metze/samba/wip.git
10 years ago dfs_server: get_dcs: fix pointer list termination
Arvid Requate [Mon, 31 Mar 2014 16:45:07 +0000 (18:45 +0200)]
dfs_server: get_dcs: fix pointer list termination

Should fix a potential SEGV e.g. in case searched_site == NULL and no
objects with objectClass=site are found.

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
10 years ago script to generate content for libcli/util/nterr.c & libcli/util/ntstatus.h
Noel Power [Mon, 24 Mar 2014 20:35:50 +0000 (20:35 +0000)]
script to generate content for libcli/util/nterr.c & libcli/util/ntstatus.h

A ropey script to generate some missing NT_STATUS error codes and
descriptions. The script generates ntstatus.c & ntstatus.h
whose contents are used to extend the existing contents of
libcli/util/nterr.c & libcli/util/ntstatus.h

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  2 22:40:06 CEST 2014 on sn-devel-104

10 years ago Add error codes and message descriptions for NTSTATUS
Noel Power [Mon, 24 Mar 2014 17:19:54 +0000 (17:19 +0000)]
Add error codes and message descriptions for NTSTATUS

Error codes and descriptions were autogenerated from [MS-ERREF]
see http://msdn.microsoft.com/en-us/library/cc704588.aspx
Additionally some missing error descriptions for existing errors were
identified and generated.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago Use correct error code value for NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
Noel Power [Mon, 24 Mar 2014 19:19:42 +0000 (19:19 +0000)]
Use correct error code value for NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago script to generate libcli/util/hresult.c & libcli/util/hresult.h
Noel Power [Mon, 24 Mar 2014 15:02:45 +0000 (15:02 +0000)]
script to generate libcli/util/hresult.c & libcli/util/hresult.h

This hacky script was used to generate the contents of libcli/util/hresult.c
& libcli/util/hresult.h. It expects the table contents of
http://msdn.microsoft.com/en-us/library/cc704587.aspx cut'n'pasted into
the text file specified as its single required input param

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago Allow FSRVP access generic HRESULT error message descriptions
Noel Power [Mon, 24 Mar 2014 11:52:48 +0000 (11:52 +0000)]
Allow FSRVP access generic HRESULT error message descriptions

FSRVP can possibly return any HRESULT error in addition to its own
specific errors. This change searches the HRESULT errors for a description
if the error doesn't match any of the known FSRVP ones.
Also removed some errors defined in fsrvp.idl (now that they are defined
in hresult.h)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago Add autogenerated HRESULT error codes and descriptions from MS_ERREF
Noel Power [Mon, 10 Mar 2014 11:00:38 +0000 (11:00 +0000)]
Add autogenerated HRESULT error codes and descriptions from MS_ERREF

error codes & string descriptions are generated from
http://msdn.microsoft.com/en-us/library/cc704587.aspx, additionally there
is a function to return the error description from the error code,
this function will also try to determine the error description
associated with a W_ERROR code translated as a HRESULT.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Add testing of account lockout and password change behaviour
Andrew Bartlett [Thu, 31 Oct 2013 03:57:10 +0000 (16:57 +1300)]
torture-samr: Add testing of account lockout and password change behaviour

This is the regression test to avoid a repeat of CVE-2013-4496

This includes confirming that badPwdCount is updated on login, not just on first failure

However the badPwdCount is not updated if the account is disabled

Note that samr_QueryUserInfo returns the effective bad_password_count in level
5, 16 and 21, while it returns the raw value in level 3.

