ASYNC_STATE_ASYNC;
+ return NT_STATUS_OK;
+}
+
+static void ipc_read_done(struct tevent_req *subreq)
+{
+ struct ipc_read_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_read_state);
+ struct ntvfs_request *req = state->req;
+ union smb_read *rd = state->rd;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_readv_pdu_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
}
- if (data.length != 0) {
- status = dcesrv_output(p->dce_conn, &data, ipc_readx_dcesrv_output);
- if (NT_STATUS_IS_ERR(status)) {
- return status;
- }
+ status = NT_STATUS_OK;
+ if (state->next_vector.remaining > 0) {
+ status = STATUS_BUFFER_OVERFLOW;
}
- rd->readx.out.remaining = 0;
+ rd->readx.out.remaining = state->next_vector.remaining;
rd->readx.out.compaction_mode = 0;
- rd->readx.out.nread = data.length;
+ rd->readx.out.nread = ret;
- return status;
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
}
+struct ipc_write_state {
+ struct ipc_private *ipriv;
+ struct pipe_state *p;
+ struct ntvfs_request *req;
+ union smb_write *wr;
+ struct iovec iov;
+};
+
+static void ipc_write_done(struct tevent_req *subreq);
+
/*
write to a file
*/
static NTSTATUS ipc_write(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, union smb_write *wr)
{
- struct ipc_private *ipriv = ntvfs->private_data;
- DATA_BLOB data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
- NTSTATUS status;
+ struct tevent_req *subreq;
+ struct ipc_write_state *state;
if (wr->generic.level != RAW_WRITE_GENERIC) {
return ntvfs_map_write(ntvfs, req, wr);
}
- data.data = discard_const_p(void, wr->writex.in.data);
- data.length = wr->writex.in.count;
-
p = pipe_state_find(ipriv, wr->writex.in.file.ntvfs);
if (!p) {
return NT_STATUS_INVALID_HANDLE;
}
- status = dcesrv_input(p->dce_conn, &data);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ state = talloc(req, struct ipc_write_state);
+ NT_STATUS_HAVE_NO_MEMORY(state);
+
+ state->ipriv = ipriv;
+ state->p = p;
+ state->req = req;
+ state->wr = wr;
+ state->iov.iov_base = discard_const_p(void, wr->writex.in.data);
+ state->iov.iov_len = wr->writex.in.count;
+
+ subreq = tstream_writev_queue_send(state,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->write_queue,
+ &state->iov, 1);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+ tevent_req_set_callback(subreq, ipc_write_done, state);
+
+ req->async_states->state |= NTVFS_ASYNC_STATE_ASYNC;
+ return NT_STATUS_OK;
+}
+
+static void ipc_write_done(struct tevent_req *subreq)
+{
+ struct ipc_write_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_write_state);
+ struct ntvfs_request *req = state->req;
+ union smb_write *wr = state->wr;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_writev_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
}
- wr->writex.out.nwritten = data.length;
+ status = NT_STATUS_OK;
+
+ wr->writex.out.nwritten = ret;
wr->writex.out.remaining = 0;
- return NT_STATUS_OK;
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
}
/*
@@ -540,7 +774,8 @@ static NTSTATUS ipc_flush(struct ntvfs_module_context *ntvfs,
static NTSTATUS ipc_close(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, union smb_close *io)
{
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
if (io->generic.level != RAW_CLOSE_CLOSE) {
@@ -563,7 +798,8 @@ static NTSTATUS ipc_close(struct ntvfs_module_context *ntvfs,
static NTSTATUS ipc_exit(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req)
{
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p, *next;
for (p=ipriv->pipe_list; p; p=next) {
@@ -583,7 +819,8 @@ static NTSTATUS ipc_exit(struct ntvfs_module_context *ntvfs,
static NTSTATUS ipc_logoff(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req)
{
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p, *next;
for (p=ipriv->pipe_list; p; p=next) {
@@ -639,7 +876,8 @@ static NTSTATUS ipc_setfileinfo(struct ntvfs_module_context *ntvfs,
static NTSTATUS ipc_qfileinfo(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, union smb_fileinfo *info)
{
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p = pipe_state_find(ipriv, info->generic.in.file.ntvfs);
if (!p) {
return NT_STATUS_INVALID_HANDLE;
@@ -724,32 +962,29 @@ static NTSTATUS ipc_search_close(struct ntvfs_module_context *ntvfs,
return NT_STATUS_ACCESS_DENIED;
}
-static NTSTATUS ipc_trans_dcesrv_output(void *private_data, DATA_BLOB *out, size_t *nwritten)
-{
- NTSTATUS status = NT_STATUS_OK;
- DATA_BLOB *blob = private_data;
-
- if (out->length > blob->length) {
- status = STATUS_BUFFER_OVERFLOW;
- }
+struct ipc_trans_state {
+ struct ipc_private *ipriv;
+ struct pipe_state *p;
+ struct ntvfs_request *req;
+ struct smb_trans2 *trans;
+ struct iovec writev_iov;
+ struct ipc_readv_next_vector_state next_vector;
+};
- if (out->length < blob->length) {
- blob->length = out->length;
- }
- memcpy(blob->data, out->data, blob->length);
- *nwritten = blob->length;
- return status;
-}
+static void ipc_trans_writev_done(struct tevent_req *subreq);
+static void ipc_trans_readv_done(struct tevent_req *subreq);
/* SMBtrans - handle a DCERPC command */
static NTSTATUS ipc_dcerpc_cmd(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, struct smb_trans2 *trans)
{
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
- struct ipc_private *ipriv = ntvfs->private_data;
- NTSTATUS status;
DATA_BLOB fnum_key;
uint16_t fnum;
+ struct ipc_trans_state *state;
+ struct tevent_req *subreq;
/*
* the fnum is in setup[1], a 16 bit value
@@ -765,43 +1000,122 @@ static NTSTATUS ipc_dcerpc_cmd(struct ntvfs_module_context *ntvfs,
return NT_STATUS_INVALID_HANDLE;
}
- trans->out.data = data_blob_talloc(req, NULL, trans->in.max_data);
- if (!trans->out.data.data) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* pass the data to the dcerpc server. Note that we don't
- expect this to fail, and things like NDR faults are not
- reported at this stage. Those sorts of errors happen in the
- dcesrv_output stage */
- status = dcesrv_input(p->dce_conn, &trans->in.data);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
/*
- now ask the dcerpc system for some output. This doesn't yet handle
- async calls. Again, we only expect NT_STATUS_OK. If the call fails then
- the error is encoded at the dcerpc level
- */
- status = dcesrv_output(p->dce_conn, &trans->out.data, ipc_trans_dcesrv_output);
- if (NT_STATUS_IS_ERR(status)) {
- return status;
+ * Trans requests are only allowed
+ * if no other Trans or Read is active
+ */
+ if (tevent_queue_length(p->read_queue) > 0) {
+ return NT_STATUS_PIPE_BUSY;
}
+ state = talloc(req, struct ipc_trans_state);
+ NT_STATUS_HAVE_NO_MEMORY(state);
+
trans->out.setup_count = 0;
trans->out.setup = NULL;
trans->out.params = data_blob(NULL, 0);
+ trans->out.data = data_blob_talloc(req, NULL, trans->in.max_data);
+ NT_STATUS_HAVE_NO_MEMORY(trans->out.data.data);
+
+ state->ipriv = ipriv;
+ state->p = p;
+ state->req = req;
+ state->trans = trans;
+ state->writev_iov.iov_base = trans->in.data.data;
+ state->writev_iov.iov_len = trans->in.data.length;
+
+ ipc_readv_next_vector_init(&state->next_vector,
+ trans->out.data.data,
+ trans->out.data.length);
+
+ subreq = tstream_writev_queue_send(state,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->write_queue,
+ &state->writev_iov, 1);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+ tevent_req_set_callback(subreq, ipc_trans_writev_done, state);
+
+ req->async_states->state |= NTVFS_ASYNC_STATE_ASYNC;
+ return NT_STATUS_OK;
+}
- return status;
+static void ipc_trans_writev_done(struct tevent_req *subreq)
+{
+ struct ipc_trans_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_trans_state);
+ struct ipc_private *ipriv = state->ipriv;
+ struct pipe_state *p = state->p;
+ struct ntvfs_request *req = state->req;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_writev_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == 0) {
+ status = NT_STATUS_PIPE_DISCONNECTED;
+ goto reply;
+ } else if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
+ }
+
+ subreq = tstream_readv_pdu_queue_send(state,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->read_queue,
+ ipc_readv_next_vector,
+ &state->next_vector);
+ if (!subreq) {
+ status = NT_STATUS_NO_MEMORY;
+ goto reply;
+ }
+ tevent_req_set_callback(subreq, ipc_trans_readv_done, state);
+ return;
+
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
}
+static void ipc_trans_readv_done(struct tevent_req *subreq)
+{
+ struct ipc_trans_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_trans_state);
+ struct ntvfs_request *req = state->req;
+ struct smb_trans2 *trans = state->trans;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_readv_pdu_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
+ }
+
+ status = NT_STATUS_OK;
+ if (state->next_vector.remaining > 0) {
+ status = STATUS_BUFFER_OVERFLOW;
+ }
+
+ trans->out.data.length = ret;
+
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
+}
/* SMBtrans - set named pipe state */
