The branch, master has been updated
       via  8dd3732 s4:kdc: add aes key support for trusted domains
       via  ec73511 s4:rpc_server/lsa: fix segfault in check_ft_info()
       via  1e74ab3 s4:rpc_server/lsa: remove unused allow_warnings=True
       via  2c92545 s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.
       via  1d6e9e5 s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()
       via  05eb7b5 s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in pdb_samba_dsdb_get_trusteddom_creds()
       via  7387678 s3:pdb_samba_dsdb: add pdb_samba_dsdb_get_trusteddom_creds
       via  c5e966d s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()
       via  a601c08 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()
       via  6f718ba s3:winbindd: we only need a netlogon connection to a rwdc if we're a rodc ourself
       via  29816c5 s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon
       via  fb42b02 s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function
       via  995cf54 s3:cli_netlogon: add rpccli_{create,setup}_netlogon_creds_with_creds() helper functions
       via  826b0f7 auth/credentials: add cli_credentials_set_utf16_password()
       via  153938a auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
       via  6ec32d7 auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
       via  c257b14 nsswitch/wbinfo: allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'
       via  f80f585 nsswitch: allow passing the domain name to wbcPingDC[2]()
       via  a44e8a3 s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send()
       via  8a40669 s3:winbindd: report our own name for PING_DC and internal domains
       via  89cc31f wafsamba: check for rpath compiler/linker flags
       via  76fdcf5 wafsamba: fill PRIVATE_NAME() logic again
       via  575b093 nsswitch: fix soname of linux nss_*.so.2 modules
       via  4eb24fa selftest: use shared/libnss_wrapper_winbind.so.2
       via  82e583b wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
       via  e0bf5dd ctdb-daemon: Use correct tdb flags when enabling robust mutex support
      from  a1a90f7 tdb: version 1.3.4

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8dd37327b02eaea33915a9cd206667981b8df872
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:48:27 2014 +0100

    s4:kdc: add aes key support for trusted domains
    
    We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104

commit ec7351184f136990e96e10da98f0298c81699beb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:47:50 2014 +0100

    s4:rpc_server/lsa: fix segfault in check_ft_info()
    
    This is triggered by lsa_lsaRSetForestTrustInformation()
    with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME.
    
    The nb_name variable was uninitialized and dereferenced without checking.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 1e74ab337ccfe2fb8b456d070a6583d4cb67aa18
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:37:17 2014 +0100

    s4:rpc_server/lsa: remove unused allow_warnings=True
    
    We compile without warnings now.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 2c9254545224bec3ace135603388f19f1e02ea71
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:33:38 2014 +0100

    s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.
    
    When the LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flag is cleared
    we should also remove the related credentials.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 1d6e9e5e5879f0da5831fea7637be507b01b09de
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:03:49 2014 +0100

    s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()
    
    This requires 'struct lsa_policy_state', we now pass this directly
    instead of an opaque 'struct dcesrv_handle'.
    
    dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle'
    with 'struct lsa_trusted_domain_state' before, which results in segfaults.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 05eb7b52cd7ebcb5bfc873e388c745f8e958c994
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:57:49 2014 +0000

    s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in pdb_samba_dsdb_get_trusteddom_creds()
    
    If both ends have a dns domain, we can use SEC_CHAN_DNS_DOMAIN in order to match
    a Windows DC.
    
    For kerberos we still need to use MY_NETBIOS_DOMAIN$@REMOTE_REALM.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7387678ff518a394d9f837561987af0e90464d6c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:06:56 2014 +0000

    s3:pdb_samba_dsdb: add pdb_samba_dsdb_get_trusteddom_creds
    
    We have the password as raw UTF16 blob, which might not be
    valid utf16, so we need to use cli_credentials_set_utf16_password().
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c5e966d989ceb2209e8572f9cab2b5931286f919
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 13:05:45 2014 +0000

    s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()
    
    This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a601c087b06555c650e9b69e9a831b3aee1c30d8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 08:48:38 2014 +0000

    s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6f718ba1720d1318b08fd3fce293fb9c34a36a45
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 23:17:52 2014 +0000

    s3:winbindd: we only need a netlogon connection to a rwdc if we're a rodc ourself
    
    If we're a member or RWDC there's no need to require talking to a rwdc,
    an rodc will forward the request if required.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 29816c53b28c6c061843e6f8aeef7764d8a78aff
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 23:17:52 2014 +0000

    s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon
    
    We need to call init_dc_connection_rpc() before we can decide if we want to try
    NCACN_IP_TCP.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fb42b02c9f75804bc471c1f88fbda28865d9f01e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 09:19:49 2014 +0000

    s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function
    
    This will simplify the callers and add potential support for SEC_CHAN_DNS_DOMAIN
    as cli_credentials_get_realm() will return the correct value compared to
    cli_credentials_get_domain().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 995cf54b3177cd92b1bce5f34df134122a0200de
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 08:40:49 2014 +0000

    s3:cli_netlogon: add rpccli_{create,setup}_netlogon_creds_with_creds() helper functions
    
    This simplifies the callers, they can just pass in a cli_credentials structure.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 826b0f761e07987fbe067badde665c3d1c99e821
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 13:58:11 2014 +0000

    auth/credentials: add cli_credentials_set_utf16_password()
    
    We need a way to initialize the cli_credentials from the raw utf16 blob,
    which might not be completely valid utf16, which means the conversion
    from CH_UTF16MUNGED to CH_UTF8 might lose information.
    
    This would result in an invalid nt_hash, when we convert back
    from CH_UTF8 to CH_UTF16LE.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 153938a1f2a06fec5b2f7daef12200a504fb92f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 21:49:05 2014 +0000

    auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6ec32d7e127d48c708a53850ad99079fac0dad8e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 18:42:55 2014 +0000

    auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
    
    Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
    backend around, this can only be specified explicitly by the caller
    and cli_credentials_get_netlogon_creds() != NULL is the strong indication
    that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.
    
    With trusts against AD domain we can reliably use kerberos and netlogon
    secure channel for authentication.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c257b14b8b2ff8a1ca29f8a429ce6051c309f512
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 14:03:55 2014 +0000

    nsswitch/wbinfo: allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f80f585d959b03a41434e48ffa31cac842a76ade
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 14:02:18 2014 +0000

    nsswitch: allow passing the domain name to wbcPingDC[2]()
    
    winbindd already supports this.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a44e8a3249f644accc0c115ba0d2e305e3b69f10
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 11:27:21 2014 +0000

    s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send()
    
    We should not try to connect to the given domain from within the winbindd parent.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8a4066930908e82ac593f616ebea67044ff267bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 12:25:55 2014 +0000

    s3:winbindd: report our own name for PING_DC and internal domains
    
    This means "wbinfo --ping-dc" works fine on a DC.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 89cc31f5cf9181f04f3ca1a5f7000ee15a74e86e
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Dec 18 06:37:28 2014 +0100

    wafsamba: check for rpath compiler/linker flags
    
    Older SunOS linkers only support -Wl,-R,/path instead of -Wl,-rpath,/path.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112
    
    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
    
    Signed-off-by: Ralph Boehme <s...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 76fdcf5c15bd904c3686f0c2dd93d27486c61ca4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 15:05:12 2014 +0100

    wafsamba: fill PRIVATE_NAME() logic again
    
    We append bld.env.PRIVATE_EXTENSION to the name of private libraries
    again, but only unless they have an abi_directory, vnum or soname defined.
    
    This avoids naming conflicts with system libraries, e.g. libidmap.so
    on Solaris
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:33:34 2014 +0100

    nsswitch: fix soname of linux nss_*.so.2 modules
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 20:13:44 2014 +0100

    selftest: use shared/libnss_wrapper_winbind.so.2
    
    This library is always available in make test.
    nss-wrapper strictly requires the linux nss api.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 82e583b04b04e560c121163850d70c52d2fce78d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:21:30 2014 +0100

    wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e0bf5dd4566785b41ad1fa0492a9f215639f1685
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Thu Dec 11 13:16:47 2014 +1100

    ctdb-daemon: Use correct tdb flags when enabling robust mutex support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11000
    
    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c        |  13 +-
 auth/credentials/credentials.h        |   3 +
 auth/credentials/credentials_ntlm.c   |  55 +++++++-
 auth/gensec/gensec_start.c            |   8 ++
 auth/gensec/schannel.c                |  27 ++--
 buildtools/wafsamba/samba_bundled.py  |  16 ++-
 buildtools/wafsamba/wafsamba.py       |  15 +-
 buildtools/wafsamba/wscript           |   4 +
 ctdb/client/ctdb_client.c             |  30 +++-
 ctdb/server/ctdb_lock.c               |  30 +++-
 ctdb/server/ctdb_lock_helper.c        |  28 ++--
 ctdb/server/ctdb_ltdb_server.c        |   4 +-
 nsswitch/libwbclient/tests/wbclient.c |  40 +++++-
 nsswitch/libwbclient/wbc_pam.c        |  14 +-
 nsswitch/wbinfo.c                     |  17 ++-
 nsswitch/wscript_build                |  24 +++-
 selftest/target/Samba.pm              |   2 +-
 source3/passdb/pdb_samba_dsdb.c       | 253 +++++++++++++++++++++++++++++++++-
 source3/rpc_client/cli_netlogon.c     |  54 ++++++++
 source3/rpc_client/cli_netlogon.h     |  11 ++
 source3/rpc_client/cli_pipe.c         |  86 ++++++++++++
 source3/rpc_client/cli_pipe.h         |   7 +
 source3/winbindd/winbindd_cm.c        |  96 +++++++------
 source3/winbindd/winbindd_ping_dc.c   |  24 +++-
 source3/wscript_build                 |   7 -
 source4/kdc/db-glue.c                 | 185 ++++++++++++++++++++-----
 source4/rpc_server/lsa/dcesrv_lsa.c   |  41 +++---
 source4/rpc_server/wscript_build      |   1 -
 source4/selftest/tests.py             |   2 +-
 29 files changed, 920 insertions(+), 177 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 78b5955..a9e4fc8 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -496,24 +496,27 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct 
cli_credentials *cred,
 _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct 
cli_credentials *cred,
                                                           TALLOC_CTX *mem_ctx)
 {
-       const char *password = cli_credentials_get_password(cred);
+       const char *password = NULL;
 
-       if (password) {
+       if (cred->nt_hash != NULL) {
                struct samr_Password *nt_hash = talloc(mem_ctx, struct 
samr_Password);
                if (!nt_hash) {
                        return NULL;
                }
 
-               E_md4hash(password, nt_hash->hash);    
+               *nt_hash = *cred->nt_hash;
 
                return nt_hash;
-       } else if (cred->nt_hash != NULL) {
+       }
+
+       password = cli_credentials_get_password(cred);
+       if (password) {
                struct samr_Password *nt_hash = talloc(mem_ctx, struct 
samr_Password);
                if (!nt_hash) {
                        return NULL;
                }
 
-               *nt_hash = *cred->nt_hash;
+               E_md4hash(password, nt_hash->hash);
 
                return nt_hash;
        }
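Review bot: In cli_credentials_get_nt_hash() the stored cred->nt_hash now takes precedence over the password, so a hash left over from an earlier call is returned even after the password has been replaced, unless every password setter also resets cred->nt_hash. That reset is not visible in this hunk; please confirm it exists and state the new precedence in the function comment. The two branches also repeat the same talloc, NULL check and return sequence and could share a single allocation.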
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 2da47d2..814f016 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -191,6 +191,9 @@ enum netr_SchannelType 
cli_credentials_get_secure_channel_type(struct cli_creden
 time_t cli_credentials_get_password_last_changed_time(struct cli_credentials 
*cred);
 void cli_credentials_set_kvno(struct cli_credentials *cred,
                              int kvno);
+bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
+                                       const DATA_BLOB *password_utf16,
+                                       enum credentials_obtained obtained);
 bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained);
diff --git a/auth/credentials/credentials_ntlm.c 
b/auth/credentials/credentials_ntlm.c
index 8c6be39..5e9aeed 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -214,7 +214,60 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct 
cli_credentials *cred
        }
        return NT_STATUS_OK;
 }
-       
+
+/*
+ * Set a utf16 password on the credentials context, including an indication
+ * of 'how' the password was obtained
+ *
+ * This is required because the nt_hash is calculated over the raw utf16 blob,
+ * which might not be completely valid utf16, which means the conversion
+ * from CH_UTF16MUNGED to CH_UTF8 might loose information.
+ */
+_PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred,
+                                                const DATA_BLOB 
*password_utf16,
+                                                enum credentials_obtained 
obtained)
+{
+       if (password_utf16 == NULL) {
+               return cli_credentials_set_password(cred, NULL, obtained);
+       }
+
+       if (obtained >= cred->password_obtained) {
+               struct samr_Password *nt_hash = NULL;
+               char *password_talloc = NULL;
+               size_t password_len = 0;
+               bool ok;
+
+               nt_hash = talloc(cred, struct samr_Password);
+               if (nt_hash == NULL) {
+                       return false;
+               }
+
+               ok = convert_string_talloc(cred,
+                                          CH_UTF16MUNGED, CH_UTF8,
+                                          password_utf16->data,
+                                          password_utf16->length,
+                                          (void *)&password_talloc,
+                                          &password_len);
+               if (!ok) {
+                       TALLOC_FREE(nt_hash);
+                       return false;
+               }
+
+               ok = cli_credentials_set_password(cred, password_talloc, 
obtained);
+               TALLOC_FREE(password_talloc);
+               if (!ok) {
+                       TALLOC_FREE(nt_hash);
+                       return false;
+               }
+
+               mdfour(nt_hash->hash, password_utf16->data, 
password_utf16->length);
+               cred->nt_hash = nt_hash;
+               return true;
+       }
+
+       return false;
+}
+
 _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred,
                                 const struct samr_Password *nt_hash, 
                                 enum credentials_obtained obtained)
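Review bot: In cli_credentials_set_utf16_password() the UTF-8 copy held in password_talloc is released with TALLOC_FREE() without being cleared, so a plaintext copy of the trust password is left in freed heap memory; wipe it before freeing, password_len is already at hand for that. Allocating nt_hash only after cli_credentials_set_password() has succeeded would remove both TALLOC_FREE(nt_hash) error paths. The trailing return false for obtained < cred->password_obtained cannot be told apart from an allocation or conversion failure by the caller, which the function comment should mention.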
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a..955cc36 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops 
**gensec_use_kerberos_mechs(TALLOC_CTX
        const struct gensec_security_ops **new_gensec_list;
        int i, j, num_mechs_in;
        enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+       bool keep_schannel = false;
 
        if (creds) {
                use_kerberos = cli_credentials_get_kerberos_state(creds);
+               if (cli_credentials_get_netlogon_creds(creds) != NULL) {
+                       keep_schannel = true;
+               }
        }
 
        for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; 
num_mechs_in++) {
@@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops 
**gensec_use_kerberos_mechs(TALLOC_CTX
                        }
                }
 
+               if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) 
{
+                       keep = keep_schannel;
+               }
+
                switch (use_kerberos) {
                case CRED_AUTO_USE_KERBEROS:
                        keep = true;
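Review bot: The new keep = keep_schannel assignment sits before switch (use_kerberos), and the first case visible here, CRED_AUTO_USE_KERBEROS, sets keep = true unconditionally, so keep_schannel == false does not actually drop the SCHANNEL backend in that mode. If the intent is only to force-keep SCHANNEL when netlogon creds are present, say so in a comment, or move the check after the switch in the form if (keep_schannel) keep = true so the precedence is obvious to the next reader.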
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index ee23e77..9b28c45 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -459,7 +459,7 @@ static NTSTATUS schannel_update(struct gensec_security 
*gensec_security, TALLOC_
                struct schannel_state);
        NTSTATUS status;
        enum ndr_err_code ndr_err;
-       struct NL_AUTH_MESSAGE bind_schannel;
+       struct NL_AUTH_MESSAGE bind_schannel = {};
        struct NL_AUTH_MESSAGE bind_schannel_ack;
        struct netlogon_creds_CredentialState *creds;
        const char *workstation;
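Review bot: struct NL_AUTH_MESSAGE bind_schannel = {}; uses an empty initializer list, which is a GNU extension and not valid C99 or C11, so other compilers may reject it; ZERO_STRUCT(bind_schannel) or a designated initializer such as { .MessageType = 0 } zeroes the struct portably. bind_schannel_ack on the following line stays uninitialized, which is worth a look for the same reason this one is now zeroed.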
@@ -486,26 +486,19 @@ static NTSTATUS schannel_update(struct gensec_security 
*gensec_security, TALLOC_
                }
 
                bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
-#if 0
-               /* to support this we'd need to have access to the full domain 
name */
-               /* 0x17, 23 */
-               bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-                                     NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-                                     NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-                                     NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-               bind_schannel.oem_netbios_domain.a = 
cli_credentials_get_domain(gensec_security->credentials);
-               bind_schannel.oem_netbios_computer.a = creds->computer_name;
-               bind_schannel.utf8_dns_domain = 
cli_credentials_get_realm(gensec_security->credentials);
-               /* w2k3 refuses us if we use the full DNS workstation?
-                why? perhaps because we don't fill in the dNSHostName
-                attribute in the machine account? */
-               bind_schannel.utf8_netbios_computer = creds->computer_name;
-#else
+
                bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
                                      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
                bind_schannel.oem_netbios_domain.a = 
cli_credentials_get_domain(gensec_security->credentials);
                bind_schannel.oem_netbios_computer.a = creds->computer_name;
-#endif
+
+               if (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+                       bind_schannel.Flags |= NL_FLAG_UTF8_DNS_DOMAIN_NAME;
+                       bind_schannel.utf8_dns_domain.u = 
cli_credentials_get_realm(gensec_security->credentials);
+
+                       bind_schannel.Flags |= 
NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+                       bind_schannel.utf8_netbios_computer.u = 
creds->computer_name;
+               }
 
                ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
                                               
(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
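Review bot: In the SEC_CHAN_DNS_DOMAIN branch the result of cli_credentials_get_realm() is stored in utf8_dns_domain.u and NL_FLAG_UTF8_DNS_DOMAIN_NAME is set without a NULL check, so credentials that carry no realm would hand a NULL string with its flag set to ndr_push_NL_AUTH_MESSAGE. Check the return value and either fail the bind or leave the flag off. The removed #if 0 block also carried a remark about w2k3 refusing a full DNS workstation name; since utf8_netbios_computer still uses creds->computer_name, a one-line comment keeping that reasoning would help.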
diff --git a/buildtools/wafsamba/samba_bundled.py 
b/buildtools/wafsamba/samba_bundled.py
index 45946d5..515590f 100644
--- a/buildtools/wafsamba/samba_bundled.py
+++ b/buildtools/wafsamba/samba_bundled.py
@@ -7,11 +7,25 @@ from samba_utils import *
 def PRIVATE_NAME(bld, name, private_extension, private_library):
     '''possibly rename a library to include a bundled extension'''
 
+    if not private_library:
+        return name
+
     # we now use the same private name for libraries as the public name.
     # see http://git.samba.org/?p=tridge/junkcode.git;a=tree;f=shlib for a
     # demonstration that this is the right thing to do
     # also see 
http://lists.samba.org/archive/samba-technical/2011-January/075816.html
-    return name
+    if private_extension:
+        return name
+
+    extension = bld.env.PRIVATE_EXTENSION
+
+    if extension and name.startswith('%s' % extension):
+        return name
+
+    if extension and name.endswith('%s' % extension):
+        return name
+
+    return "%s-%s" % (name, extension)
 
 
 def target_in_list(target, lst, default):
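Review bot: The final return "%s-%s" % (name, extension) is still reached when bld.env.PRIVATE_EXTENSION is empty or unset, because both guards above only fire when extension is truthy; the library name then ends in a bare "-" or a formatted empty value. Add an early "if not extension: return name". The early return on a true private_extension reads inverted against the parameter name, and the retained comment saying the private name equals the public name no longer matches what the function does, so both need a corrected comment. '%s' % extension can simply be extension.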
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 020516b..5fef9be 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -110,6 +110,7 @@ def SAMBA_LIBRARY(bld, libname, source,
                   ldflags='',
                   external_library=False,
                   realname=None,
+                  keep_underscore=False,
                   autoproto=None,
                   autoproto_extra_source='',
                   group='main',
@@ -123,7 +124,7 @@ def SAMBA_LIBRARY(bld, libname, source,
                   pyembed=False,
                   pyext=False,
                   target_type='LIBRARY',
-                  bundled_extension=True,
+                  bundled_extension=False,
                   link_name=None,
                   abi_directory=None,
                   abi_match=None,
@@ -212,10 +213,16 @@ def SAMBA_LIBRARY(bld, libname, source,
                        libname)
 
     if target_type == 'PYTHON' or realname or not private_library:
-        bundled_name = libname.replace('_', '-')
+        if keep_underscore:
+            bundled_name = libname
+        else:
+            bundled_name = libname.replace('_', '-')
     else:
-        bundled_name = PRIVATE_NAME(bld, libname, bundled_extension,
-            private_library)
+        assert (private_library == True and realname is None)
+        if abi_directory or vnum or soname:
+            bundled_extension=True
+        bundled_name = PRIVATE_NAME(bld, libname.replace('_', '-'),
+                                    bundled_extension, private_library)
 
     ldflags = TO_LIST(ldflags)
 
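Review bot: assert (private_library == True and realname is None) in the else branch is stricter than the condition that leads there: the branch is taken for any truthy private_library and any falsy realname, so a caller passing private_library=1 or realname='' aborts the build with a bare AssertionError. Either drop the assert or raise an error that names libname. The following bundled_extension=True also silently overrides whatever the caller passed whenever abi_directory, vnum or soname is set, and together with the default flipping from True to False above this deserves a docstring line explaining what the parameter now means.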
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 1a2cfe6..1a30d2f 100755
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -295,6 +295,10 @@ def configure(conf):
                     headers='stdio.h',
                     msg='Checking simple C program')
 
+    # check which compiler/linker flags are needed for rpath support
+    if not conf.CHECK_LDFLAGS(['-Wl,-rpath,.']) and 
conf.CHECK_LDFLAGS(['-Wl,-R,.']):
+        conf.env['RPATH_ST'] = '-Wl,-R,%s'
+
     # check for rpath
     if conf.CHECK_LIBRARY_SUPPORT(rpath=True):
         support_rpath = True
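Review bot: When neither -Wl,-rpath,. nor -Wl,-R,. is accepted, the new check leaves RPATH_ST untouched and reports nothing, so the problem only shows up in the CHECK_LIBRARY_SUPPORT(rpath=True) test below. Record the outcome explicitly, for example by logging which form was selected, and extend the comment to say that the -R form is for the older SunOS linker so the fallback is not removed later as dead code.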
diff --git a/ctdb/client/ctdb_client.c b/ctdb/client/ctdb_client.c
index 07b17d0..da18826 100644
--- a/ctdb/client/ctdb_client.c
+++ b/ctdb/client/ctdb_client.c
@@ -1928,7 +1928,7 @@ int ctdb_ctrl_createdb(struct ctdb_context *ctdb, struct 
timeval timeout, uint32
 
 #ifdef TDB_MUTEX_LOCKING
        if (!persistent && ctdb->tunable.mutex_enabled == 1) {
-               tdb_flags |= TDB_MUTEX_LOCKING;
+               tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST);
        }
 #endif
 
@@ -2055,6 +2055,9 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context 
*ctdb,
        TDB_DATA data;
        int ret;
        int32_t res;
+#ifdef TDB_MUTEX_LOCKING
+       uint32_t mutex_enabled = 0;
+#endif
 
        ctdb_db = ctdb_db_handle(ctdb, name);
        if (ctdb_db) {
@@ -2080,8 +2083,18 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context 
*ctdb,
        }
 
 #ifdef TDB_MUTEX_LOCKING
-       if (!persistent && ctdb->tunable.mutex_enabled == 1) {
-               tdb_flags |= TDB_MUTEX_LOCKING;
+       if (!persistent) {
+               ret = ctdb_ctrl_get_tunable(ctdb, timeval_current_ofs(3,0),
+                                           CTDB_CURRENT_NODE,
+                                           "TDBMutexEnabled",
+                                           &mutex_enabled);
+               if (ret != 0) {
+                       DEBUG(DEBUG_WARNING, ("Assuming no mutex support.\n"));
+               }
+
+               if (mutex_enabled == 1) {
+                       tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST);
+               }
        }
 #endif
 
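Review bot: In ctdb_attach() a failing ctdb_ctrl_get_tunable() is only logged as "Assuming no mutex support." and the code continues with mutex_enabled == 0, so if the daemon does have TDBMutexEnabled set, client and daemon would open the same tdb with different locking flags. Consider failing the attach instead of guessing, and include the database name and ret in the message. ctdb_ctrl_createdb() in the first hunk still tests ctdb->tunable.mutex_enabled rather than asking the daemon, so the two paths can disagree, and the 3 second timeout is a bare literal.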
@@ -2105,7 +2118,16 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context 
*ctdb,
                return NULL;
        }
 
-       tdb_flags = persistent?TDB_DEFAULT:TDB_NOSYNC;
+       if (persistent) {
+               tdb_flags = TDB_DEFAULT;
+       } else {
+               tdb_flags = TDB_NOSYNC;
+#ifdef TDB_MUTEX_LOCKING
+               if (mutex_enabled) {
+                       tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST);
+               }
+#endif
+       }
        if (ctdb->valgrinding) {
                tdb_flags |= TDB_NOMMAP;
        }
diff --git a/ctdb/server/ctdb_lock.c b/ctdb/server/ctdb_lock.c
index 22a88b3..7959d40 100644
--- a/ctdb/server/ctdb_lock.c
+++ b/ctdb/server/ctdb_lock.c
@@ -544,11 +544,23 @@ static int db_count_handler(struct ctdb_db_context 
*ctdb_db, uint32_t priority,
 {
        int *count = (int *)private_data;
 
-       (*count)++;
+       (*count) += 2;
 
        return 0;
 }
 
+static int db_flags(struct ctdb_db_context *ctdb_db)
+{
+       int tdb_flags = TDB_DEFAULT;
+
+#ifdef TDB_MUTEX_LOCKING
+       if (!ctdb_db->persistent && ctdb_db->ctdb->tunable.mutex_enabled) {
+               tdb_flags = (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST);
+       }
+#endif
+       return tdb_flags;
+}
+
 struct db_namelist {
        const char **names;
        int n;
@@ -560,7 +572,9 @@ static int db_name_handler(struct ctdb_db_context *ctdb_db, 
uint32_t priority,
        struct db_namelist *list = (struct db_namelist *)private_data;
 
        list->names[list->n] = talloc_strdup(list->names, ctdb_db->db_path);
-       list->n++;
+       list->names[list->n+1] = talloc_asprintf(list->names, "0x%x",
+                                                db_flags(ctdb_db));
+       list->n += 2;
 
        return 0;
 }
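Review bot: the result of talloc_asprintf() stored in `list->names[list->n+1]` is not checked for NULL, and neither is the talloc_strdup() before it. If these entries end up in the helper's argv, a NULL flags slot would terminate the argument vector early and the helper would see a path with no flags after it. Either return an error from the handler on allocation failure or confirm that the caller validates every entry before exec; that check is not visible in this hunk.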
@@ -577,11 +591,11 @@ static bool lock_helper_args(TALLOC_CTX *mem_ctx,
 
        switch (lock_ctx->type) {
        case LOCK_RECORD:
-               nargs = 5;
+               nargs = 6;
                break;
 
        case LOCK_DB:
-               nargs = 4;
+               nargs = 5;
                break;
 
        case LOCK_ALLDB_PRIO:
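Review bot: `nargs = 6` and `nargs = 5` are bare counts that must stay in step with the `args[]` indices filled in further down, and this patch shows how easily they shift. A comment listing the slots each count covers (for example that the RECORD case now carries a flags argument between path and key) would make the next change to the argument layout less error-prone.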
@@ -612,16 +626,20 @@ static bool lock_helper_args(TALLOC_CTX *mem_ctx,
        case LOCK_RECORD:
                args[2] = talloc_strdup(args, "RECORD");
                args[3] = talloc_strdup(args, lock_ctx->ctdb_db->db_path);
+               args[4] = talloc_asprintf(args, "0x%x",
+                                         db_flags(lock_ctx->ctdb_db));
                if (lock_ctx->key.dsize == 0) {
-                       args[4] = talloc_strdup(args, "NULL");
+                       args[5] = talloc_strdup(args, "NULL");
                } else {
-                       args[4] = hex_encode_talloc(args, lock_ctx->key.dptr, 
lock_ctx->key.dsize);
+                       args[5] = hex_encode_talloc(args, lock_ctx->key.dptr, 
lock_ctx->key.dsize);
                }
                break;
 
        case LOCK_DB:
                args[2] = talloc_strdup(args, "DB");
                args[3] = talloc_strdup(args, lock_ctx->ctdb_db->db_path);
+               args[4] = talloc_asprintf(args, "0x%x",
+                                         db_flags(lock_ctx->ctdb_db));
                break;
 
        case LOCK_ALLDB_PRIO:
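Review bot: `talloc_asprintf(args, "0x%x", db_flags(...))` passes an `int` to a `%x` conversion, which expects `unsigned int`, and the helper reads the value back with strtol() into an `int`. Having db_flags() return `unsigned int`, or casting at the call, would keep the types consistent on both sides. The two identical `args[4] = ...` assignments in the LOCK_RECORD and LOCK_DB cases could also share one small function so the format string is defined once.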
diff --git a/ctdb/server/ctdb_lock_helper.c b/ctdb/server/ctdb_lock_helper.c
index 2161a9a..7a09ecf 100644
--- a/ctdb/server/ctdb_lock_helper.c
+++ b/ctdb/server/ctdb_lock_helper.c
@@ -36,9 +36,9 @@ static void send_result(int fd, char result)
 static void usage(void)
 {
        fprintf(stderr, "\n");
-       fprintf(stderr, "Usage: %s <log-fd> <ctdbd-pid> <output-fd> RECORD 
<db-path> <db-key>\n",
+       fprintf(stderr, "Usage: %s <log-fd> <ctdbd-pid> <output-fd> RECORD 
<db-path> <db-flags> <db-key>\n",
                progname);
-       fprintf(stderr, "       %s <log-fd> <ctdbd-pid> <output-fd> DB 
<db1-path> [<db2-path> ...]\n",
+       fprintf(stderr, "       %s <log-fd> <ctdbd-pid> <output-fd> DB 
<db1-path> <db1-flags> [<db2-path> <db2-flags>...]\n",
                progname);
 }
 
@@ -59,10 +59,14 @@ static uint8_t *hex_decode_talloc(TALLOC_CTX *mem_ctx,
        return buffer;
 }
 
-static int lock_record(const char *dbpath, const char *dbkey)
+static int lock_record(const char *dbpath, const char *dbflags, const char 
*dbkey)
 {
        TDB_DATA key;
        struct tdb_context *tdb;
+       int tdb_flags;
+
+       /* No error checking since CTDB always passes sane values */
+       tdb_flags = strtol(dbflags, NULL, 0);
 
        /* Convert hex key to key */
        if (strcmp(dbkey, "NULL") == 0) {
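Review bot: `tdb_flags = strtol(dbflags, NULL, 0);` silently yields 0 for an unparsable string and truncates a `long` into an `int`, and the comment justifies this by trusting the caller. The helper is a separate executable and argv is its input boundary. A flags value of 0 would open the database with default locking while the daemon may be using mutexes, so a bad argument turns into a lock that excludes nothing rather than an error. Please pass an end pointer, check `errno` and that the whole string was consumed, and exit with a message on failure.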
@@ -72,7 +76,7 @@ static int lock_record(const char *dbpath, const char *dbkey)
                key.dptr = hex_decode_talloc(NULL, dbkey, &key.dsize);
        }
 
-       tdb = tdb_open(dbpath, 0, TDB_DEFAULT, O_RDWR, 0600);
+       tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600);
        if (tdb == NULL) {
                fprintf(stderr, "%s: Error opening database %s\n", progname, 
dbpath);
                return 1;
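Review bot: the tdb_open() failure message still prints only the path. Now that the open flags vary per database, a failure caused by the flags is indistinguishable in the log from a missing file. Including `tdb_flags` and `strerror(errno)` in the fprintf() would make a flags mismatch between daemon and helper diagnosable.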
@@ -89,11 +93,15 @@ static int lock_record(const char *dbpath, const char 
*dbkey)
 }
 
 
-static int lock_db(const char *dbpath)
+static int lock_db(const char *dbpath, const char *dbflags)
 {
        struct tdb_context *tdb;
+       int tdb_flags;
+
+       /* No error checking since CTDB always passes sane values */
+       tdb_flags = strtol(dbflags, NULL, 0);
 
-       tdb = tdb_open(dbpath, 0, TDB_DEFAULT, O_RDWR, 0600);
+       tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600);
        if (tdb == NULL) {
                fprintf(stderr, "%s: Error opening database %s\n", progname, 
dbpath);
                return 1;
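Review bot: lock_db() repeats the same unchecked `strtol(dbflags, NULL, 0)` and the same comment that lock_record() gained in this patch. Moving the parsing into one static function that both callers use would give a single place to add validation, and would let tdb_open() be skipped with a clear error when the flags argument is malformed.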
@@ -140,21 +148,21 @@ int main(int argc, char *argv[])
        lock_type = argv[4];
 
        if (strcmp(lock_type, "RECORD") == 0) {
-               if (argc != 7) {
+               if (argc != 8) {
                        fprintf(stderr, "%s: Invalid number of arguments 
(%d)\n",
                                progname, argc);
                        usage();
                        exit(1);
                }
-               result = lock_record(argv[5], argv[6]);
+               result = lock_record(argv[5], argv[6], argv[7]);
 
        } else if (strcmp(lock_type, "DB") == 0) {
                int n;
 
                /* If there are no databases specified, no need for lock */
                if (argc > 5) {
-                       for (n=5; n<argc; n++) {
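Review bot: the RECORD branch checks `argc != 8`, but the DB branch keeps only the `argc > 5` guard, and the replacement for the removed `for (n=5; n<argc; n++)` loop is cut off in this mail. Since the DB arguments are now path/flags pairs, the branch should reject an odd number of trailing arguments (for example by checking `(argc - 5) % 2 == 0`) before calling lock_db(). Otherwise the last path would be paired with `argv[argc]`, which is NULL.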


-- 
Samba Shared Repository