(Sadly the s3 code does not do this correctly, so a knownfail is added)

Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  2 19:30:59 CEST 2014 on sn-devel-104

10 years ago selftest: Run rpc.samr.passwords.badpwdcount against s3dc
Andrew Bartlett [Mon, 4 Nov 2013 22:43:41 +0000 (11:43 +1300)]
selftest: Run rpc.samr.passwords.badpwdcount against s3dc

Change-Id: I9529def954521bf8ab05212759a2ef6bbe9913f8
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Add test for lockout with and without a password history
Andrew Bartlett [Sun, 16 Mar 2014 08:14:51 +0000 (21:14 +1300)]
torture-samr: Add test for lockout with and without a password history

Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Improve rpc.samr.passwords.badpwdcount test
Andrew Bartlett [Mon, 9 Dec 2013 01:25:06 +0000 (14:25 +1300)]
torture-samr: Improve rpc.samr.passwords.badpwdcount test

Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago selftest: Add test for password lockout
Andrew Bartlett [Sun, 24 Nov 2013 21:03:05 +0000 (10:03 +1300)]
selftest: Add test for password lockout

Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Allow SAMR server to return the computed, not actual badPwdCount
Andrew Bartlett [Tue, 25 Mar 2014 22:32:05 +0000 (11:32 +1300)]
dsdb: Allow SAMR server to return the computed, not actual badPwdCount

This matters after the lockout observation period has expired.

Note that QueryUserInfo level 3 returns the raw badPwdCount value.

Andrew Bartlett

Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4:rpc_server/samr: pass down unmodified acct_flags to the ldb layer.
Stefan Metzmacher [Tue, 25 Mar 2014 06:12:04 +0000 (07:12 +0100)]
s4:rpc_server/samr: pass down unmodified acct_flags to the ldb layer.

The samldb module will handle the verification and magic.

Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:dsdb/samldb: rework samldb_user_account_control_change()
Stefan Metzmacher [Tue, 25 Mar 2014 06:10:02 +0000 (07:10 +0100)]
s4:dsdb/samldb: rework samldb_user_account_control_change()

- Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags
  (combined with msDS-User-Account-Control-Computed) results in
  lockoutTime=0 (implying badPwdCount=0).

- We also do more validation of the account type flags now.

Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK
Stefan Metzmacher [Tue, 1 Apr 2014 11:21:35 +0000 (13:21 +0200)]
libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK

Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
Stefan Metzmacher [Tue, 1 Apr 2014 08:54:27 +0000 (10:54 +0200)]
s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()

Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"!

Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4-samr: Escape the username in the LDAP filter
Andrew Bartlett [Mon, 17 Mar 2014 00:33:18 +0000 (13:33 +1300)]
s4-samr: Escape the username in the LDAP filter

Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4-auth: Support password history correctly, including allowing NTLM logins using...
Andrew Bartlett [Sun, 10 Nov 2013 21:38:03 +0000 (10:38 +1300)]
s4-auth: Support password history correctly, including allowing NTLM logins using the old password

This is only done during a 1 hour allowed period, by default.

We only update bad password count when not one of the last 3 passwords

Andrew Bartlett

Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 years ago lib/param: Add new parameter "old password allowed period"
Andrew Bartlett [Mon, 9 Dec 2013 01:23:49 +0000 (14:23 +1300)]
lib/param: Add new parameter "old password allowed period"

Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: check type with talloc_get_type_abort in samdb_set_password
Andrew Bartlett [Mon, 2 Dec 2013 02:44:37 +0000 (15:44 +1300)]
dsdb: check type with talloc_get_type_abort in samdb_set_password

Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Implement password lockout on LDAP password changes
Andrew Bartlett [Wed, 6 Nov 2013 04:11:18 +0000 (17:11 +1300)]
dsdb: Implement password lockout on LDAP password changes

To do this, and have the badPwdCount update stick, we must abort,
open, close and reopen transactions such that the badPwdCount update
is in its own transaction.

To ensure the tests can confirm the correct behaviour here, we must
output the Windows error code in the error message.

Andrew Bartlett

Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
Andrew Bartlett [Thu, 28 Nov 2013 03:18:31 +0000 (16:18 +1300)]
dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c

This allows the password_hash code to call the same update routine.

