Amitay Isaacs [Wed, 18 Apr 2018 01:53:57 +0000 (11:53 +1000)]
ctdb-common: Add a function to validate logging specification
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 18 Apr 2018 01:52:05 +0000 (11:52 +1000)]
ctdb-common: Refactor log backend parsing code
This will allow adding a validator for logging specification.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 27 Apr 2018 07:21:00 +0000 (17:21 +1000)]
ctdb-common: Add config options tool
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Wed, 13 Dec 2017 08:41:16 +0000 (19:41 +1100)]
ctdb-common: Add config file parsing code
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Mon, 26 Mar 2018 04:04:12 +0000 (15:04 +1100)]
util: Add tini to samba-util-core
So it can be used by CTDB.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 8 May 2018 08:09:46 +0000 (18:09 +1000)]
ctdb-tests: Setup $CTDB_BASE/{run,var} directories
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 8 May 2018 03:23:15 +0000 (13:23 +1000)]
ctdb-common: Add path tool
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 8 May 2018 03:02:33 +0000 (13:02 +1000)]
ctdb-common: Add utility code to get various paths
This will construct correct paths when running with CTDB_TEST_MODE.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 24 Apr 2018 13:17:18 +0000 (23:17 +1000)]
ctdb-common: Add command line processing abstraction
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Tue, 8 May 2018 06:03:54 +0000 (16:03 +1000)]
ctdb-packaging: Package all helpers using wildcard
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Aaron Haslett [Tue, 1 May 2018 03:54:07 +0000 (15:54 +1200)]
devel: removing unused code from chgkrbtgtpass
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 12:05:31 CEST 2018 on sn-devel-144
Aaron Haslett [Tue, 1 May 2018 03:51:10 +0000 (15:51 +1200)]
samdb rid: clear cache to prevent old ntds_guid
During the new samba-tool domain backup restore the NTDS GUID changes
as the server is taken over by the new DC record.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Aaron Haslett [Mon, 30 Apr 2018 23:10:40 +0000 (11:10 +1200)]
ldb: removing prior secret from logs
priorSecret, like secret, can contain a machine account password
(for secrets.ldb) and so should not be printed in a debug
trace.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13353
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Martin Schwenke [Tue, 24 Apr 2018 04:13:35 +0000 (14:13 +1000)]
ctdb-scripts: Drop CTDB_SUPPRESS_COREFILE and CTDB_MAX_OPEN_FILES options
These should be done using features provided by the operating system.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sat May 12 09:13:28 CEST 2018 on sn-devel-144
Martin Schwenke [Tue, 24 Apr 2018 06:35:16 +0000 (16:35 +1000)]
ctdb-config: Add default ctdb.sysconfig file, update ctdb.service
Install ctdb.sysconfig in RPM.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 24 Apr 2018 04:11:23 +0000 (14:11 +1000)]
ctdb-docs: Document system options and resource controls
The existing configuration file is disappearing so these configuration
options need a new home that is not handled by ctdbd_wrapper.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Tue, 24 Apr 2018 06:33:20 +0000 (16:33 +1000)]
ctdb-config: Add a default script.options file
Include it in the RPM.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 4 Apr 2018 09:17:59 +0000 (19:17 +1000)]
ctdb-docs: Document script.options
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 4 Apr 2018 09:16:57 +0000 (19:16 +1000)]
ctdb-scripts: Use load_script_options() in miscellaneous scripts
Some of these just aim to load the generic script.options file while
others target more specific files.
For NFS configuration, always use 60.nfs.options - even for 06.nfs.
This could be carefully documented but will change a lot before
release so there is no need.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 4 Apr 2018 09:06:13 +0000 (19:06 +1000)]
ctdb-scripts: Allow load_script_options() to specify an event script
This allows other scripts to use the given options for a particular
event script. One interesting example is that the ctdb_natgw tool
should look for configuration in events.d/11.natgw.options.
In the future this will be something like
events/failover/11.natgw.options, so require the component to be
specified even though it isn't yet used.
Test support is also updated.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 4 Apr 2018 08:52:36 +0000 (18:52 +1000)]
ctdb-scripts: Add global script.options configuration file
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Fri, 6 Apr 2018 00:30:23 +0000 (10:30 +1000)]
ctdb-tests: Separate support script for 06.nfs
Including 60.nfs was too simple a hack, since we will want to do some
magic to use the configuration from 60.nfs for 06.nfs.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 5 Apr 2018 00:54:00 +0000 (10:54 +1000)]
ctdb-scripts: Don't check for CTDB_PARTIALLY_ONLINE_INTERFACES clash
Just document that NAT gateway and LVS are not compatible with this
option. Update the documentation to make it clear that this is a
10.interface option.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 5 Apr 2018 06:19:23 +0000 (16:19 +1000)]
ctdb-scripts: Don't load CTDB configuration in onnode
onnode does not use any configuration options.
