path: root/source3/librpc
Commit message | Author | Age | Files | Lines
* s3/librpc/crypto: clang: Fixes Value stored to 'ret' is never read | Noel Power | 2019-09-25 | 1 | -1/+1
    Fixes:
    source3/librpc/crypto/gse_krb5.c:63:3: warning: Value stored to 'ret' is never read <--[clang]
            ret = smb_krb5_kt_free_entry(krbctx, &kt_entry);
            ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    1 warning generated.
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3/librpc/crypto: clang: warning: Value stored to 'gss_maj' is never read | Noel Power | 2019-09-25 | 1 | -4/+4
    Fixes:
    Value stored to 'gss_maj' is never read
    source3/librpc/crypto/gse.c:562:3: warning: Value stored to 'gss_maj' is never read <--[clang]
            gss_maj = gss_release_buffer(&gss_min, &out_data);
            ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source3/librpc/crypto/gse.c:687:3: warning: Value stored to 'gss_maj' is never read <--[clang]
            gss_maj = gss_release_buffer(&gss_min, &out_data);
            ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source3/librpc/crypto/gse.c:739:3: warning: Value stored to 'gss_maj' is never read <--[clang]
            gss_maj = gss_release_buffer(&gss_min, &msg_min);
            ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    source3/librpc/crypto/gse.c:742:3: warning: Value stored to 'gss_maj' is never read <--[clang]
            gss_maj = gss_release_buffer(&gss_min, &msg_maj);
            ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    4 warnings generated.
    Signed-off-by: Noel Power <noel.power@suse.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* smbd: Add share mode flags | Volker Lendecke | 2019-09-17 | 1 | -1/+9
    This will contain a summary of the "most restrictive" share mode and lease, i.e. intersection of all share_access entries and the union of all access_mask and leases in the share mode array. This way open_mode_check in the non-conflicting case will only have to look at the summary and not walk the share mode array.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Make "share_mode_flags" 16-bit wide | Volker Lendecke | 2019-09-17 | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Introduce share_entries.tdb - ADD COMMENT FIXME !! | Volker Lendecke | 2019-09-17 | 1 | -1/+0
    This moves share_modes[] from "struct share_mode_data" into a separate share_entries.tdb with a sorted array of fixed-length (132 byte) "struct share_mode_entry" entries.
    I know it's one huge commit, but I did not see a way to keep both data structures and associated code working together without a lot of code duplication after having centralized all the code accessing the share_modes[] array into a few routines.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Make "current_state" show up first in the blob | Volker Lendecke | 2019-09-17 | 1 | -1/+1
    Believe it or not, but without this change "num_files" was first.
    Thanks Metze for this (to me at least) really, really surprising insight!
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* idl: Fix a typo | Volker Lendecke | 2019-09-17 | 1 | -1/+1
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s3:smbd: Use smb2_signing_key structure for the decryption key | Andreas Schneider | 2019-08-21 | 1 | -0/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:smbd: Use smb2_signing_key structure for the encryption key | Andreas Schneider | 2019-08-21 | 1 | -0/+1
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbd: Add flags to the beginning of share_mode_data | Volker Lendecke | 2019-07-04 | 1 | -0/+5
    They are put at the beginning for easy parsing without reading the full struct.
    First step to remove the number of read oplocks/leases from brlock.tdb, where it does not belong.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* s3: convert struct stat_ex st_ex_calculated_birthtime bool to flags | Ralph Boehme | 2019-07-01 | 1 | -1/+1
    Subsequent commits will add more flags, this paves the way.
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s3: remove unused st_ex_mask from struct stat_ex | Ralph Boehme | 2019-07-01 | 1 | -1/+0
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Send "share_file_id" with the rename msg | Volker Lendecke | 2019-05-18 | 1 | -0/+1
    file_id plus share_file_id remotely specify the fsp. This avoids the explicit loop in the receiver.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Sat May 18 20:18:55 UTC 2019 on sn-devel-184
* smbd: Add file_rename_message in idl | Volker Lendecke | 2019-05-18 | 1 | -0/+7
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* smbd: Do oplock break messages in ndr | Volker Lendecke | 2019-05-16 | 1 | -0/+6
    The previous scheme was overloaded, an idl definition is easier to print, and it clarifies what data is actually needed
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Thu May 16 23:48:18 UTC 2019 on sn-devel-184
* s3:librpc: Add smb2_signing_key to smbXsrv.idl | Andreas Schneider | 2019-04-30 | 1 | -0/+2
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:librpc: Rename the data blobs for keys in smbXsrv.idl | Andreas Schneider | 2019-04-30 | 1 | -4/+4
    The original names will be used with a new structure to cache mac and cipher handles for gnutls later.
