From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Mon, 10 Feb 2020 19:19:44 +0100 Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Required for working certificate verification. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 Signed-off-by: Björn Baumbach Reviewed-by: Bjoern Jacke Autobuild-User(master): Björn Baumbach Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184 (cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72) --- source3/libads/ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 7ef7e7e8420..b7f819d876b 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -669,7 +669,7 @@ got_connection: /* Otherwise setup the TCP LDAP session */ - ads->ldap.ld = ldap_open_with_timeout(addr, + ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, &ads->ldap.ss, ads->ldap.port, lp_ldap_timeout()); if (ads->ldap.ld == NULL) { -- 2.25.4 From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Wed, 3 Jun 2020 19:40:59 +0200 Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap session if possible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the known ip address of the ldap server to open the connection and initialize the ldap session with ldap_init_fd(). This avoid unnecessary DNS lookups which might block or prevent the successful connection. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 Signed-off-by: Björn Baumbach Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett (cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0) --- source3/libads/ldap.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index b7f819d876b..36e73440495 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -92,7 +92,23 @@ static void gotalarm_sig(int signum) return NULL; } -#ifdef HAVE_LDAP_INITIALIZE +#ifdef HAVE_LDAP_INIT_FD + { + int fd = -1; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + + status = open_socket_out(ss, port, to, &fd); + if (!NT_STATUS_IS_OK(status)) { + return NULL; + } + +/* define LDAP_PROTO_TCP from openldap.h if required */ +#ifndef LDAP_PROTO_TCP +#define LDAP_PROTO_TCP 1 +#endif + ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp); + } +#elif defined(HAVE_LDAP_INITIALIZE) ldap_err = ldap_initialize(&ldp, uri); #else ldp = ldap_open(server, port); -- 2.25.4 From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 29 Jun 2020 16:55:33 +0300 Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider --- selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++ selftest/knownfail.d/net_ads_tls | 1 + source4/selftest/tests.py | 7 ++ testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++ 4 files changed, 94 insertions(+) create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback create mode 100644 selftest/knownfail.d/net_ads_tls create mode 100755 testprogs/blackbox/test_net_ads_base.sh diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback new file mode 100644 index 00000000000..b16a39d134d --- /dev/null +++ b/selftest/knownfail.d/net_ads_ntlm_fallback @@ -0,0 +1,10 @@ +# net-ads commands that fail with: --option=gensec:gse_krb5=no +^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin +^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName +^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN +^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN +^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls new file mode 100644 index 00000000000..251c948b6a9 --- /dev/null +++ b/selftest/knownfail.d/net_ads_tls @@ -0,0 +1 @@ +^samba4.blackbox.net_ads_tls diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 1d965c751a4..a394afa177f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18']) plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) + +for nomech in ["none", "gse_krb5", "ntlmssp"]: + # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS + plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS']) + plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS']) + plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS']) + plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) # json tests hook into ``chgdcpass'' to make them run in contributor CI on # gitlab diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh new file mode 100755 index 00000000000..59e3da67a7f --- /dev/null +++ b/testprogs/blackbox/test_net_ads_base.sh @@ -0,0 +1,76 @@ +#!/bin/sh + +if [ $# -lt 5 ]; then +cat </dev/null | sha1sum | cut -b 1-10` +HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'` +LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'` + +RUNDIR=`pwd` +cd $BASEDIR +WORKDIR=`mktemp -d -p .` +WORKDIR=`basename $WORKDIR` +cp -a client/* $WORKDIR/ +sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf +sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf +sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf +sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf +rm -f $WORKDIR/private/secrets.tdb +cd $RUNDIR + +failed=0 + +export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + +xoptions="" +if [ $TLS_MODE != "no" ]; then + xoptions="--option=ldapsslads=yes" +fi + +if [ $NO_MECH != "none" ]; then + xoptions="$xoptions --option=gensec:$NO_MECH=no" +fi + +if [ $TLS_MODE = "noverify" ]; then + export LDAPTLS_REQCERT=allow +fi + +net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions" + +# Load test functions +. `dirname $0`/subunit.sh + +testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1` + +testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1` + +testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1` + +tls_log="StartTLS issued: using a TLS connection" +opt="-d3 --option=ldapssl=off" +if [ $TLS_MODE != "no" ]; then + testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1` +fi + +testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1` + +testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1` + +testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +rm -rf $BASEDIR/$WORKDIR + +exit $failed -- 2.25.4 From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 24 Jun 2020 15:28:45 +0300 Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider --- WHATSNEW.txt | 6 +++++ docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++---- source3/include/smbldap.h | 1 + source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++ source3/lib/smbldap.c | 19 +++++++++----- source3/libads/ldap.c | 2 +- source3/wscript_build | 2 +- 7 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a5b554fe11f..8935876d247 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -557,6 +557,12 @@ CTDB changes helper exits. This triggers an election. +The "ldap ssl ads" option no longer depends on "ldap ssl" option: +----------------------------------------------------------------- +With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" +is off. + + REMOVED FEATURES ================ diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml index 98c39651f1e..f99afe5bbad 100644 --- a/docs-xml/smbdotconf/ldap/ldapsslads.xml +++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml @@ -7,13 +7,10 @@ This option is used to define whether or not Samba should use SSL when connecting to the ldap server using ads methods. - Rpc methods are not affected by this parameter. Please note, that - this parameter won't have any effect if - is set to no. + Rpc methods are not affected by this parameter. - See smb.conf5 - for more information on . + See also . diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h index 878268aebd6..d063f44afbc 100644 --- a/source3/include/smbldap.h +++ b/source3/include/smbldap.h @@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state, const char *dn, LDAPMod *attrs[]); int smbldap_start_tls(LDAP *ldap_struct, int version); +int smbldap_start_tls_start(LDAP *ldap_struct, int version); int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri); int smbldap_search(struct smbldap_state *ldap_state, const char *base, int scope, const char *filter, diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs new file mode 100644 index 00000000000..67dcc9a8a78 --- /dev/null +++ b/source3/lib/ABI/smbldap-2.1.0.sigs @@ -0,0 +1,33 @@ +smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **) +smbldap_delete: int (struct smbldap_state *, const char *) +smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **) +smbldap_free_struct: void (struct smbldap_state **) +smbldap_get_ldap: LDAP *(struct smbldap_state *) +smbldap_get_paged_results: bool (struct smbldap_state *) +smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int) +smbldap_has_control: bool (LDAP *, const char *) +smbldap_has_extension: bool (LDAP *, const char *) +smbldap_has_naming_context: bool (LDAP *, const char *) +smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **) +smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *) +smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *) +smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **) +smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *) +smbldap_search: int (struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **) +smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **) +smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **) +smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *) +smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *) +smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *) +smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *) +smbldap_set_paged_results: void (struct smbldap_state *, bool) +smbldap_setup_full_conn: int (LDAP **, const char *) +smbldap_start_tls: int (LDAP *, int) +smbldap_start_tls_start: int (LDAP *, int) +smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **) +smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *) +smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *) +smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) +smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) +smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *) +smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c index 34c841f9243..4815dd81fc3 100644 --- a/source3/lib/smbldap.c +++ b/source3/lib/smbldap.c @@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) } /******************************************************************** - start TLS on an existing LDAP connection + start TLS on an existing LDAP connection per config *******************************************************************/ int smbldap_start_tls(LDAP *ldap_struct, int version) -{ -#ifdef LDAP_OPT_X_TLS - int rc,tls; -#endif - +{ if (lp_ldap_ssl() != LDAP_SSL_START_TLS) { return LDAP_SUCCESS; } + return smbldap_start_tls_start(ldap_struct, version); +} + +/******************************************************************** + start TLS on an existing LDAP connection unconditionally +*******************************************************************/ + +int smbldap_start_tls_start(LDAP *ldap_struct, int version) +{ #ifdef LDAP_OPT_X_TLS + int rc,tls; + /* check if we use ldaps already */ ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls); if (tls == LDAP_OPT_X_TLS_HARD) { diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 36e73440495..16c32b2d5a7 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -703,7 +703,7 @@ got_connection: ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); if ( lp_ldap_ssl_ads() ) { - status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version)); + status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version)); if (!ADS_ERR_OK(status)) { goto out; } diff --git a/source3/wscript_build b/source3/wscript_build index 10d9f71ae76..76d01a78f64 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap', abi_directory='lib/ABI', abi_match='smbldap_*', pc_files=[], - vnum='2', + vnum='2.1.0', public_headers='include/smbldap.h include/smb_ldap.h') bld.SAMBA3_LIBRARY('ads', -- 2.25.4 From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 2 Jul 2020 10:59:18 +0200 Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider --- source3/libads/ads_proto.h | 2 +- source3/libads/ads_struct.c | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index cd9c1082681..6cdde0cf6eb 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm, const char *workgroup, const char *ldap_server, enum ads_sasl_state_e sasl_state); -bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags); void ads_destroy(ADS_STRUCT **ads); /* The following definitions come from libads/disp_sec.c */ diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 043a1b21247..67a9a7cf75e 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm, /**************************************************************** ****************************************************************/ -bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags) +bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags) { + unsigned other_flags; + if (!ads) { return false; } - ads->auth.flags = flags; + other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL); + + ads->auth.flags = flags | other_flags; return true; } -- 2.25.4 From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 2 Jul 2020 09:33:12 +0200 Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider --- WHATSNEW.txt | 5 +++++ selftest/knownfail.d/net_ads_tls | 1 - source3/libads/ldap.c | 4 ++++ 3 files changed, 9 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/net_ads_tls diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8935876d247..927b9a0fa59 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -562,6 +562,11 @@ The "ldap ssl ads" option no longer depends on "ldap ssl" option: With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" is off. +The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain: +----------------------------------------------------------------------- +This is now done implicitly when over TLS, so "client ldap sasl wrapping" +does not need to be set to "plain" in order for it to work. + REMOVED FEATURES ================ diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls deleted file mode 100644 index 251c948b6a9..00000000000 --- a/selftest/knownfail.d/net_ads_tls +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.net_ads_tls diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 16c32b2d5a7..3f41e990085 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -707,6 +707,10 @@ got_connection: if (!ADS_ERR_OK(status)) { goto out; } + if (!ads_set_sasl_wrap_flags(ads, 0)) { + status = ADS_ERROR(LDAP_OPERATIONS_ERROR); + goto out; + } } /* fill in the current time and offsets */ -- 2.25.4 From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 11 Jul 2020 05:04:59 +0200 Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over TLS From local tests with strace: socket(AF_UNIX, SOCK_STREAM, 0) = 12 write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38 ... write(2, "ads_domain_func_level: 3\n", 25) = 25 write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36 write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe) --- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} --- +++ killed by SIGPIPE +++ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Autobuild-User(master): Isaac Boukris Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184 --- source3/utils/net.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/utils/net.c b/source3/utils/net.c index 683b46794e4..e289b2814bc 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c, POPT_TABLEEND }; + /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */ + BlockSignals(True, SIGPIPE); + zero_sockaddr(&c->opt_dest_ip); setup_logging(argv[0], DEBUG_STDERR); -- 2.25.4 From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 14 Jul 2020 22:38:06 +0200 Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124 Signed-off-by: Isaac Boukris --- source3/libads/ldap.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 1ffe96d32c9..d431156912f 100755 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -96,9 +96,11 @@ static void gotalarm_sig(int signum) { int fd = -1; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + unsigned timeout_ms = 1000 * to; - status = open_socket_out(ss, port, to, &fd); + status = open_socket_out(ss, port, timeout_ms, &fd); if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("open_socket_out: failed to open socket\n")); return NULL; } -- 2.25.4