static NTSTATUS ipc_set_nm_pipe_state(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, struct smb_trans2 *trans)
{
- struct ipc_private *ipriv = ntvfs->private_data;
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
DATA_BLOB fnum_key;
@@ -816,7 +1130,11 @@ static NTSTATUS ipc_set_nm_pipe_state(struct ntvfs_module_context *ntvfs,
if (trans->in.params.length != 2) {
return NT_STATUS_INVALID_PARAMETER;
}
- p->ipc_state = SVAL(trans->in.params.data, 0);
+
+ /*
+ * TODO: pass this to the tstream_npa logic
+ */
+ p->device_state = SVAL(trans->in.params.data, 0);
trans->out.setup_count = 0;
trans->out.setup = NULL;
@@ -855,12 +1173,26 @@ static NTSTATUS ipc_trans(struct ntvfs_module_context *ntvfs,
return status;
}
+struct ipc_ioctl_state {
+ struct ipc_private *ipriv;
+ struct pipe_state *p;
+ struct ntvfs_request *req;
+ union smb_ioctl *io;
+ struct iovec writev_iov;
+ struct ipc_readv_next_vector_state next_vector;
+};
+
+static void ipc_ioctl_writev_done(struct tevent_req *subreq);
+static void ipc_ioctl_readv_done(struct tevent_req *subreq);
+
static NTSTATUS ipc_ioctl_smb2(struct ntvfs_module_context *ntvfs,
struct ntvfs_request *req, union smb_ioctl *io)
{
+ struct ipc_private *ipriv = talloc_get_type_abort(ntvfs->private_data,
+ struct ipc_private);
struct pipe_state *p;
- struct ipc_private *ipriv = ntvfs->private_data;
- NTSTATUS status;
+ struct ipc_ioctl_state *state;
+ struct tevent_req *subreq;
switch (io->smb2.in.function) {
case FSCTL_NAMED_PIPE_READ_WRITE:
@@ -875,31 +1207,113 @@ static NTSTATUS ipc_ioctl_smb2(struct ntvfs_module_context *ntvfs,
return NT_STATUS_INVALID_HANDLE;
}
- io->smb2.out.out = data_blob_talloc(req, NULL, io->smb2.in.max_response_size);
- NT_STATUS_HAVE_NO_MEMORY(io->smb2.out.out.data);
-
- /* pass the data to the dcerpc server. Note that we don't
- expect this to fail, and things like NDR faults are not
- reported at this stage. Those sorts of errors happen in the
- dcesrv_output stage */
- status = dcesrv_input(p->dce_conn, &io->smb2.in.out);
- NT_STATUS_NOT_OK_RETURN(status);
-
/*
- now ask the dcerpc system for some output. This doesn't yet handle
- async calls. Again, we only expect NT_STATUS_OK. If the call fails then
- the error is encoded at the dcerpc level
- */
- status = dcesrv_output(p->dce_conn, &io->smb2.out.out, ipc_trans_dcesrv_output);
- NT_STATUS_IS_ERR_RETURN(status);
+ * Trans requests are only allowed
+ * if no other Trans or Read is active
+ */
+ if (tevent_queue_length(p->read_queue) > 0) {
+ return NT_STATUS_PIPE_BUSY;
+ }
+
+ state = talloc(req, struct ipc_ioctl_state);
+ NT_STATUS_HAVE_NO_MEMORY(state);
io->smb2.out._pad = 0;
io->smb2.out.function = io->smb2.in.function;
io->smb2.out.unknown2 = 0;
io->smb2.out.unknown3 = 0;
io->smb2.out.in = io->smb2.in.out;
+ io->smb2.out.out = data_blob_talloc(req, NULL, io->smb2.in.max_response_size);
+ NT_STATUS_HAVE_NO_MEMORY(io->smb2.out.out.data);
- return status;
+ state->ipriv = ipriv;
+ state->p = p;
+ state->req = req;
+ state->io = io;
+ state->writev_iov.iov_base = io->smb2.in.out.data;
+ state->writev_iov.iov_len = io->smb2.in.out.length;
+
+ ipc_readv_next_vector_init(&state->next_vector,
+ io->smb2.out.out.data,
+ io->smb2.out.out.length);
+
+ subreq = tstream_writev_queue_send(state,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->write_queue,
+ &state->writev_iov, 1);
+ NT_STATUS_HAVE_NO_MEMORY(subreq);
+ tevent_req_set_callback(subreq, ipc_ioctl_writev_done, state);
+
+ req->async_states->state |= NTVFS_ASYNC_STATE_ASYNC;
+ return NT_STATUS_OK;
+}
+
+static void ipc_ioctl_writev_done(struct tevent_req *subreq)
+{
+ struct ipc_ioctl_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_ioctl_state);
+ struct ipc_private *ipriv = state->ipriv;
+ struct pipe_state *p = state->p;
+ struct ntvfs_request *req = state->req;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_writev_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
+ }
+
+ subreq = tstream_readv_pdu_queue_send(state,
+ ipriv->ntvfs->ctx->event_ctx,
+ p->npipe,
+ p->read_queue,
+ ipc_readv_next_vector,
+ &state->next_vector);
+ if (!subreq) {
+ status = NT_STATUS_NO_MEMORY;
+ goto reply;
+ }
+ tevent_req_set_callback(subreq, ipc_ioctl_readv_done, state);
+ return;
+
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
+}
+
+static void ipc_ioctl_readv_done(struct tevent_req *subreq)
+{
+ struct ipc_ioctl_state *state =
+ tevent_req_callback_data(subreq,
+ struct ipc_ioctl_state);
+ struct ntvfs_request *req = state->req;
+ union smb_ioctl *io = state->io;
+ int ret;
+ int sys_errno;
+ NTSTATUS status;
+
+ ret = tstream_readv_pdu_queue_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret == -1) {
+ status = map_nt_error_from_unix(sys_errno);
+ goto reply;
+ }
+
+ status = NT_STATUS_OK;
+ if (state->next_vector.remaining > 0) {
+ status = STATUS_BUFFER_OVERFLOW;
+ }
+
+ io->smb2.out.out.length = ret;
+
+reply:
+ req->async_states->status = status;
+ req->async_states->send_fn(req);
}
/*
diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk
index 93617c2c98..527770a8cd 100644
--- a/source4/rpc_server/config.mk
+++ b/source4/rpc_server/config.mk
@@ -230,3 +230,6 @@ SUBSYSTEM = service
PRIVATE_DEPENDENCIES = dcerpc_server
DCESRV_OBJ_FILES = $(rpc_serversrcdir)/service_rpc.o
+
+$(eval $(call proto_header_template,$(rpc_serversrcdir)/service_rpc.h,$(DCESRV_OBJ_FILES:.o=.c)))
+
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index f2402605d9..e055d1671b 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -339,44 +339,6 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
return NT_STATUS_OK;
}
-/*
- search and connect to a dcerpc endpoint
-*/
-_PUBLIC_ NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx,
- TALLOC_CTX *mem_ctx,
- const struct dcerpc_binding *ep_description,
- struct auth_session_info *session_info,
- struct tevent_context *event_ctx,
- struct messaging_context *msg_ctx,
- struct server_id server_id,
- uint32_t state_flags,
- struct dcesrv_connection **dce_conn_p)
-{
- NTSTATUS status;
- const struct dcesrv_endpoint *ep;
-
- /* make sure this endpoint exists */
- ep = find_endpoint(dce_ctx, ep_description);
- if (!ep) {
- return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- }
-
- status = dcesrv_endpoint_connect(dce_ctx, mem_ctx, ep, session_info,
- event_ctx, msg_ctx, server_id,
- state_flags, dce_conn_p);
- NT_STATUS_NOT_OK_RETURN(status);
-
- (*dce_conn_p)->auth_state.session_key = dcesrv_inherited_session_key;
-
- /* TODO: check security descriptor of the endpoint here
- * if it's a smb named pipe
- * if it's failed free dce_conn_p
- */
-
- return NT_STATUS_OK;
-}
-
-
static void dcesrv_init_hdr(struct ncacn_packet *pkt, bool bigendian)
{
pkt->rpc_vers = 5;
@@ -1255,133 +1217,6 @@ NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
return status;
}
-
-/*
- provide some input to a dcerpc endpoint server. This passes data
- from a dcerpc client into the server
-*/
-_PUBLIC_ NTSTATUS dcesrv_input(struct dcesrv_connection *dce_conn, const DATA_BLOB *data)
-{
- dce_conn->partial_input.data = talloc_realloc(dce_conn,
- dce_conn->partial_input.data,
- uint8_t,
- dce_conn->partial_input.length + data->length);
- if (!dce_conn->partial_input.data) {
- return NT_STATUS_NO_MEMORY;
- }
- memcpy(dce_conn->partial_input.data + dce_conn->partial_input.length,
- data->data, data->length);
- dce_conn->partial_input.length += data->length;
-
- while (dce_full_packet(&dce_conn->partial_input)) {
- NTSTATUS status;
- struct ndr_pull *ndr;
- enum ndr_err_code ndr_err;
- DATA_BLOB blob;
- struct ncacn_packet *pkt;
-
- blob = dce_conn->partial_input;
- blob.length = dcerpc_get_frag_length(&blob);
- blob = data_blob_talloc(dce_conn, blob.data, blob.length);
- if (!blob.data) {
- data_blob_free(&dce_conn->partial_input);
- return NT_STATUS_NO_MEMORY;
- }
-
- dce_partial_advance(dce_conn, blob.length);
-
- pkt = talloc(dce_conn, struct ncacn_packet);
- if (!pkt) {
- data_blob_free(&blob);
- return NT_STATUS_NO_MEMORY;
- }
-
- ndr = ndr_pull_init_blob(&blob, pkt, lp_iconv_convenience(dce_conn->dce_ctx->lp_ctx));
- if (!ndr) {
- data_blob_free(&blob);
- talloc_free(pkt);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (!(CVAL(blob.data, DCERPC_DREP_OFFSET) & DCERPC_DREP_LE)) {
- ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
- }
-
- if (CVAL(blob.data, DCERPC_PFC_OFFSET) & DCERPC_PFC_FLAG_OBJECT_UUID) {
- ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
- }
-
- ndr_err = ndr_pull_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
- TALLOC_FREE(ndr);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- data_blob_free(&blob);
- talloc_free(pkt);
- return ndr_map_error2ntstatus(ndr_err);
- }
-
- status = dcesrv_process_ncacn_packet(dce_conn, pkt, blob);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
- }
-
- return NT_STATUS_OK;
-}
-
-/*
- retrieve some output from a dcerpc server
- The caller supplies a function that will be called to do the
- actual output.
