[SCM] Samba Shared Repository - branch v4-10-test updated
Karolin Seeger
kseeger at samba.org
Tue Jul 9 10:32:04 UTC 2019
The branch, v4-10-test has been updated
via b56e010af12 s4/libnet: Fix joining a Windows pre-2008R2 DC
via 4743188456f vfs:glusterfs_fuse: treat ENOATTR as ENOENT
via 01a7df07fc9 vfs:glusterfs: treat ENOATTR as ENOENT
via 27bd08f36bd dsdb: Handle DB corner-case where PSO container doesn't exist
via 1f0870a7b28 s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
via b7f586ca6c9 s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
via e9c23a02470 s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
via 58760fe8b72 s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests
via 4f70d4d76a0 s4 librpc rpc pyrpc: Ensure tevent_context deleted last
via 4179bdb6f2a s4/pyrpc_util: appropriately decrement refcounts on failure
via 8128ceceb87 build: Allow build when --disable-gnutls is set
from 372ee382939 VERSION: Bump version up to 4.10.7...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test
- Log -----------------------------------------------------------------
commit b56e010af12908e4291231172eb67306e14de9a6
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 1 17:06:31 2019 +1200
s4/libnet: Fix joining a Windows pre-2008R2 DC
From v4.8 onwards, Samba may not be able join a DC older than 2008R2
because the Windows DC doesn't support GET_TGT.
If the dsdb repl_md code can't resolve a link target it returns an
error, and the calling code (e.g. drs_util.py) should retry with
GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
so if you try to join an earlier Windows DC, the join will throw an
error that you can't work-around.
We can avoid this problem by setting the same DSDB flag that GET_TGT
sets to indicate that the link targets are as up-to-date as possible,
and so there's no point retrying. Missing targets are still logged, so
this at least allows the admin to fix up any problems after the join
completed.
I've only done this for the join case (problems during periodic
replication are probably still worth escalating to an error).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021
RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
DC may not have worked. When this problem occurred, the following
message would be displayed:
'Failed to commit objects: DOS code 0x000021bf'
This particular issue has now been resolved. Note that there may still
be other potential problems that occur when joining an older Windows DC.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-10-test): Tue Jul 9 10:31:40 UTC 2019 on sn-devel-144
commit 4743188456f7da4023890d17f699a88780525291
Author: Michael Adam <obnox at samba.org>
Date: Thu Jun 20 15:14:57 2019 +0200
vfs:glusterfs_fuse: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
ENOENT to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184
(cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)
commit 01a7df07fc92c8e1d73749585432d5071a6f460a
Author: Michael Adam <obnox at samba.org>
Date: Thu Jun 20 15:14:57 2019 +0200
vfs:glusterfs: treat ENOATTR as ENOENT
The original implementation of the virtual xattr get_real_filename
in gluster was misusing the ENOENT errno as the authoritative anwer
that the file/dir that we were asking the real filename for does not
exist. But since the getxattr call is done on the parent directory,
this is a violation of the getxattr API which uses ENOENT for the
case that the file/dir that the getxattr call is done against does
not exist.
Now after a recent regression for fuse-mount re-exports due to
gluster mapping ENOENT to ESTALE in the fuse-bridge, the gluster
implementation is changed to more correctly return ENOATTR if the
requested file does not exist.
This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
to be fully functional again with latest gluster.
- Without this patch, samba against a new gluster will work correctly,
but the get_real_filename optimization for a non-existing entry
is lost.
- With this patch, Samba will not work correctly any more against
very old gluster servers: Those (correctly) returned ENOATTR
always, which Samba originally interpreted as EOPNOTSUPP, triggering
the expensive directory scan. With this patch, ENOATTR is
interpreted as ENOENT, the authoritative answer that the requested
entry does not exist, which is wrong unless it really does not exist.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>
(cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)
commit 27bd08f36bda8ab362c7a69a2137734e22a42c48
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Jun 25 10:10:17 2019 +1200
dsdb: Handle DB corner-case where PSO container doesn't exist
A 2003 AD DB with functional level set to >= 2008 was non-functional
due to the PSO checks.
