static bool test_lp_parm_bool(struct torture_context *tctx)
{
struct loadparm_context *lp_ctx = loadparm_init(tctx);
torture_assert(tctx, lpcfg_set_option(lp_ctx, "some:thing=true"), "lpcfg_set_option failed");
torture_assert(tctx, lpcfg_parm_bool(lp_ctx, NULL, "some", "thing", false) == true,
"invalid parametric option");
torture_assert(tctx, lpcfg_parm_bool(lp_ctx, NULL, "some", "bla", true) == true,
"invalid parametric option");
return true;
}
static NTSTATUS mapiproxy_op_connect(struct dcesrv_call_state *dce_call,
const struct ndr_interface_table *table,
const char *binding)
{
NTSTATUS status;
struct dcesrv_mapiproxy_private *private;
const char *user;
const char *pass;
const char *domain;
struct cli_credentials *credentials;
bool acquired_creds = false;
bool machine_account;
OC_DEBUG(5, "mapiproxy::mapiproxy_op_connect");
/* Retrieve the binding string from parametric options if undefined */
if (!binding) {
binding = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "binding");
if (!binding) {
OC_DEBUG(0, "You must specify a DCE/RPC binding string");
return NT_STATUS_INVALID_PARAMETER;
}
}
/* Retrieve parametric options */
machine_account = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "use_machine_account", false);
user = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "username");
pass = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "password");
domain = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "domain");
/* Retrieve private mapiproxy data */
private = dce_call->context->private_data;
static NTSTATUS mapiproxy_server_load(struct dcesrv_context *dce_ctx)
{
NTSTATUS status;
struct mapiproxy_module_list *server;
bool server_mode;
int i;
const char *nspi;
const char *emsmdb;
const char *rfr;
const char *server_name[] = { NDR_EXCHANGE_NSP_NAME,
NDR_EXCHANGE_EMSMDB_NAME,
NDR_EXCHANGE_DS_RFR_NAME, NULL };
/* Check server mode */
server_mode = lpcfg_parm_bool(dce_ctx->lp_ctx, NULL, "dcerpc_mapiproxy", "server", false);
DEBUG(0, ("MAPIPROXY server mode %s\n", (server_mode == false) ? "disabled" : "enabled"));
if (server_mode == true) {
DEBUG(0, ("MAPIPROXY proxy mode disabled\n"));
for (i = 0; server_name[i]; i++) {
server = talloc_zero(dce_ctx, struct mapiproxy_module_list);
server->module = mapiproxy_server_bystatus(server_name[i], MAPIPROXY_DEFAULT);
if (server->module) {
DLIST_ADD_END(server_list, server, struct mapiproxy_module_list *);
} else {
DEBUG(0, ("MAPIPROXY ERROR: couldn't load server '%s'\n", server_name[i]));
}
}
}
int samba_ldb_connect(struct ldb_context *ldb, struct loadparm_context *lp_ctx,
const char *url, unsigned int flags)
{
int ret;
char *real_url = NULL;
/* allow admins to force non-sync ldb for all databases */
if (lpcfg_parm_bool(lp_ctx, NULL, "ldb", "nosync", false)) {
flags |= LDB_FLG_NOSYNC;
}
if (DEBUGLVL(10)) {
flags |= LDB_FLG_ENABLE_TRACING;
}
real_url = lpcfg_private_path(ldb, lp_ctx, url);
if (real_url == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_connect(ldb, real_url, flags, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
/* setup for leak detection */
ldb_set_opaque(ldb, "wrap_url", real_url);
return LDB_SUCCESS;
}
/*
drsuapi_DsReplicaGetInfo
*/
static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct drsuapi_DsReplicaGetInfo *r)
{
enum security_user_level level;
if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
"drs", "disable_sec_check", false)) {
level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
if (level < SECURITY_DOMAIN_CONTROLLER) {
DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
security_token_debug(0, 2, dce_call->conn->auth_state.session_info->security_token);
return WERR_DS_DRA_ACCESS_DENIED;
}
}
dcesrv_irpc_forward_rpc_call(dce_call, mem_ctx, r, NDR_DRSUAPI_DSREPLICAGETINFO,
&ndr_table_drsuapi, "kccsrv", "DsReplicaGetInfo",
IRPC_CALL_TIMEOUT);
return WERR_OK;
}
/*
connect to the sam database
*/
NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
{
conn->ldb = samdb_connect(conn,
conn->connection->event.ctx,
conn->lp_ctx,
conn->session_info,
conn->global_catalog ? LDB_FLG_RDONLY : 0);
if (conn->ldb == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (conn->server_credentials) {
char **sasl_mechs = NULL;
const struct gensec_security_ops * const *backends = gensec_security_all();
const struct gensec_security_ops **ops
= gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
unsigned int i, j = 0;
for (i = 0; ops && ops[i]; i++) {
if (!lpcfg_parm_bool(conn->lp_ctx, NULL, "gensec", ops[i]->name, ops[i]->enabled))
continue;
if (ops[i]->sasl_name && ops[i]->server_start) {
char *sasl_name = talloc_strdup(conn, ops[i]->sasl_name);
if (!sasl_name) {
return NT_STATUS_NO_MEMORY;
}
sasl_mechs = talloc_realloc(conn, sasl_mechs, char *, j + 2);
if (!sasl_mechs) {
return NT_STATUS_NO_MEMORY;
}
sasl_mechs[j] = sasl_name;
talloc_steal(sasl_mechs, sasl_name);
sasl_mechs[j+1] = NULL;
j++;
}
}
/**
load the list of network interfaces
**/
void load_interface_list(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct interface **local_interfaces)
{
const char **ptr = lpcfg_interfaces(lp_ctx);
int i;
struct iface_struct *ifaces;
int total_probed;
bool enable_ipv6 = lpcfg_parm_bool(lp_ctx, NULL, "ipv6", "enable", true);
*local_interfaces = NULL;
/* probe the kernel for interfaces */
total_probed = get_interfaces(mem_ctx, &ifaces);
/* if we don't have a interfaces line then use all interfaces
except loopback */
if (!ptr || !*ptr || !**ptr) {
if (total_probed <= 0) {
DEBUG(0,("ERROR: Could not determine network interfaces, you must use a interfaces config line\n"));
}
