Kai Blin [Fri, 10 Jan 2014 13:37:44 +0000 (14:37 +0100)]
configure: Skip DMAPI configure checks on --without-dmapi
Signed-off-by: Kai Blin <kai@samba.org>
Kai Blin [Fri, 10 Jan 2014 12:12:49 +0000 (13:12 +0100)]
configure: Skip all checks for PAM when configuring --without-pam
Signed-off-by: Kai Blin <kai@samba.org>
Volker Lendecke [Wed, 8 Jan 2014 15:32:39 +0000 (16:32 +0100)]
messaging: Fix a memleak (master only..)
Immediate tevents don't free themselves as timed events do :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 10 01:20:04 CET 2014 on sn-devel-104
Volker Lendecke [Wed, 8 Jan 2014 15:15:27 +0000 (16:15 +0100)]
messaging: Use talloc_pooled_object
... not as a speed improvement, it saves the second NULL check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 8 Jan 2014 15:13:11 +0000 (16:13 +0100)]
messaging: Move the self-send logic out of messaging_tdb
This is not specific to tdb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 8 Jan 2014 09:32:37 +0000 (09:32 +0000)]
messaging: Fix a memleak with clustering
We have to properly throw away unexpected messages that came in via ctdb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider [Thu, 9 Jan 2014 14:20:21 +0000 (15:20 +0100)]
s3-passdb: Fix string duplication to pointers.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jan 9 22:35:25 CET 2014 on sn-devel-104
Andreas Schneider [Thu, 9 Jan 2014 14:12:24 +0000 (15:12 +0100)]
wbinfo: Fix a memory leak in wbinfo_ping_dc().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Andreas Schneider [Thu, 9 Jan 2014 14:06:14 +0000 (15:06 +0100)]
s3-libads: Fix memory leaks in ads_build_path().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Andreas Schneider [Thu, 9 Jan 2014 13:50:18 +0000 (14:50 +0100)]
lib: Fix strict-aliasing warning in md5 code.
If the compiler detects strict aliasing problems it isn't able to
optimize the code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Volker Lendecke [Tue, 3 Dec 2013 15:01:35 +0000 (16:01 +0100)]
group_mapping: Avoid a talloc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 9 20:41:15 CET 2014 on sn-devel-104
Matthias Dieter Wallnöfer [Wed, 8 Jan 2014 14:42:50 +0000 (15:42 +0100)]
samba:python - Py_RETURN_NONE remove compatibility code for releases < 2.4
http://www.python.org/doc//current/c-api/none.html
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Thu Jan 9 16:27:47 CET 2014 on sn-devel-104
Christof Schmitt [Tue, 7 Jan 2014 18:55:46 +0000 (11:55 -0700)]
s3: Avoid oplock break by storing timestamps with gpfs_set_times
The gpfs_set_times API call allows setting timestamps directly in GPFS
without going through the utime() call. Using this API call fixes an
unnecessary oplock break when a client sends a SET_FILE_ALLOCATION_INFO
request and no other client has opened the file. The call to utime()
triggers the oplock break through the Linux kernel. Using the
gpfs_set_times call for updating the timestamp avoids the call to
utime() and the oplock break.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu Jan 9 00:04:48 CET 2014 on sn-devel-104
Jeremy Allison [Mon, 6 Jan 2014 23:22:59 +0000 (15:22 -0800)]
s3: winbindd: Move calling setup_domain_child() into add_trusted_domain().
Ensure it only gets called when a new domain is allocated
and added to the list.