-
- The first argument to write_fn() will be 'private', the second will
- be a pointer to a buffer containing the data to be sent and the 3rd
- will be a pointer to a size_t variable that will be set to the
- number of bytes that are consumed from the output.
-
- from the current fragment
-*/
-_PUBLIC_ NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
- void *private_data,
- NTSTATUS (*write_fn)(void *private_data, DATA_BLOB *output, size_t *nwritten))
-{
- NTSTATUS status;
- struct dcesrv_call_state *call;
- struct data_blob_list_item *rep;
- size_t nwritten;
-
- call = dce_conn->call_list;
- if (!call || !call->replies) {
- if (dce_conn->pending_call_list) {
- /* TODO: we need to say act async here
- * as we know we have pending requests
- * which will be finished at a time
- */
- return NT_STATUS_FOOBAR;
- }
- return NT_STATUS_FOOBAR;
- }
- rep = call->replies;
-
- status = write_fn(private_data, &rep->blob, &nwritten);
- NT_STATUS_IS_ERR_RETURN(status);
-
- rep->blob.length -= nwritten;
- rep->blob.data += nwritten;
-
- if (rep->blob.length == 0) {
- /* we're done with this section of the call */
- DLIST_REMOVE(call->replies, rep);
- }
-
- if (call->replies == NULL) {
- /* we're done with the whole call */
- dcesrv_call_set_list(call, DCESRV_LIST_NONE);
- talloc_free(call);
- }
-
- return status;
-}
-
_PUBLIC_ NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char **endpoint_servers, struct dcesrv_context **_dce_ctx)
@@ -1534,22 +1369,3 @@ const struct dcesrv_critical_sizes *dcerpc_module_version(void)
return &critical_sizes;
}
-/*
- initialise the dcerpc server context for ncacn_np based services
-*/
-_PUBLIC_ NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
- struct dcesrv_context **_dce_ctx)
-{
- NTSTATUS status;
- struct dcesrv_context *dce_ctx;
-
- dcerpc_server_init(lp_ctx);
-
- status = dcesrv_init_context(mem_ctx, lp_ctx, lp_dcerpc_endpoint_servers(lp_ctx), &dce_ctx);
- NT_STATUS_NOT_OK_RETURN(status);
-
- *_dce_ctx = dce_ctx;
- return NT_STATUS_OK;
-}
-
-
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 23806630d2..0c4d4d413d 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -298,21 +298,6 @@ NTSTATUS dcerpc_register_ep_server(const void *_ep_server);
NTSTATUS dcesrv_init_context(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char **endpoint_servers, struct dcesrv_context **_dce_ctx);
-NTSTATUS dcesrv_init_ipc_context(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx,
- struct dcesrv_context **_dce_ctx);
-NTSTATUS dcesrv_endpoint_search_connect(struct dcesrv_context *dce_ctx,
- TALLOC_CTX *mem_ctx,
- const struct dcerpc_binding *ep_description,
- struct auth_session_info *session_info,
- struct tevent_context *event_ctx,
- struct messaging_context *msg_ctx,
- struct server_id server_id,
- uint32_t state_flags,
- struct dcesrv_connection **dce_conn_p);
-NTSTATUS dcesrv_output(struct dcesrv_connection *dce_conn,
- void *private_data,
- NTSTATUS (*write_fn)(void *private_data, DATA_BLOB *output, size_t *nwritten));
-NTSTATUS dcesrv_input(struct dcesrv_connection *dce_conn, const DATA_BLOB *data);
NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
TALLOC_CTX *mem_ctx,
const struct dcesrv_endpoint *ep,
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index 01bc00762d..3d5c364ec9 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -28,6 +28,7 @@
#include "../lib/util/dlinklist.h"
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/dcerpc_server_proto.h"
+#include "rpc_server/service_rpc.h"
#include "lib/events/events.h"
#include "smbd/service_task.h"
#include "smbd/service_stream.h"
@@ -658,11 +659,11 @@ static NTSTATUS dcesrv_add_ep_tcp(struct dcesrv_context *dce_ctx,
return NT_STATUS_OK;
}
-
-static NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
- struct loadparm_context *lp_ctx,
- struct dcesrv_endpoint *e,
- struct tevent_context *event_ctx, const struct model_ops *model_ops)
+NTSTATUS dcesrv_add_ep(struct dcesrv_context *dce_ctx,
+ struct loadparm_context *lp_ctx,
+ struct dcesrv_endpoint *e,
+ struct tevent_context *event_ctx,
+ const struct model_ops *model_ops)
{
switch (e->ep_description->transport) {
case NCACN_UNIX_STREAM:
diff --git a/source4/scripting/bin/fullschema b/source4/scripting/bin/fullschema
index 4c73100492..4a01b6aed0 100755
--- a/source4/scripting/bin/fullschema
+++ b/source4/scripting/bin/fullschema
@@ -1,6 +1,6 @@
#!/usr/bin/python
#
-# work out the minimal schema for a set of objectclasses
+# Works out the full schema
#
import base64
diff --git a/source4/scripting/bin/minschema b/source4/scripting/bin/minschema
index c860495e96..43f7816116 100755
--- a/source4/scripting/bin/minschema
+++ b/source4/scripting/bin/minschema
@@ -1,6 +1,6 @@
#!/usr/bin/python
#
-# work out the minimal schema for a set of objectclasses
+# Works out the minimal schema for a set of objectclasses
#
import base64
diff --git a/source4/scripting/bin/reorgldb.py b/source4/scripting/bin/reorgldb.py
new file mode 100755
index 0000000000..571363fdc7
--- /dev/null
+++ b/source4/scripting/bin/reorgldb.py
@@ -0,0 +1,60 @@
+#!/usr/bin/python
+#
+# Copyright (C) Matthieu Patou <mat@matws.net> 2009
+# This script realize an offline reorganisation of an LDB
+# file it helps to reduce (sometime drastically) the
+# size of LDB files.
+import sys
+import optparse
+import os
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+from samba import Ldb, substitute_var, valid_netbios_name, check_all_substituted
+from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError
+import ldb
+import samba.getopt as options
+from samba.samdb import SamDB
+from samba import param
+from samba.provision import ProvisionPaths, ProvisionNames,provision_paths_from_lp, Schema
+
+parser = optparse.OptionParser("provision [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--database", type="string", metavar="FILE",
+ help="LDB to reorganize")
+opts = parser.parse_args()[0]
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+
+if not opts.database:
+ print "Parameter database is mandatory"
+ sys.exit(1)
+creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+session = system_session()
+empty = ldb.Message()
+newname="%s.new"%(opts.database)
+if os.path.exists(newname):
+ os.remove(newname)
+old_ldb = Ldb(opts.database, session_info=session, credentials=creds,lp=lp)
+new_ldb = Ldb(newname,session_info=session, credentials=creds,lp=lp)
+
+new_ldb.transaction_start()
+res = old_ldb.search(expression="(dn=*)",base="", scope=SCOPE_SUBTREE)
+for i in range(0,len(res)):
+ if str(res[i].dn) == "@BASEINFO":
+ continue
+ if str(res[i].dn).startswith("@INDEX:"):
+ continue
+ delta = new_ldb.msg_diff(empty,res[i])
+ delta.dn = res[i].dn
+ delta.remove("distinguishedName")
+ new_ldb.add(delta)
+
+new_ldb.transaction_commit()
diff --git a/source4/scripting/python/samba/idmap.py b/source4/scripting/python/samba/idmap.py
index acc98a56e8..ad209f42de 100644
--- a/source4/scripting/python/samba/idmap.py
+++ b/source4/scripting/python/samba/idmap.py
@@ -34,7 +34,7 @@ class IDmapDB(samba.Ldb):
def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
credentials=None, flags=0, options=None):
- """Opens the IDmap Database.