Drop sourcing of functions file since the only function used was
loadconfig().
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 4 Apr 2018 09:14:16 +0000 (19:14 +1000)]
ctdb-scripts: Don't load CTDB configuration in statd-callout
The only configuration options used by statd-callout are NFS_HOSTNAME,
which comes from the NFS system configuration file, and
CTDB_NFS_CALLOUT, which is exported by the 60.nfs event script.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Thu, 11 Jan 2018 05:17:19 +0000 (16:17 +1100)]
ctdb-tests: Continue running if a testcase is not executable
At the moment the whole test run aborts without printing a summary of
results but inexplicably succeeds. Instead, generate a clear failure
for a non-executable testcase.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Garming Sam [Wed, 9 May 2018 03:39:09 +0000 (15:39 +1200)]
pysmb: Add some more documentation for conn.list
There are two options which are undocumented.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 04:57:29 CEST 2018 on sn-devel-144
Garming Sam [Wed, 9 May 2018 03:24:38 +0000 (15:24 +1200)]
gpo: Ensure all files are retrieved in fetch
.ini files are normally set as hidden, and will not be found over SMB.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 8 May 2018 05:09:53 +0000 (17:09 +1200)]
Fix spelling s/woks/works
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joe Guo [Thu, 10 May 2018 05:11:29 +0000 (17:11 +1200)]
traffic: improve is_really_a_packet
This function will repeat on each packet.
Avoid exception for getattr, which is expensive for performance.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 10 May 2018 05:04:50 +0000 (17:04 +1200)]
traffic: improve add_short_packet by avoiding str.split
Avoid str.split, which will repeat for each packet.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 10 May 2018 05:01:19 +0000 (17:01 +1200)]
traffic: simplify forget_packets_outside_window
Make code compact, and improve performance a little bit.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 10 May 2018 04:43:04 +0000 (16:43 +1200)]
traffic: grant user write permission
Some packets need user to have write permission, e.g.: writeaccountspn
Grant user write permission then we can send packets successfully.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Sun, 6 May 2018 22:18:42 +0000 (10:18 +1200)]
traffic_replay: fetch domain from creds other than opts
For traffic_replay script, when user provides `--workgroup` or `-W` option,
it will be set on the creds option group, not the default opts one.
The previous code will not work properly when smb.conf file is missing.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 2 May 2018 05:04:03 +0000 (05:04 +0000)]
traffic: set domain on user_creds and machine_creds
The domain is missing in traffic user and machine credential, this will cause
some packet tests to fail against windows.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Tue, 1 May 2018 04:58:01 +0000 (16:58 +1200)]
traffic_packets: provision request data for packet_drsuapi_13
The `drsuapi.DsWriteAccountSpnRequest1` struct in this packet was empty before.
Samba lets it go but Windows will report an invalid parameter error.
Provision the request with proper data, and give user permission to
write account SPN.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Tue, 1 May 2018 05:15:09 +0000 (17:15 +1200)]
traffic_packets: add trailing $ to fix packet_rpc_netlogon_30
For `NetrServerPasswordSet2`, the 2nd arg `account_name` must end with a
$, otherwise windows will return an `Access Denied` error.
Use `creds.get_username()` instead of `creds.get_workstation()` to
include the trailing $.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Fri, 27 Apr 2018 02:51:11 +0000 (14:51 +1200)]
traffic_packets: add windows instructions for ldap 0 simple bind
To run packet_ldap_0 simple bind test against Windows, we need to
install CA on Windows with following PowerShell commands:
Install-windowsfeature ADCS-Cert-Authority
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA
Restart-Computer
Otherwise we will get `NT_STATUS_CONNECTION_RESET` error.
Didn't change any code, just add above instructions in comment.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Fri, 27 Apr 2018 00:07:16 +0000 (12:07 +1200)]
traffic_packets: replace share_name from netlogon to IPC$ for packet_srvsvc_16
Sharename list for Windows:
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
For Samba:
    Sharename       Type      Comment
    ---------       ----      -------
    netlogon        Disk
    sysvol          Disk
    IPC$            IPC       IPC Service
While testing packet_srvsvc_16 with share_name `netlogon`,
it passed Samba, and got a WERR_NERR_NETNAMENOTFOUND error for Windows.