Andrew Bartlett

Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago auth: Split out badPwdCount update into a helper function
Andrew Bartlett [Thu, 28 Nov 2013 02:42:07 +0000 (15:42 +1300)]
auth: Split out badPwdCount update into a helper function

This will allow password_hash to call this using dsdb_module_*() functions.

Andrew Bartlett

Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
Andrew Bartlett [Tue, 26 Nov 2013 02:32:18 +0000 (15:32 +1300)]
kdc: call authsam_zero_bad_pwd_count on successful AS-REQ

Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
Andrew Bartlett [Tue, 29 Oct 2013 21:50:19 +0000 (10:50 +1300)]
kdc: Include values from msDS-User-Account-Control-Computed when checking user flags

Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago kdc: Set flags.locked_out on a locked-out user.
Andrew Bartlett [Mon, 28 Oct 2013 23:31:46 +0000 (12:31 +1300)]
kdc: Set flags.locked_out on a locked-out user.

This only changes the log output, the same error is still returned

Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago heimdal: Only indicate successful authentication after successful authz
Andrew Bartlett [Tue, 18 Feb 2014 00:53:38 +0000 (13:53 +1300)]
heimdal: Only indicate successful authentication after successful authz

This is needed to match Windows behaviour for NTLM logins.

Andrew Bartlett

Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is...
Andrew Bartlett [Mon, 25 Nov 2013 01:13:02 +0000 (14:13 +1300)]
heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out

Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago heimdal: Do not attempt password authentication for locked out accounts
Andrew Bartlett [Thu, 28 Nov 2013 00:28:29 +0000 (13:28 +1300)]
heimdal: Do not attempt password authentication for locked out accounts

Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on...
Andrew Bartlett [Sun, 10 Nov 2013 22:35:12 +0000 (11:35 +1300)]
s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login

Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0
Stefan Metzmacher [Tue, 25 Mar 2014 06:23:04 +0000 (07:23 +0100)]
s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0

See [MS-SAMR] 3.1.1.8.3 lockoutTime.

Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago dsdb: collapse wrong password and no-password-hash errors into one handler
Andrew Bartlett [Tue, 26 Nov 2013 04:04:46 +0000 (17:04 +1300)]
dsdb: collapse wrong password and no-password-hash errors into one handler

This avoids giving away too much information to an attacker.

Andrew Bartlett

Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Add samdb_result_passwords_from_history helper function
Andrew Bartlett [Sun, 10 Nov 2013 21:37:38 +0000 (10:37 +1300)]
dsdb: Add samdb_result_passwords_from_history helper function

Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4-auth: Rework memory handling to use a tmp_ctx
Andrew Bartlett [Sun, 10 Nov 2013 21:32:58 +0000 (10:32 +1300)]
s4-auth: Rework memory handling to use a tmp_ctx

Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago samba-tool add password lockout handling to samba-tool domain passwordsettings
Andrew Bartlett [Fri, 8 Nov 2013 00:38:22 +0000 (13:38 +1300)]
samba-tool add password lockout handling to samba-tool domain passwordsettings

Change-Id: I291924785b505b26b91152c0c13b4afd4de068a6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: give a better error message and return code on failed password change
Andrew Bartlett [Wed, 6 Nov 2013 02:54:17 +0000 (15:54 +1300)]
dsdb: give a better error message and return code on failed password change

Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4:auth: Add password lockout support to the AD DC
Andrew Bartlett [Tue, 5 Nov 2013 21:39:42 +0000 (10:39 +1300)]
s4:auth: Add password lockout support to the AD DC

Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Put password lockout support in samdb_result_passwords()
Andrew Bartlett [Mon, 4 Nov 2013 08:37:17 +0000 (21:37 +1300)]
dsdb: Put password lockout support in samdb_result_passwords()

This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User...
Andrew Bartlett [Tue, 29 Oct 2013 04:30:18 +0000 (17:30 +1300)]
dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed

This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed
Andrew Bartlett [Tue, 29 Oct 2013 02:44:15 +0000 (15:44 +1300)]
dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed

This assists in testing this aspect of
msDS-User-Account-Control-Computed, and is exposed in AD for clients
to query.

