The branch, v4-0-test has been updated via de4e721 s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled via c07a730 libcli/smb: fix smb2cli_ioctl*() against Windows 2008. from 8d4f270 nsswitch: Fix short writes in winbind_write_sock
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit de4e72152d83cf03e86c3531f43a9f2bed4967ac Author: Samuel Cabrero <scabr...@zentyal.com> Date: Thu Oct 24 17:37:06 2013 +0200 s4-dns: dlz_bind9: Create dns-HOSTNAME account disabled Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Fri Oct 25 00:39:21 CEST 2013 on sn-devel-104 (cherry picked from commit d3aee80928dc7ccde9441309bf946c2503f7714a) Part of a fix for bug #9091 - When replicating DNS for bind9_dlz we need to create the server-DNS account remotely. Autobuild-User(v4-0-test): Karolin Seeger <ksee...@samba.org> Autobuild-Date(v4-0-test): Thu Nov 7 10:43:12 CET 2013 on sn-devel-104 commit c07a73007198dc51161c73e4a360334bb80b4908 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Oct 28 15:43:03 2013 +0100 libcli/smb: fix smb2cli_ioctl*() against Windows 2008. The subsections of [MS-SMB2] "3.2.5.14 Receiving an SMB2 IOCTL Response" say the client should ignore the InputOffset/InputCount. We do that only if we ask for max_input_length = 0. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10232 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Oct 31 01:16:10 CET 2013 on sn-devel-104 (cherry picked from commit 127fc670a39d15eaa3869045fca0287ba7df9efa) ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb2cli_ioctl.c | 33 +++++++++++++++++++++++++++++---- python/samba/join.py | 11 +++++++---- 2 files changed, 36 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2cli_ioctl.c b/libcli/smb/smb2cli_ioctl.c index 687c9d5..90c3a2c 100644 --- a/libcli/smb/smb2cli_ioctl.c +++ b/libcli/smb/smb2cli_ioctl.c 
@@ -201,7 +201,21 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) return; } - if (input_buffer_length < dyn_len) { + ofs = input_buffer_length; + ofs = NDR_ROUND(ofs, 8); + + if (state->max_input_length == 0) { + /* + * If max_input_length is 0 we ignore + * the input_buffer_length, because + * Windows 2008 echos the DCERPC request + * from the requested input_buffer + * to the response input_buffer. + */ + input_buffer_length = 0; + } + + if (input_buffer_length > dyn_len) { tevent_req_nterror( req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; @@ -216,8 +230,11 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) state->out_input_buffer.data = dyn; state->out_input_buffer.length = input_buffer_length; - ofs = input_buffer_length; - ofs = NDR_ROUND(ofs, 8); + if (ofs > dyn_len) { + tevent_req_nterror( + req, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } dyn_ofs += ofs; dyn += ofs; @@ -231,7 +248,15 @@ static void smb2cli_ioctl_done(struct tevent_req *subreq) return; } - if (output_buffer_length < dyn_len) { + if (state->max_output_length == 0) { + /* + * We do the same logic as for + * max_input_length. + */ + output_buffer_length = 0; + } + + if (output_buffer_length > dyn_len) { tevent_req_nterror( req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; diff --git a/python/samba/join.py b/python/samba/join.py index b2f4da4..bdd3629 100644 --- a/python/samba/join.py +++ b/python/samba/join.py 
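Review bot: In the first hunk `ofs` is derived from the server-supplied `input_buffer_length` and rounded with `NDR_ROUND(ofs, 8)` before any bound is applied, and once `max_input_length == 0` zeroes the length, the only remaining bound is the `if (ofs > dyn_len)` test added in the second hunk. If `ofs` is a 32-bit unsigned (its declaration is outside the hunk), a count within 7 of the type's maximum wraps to 0 when rounded and passes that test, so the input data that should have been skipped would be read as the start of the output buffer. Checking the raw value first, by moving `if (input_buffer_length > dyn_len) {` with its `NT_STATUS_INVALID_NETWORK_RESPONSE` return above the `max_input_length == 0` block, removes the dependence on the rounded value. The rounded test also appears to reject a reply whose input data ends the packet without padding (5 bytes with `dyn_len` 5 gives `ofs` 8); if such a reply is legal, `if (ofs > dyn_len) ofs = dyn_len;` after the raw check would tolerate it. smb2cli_ioctl_done starts and ends outside these hunks.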
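Review bot: The third hunk bounds `output_buffer_length` by `dyn_len` only, and the first hunk does the same for `input_buffer_length`; neither is compared with the limit the caller asked for, so for a non-zero `max_output_length` a server can still hand back more data than was requested. Unless that check already exists outside the hunks, add `if (output_buffer_length > state->max_output_length) {` with the same `NT_STATUS_INVALID_NETWORK_RESPONSE` return, and the matching test against `state->max_input_length`. The comment `We do the same logic as for max_input_length.` would also be clearer if it stated the reason, e.g. `/* Ignore OutputCount when no output was requested, as for max_input_length above. */`.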
@@ -606,15 +606,18 @@ class dc_join(object): "DNSNAME" : ctx.dnshostname})) for changetype, msg in recs: assert changetype == ldb.CHANGETYPE_NONE + dns_acct_dn = msg["dn"] print "Adding DNS account %s with dns/ SPN" % msg["dn"] # Remove dns password (we will set it as a modify, as we can't do clearTextPassword over LDAP) del msg["clearTextPassword"] # Remove isCriticalSystemObject for similar reasons, it cannot be set over LDAP del msg["isCriticalSystemObject"] + # Disable account until password is set + msg["userAccountControl"] = str(samba.dsdb.UF_NORMAL_ACCOUNT | + samba.dsdb.UF_ACCOUNTDISABLE) try: ctx.samdb.add(msg) - dns_acct_dn = msg["dn"] except ldb.LdbError, (num, _): if num != ldb.ERR_ENTRY_ALREADY_EXISTS: raise @@ -624,7 +627,7 @@ class dc_join(object): # connections which are hard to set up and otherwise refuse with # ERR_UNWILLING_TO_PERFORM. In this case we fall back to libnet # over SAMR. - print "Setting account password for %s" % ctx.samname + print "Setting account password for dns-%s" % ctx.myname try: ctx.samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))" % ldb.binary_encode(ctx.myname), @@ -633,8 +636,8 @@ class dc_join(object): username=ctx.samname) except ldb.LdbError, (num, _): if num != ldb.ERR_UNWILLING_TO_PERFORM: - pass - ctx.net.set_password(account_name="dns-" % ctx.myname, + raise + ctx.net.set_password(account_name="dns-%s" % ctx.myname, domain_name=ctx.domain_name, newpassword=ctx.dnspass) -- Samba Shared Repository
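Review bot: The first join.py hunk creates the account with `UF_ACCOUNTDISABLE` "until password is set", but nothing in these hunks clears the flag afterwards. `ctx.samdb.setpassword()` may re-enable the account as a side effect (not visible here). The `ctx.net.set_password()` fallback in the last hunk is a separate path, and if it does not re-enable the account, the dns- account would presumably stay disabled after the join. An explicit replace of `userAccountControl` with `samba.dsdb.UF_NORMAL_ACCOUNT` on `dns_acct_dn` after either password path, or a comment such as `# setpassword() re-enables the account; the SAMR fallback must do the same`, would make the invariant checkable. When `ERR_ENTRY_ALREADY_EXISTS` is swallowed, the pre-existing account keeps whatever flags it had, so the "disabled until password is set" guarantee holds only for freshly created entries.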