Age | Commit message | Author | Files | Lines
2010-02-17 | Got back to 16-byte padding on auth RPC. S3 clients and servers now cope with this. | Jeremy Allison | 1 | -4/+6
Jeremy
2010-02-18 | s4:param Modify secrets_get_domain_sid to give more useful errors | Andrew Bartlett | 5 | -87/+55
This also moves the calls to secrets_get_domain_sid back into winbind_task_init(), so that we can terminate with a much more detailed error message. (The previous message was simply NT_STATUS_CANT_ACCESS_DOMAIN_INFO). Andrew Bartlett
2010-02-17 | Fix bug #7146 - Samba miss-parses authenticated RPC packets. | Jeremy Allison | 4 | -138/+363
Parts of the Samba RPC client and server code misinterpret authenticated packets.

DCE authenticated packets actually look like this:

+--------------------------+
|header                    |
| ... frag_len (packet len)|
| ... auth_len             |
+--------------------------+
|                          |
| Data payload             |
...                     ....
|                          |
+--------------------------+
|                          |
| auth_pad_len bytes       |
+--------------------------+
|                          |
| Auth footer              |
| auth_pad_len value       |
+--------------------------+
|                          |
| Auth payload             |
| (auth_len bytes long)    |
+--------------------------+

That's right. The pad bytes come *before* the footer specifying how many pad bytes there are. In order to read this you must seek to the end of the packet and subtract the auth_len (in the packet header) and the auth footer length (a known value).

The client and server code gets this right (mostly) in 3.0.x -> 3.4.x so long as the pad alignment is on an 8 byte boundary (there are some special cases in the code for this).

Tridge discovered there are some (DRS replication) cases on 64-bit machines where the pad alignment is on a 16-byte boundary. This breaks the existing S3 hand-optimized rpc code.

This patch removes all the special cases in client and server code, and allows the pad alignment for generated packets to be specified by changing a constant in include/local.h (this doesn't affect received packets, the new code always handles them correctly whatever pad alignment is used).

This patch also works correctly with rpcclient using sign+seal from the 3.4.x and 3.3.x builds (testing with 3.0.x and 3.2.x to follow) so even as a server it should still work with older libsmbclient and winbindd code.

