[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Oct 17 07:21:04 MDT 2014


The branch, master has been updated
       via  14b5eb9 ntlm_auth: Allow the --option parameter to work against ntlm_auth
       via  aee83c2 ntlm_auth: Allow us to use kerberos when we are an AD DC
       via  0f6ad53 docs: Explain that winbindd enforces smb signing by default.
       via  bbad2fe s3:libsmb: remove unused cli_set_username() function
       via  0e2b255 s3:libsmb: avoid calling cli_set_username() cliconnect.c
       via  98f2946 s3:libsmb: avoid calling cli_set_username() in clidfs
       via  97759ec s3:libsmb: avoid cli_set_username() in SMBC_server_internal()
       via  c8dca76 s3:lib/netapi: avoid calling cli_set_username()
       via  40bc651 s3:torture: avoid unused cli_set_username()
       via  71432b9 s3:libsmb: Remove unused domain copy stored in cli_state
       via  2b9d6d3 s3:libsmb: Remove unused password copy stored in cli_state
       via  07bd866 s3-winbindd: use cli_rpc_pipe_open_with_creds()
       via  295b323 s3-librpc: Add cli_rpc_pipe_open_with_creds()
       via  be994ca s3-winbindd: Use own machine account to connect to trusted domains as well
       via  0392ebc s3-winbindd: use a cli_credentials structure to hold the trust credentials
       via  e9472f8 libsmb: Print the principal name that we failed to kinit for.
       via  37f5d82 passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
       via  e9dc642 auth/credentials: Ensure that we set the realm when reading secrets.tdb
       via  35b8ed7 credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
       via  89daf5d credentials: Improve error message on failure to set machine account password
       via  adb3eb7 credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
       via  72687b1 selftest: Run samba.tests.messaging in an environment where it has servers to list
       via  022f1ca tests: Allow "max open files" to differ from the documentation
      from  470af88 ctdb-tools: Fix heap-use-after-free problem

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 14b5eb90d84f109f6a3ed8694acf13afe9b68f09
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 13 13:13:15 2014 +1300

    ntlm_auth: Allow the --option parameter to work against ntlm_auth
    
    Change-Id: Iee386624359c2bf8437719f286e306cdfbb628c6
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Oct 17 15:20:59 CEST 2014 on sn-devel-104

commit aee83c22ff65a7afd302c7a164259ad050634c39
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 13 09:42:25 2014 +1300

    ntlm_auth: Allow us to use kerberos when we are an AD DC
    
    Change-Id: I88caff9ded915d914cb7fda8829ccbcd3ad64af1
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0f6ad5370e0ed5201a63e047b7e3fef5b27b3149
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 1 20:49:23 2014 +1300

    docs: Explain that winbindd enforces smb signing by default.
    
    Change-Id: I9341fa3bd7480836ac5e0c18e28458175b42d44a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit bbad2fed7cda09f5a7d7006ada6382d29f1c1a86
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:39:13 2014 +0200

    s3:libsmb: remove unused cli_set_username() function
    
    Change-Id: Ib432b4ff66f966de9e733e01de6de2f486c0c728
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0e2b25562241404db70d0bba018998078361976d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:35:30 2014 +0200

    s3:libsmb: avoid calling cli_set_username() cliconnect.c
    
    Change-Id: I45e44405ea51ecb1aa38c72f4fc6243a1d3d531a
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 98f2946dd1deea558cc41df93c2109754838eae1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:33:45 2014 +0200

    s3:libsmb: avoid calling cli_set_username() in clidfs
    
    Change-Id: I8b32be8a10d2bff33bb468cc68c98e555b220bde
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 97759ecfaea36555db78a6854355c02acd15053b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:17:08 2014 +0200

    s3:libsmb: avoid cli_set_username() in SMBC_server_internal()
    
    Change-Id: I32e19078a4d4948e405f39dc2a479ff925ad3684
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c8dca765a0c984602389bbd707eca7c58cd41b41
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:14:53 2014 +0200

    s3:lib/netapi: avoid calling cli_set_username()
    
    Change-Id: I3ab768d2df06749187555a16d7b930f7cc8f8b9f
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 40bc651f95061fdd27db8b0ce4da0e38c209c3db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:13:28 2014 +0200

    s3:torture: avoid unused cli_set_username()
    
    Change-Id: Ia774b256093aff5f2b3338e7827e2d798fb06a96
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 71432b9eda6e36222a3fcfcdc185a2459fb07541
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Sep 26 03:10:19 2014 +0200

    s3:libsmb: Remove unused domain copy stored in cli_state
    
    Change-Id: I7333140906bb3a487205b5760396dcc00a9f49b0
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2b9d6d3d9b6766ba2e48523b005a7eecf3e05412
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 23 14:19:35 2014 -0700

    s3:libsmb: Remove unused password copy stored in cli_state
    
    Change-Id: Ia6b33a25628ae08be8a8c6baeb71ce390315cb45
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 07bd866f59f8a6a29521fbf0e17963aaef8575de
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 23 09:12:20 2014 -0700

    s3-winbindd: use cli_rpc_pipe_open_with_creds()
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 295b323b1c65cd8387b3977a189f81253c139b43
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 23 09:12:20 2014 -0700

    s3-librpc: Add cli_rpc_pipe_open_with_creds()
    
    This provides a credentials-based interface.  In the long term, we
    will want to change this not to reference the credentials, but for now
    this suits the caller in winbindd_cm.c
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit be994ca579c6c302d9d6487c863699b3e4457210
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 11 15:10:39 2013 +1300

    s3-winbindd: Use own machine account to connect to trusted domains as well
    
    This relies on a two-way trust, which we may not have, but is the only
    secure way to do this.  To do this correctly we need to split NETLOGON
    from normal authentication, as we need to use the machine account for
    the SMB level, but the inter-domain trust account for the NETLOGON
    level.
    
    Change-Id: Ib93eb6a4d704ef26df8234be7cb71c47ad519c8a
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0392ebcd1d48e9f472f2148b85316a77d9cc953b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Aug 8 13:58:34 2013 +0200

    s3-winbindd: use a cli_credentials structure to hold the trust credentials
    
    Later we can pass this down directly and have a much more sane
    handling of credentials and the spnego handshake.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Change-Id: If12ef0b105d8c7af60190d4eed3c8c07849da2ca
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit e9472f8e821acd988fee9a1a288986282a138fc6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Oct 4 07:06:35 2014 +1300

    libsmb: Print the principal name that we failed to kinit for.
    
    This should aid debugging when this is called from an automated process.
    
    Andrew Bartlett
    
    Change-Id: I2c7291ab3f67f9f7462d7c52c8c9a4b042f7ec5a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 37f5d822d636d4286bd8ee64c7e9e44ae1a297e1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 3 06:35:28 2014 +1300

    passdb: Use common code in cli_credentials_set_machine_account_db_ctx()
    
    This avoids some duplication in setting the machine account password
    for the domain member and DC case.
    
    This does not yet remove the duplication, that requires a bigger
    restructure of the various routines used here to obtain the machine
    and domain trust secrets.
    
    Also no longer used is the timeout/2 code to not set the previous
    password.  It is now always passed to the caller.
    
    Andrew Bartlett
    
    Change-Id: Idd5bafedf4cbac30b174955d743ec4128a6902ee
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e9dc6423d3f1ab3401314e134ecc574fc5d4c18b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Oct 6 13:51:25 2014 +1300

    auth/credentials: Ensure that we set the realm when reading secrets.tdb
    
    Otherwise, we try and kinit as host$@DOMAIN and that will not work.
    
    Andrew Bartlett
    
    Change-Id: Id2fde673423e74dfa1e6ac48f47f49c61ee59779
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 35b8ed7710f60abcc70e0b070afc16bf3faef263
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 3 06:32:39 2014 +1300

    credentials: Allow the secret.tdb handle to be passed in to cli_credentials_set_machine_account()
    
    This adds a new wrapper, cli_credentials_set_machine_account_db_ctx()
    
    Andrew Bartlett
    
    Change-Id: Ia2cceefede4ba9cf7f8de41986daf9372c19d997
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 89daf5dc534ab03724a2622d3b6b4d6783756bae
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 3 05:14:56 2014 +1300

    credentials: Improve error message on failure to set machine account password
    
    Change-Id: I4136067d6d0e5cfe92770a2e7efa39f4ebcb2aca
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit adb3eb79ea828b6e6e1858c3d1b8b5ffe868f8ed
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Oct 3 05:14:21 2014 +1300

    credentials: Set secure_channel_type from secrets.tdb in cli_credentials_set_machine_account
    
    This should ensure more parts of the source4 code can work with a
    password set in secrets.tdb.
    
    Andrew Bartlett
    
    Change-Id: I4a890a719246b073898333d2e04841904c6e1a5d
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 72687b19dc4554d793651db399f16fc615b7efee
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 8 10:58:54 2014 +1300

    selftest: Run samba.tests.messaging in an environment where it has servers to list
    
    The previous code would run on empty databases.
    
    Andrew Bartlett
    
    Change-Id: I8f8e736b9ad475b5b3d10e32834450c76edc5ca2
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 022f1ca7fc2b3bea9d86c26d2ed275e828acae8b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 8 10:43:41 2014 +1300

    tests: Allow "max open files" to differ from the documentation
    
    It is system-dependent.
    
    Andrew Bartlett
    
    Change-Id: Icf21476c00295a428ad808bc56ab8153f109627f
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.h                 |   16 +
 auth/credentials/credentials_secrets.c         |   87 +++-
 docs-xml/smbdotconf/security/clientsigning.xml |    7 +-
 python/samba/tests/docs.py                     |    3 +-
 selftest/tests.py                              |    2 +-
 source3/include/auth_generic.h                 |    2 +
 source3/include/client.h                       |    5 -
 source3/lib/netapi/cm.c                        |    6 +-
 source3/libsmb/auth_generic.c                  |    8 +
 source3/libsmb/cliconnect.c                    |   49 +--
 source3/libsmb/clidfs.c                        |    3 -
 source3/libsmb/clientgen.c                     |   61 ---
 source3/libsmb/libsmb_server.c                 |    8 -
 source3/libsmb/passchange.c                    |   18 -
 source3/libsmb/proto.h                         |    4 -
 source3/passdb/passdb.c                        |   66 ++-
 source3/rpc_client/cli_pipe.c                  |  116 +++++
 source3/rpc_client/cli_pipe.h                  |   15 +
 source3/rpcclient/rpcclient.c                  |    2 +-
 source3/torture/torture.c                      |    6 -
 source3/utils/ntlm_auth.c                      |    3 +-
 source3/winbindd/winbindd_cm.c                 |  635 +++++++++++++++---------
 22 files changed, 692 insertions(+), 430 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index fdd35bb..2da47d2 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -36,6 +36,7 @@ struct ccache_container;
 struct gssapi_creds_container;
 struct smb_krb5_context;
 struct keytab_container;
+struct db_context;
 
 /* In order of priority */
 enum credentials_obtained { 
@@ -161,6 +162,21 @@ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
 					      const char *serviceprincipal);
 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 					     struct loadparm_context *lp_ctx);
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
+						    struct loadparm_context *lp_ctx,
+						    struct db_context *db_ctx);
+
 bool cli_credentials_authentication_requested(struct cli_credentials *cred);
 void cli_credentials_guess(struct cli_credentials *cred,
 			   struct loadparm_context *lp_ctx);
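Review bot: The doc comment added for cli_credentials_set_machine_account_db_ctx() documents cred and db_ctx but has no @param line for lp_ctx, which the prototype takes as its second argument. Add one, and state whether db_ctx may be NULL, since the wrapper in credentials_secrets.c deliberately passes the result of dbwrap_local_open() through without checking it.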
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 625ce20..d259a4d 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -231,6 +231,43 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 						      struct loadparm_context *lp_ctx)
 {
+	struct db_context *db_ctx;
+	char *secrets_tdb_path;
+
+	secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
+	if (secrets_tdb_path == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0,
+				   TDB_DEFAULT, O_RDWR, 0600,
+				   DBWRAP_LOCK_ORDER_1,
+				   DBWRAP_FLAG_NONE);
+	TALLOC_FREE(secrets_tdb_path);
+
+	/*
+	 * We do not check for errors here, we might not have a
+	 * secrets.tdb at all, and so we just need to check the
+	 * secrets.ldb
+	 */
+	return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx);
+}
+
+/**
+ * Fill in credentials for the machine trust account, from the
+ * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
+ *
+ * This version is used in parts of the code that can link in the
+ * CTDB dbwrap backend, by passing down the already open handle.
+ *
+ * @param cred Credentials structure to fill in
+ * @param db_ctx dbwrap context for secrets.tdb
+ * @retval NTSTATUS error detailing any failure
+ */
+_PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
+							     struct loadparm_context *lp_ctx,
+							     struct db_context *db_ctx)
+{
 	NTSTATUS status;
 	char *filter;
 	char *error_string;
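Review bot: In the new cli_credentials_set_machine_account() wrapper, db_ctx is opened with cred as the first argument to dbwrap_local_open() and the function then returns directly from cli_credentials_set_machine_account_db_ctx(), so nothing in the wrapper releases the handle. Either keep the status, TALLOC_FREE(db_ctx) and return the status, or say in the comment that the open secrets.tdb handle is meant to stay attached to cred. The copied doc comment for the _db_ctx variant also lacks @param lp_ctx.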
@@ -239,24 +276,14 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	time_t secrets_tdb_lct = 0;
 	char *secrets_tdb_password = NULL;
 	char *secrets_tdb_old_password = NULL;
+	uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
 	char *keystr;
 	char *keystr_upper = NULL;
-	char *secrets_tdb;
-	struct db_context *db_ctx;
 	TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
-	secrets_tdb = lpcfg_private_db_path(cred, lp_ctx, "secrets");
-	if (!secrets_tdb) {
-		TALLOC_FREE(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-		
-	db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb, 0,
-				   TDB_DEFAULT, O_RDWR, 0600,
-				   DBWRAP_LOCK_ORDER_1,
-				   DBWRAP_FLAG_NONE);
+
 	/* Bleh, nasty recursion issues: We are setting a machine
 	 * account here, so we don't want the 'pending' flag around
 	 * any more */
@@ -287,6 +314,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 		if (NT_STATUS_IS_OK(status)) {
 			secrets_tdb_password = (char *)dbuf.dptr;
 		}
+
 		keystr = talloc_asprintf(tmp_ctx, "%s/%s",
 					 SECRETS_MACHINE_PASSWORD_PREV,
 					 domain);
@@ -296,6 +324,16 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 		if (NT_STATUS_IS_OK(status)) {
 			secrets_tdb_old_password = (char *)dbuf.dptr;
 		}
+
+		keystr = talloc_asprintf(tmp_ctx, "%s/%s",
+					 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
+					 domain);
+		keystr_upper = strupper_talloc(tmp_ctx, keystr);
+		status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
+				      &dbuf);
+		if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
+			secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0);
+		}
 	}
 
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
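Review bot: The new SECRETS_MACHINE_SEC_CHANNEL_TYPE lookup passes the results of talloc_asprintf() and strupper_talloc() on to string_tdb_data() without a NULL check, so an allocation failure reaches dbwrap_fetch() as a NULL key. Check keystr and keystr_upper and return NT_STATUS_NO_MEMORY after freeing tmp_ctx. A record whose dsize is not 4 is also skipped silently and leaves SEC_CHAN_NULL in place; a DEBUG line in that case would make a malformed entry visible.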
@@ -321,20 +359,35 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+		if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+			cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+		}
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 		cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
+		cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
 		status = NT_STATUS_OK;
 	} else if (!NT_STATUS_IS_OK(status)) {
 		if (db_ctx) {
-			error_string = talloc_asprintf(cred,
-						       "Failed to fetch machine account password from "
-						       "secrets.ldb: %s and failed to fetch %s from %s",
-						       error_string, keystr_upper, secrets_tdb);
+			error_string
+				= talloc_asprintf(cred,
+						  "Failed to fetch machine account password for %s from both "
+						  "secrets.ldb (%s) and from %s",
+						  domain, error_string,
+						  dbwrap_name(db_ctx));
 		} else {
+			char *secrets_tdb_path;
+
+			secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
+								 lp_ctx,
+								 "secrets");
+			if (secrets_tdb_path == NULL) {
+				return NT_STATUS_NO_MEMORY;
+			}
+
 			error_string = talloc_asprintf(cred,
 						       "Failed to fetch machine account password from "
 						       "secrets.ldb: %s and failed to open %s",
-						       error_string, secrets_tdb);
+						       error_string, secrets_tdb_path);
 		}
 		DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n", 
 			  error_string, nt_errstr(status)));
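Review bot: In the new else branch, the "return NT_STATUS_NO_MEMORY;" taken when lpcfg_private_db_path() fails leaves the function without freeing tmp_ctx, whereas the block removed earlier in this patch did TALLOC_FREE(tmp_ctx) before the same return. Free tmp_ctx there or route through the common cleanup. Separately, the realm is only set when domain equals lpcfg_workgroup(lp_ctx); a short comment on what realm callers should expect for any other domain would help.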
diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml
index 34fce3e..3b5687f 100644
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -9,8 +9,11 @@
     and <emphasis>disabled</emphasis>. 
     </para>
 
-    <para>When set to auto or default, SMB signing is offered, but not enforced.
-    When set to mandatory, SMB signing is required and if set 
+    <para>When set to auto or default, SMB signing is offered, but not
+    enforced, except in winbindd, where it is enforced to Active
+    Directory Domain Controllers. </para>
+
+    <para>When set to mandatory, SMB signing is required and if set
 	to disabled, SMB signing is not offered either.
 </para>
 </description>
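Review bot: The added paragraph says signing "is enforced to Active Directory Domain Controllers"; "is enforced on connections to Active Directory Domain Controllers" reads more clearly. The second paragraph still carries "and if set to disabled, SMB signing is not offered either", which would be easier to follow as its own sentence now that the text is being split anyway.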
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 0d71e68..a6a1a15 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -131,7 +131,8 @@ class SmbDotConfTests(TestCase):
                          'ctdbd socket', 'printing', 'printcap name', 'queueresume command',
                          'queuepause command','lpresume command', 'lppause command',
                          'lprm command', 'lpq command', 'print command', 'template homedir',
-                         'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build'])
+                         'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
+                         'max open files'])
 
     def setUp(self):
         super(SmbDotConfTests, self).setUp()
diff --git a/selftest/tests.py b/selftest/tests.py
index 7191fab..e83b236 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -56,7 +56,7 @@ planpythontestsuite("none", "samba.tests.netcmd")
 planpythontestsuite("none", "samba.tests.dcerpc.rpc_talloc")
 planpythontestsuite("none", "samba.tests.samdb")
 planpythontestsuite("none", "samba.tests.hostconfig")
-planpythontestsuite("none", "samba.tests.messaging")
+planpythontestsuite("dc:local", "samba.tests.messaging")
 planpythontestsuite("none", "samba.tests.samba3sam")
 planpythontestsuite(
     "none", "wafsamba.tests.test_suite",
diff --git a/source3/include/auth_generic.h b/source3/include/auth_generic.h
index 96b07cd..07df62a 100644
--- a/source3/include/auth_generic.h
+++ b/source3/include/auth_generic.h
@@ -37,6 +37,8 @@ NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans,
 				 const char *domain);
 NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
 				   const char *password);
+NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans,
+				struct cli_credentials *creds);
 NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx,
 				     struct auth_generic_state **_ans);
 NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid);
diff --git a/source3/include/client.h b/source3/include/client.h
index 59fb104..25c44ba 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -52,11 +52,6 @@ struct cli_state {
 	NTSTATUS raw_status; /* maybe via NT_STATUS_DOS() */
 	bool map_dos_errors;
 
-	/* The credentials used to open the cli_state connection. */
-	char *domain;
-	char *user_name;
-	char *password; /* Can be null to force use of zero NTLMSSP session key. */
-
 	/*
 	 * The following strings are the
 	 * ones returned by the server if
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 801e61f..0e05af8 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -113,11 +113,7 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx,
 			     false, false,
 			     lp_client_max_protocol(),
 			     0, 0x20, &cli_ipc);
-	if (NT_STATUS_IS_OK(status)) {
-		cli_set_username(cli_ipc, ctx->username);
-		cli_set_password(cli_ipc, ctx->password);
-		cli_set_domain(cli_ipc, ctx->workgroup);
-	} else {
+	if (!NT_STATUS_IS_OK(status)) {
 		cli_ipc = NULL;
 	}
 	TALLOC_FREE(auth_info);
diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index 1f6c681..68d1451 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -48,6 +48,14 @@ NTSTATUS auth_generic_set_password(struct auth_generic_state *ans,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans,
+				struct cli_credentials *creds)
+{
+	talloc_unlink(ans->credentials, creds);
+	ans->credentials = creds;
+	return NT_STATUS_OK;
+}
+
 NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state)
 {
 	struct auth_generic_state *ans;
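Review bot: In auth_generic_set_creds(), talloc_unlink(ans->credentials, creds) names the old credentials as the parent context and the new creds as the pointer to unlink, which looks reversed: as written the old ans->credentials is not released and the new pointer is stored without ans taking a reference on it. If the intent is to drop the old object and keep the new one alive for the life of ans, unlink ans->credentials from its owner and take a talloc_reference() on creds, or document that the caller owns creds and must keep it alive longer than ans. A NULL creds is also accepted without any check.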
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9508651..789a85d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -279,10 +279,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
 	}
 	p += ret;
 
-	status = cli_set_username(cli, state->user);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
 	tevent_req_done(req);
 }
 
@@ -486,11 +482,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
 	}
 	p += ret;
 
-	status = cli_set_username(cli, "");
-	if (!NT_STATUS_IS_OK(status)) {
-		tevent_req_nterror(req, status);
-		return;
-	}
 	tevent_req_done(req);
 }
 
@@ -650,11 +641,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
 	}
 	p += ret;
 
-	status = cli_set_username(cli, state->user);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
-
 	tevent_req_done(req);
 }
 
@@ -963,10 +949,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
 	}
 	p += ret;
 
-	status = cli_set_username(cli, state->user);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
 	if (smb1cli_conn_activate_signing(cli->conn, state->session_key, state->response)
 	    && !smb1cli_conn_check_signing(cli->conn, (uint8_t *)in, 1)) {
 		tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
@@ -1811,13 +1793,6 @@ static struct tevent_req *cli_session_setup_spnego_send(
 
 	DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
 
-	status = cli_set_username(cli, user);
-	if (!NT_STATUS_IS_OK(status)) {
-		state->result = ADS_ERROR_NT(status);
-		tevent_req_done(req);
-		return tevent_req_post(req, ev);
-	}
-
 #ifdef HAVE_KRB5
 	/* If password is set we reauthenticate to kerberos server
 	 * and do not store results */
@@ -1826,6 +1801,12 @@ static struct tevent_req *cli_session_setup_spnego_send(
 		const char *remote_name = smbXcli_conn_remote_name(cli->conn);
 		char *tmp;
 
+
+		tmp = cli_session_setup_get_principal(
+			talloc_tos(), principal, remote_name, dest_realm);
+		TALLOC_FREE(principal);
+		principal = tmp;
+
 		if (pass && *pass) {
 			int ret;
 
@@ -1833,8 +1814,8 @@ static struct tevent_req *cli_session_setup_spnego_send(
 			ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL);
 
 			if (ret){
+				DEBUG(0, ("Kinit for %s to access %s failed: %s\n", user, principal, error_message(ret)));
 				TALLOC_FREE(principal);
-				DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
 				if (cli->fallback_after_kerberos)
 					goto ntlmssp;
 				state->result = ADS_ERROR_KRB5(ret);
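Review bot: The new DEBUG(0, ...) line passes principal to %s, but principal can be NULL at this point: the DEBUG(3) earlier in the function prints principal ? principal : "<null>", and the code after the kinit block still tests if (principal). Use the same NULL guard in the new message. The preceding hunk also leaves two consecutive blank lines before the moved cli_session_setup_get_principal() call.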
@@ -1843,11 +1824,6 @@ static struct tevent_req *cli_session_setup_spnego_send(
 			}
 		}
 
-		tmp = cli_session_setup_get_principal(
-			talloc_tos(), principal, remote_name, dest_realm);
-		TALLOC_FREE(principal);
-		principal = tmp;
-
 		if (principal) {
 			subreq = cli_session_setup_kerberos_send(
 				state, ev, cli, principal);
@@ -3388,11 +3364,6 @@ static void cli_full_connection_sess_set_up(struct tevent_req *subreq)
 		return;
 	}
 
-	status = cli_init_creds(state->cli, state->user, state->domain,
-				state->password);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
 	tevent_req_done(req);
 }
 
@@ -3409,11 +3380,7 @@ static void cli_full_connection_done(struct tevent_req *subreq)
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
-	status = cli_init_creds(state->cli, state->user, state->domain,
-				state->password);
-	if (tevent_req_nterror(req, status)) {
-		return;
-	}
+
 	tevent_req_done(req);
 }
 
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 93f04c5..e5c03a8 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -207,9 +207,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
 			return status;
 		}
 		d_printf("Anonymous login successful\n");
-		status = cli_init_creds(c, "", lp_workgroup(), "");
-	} else {
-		status = cli_init_creds(c, username, lp_workgroup(), password);
 	}
 
 	if (!NT_STATUS_IS_OK(status)) {
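Review bot: With both cli_init_creds() assignments removed, the "if (!NT_STATUS_IS_OK(status))" check at the end of this hunk no longer tests anything set in this block, and in the anonymous path a failing status has already been returned. If no earlier failure can reach it, drop the check; otherwise add a comment naming the call whose status it is testing.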
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index 71ec1dc..3b737d4 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -66,67 +66,6 @@ bool cli_set_backup_intent(struct cli_state *cli, bool flag)
 }
 
 /****************************************************************************
- Initialize Domain, user or password.
-****************************************************************************/
-
-NTSTATUS cli_set_domain(struct cli_state *cli, const char *domain)
-{
-	TALLOC_FREE(cli->domain);
-	cli->domain = talloc_strdup(cli, domain ? domain : "");
-	if (cli->domain == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
-NTSTATUS cli_set_username(struct cli_state *cli, const char *username)
-{
-	TALLOC_FREE(cli->user_name);
-	cli->user_name = talloc_strdup(cli, username ? username : "");
-	if (cli->user_name == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
-NTSTATUS cli_set_password(struct cli_state *cli, const char *password)
-{
-	TALLOC_FREE(cli->password);
-
-	/* Password can be NULL. */
-	if (password) {
-		cli->password = talloc_strdup(cli, password);
-		if (cli->password == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-	} else {
-		/* Use zero NTLMSSP hashes and session key. */
-		cli->password = NULL;
-	}
-
-	return NT_STATUS_OK;
-}
-
-/****************************************************************************
- Initialise credentials of a client structure.
-****************************************************************************/
-
-NTSTATUS cli_init_creds(struct cli_state *cli, const char *username, const char *domain, const char *password)
-{
-	NTSTATUS status = cli_set_username(cli, username);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	status = cli_set_domain(cli, domain);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	DEBUG(10,("cli_init_creds: user %s domain %s\n", cli->user_name, cli->domain));
-
-	return cli_set_password(cli, password);
-}
-
-/****************************************************************************
  Initialise a client structure. Always returns a talloc'ed struct.
  Set the signing state (used from the command line).
 ****************************************************************************/
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index d89b9ec..8f68a40 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -488,14 +488,6 @@ SMBC_server_internal(TALLOC_CTX *ctx,


-- 
Samba Shared Repository