Andrew Bartlett

Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb-operational: Implement msDS-User-Account-Control-Computed
Andrew Bartlett [Tue, 29 Oct 2013 02:38:08 +0000 (15:38 +1300)]
dsdb-operational: Implement msDS-User-Account-Control-Computed

This is needed to get consistent account lockout support across the whole server.

Andrew Bartlett

Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb-operational: Use a list for the extra attributes that may be required
Andrew Bartlett [Mon, 28 Oct 2013 23:30:58 +0000 (12:30 +1300)]
dsdb-operational: Use a list for the extra attributes that may be required

Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s4:auth/sam: use a higher time resolution in authsam_account_ok()
Stefan Metzmacher [Mon, 31 Mar 2014 11:35:25 +0000 (13:35 +0200)]
s4:auth/sam: use a higher time resolution in authsam_account_ok()

Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:dsdb/util_samr: simplify dsdb_add_user()
Stefan Metzmacher [Wed, 26 Mar 2014 00:25:34 +0000 (01:25 +0100)]
s4:dsdb/util_samr: simplify dsdb_add_user()

We can specify userAccountControl on the ldb_add() call.

Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago selftest: Run rpc.samr.passwords.lockout against the s3dc environment
Andrew Bartlett [Sun, 3 Nov 2013 23:30:55 +0000 (12:30 +1300)]
selftest: Run rpc.samr.passwords.lockout against the s3dc environment

Change-Id: I7ee562cbf1e067ed90b22e212002e88752450e34
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dsdb-tests: Remove pointless creation of ldaptestou
Andrew Bartlett [Sun, 16 Mar 2014 09:17:51 +0000 (22:17 +1300)]
dsdb-tests: Remove pointless creation of ldaptestou

This is not used in this test, and is not removed by the test either.

Andrew Bartlett

Change-Id: I34366d469a1ebed04c3cea5a7f206cb0bf433e03
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed
Andrew Bartlett [Sun, 16 Mar 2014 09:59:32 +0000 (22:59 +1300)]
torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed

Change-Id: I349d8ac77a98b934cd4b11b01a96a231097eeeed
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test...
Andrew Bartlett [Thu, 5 Dec 2013 03:57:49 +0000 (16:57 +1300)]
torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results

For "samba3" we use 60 seconds as in test_Password_lockout().

Change-Id: I886eb83d4c620e4d719a38ec47b45bacd1406b9d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked
Andrew Bartlett [Thu, 7 Nov 2013 04:04:14 +0000 (17:04 +1300)]
torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked

Change-Id: Iea9040bc7130f8b779c35bd367a9915633cd494d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: set min password age to 0 for lockout and badpwdcount tests
Andrew Bartlett [Fri, 8 Nov 2013 03:21:39 +0000 (16:21 +1300)]
torture-samr: set min password age to 0 for lockout and badpwdcount tests

Change-Id: I0d44fcc712e6f239d9adc739fdafc1b20dd2beba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Make failures easier to trace with torture_assert
Andrew Bartlett [Thu, 31 Oct 2013 03:57:47 +0000 (16:57 +1300)]
torture-samr: Make failures easier to trace with torture_assert

Change-Id: I729ba2f0a0501575357977754401a0cb40d95b34
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Indent samba3-skip block
Andrew Bartlett [Wed, 30 Oct 2013 01:16:27 +0000 (14:16 +1300)]
torture-samr: Indent samba3-skip block

Change-Id: I2bb9f175e61401606742737a883604b922044ea5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty...
Andrew Bartlett [Wed, 30 Oct 2013 01:16:03 +0000 (14:16 +1300)]
torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings

Change-Id: I00d66ecd84cd1a7d733f491d19328cec93ba8d2b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
Andrew Bartlett [Mon, 25 Nov 2013 01:09:48 +0000 (14:09 +1300)]
kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT

Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS
Andrew Bartlett [Mon, 25 Nov 2013 01:09:26 +0000 (14:09 +1300)]
ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS

This is better than just LDB_ERR_OPERATIONS_ERROR for all errors.

