[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Mar 24 02:28:58 MDT 2010
The branch, master has been updated
via 5592a9b... s4:selftest Test --sign and --encrypt options to ldbsearch
via bb7854a... s4:cmdline Add --sign and --encrypt options to our common command line
via a2286ba... s4:ntlmssp Ensure that we always negotiate signing if we negotiate sealing.
from fbdcaa9... s3: Optimize gencache for smbd exit
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5592a9ba5adb6e23a0fc580725184f39efce0486
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 24 19:27:18 2010 +1100
s4:selftest Test --sign and --encrypt options to ldbsearch
commit bb7854afea47699be32f5331fe5f8f05e469cb96
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 24 19:26:02 2010 +1100
s4:cmdline Add --sign and --encrypt options to our common command line
This allows ldbsearch to accept --sign and --encrypt. I'll soon work
to integrate with the --signing= option in smbclient.
Andrew Bartlett
commit a2286bad67a772d290fead9832b7ca52877c40b2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 24 16:09:02 2010 +1100
s4:ntlmssp Ensure that we always negotiate signing if we negotiate sealing.
Without this, a sealed LDAP connection to windows does not work.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/auth/ntlmssp/ntlmssp_client.c | 1 +
source4/lib/cmdline/popt_credentials.c | 29 ++++++++++++++++++++++++++++-
source4/selftest/tests.sh | 4 ++--
3 files changed, 31 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 7aef086..b518fa8 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -368,6 +368,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
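Review bot: The new `NTLMSSP_NEGOTIATE_SIGN` line inside the `GENSEC_FEATURE_SEAL` branch carries no comment, so the reason sealing forces signing is recorded only in the commit message. I would add `/* A sealed LDAP connection to Windows does not work unless signing is negotiated too */` directly above it, so the line is not later removed as redundant with the SIGN branch. The change covers the client negotiate flags only. Whether the server side of the NTLMSSP code applies the same rule cannot be seen here, and gensec_ntlmssp_client_start continues outside the hunk.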
diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c
index 42ecac1..80f71eb 100644
--- a/source4/lib/cmdline/popt_credentials.c
+++ b/source4/lib/cmdline/popt_credentials.c
@@ -39,7 +39,7 @@
static bool dont_ask;
-enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS };
+enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT };
/*
disable asking for a password
@@ -66,6 +66,7 @@ static void popt_common_credentials_callback(poptContext con,
cli_credentials_set_cmdline_callbacks(cmdline_credentials);
}
return;
+
}
switch(opt->val) {
@@ -119,9 +120,33 @@ static void popt_common_credentials_callback(poptContext con,
}
case OPT_SIMPLE_BIND_DN:
+ {
cli_credentials_set_bind_dn(cmdline_credentials, arg);
break;
}
+ case OPT_SIGN:
+ {
+ uint32_t gensec_features;
+
+ gensec_features = cli_credentials_get_gensec_features(cmdline_credentials);
+
+ gensec_features |= GENSEC_FEATURE_SIGN;
+ cli_credentials_set_gensec_features(cmdline_credentials,
+ gensec_features);
+ break;
+ }
+ case OPT_ENCRYPT:
+ {
+ uint32_t gensec_features;
+
+ gensec_features = cli_credentials_get_gensec_features(cmdline_credentials);
+
+ gensec_features |= GENSEC_FEATURE_SEAL;
+ cli_credentials_set_gensec_features(cmdline_credentials,
+ gensec_features);
+ break;
+ }
+ }
}
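Review bot: The `OPT_ENCRYPT` case requests only `GENSEC_FEATURE_SEAL`, so integrity protection for `--encrypt` depends on each gensec mechanism adding signing on its own. The accompanying NTLMSSP change does that for one backend, but the others are not visible in this hunk. Requesting both at the option level, `gensec_features |= GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL;`, would make the guarantee independent of the mechanism. The two cases are otherwise identical apart from the flag, and popt_common_credentials_callback starts outside the hunk.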
@@ -135,5 +160,7 @@ struct poptOption popt_common_credentials[] = {
{ "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" },
{ "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" },
{ "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" },
+ { "sign", 'S', POPT_ARG_NONE, NULL, OPT_SIGN, "Sign connection to prevent modification in transit" },
+ { "encrypt", 'e', POPT_ARG_NONE, NULL, OPT_ENCRYPT, "Encrypt connection for privacy" },
{ NULL }
};
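Review bot: The new entries claim the short letters `'S'` and `'e'` in the common credentials table, which is shared by every tool that includes it. A tool whose own popt table already defines `-S` or `-e` would then have two meanings for the letter, with a security option possibly shadowed; this hunk does not show whether any tool does so, so it is worth checking the callers. If there is any doubt, register the long names only by passing `0` as the short name, as the `simple-bind-dn` entry already does.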
diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh
index e6a8c25..8dd8f2b 100755
--- a/source4/selftest/tests.sh
+++ b/source4/selftest/tests.sh
@@ -114,8 +114,8 @@ echo "OPTIONS $TORTURE_OPTIONS"
# Simple tests for LDAP and CLDAP
-for options in "" "--option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD --option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD"; do
- plantest "ldb.ldap with options $options" dc $bbdir/test_ldb.sh ldap \$SERVER_IP $options
+for options in "" "--option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD --option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD" "-U\$USERNAME%\$PASSWORD -k yes" "-U\$USERNAME%\$PASSWORD -k no" "-U\$USERNAME%\$PASSWORD -k no --sign" "-U\$USERNAME%\$PASSWORD -k no --encrypt" "-U\$USERNAME%\$PASSWORD -k yes --encrypt" "-U\$USERNAME%\$PASSWORD -k yes --sign"; do
+ plantest "ldb.ldap with options $options" dc $bbdir/test_ldb.sh ldap \$SERVER $options
done
# see if we support ldaps
if grep ENABLE_GNUTLS.1 include/config.h > /dev/null; then
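Review bot: The added `--sign` and `--encrypt` combinations only prove that test_ldb.sh still succeeds with the flags present, not that the connection was actually signed or sealed. A client that silently fell back to an unprotected bind would pass the same loop. As far as this hunk shows, nothing asserts the negotiated protection, so a negative case would give the options real regression coverage, for example a run against a configuration where signing or sealing cannot be negotiated, with failure as the expected result. The switch from `\$SERVER_IP` to `\$SERVER` also applies to the pre-existing option sets, which is worth a word in the commit message.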
--
Samba Shared Repository