Andreas Schneider [Thu, 6 Dec 2012 17:06:59 +0000 (18:06 +0100)]
s4-netapi: Initialize group_handle of NetGroupGetUsers_r().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Thu, 6 Dec 2012 17:13:23 +0000 (18:13 +0100)]
s3-auth: Make sure we work on valid data_blobs.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Thu, 6 Dec 2012 17:15:12 +0000 (18:15 +0100)]
s3-netapi: Initialize group_handle of NetUserSetGroups_r.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 12:22:52 +0000 (13:22 +0100)]
torture: Fix torture_rpc_spoolss_printer_teardown_common().
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 12:24:46 +0000 (13:24 +0100)]
s3-netapi: Fix zeroing policy handles in NetLocalGroupAdd_r().
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 12:35:27 +0000 (13:35 +0100)]
vfs: Make sure we don't call talloc_free on an uninitialized pointer.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 12:42:37 +0000 (13:42 +0100)]
s3-printing: Don't call talloc_free on an uninitialized pointer.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 14:48:28 +0000 (15:48 +0100)]
idl: Fix spoolss check for the size of the struct.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 16:36:39 +0000 (17:36 +0100)]
s3-net: Check the return value of strlower_m().
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 16:39:03 +0000 (17:39 +0100)]
s3-net: Check return value of string_to_sid().
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 16:41:46 +0000 (17:41 +0100)]
s3-rpcclient: Check return value of add_string_to_array().
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andreas Schneider [Mon, 10 Dec 2012 16:47:15 +0000 (17:47 +0100)]
s3-registry: Check return code of push_reg_sz().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Jeremy Allison [Mon, 10 Dec 2012 21:22:10 +0000 (13:22 -0800)]
s3:auth: Tidy up some of the API confusion in create_token_from_XXX() calls.
Based on Michael's example, split out the return of NT_STATUS_NO_MEMORY
on talloc fail from other possible errors. Allow the NTSTATUS return
to be the only valid indication of success in these calls.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 11 20:04:25 CET 2012 on sn-devel-104
Michael Adam [Tue, 11 Dec 2012 17:05:31 +0000 (18:05 +0100)]
s3:auth: fix dereference level in talloc checks in create_token_from_sid()
Commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70 introduced these checks.
The current check "found_username == NULL" is wrong (we would segfault earlier
in this case). We need to check *found_username == NULL instead as
noted by Günter.
Reported-by: Günter Kukkukk <linux@kukkukk.com>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Michael Adam [Tue, 11 Dec 2012 15:13:39 +0000 (16:13 +0100)]
selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and s4member environments
These currently fail in a corner case.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Dec 11 17:56:01 CET 2012 on sn-devel-104
Michael Adam [Tue, 11 Dec 2012 12:34:49 +0000 (13:34 +0100)]
s4:torture:rpc:samr: fix password age calculation in test_ChangePasswordUser3()
The min_password_age field is the negative of the age.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:21:11 +0000 (13:21 +0100)]
s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:18:00 +0000 (13:18 +0100)]
s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
This matches the windows behavior.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:04:22 +0000 (13:04 +0100)]
s4:dsdb/password_hash: do the min password age checks first
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 22:56:47 +0000 (23:56 +0100)]
s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Tue, 11 Dec 2012 10:42:11 +0000 (11:42 +0100)]
s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)]
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 11 Dec 2012 12:08:28 +0000 (13:08 +0100)]
Revert "s4:dsdb/password_hash: Honor password complexity settings."
This reverts commit f8056b7a6998e002f473b0ad79eee046236a7032.
A better fix will follow.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 11 Dec 2012 01:01:12 +0000 (02:01 +0100)]
s4:dsdb/descriptor: pass object_list to create_security_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 11 Dec 2012 02:17:42 +0000 (03:17 +0100)]
libcli/security: calculate the correct inherited_object GUID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Tue, 11 Dec 2012 01:00:38 +0000 (02:00 +0100)]
libcli/security: implement object_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Mon, 10 Dec 2012 20:56:42 +0000 (21:56 +0100)]
s3:auth: fix function header comment for user_sid_in_group_sid()
This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8
which intended to fix an earlier copy'n'paste error, contained another
typo, fixed with this commit...
