[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Wed Mar 25 17:57:08 MDT 2015


The branch, master has been updated
       via  e8932b9 s3: client - "client use spnego principal = yes" code checks wrong name.
       via  c9299bd docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
       via  caaf89e Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies
      from  b14a6d3 pidl/python: add prototypes into header section of generated c-files.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e8932b92016fc7ece3169635fbe3d98cb0caa36b
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 19 13:10:33 2015 -0700

    s3: client - "client use spnego principal = yes" code checks wrong name.
    
    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
    
    https://bugzilla.samba.org/show_bug.cgi?id=10888
    
    Code patch from <martin.wilck at ts.fujitsu.com>
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Thu Mar 26 00:56:25 CET 2015 on sn-devel-104

commit c9299bd6a4e86dbec10ab7741056f331a18c44a0
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 19 13:09:21 2015 -0700

    docs: Mark 'client use spnego principal' as deprecated and also a bad idea.
    
    Bug 10888 - smbclient doesn't ignore "not_defined_in_RFC4178 at please_ignore"
    
    https://bugzilla.samba.org/show_bug.cgi?id=10888
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Stefan (metze) Metzmacher <metze at samba.org>

commit caaf89e899c2a3926fb9e54d1c86f1a9cd5d7618
Author: Julien Kerihuel <j.kerihuel at openchange.org>
Date:   Tue Mar 24 21:06:03 2015 -0700

    Add multiplex state to dcerpc flags and control over multiplex PFC flag in bind_ack and and dcesrv_alter replies
    
    Signed-off-by: Julien Kerihuel <j.kerihuel at openchange.org>
    Reviewed-by: "Stefan (metze) Metzmacher" <metze at samba.org>
    Reviewed-by: Jelmer Vernooij <jelmer at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml |  7 +++++++
 lib/param/param_table.c                                   |  2 +-
 source3/libsmb/cliconnect.c                               |  2 +-
 source4/rpc_server/dcerpc_server.c                        | 15 ++++++++++++++-
 source4/rpc_server/dcerpc_server.h                        |  1 +
 5 files changed, 24 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
index 6ec1eb1..792a738 100644
--- a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -14,6 +14,10 @@
     servers known only by IP address.  Kerberos relies on names, so
     ordinarily cannot function in this situation. </para>
 
+    <para>This is a VERY BAD IDEA for security reasons, and so this
+    parameter SHOULD NOT BE USED. It will be removed in a future
+    version of Samba.</para>
+
     <para>If disabled, Samba will use the name used to look up the
     server when asking the KDC for a ticket.  This avoids situations
     where a server may impersonate another, soliciting authentication
@@ -23,6 +27,9 @@
     <para>Note that Windows XP SP2 and later versions already follow
     this behaviour, and Windows Vista and later servers no longer
     supply this 'rfc4178 hint' principal on the server side.</para>
+
+    <para>This parameter is deprecated in Samba 4.2.1 and will be removed
+    (along with the functionality) in a later release of Samba.</para>
 </description>
 <value type="default">no</value>
 </samba:parameter>
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d78b4d1..8b44733 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -765,7 +765,7 @@ struct parm_struct parm_table[] = {
 		.offset		= GLOBAL_VAR(client_use_spnego_principal),
 		.special	= NULL,
 		.enum_list	= NULL,
-		.flags		= FLAG_ADVANCED,
+		.flags		= FLAG_ADVANCED | FLAG_DEPRECATED,
 	},
 	{
 		.label		= "username",
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9cbf11f..4cb4ed4 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1662,7 +1662,7 @@ static char *cli_session_setup_get_principal(
 	char *principal = NULL;
 
 	if (!lp_client_use_spnego_principal() ||
-	    strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+	    strequal(spnego_principal, ADS_IGNORE_PRINCIPAL)) {
 		spnego_principal = NULL;
 	}
 	if (spnego_principal != NULL) {
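Review bot: The `if (spnego_principal != NULL)` branch that follows carries no comment saying that `spnego_principal` is the unauthenticated rfc4178 hint supplied by the server, which is the reason the same push deprecates the option. A comment above the check, for example `/* spnego_principal is the server-supplied rfc4178 hint and is not authenticated; honoured only for the deprecated "client use spnego principal = yes" */`, would make that trust boundary visible to later editors. The old test compared the local `principal`, still NULL from its declaration on the first line of the hunk, so the ignore marker was presumably never filtered; none of the five files in the diffstat is a test for that case. The body of cli_session_setup_get_principal starts and ends outside the hunk.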
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 5eac9ee..a8785b0 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -614,6 +614,12 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 		call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
 	}
 
+	if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
+	    (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
+		call->context->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
+		extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+	}
+
 	/* handle any authentication that is being requested */
 	if (!dcesrv_auth_bind(call)) {
 		talloc_free(call->context);
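Review bot: The new block reaches the connection through `call->context->conn`, while the lines around it use `call->conn`, and it therefore depends on call->context being non-NULL. In dcesrv_bind that dereference sits behind the `call->state_flags` test, but in the dcesrv_alter hunk at `@@ -826,12 +833,18 @@` it is gated only by the client-supplied `pfc_flags` and follows a branch that sets `reason = DCERPC_BIND_REASON_ASYNTAX`; if call->context can be NULL on that rejection path (the lookup is outside the hunk), the server would dereference NULL on a request it is about to reject. Assuming both expressions name the same connection, `call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;` here and `if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED) {` in dcesrv_alter avoid the dependency. Both function bodies extend outside their hunks.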
@@ -793,6 +799,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 	NTSTATUS status;
 	uint32_t result=0, reason=0;
 	uint32_t context_id;
+	uint32_t extra_flags = 0;
 
 	/* handle any authentication that is being requested */
 	if (!dcesrv_auth_alter(call)) {
@@ -826,12 +833,18 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
 		reason = DCERPC_BIND_REASON_ASYNTAX;
 	}
 
+	if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX)) {
+		if (call->context->conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED) {
+			extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+		}
+	}
+
 	/* setup a alter_resp */
 	dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
 	pkt.auth_length = 0;
 	pkt.call_id = call->pkt.call_id;
 	pkt.ptype = DCERPC_PKT_ALTER_RESP;
-	pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+	pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
 	pkt.u.alter_resp.max_xmit_frag = 0x2000;
 	pkt.u.alter_resp.max_recv_frag = 0x2000;
 	if (result == 0) {
diff --git a/source4/rpc_server/dcerpc_server.h b/source4/rpc_server/dcerpc_server.h
index 7b00418..1bf187a 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -101,6 +101,7 @@ struct dcesrv_call_state {
 	 */
 #define DCESRV_CALL_STATE_FLAG_ASYNC (1<<0)
 #define DCESRV_CALL_STATE_FLAG_MAY_ASYNC (1<<1)
+#define DCESRV_CALL_STATE_FLAG_MULTIPLEXED (1<<3)
 	uint32_t state_flags;
 
 	/* the time the request arrived in the server */
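Review bot: `DCESRV_CALL_STATE_FLAG_MULTIPLEXED` is added without a comment and takes bit 3, leaving bit 2 unused with no explanation. Nothing in this changeset sets the flag on `call->state_flags`, so presumably an interface's bind handler is expected to do that before dcesrv_bind copies it to the connection; a comment such as `/* set by the interface to permit DCERPC_PFC_FLAG_CONC_MPX; dcesrv_bind copies it to the connection */` would record the contract, and a short note on the skipped `(1<<2)` would stop it being reused by accident. struct dcesrv_call_state starts and ends outside the hunk.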


-- 
Samba Shared Repository

