The branch, master has been updated via 5592a9b... s4:selftest Test --sign and --encrypt options to ldbsearch via bb7854a... s4:cmdline Add --sign and --encrypt options to our common command line via a2286ba... s4:ntlmssp Ensure that we always negotiate signing if we negotiate sealing. from fbdcaa9... s3: Optimize gencache for smbd exit
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 5592a9ba5adb6e23a0fc580725184f39efce0486 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 24 19:27:18 2010 +1100 s4:selftest Test --sign and --encrypt options to ldbsearch commit bb7854afea47699be32f5331fe5f8f05e469cb96 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 24 19:26:02 2010 +1100 s4:cmdline Add --sign and --encrypt options to our common command line This allows ldbsearch to accept --sign and --encrypt. I'll soon work to integrate with the --signing= option in smbclient. Andrew Bartlett commit a2286bad67a772d290fead9832b7ca52877c40b2 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Mar 24 16:09:02 2010 +1100 s4:ntlmssp Ensure that we always negotiate signing if we negotiate sealing. Without this, a sealed LDAP connection to windows does not work. Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: source4/auth/ntlmssp/ntlmssp_client.c | 1 + source4/lib/cmdline/popt_credentials.c | 29 ++++++++++++++++++++++++++++- source4/selftest/tests.sh | 4 ++-- 3 files changed, 31 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 7aef086..b518fa8 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -368,6 +368,7 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c index 42ecac1..80f71eb 100644 --- a/source4/lib/cmdline/popt_credentials.c 
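Review bot: The added `NTLMSSP_NEGOTIATE_SIGN` line inside the `GENSEC_FEATURE_SEAL` branch of gensec_ntlmssp_client_start carries no comment, so it reads like a copy-paste duplicate of the SIGN branch just above it. The commit message gives the reason, and it belongs in the code, e.g. `/* Windows will not accept a sealed LDAP connection unless signing is negotiated too */`. These lines only set the flags the client asks for. Whether the flags returned by the server are later checked to still include SIGN and SEAL is outside this hunk and worth confirming, since a caller that asked for sealing should not end up on an unprotected session. The function starts and continues outside the hunk.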
+++ b/source4/lib/cmdline/popt_credentials.c @@ -39,7 +39,7 @@ static bool dont_ask; -enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS }; +enum opt { OPT_SIMPLE_BIND_DN, OPT_PASSWORD, OPT_KERBEROS, OPT_SIGN, OPT_ENCRYPT }; /* disable asking for a password @@ -66,6 +66,7 @@ static void popt_common_credentials_callback(poptContext con, cli_credentials_set_cmdline_callbacks(cmdline_credentials); } return; + } switch(opt->val) { @@ -119,9 +120,33 @@ static void popt_common_credentials_callback(poptContext con, } case OPT_SIMPLE_BIND_DN: + { cli_credentials_set_bind_dn(cmdline_credentials, arg); break; } + case OPT_SIGN: + { + uint32_t gensec_features; + + gensec_features = cli_credentials_get_gensec_features(cmdline_credentials); + + gensec_features |= GENSEC_FEATURE_SIGN; + cli_credentials_set_gensec_features(cmdline_credentials, + gensec_features); + break; + } + case OPT_ENCRYPT: + { + uint32_t gensec_features; + + gensec_features = cli_credentials_get_gensec_features(cmdline_credentials); + + gensec_features |= GENSEC_FEATURE_SEAL; + cli_credentials_set_gensec_features(cmdline_credentials, + gensec_features); + break; + } + } } @@ -135,5 +160,7 @@ struct poptOption popt_common_credentials[] = { { "machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password (implies -k)" }, { "simple-bind-dn", 0, POPT_ARG_STRING, NULL, OPT_SIMPLE_BIND_DN, "DN to use for a simple bind" }, { "kerberos", 'k', POPT_ARG_STRING, NULL, OPT_KERBEROS, "Use Kerberos" }, + { "sign", 'S', POPT_ARG_NONE, NULL, OPT_SIGN, "Sign connection to prevent modification in transit" }, + { "encrypt", 'e', POPT_ARG_NONE, NULL, OPT_ENCRYPT, "Encrypt connection for privacy" }, { NULL } }; diff --git a/source4/selftest/tests.sh b/source4/selftest/tests.sh index e6a8c25..8dd8f2b 100755 --- a/source4/selftest/tests.sh +++ b/source4/selftest/tests.sh 
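Review bot: In the `@@ -119` hunk of popt_common_credentials_callback, `OPT_ENCRYPT` sets only `GENSEC_FEATURE_SEAL`, so the sealing-implies-signing rule that this push adds for NTLMSSP is left to each mechanism to enforce. Setting both here, `gensec_features |= GENSEC_FEATURE_SEAL | GENSEC_FEATURE_SIGN;`, would give `--encrypt` the same meaning whichever mechanism is selected; I have not checked how the other gensec backends treat SEAL on its own. The two new cases are otherwise identical read-modify-write sequences and could share one small static helper that takes the feature bit. The options only request the features, and nothing visible here makes the tool fail if the negotiated session ends up without them, which a user passing `--encrypt` would presumably expect; that is worth confirming in the LDAP client code. The callback begins and ends outside this hunk.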
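Review bot: The `@@ -135` hunk claims the short options `-S` and `-e` in `popt_common_credentials[]`, which the commit message describes as the common command line, so any tool that pulls in this table and already uses `-S` or `-e` for something else would now be ambiguous. The other option tables are not visible from this diff, so this needs a check across the binaries that include the table. If there is any doubt, register only the long forms by passing `0` as the short name, as the `simple-bind-dn` entry already does. Since the NTLMSSP change in this push makes sealing negotiate signing, the `--encrypt` help text could say so, e.g. `"Encrypt connection for privacy (implies signing)"`, if that is the intended contract for every mechanism.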
@@ -114,8 +114,8 @@ echo "OPTIONS $TORTURE_OPTIONS" # Simple tests for LDAP and CLDAP -for options in "" "--option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD --option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD"; do - plantest "ldb.ldap with options $options" dc $bbdir/test_ldb.sh ldap \$SERVER_IP $options +for options in "" "--option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD --option=socket:testnonblock=true" "-U\$USERNAME%\$PASSWORD" "-U\$USERNAME%\$PASSWORD -k yes" "-U\$USERNAME%\$PASSWORD -k no" "-U\$USERNAME%\$PASSWORD -k no --sign" "-U\$USERNAME%\$PASSWORD -k no --encrypt" "-U\$USERNAME%\$PASSWORD -k yes --encrypt" "-U\$USERNAME%\$PASSWORD -k yes --sign"; do + plantest "ldb.ldap with options $options" dc $bbdir/test_ldb.sh ldap \$SERVER $options done # see if we support ldaps if grep ENABLE_GNUTLS.1 include/config.h > /dev/null; then -- Samba Shared Repository
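Review bot: The new `--sign` and `--encrypt` variants in the `for options` loop only show that test_ldb.sh still passes when the flags are given. Nothing in this hunk checks that the connection was actually signed or sealed, so a client that silently ignored the options would pass as well. A negative case (a server setting that refuses signing, with the `--sign` run expected to fail) or an assertion on the negotiated features would make these tests guard the security property. The switch from `\$SERVER_IP` to `\$SERVER` on the plantest line is not mentioned in the commit message; presumably the `-k yes` runs need a hostname for the service ticket, and a comment such as `# -k yes needs a hostname, not an IP` would record that once confirmed.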