[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  d5f845c s3: Make an if statement a bit easier to read
       via  5e0365d Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges.
       via  6550bc0 Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing.
       via  64e57a1 Add a comment showing where to set log level in tests.
       via  4645564 Change the S3 fileserver over to se_file_access_check().
       via  2b89e1a Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter.
       via  69d925d SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed).
      from  4d7dad1 s4-dsdb: Remove unused variables

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit d5f845c0d3ca185181760bce3731d31a71db4f32
Author: Volker Lendecke
Date:   Fri Aug 31 14:11:45 2012 +0200

    s3: Make an if statement a bit easier to read

    Fix indentation a bit

    Signed-off-by: Jeremy Allison

    Autobuild-User(master): Jeremy Allison
    Autobuild-Date(master): Sat Sep 1 07:07:12 CEST 2012 on sn-devel-104

commit 5e0365dfe891f556eed180bc44ac7120c37141fb
Author: Jeremy Allison
Date:   Fri Aug 31 14:42:21 2012 -0700

    Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges.

    Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT.

commit 6550bc0d26278ce96a2a752231efef274c0dcf12
Author: Jeremy Allison
Date:   Fri Aug 31 12:42:16 2012 -0700

    Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing.

commit 64e57a1770b61593082ddd1191f26fa314ddafcd
Author: Jeremy Allison
Date:   Fri Aug 31 12:41:48 2012 -0700

    Add a comment showing where to set log level in tests.

commit 46455642a78f7a1c60f56dec8ad907d0cfd326ea
Author: Jeremy Allison
Date:   Mon Aug 27 16:07:32 2012 -0700

    Change the S3 fileserver over to se_file_access_check().

    Don't set the priv_open_requested yet until the open-for-backup request is correctly passed in.

commit 2b89e1a20a6c726e5c3219a944143f0beb7c5920
Author: Jeremy Allison
Date:   Mon Aug 27 15:41:18 2012 -0700

    Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter.

commit 69d925d110a23e9f1cf9e6013729eb611b8ab58a
Author: Jeremy Allison
Date:   Mon Aug 27 14:15:35 2012 -0700

    SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed).

    Ensure the privilege rights are always specific rights, not generic. By the time the privilege rights are examined, we've already mapped from generic to specific in the access_mask.

--- Summary of changes: libcli/security/access_check.c | 86 +++--- libcli/security/access_check.h | 11 librpc/idl/security.idl | 15 ++--- selftest/knownfail |1 + selftest/target/Samba4.pm|3 + source3/lib/sharesec.c |2 +- source3/smbd/open.c | 20 --- source4/torture/basic/denytest.c | 31 - source4/torture/rpc/samba3rpc.c | 123 +- source4/torture/rpc/testjoin.c | 74 +++ 10 files changed, 320 insertions(+), 46 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c index 7f08cb5..9153dad 100644 --- a/libcli/security/access_check.c +++ b/libcli/security/access_check.c @@ -274,16 +274,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd, } } - /* TODO: remove this, as it is file server specific */ - if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) && - security_token_has_privilege(token, SEC_PRIV_RESTORE)) { - bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE); - } - if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) && - security_token_has_privilege(token, SEC_PRIV_BACKUP)) { - bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP); - } - if ((bits_remaining & SEC_STD_WRITE_OWNER) && security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) { bits_remaining &= ~(SEC_STD_WRITE_OWNER); @@ -29
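Review bot: In the `@@ -274,16 +274,6 @@` hunk of libcli/security/access_check.c, se_access_check() stops clearing SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP for tokens that hold SEC_PRIV_RESTORE or SEC_PRIV_BACKUP, and nothing left in the function documents that change of contract. The SEC_STD_WRITE_OWNER / SEC_PRIV_TAKE_OWNERSHIP override stays in place directly below the removed lines, so a comment at that spot saying that backup and restore privileges are now honoured only through se_file_access_check() would stop a later caller from assuming se_access_check() still grants them. Because the log for 4645564 says priv_open_requested is not set yet, access_check.h should also state what a backup or restore privilege holder is granted in the interim.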
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4d7dad1 s4-dsdb: Remove unused variables via 8557c69 s4-kdc: Improve grammer and clarity of password change failure messages. via f0a9180 s3: Fix warnings in aio_fork.c via 2ffe690 s3: Remove a shadowing variable declaration via 01ade93 s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context from c256566 s4 dns: Store TKEYs in a ringbuffer http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4d7dad13158fe6d998d7f63ed0f4ac7935a29bf8 Author: Andrew Bartlett Date: Sat Sep 1 11:36:36 2012 +1000 s4-dsdb: Remove unused variables Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sat Sep 1 05:10:47 CEST 2012 on sn-devel-104 commit 8557c692f613847d190891b6d79498f4e8fb9096 Author: Andrew Bartlett Date: Sat Sep 1 11:34:33 2012 +1000 s4-kdc: Improve grammer and clarity of password change failure messages. This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case. Andrew Bartlett commit f0a9180ae9dd565e4772ba9027ade0edfe1fc8d8 Author: Volker Lendecke Date: Fri Aug 31 14:45:08 2012 +0200 s3: Fix warnings in aio_fork.c commit 2ffe69082e23675a96e59eea0954a6b17530e82c Author: Volker Lendecke Date: Fri Aug 31 14:17:49 2012 +0200 s3: Remove a shadowing variable declaration commit 01ade93c7c0c2f2e992f5295976bbfc20429023a Author: Andrew Bartlett Date: Sat Sep 1 11:29:46 2012 +1000 s4-dsdb: Remove unused tmp_ctx leaked onto long-term ldb_context This was found based on a log provided by Ricky Nance . Thanks Ricky! Andrew Bartlett --- Summary of changes: source3/modules/vfs_aio_fork.c |6 -- source3/passdb/lookup_sid.c|2 -- source4/dsdb/common/util.c |5 - source4/kdc/kpasswdd.c |7 +++ 4 files changed, 7 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_aio_fork.c b/source3/modules/vfs_aio_fork.c index 2ec3d3d..3db336f 100644 --- a/source3/modules/vfs_aio_fork.c +++ b/source3/modules/vfs_aio_fork.c 
@@ -590,9 +590,10 @@ static struct tevent_req *aio_fork_pread_send(struct vfs_handle_struct *handle, ssize_t written; int err; struct aio_fork_config *config; + SMB_VFS_HANDLE_GET_DATA(handle, config, struct aio_fork_config, - return -1); + return NULL); req = tevent_req_create(mem_ctx, &state, struct aio_fork_pread_state); if (req == NULL) { @@ -821,9 +822,10 @@ static struct tevent_req *aio_fork_fsync_send( ssize_t written; int err; struct aio_fork_config *config; + SMB_VFS_HANDLE_GET_DATA(handle, config, struct aio_fork_config, - return -1); + return NULL); req = tevent_req_create(mem_ctx, &state, struct aio_fork_fsync_state); if (req == NULL) { diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 530fa6b..76a454c 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -1096,8 +1096,6 @@ static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) if ((sid_check_is_in_builtin(psid) || sid_check_is_in_wellknown_domain(psid))) { - bool ret; - map = talloc_zero(NULL, GROUP_MAP); if (!map) { return false; diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 5d73df2..086f2a5 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -1618,12 +1618,10 @@ int samdb_reference_dn(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_ int samdb_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *dn, bool *is_ntdsa) { NTSTATUS status; - TALLOC_CTX *tmp_ctx = talloc_new(ldb); struct GUID dn_guid; const struct GUID *our_ntds_guid; status = dsdb_get_extended_dn_guid(dn, &dn_guid, "GUID"); if (!NT_STATUS_IS_OK(status)) { - talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } 
@@ -1645,10 +1643,7 @@ int samdb_reference_dn_is_our_ntdsa(struct ldb_context *ldb, struct ldb_dn *base { int ret; struct ldb_dn *referenced_dn; - NTSTATUS status; TALLOC_CTX *tmp_ctx = talloc_new(ldb); - struct GUID referenced_guid; - const struct GUID *our_ntds_guid; if (tmp_ctx == NULL) { return LDB_ERR_OPERATIONS_ERROR; } diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index c05ea82..5558794 100644
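Review bot: In the `@@ -1645,10 +1643,7 @@` hunk of source4/dsdb/common/util.c, samdb_reference_dn_is_our_ntdsa() keeps `TALLOC_CTX *tmp_ctx = talloc_new(ldb)`, the same parenting onto the long-lived ldb context that the preceding hunk removes from samdb_dn_is_our_ntdsa() as a leak. The hunk shows only the allocation and the `tmp_ctx == NULL` check, so please confirm that every return path after it calls talloc_free(tmp_ctx); a missed path grows the ldb context on each call. Hanging the temporary context off a shorter-lived parent would bound the damage if one is missed.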
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c256566 s4 dns: Store TKEYs in a ringbuffer from e4505fc tdb: return unpack error on strdup failure http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c256566aa97e040a9b3007c779b1006d20462ccb Author: Kai Blin Date: Fri Aug 31 13:41:19 2012 +0200 s4 dns: Store TKEYs in a ringbuffer This stops us from potentially being DoSed by tons of TKEYs Autobuild-User(master): Kai Blin Autobuild-Date(master): Fri Aug 31 22:46:01 CEST 2012 on sn-devel-104 --- Summary of changes: source4/dns_server/dns_query.c | 125 ++- source4/dns_server/dns_server.c | 27 source4/dns_server/dns_server.h | 11 +++- 3 files changed, 106 insertions(+), 57 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index e9c3a24..530b7b2 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -36,7 +36,6 @@ #include "auth/auth.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" -#include "lib/util/dlinklist.h" static WERROR create_response_rr(const struct dns_name_question *question, const struct dnsp_DnssrvRpcRecord *rec, 
@@ -321,19 +320,73 @@ static WERROR handle_question(struct dns_server *dns, return WERR_OK; } -static NTSTATUS create_new_tkey(TALLOC_CTX *mem_ctx, - struct dns_server *dns, - struct dns_server_tkey **tkey, - const char* name) +static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, + struct dns_server *dns, + struct dns_server_tkey *tkey, + const DATA_BLOB *key, + DATA_BLOB *reply, + uint16_t *dns_auth_error) +{ + NTSTATUS status; + + status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx, + *key, reply); + + if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { + *dns_auth_error = DNS_RCODE_OK; + return status; + } + + if (NT_STATUS_IS_OK(status)) { + + status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info); + if (!NT_STATUS_IS_OK(status)) { + *dns_auth_error = DNS_RCODE_BADKEY; + return status; + } + *dns_auth_error = DNS_RCODE_OK; + } + + return status; +} + +static struct dns_server_tkey *find_tkey(struct dns_server_tkey_store *store, +const char *name) +{ + struct dns_server_tkey *tkey = NULL; + uint16_t i = 0; + + do { + struct dns_server_tkey *tmp_key = store->tkeys[i]; + + i++; + i %= TKEY_BUFFER_SIZE; + + if (tmp_key == NULL) { + continue; + } + if (dns_name_equal(name, tmp_key->name)) { + tkey = tmp_key; + break; + } + } while (i != 0); + + return tkey; +} + +static NTSTATUS create_tkey(struct dns_server *dns, + const char* name, + struct dns_server_tkey **tkey) { NTSTATUS status; - struct dns_server_tkey *k = talloc_zero(mem_ctx, struct dns_server_tkey); + struct dns_server_tkey_store *store = dns->tkeys; + struct dns_server_tkey *k = talloc_zero(store, struct dns_server_tkey); if (k == NULL) { return NT_STATUS_NO_MEMORY; } - k->name = talloc_strdup(mem_ctx, name); + k->name = talloc_strdup(k, name); if (k->name == NULL) { return NT_STATUS_NO_MEMORY; 
@@ -363,52 +416,16 @@ static NTSTATUS create_new_tkey(TALLOC_CTX *mem_ctx, return status; } - *tkey = k; - return NT_STATUS_OK; -} - -static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, - struct dns_server *dns, - struct dns_server_tkey *tkey, - const DATA_BLOB *key, - DATA_BLOB *reply, - uint16_t *dns_auth_error) -{ - NTSTATUS status; - - status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx, - *key, reply); - - if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { - *dns_auth_error = DNS_RCODE_OK; - return status; + if (store->tkeys[store->n
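Review bot: In create_tkey() (hunk `@@ -321,19 +320,73 @@` of source4/dns_server/dns_query.c), `k` is now allocated on the long-lived `store`, yet the `k->name == NULL` branch still returns NT_STATUS_NO_MEMORY without freeing it, so each failed allocation leaves a dns_server_tkey attached to the store but outside the ring slots. Add talloc_free(k) before that return, and on the other early returns that follow the allocation, so that the memory bound the ringbuffer is meant to provide also holds on error paths. In find_tkey(), the do/while with `i++; i %= TKEY_BUFFER_SIZE;` visits each slot exactly once starting from 0; a plain for loop over TKEY_BUFFER_SIZE would say that more directly.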
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e4505fc tdb: return unpack error on strdup failure from 85706c4 s3: Fix a few "warning: ISO C90 forbids mixed declarations and code" http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e4505fc27bf31dbf922635fac19ea52a2a002bd4 Author: David Disseldorp Date: Fri Aug 31 17:41:31 2012 +0200 tdb: return unpack error on strdup failure Signed-off-by: Lars Müller Autobuild-User(master): David Disseldorp Autobuild-Date(master): Fri Aug 31 21:05:21 CEST 2012 on sn-devel-104 --- Summary of changes: source3/lib/util_tdb.c |3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c index c6c6d26..8bfc75f 100644 --- a/source3/lib/util_tdb.c +++ b/source3/lib/util_tdb.c @@ -237,6 +237,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...) if (bufsize < len) goto no_space; *ps = SMB_STRDUP((const char *)buf); + if (*ps == NULL) { + goto no_space; + } break; case 'f': /* null-terminated string */ s = va_arg(ap,char *); -- Samba Shared Repository
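Review bot: The added `if (*ps == NULL) { goto no_space; }` in tdb_unpack() (hunk `@@ -237,6 +237,9 @@` of source3/lib/util_tdb.c) sends an out-of-memory condition to the same label as the `bufsize < len` check directly above it, so a caller cannot tell a short buffer from a failed SMB_STRDUP(). A comment at the jump, or a DEBUG message naming the allocation failure, would make that explicit. The hunk does not show the no_space cleanup, so also check whether strings duplicated for earlier format items in the same call are released on this path.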
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 85706c4 s3: Fix a few "warning: ISO C90 forbids mixed declarations and code" from 2eb606b s3:build fix autoconf build on RHEL5 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 85706c4e168d90f329372b7411223cb2291ec9f6 Author: Volker Lendecke Date: Fri Aug 31 14:10:02 2012 +0200 s3: Fix a few "warning: ISO C90 forbids mixed declarations and code" Autobuild-User(master): Björn Jacke Autobuild-Date(master): Fri Aug 31 19:24:47 CEST 2012 on sn-devel-104 --- Summary of changes: source3/modules/vfs_media_harmony.c | 388 +-- 1 files changed, 234 insertions(+), 154 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/modules/vfs_media_harmony.c b/source3/modules/vfs_media_harmony.c index 53cb176..e1de153 100644 --- a/source3/modules/vfs_media_harmony.c +++ b/source3/modules/vfs_media_harmony.c @@ -132,11 +132,11 @@ typedef struct mh_dirinfo_struct static int alloc_append_client_suffix(vfs_handle_struct *handle, char **path) { - DEBUG(MH_INFO_DEBUG, ("Entering with *path '%s'\n", *path)); - int status = 0; char *raddr = NULL; + DEBUG(MH_INFO_DEBUG, ("Entering with *path '%s'\n", *path)); + raddr = tsocket_address_inet_addr_string( handle->conn->sconn->remote_address, talloc_tos()); if (raddr == NULL) @@ -172,10 +172,10 @@ err: */ static bool is_apple_double(const char* fname) { - DEBUG(MH_INFO_DEBUG, ("Entering with fname '%s'\n", fname)); - bool ret = False; + DEBUG(MH_INFO_DEBUG, ("Entering with fname '%s'\n", fname)); + if (strncmp(APPLE_DOUBLE_PREFIX, fname, APPLE_DOUBLE_PREFIX_LEN) == 0) { 
@@ -189,12 +189,12 @@ static bool is_apple_double(const char* fname) static bool starts_with_media_dir(const char* media_dirname, size_t media_dirname_len, const char* path) { - DEBUG(MH_INFO_DEBUG, ("Entering with media_dirname '%s' " - "path '%s'\n", media_dirname, path)); - bool ret = False; char* path_start; + DEBUG(MH_INFO_DEBUG, ("Entering with media_dirname '%s' " + "path '%s'\n", media_dirname, path)); + /* Sometimes Samba gives us "./OMFI MediaFiles". */ if (strncmp(path, "./", 2) == 0) { @@ -230,10 +230,10 @@ static bool starts_with_media_dir(const char* media_dirname, */ static bool is_in_media_files(const char* path) { - DEBUG(MH_INFO_DEBUG, ("Entering with path '%s'\n", path)); - bool ret = False; + DEBUG(MH_INFO_DEBUG, ("Entering with path '%s'\n", path)); + if ( starts_with_media_dir(AVID_MEDIAFILES_DIRNAME, AVID_MEDIAFILES_DIRNAME_LEN, path) @@ -264,12 +264,13 @@ static bool is_in_media_files(const char* path) static int depth_from_media_dir(const char* media_dirname, size_t media_dirname_len, const char* path) { - DEBUG(MH_INFO_DEBUG, ("Entering with media_dirname '%s' " - "path '%s'\n", media_dirname, path)); int transition_count = 0; char* path_start; char* pathPtr; + DEBUG(MH_INFO_DEBUG, ("Entering with media_dirname '%s' " + "path '%s'\n", media_dirname, path)); + /* Sometimes Samba gives us "./OMFI MediaFiles". */ if (strncmp(path, "./", 2) == 0) { @@ -336,15 +337,15 @@ static bool is_avid_database( const char *avid_db_filename, const size_t avid_db_filename_len) { - DEBUG(MH_INFO_DEBUG, ("Entering with path '%s', " - "avid_db_filename '%s', " - "path_len '%i', " - "avid_db_filename_len '%i'\n", - path, avid_db_filename, - path_len, avid_db_filename_len)); - bool ret = False; + DEBUG(MH_INFO_DEBUG, ("Entering with path '%s', " + "avid_db_filename '%s', " + "path_len '%i', " + "avid_db_filename_len '%i'\n", + path, avid_db_filename, + path_len, avid_db_filename_len)); + if ( path_len > avid_db_filename_len && 
@@ -387,14 +388,16 @@ static int alloc_get_client_path(vfs_handle_struct *handle, const char *path, char **newPath) { - DEBUG(MH_INFO_DEBUG, ("Entering with path '%s'\n", path)); - /* replace /CREATING_DIRNAME/ or /._CREATING_DIRNAME/ * directory in path - potentially in middle
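Review bot: In the is_avid_database() hunk (`@@ -336,15 +337,15 @@` of source3/modules/vfs_media_harmony.c), the DEBUG call is moved below the declarations but keeps the `'%i'` conversion for avid_db_filename_len, which the context line declares as `const size_t`. Passing a size_t where the format expects an int is a mismatch on platforms where the two differ in width; since the statement is being touched anyway, switch the conversion to match the type or cast the argument explicitly, and do the same for path_len if it is a size_t as well.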
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 2eb606b s3:build fix autoconf build on RHEL5 via 3dfd179 s3:doc Fix name of timeout parameter in documentation via 424492a s3:dbwrap_ctdb: Add DB name and key to warning message from 7204dc9 s4 dns: Negotiate GSSAPI-based TKEYs http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 2eb606bfa907aea0a93f3eef550316fb1d663084 Author: Christian Ambach Date: Fri Aug 31 11:00:23 2012 +0200 s3:build fix autoconf build on RHEL5 RHEL5 only has autoconf 2.59, so autogen.sh still needs to find autoconf-2.60.m4 somewhere, but it was removed with 5f58359 Autobuild-User(master): Christian Ambach Autobuild-Date(master): Fri Aug 31 12:50:03 CEST 2012 on sn-devel-104 commit 3dfd179638a821e83a18476dc607fe34e7e5ec57 Author: Christof Schmitt Date: Thu Aug 30 15:42:51 2012 -0700 s3:doc Fix name of timeout parameter in documentation The name is time_audit:timeout, not time_audit:audit_timeout. Signed-off-by: Christian Ambach commit 424492a96358dd52b8cc48ec26b25b97ae809e57 Author: Christof Schmitt Date: Thu Aug 30 13:16:24 2012 -0700 s3:dbwrap_ctdb: Add DB name and key to warning message When a operation takes too long, it is useful for debugging to know the DB and the key. Signed-off-by: Christian Ambach --- Summary of changes: docs-xml/manpages-3/vfs_time_audit.8.xml |6 +- source3/lib/dbwrap/dbwrap_ctdb.c |9 +- source3/m4/autoconf-2.60.m4 | 236 ++ 3 files changed, 247 insertions(+), 4 deletions(-) create mode 100644 source3/m4/autoconf-2.60.m4 Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/vfs_time_audit.8.xml b/docs-xml/manpages-3/vfs_time_audit.8.xml index fc71e28..d79acc8 100644 --- a/docs-xml/manpages-3/vfs_time_audit.8.xml +++ b/docs-xml/manpages-3/vfs_time_audit.8.xml 
@@ -31,7 +31,7 @@ The time_audit VFS module logs system calls that take longer than the number of milliseconds defined by the variable - time_audit:audit_timeout. It will log the calls and + time_audit:timeout. It will log the calls and the time spent in it. @@ -51,7 +51,7 @@ - time_audit:audit_timeout = number of milliseconds + time_audit:timeout = number of milliseconds VFS calls that take longer than the defined number of milliseconds that should be logged. The default is 1 (10s). @@ -74,7 +74,7 @@ /test/sample_share time_audit - 3000 + 3000 diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c index 0a57997..6d46586 100644 --- a/source3/lib/dbwrap/dbwrap_ctdb.c +++ b/source3/lib/dbwrap/dbwrap_ctdb.c @@ -996,7 +996,14 @@ static int db_ctdb_record_destr(struct db_record* data) if (threshold != 0) { double timediff = timeval_elapsed(&crec->lock_time); if ((timediff * 1000) > threshold) { - DEBUG(0, ("Held tdb lock %f seconds\n", timediff)); + const char *key; + + key = hex_encode_talloc(data, + (unsigned char *)data->key.dptr, + data->key.dsize); + DEBUG(0, ("Held tdb lock on db %s, key %s %f seconds\n", + tdb_name(crec->ctdb_ctx->wtdb->tdb), key, + timediff)); } } diff --git a/source3/m4/autoconf-2.60.m4 b/source3/m4/autoconf-2.60.m4 new file mode 100644 index 000..b2694fd --- /dev/null +++ b/source3/m4/autoconf-2.60.m4 
@@ -0,0 +1,236 @@ +# AC_GNU_SOURCE +# -- +AC_DEFUN([AC_GNU_SOURCE], +[AH_VERBATIM([_GNU_SOURCE], +[/* Enable GNU extensions on systems that have them. */ +#ifndef _GNU_SOURCE +# undef _GNU_SOURCE +#endif])dnl +AC_BEFORE([$0], [AC_COMPILE_IFELSE])dnl +AC_BEFORE([$0], [AC_RUN_IFELSE])dnl +AC_DEFINE([_GNU_SOURCE]) +]) + +# _AC_C_STD_TRY(STANDARD, TEST-PROLOGUE, TEST-BODY, OPTION-LIST, +# ACTION-IF-AVAILABLE, ACTION-IF-UNAVAILABLE) +# -- +# Check whether the C compiler accepts features of STANDARD (e.g `c89', `c99') +# by trying to compile a program of TEST-PROLOGUE and TEST-BODY. If this fails, +# try again with each compiler option in the space-separated OPTION-LIST; if one +# helps, append it to CC. If eventually successful, run ACTION-IF-AVAILABLE, +# else ACTION-IF-UNAVAILABLE. +AC_DEFUN([_AC_C_STD_TRY], +[AC_MSG_CHECKING([for $CC option to accept ISO ]m4_translit($1, [c], [C])) +AC_CACHE_VAL(ac_cv_prog_cc_$1, +[ac_cv_prog_c
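Review bot: In db_ctdb_record_destr() (hunk `@@ -996,7 +996,14 @@` of source3/lib/dbwrap/dbwrap_ctdb.c), the result of hex_encode_talloc() is passed straight to the `%s` in DEBUG with no NULL check, so an allocation failure inside the destructor turns a diagnostic message into undefined behaviour. Guard it, for example by printing a fixed placeholder string when `key` is NULL. The message is logged at level 0 and the hex string is two characters per key byte, so consider capping how much of a large key is written to the log.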
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7204dc9 s4 dns: Negotiate GSSAPI-based TKEYs from d2c0387 s4-kdc: Give information on how long the password history is http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7204dc9708e5f5164dcd9b7cc3fcb2ea27dcd62e Author: Kai Blin Date: Thu Aug 30 09:04:07 2012 +0200 s4 dns: Negotiate GSSAPI-based TKEYs Autobuild-User(master): Kai Blin Autobuild-Date(master): Fri Aug 31 10:38:35 CEST 2012 on sn-devel-104 --- Summary of changes: source4/dns_server/dns_query.c | 224 ++ source4/dns_server/dns_server.c | 18 +++ source4/dns_server/dns_server.h | 11 ++ source4/dns_server/wscript_build |2 +- 4 files changed, 254 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index 5978fe9..e9c3a24 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -33,6 +33,10 @@ #include "libcli/dns/libdns.h" #include "lib/util/util_net.h" #include "lib/util/tevent_werror.h" +#include "auth/auth.h" +#include "auth/credentials/credentials.h" +#include "auth/gensec/gensec.h" +#include "lib/util/dlinklist.h" static WERROR create_response_rr(const struct dns_name_question *question, const struct dnsp_DnssrvRpcRecord *rec, 
@@ -317,6 +321,214 @@ static WERROR handle_question(struct dns_server *dns, return WERR_OK; } +static NTSTATUS create_new_tkey(TALLOC_CTX *mem_ctx, + struct dns_server *dns, + struct dns_server_tkey **tkey, + const char* name) +{ + NTSTATUS status; + struct dns_server_tkey *k = talloc_zero(mem_ctx, struct dns_server_tkey); + + if (k == NULL) { + return NT_STATUS_NO_MEMORY; + } + + k->name = talloc_strdup(mem_ctx, name); + + if (k->name == NULL) { + return NT_STATUS_NO_MEMORY; + } + + status = samba_server_gensec_start(k, + dns->task->event_ctx, + dns->task->msg_ctx, + dns->task->lp_ctx, + dns->server_credentials, + "dns", + &k->gensec); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); + *tkey = NULL; + return status; + } + + gensec_want_feature(k->gensec, GENSEC_FEATURE_SIGN); + + status = gensec_start_mech_by_oid(k->gensec, GENSEC_OID_SPNEGO); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC server code: %s\n", + nt_errstr(status))); + *tkey = NULL; + return status; + } + + *tkey = k; + return NT_STATUS_OK; +} + +static NTSTATUS accept_gss_ticket(TALLOC_CTX *mem_ctx, + struct dns_server *dns, + struct dns_server_tkey *tkey, + const DATA_BLOB *key, + DATA_BLOB *reply, + uint16_t *dns_auth_error) +{ + NTSTATUS status; + + status = gensec_update(tkey->gensec, mem_ctx, dns->task->event_ctx, + *key, reply); + + if (NT_STATUS_EQUAL(NT_STATUS_MORE_PROCESSING_REQUIRED, status)) { + *dns_auth_error = DNS_RCODE_OK; + return status; + } + + if (NT_STATUS_IS_OK(status)) { + + status = gensec_session_info(tkey->gensec, tkey, &tkey->session_info); + if (!NT_STATUS_IS_OK(status)) { + *dns_auth_error = DNS_RCODE_BADKEY; + return status; + } + *dns_auth_error = DNS_RCODE_OK; + } + + return status; +} + +static struct dns_server_tkey *find_tkey(struct dns_server *dns, +const char *name) +{ + struct dns_server_tkey *tkey = NULL; + + for (tkey = dns->tkeys; tkey != NULL; tkey = tkey->next) { + if 
(dns_name_equal(name, tkey->name)) { + break; + } + } + + return tkey; +} + +static WERROR handle_tkey(struct dns_server *dns, + TALLOC_CTX *mem_ctx, + const struct dns_name_packet *in, + struct dns_res_rec **answers, + uint16_t *ancount) +{ + struct dns_res_rec *in_tkey = NULL; + st
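Review bot: In create_new_tkey() (hunk `@@ -317,6 +321,214 @@` of source4/dns_server/dns_query.c), none of the failure returns after talloc_zero() free `k`: the `k->name == NULL` branch returns NT_STATUS_NO_MEMORY, and both GENSEC failure branches set `*tkey = NULL` and return, leaving `k` allocated on mem_ctx. `k->name` is also duplicated onto mem_ctx instead of `k`, so the name does not share the key's lifetime. Free `k` on each error path and use talloc_strdup(k, name). Separately, find_tkey() walks dns->tkeys as a linked list and the visible code sets no limit on how many keys are stored, so the store needs a cap.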