+ """Opens the IDMap Database
For parameter meanings see the super class (samba.Ldb)
"""
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 4840efcb63..065677fa68 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -44,7 +44,7 @@ from credentials import Credentials, DONT_USE_KERBEROS
from auth import system_session, admin_session
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted
-from samba import DS_DOMAIN_FUNCTION_2008_R2, DS_DC_FUNCTION_2008_R2
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DC_FUNCTION_2008_R2
from samba.samdb import SamDB
from samba.idmap import IDmapDB
from samba.dcerpc import security
@@ -835,8 +835,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
:note: This will wipe the main SAM database file!
"""
- domainFunctionality = DS_DOMAIN_FUNCTION_2008_R2
- forestFunctionality = DS_DOMAIN_FUNCTION_2008_R2
+ domainFunctionality = DS_DOMAIN_FUNCTION_2000
+ forestFunctionality = DS_DOMAIN_FUNCTION_2000
domainControllerFunctionality = DS_DC_FUNCTION_2008_R2
# Also wipes the database
@@ -978,6 +978,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
"DOMAINDN": names.domaindn})
message("Setting up sam.ldb data")
setup_add_ldif(samdb, setup_path("provision.ldif"), {
+ "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks
"DOMAINDN": names.domaindn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
@@ -1005,10 +1006,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality)
- # add the NTDSGUID based SPNs
+
ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
- names.ntdsguid = samdb.searchone(basedn=ntds_dn, attribute="objectGUID",
- expression="", scope=SCOPE_BASE)
+ names.ntdsguid = samdb.searchone(basedn=ntds_dn,
+ attribute="objectGUID", expression="", scope=SCOPE_BASE)
assert isinstance(names.ntdsguid, str)
except:
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index a58d6c5b12..ef2a0b1644 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -37,7 +37,7 @@ class SamDB(samba.Ldb):
def __init__(self, url=None, lp=None, modules_dir=None, session_info=None,
credentials=None, flags=0, options=None):
- """Opens the Sam Database.
+ """Opens the SAM Database
For parameter meanings see the super class (samba.Ldb)
"""
@@ -55,13 +55,25 @@ class SamDB(samba.Ldb):
super(SamDB, self).connect(url=self.lp.private_path(url), flags=flags,
options=options)
- def enable_account(self, user_dn):
- """Enable an account.
+ def domain_dn(self):
+ # find the DNs for the domain
+ res = self.search(base="",
+ scope=ldb.SCOPE_BASE,
+ expression="(defaultNamingContext=*)",
+ attrs=["defaultNamingContext"])
+ assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
+ return res[0]["defaultNamingContext"][0]
+
+ def enable_account(self, filter):
+ """Enables an account
- :param user_dn: Dn of the account to enable.
+ :param filter: LDAP filter to find the user (eg samccountname=name)
"""
- res = self.search(user_dn, ldb.SCOPE_BASE, None, ["userAccountControl"])
- assert len(res) == 1
+ res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=filter, attrs=["userAccountControl"])
+ assert(len(res) == 1)
+ user_dn = res[0].dn
+
userAccountControl = int(res[0]["userAccountControl"][0])
if (userAccountControl & 0x2):
userAccountControl = userAccountControl & ~0x2 # remove disabled bit
@@ -76,11 +88,16 @@ userAccountControl: %u
""" % (user_dn, userAccountControl)
self.modify_ldif(mod)
- def force_password_change_at_next_login(self, user_dn):
- """Force a password change at next login
+ def force_password_change_at_next_login(self, filter):
+ """Forces a password change at next login
- :param user_dn: Dn of the account to force password change on
+ :param filter: LDAP filter to find the user (eg samccountname=name)
"""
+ res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
+ expression=filter, attrs=[])
+ assert(len(res) == 1)
+ user_dn = res[0].dn
+
mod = """
dn: %s
changetype: modify
@@ -89,17 +106,12 @@ pwdLastSet: 0
""" % (user_dn)
self.modify_ldif(mod)
- def domain_dn(self):
- # find the DNs for the domain
- res = self.search(base="",
- scope=ldb.SCOPE_BASE,
- expression="(defaultNamingContext=*)",
- attrs=["defaultNamingContext"])
- assert(len(res) == 1 and res[0]["defaultNamingContext"] is not None)
- return res[0]["defaultNamingContext"][0]
-
def newuser(self, username, unixname, password, force_password_change_at_next_login=False):
- """add a new user record.
+ """Adds a new user
+
+ Note: This call uses the "userPassword" attribute to set the password.
+ This works correctly on SAMBA 4 DCs and on Windows DCs with
+ "2003 Native" or higer domain function level.
:param username: Name of the new user.
:param unixname: Name of the unix user to map to.
@@ -110,11 +122,8 @@ pwdLastSet: 0
try:
user_dn = "CN=%s,CN=Users,%s" % (username, self.domain_dn())
- #
- # the new user record. note the reliance on the samdb module to
- # fill in a sid, guid etc
- #
- # now the real work
+ # The new user record. Note the reliance on the SAMLDB module which
+ # fills in the default informations
self.add({"dn": user_dn,
"sAMAccountName": username,
"userPassword": password,
@@ -130,30 +139,34 @@ pwdLastSet: 0
idmap = IDmapDB(lp=self.lp)
user = pwd.getpwnam(unixname)
+
# setup ID mapping for this UID
-
idmap.setup_name_mapping(user_sid, idmap.TYPE_UID, user[2])
except KeyError:
pass
if force_password_change_at_next_login:
- self.force_password_change_at_next_login(user_dn)
+ self.force_password_change_at_next_login("(dn=" + user_dn + ")")
# modify the userAccountControl to remove the disabled bit
- self.enable_account(user_dn)
+ self.enable_account("(dn=" + user_dn + ")")
except:
self.transaction_cancel()
raise
self.transaction_commit()
def setpassword(self, filter, password, force_password_change_at_next_login=False):
- """Set a password on a user record
+ """Sets the password for a user
+ Note: This call uses the "userPassword" attribute to set the password.
+ This works correctly on SAMBA 4 DCs and on Windows DCs with
+ "2003 Native" or higer domain function level.
+
:param filter: LDAP filter to find the user (eg samccountname=name)
:param password: Password for the user
+ :param force_password_change_at_next_login: Force password change
"""
- # connect to the sam
self.transaction_start()
try:
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
@@ -174,24 +187,27 @@ userPassword:: %s
self.force_password_change_at_next_login(user_dn)
# modify the userAccountControl to remove the disabled bit
- self.enable_account(user_dn)
+ self.enable_account(filter)
except:
self.transaction_cancel()
raise
self.transaction_commit()
- def setexpiry(self, user, expiry_seconds, noexpiry):
- """Set the account expiry for a user
+ def setexpiry(self, filter, expiry_seconds, noexpiry=False):
+ """Sets the account expiry for a user
+ :param filter: LDAP filter to find the user (eg samccountname=name)
:param expiry_seconds: expiry time from now in seconds
:param noexpiry: if set, then don't expire password
"""
self.transaction_start()
try:
res = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
- expression=("(samAccountName=%s)" % user),
+ expression=filter,
attrs=["userAccountControl", "accountExpires"])
assert len(res) == 1
+ user_dn = res[0].dn
+
userAccountControl = int(res[0]["userAccountControl"][0])
accountExpires = int(res[0]["accountExpires"][0])
if noexpiry:
@@ -201,16 +217,16 @@ userPassword:: %s
userAccountControl = userAccountControl & ~0x10000
accountExpires = glue.unix2nttime(expiry_seconds + int(time.time()))
- mod = """
+ setexp = """
dn: %s
changetype: modify
replace: userAccountControl
userAccountControl: %u
replace: accountExpires
accountExpires: %u
-""" % (res[0].dn, userAccountControl, accountExpires)
- # now change the database
- self.modify_ldif(mod)
+""" % (user_dn, userAccountControl, accountExpires)
+
+ self.modify_ldif(setexp)
except:
self.transaction_cancel()
raise
diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel
new file mode 100755
index 0000000000..811e29cb2d
--- /dev/null
+++ b/source4/setup/domainlevel
@@ -0,0 +1,187 @@
+#!/usr/bin/python
+#
+# Raises domain and forest function levels
+#
+# Copyright Matthias Dieter Wallnoefer 2009
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
+import samba.getopt as options
+import optparse
+import ldb
+
+from samba.auth import system_session
+from samba.samdb import SamDB
+from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003
+from samba import DS_DOMAIN_FUNCTION_2008, DS_DOMAIN_FUNCTION_2008_R2
+
+parser = optparse.OptionParser("domainlevel (show | raise <options>)")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--quiet", help="Be quiet", action="store_true")
+parser.add_option("--forest",
+ help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+parser.add_option("--domain",
+ help="The domain function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str)
+opts, args = parser.parse_args()
+
+#
+# print a message if quiet is not set
+#
+def message(text):
+ if not opts.quiet:
+ print text
+
+if len(args) == 0:
+ parser.print_usage()
+ sys.exit(1)
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
+ credentials=creds, lp=lp)
+
+domain_dn = SamDB.domain_dn(samdb)
+
+res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn,
+ scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"])
+assert(len(res_forest) == 1)
+
+res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
+ attrs=["msDS-Behavior-Version"])
+assert(len(res_domain) == 1)
+
+try:
+ level_forest = int(res_forest[0]["msDS-Behavior-Version"][0])
+ level_domain = int(res_domain[0]["msDS-Behavior-Version"][0])
+
+ if level_forest < 0 or level_forest == 1 or level_forest > 4 or level_domain < 0 or level_domain == 1 or level_domain > 4:
+ print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!"