for (i=0; i<total_probed; i++) {
if (!is_loopback_addr((struct sockaddr *)&ifaces[i].ip)) {
add_interface(mem_ctx, &ifaces[i], local_interfaces, enable_ipv6);
}
}
}
while (ptr && *ptr) {
interpret_interface(mem_ctx, *ptr, ifaces, total_probed, local_interfaces, enable_ipv6);
ptr++;
}
if (!*local_interfaces) {
DEBUG(0,("WARNING: no network interfaces found\n"));
}
talloc_free(ifaces);
}
/*
query a name
*/
static void nbtd_winsserver_query(struct loadparm_context *lp_ctx,
struct nbt_name_socket *nbtsock,
struct nbt_name_packet *packet,
struct socket_address *src)
{
NTSTATUS status;
struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private_data,
struct nbtd_interface);
struct wins_server *winssrv = iface->nbtsrv->winssrv;
struct nbt_name *name = &packet->questions[0].name;
struct winsdb_record *rec;
struct winsdb_record *rec_1b = NULL;
const char **addresses;
const char **addresses_1b = NULL;
uint16_t nb_flags = 0;
if (name->type == NBT_NAME_MASTER) {
goto notfound;
}
/*
* w2k3 returns the first address of the 0x1B record as first address
* to a 0x1C query
*
* since Windows 2000 Service Pack 2 there's on option to trigger this behavior:
*
* HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\WINS\Parameters\Prepend1BTo1CQueries
* Typ: Daten REG_DWORD
* Value: 0 = deactivated, 1 = activated
*/
if (name->type == NBT_NAME_LOGON &&
lpcfg_parm_bool(lp_ctx, NULL, "nbtd", "wins_prepend1Bto1Cqueries", true)) {
struct nbt_name name_1b;
name_1b = *name;
name_1b.type = NBT_NAME_PDC;
status = winsdb_lookup(winssrv->wins_db, &name_1b, packet, &rec_1b);
if (NT_STATUS_IS_OK(status)) {
addresses_1b = winsdb_addr_string_list(packet, rec_1b->addresses);
}
}
status = winsdb_lookup(winssrv->wins_db, name, packet, &rec);
if (!NT_STATUS_IS_OK(status)) {
if (!lpcfg_wins_dns_proxy(lp_ctx)) {
goto notfound;
}
if (name->type != NBT_NAME_CLIENT && name->type != NBT_NAME_SERVER) {
goto notfound;
}
nbtd_wins_dns_proxy_query(nbtsock, packet, src);
return;
}
/*
* for group's we always reply with
* 255.255.255.255 as address, even if
* the record is released or tombstoned
*/
if (rec->type == WREPL_TYPE_GROUP) {
addresses = str_list_add(NULL, "255.255.255.255");
talloc_steal(packet, addresses);
if (!addresses) {
goto notfound;
}
nb_flags |= NBT_NM_GROUP;
goto found;
}
if (rec->state != WREPL_STATE_ACTIVE) {
goto notfound;
}
addresses = winsdb_addr_string_list(packet, rec->addresses);
if (!addresses) {
goto notfound;
}
/*
* if addresses_1b isn't NULL, we have a 0x1C query and need to return the
* first 0x1B address as first address
*/
if (addresses_1b && addresses_1b[0]) {
const char **addresses_1c = addresses;
uint32_t i;
uint32_t num_addrs;
addresses = str_list_add(NULL, addresses_1b[0]);
if (!addresses) {
goto notfound;
}
talloc_steal(packet, addresses);
num_addrs = 1;
for (i=0; addresses_1c[i]; i++) {
if (strcmp(addresses_1b[0], addresses_1c[i]) == 0) continue;
/*
* stop when we already have 25 addresses
*/
if (num_addrs >= 25) break;
num_addrs++;
addresses = str_list_add(addresses, addresses_1c[i]);
if (!addresses) {
goto notfound;
}
}
}
if (rec->type == WREPL_TYPE_SGROUP) {
nb_flags |= NBT_NM_GROUP;
} else {
nb_flags |= (rec->node <<13);
}
/*
* since Windows 2000 Service Pack 2 there's on option to trigger this behavior:
*
* HKEY_LOCAL_MACHINE\System\CurrentControlset\Services\WINS\Parameters\Randomize1CList
* Typ: Daten REG_DWORD
* Value: 0 = deactivated, 1 = activated
*/
if (name->type == NBT_NAME_LOGON &&
lpcfg_parm_bool(lp_ctx, NULL, "nbtd", "wins_randomize1Clist", false)) {
nbtd_wins_randomize1Clist(lp_ctx, addresses, src);
}
found:
nbtd_name_query_reply(nbtsock, packet, src, name,
0, nb_flags, addresses);
return;
notfound:
nbtd_negative_name_query_reply(nbtsock, packet, src);
}
static int cli_credentials_new_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **_ccc,
const char **error_string)
{
bool must_free_cc_name = false;
krb5_error_code ret;
struct ccache_container *ccc = talloc(cred, struct ccache_container);
if (!ccc) {
return ENOMEM;
}
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
(*error_string) = talloc_asprintf(cred, "Failed to get krb5_context: %s",
error_message(ret));
return ret;
}
if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
talloc_free(ccc);
(*error_string) = strerror(ENOMEM);
return ENOMEM;
}
if (!ccache_name) {
must_free_cc_name = true;
if (lpcfg_parm_bool(lp_ctx, NULL, "credentials", "krb5_cc_file", false)) {
ccache_name = talloc_asprintf(ccc, "FILE:/tmp/krb5_cc_samba_%u_%p",
(unsigned int)getpid(), ccc);
} else {
ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
ccc);
}
if (!ccache_name) {
talloc_free(ccc);
(*error_string) = strerror(ENOMEM);
return ENOMEM;
}
}
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
&ccc->ccache);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to resolve a krb5 ccache (%s): %s\n",
ccache_name,
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
ret, ccc));
talloc_free(ccache_name);
talloc_free(ccc);
return ret;
}
if (strncasecmp(ccache_name, "MEMORY:", 7) == 0) {
talloc_set_destructor(ccc, free_mccache);
} else {
talloc_set_destructor(ccc, free_dccache);
}
if (must_free_cc_name) {
talloc_free(ccache_name);
}
*_ccc = ccc;
return 0;
}
bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
{
return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
}
bool torture_setting_bool(struct torture_context *test, const char *name,
bool default_value)
{
return lpcfg_parm_bool(test->lp_ctx, NULL, "torture", name, default_value);
}
/*
add any auth information needed in a bind ack, and process the authentication
information found in the bind.
