summaryrefslogtreecommitdiff
path: root/source4/librpc/rpc
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11516: Fix a valgrind bug I introduce with queued requestsVolker Lendecke1-3/+6
(This used to be commit 3e4ab756f421acd747e9ea4c48b0f61d48dfa8fd)
2007-10-10r11515: Add some talloc_get_typeVolker Lendecke1-2/+2
(This used to be commit 558c29971d5855308a9d8dfd21e8ac7ec24abc01)
2007-10-10r11497: Don't name parameters 'floor'. Rename fl and floor to epm_floor forAndrew Bartlett1-58/+58
consistancy. Andrew Bartlett (This used to be commit 8787eb982f899c68a490fb9c71c21ec1d9ec0308)
2007-10-10r11473: Based on work by Jelmer, implement the [async] flag for rpc ↵Volker Lendecke2-29/+92
requests. If it's not there (it's not yet on *any* call... :-)), the rpc client strictly sequences calls to an rpc pipe. Might need some more work on the exact sequencing semantics when a pipe with both sync and async calls is actually deployed, but I want it in for winbind simplification. Volker (This used to be commit b8f324e4f000971b7dafc263c16dd4af958ee7f9)
2007-10-10r10699: fixed the dcerpc code so that you can shutdown the pipe safely fromAndrew Tridgell3-35/+36
within a callback on the pipe. This should fix a problem volker encountered with winbind. The fix invoolves making the recv_data handler free the memory for a packet, instead of having the transport layer free it after calling recv_data. When the transport layer freed it, it had no way of knowing if the callback had shutdown the pipe, so it had no way of knowing if it could safely use the pointer. Also changed the pipe shutdown hook for the smb transport to use an async SMB close. This ensures that when you shutdown the pipe, you don't block waiting for the server to ack the close of the pipe fnum. (This used to be commit c87d7f580e39245db181605f50883de07dd9632e)
2007-10-10r10683: Samba3's wbinfo -t should give the correct answer now.Volker Lendecke1-1/+1
Tridge, if you have time, you might want to look at the segfault I was still seeing. Now I store the handle to the netlogon pipe in the global winbind state and free it on the next entry into check_machacc. The problem seems to be that talloc_free()ing a pipe struct from within a callback function on that pipe is not possible. I think I can live with that, but it has been not really obvious. To reproduce the segfault you might want to look at putting a talloc_free(state->getcreds->out.netlogon) into wbsrv_samba3_check_machacc_receive_creds. This is called from a dcerpc callback function. In particular if the check failed it would be nice if I could delete the pipe directly and not post a different event to some winbind queue. I tried to delete the pipe from a timed event triggered immediately, but this also fails because the inner loop seems to hit the same event again, calling it twice. Volker (This used to be commit 5436d7764812bb632ba865e633005ed07923b57f)
2007-10-10r10681: Convert dcerpc_open_smb to a composite function.Volker Lendecke1-42/+113
Volker (This used to be commit 42ff218ac98fab00bd58c4f50f11843ef32b4698)
2007-10-10r10402: Make the RPC-SAMLOGON test pass against Win2k3 SP0 again.Andrew Bartlett1-2/+2
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own test for the moment, but I'm working on these issues :-) This required a change to the credentials API, so that the special case for NTLM logins using a principal was indeed handled as a special, not general case. Also don't set the realm from a ccache, as then it overrides --option=realm=. Andrew Bartlett (This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
2007-10-10r10368: when building the epm tower, don't put host names in the ip addressAndrew Tridgell1-1/+12
field, instead put a zero address. Note that zero is correct (ie. we shouldn't do the lookup) as in the client we want to send a zero for the server to fill in. When we make this call from the server we fill in a real IP. (This used to be commit e54c8b5658761c33d50a1a557d2ec77229b07b47)
2007-10-10r10184: Fix a stack of unhandled enumeration warnings.Tim Potter1-0/+6
(This used to be commit aeb42a446b3c28c5cf6800606b3f9b70c49cb94b)
2007-10-10r10153: This patch adds a new parameter to gensec_sig_size(), the size of theAndrew Bartlett1-5/+8