+ sys.exit(1)
+ if level_forest > level_domain:
+ print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!"
+ sys.exit(1)
+except:
+ print "ERROR: Could not retrieve the actual domain and forest level!"
+ if args[0] == "show":
+ print "So the levels can't be displayed!"
+ sys.exit(1)
+
+if args[0] == "show":
+ message("Domain and forest function level for domain '" + domain_dn + "'")
+ message("")
+
+ if level_forest == DS_DOMAIN_FUNCTION_2000:
+ outstr = "2000"
+ elif level_forest == DS_DOMAIN_FUNCTION_2003:
+ outstr = "2003"
+ elif level_forest == DS_DOMAIN_FUNCTION_2008:
+ outstr = "2008"
+ elif level_forest == DS_DOMAIN_FUNCTION_2008_R2:
+ outstr = "2008 R2"
+ message("Forest function level: (Windows) " + outstr)
+
+ if level_domain == DS_DOMAIN_FUNCTION_2000:
+ outstr = "2000"
+ elif level_domain == DS_DOMAIN_FUNCTION_2003:
+ outstr = "2003"
+ elif level_domain == DS_DOMAIN_FUNCTION_2008:
+ outstr = "2008"
+ elif level_domain == DS_DOMAIN_FUNCTION_2008_R2:
+ outstr = "2008 R2"
+ message("Domain function level: (Windows) " + outstr)
+
+elif args[0] == "raise":
+ msgs = []
+
+ if opts.domain is not None:
+ arg = opts.domain
+
+ if arg == "2000":
+ new_level_domain = DS_DOMAIN_FUNCTION_2000
+ elif arg == "2003":
+ new_level_domain = DS_DOMAIN_FUNCTION_2003
+ elif arg == "2008":
+ new_level_domain = DS_DOMAIN_FUNCTION_2008
+ elif arg == "2008_R2":
+ new_level_domain = DS_DOMAIN_FUNCTION_2008_R2
+ else:
+ print "ERROR: Wrong argument '" + arg + "'!"
+ sys.exit(1)
+
+ if new_level_domain <= level_domain:
+ print "ERROR: Domain function level can't be smaller equal to the actual one!"
+ sys.exit(1)
+
+ m = ldb.Message()
+ m.dn = ldb.Dn(samdb, domain_dn)
+ m["msDS-Behavior-Version"]= ldb.MessageElement(
+ str(new_level_domain), ldb.FLAG_MOD_REPLACE,
+ "msDS-Behavior-Version")
+ samdb.modify(m)
+
+ level_domain = new_level_domain
+
+ msgs.append("Domain function level changed!")
+
+ if opts.forest is not None:
+ arg = opts.forest
+
+ if arg == "2000":
+ new_level_forest = DS_DOMAIN_FUNCTION_2000
+ elif arg == "2003":
+ new_level_forest = DS_DOMAIN_FUNCTION_2003
+ elif arg == "2008":
+ new_level_forest = DS_DOMAIN_FUNCTION_2008
+ elif arg == "2008_R2":
+ new_level_forest = DS_DOMAIN_FUNCTION_2008_R2
+ else:
+ print "ERROR: Wrong argument '" + arg + "'!"
+ sys.exit(1)
+
+ if new_level_forest <= level_forest:
+ print "ERROR: Forest function level can't be smaller equal to the actual one!"
+ sys.exit(1)
+
+ if new_level_forest > level_domain:
+ print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!"
+ sys.exit(1)
+
+ m = ldb.Message()
+
+ m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration,"
+ + domain_dn)
+ m["msDS-Behavior-Version"]= ldb.MessageElement(
+ str(new_level_forest), ldb.FLAG_MOD_REPLACE,
+ "msDS-Behavior-Version")
+ samdb.modify(m)
+
+ msgs.append("Forest function level changed!")
+
+ msgs.append("All changes applied successfully!")
+
+ message("\n".join(msgs))
+else:
+ print "ERROR: Wrong argument '" + args[0] + "'!"
+ sys.exit(1)
diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount
index d4e954074b..0ca5b39faa 100755
--- a/source4/setup/enableaccount
+++ b/source4/setup/enableaccount
@@ -1,18 +1,31 @@
#!/usr/bin/python
#
-# Enables a disabled user account on a Samba4 server
-# Copyright Andrew Tridgell 2005
-# Copyright Jelmer Vernooij 2008
-# Released under the GNU GPL version 3 or later
+# Enables an user account on a Samba4 server
+# Copyright Jelmer Vernooij 2008
+#
+# Based on the original in EJS:
+# Copyright Andrew Tridgell 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os, sys
-sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
+import sys
+
+sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
-import pwd
-import ldb
from samba.auth import system_session
from samba.samdb import SamDB
@@ -23,49 +36,24 @@ parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
-parser.add_option("-H", help="LDB URL for database or target server", type=str)
-parser.add_option("--base", help="Base DN to search for user under", type=str)
+parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
opts, args = parser.parse_args()
-#
-# print a message if quiet is not set
-#
-def message(text):
- if not opts.quiet:
- print text
+filter = opts.filter
-if len(args) == 0:
+if (len(args) == 0) and (filter is None):
+ print "Either the username or '--filter' must be specified!"