*/
NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
bool want_header_signing = false;
if (!call->conn->auth_state.gensec_security) {
return NT_STATUS_OK;
}
if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
dce_conn->auth_state.client_hdr_signing = true;
want_header_signing = true;
}
if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
want_header_signing = false;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
call, call->event_ctx,
dce_conn->auth_state.auth_info->credentials,
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return status;
}
if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER))
{
want_header_signing = false;
}
if (want_header_signing) {
gensec_want_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
dce_conn->auth_state.hdr_signing = true;
pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
/* Now that we are authenticated, go back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER))
{
want_header_signing = false;
}
if (want_header_signing) {
gensec_want_feature(dce_conn->auth_state.gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
dce_conn->auth_state.hdr_signing = true;
pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
}
return NT_STATUS_OK;
} else {
DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
nt_errstr(status)));
return status;
}
}
/*
main server.
*/
static int binary_smbd_main(const char *binary_name, int argc, const char *argv[])
{
bool opt_daemon = false;
bool opt_interactive = false;
int opt;
poptContext pc;
#define _MODULE_PROTO(init) extern NTSTATUS init(void);
STATIC_service_MODULES_PROTO;
init_module_fn static_init[] = { STATIC_service_MODULES };
init_module_fn *shared_init;
struct tevent_context *event_ctx;
uint16_t stdin_event_flags;
NTSTATUS status;
const char *model = "standard";
int max_runtime = 0;
enum {
OPT_DAEMON = 1000,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
OPT_SHOW_BUILD
};
struct poptOption long_options[] = {
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
"Become a daemon (default)", NULL },
{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
"Run interactive (not a daemon)", NULL},
{"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL,
"Select process model", "MODEL"},
{"maximum-runtime",0, POPT_ARG_INT, &max_runtime, 0,
"set maximum runtime of the server process, till autotermination", "seconds"},
{"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD, "show build info", NULL },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }
};
pc = poptGetContext(binary_name, argc, argv, long_options, 0);
while((opt = poptGetNextOpt(pc)) != -1) {
switch(opt) {
case OPT_DAEMON:
opt_daemon = true;
break;
case OPT_INTERACTIVE:
opt_interactive = true;
break;
case OPT_PROCESS_MODEL:
model = poptGetOptArg(pc);
break;
case OPT_SHOW_BUILD:
show_build();
break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
poptPrintUsage(pc, stderr, 0);
return 1;
}
}
if (opt_daemon && opt_interactive) {
fprintf(stderr,"\nERROR: "
"Option -i|--interactive is not allowed together with -D|--daemon\n\n");
poptPrintUsage(pc, stderr, 0);
return 1;
} else if (!opt_interactive) {
/* default is --daemon */
opt_daemon = true;
}
poptFreeContext(pc);
setup_logging(binary_name, opt_interactive?DEBUG_STDOUT:DEBUG_FILE);
setup_signals();
/* we want total control over the permissions on created files,
so set our umask to 0 */
umask(0);
DEBUG(0,("%s version %s started.\n", binary_name, SAMBA_VERSION_STRING));
DEBUGADD(0,("Copyright Andrew Tridgell and the Samba Team 1992-2013\n"));
if (sizeof(uint16_t) < 2 || sizeof(uint32_t) < 4 || sizeof(uint64_t) < 8) {
DEBUG(0,("ERROR: Samba is not configured correctly for the word size on your machine\n"));
DEBUGADD(0,("sizeof(uint16_t) = %u, sizeof(uint32_t) %u, sizeof(uint64_t) = %u\n",
(unsigned int)sizeof(uint16_t), (unsigned int)sizeof(uint32_t), (unsigned int)sizeof(uint64_t)));
return 1;
}
if (opt_daemon) {
DEBUG(3,("Becoming a daemon.\n"));
become_daemon(true, false, false);
}
cleanup_tmp_files(cmdline_lp_ctx);
if (!directory_exist(lpcfg_lockdir(cmdline_lp_ctx))) {
mkdir(lpcfg_lockdir(cmdline_lp_ctx), 0755);
}
pidfile_create(lpcfg_piddir(cmdline_lp_ctx), binary_name);
/* Set up a database to hold a random seed, in case we don't
* have /dev/urandom */
if (!randseed_init(talloc_autofree_context(), cmdline_lp_ctx)) {
return 1;
}
if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
exit(1);
}
}
gensec_init(); /* FIXME: */
ntptr_init(); /* FIXME: maybe run this in the initialization function
of the spoolss RPC server instead? */
ntvfs_init(cmdline_lp_ctx); /* FIXME: maybe run this in the initialization functions
of the SMB[,2] server instead? */
process_model_init(cmdline_lp_ctx);
shared_init = load_samba_modules(NULL, "service");
run_init_functions(static_init);
run_init_functions(shared_init);
talloc_free(shared_init);
/* the event context is the top level structure in smbd. Everything else
should hang off that */
event_ctx = s4_event_context_init(talloc_autofree_context());
if (event_ctx == NULL) {
DEBUG(0,("Initializing event context failed\n"));
return 1;
}
if (opt_interactive) {
/* terminate when stdin goes away */
stdin_event_flags = TEVENT_FD_READ;
} else {
/* stay alive forever */
stdin_event_flags = 0;
}
/* catch EOF on stdin */
#ifdef SIGTTIN
signal(SIGTTIN, SIG_IGN);
#endif
tevent_add_fd(event_ctx, event_ctx, 0, stdin_event_flags,
server_stdin_handler,
discard_const(binary_name));
if (max_runtime) {
DEBUG(0,("Called with maxruntime %d - current ts %llu\n",
max_runtime, (unsigned long long) time(NULL)));