This should fix problems with the previous logic where
setup_domain_child() was called in places where an existing
domain was returned.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 8 20:46:55 CET 2014 on sn-devel-104
Jeremy Allison [Mon, 6 Jan 2014 23:15:37 +0000 (15:15 -0800)]
s3: winbindd: Move the logic of whether to set 'domain->primary' into add_trusted_domain().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Stefan Metzmacher [Wed, 8 Jan 2014 09:57:44 +0000 (10:57 +0100)]
s4:rpc_server: remember the hdr_signing negotiation result in dcesrv_auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jan 8 18:37:22 CET 2014 on sn-devel-104
Stefan Metzmacher [Wed, 8 Jan 2014 09:57:19 +0000 (10:57 +0100)]
s4:rpc_server: use talloc_zero for struct dcesrv_connection
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 8 Jan 2014 09:52:51 +0000 (10:52 +0100)]
s4:rpc_server: remove unused DCESRV_CALL_STATE_FLAG_HEADER_SIGNING
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Gregor Beck [Mon, 6 Jan 2014 10:19:04 +0000 (11:19 +0100)]
ndrdump: dump verification trailer
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Gregor Beck [Thu, 2 Jan 2014 14:30:52 +0000 (15:30 +0100)]
librpc/ndr: add ndr_pop_dcerpc_sec_verification_trailer()
This extracts the dcerpc_sec_verification_trailer from the end
of an ndr_pull structure; if found, it reduces ndr->data_size.
NDR_ERR_ALLOC is the only possible error, all other errors
are ignored and a trailer with command count = 0 is returned.
Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 30 Aug 2013 07:48:06 +0000 (09:48 +0200)]
librpc/rpc: simplify tevent_req_nterror() usage in binding_handle.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 8 Jan 2014 11:04:22 +0000 (12:04 +0100)]
libcli/auth: fix usage of an uninitialized variable in netlogon_creds_cli_check_caps()
If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Björn Jacke [Tue, 7 Jan 2014 14:55:57 +0000 (15:55 +0100)]
crypto: fix build on OS X
we also need to use the CC_MD5_CTX from CommonCrypto here instead of the MD5_CTX
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jan 8 08:12:29 CET 2014 on sn-devel-104
Björn Jacke [Tue, 7 Jan 2014 14:55:56 +0000 (15:55 +0100)]
build: test the generic md5 function after importing it from hashlib
otherwise we used the one from md5 which led to the following warning on SerNet-imini:
the md5 module is deprecated; use hashlib instead import md5
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Thu, 19 Dec 2013 21:23:44 +0000 (22:23 +0100)]
libgpo: apply some const.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 7 18:52:42 CET 2014 on sn-devel-104
Günther Deschner [Fri, 20 Dec 2013 16:23:22 +0000 (17:23 +0100)]
libgpo: when running in verbose mode, printout the parsed PReg file.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Fri, 20 Dec 2013 16:22:23 +0000 (17:22 +0100)]
libgpo: only use libgpo/gpext/gpext.h where really needed.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 16:29:10 +0000 (17:29 +0100)]
libgpo: allow to pass down a list of deleted GPOs in gpo_process_gpo_list().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 16:28:35 +0000 (17:28 +0100)]
libgpo: remove some unused code and remove that important FIXME note.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 16:26:59 +0000 (17:26 +0100)]
libgpo: directly call gpext_process_extension() from gpo_process_gpo_list.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 16:25:37 +0000 (17:25 +0100)]
libgpo: implement CSE filtering in gpext_process_extension().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 15:12:13 +0000 (16:12 +0100)]
libgpo: remove gpext_process_gpo_list_with_extension in favor of gpext_process_extension.
gpext_process_extension properly deals with GPO lists now.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 13:34:53 +0000 (14:34 +0100)]
libgpo: remove extension_guid and snapin_guid (the tool guid) from the process callback.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 18:33:28 +0000 (19:33 +0100)]
libgpo: allow to pass down deleted and changed gpo list to CSE plugins.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 18:59:09 +0000 (19:59 +0100)]
libgpo/gpext: add new gpext_check_gpo_for_gpext_presence() helper function.