We already check the functional level is >= 2008 before checking for the
PSO container. However, users could change their functional level
without ensuring their DB conforms to the corresponding base schema.
The objectclass DSDB module should prevent the PSO container from ever
being deleted. So the only way we should be able to hit this case is
through upgrading the functional level (but not the underlying schema
objects). If so, log a low-priority message and continue without errors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008
RN: Previously, AD operations such as user authentication could fail
completely with the message 'Error 32 determining PSOs in system' logged
on the samba server. This problem would only affect a domain that was
created using a pre-2008 AD base schema and then had its functional
level manually raised to 2008 or greater. This issue has now been
resolved.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)
commit 1f0870a7b28c5485e1b8131088ff16fca4d04f15
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 13:12:14 2019 +0200
s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
The gensec schannel module already asserts that at least
AUTH_LEVEL_INTEGRITY is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)
commit b7f586ca6c996213732ea6574f1dc7ad5915983b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 12:38:43 2019 +0200
s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)
commit e9c23a024707bb54edcf2b755ed3f27fbc4325f4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 27 12:38:43 2019 +0200
s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
The domain join with VMWare Horizon Quickprep seems to use
netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
(and in addition the NEG_SUPPORTS_AES) just to verify a password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)
commit 58760fe8b72e74bb0e62c8d30c7de35bfcfb4055
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed May 22 11:43:54 2019 +1200
s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests
Commit d65b7641c84976c543ded8f0de5ab2da3c19b407 had the parameters to
talloc_reparent reversed. This caused the dcerpc.bare tests to flap.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13932
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Wed May 22 03:03:43 UTC 2019 on sn-devel-184
(cherry picked from commit 3e6661fd73bb24ef5700a98f676f1df5eeca408b)
commit 4f70d4d76a02717bc5d73ab51f936b224b8a6394
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed May 8 11:30:20 2019 +1200
s4 librpc rpc pyrpc: Ensure tevent_context deleted last
Ensure that the tevent_context is deleted after the connection, to
prevent a use after free.
Note: Py_DECREF calls dcerpc_interface_dealloc so the
TALLOC_FREE(ret->mem_ctx) calls in the error paths of
py_dcerpc_interface_init_helper needed removal.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13932
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d65b7641c84976c543ded8f0de5ab2da3c19b407)
commit 4179bdb6f2aaaa4841f4c3381ad8ac68f17f0eaa
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu May 3 09:53:56 2018 +1200
s4/pyrpc_util: appropriately decrement refcounts on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
(cherry picked from commit e23b9f88cc1c8a8c8cda07fb25d639218c12d91a)
commit 8128ceceb8702e596183dd509dd6f952a2f4efc2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 20 13:57:50 2019 +1300
build: Allow build when --disable-gnutls is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13844
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
Autobuild-Date(master): Wed Mar 20 05:25:48 UTC 2019 on sn-devel-144
(cherry picked from commit a40b0f452af5f393aa33c9d52673994effd0e31f)
-----------------------------------------------------------------------
Summary of changes:
lib/mscat/wscript | 6 ++-
source3/modules/vfs_glusterfs.c | 2 +-
source3/modules/vfs_glusterfs_fuse.c | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 52 ++------------------
source4/dsdb/samdb/ldb_modules/operational.c | 12 +++++
source4/libnet/libnet_vampire.c | 9 ++++
source4/librpc/rpc/pyrpc.c | 15 ++++++
source4/librpc/rpc/pyrpc.h | 1 +