tevent_add_timer(event_ctx, event_ctx,
timeval_current_ofs(max_runtime, 0),
max_runtime_handler,
discard_const(binary_name));
}
if (lpcfg_server_role(cmdline_lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC
&& !lpcfg_parm_bool(cmdline_lp_ctx, NULL, "server role check", "inhibit", false)
&& !str_list_check_ci(lpcfg_server_services(cmdline_lp_ctx), "smb")
&& !str_list_check_ci(lpcfg_dcerpc_endpoint_servers(cmdline_lp_ctx), "remote")
&& !str_list_check_ci(lpcfg_dcerpc_endpoint_servers(cmdline_lp_ctx), "mapiproxy")) {
DEBUG(0, ("At this time the 'samba' binary should only be used for either:\n"));
DEBUGADD(0, ("'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'\n"));
DEBUGADD(0, ("You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks\n"));
exit(1);
};
prime_ldb_databases(event_ctx);
status = setup_parent_messaging(event_ctx, cmdline_lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to setup parent messaging - %s\n", nt_errstr(status)));
return 1;
}
DEBUG(0,("%s: using '%s' process model\n", binary_name, model));
status = server_service_startup(event_ctx, cmdline_lp_ctx, model,
lpcfg_server_services(cmdline_lp_ctx));
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Starting Services failed - %s\n", nt_errstr(status)));
return 1;
}
/* wait for events - this is where smbd sits for most of its
life */
tevent_loop_wait(event_ctx);
/* as everything hangs off this event context, freeing it
should initiate a clean shutdown of all services */
talloc_free(event_ctx);
return 0;
}
int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
struct ldb_result *schema_res,
struct ldb_result *attrs_class_res,
struct dsdb_schema **schema_out,
char **error_string)
{
WERROR status;
const struct ldb_val *prefix_val;
const struct ldb_val *info_val;
struct ldb_val info_val_default;
struct dsdb_schema *schema;
struct loadparm_context *lp_ctx = NULL;
int ret;
schema = dsdb_new_schema(mem_ctx);
if (!schema) {
dsdb_oom(error_string, mem_ctx);
return ldb_operr(ldb);
}
schema->base_dn = talloc_steal(schema, schema_res->msgs[0]->dn);
prefix_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "prefixMap");
if (!prefix_val) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: no prefixMap attribute found");
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
info_val = ldb_msg_find_ldb_val(schema_res->msgs[0], "schemaInfo");
if (!info_val) {
status = dsdb_schema_info_blob_new(mem_ctx, &info_val_default);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: dsdb_schema_info_blob_new() failed - %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return ldb_operr(ldb);
}
info_val = &info_val_default;
}
status = dsdb_load_oid_mappings_ldb(schema, prefix_val, info_val);
if (!W_ERROR_IS_OK(status)) {
*error_string = talloc_asprintf(mem_ctx,
"schema_fsmo_init: failed to load oid mappings: %s",
win_errstr(status));
DEBUG(0,(__location__ ": %s\n", *error_string));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
ret = dsdb_load_ldb_results_into_schema(mem_ctx, ldb, schema, attrs_class_res, error_string);
if (ret != LDB_SUCCESS) {
return ret;
}
schema->fsmo.master_dn = ldb_msg_find_attr_as_dn(ldb, schema, schema_res->msgs[0], "fSMORoleOwner");
if (ldb_dn_compare(samdb_ntds_settings_dn(ldb), schema->fsmo.master_dn) == 0) {
schema->fsmo.we_are_master = true;
} else {
schema->fsmo.we_are_master = false;
}
lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
struct loadparm_context);
if (lp_ctx) {
bool allowed = lpcfg_parm_bool(lp_ctx, NULL,
"dsdb", "schema update allowed",
false);
schema->fsmo.update_allowed = allowed;
} else {
schema->fsmo.update_allowed = false;
}
DEBUG(5, ("schema_fsmo_init: we are master[%s] updates allowed[%s]\n",
(schema->fsmo.we_are_master?"yes":"no"),
(schema->fsmo.update_allowed?"yes":"no")));
*schema_out = schema;
return LDB_SUCCESS;
}
bool torture_net_become_dc(struct torture_context *torture)
{
bool ret = true;
NTSTATUS status;
struct libnet_BecomeDC b;
struct libnet_UnbecomeDC u;
struct libnet_vampire_cb_state *s;
struct ldb_message *msg;
int ldb_ret;
uint32_t i;
char *private_dir;
const char *address;
struct nbt_name name;
const char *netbios_name;
struct cli_credentials *machine_account;
struct test_join *tj;
struct loadparm_context *lp_ctx;
struct ldb_context *ldb;
struct libnet_context *ctx;
struct dsdb_schema *schema;
char *location = NULL;
torture_assert_ntstatus_ok(torture, torture_temp_dir(torture, "libnet_BecomeDC", &location),
"torture_temp_dir should return NT_STATUS_OK" );
netbios_name = lpcfg_parm_string(torture->lp_ctx, NULL, "become dc", "smbtorture dc");
if (!netbios_name || !netbios_name[0]) {
netbios_name = "smbtorturedc";
}
make_nbt_name_server(&name, torture_setting_string(torture, "host", NULL));
/* do an initial name resolution to find its IP */
status = resolve_name_ex(lpcfg_resolve_context(torture->lp_ctx),
0, 0,
&name, torture, &address, torture->ev);
torture_assert_ntstatus_ok(torture, status, talloc_asprintf(torture,
"Failed to resolve %s - %s\n",
name.name, nt_errstr(status)));
/* Join domain as a member server. */
tj = torture_join_domain(torture, netbios_name,
ACB_WSTRUST,
&machine_account);
torture_assert(torture, tj, talloc_asprintf(torture,
"%s failed to join domain as workstation\n",
netbios_name));
s = libnet_vampire_cb_state_init(torture, torture->lp_ctx, torture->ev,
netbios_name,
torture_join_dom_netbios_name(tj),
torture_join_dom_dns_name(tj),
location);
torture_assert(torture, s, "libnet_vampire_cb_state_init");
ctx = libnet_context_init(torture->ev, torture->lp_ctx);
ctx->cred = cmdline_credentials;
ZERO_STRUCT(b);
