[SCM] Samba Shared Repository - branch master updated

Michael Adam obnox at samba.org
Thu Nov 1 11:12:02 MDT 2012


The branch, master has been updated
       via  2a3eb64 s3:winbindd: use PROTOCOL_LATEST instead of PROTOCOL_SMB2_02 (bug #9175)
       via  45105af s3:winbindd: disconnection after getting NETWORK_SESSION_EXPIRED (bug #9175)
       via  c5cd22b libcli/smb: add smbXcli_session_set_disconnect_expired() (bug #9175)
       via  24f3f87 lib/krb5_wrap: request enc_types in the correct order (bug #9272)
       via  f853c17 s3:winbindd:cache: fix offline logons with cached credentials (bug #9321)
      from  75c51d6 s3-param: Move the options needed for running smbd in the AD DC to loadparm

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2a3eb641fe34fb95bf713f0e7184581847af1357
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 22 14:35:41 2012 +0200

    s3:winbindd: use PROTOCOL_LATEST instead of PROTOCOL_SMB2_02 (bug #9175)
    
    We should use the latest supported dialect.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewd-by: Michael Adam <obnox at samba.org>
    
    Autobuild-User(master): Michael Adam <obnox at samba.org>
    Autobuild-Date(master): Thu Nov  1 18:11:27 CET 2012 on sn-devel-104

commit 45105afffc5678082b23165ff74610d67e57a82a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 22 14:31:20 2012 +0200

    s3:winbindd: disconnection after getting NETWORK_SESSION_EXPIRED (bug #9175)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit c5cd22b5bbce724dcd68fe94320382b3f772cabf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 22 14:18:20 2012 +0200

    libcli/smb: add smbXcli_session_set_disconnect_expired() (bug #9175)
    
    This should be a short term hack until the upper layers have implemented
    re-authentication.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 24f3f87706329e6e280dc6be6d025e997d46c910
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Oct 22 13:47:48 2012 +0200

    lib/krb5_wrap: request enc_types in the correct order (bug #9272)
    
    aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
    should have a higher priority than arcfour-hmac-md5,
    otherwise the KDC still gives us arcfour-hmac-md5 session keys.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit f853c1792967332c4aff52c0fb35f653f614f86d
Author: Michael Adam <obnox at samba.org>
Date:   Thu Nov 1 14:41:56 2012 +0100

    s3:winbindd:cache: fix offline logons with cached credentials (bug #9321)
    
    The removal of consumption of the time field from the centry
    as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
    had the side effect of changing the offset for reading the following
    nt password hash, so the read password hash was wrong.
    
    This patch reinstates the consumption of the time field,
    thereby fixing the bug without changing the disk format of the cache.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c        |   12 ++++++------
 libcli/smb/smbXcli_base.c         |   34 ++++++++++++++++++++++++++++++++++
 libcli/smb/smbXcli_base.h         |    1 +
 source3/winbindd/winbindd_cache.c |    7 +++++++
 source3/winbindd/winbindd_cm.c    |   13 ++++++++++++-
 5 files changed, 60 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 8037337..f04f6e1 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -685,15 +685,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 	krb5_ccache ccdef = NULL;
 	krb5_auth_context auth_context = NULL;
 	krb5_enctype enc_types[] = {
-		ENCTYPE_ARCFOUR_HMAC,
-		ENCTYPE_DES_CBC_MD5,
-		ENCTYPE_DES_CBC_CRC,
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
 		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
 #endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+		ENCTYPE_ARCFOUR_HMAC,
+		ENCTYPE_DES_CBC_MD5,
+		ENCTYPE_DES_CBC_CRC,
 		ENCTYPE_NULL};
 
 	initialize_krb5_error_table();
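Review bot: Nothing on the reordered `enc_types[]` initialiser says that the order is a preference order, which is exactly what the previous layout got wrong. A comment above the first entry, such as `/* Strongest first: the order is the preference the KDC sees when choosing the session key enctype. */`, would stop a later tidy-up from re-sorting it. The list also still requests `ENCTYPE_ARCFOUR_HMAC`, `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_CRC` as fallbacks, so a KDC holding no AES keys for the service will presumably still issue an RC4 or single-DES session key. Whether those entries can be dropped depends on deployment constraints not visible here. The body of cli_krb5_get_ticket continues outside the hunk.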
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 02d0227..c547515 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -157,6 +157,13 @@ struct smbXcli_session {
 	struct {
 		DATA_BLOB signing_key;
 	} smb2_channel;
+
+	/*
+	 * this should be a short term hack
+	 * until the upper layers have implemented
+	 * re-authentication.
+	 */
+	bool disconnect_expired;
 };
 
 struct smbXcli_tcon {
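Review bot: The comment added above `disconnect_expired` calls the field a short-term hack but never says what the flag does. Something like `/* if set, NT_STATUS_NETWORK_SESSION_EXPIRED is returned from the dispatch_incoming functions instead of being delivered to the request */` would describe it. The same "short term hack" wording is repeated in the smb1cli_conn_dispatch_incoming and smb2cli_conn_dispatch_incoming hunks, again without stating the behaviour. Naming bug #9175 in the comment, as the winbindd_cm.c hunk does, would keep the hack traceable until re-authentication is implemented.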
@@ -1970,6 +1977,17 @@ static NTSTATUS smb1cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 	cmd = CVAL(inhdr, HDR_COM);
 	status = smb1cli_pull_raw_error(inhdr);
 
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
+	    (state->session != NULL) && state->session->disconnect_expired)
+	{
+		/*
+		 * this should be a short term hack
+		 * until the upper layers have implemented
+		 * re-authentication.
+		 */
+		return status;
+	}
+
 	if (state->smb1.chained_requests == NULL) {
 		if (num_iov != 3) {
 			return NT_STATUS_INVALID_NETWORK_RESPONSE;
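Review bot: The new early return acts on `status` as pulled from the raw header by `smb1cli_pull_raw_error(inhdr)` just above, and nothing visible in the hunk shows that the response's signature has been verified before this point. The return skips the normal per-request handling and presumably makes the caller drop the connection. It is therefore worth confirming that an unverified NT_STATUS_NETWORK_SESSION_EXPIRED on a session that requires signing cannot take this path, and saying so in the comment. The same applies to the identical block in the smb2cli_conn_dispatch_incoming hunk, where it matters that the block sits after any signing check rather than before it. Both functions start and end outside their hunks.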
@@ -3442,6 +3460,17 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 			}
 		}
 
+		if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED) &&
+		    (session != NULL) && session->disconnect_expired)
+		{
+			/*
+			 * this should be a short term hack
+			 * until the upper layers have implemented
+			 * re-authentication.
+			 */
+			return status;
+		}
+
 		smbXcli_req_unset_pending(req);
 
 		/*
@@ -4483,6 +4512,11 @@ NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 	return NT_STATUS_OK;
 }
 
+void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session)
+{
+	session->disconnect_expired = true;
+}
+
 uint16_t smb1cli_session_current_id(struct smbXcli_session *session)
 {
 	return session->smb1.session_id;
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 03cb280..b720bc6 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -263,6 +263,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 					 TALLOC_CTX *mem_ctx,
 					 DATA_BLOB *key);
+void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
 uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
 void smb1cli_session_set_id(struct smbXcli_session* session,
 			    uint16_t session_id);
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 2c9dd4a..c79d3b6 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1329,6 +1329,13 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 	}
 
+	/*
+	 * We don't use the time element at this moment,
+	 * but we have to consume it, so that we don't
+	 * neet to change the disk format of the cache.
+	 */
+	(void)centry_time(centry);
+
 	/* In the salted case this isn't actually the nt_hash itself,
 	   but the MD5 of the salt + nt_hash. Let the caller
 	   sort this out. It can tell as we only return the cached_salt
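Review bot: The added comment has a typo (`neet` for `need`) and does not state the actual hazard: reads from `centry` are positional, so skipping one shifts the offset of the password hash read that follows. A wording such as `/* The time field is unused here, but must still be consumed: reads from centry are positional and the nt_hash follows it on disk. */` would make that explicit. Because the regression came from an "unused variable" cleanup, a test that stores credentials and reads them back through wcache_get_creds would catch a repeat; no test file appears in this push's diffstat. wcache_get_creds continues outside the hunk.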
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 0639be1..79b5839 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -832,7 +832,7 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 	cli_set_timeout(*cli, 10000); /* 10 seconds */
 
 	result = smbXcli_negprot((*cli)->conn, (*cli)->timeout, PROTOCOL_CORE,
-				 PROTOCOL_SMB2_02);
+				 PROTOCOL_LATEST);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1, ("cli_negprot failed: %s\n", nt_errstr(result)));
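Review bot: With the ceiling now `PROTOCOL_LATEST`, the floor passed to `smbXcli_negprot` on the line above is still `PROTOCOL_CORE`, so winbindd accepts whatever dialect the peer's negotiate reply selects, down to the oldest one. If connections to domain controllers never need the oldest dialects, a higher minimum would limit how far a tampered negotiation can push the connection down; that policy decision is not visible in this hunk. Separately, the DEBUG message still reads `cli_negprot failed` although the call is `smbXcli_negprot`. cm_prepare_connection starts and ends outside the hunk.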
@@ -979,6 +979,17 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
 
  session_setup_done:
 
+	/*
+	 * This should be a short term hack until
+	 * dynamic re-authentication is implemented.
+	 *
+	 * See Bug 9175 - winbindd doesn't recover from
+	 * NT_STATUS_NETWORK_SESSION_EXPIRED
+	 */
+	if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02) {
+		smbXcli_session_set_disconnect_expired((*cli)->smb2.session);
+	}
+
 	/* cache the server name for later connections */
 
 	saf_store(domain->name, controller);
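Review bot: `(*cli)->smb2.session` is passed to `smbXcli_session_set_disconnect_expired()` guarded only by the protocol check, and the setter added in libcli/smb/smbXcli_base.c dereferences its argument unconditionally. The `session_setup_done` label is reached from code outside the hunk, so if any path arrives here on an SMB2 connection without a session object, winbindd dereferences NULL. Extending the condition to `if (smbXcli_conn_protocol((*cli)->conn) >= PROTOCOL_SMB2_02 && (*cli)->smb2.session != NULL) {` would make the call safe whichever path was taken.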


-- 
Samba Shared Repository