parser.print_usage()
sys.exit(1)
-username = args[0]
-
-if username is None:
- print "username must be specified"
+if filter is None:
+ username = args[0]
+ filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
-
creds = credopts.get_credentials(lp)
-if opts.H is not None:
- url = opts.H
-else:
- url = lp.get("sam database")
-
-samdb = SamDB(url=url, session_info=system_session(),
+samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
-
-domain_dn = opts.base
-if domain_dn is None:
- domain_dn = SamDB.domain_dn(samdb)
-
-filter = "(&(objectClass=user)(samAccountName=%s))" % username
-
-res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE,
- expression=filter,
- attrs=[])
-assert(len(res) == 1)
-user_dn = res[0].dn
-
-samdb.enable_account(user_dn)
+samdb.enable_account(filter)
diff --git a/source4/setup/newuser b/source4/setup/newuser
index cc89e922a7..422677c301 100755
--- a/source4/setup/newuser
+++ b/source4/setup/newuser
@@ -1,6 +1,6 @@
#!/usr/bin/python
#
-# Add a new user to a Samba4 server
+# Adds a new user to a Samba4 server
# Copyright Jelmer Vernooij 2008
#
# Based on the original in EJS:
@@ -18,6 +18,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
import sys
# Find right directory when running from source tree
@@ -25,8 +26,10 @@ sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
+
from getpass import getpass
from samba.auth import system_session
+from samba.samdb import SamDB
parser = optparse.OptionParser("newuser [options] <username> [<password>]")
sambaopts = options.SambaOptions(parser)
@@ -34,7 +37,6 @@ parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
-parser.add_option("--quiet", help="Be quiet", action="store_true")
parser.add_option("--unixname", help="Unix Username", type=str)
parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
@@ -56,6 +58,6 @@ if opts.unixname is None:
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
-samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(),
- credentials=creds)
+samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
+ credentials=creds, lp=lp)
samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login)
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 1690dc6c02..d46406e144 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -5,24 +5,25 @@
dn: CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: builtinDomain
+creationTime: ${CREATTIME}
forceLogoff: -9223372036854775808
+isCriticalSystemObject: TRUE
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -37108517437440
minPwdAge: 0
minPwdLength: 0
+modifiedCount: 1
modifiedCountAtLastProm: 0
nextRid: 1000
-pwdProperties: 0
-pwdHistoryLength: 0
objectSid: S-1-5-32
+pwdHistoryLength: 0
+pwdProperties: 0
serverState: 1
-uASCompat: 1
-modifiedCount: 1
-systemFlags: -1946157056
-isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
+systemFlags: -1946157056
+uASCompat: 1
dn: CN=Deleted Objects,${DOMAINDN}
objectClass: top
@@ -366,6 +367,8 @@ objectClass: nTFRSSettings
systemFlags: -1946157056
isCriticalSystemObject: TRUE
+# Here are missing the FRS objects since we don't support this technique yet
+
dn: CN=FileLinks,CN=System,${DOMAINDN}
objectClass: top
objectClass: fileLinkTracking
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index ac641da775..506ff21641 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -15,6 +15,8 @@ isDeleted: TRUE
isCriticalSystemObject: TRUE
systemFlags: -1946157056
+# Extended rights
+
dn: CN=Extended-Rights,${CONFIGDN}
objectClass: top
objectClass: container
@@ -637,6 +639,8 @@ appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
localizationDisplayId: 28
validAccesses: 256
+# Forest updates
+
dn: CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
@@ -645,6 +649,154 @@ dn: CN=Operations,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
+dn: CN=6b800a81-affe-4a15-8e41-6ea0c7aa89e4,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=dd07182c-3174-4c95-902a-d64fee285bbf,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=ffa5ee3c-1405-476d-b344-7ad37d69cc25,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=099f1587-af70-49c6-ab6c-7b3e82be0fe2,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=1a3f6b15-55f2-4752-ba27-3d38a8232c4d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=dee21a17-4e8e-4f40-a58c-c0c009b685a7,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=9bd98bb4-4047-4de5-bf4c-7bd1d0f6d21d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=3fe80fbf-bf39-4773-b5bd-3e5767a30d2d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=f02915e2-9141-4f73-b8e7-2804662782da,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=39902c52-ef24-4b4b-8033-2c9dfdd173a2,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=20bf09b4-6d0b-4cd1-9c09-4231edf1209b,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238bb-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238bc-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238bd-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238be-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238bf-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=94f238c0-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=eda27b47-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=eda27b48-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=eda27b49-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=eda27b4a-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=26d9c510-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=26d9c511-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=3467dae5-dedd-4648-9066-f48ac186b20a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=33b7ee33-1386-47cf-baa1-b03e06473253,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=e9ee8d55-c2fb-4723-a333-c80ff4dfbf45,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=ccfae63a-7fb5-454c-83ab-0e8e1214974e,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=26ad2ebf-f8f5-44a4-b97c-a616c8b9d09a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=4444c516-f43a-4c12-9c4b-b5c064941d61,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=436a1a4b-f41a-46e6-ac86-427720ef29f3,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=b2b7fb45-f50d-41bc-a73b-8f580f3b636a,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=1bdf6366-c3db-4d0b-b8cb-f99ba9bce20f,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=63c0f51a-067c-4640-8a4f-044fb33f1049,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=dae441c0-366e-482e-98d9-60a99a1898cc,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=7dd09ca6-f0d6-43bf-b7f8-ef348f435617,CN=Operations,CN=ForestUpdates,${CONFIGDN}
+objectClass: top
+objectClass: container
+
dn: CN=Windows2003Update,CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
@@ -662,6 +814,8 @@ description: Quota specifications container
msDS-TombstoneQuotaFactor: 100
systemFlags: -2147483648
+# Partitions
+
dn: CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRefContainer
@@ -669,27 +823,30 @@ systemFlags: -2147483648
msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY}
showInAdvancedViewOnly: TRUE
+# Partitions for DNS are missing since we don't support AD DNS
+
dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 1
-nCName: ${CONFIGDN}
dnsRoot: ${DNSDOMAIN}
+nCName: ${CONFIGDN}
+systemFlags: 1
dn: CN=Enterprise Schema,CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 1
-nCName: ${SCHEMADN}
dnsRoot: ${DNSDOMAIN}
+nCName: ${SCHEMADN}
+systemFlags: 1
dn: CN=${DOMAIN},CN=Partitions,${CONFIGDN}
objectClass: top
objectClass: crossRef
-systemFlags: 3
+dnsRoot: ${DNSDOMAIN}
nCName: ${DOMAINDN}
nETBIOSName: ${DOMAIN}
-dnsRoot: ${DNSDOMAIN}
+nTMixedDomain: 0
+systemFlags: 3
dn: CN=Physical Locations,${CONFIGDN}
objectClass: top
@@ -699,11 +856,91 @@ l: Physical Locations tree root
# Schema located in "ad-schema/*.txt"
+# Services
+
dn: CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
+dn: CN=MsmqServices,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: mSMQEnterpriseSettings
+mSMQVersion: 200
+
+dn: CN=NetServices,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Certificate Templates,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Enrollment Services,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Certification Authorities,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=AIA,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=CDP,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=KRA,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=OID,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: msPKI-Enterprise-Oid
+
+dn: CN=RRAS,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=IdentityDictionary,CN=RRAS,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: rRASAdministrationDictionary
+msRRASVendorAttributeEntry: 311:6:803:RADIUS Accouting
+msRRASVendorAttributeEntry: 311:6:802:RADIUS Authentication
+msRRASVendorAttributeEntry: 311:6:801:NT Domain Authentication
+msRRASVendorAttributeEntry: 311:6:714:Point to point parallel connection
+msRRASVendorAttributeEntry: 311:6:713:Point to point serial connection
+msRRASVendorAttributeEntry: 311:6:712:Generic LAN
+msRRASVendorAttributeEntry: 311:6:711:Generic WAN
+msRRASVendorAttributeEntry: 311:6:710:X.25
+msRRASVendorAttributeEntry: 311:6:709:IrDA
+msRRASVendorAttributeEntry: 311:6:708:Switched 56
+msRRASVendorAttributeEntry: 311:6:707:SONET
+msRRASVendorAttributeEntry: 311:6:706:Modem
+msRRASVendorAttributeEntry: 311:6:705:ISDN
+msRRASVendorAttributeEntry: 311:6:704:ATM
+msRRASVendorAttributeEntry: 311:6:703:Frame Relay
+msRRASVendorAttributeEntry: 311:6:702:Layer 2 Tunneling Protocol
+msRRASVendorAttributeEntry: 311:6:701:Point-to-Point Tunneling Protocol
+msRRASVendorAttributeEntry: 311:6:604:Network Address and Port Translation
+msRRASVendorAttributeEntry: 311:6:603:Demand Dial Router
+msRRASVendorAttributeEntry: 311:6:602:Remote Access Server
+msRRASVendorAttributeEntry: 311:6:601:LAN-to- LAN Router
+msRRASVendorAttributeEntry: 311:6:503:AppleTalk Forwarding Enabled
+msRRASVendorAttributeEntry: 311:6:502:IPX Forwarding Enabled
+msRRASVendorAttributeEntry: 311:6:501:IP Forwarding Enabled
+msRRASVendorAttributeEntry: 311:5:2:IPX SAP
+msRRASVendorAttributeEntry: 311::5:1:IPX RIP
+msRRASVendorAttributeEntry: 311:1:10:IGMP Only
+msRRASVendorAttributeEntry: 311:0:13:OSPF
+msRRASVendorAttributeEntry: 311:0:8:RIP (version 1 or 2)
+
dn: CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
@@ -711,7 +948,12 @@ objectClass: container
dn: CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
objectClass: nTDSService
-sPNMappings: host=ldap,dns,cifs,http
+msDS-Other-Settings: DisableVLVSupport=0
+msDS-Other-Settings: DynamicObjectMinTTL=900
+msDS-Other-Settings: DynamicObjectDefaultTTL=86400
+# "sPNMappings" needs to be enhanced when we add features
+sPNMappings: host=dns,netlogon,rpc,cifs,wins,http
+tombstoneLifetime: 180
dn: CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
objectClass: top
@@ -734,6 +976,8 @@ lDAPAdminLimits: MaxConnIdleTime=900
lDAPAdminLimits: InitRecvTimeout=120
lDAPAdminLimits: MaxConnections=5000
+# Sites
+
dn: CN=Sites,${CONFIGDN}
objectClass: top
objectClass: sitesContainer
@@ -759,6 +1003,7 @@ objectClass: top
objectClass: interSiteTransport
transportAddressAttribute: dNSHostName
transportDLLName: ismip.dll
+systemFlags: -2147483648
dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN}
objectClass: top
@@ -785,3 +1030,7 @@ objectClass: top
objectClass: serversContainer
systemFlags: 33554432
+dn: CN=Subnets,CN=Sites,${CONFIGDN}
+objectClass: top
+objectClass: subnetContainer
+systemFlags: -1073741824
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index c59c421b7f..639bc96040 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -1,41 +1,43 @@
-# Join the DC to itself
+# Accounts for selfjoin (joins DC to itself)
+# Object under "Domain Controllers"
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
-userAccountControl: 532480
-localPolicyFlags: 0
-primaryGroupID: 516
accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
+dNSHostName: ${DNSNAME}
+# "frsComputerReferenceBL" doesn't exist since we still miss FRS support
+isCriticalSystemObject: TRUE
+localPolicyFlags: 0
operatingSystem: Samba
operatingSystemVersion: ${SAMBA_VERSION_STRING}
-dNSHostName: ${DNSNAME}
-userPassword:: ${MACHINEPASS_B64}
-servicePrincipalName: HOST/${DNSNAME}
+primaryGroupID: 516
+# "rIDSetReferences" doesn't exist since we still miss distributed RIDs
+sAMAccountName: ${NETBIOSNAME}$
+# "servicePrincipalName" for FRS doesn't exit since we still miss FRS support
+# "servicePrincipalName"s for DNS ("ldap/../ForestDnsZones",
+# "ldap/../DomainDnsZones", "DNS/..") don't exist since we don't support AD DNS
+servicePrincipalName: GC/${DNSNAME}/${REALM}
+servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
servicePrincipalName: HOST/${NETBIOSNAME}
+servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
-servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
-servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
-servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
-isCriticalSystemObject: TRUE
+# "servicePrincipalName"s with GUIDs are located in
+# "provision_self_join_modify.ldif"
+servicePrincipalName: ldap/${DNSNAME}/${DOMAIN}
+servicePrincipalName: ldap/${NETBIOSNAME}
+servicePrincipalName: ldap/${DNSNAME}
+servicePrincipalName: ldap/${DNSNAME}/${REALM}
+userAccountControl: 532480
+userPassword:: ${MACHINEPASS_B64}
-#Provide a account for DNS keytab export
-dn: CN=dns,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-description: DNS Service Account
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-servicePrincipalName: DNS/${DNSDOMAIN}
-userPassword:: ${DNSPASS_B64}
-isCriticalSystemObject: TRUE
+# Here are missing the objects for the NTFRS subscription and the RID set since
+# we don't support those techniques (FRS, distributed RIDs) yet.
