The branch, master has been updated
       via  bf520b7 s3:libsmb: restructure cli_full_connection_creds* flow
       via  cf9fb30 s3:libnet_join: make use of cli_full_connection_creds()
       via  3c67855 s3:libsmb: change cli_full_connection_send/recv into 
cli_full_connection_creds_send/recv
       via  879c291 s3:winbindd: always use saf_store(domain->alt_name, 
controller) for ad domains
       via  0b1e63c tests/libsmb_samba_internal.py: fully setup the Credentials 
by creds.guess(lp)
      from  134ab45 lib: Remove a used-once variable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bf520b70ab980eb886d0ce5eadfdd3166f36dad2
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 4 11:34:02 2016 +0100

    s3:libsmb: restructure cli_full_connection_creds* flow
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Andreas Schneider <[email protected]>
    Autobuild-Date(master): Fri Dec  2 17:32:26 CET 2016 on sn-devel-144

commit cf9fb3067553052e06e132dcba01162f3b37e131
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Dec 1 16:37:43 2016 +0100

    s3:libnet_join: make use of cli_full_connection_creds()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 3c67855c2bf58e7fa59ce2db719aee8c0bdd0cdc
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Oct 26 13:48:58 2016 +0200

    s3:libsmb: change cli_full_connection_send/recv into 
cli_full_connection_creds_send/recv
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 879c2913633217b21d8614a273b5f8c464d67c5f
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 4 12:56:20 2016 +0100

    s3:winbindd: always use saf_store(domain->alt_name, controller) for ad 
domains
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 0b1e63ce25b362555f6906eb591d244c9f03c535
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Dec 2 10:23:28 2016 +0100

    tests/libsmb_samba_internal.py: fully setup the Credentials by 
creds.guess(lp)
    
    It's important that we correctly initialize domain and realm.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/libsmb_samba_internal.py |   1 +
 source3/libnet/libnet_join.c                |  26 +--
 source3/libsmb/cliconnect.c                 | 276 ++++++++++++++++++----------
 source3/libsmb/proto.h                      |  18 +-
 source3/libsmb/pylibsmb.c                   |   9 +-
 source3/winbindd/winbindd_cm.c              |   2 +-
 6 files changed, 209 insertions(+), 123 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/libsmb_samba_internal.py 
b/python/samba/tests/libsmb_samba_internal.py
index fe9f197..d883dae 100644
--- a/python/samba/tests/libsmb_samba_internal.py
+++ b/python/samba/tests/libsmb_samba_internal.py
@@ -54,6 +54,7 @@ class LibsmbTestCase(samba.tests.TestCase):
         lp.load(os.getenv("SMB_CONF_PATH"))
 
         creds = credentials.Credentials()
+        creds.guess(lp)
         creds.set_username(os.getenv("USERNAME"))
         creds.set_password(os.getenv("PASSWORD"))
 
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 3ac7f39..8275a7c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1546,9 +1546,6 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
        struct netlogon_creds_CredentialState *creds = NULL;
        uint32_t netlogon_flags = 0;
        NTSTATUS status;
-       const char *machine_account = NULL;
-       const char *machine_domain = NULL;
-       const char *machine_password = NULL;
        int flags = 0;
 
        if (!dc_name) {
@@ -1572,22 +1569,17 @@ NTSTATUS libnet_join_ok(struct messaging_context 
*msg_ctx,
        cli_credentials_set_old_password(cli_creds, NULL, CRED_SPECIFIED);
 
        if (use_kerberos) {
-               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+               cli_credentials_set_kerberos_state(cli_creds,
+                               CRED_MUST_USE_KERBEROS);
        }
 
-       machine_account = cli_credentials_get_username(cli_creds);
-       machine_domain = cli_credentials_get_domain(cli_creds);
-       machine_password = cli_credentials_get_password(cli_creds);
-
-       status = cli_full_connection(&cli, NULL,
-                                    dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    machine_account,
-                                    machine_domain,
-                                    machine_password,
-                                    flags,
-                                    SMB_SIGNING_IPC_DEFAULT);
+       status = cli_full_connection_creds(&cli, NULL,
+                                          dc_name,
+                                          NULL, 0,
+                                          "IPC$", "IPC",
+                                          cli_creds,
+                                          flags,
+                                          SMB_SIGNING_IPC_DEFAULT);
 
        if (!NT_STATUS_IS_OK(status)) {
                status = cli_full_connection(&cli, NULL,
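Review bot: When `use_kerberos` is false, the new call in `libnet_join_ok` leaves the Kerberos state of `cli_creds` as it was set up above this hunk, so the mechanism tried now depends on that initialisation rather than on `flags`. As far as the hunk shows, the old call passed `flags` of 0 in that case, which requested no Kerberos, whereas the cliconnect.c change in this push turns a state of `CRED_AUTO_USE_KERBEROS` into Kerberos with fallback. If the old behaviour is meant to be kept, an explicit `else { cli_credentials_set_kerberos_state(cli_creds, CRED_DONT_USE_KERBEROS); }` would pin it; otherwise a comment such as `/* non-kerberos case: follow the kerberos state already set on cli_creds */` would record the choice. `flags` is no longer modified in the visible lines, and the function body starts and ends outside the hunk.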
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 7f82d4b..a32d378 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2830,88 +2830,103 @@ fail:
    @param port (optional) The destination port (0 for default)
    @param service (optional) The share to make the connection to.  Should be 
'unqualified' in any way.
    @param service_type The 'type' of serivice. 
-   @param user Username, unix string
-   @param domain User's domain
-   @param password User's password, unencrypted unix string.
+   @param creds The used user credentials
 */
 
-struct cli_full_connection_state {
+struct cli_full_connection_creds_state {
        struct tevent_context *ev;
        const char *service;
        const char *service_type;
-       const char *user;
-       const char *domain;
-       const char *password;
-       int pw_len;
+       struct cli_credentials *creds;
        int flags;
        struct cli_state *cli;
 };
 
-static int cli_full_connection_state_destructor(
-       struct cli_full_connection_state *s);
-static void cli_full_connection_started(struct tevent_req *subreq);
-static void cli_full_connection_sess_set_up(struct tevent_req *subreq);
-static void cli_full_connection_done(struct tevent_req *subreq);
+static int cli_full_connection_creds_state_destructor(
+       struct cli_full_connection_creds_state *s)
+{
+       if (s->cli != NULL) {
+               cli_shutdown(s->cli);
+               s->cli = NULL;
+       }
+       return 0;
+}
+
+static void cli_full_connection_creds_conn_done(struct tevent_req *subreq);
+static void cli_full_connection_creds_sess_start(struct tevent_req *req);
+static void cli_full_connection_creds_sess_done(struct tevent_req *subreq);
+static void cli_full_connection_creds_tcon_start(struct tevent_req *req);
+static void cli_full_connection_creds_tcon_done(struct tevent_req *subreq);
 
-struct tevent_req *cli_full_connection_send(
+struct tevent_req *cli_full_connection_creds_send(
        TALLOC_CTX *mem_ctx, struct tevent_context *ev,
        const char *my_name, const char *dest_host,
        const struct sockaddr_storage *dest_ss, int port,
        const char *service, const char *service_type,
-       const char *user, const char *domain,
-       const char *password, int flags, int signing_state)
+       struct cli_credentials *creds,
+       int flags, int signing_state)
 {
        struct tevent_req *req, *subreq;
-       struct cli_full_connection_state *state;
+       struct cli_full_connection_creds_state *state;
+       enum credentials_use_kerberos krb5_state;
+       uint32_t gensec_features = 0;
 
        req = tevent_req_create(mem_ctx, &state,
-                               struct cli_full_connection_state);
+                               struct cli_full_connection_creds_state);
        if (req == NULL) {
                return NULL;
        }
-       talloc_set_destructor(state, cli_full_connection_state_destructor);
+       talloc_set_destructor(state, 
cli_full_connection_creds_state_destructor);
+
+       flags &= ~CLI_FULL_CONNECTION_USE_KERBEROS;
+       flags &= ~CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       flags &= ~CLI_FULL_CONNECTION_USE_CCACHE;
+       flags &= ~CLI_FULL_CONNECTION_USE_NT_HASH;
+
+       krb5_state = cli_credentials_get_kerberos_state(creds);
+       switch (krb5_state) {
+       case CRED_MUST_USE_KERBEROS:
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+               flags &= ~CLI_FULL_CONNECTION_DONT_SPNEGO;
+               break;
+       case CRED_AUTO_USE_KERBEROS:
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+               flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+               break;
+       case CRED_DONT_USE_KERBEROS:
+               break;
+       }
+
+       gensec_features = cli_credentials_get_gensec_features(creds);
+       if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
+               flags |= CLI_FULL_CONNECTION_USE_CCACHE;
+       }
 
        state->ev = ev;
        state->service = service;
        state->service_type = service_type;
-       state->user = user;
-       state->domain = domain;
-       state->password = password;
+       state->creds = creds;
        state->flags = flags;
 
-       state->pw_len = state->password ? strlen(state->password)+1 : 0;
-       if (state->password == NULL) {
-               state->password = "";
-       }
-
        subreq = cli_start_connection_send(
                state, ev, my_name, dest_host, dest_ss, port,
                signing_state, flags);
        if (tevent_req_nomem(subreq, req)) {
                return tevent_req_post(req, ev);
        }
-       tevent_req_set_callback(subreq, cli_full_connection_started, req);
+       tevent_req_set_callback(subreq,
+                               cli_full_connection_creds_conn_done,
+                               req);
        return req;
 }
 
-static int cli_full_connection_state_destructor(
-       struct cli_full_connection_state *s)
-{
-       if (s->cli != NULL) {
-               cli_shutdown(s->cli);
-               s->cli = NULL;
-       }
-       return 0;
-}
-
-static void cli_full_connection_started(struct tevent_req *subreq)
+static void cli_full_connection_creds_conn_done(struct tevent_req *subreq)
 {
        struct tevent_req *req = tevent_req_callback_data(
                subreq, struct tevent_req);
-       struct cli_full_connection_state *state = tevent_req_data(
-               req, struct cli_full_connection_state);
+       struct cli_full_connection_creds_state *state = tevent_req_data(
+               req, struct cli_full_connection_creds_state);
        NTSTATUS status;
-       struct cli_credentials *creds = NULL;
 
        status = cli_start_connection_recv(subreq, &state->cli);
        TALLOC_FREE(subreq);
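Review bot: `state->creds = creds` in `cli_full_connection_creds_send` stores the caller's pointer without taking a reference or a copy, and the later session-setup and tree-connect steps read it after the send function has returned, so the credentials must stay valid until the request completes. The doc comment only says `@param creds The used user credentials`; it should state the contract, for example `@param creds The user credentials; borrowed, must remain valid until cli_full_connection_creds_recv()`. The anonymous-fallback hunk in `cli_full_connection_creds_sess_done` further down overwrites the same field with an object allocated on `state`, so the member is sometimes borrowed and sometimes owned, which deserves a one-line comment on the struct field. The `switch (krb5_state)` has no `default`, so after the four flags are cleared an unexpected state value would silently select no Kerberos flags; a comment saying whether that is intended would help. `cli_full_connection_creds_conn_done` at the end of the hunk continues outside it.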
@@ -2919,33 +2934,31 @@ static void cli_full_connection_started(struct 
tevent_req *subreq)
                return;
        }
 
-       creds = cli_session_creds_init(state,
-                                      state->user,
-                                      state->domain,
-                                      NULL, /* realm (use default) */
-                                      state->password,
-                                      state->cli->use_kerberos,
-                                      state->cli->fallback_after_kerberos,
-                                      state->cli->use_ccache,
-                                      state->cli->pw_nt_hash);
-       if (tevent_req_nomem(creds, req)) {
-               return;
-       }
+       cli_full_connection_creds_sess_start(req);
+}
+
+static void cli_full_connection_creds_sess_start(struct tevent_req *req)
+{
+       struct cli_full_connection_creds_state *state = tevent_req_data(
+               req, struct cli_full_connection_creds_state);
+       struct tevent_req *subreq = NULL;
 
        subreq = cli_session_setup_creds_send(
-               state, state->ev, state->cli, creds);
+               state, state->ev, state->cli, state->creds);
        if (tevent_req_nomem(subreq, req)) {
                return;
        }
-       tevent_req_set_callback(subreq, cli_full_connection_sess_set_up, req);
+       tevent_req_set_callback(subreq,
+                               cli_full_connection_creds_sess_done,
+                               req);
 }
 
-static void cli_full_connection_sess_set_up(struct tevent_req *subreq)
+static void cli_full_connection_creds_sess_done(struct tevent_req *subreq)
 {
        struct tevent_req *req = tevent_req_callback_data(
                subreq, struct tevent_req);
-       struct cli_full_connection_state *state = tevent_req_data(
-               req, struct cli_full_connection_state);
+       struct cli_full_connection_creds_state *state = tevent_req_data(
+               req, struct cli_full_connection_creds_state);
        NTSTATUS status;
 
        status = cli_session_setup_creds_recv(subreq);
@@ -2953,22 +2966,15 @@ static void cli_full_connection_sess_set_up(struct 
tevent_req *subreq)
 
        if (!NT_STATUS_IS_OK(status) &&
            (state->flags & CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK)) {
-               struct cli_credentials *creds = NULL;
 
                state->flags &= ~CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
 
-               creds = cli_credentials_init_anon(state);
-               if (tevent_req_nomem(creds, req)) {
+               state->creds = cli_credentials_init_anon(state);
+               if (tevent_req_nomem(state->creds, req)) {
                        return;
                }
 
-               subreq = cli_session_setup_creds_send(
-                       state, state->ev, state->cli, creds);
-               if (tevent_req_nomem(subreq, req)) {
-                       return;
-               }
-               tevent_req_set_callback(
-                       subreq, cli_full_connection_sess_set_up, req);
+               cli_full_connection_creds_sess_start(req);
                return;
        }
 
@@ -2976,22 +2982,44 @@ static void cli_full_connection_sess_set_up(struct 
tevent_req *subreq)
                return;
        }
 
-       if (state->service != NULL) {
-               subreq = cli_tree_connect_send(
-                       state, state->ev, state->cli,
-                       state->service, state->service_type,
-                       state->password, state->pw_len);
-               if (tevent_req_nomem(subreq, req)) {
-                       return;
-               }
-               tevent_req_set_callback(subreq, cli_full_connection_done, req);
+       cli_full_connection_creds_tcon_start(req);
+}
+
+static void cli_full_connection_creds_tcon_start(struct tevent_req *req)
+{
+       struct cli_full_connection_creds_state *state = tevent_req_data(
+               req, struct cli_full_connection_creds_state);
+       struct tevent_req *subreq = NULL;
+       const char *password = NULL;
+       int pw_len = 0;
+
+       if (state->service == NULL) {
+               tevent_req_done(req);
                return;
        }
 
-       tevent_req_done(req);
+       password = cli_credentials_get_password(state->creds);
+       if (password == NULL) {
+               password = "";
+               pw_len = 0;
+       } else {
+               pw_len = strlen(password) + 1;
+       }
+
+       subreq = cli_tree_connect_send(state, state->ev,
+                                      state->cli,
+                                      state->service,
+                                      state->service_type,
+                                      password, pw_len);
+       if (tevent_req_nomem(subreq, req)) {
+               return;
+       }
+       tevent_req_set_callback(subreq,
+                               cli_full_connection_creds_tcon_done,
+                               req);
 }
 
-static void cli_full_connection_done(struct tevent_req *subreq)
+static void cli_full_connection_creds_tcon_done(struct tevent_req *subreq)
 {
        struct tevent_req *req = tevent_req_callback_data(
                subreq, struct tevent_req);
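Review bot: In `cli_full_connection_creds_tcon_start` the two branches encode a length convention that is easy to misread: a missing password is sent as `""` with `pw_len` 0, while a present one is sent with `strlen(password) + 1`, counting the terminating NUL. A comment above the `if`, such as `/* pw_len includes the trailing NUL; no password is sent as "" with length 0 */`, would keep a later editor from "fixing" one side. `pw_len` is an `int` assigned from a `size_t` expression, so the narrowing should be made explicit or bounded before the assignment. The password is now read from `state->creds`, which may be the anonymous credentials installed by the fallback path, so presumably an empty password goes out in that case; the comment should say so. `cli_full_connection_creds_tcon_done` at the end of the hunk continues outside it.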
@@ -3006,11 +3034,11 @@ static void cli_full_connection_done(struct tevent_req 
*subreq)
        tevent_req_done(req);
 }
 
-NTSTATUS cli_full_connection_recv(struct tevent_req *req,
+NTSTATUS cli_full_connection_creds_recv(struct tevent_req *req,
                                  struct cli_state **output_cli)
 {
-       struct cli_full_connection_state *state = tevent_req_data(
-               req, struct cli_full_connection_state);
+       struct cli_full_connection_creds_state *state = tevent_req_data(
+               req, struct cli_full_connection_creds_state);
        NTSTATUS status;
 
        if (tevent_req_is_nterror(req, &status)) {
@@ -3021,14 +3049,14 @@ NTSTATUS cli_full_connection_recv(struct tevent_req 
*req,
        return NT_STATUS_OK;
 }
 
-NTSTATUS cli_full_connection(struct cli_state **output_cli,
-                            const char *my_name,
-                            const char *dest_host,
-                            const struct sockaddr_storage *dest_ss, int port,
-                            const char *service, const char *service_type,
-                            const char *user, const char *domain,
-                            const char *password, int flags,
-                            int signing_state)
+NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
+                                  const char *my_name,
+                                  const char *dest_host,
+                                  const struct sockaddr_storage *dest_ss, int 
port,
+                                  const char *service, const char 
*service_type,
+                                  struct cli_credentials *creds,
+                                  int flags,
+                                  int signing_state)
 {
        struct tevent_context *ev;
        struct tevent_req *req;
@@ -3038,21 +3066,81 @@ NTSTATUS cli_full_connection(struct cli_state 
**output_cli,
        if (ev == NULL) {
                goto fail;
        }
-       req = cli_full_connection_send(
+       req = cli_full_connection_creds_send(
                ev, ev, my_name, dest_host, dest_ss, port, service,
-               service_type, user, domain, password, flags, signing_state);
+               service_type, creds, flags, signing_state);
        if (req == NULL) {
                goto fail;
        }
        if (!tevent_req_poll_ntstatus(req, ev, &status)) {
                goto fail;
        }
-       status = cli_full_connection_recv(req, output_cli);
+       status = cli_full_connection_creds_recv(req, output_cli);
  fail:
        TALLOC_FREE(ev);
        return status;
 }
 
+NTSTATUS cli_full_connection(struct cli_state **output_cli,
+                            const char *my_name,
+                            const char *dest_host,
+                            const struct sockaddr_storage *dest_ss, int port,
+                            const char *service, const char *service_type,
+                            const char *user, const char *domain,
+                            const char *password, int flags,
+                            int signing_state)
+{
+       TALLOC_CTX *frame = talloc_stackframe();
+       NTSTATUS status;
+       bool use_kerberos = false;
+       bool fallback_after_kerberos = false;
+       bool use_ccache = false;
+       bool pw_nt_hash = false;
+       struct cli_credentials *creds = NULL;
+
+       if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+               use_kerberos = true;
+       }
+
+       if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
+               fallback_after_kerberos = true;
+       }
+
+       if (flags & CLI_FULL_CONNECTION_USE_CCACHE) {
+               use_ccache = true;
+       }
+
+       if (flags & CLI_FULL_CONNECTION_USE_NT_HASH) {
+               pw_nt_hash = true;
+       }
+
+       creds = cli_session_creds_init(frame,
+                                      user,
+                                      domain,
+                                      NULL, /* realm (use default) */
+                                      password,
+                                      use_kerberos,
+                                      fallback_after_kerberos,
+                                      use_ccache,
+                                      pw_nt_hash);
+       if (creds == NULL) {
+               TALLOC_FREE(frame);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       status = cli_full_connection_creds(output_cli, my_name,
+                                          dest_host, dest_ss, port,
+                                          service, service_type,
+                                          creds, flags, signing_state);
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(frame);
+               return status;
+       }
+
+       TALLOC_FREE(frame);
+       return NT_STATUS_OK;
+}
+
 /****************************************************************************
  Send an old style tcon.
 ****************************************************************************/
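Review bot: All three exit paths of the new `cli_full_connection` wrapper do `TALLOC_FREE(frame)`, and the final `if (!NT_STATUS_IS_OK(status))` branch returns the same value the fall-through would, since `status` is `NT_STATUS_OK` whenever that branch is skipped. The tail can be reduced to `TALLOC_FREE(frame);` followed by `return status;` directly after the `cli_full_connection_creds()` call. The wrapper also lacks a header comment; it should say that the Kerberos, ccache and NT-hash bits of `flags` are translated into a temporary `cli_credentials` object allocated on the stackframe and freed before return, and that `cli_full_connection_creds_send()` clears those bits and derives the Kerberos and ccache ones again from the credentials, which is why `flags` can be passed through unchanged.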
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 2191f92..107579c 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -89,15 +89,23 @@ NTSTATUS cli_start_connection(struct cli_state **output_cli,
                              const char *dest_host,
                              const struct sockaddr_storage *dest_ss, int port,
                              int signing_state, int flags);
-struct tevent_req *cli_full_connection_send(
+struct tevent_req *cli_full_connection_creds_send(
        TALLOC_CTX *mem_ctx, struct tevent_context *ev,
        const char *my_name, const char *dest_host,
        const struct sockaddr_storage *dest_ss, int port,
        const char *service, const char *service_type,
-       const char *user, const char *domain,
-       const char *password, int flags, int signing_state);
-NTSTATUS cli_full_connection_recv(struct tevent_req *req,
-                                 struct cli_state **output_cli);
+       struct cli_credentials *creds,
+       int flags, int signing_state);
+NTSTATUS cli_full_connection_creds_recv(struct tevent_req *req,
+                                       struct cli_state **output_cli);
+NTSTATUS cli_full_connection_creds(struct cli_state **output_cli,
+                                  const char *my_name,
+                                  const char *dest_host,
+                                  const struct sockaddr_storage *dest_ss, int 
port,
+                                  const char *service, const char 
*service_type,
+                                  struct cli_credentials *creds,
+                                  int flags,
+                                  int signing_state);
 NTSTATUS cli_full_connection(struct cli_state **output_cli,
                             const char *my_name,
                             const char *dest_host,
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index 0c5d7e9..59c0998 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -442,16 +442,13 @@ static int py_cli_state_init(struct py_cli_state *self, 
PyObject *args,


-- 
Samba Shared Repository