Andrew Bartlett

Change-Id: Id832cf02fcd1dc0347d5ab9eb9a2db78fda39dc6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago auth: Pass through error from GENSEC sub-mechanism
Andrew Bartlett [Mon, 25 Nov 2013 01:08:38 +0000 (14:08 +1300)]
auth: Pass through error from GENSEC sub-mechanism

This allows wrong-password or account-locked-out errors to be passed
through from Kerberos (gssapi).

Andrew Bartlett

Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago selftest: make blackbox_setpassword.sh test run independently
Andrew Bartlett [Fri, 14 Feb 2014 10:13:37 +0000 (23:13 +1300)]
selftest: make blackbox_setpassword.sh test run independently

Change-Id: I8f3cdfc2c66800f9a1e11aec4f25a42752b6b205
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s3-auth: Do not reset bad password count to 0 if account is disabled
Andrew Bartlett [Thu, 5 Dec 2013 03:06:46 +0000 (16:06 +1300)]
s3-auth: Do not reset bad password count to 0 if account is disabled

Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security
Andrew Bartlett [Thu, 31 Oct 2013 03:59:16 +0000 (16:59 +1300)]
s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security

Change-Id: I43792711543e25c50c29ab5a24d16f614c670cca
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture/samr: Re-open the user when checking for ACB_AUTOLOCK
Andrew Bartlett [Mon, 25 Nov 2013 04:23:53 +0000 (17:23 +1300)]
torture/samr: Re-open the user when checking for ACB_AUTOLOCK

This flag appears to be cached from the open, so the test incorrectly
indicated that the flag was not set over SAMR.

Andrew Bartlett

Change-Id: I2f1f017191dddb6c2ac496712064fa1b6b48be53
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago torture-samr: Set lockout_seconds to 60 for samba3
Andrew Bartlett [Sun, 3 Nov 2013 23:26:18 +0000 (12:26 +1300)]
torture-samr: Set lockout_seconds to 60 for samba3

The source3 account policy code deals with lockouts in terms of
minutes, not nanoseconds, so we have to lock out for at least 60
seconds otherwise we do not wait long enough.

Andrew Bartlett.

Change-Id: I2b30d1c0d9b020b3aba6ed3343361e9a576b7d9a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
Andrew Bartlett [Wed, 30 Oct 2013 01:09:15 +0000 (14:09 +1300)]
s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout

This was not noticed previously because the test was not run.

Andrew Bartlett

Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
10 years ago dlinklist: Fix a typo
Volker Lendecke [Wed, 2 Apr 2014 12:52:01 +0000 (14:52 +0200)]
dlinklist: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Apr  2 17:11:37 CEST 2014 on sn-devel-104

10 years ago selftest: Rename wbinfo_s3 to wbinfo_simple and reorder code for clarity
Andrew Bartlett [Mon, 31 Mar 2014 01:02:18 +0000 (14:02 +1300)]
selftest: Rename wbinfo_s3 to wbinfo_simple and reorder code for clarity

Change-Id: Ic2e06e448fce1d91422b711abf663b9253009a53
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Wed Apr  2 13:07:24 CEST 2014 on sn-devel-104

10 years ago winbindd: Ensure we do not look at rid_array before checking if it was returned
Andrew Bartlett [Fri, 28 Mar 2014 03:30:28 +0000 (16:30 +1300)]
winbindd: Ensure we do not look at rid_array before checking if it was returned

We no longer return early if there are no members, we just return an empty array.