source4/librpc/rpc/pyrpc_util.c | 70 ++++++++++++++++-----------
source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 ------
10 files changed, 91 insertions(+), 93 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/mscat/wscript b/lib/mscat/wscript
index 7ca9ef567ee..4d1f752a3c1 100644
--- a/lib/mscat/wscript
+++ b/lib/mscat/wscript
@@ -12,7 +12,11 @@ def configure(conf):
if not conf.find_program('asn1Parser', var='ASN1PARSER'):
Logs.warn('WARNING: ans1Parser hasn\'t been found! Please install it (e.g. libtasn1-bin)')
- conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
+ # GnuTLS is currently able to be disabled
+ if conf.env.enable_gnutls:
+ conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
+ else:
+ Logs.warn('WARNING: gnutls disabled so dumpmscat will not be built')
def build(bld):
if (bld.CONFIG_SET('HAVE_LIBTASN1') and
diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
index e23a5efe17f..ab0b86caa55 100644
--- a/source3/modules/vfs_glusterfs.c
+++ b/source3/modules/vfs_glusterfs.c
@@ -1465,7 +1465,7 @@ static int vfs_gluster_get_real_filename(struct vfs_handle_struct *handle,
GLUSTER_NAME_MAX + 1);
if (ret == -1) {
if (errno == ENOATTR) {
- errno = EOPNOTSUPP;
+ errno = ENOENT;
}
return -1;
}
diff --git a/source3/modules/vfs_glusterfs_fuse.c b/source3/modules/vfs_glusterfs_fuse.c
index d92f5e2b08b..51515aa0df4 100644
--- a/source3/modules/vfs_glusterfs_fuse.c
+++ b/source3/modules/vfs_glusterfs_fuse.c
@@ -45,7 +45,7 @@ static int vfs_gluster_fuse_get_real_filename(struct vfs_handle_struct *handle,
ret = getxattr(path, key_buf, val_buf, GLUSTER_NAME_MAX + 1);
if (ret == -1) {
if (errno == ENOATTR) {
- errno = EOPNOTSUPP;
+ errno = ENOENT;
}
return -1;
}
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 9b9947455ed..d799ba4feef 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
srv_flgs |= NETLOGON_NEG_SUPPORTS_AES;
}
- if (lp_server_schannel() != false) {
+ if (in_neg_flags & NETLOGON_NEG_SCHANNEL) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
@@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
goto out;
}
- if ( (lp_server_schannel() == true) &&
- ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
-
- /* schannel must be used, but client did not offer it. */
- DEBUG(0,("%s: schannel required but client failed "
- "to offer it. Client was %s\n",
- fn, r->in.account_name));
- status = NT_STATUS_ACCESS_DENIED;
- goto out;
- }
-
status = get_md4pw(&mach_pwd,
r->in.account_name,
r->in.secure_channel_type,
@@ -1072,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
return _netr_ServerAuthenticate3(p, &a);
}
-/*************************************************************************
- * If schannel is required for this call test that it actually is available.
- *************************************************************************/
-static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
- const char *computer_name,
- bool integrity, bool privacy)
-{
- if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!privacy && !integrity) {
- return NT_STATUS_OK;
- }
-
- if ((!privacy && integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
- return NT_STATUS_OK;
- }
-
- if ((privacy || integrity) &&
- auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
- return NT_STATUS_OK;
- }
- }
-
- /* test didn't pass */
- DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
- computer_name));
-
- return NT_STATUS_ACCESS_DENIED;
-}
-
/*************************************************************************
*************************************************************************/
@@ -1121,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
}
if (schannel_global_required) {
- status = schannel_check_required(&p->auth,
- computer_name,
- false, false);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("[%s] is not using schannel\n",
+ computer_name);
+ return NT_STATUS_ACCESS_DENIED;
}
}
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 8dad9517ced..86e43e124af 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -994,6 +994,7 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_result *res = NULL;
struct ldb_context *ldb = ldb_module_get_ctx(module);
