From d0051462b99ab3102cebe5ce17bf517b5bdf6c03 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 May 2009 22:23:42 +0200 Subject: s4:libcli/smb2: add some more SMB2 constants metze --- source4/libcli/smb2/smb2_constants.h | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'source4') diff --git a/source4/libcli/smb2/smb2_constants.h b/source4/libcli/smb2/smb2_constants.h index 86dfbfedbe..1a69d54e53 100644 --- a/source4/libcli/smb2/smb2_constants.h +++ b/source4/libcli/smb2/smb2_constants.h @@ -68,10 +68,15 @@ #define SMB2_MAGIC 0x424D53FE /* 0xFE 'S' 'M' 'B' */ -/* the dialects we support */ -#define SMB2_DIALECT_REVISION 0x202 -#define SMB21_DIALECT_REVISION 0x210 -#define SMB2_LONGHORN_BETA_DIALECT_REVISION 0x0 /* early beta dialect */ +/* SMB2 negotiate dialects */ +#define SMB2_DIALECT_REVISION_000 0x0000 /* early beta dialect */ +#define SMB2_DIALECT_REVISION_202 0x0202 +#define SMB2_DIALECT_REVISION_210 0x0210 +#define SMB2_DIALECT_REVISION_2FF 0x02FF + +#define SMB2_DIALECT_REVISION SMB2_DIALECT_REVISION_202 +#define SMB21_DIALECT_REVISION SMB2_DIALECT_REVISION_210 +#define SMB2_LONGHORN_BETA_DIALECT_REVISION SMB2_DIALECT_REVISION_000 /* SMB2 negotiate security_mode */ #define SMB2_NEGOTIATE_SIGNING_ENABLED 0x01 @@ -79,9 +84,14 @@ /* SMB2 capabilities - only 1 so far. I'm sure more will be added */ #define SMB2_CAP_DFS 0x00000001 +#define SMB2_CAP_LEASING 0x00000002 /* only in dialect 0x210 */ /* so we can spot new caps as added */ #define SMB2_CAP_ALL SMB2_CAP_DFS +/* SMB2 session flags */ +#define SMB2_SESSION_FLAG_IS_GUEST 0x0001 +#define SMB2_SESSION_FLAG_IS_NULL 0x0002 + /* SMB2 share flags */ #define SMB2_SHAREFLAG_MANUAL_CACHING 0x0000 #define SMB2_SHAREFLAG_AUTO_CACHING 0x0010 -- cgit From 01b05df766cf55c356af495151ac665a82a57c4b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 May 2009 09:38:09 +0200 Subject: s4:libcli/smb2: use new SMB2_DIVELECT_REVISION constants Also send them in the order a windows client would send them (the lowest first). metze --- source4/libcli/smb2/connect.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c index 8d6ea04dc8..8c1a73b681 100644 --- a/source4/libcli/smb2/connect.c +++ b/source4/libcli/smb2/connect.c @@ -164,8 +164,11 @@ static void continue_socket(struct composite_context *creq) struct smbcli_socket *sock; struct smb2_transport *transport; struct smb2_request *req; - uint16_t dialects[3] = { SMB2_DIALECT_REVISION, SMB21_DIALECT_REVISION, - SMB2_LONGHORN_BETA_DIALECT_REVISION }; + uint16_t dialects[3] = { + SMB2_DIALECT_REVISION_000, + SMB2_DIALECT_REVISION_202, + SMB2_DIALECT_REVISION_210 + }; c->status = smbcli_sock_connect_recv(creq, state, &sock); if (!composite_is_ok(c)) return; -- cgit From fadffbae88335a45f23d4861c6a097bccb191069 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 May 2009 08:44:27 +0200 Subject: s4:smb2srv: We only support SMB 2.002. We need to loop over all given dialects and check if we can find SMB2_DIALECT_REVISION_202. metze --- source4/smb_server/smb/negprot.c | 1 - source4/smb_server/smb2/negprot.c | 17 ++++++++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'source4') diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c index c3399fdd48..5ac5624745 100644 --- a/source4/smb_server/smb/negprot.c +++ b/source4/smb_server/smb/negprot.c @@ -469,7 +469,6 @@ static const struct { int protocol_level; } supported_protocols[] = { {"SMB 2.002", "SMB2", reply_smb2, PROTOCOL_SMB2}, - {"SMB 2.001", "SMB2", reply_smb2, PROTOCOL_SMB2}, {"NT LANMAN 1.0", "NT1", reply_nt1, PROTOCOL_NT1}, {"NT LM 