[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Tue Sep 14 23:39:01 MDT 2010


The branch, master has been updated
       via  5a0bb22 cldap: prevent crashes when freeing cldap socket
       via  ea223ba s4-server: check the return of irpc_binding_handle_by_name
       via  beb9c6b s4-finddcs: ensure we free previous cldap requests before starting a new one
       via  fcf576f s4-selftest: enable logging in valgrind server xterm
       via  a498ab9 s4-rpc: fixed double free in RPC proxy
       via  0212800 tsocket: we return -1 on error, not fd
       via  0009d17 s4-libnet: print the domain name on domain open failure
       via  c18e956 s4-libnet: force IDL printing for high debug levels
       via  66460c9 s4-resolve: the file backend should not look at the name type
       via  6012f31 s4-finddcs: show required server type bits on failure
       via  6c45eeb s4-repl: use consistent API calls for getting DN GUID
       via  52ae578 s4-netlogon: fixed logic for setting DS_SERVER_WRITABLE
       via  59d415f4 s4-finddc: use NBT lookup for a 1C name if joining a short domain name
       via  99f514f s4-selftest: use the full domain name in joins
       via  4e9f449 s4-join: give a clear error when using short domain form
       via  011978e s4-rodc: use python finddc code to avoid the need for --server
       via  2e92484 s4-pynet: added finddc call
       via  58d59a0 s4-libcli: change finddcs.h -> finddc.h
       via  7f029aa s4-finddcs: rename finddcs to finddcs_nbt
       via  ee61568 s4-winbind: use finddcs_cldap() in winbind
       via  0c447e3 s4-libnet: use finddcs_cldap() in libnet_lookup
       via  fede78f s4-cldap: don't set the writable bit when we are a RODC
       via  898674c s4-finddcs: added finddcs_cldap()
       via  5bbfe2b s4-secrets: fixed shadowed variable warning
       via  4ff4521 cldap: use ipv4 not ip for unbound cldap sockets
       via  dbc9b18 s4-resolve: added resolve_name_multiple_recv()
       via  fa7fd4f s4-dns: fixed lookup of SRV records using dns_ex
       via  ce2004d s4: fixed some printf format errors
       via  041c699 s4-libnet: converted finddcs call to tevent_req
       via  94fb612 s4-secrets: fetch secure channel type with domain SID
       via  bd51d30 s4-auth: when we are a DC enable winbind auth
       via  67ac855 s4-auth: set the RODC bit for RODC schannel
       via  52445e1 s4-schannel: fixed reference to context after free
       via  5b02cf1 s4-auth: allow multiple active auth backends
       via  890a33c s4-smb: serialise session setup operations
       via  ba2c394 talloc: fixed spelling errors in comment
       via  13a8745 s4-rodc: add a trigger message for REPL_SECRET to auth_sam
       via  f6d85be s4-messaging: add support for no_reply in irpc messages
       via  b9393e4 s4-kcc: removed redundant loop check
       via  2fbf10e s4-smb: smbsrv_blob_push_string() can return -1
       via  a17da70 s4-dsdb: check for invalid backend type
       via  3e88f3c s4-rootdse: setup length after NULL check
       via  d00cb8b s4-dsdb: fixed use after free for RODC
       via  597372d s4-dsdb: free right context on failure
       via  cbd8297 s4-dsdb: defer ac->msg after check for NULL ac
       via  5a4a11c s4-anr: check for allocation failure before use
      from  ba726b5 s4: Fix two typos

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5a0bb2234e86c6718c9dbfd7a087ab7c1b7f6bb4
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 14:24:51 2010 +1000

    cldap: prevent crashes when freeing cldap socket
    
    As a callback may destroy the cldap socket we need to ensure we don't
    reference the cldap structure after the callback
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit ea223baabc599415bf8da14a53cb77632343bc82
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 13:14:42 2010 +1000

    s4-server: check the return of irpc_binding_handle_by_name
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit beb9c6be70bcbd04c087c8352cf480e4f869448f
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 12:22:48 2010 +1000

    s4-finddcs: ensure we free previous cldap requests before starting a new one

commit fcf576f002cc2b6dc7e3ecc3533572adcfcb1ffe
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 12:16:00 2010 +1000

    s4-selftest: enable logging in valgrind server xterm
    
    when running with valgrind on the server, enable logging in the xterm
    so you get a permanent record of any errors

commit a498ab90fbad872c36900a86fe7ccada64c3c4a7
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 11:23:15 2010 +1000

    s4-rpc: fixed double free in RPC proxy
    
    the unbind method is only called when the dcesrv_connection_context is
    being destroyed (it's called from the destructor). That means that priv
    is either already free, or is about to be freed, so don't free it
    again

commit 0212800de8c6367c9da7939fc43a1fa23c7da2bf
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 11:21:43 2010 +1000

    tsocket: we return -1 on error, not fd
    
    the code used this pattern:
    
     if (fd < 0) {
       ...various cleanups...
       return fd;
     }
    
    it is much clearer to do this:
    
     if (fd < 0) {
       ...various cleanups...
       return -1;
     }
    
    as otherwise when reading the code you think this function may return
    a fd.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 0009d1771a757c1df152693840991ecc57564f34
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:53:49 2010 +1000

    s4-libnet: print the domain name on domain open failure
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit c18e9566ea62fb1a3cb46ca6ce703e32e24cf550
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:53:29 2010 +1000

    s4-libnet: force IDL printing for high debug levels
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 66460c946ac8b4dadb00cb10cfa14a642a206871
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:52:56 2010 +1000

    s4-resolve: the file backend should not look at the name type
    
    this matches the behaviour of our DNS resolver
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 6012f311159ddf0ee45dd954eb0808463e406356
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:20:59 2010 +1000

    s4-finddcs: show required server type bits on failure
    
    when we skip a DC because it doesn't have the required server type
    bits, show what bits we wanted
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 6c45eeb94430d9312c28e6f28da3c9d1db8156cc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:20:14 2010 +1000

    s4-repl: use consistent API calls for getting DN GUID
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 52ae57850006abeb5d2ca90deeebf83a989ccf01
Author: Andrew Tridgell <tridge at samba.org>
Date:   Wed Sep 15 09:19:47 2010 +1000

    s4-netlogon: fixed logic for setting DS_SERVER_WRITABLE
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 59d415f43f72146b15a721e928cf346777239bfc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 20:10:51 2010 +1000

    s4-finddc: use NBT lookup for a 1C name if joining a short domain name
    
    once we get the 1C lookup reply, use a CLDAP query to find the details
    for the server
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 99f514f233fb1b3dcdd19cd2cc9ca9130ea841c8
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 18:28:44 2010 +1000

    s4-selftest: use the full domain name in joins
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 4e9f449106bb31cad87b7985837b2181c1df3558
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 18:28:27 2010 +1000

    s4-join: give a clear error when using short domain form
    
    we now require the full domain name, for the DNS/CLDAP lookup
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 011978eb1baf16c622ffcfcaf9944a217d95fadf
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 18:22:13 2010 +1000

    s4-rodc: use python finddc code to avoid the need for --server
    
    The DC is now found via DNS/CLDAP
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 2e92484c60f55b967dcd3c698e6553c2eed4a4ea
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 18:21:38 2010 +1000

    s4-pynet: added finddc call
    
    this gives access to the CLDAP/DNS finddc code from python
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 58d59a08ad3620c980cac47ece3a3f900d2eb336
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 17:48:52 2010 +1000

    s4-libcli: change finddcs.h -> finddc.h
    
    this prevents conflicts with old generated files and we can only ever
    return one DC with this interface.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 7f029aad350d64efa8aef0ec1432d077ea3426b2
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 17:37:01 2010 +1000

    s4-finddcs: rename finddcs to finddcs_nbt
    
    finddcs_nbt is currently unused, but will later be a fallback if a
    cldap DC find fails.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit ee61568be6bcb217d106c08ec915775c8476ed56
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 17:36:23 2010 +1000

    s4-winbind: use finddcs_cldap() in winbind
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 0c447e316f17e64becaf70c91006b90de21887df
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 17:34:55 2010 +1000

    s4-libnet: use finddcs_cldap() in libnet_lookup
    
    this may later be changed to do fallback to NBT as well, but for now
    cldap is sufficient
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit fede78f29d15bb718186122f136cc25f0557773f
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 15:48:19 2010 +1000

    s4-cldap: don't set the writable bit when we are a RODC
    
    when we are a RODC, don't respond with the writable bit in the server
    type response of netlogon requests
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 898674cb1ca5b071653acfe3bcfeac895fffc6c8
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 15:46:31 2010 +1000

    s4-finddcs: added finddcs_cldap()
    
    this finds DCs with a specified set of server_type bits using SRV
    lookups and CLDAP
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 5bbfe2b42fd065e34bf20a24cb235863ad41fddc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 13:12:00 2010 +1000

    s4-secrets: fixed shadowed variable warning
    
    we already have a 'v' in scope

commit 4ff452151a1d253b44cccfce034873c260ff414c
Author: Andrew Tridgell <tridge at samba.org>
Date:   Tue Sep 14 07:49:12 2010 +1000

    cldap: use ipv4 not ip for unbound cldap sockets
    
    If we use "ip" we end up with a PF_INET6 socket which breaks sendto()
    for v4 addresses.

commit dbc9b185afa2fe59f73526b081ef6acff7d61aaa
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 23:08:28 2010 +1000

    s4-resolve: added resolve_name_multiple_recv()
    
    this allows for multiple replies to a SRV lookup
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit fa7fd4f261955753edfa3a415dcbf1f206200504
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 23:07:44 2010 +1000

    s4-dns: fixed lookup of SRV records using dns_ex
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit ce2004d631bb7eb0aa838f07ef48465a6f199d22
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 23:07:10 2010 +1000

    s4: fixed some printf format errors

commit 041c699f3ae10d189405b93977e3143813fb4525
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 16:37:10 2010 +1000

    s4-libnet: converted finddcs call to tevent_req
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 94fb6120d80d05de0f24ea71a93c761517fd4231
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 12:15:52 2010 +1000

    s4-secrets: fetch secure channel type with domain SID
    
    The secure channel type is needed to work out what DC to connect to
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit bd51d30809180b64c5c6fc98c2bd79040b93051c
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 11:38:12 2010 +1000

    s4-auth: when we are a DC enable winbind auth
    
    As a RODC we need to forward some auth requests to a writable DC
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 67ac8555b1e80aed07e420bca63e5c133c63fb5e
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 11:36:43 2010 +1000

    s4-auth: set the RODC bit for RODC schannel
    
    When we are using SEC_CHAN_RODC we need to set the
    NETLOGON_NEG_RODC_PASSTHROUGH bit in the negotiated flags in
    ServerAuthenticate2
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 52445e1583580e135da9e85c93608d0909dea8a7
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 07:44:06 2010 +1000

    s4-schannel: fixed reference to context after free
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 5b02cf1eb0b2e524cb58ec6ed6e766c252b06af9
Author: Andrew Tridgell <tridge at samba.org>
Date:   Mon Sep 13 07:41:56 2010 +1000

    s4-auth: allow multiple active auth backends
    
    when we are an RODC we need to be able to allow multiple auth backends
    to process a single auth request. First the sam backend will try to
    authenticate, using locally stored passwords. If this backend can't
    find local passwords then it will try the winbind backend and
    authenticate via a writeable DC
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 890a33c99bc0a468984c456647311db0a19528aa
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sun Sep 12 22:24:46 2010 +1000

    s4-smb: serialise session setup operations
    
    the mixture of async and sync code in gensec makes an EOF on a socket
    during a session setup cause a crash. The simplest solution is to
    stop processing events on the socket until the session setup is
    complete.

commit ba2c394ed479bb121b7b20ddd724e92d71ac1518
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sun Sep 12 22:17:01 2010 +1000

    talloc: fixed spelling errors in comment

commit 13a8745cae2b38c8071b182a4c020305c76e62b8
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sun Sep 12 10:06:39 2010 +1000

    s4-rodc: add a trigger message for REPL_SECRET to auth_sam
    
    when an RODC tries to authenticate against an account and the account
    has no password information it needs to send a message to the drepl
    server to tell it to try and replicate the secret information from
    a writeable DC
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit f6d85be52830d17dbf6e7b01bf854a49dccbc7f8
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sun Sep 12 10:02:02 2010 +1000

    s4-messaging: add support for no_reply in irpc messages
    
    It can be useful for an irpc message to be one-way, where the client
    sends a message and the server does not reply. This will be used for
    things like a trigger message from an auth context to the drepl server
    to tell it to try a REPL_SECRET on a user in a RODC.
    
    Previously we've used raw messaging for messages that have no reply,
    but that doesn't allow us to use messages described by IDL
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit b9393e48963bb0e800383d5fdf6888b472d44fb2
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:18:11 2010 +1000

    s4-kcc: removed redundant loop check
    
    el has already been checked for NULL

commit 2fbf10ea1b1a52b1d01651d2f9ae4983013f1abd
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:17:39 2010 +1000

    s4-smb: smbsrv_blob_push_string() can return -1
    
    need to use ssize_t, not size_t for error handling

commit a17da707858baac78d5938313d935572520fabf1
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:16:29 2010 +1000

    s4-dsdb: check for invalid backend type

commit 3e88f3cf339e49aedfaf949646df1e4b217435f4
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:16:14 2010 +1000

    s4-rootdse: setup length after NULL check

commit d00cb8b3d311a694369e3a9a627ab7d6bc534c4b
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:15:51 2010 +1000

    s4-dsdb: fixed use after free for RODC

commit 597372df34ba48b96e5c9cad4d552ce1b932b66e
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:15:27 2010 +1000

    s4-dsdb: free right context on failure
    
    down_req is not initialised yet

commit cbd8297b4dcf9446e30b752d977e15ba440dff70
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:15:00 2010 +1000

    s4-dsdb: defer ac->msg after check for NULL ac

commit 5a4a11cb98460dfab0517636a1434e0a96009c4e
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Sep 10 20:14:29 2010 +1000

    s4-anr: check for allocation failure before use

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                        |    1 -
 lib/talloc/talloc.c                               |    4 +-
 lib/tsocket/tsocket_bsd.c                         |   14 +-
 libcli/auth/credentials.h                         |    1 +
 libcli/cldap/cldap.c                              |   27 ++-
 selftest/target/Samba4.pm                         |    8 +-
 source4/auth/ntlm/auth.c                          |   78 +++---
 source4/auth/ntlm/auth_sam.c                      |   52 ++++
 source4/cldap_server/netlogon.c                   |    8 +-
 source4/dsdb/kcc/kcc_service.c                    |    2 +-
 source4/dsdb/repl/drepl_ridalloc.c                |    2 +-
 source4/dsdb/repl/drepl_service.c                 |   14 +
 source4/dsdb/samdb/ldb_modules/anr.c              |    2 +-
 source4/dsdb/samdb/ldb_modules/extended_dn_out.c  |    4 +-
 source4/dsdb/samdb/ldb_modules/objectguid.c       |    2 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c   |    5 +-
 source4/dsdb/samdb/ldb_modules/rootdse.c          |    4 +-
 source4/dsdb/samdb/ldb_modules/samba_dsdb.c       |    2 +
 source4/lib/messaging/irpc.h                      |    1 +
 source4/lib/messaging/messaging.c                 |    7 +
 source4/lib/registry/ldb.c                        |    2 +-
 source4/lib/registry/util.c                       |    2 +-
 source4/{libnet/libnet_site.h => libcli/finddc.h} |   24 +-
 source4/libcli/finddcs_cldap.c                    |  330 +++++++++++++++++++++
 source4/libcli/{finddcs.c => finddcs_nbt.c}       |  194 +++++++-----
 source4/libcli/resolve/dns_ex.c                   |    4 +-
 source4/libcli/resolve/file.c                     |    2 +-
 source4/libcli/resolve/resolve.c                  |   34 +++
 source4/libcli/wscript_build                      |    6 +-
 source4/libnet/libnet_lookup.c                    |   49 ++--
 source4/libnet/libnet_rpc.c                       |   20 +-
 source4/libnet/py_net.c                           |   45 +++
 source4/librpc/idl/irpc.idl                       |    7 +
 source4/librpc/rpc/dcerpc_schannel.c              |   10 +-
 source4/param/loadparm.c                          |    4 +-
 source4/param/secrets.c                           |   16 +-
 source4/param/secrets.h                           |    2 +
 source4/rpc_server/remote/dcesrv_remote.c         |   16 +-
 source4/scripting/python/samba/join.py            |   18 +-
 source4/scripting/python/samba/netcmd/join.py     |    2 +-
 source4/selftest/wscript                          |    2 +-
 source4/smb_server/blob.c                         |   19 +-
 source4/smb_server/smb/sesssetup.c                |    7 +
 source4/smb_server/smb2/sesssetup.c               |    9 +
 source4/smbd/service_task.c                       |    7 +-
 source4/torture/libnet/domain.c                   |    3 +-
 source4/torture/libnet/libnet_domain.c            |    3 +-
 source4/winbind/wb_dom_info.c                     |   62 +++--
 source4/winbind/wb_dom_info_trusted.c             |   28 +-
 source4/winbind/wb_init_domain.c                  |   12 +-
 source4/winbind/wb_server.c                       |   12 +-
 source4/winbind/wb_server.h                       |    5 +-
 source4/winbind/wb_sid2domain.c                   |    4 +-
 53 files changed, 914 insertions(+), 284 deletions(-)
 copy source4/{libnet/libnet_site.h => libcli/finddc.h} (63%)
 create mode 100644 source4/libcli/finddcs_cldap.c
 rename source4/libcli/{finddcs.c => finddcs_nbt.c} (61%)


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore
index 12573c5..56bba7e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -180,7 +180,6 @@ source4/kdc/pac-glue_proto.h
 source4/ldap_server/proto.h
 source4/lib/charset/charset_proto.h
 source4/libcli/composite/proto.h
-source4/libcli/finddcs.h
 source4/libcli/ldap/ldap_proto.h
 source4/libcli/libcli_proto.h
 libcli/nbt/nbtname.h
diff --git a/lib/talloc/talloc.c b/lib/talloc/talloc.c
index bd364ed..cafe4d6 100644
--- a/lib/talloc/talloc.c
+++ b/lib/talloc/talloc.c
@@ -571,8 +571,8 @@ static inline int _talloc_free_internal(void *ptr, const char *location)
 
 	if (unlikely(tc->refs)) {
 		int is_child;
-		/* check this is a reference from a child or grantchild
-		 * back to it's parent or grantparent
+		/* check if this is a reference from a child or
+		 * grandchild back to it's parent or grandparent
 		 *
 		 * in that case we need to remove the reference and
 		 * call another instance of talloc_free() on the current
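Review bot: the rewritten comment still reads "it's parent" on its second line; since this change is a spelling cleanup of that comment, it should become the possessive "its parent" in the same pass.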
diff --git a/lib/tsocket/tsocket_bsd.c b/lib/tsocket/tsocket_bsd.c
index dfc9685..dabf962 100644
--- a/lib/tsocket/tsocket_bsd.c
+++ b/lib/tsocket/tsocket_bsd.c
@@ -1237,12 +1237,12 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 
 	fd = socket(sa_fam, SOCK_DGRAM, 0);
 	if (fd < 0) {
-		return fd;
+		return -1;
 	}
 
 	fd = tsocket_bsd_common_prepare_fd(fd, true);
 	if (fd < 0) {
-		return fd;
+		return -1;
 	}
 
 	dgram = tdgram_context_create(mem_ctx,
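Review bot: in the second check, fd is overwritten with the return value of tsocket_bsd_common_prepare_fd(), so on failure the original descriptor is no longer available here to close. Please confirm, and say in a comment, that the helper closes the descriptor itself on error and leaves errno set, because with a bare -1 return errno is the only error detail the caller receives.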
@@ -1270,7 +1270,7 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 			int saved_errno = errno;
 			talloc_free(dgram);
 			errno = saved_errno;
-			return ret;
+			return -1;
 		}
 	}
 #endif
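Review bot: this error path, like the four that follow it in this patch, repeats the same sequence of saving errno, talloc_free(dgram), restoring errno and returning -1. With the return value now identical everywhere, a single fail label would remove the duplication and make it harder for a future error path to forget the errno save.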
@@ -1284,7 +1284,7 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 			int saved_errno = errno;
 			talloc_free(dgram);
 			errno = saved_errno;
-			return ret;
+			return -1;
 		}
 	}
 
@@ -1297,7 +1297,7 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 			int saved_errno = errno;
 			talloc_free(dgram);
 			errno = saved_errno;
-			return ret;
+			return -1;
 		}
 	}
 
@@ -1307,7 +1307,7 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 			int saved_errno = errno;
 			talloc_free(dgram);
 			errno = saved_errno;
-			return ret;
+			return -1;
 		}
 	}
 
@@ -1323,7 +1323,7 @@ static int tdgram_bsd_dgram_socket(const struct tsocket_address *local,
 			int saved_errno = errno;
 			talloc_free(dgram);
 			errno = saved_errno;
-			return ret;
+			return -1;
 		}
 	}
 
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h
index 7175211..47582ef 100644
--- a/libcli/auth/credentials.h
+++ b/libcli/auth/credentials.h
@@ -68,4 +68,5 @@
 
 #define NETLOGON_NEG_AUTH2_ADS_FLAGS (0x200fbffb | NETLOGON_NEG_ARCFOUR | NETLOGON_NEG_128BIT | NETLOGON_NEG_SCHANNEL)
 
+#define NETLOGON_NEG_AUTH2_RODC_FLAGS (NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_RODC_PASSTHROUGH)
 
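Review bot: NETLOGON_NEG_AUTH2_RODC_FLAGS is added without a comment saying when it applies. A one-line note that it is the flag set for SEC_CHAN_RODC channels negotiated in ServerAuthenticate2 would keep callers from picking it for ordinary secure channels.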
diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index 896319e..f5585c2 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -167,7 +167,7 @@ static void cldap_recvfrom_stop(struct cldap_socket *c)
 	c->recv_subreq = NULL;
 }
 
-static void cldap_socket_recv_dgram(struct cldap_socket *c,
+static bool cldap_socket_recv_dgram(struct cldap_socket *c,
 				    struct cldap_incoming *in);
 
 static void cldap_recvfrom_done(struct tevent_req *subreq)
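Review bot: the forward declaration changes the return type to bool without saying what the value means. A short comment on the declaration or the definition (true when the function has already re-armed the receive and the caller must not touch c again) would make the contract with cldap_recvfrom_done explicit.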
@@ -176,6 +176,7 @@ static void cldap_recvfrom_done(struct tevent_req *subreq)
 				 struct cldap_socket);
 	struct cldap_incoming *in = NULL;
 	ssize_t ret;
+	bool setup_done;
 
 	c->recv_subreq = NULL;
 
@@ -199,10 +200,10 @@ static void cldap_recvfrom_done(struct tevent_req *subreq)
 	}
 
 	/* this function should free or steal 'in' */
-	cldap_socket_recv_dgram(c, in);
+	setup_done = cldap_socket_recv_dgram(c, in);
 	in = NULL;
 
-	if (!cldap_recvfrom_setup(c)) {
+	if (!setup_done && !cldap_recvfrom_setup(c)) {
 		goto nomem;
 	}
 
@@ -218,7 +219,7 @@ nomem:
 /*
   handle recv events on a cldap socket
 */
-static void cldap_socket_recv_dgram(struct cldap_socket *c,
+static bool cldap_socket_recv_dgram(struct cldap_socket *c,
 				    struct cldap_incoming *in)
 {
 	DATA_BLOB blob;
@@ -262,7 +263,7 @@ static void cldap_socket_recv_dgram(struct cldap_socket *c,
 
 		/* this function should free or steal 'in' */
 		c->incoming.handler(c, c->incoming.private_data, in);
-		return;
+		return false;
 	}
 
 	search = talloc_get_type(p, struct cldap_search_state);
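Review bot: the incoming-handler path returns false straight after c->incoming.handler(...), so cldap_recvfrom_done goes on to call cldap_recvfrom_setup(c) after that callback has run. If the handler is allowed to free the socket, c is still referenced after the callback on this path; either document that incoming handlers must not free c, or re-arm the receive before invoking the handler here as well and return true.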
@@ -270,8 +271,15 @@ static void cldap_socket_recv_dgram(struct cldap_socket *c,
 	search->response.asn1 = asn1;
 	search->response.asn1->ofs = 0;
 
+	DLIST_REMOVE(c->searches.list, search);
+
+	if (!cldap_recvfrom_setup(c)) {
+		goto nomem;
+	}
+
 	tevent_req_done(search->req);
-	goto done;
+	talloc_free(in);
+	return true;
 
 nomem:
 	in->recv_errno = ENOMEM;
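Review bot: the new goto nomem sits after DLIST_REMOVE(c->searches.list, search), while the nterror label visible in the next hunk reports through c->searches.list->req. If nomem reaches that label, the error goes to a different pending search or, when the list is now empty, dereferences NULL. Fail search->req directly on this path, or call cldap_recvfrom_setup(c) before unlinking the search.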
@@ -289,6 +297,7 @@ nterror:
 	tevent_req_nterror(c->searches.list->req, status);
 done:
 	talloc_free(in);
+	return false;
 }
 
 /*
@@ -320,7 +329,11 @@ NTSTATUS cldap_socket_init(TALLOC_CTX *mem_ctx,
 	c->event.ctx = ev;
 
 	if (!local_addr) {
-		ret = tsocket_address_inet_from_strings(c, "ip",
+		/* we use ipv4 here instead of ip, as otherwise we end
+		   up with a PF_INET6 socket, and sendto() for ipv4
+		   addresses will fail. That breaks cldap name
+		   resolution for winbind to IPv4 hosts. */
+		ret = tsocket_address_inet_from_strings(c, "ipv4",
 							NULL, 0,
 							&any);
 		if (ret != 0) {
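Review bot: hard-coding "ipv4" for the unbound case fixes sendto() to v4 addresses, but an IPv4-only socket cannot send to IPv6 destinations, and the new comment does not mention that. Please state the limitation in the comment; longer term the address family would be better taken from the destination when it is known.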
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 1754501..53237e0 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -870,7 +870,7 @@ sub provision_member($$$)
 	my $cmd = "";
 	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{DOMAIN} member";
+	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
 
 	unless (system($cmd) == 0) {
@@ -925,7 +925,7 @@ sub provision_rpc_proxy($$$)
 	my $cmd = "";
 	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{DOMAIN} member";
+	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
 
 	unless (system($cmd) == 0) {
@@ -981,7 +981,7 @@ sub provision_vampire_dc($$$)
 	my $cmd = "";
 	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-	$cmd .= "$net vampire $ret->{CONFIGURATION} $dcvars->{DOMAIN} --realm=$dcvars->{REALM}";
+	$cmd .= "$net vampire $ret->{CONFIGURATION} $dcvars->{REALM} --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
 
 	unless (system($cmd) == 0) {
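Review bot: on the vampire line the positional argument and --realm= now both carry $dcvars->{REALM}. If the positional domain argument has to be the realm, the --realm option is redundant here; dropping one of the two would make it clear which value the command actually uses.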
@@ -1159,7 +1159,7 @@ sub provision_rodc($$$)
 	my $cmd = "";
 	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{DOMAIN} RODC";
+	$cmd .= "$net join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
 	$cmd .= " --server=$dcvars->{DC_SERVER}";
 
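Review bot: the RODC join still appends --server=$dcvars->{DC_SERVER}, so this test does not exercise finding the DC via DNS/CLDAP from the realm name. If the join is meant to work without --server, drop that line here so selftest covers the lookup path.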
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index a977aa4..b34b8ac 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -234,7 +234,6 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 	struct auth_check_password_state *state;
 	/* if all the modules say 'not for me' this is reasonable */
 	NTSTATUS nt_status;
-	struct auth_method_context *method;
 	uint8_t chal[8];
 	struct auth_usersupplied_info *user_info_tmp;
 	struct tevent_immediate *im;
@@ -252,7 +251,6 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 
 	state->auth_ctx		= auth_ctx;
 	state->user_info	= user_info;
-	state->method		= NULL;
 
 	if (!user_info->mapped_state) {
 		nt_status = map_user_info(req, lpcfg_workgroup(auth_ctx->lp_ctx),
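Review bot: removing the explicit state->method = NULL leaves state->method unset until auth_check_password_async_trigger runs, and never set if auth_ctx->methods is empty. If anything reads state->method for debug output on the early error paths of this function, keep the initialisation or confirm that the state is zero-filled on allocation.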
@@ -296,35 +294,11 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	for (method = auth_ctx->methods; method; method = method->next) {
-		NTSTATUS result;
-
-		/* check if the module wants to chek the password */
-		result = method->ops->want_check(method, req, user_info);
-		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-			DEBUG(11,("auth_check_password_send: "
-				  "%s had nothing to say\n",
-				  method->ops->name));
-			continue;
-		}
-
-		state->method = method;
-
-		if (tevent_req_nterror(req, result)) {
-			return tevent_req_post(req, ev);
-		}
-
-		tevent_schedule_immediate(im,
-					  auth_ctx->event_ctx,
-					  auth_check_password_async_trigger,
-					  req);
-
-		return req;
-	}
-
-	/* If all the modules say 'not for me', then this is reasonable */
-	tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
-	return tevent_req_post(req, ev);
+	tevent_schedule_immediate(im,
+				  auth_ctx->event_ctx,
+				  auth_check_password_async_trigger,
+				  req);
+	return req;
 }
 
 static void auth_check_password_async_trigger(struct tevent_context *ev,
@@ -336,11 +310,45 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
 	struct auth_check_password_state *state =
 		tevent_req_data(req, struct auth_check_password_state);
 	NTSTATUS status;
+	struct auth_method_context *method;
+
+	status = NT_STATUS_OK;
+
+	for (method=state->auth_ctx->methods; method; method = method->next) {
+
+		/* we fill in state->method here so debug messages in
+		   the callers know which method failed */
+		state->method = method;
+
+		/* check if the module wants to check the password */
+		status = method->ops->want_check(method, req, state->user_info);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+			DEBUG(11,("auth_check_password_send: "
+				  "%s had nothing to say\n",
+				  method->ops->name));
+			continue;
+		}
+
+		if (tevent_req_nterror(req, status)) {
+			return;
+		}
+
+		status = method->ops->check_password(method,
+						     state,
+						     state->user_info,
+						     &state->server_info);
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+			/* the backend has handled the request */
+			break;
+		}
+	}
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+		/* don't expose the NT_STATUS_NOT_IMPLEMENTED
+		   internals */
+		status = NT_STATUS_NO_SUCH_USER;
+	}
 
-	status = state->method->ops->check_password(state->method,
-						    state,
-						    state->user_info,
-						    &state->server_info);
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
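Review bot: in auth_check_password_async_trigger, status is initialised to NT_STATUS_OK before the loop, so if state->auth_ctx->methods is empty the loop body never runs, the NOT_IMPLEMENTED mapping is skipped, and tevent_req_nterror(req, status) does not fail the request. The removed code in auth_check_password_send ended with NT_STATUS_NO_SUCH_USER in that case. Initialise status to NT_STATUS_NOT_IMPLEMENTED (or NT_STATUS_NO_SUCH_USER) so an empty method list fails closed. Minor: the DEBUG(11) text still names auth_check_password_send although the check now lives in the trigger function.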
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index fdcc5bd..8de33ff 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -32,6 +32,8 @@
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/common/util.h"
 #include "param/param.h"
+#include "librpc/gen_ndr/ndr_irpc_c.h"
+#include "lib/messaging/irpc.h"
 
 extern const char *user_attrs[];
 extern const char *domain_ref_attrs[];
@@ -135,6 +137,37 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 }
 
 
+/*
+  send a message to the drepl server telling it to initiate a
+  REPL_SECRET getncchanges extended op to fetch the users secrets
+ */
+static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
+					 struct ldb_dn *user_dn)
+{
+	struct dcerpc_binding_handle *irpc_handle;
+	struct drepl_trigger_repl_secret r;
+	struct tevent_req *req;
+
+	irpc_handle = irpc_binding_handle_by_name(mem_ctx, auth_context->msg_ctx,
+						  "dreplsrv",
+						  &ndr_table_irpc);
+	if (irpc_handle == NULL) {
+		DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
+		return;
+	}
+
+	r.in.user_dn = ldb_dn_get_linearized(user_dn);
+
+	req = dcerpc_drepl_trigger_repl_secret_r_send(mem_ctx,
+						      auth_context->event_ctx,
+						      irpc_handle,
+						      &r);
+
+	/* we aren't interested in a reply */
+	talloc_free(req);
+	talloc_free(irpc_handle);
+}
+
 
 static NTSTATUS authsam_authenticate(struct auth_context *auth_context, 
 				     TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, 
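Review bot: in auth_sam_trigger_repl_secret, the struct r is left uninitialised apart from r.in.user_dn, and the return value of ldb_dn_get_linearized(user_dn) is passed on without a NULL check. Zero the struct (ZERO_STRUCT(r) or an initialiser) and return early with a debug message if the linearized DN is NULL. The request is also freed immediately after the _r_send call; the comment says no reply is wanted, but it would help to state that the message is expected to have been queued by the time _r_send returns, since that is what the talloc_free(req) relies on.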
@@ -165,6 +198,25 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 	nt_status = samdb_result_passwords(mem_ctx, auth_context->lp_ctx, msg, &lm_pwd, &nt_pwd);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
+	if (lm_pwd == NULL && nt_pwd == NULL) {
+		bool am_rodc;
+		if (samdb_rodc(auth_context->sam_ctx, &am_rodc) == LDB_SUCCESS && am_rodc) {
+			/* we don't have passwords for this
+			 * account. We are an RODC, and this account
+			 * may be one for which we either are denied
+			 * REPL_SECRET replication or we haven't yet
+			 * done the replication. We return
+			 * NT_STATUS_NOT_IMPLEMENTED which tells the
+			 * auth code to try the next authentication
+			 * mechanism. We also send a message to our
+			 * drepl server to tell it to try and
+			 * replicate the secrets for this account.
+			 */
+			auth_sam_trigger_repl_secret(mem_ctx, auth_context, msg->dn);
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+	}
+
 	nt_status = authsam_password_ok(auth_context, mem_ctx, 
 					acct_flags, lm_pwd, nt_pwd,
 					user_info, user_sess_key, lm_sess_key);
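Review bot: the new RODC check in authsam_authenticate calls samdb_rodc(auth_context->sam_ctx, &am_rodc) even though the function is passed its own sam_ctx parameter; use the parameter so the check runs against the same ldb context as the rest of the function. If samdb_rodc() fails, the code falls through silently to authsam_password_ok with both hashes NULL, which deserves at least a debug message. Also note that the replication trigger is sent on every logon attempt for an account without local secrets, before any credential is verified, so the commit should say how repeated triggers for the same DN are expected to be coalesced or limited.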
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index d1fde89..7192e46 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -71,7 +71,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 	const char *pdc_ip;
 	struct ldb_dn *domain_dn = NULL;
 	struct interface *ifaces;
-	bool user_known;
+	bool user_known, am_rodc;
 	NTSTATUS status;
 
 	/* the domain parameter could have an optional trailing "." */
@@ -233,7 +233,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 		
 	server_type      = 
 		DS_SERVER_DS | DS_SERVER_TIMESERV |
-		DS_SERVER_CLOSEST | DS_SERVER_WRITABLE | 
+		DS_SERVER_CLOSEST |
 		DS_SERVER_GOOD_TIMESERV;
 
 #if 0
@@ -261,6 +261,10 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 		server_type |= DS_SERVER_KDC;
 	}
 
+	if (samdb_rodc(sam_ctx, &am_rodc) == LDB_SUCCESS && !am_rodc) {
+		server_type |= DS_SERVER_WRITABLE;
+	}
+
 #if 0
 	/* w2k8-r2 as a sole DC does not claim this */
 	if (ldb_dn_compare(ldb_get_root_basedn(sam_ctx), ldb_get_default_basedn(sam_ctx)) == 0) {
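Review bot: in the new samdb_rodc() condition, a failed lookup makes the whole expression false, so DS_SERVER_WRITABLE is silently left unset and a writable DC would advertise itself as read-only after an ldb error. Failing towards "not writable" is a reasonable default, but log the failure so it can be distinguished from a real RODC when clients stop selecting this server for writes.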
diff --git a/source4/dsdb/kcc/kcc_service.c b/source4/dsdb/kcc/kcc_service.c
index 4507545..9bacca9 100644
--- a/source4/dsdb/kcc/kcc_service.c
+++ b/source4/dsdb/kcc/kcc_service.c
@@ -101,7 +101,7 @@ static WERROR kccsrv_load_partitions(struct kccsrv_service *s)
 		return WERR_FOOBAR;
 	}
 
-	for (i=0; el && i < el->num_values; i++) {
+	for (i=0; i < el->num_values; i++) {
 		const char *v = (const char *)el->values[i].data;
 		struct ldb_dn *pdn;
 		struct kccsrv_partition *p;
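Review bot: the loop in kccsrv_load_partitions now reads el->num_values without the previous "el &&" guard. The only check visible above it is the block ending in return WERR_FOOBAR; please confirm that this path is taken whenever el is NULL, and say so in the commit message, or keep the guard.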
diff --git a/source4/dsdb/repl/drepl_ridalloc.c b/source4/dsdb/repl/drepl_ridalloc.c
index e394071..1869af8 100644
--- a/source4/dsdb/repl/drepl_ridalloc.c
+++ b/source4/dsdb/repl/drepl_ridalloc.c
@@ -71,7 +71,7 @@ WERROR drepl_create_role_owner_source_dsa(struct dreplsrv_service *service,
 	}
 
 	sdsa->repsFrom1 = &sdsa->_repsFromBlob.ctr.ctr1;
-	ret = dsdb_find_guid_attr_by_dn(ldb, fsmo_role_dn, "objectGUID", &sdsa->repsFrom1->source_dsa_obj_guid);
+	ret = dsdb_find_guid_by_dn(ldb, fsmo_role_dn, &sdsa->repsFrom1->source_dsa_obj_guid);
 	if (ret != LDB_SUCCESS) {
 		DEBUG(0,(__location__ ": Failed to find objectGUID for %s\n",
 			 ldb_dn_get_linearized(fsmo_role_dn)));
diff --git a/source4/dsdb/repl/drepl_service.c b/source4/dsdb/repl/drepl_service.c
index 2c43617..9a353b0 100644
--- a/source4/dsdb/repl/drepl_service.c
+++ b/source4/dsdb/repl/drepl_service.c
@@ -351,6 +351,19 @@ static NTSTATUS drepl_take_FSMO_role(struct irpc_message *msg,
 	return NT_STATUS_OK;
 }
 
+/**
+ * Called when the auth code wants us to try and replicate
+ * a users secrets
+ */
+static NTSTATUS drepl_trigger_repl_secret(struct irpc_message *msg,
+					  struct drepl_trigger_repl_secret *r)
+{
+	/* we are not going to be sending a reply to this request */
+	msg->no_reply = true;
+	DEBUG(0,(__location__ ": got drepl_trigger_repl_secret with %s\n", r->in.user_dn));
+	return NT_STATUS_OK;
+}
+
 /*
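Review bot: drepl_trigger_repl_secret logs at DEBUG(0) for every request, and the auth_sam.c change in this same push sends one such request for each logon attempt against an account without local secrets, so this line can flood the log at the default level; move it to a higher debug level. r->in.user_dn is printed with %s without a NULL check, and the handler does not yet start any replication, which the doc comment should state so the stub is not mistaken for the finished behaviour.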


-- 
Samba Shared Repository