+
+# Objects under "Configuration/Sites/<Default sitename>/Servers"
dn: ${SERVERDN}
objectClass: top
@@ -48,14 +50,34 @@ dn: CN=NTDS Settings,${SERVERDN}
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
-options: 1
-systemFlags: 33554432
dMDLocation: ${SCHEMADN}
+hasMasterNCs: ${CONFIGDN}
+hasMasterNCs: ${SCHEMADN}
+hasMasterNCs: ${DOMAINDN}
invocationId: ${INVOCATIONID}
msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY}
+msDS-HasDomainNCs: ${DOMAINDN}
+# "msDS-HasInstantiatedNCs"s for DNS don't exist since we don't support AD DNS
+msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN}
+msDS-HasInstantiatedNCs: B:8:0000000D:${SCHEMADN}
+msDS-HasInstantiatedNCs: B:8:00000005:${DOMAINDN}
+# "msDS-hasMasterNCs"s for DNS don't exist since we don't support AD DNS
msDS-hasMasterNCs: ${CONFIGDN}
msDS-hasMasterNCs: ${SCHEMADN}
msDS-hasMasterNCs: ${DOMAINDN}
-hasMasterNCs: ${CONFIGDN}
-hasMasterNCs: ${SCHEMADN}
-hasMasterNCs: ${DOMAINDN}
+options: 1
+systemFlags: 33554432
+
+# Provides an account for DNS keytab export
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+description: DNS Service Account
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+servicePrincipalName: DNS/${DNSDOMAIN}
+userPassword:: ${DNSPASS_B64}
+isCriticalSystemObject: TRUE
diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings
index cd9c07dfb5..6a5e18ef59 100755
--- a/source4/setup/pwsettings
+++ b/source4/setup/pwsettings
@@ -1,21 +1,32 @@
#!/usr/bin/python
#
-# Sets password settings (Password complexity, history length,
-# minimum password length, the minimum and maximum password age) on a
-# Samba4 server
+# Sets password settings (Password complexity, history length, minimum password
+# length, the minimum and maximum password age) on a Samba4 server
#
-# Copyright Jelmer Vernooij 2008
-# Copyright Matthias Dieter Wallnoefer 2009
-# Copyright Andrew Kroeger 2009
-# Released under the GNU GPL version 3 or later
+# Copyright Matthias Dieter Wallnoefer 2009
+# Copyright Andrew Kroeger 2009
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os, sys
-sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
-import pwd
import ldb
from samba.auth import system_session
@@ -29,7 +40,6 @@ parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
parser.add_option("--quiet", help="Be quiet", action="store_true")
-parser.add_option("-H", help="LDB URL for database or target server", type=str)
parser.add_option("--complexity",
help="The password complexity (on | off | default). Default is 'on'", type=str)
parser.add_option("--history-length",
@@ -55,15 +65,9 @@ if len(args) == 0:
sys.exit(1)
lp = sambaopts.get_loadparm()
-
creds = credopts.get_credentials(lp)
-if opts.H is not None:
- url = opts.H
-else:
- url = lp.get("sam database")
-
-samdb = SamDB(url=url, session_info=system_session(),
+samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
credentials=creds, lp=lp)
domain_dn = SamDB.domain_dn(samdb)
@@ -79,13 +83,10 @@ try:
min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24))
max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
except:
+ print "ERROR: Could not retrieve password properties!"
if args[0] == "show":
- print "ERROR: Password informations missing in your AD domain object!"
print "So no settings can be displayed!"
- sys.exit(1)
- else:
- print "ERROR: Could not retrieve password properties (used for password complexity setting)"
- sys.exit(1)
+ sys.exit(1)
if args[0] == "show":
message("Password informations for domain '" + domain_dn + "'")
diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry
index db7cdd412f..6c6305ceaf 100755
--- a/source4/setup/setexpiry
+++ b/source4/setup/setexpiry
@@ -1,9 +1,23 @@
#!/usr/bin/python
#
-# Sets the password expiry for a user on a Samba4 server
-# Copyright Andrew Tridgell 2005
-# Copyright Jelmer Vernooij 2008
-# Released under the GNU GPL version 3 or later
+# Sets the user password expiry on a Samba4 server
+# Copyright Jelmer Vernooij 2008
+#
+# Based on the original in EJS:
+# Copyright Andrew Tridgell 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
@@ -13,32 +27,38 @@ sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
-from getpass import getpass
+
from samba.auth import system_session
+from samba.samdb import SamDB
-parser = optparse.OptionParser("setexpiry [options] <username>")
+parser = optparse.OptionParser("setexpiry [username] [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
credopts = options.CredentialsOptions(parser)
parser.add_option_group(credopts)
+parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
parser.add_option("--days", help="Days to expiry", type=int)
-parser.add_option("--noexpiry", help="Never expire", action="store_true")
+parser.add_option("--noexpiry", help="Password does never expire", action="store_true")
opts, args = parser.parse_args()
-if len(args) == 0:
+if (len(args) == 0) and (filter is None):
+ print "Either the username or '--filter' must be specified!"
