The branch, master has been updated
       via  5437fdc s4:torture/ndr: add more krb5pac tests with PAC blobs from pkinit
       via  4e4cc8e s4:torture/ndr: make use of torture_suite_add_ndr_pull_validate_test() in krb5pac when possible
       via  bb64c55 krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*
       via  0e201ec krb5pac/netlogon: add a comment regarding PAC_LOGON_INFO unique pointers on push
       via  a6f672d torture: Add another sample of a PAC that broke the old PAC_UPN_DNS_INFO handling
       via  930dc1a s4-torture: add another krb5pac buffer to the ndr test.
       via  7741e02 s4-torture: add ndr krb5pac testsuite.
       via  3852770 krb5pac.idl: implement PAC_UPN_DNS_INFO correct
       via  8e45836 krb5pac: fix push/pull of subcontexts in PAC_BUFFER
       via  4f5dde6 krb5pac: no need for a noprint PAC_BUFFER.
       via  7eab12f s4:torture/ndr: Add supplementalCredentials blob from Win2012R2
       via  9e82286 s4:torture/ndr: Add supplementalCredentials blobs from alpha13 and release_4_1_0rc3
       via  c30dcae s4:torture/ndr: add validation checks for strange supplementalCredentials blobs
       via  5690bc9 s4-torture: rename torture_suite_add_ndr_pullpush_test to torture_suite_add_ndr_pull_validate_test.
       via  cde8ed2 torture: show the first differing byte and a dump in torture_assert_data_blob_equal().
       via  26d2ea3 drsblobs.idl: supplementalCredentialsSubBlob make it possible to parse strange blobs
       via  e9c9615 drsblobs.idl: mark supplementalCredentialsSubBlob as nopull,nopush
       via  f9a4d0d s4:dsdb/password_hash: explicitly set SUPPLEMENTAL_CREDENTIALS_SIGNATURE
       via  5c1ce0e s3:libnet_dssync_keytab: ignore empty supplementalCredentialsBlob structures
       via  1be64cb s4:kdc: ignore empty supplementalCredentialsBlob structures
       via  d3c8902 ctdb-tools: Avoid uninitialised memory access
       via  fac60e5 ctdb-client: Fix access after free error
       via  5f57bcc ctdb-client: Fix incorrect variable reference
       via  7fdb5d2c WHATSNEW: Add features added for Samba 4.5
      from  a464a89 samba-tool: Speed up all samba-tool commands
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 5437fdcffb116d0af279b7a0f45893cc883a8e69
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 19 16:32:06 2016 +0200

    s4:torture/ndr: add more krb5pac tests with PAC blobs from pkinit

    We validate everything except the whole LOGON_INFO structure,
    we even decrypt the PAC_CREDENTIALS_INFO blob and verify
    PAC_CREDENTIAL_DATA_NDR and PAC_CREDENTIAL_NTLM_SECPKG.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Jul 21 01:07:28 CEST 2016 on sn-devel-144

commit 4e4cc8e91dd67308d6437f98d59059ac557aad4e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 19 16:38:56 2016 +0200

    s4:torture/ndr: make use of torture_suite_add_ndr_pull_validate_test() in krb5pac when possible

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 19 16:31:01 2016 +0200

    krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*

    MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
    while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 0e201ecdc53b07d66342e453b3710d3d06481b8b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 14 09:34:43 2016 +0200

    krb5pac/netlogon: add a comment regarding PAC_LOGON_INFO unique pointers on push

    This difference is the reason why we can't fully (ndr)validate
    some PAC blobs.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit a6f672d69f9bb3933181f45bbd51f4014224bdca
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jul 19 16:48:18 2016 +1200

    torture: Add another sample of a PAC that broke the old PAC_UPN_DNS_INFO handling

    This is included because this sample helped us address issues in the
    previous attempt at handling PAC_UPN_DNS_INFO correctly, and I have
    Tris's permission to include this in our tests.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 930dc1a12ab2108a3d217aebabd93b31ea85524c
Author: Günther Deschner <g...@samba.org>
Date:   Wed Feb 6 13:10:44 2013 +0100

    s4-torture: add another krb5pac buffer to the ndr test.

    This one nicely demonstrates that the strings are really non-null
    terminated.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7741e0286781a28c61a135afb143d943c56b6a8a
Author: Günther Deschner <g...@samba.org>
Date:   Thu Dec 13 12:28:19 2012 +0100

    s4-torture: add ndr krb5pac testsuite.

    Someone changed the PAC buffer union without adding proper tests, now
    we sometimes fail to parse the PAC completely due to that...

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 38527702fd4be221939a629749c7bd939b219f6a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 6 13:27:21 2016 +0100

    krb5pac.idl: implement PAC_UPN_DNS_INFO correct

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 8e458360b454a10bd6fea0bd76c995311348bf11
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 6 16:44:12 2013 +0100

    krb5pac: fix push/pull of subcontexts in PAC_BUFFER

    We need to have two subcontexts to get the padding right,
    the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
    the inner subcontext only uses _ndr_size.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 4f5dde6730a7074ce36be59889cd181ddc79193f
Author: Günther Deschner <g...@samba.org>
Date:   Mon Mar 18 16:25:06 2013 +0100

    krb5pac: no need for a noprint PAC_BUFFER.

    Guenther

    @@ -1,6 +1,7 @@
     _PUBLIC_ void ndr_print_PAC_BUFFER(struct ndr_print *ndr, const char *name, const struct PAC_BUFFER *r)
     {
    	ndr_print_struct(ndr, name, "PAC_BUFFER");
    +	if (r == NULL) { ndr_print_null(ndr); return; }
    	ndr->depth++;
    	ndr_print_PAC_TYPE(ndr, "type", r->type);
    	ndr_print_uint32(ndr, "_ndr_size", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?_ndr_size_PAC_INFO(r->info,r->type,0):r->_ndr_size);
    @@ -11,7 +12,7 @@
    		ndr_print_PAC_INFO(ndr, "info", r->info);
    	}
    	ndr->depth--;
    -	ndr_print_uint32(ndr, "_pad", r->_pad);
    +	ndr_print_uint32(ndr, "_pad", (ndr->flags & LIBNDR_PRINT_SET_VALUES)?0:r->_pad);
    	ndr->depth--;
     }

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7eab12fa637041660d442999f3dc5374bbddf627
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 20 16:45:34 2016 +1200

    s4:torture/ndr: Add supplementalCredentials blob from Win2012R2

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9e8228692d8083f855ff00e582bab12246f7ff2d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 20 14:53:42 2016 +1200

    s4:torture/ndr: Add supplementalCredentials blobs from alpha13 and release_4_1_0rc3

    This covers the case without AES keys, and before the IDL was changed
    for SambaGPG support

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c30dcaee4ccb8b83c907289788e84169ad2624e8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jul 15 09:10:03 2016 +0200

    s4:torture/ndr: add validation checks for strange supplementalCredentials blobs

    From the mail to dochelp:

    I've also got cases (where I created an account with
    UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_SMARTCARD_REQUIRED in the LDAP add)
    with the following strange blobs:

    One time:
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00

    and once:
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 53

    The original issue I reported was the following: a user was created
    with a password and then userAccountControl was changed to
    UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED. In that case I'm getting:

    [0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00
    [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
    [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 30

    As you see the last byte (unknown3) is always different on Windows,
    but always 0x00 from Samba, so I used 0x00 in order to allow the
    test to pass.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 5690bc9095a7748ccad2c165bd767634c88318c0
Author: Günther Deschner <g...@samba.org>
Date:   Wed Feb 6 12:34:53 2013 +0100

    s4-torture: rename torture_suite_add_ndr_pullpush_test to torture_suite_add_ndr_pull_validate_test.

    Hoping the new name is not as confusing as the old name.

    Guenther

    Signed-off-by: Günther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit cde8ed20e0e71f17df3a34f1b6f132ea1f8af11e
Author: Günther Deschner <g...@samba.org>
Date:   Wed Feb 6 12:25:43 2013 +0100

    torture: show the first differing byte and a dump in torture_assert_data_blob_equal().

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Günther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 26d2ea389bbebc66831e597b570cfdd0b2d5a6ef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 20 18:59:20 2016 +0200

    drsblobs.idl: supplementalCredentialsSubBlob make it possible to parse strange blobs

    Windows omits the uint16 num_packages field when the packages array
    is empty. This happens if the UF_SMARTCARD_REQUIRED flag is set for
    an account.

    A user was created with a password and then userAccountControl was
    changed to UF_NORMAL_ACCOUNT|UF_SMARTCARD_REQUIRED. In that case I'm
    getting (as the whole supplementalCredentialsBlob):

    [0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00   ....b... .... . .
    [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00    . . . . . . . .
    [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00    . . . . . . . .
    [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00    . . . . . . . .
    [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00    . . . . . . . .
    [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00    . . . . . . . .
    [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 30       . . . . . .P.0

    I've also got cases (where I created an account with
    UF_NORMAL_ACCOUNT|UF_ACCOUNTDISABLE|UF_SMARTCARD_REQUIRED in the LDAP add)
    with the following strange blobs:

    One time:
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00

    and once:
    [0000] 00 00 00 00 00 00 00 00 00 00 00 00 53

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit e9c9615a1fd704d5aa666002b04d32a7ab58e533
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri May 20 17:06:23 2016 +0200

    drsblobs.idl: mark supplementalCredentialsSubBlob as nopull,nopush

    This commit moves the autogenerated
    ndr_{pull,push}_supplementalCredentialsSubBlob() function to the
    handwritten librpc/ndr/ndr_drsblobs.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit f9a4d0d2a03d9c95e202604585fddcec44a36cb2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jun 2 19:57:15 2016 +0200

    s4:dsdb/password_hash: explicitly set SUPPLEMENTAL_CREDENTIALS_SIGNATURE

    Typically this is automatically set in
    ndr_push_supplementalCredentialsBlob(), but we need to change that
    behavior in order to handle strangely formatted values.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 5c1ce0e7e530feff55fd41a0be397b6dde4b2b27
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 3 16:34:08 2016 +0200

    s3:libnet_dssync_keytab: ignore empty supplementalCredentialsBlob structures

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 1be64cb660e4d31d089755e065ac76425ab6d41e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 3 16:34:08 2016 +0200

    s4:kdc: ignore empty supplementalCredentialsBlob structures

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit d3c890225be0110f23b6249b160f825a482ad68f
Author: Martin Schwenke <mar...@meltin.net>
Date:   Wed Jul 20 16:42:32 2016 +1000

    ctdb-tools: Avoid uninitialised memory access

    ==27786== Syscall param write(buf) points to uninitialised byte(s)
    ==27786==    at 0x62820D0: __write_nocancel (syscall-template.S:84)
    ==27786==    by 0x428B57: ctdb_queue_send (ctdb_io.c:322)
    ==27786==    by 0x41F3B1: ctdb_client_queue_pkt (ctdb_client.c:153)
    ==27786==    by 0x41F3B1: ctdb_client_send_message (ctdb_client.c:603)
    ==27786==    by 0x419FA3: srvid_broadcast.constprop.26 (ctdb.c:1965)
    ==27786==    by 0x41B869: control_reload_nodes_file (ctdb.c:5696)
    ==27786==    by 0x404DBA: main (ctdb.c:6008)
    ==27786==  Address 0x7ead310 is 144 bytes inside a block of size 168 alloc'd
    ==27786==    at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==27786==    by 0x564DBEC: __talloc_with_prefix (talloc.c:675)
    ==27786==    by 0x564DBEC: __talloc (talloc.c:716)
    ==27786==    by 0x564DBEC: _talloc_named_const (talloc.c:873)
    ==27786==    by 0x564DBEC: _talloc_zero (talloc.c:2318)
    ==27786==    by 0x41E1E2: _ctdbd_allocate_pkt (ctdb_client.c:59)
    ==27786==    by 0x41F37D: ctdb_client_send_message (ctdb_client.c:594)
    ==27786==    by 0x419FA3: srvid_broadcast.constprop.26 (ctdb.c:1965)
    ==27786==    by 0x41B869: control_reload_nodes_file (ctdb.c:5696)
    ==27786==    by 0x404DBA: main (ctdb.c:6008)
    ==27786==

    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fac60e58847187fa91136aedb87ee5e32adf6cd3
Author: Martin Schwenke <mar...@meltin.net>
Date:   Wed Jul 20 14:41:13 2016 +1000

    ctdb-client: Fix access after free error

    State is stolen onto tmp_ctx above so can't be referenced after
    tmp_ctx is freed.  So, state->status has to be looked at earlier.

    Moving it immediately before the talloc_free(tmp_ctx) isn't
    sufficient because invoking the callback appears to cause a recursive
    call to ctdb_control_recv(), which also frees state.  Referencing it
    at the top seems safe.

    ==23982== Invalid read of size 4
    ==23982==    at 0x4204AE: ctdb_control_recv (ctdb_client.c:1181)
    ==23982==    by 0x420645: invoke_control_callback (ctdb_client.c:971)
    ==23982==    by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
    ==23982==    by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
    ==23982==    by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
    ==23982==    by 0x5E622EC: _tevent_loop_once (tevent.c:533)
    ==23982==    by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
    ==23982==    by 0x42578A: ctdb_client_async_control (ctdb_client.c:3442)
    ==23982==    by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
    ==23982==    by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
    ==23982==    by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
    ==23982==    by 0x404DBA: main (ctdb.c:6008)
    ==23982==  Address 0x7e98d9c is 108 bytes inside a block of size 168 free'd
    ==23982==    at 0x4C2CDFB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==23982==    by 0x5652692: _tc_free_internal (talloc.c:1125)
    ==23982==    by 0x5652692: _tc_free_children_internal (talloc.c:1570)
    ==23982==    by 0x564B952: _tc_free_internal (talloc.c:1081)
    ==23982==    by 0x564B952: _talloc_free_internal (talloc.c:1151)
    ==23982==    by 0x564B952: _talloc_free (talloc.c:1693)
    ==23982==    by 0x4204C9: ctdb_control_recv (ctdb_client.c:1182)
    ==23982==    by 0x4207AA: async_callback (ctdb_client.c:3350)
    ==23982==    by 0x4204AD: ctdb_control_recv (ctdb_client.c:1179)
    ==23982==    by 0x420645: invoke_control_callback (ctdb_client.c:971)
    ==23982==    by 0x5E675EC: tevent_common_loop_timer_delay (tevent_timed.c:341)
    ==23982==    by 0x5E68639: epoll_event_loop_once (tevent_epoll.c:911)
    ==23982==    by 0x5E66BD6: std_event_loop_once (tevent_standard.c:114)
    ==23982==    by 0x5E622EC: _tevent_loop_once (tevent.c:533)
    ==23982==    by 0x4255F7: ctdb_client_async_wait (ctdb_client.c:3385)
    ==23982==  Block was alloc'd at
    ==23982==    at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==23982==    by 0x564DBEC: __talloc_with_prefix (talloc.c:675)
    ==23982==    by 0x564DBEC: __talloc (talloc.c:716)
    ==23982==    by 0x564DBEC: _talloc_named_const (talloc.c:873)
    ==23982==    by 0x564DBEC: _talloc_zero (talloc.c:2318)
    ==23982==    by 0x42017F: ctdb_control_send (ctdb_client.c:1086)
    ==23982==    by 0x425746: ctdb_client_async_control (ctdb_client.c:3431)
    ==23982==    by 0x41B405: ctdb_get_nodes_files (ctdb.c:5488)
    ==23982==    by 0x41B405: check_all_node_files_are_identical (ctdb.c:5530)
    ==23982==    by 0x41B405: control_reload_nodes_file (ctdb.c:5673)
    ==23982==    by 0x404DBA: main (ctdb.c:6008)
    ==23982==

    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5f57bcc01d973516beaedfbd2c1ef552322e4779
Author: Martin Schwenke <mar...@meltin.net>
Date:   Wed Jul 20 14:46:58 2016 +1000

    ctdb-client: Fix incorrect variable reference

    The point of this code is almost certainly to return non-zero when
    state->errormsg is set.  So, return state->status if non-zero, -1
    otherwise.

    Signed-off-by: Martin Schwenke <mar...@meltin.net>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7fdb5d2c5c05aec440b3ceea6a5fabcc3284f0a2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jul 19 15:48:28 2016 +1200

    WHATSNEW: Add features added for Samba 4.5
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 86 +++ ctdb/client/ctdb_client.c | 3 +- ctdb/tools/ctdb.c | 6 +- lib/krb5_wrap/krb5_samba.h | 11 + lib/torture/torture.h | 36 ++ librpc/idl/drsblobs.idl | 6 +- librpc/idl/krb5pac.idl | 49 +- librpc/idl/netlogon.idl | 8 + librpc/ndr/ndr_drsblobs.c | 69 ++ librpc/ndr/ndr_krb5pac.c | 42 +- .../gssapi-glue.c => librpc/ndr/ndr_krb5pac.h | 14 +- librpc/wscript_build | 4 +- source3/libnet/libnet_dssync_keytab.c | 4 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 1 + source4/kdc/db-glue.c | 8 +- source4/torture/ndr/backupkey.c | 2 +- source4/torture/ndr/clusapi.c | 4 +- source4/torture/ndr/drsblobs.c | 264 +++++++- source4/torture/ndr/krb5pac.c | 703 +++++++++++++++++++++ source4/torture/ndr/nbt.c | 8 +- source4/torture/ndr/ndr.c | 1 + source4/torture/ndr/ndr.h | 4 +- source4/torture/ndr/negoex.c | 2 +- source4/torture/ndr/ntlmssp.c | 4 +- source4/torture/ndr/ntprinting.c | 2 +- source4/torture/wscript_build | 3 +- 26 files changed, 1262 insertions(+), 82 deletions(-) copy source4/heimdal_build/gssapi-glue.c => librpc/ndr/ndr_krb5pac.h (74%) create mode 100644 source4/torture/ndr/krb5pac.c Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 91f545d..2eaad94 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -25,6 +25,92 @@ The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID control. This can be used to monitor the active directory database for changes. +VLV - Virtual List View +----------------------- + +The VLV Control allows applications to page the LDAP directory in the +way you might expect a live phone book application to operate, without +first downloading the entire directory. + +DRS Replication for the AD DC +----------------------------- + +DRS Replication in Samba 4.5 is now much more efficient in handling +linked attributes, particularly in large domains with over 1000 group +memberships or other links. + +Replication is also much more reliable in the handling of tree +renames, such as the rename of an organizational unit containing many +users. Extensive tests have been added to ensure this code remains +reliable, particularly in the case of conflicts between objects added +with the same name on different servers. + +Schema updates are also handled much more reliably. + +replPropertyMetaData Changes +---------------------------- + +During the development of the DRS replication, tests showed that Samba +stores the replPropertyMetaData object incorrectly. To address this, +be aware that dbcheck will now detect and offer to fix all objects in +the domain for this error. + +Linked attributes on deleted objects +------------------------------------ + +In Active Directory, an object that has been tombstoned or recycled +has no linked attributes. However, Samba incorrectly maintained such +links, slowing replication and run-time performance. dbcheck now +offers to remove such links, and they are no longer kept after the +object is tombstoned or recycled. + +Improved AD DC performance +-------------------------- + +Many other improvements have been made to our LDAP database layer in +the AD DC, to improve performance, both during samba-tool domain +provision and at runtime. 
+ +Other dbcheck improvements +-------------------------- + + - samba-tool dbcheck can now find and fix a missing or corrupted + 'deleted objects' container. + - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values + in objectClass as these were then re-sorted at the next dbcheck indefinitely. + +Tombstone Reanimation +--------------------- + +Samba now supports tombstone reanimation, a feature in the AD DC +allowing tombstones, that is objects which have been deleted, to be +restored with the original SID and GUID still in place. + +Multiple DNS Forwarders on the AD DC +------------------------------------ + +Multiple DNS forwarders are now supported on the AD DC, allowing +samba to fall back between two different DNS servers for forwarded queries. + +Password quality plugin support in the AD DC +-------------------------------------------- + +The check password script now operates correctly in the AD DC (this +was silently ignored in past releases) + +pwdLastSet is now correctly honoured +------------------------------------ + +BUG 9654: the pwdLastSet attribute is now correctly handled (this previously +permitted passwords that next expire). + +net ads dns unregister +---------------------- + +It is now possible to remove the DNS entries created with 'net ads register' +with the matching 'net ads unregister' command. + + REMOVED FEATURES ================ diff --git a/ctdb/client/ctdb_client.c b/ctdb/client/ctdb_client.c index 7e98499..6748e69 100644 --- a/ctdb/client/ctdb_client.c +++ b/ctdb/client/ctdb_client.c @@ -1170,6 +1170,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, } if (state->errormsg) { + int s = (state->status == 0 ? -1 : state->status); DEBUG(DEBUG_ERR,("ctdb_control error: '%s'\n", state->errormsg)); if (errormsg) { (*errormsg) = talloc_move(mem_ctx, &state->errormsg); 
@@ -1178,7 +1179,7 @@ int ctdb_control_recv(struct ctdb_context *ctdb, state->async.fn(state); } talloc_free(tmp_ctx); - return (status == 0 ? -1 : state->status); + return s; } if (outdata) { diff --git a/ctdb/tools/ctdb.c b/ctdb/tools/ctdb.c index 9f2abf2..8ea2fbc 100644 --- a/ctdb/tools/ctdb.c +++ b/ctdb/tools/ctdb.c @@ -1904,8 +1904,6 @@ static int srvid_broadcast(struct ctdb_context *ctdb, struct srvid_reply_handler_data reply_data; struct timeval tv; - ZERO_STRUCT(request); - /* Time ticks to enable timeouts to be processed */ tevent_add_timer(ctdb->ev, ctdb, timeval_current_ofs(1, 0), ctdb_every_second, ctdb); @@ -1914,12 +1912,16 @@ static int srvid_broadcast(struct ctdb_context *ctdb, reply_srvid = getpid(); if (arg == NULL) { + ZERO_STRUCT(request); + request.pnn = pnn; request.srvid = reply_srvid; data.dptr = (uint8_t *)&request; data.dsize = sizeof(request); } else { + ZERO_STRUCT(request_data); + request_data.pnn = pnn; request_data.srvid = reply_srvid; request_data.timeout = *arg; diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index 41664f1..2b5e2bb 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -74,6 +74,17 @@ #define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR #endif +/* + * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal + * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT + */ +#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128) +#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128 +#endif +#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256) +#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256 +#endif + typedef struct { #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */ krb5_address **addrs; diff --git a/lib/torture/torture.h b/lib/torture/torture.h index e710873..31c02f7 100644 --- a/lib/torture/torture.h +++ b/lib/torture/torture.h 
@@ -349,6 +349,12 @@ void torture_result(struct torture_context *test, } \ } while(0) +static inline void torture_dump_data_str_cb(const char *buf, void *private_data) +{ + char **dump = (char **)private_data; + *dump = talloc_strdup_append_buffer(*dump, buf); +} + #define torture_assert_data_blob_equal(torture_ctx,got,expected,cmt)\ do { const DATA_BLOB __got = (got), __expected = (expected); \ if (__got.length != __expected.length) { \ @@ -358,6 +364,36 @@ void torture_result(struct torture_context *test, return false; \ } \ if (memcmp(__got.data, __expected.data, __got.length) != 0) { \ + char *__dump = NULL; \ + uint8_t __byte_a = 0x00;\ + uint8_t __byte_b = 0x00;\ + int __i;\ + for (__i=0; __i < __expected.length; __i++) {\ + __byte_a = __expected.data[__i];\ + if (__i == __got.length) {\ + __byte_b = 0x00;\ + break;\ + }\ + __byte_b = __got.data[__i];\ + if (__byte_a != __byte_b) {\ + break;\ + }\ + }\ + torture_warning(torture_ctx, "blobs differ at byte 0x%02X (%u)", __i, __i);\ + torture_warning(torture_ctx, "expected byte[0x%02X] = 0x%02X got byte[0x%02X] = 0x%02X",\ + __i, __byte_a, __i, __byte_b);\ + __dump = talloc_strdup(torture_ctx, ""); \ + dump_data_cb(__got.data, __got.length, true, \ + torture_dump_data_str_cb, &__dump); \ + torture_warning(torture_ctx, "got[0x%02X]: \n%s", \ + (int)__got.length, __dump); \ + TALLOC_FREE(__dump); \ + __dump = talloc_strdup(torture_ctx, ""); \ + dump_data_cb(__expected.data, __expected.length, true, \ + torture_dump_data_str_cb, &__dump); \ + torture_warning(torture_ctx, "expected[0x%02X]: \n%s", \ + (int)__expected.length, __dump); \ + TALLOC_FREE(__dump); \ torture_result(torture_ctx, TORTURE_FAIL, \ __location__": "#got" of len %d did not match "#expected": %s", (int)__got.length, cmt); \ return false; \ diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl index 499febb..645ec38 100644 --- a/librpc/idl/drsblobs.idl +++ b/librpc/idl/drsblobs.idl 
@@ -291,7 +291,7 @@ interface drsblobs { [in] ldapControlDirSyncCookie cookie ); - typedef struct { + typedef [public] struct { [value(2*strlen_m(name))] uint16 name_len; [value(strlen(data))] uint16 data_len; uint16 reserved; /* 2 for 'Packages', 1 for 'Primary:*', but should be ignored */ @@ -323,11 +323,11 @@ interface drsblobs { /* this are 0x30 (48) whitespaces (0x20) */ const string SUPPLEMENTAL_CREDENTIALS_PREFIX = " "; - typedef [flag(NDR_PAHEX)] enum { + typedef [flag(NDR_PAHEX),public] enum { SUPPLEMENTAL_CREDENTIALS_SIGNATURE = 0x0050 } supplementalCredentialsSignature; - typedef [gensize] struct { + typedef [gensize,nopush,nopull] struct { [value(SUPPLEMENTAL_CREDENTIALS_PREFIX),charset(UTF16)] uint16 prefix[0x30]; [value(SUPPLEMENTAL_CREDENTIALS_SIGNATURE)] supplementalCredentialsSignature signature; uint16 num_packages; diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl index e6ebe35..f27e724 100644 --- a/librpc/idl/krb5pac.idl +++ b/librpc/idl/krb5pac.idl @@ -10,7 +10,8 @@ import "security.idl", "lsa.idl", "netlogon.idl", "samr.idl"; uuid("12345778-1234-abcd-0000-00000000"), version(0.0), pointer_default(unique), - helpstring("Active Directory KRB5 PAC") + helpstring("Active Directory KRB5 PAC"), + helper("../librpc/ndr/ndr_krb5pac.h") ] interface krb5pac { @@ -32,6 +33,12 @@ interface krb5pac typedef struct { netr_SamInfo3 info3; + /* + * On ndr_push: + * Pointers values of info3.sids[*].sid + * should be allocated before the following ones? + * (just the 0x30 0x00 0x02 0x00 value). + */ PAC_DOMAIN_GROUP_MEMBERSHIP resource_groups; } PAC_LOGON_INFO; 
@@ -78,18 +85,17 @@ interface krb5pac [size_is(num_transited_services)] lsa_String *transited_services; } PAC_CONSTRAINED_DELEGATION; + typedef [bitmap32bit] bitmap { + PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001 + } PAC_UPN_DNS_FLAGS; + typedef struct { - [value(2*strlen_m(upn_name))] uint16 upn_size; - uint16 upn_offset; - [value(2*strlen_m(domain_name))] uint16 domain_size; - uint16 domain_offset; - uint16 unknown3; /* 0x01 */ - uint16 unknown4; - uint32 unknown5; - [charset(UTF16)] uint8 upn_name[upn_size+2]; - [charset(UTF16)] uint8 domain_name[domain_size+2]; - uint32 unknown6; /* padding */ - } PAC_UNKNOWN_12; + [value(2*strlen_m(upn_name))] uint16 upn_name_size; + [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name; + [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size; + [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name; + PAC_UPN_DNS_FLAGS flags; + } PAC_UPN_DNS_INFO; typedef [public] struct { PAC_LOGON_INFO *info; @@ -106,7 +112,7 @@ interface krb5pac PAC_TYPE_KDC_CHECKSUM = 7, PAC_TYPE_LOGON_NAME = 10, PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UNKNOWN_12 = 12 + PAC_TYPE_UPN_DNS_INFO = 12 } PAC_TYPE; typedef struct { 
@@ -121,18 +127,25 @@ interface krb5pac [case(PAC_TYPE_LOGON_NAME)] PAC_LOGON_NAME logon_name; [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)] PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; + [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; /* when new PAC info types are added they are supposed to be done in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for unknown types, which lets us ignore the data */ [default] [subcontext(0)] DATA_BLOB_REM unknown; - /* [case(PAC_TYPE_UNKNOWN_12)] PAC_UNKNOWN_12 unknown; */ } PAC_INFO; - typedef [public,nopush,nopull,noprint] struct { + typedef [public,nopush,nopull] struct { PAC_TYPE type; [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size; - [relative,switch_is(type),subcontext(0),subcontext_size(_subcontext_size_PAC_INFO(r, ndr->flags)),flag(NDR_ALIGN8)] PAC_INFO *info; + /* + * We need to have two subcontexts to get the padding right, + * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while + * the inner subcontext only uses _ndr_size. + * + * We do that in non-generated push/pull functions. + */ + [relative,switch_is(type),subcontext(0),subcontext_size(NDR_ROUND(_ndr_size,8)),flag(NDR_ALIGN8)] PAC_INFO *info; [value(0)] uint32 _pad; /* Top half of a 64 bit pointer? */ } PAC_BUFFER; @@ -185,6 +198,10 @@ interface krb5pac [in] PAC_CREDENTIAL_DATA_NDR credential_data_ndr ); + [nopython] void decode_upn_dns_info( + [in] PAC_UPN_DNS_INFO upn_dns_info + ); + [nopython] void decode_pac_validate( [in] PAC_Validate pac_validate ); diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl index 5eb8e6a..621d537 100644 --- a/librpc/idl/netlogon.idl +++ b/librpc/idl/netlogon.idl 
@@ -263,6 +263,14 @@ interface netlogon netr_SamBaseInfo base; uint32 sidcount; [size_is(sidcount)] netr_SidAttr *sids; + /* + * On ndr_push: + * Should pointer values be allocated + * of sids[*].sid before the following ones? + * + * That's at least the case for + * PAC_LOGON_INFO. + */ lsa_String dns_domainname; lsa_String principal_name; uint32 unknown4[20]; diff --git a/librpc/ndr/ndr_drsblobs.c b/librpc/ndr/ndr_drsblobs.c index 1392b98..b0d3f50 100644 --- a/librpc/ndr/ndr_drsblobs.c +++ b/librpc/ndr/ndr_drsblobs.c 
@@ -149,3 +149,72 @@ _PUBLIC_ void ndr_print_drsuapi_MSPrefixMap_Entry(struct ndr_print *ndr, const c ndr->flags = _flags_save_STRUCT; } } + +_PUBLIC_ enum ndr_err_code ndr_push_supplementalCredentialsSubBlob(struct ndr_push *ndr, int ndr_flags, const struct supplementalCredentialsSubBlob *r) +{ + uint32_t cntr_packages_0; + NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags); + if (ndr_flags & NDR_SCALARS) { + if ((r->signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) + && (r->num_packages == 0)) { + return NDR_ERR_SUCCESS; + } + NDR_CHECK(ndr_push_align(ndr, 3)); + NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, SUPPLEMENTAL_CREDENTIALS_PREFIX, 0x30, sizeof(uint16_t), CH_UTF16)); + NDR_CHECK(ndr_push_supplementalCredentialsSignature(ndr, NDR_SCALARS, SUPPLEMENTAL_CREDENTIALS_SIGNATURE)); + if (r->num_packages > 0) { + NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, r->num_packages)); + } + for (cntr_packages_0 = 0; cntr_packages_0 < (r->num_packages); cntr_packages_0++) { + NDR_CHECK(ndr_push_supplementalCredentialsPackage(ndr, NDR_SCALARS, &r->packages[cntr_packages_0])); + } + NDR_CHECK(ndr_push_trailer_align(ndr, 3)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ enum ndr_err_code ndr_pull_supplementalCredentialsSubBlob(struct ndr_pull *ndr, int ndr_flags, struct supplementalCredentialsSubBlob *r) +{ + uint32_t size_prefix_0 = 0; + uint32_t size_packages_0 = 0; + uint32_t cntr_packages_0; + TALLOC_CTX *_mem_save_packages_0 = NULL; + NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); + if (ndr_flags & NDR_SCALARS) { + uint32_t remaining = 0; + NDR_CHECK(ndr_pull_align(ndr, 3)); + size_prefix_0 = 0x30; + remaining = ndr->data_size - ndr->offset; + if (remaining >= size_prefix_0) { + NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->prefix, size_prefix_0, sizeof(uint16_t), CH_UTF16)); + } else { + r->prefix = NULL; + } + remaining = ndr->data_size - ndr->offset; + if (remaining >= 2) { + NDR_CHECK(ndr_pull_supplementalCredentialsSignature(ndr, NDR_SCALARS, 
&r->signature)); + } else { + r->signature = 0; + } + remaining = ndr->data_size - ndr->offset; + if (remaining > 0) { + NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_packages)); + } else { + r->num_packages = 0; + } + size_packages_0 = r->num_packages; + NDR_PULL_ALLOC_N(ndr, r->packages, size_packages_0); + _mem_save_packages_0 = NDR_PULL_GET_MEM_CTX(ndr); + NDR_PULL_SET_MEM_CTX(ndr, r->packages, 0); + for (cntr_packages_0 = 0; cntr_packages_0 < (size_packages_0); cntr_packages_0++) { + NDR_CHECK(ndr_pull_supplementalCredentialsPackage(ndr, NDR_SCALARS, &r->packages[cntr_packages_0])); + } + NDR_PULL_SET_MEM_CTX(ndr, _mem_save_packages_0, 0); + NDR_CHECK(ndr_pull_trailer_align(ndr, 3)); + } + if (ndr_flags & NDR_BUFFERS) { + } + return NDR_ERR_SUCCESS; +} diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c index f7db791..a9ae2c4 100644 --- a/librpc/ndr/ndr_krb5pac.c +++ b/librpc/ndr/ndr_krb5pac.c @@ -23,23 +23,19 @@ #include "includes.h" #include "librpc/gen_ndr/ndr_krb5pac.h" -static size_t _ndr_size_PAC_INFO(const union PAC_INFO *r, uint32_t level, int flags) +size_t _ndr_size_PAC_INFO(const union PAC_INFO *r, uint32_t level, int flags) { size_t s = ndr_size_PAC_INFO(r, level, flags); switch (level) { case PAC_TYPE_LOGON_INFO: return NDR_ROUND(s,8); + case PAC_TYPE_UPN_DNS_INFO: + return NDR_ROUND(s,8); default: return s; } } -static size_t _subcontext_size_PAC_INFO(const union PAC_INFO *r, uint32_t level, int flags) -{ - size_t s = ndr_size_PAC_INFO(r, level, flags); - return NDR_ROUND(s,8); -} - enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const struct PAC_BUFFER *r) { if (ndr_flags & NDR_SCALARS) { 
@@ -61,11 +57,15 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const if (r->info) { NDR_CHECK(ndr_push_relative_ptr2_start(ndr, r->info)); { + struct ndr_push *_ndr_info_pad; struct ndr_push *_ndr_info; - NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info, 0, _subcontext_size_PAC_INFO(r->info,r->type,0))); + size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0); + NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8))); + NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); NDR_CHECK(ndr_push_PAC_INFO(_ndr_info, NDR_SCALARS|NDR_BUFFERS, r->info)); - NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_info, 0, _subcontext_size_PAC_INFO(r->info,r->type,0))); + NDR_CHECK(ndr_push_subcontext_end(_ndr_info_pad, _ndr_info, 0, _ndr_size)); + NDR_CHECK(ndr_push_subcontext_end(ndr, _ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8))); } NDR_CHECK(ndr_push_relative_ptr2_end(ndr, r->info)); -- Samba Shared Repository
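Review bot: In the krb5pac.idl hunk (PAC_BUFFER typedef), `subcontext_size(NDR_ROUND(_ndr_size,8))` only describes the outer of the two subcontexts the new comment talks about, and since the struct is `nopush,nopull` the attribute is never turned into generated code; please say so in the comment ("the attribute below is illustrative, the real two-level layout lives in ndr_push/pull_PAC_BUFFER in librpc/ndr/ndr_krb5pac.c") so that nobody later removes `nopush,nopull` expecting the single subcontext to be equivalent. The `[value(_ndr_size_PAC_INFO(info, type, 0))]` attribute also now depends on `_ndr_size_PAC_INFO` being non-static (see the ndr_krb5pac.c hunk), so the generated code needs a visible prototype; none is added in the portion of the patch shown here.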
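Review bot: The comment added to netr_SamInfo3 in the netlogon.idl hunk is hard to parse ("Should pointer values be allocated of sids[*].sid before the following ones?") and leaves open whether it records an open question or known wire behaviour. Suggest rewording it as a statement, e.g. "On ndr_push the unique pointer values for sids[*].sid must be assigned before those of the following fields; this is at least what PAC_LOGON_INFO blobs from Windows look like", and saying explicitly that this differs from the generated push order, since that difference is the whole reason the comment exists.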
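Review bot: In ndr_pull_supplementalCredentialsSubBlob (ndr_drsblobs.c hunk) the guard before `ndr_pull_uint16(ndr, NDR_SCALARS, &r->num_packages)` is `if (remaining > 0)`, while the signature guard just above uses `if (remaining >= 2)`. With exactly one trailing byte the uint16 pull fails with a buffer-size error instead of taking the `r->num_packages = 0` branch, so a truncated blob is rejected where the surrounding code clearly intends to tolerate it; use `if (remaining >= 2)` for both. Separately, the pull accepts any `signature` value while ndr_push_supplementalCredentialsSubBlob unconditionally writes SUPPLEMENTAL_CREDENTIALS_PREFIX and SUPPLEMENTAL_CREDENTIALS_SIGNATURE regardless of `r->prefix`/`r->signature` (and emits nothing at all for a non-matching signature with zero packages), so a pull→push round trip of a "strange" blob is not byte-identical. If normalising on write is the intent, a one-line comment in the push function would save the next reader of the validate tests some head-scratching.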
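Review bot: The first ndr_krb5pac.c hunk drops `static` from `_ndr_size_PAC_INFO` so that generated code can call it, but no declaration is added anywhere in the visible patch; without a prototype in a header the build will warn under -Wmissing-prototypes, and the IDL `[value(...)]` attribute that now references it (krb5pac.idl hunk) will not compile cleanly. The two `return NDR_ROUND(s,8);` cases for PAC_TYPE_LOGON_INFO and PAC_TYPE_UPN_DNS_INFO could also be collapsed into one fallthrough.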
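Review bot: In ndr_push_PAC_BUFFER (second ndr_krb5pac.c hunk) the inner subcontext is ended with `_ndr_size`, but `_ndr_size_PAC_INFO` already returns `NDR_ROUND(s,8)` for PAC_TYPE_LOGON_INFO and PAC_TYPE_UPN_DNS_INFO, so for those two types the inner and outer sizes are identical and any zero padding lands inside the inner subcontext, i.e. inside the bytes covered by the on-wire `_ndr_size`; only the remaining types get their padding in the outer `NDR_ROUND(_ndr_size, 8)` subcontext. That is presumably what the captured Windows blobs require, but it is subtle enough to deserve a sentence in the comment added to the IDL. The matching change to ndr_pull_PAC_BUFFER is not in the portion shown; it needs the same two-level nesting, otherwise the pull/validate tests will see a subcontext size mismatch.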