data to be signed/sealed. We can use this to split the data from the signature portion of the resultant wrapped packet. This required merging the gsskrb5_wrap_size patch from lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no longer use a static 45 byte value). This fixes one of the krb5 issues in my list. Andrew Bartlett (This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
2007-10-10r9728: A *major* update to the credentials system, to incorporate theAndrew Bartlett1-2/+2
Kerberos CCACHE into the system. This again allows the use of the system ccache when no username is specified, and brings more code in common between gensec_krb5 and gensec_gssapi. It also has a side-effect that may (or may not) be expected: If there is a ccache, even if it is not used (perhaps the remote server didn't want kerberos), it will change the default username. Andrew Bartlett (This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
2007-10-10r9505: Work on GENSEC and the code that calls it, for tighter interfaceAndrew Bartlett1-28/+31
requirements, and for better error reporting. In particular, the composite session setup (extended security/SPNEGO) code now returns errors, rather than NT_STATUS_NO_MEMORY. This is seen particularly when GENSEC fails to start. The tighter interface rules apply to NTLMSSP, which must be called exactly the right number of times. This is to match some of our other less-tested modules, where adding flexablity is harder. (and this is security code, so let's just get it right). As such, the DCE/RPC and LDAP clients have been updated. Andrew Bartlett (This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
2007-10-10r8820: Push this common block of code into the caller.Andrew Bartlett1-39/+18
Use talloc_steal() rather than talloc_reference(). Andrew Bartlett (This used to be commit 8774f971f3926c5c37aad1e8dfeafa394de87d63)
2007-10-10r8811: Fix the build..Jelmer Vernooij2-0/+3
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
2007-10-10r8520: fixed a pile of warnings from the build farm gcc -Wall output onAndrew Tridgell1-1/+1
S390. This is an attempt to avoid the panic we're seeing in the automatic builds. The main fixes are: - assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats - use of NULL format statements to perform dn searches. - assumption that sizeof() returns an int (This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
2007-10-10r8073: a successful rpc call from ejs!Andrew Tridgell1-0/+14
the ejs_echo.c code is the stuff that needs to be auto-generated by pidl. It only does echo_AddOne so far. We also need a table for registering these calls. The code is hard-wired for echo_AddOne for now. (This used to be commit b1ea58ddc482c373783d16331dd07378010ba39a)
2007-10-10r8068: reduced the verbosity of the EPM codeAndrew Tridgell1-3/+3
(This used to be commit 4c5974fc3dabd090284b2ed455a0af114ddbec1d)
2007-10-10r8057: use our defined push/pull types in the validate code (fixes a warning)Andrew Tridgell1-2/+2
(This used to be commit 4e14ebf51e871d6d70a194e2725c2158675dc6fc)
2007-10-10r7932: don't use the nbt called name as server name, for dcerpc_server_name()Stefan Metzmacher1-9/+8
in the ncacn_np trnaport it's now supported to use the ip address in smbtorture for ncacn_np tests that use dcerpc_server_name(), and we can now pass the dns host name in the tree connect when we have the dns name on the smbtorture command line metze (This used to be commit e29edbc7e62c738564ae842c9c01c969f5c70e5d)
2007-10-10r7865: changed pidl to take a "const void *" instead of a "void *" for theAndrew Tridgell2-5/+5
structure in ndr_push_*() and ndr_print_*(). The push and print functions really should not modify the structure. metze, to make this work I had to change your spoolss hand marshaller. Can you please check it is OK? I think that the IN and OUT sides of that function are not ever called on the same structure, so I think that attempt at remembering the value by assigning to r->in._offered was not doing anything anyway, but please correct me if I have misunderstood it. If you really do need to remember something on those structures I'd suggest the ndr_token_store() and ndr_token_retrieve() functions, which are used by pidl for just this sort of thing. (This used to be commit eee528be97fa43ca53bdc5652b4d29a0a2caf563)
2007-10-10r7690: Move the NT hash generation into the credentials system, rather thanAndrew Bartlett1-3/+4
in all the callers. This also allows us to be more flexible in the type of password we store. Andrew Bartlett (This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3)
