Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 128b5ea7b369df6e7433609a24128f8bf623c4fe)
|
|
- removed the struct dcerpc_request_state as all the state
information is already available on the dcerpc_pipe structure, so just
use that
- added a single dcerpc_recv_data() handler for receiving packets
from the transport layer. This then does the initial decoding of
the dcerpc packet, and then looks at the packet type in order to
work out who to dispatch it to. This should allow in-flight async
rpc requests to still work while a new bind or alter context is
happening
- ensure that if the transport indicates the connection is dead that
any in-flight bind or alter context requests are given an error
- removed full_request_private and instead use separate bind_private
and alter_private pointers
- added a few comments for some bits I found hard to understand
(This used to be commit 938e372bffbee1982ad8268b83c43514fd2e5633)
|
|
revision 11809 had removed the change to the session key function
after authentication succeeds.
(This used to be commit c04c78d617b0d8c9f8fa724d475fefbe9e478ef7)
|
|
ncacn_ip_tcp/ncalrpc. The problem was that svn revision 11809 removed
the logic that forced the CONNECT auth type for authenticated binds
which don't have an explicit SIGN or SEAL flag set.
(This used to be commit e7a1f11e8bcba3839f74c7303bd82533a6acfbcd)
|
|
hack for the
winbind "bug" :-)
Volker
(This used to be commit fb9a3c7ef376f289288c71bc47d67f548ddb7194)
|
|
(This used to be commit e1bf1c326f297321a6c8fdf9679130dba102669e)
|
|
This also removes dcerpc_bind_auth_password, the only user of
dcerpc_bind_auth. And this was not only passwords anyway.
Andrew Bartlett, as usual: Please take a close look.
Thanks,
Volker
(This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee)
|
|
closely. Survives RPC-ALTERCONTEXT.
Volker
(This used to be commit 1875c4808f8c30a6f750b88e166d43a736d5edc7)
|
|
(This used to be commit e75080b26d76199a6006fb076cf816ac023254ee)
|
|
(This used to be commit 16bc6b64f9053df3d08a05e7b7cfe77be6580d2b)
|
|
Tridge et al, please take a close look at this. It survives my basic rpc-login
test as well as rpc-lsa, but this is critical I think.
Volker
(This used to be commit bf1a55f44c84d9bb8b2f83f5d25727550ca8fcf2)
|
|
enabling of packet serialisation
(This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb)
|
|
allowing it to specify the initial read size (thus preventing
over-reading) and to stop the recv process when needed. This is used
by the dcerpc socket code, which relies on not getting packets when it
isn't ready for them
(This used to be commit f869fd674ec4b148dc9a264e94d19ce79d35131d)
|
|
(This used to be commit 4ea66e6e80de0d70b53bf9cd16c1dfd1c400f57e)
|
|
(This used to be commit 3e4ab756f421acd747e9ea4c48b0f61d48dfa8fd)
|
|
(This used to be commit 558c29971d5855308a9d8dfd21e8ac7ec24abc01)
|
|
consistancy.
Andrew Bartlett
(This used to be commit 8787eb982f899c68a490fb9c71c21ec1d9ec0308)
|
|
requests. If it's
not there (it's not yet on *any* call... :-)), the rpc client strictly
sequences calls to an rpc pipe. Might need some more work on the exact
sequencing semantics when a pipe with both sync and async calls is actually
deployed, but I want it in for winbind simplification.
Volker
(This used to be commit b8f324e4f000971b7dafc263c16dd4af958ee7f9)
|
|
within a callback on the pipe. This should fix a problem volker
encountered with winbind. The fix invoolves making the recv_data
handler free the memory for a packet, instead of having the transport
layer free it after calling recv_data. When the transport layer freed
it, it had no way of knowing if the callback had shutdown the pipe, so
it had no way of knowing if it could safely use the pointer.
Also changed the pipe shutdown hook for the smb transport to use an
async SMB close. This ensures that when you shutdown the pipe, you
don't block waiting for the server to ack the close of the pipe fnum.
(This used to be commit c87d7f580e39245db181605f50883de07dd9632e)
|
|
Tridge, if you have time, you might want to look at the segfault I was still
seeing. Now I store the handle to the netlogon pipe in the global winbind
state and free it on the next entry into check_machacc. The problem seems to
be that talloc_free()ing a pipe struct from within a callback function on that
pipe is not possible. I think I can live with that, but it has been not really
obvious. To reproduce the segfault you might want to look at putting a
talloc_free(state->getcreds->out.netlogon) into
wbsrv_samba3_check_machacc_receive_creds. This is called from a dcerpc
callback function.
