[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Dec 15 11:12:04 UTC 2016


The branch, master has been updated
       via  b6fa384 selftest: test new "lsa over netlogon" smb.conf option
       via  31d625b s4-rpc_server: Add back support for lsa over \pipe\netlogon optionally
       via  fee6bb7 idl: Do not listen for lsarpc on \pipe\netlogon
      from  a7598fb rpc_server:netlogon Move from memcache to a tdb cache

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b6fa384471f2b1cc65cb41c59cd4839d93b6754b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 13 12:25:12 2016 +1300

    selftest: test new "lsa over netlogon" smb.conf option
    
    This proves we can act like Windows and offer lsarpc over netlogon if we want
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Dec 15 12:11:09 CET 2016 on sn-devel-144

commit 31d625bcd2b0cb33dd98a37c202f5b371b871362
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 13 09:06:25 2016 +1300

    s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
    
    The idea here is that perhaps some real client relies on this (and not just Samba torture
    commands), so we need a way to support it for the 4.6 release.
    
    If no such client emerges, it can be deprecated and removed in the normal way.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fee6bb7ca656748cab71998fd60755a0882d0afc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 14 10:13:26 2016 +1300

    idl: Do not listen for lsarpc on \\pipe\netlogon
    
    This prevents making the netlogon process multi-threaded.
    
    This works on Windows because NETLOGON is part of lsad
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/protocol/lsaovernetlogon.xml | 21 +++++++++++++++++++++
 librpc/idl/lsa.idl                               |  2 +-
 pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm         |  5 ++++-
 selftest/knownfail                               |  1 +
 selftest/target/Samba4.pm                        |  1 +
 source4/rpc_server/lsa/dcesrv_lsa.c              | 21 +++++++++++++++++++++
 6 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 docs-xml/smbdotconf/protocol/lsaovernetlogon.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml b/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml
new file mode 100644
index 0000000..d67be29
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="lsa over netlogon"
+                 context="G"
+                 type="boolean"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>Setting this deprecated option will allow the RPC server
+	in the AD DC to answer the LSARPC interface on the
+	<command>\pipe\netlogon</command> IPC pipe.</para>
+
+	<para>When enabled, this matches the behaviour of Microsoft's
+	Windows, due to their internal implementation choices.</para>
+
+	<para>If it is disabled (the default), the AD DC can offer
+	improved performance, as the netlogon server is decoupled and
+	can run as multiple processes.</para>
+
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 0823707..66a07e5 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -8,7 +8,7 @@ import "misc.idl", "security.idl";
 
 [ uuid("12345778-1234-abcd-ef00-0123456789ab"),
   version(0.0),
-  endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\netlogon]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
+  endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
   pointer_default(unique),
   helpstring("Local Security Authority")
 ] interface lsarpc
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
index 7ca18a8..fe5ca0b 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
@@ -262,8 +262,11 @@ NTSTATUS dcerpc_server_$name\_init(void)
 	    .name = \"$name\",
 
 	    /* fill in all the operations */
+#ifdef DCESRV_INTERFACE_$uname\_INIT_SERVER
+	    .init_server = DCESRV_INTERFACE_$uname\_INIT_SERVER,
+#else
 	    .init_server = $name\__op_init_server,
-
+#endif
 	    .interface_by_uuid = $name\__op_interface_by_uuid,
 	    .interface_by_name = $name\__op_interface_by_name
 	};
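Review bot: The new `DCESRV_INTERFACE_$uname\_INIT_SERVER` hook is added to the generated endpoint-server struct without any comment explaining its contract. A server that defines the macro replaces `$name\__op_init_server` completely, so unless the override calls that function itself the endpoints declared in the IDL are presumably never registered. I would put a line above the `#ifdef` in the emitted C, for example `/* optional override; it must chain to $name\__op_init_server */`. The generated `dcerpc_server_$name\_init` starts and ends outside this hunk, so where `$uname` is set is not visible here.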
diff --git a/selftest/knownfail b/selftest/knownfail
index 0e168ab..d96e238 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -79,6 +79,7 @@
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
 ^samba4.rpc.netlogon.*.GetPassword
 ^samba4.rpc.netlogon.*.DatabaseRedo
+^samba4.rpc.netlogon.*.netlogon.lsa_over_netlogon\(ad_dc\) #Broken by split of \\pipe\lsass from \\pipe\netlogon in the IDL
 ^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # Broken by allowing NT4 crypto on this environment
 ^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\) # Broken by allowing NT4 crypto on this environment
 ^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 9e30475..80fbd03 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1399,6 +1399,7 @@ sub provision_ad_dc_ntvfs($$)
         server services = +winbind -winbindd
 	ldap server require strong auth = allow_sasl_over_tls
 	allow nt4 crypto = yes
+	lsa over netlogon = yes
 	";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index c7a2c40..2aa7006 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -43,6 +43,27 @@ static NTSTATUS dcesrv_interface_lsarpc_bind(struct dcesrv_call_state *dce_call,
 	return dcesrv_interface_bind_reject_connect(dce_call, iface);
 }
 
+static NTSTATUS lsarpc__op_init_server(struct dcesrv_context *dce_ctx,
+				       const struct dcesrv_endpoint_server *ep_server);
+static const struct dcesrv_interface dcesrv_lsarpc_interface;
+
+#define DCESRV_INTERFACE_LSARPC_INIT_SERVER	\
+       dcesrv_interface_lsarpc_init_server
+static NTSTATUS dcesrv_interface_lsarpc_init_server(struct dcesrv_context *dce_ctx,
+						    const struct dcesrv_endpoint_server *ep_server)
+{
+	if (lpcfg_lsa_over_netlogon(dce_ctx->lp_ctx)) {
+		NTSTATUS ret = dcesrv_interface_register(dce_ctx,
+						"ncacn_np:[\\pipe\\netlogon]",
+						&dcesrv_lsarpc_interface, NULL);
+		if (!NT_STATUS_IS_OK(ret)) {
+			DEBUG(1,("lsarpc_op_init_server: failed to register endpoint '\\pipe\\netlogon'\n"));
+			return ret;
+		}
+	}
+	return lsarpc__op_init_server(dce_ctx, ep_server);
+}
+
 /*
   this type allows us to distinguish handle types
 */
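Review bot: The failure path in `dcesrv_interface_lsarpc_init_server` logs under the name `lsarpc_op_init_server`, which is not the function emitting it, and drops the NTSTATUS, so a failed start-up is hard to trace from the log. I would change the line to `DEBUG(1,("dcesrv_interface_lsarpc_init_server: failed to register endpoint '\\pipe\\netlogon': %s\n", nt_errstr(ret)));`. The function also has no comment, and one is warranted: with `lsa over netlogon` set, the whole lsarpc interface is answered on a second named pipe, and the endpoint is registered with `NULL` as the last argument, so access control presumably rests on the interface's bind hook (`dcesrv_interface_lsarpc_bind`, whose tail is the hunk's first context line). `lsarpc__op_init_server` and `dcesrv_lsarpc_interface` are only forward-declared here; their definitions are outside the hunk.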


-- 
Samba Shared Repository