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
Michael Adam [Mon, 10 Dec 2012 15:58:43 +0000 (16:58 +0100)]
pidl: change strange spelling __donnot_use_enum_* to __do_not_use_enum_*
Signed-off-by: Michael Adam <obnox@samba.org>
Michael Adam [Mon, 10 Dec 2012 14:06:27 +0000 (15:06 +0100)]
s3:auth: fix create_token_from_sid() to not fail in the winbindd case
Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored
the sid-based variant out of create_token_from_username() broke
the case of a user handled by winbindd in that the "found_username"
was set to NULL which caused the function to fail with
NT_STATUS_NO_MEMORY further down.
This patch fixes the function so that the case of found_username == NULL
is cleanly separated from the NO_MEMORY case and the caller can provide
the username in this case, if required.
This fixes bug #9457.
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
Michael Adam [Mon, 10 Dec 2012 13:48:43 +0000 (14:48 +0100)]
s3:auth: fix header comment for user_sid_in_group_sid()
This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a
and the header comment contained copy'n'paste errors from the original
function user_in_group_sid() that took the user name.
Signed-off-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 17:58:57 +0000 (18:58 +0100)]
s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps working
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Dec 10 15:41:12 CET 2012 on sn-devel-104
Stefan Metzmacher [Thu, 6 Dec 2012 13:04:47 +0000 (14:04 +0100)]
s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags interaction
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 6 Dec 2012 14:56:26 +0000 (15:56 +0100)]
s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
If the sd_flags control is specified, we should return nTSecurityDescriptor
only if the client asked for all attributes.
If there's a list of only explicit attribute names, we should ignore
the sd_flags control.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 6 Dec 2012 11:36:09 +0000 (12:36 +0100)]
s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is given (bug #9470)
Not returning the nTSecurityDescriptor causes a lot of problems.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Thu, 6 Dec 2012 11:29:49 +0000 (12:29 +0100)]
s4:dsdb/acl_read: give some variables a better name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 17:40:25 +0000 (18:40 +0100)]
s4:dsdb/acl_read: fix the calculation of the attribute array for the sub search
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 17:39:29 +0000 (18:39 +0100)]
s4:dsdb/acl_read: check the ldb_attr_list_copy_add() result
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 18:02:10 +0000 (19:02 +0100)]
s4:dsdb/dirsync: fix potential talloc hierarchy problems (bug #9470)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Günther Deschner [Fri, 7 Dec 2012 11:51:10 +0000 (12:51 +0100)]
s4-torture: call the s4u2self tests with arcfour and aes.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104
Günther Deschner [Fri, 7 Dec 2012 11:57:18 +0000 (12:57 +0100)]
s4-torture: precalculate expected session keys from samlogon in schannel test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 7 Dec 2012 11:38:16 +0000 (12:38 +0100)]
libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 7 Dec 2012 00:05:00 +0000 (01:05 +0100)]
libcli/auth: remove trailing whitespace.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 6 Dec 2012 14:21:02 +0000 (15:21 +0100)]
s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 6 Dec 2012 13:54:25 +0000 (14:54 +0100)]
s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 6 Dec 2012 13:31:32 +0000 (14:31 +0100)]
s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 18:49:52 +0000 (19:49 +0100)]
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:24:24 +0000 (16:24 +0100)]
s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 18:52:54 +0000 (19:52 +0100)]
s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
Sumit, please check.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 17:06:54 +0000 (18:06 +0100)]
s4-torture: validate owf password hash and negotiate AES in forest trust test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 16:59:12 +0000 (17:59 +0100)]
s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:37:02 +0000 (16:37 +0100)]
s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 17:38:01 +0000 (18:38 +0100)]
s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:21:59 +0000 (16:21 +0100)]