It will be used to inspect single members of a gpo list for the presence of a CSE guid.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 12:27:45 +0000 (13:27 +0100)]
libgpo: add gpo_copy().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 19:02:58 +0000 (20:02 +0100)]
libgpo: make gpo_get_gp_ext_from_gpo public.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 16:59:38 +0000 (17:59 +0100)]
libgpo: make gpo_process_a_gpo() static to the util code.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 15:29:36 +0000 (16:29 +0100)]
libgpo: remove unused gp_registry_entry2 struct.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 14:45:58 +0000 (15:45 +0100)]
libgpo: remove ads reference from dump calls and make them take const structs.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 14:43:23 +0000 (15:43 +0100)]
libgpo: prefix some more calls with gpext_.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Wed, 18 Dec 2013 14:24:17 +0000 (15:24 +0100)]
libgpo: rename debug_gpext_header to gpext_debug_header.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 21:22:39 +0000 (22:22 +0100)]
libgpo/CSE/scripts: fix a build warning.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Günther Deschner [Thu, 19 Dec 2013 20:29:32 +0000 (21:29 +0100)]
s3-registry: fix typo in DEBUG statement.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 6 Dec 2013 11:08:50 +0000 (12:08 +0100)]
s4:netlogon: implement "allow nt4 crypto" and "reject md5 clients" features.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
Stefan Metzmacher [Mon, 23 Dec 2013 09:10:17 +0000 (10:10 +0100)]
s4:netlogon: don't generate a debug message for SEC_CHAN_NULL.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 23 Dec 2013 09:12:24 +0000 (10:12 +0100)]
s4:netlogon: correctly calculate the negotiate_flags
We need to bit-wise AND the client and server flags.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 6 Dec 2013 12:41:43 +0000 (13:41 +0100)]
selftest/Samba4: use "allow nt4 crypto = yes" for testing
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 6 Dec 2013 10:39:15 +0000 (11:39 +0100)]
lib/param: add "reject md5 client" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 6 Dec 2013 10:38:21 +0000 (11:38 +0100)]
lib/param: add "allow nt4 crypto" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 17:17:12 +0000 (19:17 +0200)]
libcli/auth: remove unused netlogon_creds_cli_context_copy()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:25:27 +0000 (19:25 +0200)]
s3:rpc_client: finally remove unused rpc_pipe_client->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:23:54 +0000 (19:23 +0200)]
s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:23:18 +0000 (19:23 +0200)]
s3:rpc_client: remove unused rpccli_netlogon_sam_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 6 Sep 2013 11:06:53 +0000 (13:06 +0200)]
s3:rpc_client: remove unused rpccli_netlogon_setup_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 6 Sep 2013 11:54:30 +0000 (13:54 +0200)]
s3:rpc_client: remove unused rpccli_netlogon_set_trust_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 18:53:51 +0000 (20:53 +0200)]
s3:rpc_client: make cli_rpc_pipe_open_schannel() more flexible
It expects a messaging_context now
and returns a netlogon_creds_cli_context.
This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 22:56:15 +0000 (00:56 +0200)]
s3:winbindd: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 22:48:31 +0000 (00:48 +0200)]
s3:rpcclient: make use of rpccli_netlogon_password_logon() in the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 22:46:09 +0000 (00:46 +0200)]
s3:rpcclient: remove optional auth_level parameter of the 'samlogon' cmd
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 29 Nov 2013 01:45:20 +0000 (14:45 +1300)]
s3:rpcclient: give errors and clean up correctly after failing to obtain secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 18:51:25 +0000 (20:51 +0200)]
s3:rpcclient: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:19:39 +0000 (19:19 +0200)]
s3:libnet: pass in struct netlogon_creds_cli_context from the caller.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:39:52 +0000 (18:39 +0200)]
s3:libsmb: remove unused trust_pw_find_change_and_store_it()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:37:34 +0000 (18:37 +0200)]
s3:winbindd: make use of trust_pw_change() in _wbint_ChangeMachineAccount()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:36:43 +0000 (18:36 +0200)]
s3:winbindd: make use of trust_pw_change() for periodic password changes
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:35:39 +0000 (18:35 +0200)]
s3:winbindd: use invalidate_cm_connection() to kill the netlogon connection
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:34:48 +0000 (18:34 +0200)]
s3:net_rpc: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:33:51 +0000 (18:33 +0200)]