Jeremy
2010-02-17 | Fix bug #6557 - Do not work VFS full_audit | Jeremy Allison | 1 | -51/+34
Re-arrange the operations order so SMB_VFS_CONNECT is done first as root (to allow modules to correctly initialize themselves). Reviewed modules to check if they needed CONNECT invoked as a user (which we previously did) and it turns out any of them that cared needed root permissions anyway. Jeremy.
2010-02-17 | s3: go straight to winbindd_dual_pam_auth() in case of !NT_STATUS_OK | Lars Müller | 1 | -1/+1
At the formerly used process_result statement we have alone one NT_STATUS_IS_OK() which never could be hit in our case as we only go here if NT_STATUS_EQUAL is not ok.
2010-02-17 | s3: let the pam_winbind po files reference the correct location | Lars Müller | 20 | -644/+644
2010-02-17 | Fix commit d07cd37b993d3c9beded20323174633b806196b5 | Jeremy Allison | 1 | -1/+4
Which was: tsocket/bsd: fix bug #7115 FreeBSD includes the UDP header in FIONREAD Metze, this has to have been wrong - you are throwing away the talloc_realloc pointer returned. Also no error checking. Please review. Thank goodness for gcc warnings :-). Jeremy.
2010-02-17 | s4/rodc: change the libnet_become_dc code to do RODC join | Anatoliy Atanasov | 3 | -6/+59
2010-02-17 | s4/drs: add DRSUAPI_ATTRIBUTE_options attribute | Anatoliy Atanasov | 3 | -1/+5
2010-02-17 | s4/drs:kccdrs_replica_get_info_obj_metadata implementation | Anatoliy Atanasov | 6 | -132/+208
Fix the names of the drsuapi_DsReplicaInfoType enum and rebuild the .idl. The get_info_obj_metadata implementation is ported from the implementation I developed and tested at the samba io lab 2009
2010-02-17 | s4/ldap: Refactor the fix for ldap nested searches | Kamen Mazdrashki | 2 | -13/+15
Current implementation synchronizes processing for all types of LDAP request, not only LDAP_Search ones. Synchronization for ldap replies processing is done locally in ldb_ildap module as this concerns only ildb_callback() function. Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
2010-02-17 | tsocket/bsd: fix bug #7115 FreeBSD includes the UDP header in FIONREAD | Stefan Metzmacher | 1 | -4/+6
metze
2010-02-17 | tsocket/bsd: set IPV6_V6ONLY on AF_INET6 sockets | Stefan Metzmacher | 1 | -0/+36
Some systems already have this as default. It's easier to behave the same way on all systems and handle ipv6 and ipv4 sockets separately. metze
2010-02-17 | tsocket/bsd: fix bug #7140 autodetect ipv4 and ipv6 based on the remote address if the local address is any | Stefan Metzmacher | 1 | -2/+53
metze
2010-02-17 | tsocket/bsd: fix bug #7140 use calculated sa_socklen for bind() in tstream_bsd_connect_send() | Stefan Metzmacher | 1 | -1/+1
This is needed because, we can't use sizeof(sockaddr_storage) for AF_UNIX sockets. Also some platforms require exact values for AF_INET and AF_INET6. metze
2010-02-17 | tsocket/bsd: fix do_bind logic for AF_INET | Stefan Metzmacher | 1 | -2/+2
We want the explicit bind() when we don't use the any address. metze
2010-02-17 | socket_wrapper: also ignore AF_INET6 in swrap_setsockopt() | Stefan Metzmacher | 1 | -0/+4
metze
2010-02-17 | cifs.upcall: allocate a talloc context for smb_krb5_unparse_name | Jeff Layton | 1 | -1/+4
cifs.upcall calls smb_krb5_unparse_name with a NULL talloc context. Older versions of this function though will conditionally use SMB_REALLOC instead of TALLOC_REALLOC when a NULL context is passed in. To make it more consistent, just spawn a talloc context that we can pass into this function. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=565446 https://bugzilla.samba.org/show_bug.cgi?id=6868 Reported-by: Ludek Finstrle <luf@seznam.cz> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Günther Deschner <gd@samba.org>
2010-02-17 | s3: Fix bug 7139 | Volker Lendecke | 1 | -2/+32
To provide the user with the same SID when doing Kerberos logins, attempt to do a make_server_info_sam instead of a make_server_info_pw.
2010-02-17 | s4-smbtorture: unify test list to run against single created printers in RPC-SPOOLSS-PRINTER. | Günther Deschner | 1 | -18/+28
This is to make sure we run the same tests for printers created via AddPrinter and via AddPrinterEx. Guenther
2010-02-17 | s4-smbtorture: also test level 2 sets for devicemodes and see if they persist. | Günther Deschner | 1 | -0/+21
Guenther
2010-02-17 | s4-smbtorture: refactor setprinter devicemode calls in RPC-SPOOLSS-PRINTER. | Günther Deschner | 1 | -19/+71
Guenther
2010-02-17 | s4-provision: freeze the DNS zone before creating the zone file | Andrew Tridgell | 1 | -2/+10
This prevents bind from getting confused if it has a journal for the zone.
2010-02-17 | s4-dnsupdate: use samba_runcmd() in the dns update task | Andrew Tridgell | 2 | -17/+37
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-17 | s4-param: added "rndc command" smb.conf option | Andrew Tridgell | 2 | -0/+5
2010-02-17 | util: added samba_runcmd() | Andrew Tridgell | 3 | -0/+275
This allows us to run a child command in an async fashion, with control over logging of stdout and stderr (which appears in the Samba log file). This is useful for ensuring we don't miss important messages from rndc commands (for example). Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-17 | examples: add bind9 patches for TSIG-GSS support | Andrew Tridgell | 6 | -0/+250
