[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Wed Mar 25 17:57:08 MDT 2015
The branch, master has been updated
via e8932b9 s3: client - "client use spnego principal = yes" code checks wrong name.
via c9299bd docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
via caaf89e Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies
from b14a6d3 pidl/python: add prototypes into header section of generated c-files.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e8932b92016fc7ece3169635fbe3d98cb0caa36b
Author: Jeremy Allison <jra at samba.org>
Date: Thu Mar 19 13:10:33 2015 -0700
s3: client - "client use spnego principal = yes" code checks wrong name.
Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
https://bugzilla.samba.org/show_bug.cgi?id=10888
Code patch from <martin.wilck at ts.fujitsu.com>
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Thu Mar 26 00:56:25 CET 2015 on sn-devel-104
commit c9299bd6a4e86dbec10ab7741056f331a18c44a0
Author: Jeremy Allison <jra at samba.org>
Date: Thu Mar 19 13:09:21 2015 -0700
docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
https://bugzilla.samba.org/show_bug.cgi?id=10888
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
commit caaf89e899c2a3926fb9e54d1c86f1a9cd5d7618
Author: Julien Kerihuel <j.kerihuel at openchange.org>
Date: Tue Mar 24 21:06:03 2015 -0700
Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies
Signed-off-by: Julien Kerihuel <j.kerihuel at openchange.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze at samba.org>
Reviewed-by: Jelmer Vernooij <jelmer at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml | 7 +++++++
lib/param/param_table.c | 2 +-
source3/libsmb/cliconnect.c | 2 +-
source4/rpc_server/dcerpc_server.c | 15 ++++++++++++++-
source4/rpc_server/dcerpc_server.h | 1 +
5 files changed, 24 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
index 6ec1eb1..792a738 100644
--- a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -14,6 +14,10 @@
servers known only by IP address. Kerberos relies on names, so
ordinarily cannot function in this situation. </para>
+ <para>This is a VERY BAD IDEA for security reasons, and so this
+ parameter SHOULD NOT BE USED. It will be removed in a future
+ version of Samba.</para>
+
<para>If disabled, Samba will use the name used to look up the
server when asking the KDC for a ticket. This avoids situations
where a server may impersonate another, soliciting authentication
@@ -23,6 +27,9 @@
<para>Note that Windows XP SP2 and later versions already follow
this behaviour, and Windows Vista and later servers no longer
supply this 'rfc4178 hint' principal on the server side.</para>
+
+ <para>This parameter is deprecated in Samba 4.2.1 and will be removed
+ (along with the functionality) in a later release of Samba.</para>
</description>
<value type="default">no</value>
</samba:parameter>
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d78b4d1..8b44733 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -765,7 +765,7 @@ struct parm_struct parm_table[] = {
.offset = GLOBAL_VAR(client_use_spnego_principal),
.special = NULL,
.enum_list = NULL,
- .flags = FLAG_ADVANCED,
+ .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
},
{
.label = "username",
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9cbf11f..4cb4ed4 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1662,7 +1662,7 @@ static char *cli_session_setup_get_principal(
char *principal = NULL;
if (!lp_client_use_spnego_principal() ||
- strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+ strequal(spnego_principal, ADS_IGNORE_PRINCIPAL)) {
spnego_principal = NULL;
}
if (spnego_principal != NULL) {
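Review bot: After this fix the `strequal()` test is the only filter on `spnego_principal` before the `if (spnego_principal != NULL)` branch uses it, and the parameter documentation changed in this same push describes that value as a hint supplied by the server. A comment above the check would make the trust boundary explicit, for example `/* spnego_principal is a server-supplied, unauthenticated hint; only honoured when "client use spnego principal" is enabled */`. The old code compared the local `principal`, which is initialised to NULL on the line above, so the ignore marker was presumably never matched. A regression test that passes ADS_IGNORE_PRINCIPAL through this function would pin the corrected behaviour. The body of cli_session_setup_get_principal continues outside the hunk.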
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 5eac9ee..a8785b0 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -614,6 +614,12 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
}
+ if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
+ (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
+ call->context->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
+ extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+
/* handle any authentication that is being requested */
if (!dcesrv_auth_bind(call)) {
talloc_free(call->context);
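Review bot: Nothing in this changeset sets `DCESRV_CALL_STATE_FLAG_MULTIPLEXED` on `call->state_flags`, so as shown the new branch in dcesrv_bind is only taken if code outside this push marks the call before the bind is processed. It is worth saying where that happens, since the other half of the condition (`call->pkt.pfc_flags`) comes straight from the client's packet. A short comment would do, for example `/* acknowledge CONC_MPX only when the client asked for it and the call was marked multiplex-capable; remembered on the connection for later alter replies */`. The declaration of `extra_flags` and its use in the bind_ack header are outside this hunk.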
@@ -793,6 +799,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
NTSTATUS status;
uint32_t result=0, reason=0;
uint32_t context_id;
+ uint32_t extra_flags = 0;
/* handle any authentication that is being requested */
if (!dcesrv_auth_alter(call)) {
@@ -826,12 +833,18 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
reason = DCERPC_BIND_REASON_ASYNTAX;
}
+ if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX)) {
+ if (call->context->conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED) {
+ extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+ }
+
/* setup a alter_resp */
dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
pkt.auth_length = 0;
pkt.call_id = call->pkt.call_id;
pkt.ptype = DCERPC_PKT_ALTER_RESP;
- pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
pkt.u.alter_resp.max_xmit_frag = 0x2000;
pkt.u.alter_resp.max_recv_frag = 0x2000;
if (result == 0) {
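Review bot: The new check reads `call->context->conn->state_flags` immediately after the branch that sets `reason = DCERPC_BIND_REASON_ASYNTAX`, and the visible lines do not show that `call->context` is non-NULL when the alter has just been rejected. The same hunk already reaches the connection through `call->conn` in the `dcesrv_init_hdr()` call. Assuming both paths name the same connection, `if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED) {` would not depend on the context pointer at all. The two nested `if`s could also be written as one condition, matching the form used in dcesrv_bind. dcesrv_alter starts and ends outside the hunk.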
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 7b00418..1bf187a 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -101,6 +101,7 @@ struct dcesrv_call_state {
*/
#define DCESRV_CALL_STATE_FLAG_ASYNC (1<<0)
#define DCESRV_CALL_STATE_FLAG_MAY_ASYNC (1<<1)
+#define DCESRV_CALL_STATE_FLAG_MULTIPLEXED (1<<3)
uint32_t state_flags;
/* the time the request arrived in the server */
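Review bot: The new `DCESRV_CALL_STATE_FLAG_MULTIPLEXED` is added without a comment and takes `(1<<3)` while the visible neighbours stop at `(1<<1)`. It is defined among the per-call flags of `struct dcesrv_call_state`, yet dcerpc_server.c also ORs it into the connection's `state_flags`, so one constant now has meaning in two different flag words. A line such as `/* peer negotiated concurrent multiplexing; also recorded in the connection's state_flags */` would document that. Please also note whether bit 2 is skipped on purpose.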
--
Samba Shared Repository