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* smbd: Remove share_mode_lease and the leases array from share_mode_entry | Volker Lendecke | 2019-04-14 | 1 | -33/+0
    This also removes the temporary functions introduced during the patchset.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
    Autobuild-User(master): Christof Schmitt <cs@samba.org>
    Autobuild-Date(master): Sun Apr 14 05:18:14 UTC 2019 on sn-devel-144
* smbd: Add lease key to share_mode_entry | Volker Lendecke | 2019-04-14 | 1 | -0/+2
    Instead of indexing into the leases[] array, put the lease_db reference into the share_mode_entry. For simplicity, put in the client guid as well. We *might* be able to retrieve that from somewhere else, but as other smbd processes have to look at the lease values, put in the full leases_db index data.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
* leases_db: Add share_mode_lease info to leases.tdb | Volker Lendecke | 2019-04-14 | 1 | -0/+26
    This is the data stored in share_mode_lease inside the leases[] array in locking.tdb. This and all the following patches move all leases array to looking at the leases.tdb.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
* librpc: Add kerberos tracing | Swen Schillig | 2018-12-19 | 1 | -5/+3
    Replace kerberos context initialization from raw krb5_init_context() to smb_krb5_init_context_basic() which is adding common tracing as well.
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Christof Schmitt <cs@samba.org>
* librpc: Free krb5 context on error | Swen Schillig | 2018-11-22 | 1 | -0/+4
    If the call to krb5_cc_resolve() fails and processing is aborted, the krb5 context must be free'd before return.
    Signed-off-by: Swen Schillig <swen@linux.ibm.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* smbd: Remove "share_mode_entry->lease" | Volker Lendecke | 2018-07-27 | 1 | -1/+0
    smbstatus was the only user, and this could be solved by adapting share_entry_forall.
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri Jul 27 01:42:31 CEST 2018 on sn-devel-144
* librpc/crypto: Fix a misleading comment | Volker Lendecke | 2018-06-18 | 1 | -3/+1
    Probably cut&paste error
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Mon Jun 18 18:34:51 CEST 2018 on sn-devel-144
* smbd: rename smbXsrv_client->ev_ctx into smbXsrv_client->raw_ev_ctx | Stefan Metzmacher | 2018-06-18 | 1 | -1/+1
    That makes it clearer that no tevent_context wrapper is used here and the related code should really run without any (active) impersonation as before.
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* smbd: remove xconn->client->last_session_id based set_current_user_info() caching | Stefan Metzmacher | 2018-06-18 | 1 | -1/+0
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* Revert "Use "localhost" to be ipv6 only friendly" | Simo Sorce | 2018-03-19 | 1 | -1/+1
    This reverts commit 54548f6dde3cf74f0e90ef577a55fd720dca6d93.
* Use "localhost" to be ipv6 only friendly | Simo Sorce | 2018-03-19 | 1 | -1/+1
    Signed-off-by: Simo Sorce <idra@samba.org>
* s3: gse: use "gensec_gssapi:requested_life_time" | Ralph Boehme | 2018-03-16 | 1 | -2/+8
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri Mar 16 07:48:37 CET 2018 on sn-devel-144
* smbd: remove "id" from share_mode_entry | Volker Lendecke | 2018-02-13 | 1 | -1/+0
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Tue Feb 13 05:01:38 CET 2018 on sn-devel-144
* s3: librpc: Allow client to correctly report etype unsupported by KDC to caller. | Jeremy Allison | 2018-01-31 | 1 | -0/+3
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13247
    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Jan 31 00:38:09 CET 2018 on sn-devel-144
* smbd: Fix channel sequence number checks for long-running requests | Volker Lendecke | 2018-01-14 | 1 | -1/+2
    When the client's supplied csn overflows and hits a pending, long-running request's csn, we panic. Fix this by counting the overflows in smbXsrv_open_global0->channel_generation
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse_krb5: make use of precalculated krb5 keys in fill_mem_keytab_from_secrets() | Stefan Metzmacher | 2017-08-18 | 1 | -95/+85
    This avoids a lot of cpu cycles, which were wasted for each single smb connection, even if the client didn't use kerberos.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12973
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Fri Aug 18 10:04:57 CEST 2017 on sn-devel-144
* secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts | Stefan Metzmacher | 2017-06-27 | 2 | -2/+92
    This blob will be stored in secrets.tdb. It makes it possible to store much more useful details about the workstation trust.