b.in.domain_dns_name = torture_join_dom_dns_name(tj);
b.in.domain_netbios_name = torture_join_dom_netbios_name(tj);
b.in.domain_sid = torture_join_sid(tj);
b.in.source_dsa_address = address;
b.in.dest_dsa_netbios_name = netbios_name;
b.in.callbacks.private_data = s;
b.in.callbacks.check_options = libnet_vampire_cb_check_options;
b.in.callbacks.prepare_db = libnet_vampire_cb_prepare_db;
b.in.callbacks.schema_chunk = libnet_vampire_cb_schema_chunk;
b.in.callbacks.config_chunk = libnet_vampire_cb_store_chunk;
b.in.callbacks.domain_chunk = libnet_vampire_cb_store_chunk;
status = libnet_BecomeDC(ctx, s, &b);
torture_assert_ntstatus_ok_goto(torture, status, ret, cleanup, talloc_asprintf(torture,
"libnet_BecomeDC() failed - %s %s\n",
nt_errstr(status), b.out.error_string));
ldb = libnet_vampire_cb_ldb(s);
msg = ldb_msg_new(s);
torture_assert_int_equal_goto(torture, (msg?1:0), 1, ret, cleanup,
"ldb_msg_new() failed\n");
msg->dn = ldb_dn_new(msg, ldb, "@ROOTDSE");
torture_assert_int_equal_goto(torture, (msg->dn?1:0), 1, ret, cleanup,
"ldb_msg_new(@ROOTDSE) failed\n");
ldb_ret = ldb_msg_add_string(msg, "isSynchronized", "TRUE");
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_msg_add_string(msg, isSynchronized, TRUE) failed\n");
for (i=0; i < msg->num_elements; i++) {
msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
}
torture_comment(torture, "mark ROOTDSE with isSynchronized=TRUE\n");
ldb_ret = ldb_modify(libnet_vampire_cb_ldb(s), msg);
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_modify() failed\n");
/* commit the transaction now we know the secrets were written
* out properly
*/
ldb_ret = ldb_transaction_commit(ldb);
torture_assert_int_equal_goto(torture, ldb_ret, LDB_SUCCESS, ret, cleanup,
"ldb_transaction_commit() failed\n");
/* reopen the ldb */
talloc_unlink(s, ldb);
lp_ctx = libnet_vampire_cb_lp_ctx(s);
private_dir = talloc_asprintf(s, "%s/%s", location, "private");
lpcfg_set_cmdline(lp_ctx, "private dir", private_dir);
torture_comment(torture, "Reopen the SAM LDB with system credentials and all replicated data: %s\n", private_dir);
ldb = samdb_connect(s, torture->ev, lp_ctx, system_session(lp_ctx), 0);
torture_assert_goto(torture, ldb != NULL, ret, cleanup,
talloc_asprintf(torture,
"Failed to open '%s/sam.ldb'\n", private_dir));
torture_assert_goto(torture, dsdb_uses_global_schema(ldb), ret, cleanup,
"Uses global schema");
schema = dsdb_get_schema(ldb, s);
torture_assert_goto(torture, schema != NULL, ret, cleanup,
"Failed to get loaded dsdb_schema\n");
/* Make sure we get this from the command line */
if (lpcfg_parm_bool(torture->lp_ctx, NULL, "become dc", "do not unjoin", false)) {
talloc_free(s);
return ret;
}
cleanup:
ZERO_STRUCT(u);
u.in.domain_dns_name = torture_join_dom_dns_name(tj);
u.in.domain_netbios_name = torture_join_dom_netbios_name(tj);
u.in.source_dsa_address = address;
u.in.dest_dsa_netbios_name = netbios_name;
status = libnet_UnbecomeDC(ctx, s, &u);
torture_assert_ntstatus_ok(torture, status, talloc_asprintf(torture,
"libnet_UnbecomeDC() failed - %s %s\n",
nt_errstr(status), u.out.error_string));
/* Leave domain. */
torture_leave_domain(torture, tj);
talloc_free(s);
return ret;
}
/*
startup the kcc service task
*/
static void kccsrv_task_init(struct task_server *task)
{
WERROR status;
struct kccsrv_service *service;
uint32_t periodic_startup_interval;
switch (lpcfg_server_role(task->lp_ctx)) {
case ROLE_STANDALONE:
task_server_terminate(task, "kccsrv: no KCC required in standalone configuration", false);
return;
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false);
return;
case ROLE_DOMAIN_CONTROLLER:
/* Yes, we want a KCC */
break;
}
task_server_set_title(task, "task[kccsrv]");
service = talloc_zero(task, struct kccsrv_service);
if (!service) {
task_server_terminate(task, "kccsrv_task_init: out of memory", true);
return;
}
service->task = task;
service->startup_time = timeval_current();
task->private_data = service;
status = kccsrv_init_creds(service);
if (!W_ERROR_IS_OK(status)) {
task_server_terminate(task,
talloc_asprintf(task,
"kccsrv: Failed to obtain server credentials: %s\n",
win_errstr(status)), true);
return;
}
status = kccsrv_connect_samdb(service, task->lp_ctx);
if (!W_ERROR_IS_OK(status)) {
task_server_terminate(task, talloc_asprintf(task,
"kccsrv: Failed to connect to local samdb: %s\n",
win_errstr(status)), true);
return;
}
status = kccsrv_load_partitions(service);
if (!W_ERROR_IS_OK(status)) {
task_server_terminate(task, talloc_asprintf(task,
"kccsrv: Failed to load partitions: %s\n",
win_errstr(status)), true);
return;
}
periodic_startup_interval =
lpcfg_parm_int(task->lp_ctx, NULL, "kccsrv",
"periodic_startup_interval", 15); /* in seconds */
service->periodic.interval =
lpcfg_parm_int(task->lp_ctx, NULL, "kccsrv",
"periodic_interval", 300); /* in seconds */
/* (kccsrv:samba_kcc=true) will run newer samba_kcc replication
* topology generation code.
*/
service->samba_kcc_code = lpcfg_parm_bool(task->lp_ctx, NULL,
"kccsrv", "samba_kcc", false);
status = kccsrv_periodic_schedule(service, periodic_startup_interval);
if (!W_ERROR_IS_OK(status)) {
task_server_terminate(task, talloc_asprintf(task,
"kccsrv: Failed to periodic schedule: %s\n",
win_errstr(status)), true);
return;
}
irpc_add_name(task->msg_ctx, "kccsrv");
IRPC_REGISTER(task->msg_ctx, drsuapi, DRSUAPI_DSEXECUTEKCC, kccsrv_execute_kcc, service);
IRPC_REGISTER(task->msg_ctx, drsuapi, DRSUAPI_DSREPLICAGETINFO, kccsrv_replica_get_info, service);
}
/**
\details exchange_nsp NspiBind (0x0) function, Initiates a NSPI
session with the client.