+ *pso_count = 0;
domain_dn = ldb_get_default_basedn(ldb);
psc_dn = ldb_dn_new_fmt(mem_ctx, ldb,
"CN=Password Settings Container,CN=System,%s",
@@ -1007,6 +1008,17 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx,
LDB_SCOPE_ONELEVEL, attrs,
DSDB_FLAG_NEXT_MODULE, parent,
"(objectClass=msDS-PasswordSettings)");
+
+ /*
+ * Just ignore PSOs if the container doesn't exist. This is a weird
+ * corner-case where the AD DB was created from a pre-2008 base schema,
+ * and then the FL was manually upgraded.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ DBG_NOTICE("No Password Settings Container exists\n");
+ return LDB_SUCCESS;
+ }
+
if (ret != LDB_SUCCESS) {
return ret;
}
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index 6167493c359..128d237bcd2 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -660,6 +660,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data,
return WERR_INVALID_PARAMETER;
}
+ /*
+ * If the peer DC doesn't support GET_TGT (req v10), then the link
+ * targets are as up-to-date as they're ever gonna be. (Without this,
+ * cases where we'd normally retry with GET_TGT cause the join to fail)
+ */
+ if (c->req_level < 10) {
+ dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE;
+ }
+
if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) {
/*
* If we only replicate the critical objects, or this
diff --git a/source4/librpc/rpc/pyrpc.c b/source4/librpc/rpc/pyrpc.c
index cf2d4c24007..d56eb023d96 100644
--- a/source4/librpc/rpc/pyrpc.c
+++ b/source4/librpc/rpc/pyrpc.c
@@ -281,9 +281,24 @@ static PyMethodDef dcerpc_interface_methods[] = {
static void dcerpc_interface_dealloc(PyObject* self)
{
dcerpc_InterfaceObject *interface = (dcerpc_InterfaceObject *)self;
+
+ struct tevent_context *ev_save = talloc_reparent(
+ interface->mem_ctx, NULL, interface->ev);
+ SMB_ASSERT(ev_save != NULL);
+
interface->binding_handle = NULL;
interface->pipe = NULL;
+
+ /*
+ * Free everything *except* the event context, which must go
+ * away last
+ */
TALLOC_FREE(interface->mem_ctx);
+
+ /*
+ * Now wish a fond goodbye to the event context itself
+ */
+ talloc_unlink(NULL, ev_save);
self->ob_type->tp_free(self);
}
diff --git a/source4/librpc/rpc/pyrpc.h b/source4/librpc/rpc/pyrpc.h
index 968bf863c4c..8852def7251 100644
--- a/source4/librpc/rpc/pyrpc.h
+++ b/source4/librpc/rpc/pyrpc.h
@@ -44,6 +44,7 @@ typedef struct {
TALLOC_CTX *mem_ctx;
struct dcerpc_pipe *pipe;
struct dcerpc_binding_handle *binding_handle;
+ struct tevent_context *ev;
} dcerpc_InterfaceObject;
diff --git a/source4/librpc/rpc/pyrpc_util.c b/source4/librpc/rpc/pyrpc_util.c
index 3a151e1591f..c8931bf96f0 100644
--- a/source4/librpc/rpc/pyrpc_util.c
+++ b/source4/librpc/rpc/pyrpc_util.c
@@ -118,6 +118,7 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py
ret = PyObject_New(dcerpc_InterfaceObject, type);
ret->pipe = NULL;
ret->binding_handle = NULL;
+ ret->ev = NULL;
ret->mem_ctx = talloc_new(NULL);
if (ret->mem_ctx == NULL) {
PyErr_NoMemory();
@@ -125,28 +126,27 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py
}
if (strncmp(binding_string, "irpc:", 5) == 0) {
- struct tevent_context *event_ctx;
struct loadparm_context *lp_ctx;
- event_ctx = s4_event_context_init(ret->mem_ctx);
- if (event_ctx == NULL) {
+ ret->ev = s4_event_context_init(ret->mem_ctx);
+ if (ret->ev == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm context");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
- lp_ctx = lpcfg_from_py_object(event_ctx, py_lp_ctx);
+ lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx);
if (lp_ctx == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm context");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
status = pyrpc_irpc_connect(ret->mem_ctx, binding_string+5, table,
- event_ctx, lp_ctx, &ret->binding_handle);
+ ret->ev, lp_ctx, &ret->binding_handle);
if (!NT_STATUS_IS_OK(status)) {
PyErr_SetNTSTATUS(status);
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
} else if (py_basis != Py_None) {
@@ -156,20 +156,23 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py
py_base = PyImport_ImportModule("samba.dcerpc.base");
if (py_base == NULL) {
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
