[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Aug 16 16:54:03 MDT 2012
The branch, master has been updated
via 16edb6e s3:smb2_server: try to sign an error response if we have a signing key
via 19ca98a s3:smb2_server: verify the signature before the session_status
via f4432fe s3:smb2_server: add some const to print_req_vectors()
via 8dbfa93 s4:cldap_server: only return DS_SERVER_*TIMESERV if "ntp_signd" is used
via 4c5019d s4:cldap_server: set DS_SERVER_SELECT_SECRET_DOMAIN_6 if we're a RODC
from f3b69da s3-libsmb: Add a simple test for python bindings
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 16edb6eb7bf48026129a85e3c00ca9309d5c54c5
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 16 15:14:51 2012 +0200
s3:smb2_server: try to sign an error response if we have a signing key
metze
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Aug 17 00:54:01 CEST 2012 on sn-devel-104
commit 19ca98a162050807ad96b3a3f1f8e1982c7d2c3e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 16 15:08:40 2012 +0200
s3:smb2_server: verify the signature before the session_status
metze
commit f4432fea6a7a64a04a304f21207eaa1b14c929aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 16 12:00:57 2012 +0200
s3:smb2_server: add some const to print_req_vectors()
metze
commit 8dbfa9305dc428e3987e4623034d16a598d54a26
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 16 13:32:14 2012 +0200
s4:cldap_server: only return DS_SERVER_*TIMESERV if "ntp_signd" is used
metze
commit 4c5019d507fbe0c9ae328463a3392323fc9e6d51
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Aug 16 13:31:33 2012 +0200
s4:cldap_server: set DS_SERVER_SELECT_SECRET_DOMAIN_6 if we're a RODC
metze
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/smb2_server.c | 26 ++++++++++++++++++++++----
source4/cldap_server/netlogon.c | 24 +++++++++++++++---------
2 files changed, 37 insertions(+), 13 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 97739e5..ff4ee60 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -165,7 +165,7 @@ static const struct smbd_smb2_dispatch_table *smbd_smb2_call(uint16_t opcode)
return ret;
}
-static void print_req_vectors(struct smbd_smb2_request *req)
+static void print_req_vectors(const struct smbd_smb2_request *req)
{
int i;
@@ -1789,11 +1789,14 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
signing_key = x->global->channels[0].signing_key;
- if (!NT_STATUS_IS_OK(session_status)) {
- return smbd_smb2_request_error(req, session_status);
+ /*
+ * If we have a signing key, we should
+ * sign the response
+ */
+ if (signing_key.length > 0) {
+ req->do_signing = true;
}
- req->do_signing = true;
status = smb2_signing_check_pdu(signing_key,
conn->protocol,
SMBD_SMB2_IN_HDR_IOV(req),
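Review bot: The comment above `if (signing_key.length > 0)` does not explain why `req->do_signing` is set before `smb2_signing_check_pdu()` runs, and that ordering is the security-relevant part of the change. A request that fails the signature check returns through `smbd_smb2_request_error(req, status)` in the next hunk, and that error is only signed because the flag was already set. I would reword the comment to `/* Set before the signature check so that the error response for a badly signed request is still signed when we have a key. */`. The enclosing branch of smbd_smb2_request_dispatch() starts above the hunk, so the condition that leads here is not visible.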
@@ -1801,9 +1804,24 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
if (!NT_STATUS_IS_OK(status)) {
return smbd_smb2_request_error(req, status);
}
+
+ /*
+ * Now that we know the request was correctly signed
+ * we have to sign the response too.
+ */
+ req->do_signing = true;
+
+ if (!NT_STATUS_IS_OK(session_status)) {
+ return smbd_smb2_request_error(req, session_status);
+ }
} else if (opcode == SMB2_OP_CANCEL) {
/* Cancel requests are allowed to skip the signing */
} else if (signing_required) {
+ /*
+ * If signing is required we try to sign
+ * a possible error response
+ */
+ req->do_signing = true;
return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
}
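Review bot: In the `signing_required` branch, `req->do_signing = true` is set without the `signing_key.length > 0` guard that the signed-request branch applies earlier in this function. This branch handles a request that arrived unsigned, so a usable key may not exist. Whether the response-signing code tolerates an empty key is outside the hunk and should be confirmed. If it does, extend the comment to say so, for example `/* ... the signing code skips the signature when no key is available */`. If it does not, and assuming `signing_key` is initialised on this path, guard the assignment the same way as above.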
diff --git a/source4/cldap_server/netlogon.c b/source4/cldap_server/netlogon.c
index 4777fcc..ce257e9 100644
--- a/source4/cldap_server/netlogon.c
+++ b/source4/cldap_server/netlogon.c
@@ -73,7 +73,7 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
const char *pdc_ip;
struct ldb_dn *domain_dn = NULL;
struct interface *ifaces;
- bool user_known, am_rodc;
+ bool user_known = false, am_rodc = false;
NTSTATUS status;
/* the domain parameter could have an optional trailing "." */
@@ -221,19 +221,13 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
} else {
user_known = true;
}
-
- server_type =
- DS_SERVER_DS | DS_SERVER_TIMESERV |
- DS_SERVER_GOOD_TIMESERV;
+
+ server_type = DS_SERVER_DS;
if (samdb_is_pdc(sam_ctx)) {
server_type |= DS_SERVER_PDC;
}
- if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
- server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
- }
-
if (samdb_is_gc(sam_ctx)) {
server_type |= DS_SERVER_GC;
}
@@ -246,10 +240,22 @@ NTSTATUS fill_netlogon_samlogon_response(struct ldb_context *sam_ctx,
server_type |= DS_SERVER_KDC;
}
+ if (str_list_check(services, "ntp_signd")) {
+ server_type | DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV;
+ }
+
if (samdb_rodc(sam_ctx, &am_rodc) == LDB_SUCCESS && !am_rodc) {
server_type |= DS_SERVER_WRITABLE;
}
+ if (dsdb_functional_level(sam_ctx) >= DS_DOMAIN_FUNCTION_2008) {
+ if (server_type & DS_SERVER_WRITABLE) {
+ server_type |= DS_SERVER_FULL_SECRET_DOMAIN_6;
+ } else {
+ server_type |= DS_SERVER_SELECT_SECRET_DOMAIN_6;
+ }
+ }
+
if (version & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP)) {
pdc_name = lpcfg_netbios_name(lp_ctx);
} else {
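Review bot: The statement `server_type | DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV;` inside the `ntp_signd` check computes a value and discards it, so neither time-server flag is ever set, even when the service is configured. It should read `server_type |= DS_SERVER_TIMESERV | DS_SERVER_GOOD_TIMESERV;`. Building with `-Wunused-value` would have caught this. Separately, when `samdb_rodc()` fails, `DS_SERVER_WRITABLE` stays clear and the new functional-level block then advertises `DS_SERVER_SELECT_SECRET_DOMAIN_6`. A one-line comment stating that this fallback is intended would help. The body of fill_netlogon_samlogon_response() continues outside the hunk.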
--
Samba Shared Repository