@echo ' torturedir: $(TORTUREDIR)'
@echo ' datadir: $(datadir)'
@echo ' winbindd_socket_dir: $(winbindd_socket_dir)'
+ @echo ' ntp_signd_socket_dir: $(ntp_signd_socket_dir)'
showflags::
@echo ' srcdir = $(srcdir)'
privatedir="\${prefix}/private"
modulesdir="\${prefix}/modules"
winbindd_socket_dir="${localstatedir}/run/winbind_pipe"
+ntp_signd_socket_dir="${localstatedir}/run/ntp_signd"
AC_ARG_WITH(fhs,
[ --with-fhs Use FHS-compliant paths (default=no)],
modulesdir="${libdir}/samba"
datadir="${datadir}/samba"
includedir="${includedir}/samba-4.0"
+ ntp_signd_socket_dir="${localstatedir}/run/samba/ntp_signd"
winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe"
)
;;
esac])
+#################################################
+# set where the NTP signing deamon socket should be put
+AC_ARG_WITH(ntp-signd-socket-dir,
+[ --with-ntp-signd-socket-dir=DIR Where to put the NTP signing deamon socket ($ac_default_prefix/run/ntp_signd)],
+[ case "$withval" in
+ yes|no)
+ #
+ # Just in case anybody calls it without argument
+ #
+ AC_MSG_WARN([--with-ntp-signd-socketdir called without argument - will use default])
+ ;;
+ * )
+ ntp_signd_socket_dir="$withval"
+ ;;
+ esac])
+
#################################################
# set lock directory location
AC_ARG_WITH(lockdir,
AC_SUBST(bindir)
AC_SUBST(sbindir)
AC_SUBST(winbindd_socket_dir)
+AC_SUBST(ntp_signd_socket_dir)
AC_SUBST(modulesdir)
#################################################
-DPRIVATE_DIR=\"$(privatedir)\" \
-DMODULESDIR=\"$(modulesdir)\" -DJSDIR=\"$(JSDIR)\" \
-DTORTUREDIR=\"$(TORTUREDIR)\" \
- -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\"
+ -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" \
+ -DNTP_SIGND_SOCKET_DIR=\"$(ntp_signd_socket_dir)\"
/** Where to find the winbindd socket */
_PUBLIC_ const char *dyn_WINBINDD_SOCKET_DIR = WINBINDD_SOCKET_DIR;
+
+/** Where to find the NTP signing deamon socket */
+_PUBLIC_ const char *dyn_NTP_SIGND_SOCKET_DIR = NTP_SIGND_SOCKET_DIR;
extern const char *dyn_JSDIR;
extern const char *dyn_SETUPDIR;
extern const char *dyn_WINBINDD_SOCKET_DIR;
+extern const char *dyn_NTP_SIGND_SOCKET_DIR;
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/crypto/md5.h"
+#include "system/passwd.h"
/*
top level context structure for the ntp_signd server
return ndr_map_error2ntstatus(ndr_err);
}
+ /* We need to implement 'check signature' and 'request server
+ * to sign' operations at some point */
if (sign_request.op != SIGN_TO_CLIENT) {
talloc_free(tmp_ctx);
return signing_failure(ntp_signdconn, sign_request.packet_id);
return signing_failure(ntp_signdconn, sign_request.packet_id);
}
+ /* The top bit is a 'key selector' */
sid = dom_sid_add_rid(tmp_ctx, domain_sid, sign_request.key_id & 0x7FFFFFFF);
if (!sid) {
talloc_free(tmp_ctx);
return signing_failure(ntp_signdconn, sign_request.packet_id);
}
- /* Sign packet */
ret = ldb_search_exp_fmt(ntp_signdconn->ntp_signd->samdb, tmp_ctx,
&res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb),
LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=computer))",
return signing_failure(ntp_signdconn, sign_request.packet_id);
}
+ /* Generate the reply packet */
signed_reply.version = 1;
signed_reply.packet_id = sign_request.packet_id;
signed_reply.op = SIGNING_SUCCESS;
}
memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
-
SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
/* Sign the NTP response with the unicodePwd */
MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx);
- /* Place it into the packet for the wire */
+ /* Place it into the packet for the wire */
ndr_err = ndr_push_struct_blob(&output, tmp_ctx,
lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx),
&signed_reply,
return NT_STATUS_NO_MEMORY;
}
+ /* The 'wire' transport for this is wrapped with a 4 byte network byte order length */
RSIVAL(wrapped_output.data, 0, output.length);
memcpy(wrapped_output.data + 4, output.data, output.length);
const struct model_ops *model_ops;
- const char *address = "/tmp/ux_demo";
+ const char *address;
+
+ if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) {
+ char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
+ lp_ntp_signd_socket_directory(task->lp_ctx));
+ task_server_terminate(task,
+ error);
+ return;
+ }
/* within the ntp_signd task we want to be a single process, so
ask for the single process model ops and pass these to the
return;
}
+ address = talloc_asprintf(ntp_signd, "%s/socket", lp_ntp_signd_socket_directory(task->lp_ctx));
+
status = stream_setup_socket(ntp_signd->task->event_ctx,
ntp_signd->task->lp_ctx,
model_ops,
int bUnixExtensions;
int bDisableNetbios;
int bRpcBigEndian;
+ char *szNTPSignDSocketDirectory;
struct param_opt *param_opt;
};
{"template homedir", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateHomedir), NULL, NULL },
{"idmap trusted only", P_BOOL, P_GLOBAL, GLOBAL_VAR(bIdmapTrustedOnly), NULL, NULL},
+ {"ntp signd socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szNTPSignDSocketDirectory), NULL, NULL },
+
{NULL, P_BOOL, P_NONE, 0, NULL, NULL}
};
_PUBLIC_ FN_GLOBAL_INTEGER(lp_server_signing, server_signing)
_PUBLIC_ FN_GLOBAL_INTEGER(lp_client_signing, client_signing)
+_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_ntp_signd_socket_directory, szNTPSignDSocketDirectory)
+
/* local prototypes */
static int map_parameter(const char *pszParmName);
static struct loadparm_service *getservicebyname(struct loadparm_context *lp_ctx,
lp_do_global_parameter(lp_ctx, "prefork children:smb", "4");
+ lp_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
int lp_force_dir_mode(struct loadparm_service *, struct loadparm_service *);
int lp_server_signing(struct loadparm_context *);
int lp_client_signing(struct loadparm_context *);
+const char *lp_ntp_signd_socket_directory(struct loadparm_context *);
+
const char *lp_get_parametric(struct loadparm_context *lp_ctx,
struct loadparm_service *service,
const char *type, const char *option);