diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-05-29 15:20:58 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-05-29 15:20:58 +1000 |
commit | b9213316c77ab340fe02c9784f63a2f7d79cb492 (patch) | |
tree | b034cf4e7954d9554ee96e9474653b09b366947d | |
parent | ce877cafdd24b51fafb8e21a06012e8e47dd4622 (diff) | |
download | samba-b9213316c77ab340fe02c9784f63a2f7d79cb492.tar.gz samba-b9213316c77ab340fe02c9784f63a2f7d79cb492.tar.xz samba-b9213316c77ab340fe02c9784f63a2f7d79cb492.zip |
Allow the ntp_signd socket to be set from configure.
This will allow distributions to hard-code this path, particularly for
selinux, and matches how we handle the winbind socket dir.
Andrew Bartlett
(This used to be commit c8b441650400ed1b24c89991f5752dad3c87795f)
-rw-r--r-- | source4/Makefile | 1 | ||||
-rw-r--r-- | source4/build/m4/check_path.m4 | 19 | ||||
-rw-r--r-- | source4/dynconfig/config.mk | 3 | ||||
-rw-r--r-- | source4/dynconfig/dynconfig.c | 3 | ||||
-rw-r--r-- | source4/dynconfig/dynconfig.h | 1 | ||||
-rw-r--r-- | source4/ntp_signd/ntp_signd.c | 22 | ||||
-rw-r--r-- | source4/param/loadparm.c | 7 | ||||
-rw-r--r-- | source4/param/param.h | 2 |
8 files changed, 53 insertions, 5 deletions
diff --git a/source4/Makefile b/source4/Makefile index 14d0fe3b20..b7d5206868 100644 --- a/source4/Makefile +++ b/source4/Makefile @@ -167,6 +167,7 @@ showlayout:: @echo ' torturedir: $(TORTUREDIR)' @echo ' datadir: $(datadir)' @echo ' winbindd_socket_dir: $(winbindd_socket_dir)' + @echo ' ntp_signd_socket_dir: $(ntp_signd_socket_dir)' showflags:: @echo ' srcdir = $(srcdir)' diff --git a/source4/build/m4/check_path.m4 b/source4/build/m4/check_path.m4 index 08a858ebb2..c0b81f1a8d 100644 --- a/source4/build/m4/check_path.m4 +++ b/source4/build/m4/check_path.m4 @@ -20,6 +20,7 @@ piddir="${localstatedir}/run" privatedir="\${prefix}/private" modulesdir="\${prefix}/modules" winbindd_socket_dir="${localstatedir}/run/winbind_pipe" +ntp_signd_socket_dir="${localstatedir}/run/ntp_signd" AC_ARG_WITH(fhs, [ --with-fhs Use FHS-compliant paths (default=no)], @@ -31,6 +32,7 @@ AC_ARG_WITH(fhs, modulesdir="${libdir}/samba" datadir="${datadir}/samba" includedir="${includedir}/samba-4.0" + ntp_signd_socket_dir="${localstatedir}/run/samba/ntp_signd" winbindd_socket_dir="${localstatedir}/run/samba/winbind_pipe" ) @@ -67,6 +69,22 @@ AC_ARG_WITH(winbindd-socket-dir, esac]) ################################################# +# set where the NTP signing deamon socket should be put +AC_ARG_WITH(ntp-signd-socket-dir, +[ --with-ntp-signd-socket-dir=DIR Where to put the NTP signing deamon socket ($ac_default_prefix/run/ntp_signd)], +[ case "$withval" in + yes|no) + # + # Just in case anybody calls it without argument + # + AC_MSG_WARN([--with-ntp-signd-socketdir called without argument - will use default]) + ;; + * ) + ntp_signd_socket_dir="$withval" + ;; + esac]) + +################################################# # set lock directory location AC_ARG_WITH(lockdir, [ --with-lockdir=DIR Where to put lock files ($ac_default_prefix/var/locks)], @@ -122,6 +140,7 @@ AC_SUBST(privatedir) AC_SUBST(bindir) AC_SUBST(sbindir) AC_SUBST(winbindd_socket_dir) +AC_SUBST(ntp_signd_socket_dir) AC_SUBST(modulesdir) ################################################# diff --git a/source4/dynconfig/config.mk b/source4/dynconfig/config.mk index 