The branch, v4-10-test has been updated
       via  b56e010af12 s4/libnet: Fix joining a Windows pre-2008R2 DC
       via  4743188456f vfs:glusterfs_fuse: treat ENOATTR as ENOENT
       via  01a7df07fc9 vfs:glusterfs: treat ENOATTR as ENOENT
       via  27bd08f36bd dsdb: Handle DB corner-case where PSO container doesn't exist
       via  1f0870a7b28 s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()
       via  b7f586ca6c9 s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
       via  e9c23a02470 s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()
       via  58760fe8b72 s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests
       via  4f70d4d76a0 s4 librpc rpc pyrpc: Ensure tevent_context deleted last
       via  4179bdb6f2a s4/pyrpc_util: appropriately decrement refcounts on failure
       via  8128ceceb87 build: Allow build when --disable-gnutls is set
      from  372ee382939 VERSION: Bump version up to 4.10.7...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-test

- Log -----------------------------------------------------------------
commit b56e010af12908e4291231172eb67306e14de9a6
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Mon Jul 1 17:06:31 2019 +1200

    s4/libnet: Fix joining a Windows pre-2008R2 DC

    From v4.8 onwards, Samba may not be able to join a DC older than 2008R2
    because the Windows DC doesn't support GET_TGT.

    If the dsdb repl_md code can't resolve a link target it returns an
    error, and the calling code (e.g. drs_util.py) should retry with
    GET_TGT. However, GET_TGT is only supported on Windows 2008R2 and later,
    so if you try to join an earlier Windows DC, the join will throw an
    error that you can't work around.

    We can avoid this problem by setting the same DSDB flag that GET_TGT
    sets to indicate that the link targets are as up-to-date as possible,
    and so there's no point retrying. Missing targets are still logged, so
    this at least allows the admin to fix up any problems after the join
    completed.

    I've only done this for the join case (problems during periodic
    replication are probably still worth escalating to an error).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14021

    RN: From Samba v4.8 onwards, joining a Windows 2003 or 2008 (non-R2) AD
    DC may not have worked. When this problem occurred, the following
    message would be displayed: 'Failed to commit objects: DOS code
    0x000021bf'
    This particular issue has now been resolved. Note that there may still
    be other potential problems that occur when joining an older Windows
    DC.
    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b3a2508f2ad79e2f1007464da7dbe918933038a0)

    Autobuild-User(v4-10-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-10-test): Tue Jul 9 10:31:40 UTC 2019 on sn-devel-144

commit 4743188456f7da4023890d17f699a88780525291
Author: Michael Adam <ob...@samba.org>
Date:   Thu Jun 20 15:14:57 2019 +0200

    vfs:glusterfs_fuse: treat ENOATTR as ENOENT

    The original implementation of the virtual xattr get_real_filename in
    gluster was misusing the ENOENT errno as the authoritative answer that
    the file/dir that we were asking the real filename for does not exist.

    But since the getxattr call is done on the parent directory, this is a
    violation of the getxattr API which uses ENOENT for the case that the
    file/dir that the getxattr call is done against does not exist.

    Now after a recent regression for fuse-mount re-exports due to gluster
    mapping ENOENT to ESTALE in the fuse-bridge, the gluster implementation
    is changed to more correctly return ENOATTR if the requested file does
    not exist.

    This patch changes the glusterfs_fuse vfs module to treat ENOATTR as
    ENOENT to be fully functional again with latest gluster.

    - Without this patch, samba against a new gluster will work correctly,
      but the get_real_filename optimization for a non-existing entry is
      lost.

    - With this patch, Samba will not work correctly any more against very
      old gluster servers: Those (correctly) returned ENOATTR always, which
      Samba originally interpreted as EOPNOTSUPP, triggering the expensive
      directory scan. With this patch, ENOATTR is interpreted as ENOENT,
      the authoritative answer that the requested entry does not exist,
      which is wrong unless it really does not exist.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>

    Autobuild-User(master): Günther Deschner <g...@samba.org>
    Autobuild-Date(master): Fri Jun 28 12:52:03 UTC 2019 on sn-devel-184

    (cherry picked from commit fee8cf326bfe240d3a8720569eab43f474349aff)

commit 01a7df07fc92c8e1d73749585432d5071a6f460a
Author: Michael Adam <ob...@samba.org>
Date:   Thu Jun 20 15:14:57 2019 +0200

    vfs:glusterfs: treat ENOATTR as ENOENT

    The original implementation of the virtual xattr get_real_filename in
    gluster was misusing the ENOENT errno as the authoritative answer that
    the file/dir that we were asking the real filename for does not exist.

    But since the getxattr call is done on the parent directory, this is a
    violation of the getxattr API which uses ENOENT for the case that the
    file/dir that the getxattr call is done against does not exist.

    Now after a recent regression for fuse-mount re-exports due to gluster
    mapping ENOENT to ESTALE in the fuse-bridge, the gluster implementation
    is changed to more correctly return ENOATTR if the requested file does
    not exist.

    This patch changes the glusterfs vfs module to treat ENOATTR as ENOENT
    to be fully functional again with latest gluster.

    - Without this patch, samba against a new gluster will work correctly,
      but the get_real_filename optimization for a non-existing entry is
      lost.

    - With this patch, Samba will not work correctly any more against very
      old gluster servers: Those (correctly) returned ENOATTR always, which
      Samba originally interpreted as EOPNOTSUPP, triggering the expensive
      directory scan. With this patch, ENOATTR is interpreted as ENOENT,
      the authoritative answer that the requested entry does not exist,
      which is wrong unless it really does not exist.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14010
    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Guenther Deschner <g...@samba.org>
    (cherry picked from commit 8899eb21d48b7077328ae560490f9fb9715a6b83)

commit 27bd08f36bda8ab362c7a69a2137734e22a42c48
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Tue Jun 25 10:10:17 2019 +1200

    dsdb: Handle DB corner-case where PSO container doesn't exist

    A 2003 AD DB with functional level set to >= 2008 was non-functional
    due to the PSO checks.

    We already check the functional level is >= 2008 before checking for
    the PSO container. However, users could change their functional level
    without ensuring their DB conforms to the corresponding base schema.

    The objectclass DSDB module should prevent the PSO container from ever
    being deleted. So the only way we should be able to hit this case is
    through upgrading the functional level (but not the underlying schema
    objects). If so, log a low-priority message and continue without
    errors.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14008

    RN: Previously, AD operations such as user authentication could fail
    completely with the message 'Error 32 determining PSOs in system'
    logged on the samba server. This problem would only affect a domain
    that was created using a pre-2008 AD base schema and then had its
    functional level manually raised to 2008 or greater. This issue has
    now been resolved.

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 295bf73e9b24b1f2b4594320a6501dc7410d4b43)

commit 1f0870a7b28c5485e1b8131088ff16fca4d04f15
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon May 27 13:12:14 2019 +0200

    s3:rpc_server:netlogon: simplify AUTH_TYPE_SCHANNEL check in netr_creds_server_step_check()

    The gensec schannel module already asserts that at least
    AUTH_LEVEL_INTEGRITY is used.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit 0b6e37c9e801435e094194dd60d9213b4868c3de)

commit b7f586ca6c996213732ea6574f1dc7ad5915983b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon May 27 12:38:43 2019 +0200

    s3:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

    The domain join with VMWare Horizon Quickprep seems to use
    netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
    (and in addition the NEG_SUPPORTS_AES) just to verify a password.

    Note: NETLOGON_NEG_SCHANNEL is an alias to NEG_AUTHENTICATED_RPC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit fa5215ce5b93fb032df341e718d7011e619f0916)

commit e9c23a024707bb54edcf2b755ed3f27fbc4325f4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon May 27 12:38:43 2019 +0200

    s4:rpc_server:netlogon: don't require NEG_AUTHENTICATED_RPC in netr_ServerAuthenticate*()

    The domain join with VMWare Horizon Quickprep seems to use
    netr_ServerAuthenticate3() with just the NEG_STRONG_KEYS
    (and in addition the NEG_SUPPORTS_AES) just to verify a password.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13464 (maybe)
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13949

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit ead9b93ce5c2c67bbdb778232805d6d9e70112fc)

commit 58760fe8b72e74bb0e62c8d30c7de35bfcfb4055
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Wed May 22 11:43:54 2019 +1200

    s4 librpc rpc pyrpc: Fix flapping dcerpc.bare tests

    Commit d65b7641c84976c543ded8f0de5ab2da3c19b407 had the parameters to
    talloc_reparent reversed. This caused the dcerpc.bare tests to flap.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13932
    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Gary Lockyer <g...@samba.org>
    Autobuild-Date(master): Wed May 22 03:03:43 UTC 2019 on sn-devel-184

    (cherry picked from commit 3e6661fd73bb24ef5700a98f676f1df5eeca408b)

commit 4f70d4d76a02717bc5d73ab51f936b224b8a6394
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Wed May 8 11:30:20 2019 +1200

    s4 librpc rpc pyrpc: Ensure tevent_context deleted last

    Ensure that the tevent_context is deleted after the connection, to
    prevent a use after free.

    Note: Py_DECREF calls dcerpc_interface_dealloc so the
    TALLOC_FREE(ret->mem_ctx) calls in the error paths of
    py_dcerpc_interface_init_helper needed removal.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13932

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d65b7641c84976c543ded8f0de5ab2da3c19b407)

commit 4179bdb6f2aaaa4841f4c3381ad8ac68f17f0eaa
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Thu May 3 09:53:56 2018 +1200

    s4/pyrpc_util: appropriately decrement refcounts on failure

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Noel Power <npo...@samba.org>
    (cherry picked from commit e23b9f88cc1c8a8c8cda07fb25d639218c12d91a)

commit 8128ceceb8702e596183dd509dd6f952a2f4efc2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Mar 20 13:57:50 2019 +1300

    build: Allow build when --disable-gnutls is set

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13844
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Autobuild-User(master): Douglas Bagnall <dbagn...@samba.org> Autobuild-Date(master): Wed Mar 20 05:25:48 UTC 2019 on sn-devel-144 (cherry picked from commit a40b0f452af5f393aa33c9d52673994effd0e31f) ----------------------------------------------------------------------- Summary of changes: lib/mscat/wscript | 6 ++- source3/modules/vfs_glusterfs.c | 2 +- source3/modules/vfs_glusterfs_fuse.c | 2 +- source3/rpc_server/netlogon/srv_netlog_nt.c | 52 ++------------------ source4/dsdb/samdb/ldb_modules/operational.c | 12 +++++ source4/libnet/libnet_vampire.c | 9 ++++ source4/librpc/rpc/pyrpc.c | 15 ++++++ source4/librpc/rpc/pyrpc.h | 1 + source4/librpc/rpc/pyrpc_util.c | 70 ++++++++++++++++----------- source4/rpc_server/netlogon/dcerpc_netlogon.c | 15 ------ 10 files changed, 91 insertions(+), 93 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/mscat/wscript b/lib/mscat/wscript index 7ca9ef567ee..4d1f752a3c1 100644 --- a/lib/mscat/wscript +++ b/lib/mscat/wscript @@ -12,7 +12,11 @@ def configure(conf): if not conf.find_program('asn1Parser', var='ASN1PARSER'): Logs.warn('WARNING: ans1Parser hasn\'t been found! Please install it (e.g. libtasn1-bin)') - conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') + # GnuTLS is currently able to be disabled + if conf.env.enable_gnutls: + conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') + else: + Logs.warn('WARNING: gnutls disabled so dumpmscat will not be built') def build(bld): if (bld.CONFIG_SET('HAVE_LIBTASN1') and diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c index e23a5efe17f..ab0b86caa55 100644 --- a/source3/modules/vfs_glusterfs.c +++ b/source3/modules/vfs_glusterfs.c 
@@ -1465,7 +1465,7 @@ static int vfs_gluster_get_real_filename(struct vfs_handle_struct *handle, GLUSTER_NAME_MAX + 1); if (ret == -1) { if (errno == ENOATTR) { - errno = EOPNOTSUPP; + errno = ENOENT; } return -1; } diff --git a/source3/modules/vfs_glusterfs_fuse.c b/source3/modules/vfs_glusterfs_fuse.c index d92f5e2b08b..51515aa0df4 100644 --- a/source3/modules/vfs_glusterfs_fuse.c +++ b/source3/modules/vfs_glusterfs_fuse.c @@ -45,7 +45,7 @@ static int vfs_gluster_fuse_get_real_filename(struct vfs_handle_struct *handle, ret = getxattr(path, key_buf, val_buf, GLUSTER_NAME_MAX + 1); if (ret == -1) { if (errno == ENOATTR) { - errno = EOPNOTSUPP; + errno = ENOENT; } return -1; } diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 9b9947455ed..d799ba4feef 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -927,7 +927,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, srv_flgs |= NETLOGON_NEG_SUPPORTS_AES; } - if (lp_server_schannel() != false) { + if (in_neg_flags & NETLOGON_NEG_SCHANNEL) { srv_flgs |= NETLOGON_NEG_SCHANNEL; } @@ -968,17 +968,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, goto out; } - if ( (lp_server_schannel() == true) && - ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) { - - /* schannel must be used, but client did not offer it. */ - DEBUG(0,("%s: schannel required but client failed " - "to offer it. Client was %s\n", - fn, r->in.account_name)); - status = NT_STATUS_ACCESS_DENIED; - goto out; - } - status = get_md4pw(&mach_pwd, r->in.account_name, r->in.secure_channel_type, 
@@ -1072,36 +1061,6 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, return _netr_ServerAuthenticate3(p, &a); } -/************************************************************************* - * If schannel is required for this call test that it actually is available. - *************************************************************************/ -static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info, - const char *computer_name, - bool integrity, bool privacy) -{ - if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - if (!privacy && !integrity) { - return NT_STATUS_OK; - } - - if ((!privacy && integrity) && - auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { - return NT_STATUS_OK; - } - - if ((privacy || integrity) && - auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { - return NT_STATUS_OK; - } - } - - /* test didn't pass */ - DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n", - computer_name)); - - return NT_STATUS_ACCESS_DENIED; -} - /************************************************************************* *************************************************************************/ @@ -1121,11 +1080,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, } if (schannel_global_required) { - status = schannel_check_required(&p->auth, - computer_name, - false, false); - if (!NT_STATUS_IS_OK(status)) { - return status; + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("[%s] is not using schannel\n", + computer_name); + return NT_STATUS_ACCESS_DENIED; } } diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 8dad9517ced..86e43e124af 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c 
@@ -994,6 +994,7 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_result *res = NULL; struct ldb_context *ldb = ldb_module_get_ctx(module); + *pso_count = 0; domain_dn = ldb_get_default_basedn(ldb); psc_dn = ldb_dn_new_fmt(mem_ctx, ldb, "CN=Password Settings Container,CN=System,%s", @@ -1007,6 +1008,17 @@ static int get_pso_count(struct ldb_module *module, TALLOC_CTX *mem_ctx, LDB_SCOPE_ONELEVEL, attrs, DSDB_FLAG_NEXT_MODULE, parent, "(objectClass=msDS-PasswordSettings)"); + + /* + * Just ignore PSOs if the container doesn't exist. This is a weird + * corner-case where the AD DB was created from a pre-2008 base schema, + * and then the FL was manually upgraded. + */ + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + DBG_NOTICE("No Password Settings Container exists\n"); + return LDB_SUCCESS; + } + if (ret != LDB_SUCCESS) { return ret; } diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c index 6167493c359..128d237bcd2 100644 --- a/source4/libnet/libnet_vampire.c +++ b/source4/libnet/libnet_vampire.c @@ -660,6 +660,15 @@ WERROR libnet_vampire_cb_store_chunk(void *private_data, return WERR_INVALID_PARAMETER; } + /* + * If the peer DC doesn't support GET_TGT (req v10), then the link + * targets are as up-to-date as they're ever gonna be. (Without this, + * cases where we'd normally retry with GET_TGT cause the join to fail) + */ + if (c->req_level < 10) { + dsdb_repl_flags |= DSDB_REPL_FLAG_TARGETS_UPTODATE; + } + if (req_replica_flags & DRSUAPI_DRS_CRITICAL_ONLY || is_exop) { /* * If we only replicate the critical objects, or this diff --git a/source4/librpc/rpc/pyrpc.c b/source4/librpc/rpc/pyrpc.c index cf2d4c24007..d56eb023d96 100644 --- a/source4/librpc/rpc/pyrpc.c +++ b/source4/librpc/rpc/pyrpc.c 
@@ -281,9 +281,24 @@ static PyMethodDef dcerpc_interface_methods[] = { static void dcerpc_interface_dealloc(PyObject* self) { dcerpc_InterfaceObject *interface = (dcerpc_InterfaceObject *)self; + + struct tevent_context *ev_save = talloc_reparent( + interface->mem_ctx, NULL, interface->ev); + SMB_ASSERT(ev_save != NULL); + interface->binding_handle = NULL; interface->pipe = NULL; + + /* + * Free everything *except* the event context, which must go + * away last + */ TALLOC_FREE(interface->mem_ctx); + + /* + * Now wish a fond goodbye to the event context itself + */ + talloc_unlink(NULL, ev_save); self->ob_type->tp_free(self); } diff --git a/source4/librpc/rpc/pyrpc.h b/source4/librpc/rpc/pyrpc.h index 968bf863c4c..8852def7251 100644 --- a/source4/librpc/rpc/pyrpc.h +++ b/source4/librpc/rpc/pyrpc.h @@ -44,6 +44,7 @@ typedef struct { TALLOC_CTX *mem_ctx; struct dcerpc_pipe *pipe; struct dcerpc_binding_handle *binding_handle; + struct tevent_context *ev; } dcerpc_InterfaceObject; diff --git a/source4/librpc/rpc/pyrpc_util.c b/source4/librpc/rpc/pyrpc_util.c index 3a151e1591f..c8931bf96f0 100644 --- a/source4/librpc/rpc/pyrpc_util.c +++ b/source4/librpc/rpc/pyrpc_util.c @@ -118,6 +118,7 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py ret = PyObject_New(dcerpc_InterfaceObject, type); ret->pipe = NULL; ret->binding_handle = NULL; + ret->ev = NULL; ret->mem_ctx = talloc_new(NULL); if (ret->mem_ctx == NULL) { PyErr_NoMemory(); 
@@ -125,28 +126,27 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py } if (strncmp(binding_string, "irpc:", 5) == 0) { - struct tevent_context *event_ctx; struct loadparm_context *lp_ctx; - event_ctx = s4_event_context_init(ret->mem_ctx); - if (event_ctx == NULL) { + ret->ev = s4_event_context_init(ret->mem_ctx); + if (ret->ev == NULL) { PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } - lp_ctx = lpcfg_from_py_object(event_ctx, py_lp_ctx); + lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx); if (lp_ctx == NULL) { PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } status = pyrpc_irpc_connect(ret->mem_ctx, binding_string+5, table, - event_ctx, lp_ctx, &ret->binding_handle); + ret->ev, lp_ctx, &ret->binding_handle); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } } else if (py_basis != Py_None) { @@ -156,20 +156,23 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py py_base = PyImport_ImportModule("samba.dcerpc.base"); if (py_base == NULL) { - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } ClientConnection_Type = (PyTypeObject *)PyObject_GetAttrString(py_base, "ClientConnection"); if (ClientConnection_Type == NULL) { PyErr_SetNone(PyExc_TypeError); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); + Py_DECREF(py_base); return NULL; } if (!PyObject_TypeCheck(py_basis, ClientConnection_Type)) { PyErr_SetString(PyExc_TypeError, "basis_connection must be a DCE/RPC connection"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); return NULL; } 
@@ -177,56 +180,66 @@ PyObject *py_dcerpc_interface_init_helper(PyTypeObject *type, PyObject *args, Py ((dcerpc_InterfaceObject *)py_basis)->pipe); if (base_pipe == NULL) { PyErr_NoMemory(); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); + return NULL; + } + + ret->ev = talloc_reference( + ret->mem_ctx, + ((dcerpc_InterfaceObject *)py_basis)->ev); + if (ret->ev == NULL) { + PyErr_NoMemory(); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); return NULL; } status = dcerpc_secondary_context(base_pipe, &ret->pipe, table); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); + Py_DECREF(py_base); + Py_DECREF(ClientConnection_Type); return NULL; } ret->pipe = talloc_steal(ret->mem_ctx, ret->pipe); + Py_XDECREF(ClientConnection_Type); + Py_XDECREF(py_base); } else { - struct tevent_context *event_ctx; struct loadparm_context *lp_ctx; struct cli_credentials *credentials; - event_ctx = s4_event_context_init(ret->mem_ctx); - if (event_ctx == NULL) { + ret->ev = s4_event_context_init(ret->mem_ctx); + if (ret->ev == NULL) { PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } - lp_ctx = lpcfg_from_py_object(event_ctx, py_lp_ctx); + lp_ctx = lpcfg_from_py_object(ret->ev, py_lp_ctx); if (lp_ctx == NULL) { PyErr_SetString(PyExc_TypeError, "Expected loadparm context"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } credentials = cli_credentials_from_py_object(py_credentials); if (credentials == NULL) { PyErr_SetString(PyExc_TypeError, "Expected credentials"); - TALLOC_FREE(ret->mem_ctx); + Py_DECREF(ret); return NULL; } status = dcerpc_pipe_connect(ret->mem_ctx, &ret->pipe, binding_string, - table, credentials, event_ctx, lp_ctx); + table, credentials, ret->ev, lp_ctx); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); - TALLOC_FREE(ret->mem_ctx); + 
Py_DECREF(ret); return NULL; } - - /* - * the event context is cached under the connection, - * so let it be a child of it. - */ - talloc_steal(ret->pipe->conn, event_ctx); } if (ret->pipe) { @@ -378,6 +391,7 @@ PyObject *py_return_ndr_struct(const char *module_name, const char *type_name, py_type = (PyTypeObject *)PyObject_GetAttrString(module, type_name); if (py_type == NULL) { + Py_DECREF(module); return NULL; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 530350d442a..023adfd99e9 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -144,8 +144,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); bool reject_des_client = !allow_nt4_crypto; bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); - bool reject_none_rpc = (schannel == true); ZERO_STRUCTP(r->out.return_credentials); *r->out.rid = 0; @@ -226,10 +224,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( negotiate_flags = *r->in.negotiate_flags & server_flags; - if (negotiate_flags & NETLOGON_NEG_AUTHENTICATED_RPC) { - reject_none_rpc = false; - } - if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { reject_des_client = false; } @@ -276,15 +270,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( */ *r->out.negotiate_flags = negotiate_flags; - if (reject_none_rpc) { - /* schannel must be used, but client did not offer it. */ - DEBUG(0,("%s: schannel required but client failed " - "to offer it. Client was %s\n", - __func__, - log_escape(mem_ctx, r->in.account_name))); - return NT_STATUS_ACCESS_DENIED; - } - switch (r->in.secure_channel_type) { case SEC_CHAN_WKSTA: case SEC_CHAN_DNS_DOMAIN: -- Samba Shared Repository
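Review bot: in the lib/mscat/wscript hunk, the new comment "GnuTLS is currently able to be disabled" is vague; say what the branch is for, e.g. "# GnuTLS can be turned off at configure time (--disable-gnutls)". Because CHECK_FUNCS_IN for gnutls_pkcs7_get_embedded_data_oid is now skipped in that case, the build() rule that follows (only "bld.CONFIG_SET('HAVE_LIBTASN1') and" is visible here) has to gate on the gnutls check result as well, otherwise dumpmscat is linked against a library the build was told to leave out. The adjacent warning text also misspells the program as "ans1Parser"; worth correcting while this block is being touched.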
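Review bot: in the vfs_glusterfs.c hunk (and its identical twin in vfs_glusterfs_fuse.c), mapping errno == ENOATTR to ENOENT makes a server-side quirk indistinguishable from a genuine missing name: the commit message itself notes that old gluster servers always return ENOATTR, so against them get_real_filename will now report "no such file" for entries that exist, and the caller no longer falls back to the directory scan. Add a comment at the assignment recording the gluster behaviour this relies on, and state the minimum gluster version in the module documentation so an operator can tell a version mismatch from a real missing file.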
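Review bot: in the first srv_netlog_nt.c hunk (_netr_ServerAuthenticate3, line 927), replacing lp_server_schannel() != false with in_neg_flags & NETLOGON_NEG_SCHANNEL changes what the "server schannel" parameter does: the server now only reflects the client's offer rather than forcing NETLOGON_NEG_SCHANNEL into srv_flgs. That is the correct negotiation semantics, but it is a visible behaviour change for the option and should be mentioned in the smb.conf documentation for "server schannel" alongside the release note.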
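Review bot: in the second srv_netlog_nt.c hunk (line 968), removing the NT_STATUS_ACCESS_DENIED block means _netr_ServerAuthenticate3 now succeeds for a client that did not offer NETLOGON_NEG_SCHANNEL even when "server schannel = yes"; the only enforcement still visible in this diff is the schannel_global_required test in netr_creds_server_step_check, which guards the later calls, not the authenticate exchange itself. Add a comment at the removal site naming that function as the enforcement point, and confirm that every operation consuming the credentials established here passes through netr_creds_server_step_check, otherwise a server configured to require schannel could serve an unprotected client.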
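Review bot: in the srv_netlog_nt.c hunk that deletes schannel_check_required and simplifies netr_creds_server_step_check, the auth_level comparisons are dropped on the strength of the commit message's statement that the gensec schannel module asserts at least AUTH_LEVEL_INTEGRITY. The only caller visible here passed integrity=false, privacy=false, so the behaviour is unchanged, but the invariant now lives in another module; a one-line comment above the DCERPC_AUTH_TYPE_SCHANNEL test saying where the integrity requirement is enforced will save the next reader from re-deriving it.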
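Review bot: in the operational.c hunk, returning LDB_SUCCESS with *pso_count = 0 when the Password Settings Container is missing means fine-grained password policy is silently not applied and the domain default policy is used instead; DBG_NOTICE is easy to miss for a state where the functional level promises PSOs. Consider logging this at a level an administrator will actually see (or once at startup) so the schema/functional-level mismatch is repaired rather than left in place. The added "*pso_count = 0;" initialisation is needed, since the early return now depends on it.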
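Review bot: in the libnet_vampire.c hunk, the literal 10 in "c->req_level < 10" encodes the GetNCChanges request version at which GET_TGT became available; give it a named constant, or at least spell out in the comment what "(req v10)" refers to. The comment should also say that with DSDB_REPL_FLAG_TARGETS_UPTODATE set, unresolvable link targets are only logged, so an administrator joining an older DC needs to review the join log for them afterwards.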
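Review bot: in the pyrpc.c dcerpc_interface_dealloc hunk, SMB_ASSERT(ev_save != NULL) fires for an interface object whose ev was never assigned: talloc_reparent returns NULL when handed a NULL ptr, and the pyrpc_util.c error paths now call Py_DECREF(ret) in exactly that state (ret->ev is initialised to NULL, and the Py_DECREF(ret) after a failed s4_event_context_init, a failed PyImport_ImportModule, or a failed ClientConnection_Type lookup all run before ret->ev is set). That turns an ordinary error in Python code into a process abort. Guard the reparent/TALLOC_FREE/unlink sequence with "if (interface->ev != NULL)" and keep the assert inside that branch.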
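Review bot: in the pyrpc_util.c hunk at line 177, "ret->ev = talloc_reference(ret->mem_ctx, basis->ev)" ties the secondary interface to its basis's event context through a reference, and dealloc in pyrpc.c then relies on talloc_reparent and talloc_unlink operating on that reference rather than on the context itself. That works, but it is subtle enough to deserve a comment here explaining that only the reference is dropped on dealloc so the basis connection keeps its event context. Minor: the success path uses Py_XDECREF(ClientConnection_Type) and Py_XDECREF(py_base) although both are known non-NULL at that point; plain Py_DECREF makes the intent clearer.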
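Review bot: in the dcerpc_netlogon.c hunks, removing reject_none_rpc leaves nothing in dcesrv_netr_ServerAuthenticate3_helper that enforces "server schannel" for the authenticate exchange; as with the s3 change, the enforcement must now sit in the credentials step check used by the subsequent netlogon calls (not part of this diff). Add a comment at the removal site pointing at that function, so a reader auditing schannel enforcement in the s4 server is not left looking for a check that has moved.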