    The key feature that triggered this change is the ability to store details for the next password change before doing the remote change. This will allow us to recover from failures.
    While being there I also thought about possible new features, which we may implement in the near future.
    We also store the raw UTF16 like cleartext buffer as well as derived keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys. This will allow us to avoid recalculating the keys for an in memory keytab in future.
    I also added a pointer to an optional lsa_ForestTrustInformation structure, which might be useful to implement multi-tenancy in future.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ() | Stefan Metzmacher | 2017-06-27 | 1 | -26/+14
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx | Stefan Metzmacher | 2017-06-27 | 1 | -1/+2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx | Stefan Metzmacher | 2017-06-27 | 1 | -0/+1
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:librpc: let NDR_SECRETS depend on NDR_SECURITY | Stefan Metzmacher | 2017-06-27 | 1 | -1/+1
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab() | Michael Saxl | 2017-06-27 | 1 | -0/+8
    If the keytab file isn't readable, we may call krb5_kt_end_seq_get() with an invalid kt_cursor.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:gse: add simple gensec_gse_update_send/recv() wrapper functions | Stefan Metzmacher | 2017-05-21 | 1 | -15/+71
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:gse: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support. | Stefan Metzmacher | 2017-05-21 | 1 | -9/+1
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3: smbd: Fix open_files.idl to correctly ignore share_mode_lease *lease in share_mode_entry. | Jeremy Allison | 2017-05-18 | 1 | -1/+1
    This is currently marked 'skip', which means it isn't stored in the db, but printed out in ndr dump.
    However, this pointer can be invalid if the lease_idx is set to 0xFFFFFFFF (invalid).
    This is fixed up inside parse_share_modes(), but not until after ndr_pull_share_mode_data() is called. If lease_idx == 0xFFFFFFFF then ndr_print_share_mode_lease() prints an invalid value and crashes.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12793
    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Alexander Bokovoy <ab@samba.org>
    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Thu May 18 03:01:40 CEST 2017 on sn-devel-144
* auth_log: Also log the final type of authentication (ntlmssp,krb5) | Andrew Bartlett | 2017-03-29 | 1 | -0/+16
    Administrators really care about how their users were authenticated, so make this clear.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* rpc: Always supply both the remote and local address to the auth subsystem | Gary Lockyer | 2017-03-29 | 1 | -0/+1
    This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging.
    The local address allows us to know which interface an authentication is on
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* lib: Fix an uninitialized variable warning | Volker Lendecke | 2017-03-15 | 1 | -1/+2
    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Alexander Bokovoy <ab@samba.org>
    Autobuild-User(master): Volker Lendecke <vl@samba.org>
    Autobuild-Date(master): Wed Mar 15 14:21:43 CET 2017 on sn-devel-144
* s3:gse: Correctly handle external trusts with MIT | Andreas Schneider | 2017-03-10 | 1 | -0/+54
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: Check if we have a target_princpal set we should use | Andreas Schneider | 2017-03-10 | 1 | -1/+2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: Move setup of service_principal to update function | Andreas Schneider | 2017-03-10 | 1 | -26/+71
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: Pass down the gensec_security pointer | Andreas Schneider | 2017-03-10 | 1 | -7/+12
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s3:gse: Use smb_krb5_get_realm_from_hostname() | Andreas Schneider | 2017-03-10 | 1 | -25/+68
    With credentials for administrator@FOREST1.EXAMPLE.COM this patch changes the target_principal for the ldap service of host dc2.forest2.example.com from
        ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM
    to
        ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM
    Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a referral ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM.
    The problem is that KDCs only return such referral tickets if there's a forest trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. If there's only an external domain trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM.
    In the case of an external trust the client can still ask explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of FOREST1.EXAMPLE.COM will generate it.
    From there the client can use the krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC of FOREST2.EXAMPLE.COM for a service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM.
    With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as target principal. As _krb5_get_cred_kdc_any() first calls get_cred_kdc_referral() (which always starts with the client realm) and falls back to get_cred_kdc_capath() (which starts with the given realm).
    MIT krb5 only tries the given realm of the target principal, if we want to autodetect support for transitive forest trusts, we'll have to do the fallback ourselves.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Andreas Schneider <asn@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>