We will point at these from the Samba4 HOWTO
2010-02-17 | s4-provision: fix permissions on generated DNS zone file | Andrew Tridgell | 1 | -9/+11
The zone file needs to be writeable by bind to allow for it to flush its journal on dynamic updates Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s3:rpc streamline memory handling | Simo Sorce | 1 | -13/+5
2010-02-17 | s4-rpc: paranoid check for auth_length | Andrew Tridgell | 1 | -0/+11
This is not strictly needed as the ndr_pull_advance() checks it a few lines further down, but I want to save Jeremy getting more grey hairs :-)
2010-02-16 | testprogs: add rather simple device mode tests to spoolss test. | Günther Deschner | 2 | -1/+127
Guenther
2010-02-16 | s3: Fix timeout calculation if g_lock_lock is given a timeout < 60s | Volker Lendecke | 1 | -1/+6
Detected while showing this code to obnox :-)
2010-02-16 | s3: Slightly increase parallelism in g_lock | Volker Lendecke | 1 | -1/+7
There's no need to still hold the g_lock tdb-level lock while telling the waiters to retry
2010-02-16 | s3: Avoid starving locks when many processes die at the same time | Volker Lendecke | 1 | -6/+4
In g_lock_unlock we have a little race between the process_exists and messaging_send call: We only send to 5 waiters now, they all might have died between us checking their existence and sending the message. This change makes g_lock_lock retry at least once every minute.
2010-02-16 | s3: Avoid a thundering herd in g_lock_unlock | Volker Lendecke | 1 | -1/+16
Only notify the first 5 pending lock waiters. This avoids a thundering herd problem that is really nasty in a cluster. It also makes acquiring a lock a bit more FIFO, lock waiters are added to the end of the array.
2010-02-16 | s3: Optimize g_lock_lock for a heavily contended case | Volker Lendecke | 1 | -3/+36
Only check the existence of the lock owner in g_lock_parse, check the rest of the records only when we got the lock successfully. This reduces the load on process_exists which can involve a network roundtrip in the clustered case.
2010-02-16 | s3: Fix handling of processes that died in g_lock | Volker Lendecke | 1 | -3/+5
g_lock_parse might have thrown away entries from the locks array because the processes were not around anymore. Don't store the orphaned entries.
2010-02-16 | s4-kcc: remove a qsort() that snuck into the new topology code | Andrew Tridgell | 1 | -2/+1
2010-02-16 | s4-rpc: don't use auth padding in rpc bind requests as it breaks s3 | Andrew Tridgell | 1 | -0/+7
The s3 RPC server returns a bind_nak if it gets a rpc bind with auth padding. This change forces a padding length of zero to maximise compatibility with s3 servers. I've left the padding code in as a #if 0 to make it easier for us to test/fix the s3 server code, which should be changed to correctly handle arbitrary auth padding in all rpc requests with auth trailers.
2010-02-16 | s4-dcerpc: fixed auth padding to be relative to the stub, not packet | Andrew Tridgell | 2 | -10/+17
The recent dcerpc padding changes made our padding relative to the packet header, instead of the start of the stub. Surprisingly, this broke w2k8r2 doing a dcpromo join to a s4 server. It seems that w2k8r2 is very fussy about the padding it gets in some circumstances.
2010-02-16 | s4-dsdb: return LDB_ERR_CONSTRAINT_VIOLATION on num_recs != 1 | Andrew Tridgell | 1 | -1/+1
In a single record search, LDB_ERR_CONSTRAINT_VIOLATION is more useful than the generic LDB_ERR_OPERATIONS_ERROR Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-samdb: use dsdb_search() in cracknames | Andrew Tridgell | 1 | -57/+24
greatly simplifies some of the cracknames code Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-kcc: remove search_onelevel_with_deleted() in kcc | Andrew Tridgell | 1 | -52/+3
Use dsdb_search() instead Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-dsdb: removed gendb_search_single_extended_dn() | Andrew Tridgell | 4 | -120/+19
Use dsdb_search_one() instead, which allows for arbitrary controls Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-dsdb: added dsdb_search_one() and cleanup dsdb_find_dn_by_guid() | Andrew Tridgell | 5 | -33/+86
dsdb_find_dn_by_guid() now takes a struct GUID instead of a guid_string. All the callers in fact wanted a struct GUID, so we now avoid the extra conversion. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-dsdb: replace dsdb_find_dn_by_guid() with a dsdb_search() call | Andrew Tridgell | 1 | -67/+84
much simpler code by using dsdb_flags Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-16 | s4-dsdb: change dsdb_search_dn_with_deleted() to dsdb_search_dn() with dsdb_flags | Andrew Tridgell | 1 | -56/+58
Allows for arbitrary controls
2010-02-16 | s4-dsdb: change samdb_replace() to dsdb_replace() and allow for dsdb_flags | Andrew Tridgell | 12 | -95/+52
This allows for controls to be added easily where they are needed.
2010-02-16 | s4-dsdb: replace dsdb_modify_permissive() with dsdb_modify() and dsdb_flags | Andrew Tridgell | 4 | -40/+45
2010-02-16 | s4-dsdb: move dsdb_request_add_controls() into dsdb/common/util.c | Andrew Tridgell | 6 | -85/+115
This will be used to allow the flag based ldb functions to work on both a ldb or a module, thus saving a lot of specialist functions.