s3:rpcclient: make use of trust_pw_change()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sun, 15 Sep 2013 11:19:52 +0000 (13:19 +0200)]
s3:libsmb: add trust_pw_change()
This protects the password change using a domain specific g_lock,
so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
even on multiple cluster nodes don't race anymore.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:59:11 +0000 (19:59 +0200)]
s3:net_rpc: add net_context->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 17:00:22 +0000 (19:00 +0200)]
s3:rpcclient: make use of rpcclient_netlogon_creds instead of cli->netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:57:09 +0000 (18:57 +0200)]
s3:rpcclient: remove unused rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
rpccli_netlogon_setup_creds() is already called in the main do_cmd()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:29:30 +0000 (18:29 +0200)]
s3:rpcclient: add rpcclient_netlogon_creds
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 16 Sep 2013 16:24:44 +0000 (18:24 +0200)]
s3:rpcclient: add rpcclient_msg_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 Sep 2013 08:06:41 +0000 (10:06 +0200)]
s3:rpc_client: use rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 5 Sep 2013 18:57:02 +0000 (20:57 +0200)]
s3:libnet: use rpccli_{create,setup}_netlogon_creds() in libnet_join_joindomain_rpc_unsecure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 2 Sep 2013 17:32:23 +0000 (19:32 +0200)]
s3:libnet_join: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 13:02:26 +0000 (15:02 +0200)]
s3:auth_domain: make use of rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 13:01:10 +0000 (15:01 +0200)]
s3:auth_domain: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 11:07:45 +0000 (13:07 +0200)]
s3:auth_domain: simplify connect_to_domain_password_server()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 7 Aug 2013 09:32:44 +0000 (11:32 +0200)]
s3:winbindd: make use of rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 19:06:14 +0000 (20:06 +0100)]
s3:winbindd: call rpccli_pre_open_netlogon_creds() in the parent
This opens the CLEAR_IF_FIRST tdb in the long living parent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 12:56:06 +0000 (14:56 +0200)]
s3:rpc_client: add rpccli_netlogon_password_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 12:36:24 +0000 (14:36 +0200)]
s3:rpc_client: add rpccli_netlogon_network_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Aug 2013 12:07:43 +0000 (14:07 +0200)]
s3:rpc_client: remove unused rpccli_netlogon_sam_network_logon_ex()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 17 Dec 2013 19:05:56 +0000 (20:05 +0100)]
s3:rpc_client: add rpccli_pre_open_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 7 Aug 2013 09:27:25 +0000 (11:27 +0200)]
s3:rpc_client: add rpccli_{create,setup}_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 15:03:00 +0000 (17:03 +0200)]
s3:rpc_client: use netlogon_creds_cli_auth_level() in cli_rpc_pipe_open_schannel_with_key()
This means the auth level is now based on the "winbindd sealed pipes" option,
defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sat, 27 Jul 2013 09:30:13 +0000 (11:30 +0200)]
s3:rpc_client: make use of the new netlogon_creds_cli_context
This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in a node-local database.
This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 14 Nov 2013 17:53:06 +0000 (18:53 +0100)]
docs-xml: update 'winbind sealed pipes' description
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 17:31:58 +0000 (19:31 +0200)]
s3:winbindd: make use of the "winbind sealed pipes" option for all connections
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 23 Dec 2013 09:46:57 +0000 (10:46 +0100)]
docs-xml: explain the interaction of 'client schannel' with 'require strong key = yes'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 23 Dec 2013 09:45:27 +0000 (10:45 +0100)]
docs-xml: explain the interaction between security = ads and other options.
It implies 'require strong key = yes' and 'client schannel = yes'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 16:48:15 +0000 (18:48 +0200)]
libcli/auth: make use of real options in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 17:01:47 +0000 (19:01 +0200)]
s3:param: set Globals.bRequireStrongKey = true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 16:39:56 +0000 (18:39 +0200)]
lib/param: add "require strong key" option, defaulting to true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 16:39:56 +0000 (18:39 +0200)]
lib/param: add "reject md5 servers" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 16:39:56 +0000 (18:39 +0200)]
lib/param: add "neutralize nt4 emulation" option, defaulting to false
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Oct 2013 17:01:28 +0000 (19:01 +0200)]
s3:param: set Globals.bWinbindSealedPipes = true
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>