In particular if the check failed it would be nice if I could delete the pipe
directly and not post a different event to some winbind queue.
I tried to delete the pipe from a timed event triggered immediately, but this
also fails because the inner loop seems to hit the same event again, calling
it twice.
Volker
(This used to be commit 5436d7764812bb632ba865e633005ed07923b57f)
|
|
Volker
(This used to be commit 42ff218ac98fab00bd58c4f50f11843ef32b4698)
|
|
I still have issues with Win2k3 SP1, and Samba4 doesn't pass it's own
test for the moment, but I'm working on these issues :-)
This required a change to the credentials API, so that the special
case for NTLM logins using a principal was indeed handled as a
special, not general case.
Also don't set the realm from a ccache, as then it overrides --option=realm=.
Andrew Bartlett
(This used to be commit 194e8f07c0cb4685797c5a7a074577c62dfdebe3)
|
|
field, instead put a zero address. Note that zero is correct (ie. we
shouldn't do the lookup) as in the client we want to send a zero for
the server to fill in. When we make this call from the server we fill
in a real IP.
(This used to be commit e54c8b5658761c33d50a1a557d2ec77229b07b47)
|
|
(This used to be commit aeb42a446b3c28c5cf6800606b3f9b70c49cb94b)
|
|
data to be signed/sealed. We can use this to split the data from the
signature portion of the resultant wrapped packet.
This required merging the gsskrb5_wrap_size patch from
lorikeet-heimdal, and fixes AES encrption issues on DCE/RPC (we no
longer use a static 45 byte value).
This fixes one of the krb5 issues in my list.
Andrew Bartlett
(This used to be commit e4f2afc34362953f56a026b66ae1aea81e9db104)
|
|
Kerberos CCACHE into the system.
This again allows the use of the system ccache when no username is
specified, and brings more code in common between gensec_krb5 and
gensec_gssapi.
It also has a side-effect that may (or may not) be expected: If there
is a ccache, even if it is not used (perhaps the remote server didn't
want kerberos), it will change the default username.
Andrew Bartlett
(This used to be commit 6202267f6ec1446d6bd11d1d37d05a977bc8d315)
|
|
requirements, and for better error reporting.
In particular, the composite session setup (extended security/SPNEGO)
code now returns errors, rather than NT_STATUS_NO_MEMORY. This is
seen particularly when GENSEC fails to start.
The tighter interface rules apply to NTLMSSP, which must be called
exactly the right number of times. This is to match some of our other
less-tested modules, where adding flexablity is harder. (and this is
security code, so let's just get it right). As such, the DCE/RPC and
LDAP clients have been updated.
Andrew Bartlett
(This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
|
|
Use talloc_steal() rather than talloc_reference().
Andrew Bartlett
(This used to be commit 8774f971f3926c5c37aad1e8dfeafa394de87d63)
|
|
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
|
|
S390. This is an attempt to avoid the panic we're seeing in the
automatic builds.
The main fixes are:
- assumptions that sizeof(size_t) == sizeof(int), mostly in printf formats
- use of NULL format statements to perform dn searches.
- assumption that sizeof() returns an int
(This used to be commit a58ea6b3854973b694d2b1e22323ed7eb00e3a3f)
|
|
the ejs_echo.c code is the stuff that needs to be auto-generated by
pidl. It only does echo_AddOne so far.
We also need a table for registering these calls. The code is
hard-wired for echo_AddOne for now.
(This used to be commit b1ea58ddc482c373783d16331dd07378010ba39a)
|
|
(This used to be commit 4c5974fc3dabd090284b2ed455a0af114ddbec1d)
|
|
(This used to be commit 4e14ebf51e871d6d70a194e2725c2158675dc6fc)
|
|
in the ncacn_np trnaport
it's now supported to use the ip address in smbtorture for ncacn_np tests
that use dcerpc_server_name(),
and we can now pass the dns host name in the tree connect when we have the dns name
on the smbtorture command line
metze
(This used to be commit e29edbc7e62c738564ae842c9c01c969f5c70e5d)
|
|
structure in ndr_push_*() and ndr_print_*(). The push and print
functions really should not modify the structure.
metze, to make this work I had to change your spoolss hand
marshaller. Can you please check it is OK? I think that the IN and OUT
sides of that function are not ever called on the same structure, so I
think that attempt at remembering the value by assigning to
r->in._offered was not doing anything anyway, but please correct me if
I have misunderstood it.