Change share name to `IPC$` so Samba and Windows have it in common.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 26 Apr 2018 23:27:59 +0000 (11:27 +1200)]
traffic_packets: replace level 102 to 101 for packet_srvsvc_21
Level 102 will cause WERR_ACCESS_DENIED error against Windows, because:
> If the level is 102 or 502, the Windows implementation checks whether
> the caller is a member of one of the groups previously mentioned or
> is a member of the Power Users local group.
It passed against Samba since this check is not implemented by Samba yet.
refer to:
https://msdn.microsoft.com/en-us/library/cc247297.aspx#Appendix_A_80
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 26 Apr 2018 00:15:10 +0000 (12:15 +1200)]
traffic: add credentials to samr
lp and creds are missing in SamrContext and samr connection.
While running traffic_replay against windows, this will cause
`Access Denied` error.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 18 Apr 2018 03:45:10 +0000 (15:45 +1200)]
traffic_packets: support NT_STATUS_NO_SUCH_DOMAIN in packet_lsarpc_39
For packet_lsarpc_39, samba will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
however, windows will return NT_STATUS_NO_SUCH_DOMAIN.
Allow both statuses for now to keep compatible with both samba and
windows DC.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 18 Apr 2018 03:40:18 +0000 (15:40 +1200)]
traffic_replay: fix typo in message string
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 18 Apr 2018 03:31:12 +0000 (15:31 +1200)]
traffic_replay: set gensec features to encrypt credentials
While running traffic_replay script against windows dc, it will fail
with a `LDAP_UNWILLING_TO_PERFORM` error for adding user.
Windows requires the credentials to be encrypted before sending.
`set_gensec_features` will fix it.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 18 Apr 2018 03:36:02 +0000 (15:36 +1200)]
traffic: add paged_results control for ldb search
While there are more than 1000 records in the search result from Windows,
a `LDAP_SIZE_LIMIT_EXCEEDED` error will be returned.
Add paged_results control to fix.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Fri, 11 May 2018 01:18:43 +0000 (13:18 +1200)]
selftest: Add a test for creds.{get,set}_secure_channel_type()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Wed, 2 May 2018 21:40:39 +0000 (21:40 +0000)]
pycredentials: add py_creds_get_secure_channel_type
We have only set, need get.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Tue, 1 May 2018 00:44:43 +0000 (12:44 +1200)]
cmd_drsuapi: add dswriteaccountspn command
The dswriteaccountspn command is missing in drsuapi, add it so we can
use it in rpcclient.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Tue, 1 May 2018 18:35:52 +0000 (20:35 +0200)]
Improve vfs_linux_xfs_sgid manpage
- Add missing refpurpose and describe the "circumstances"
- Replace dangling link by archive.org backup
- Add fixed Linux version and commit link
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Tue, 1 May 2018 19:59:23 +0000 (21:59 +0200)]
Fix pidl manpage sections
.TH header should match file name (i.e 3pm and not 3 for Parse::Pidl::NDR).
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:24:25 +0000 (22:24 +0200)]
Fix spelling s/unsuported/unsupported/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:24:16 +0000 (22:24 +0200)]
Fix spelling s/unitialized/uninitialized/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:24:00 +0000 (22:24 +0200)]
Fix spelling s/succesfully/successfully/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:23:54 +0000 (22:23 +0200)]
Fix spelling s/specfied/specified/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:23:45 +0000 (22:23 +0200)]
Fix spelling s/retun/return/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:23:39 +0000 (22:23 +0200)]
Fix spelling s/retrive/retrieve/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:23:01 +0000 (22:23 +0200)]
Fix spelling s/receving/receiving/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:22:53 +0000 (22:22 +0200)]
Fix spelling s/protcol/protocol/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:22:46 +0000 (22:22 +0200)]
Fix spelling s/propogate/propagate/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:22:38 +0000 (22:22 +0200)]
Fix spelling s/processs/process/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:22:20 +0000 (22:22 +0200)]
Fix spelling s/ouput/output/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:22:00 +0000 (22:22 +0200)]
Fix spelling s/opions/options/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:21:53 +0000 (22:21 +0200)]
Fix spelling s/openened/opened/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:21:41 +0000 (22:21 +0200)]
Fix spelling s/missmatch/mismatch/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:21:30 +0000 (22:21 +0200)]
Fix spelling s/malicous/malicious/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:21:09 +0000 (22:21 +0200)]
Fix spelling s/fowarding/forwarding/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:20:57 +0000 (22:20 +0200)]
Fix spelling s/formated/formatted/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:20:21 +0000 (22:20 +0200)]
Fix spelling s/Everytime/Every time/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:19:08 +0000 (22:19 +0200)]
