1 |
From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001 |
2 |
From: Andreas Schneider <asn@samba.org> |
3 |
Date: Mon, 16 Jan 2017 11:43:12 +0100 |
4 |
Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows |
5 |
|
6 |
Since Windows Server 2008 Microsoft uses a different port range for RPC |
7 |
services. Before it was 1024-65535 and they changed it to 49152-65535. |
8 |
|
9 |
We should use the same range as these are the ports the firewall in AD |
10 |
networks normally allows. |
11 |
|
12 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 |
13 |
|
14 |
Signed-off-by: Andreas Schneider <asn@samba.org> |
15 |
Reviewed-by: Stefan Metzmacher <metze@samba.org> |
16 |
(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3) |
17 |
--- |
18 |
source3/rpc_server/rpc_server.c | 4 ++-- |
19 |
source4/smbd/service_stream.c | 4 ++-- |
20 |
2 files changed, 4 insertions(+), 4 deletions(-) |
21 |
|
22 |
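--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,8 +34,8 @@
 #include "rpc_server/srv_pipe_hnd.h"
 #include "rpc_server/srv_pipe.h"
 
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
 
 /* Creates a pipes_struct and initializes it with the information
 * sent from the client */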
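Review bot: With SERVER_TCP_HIGH_PORT raised to 65535 the port-probing loop in create_tcpip_socket can no longer terminate by its own condition: the second patch's `@@ -608,7 +605,7 @@` hunk of this file shows the counter declared as `uint16_t i`, so after 65535 has been tried `i++` wraps to 0, `i <= SERVER_TCP_HIGH_PORT` (later `i <= lp_rpc_high_port()`) remains true, and the search carries on with port 0 and the privileged ports below the configured floor instead of giving up. The old ceiling of 1300 hid this. Use a counter wider than the port, e.g. `int i;` (or `uint32_t`), and copy it into the uint16_t port only once a bind succeeds; what happens after `open_socket_in` returns is outside that hunk. The matching loop in source4/smbd/service_stream.c (`@@ -331,7 +327,9 @@` in the second patch) has the same `i <=` end test with `i`'s declaration out of view, so its type should be checked as well.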
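--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -30,8 +30,8 @@
 #include "lib/util/util_net.h"
 
 /* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
 
 /* size of listen() backlog in smbd */
 #define SERVER_LISTEN_BACKLOG 10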
-- |
53 |
2.11.0 |
54 |
|
55 |
|
56 |
From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001 |
57 |
From: Andreas Schneider <asn@samba.org> |
58 |
Date: Mon, 16 Jan 2017 12:05:09 +0100 |
59 |
Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC |
60 |
services |
61 |
|
62 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 |
63 |
|
64 |
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> |
65 |
|
66 |
Signed-off-by: Andreas Schneider <asn@samba.org> |
67 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
68 |
(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d) |
69 |
--- |
70 |
docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++-- |
71 |
.../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++ |
72 |
lib/param/loadparm.c | 47 ++++++++++++++++++++++ |
73 |
lib/param/loadparm.h | 9 ++++- |
74 |
lib/param/param.h | 3 ++ |
75 |
python/samba/tests/docs.py | 11 +++-- |
76 |
source3/include/proto.h | 2 + |
77 |
source3/param/loadparm.c | 16 ++++++++ |
78 |
source3/rpc_server/rpc_server.c | 5 +-- |
79 |
source4/smbd/service_stream.c | 8 ++-- |
80 |
10 files changed, 120 insertions(+), 17 deletions(-) |
81 |
create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml |
82 |
|
83 |
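--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
@@ -4,11 +4,19 @@
 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 <para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ <para>This controls the default port for all protocols, except for NETLOGON.</para>
+ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
+ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
 <para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
 
+ <para>This option applies currently only when
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ runs as an active directory domain controller.</para>
+
+ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
 </description>
-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
+
+<related>rpc server dynamic port range</related>
+
 <value type="default">0</value>
 </samba:parameter>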
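--- /dev/null
+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="rpc server dynamic port range"
+ context="G"
+ type="string"
+ handler="handle_rpc_server_dynamic_port_range"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter tells the RPC server which port range it is
+ allowed to use to create a listening socket for LSA, SAM,
+ Netlogon and others without wellknown tcp ports.
+ The first value is the lowest number of the port
+ range and the second the hightest.
+ </para>
+ <para>
+ This applies to RPC servers in all server roles.
+ </para>
+</description>
+
+<related>rpc server port</related>
+
+<value type="default">49152-65535</value>
+</samba:parameter>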
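--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
 return lp_ctx->sDefault;
 }
 
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_low_port;
+}
+
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_high_port;
+}
+
 /**
 * Convenience routine to grab string parameters into temporary memory
 * and run standard_sub_basic on them.
@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
 return true;
 }
 
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue,
+ char **ptr)
+{
+ int low_port = -1, high_port = -1;
+ int rc;
+
+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
+ return false;
+ }
+
+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
+ if (rc != 2) {
+ return false;
+ }
+
+ if (low_port > high_port) {
+ return false;
+ }
+
+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
+ return false;
+ }
+
+ lp_ctx->globals->rpc_low_port = low_port;
+ lp_ctx->globals->rpc_high_port = high_port;
+
+ return true;
+}
+
 bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
 struct loadparm_service *service,
 const char *pszParmValue, char **ptr)
@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
 /* This appears odd, but globals in s3 isn't a pointer */
 lp_ctx->globals->ctx = lp_ctx->globals;
+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
 lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
 lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
 
@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
 
+ lpcfg_do_global_parameter(lp_ctx,
+ "rpc server dynamic port range",
+ "49152-65535");
+
 /* Allow modules to adjust defaults */
 for (defaults_hook = defaults_hooks; defaults_hook;
 defaults_hook = defaults_hook->next) {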
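Review bot: handle_rpc_server_dynamic_port_range accepts trailing junk, because `sscanf(pszParmValue, "%d - %d", ...)` only requires two conversions and never checks that the whole value was consumed, so a value like `49152-65535 extra` is silently taken as valid; `%d` is also undefined behaviour when the digits exceed the range of int. A consumed-length check fixes the first part: `int consumed = 0;`, `rc = sscanf(pszParmValue, "%d - %d%n", &low_port, &high_port, &consumed);`, `if (rc != 2 || pszParmValue[consumed] != '\0') { return false; }` — or parse both numbers with strtol and check errno and the end pointer, which covers the overflow case too. The `ptr` out-parameter is never written, so unless the generic parameter code stores the string itself (not visible here) the textual value is lost, which may be why python/samba/tests/docs.py has to exclude this parameter; if testparm is expected to echo it back, store it here like the other string handlers presumably do. The early rejection of an empty value deserves a one-line comment such as `/* no sensible fallback for an empty range: keep the previous values and report a parse error */`, and `SERVER_TCP_PORT_MIN||` is missing a space.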
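--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
 #endif /* DEVELOPER */
 };
 
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
+
+#define SERVER_TCP_PORT_MIN 1024
+#define SERVER_TCP_PORT_MAX 65535
 
 
 
@@ -272,7 +277,9 @@ enum inheritowner_options {
 #define LOADPARM_EXTRA_GLOBALS \
 struct parmlist_entry *param_opt; \
 char *dnsdomain; \
- char *realm_original;
+ char *realm_original; \
+ int rpc_low_port; \
+ int rpc_high_port;
 
 const char* server_role_str(uint32_t role);
 int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);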
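--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
 time_t *usr_tkt_lifetime,
 time_t *renewal_lifetime);
 
+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
+
 /* The following definitions come from lib/version.c */
 
 const char *samba_version_string(void);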
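--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
 'lprm command', 'lpq command', 'print command', 'template homedir',
 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
 'max open files', 'fss: prune stale', 'fss: sequence timeout',
- 'include system krb5 conf'])
+ 'include system krb5 conf', 'rpc server dynamic port range'])
 
 def setUp(self):
 super(SmbDotConfTests, self).setUp()
@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
 exceptions = ['client lanman auth',
 'client plaintext auth',
 'registry shares',
- 'smb ports'])
+ 'smb ports',
+ 'rpc server dynamic port range'])
 self._test_empty(['bin/testparm'])
 
 def test_default_s4(self):
 self._test_default(['bin/samba-tool', 'testparm'])
 self._set_defaults(['bin/samba-tool', 'testparm'])
 self._set_arbitrary(['bin/samba-tool', 'testparm'],
- exceptions = ['smb ports'])
+ exceptions = ['smb ports',
+ 'rpc server dynamic port range'])
 self._test_empty(['bin/samba-tool', 'testparm'])
 
 def _test_default(self, program):
@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
 
 for tuples in self.defaults:
 param, default, context, param_type = tuples
+
 if param in self.special_cases:
 continue
 section = None
@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
 for tuples in self.defaults:
 param, default, context, param_type = tuples
 
- if param in ['printing']:
+ if param in ['printing', 'rpc server dynamic port range']:
 continue
 
 section = None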
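Review bot: Adding the parameter to special_cases and to every `exceptions` list means this test class never sets `rpc server dynamic port range` at all, so the new handler's validation (ordering of the bounds, the 1024 floor, the 65535 ceiling) goes untested. If the exclusion is needed because testparm cannot print the value back, say so next to the entry, e.g. `# handled by handle_rpc_server_dynamic_port_range; testparm does not echo it`, and add a separate test that feeds a value the handler must reject (such as `1000-2000`) and expects the parse to fail. The blank line added in the `@@ -178,6 +180,7 @@` hunk is unrelated whitespace.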
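--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );
+int lp_rpc_low_port(void);
+int lp_rpc_high_port(void);
 
 int lp_wi_scan_global_parametrics(
 const char *regex, size_t max_matches,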
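--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 Globals.aio_max_threads = 100;
 
+ lpcfg_string_set(Globals.ctx,
+ &Globals.rpc_server_dynamic_port_range,
+ "49152-65535");
+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 }
@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
 return client_ipc_signing;
 }
 
+int lp_rpc_low_port(void)
+{
+ return Globals.rpc_low_port;
+}
+
+int lp_rpc_high_port(void)
+{
+ return Globals.rpc_high_port;
+}
+
 struct loadparm_global * get_globals(void)
 {
 return &Globals;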
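--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,9 +34,6 @@
 #include "rpc_server/srv_pipe_hnd.h"
 #include "rpc_server/srv_pipe.h"
 
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
 /* Creates a pipes_struct and initializes it with the information
 * sent from the client */
 int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
 if (*port == 0) {
 uint16_t i;
 
- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
 fd = open_socket_in(SOCK_STREAM,
 i,
 0,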
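--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -29,10 +29,6 @@
 #include "../lib/tsocket/tsocket.h"
 #include "lib/util/util_net.h"
 
-/* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
 /* size of listen() backlog in smbd */
 #define SERVER_LISTEN_BACKLOG 10
 
@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
 if (!port) {
 status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
 } else if (*port == 0) {
- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
+ for (i = lpcfg_rpc_low_port(lp_ctx);
+ i <= lpcfg_rpc_high_port(lp_ctx);
+ i++) {
 socket_address->port = i;
 status = socket_listen(stream_socket->sock, socket_address,
 SERVER_LISTEN_BACKLOG, 0);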
-- |
404 |
2.11.0 |
405 |
|