[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Dec 15 11:12:04 UTC 2016
The branch, master has been updated
via b6fa384 selftest: test new "lsa over netlogon" smb.conf option
via 31d625b s4-rpc_server: Add back support for lsa over \pipe\netlogon optionally
via fee6bb7 idl: Do not listen for lsarpc on \pipe
etlogon
from a7598fb rpc_server:netlogon Move from memcache to a tdb cache
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b6fa384471f2b1cc65cb41c59cd4839d93b6754b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 13 12:25:12 2016 +1300
selftest: test new "lsa over netlogon" smb.conf option
This proves we can act like Windows and over lsarpc over netlogon if we want
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Dec 15 12:11:09 CET 2016 on sn-devel-144
commit 31d625bcd2b0cb33dd98a37c202f5b371b871362
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 13 09:06:25 2016 +1300
s4-rpc_server: Add back support for lsa over \\pipe\\netlogon optionally
The idea here is that perhaps some real client relies on this (and not just Samba torture
commands), so we need a way to support it for the 4.6 release.
If no such client emerges, it can be deprecated and removed in the normal way.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fee6bb7ca656748cab71998fd60755a0882d0afc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Nov 14 10:13:26 2016 +1300
idl: Do not listen for lsarpc on \\pipe\netlogon
This prevents making the netlogon process multi-threaded.
This works on Windows becuase NETLOGON is part of lsad
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/smbdotconf/protocol/lsaovernetlogon.xml | 21 +++++++++++++++++++++
librpc/idl/lsa.idl | 2 +-
pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm | 5 ++++-
selftest/knownfail | 1 +
selftest/target/Samba4.pm | 1 +
source4/rpc_server/lsa/dcesrv_lsa.c | 21 +++++++++++++++++++++
6 files changed, 49 insertions(+), 2 deletions(-)
create mode 100644 docs-xml/smbdotconf/protocol/lsaovernetlogon.xml
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml b/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml
new file mode 100644
index 0000000..d67be29
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/lsaovernetlogon.xml
@@ -0,0 +1,21 @@
+<samba:parameter name="lsa over netlogon"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>Setting this deprecated option will allow the RPC server
+ in the AD DC to answer the LSARPC interface on the
+ <command>\pipe\netlogon</command> IPC pipe.</para>
+
+ <para>When enabled, this matches the behaviour of Microsoft's
+ Windows, due to their internal implementation choices.</para>
+
+ <para>If it is disabled (the default), the AD DC can offer
+ improved performance, as the netlogon server is decoupled and
+ can run as multiple processes.</para>
+
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 0823707..66a07e5 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -8,7 +8,7 @@ import "misc.idl", "security.idl";
[ uuid("12345778-1234-abcd-ef00-0123456789ab"),
version(0.0),
- endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\netlogon]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
+ endpoint("ncacn_np:[\\pipe\\lsarpc]","ncacn_np:[\\pipe\\lsass]", "ncacn_ip_tcp:", "ncalrpc:"),
pointer_default(unique),
helpstring("Local Security Authority")
] interface lsarpc
diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
index 7ca18a8..fe5ca0b 100644
--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Server.pm
@@ -262,8 +262,11 @@ NTSTATUS dcerpc_server_$name\_init(void)
.name = \"$name\",
/* fill in all the operations */
+#ifdef DCESRV_INTERFACE_$uname\_INIT_SERVER
+ .init_server = DCESRV_INTERFACE_$uname\_INIT_SERVER,
+#else
.init_server = $name\__op_init_server,
-
+#endif
.interface_by_uuid = $name\__op_interface_by_uuid,
.interface_by_name = $name\__op_interface_by_name
};
diff --git a/selftest/knownfail b/selftest/knownfail
index 0e168ab..d96e238 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -79,6 +79,7 @@
^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
^samba4.rpc.netlogon.*.GetPassword
^samba4.rpc.netlogon.*.DatabaseRedo
+^samba4.rpc.netlogon.*.netlogon.lsa_over_netlogon\(ad_dc\) #Broken by split of \\pipe\lsass from \\pipe\netlogon in the IDL
^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # Broken by allowing NT4 crypto on this environment
^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs:local\) # Broken by allowing NT4 crypto on this environment
^samba4.rpc.drsuapi.*ncacn_ip_tcp.*validate # should only work with seal
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 9e30475..80fbd03 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1399,6 +1399,7 @@ sub provision_ad_dc_ntvfs($$)
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
allow nt4 crypto = yes
+ lsa over netlogon = yes
";
my $ret = $self->provision($prefix,
"domain controller",
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index c7a2c40..2aa7006 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -43,6 +43,27 @@ static NTSTATUS dcesrv_interface_lsarpc_bind(struct dcesrv_call_state *dce_call,
return dcesrv_interface_bind_reject_connect(dce_call, iface);
}
+static NTSTATUS lsarpc__op_init_server(struct dcesrv_context *dce_ctx,
+ const struct dcesrv_endpoint_server *ep_server);
+static const struct dcesrv_interface dcesrv_lsarpc_interface;
+
+#define DCESRV_INTERFACE_LSARPC_INIT_SERVER \
+ dcesrv_interface_lsarpc_init_server
+static NTSTATUS dcesrv_interface_lsarpc_init_server(struct dcesrv_context *dce_ctx,
+ const struct dcesrv_endpoint_server *ep_server)
+{
+ if (lpcfg_lsa_over_netlogon(dce_ctx->lp_ctx)) {
+ NTSTATUS ret = dcesrv_interface_register(dce_ctx,
+ "ncacn_np:[\\pipe\\netlogon]",
+ &dcesrv_lsarpc_interface, NULL);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1,("lsarpc_op_init_server: failed to register endpoint '\\pipe\\netlogon'\n"));
+ return ret;
+ }
+ }
+ return lsarpc__op_init_server(dce_ctx, ep_server);
+}
+
/*
this type allows us to distinguish handle types
*/
--
Samba Shared Repository
More information about the samba-cvs
mailing list