Fix spelling s/doens't/doesn't/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:18:54 +0000 (22:18 +0200)]
Fix spelling s/desriptor/descriptor/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:18:47 +0000 (22:18 +0200)]
Fix spelling s/coult/could/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:18:16 +0000 (22:18 +0200)]
Fix spelling s/conection/connection/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:14:34 +0000 (22:14 +0200)]
Fix spelling s/authenticaiton/authentication/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:13:58 +0000 (22:13 +0200)]
Fix spelling s/anwser/answer/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Mathieu Parent [Fri, 4 May 2018 20:12:14 +0000 (22:12 +0200)]
Fix spelling s/allows to/allows one to/
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Joe Guo [Thu, 19 Apr 2018 05:05:21 +0000 (17:05 +1200)]
Fix typo for response
reponse --> response
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Ralph Boehme [Thu, 10 May 2018 10:29:35 +0000 (12:29 +0200)]
s3:smbd: fix interaction between chown and SD flags
A change ownership operation that doesn't set the NT ACLs must not touch
the SD flags (type).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 11 23:30:32 CEST 2018 on sn-devel-144
Ralph Boehme [Thu, 10 May 2018 10:28:43 +0000 (12:28 +0200)]
s4:torture/smb2: new test for interaction between chown and SD flags
This passes against Windows, but fails against Samba.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 8 May 2018 06:41:04 +0000 (08:41 +0200)]
printing: Fix CID 1435452 (TAINTED_SCALAR)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Andreas Schneider [Thu, 26 Apr 2018 15:32:42 +0000 (17:32 +0200)]
winbind: Fix UPN handling in canonicalize_username()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 11 12:02:37 CEST 2018 on sn-devel-144
Andreas Schneider [Thu, 26 Apr 2018 10:17:12 +0000 (12:17 +0200)]
winbind: Fix UPN handling in parse_domain_user()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Thu, 26 Apr 2018 15:23:41 +0000 (17:23 +0200)]
winbind: Remove unused function parse_domain_user_talloc()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Feb 2018 13:10:28 +0000 (14:10 +0100)]
winbind: Pass upn unmodified to lookup names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 20 Apr 2018 09:20:44 +0000 (11:20 +0200)]
nsswitch:tests: Add test for wbinfo --user-info
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 20 Apr 2018 07:38:24 +0000 (09:38 +0200)]
selftest: Add a user with a different userPrincipalName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 7 May 2018 11:23:42 +0000 (13:23 +0200)]
nsswitch: Lookup the domain in tests with the wb separator
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 4 May 2018 10:43:05 +0000 (12:43 +0200)]
nsswitch: Add a test looking up domain sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Fri, 20 Apr 2018 09:24:30 +0000 (11:24 +0200)]
nsswitch: Add a test looking up the user using the upn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Mon, 7 May 2018 14:20:30 +0000 (16:20 +0200)]
selftest: Make sure we have correct group mappings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Tim Beale [Thu, 10 May 2018 04:22:06 +0000 (16:22 +1200)]
tests: Add tests for samba-tool passwordsettings commands
I've added a test case for 'samba-tool domain passwordsettings set/show'
to prove I haven't broken it. Its behaviour shouldn't have changed, but
there was no test for it previously.
We'll extend these tests in the very near future, when we add samba-tool
support for managing PSOs.
The base samba_tool test's runsubcmd() only handled commands with
exactly one sub-command, i.e. it would handle the command 'samba-tool
domain passwordsettings' OK, but not 'samba-tool domain passwordsettings
set' (The command still seemed to run OK, but you wouldn't get the
output/err back correctly). A new runsublevelcmd() function now handles
a varying number of sub-commands.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri May 11 09:06:10 CEST 2018 on sn-devel-144
Tim Beale [Thu, 3 May 2018 00:12:04 +0000 (12:12 +1200)]
netcmd: Split 'domain passwordsettings' into a super-command
The show and set options are not really related to each other at all, so
it makes sense to split the code into 2 separate commands.
We also want to add separate sub-commands for PSOs in a subsequent
patch.
Because of the way the sub-command was implemented previously, it meant
that you could specify other command-line options before the 'set' or
'show' keyword, and the command would still be accepted. However, now
that it's a super-command 'set'/'show' needs to be specified before any
additional arguments, so we need to update the test code to reflect
this.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Wed, 2 May 2018 23:48:21 +0000 (11:48 +1200)]
netcmd: Small tweak to retrieving pwdProperties
Currently the 'samba-tool domain passwordsettings' command shares a
'set' and 'show' option, but there is very little common code between
the two. The only variable that's shared is pwd_props, but there's a
separate API we can use to get this. This allows us to split the command
into a super-command in a subsequent patch.
