The branch, master has been updated
       via  86be54e... Change talloc_autofree_context() to frame in Andrew's 
schannel.tdb TDB_CLEAR_IF_FIRST changes. Using talloc_autofree_context() has 
undesirable effects when forked subprocesses exit.
       via  c84b74d... schannel Change to TDB_CLEAR_IF_FIRST to reduce fsync()
       via  cfece16... s3:schannel Open the schannel_state.tdb at startup
       via  58d0b63... s4:schannel Open the schannel_store.tdb at startup
       via  825b2f4... libcli/auth make open_schannel_session_store() public
      from  6d97360... s3:registry: use regdb_store_regdb_version() in 
regdb_init().

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 86be54ec61153d6ecd6967fa0f8c65880bbb088c
Author: Jeremy Allison <[email protected]>
Date:   Fri Jun 25 12:02:08 2010 -0700

    Change talloc_autofree_context() to frame in Andrew's schannel.tdb 
TDB_CLEAR_IF_FIRST
    changes. Using talloc_autofree_context() has undesirable effects when forked
    subprocesses exit.
    
    Jeremy.

commit c84b74dddd6c74ad28597f069a43a0a3d334b04a
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jun 23 10:37:13 2010 +1000

    schannel Change to TDB_CLEAR_IF_FIRST to reduce fsync()
    
    By making this DB TDB_NOSYNC, and by making that safe with
    TDB_CLEAR_IF_FIRST, we greatly reduce the fsync() load on the server.
    
    This particularly helps the source4/ 'make test', which otherwise tries
    to disable fsync() in ldb.
    
    Andrew Bartlett
    
    Signed-off-by: Jeremy Allison <[email protected]>

commit cfece164981142168aa6c846c7433f0459fb6de7
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jun 23 10:36:32 2010 +1000

    s3:schannel Open the schannel_state.tdb at startup
    
    This will allow future TDB_CLEAR_IF_FIRST behaviour
    
    Signed-off-by: Jeremy Allison <[email protected]>

commit 58d0b638c802241655b205b1974e48f477c2eaeb
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jun 23 10:33:15 2010 +1000

    s4:schannel Open the schannel_store.tdb at startup
    
    This will allow TDB_CLEAR_IF_FIRST behaviour in future
    
    Signed-off-by: Jeremy Allison <[email protected]>

commit 825b2f456c136b33d139ee76e58426437bce65b8
Author: Andrew Bartlett <[email protected]>
Date:   Wed Jun 23 10:31:50 2010 +1000

    libcli/auth make open_schannel_session_store() public
    
    This will allow TDB_CLEAR_IF_FIRST to be used
    
    Signed-off-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/schannel_proto.h     |    3 ++
 libcli/auth/schannel_state_tdb.c |   44 ++++---------------------------------
 source3/smbd/server.c            |    8 +++++++
 source4/smbd/server.c            |    8 +++++++
 4 files changed, 24 insertions(+), 39 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index eee7199..f1731a7 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -23,6 +23,9 @@
 #ifndef _LIBCLI_AUTH_SCHANNEL_PROTO_H__
 #define _LIBCLI_AUTH_SCHANNEL_PROTO_H__
 
+struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
+                                            const char *private_dir);
+
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
                                TALLOC_CTX *mem_ctx,
                                bool do_unseal,
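Review bot: The newly public prototype carries no contract, yet the parent-process callers now depend on one: the handle is talloc'd under `mem_ctx` (it is what the function hands to tdb_wrap_open), the file is opened TDB_CLEAR_IF_FIRST so the handle must stay open in the parent for as long as children may open the store, and NULL is returned when the directory or the tdb cannot be opened. A header comment along the lines of `/* Open (creating if needed) the schannel session store under mem_ctx. Opened TDB_CLEAR_IF_FIRST, so the returned handle must remain open in the parent for the life of the service; returns NULL on failure. */` would state that. The rewritten block comment in libcli/auth/schannel_state_tdb.c (first hunk of that file) should say the same and also misspells "correctly".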
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 9e76781..0dcc336 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -35,18 +35,13 @@
 #define SECRETS_SCHANNEL_STATE "SECRETS/SCHANNEL"
 
 /******************************************************************************
- Open or create the schannel session store tdb.
+ Open or create the schannel session store tdb.  Non-static so it can
+ be called from parent processes to corectly handle TDB_CLEAR_IF_FIRST
 
*******************************************************************************/
 
-#define SCHANNEL_STORE_VERSION_1 1
-#define SCHANNEL_STORE_VERSION_2 2 /* should not be used */
-#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1
-
-static struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
-                                                   const char *private_dir)
+struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
+                                            const char *private_dir)
 {
-       TDB_DATA vers;
-       uint32_t ver;
        struct tdb_wrap *tdb_sc = NULL;
        char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", 
private_dir);
 
@@ -54,7 +49,7 @@ static struct tdb_wrap 
*open_schannel_session_store(TALLOC_CTX *mem_ctx,
                return NULL;
        }
 
-       tdb_sc = tdb_wrap_open(mem_ctx, fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 
0600);
+       tdb_sc = tdb_wrap_open(mem_ctx, fname, 0, 
TDB_CLEAR_IF_FIRST|TDB_NOSYNC, O_RDWR|O_CREAT, 0600);
 
        if (!tdb_sc) {
                DEBUG(0,("open_schannel_session_store: Failed to open %s - 
%s\n",
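Review bot: The new flag combination makes the store unsynced and ephemeral, which is safe only because the first opener wipes it; the version-stamp code deleted in the following hunk was the only other defence against reusing a stale or foreign-format file, and nothing at the tdb_wrap_open call records that trade-off. A one-line comment would preserve the reasoning for the next maintainer: `/* TDB_CLEAR_IF_FIRST: the first opener wipes the store, so no version stamp is needed and unsynced data left by a crash is discarded at the next first open */`. open_schannel_session_store continues on both sides of this hunk.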
@@ -63,35 +58,6 @@ static struct tdb_wrap 
*open_schannel_session_store(TALLOC_CTX *mem_ctx,
                return NULL;
        }
 
- again:
-       vers = tdb_fetch_bystring(tdb_sc->tdb, "SCHANNEL_STORE_VERSION");
-       if (vers.dptr == NULL) {
-               /* First opener, no version. */
-               SIVAL(&ver,0,SCHANNEL_STORE_VERSION_CURRENT);
-               vers.dptr = (uint8_t *)&ver;
-               vers.dsize = 4;
-               tdb_store_bystring(tdb_sc->tdb, "SCHANNEL_STORE_VERSION", vers, 
TDB_REPLACE);
-               vers.dptr = NULL;
-       } else if (vers.dsize == 4) {
-               ver = IVAL(vers.dptr,0);
-               if (ver == SCHANNEL_STORE_VERSION_2) {
-                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
-                               (int)ver, fname ));
-                       tdb_wipe_all(tdb_sc->tdb);
-                       goto again;
-               }
-               if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
-                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
-                               (int)ver, fname ));
-                       TALLOC_FREE(tdb_sc);
-               }
-       } else {
-               TALLOC_FREE(tdb_sc);
-               DEBUG(0,("open_schannel_session_store: wrong version number 
size %d in %s\n",
-                       (int)vers.dsize, fname ));
-       }
-
-       SAFE_FREE(vers.dptr);
        TALLOC_FREE(fname);
 
        return tdb_sc;
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 2bb0bb8..24788a9 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -25,6 +25,7 @@
 #include "smbd/globals.h"
 #include "librpc/gen_ndr/messaging.h"
 #include "registry.h"
+#include "libcli/auth/schannel.h"
 
 static_decl_rpc;
 
@@ -1023,6 +1024,13 @@ extern void build_options(bool screen);
                exit(1);
        }
 
+       if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == 
ROLE_DOMAIN_PDC) {
+               if (!open_schannel_session_store(frame, lp_private_dir())) {
+                       DEBUG(0,("ERROR: Samba cannot open schannel store for 
secured NETLOGON operations.\n"));
+                       exit(1);
+               }
+       }
+
        if(!get_global_sam_sid()) {
                DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n"));
                exit(1);
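Review bot: The handle returned by open_schannel_session_store() is discarded after the NULL test and is allocated on `frame`, so the store stays open in the parent only as long as that stack frame lives; with TDB_CLEAR_IF_FIRST the parent's open handle is what stops the next opener (a forked child, or any later process) from wiping the live schannel credentials. frame's lifetime is outside the hunk, so this may be fine if it is never freed before the children exit, but it deserves a check and a comment such as `/* must stay open in the parent: TDB_CLEAR_IF_FIRST relies on this handle */`. `lp_server_role()` is also evaluated twice in the condition; a local `int role = lp_server_role();` reads more cleanly. The same open appears in source4/smbd/server.c.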
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 88917c4..11415a1 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -31,6 +31,7 @@
 #include "ntvfs/ntvfs.h"
 #include "ntptr/ntptr.h"
 #include "auth/gensec/gensec.h"
+#include "libcli/auth/schannel.h"
 #include "smbd/process_model.h"
 #include "param/secrets.h"
 #include "smbd/pidfile.h"
@@ -400,6 +401,13 @@ static int binary_smbd_main(const char *binary_name, int 
argc, const char *argv[
                return 1;
        }
 
+       if (lp_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+               if (!open_schannel_session_store(talloc_autofree_context(), 
lp_private_dir(cmdline_lp_ctx))) {
+                       DEBUG(0,("ERROR: Samba cannot open schannel store for 
secured NETLOGON operations.\n"));
+                       exit(1);
+               }
+       }
+
        gensec_init(cmdline_lp_ctx); /* FIXME: */
 
        ntptr_init(cmdline_lp_ctx);     /* FIXME: maybe run this in the 
initialization function 
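Review bot: This source4 call still parks the handle on `talloc_autofree_context()`, whereas the top commit (86be54e) moved the source3 equivalent to `frame` precisely because the autofree context misbehaves when forked subprocesses exit; smbd/process_model.h is included here, so if the chosen process model forks the same concern presumably applies. Worth aligning the two callers, or adding a comment explaining why the autofree context is acceptable on this side. binary_smbd_main continues outside the hunk.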


-- 
Samba Shared Repository