ClientConnection_Type = (PyTypeObject *)PyObject_GetAttrString(py_base, "ClientConnection");
if (ClientConnection_Type == NULL) {
PyErr_SetNone(PyExc_TypeError);
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
+ Py_DECREF(py_base);
return NULL;
}
if (!PyObject_TypeCheck(py_basis, ClientConnection_Type)) {
PyErr_SetString(PyExc_TypeError, "basis_connection must be a DCE/RPC connection");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
+ Py_DECREF(py_base);
+ Py_DECREF(ClientConnection_Type);
return NULL;
}
@@ -177,56 +180,66 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py
((dcerpc_InterfaceObject *)py_basis)->pipe);
if (base_pipe == NULL) {
PyErr_NoMemory();
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
+ Py_DECREF(py_base);
+ Py_DECREF(ClientConnection_Type);
+ return NULL;
+ }
+
+ ret->ev = talloc_reference(
+ ret->mem_ctx,
+ ((dcerpc_InterfaceObject *)py_basis)->ev);
+ if (ret->ev == NULL) {
+ PyErr_NoMemory();
+ Py_DECREF(ret);
+ Py_DECREF(py_base);
+ Py_DECREF(ClientConnection_Type);
return NULL;
}
status = dcerpc_secondary_context(base_pipe, &ret->pipe, table);
if (!NT_STATUS_IS_OK(status)) {
PyErr_SetNTSTATUS(status);
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
+ Py_DECREF(py_base);
+ Py_DECREF(ClientConnection_Type);
return NULL;
}
ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe);
+ Py_XDECREF(ClientConnection_Type);
+ Py_XDECREF(py_base);
} else {
- struct tevent_context *event_ctx;
struct loadparm_context *lp_ctx;
struct cli_credentials *credentials;
- event_ctx = s4_event_context_init(ret->mem_ctx);
- if (event_ctx == NULL) {
+ ret->ev = s4_event_context_init(ret->mem_ctx);
+ if (ret->ev == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm context");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
- lp_ctx = lpcfg_from_py_object(event_ctx, py_lp_ctx);
+ lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx);
if (lp_ctx == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected loadparm context");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
credentials = cli_credentials_from_py_object(py_credentials);
if (credentials == NULL) {
PyErr_SetString(PyExc_TypeError, "Expected credentials");
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
status = dcerpc_pipe_connect(ret->mem_ctx, &ret->pipe, binding_string,
- table, credentials, event_ctx, lp_ctx);
+ table, credentials, ret->ev, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
PyErr_SetNTSTATUS(status);
- TALLOC_FREE(ret->mem_ctx);
+ Py_DECREF(ret);
return NULL;
}
-
- /*
- * the event context is cached under the connection,
- * so let it be a child of it.
- */
- talloc_steal(ret->pipe->conn, event_ctx);
}
if (ret->pipe) {
@@ -378,6 +391,7 @@ PyObject *py_return_ndr_struct(const char *module_name, const char *type_name,
py_type = (PyTypeObject *)PyObject_GetAttrString(module, type_name);
if (py_type == NULL) {
+ Py_DECREF(module);
return NULL;
}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 530350d442a..023adfd99e9 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -144,8 +144,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
bool reject_des_client = !allow_nt4_crypto;
bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
- bool reject_none_rpc = (schannel == true);
ZERO_STRUCTP(r->out.return_credentials);
*r->out.rid = 0;
@@ -226,10 +224,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
negotiate_flags = *r->in.negotiate_flags & server_flags;
- if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
- reject_none_rpc = false;
- }
-
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
reject_des_client = false;
}
@@ -276,15 +270,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
*/
*r->out.negotiate_flags = negotiate_flags;
- if (reject_none_rpc) {
- /* schannel must be used, but client did not offer it. */
- DEBUG(0,("%s: schannel required but client failed "
- "to offer it. Client was %s\n",
- __func__,
- log_escape(mem_ctx, r->in.account_name)));
- return NT_STATUS_ACCESS_DENIED;
- }
-
switch (r->in.secure_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_DNS_DOMAIN:
--
Samba Shared Repository
More information about the samba-cvs
mailing list