Fixed up erroneous comments while I'm at it.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Wed, 4 Apr 2018 22:51:42 +0000 (10:51 +1200)]
dsdb: Split out construct_generic_token_groups() so we can reuse it
construct_generic_token_groups() currently works out the entire group
membership for a user, including the primaryGroupID. We want to do the
exact same thing for the msDS-ResultantPSO constructed attribute.
However, construct_generic_token_groups() currently adds the resulting
SIDs to the LDB search result, which we don't want to do for
msDS-ResultantPSO.
This patch splits the bulk of the group SID calculation work out into
a separate function that we can reuse for msDS-ResultantPSO. Basically
this is just a straight move of the existing code. The only real change
is the TALLOC_CTX is renamed (tmp_ctx --> mem_ctx) and now passed into
the new function (so freeing it if an error condition is hit is now
done in the caller).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Wed, 4 Apr 2018 22:40:03 +0000 (10:40 +1200)]
dsdb: Use attribute-name parameter for error message
We'll reuse this code for working out the msDS-ResultantPSO, so
references to 'tokenGroups' in error messages would be misleading.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Mon, 7 May 2018 05:33:51 +0000 (17:33 +1200)]
tests: Add a test case for msDS-PasswordReversibleEncryptionEnabled
Add a test for the 'msDS-PasswordReversibleEncryptionEnabled' attribute
on the PSO. The Effective-PasswordReversibleEncryptionEnabled is
based on the PSO setting (if one applies) or else the
DOMAIN_PASSWORD_STORE_CLEARTEXT bit for the domain's pwdProperties.
This indicates whether the user's cleartext password is to be stored
in the supplementalCredentials attribute (as 'Primary:CLEARTEXT').
The password_hash tests already test the cleartext behaviour, so I've
added an additional test case for PSOs. Note that supplementary-
credential information is not returned over LDAP (the password_hash
test uses a local LDB connection), so it made more sense to extend
the password_hash tests than to check this behaviour as part of the
PSO tests (i.e. rather than in password_settings.py).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Fri, 20 Apr 2018 00:50:00 +0000 (12:50 +1200)]
tests: Add test for password-lockout via SAMR RPC
The existing password_lockout tests didn't check for changing the
password via the SAMR password_change RPC. This patch adds a test-case
for this, using the default domain lockout settings (which passes), and
then repeats the same test using a PSO (which fails).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Sun, 18 Mar 2018 23:56:14 +0000 (12:56 +1300)]
tests: Add PSO test case to existing password_lockout tests
This checks that the lockout settings of the PSO take effect when one is
applied to a user. Import the password_settings code to create/apply a
PSO with the same lockout settings that the test cases normally use.
Then update the global settings so that the default lockout settings are
wildly different (i.e. so the test fails if the default lockout settings
get used instead of the PSO's).
As the password-lockout tests are quite slow, I've selected test cases
that should provide sufficient PSO coverage (rather than repeat every
single password-lockout test case in its entirety).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Wed, 11 Apr 2018 00:40:59 +0000 (12:40 +1200)]
tests: Add comments to help explain password_lockout tests
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Mon, 12 Mar 2018 02:22:24 +0000 (15:22 +1300)]
tests: Add tests for Password Settings Objects
a.k.a Fine-Grained Password Policies
These tests currently all run and pass against Windows, but fail against
Samba. (Actually, the permissions test case passes against Samba,
presumably because it's enforced by the Schema permissions).
Two helper classes have been added:
- PasswordSettings: creates a PSO object and tracks its values.
- TestUser: creates a user and tracks its password history
This allows other existing tests (e.g. password_lockout, password_hash)
to easily be extended to also cover PSOs.
Most test cases use assert_PSO_applied(), which asserts:
- the correct msDS-ResultantPSO attribute is returned
- the PSO's min-password-length, complexity, and password-history
settings are correctly enforced (this has temporarily been hobbled
until the basic constructed-attribute support is working).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Tim Beale [Thu, 10 May 2018 23:03:03 +0000 (11:03 +1200)]
tests: Split out setUp code into separate function for reuse
Any test that wants to change a password has to set the dSHeuristics
and minPwdAge first in order for the password change to work. The code
that does this is duplicated in several tests. This patch splits it out
into a static method so that the code can be reused rather than
duplicated.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>