s4-torture: exit early when join fails in samba3rpc tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:20:14 +0000 (16:20 +0100)]
s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:23:34 +0000 (16:23 +0100)]
s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 5 Dec 2012 15:11:19 +0000 (16:11 +0100)]
s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Tue, 4 Dec 2012 22:11:10 +0000 (23:11 +0100)]
s4-torture: remove trailing whitespace in smbtorture remote_pac test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 30 Nov 2012 23:59:44 +0000 (00:59 +0100)]
s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 21:47:40 +0000 (22:47 +0100)]
s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 21:47:19 +0000 (22:47 +0100)]
s4-torture: add AES support for netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 21:44:33 +0000 (22:44 +0100)]
s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 21:24:37 +0000 (22:24 +0100)]
s4-torture: remove trailing whitespace from netlogon test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 20:35:04 +0000 (21:35 +0100)]
s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 20:34:36 +0000 (21:34 +0100)]
s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 20:30:24 +0000 (21:30 +0100)]
s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 29 Nov 2012 20:23:30 +0000 (21:23 +0100)]
libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Alexander Bokovoy [Sat, 8 Dec 2012 15:57:20 +0000 (17:57 +0200)]
wafsamba: replace try:except: case with explicit comment about FIPS mode
Since exceptions will be caught by outer try:except: pair anyway, mark
the test of MD5 code by the comment that explains why we need to really
test it.
Do it for both hashlib.md5 and md5 modules.
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Dec 8 18:41:07 CET 2012 on sn-devel-104
Alexander Bokovoy [Fri, 7 Dec 2012 15:36:02 +0000 (17:36 +0200)]
wafsamba: Make sure md5 really works before using it or overriding the hash function
In FIPS mode importing md5 Python module will not cause any error but calling md5.md5()
function will throw ValueError since md5 is not available.
Make sure md5.md5() actually works and if not, fall back to use hash replacement that
we already have in wafsamba.
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Dec 8 13:30:07 CET 2012 on sn-devel-104
Ricky Nance [Sat, 8 Dec 2012 00:43:16 +0000 (18:43 -0600)]
samba-tool processes: Make the output a bit neater
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Sat Dec 8 03:34:29 CET 2012 on sn-devel-104
Andreas Schneider [Thu, 6 Dec 2012 13:31:45 +0000 (14:31 +0100)]
winbind: Make the code more readable in trustdom_list_done().
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>
Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Fri Dec 7 22:38:43 CET 2012 on sn-devel-104
Tsukasa Hamano [Thu, 6 Dec 2012 21:01:33 +0000 (13:01 -0800)]
Fix bug #9471 - SEGV when using second vfs module.
Don't use default_classname_table when we obviously should be using
classname_table.
Reviewed by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Dec 7 17:51:50 CET 2012 on sn-devel-104
Stefan Metzmacher [Fri, 7 Dec 2012 12:56:21 +0000 (12:56 +0000)]
s4:dsdb/descriptor: fix replication of NC heads
The sub NC heads may be replicated with the parent partition,
if we don't need to recalculate the nTSecurityDescriptor attribute in that
case, the replication of the sub partition should handle that.
This fixes error messages like this:
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 12:39:31 +0000 (13:39 +0100)]
s4:dsdb/acl_read: improve debugging for fatal error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 10:02:49 +0000 (11:02 +0100)]
s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
Some modules might not allocate values on the correct memory context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 10:08:14 +0000 (10:08 +0000)]
s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
We should keep the talloc hierarchy sane.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Stefan Metzmacher [Fri, 7 Dec 2012 09:34:58 +0000 (10:34 +0100)]
s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
We should always update the ts_last_change.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Thu, 6 Dec 2012 14:51:55 +0000 (15:51 +0100)]
s3: Fix clear_if_first for the async echo handler
A worker smbd is not as long-lived as the main smbd, but as the async
echo handler exits when the worker smbd does, passing "true" here is the
right thing to do and fixes our clear_if_first handling when the async
echo handler is active.