If you really do need to remember something on those structures I'd
suggest the ndr_token_store() and ndr_token_retrieve() functions,
which are used by pidl for just this sort of thing.
(This used to be commit eee528be97fa43ca53bdc5652b4d29a0a2caf563)
|
|
in all the callers. This also allows us to be more flexible in the
type of password we store.
Andrew Bartlett
(This used to be commit 00b8588c68526e1d86fda0bd81c0b86f690b62c3)
|
|
try and
remove an epoll descriptor for a closed fd
(This used to be commit bec5e9f80a934e6472e8d227214a9baba4f15054)
|
|
level sign/seal mechanisms can break
(This used to be commit 9df569f023f9a1e0d8c35de8135a344933bc69bf)
|
|
does finally answer the request and it is on the smb transport that we
don't die in the callback code as the rpc request state is gone.
(This used to be commit d47477c5c3acbaa7242fa3a06d4095258db86297)
|
|
(This used to be commit 154effd781c901abfcd8f89721c4a6d03c07b670)
|
|
event_context for the socket_connect() call, so that when things that
use dcerpc are running alongside anything else it doesn't block the
whole process during a connect.
Then of course I needed to change any code that created a dcerpc
connection (such as the auth code) to also take an event context, and
anything that called that and so on .... thus the size of the patch.
There were 3 places where I punted:
- abartlet wanted me to add a gensec_set_event_context() call
instead of adding it to the gensec init calls. Andrew, my
apologies for not doing this. I didn't do it as adding a new
parameter allowed me to catch all the callers with the
compiler. Now that its done, we could go back and use
gensec_set_event_context()
- the ejs code calls auth initialisation, which means it should pass
in the event context from the web server. I punted on that. Needs fixing.
- I used a NULL event context in dcom_get_pipe(). This is equivalent
to what we did already, but should be fixed to use a callers event
context. Jelmer, can you think of a clean way to do that?
I also cleaned up a couple of things:
- libnet_context_destroy() makes no sense. I removed it.
- removed some unused vars in various places
(This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
|
|
seconds. This should prevent the problem I am seeing on a solaris box
where a rpc request gets stuck forever
(This used to be commit c24ab34813d675b9b81f3062fb6f30aae5697805)
|
|
(This used to be commit a8c99d0e37b5ca37cabc201c1290c6cd26a16549)
|
|
ncacn_ specific
(This used to be commit 875cce126878172eedb43b4ecab3970ea9d82e4a)
|
|
(This used to be commit 2009a430b03c685dd65bd573e70d3618f2e0dd0f)
|
|
The main difference in this new version is the extra data structure generated
between the IDL data structure and the NDR parser:
IDL -> NDR -> { ndr_parser, ndr_header, eparser, etc }
This makes the ndr_parser.pm internals much more sane.
Other changes include:
- Remove unnecessary calls with NDR_BUFFERS (for example, GUID doesn't have any buffers, just scalars) as well as some (unnecessary) nested setting of flags.
- Parse array loops in the C code rather then calling ndr_pull_array(). This allows us to have, for example, arrays of pointers or arrays of pointers to arrays, etc..
- Use if() {} rather then if () goto foo; everywhere
- NDR_IN no longer implies LIBNDR_FLAG_REF_ALLOC
- By default, top level pointers are now "ref" (as is the default in
most other IDL compilers). This can be overridden using the
default_pointer_top() property.
- initial work on new ethereal parser generators by Alan DeKok and me
- pidl now writes errors in the standard format used by compilers, which
is parsable by most editors
- ability to warn about the fact that pidl extension(s) have been used,
useful for making sure IDL files work with other IDL compilers.
oh, and there's probably some other things I can't think of right now..
(This used to be commit 13cf227615f6b9e0e5fa62e59197024410254f01)
|
|
(This used to be commit 46509eb89980bfe6dabd71264d570ea356ee5a22)
|
|
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.
(Yes, jelmer objects to this inclusion of the kitchen sink ;-)
Andrew Bartlett
(This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
|
|
it certainly doesn't make sense as LOGON_FAILURE.
Andrew Bartlett
(This used to be commit 4bec3d3f378ed8b988e00441c9bb5718b8548ba6)
|
|
cli_credentials_set_conf(), not cli_credentials_guess().
Also, clarify why for particular flags, we don't do a DCERPC-level
authentication.
Andrew Bartlett
(This used to be commit 838925761d004a1426107f4c5c84d0276fddb2c0)
|