The branch, v4-15-test has been updated
via 13e621aea07 s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
via 8f346568007 s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
via 4853125524a s3:winbindd: Remove trailing spaces from winbindd_ads.c
via c3c0bf8ec7c s4:selftest: plan test suite
samba4.blackbox.test_weak_disable_ntlmssp_ldap
via 78d342fb604 tests: Add test for disabling NTLMSSP for ldap client
connections
via 2dde53993e9 s3:libads: Disable NTLMSSP if not allowed (for builds
without kerberos)
via 105e53250a9 s3:libads: Improve debug messages for SASL bind
via 130cde7b7b7 s3:libads: Disable NTLMSSP for FIPS
via 953b1027c7b s3:libads: Remove trailing spaces from sasl.c
via 3485e6ccbe5 s3:utils: set ads->auth.flags using krb5_state
via 911675da559 s4:dsdb/vlv_pagination: fix segfault in vlv_results()
via b9583585166 s4:dsdb/paged_results: fix segfault in paged_results()
via d123bc8be47 s4:rpc_server/netlogon: let CSDVersion="" wipe
operatingSystemServicePack
via a45cf134829 s4:torture/rpc: test how CSDVersion="" wipes
operatingSystemServicePack
from d93892d2e8e ldb: version 2.4.2
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit 13e621aea074e5ac23538adff03794989629f9d4
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Fri Jan 21 12:01:33 2022 +0100
s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
Autobuild-User(v4-15-test): Jule Anger <jan...@samba.org>
Autobuild-Date(v4-15-test): Wed Jan 26 11:43:34 UTC 2022 on sn-devel-184
commit 8f3465680073c329406a154a53ba74a95179abd8
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Tue Jan 18 19:44:54 2022 +0100
s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
commit 4853125524af4cd9569ac963c4506e46c81f5c32
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Tue Jan 18 19:47:38 2022 +0100
s3:winbindd: Remove trailing spaces from winbindd_ads.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
commit c3c0bf8ec7c78f451f51485a8bc78f5b13988ab8
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Tue Jan 4 12:00:20 2022 +0100
s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
commit 78d342fb604278821d81e347b04094dbcb8b053e
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Mon Jan 3 15:33:46 2022 +0100
tests: Add test for disabling NTLMSSP for ldap client connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
commit 2dde53993e981d52e12fd9c36d5183c5295a1613
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Mon Jan 3 11:13:06 2022 +0100
s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
commit 105e53250a972c7d1fd3f6d088a5defc53be845e
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Fri Jan 7 10:31:19 2022 +0100
s3:libads: Improve debug messages for SASL bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
commit 130cde7b7b76d766e27b2d39389e24f52be3e4a1
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Thu Dec 9 13:43:08 2021 +0100
s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
commit 953b1027c7b41b70e6f77335f978a7766cff7c8c
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Wed Dec 8 16:05:17 2021 +0100
s3:libads: Remove trailing spaces from sasl.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
commit 3485e6ccbe528df00d3eb2ba2d91356d1389e204
Author: Pavel Filipenský <pfili...@redhat.com>
Date: Fri Dec 10 16:08:04 2021 +0100
s3:utils: set ads->auth.flags using krb5_state
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <a...@samba.org>
Signed-off-by: Pavel Filipenský <pfili...@redhat.com>
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
commit 911675da55999c4b2c82fe658c92518d23f7ced7
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Jan 19 15:57:08 2022 +0100
s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
(cherry picked from commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc)
commit b958358516605918e32a21ba98e6d85a1d59acbb
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Jan 19 15:57:08 2022 +0100
s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Volker Lendecke <v...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
(cherry picked from commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49)
commit d123bc8be47fa56d7fee4b8214fc19bd0a35a6b2
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Dec 21 14:00:34 2021 +0100
s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184
(cherry picked from commit 1243f52f7ae58de1005c431e20563f2f1902dfce)
commit a45cf13482921f16ce9be0be8030469866fa7df1
Author: Stefan Metzmacher <me...@samba.org>
Date: Tue Dec 21 13:58:07 2021 +0100
s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
(cherry picked from commit 4a0a0d2fc9555dc8ff7692607b1d51189785bd47)
-----------------------------------------------------------------------
Summary of changes:
source3/libads/sasl.c | 58 ++++++++++++++--------
source3/libnet/libnet_join.c | 18 ++++++-