parser.print_usage()
sys.exit(1)
-username = args[0]
+days = opts.days
+if days is None:
+ days = 0
+
+if filter is None:
+ username = args[0]
+ filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
-samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(),
- credentials=creds)
-days = opts.days
-if days is None:
- days = 0
-samdb.setexpiry(username, days*24*3600, opts.noexpiry)
+samdb = SamDB(url=lp.get("sam database"), session_info=system_session(),
+ credentials=creds, lp=lp)
+samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry)
diff --git a/source4/setup/setpassword b/source4/setup/setpassword
index 513730d649..d8a2a1144a 100755
--- a/source4/setup/setpassword
+++ b/source4/setup/setpassword
@@ -20,15 +20,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os, sys
+import sys
# Find right directory when running from source tree
sys.path.insert(0, "bin/python")
import samba.getopt as options
import optparse
-import pwd
-import sys
+
from getpass import getpass
from samba.auth import system_session
from samba.samdb import SamDB
@@ -45,13 +44,6 @@ parser.add_option("--must-change-at-next-login", help="Force password to be chan
opts, args = parser.parse_args()
-#
-# print a message if quiet is not set
-#
-def message(text):
- if not opts.quiet:
- print text
-
filter = opts.filter
if (len(args) == 0) and (filter is None):
@@ -65,7 +57,7 @@ if password is None:
if filter is None:
username = args[0]
- filter = "(&(objectclass=user)(samAccountName=%s))" % (username)
+ filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
diff --git a/source4/smbd/config.mk b/source4/smbd/config.mk
index b850548b3d..b85beb0bc0 100644
--- a/source4/smbd/config.mk
+++ b/source4/smbd/config.mk
@@ -2,7 +2,9 @@
[SUBSYSTEM::service]
PRIVATE_DEPENDENCIES = \
- LIBTEVENT MESSAGING samba_socket NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM
+ LIBTEVENT MESSAGING samba_socket \
+ NDR_NAMED_PIPE_AUTH NAMED_PIPE_AUTH_TSTREAM \
+ HEIMDAL_GSSAPI CREDENTIALS
service_OBJ_FILES = $(addprefix $(smbdsrcdir)/, \
service.o \
diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c
index f82d91e867..940edf2cb5 100644
--- a/source4/smbd/service_named_pipe.c
+++ b/source4/smbd/service_named_pipe.c
@@ -30,6 +30,9 @@
#include "librpc/gen_ndr/ndr_named_pipe_auth.h"
#include "system/passwd.h"
#include "libcli/raw/smb.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_krb5.h"
+#include <gssapi/gssapi.h>
struct named_pipe_socket {
const char *pipe_name;
@@ -53,6 +56,11 @@ static void named_pipe_handover_connection(void *private_data)
TEVENT_FD_NOT_WRITEABLE(conn->event.fde);
+ packet_set_socket(pipe_conn->packet, NULL);
+ packet_set_event_context(pipe_conn->packet, NULL);
+ packet_set_fde(pipe_conn->packet, NULL);
+ TALLOC_FREE(pipe_conn->packet);
+
if (!NT_STATUS_IS_OK(pipe_conn->status)) {
stream_terminate_connection(conn, nt_errstr(pipe_conn->status));
return;
@@ -63,7 +71,7 @@ static void named_pipe_handover_connection(void *private_data)
*/
conn->ops = pipe_conn->pipe_sock->ops;
conn->private_data = pipe_conn->pipe_sock->private_data;
- talloc_free(pipe_conn);
+ talloc_unlink(conn, pipe_conn);
/* we're now ready to start receiving events on this stream */
TEVENT_FD_READABLE(conn->event.fde);
@@ -214,6 +222,94 @@ static NTSTATUS named_pipe_recv_auth_request(void *private_data,
talloc_steal(conn->session_info, req.info.info2.session_key);
break;
+ case 3:
+ rep.level = 3;
+ rep.info.info3.file_type = FILE_TYPE_MESSAGE_MODE_PIPE;
+ rep.info.info3.device_state = 0xff | 0x0400 | 0x0100;
+ rep.info.info3.allocation_size = 4096;
+
+ if (!req.info.info3.sam_info3) {
+ /*
+ * anon connection, we don't create a session info
+ * and leave it NULL
+ */
+ rep.status = NT_STATUS_OK;
+ break;
+ }
+
+ val.sam3 = req.info.info3.sam_info3;
+
+ rep.status = make_server_info_netlogon_validation(pipe_conn,
+ val.sam3->base.account_name.string,
+ 3, &val, &server_info);
+ if (!NT_STATUS_IS_OK(rep.status)) {
+ DEBUG(2, ("make_server_info_netlogon_validation returned "
+ "%s\n", nt_errstr(rep.status)));
+ goto reply;
+ }
+
+ /* setup the session_info on the connection */
+ rep.status = auth_generate_session_info(conn,
+ conn->event.ctx,
+ conn->lp_ctx,
+ server_info,
+ &conn->session_info);
+ if (!NT_STATUS_IS_OK(rep.status)) {
+ DEBUG(2, ("auth_generate_session_info failed: %s\n",
+ nt_errstr(rep.status)));
+ goto reply;
+ }
+
+ if (req.info.info3.gssapi_delegated_creds_length) {
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+ gss_cred_id_t cred_handle;
+ int ret;
+
+ DEBUG(10, ("named_pipe_auth: delegated credentials supplied by client\n"));
+
+ cred_token.value = req.info.info3.gssapi_delegated_creds;
+ cred_token.length = req.info.info3.gssapi_delegated_creds_length;
+
+ ret = gss_import_cred(&minor_status,
+ &cred_token,
+ &cred_handle);
+ if (ret != GSS_S_COMPLETE) {
+ rep.status = NT_STATUS_INTERNAL_ERROR;
+ goto reply;
+ }
+
+ conn->session_info->credentials = cli_credentials_init(conn->session_info);
+ if (!conn->session_info->credentials) {
+ rep.status = NT_STATUS_NO_MEMORY;
+ goto reply;
+ }
+
+ cli_credentials_set_conf(conn->session_info->credentials,
+ conn->lp_ctx);
+ /* Just so we don't segfault trying to get at a username */
+ cli_credentials_set_anonymous(conn->session_info->credentials);
+
+ ret = cli_credentials_set_client_gss_creds(conn->session_info->credentials,
+ conn->event.ctx,
+ conn->lp_ctx,
+ cred_handle,
+ CRED_SPECIFIED);
+ if (ret) {
+ rep.status = NT_STATUS_INTERNAL_ERROR;
+ goto reply;
+ }
+
+ /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
+ cli_credentials_set_kerberos_state(conn->session_info->credentials,
+ CRED_MUST_USE_KERBEROS);
+ }
+
+ conn->session_info->session_key = data_blob_const(req.info.info3.session_key,
+ req.info.info3.session_key_length);
+ talloc_steal(conn->session_info, req.info.info3.session_key);
+
+ break;
default:
DEBUG(2, ("named_pipe_auth_req: unknown level %u\n",
req.level));
@@ -235,7 +331,7 @@ reply:
return status;
}
- DEBUG(10,("named_pipe_auth reply[%u]\n", rep_blob.length));
+ DEBUG(10,("named_pipe_auth reply[%u]\n", (unsigned)rep_blob.length));
dump_data(11, rep_blob.data, rep_blob.length);
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(named_pipe_auth_rep, &rep);
diff --git a/source4/torture/rpc/spoolss_notify.c b/source4/torture/rpc/spoolss_notify.c
index a8a0ca5df6..60f1175f27 100644
--- a/source4/torture/rpc/spoolss_notify.c
+++ b/source4/torture/rpc/spoolss_notify.c
@@ -20,10 +20,12 @@
*/
#include "includes.h"
+#include "system/filesys.h"
#include "torture/torture.h"
#include "torture/rpc/rpc.h"
#include "librpc/gen_ndr/ndr_spoolss_c.h"
#include "rpc_server/dcerpc_server.h"
+#include "rpc_server/service_rpc.h"
#include "lib/events/events.h"
#include "smbd/process_model.h"
#include "smb_server/smb_server.h"
@@ -191,6 +193,7 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
NTSTATUS status;
struct dcesrv_context *dce_ctx;
const char *endpoints[] = { "spoolss", NULL };
+ struct dcesrv_endpoint *e;
struct spoolss_NotifyOption t1;
struct spoolss_ClosePrinter cp;
@@ -244,6 +247,23 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
torture_assert_ntstatus_ok(tctx, status,
"unable to initialize DCE/RPC server");
+ /* Make sure the directory for NCALRPC exists */
+ if (!directory_exist(lp_ncalrpc_dir(tctx->lp_ctx))) {
+ int ret;
+ ret = mkdir(lp_ncalrpc_dir(tctx->lp_ctx), 0755);
+ torture_assert(tctx, (ret == 0), talloc_asprintf(tctx,
+ "failed to mkdir(%s) ret[%d] errno[%d - %s]",
+ lp_ncalrpc_dir(tctx->lp_ctx), ret,
+ errno, strerror(errno)));
+ }
+
+ for (e=dce_ctx->endpoint_list;e;e=e->next) {
+ status = dcesrv_add_ep(dce_ctx, tctx->lp_ctx,
+ e, tctx->ev, &single_ops);
+ torture_assert_ntstatus_ok(tctx, status,
+ "unable listen on dcerpc endpoint server");
+ }
+
r.in.flags = 0;
r.in.local_machine = talloc_asprintf(tctx, "\\\\%s", address);
r.in.options = 0;
@@ -293,7 +313,7 @@ static bool test_RFFPCNEx(struct torture_context *tctx,
* on Samba 4 will cause an irpc broadcast call.
*/
static bool test_ReplyOpenPrinter(struct torture_context *tctx,
- struct dcerpc_pipe *pipe)
+ struct dcerpc_pipe *p)
{
struct spoolss_ReplyOpenPrinter r;
struct spoolss_ReplyClosePrinter s;
@@ -307,7 +327,7 @@ static bool test_ReplyOpenPrinter(struct torture_context *tctx,
r.out.handle = &h;
torture_assert_ntstatus_ok(tctx,
- dcerpc_spoolss_ReplyOpenPrinter(pipe, tctx, &r),
+ dcerpc_spoolss_ReplyOpenPrinter(p, tctx, &r),
"spoolss_ReplyOpenPrinter call failed");
torture_assert_werr_ok(tctx, r.out.result, "error return code");
@@ -316,7 +336,7 @@ static bool test_ReplyOpenPrinter(struct torture_context *tctx,
s.out.handle = &h;
torture_assert_ntstatus_ok(tctx,
- dcerpc_spoolss_ReplyClosePrinter(pipe, tctx, &s),
+ dcerpc_spoolss_ReplyClosePrinter(p, tctx, &s),
"spoolss_ReplyClosePrinter call failed");
torture_assert_werr_ok(tctx, r.out.result, "error return code");