This function checks if the user is an Exchange user and input
parameters like codepage are valid. If it passes the tests, the
function initializes an emsabp context and returns to the client a
valid policy_handle and expected reply parameters.
\param dce_call pointer to the session context
\param mem_ctx pointer to the memory context
\param r pointer to the NspiBind call structure
\return MAPI_E_SUCCESS on success, otherwise a MAPI error
*/
static void dcesrv_NspiBind(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
struct NspiBind *r)
{
struct GUID *guid = (struct GUID *) NULL;
struct emsabp_context *emsabp_ctx;
struct dcesrv_handle *handle;
struct policy_handle wire_handle;
struct exchange_nsp_session *session;
DEBUG(5, ("exchange_nsp: NspiBind (0x0)\n"));
/* Step 0. Ensure incoming user is authenticated */
if (!dcesrv_call_authenticated(dce_call) && (r->in.dwFlags & fAnonymousLogin)) {
DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
wire_handle.handle_type = EXCHANGE_HANDLE_NSP;
wire_handle.uuid = GUID_zero();
*r->out.handle = wire_handle;
r->out.mapiuid = r->in.mapiuid;
DCESRV_NSP_RETURN(r, MAPI_E_FAILONEPROVIDER, NULL);
}
/* Step 1. Initialize the emsabp context */
emsabp_ctx = emsabp_init(dce_call->conn->dce_ctx->lp_ctx, emsabp_tdb_ctx);
if (!emsabp_ctx) {
OC_ABORT(false, ("[exchange_nsp] Unable to initialize emsabp context"));
wire_handle.handle_type = EXCHANGE_HANDLE_NSP;
wire_handle.uuid = GUID_zero();
*r->out.handle = wire_handle;
r->out.mapiuid = r->in.mapiuid;
DCESRV_NSP_RETURN(r, MAPI_E_FAILONEPROVIDER, NULL);
}
if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
"exchange_nsp", "debug", false)) {
emsabp_enable_debug(emsabp_ctx);
}
/* Step 2. Check if incoming user belongs to the Exchange organization */
if ((emsabp_verify_user(dce_call, emsabp_ctx) == false) && (r->in.dwFlags & fAnonymousLogin)) {
talloc_free(emsabp_ctx);
wire_handle.handle_type = EXCHANGE_HANDLE_NSP;
wire_handle.uuid = GUID_zero();
*r->out.handle = wire_handle;
r->out.mapiuid = r->in.mapiuid;
DCESRV_NSP_RETURN(r, MAPI_E_LOGON_FAILED, emsabp_tdb_ctx);
}
/* Step 3. Check if valid cpID has been supplied */
if (emsabp_verify_codepage(emsabp_ctx, r->in.pStat->CodePage) == false) {
talloc_free(emsabp_ctx);
wire_handle.handle_type = EXCHANGE_HANDLE_NSP;
wire_handle.uuid = GUID_zero();
*r->out.handle = wire_handle;
r->out.mapiuid = r->in.mapiuid;
DCESRV_NSP_RETURN(r, MAPI_E_UNKNOWN_CPID, emsabp_tdb_ctx);
}
/* Step 4. Retrieve OpenChange server GUID */
guid = (struct GUID *) samdb_ntds_objectGUID(emsabp_ctx->samdb_ctx);
if (!guid) {
DCESRV_NSP_RETURN(r, MAPI_E_FAILONEPROVIDER, emsabp_ctx);
}
/* Step 5. Fill NspiBind reply */
handle = dcesrv_handle_new(dce_call->context, EXCHANGE_HANDLE_NSP);
if (!handle) {
DCESRV_NSP_RETURN(r, MAPI_E_NOT_ENOUGH_RESOURCES, emsabp_ctx);
}
handle->data = (void *) emsabp_ctx;
*r->out.handle = handle->wire_handle;
r->out.mapiuid = guid;
/* Search for an existing session and increment ref_count, otherwise create it */
session = dcesrv_find_nsp_session(&handle->wire_handle.uuid);
if (session) {
mpm_session_increment_ref_count(session->session);
DEBUG(5, (" [unexpected]: existing nsp_session: %p; session: %p (ref++)\n", session, session->session));
}
else {
DEBUG(5, ("%s: Creating new session\n", __func__));
/* Step 6. Associate this emsabp context to the session */
session = talloc((TALLOC_CTX *)nsp_session, struct exchange_nsp_session);
if (!session) {
DCESRV_NSP_RETURN(r, MAPI_E_NOT_ENOUGH_RESOURCES, emsabp_ctx);
}
session->session = mpm_session_init((TALLOC_CTX *)nsp_session, dce_call);
if (!session->session) {
DCESRV_NSP_RETURN(r, MAPI_E_NOT_ENOUGH_RESOURCES, emsabp_ctx);
}
session->uuid = handle->wire_handle.uuid;
mpm_session_set_private_data(session->session, (void *) emsabp_ctx);
mpm_session_set_destructor(session->session, emsabp_destructor);
DLIST_ADD_END(nsp_session, session, struct exchange_nsp_session *);
}
DCESRV_NSP_RETURN(r, MAPI_E_SUCCESS, NULL);
}
static NTSTATUS remote_op_bind(struct dcesrv_call_state *dce_call, const struct dcesrv_interface *iface, uint32_t if_version)
{
NTSTATUS status;
const struct ndr_interface_table *table;
struct dcesrv_remote_private *priv;
const char *binding = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "binding");
const char *user, *pass, *domain;
struct cli_credentials *credentials;
bool must_free_credentials = true;
bool machine_account;
struct dcerpc_binding *b;
struct composite_context *pipe_conn_req;
machine_account = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "use_machine_account", false);
priv = talloc(dce_call->conn, struct dcesrv_remote_private);
if (!priv) {
return NT_STATUS_NO_MEMORY;
}
priv->c_pipe = NULL;
dce_call->context->private_data = priv;
if (!binding) {
DEBUG(0,("You must specify a DCE/RPC binding string\n"));
return NT_STATUS_INVALID_PARAMETER;
}
user = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "user");
pass = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dcerpc_remote", "password");
domain = lpcfg_parm_string(dce_call->conn->dce_ctx->lp_ctx, NULL, "dceprc_remote", "domain");
table = ndr_table_by_syntax(&iface->syntax_id);
if (!table) {
dce_call->fault_code = DCERPC_FAULT_UNK_IF;
return NT_STATUS_NET_WRITE_FAULT;
}
if (user && pass) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using specified account\n"));
credentials = cli_credentials_init(priv);
if (!credentials) {
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
} else if (machine_account) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using machine account\n"));
credentials = cli_credentials_init(priv);
cli_credentials_set_conf(credentials, dce_call->conn->dce_ctx->lp_ctx);
if (domain) {
cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
}
status = cli_credentials_set_machine_account(credentials, dce_call->conn->dce_ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