source3/utils/net_ads.c | 22 +++++++-
source3/winbindd/winbindd_ads.c | 57 +++++++++++++--------
source4/dsdb/samdb/ldb_modules/paged_results.c | 19 ++++---
source4/dsdb/samdb/ldb_modules/vlv_pagination.c | 21 +++++---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 11 ++--
source4/selftest/tests.py | 1 +
source4/torture/rpc/netlogon.c | 10 ++--
...crypto.sh => test_weak_disable_ntlmssp_ldap.sh} | 30 ++++-------
10 files changed, 160 insertions(+), 87 deletions(-)
copy testprogs/blackbox/{test_weak_crypto.sh =>
test_weak_disable_ntlmssp_ldap.sh} (52%)
Changeset truncated at 500 lines:
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 60fa2bf80cb..1bcfe0490a8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
.disconnect = ads_sasl_gensec_disconnect
};
-/*
+/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT
*ads,
#endif /* HAVE_KRB5 */
-/*
+/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
- /* the server sent us the first part of the SPNEGO exchange in the
negprot
+ /* the server sent us the first part of the SPNEGO exchange in the
negprot
reply */
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs,
&given_principal, NULL) ||
OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism)
+ got_kerberos_mechanism)
{
mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -586,36 +586,50 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("kinit succeeded but "
- "ads_sasl_spnego_gensec_bind(KRB5)
failed "
- "for %s/%s with user[%s] realm[%s]:
%s\n",
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
- ads_errstr(status)));
+ ads_errstr(status));
}
}
/* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
+ if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
goto done;
}
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
- p.service, p.hostname,
- ads->auth.user_name,
- ads->auth.realm,
- ads_errstr(status)));
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
}
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
+ to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 02705f1c70c..4c67e9af5c4 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char
*dns_domain_name,
ADS_STATUS status;
ADS_STRUCT *my_ads = NULL;
char *cp;
+ enum credentials_use_kerberos krb5_state;
my_ads = ads_init(dns_domain_name,
netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char
*dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6ab4a0096b1..8f993f9ba4c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c,
bool only_own_domain,
char *cp;
const char *realm = NULL;
bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
ads->auth.password = smb_xstrdup(c->opt_password);
}
- ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
/*
* If the username is of the form "name@realm",
* extract the realm and convert to upper case.
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 948c903f165..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
#include "../libds/common/flag_mapping.h"
#include "libsmb/samlogon_cache.h"
#include "passdb.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT
**adsp,
ADS_STATUS status;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
if (auth_realm == NULL) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT
**adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
@@ -326,7 +343,7 @@ static NTSTATUS query_user_list(struct winbindd_domain
*domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -432,7 +449,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain
*domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -447,7 +464,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain
*domain,
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
- * when set to TRUE.
+ * when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +475,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain
*domain,
*
* Thanks to Ralf Haferkamp for input and testing - Guenther */
- filter = talloc_asprintf(mem_ctx,
"(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ filter = talloc_asprintf(mem_ctx,
"(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
ADS_LDAP_MATCHING_RULE_BIT_AND,
GROUP_TYPE_SECURITY_ENABLED,
- ADS_LDAP_MATCHING_RULE_BIT_AND,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
enum_dom_local_groups ?
GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
if (filter == NULL) {
@@ -529,7 +546,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain
*domain,
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -542,12 +559,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain
*domain,
struct wb_acct_info **info)
{
/*
- * This is a stub function only as we returned the domain
+ * This is a stub function only as we returned the domain
* local groups in enum_dom_groups() if the domain->native field
* was true. This is a simple performance optimization when
* using LDAP.
