The branch, master has been updated
       via  8dd3732 s4:kdc: add aes key support for trusted domains
       via  ec73511 s4:rpc_server/lsa: fix segfault in check_ft_info()
       via  1e74ab3 s4:rpc_server/lsa: remove unused allow_warnings=True
       via  2c92545 s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.
       via  1d6e9e5 s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()
       via  05eb7b5 s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in pdb_samba_dsdb_get_trusteddom_creds()
       via  7387678 s3:pdb_samba_dsdb: add pdb_samba_dsdb_get_trusteddom_creds
       via  c5e966d s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()
       via  a601c08 s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()
       via  6f718ba s3:winbindd: we only need a an netlogon connection to a rwdc if we're a rodc ourself
       via  29816c5 s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon
       via  fb42b02 s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function
       via  995cf54 s3:cli_netlogon: add rpccli_{create,setup}_netlogon_creds_with_creds() helper functions
       via  826b0f7 auth/credentials: add cli_credentials_set_utf16_password()
       via  153938a auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
       via  6ec32d7 auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
       via  c257b14 nsswitch/wbinfo: allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'
       via  f80f585 nsswitch: allow passing the domain name to wbcPingDC[2]()
       via  a44e8a3 s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send()
       via  8a40669 s3:winbindd: report our own name for PING_DC and internal domains
       via  89cc31f wafsamba: check for rpath compiler/linker flags
       via  76fdcf5 wafsamba: fill PRIVATE_NAME() logic again
       via  575b093 nsswitch: fix soname of linux nss_*.so.2 modules
       via  4eb24fa selftest: use shared/libnss_wrapper_winbind.so.2
       via  82e583b wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()
       via  e0bf5dd ctdb-daemon: Use correct tdb flags when enabling robust mutex support
      from  a1a90f7 tdb: version 1.3.4

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8dd37327b02eaea33915a9cd206667981b8df872
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:48:27 2014 +0100

    s4:kdc: add aes key support for trusted domains

    We have a look at "msDS-SupportedEncryptionTypes" and >= DS_DOMAIN_FUNCTION_2008

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Fri Dec 19 15:39:40 CET 2014 on sn-devel-104

commit ec7351184f136990e96e10da98f0298c81699beb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:47:50 2014 +0100

    s4:rpc_server/lsa: fix segfault in check_ft_info()

    This is triggered by lsa_lsaRSetForestTrustInformation()
    with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME.

    The nb_name variable was uninitialized and dereferenced without checking.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 1e74ab337ccfe2fb8b456d070a6583d4cb67aa18
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:37:17 2014 +0100

    s4:rpc_server/lsa: remove unused allow_warnings=True

    We compile without warnings now.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 2c9254545224bec3ace135603388f19f1e02ea71
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:33:38 2014 +0100

    s4:rpc_server/lsa: remove trustAuthIncoming/trustAuthOutgoing when the related flag is removed.

    When the LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flag
    is cleared we should also remove the related credentials.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 1d6e9e5e5879f0da5831fea7637be507b01b09de
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 15 16:03:49 2014 +0100

    s4:rpc_server/lsa: pass the correct variable to setInfoTrustedDomain_base()

    This requires 'struct lsa_policy_state', we now pass this directly
    instead of an opaque 'struct dcesrv_handle'.

    dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle'
    with 'struct lsa_trusted_domain_state' before, which results in segfaults.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 05eb7b52cd7ebcb5bfc873e388c745f8e958c994
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:57:49 2014 +0000

    s3:pdb_samba_dsdb: use SEC_CHAN_DNS_DOMAIN in pdb_samba_dsdb_get_trusteddom_creds()

    If both ends have a dns domain, we can use SEC_CHAN_DNS_DOMAIN
    in order to match a Windows DC.

    For kerberos we still need to use MY_NETBIOS_DOMAIN$@REMOTE_REALM.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7387678ff518a394d9f837561987af0e90464d6c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 15:06:56 2014 +0000

    s3:pdb_samba_dsdb: add pdb_samba_dsdb_get_trusteddom_creds

    We have the password as raw UTF16 blob, which might not be valid utf16,
    so we need to use cli_credentials_set_utf16_password().

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c5e966d989ceb2209e8572f9cab2b5931286f919
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 13:05:45 2014 +0000

    s3:winbindd: make use of cli_rpc_pipe_open_schannel_with_creds()

    This way we pass down enough information for SEC_CHAN_DNS_DOMAIN to work.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a601c087b06555c650e9b69e9a831b3aee1c30d8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 08:48:38 2014 +0000

    s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds_with_creds()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6f718ba1720d1318b08fd3fce293fb9c34a36a45
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 23:17:52 2014 +0000

    s3:winbindd: we only need a an netlogon connection to a rwdc if we're a rodc ourself

    If we're a member or RWDC there's no need to require talking to a rwdc,
    an rodc will forward the request if required.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 29816c53b28c6c061843e6f8aeef7764d8a78aff
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 23:17:52 2014 +0000

    s3:winbindd: make sure we try to use NCACN_IP_TCP in cm_connect_netlogon

    We need to call init_dc_connection_rpc() before we can decide
    if we want to try NCACN_IP_TCP.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fb42b02c9f75804bc471c1f88fbda28865d9f01e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 09:19:49 2014 +0000

    s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function

    This will simplify the callers and add potential support for
    SEC_CHAN_DNS_DOMAIN as cli_credentials_get_realm() will return
    the correct value compared to cli_credentials_get_domain().

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 995cf54b3177cd92b1bce5f34df134122a0200de
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 08:40:49 2014 +0000

    s3:cli_netlogon: add rpccli_{create,setup}_netlogon_creds_with_creds() helper functions

    This simplifies the callers, they can just pass in a cli_credentials structure.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 826b0f761e07987fbe067badde665c3d1c99e821
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 13:58:11 2014 +0000

    auth/credentials: add cli_credentials_set_utf16_password()

    We need a way to initialize the cli_credentials from the raw utf16 blob,
    which might not be completely valid utf16, which means the conversion
    from CH_UTF16MUNGED to CH_UTF8 might lose information.

    This would result in an invalid nt_hash, when we convert back
    from CH_UTF8 to CH_UTF16LE.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=11016

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 153938a1f2a06fec5b2f7daef12200a504fb92f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 21:49:05 2014 +0000

    auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6ec32d7e127d48c708a53850ad99079fac0dad8e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 17 18:42:55 2014 +0000

    auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required

    Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
    backend around, this can only be specified explicitly by the caller
    and cli_credentials_get_netlogon_creds() != NULL is the strong indication
    that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

    With trusts against AD domain we can reliably use kerberos and netlogon
    secure channel for authentication.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c257b14b8b2ff8a1ca29f8a429ce6051c309f512
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 14:03:55 2014 +0000

    nsswitch/wbinfo: allow 'wbinfo --ping-dc --domain=SOMEDOMAIN'

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f80f585d959b03a41434e48ffa31cac842a76ade
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 14:02:18 2014 +0000

    nsswitch: allow passing the domain name to wbcPingDC[2]()

    winbindd already supports this.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a44e8a3249f644accc0c115ba0d2e305e3b69f10
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 16 11:27:21 2014 +0000

    s3:winbindd: use find_domain_from_name_noinit() in winbindd_ping_dc_send()

    We should not try to connect to the given domain from within the winbindd parent.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8a4066930908e82ac593f616ebea67044ff267bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 10 12:25:55 2014 +0000

    s3:winbindd: report our own name for PING_DC and internal domains

    This means "wbinfo --ping-dc" works fine on a DC.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 89cc31f5cf9181f04f3ca1a5f7000ee15a74e86e
Author: Ralph Boehme <s...@samba.org>
Date:   Thu Dec 18 06:37:28 2014 +0100

    wafsamba: check for rpath compiler/linker flags

    Older SunOS linkers only support -Wl,-R,/path instead of -Wl,-rpath,/path.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 76fdcf5c15bd904c3686f0c2dd93d27486c61ca4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 15:05:12 2014 +0100

    wafsamba: fill PRIVATE_NAME() logic again

    We append bld.env.PRIVATE_EXTENSION to the name of private libraries again,
    but only unless they have an abi_directory, vnum or soname defined.

    This avoids naming conflicts with system libraries, e.g. libidmap.so on Solaris

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10112

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 575b093dac3c509b1bfaab0b4ad29b9b4214e487
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:33:34 2014 +0100

    nsswitch: fix soname of linux nss_*.so.2 modules

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4eb24fa545234be506eb1330ccbbfd5c2b9e0d82
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 20:13:44 2014 +0100

    selftest: use shared/libnss_wrapper_winbind.so.2

    This library is always available in make test.
    nss-wrapper strictly requires the linux nss api.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 82e583b04b04e560c121163850d70c52d2fce78d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Dec 18 10:21:30 2014 +0100

    wafsamba: add optional keep_underscore=True to SAMBA_LIBRARY()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e0bf5dd4566785b41ad1fa0492a9f215639f1685
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Thu Dec 11 13:16:47 2014 +1100

    ctdb-daemon: Use correct tdb flags when enabling robust mutex support

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11000
    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.c        |   13 +-
 auth/credentials/credentials.h        |    3 +
 auth/credentials/credentials_ntlm.c   |   55 +++++++-
 auth/gensec/gensec_start.c            |    8 ++
 auth/gensec/schannel.c                |   27 ++--
 buildtools/wafsamba/samba_bundled.py  |   16 ++-
 buildtools/wafsamba/wafsamba.py       |   15 +-
 buildtools/wafsamba/wscript           |    4 +
 ctdb/client/ctdb_client.c             |   30 +++-
 ctdb/server/ctdb_lock.c               |   30 +++-
 ctdb/server/ctdb_lock_helper.c        |   28 ++--
 ctdb/server/ctdb_ltdb_server.c        |    4 +-
 nsswitch/libwbclient/tests/wbclient.c |   40 +++++-
 nsswitch/libwbclient/wbc_pam.c        |   14 +-
 nsswitch/wbinfo.c                     |   17 ++-
 nsswitch/wscript_build                |   24 +++-
 selftest/target/Samba.pm              |    2 +-
 source3/passdb/pdb_samba_dsdb.c       |  253 +++++++++++++++++++++++++++++++++-
 source3/rpc_client/cli_netlogon.c     |   54 ++++++++
 source3/rpc_client/cli_netlogon.h     |   11 ++
 source3/rpc_client/cli_pipe.c         |   86 ++++++++++++
 source3/rpc_client/cli_pipe.h         |    7 +
 source3/winbindd/winbindd_cm.c        |   96 +++++++------
 source3/winbindd/winbindd_ping_dc.c   |   24 +++-
 source3/wscript_build                 |    7 -
 source4/kdc/db-glue.c                 |  185 ++++++++++++++++++++-----
 source4/rpc_server/lsa/dcesrv_lsa.c   |   41 +++---
 source4/rpc_server/wscript_build      |    1 -
 source4/selftest/tests.py             |    2 +-
 29 files changed, 920 insertions(+), 177 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 78b5955..a9e4fc8 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c
@@ -496,24 +496,27 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred, _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, TALLOC_CTX *mem_ctx) { - const char *password = cli_credentials_get_password(cred); + const char *password = NULL; - if (password) { + if (cred->nt_hash != NULL) { struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password); if (!nt_hash) { return NULL; } - E_md4hash(password, nt_hash->hash); + *nt_hash = *cred->nt_hash; return nt_hash; - } else if (cred->nt_hash != NULL) { + } + + password = cli_credentials_get_password(cred); + if (password) { struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password); if (!nt_hash) { return NULL; } - *nt_hash = *cred->nt_hash; + E_md4hash(password, nt_hash->hash); return nt_hash; } diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 2da47d2..814f016 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -191,6 +191,9 @@ enum netr_SchannelType cli_credentials_get_secure_channel_type(struct cli_creden time_t cli_credentials_get_password_last_changed_time(struct cli_credentials *cred); void cli_credentials_set_kvno(struct cli_credentials *cred, int kvno); +bool cli_credentials_set_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16, + enum credentials_obtained obtained); bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained); diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index 8c6be39..5e9aeed 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c 
@@ -214,7 +214,60 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred } return NT_STATUS_OK; } - + +/* + * Set a utf16 password on the credentials context, including an indication + * of 'how' the password was obtained + * + * This is required because the nt_hash is calculated over the raw utf16 blob, + * which might not be completely valid utf16, which means the conversion + * from CH_UTF16MUNGED to CH_UTF8 might loose information. + */ +_PUBLIC_ bool cli_credentials_set_utf16_password(struct cli_credentials *cred, + const DATA_BLOB *password_utf16, + enum credentials_obtained obtained) +{ + if (password_utf16 == NULL) { + return cli_credentials_set_password(cred, NULL, obtained); + } + + if (obtained >= cred->password_obtained) { + struct samr_Password *nt_hash = NULL; + char *password_talloc = NULL; + size_t password_len = 0; + bool ok; + + nt_hash = talloc(cred, struct samr_Password); + if (nt_hash == NULL) { + return false; + } + + ok = convert_string_talloc(cred, + CH_UTF16MUNGED, CH_UTF8, + password_utf16->data, + password_utf16->length, + (void *)&password_talloc, + &password_len); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + ok = cli_credentials_set_password(cred, password_talloc, obtained); + TALLOC_FREE(password_talloc); + if (!ok) { + TALLOC_FREE(nt_hash); + return false; + } + + mdfour(nt_hash->hash, password_utf16->data, password_utf16->length); + cred->nt_hash = nt_hash; + return true; + } + + return false; +} + _PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained) diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 9910f1a..955cc36 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c 
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX const struct gensec_security_ops **new_gensec_list; int i, j, num_mechs_in; enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS; + bool keep_schannel = false; if (creds) { use_kerberos = cli_credentials_get_kerberos_state(creds); + if (cli_credentials_get_netlogon_creds(creds) != NULL) { + keep_schannel = true; + } } for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) { @@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX } } + if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + keep = keep_schannel; + } + switch (use_kerberos) { case CRED_AUTO_USE_KERBEROS: keep = true; diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c index ee23e77..9b28c45 100644 --- a/auth/gensec/schannel.c +++ b/auth/gensec/schannel.c @@ -459,7 +459,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ struct schannel_state); NTSTATUS status; enum ndr_err_code ndr_err; - struct NL_AUTH_MESSAGE bind_schannel; + struct NL_AUTH_MESSAGE bind_schannel = {}; struct NL_AUTH_MESSAGE bind_schannel_ack; struct netlogon_creds_CredentialState *creds; const char *workstation; 
@@ -486,26 +486,19 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ } bind_schannel.MessageType = NL_NEGOTIATE_REQUEST; -#if 0 - /* to support this we'd need to have access to the full domain name */ - /* 0x17, 23 */ - bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME | - NL_FLAG_OEM_NETBIOS_COMPUTER_NAME | - NL_FLAG_UTF8_DNS_DOMAIN_NAME | - NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME; - bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials); - bind_schannel.oem_netbios_computer.a = creds->computer_name; - bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials); - /* w2k3 refuses us if we use the full DNS workstation? - why? perhaps because we don't fill in the dNSHostName - attribute in the machine account? */ - bind_schannel.utf8_netbios_computer = creds->computer_name; -#else + bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME | NL_FLAG_OEM_NETBIOS_COMPUTER_NAME; bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials); bind_schannel.oem_netbios_computer.a = creds->computer_name; -#endif + + if (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) { + bind_schannel.Flags |= NL_FLAG_UTF8_DNS_DOMAIN_NAME; + bind_schannel.utf8_dns_domain.u = cli_credentials_get_realm(gensec_security->credentials); + + bind_schannel.Flags |= NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME; + bind_schannel.utf8_netbios_computer.u = creds->computer_name; + } ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel, (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE); diff --git a/buildtools/wafsamba/samba_bundled.py b/buildtools/wafsamba/samba_bundled.py index 45946d5..515590f 100644 --- a/buildtools/wafsamba/samba_bundled.py +++ b/buildtools/wafsamba/samba_bundled.py 
@@ -7,11 +7,25 @@ from samba_utils import * def PRIVATE_NAME(bld, name, private_extension, private_library): '''possibly rename a library to include a bundled extension''' + if not private_library: + return name + # we now use the same private name for libraries as the public name. # see http://git.samba.org/?p=tridge/junkcode.git;a=tree;f=shlib for a # demonstration that this is the right thing to do # also see http://lists.samba.org/archive/samba-technical/2011-January/075816.html - return name + if private_extension: + return name + + extension = bld.env.PRIVATE_EXTENSION + + if extension and name.startswith('%s' % extension): + return name + + if extension and name.endswith('%s' % extension): + return name + + return "%s-%s" % (name, extension) def target_in_list(target, lst, default): diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index 020516b..5fef9be 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -110,6 +110,7 @@ def SAMBA_LIBRARY(bld, libname, source, ldflags='', external_library=False, realname=None, + keep_underscore=False, autoproto=None, autoproto_extra_source='', group='main', @@ -123,7 +124,7 @@ def SAMBA_LIBRARY(bld, libname, source, pyembed=False, pyext=False, target_type='LIBRARY', - bundled_extension=True, + bundled_extension=False, link_name=None, abi_directory=None, abi_match=None, 
@@ -212,10 +213,16 @@ def SAMBA_LIBRARY(bld, libname, source, libname) if target_type == 'PYTHON' or realname or not private_library: - bundled_name = libname.replace('_', '-') + if keep_underscore: + bundled_name = libname + else: + bundled_name = libname.replace('_', '-') else: - bundled_name = PRIVATE_NAME(bld, libname, bundled_extension, - private_library) + assert (private_library == True and realname is None) + if abi_directory or vnum or soname: + bundled_extension=True + bundled_name = PRIVATE_NAME(bld, libname.replace('_', '-'), + bundled_extension, private_library) ldflags = TO_LIST(ldflags) diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript index 1a2cfe6..1a30d2f 100755 --- a/buildtools/wafsamba/wscript +++ b/buildtools/wafsamba/wscript @@ -295,6 +295,10 @@ def configure(conf): headers='stdio.h', msg='Checking simple C program') + # check which compiler/linker flags are needed for rpath support + if not conf.CHECK_LDFLAGS(['-Wl,-rpath,.']) and conf.CHECK_LDFLAGS(['-Wl,-R,.']): + conf.env['RPATH_ST'] = '-Wl,-R,%s' + # check for rpath if conf.CHECK_LIBRARY_SUPPORT(rpath=True): support_rpath = True diff --git a/ctdb/client/ctdb_client.c b/ctdb/client/ctdb_client.c index 07b17d0..da18826 100644 --- a/ctdb/client/ctdb_client.c +++ b/ctdb/client/ctdb_client.c @@ -1928,7 +1928,7 @@ int ctdb_ctrl_createdb(struct ctdb_context *ctdb, struct timeval timeout, uint32 #ifdef TDB_MUTEX_LOCKING if (!persistent && ctdb->tunable.mutex_enabled == 1) { - tdb_flags |= TDB_MUTEX_LOCKING; + tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST); } #endif @@ -2055,6 +2055,9 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context *ctdb, TDB_DATA data; int ret; int32_t res; +#ifdef TDB_MUTEX_LOCKING + uint32_t mutex_enabled = 0; +#endif ctdb_db = ctdb_db_handle(ctdb, name); if (ctdb_db) { 
@@ -2080,8 +2083,18 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context *ctdb, } #ifdef TDB_MUTEX_LOCKING - if (!persistent && ctdb->tunable.mutex_enabled == 1) { - tdb_flags |= TDB_MUTEX_LOCKING; + if (!persistent) { + ret = ctdb_ctrl_get_tunable(ctdb, timeval_current_ofs(3,0), + CTDB_CURRENT_NODE, + "TDBMutexEnabled", + &mutex_enabled); + if (ret != 0) { + DEBUG(DEBUG_WARNING, ("Assuming no mutex support.\n")); + } + + if (mutex_enabled == 1) { + tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST); + } } #endif @@ -2105,7 +2118,16 @@ struct ctdb_db_context *ctdb_attach(struct ctdb_context *ctdb, return NULL; } - tdb_flags = persistent?TDB_DEFAULT:TDB_NOSYNC; + if (persistent) { + tdb_flags = TDB_DEFAULT; + } else { + tdb_flags = TDB_NOSYNC; +#ifdef TDB_MUTEX_LOCKING + if (mutex_enabled) { + tdb_flags |= (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST); + } +#endif + } if (ctdb->valgrinding) { tdb_flags |= TDB_NOMMAP; } diff --git a/ctdb/server/ctdb_lock.c b/ctdb/server/ctdb_lock.c index 22a88b3..7959d40 100644 --- a/ctdb/server/ctdb_lock.c +++ b/ctdb/server/ctdb_lock.c @@ -544,11 +544,23 @@ static int db_count_handler(struct ctdb_db_context *ctdb_db, uint32_t priority, { int *count = (int *)private_data; - (*count)++; + (*count) += 2; return 0; } +static int db_flags(struct ctdb_db_context *ctdb_db) +{ + int tdb_flags = TDB_DEFAULT; + +#ifdef TDB_MUTEX_LOCKING + if (!ctdb_db->persistent && ctdb_db->ctdb->tunable.mutex_enabled) { + tdb_flags = (TDB_MUTEX_LOCKING | TDB_CLEAR_IF_FIRST); + } +#endif + return tdb_flags; +} + struct db_namelist { const char **names; int n; @@ -560,7 +572,9 @@ static int db_name_handler(struct ctdb_db_context *ctdb_db, uint32_t priority, struct db_namelist *list = (struct db_namelist *)private_data; list->names[list->n] = talloc_strdup(list->names, ctdb_db->db_path); - list->n++; + list->names[list->n+1] = talloc_asprintf(list->names, "0x%x", + db_flags(ctdb_db)); + list->n += 2; return 0; } 
@@ -577,11 +591,11 @@ static bool lock_helper_args(TALLOC_CTX *mem_ctx, switch (lock_ctx->type) { case LOCK_RECORD: - nargs = 5; + nargs = 6; break; case LOCK_DB: - nargs = 4; + nargs = 5; break; case LOCK_ALLDB_PRIO: @@ -612,16 +626,20 @@ static bool lock_helper_args(TALLOC_CTX *mem_ctx, case LOCK_RECORD: args[2] = talloc_strdup(args, "RECORD"); args[3] = talloc_strdup(args, lock_ctx->ctdb_db->db_path); + args[4] = talloc_asprintf(args, "0x%x", + db_flags(lock_ctx->ctdb_db)); if (lock_ctx->key.dsize == 0) { - args[4] = talloc_strdup(args, "NULL"); + args[5] = talloc_strdup(args, "NULL"); } else { - args[4] = hex_encode_talloc(args, lock_ctx->key.dptr, lock_ctx->key.dsize); + args[5] = hex_encode_talloc(args, lock_ctx->key.dptr, lock_ctx->key.dsize); } break; case LOCK_DB: args[2] = talloc_strdup(args, "DB"); args[3] = talloc_strdup(args, lock_ctx->ctdb_db->db_path); + args[4] = talloc_asprintf(args, "0x%x", + db_flags(lock_ctx->ctdb_db)); break; case LOCK_ALLDB_PRIO: diff --git a/ctdb/server/ctdb_lock_helper.c b/ctdb/server/ctdb_lock_helper.c index 2161a9a..7a09ecf 100644 --- a/ctdb/server/ctdb_lock_helper.c +++ b/ctdb/server/ctdb_lock_helper.c @@ -36,9 +36,9 @@ static void send_result(int fd, char result) static void usage(void) { fprintf(stderr, "\n"); - fprintf(stderr, "Usage: %s <log-fd> <ctdbd-pid> <output-fd> RECORD <db-path> <db-key>\n", + fprintf(stderr, "Usage: %s <log-fd> <ctdbd-pid> <output-fd> RECORD <db-path> <db-flags> <db-key>\n", progname); - fprintf(stderr, " %s <log-fd> <ctdbd-pid> <output-fd> DB <db1-path> [<db2-path> ...]\n", + fprintf(stderr, " %s <log-fd> <ctdbd-pid> <output-fd> DB <db1-path> <db1-flags> [<db2-path> <db2-flags>...]\n", progname); } 
@@ -59,10 +59,14 @@ static uint8_t *hex_decode_talloc(TALLOC_CTX *mem_ctx, return buffer; } -static int lock_record(const char *dbpath, const char *dbkey) +static int lock_record(const char *dbpath, const char *dbflags, const char *dbkey) { TDB_DATA key; struct tdb_context *tdb; + int tdb_flags; + + /* No error checking since CTDB always passes sane values */ + tdb_flags = strtol(dbflags, NULL, 0); /* Convert hex key to key */ if (strcmp(dbkey, "NULL") == 0) { @@ -72,7 +76,7 @@ static int lock_record(const char *dbpath, const char *dbkey) key.dptr = hex_decode_talloc(NULL, dbkey, &key.dsize); } - tdb = tdb_open(dbpath, 0, TDB_DEFAULT, O_RDWR, 0600); + tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); if (tdb == NULL) { fprintf(stderr, "%s: Error opening database %s\n", progname, dbpath); return 1; @@ -89,11 +93,15 @@ static int lock_record(const char *dbpath, const char *dbkey) } -static int lock_db(const char *dbpath) +static int lock_db(const char *dbpath, const char *dbflags) { struct tdb_context *tdb; + int tdb_flags; + + /* No error checking since CTDB always passes sane values */ + tdb_flags = strtol(dbflags, NULL, 0); - tdb = tdb_open(dbpath, 0, TDB_DEFAULT, O_RDWR, 0600); + tdb = tdb_open(dbpath, 0, tdb_flags, O_RDWR, 0600); if (tdb == NULL) { fprintf(stderr, "%s: Error opening database %s\n", progname, dbpath); return 1; @@ -140,21 +148,21 @@ int main(int argc, char *argv[]) lock_type = argv[4]; if (strcmp(lock_type, "RECORD") == 0) { - if (argc != 7) { + if (argc != 8) { fprintf(stderr, "%s: Invalid number of arguments (%d)\n", progname, argc); usage(); exit(1); } - result = lock_record(argv[5], argv[6]); + result = lock_record(argv[5], argv[6], argv[7]); } else if (strcmp(lock_type, "DB") == 0) { int n; /* If there are no databases specified, no need for lock */ if (argc > 5) { - for (n=5; n<argc; n++) { -- Samba Shared Repository
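
Review bot: in cli_credentials_get_nt_hash() (auth/credentials/credentials.c), a cached cred->nt_hash now takes precedence over the password string, so a stale hash is returned if any setter updates the password without resetting cred->nt_hash. The diff does not show cli_credentials_set_password() clearing that field; please confirm it does (cli_credentials_set_utf16_password() depends on it, since it assigns cred->nt_hash only after calling cli_credentials_set_password()) and state the invariant in a comment here. The two branches also differ by a single line, so the talloc() and NULL check could be shared.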
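
Review bot: in cli_credentials_set_utf16_password() (auth/credentials/credentials_ntlm.c), password_talloc holds a cleartext UTF-8 copy of the password and is released with TALLOC_FREE() without being wiped; zero the buffer before freeing it so the secret does not linger in freed heap memory. Separately, nt_hash is allocated before the conversion and then has to be freed on two error paths; allocating it after cli_credentials_set_password() has succeeded removes both cleanups. The new comment's "might loose information" should read "might lose information".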
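
Review bot: in gensec_use_kerberos_mechs() (auth/gensec/gensec_start.c), the new "keep = keep_schannel;" assignment sits directly above "switch (use_kerberos)", whose visible "case CRED_AUTO_USE_KERBEROS:" sets "keep = true;" again, so the schannel decision only survives in the branches that leave keep untouched. If that is the intent, say so in a comment that names the CRED_MUST_USE_KERBEROS case from the commit message; as written, a reader has to work out from the switch which credentials states the flag actually affects.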
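
Review bot: in the first schannel_update() hunk (auth/gensec/schannel.c), "struct NL_AUTH_MESSAGE bind_schannel = {};" uses an empty initializer list, which compilers accepted only as an extension to standard C when this change was written. A designated initializer such as "{ .MessageType = NL_NEGOTIATE_REQUEST }" zeroes the remaining members portably and makes the separate MessageType assignment unnecessary.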
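
Review bot: in the SEC_CHAN_DNS_DOMAIN branch of schannel_update() (auth/gensec/schannel.c), utf8_dns_domain.u is filled from cli_credentials_get_realm() after NL_FLAG_UTF8_DNS_DOMAIN_NAME has already been set, and nothing checks the result for NULL before ndr_push_struct_blob() runs. Fetch the realm first and either fail the update or leave the flag clear when it is missing. The removed "#if 0" block also recorded that w2k3 refused the full DNS workstation name; since the new code still sends creds->computer_name in utf8_netbios_computer, a one-line comment keeping that reasoning would help the next reader.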
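
Review bot: PRIVATE_NAME() in buildtools/wafsamba/samba_bundled.py falls through to "return "%s-%s" % (name, extension)" even when bld.env.PRIVATE_EXTENSION is empty or unset, because both guards above it are skipped when extension is falsy; the result is a library name ending in "-" or "-None". Return name early when there is no extension. The "'%s' % extension" formatting in the startswith()/endswith() tests is redundant, and the retained comment saying private libraries use the same name as public ones no longer matches what the function does.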
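
Review bot: in SAMBA_LIBRARY() (buildtools/wafsamba/wafsamba.py), bundled_extension=True now means "do not append the private extension", because PRIVATE_NAME() returns the name unchanged when its private_extension argument is true, and the default flips from True to False in the same patch. Document that meaning next to the "if abi_directory or vnum or soname:" test or rename the parameter. The new "assert (private_library == True and realname is None)" is also stricter than the branch condition it sits under, which only tests truthiness: a falsy but non-None realname or a truthy non-True private_library reaches this branch and trips the assert.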
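
Review bot: in ctdb_attach() (ctdb/client/ctdb_client.c), the mutex flags are now computed in two places with two different tests, "if (mutex_enabled == 1)" before the attach control and "if (mutex_enabled)" when tdb_flags is rebuilt afterwards. Use one test and, ideally, one small helper so the flags sent to the daemon and the flags used for the local open cannot drift apart. The warning on ctdb_ctrl_get_tunable() failure would also be more useful if it included the database name.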
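
Review bot: db_name_handler() in ctdb/server/ctdb_lock.c stores the talloc_asprintf() result for the flags string in list->names[list->n+1] with no NULL check in the hunk, and the path/flags pairing is only implied by "(*count) += 2" in db_count_handler() and "list->n += 2" here. Check the allocation and add a comment that the list is laid out as alternating path and flags entries, since lock_helper_args() and the helper's argv parsing both depend on that layout.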
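
Review bot: lock_record() and lock_db() in ctdb/server/ctdb_lock_helper.c both parse the new <db-flags> argument with "strtol(dbflags, NULL, 0)" and skip validation on the grounds that CTDB always passes sane values. The helper is still a standalone executable, so an unparsable argument silently becomes 0 and the database is opened without the mutex flags the daemon expects. Move the parse into one function that checks the end pointer, rejects bad input through usage(), and makes the narrowing from long to int explicit.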