} else if (dce_call->conn->auth_state.session_info->credentials) {
DEBUG(5, ("dcerpc_remote: RPC Proxy: Using delegated credentials\n"));
credentials = dce_call->conn->auth_state.session_info->credentials;
must_free_credentials = false;
} else {
DEBUG(1,("dcerpc_remote: RPC Proxy: You must supply binding, user and password or have delegated credentials\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* parse binding string to the structure */
status = dcerpc_parse_binding(dce_call->context, binding, &b);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to parse dcerpc binding '%s'\n", binding));
return status;
}
/* If we already have a remote association group ID, then use that */
if (dce_call->context->assoc_group->proxied_id != 0) {
status = dcerpc_binding_set_assoc_group_id(b,
dce_call->context->assoc_group->proxied_id);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_binding_set_assoc_group_id() - %s'\n",
nt_errstr(status)));
return status;
}
}
status = dcerpc_binding_set_abstract_syntax(b, &iface->syntax_id);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("dcerpc_binding_set_abstract_syntax() - %s'\n",
nt_errstr(status)));
return status;
}
DEBUG(3, ("Using binding %s\n", dcerpc_binding_string(dce_call->context, b)));
pipe_conn_req = dcerpc_pipe_connect_b_send(dce_call->context, b, table,
credentials, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
status = dcerpc_pipe_connect_b_recv(pipe_conn_req, dce_call->context, &(priv->c_pipe));
if (must_free_credentials) {
talloc_free(credentials);
}
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (dce_call->context->assoc_group->proxied_id == 0) {
dce_call->context->assoc_group->proxied_id =
dcerpc_binding_get_assoc_group_id(priv->c_pipe->binding);
}
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
krb5_context kctx;
#ifdef SAMBA4_USES_HEIMDAL
krb5_log_facility *logf;
#endif
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc_zero(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_init_context_basic(tmp_ctx, lp_ctx, &kctx);
if (ret) {
DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n",
error_message(ret)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->krb5_context = kctx;
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy);
#ifdef SAMBA4_USES_HEIMDAL
/* TODO: Should we have a different name here? */
ret = krb5_initlog(kctx, "Samba", &logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->pvt_log_data = logf;
ret = krb5_addlog_func(kctx, logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper,
smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest(kctx, logf);
/* Set options in kerberos */
krb5_set_dns_canonicalize_hostname(kctx,
lpcfg_parm_bool(lp_ctx, NULL, "krb5",
"set_dns_canonicalize", false));
#endif
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
}
/*
release a name
*/
static void nbtd_winsserver_release(struct nbt_name_socket *nbtsock,
struct nbt_name_packet *packet,
struct socket_address *src)
{
NTSTATUS status;
struct nbtd_interface *iface = talloc_get_type(nbtsock->incoming.private_data,
struct nbtd_interface);
struct wins_server *winssrv = iface->nbtsrv->winssrv;
struct nbt_name *name = &packet->questions[0].name;
struct winsdb_record *rec;
uint32_t modify_flags = 0;
uint8_t ret;
if (name->type == NBT_NAME_MASTER) {
goto done;
}
if (name->scope && strlen(name->scope) > 237) {
goto done;
}
status = winsdb_lookup(winssrv->wins_db, name, packet, &rec);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (rec->is_static) {
if (rec->type == WREPL_TYPE_UNIQUE || rec->type == WREPL_TYPE_MHOMED) {
goto done;
}
nbtd_name_release_reply(nbtsock, packet, src, NBT_RCODE_ACT);
return;
}
if (rec->state != WREPL_STATE_ACTIVE) {
goto done;
}
/*
* TODO: do we need to check if
* src->addr matches packet->additional[0].rdata.netbios.addresses[0].ipaddr
* here?
*/
/*
* we only allow releases from an owner - other releases are
* silently ignored
*/
if (!winsdb_addr_list_check(rec->addresses, src->addr)) {
int i;
DEBUG(4,("WINS: silently ignoring attempted name release on %s from %s\n", nbt_name_string(rec, rec->name), src->addr));
DEBUGADD(4, ("Registered Addresses: \n"));
for (i=0; rec->addresses && rec->addresses[i]; i++) {
DEBUGADD(4, ("%s\n", rec->addresses[i]->address));
}
goto done;
}
DEBUG(4,("WINS: released name %s from %s\n", nbt_name_string(rec, rec->name), src->addr));
switch (rec->type) {
case WREPL_TYPE_UNIQUE:
rec->state = WREPL_STATE_RELEASED;
break;
case WREPL_TYPE_GROUP:
rec->state = WREPL_STATE_RELEASED;
break;
case WREPL_TYPE_SGROUP:
winsdb_addr_list_remove(rec->addresses, src->addr);
/* TODO: do we need to take the ownership here? */
if (winsdb_addr_list_length(rec->addresses) == 0) {
rec->state = WREPL_STATE_RELEASED;
}
break;
case WREPL_TYPE_MHOMED:
winsdb_addr_list_remove(rec->addresses, src->addr);
/* TODO: do we need to take the ownership here? */
if (winsdb_addr_list_length(rec->addresses) == 0) {
rec->state = WREPL_STATE_RELEASED;
}
break;
}
if (rec->state == WREPL_STATE_ACTIVE) {
/*
* If the record is still active, we need to update the
* expire_time.
*
* if we're not the owner, we need to take the ownership.
*/
rec->expire_time= time(NULL) + winssrv->config.max_renew_interval;
if (strcmp(rec->wins_owner, winssrv->wins_db->local_owner) != 0) {
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
}
if (lpcfg_parm_bool(iface->nbtsrv->task->lp_ctx, NULL, "wreplsrv", "propagate name releases", false)) {
/*
* We have an option to propagate every name release,
* this is off by default to match windows servers
*/
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
}
} else if (rec->state == WREPL_STATE_RELEASED) {
/*
* if we're not the owner, we need to take the owner ship
* and make the record tombstone, but expire after
* tombstone_interval + tombstone_timeout and not only after tombstone_timeout
* like for normal tombstone records.
