The branch, master has been updated via 234f936 s3:popt_common: Fix password processing. via 3101fccc s3:util: fix usage of popt_burn_cmdline_password() via 4a73adf s3-winbind: use new reconnect logic in rpc_lookup_sids() also. via 7a49c96 s3-winbindd: rework reconnect logic in winbindd_lookup_names(). via cd51774 s3-winbindd: rework reconnect logic in winbindd_lookup_sids(). via 82ace10 s3-winbindd: remove lookup_sids_fn_t. via d924381 s3-winbindd: remove lookup_names_fn_t. via 3c486df s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public. via 2d38154 s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public. via 7bd9a3b s3-winbindd: add cm_connect_lsat(). via 457c933 s3-rpc_cli: Remove some unused wrapping code. from d5693d9 Fix Bug 9422 - large read requests cause server to issue malformed reply
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 234f9365b93b267f5a42dcc75512f08ccfb840c8 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 30 12:07:39 2012 +0100 s3:popt_common: Fix password processing. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Fri Nov 30 14:01:08 CET 2012 on sn-devel-104 commit 3101fcccff3ef847a123b10b2b99611e52504414 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Nov 30 09:31:34 2012 +0100 s3:util: fix usage of popt_burn_cmdline_password() We should only call popt_burn_cmdline_password() after poptFreeContext(), otherwise we remove the password too early. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4a73adf6e53fb810056a80a87c72b1370323c583 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 14:31:19 2012 +0100 s3-winbind: use new reconnect logic in rpc_lookup_sids() also. Volker, please check. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 7a49c966930ad79e954be582816c45e251d477f8 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 12:03:53 2012 +0100 s3-winbindd: rework reconnect logic in winbindd_lookup_names(). Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit cd517743166c55f3a9eb8b5232e9de061b9c8307 Author: Günther Deschner <g...@samba.org> Date: Thu Nov 29 12:03:16 2012 +0100 s3-winbindd: rework reconnect logic in winbindd_lookup_sids(). Guenther 
Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 82ace10492c7f71294ece4814817015cb0786bc1 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 20:41:21 2012 +0100 s3-winbindd: remove lookup_sids_fn_t. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit d9243815b484456dc79e99bc8062179fe96b2ecb Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 17:03:40 2012 +0100 s3-winbindd: remove lookup_names_fn_t. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3c486dfee47d4d232f88bce05c0b583ed8c6a63b Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 17:00:49 2012 +0100 s3-rpc_client: make dcerpc_lsa_lookup_names_generic() public. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 2d38154f91d8cc7bf1269bdc134d161c438eac92 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 16:57:57 2012 +0100 s3-rpc_cli: make dcerpc_lsa_lookup_sids_generic() public. Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 7bd9a3b86f4622369f3be57904a022202d934fec Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 16:57:24 2012 +0100 s3-winbindd: add cm_connect_lsat(). Guenther Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 457c933ff04e8ffc11ad1b94bbd9d28c48109066 Author: Günther Deschner <g...@samba.org> Date: Wed Nov 28 14:53:27 2012 +0100 s3-rpc_cli: Remove some unused wrapping code. Guenther 
Signed-off-by: Günther Deschner <g...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/lib/popt_common.c | 13 +---- source3/rpc_client/cli_lsarpc.c | 101 +++++++------------------------- source3/rpc_client/cli_lsarpc.h | 39 +++++++------ source3/utils/smbcacls.c | 1 - source3/utils/smbcquotas.c | 1 - source3/winbindd/winbindd_cm.c | 31 ++++++++++ source3/winbindd/winbindd_msrpc.c | 116 ++++++++++++++++--------------------- source3/winbindd/winbindd_proto.h | 4 + source3/winbindd/winbindd_rpc.c | 23 ++----- 9 files changed, 136 insertions(+), 193 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c index c072839..1ec8619 100644 --- a/source3/lib/popt_common.c +++ b/source3/lib/popt_common.c @@ -515,15 +515,6 @@ static void popt_common_credentials_callback(poptContext con, exit(ENOMEM); } set_cmdline_auth_info_username(auth_info, puser); - - if ((p = strchr_m(puser,'%'))) { - size_t len; - *p = 0; - len = strlen(p+1); - set_cmdline_auth_info_password(auth_info, p+1); - memset(strchr_m(getenv("USER"),'%')+1,'X',len); - } - SAFE_FREE(puser); } if (getenv("PASSWD")) { @@ -546,13 +537,13 @@ static void popt_common_credentials_callback(poptContext con, if ((lp=strchr_m(puser,'%'))) { size_t len; - *lp = 0; + *lp = '\0'; set_cmdline_auth_info_username(auth_info, puser); set_cmdline_auth_info_password(auth_info, lp+1); len = strlen(lp+1); - memset(strchr_m(arg,'%')+1,'X',len); + memset(lp + 1, '\0', len); } else { set_cmdline_auth_info_username(auth_info, puser); diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index c6e402d..126f370 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c 
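Review bot: In the second popt_common.c hunk (`@@ -546`), `memset(lp + 1, '\0', len);` now clears the password in `puser`, a private copy, rather than in `arg`. If `puser` is freed shortly afterwards (the free is outside the hunk), the compiler may drop that store as dead, so the wipe may not happen at all. Use a wipe primitive the compiler must keep, such as `memset_s()` or `explicit_bzero()` where the tree's replacement library provides one. Because `arg` is no longer overwritten here, hiding the password from process listings depends on `popt_burn_cmdline_password()` running after `poptFreeContext()`. The smbcacls.c and smbcquotas.c hunks remove the early call and nothing visible in this truncated changeset adds a late one, so that is worth confirming for each tool.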
@@ -330,16 +330,16 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h, * at 20480 for win2k3, but we keep it at a save 1000 for now. */ #define LOOKUP_SIDS_HUNK_SIZE 1000 -static NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes, - bool use_lookupsids3, - NTSTATUS *presult) +NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const struct dom_sid *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3, + NTSTATUS *presult) { NTSTATUS status = NT_STATUS_OK; NTSTATUS result = NT_STATUS_OK; 
@@ -539,48 +539,19 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h, result); } -NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes) -{ - NTSTATUS status; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - status = dcerpc_lsa_lookup_sids_generic(cli->binding_handle, - mem_ctx, - pol, - num_sids, - sids, - pdomains, - pnames, - ptypes, - true, - &result); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - return result; -} - /** Lookup a list of names */ -static NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - uint32_t num_names, - const char **names, - const char ***dom_names, - enum lsa_LookupNamesLevel level, - struct dom_sid **sids, - enum lsa_SidType **types, - bool use_lookupnames4, - NTSTATUS *presult) +NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + uint32_t num_names, + const char **names, + const char ***dom_names, + enum lsa_LookupNamesLevel level, + struct dom_sid **sids, + enum lsa_SidType **types, + bool use_lookupnames4, + NTSTATUS *presult) { NTSTATUS status; struct lsa_String *lsa_names = NULL; 
@@ -790,33 +761,3 @@ NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h, true, result); } - -NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_names, - const char **names, - const char ***dom_names, - int level, - struct dom_sid **sids, - enum lsa_SidType **types) -{ - NTSTATUS status; - NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - - status = dcerpc_lsa_lookup_names4(cli->binding_handle, - mem_ctx, - pol, - num_names, - names, - dom_names, - level, - sids, - types, - &result); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - return result; -} diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h index a26193e..36afe0b 100644 --- a/source3/rpc_client/cli_lsarpc.h +++ b/source3/rpc_client/cli_lsarpc.h @@ -125,7 +125,16 @@ NTSTATUS rpccli_lsa_lookup_sids(struct rpc_pipe_client *cli, char ***pdomains, char ***pnames, enum lsa_SidType **ptypes); - +NTSTATUS dcerpc_lsa_lookup_sids_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + int num_sids, + const struct dom_sid *sids, + char ***pdomains, + char ***pnames, + enum lsa_SidType **ptypes, + bool use_lookupsids3, + NTSTATUS *presult); /** * @brief Look up the names that correspond to an array of sids. * @@ -158,15 +167,6 @@ NTSTATUS dcerpc_lsa_lookup_sids3(struct dcerpc_binding_handle *h, char ***pnames, enum lsa_SidType **ptypes, NTSTATUS *result); -NTSTATUS rpccli_lsa_lookup_sids3(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes); - NTSTATUS dcerpc_lsa_lookup_names(struct dcerpc_binding_handle *h, TALLOC_CTX *mem_ctx, struct policy_handle *pol, 
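Review bot: The prototype of dcerpc_lsa_lookup_sids_generic() added in the `@@ -125` hunk of cli_lsarpc.h is undocumented, and with the blank line removed it sits directly on top of the `@brief` block that belongs to the next function. Restore the blank line and give the new public function its own doc block. It should say what `use_lookupsids3` selects (presumably the LookupSids3 call) and whether `pol` is read in that case, since winbindd_lookup_sids() passes a `struct policy_handle` it declared without initialising. The same applies to dcerpc_lsa_lookup_names_generic() and `use_lookupnames4` in the `@@ -196` hunk.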
@@ -196,14 +196,17 @@ NTSTATUS dcerpc_lsa_lookup_names4(struct dcerpc_binding_handle *h, struct dom_sid **sids, enum lsa_SidType **types, NTSTATUS *result); -NTSTATUS rpccli_lsa_lookup_names4(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, int num_names, - const char **names, - const char ***dom_names, - int level, - struct dom_sid **sids, - enum lsa_SidType **types); +NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + TALLOC_CTX *mem_ctx, + struct policy_handle *pol, + uint32_t num_names, + const char **names, + const char ***dom_names, + enum lsa_LookupNamesLevel level, + struct dom_sid **sids, + enum lsa_SidType **types, + bool use_lookupnames4, + NTSTATUS *presult); bool fetch_domain_sid( char *domain, char *remote_machine, struct dom_sid *psid); diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c index d22e2f3..da190dd 100644 --- a/source3/utils/smbcacls.c +++ b/source3/utils/smbcacls.c @@ -1371,7 +1371,6 @@ static struct cli_state *connect_one(struct user_auth_info *auth_info, popt_common_set_auth_info(auth_info); pc = poptGetContext("smbcacls", argc, argv, long_options, 0); - popt_burn_cmdline_password(argc, argv); poptSetOtherOptionHelp(pc, "//server1/share1 filename\nACLs look like: " "'ACL:user:[ALLOWED|DENIED]/flags/permissions'"); diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c index d248bbe..7363d6b 100644 --- a/source3/utils/smbcquotas.c +++ b/source3/utils/smbcquotas.c @@ -608,7 +608,6 @@ FSQFLAGS:QUOTA_ENABLED/DENY_DISK/LOG_SOFTLIMIT/LOG_HARD_LIMIT", "SETSTRING" }, popt_common_set_auth_info(smbcquotas_auth_info); pc = poptGetContext("smbcquotas", argc, argv, long_options, 0); - popt_burn_cmdline_password(argc, argv); poptSetOtherOptionHelp(pc, "//server1/share1"); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 57027eb..33eeb32 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c 
@@ -2565,6 +2565,37 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, } /**************************************************************************** +Open a LSA connection to a DC, suiteable for LSA lookup calls. +****************************************************************************/ + +NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, + struct rpc_pipe_client **cli, + struct policy_handle *lsa_policy) +{ + NTSTATUS status; + + if (domain->can_do_ncacn_ip_tcp) { + status = cm_connect_lsa_tcp(domain, mem_ctx, cli); + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { + invalidate_cm_connection(&domain->conn); + status = cm_connect_lsa_tcp(domain, mem_ctx, cli); + } + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + return NT_STATUS_OK; + } + + status = cm_connect_lsa(domain, mem_ctx, cli, lsa_policy); + + return status; +} + +/**************************************************************************** Open the netlogon pipe to this DC. Use schannel if specified in client conf. session key stored in conn->netlogon_pipe->dc->sess_key. ****************************************************************************/ diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c index 39186f8..e86838c 100644 --- a/source3/winbindd/winbindd_msrpc.c +++ b/source3/winbindd/winbindd_msrpc.c @@ -1064,16 +1064,6 @@ static NTSTATUS msrpc_password_policy(struct winbindd_domain *domain, return status; } -typedef NTSTATUS (*lookup_sids_fn_t)(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - int num_sids, - const struct dom_sid *sids, - char ***pdomains, - char ***pnames, - enum lsa_SidType **ptypes, - NTSTATUS *result); - NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_sids, 
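Review bot: cm_connect_lsat() returns the error as soon as cm_connect_lsa_tcp() fails, so the named-pipe path through cm_connect_lsa() is never tried for a domain with `can_do_ncacn_ip_tcp` set. The code this replaces in winbindd_lookup_sids() and winbindd_lookup_names() cleared that flag and fell back. If the fallback is still wanted, end the TCP branch with `if (NT_STATUS_IS_OK(status)) { return status; }` followed by `domain->can_do_ncacn_ip_tcp = false;` and let control reach the cm_connect_lsa() call. On the TCP success path `*lsa_policy` is never written; the header comment should say so, because the callers pass in an uninitialised stack variable. The header comment also misspells "suitable" as `suiteable`.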
@@ -1088,25 +1078,21 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, struct dcerpc_binding_handle *b = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout; - lookup_sids_fn_t lookup_sids_fn = dcerpc_lsa_lookup_sids; - - if (domain->can_do_ncacn_ip_tcp) { - status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); - if (NT_STATUS_IS_OK(status)) { - lookup_sids_fn = dcerpc_lsa_lookup_sids3; - goto lookup; - } - domain->can_do_ncacn_ip_tcp = false; - } - status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + bool use_lookupsids3 = false; + bool retried = false; + connect: + status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy); if (!NT_STATUS_IS_OK(status)) { return status; } - lookup: b = cli->binding_handle; + if (cli->transport->transport == NCACN_IP_TCP) { + use_lookupsids3 = true; + } + /* * This call can take a long time * allow the server to time out. @@ -1114,21 +1100,23 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, */ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000); - status = lookup_sids_fn(b, - mem_ctx, - &lsa_policy, - num_sids, - sids, - domains, - names, - types, - &result); + status = dcerpc_lsa_lookup_sids_generic(b, + mem_ctx, + &lsa_policy, + num_sids, + sids, + domains, + names, + types, + use_lookupsids3, + &result); /* And restore our original timeout. */ dcerpc_binding_handle_set_timeout(b, orig_timeout); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || - NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { /* * This can happen if the schannel key is not * valid anymore, we need to invalidate the 
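Review bot: `use_lookupsids3` is only ever set to true after the `connect:` label, so it keeps its value when the retry comes back on a different transport. The `@@ -1136` hunk sets `domain->can_do_ncacn_ip_tcp = domain->active_directory` before `goto connect`, so for a non-AD domain the second pass can arrive over a named pipe with the flag still true. Assign it on every pass instead: `use_lookupsids3 = (cli->transport->transport == NCACN_IP_TCP);`. `use_lookupnames4` in the `@@ -1175` hunk of winbindd_lookup_names() has the same shape. Both function bodies extend beyond the hunks shown.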
@@ -1136,6 +1124,11 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, * a netlogon connection first. */ invalidate_cm_connection(&domain->conn); + domain->can_do_ncacn_ip_tcp = domain->active_directory; + if (!retried) { + retried = true; + goto connect; + } status = NT_STATUS_ACCESS_DENIED; } @@ -1150,17 +1143,6 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -typedef NTSTATUS (*lookup_names_fn_t)(struct dcerpc_binding_handle *h, - TALLOC_CTX *mem_ctx, - struct policy_handle *pol, - uint32_t num_names, - const char **names, - const char ***dom_names, - enum lsa_LookupNamesLevel level, - struct dom_sid **sids, - enum lsa_SidType **types, - NTSTATUS *result); - static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain, uint32_t num_names, @@ -1175,25 +1157,21 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, struct dcerpc_binding_handle *b = NULL; struct policy_handle lsa_policy; unsigned int orig_timeout = 0; - lookup_names_fn_t lookup_names_fn = dcerpc_lsa_lookup_names; - - if (domain->can_do_ncacn_ip_tcp) { - status = cm_connect_lsa_tcp(domain, mem_ctx, &cli); - if (NT_STATUS_IS_OK(status)) { - lookup_names_fn = dcerpc_lsa_lookup_names4; - goto lookup; - } - domain->can_do_ncacn_ip_tcp = false; - } - status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy); + bool use_lookupnames4 = false; + bool retried = false; + connect: + status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy); if (!NT_STATUS_IS_OK(status)) { return status; } - lookup: b = cli->binding_handle; + if (cli->transport->transport == NCACN_IP_TCP) { + use_lookupnames4 = true; + } + /* * This call can take a long time * allow the server to time out. 
@@ -1201,22 +1179,24 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, */ orig_timeout = dcerpc_binding_handle_set_timeout(b, 35000); - status = lookup_names_fn(b, - mem_ctx, - &lsa_policy, - num_names, - (const char **) names, - domains, - 1, - sids, - types, - &result); + status = dcerpc_lsa_lookup_names_generic(b, + mem_ctx, + &lsa_policy, + num_names, + (const char **) names, + domains, + 1, + sids, + types, + use_lookupnames4, + &result); /* And restore our original timeout. */ dcerpc_binding_handle_set_timeout(b, orig_timeout); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || - NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) { + NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) || + NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) { /* * This can happen if the schannel key is not * valid anymore, we need to invalidate the @@ -1224,6 +1204,10 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, * a netlogon connection first. */ invalidate_cm_connection(&domain->conn); + if (!retried) { + retried = true; + goto connect; + } status = NT_STATUS_ACCESS_DENIED; } diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index bf8dbf7..b4f0852 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -163,6 +163,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, struct rpc_pipe_client **cli); +NTSTATUS cm_connect_lsat(struct winbindd_domain *domain, -- Samba Shared Repository
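Review bot: The retry block added to winbindd_lookup_names() in the `@@ -1224` hunk omits `domain->can_do_ncacn_ip_tcp = domain->active_directory;`, which the otherwise identical block in winbindd_lookup_sids() (`@@ -1136`) sets before `goto connect`. If the difference is deliberate, a one-line comment saying why would help the next reader. If it is not, add the assignment so both lookups choose the reconnect transport the same way. The function continues outside the hunk, so a later assignment cannot be ruled out from here.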