5f2887f8b6..a353ba1214 100644 --- a/source4/dynconfig/config.mk +++ b/source4/dynconfig/config.mk @@ -19,5 +19,6 @@ $(dynconfigsrcdir)/dynconfig.o: CFLAGS+=-DCONFIGFILE=\"$(CONFIGFILE)\" -DBINDIR= -DPRIVATE_DIR=\"$(privatedir)\" \ -DMODULESDIR=\"$(modulesdir)\" -DJSDIR=\"$(JSDIR)\" \ -DTORTUREDIR=\"$(TORTUREDIR)\" \ - -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" + -DSETUPDIR=\"$(SETUPDIR)\" -DWINBINDD_SOCKET_DIR=\"$(winbindd_socket_dir)\" \ + -DNTP_SIGND_SOCKET_DIR=\"$(ntp_signd_socket_dir)\" diff --git a/source4/dynconfig/dynconfig.c b/source4/dynconfig/dynconfig.c index 6dbbf872d9..ef5c40d698 100644 --- a/source4/dynconfig/dynconfig.c +++ b/source4/dynconfig/dynconfig.c @@ -84,3 +84,6 @@ _PUBLIC_ const char *dyn_JSDIR = JSDIR; /** Where to find the winbindd socket */ _PUBLIC_ const char *dyn_WINBINDD_SOCKET_DIR = WINBINDD_SOCKET_DIR; + +/** Where to find the NTP signing deamon socket */ +_PUBLIC_ const char *dyn_NTP_SIGND_SOCKET_DIR = NTP_SIGND_SOCKET_DIR; diff --git a/source4/dynconfig/dynconfig.h b/source4/dynconfig/dynconfig.h index ac54db63d6..e77c13bab3 100644 --- a/source4/dynconfig/dynconfig.h +++ b/source4/dynconfig/dynconfig.h @@ -38,3 +38,4 @@ extern const char *dyn_SWATDIR; extern const char *dyn_JSDIR; extern const char *dyn_SETUPDIR; extern const char *dyn_WINBINDD_SOCKET_DIR; +extern const char *dyn_NTP_SIGND_SOCKET_DIR; diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c index 1933c6a2f6..fdd97e475c 100644 --- a/source4/ntp_signd/ntp_signd.c +++ b/source4/ntp_signd/ntp_signd.c @@ -35,6 +35,7 @@ #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "lib/crypto/md5.h" +#include "system/passwd.h" /* top level context structure for the ntp_signd server @@ -144,6 +145,8 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return ndr_map_error2ntstatus(ndr_err); } + /* We need to implement 'check signature' and 'request server + * to sign' operations at some point */ if (sign_request.op != SIGN_TO_CLIENT) { talloc_free(tmp_ctx); return signing_failure(ntp_signdconn, sign_request.packet_id); @@ -155,13 +158,13 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return signing_failure(ntp_signdconn, sign_request.packet_id); } + /* The top bit is a 'key selector' */ sid = dom_sid_add_rid(tmp_ctx, domain_sid, sign_request.key_id & 0x7FFFFFFF); if (!sid) { talloc_free(tmp_ctx); return signing_failure(ntp_signdconn, sign_request.packet_id); } - /* Sign packet */ ret = ldb_search_exp_fmt(ntp_signdconn->ntp_signd->samdb, tmp_ctx, &res, samdb_base_dn(ntp_signdconn->ntp_signd->samdb), LDB_SCOPE_SUBTREE, attrs, "(&(objectSid=%s)(objectClass=computer))", @@ -188,6 +191,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return signing_failure(ntp_signdconn, sign_request.packet_id); } + /* Generate the reply packet */ signed_reply.version = 1; signed_reply.packet_id = sign_request.packet_id; signed_reply.op = SIGNING_SUCCESS; @@ -201,7 +205,6 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) } memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length); - SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id); /* Sign the NTP response with the unicodePwd */ @@ -210,8 +213,8 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) MD5Update(&ctx, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length); MD5Final(signed_reply.signed_packet.data + sign_request.packet_to_sign.length + 4, &ctx); - /* Place it into the packet for the wire */ + /* Place it into the packet for the wire */ ndr_err = ndr_push_struct_blob(&output, tmp_ctx, lp_iconv_convenience(ntp_signdconn->ntp_signd->task->lp_ctx), &signed_reply, @@ -229,6 +232,7 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input) return NT_STATUS_NO_MEMORY; } + /* The 'wire' transport for this is wrapped with a 4 byte network byte order length */ RSIVAL(wrapped_output.data, 0, output.length); memcpy(wrapped_output.data + 4, output.data, output.length); @@ -317,7 +321,15 @@ static void ntp_signd_task_init(struct task_server *task) const struct model_ops *model_ops; - const char *address = "/tmp/ux_demo"; + const char *address; + + if (!directory_create_or_exist(lp_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) { + char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s", + lp_ntp_signd_socket_directory(task->lp_ctx)); + task_server_terminate(task, + error); + return; + } /* within the ntp_signd task we want to be a single process, so ask for the single process model ops and pass these to the @@ -345,6 +357,8 @@ static void ntp_signd_task_init(struct task_server *task) return; } + address = talloc_asprintf(ntp_signd, "%s/socket", lp_ntp_signd_socket_directory(task->lp_ctx)); + status = stream_setup_socket(ntp_signd->task->event_ctx, ntp_signd->task->lp_ctx, model_ops, diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index ad1752a7e7..0a7aec1985 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -179,6 +179,7 @@ struct loadparm_global int bUnixExtensions; int bDisableNetbios; int bRpcBigEndian; + char *szNTPSignDSocketDirectory; struct param_opt *param_opt; }; @@ -489,6 +490,8 @@ static struct parm_struct parm_table[] = { {"template homedir", P_STRING, P_GLOBAL, GLOBAL_VAR(szTemplateHomedir), NULL, NULL }, {"idmap trusted only", P_BOOL, P_GLOBAL, GLOBAL_VAR(bIdmapTrustedOnly), NULL, NULL}, + {"ntp signd socket directory", P_STRING, P_GLOBAL, GLOBAL_VAR(szNTPSignDSocketDirectory), NULL, NULL }, + {NULL, P_BOOL, P_NONE, 0, NULL, NULL} }; @@ -730,6 +733,8 @@ _PUBLIC_ FN_LOCAL_INTEGER(lp_force_dir_mode, iDir_force_mode) _PUBLIC_ FN_GLOBAL_INTEGER(lp_server_signing, server_signing) _PUBLIC_ FN_GLOBAL_INTEGER(lp_client_signing, client_signing) +_PUBLIC_ FN_GLOBAL_CONST_STRING(lp_ntp_signd_socket_directory, szNTPSignDSocketDirectory) + /* local prototypes */ static int map_parameter(const char *pszParmName); static struct loadparm_service *getservicebyname(struct loadparm_context *lp_ctx, @@ -2410,6 +2415,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lp_do_global_parameter(lp_ctx, "prefork children:smb", "4"); + lp_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/source4/param/param.h b/source4/param/param.h index 0b276cdff2..06a42575ad 100644 --- a/source4/param/param.h +++ b/source4/param/param.h @@ -186,6 +186,8 @@ int lp_dir_mask(struct loadparm_service *, struct loadparm_service *); int lp_force_dir_mode(struct loadparm_service *, struct loadparm_service *); int lp_server_signing(struct loadparm_context *); int lp_client_signing(struct loadparm_context *); +const char *lp_ntp_signd_socket_directory(struct loadparm_context *); + const char *lp_get_parametric(struct loadparm_context *lp_ctx, struct loadparm_service *service, const char *type, const char *option); |