* This is to replicate the record directly to the original owner,
* where the record is still active
*/
if (strcmp(rec->wins_owner, winssrv->wins_db->local_owner) == 0) {
rec->expire_time= time(NULL) + winssrv->config.tombstone_interval;
} else {
rec->state = WREPL_STATE_TOMBSTONE;
rec->expire_time= time(NULL) +
winssrv->config.tombstone_interval +
winssrv->config.tombstone_timeout;
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
}
}
ret = winsdb_modify(winssrv->wins_db, rec, modify_flags);
if (ret != NBT_RCODE_OK) {
DEBUG(1,("WINS: FAILED: released name %s at %s: error:%u\n",
nbt_name_string(rec, rec->name), src->addr, ret));
}
done:
/* we match w2k3 by always giving a positive reply to name releases. */
nbtd_name_release_reply(nbtsock, packet, src, NBT_RCODE_OK);
}
static NTSTATUS wreplsrv_scavenging_owned_records(struct wreplsrv_service *service, TALLOC_CTX *tmp_mem)
{
NTSTATUS status;
struct winsdb_record *rec = NULL;
struct ldb_result *res = NULL;
const char *owner_filter;
const char *filter;
unsigned int i;
int ret;
time_t now = time(NULL);
const char *now_timestr;
const char *action;
const char *old_state=NULL;
const char *new_state=NULL;
uint32_t modify_flags;
bool modify_record;
bool delete_record;
bool delete_tombstones;
struct timeval tombstone_extra_time;
const char *local_owner = service->wins_db->local_owner;
bool propagate = lpcfg_parm_bool(service->task->lp_ctx, NULL, "wreplsrv", "propagate name releases", false);
now_timestr = ldb_timestring(tmp_mem, now);
NT_STATUS_HAVE_NO_MEMORY(now_timestr);
owner_filter = wreplsrv_owner_filter(service, tmp_mem, local_owner);
NT_STATUS_HAVE_NO_MEMORY(owner_filter);
filter = talloc_asprintf(tmp_mem,
"(&%s(objectClass=winsRecord)"
"(expireTime<=%s))",
owner_filter, now_timestr);
NT_STATUS_HAVE_NO_MEMORY(filter);
ret = ldb_search(service->wins_db->ldb, tmp_mem, &res, NULL, LDB_SCOPE_SUBTREE, NULL, "%s", filter);
if (ret != LDB_SUCCESS) return NT_STATUS_INTERNAL_DB_CORRUPTION;
DEBUG(10,("WINS scavenging: filter '%s' count %d\n", filter, res->count));
tombstone_extra_time = timeval_add(&service->startup_time,
service->config.tombstone_extra_timeout,
0);
delete_tombstones = timeval_expired(&tombstone_extra_time);
for (i=0; i < res->count; i++) {
bool has_replicas = false;
/*
* we pass '0' as 'now' here,
* because we want to get the raw timestamps which are in the DB
*/
status = winsdb_record(service->wins_db, res->msgs[i], tmp_mem, 0, &rec);
NT_STATUS_NOT_OK_RETURN(status);
talloc_free(res->msgs[i]);
modify_flags = 0;
modify_record = false;
delete_record = false;
switch (rec->state) {
case WREPL_STATE_ACTIVE:
old_state = "active";
if (rec->is_static) {
/*
*we store it again, so that it won't appear
* in the scavenging the next time
*/
old_state = "active(static)";
new_state = "active(static)";
modify_flags = 0;
modify_record = true;
break;
}
if (rec->type != WREPL_TYPE_SGROUP || !propagate) {
new_state = "released";
rec->state = WREPL_STATE_RELEASED;
rec->expire_time= service->config.tombstone_interval + now;
modify_flags = 0;
modify_record = true;
break;
}
/* check if there's any replica address */
for (i=0;rec->addresses[i];i++) {
if (strcmp(rec->addresses[i]->wins_owner, local_owner) != 0) {
has_replicas = true;
rec->addresses[i]->expire_time= service->config.renew_interval + now;
}
}
if (has_replicas) {
/* if it has replica addresses propagate them */
new_state = "active(propagated)";
rec->state = WREPL_STATE_ACTIVE;
rec->expire_time= service->config.renew_interval + now;
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
modify_record = true;
break;
}
/*
* if it doesn't have replica addresses, make it a tombstone,
* so that the released owned addresses are propagated
*/
new_state = "tombstone";
rec->state = WREPL_STATE_TOMBSTONE;
rec->expire_time= time(NULL) +
service->config.tombstone_interval +
service->config.tombstone_timeout;
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
modify_record = true;
break;
case WREPL_STATE_RELEASED:
old_state = "released";
new_state = "tombstone";
rec->state = WREPL_STATE_TOMBSTONE;
rec->expire_time= service->config.tombstone_timeout + now;
modify_flags = WINSDB_FLAG_ALLOC_VERSION | WINSDB_FLAG_TAKE_OWNERSHIP;
modify_record = true;
break;
case WREPL_STATE_TOMBSTONE:
old_state = "tombstone";
new_state = "tombstone";
if (!delete_tombstones) break;
new_state = "deleted";
delete_record = true;
break;
case WREPL_STATE_RESERVED:
DEBUG(0,("%s: corrupted record: %s\n",
__location__, nbt_name_string(rec, rec->name)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (modify_record) {
action = "modify";
ret = winsdb_modify(service->wins_db, rec, modify_flags);
} else if (delete_record) {
action = "delete";
ret = winsdb_delete(service->wins_db, rec);
} else {
action = "skip";
ret = NBT_RCODE_OK;
}
if (ret != NBT_RCODE_OK) {
DEBUG(2,("WINS scavenging: failed to %s name %s (owned:%s -> owned:%s): error:%u\n",
action, nbt_name_string(rec, rec->name), old_state, new_state, ret));
} else {
DEBUG(4,("WINS scavenging: %s name: %s (owned:%s -> owned:%s)\n",
action, nbt_name_string(rec, rec->name), old_state, new_state));
}
talloc_free(rec);
}
return NT_STATUS_OK;
}
