The branch, master has been updated
       via  1c859ec1dbe WHATSNEW: Add client netlogon ping protocol parameter
       via  47d7e86a62e tests: Run ad members with new netlogon ping protocol settings
       via  f151f462d51 libcli: Make cldap_error_reply() static to cldap_server.c
       via  39c4e804552 libcli: Remove two unused functions
       via  6d19d4ab7b3 libnet: Simplify becomeDC
       via  f78a44fce68 docs: Fix a typo in a parameter file name
       via  2459337a586 libcli: Move "struct cldap_netlogon" definition to torture
       via  be846bf5a2e libcli: Remove cldap_netlogon() and friends
       via  4aff4c749b9 torture4: Replace direct netlogon ping calls with netlogon_pings()
       via  d260478195e torture4: Add ldap.netlogon-ping test
       via  462748afedf torture4: Use netlogon_pings() in rpc.lsa tests
       via  63b5b5d05b7 torture4: Use netlogon_pings_send/recv in bench-cldap
       via  74cec52bab1 libnet4: Use netlogon_pings() in finddcs_cldap
       via  e7844537b67 libnet4: Use netlogon_pings() in unbecome_dc
       via  bfa6f18a0e8 libnet4: Use netlogon_pings() in become_dc
       via  42cafe481d2 libnet4: Use netlogon_pings() in findsite
       via  3ecb6654223 libnet: Initialize variables in libnet_FindSite()
       via  dcc27671854 libnet: Simplify error return in libnet_FindSite()
       via  ccfbb5c2ed8 libnet: Save a few lines with talloc_move()
       via  eb8767a076e libads: Move check_cldap_reply_required_flags() to netlogon_ping.c
       via  fc7c55c9389 libads: Simplify ads_fill_cldap_reply()
       via  759665fcf23 libads: Pass "required_flags" through ads_cldap_netlogon_5()
       via  808b79b4a95 libads: Pass "required_flags" through ads_cldap_netlogon()
       via  b8028709664 libads: Make ads_cldap_netlogon() static
       via  523a1c6fa16 libads: remove cldap_multi_netlogon
       via  8bededd1b3d libsmb: Use netlogon_pings() in dsgetdcname
       via  cb00b78fa04 kerberos: Use netlogon_pings()
       via  8a88f322db4 ldap: Use netlogon_pings
       via  df2844ca8f1 cldap: Use netlogon_pings()
       via  cf66ff3d1b0 libads: Add netlogon_pings()
       via  e88db0a6b51 tldap: Add tldap_context_create_from_plain_stream()
       via  24dc8ef1749 param: Add "client netlogon ping protocol"
       via  b3a8f845ec3 lib: Add a few required includes
       via  baeedee5345 build: Remove the big samba3util dependency from TLDAP
       via  469e1ebd71f build: Make util_tsock its own subsystem
       via  527d81fc5e3 param: Remove parameter "cldap port"
       via  43b2d4104b0 cldap: Make finddcs.out.netlogon a pointer
       via  31d1fc0912a cldap: Make cldap_netlogon.out.netlogon a pointer
       via  a3f1cb15971 lib: Fix trailing whitespace
       via  6edd49c68b2 cldap: Remove cldap_netlogon->in.map_response
       via  82d8f345f57 libnet4: Call map_netlogon_samlogon_response directly
       via  a3eb60e7c8f libnet4: Call map_netlogon_samlogon_response directly
       via  d41efadde3c libnet4: Call map_netlogon_samlogon_response directly
       via  fc9810051e6 libcli4: Call map_netlogon_samlogon_response directly
       via  b5af90bd5c6 torture4: Simplify [tcp|udp]_ldap_netlogon()
       via  e54a4f06b31 tldap_tls: Remove tldap_[gs]et_starttls_needed()
       via  2cc41bd6ae1 tldap_tls: Move creation of tls_params out of tldap_tls_connect()
       via  19ab2db59ac tstream_tls: Add tstream_tls_params_peer_name()
      from  f6d3e1117ff smbtorture: use torture_assert_ntstatus_equal_goto() in CHECK_STATUS() in unlink.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1c859ec1dbec839f3c6571e76a7587c3e2032465
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 8 16:39:42 2024 +0100

    WHATSNEW: Add client netlogon ping protocol parameter
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    
    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Mon Nov 11 15:15:29 UTC 2024 on atb-devel-224

commit 47d7e86a62e8ce151e5ae413c5f32eb4ff09439c
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Nov 6 14:30:30 2024 +0100

    tests: Run ad members with new netlogon ping protocol settings
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f151f462d51926a96e54c95a5eb25c39549abae3
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 12:49:55 2024 +0100

    libcli: Make cldap_error_reply() static to cldap_server.c
    
    Only used there
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 39c4e8045529c8dce091640041c4bf7d26327237
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 12:44:42 2024 +0100

    libcli: Remove two unused functions
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6d19d4ab7b31f1ad6acc72b7761be6e61c3116a2
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Oct 25 14:53:09 2024 +0200

    libnet: Simplify becomeDC
    
    Checking for "" does not need a call to strcmp
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f78a44fce6893a42cabcc6668a962abe771b0099
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 24 16:44:09 2024 +0200

    docs: Fix a typo in a parameter file name
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2459337a58686f476a68675774893699603917b2
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 12:41:57 2024 +0100

    libcli: Move "struct cldap_netlogon" definition to torture
    
    This structure is only used in torture/ldap/netlogon.c now for
    historic reasons. Replacing it with something else would be the right
    thing to do...
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit be846bf5a2ea59877c2315eb63e9814de4398a6f
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 12:39:58 2024 +0100

    libcli: Remove cldap_netlogon() and friends
    
    Replaced with netlogon_pings()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 4aff4c749b943c30ae9ff05fcdc54da78861f43a
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 12:36:59 2024 +0100

    torture4: Replace direct netlogon ping calls with netlogon_pings()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d260478195e7dd546740355985601253dd1e3ad4
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Nov 1 10:07:16 2024 +0100

    torture4: Add ldap.netlogon-ping test
    
    This will supersede the direct cldap based netlogon tests
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 462748afedf05f9a078fa8ecec1802e093c71a43
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Oct 30 18:22:57 2024 +0100

    torture4: Use netlogon_pings() in rpc.lsa tests
    
    Allow LDAPS netlogon ping
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 63b5b5d05b7d48be9fa8d10c7b5ea5d055685571
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 31 18:05:00 2024 +0100

    torture4: Use netlogon_pings_send/recv in bench-cldap
    
    This slightly changes behaviour: It uses separate client sockets per
    ping instead of just one, but it allows to compare CLDAP with LDAP and
    LDAPS (spoiler: LDAPS is *much* slower...)
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 74cec52bab16e58254b41f4a444b4fe5a60d626b
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 15:35:37 2024 +0100

    libnet4: Use netlogon_pings() in finddcs_cldap
    
    Enable LDAPS lookups
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e7844537b676d3e69c2470899ab2fcb801f8cf23
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 13:06:13 2024 +0100

    libnet4: Use netlogon_pings() in unbecome_dc
    
    Enable LDAPS lookups
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bfa6f18a0e85d75240b3fbcd6c32be743789d4ee
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 12:43:53 2024 +0100

    libnet4: Use netlogon_pings() in become_dc
    
    Allow LDAPS netlogon pings
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 42cafe481d23f7f4ea58b17ec978e6836c0db4a6
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 12:12:57 2024 +0100

    libnet4: Use netlogon_pings() in findsite
    
    Enable LDAPS lookups
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3ecb665422351865c7b43baf9ba73b9b6d7f7d88
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 13:52:30 2024 +0100

    libnet: Initialize variables in libnet_FindSite()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit dcc276718545ec278243872149e8880f3842eb6f
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 08:58:54 2024 +0100

    libnet: Simplify error return in libnet_FindSite()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ccfbb5c2ed828e57232048c8118ba78dc6bb4674
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 08:55:33 2024 +0100

    libnet: Save a few lines with talloc_move()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit eb8767a076e38d35ea5cb8b8d11f0af1ba0d6518
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 15:01:57 2024 +0100

    libads: Move check_cldap_reply_required_flags() to netlogon_ping.c
    
    netlogon_ping.c depends on it but itself has fewer dependencies than
    cldap.c, so we can use it in more places
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fc7c55c9389ec001473f91208275676f382408ef
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 13:20:56 2024 +0100

    libads: Simplify ads_fill_cldap_reply()
    
    Both callers now guarantee via the filter in netlogon_pings() that the
    reply contains DCs that have the required flags set. Remove those
    checks from ads_fill_cldap_reply()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 759665fcf235c1f61f4963bd70eaa3ca3fa833a7
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 13:19:08 2024 +0100

    libads: Pass "required_flags" through ads_cldap_netlogon_5()
    
    ... down to netlogon_pings(). Passing 0 right now, this will change
    for some callers
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 808b79b4a9514422cab91934dd3e0f8068bd85bb
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 13:16:46 2024 +0100

    libads: Pass "required_flags" through ads_cldap_netlogon()
    
    ... down to netlogon_pings()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b80287096646525a6dddf5dbc2456a8365686bea
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 12:08:42 2024 +0100

    libads: Make ads_cldap_netlogon() static
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 523a1c6fa16fda4745497e60cb07749d2c84a2ea
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Oct 25 17:42:18 2024 +0200

    libads: remove cldap_multi_netlogon
    
    Replaced by netlogon_pings()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8bededd1b3dc0ce7f2a0ea43c78d319cbb8f98a2
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 12:06:05 2024 +0100

    libsmb: Use netlogon_pings() in dsgetdcname
    
    Use parallel requests and req_flags filtering provided by
    netlogon_pings()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit cb00b78fa0445c71e220311a3a98b5e6878d761f
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Oct 25 17:38:04 2024 +0200

    kerberos: Use netlogon_pings()
    
    This also makes sure we've got a KDC via DS_KDC_REQUIRED
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8a88f322db435b34c5ea8a94aa9ac0a674e1d895
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Oct 25 17:25:13 2024 +0200

    ldap: Use netlogon_pings
    
    This already requests the flags that ads_fill_cldap_reply() will later
    check for, so netlogon_pings will only feed sufficient DCs into
    ads_fill_cldap_reply.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit df2844ca8f1f9ef7a6e7e9e7485979a4ac93ff74
Author: Volker Lendecke <v...@samba.org>
Date:   Fri Oct 25 16:45:29 2024 +0200

    cldap: Use netlogon_pings()
    
    Allow LDAPS for ads_cldap_netlogon()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit cf66ff3d1b0cd0e6dbc8091ba0f184c336ef6126
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 24 13:55:35 2024 +0200

    libads: Add netlogon_pings()
    
    This encapsulates our logic that we send CLDAP requests on UDP/389,
    sending them with 100msec timeouts until someone replies. It also
    contains the code to do this over LDAP/389 or LDAPS/636.
    
    It also contains code to filter for domain controller flags like
    DS_ONLY_LDAP_NEEDED, this logic exists in several places right now.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
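
The commit above describes two behaviours: pings are started 100 msec apart until someone answers, and answers from DCs lacking the required flags are filtered out. The following is an added Python model of that loop written for this page, not Samba's netlogon_ping.c; the flag bit values, DC names and latencies are constructed, and DCs are simulated in-process so nothing touches the network.

```python
"""Model of a staggered netlogon ping loop: first usable reply wins.

Illustrative reimplementation, not Samba's netlogon_pings(): a new ping is
started every 100 ms while no usable reply has arrived, and replies whose DC
flags do not cover `required_flags` are discarded.
"""
import asyncio
from dataclasses import dataclass
from typing import Iterable, Optional

# Flag bits are constructed for this example; they are not Samba's real
# NBT_SERVER_* values.
DS_LDAP = 0x1      # DC answers LDAP (stands in for DS_ONLY_LDAP_NEEDED)
DS_KDC = 0x2       # DC runs a KDC (stands in for DS_KDC_REQUIRED)
DS_WRITABLE = 0x4  # DC is writable

PING_STAGGER = 0.1  # 100 ms between successive sends, as in the commit message


@dataclass
class SimulatedDC:
    name: str
    latency: float         # seconds until this DC's reply arrives
    flags: Optional[int]   # None models a DC that never answers (blocked UDP)


@dataclass
class PingReply:
    dc: str
    flags: int


async def _ping_one(dc: SimulatedDC) -> Optional[PingReply]:
    """Simulate one ping: wait for the DC's latency, then hand back its reply."""
    if dc.flags is None:
        await asyncio.sleep(3600)  # never answers; cancelled by the caller
        return None
    await asyncio.sleep(dc.latency)
    return PingReply(dc.name, dc.flags)


async def netlogon_pings(dcs: Iterable[SimulatedDC], required_flags: int,
                         timeout: float = 2.0) -> Optional[PingReply]:
    """Return the first reply carrying all of `required_flags`, else None.

    Candidates are started one at a time, PING_STAGGER apart; every started
    ping stays in flight until a usable reply arrives or `timeout` expires.
    """
    loop = asyncio.get_running_loop()
    to_send = list(dcs)
    pending: set = set()
    deadline = loop.time() + timeout
    next_send = loop.time()
    result = None
    try:
        while result is None:
            now = loop.time()
            if now >= deadline or (not pending and not to_send):
                break
            if to_send and now >= next_send:
                pending.add(asyncio.ensure_future(_ping_one(to_send.pop(0))))
                next_send = now + PING_STAGGER
            # Wake up for the next send while candidates remain, else at the deadline.
            wake_at = min(next_send, deadline) if to_send else deadline
            wait_for = max(0.0, wake_at - loop.time())
            if not pending:
                await asyncio.sleep(wait_for)
                continue
            done, pending = await asyncio.wait(
                pending, timeout=wait_for, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                reply = task.result()
                # The filter: a DC that answered but lacks a required flag is
                # ignored rather than handed to the caller.
                if reply is not None and (reply.flags & required_flags) == required_flags:
                    result = reply
                    break
    finally:
        for task in pending:
            task.cancel()
        if pending:
            await asyncio.gather(*pending, return_exceptions=True)
    return result


def find_dc(dcs, required_flags: int, timeout: float = 2.0) -> Optional[PingReply]:
    """Synchronous wrapper so the model can be driven from plain code."""
    return asyncio.run(netlogon_pings(dcs, required_flags, timeout))


# Constructed scenario: a quick DC without a KDC, one that never answers, and a
# slower full DC that is only pinged after two stagger intervals.
SAMPLE_DCS = [
    SimulatedDC("dc1", latency=0.15, flags=DS_LDAP),
    SimulatedDC("dc2", latency=0.0, flags=None),
    SimulatedDC("dc3", latency=0.05, flags=DS_LDAP | DS_KDC | DS_WRITABLE),
]
```

With the sample set, find_dc(SAMPLE_DCS, DS_LDAP) returns dc1, while find_dc(SAMPLE_DCS, DS_KDC) discards dc1's early reply and returns dc3; a flag nobody has yields None once the timeout expires.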

commit e88db0a6b519518febed4b4876acbc256dda23e8
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 31 17:04:44 2024 +0100

    tldap: Add tldap_context_create_from_plain_stream()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 24dc8ef1749b77c21031465c1c77dd7ec2508163
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 24 16:52:46 2024 +0200

    param: Add "client netlogon ping protocol"
    
    Allow "net ads join" in environments where UDP/389 is blocked. Code
    will follow.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b3a8f845ec30759fce7862bd4070f5248b9880c0
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Oct 24 16:15:55 2024 +0200

    lib: Add a few required includes
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit baeedee5345bcc77c282669f5e09c84443efcdcf
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 10:44:47 2024 +0100

    build: Remove the big samba3util dependency from TLDAP
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 469e1ebd71f08091f0b0ae2bb1d393261067fd5b
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 10:40:26 2024 +0100

    build: Make util_tsock its own subsystem
    
    One step to strip TLDAP deps
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 527d81fc5e358470b8c28caadf1240a0210c20b2
Author: Volker Lendecke <v...@samba.org>
Date:   Mon Oct 28 13:46:20 2024 +0100

    param: Remove parameter "cldap port"
    
    This was not used consistently across all of our code base, and I
    don't see a reason why this should ever not be port 389.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 43b2d4104b08d7f74f0d488e062401f3ef45bffe
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Oct 30 11:10:28 2024 +0100

    cldap: Make finddcs.out.netlogon a pointer
    
    struct netlogon_samlogon_response has subpointers, this patch enables
    a proper talloc hierarchy.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 31d1fc0912ac8950be6503c37fffc9fc0525a3d3
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Oct 30 11:07:53 2024 +0100

    cldap: Make cldap_netlogon.out.netlogon a pointer
    
    struct netlogon_samlogon_response has subpointers, this patch enables
    a proper talloc hierarchy.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a3f1cb15971642d2f4d698b0927862e628bba81c
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Oct 30 10:54:12 2024 +0100

    lib: Fix trailing whitespace
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6edd49c68b2b096eb9a1311201cbc70239a1a089
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 09:02:19 2024 +0100

    cldap: Remove cldap_netlogon->in.map_response
    
    We should not pass booleans down where the caller can do the same
    thing with equal effort
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 82d8f345f5785d7ede11f2fc3278ee59396f37db
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 09:01:43 2024 +0100

    libnet4: Call map_netlogon_samlogon_response directly
    
    Avoid using a boolean flag passed down
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit a3eb60e7c8f2533cb170c460e1cbad84cd9308da
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 09:00:34 2024 +0100

    libnet4: Call map_netlogon_samlogon_response directly
    
    Avoid using a boolean flag passed down
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d41efadde3c79e43ac7a95abdb530adeb05c9d8e
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 08:59:29 2024 +0100

    libnet4: Call map_netlogon_samlogon_response directly
    
    Avoid using a boolean flag passed down
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fc9810051e6c4ae46c0b8c661450a378ba8f4f37
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 08:57:53 2024 +0100

    libcli4: Call map_netlogon_samlogon_response directly
    
    Avoid using a boolean flag passed down
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit b5af90bd5c687e32e48495fadf128c7f15f44bfd
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Oct 29 08:55:13 2024 +0100

    torture4: Simplify [tcp|udp]_ldap_netlogon()
    
    Both callers set "map_response=true", so we don't need that flag here.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e54a4f06b31e1cbefcdf3b26c1d36cfa3a9e21e5
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Nov 7 11:17:12 2024 +0100

    tldap_tls: Remove tldap_[gs]et_starttls_needed()
    
    The caller setting up a tldap connection is aware of whether to use
    starttls, which is one single ldap extended operation before the tls
    crypto starts. There is no complex logic behind this that is
    worthwhile to be hidden behind a flag and an API. If there was more to
    it than just a simple call to tldap_extended(), I would be all for
    passing down that flag, but for this case I would argue the logic
    after this patch is simpler.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 2cc41bd6ae1c4136661578e20019f6365f306ca8
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Nov 7 10:53:48 2024 +0100

    tldap_tls: Move creation of tls_params out of tldap_tls_connect()
    
    Soon we will have a tldap user which does not want to verify the
    certs. Instead of passing another boolean down, hand in pre-created
    tstream_tls_params.
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 19ab2db59acaa4f9b9283ff9da88dc14b60fda46
Author: Volker Lendecke <v...@samba.org>
Date:   Thu Nov 7 10:48:52 2024 +0100

    tstream_tls: Add tstream_tls_params_peer_name()
    
    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  18 +
 docs-xml/smbdotconf/protocol/cldapport.xml         |  12 -
 .../security/clientnetlogonpingprotocol.xml        |  30 +
 ...nt4emulation.xml => neutralizent4emulation.xml} |   0
 lib/param/loadparm.c                               |   1 -
 lib/param/loadparm.h                               |   8 +
 lib/param/param_table.c                            |   8 +
 libcli/cldap/cldap.c                               | 302 -------
 libcli/cldap/cldap.h                               |  50 --
 libcli/netlogon/netlogon_proto.h                   |   6 +
 selftest/target/Samba3.pm                          |   3 +
 source3/include/tldap.h                            |   5 +-
 source3/lib/tldap.c                                |  48 +-
 source3/lib/tldap_tls_connect.c                    | 117 +--
 source3/lib/tldap_tls_connect.h                    |  10 +-
 source3/libads/cldap.c                             | 377 +--------
 source3/libads/cldap.h                             |  26 +-
 source3/libads/kerberos.c                          |  30 +-
 source3/libads/ldap.c                              |  44 +-
 source3/libads/netlogon_ping.c                     | 883 +++++++++++++++++++++
 source3/libads/netlogon_ping.h                     |  62 ++
 source3/libsmb/dsgetdcname.c                       | 142 ++--
 source3/param/loadparm.c                           |   2 -
 source3/torture/torture.c                          |  35 +-
 source3/utils/net_ads.c                            |   9 +-
 source3/winbindd/idmap_ad.c                        |  35 +-
 source3/wscript_build                              |  15 +-
 source4/cldap_server/cldap_server.c                |  37 +-
 source4/lib/tls/tls.h                              |   2 +
 source4/lib/tls/tls_tstream.c                      |   6 +
 source4/libcli/finddc.h                            |   4 +-
 source4/libcli/finddcs_cldap.c                     | 150 ++--
 source4/libcli/wscript_build                       |   2 +-
 source4/libnet/libnet_become_dc.c                  |  60 +-
 source4/libnet/libnet_lookup.c                     |   3 +-
 source4/libnet/libnet_site.c                       | 121 ++-
 source4/libnet/libnet_site.h                       |   1 -
 source4/libnet/libnet_unbecome_dc.c                |  57 +-
 source4/libnet/py_net.c                            |   8 +-
 source4/libnet/wscript_build                       |   2 +-
 source4/torture/ldap/cldap.c                       |   6 +-
 source4/torture/ldap/cldapbench.c                  |  46 +-
 source4/torture/ldap/common.c                      |   3 +
 source4/torture/ldap/netlogon.c                    | 401 ++++++----
 source4/torture/rpc/lsa.c                          |  86 +-
 45 files changed, 1842 insertions(+), 1431 deletions(-)
 delete mode 100644 docs-xml/smbdotconf/protocol/cldapport.xml
 create mode 100644 docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml
 rename docs-xml/smbdotconf/winbind/{netutralizent4emulation.xml => neutralizent4emulation.xml} (100%)
 create mode 100644 source3/libads/netlogon_ping.c
 create mode 100644 source3/libads/netlogon_ping.h


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index de4bb9d6e4e..9a056da4810 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -28,6 +28,16 @@ for more details.
 SMB3 Directory Leases allow clients to cache directory listings and, depending
 on the workload, result in a decent reduction in SMB requests from clients.
 
+Netlogon Ping over LDAP and LDAPS
+---------------------------------
+
+Samba must query domain controller information via simple queries on
+the AD rootdse's netlogon attribute. Typically this is done via
+connectionless LDAP, using UDP on port 389. The same information is
+also available via classic LDAP rootdse queries over TCP. Samba can
+now be configured to use TCP via the new "client netlogon ping
+protocol" parameter to enable running in environments where firewalls
+completely block port 389 or UDP traffic to domain controllers.
 
 REMOVED FEATURES
 ================
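Review bot: the new section says the parameter lets Samba "use TCP" but never names the values it accepts, although the parameter file added in this same changeset documents cldap, ldap, ldaps and starttls; the WHATSNEW text should list them and say which ones carry the query inside TLS (ldaps on TCP/636, starttls on TCP/389) so that an administrator picking a value for a firewalled environment knows what the trade-off is. The opening sentence "Samba must query domain controller information via simple queries on the AD rootdse's netlogon attribute" also reads awkwardly; "Samba locates domain controllers by querying the netlogon attribute of the AD rootDSE" would be clearer.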
@@ -35,6 +45,12 @@ REMOVED FEATURES
 The "nmbd proxy logon" feature was removed. This was used before
 Samba4 acquired a NBT server.
 
+The parameter "cldap port" has been removed. CLDAP runs over UDP port
+389, we don't see a reason why this should ever be changed to a
+different port. Moreover, we had several places in the code where
+Samba did not respect this parameter, so the behaviour was at least
+inconsistent.
+
 fruit:posix_rename
 ------------------
 
@@ -57,7 +73,9 @@ smb.conf changes
   --------------                          -----------     -------
   smb3 directory leases                   New             Auto
   vfs mkdir use tmp name                  New             Auto
+  client netlogon ping protocol           New             cldap
   fruit:posix_rename                      Removed
+  cldap port                              Removed
 
 KNOWN ISSUES
 ============
diff --git a/docs-xml/smbdotconf/protocol/cldapport.xml 
b/docs-xml/smbdotconf/protocol/cldapport.xml
deleted file mode 100644
index 3fcb2b369a4..00000000000
--- a/docs-xml/smbdotconf/protocol/cldapport.xml
+++ /dev/null
@@ -1,12 +0,0 @@
-<samba:parameter name="cldap port"
-                 context="G"
-                 type="integer"
-                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
-<description>
-    <para>This option controls the port used by the CLDAP protocol.
-</para>
-</description>
-
-<value type="default">389</value>
-<value type="example">3389</value>
-</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml 
b/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml
new file mode 100644
index 00000000000..a616c7b0113
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientnetlogonpingprotocol.xml
@@ -0,0 +1,30 @@
+<samba:parameter name="client netlogon ping protocol"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_client_netlogon_ping_protocol"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+        <para>This option controls the protocol Samba uses to issue netlogon
+        ping requests. This is normally done via connectionless ldap, but
+        some installations require LDAPS over TCP port 636 for this.
+       </para>
+
+       <para>Possible values are :</para>
+       <itemizedlist>
+         <listitem>
+           <para><constant>CLDAP</constant></para>
+         </listitem>
+         <listitem>
+           <para><constant>LDAP</constant></para>
+         </listitem>
+         <listitem>
+           <para><constant>LDAPS</constant></para>
+         </listitem>
+         <listitem>
+           <para><constant>STARTTLS</constant></para>
+         </listitem>
+       </itemizedlist>
+</description>
+
+<value type="default">CLDAP</value>
+</samba:parameter>
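Review bot: the description in this hunk documents only the LDAPS case ("some installations require LDAPS over TCP port 636") while the enum lists four values; each value should say what it does on the wire (CLDAP: UDP/389; LDAP: plain TCP/389; LDAPS: TLS on TCP/636; STARTTLS: TCP/389 with the StartTLS extended operation before TLS starts, as commit e54a4f06b31 in this series describes) and whether the server certificate is verified for the TLS variants, given that commit 2cc41bd6ae1 mentions a tldap user that does not verify certs. Style nits: "Possible values are :" has a stray space before the colon, "connectionless ldap" should be "connectionless LDAP", and the para indentation mixes eight and seven spaces.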
diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml 
b/docs-xml/smbdotconf/winbind/neutralizent4emulation.xml
similarity index 100%
rename from docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
rename to docs-xml/smbdotconf/winbind/neutralizent4emulation.xml
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index c867527f255..aecde4ab8bd 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2840,7 +2840,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX 
*mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "smb ports", "445 139");
        lpcfg_do_global_parameter_var(lp_ctx, "nbt port", "%d", 
NBT_NAME_SERVICE_PORT);
        lpcfg_do_global_parameter_var(lp_ctx, "dgram port", "%d", 
NBT_DGRAM_SERVICE_PORT);
-       lpcfg_do_global_parameter(lp_ctx, "cldap port", "389");
        lpcfg_do_global_parameter(lp_ctx, "krb5 port", "88");
        lpcfg_do_global_parameter(lp_ctx, "kpasswd port", "464");
        lpcfg_do_global_parameter_var(lp_ctx, "dns port", "%d", 
DNS_SERVICE_PORT);
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 7e9e5d2da3f..32788e37391 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -265,6 +265,14 @@ enum acl_claims_evaluation {
        ACL_CLAIMS_EVALUATION_NEVER
 };
 
+/* Controlling the protocol for netlogon ping */
+enum client_netlogon_ping_protocol {
+       CLIENT_NETLOGON_PING_CLDAP,
+       CLIENT_NETLOGON_PING_LDAP,
+       CLIENT_NETLOGON_PING_LDAPS,
+       CLIENT_NETLOGON_PING_STARTTLS
+};
+
 /*
  * Default passwd chat script.
  */
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 229585b2807..f2a5a7ec40d 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -449,6 +449,14 @@ static const struct enum_list enum_acl_claims_evaluation[] 
= {
        {-1, NULL}
 };
 
+static const struct enum_list enum_client_netlogon_ping_protocol[] = {
+       {CLIENT_NETLOGON_PING_CLDAP, "cldap"},
+       {CLIENT_NETLOGON_PING_LDAP, "ldap"},
+       {CLIENT_NETLOGON_PING_LDAPS, "ldaps"},
+       {CLIENT_NETLOGON_PING_STARTTLS, "starttls"},
+       {-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/libcli/cldap/cldap.c b/libcli/cldap/cldap.c
index 022bb2bfa21..77b8b30792c 100644
--- a/libcli/cldap/cldap.c
+++ b/libcli/cldap/cldap.c
@@ -897,305 +897,3 @@ NTSTATUS cldap_search(struct cldap_socket *cldap,
        TALLOC_FREE(frame);
        return NT_STATUS_OK;
 }
-
-struct cldap_netlogon_state {
-       struct cldap_search search;
-};
-
-char *cldap_netlogon_create_filter(TALLOC_CTX *mem_ctx,
-                                  const struct cldap_netlogon *io)
-{
-       char *filter;
-
-       filter = talloc_asprintf(mem_ctx, "(&(NtVer=%s)",
-                                ldap_encode_ndr_uint32(mem_ctx, 
io->in.version));
-
-       if (io->in.user) {
-               talloc_asprintf_addbuf(&filter, "(User=%s)", io->in.user);
-       }
-       if (io->in.host) {
-               talloc_asprintf_addbuf(&filter, "(Host=%s)", io->in.host);
-       }
-       if (io->in.realm) {
-               talloc_asprintf_addbuf(&filter, "(DnsDomain=%s)", io->in.realm);
-       }
-       if (io->in.acct_control != -1) {
-               talloc_asprintf_addbuf(
-                       &filter,
-                       "(AAC=%s)",
-                       ldap_encode_ndr_uint32(mem_ctx, io->in.acct_control));
-       }
-       if (io->in.domain_sid) {
-               struct dom_sid *sid = dom_sid_parse_talloc(mem_ctx, 
io->in.domain_sid);
-
-                talloc_asprintf_addbuf(&filter, "(domainSid=%s)",
-                                       ldap_encode_ndr_dom_sid(mem_ctx, sid));
-       }
-       if (io->in.domain_guid) {
-               struct GUID guid;
-               GUID_from_string(io->in.domain_guid, &guid);
-
-               talloc_asprintf_addbuf(&filter, "(DomainGuid=%s)",
-                                      ldap_encode_ndr_GUID(mem_ctx, &guid));
-       }
-       talloc_asprintf_addbuf(&filter, ")");
-
-       return filter;
-}
-
-static void cldap_netlogon_state_done(struct tevent_req *subreq);
-/*
-  queue a cldap netlogon for send
-*/
-struct tevent_req *cldap_netlogon_send(TALLOC_CTX *mem_ctx,
-                                      struct tevent_context *ev,
-                                      struct cldap_socket *cldap,
-                                      const struct cldap_netlogon *io)
-{
-       struct tevent_req *req, *subreq;
-       struct cldap_netlogon_state *state;
-       char *filter;
-       static const char * const attr[] = { "NetLogon", NULL };
-
-       req = tevent_req_create(mem_ctx, &state,
-                               struct cldap_netlogon_state);
-       if (!req) {
-               return NULL;
-       }
-
-       filter = cldap_netlogon_create_filter(state, io);
-       if (tevent_req_nomem(filter, req)) {
-               goto post;
-       }
-
-       if (io->in.dest_address) {
-               state->search.in.dest_address = talloc_strdup(state,
-                                               io->in.dest_address);
-               if (tevent_req_nomem(state->search.in.dest_address, req)) {
-                       goto post;
-               }
-               state->search.in.dest_port = io->in.dest_port;
-       } else {
-               state->search.in.dest_address   = NULL;
-               state->search.in.dest_port      = 0;
-       }
-       state->search.in.filter         = filter;
-       state->search.in.attributes     = attr;
-       state->search.in.timeout        = 2;
-       state->search.in.retries        = 2;
-
-       subreq = cldap_search_send(state, ev, cldap, &state->search);
-       if (tevent_req_nomem(subreq, req)) {
-               goto post;
-       }
-       tevent_req_set_callback(subreq, cldap_netlogon_state_done, req);
-
-       return req;
-post:
-       return tevent_req_post(req, ev);
-}
-
-static void cldap_netlogon_state_done(struct tevent_req *subreq)
-{
-       struct tevent_req *req = tevent_req_callback_data(subreq,
-                                struct tevent_req);
-       struct cldap_netlogon_state *state = tevent_req_data(req,
-                                            struct cldap_netlogon_state);
-       NTSTATUS status;
-
-       status = cldap_search_recv(subreq, state, &state->search);
-       talloc_free(subreq);
-
-       if (tevent_req_nterror(req, status)) {
-               return;
-       }
-
-       tevent_req_done(req);
-}
-
-/*
-  receive a cldap netlogon reply
-*/
-NTSTATUS cldap_netlogon_recv(struct tevent_req *req,
-                            TALLOC_CTX *mem_ctx,
-                            struct cldap_netlogon *io)
-{
-       struct cldap_netlogon_state *state = tevent_req_data(req,
-                                            struct cldap_netlogon_state);
-       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-       DATA_BLOB *data;
-
-       if (tevent_req_is_nterror(req, &status)) {
-               goto failed;
-       }
-
-       if (state->search.out.response == NULL) {
-               status = NT_STATUS_NOT_FOUND;
-               goto failed;
-       }
-
-       if (state->search.out.response->num_attributes != 1 ||
-           strcasecmp(state->search.out.response->attributes[0].name, 
"netlogon") != 0 ||
-           state->search.out.response->attributes[0].num_values != 1 ||
-           state->search.out.response->attributes[0].values->length < 2) {
-               status = NT_STATUS_UNEXPECTED_NETWORK_ERROR;
-               goto failed;
-       }
-       data = state->search.out.response->attributes[0].values;
-
-       status = pull_netlogon_samlogon_response(data, mem_ctx,
-                                                &io->out.netlogon);
-       if (!NT_STATUS_IS_OK(status)) {
-               goto failed;
-       }
-
-       if (io->in.map_response) {
-               map_netlogon_samlogon_response(&io->out.netlogon);
-       }
-
-       status =  NT_STATUS_OK;
-failed:
-       tevent_req_received(req);
-       return status;
-}
-
-/*
-  sync cldap netlogon search
-*/
-NTSTATUS cldap_netlogon(struct cldap_socket *cldap,
-                       TALLOC_CTX *mem_ctx,
-                       struct cldap_netlogon *io)
-{
-       TALLOC_CTX *frame;
-       struct tevent_req *req;
-       struct tevent_context *ev;
-       NTSTATUS status = NT_STATUS_NO_MEMORY;
-
-       if (cldap->searches.list) {
-               return NT_STATUS_PIPE_BUSY;
-       }
-
-       if (cldap->incoming.handler) {
-               return NT_STATUS_INVALID_PIPE_STATE;
-       }
-
-       frame = talloc_stackframe();
-
-       ev = samba_tevent_context_init(frame);
-       if (ev == NULL) {
-               goto done;
-       }
-       req = cldap_netlogon_send(mem_ctx, ev, cldap, io);
-       if (req == NULL) {
-               goto done;
-       }
-       if (!tevent_req_poll_ntstatus(req, ev, &status)) {
-               goto done;
-       }
-       status = cldap_netlogon_recv(req, mem_ctx, io);
-       if (!NT_STATUS_IS_OK(status)) {
-               goto done;
-       }
-done:
-       TALLOC_FREE(frame);
-       return status;
-}
-
-
-/*
-  send an empty reply (used on any error, so the client doesn't keep waiting
-  or send the bad request again)
-*/
-NTSTATUS cldap_empty_reply(struct cldap_socket *cldap,
-                          uint32_t message_id,
-                          struct tsocket_address *dest)
-{
-       NTSTATUS status;
-       struct cldap_reply reply;
-       struct ldap_Result result;
-
-       reply.messageid    = message_id;
-       reply.dest         = dest;
-       reply.response     = NULL;
-       reply.result       = &result;
-
-       ZERO_STRUCT(result);
-
-       status = cldap_reply_send(cldap, &reply);
-
-       return status;
-}
-
-/*
-  send an error reply (used on any error, so the client doesn't keep waiting
-  or send the bad request again)
-*/
-NTSTATUS cldap_error_reply(struct cldap_socket *cldap,
-                          uint32_t message_id,
-                          struct tsocket_address *dest,
-                          int resultcode,
-                          const char *errormessage)
-{
-       NTSTATUS status;
-       struct cldap_reply reply;
-       struct ldap_Result result;
-
-       reply.messageid    = message_id;
-       reply.dest         = dest;
-       reply.response     = NULL;
-       reply.result       = &result;
-
-       ZERO_STRUCT(result);
-       result.resultcode       = resultcode;
-       result.errormessage     = errormessage;
-
-       status = cldap_reply_send(cldap, &reply);
-
-       return status;
-}
-
-
-/*
-  send a netlogon reply 
-*/
-NTSTATUS cldap_netlogon_reply(struct cldap_socket *cldap,
-                             uint32_t message_id,
-                             struct tsocket_address *dest,
-                             uint32_t version,
-                             struct netlogon_samlogon_response *netlogon)
-{
-       NTSTATUS status;
-       struct cldap_reply reply;
-       struct ldap_SearchResEntry response;
-       struct ldap_Result result;
-       TALLOC_CTX *tmp_ctx = talloc_new(cldap);
-       DATA_BLOB blob;
-
-       status = push_netlogon_samlogon_response(&blob, tmp_ctx,
-                                                netlogon);
-       if (!NT_STATUS_IS_OK(status)) {
-               talloc_free(tmp_ctx);
-               return status;
-       }
-       reply.messageid    = message_id;
-       reply.dest         = dest;
-       reply.response     = &response;
-       reply.result       = &result;
-
-       ZERO_STRUCT(result);
-
-       response.dn = "";
-       response.num_attributes = 1;
-       response.attributes = talloc(tmp_ctx, struct ldb_message_element);
-       NT_STATUS_HAVE_NO_MEMORY(response.attributes);
-       response.attributes->name = "netlogon";
-       response.attributes->num_values = 1;
-       response.attributes->values = &blob;
-
-       status = cldap_reply_send(cldap, &reply);
-
-       talloc_free(tmp_ctx);
-
-       return status;
-}
-
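Review bot: cldap_netlogon_create_filter(), as removed here, inserts io->in.user, io->in.host and io->in.realm straight into the LDAP filter via talloc_asprintf_addbuf() and never checks the return of dom_sid_parse_talloc() or GUID_from_string() before handing the results to ldap_encode_ndr_dom_sid() and ldap_encode_ndr_GUID(); dropping it from libcli is fine, but if this builder is being re-homed rather than deleted outright, the new copy should escape (or restrict to caller constants) the filter values and fail on a NULL sid or a bad GUID string instead of encoding garbage. Likewise cldap_netlogon_reply() leaks tmp_ctx on the NT_STATUS_HAVE_NO_MEMORY(response.attributes) path, so do not carry that pattern over either.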
diff --git a/libcli/cldap/cldap.h b/libcli/cldap/cldap.h
index cd76fee60f3..80fd6d222e3 100644
--- a/libcli/cldap/cldap.h
+++ b/libcli/cldap/cldap.h
@@ -82,53 +82,3 @@ struct cldap_reply {
 };
 
 NTSTATUS cldap_reply_send(struct cldap_socket *cldap, struct cldap_reply *io);
-
-NTSTATUS cldap_empty_reply(struct cldap_socket *cldap,
-                          uint32_t message_id,
-                          struct tsocket_address *dst);
-NTSTATUS cldap_error_reply(struct cldap_socket *cldap,
-                          uint32_t message_id,
-                          struct tsocket_address *dst,
-                          int resultcode,
-                          const char *errormessage);
-
-/*
-  a netlogon cldap request  
-*/
-struct cldap_netlogon {
-       struct {
-               const char *dest_address;
-               uint16_t dest_port;
-               const char *realm;
-               const char *host;
-               const char *user;
-               const char *domain_guid;
-               const char *domain_sid;
-               int acct_control;
-               uint32_t version;
-               bool map_response;
-       } in;
-       struct {
-               struct netlogon_samlogon_response netlogon;
-       } out;
-};
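Review bot: with the cldap_empty_reply() and cldap_error_reply() prototypes gone, cldap_reply_send() is the only reply helper still exported from cldap.h, so any remaining caller has to build a struct cldap_reply itself; if a definition of either function survives in another translation unit it must be made static there, otherwise it becomes an undeclared exported symbol that -Wmissing-prototypes will flag. Note also that the removed prototypes named the address parameter "dst" while the removed definitions used "dest", so grep for both spellings when checking for leftover callers.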


-- 
Samba Shared Repository