Reviewed-by: Christian Ambach <ambi@samba.org>
Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Fri Dec 7 11:29:36 CET 2012 on sn-devel-104
Stefan Metzmacher [Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)]
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 6 05:11:43 CET 2012 on sn-devel-104
Andrew Bartlett [Wed, 5 Dec 2012 01:52:22 +0000 (12:52 +1100)]
build: Install .po files for SWAT intl support
Andrew Bartlett [Tue, 4 Dec 2012 23:35:50 +0000 (10:35 +1100)]
scripting: Handle missing LDAP entries in samba-tool domain classicupgrade
Reported-by: Thomas Simmons <twsnnva@gmail.com>
Scott Lovenberg [Tue, 4 Dec 2012 14:15:38 +0000 (09:15 -0500)]
Clean up client timeout definitions [rev. 2]
The definitions for default client timeout values have been moved to client.h. When initializing a client struct we use this value instead of the old hardcoded value. The timeout value remains 20 seconds.
Signed-off-by: Scott Lovenberg <scott.lovenberg@gmail.com>
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 6 03:25:58 CET 2012 on sn-devel-104
Michael Adam [Tue, 4 Dec 2012 15:26:36 +0000 (16:26 +0100)]
s3:smbd: fix a cut and paste error in a debug message
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 4 Dec 2012 23:47:06 +0000 (15:47 -0800)]
Documentation fixes for bug #9462 - Users can not be given write permissions any more by default
Ensure we don't apply the masks + force modes on security setting
changes, only on create.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Wed, 5 Dec 2012 14:04:01 +0000 (15:04 +0100)]
s3:smbd: don't apply create/directory mask and modes in apply_default_perms()
The mask/mode parameters should only apply to a situation with only
pure posix permissions.
Once we are dealing with ACLs and inheritance, we need to do it correctly.
This fixes bug #9462: Users can not be given write permissions any more by default
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
Richard Sharpe [Wed, 5 Dec 2012 01:21:29 +0000 (17:21 -0800)]
Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
Ensure we check the buffer size correctly.
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 6 01:31:08 CET 2012 on sn-devel-104
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:23 +0000 (20:44 +0100)]
wsgi: Serve '500 Internal Server Error' page when errors occur.
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Wed Dec 5 18:40:25 CET 2012 on sn-devel-104
Jelmer Vernooij [Sat, 24 Nov 2012 19:44:08 +0000 (20:44 +0100)]
web_server: Make second argument to websrv_output const.
Jelmer Vernooij [Sat, 24 Nov 2012 18:35:33 +0000 (19:35 +0100)]
wsgi: When encountering error in Python code, print traceback to logs.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Andreas Schneider [Tue, 4 Dec 2012 14:03:40 +0000 (15:03 +0100)]
BUG 9459: Install manpages only if we install the target.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 4 18:07:47 CET 2012 on sn-devel-104
Jeremy Allison [Mon, 3 Dec 2012 23:07:16 +0000 (15:07 -0800)]
Remove unused append_parent_acl().
Get rid of a large chunk of unused code.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Dec 4 11:59:30 CET 2012 on sn-devel-104
Michael Adam [Tue, 4 Dec 2012 01:02:07 +0000 (02:02 +0100)]
s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED
Omission to free the talloc frame causes a panic (at least in developer mode)
in the next main event loop due to "Frame not freed in order."
(Freed frame ../source3/smbd/process.c:3617, expected ../source3/modules/vfs_acl_common.c:534.)
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 4 09:03:25 CET 2012 on sn-devel-104
Michael Adam [Mon, 3 Dec 2012 15:52:12 +0000 (16:52 +0100)]
s3:passdb: fix building pdb_ldap as shared module
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 3 19:12:29 CET 2012 on sn-devel-104
Karolin Seeger [Fri, 30 Nov 2012 10:33:04 +0000 (11:33 +0100)]
docs: Merge both samba.8 manpages.
Remove source4/smbd/samba.8.xml and add the additional content to
docs-xml/samba.8.xml to be able to build this manpage with the autoconf build
also.
Karolin
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 3 16:28:32 CET 2012 on sn-devel-104