2007-10-10r7659: fixup the ordering of socket destruction for ncacn_ip_tcp so we don't ↵Andrew Tridgell1-4/+3
try and remove an epoll descriptor for a closed fd (This used to be commit bec5e9f80a934e6472e8d227214a9baba4f15054)
2007-10-10r7658: don't timeout at the smb level for rpc requests as otherwise some rpcAndrew Tridgell1-0/+4
level sign/seal mechanisms can break (This used to be commit 9df569f023f9a1e0d8c35de8135a344933bc69bf)
2007-10-10r7653: when a dcerpc request times out, we need to ensure that if the serverAndrew Tridgell1-1/+11
does finally answer the request and it is on the smb transport that we don't die in the callback code as the rpc request state is gone. (This used to be commit d47477c5c3acbaa7242fa3a06d4095258db86297)
2007-10-10r7652: use event friendly connect in dcerpc socket codeAndrew Tridgell1-1/+1
(This used to be commit 154effd781c901abfcd8f89721c4a6d03c07b670)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell7-54/+49
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r7497: add timeouts to all rpc requests. The default timeout is 60Andrew Tridgell3-0/+49
seconds. This should prevent the problem I am seeing on a solaris box where a rpc request gets stuck forever (This used to be commit c24ab34813d675b9b81f3062fb6f30aae5697805)
2007-10-10r7496: removed an unused variableAndrew Tridgell1-1/+0
(This used to be commit a8c99d0e37b5ca37cabc201c1290c6cd26a16549)
2007-10-10r7313: Prefix a few functions with ncacn_ rather then dcerpc_ because they areJelmer Vernooij2-19/+19
ncacn_ specific (This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a)
2007-10-10r7312: Add IDL for ncadg packets.Jelmer Vernooij2-17/+16
(This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f)
2007-10-10r6973: Merge new version of pidl into the main SAMBA_4_0 branch.Jelmer Vernooij1-1/+2
The main difference in this new version is the extra data structure generated between the IDL data structure and the NDR parser: IDL -> NDR -> { ndr_parser, ndr_header, eparser, etc } This makes the ndr_parser.pm internals much more sane. Other changes include: - Remove unnecessary calls with NDR_BUFFERS (for example, GUID doesn't have any buffers, just scalars) as well as some (unnecessary) nested setting of flags. - Parse array loops in the C code rather then calling ndr_pull_array(). This allows us to have, for example, arrays of pointers or arrays of pointers to arrays, etc.. - Use if() {} rather then if () goto foo; everywhere - NDR_IN no longer implies LIBNDR_FLAG_REF_ALLOC - By default, top level pointers are now "ref" (as is the default in most other IDL compilers). This can be overridden using the default_pointer_top() property. - initial work on new ethereal parser generators by Alan DeKok and me - pidl now writes errors in the standard format used by compilers, which is parsable by most editors - ability to warn about the fact that pidl extension(s) have been used, useful for making sure IDL files work with other IDL compilers. oh, and there's probably some other things I can't think of right now.. (This used to be commit 13cf227615f6b9e0e5fa62e59197024410254f01)
2007-10-10r6795: Make some functions static and remove some unused ones.Jelmer Vernooij1-1/+1
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
2007-10-10r6565: Cludge, cludge, cludge...Andrew Bartlett3-24/+9
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10r6526: Rename this RPC fault. Everybody else calls this ACCESS_DENIED, andAndrew Bartlett1-1/+1
it certainly doesn't make sense as LOGON_FAILURE. Andrew Bartlett (This used to be commit 4bec3d3f378ed8b988e00441c9bb5718b8548ba6)
2007-10-10r6272: For 'programmed' use of an anonymous account, we should useAndrew Bartlett1-2/+9
cli_credentials_set_conf(), not cli_credentials_guess(). Also, clarify why for particular flags, we don't do a DCERPC-level authentication. Andrew Bartlett (This used to be commit 838925761d004a1426107f4c5c84d0276fddb2c0)
2007-10-10r6229: Back out these changes ...Richard Sharpe1-15/+1
(This used to be commit 321fbae51267153102e47845736f2c3a5abfe0be)
2007-10-10r6219: This change allows us to fall back to authenticating withoutRichard Sharpe1-1/+15
DCERPC_SCHANNEL_128 if we fail. Thus, it allows us to work with Windows NT DCs ... (This used to be commit 3034b226705c4736d57c9bf4e9470c4d44c72e8e)
2007-10-10r6178: fix ncacn_np connection without sign or seal against NT4Stefan Metzmacher1-1/+4