0.12", "NT1", reply_nt1, PROTOCOL_NT1}, {"LANMAN2.1", "LANMAN2", reply_lanman2, PROTOCOL_LANMAN2}, diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 0b65a19634..f915392ffa 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -97,14 +97,21 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 NTSTATUS status; struct timeval current_time; struct timeval boot_time; + uint16_t i; + uint16_t dialect = 0; /* we only do one dialect for now */ if (io->in.dialect_count < 1) { return NT_STATUS_NOT_SUPPORTED; } - if (io->in.dialects[0] != 0 && - io->in.dialects[0] != SMB2_DIALECT_REVISION) { - DEBUG(0,("Got unexpected SMB2 dialect %u\n", io->in.dialects[0])); + for (i=0; i < io->in.dialect_count; i++) { + dialect = io->in.dialects[i]; + if (dialect == SMB2_DIALECT_REVISION_202) { + break; + } + } + if (dialect != SMB2_DIALECT_REVISION_202) { + DEBUG(0,("Got unexpected SMB2 dialect %u\n", dialect)); return NT_STATUS_NOT_SUPPORTED; } @@ -128,7 +135,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2 req->smb_conn->smb2_signing_required = true; break; } - io->out.dialect_revision = SMB2_DIALECT_REVISION; + io->out.dialect_revision = dialect; io->out.capabilities = 0; io->out.max_transact_size = lp_parm_ulong(req->smb_conn->lp_ctx, NULL, "smb2", "max transaction size", 0x10000); @@ -281,7 +288,7 @@ void smb2srv_reply_smb_negprot(struct smbsrv_request *smb_req) SSVAL(req->in.body, 0x02, 1); memset(req->in.body+0x04, 0, 32); - SSVAL(req->in.body, 0x24, 0); + SSVAL(req->in.body, 0x24, SMB2_DIALECT_REVISION_202); smb2srv_negprot_recv(req); return; -- cgit From 53df34364416d3ce037024147788fdc968bdb31f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 May 2009 09:37:29 +0200 Subject: s4:libcli/smb2: remove old dialect revision constants metze --- source4/libcli/smb2/smb2_constants.h | 4 ---- 1 file changed, 4 deletions(-) (limited to 'source4') diff --git a/source4/libcli/smb2/smb2_constants.h b/source4/libcli/smb2/smb2_constants.h index 1a69d54e53..48f30972dc 100644 --- a/source4/libcli/smb2/smb2_constants.h +++ b/source4/libcli/smb2/smb2_constants.h @@ -74,10 +74,6 @@ #define SMB2_DIALECT_REVISION_210 0x0210 #define SMB2_DIALECT_REVISION_2FF 0x02FF -#define SMB2_DIALECT_REVISION SMB2_DIALECT_REVISION_202 -#define SMB21_DIALECT_REVISION SMB2_DIALECT_REVISION_210 -#define SMB2_LONGHORN_BETA_DIALECT_REVISION SMB2_DIALECT_REVISION_000 - /* SMB2 negotiate security_mode */ #define SMB2_NEGOTIATE_SIGNING_ENABLED 0x01 #define SMB2_NEGOTIATE_SIGNING_REQUIRED 0x02 -- cgit From bf863bccb662ff71a381f7c6d00e901d3c1c32fd Mon Sep 17 00:00:00 2001 From: Andrew Kroeger Date: Tue, 26 May 2009 15:22:13 -0500 Subject: s4:ldb:modules: Correct typos. --- source4/lib/ldb/common/ldb_controls.c | 4 +--- source4/lib/ldb/modules/asq.c | 2 +- source4/lib/ldb/modules/paged_results.c | 2 +- source4/lib/ldb/modules/sort.c | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) (limited to 'source4') diff --git a/source4/lib/ldb/common/ldb_controls.c b/source4/lib/ldb/common/ldb_controls.c index 0c587e0905..6f127d8c39 100644 --- a/source4/lib/ldb/common/ldb_controls.c +++ b/source4/lib/ldb/common/ldb_controls.c @@ -39,7 +39,6 @@ struct ldb_control *ldb_request_get_control(struct ldb_request *req, const char { int i; - /* check if there's a paged request control */ if (req->controls != NULL) { for (i = 0; req->controls[i]; i++) { if (strcmp(oid, req->controls[i]->oid) == 0) { @@ -59,7 +58,6 @@ struct ldb_control *ldb_reply_get_control(struct ldb_reply *rep, const char *oid { int i; - /* check if there's a paged request control */ if (rep->controls != NULL) { for (i = 0; rep->controls[i]; i++) { if (strcmp(oid, rep->controls[i]->oid) == 0) { @@ -75,7 +73,7 @@ struct ldb_control *ldb_reply_get_control(struct ldb_reply *rep, const char *oid /* saves the current controls list into the "saver" and replace the one in req with a new one excluding the "exclude" control */ -/* returns False on error */ +/* returns 0 on error */ int save_controls(struct ldb_control *exclude, struct ldb_request *req, struct ldb_control ***saver) { struct ldb_control **lcs; diff --git a/source4/lib/ldb/modules/asq.c b/source4/lib/ldb/modules/asq.c index 475b609e41..dd5afd868c 100644 --- a/source4/lib/ldb/modules/asq.c +++ b/source4/lib/ldb/modules/asq.c @@ -351,7 +351,7 @@ static int asq_search(struct ldb_module *module, struct ldb_request *req) ldb = ldb_module_get_ctx(module); - /* check if there's a paged request control */ + /* check if there's an ASQ control */ control = ldb_request_get_control(req, LDB_CONTROL_ASQ_OID); if (control == NULL) { /* not found go on */ diff --git a/source4/lib/ldb/modules/paged_results.c b/source4/lib/ldb/modules/paged_results.c index 2a06c5e6c5..f2692305d5 100644 --- a/source4/lib/ldb/modules/paged_results.c +++ b/source4/lib/ldb/modules/paged_results.c @@ -408,7 +408,7 @@ static int paged_request_init(struct ldb_module *module) ret = ldb_mod_register_control(module, LDB_CONTROL_PAGED_RESULTS_OID); if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_WARNING, - "paged_request:" + "paged_results:" "Unable to register control with rootdse!\n"); } diff --git a/source4/lib/ldb/modules/sort.c b/source4/lib/ldb/modules/sort.c index 309101c32b..b4f76e1007 100644 --- a/source4/lib/ldb/modules/sort.c +++ b/source4/lib/ldb/modules/sort.c @@ -255,7 +255,7 @@ static int server_sort_search(struct ldb_module *module, struct ldb_request *req ldb = ldb_module_get_ctx(module); - /* check if there's a paged request control */ + /* check if there's a server sort control */ control = ldb_request_get_control(req, LDB_CONTROL_SERVER_SORT_OID); if (control == NULL) { /* not found go on */ -- cgit From 73af16c0e7e599ca7f93b9769a42ae4ce0ce7a3e Mon Sep 17 00:00:00 2001 From: Andrew Kroeger Date: Sun, 24 May 2009 17:40:57 -0500 Subject: s4:ldb_modules: Correct typos. --- source4/dsdb/samdb/ldb_modules/kludge_acl.c | 2 +- source4/dsdb/samdb/ldb_modules/show_deleted.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c index 0b5994bb88..5bed28b00c 100644 --- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c @@ -514,7 +514,7 @@ static int kludge_acl_init(struct ldb_module *module) ret = ldb_mod_register_control(module, LDB_CONTROL_SD_FLAGS_OID); if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "partition: Unable to register control with rootdse!\n"); + "kludge_acl: Unable to register control with rootdse!\n"); return LDB_ERR_OPERATIONS_ERROR; } diff --git a/source4/dsdb/samdb/ldb_modules/show_deleted.c b/source4/dsdb/samdb/ldb_modules/show_deleted.c index d619558c21..b4f52d7cde 100644 --- a/source4/dsdb/samdb/ldb_modules/show_deleted.c +++ b/source4/dsdb/samdb/ldb_modules/show_deleted.c @@ -145,7 +145,7 @@ static int show_deleted_init(struct ldb_module *module) ret = ldb_mod_register_control(module, LDB_CONTROL_SHOW_DELETED_OID); if (ret != LDB_SUCCESS) { ldb_debug(ldb, LDB_DEBUG_ERROR, - "extended_dn: Unable to register control with rootdse!\n"); + "show_deleted: Unable to register control with rootdse!