[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Jun 17 17:00:12 MDT 2015


The branch, master has been updated
       via  db59f9e selftest: Change chgdcpass environment to use winbindd
       via  5de7621 winbindd: Sync secrets.ldb into secrets.tdb on startup
       via  b209cd1 winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC
       via  5bb647b selftest: Run winbind tests in chgdcpass environment
       via  0aefbf4 smbd: Fix clients connecting unencrypted with PROTOCOL_SMB2_24 or higher.
       via  bcb6949 s3:smb2_setinfo: fix memory leak in the defer_rename case
      from  8406d4d docs-xml: Update sharesec manpage to reflect current output

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit db59f9ec731e3abbeba3070925a6dedaac26e6e5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 17 11:59:49 2015 +1200

    selftest: Change chgdcpass environment to use winbindd
    
    This allows us to test that winbindd starts up without secrets.tdb, as happens after
    a classicupgrade.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Jun 18 00:59:54 CEST 2015 on sn-devel-104

commit 5de7621cbfba1e1fb52cddf41a5a13d027d45b46
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 12 11:57:07 2015 +1200

    winbindd: Sync secrets.ldb into secrets.tdb on startup
    
    This ensures that the domain SID and machine account password are written into
    secrets.tdb if the secrets.tdb file was either never written or was deleted.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit b209cd1677b306d72e56a98ecb02db421a5ca35a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 12 11:54:21 2015 +1200

    winbindd: Use pdb_get_domain_info() to get exactly the local domain info when we are an AD DC
    
    This also triggers pdb_samba_dsdb_init_secrets(), to force the
    correct SID into secrets.tdb.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10991
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 5bb647b78806413a94f959d0b2b417a97b7a2173
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Jun 17 11:10:15 2015 +1200

    selftest: Run winbind tests in chgdcpass environment
    
    This ensures that winbind both starts and operates without a secrets.tdb
    
    (chgdcpass deliberately removes the secrets.tdb file after provision, as has happened with classicupgrade).
    
    Andrew Bartlett
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0aefbf45c92988db7dbe6ccb0cfe3d43c829a122
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jun 16 15:50:30 2015 -0700

    smbd: Fix clients connecting unencrypted with PROTOCOL_SMB2_24 or higher.
    
    Nonce code was terminating connections where xconn->smb2.server.cipher == 0.
    
    If no negotiated cipher (smb2.server.cipher is zero) set nonce_high_max to zero.
    smb2_get_new_nonce() returns NT_STATUS_ENCRYPTION_FAILED if it is ever called with
    session->nonce_high_max == 0.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11300
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit bcb69499e1a9312ea3ee32561fdecb2b22835e77
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 15 08:34:12 2015 +0200

    s3:smb2_setinfo: fix memory leak in the defer_rename case
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11329
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail               |  2 +
 selftest/target/Samba4.pm        |  6 +--
 source3/smbd/smb2_sesssetup.c    |  4 +-
 source3/smbd/smb2_setinfo.c      |  9 ++++
 source3/winbindd/winbindd_util.c | 89 +++++++++++++++++++++++++++++++++++++---
 source4/selftest/tests.py        |  2 +-
 6 files changed, 100 insertions(+), 12 deletions(-)


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail b/selftest/knownfail
index 26aed77..5ce3d97 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -259,6 +259,8 @@
 ^samba.wbinfo_simple.\(s4member:local\).--allocate-gid
 ^samba.wbinfo_simple.\(ad_dc:local\).--allocate-uid
 ^samba.wbinfo_simple.\(ad_dc:local\).--allocate-gid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-uid
+^samba.wbinfo_simple.\(chgdcpass:local\).--allocate-gid
 #
 # These do not work against winbindd in member mode for unknown reasons
 #
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 3a5b409..47ad206 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1799,7 +1799,6 @@ sub provision_chgdcpass($$)
 	print "PROVISIONING CHGDCPASS...";
 	my $extra_provision_options = undef;
 	push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
-	my $extra_conf_options = "server services = +winbind -winbindd";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
 				   "chgdcpass",
@@ -1809,7 +1808,7 @@ sub provision_chgdcpass($$)
 				   "chgDCpass1",
 				   undef,
 				   undef,
-				   $extra_conf_options,
+				   "",
 				   "",
 				   $extra_provision_options);
 
@@ -1821,8 +1820,7 @@ sub provision_chgdcpass($$)
 	
 	# Remove secrets.tdb from this environment to test that we
 	# still start up on systems without the new matching
-	# secrets.tdb records.  For this reason we don't run winbindd
-	# in this environment
+	# secrets.tdb records.
 	unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
 		warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
 		return undef;
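Review bot: the shortened comment no longer says why winbindd is now allowed to run here; a clause noting that winbindd is expected to re-create the missing secrets.tdb records from secrets.ldb at startup (the behaviour the other commits in this push add) would keep the test's intent readable. Also, the warn() on the unlink failure names only secrets.tdb even though the condition also tries secrets.ntdb; mention both in the message.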
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 3e80da8..da7adb3 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -372,8 +372,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 			nonce_size = AES_GCM_128_IV_SIZE;
 			break;
 		default:
-			ZERO_STRUCT(session_key);
-			return NT_STATUS_INVALID_PARAMETER;
+			nonce_size = 0;
+			break;
 		}
 		x->nonce_high_max = SMB2_NONCE_HIGH_MAX(nonce_size);
 		x->nonce_high = 0;
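Review bot: the new `default:` branch now treats "no cipher negotiated" (cipher == 0, the case this commit fixes) and any unrecognised non-zero cipher id identically, whereas the removed lines rejected both with NT_STATUS_INVALID_PARAMETER. Consider an explicit `case 0:` for the unencrypted path and keeping the INVALID_PARAMETER return in `default:`, so an unexpected cipher value is rejected at session setup rather than only failing later when smb2_get_new_nonce() returns NT_STATUS_ENCRYPTION_FAILED on nonce_high_max == 0. It is also worth confirming that `session_key` is still wiped on the path that now continues, since the ZERO_STRUCT(session_key) was removed together with the early return.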
diff --git a/source3/smbd/smb2_setinfo.c b/source3/smbd/smb2_setinfo.c
index 3f7bbec..9361aea 100644
--- a/source3/smbd/smb2_setinfo.c
+++ b/source3/smbd/smb2_setinfo.c
@@ -168,6 +168,12 @@ struct defer_rename_state {
 	int data_size;
 };
 
+static int defer_rename_state_destructor(struct defer_rename_state *rename_state)
+{
+	SAFE_FREE(rename_state->data);
+	return 0;
+}
+
 static void defer_rename_done(struct tevent_req *subreq);
 
 static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
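Review bot: the destructor uses SAFE_FREE(), so `rename_state->data` must be a malloc()'d buffer rather than a talloc child of rename_state; a one-line comment on the `data` member of `struct defer_rename_state` stating which allocator owns it would stop a later change from switching the allocation to talloc and double-freeing it through the hierarchy plus this destructor.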
@@ -240,6 +246,8 @@ static struct tevent_req *delay_rename_for_lease_break(struct tevent_req *req,
 	rename_state->data = data;
 	rename_state->data_size = data_size;
 
+	talloc_set_destructor(rename_state, defer_rename_state_destructor);
+
 	subreq = dbwrap_record_watch_send(
 				rename_state,
 				ev,
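Review bot: the destructor is installed only after `data` and `data_size` have been assigned; if any failure return exists between the allocation of rename_state and this line, `data` still leaks on that path. Installing the destructor immediately after the allocation, with `data` initialised to NULL (which SAFE_FREE tolerates), closes that window.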
@@ -312,6 +320,7 @@ static void defer_rename_done(struct tevent_req *subreq)
 				state->data_size);
 	if (subreq) {
 		/* Yep - keep waiting. */
+		state->data = NULL;
 		TALLOC_FREE(state);
 		TALLOC_FREE(lck);
 		return;
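Review bot: `state->data = NULL` before TALLOC_FREE(state) is what keeps the destructor added in this patch from freeing the buffer that the re-issued subreq just above (which is passed `state->data_size`) still uses; a short comment on that line saying ownership of `data` has moved to the new request would make the NULL-out look deliberate rather than like a dropped pointer.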
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 021f5ca..d73327c 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -29,6 +29,7 @@
 #include "passdb.h"
 #include "source4/lib/messaging/messaging.h"
 #include "librpc/gen_ndr/ndr_lsa.h"
+#include "auth/credentials/credentials.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -701,6 +702,49 @@ static void wb_imsg_new_trusted_domain(struct imessaging_context *msg,
 	TALLOC_FREE(frame);
 }
 
+/*
+ * We did not get the secret when we queried secrets.tdb, so read it
+ * from secrets.tdb and re-sync the databases
+ */
+static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
+{
+	bool ok;
+	struct cli_credentials *creds;
+	NTSTATUS can_migrate = pdb_get_trust_credentials(domain->name,
+							 NULL, domain, &creds);
+	if (!NT_STATUS_IS_OK(can_migrate)) {
+		DEBUG(0, ("Failed to fetch our own, local AD domain join "
+			"password for winbindd's internal use, both from "
+			"secrets.tdb and secrets.ldb: %s\n",
+			nt_errstr(can_migrate)));
+		return false;
+	}
+
+	/*
+	 * NOTE: It is very unlikely we end up here if there is an
+	 * oldpass, because a new password is created at
+	 * classicupgrade, so this is not a concern.
+	 */
+	ok = secrets_store_machine_pw_sync(cli_credentials_get_password(creds),
+		   NULL /* oldpass */,
+		   cli_credentials_get_domain(creds),
+		   cli_credentials_get_realm(creds),
+		   cli_credentials_get_salt_principal(creds),
+		   0, /* Supported enc types, unused */
+		   &domain->sid,
+		   cli_credentials_get_password_last_changed_time(creds),
+		   cli_credentials_get_secure_channel_type(creds),
+		   false /* do_delete: Do not delete */);
+	TALLOC_FREE(creds);
+	if (ok == false) {
+		DEBUG(0, ("Failed to write our our own, "
+			  "local AD domain join password for "
+			  "winbindd's internal use into secrets.tdb\n"));
+		return false;
+	}
+	return true;
+}
+
 /* Look up global info for the winbind daemon */
 bool init_domain_list(void)
 {
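Review bot: the block comment above migrate_secrets_tdb_to_ldb() says "read it from secrets.tdb", but the function reads via pdb_get_trust_credentials() (secrets.ldb, per the commit message) and writes into secrets.tdb with secrets_store_machine_pw_sync(); both the comment and the function name state the direction backwards relative to the commit title "Sync secrets.ldb into secrets.tdb". Suggest renaming to migrate_secrets_ldb_to_tdb() and fixing the comment so the next reader does not have to reverse-engineer the data flow. The DEBUG message "Failed to write our our own" has a doubled word. On the positive side, neither DEBUG(0) call logs the password itself, and creds is freed with TALLOC_FREE before any error path returns.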
@@ -722,12 +766,23 @@ bool init_domain_list(void)
 		enum netr_SchannelType sec_chan_type;
 		const char *account_name;
 		struct samr_Password current_nt_hash;
+		struct pdb_domain_info *pdb_domain_info;
 		bool ok;
 
-		domain = add_trusted_domain(get_global_sam_name(), lp_dnsdomain(),
-					    &cache_methods, get_global_sam_sid());
+		pdb_domain_info = pdb_get_domain_info(talloc_tos());
+		if (pdb_domain_info == NULL) {
+			DEBUG(0, ("Failed to fetch our own, local AD "
+				"domain info from sam.ldb\n"));
+			return false;
+		}
+		domain = add_trusted_domain(pdb_domain_info->name,
+					pdb_domain_info->dns_domain,
+					&cache_methods,
+					&pdb_domain_info->sid);
+		TALLOC_FREE(pdb_domain_info);
 		if (domain == NULL) {
-			DEBUG(0, ("Failed to add our own, local AD domain to winbindd's internal list\n"));
+			DEBUG(0, ("Failed to add our own, local AD "
+				"domain to winbindd's internal list\n"));
 			return false;
 		}
 
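Review bot: `&pdb_domain_info->sid`, `pdb_domain_info->name` and `pdb_domain_info->dns_domain` are passed to add_trusted_domain() and pdb_domain_info is freed on the very next line, so this relies on add_trusted_domain() copying those values rather than retaining pointers into the freed struct; a comment on the TALLOC_FREE line recording that assumption would help anyone later changing add_trusted_domain().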
@@ -739,8 +794,32 @@ bool init_domain_list(void)
 				       &account_name,
 				       &sec_chan_type);
 		if (!ok) {
-			DEBUG(0, ("Failed to fetch our own, local AD domain join password for winbindd's internal use\n"));
-			return false;
+			/*
+			 * If get_trust_pw_hash() fails, then try and
+			 * fetch the password from the more recent of
+			 * secrets.{ldb,tdb} using the
+			 * pdb_get_trust_credentials()
+			 */
+			ok = migrate_secrets_tdb_to_ldb(domain);
+
+			if (ok == false) {
+				DEBUG(0, ("Failed to migrate our own, "
+					  "local AD domain join password for "
+					  "winbindd's internal use into "
+					  "secrets.tdb\n"));
+				return false;
+			}
+			ok = get_trust_pw_hash(domain->name,
+					       current_nt_hash.hash,
+					       &account_name,
+					       &sec_chan_type);
+			if (ok == false) {
+				DEBUG(0, ("Failed to find our our own, just "
+					  "written local AD domain join "
+					  "password for winbindd's internal "
+					  "use in secrets.tdb\n"));
+				return false;
+			}
 		}
 		if (sec_chan_type == SEC_CHAN_RODC) {
 			domain->rodc = true;
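Review bot: the comment at the fallback says the password is fetched "from the more recent of secrets.{ldb,tdb}", the DEBUG message that follows says it is migrated "into secrets.tdb", and the called function is named migrate_secrets_tdb_to_ldb(); please make all three agree on the direction. "Failed to find our our own" has a doubled word. Re-running get_trust_pw_hash() after the sync is a good check that what was just written is actually readable back from secrets.tdb.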
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index d875fbb..da3cb98 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -383,7 +383,7 @@ for env in ["nt4_dc", "fl2003dc"]:
     for t in winbind_wbclient_tests:
         plansmbtorture4testsuite(t, "%s:local" % env, '//$SERVER/tmp -U$DC_USERNAME%$DC_PASSWORD')
 
-for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_dc_ntvfs", "ad_member", "s4member"]:
+for env in ["nt4_dc", "nt4_member", "ad_dc", "ad_dc_ntvfs", "ad_member", "s4member", "chgdcpass"]:
     tests = ["--ping", "--separator",
              "--own-domain",
              "--all-domains",
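Review bot: adding chgdcpass to this loop is what makes the two new knownfail entries for --allocate-uid/--allocate-gid necessary; since chgdcpass deletes secrets.tdb after provision, a short comment here saying that this environment exercises winbindd starting without secrets.tdb would explain why it sits in a list otherwise made of ordinary DC and member environments.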


-- 
Samba Shared Repository