metze (This used to be commit d92100fcc2066454df441a1ea2c7b9940fa19fa1)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett3-427/+30
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5980: Fix double free after unexpected disconnect.Jelmer Vernooij1-1/+5
(This used to be commit 6149bd3702a0293fc1f798de7c399e3e6858416d)
2007-10-10r5976: SIDs can't have more then 5 subauths (caught by [validate] andJelmer Vernooij1-0/+3
range()) (This used to be commit ec1eaa274b997197ca6996457229c802f1b76d56)
2007-10-10r5941: Commit this patch much earlier than I would normally prefer, but ↵Andrew Bartlett3-127/+101
metze needs a working tree... The main volume of this patch was what I started working on today: - Cleans up memory handling around DCE/RPC pipes, to have a parent talloc context. - Uses sepereate inner loops for some of the DCE/RPC tests The other and more important part of this patch fixes issues surrounding the new credentials framwork: This makes the struct cli_credentials always a talloc() structure, rather than on the stack. Parts of the cli_credentials code already assumed this. There were other issues, particularly in the DCERPC over SMB handling, as well as little things that had to be tidied up before test_w2k3.sh would start to pass. Andrew Bartlett (This used to be commit 0453f9d05d2e336fba1f85dbf2718d01fa2bf778)
2007-10-10r5932: Use cli_credentials somewhat more in the Gtk+ codeJelmer Vernooij1-6/+3
Support ncacn_spx in DCE/RPC bindings. (This used to be commit a0233a3a9a83176ae46873d3a25ed601758a1511)
2007-10-10r5930: Fix initialisation of dcerpc_binding->authserviceJelmer Vernooij1-0/+2
(This used to be commit f8cf161e0e59bd6b2a62135be8511403f4e9ca70)
2007-10-10r5929: Use cli_credentials for the SMB functions as well.Jelmer Vernooij1-6/+4
Fix a couple of bugs in the new cli_credentials code (This used to be commit 4ad481cfe5cde514d2ef9646147239f3faaa6173)
2007-10-10r5928: Use cli_credentials in:Jelmer Vernooij3-68/+48
- gtk+ (returned by GtkHostBindingDialog as well now) - torture/ - librpc/ - lib/com/dcom/ (This used to be commit ccefd782335e01e8e6ecb2bcd28a4f999c53b1a6)
2007-10-10r5902: A rather large change...Andrew Bartlett4-162/+194
I wanted to add a simple 'workstation' argument to the DCERPC authenticated binding calls, but this patch kind of grew from there. With SCHANNEL, the 'workstation' name (the netbios name of the client) matters, as this is what ties the session between the NETLOGON ops and the SCHANNEL bind. This changes a lot of files, and these will again be changed when jelmer does the credentials work. I also correct some schannel IDL to distinguish between workstation names and account names. The distinction matters for domain trust accounts. Issues in handling this (issues with lifetime of talloc pointers) caused me to change the 'creds_CredentialsState' and 'struct dcerpc_binding' pointers to always be talloc()ed pointers. In the schannel DB, we now store both the domain and computername, and query on both. This should ensure we fault correctly when the domain is specified incorrectly in the SCHANNEL bind. In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out, where the comment claimed we re-used a connection, but in fact we made a new connection. This was achived by breaking apart some of the dcerpc_secondary_connection() logic. The addition of workstation handling was also propogated to NTLMSSP and GENSEC, for completeness. The RPC-SAMSYNC test has been cleaned up a little, using a loop over usernames/passwords rather than manually expanded tests. This will be expanded further (the code in #if 0 in this patch) to use a newly created user account for testing. In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO server, caused by the removal of [ref] and the assoicated pointer from the IDL. This has been re-added, until the underlying pidl issues are solved. (This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2007-10-10r5667: Move schannel state into libcli/auth (as it belongs with schannel,Andrew Bartlett1-7/+0
which will move in with the rest of GENSEC shortly). Add the RID as another element in the schannel state. Andrew Bartlett (This used to be commit 69114b4a8e1c937ab5ff12ca91dd22bd83fd9a3b)
2007-10-10r5603: add "authservice()" property to the interface property listStefan Metzmacher3-5/+26
so we can specify allowed target service names in the idl file the default is "host" metze (This used to be commit bf40d5321f3257bf9354a42d31265f1a9b0d53ad)