*
- * if we ever need to enumerate domain local groups separately,
+ * if we ever need to enumerate domain local groups separately,
* then this optimization in enum_dom_groups() will need
* to be split out
*/
@@ -601,7 +618,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain
*domain,
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- const char *user_dn,
+ const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid
**user_sids)
{
@@ -620,7 +637,7 @@ static NTSTATUS lookup_usergroups_member(struct
winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for
domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -702,7 +719,7 @@ static NTSTATUS lookup_usergroups_member(struct
winbindd_domain *domain,
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n",
user_dn));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -883,14 +900,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain
*domain,
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "invalid number of results (count=%d)\n",
+ "invalid number of results (count=%d)\n",
dom_sid_str_buf(sid, &buf),
count));
goto done;
}
if (!msg) {
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups:
NULL msg\n",
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups:
NULL msg\n",
dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -903,7 +920,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain
*domain,
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name,
dom_sid_str_buf(sid, &buf)));
goto done;
@@ -913,7 +930,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain
*domain,
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- /* there must always be at least one group in the token,
+ /* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
@@ -937,7 +954,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain
*domain,
/* lookup what groups this user is a member of by DN search on
* "member" */
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
@@ -1302,7 +1319,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain
*domain,
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
"not map any SIDs at all.\n"));
/* Don't handle this as an error here.
- * There is nothing left to do with respect to the
+ * There is nothing left to do with respect to the
* overall result... */
}
else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1384,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain
*domain,
NETR_TRUST_FLAG_IN_FOREST;
} else {
flags = NETR_TRUST_FLAG_IN_FOREST;
- }
+ }
result = cm_connect_netlogon(domain, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
- "for PIPE_NETLOGON (%s)\n",
+ "for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c
b/source4/dsdb/samdb/ldb_modules/paged_results.c
index 3eea3236e7d..2063e84e157 100644
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c
+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c
@@ -239,6 +239,7 @@ static int paged_search_by_dn_guid(struct ldb_module
*module,
static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
{
+ struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
struct ldb_paged_control *paged;
unsigned int i, num_ctrls;
int ret;
@@ -246,7 +247,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
if (ac->store == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
while (ac->store->last_i < ac->store->num_entries && ac->size > 0) {
@@ -276,7 +277,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
continue;
} else if (ret != LDB_SUCCESS) {
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
ret = ldb_module_send_entry(ac->req, result->msgs[0],
@@ -318,7 +319,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
if (ac->controls == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
ac->controls[num_ctrls] = NULL;
@@ -331,7 +332,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
if (ac->controls[i] == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -339,7 +340,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
if (ac->controls[i]->oid == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
ac->controls[i]->critical = 0;
@@ -348,7 +349,7 @@ static int paged_results(struct paged_context *ac, struct
ldb_reply *ares)
if (paged == NULL) {
ret = LDB_ERR_OPERATIONS_ERROR;
return ldb_module_done(
- ac->req, ac->controls, ares->response, ret);
+ ac->req, ac->controls, response, ret);
}
ac->controls[i]->data = paged;
@@ -803,7 +804,11 @@ static int paged_search(struct ldb_module *module, struct
ldb_request *req)
ret = paged_results(ac, NULL);
if (ret != LDB_SUCCESS) {
- return ldb_module_done(req, NULL, NULL, ret);
+ /*
+ * paged_results() will have called ldb_module_done
+ * if an error occurred
+ */
+ return ret;
}
return ldb_module_done(req, ac->controls, NULL, LDB_SUCCESS);
}
diff --git a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
b/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
index d6d6039e849..b389d3fd4f0 100644
--- a/source4/dsdb/samdb/ldb_modules/vlv_pagination.c
--
Samba Shared Repository
