[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Aug 16 16:54:03 MDT 2012


The branch, master has been updated
       via  16edb6e s3:smb2_server: try to sign an error response if we have a signing key
       via  19ca98a s3:smb2_server: verify the signature before the session_status
       via  f4432fe s3:smb2_server: add some const to print_req_vectors()
       via  8dbfa93 s4:cldap_server: only return DS_SERVER_*TIMESERV if "ntp_signd" is used
       via  4c5019d s4:cldap_server: set DS_SERVER_SELECT_SECRET_DOMAIN_6 if we're a RODC
      from  f3b69da s3-libsmb: Add a simple test for python bindings

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 16edb6eb7bf48026129a85e3c00ca9309d5c54c5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 16 15:14:51 2012 +0200

    s3:smb2_server: try to sign an error response if we have a signing key
    
    metze
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Aug 17 00:54:01 CEST 2012 on sn-devel-104

commit 19ca98a162050807ad96b3a3f1f8e1982c7d2c3e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 16 15:08:40 2012 +0200

    s3:smb2_server: verify the signature before the session_status
    
    metze

commit f4432fea6a7a64a04a304f21207eaa1b14c929aa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 16 12:00:57 2012 +0200

    s3:smb2_server: add some const to print_req_vectors()
    
    metze

commit 8dbfa9305dc428e3987e4623034d16a598d54a26
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 16 13:32:14 2012 +0200

    s4:cldap_server: only return DS_SERVER_*TIMESERV if "ntp_signd" is used
    
    metze

commit 4c5019d507fbe0c9ae328463a3392323fc9e6d51
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 16 13:31:33 2012 +0200

    s4:cldap_server: set DS_SERVER_SELECT_SECRET_DOMAIN_6 if we're a RODC
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_server.c      |   26 ++++++++++++++++++++++----
 source4/cldap_server/netlogon.c |   24 +++++++++++++++---------
 2 files changed, 37 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 97739e5..ff4ee60 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -165,7 +165,7 @@ static const struct smbd_smb2_dispatch_table *smbd_smb2_call(uint16_t opcode)
 	return ret;
 }
 
-static void print_req_vectors(struct smbd_smb2_request *req)
+static void print_req_vectors(const struct smbd_smb2_request *req)
 {
 	int i;
 
@@ -1789,11 +1789,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 
 		signing_key = x->global->channels[0].signing_key;
 
-		if (!NT_STATUS_IS_OK(session_status)) {
-			return smbd_smb2_request_error(req, session_status);
+		/*
+		 * If we have a signing key, we should
+		 * sign the response
+		 */
+		if (signing_key.length > 0) {
+			req->do_signing = true;
 		}
 
-		req->do_signing = true;
 		status = smb2_signing_check_pdu(signing_key,
 						conn->protocol,
 						SMBD_SMB2_IN_HDR_IOV(req),
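Review bot: The `signing_key.length > 0` guard added here is not applied where `req->do_signing = true` is set again in the next hunk, both after `smb2_signing_check_pdu()` succeeds and in the `signing_required` branch before `NT_STATUS_ACCESS_DENIED` is returned. In that last branch the request was unsigned and no key is visibly in scope, so signing the error presumably depends on the response path tolerating a missing key; that code is outside the diff. Either repeat the guard there or record the assumption, e.g. `/* relies on the response path skipping the signature when no signing key is available */`. Setting the flag before verification also means a request with a bad signature gets a signed error reply. That looks intended from the commit title, but the comment should say so, for example `* sign the response, even if the request's own signature turns out to be invalid`. The body of smbd_smb2_request_dispatch starts and ends outside both hunks.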
@@ -1801,9 +1804,24 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 		if (!NT_STATUS_IS_OK(status)) {
 			return smbd_smb2_request_error(req, status);
 		}
+
+		/*
+		 * Now that we know the request was correctly signed
+		 * we have to sign the response too.
+		 */
+		req->do_signing = true;
+
+		if (!NT_STATUS_IS_OK(session_status)) {
+			return smbd_smb2_request_error(req, session_status);
+		}
 	} else if (opcode == SMB2_OP_CANCEL) {
 		/* Cancel requests are allowed to skip the signing */
 	} else if (signing_required) {
+		/*
+		 * If signing is required we try to sign
+		 * a possible error response
+		 */
+		req->do_signing = true;
 		return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
 	}
 
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 4777fcc..ce257e9 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -73,7 +73,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 	const char *pdc_ip;
 	struct ldb_dn *domain_dn = NULL;
 	struct interface *ifaces;
-	bool user_known, am_rodc;
+	bool user_known = false, am_rodc = false;
 	NTSTATUS status;
 
 	/* the domain parameter could have an optional trailing "." */
@@ -221,19 +221,13 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 	} else {
 		user_known = true;
 	}
-		
-	server_type      = 
-		DS_SERVER_DS | DS_SERVER_TIMESERV |
-		DS_SERVER_GOOD_TIMESERV;
+
+	server_type = DS_SERVER_DS;
 
 	if (samdb_is_pdc(sam_ctx)) {
 		server_type |= DS_SERVER_PDC;
 	}
 
-	if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
-		server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
-	}
-
 	if (samdb_is_gc(sam_ctx)) {
 		server_type |= DS_SERVER_GC;
 	}
@@ -246,10 +240,22 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
 		server_type |= DS_SERVER_KDC;
 	}
 
+	if (str_list_check(services, "ntp_signd")) {
+		server_type | DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV;
+	}
+
 	if (samdb_rodc(sam_ctx, &am_rodc) == LDB_SUCCESS && !am_rodc) {
 		server_type |= DS_SERVER_WRITABLE;
 	}
 
+	if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
+		if (server_type & DS_SERVER_WRITABLE) {
+			server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
+		} else {
+			server_type |= DS_SERVER_SELECT_SECRET_DOMAIN_6;
+		}
+	}
+
 	if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
 		pdc_name = lpcfg_netbios_name(lp_ctx);
 	} else {
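Review bot: The statement added under `str_list_check(services, "ntp_signd")` evaluates `server_type | DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV` and discards the result, so the time-server flags are never set. Because the previous hunk removed the unconditional assignment of those flags, the response stops advertising time service even when "ntp_signd" is enabled. The line should read `server_type |= DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV;`. Separately, the new functional-level block keys off `DS_SERVER_WRITABLE`, which is also left unset when `samdb_rodc()` fails, so a lookup error would advertise `DS_SERVER_SELECT_SECRET_DOMAIN_6` as if the server were an RODC. Consider handling the error return explicitly. fill_netlogon_samlogon_response continues outside the hunk.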


-- 
Samba Shared Repository