\n"); return LDB_ERR_OPERATIONS_ERROR; } -- cgit From b21656f09a1127f10de75b9cc098e07cf3135d3c Mon Sep 17 00:00:00 2001 From: Andrew Kroeger Date: Sun, 24 May 2009 01:48:49 -0500 Subject: s4:tevent: Increase trace debug level to 50. The sheer volume of messages generated by tevent when the trace level is set to 10 makes it difficult to debug issues in a level 10 log. Increasing this to 50 allows tevent tracing to be enabled if needed, but otherwise keeps the extra chatter out of a level 10 log. --- source4/lib/events/tevent_s4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/lib/events/tevent_s4.c b/source4/lib/events/tevent_s4.c index 06bfbf61ed..1898269c2c 100644 --- a/source4/lib/events/tevent_s4.c +++ b/source4/lib/events/tevent_s4.c @@ -42,7 +42,7 @@ static void ev_wrap_debug(void *context, enum tevent_debug_level level, samba_level = 2; break; case TEVENT_DEBUG_TRACE: - samba_level = 10; + samba_level = 50; break; }; -- cgit From 5264ad627d59e0f2cb03cb3bdd3baf8943d7fa5b Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 26 May 2009 13:09:57 +1000 Subject: Handle the krbtgt special case by looking for RID -514 It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary way the krbtgt account is recognised as special is that RID. This should fix issues such as 'password expired' on the kpasswd service. Andrew Bartlett --- source4/kdc/hdb-samba4.c | 78 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 52 insertions(+), 26 deletions(-) (limited to 'source4') diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 1fdb744a84..585285795f 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -38,6 +38,7 @@ #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "librpc/gen_ndr/netlogon.h" +#include "libcli/security/security.h" #include "auth/auth.h" #include "auth/credentials/credentials.h" #include "auth/auth_sam.h" @@ -499,7 +500,9 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, struct hdb_ldb_private *p; NTTIME acct_expiry; + NTSTATUS status; + uint32_t rid; struct ldb_message_element *objectclasses; struct ldb_val computer_val; const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); @@ -580,49 +583,70 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, /* First try and figure out the flags based on the userAccountControl */ entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type); - if (ent_type == HDB_SAMBA4_ENT_TYPE_KRBTGT) { - entry_ex->entry.flags.invalid = 0; - entry_ex->entry.flags.server = 1; - entry_ex->entry.flags.forwardable = 1; - entry_ex->entry.flags.ok_as_delegate = 1; - } - /* Windows 2008 seems to enforce this (very sensible) rule by * default - don't allow offline attacks on a user's password * by asking for a ticket to them as a service (encrypted with * their probably patheticly insecure password) */ - if (lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) { + if (entry_ex->entry.flags.server + && lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) { if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) { entry_ex->entry.flags.server = 0; } } - /* use 'whenCreated' */ - entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); - /* use '???' */ - entry_ex->entry.created_by.principal = NULL; + { + /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use + * of the Heimdal KDC. They are stored in a the traditional + * DB for audit purposes, and still form part of the structure + * we must return */ + + /* use 'whenCreated' */ + entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); + /* use '???' */ + entry_ex->entry.created_by.principal = NULL; + + entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event)); + if (entry_ex->entry.modified_by == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + ret = ENOMEM; + goto out; + } + + /* use 'whenChanged' */ + entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0); + /* use '???' */ + entry_ex->entry.modified_by->principal = NULL; + } - entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event)); - if (entry_ex->entry.modified_by == NULL) { - krb5_set_error_string(context, "malloc: out of memory"); - ret = ENOMEM; + + /* The lack of password controls etc applies to krbtgt by + * virtue of being that particular RID */ + status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid); + + if (!NT_STATUS_IS_OK(status)) { + ret = EINVAL; goto out; } - /* use 'whenChanged' */ - entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0); - /* use '???' */ - entry_ex->entry.modified_by->principal = NULL; + if (rid == DOMAIN_RID_KRBTGT) { + entry_ex->entry.valid_end = NULL; + entry_ex->entry.pw_end = NULL; - entry_ex->entry.valid_start = NULL; + entry_ex->entry.flags.invalid = 0; + entry_ex->entry.flags.server = 1; + entry_ex->entry.flags.change_pw = 1; + entry_ex->entry.flags.client = 0; + entry_ex->entry.flags.forwardable = 1; + entry_ex->entry.flags.ok_as_delegate = 1; + } else if (entry_ex->entry.flags.server && ent_type == HDB_SAMBA4_ENT_TYPE_SERVER) { + /* The account/password expiry only applies when the account is used as a + * client (ie password login), not when used as a server */ - /* The account/password expiry only applies when the account is used as a - * client (ie password login), not when used as a server */ - if (ent_type == HDB_SAMBA4_ENT_TYPE_KRBTGT || ent_type == HDB_SAMBA4_ENT_TYPE_SERVER) { /* Make very well sure we don't use this for a client, - * it could bypass the above password restrictions */ + * it could bypass the password restrictions */ entry_ex->entry.flags.client = 0; + entry_ex->entry.valid_end = NULL; entry_ex->entry.pw_end = NULL; @@ -653,7 +677,9 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry); } } - + + entry_ex->entry.valid_start = NULL; + entry_ex->entry.max_life = NULL; entry_ex->entry.max_renew = NULL; -- cgit From 078343906d9e403d250639235bf634e1a71e682f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 May 2009 15:56:31 +1000 Subject: Detect missing 'witch' before detecting missing autoconf --- source4/autogen.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/autogen.sh b/source4/autogen.sh index 8b97023073..2d995caeae 100755 --- a/source4/autogen.sh +++ b/source4/autogen.sh @@ -22,7 +22,12 @@ TESTAUTOCONF="autoconf autoconf-2.53 autoconf2.50 autoconf259 autoconf253" AUTOHEADERFOUND="0" AUTOCONFFOUND="0" - +if which which > /dev/null 2>&1; then + echo -n +else + echo "$0: need 'which' to figure out if we have the right autoconf to build samba from git" >&2 + exit 1 +fi ## ## Look for autoheader ## -- cgit From ee4c1ed010d62e0522f6a96f40f1ebd2df89a6b6 Mon Sep 17 00:00:00 2001 From: Nadezhda Ivanova Date: Wed, 27 May 2009 13:49:51 +0300 Subject: Modified SamDB to accept options like Ldb. --- source4/scripting/python/samba/samdb.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4') diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index 17b5450a3e..454a9d144c 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -36,14 +36,14 @@ class SamDB(samba.Ldb): """The SAM database.""" def __init__(self, url=None, session_info=None, credentials=None, - modules_dir=None, lp=None): + modules_dir=None, lp=None, options=None): """Open the Sam Database. :param url: URL of the database. """ self.lp = lp super(SamDB, self).__init__(session_info=session_info, credentials=credentials, - modules_dir=modules_dir, lp=lp) + modules_dir=modules_dir, lp=lp, options=options) glue.dsdb_set_global_schema(self) if url: self.connect(url) -- cgit