Change-Id: I7b0949e0c0b9277426a8007514a8658615f6c709
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
10 years ago s3-auth: Add prototype for plugin function to reduce warnings in auth_samba4
Andrew Bartlett [Tue, 1 Apr 2014 23:12:39 +0000 (12:12 +1300)]
s3-auth: Add prototype for plugin function to reduce warnings in auth_samba4

Change-Id: I0aa703bb2766f1353a176a0c3f25424bbc4953f5
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
10 years ago s3-auth: Remember to always free the talloc_stackframe() in auth_samba4
Andrew Bartlett [Tue, 1 Apr 2014 23:12:14 +0000 (12:12 +1300)]
s3-auth: Remember to always free the talloc_stackframe() in auth_samba4

Change-Id: I94469de9d463ee90365bae43094231efaf0a7d8c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
10 years ago auth_samba4: Fix auth_samba4 to correctly provide a messaging context for itself
Andrew Bartlett [Wed, 26 Mar 2014 20:18:04 +0000 (09:18 +1300)]
auth_samba4: Fix auth_samba4 to correctly provide a messaging context for itself

This is done by calling make_auth4_context_s4(), avoiding code duplication.

Change-Id: I3a3bf4e4273f27078c308d55102e4a1f4b052d17
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
10 years ago s3-auth: Finally change make_user_info_*() to use a parent talloc context
Andrew Bartlett [Wed, 26 Mar 2014 20:17:15 +0000 (09:17 +1300)]
s3-auth: Finally change make_user_info_*() to use a parent talloc context

Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
10 years ago wafsamba: explicitly use allow_warnings=True for SAMBA_PYTHON()
Stefan Metzmacher [Wed, 26 Feb 2014 06:34:51 +0000 (07:34 +0100)]
wafsamba: explicitly use allow_warnings=True for SAMBA_PYTHON()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  2 11:04:36 CEST 2014 on sn-devel-104

10 years ago s4:torture/wscript_build: explicitly use allow_warnings=True where needed
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:torture/wscript_build: explicitly use allow_warnings=True where needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:torture/winbind: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:torture/winbind: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:torture/smb2: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:torture/smb2: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:torture/libnetapi: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:torture/libnetapi: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:ntvfs/unixuid: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:ntvfs/unixuid: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:rpc_server: explicitly use allow_warnings=True where needed
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:rpc_server: explicitly use allow_warnings=True where needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:kdc: explicitly use allow_warnings=True for MIT_SAMBA
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:kdc: explicitly use allow_warnings=True for MIT_SAMBA

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modules
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:auth/gensec: explicitly use allow_warnings=True for gssapi and sasl modules

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:librpc: explicitly use allow_warnings=True where needed
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:librpc: explicitly use allow_warnings=True where needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:lib/tls: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:lib/tls: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:lib/registry: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:lib/registry: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:lib/messaging: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:lib/messaging: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:lib/events: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:lib/events: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:lib/com: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:lib/com: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s3:wscript_build: explicitly use allow_warnings=True where needed
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s3:wscript_build: explicitly use allow_warnings=True where needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s3:rpc_server: explicitly use allow_warnings=True for RPC_SPOOLSS
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s3:rpc_server: explicitly use allow_warnings=True for RPC_SPOOLSS

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s3:pam_smbpass: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s3:pam_smbpass: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s3:modules: explicitly use allow_warnings=True where needed
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s3:modules: explicitly use allow_warnings=True where needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago auth/kerberos: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
auth/kerberos: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/socket_wrapper: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/socket_wrapper: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/zlib: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/zlib: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/popt: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/popt: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/ldb: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/ldb: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/ntdb: explicitly use allow_warnings=True for ntdb-test-helpers
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/ntdb: explicitly use allow_warnings=True for ntdb-test-helpers

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago lib/ccan: explicitly use allow_warnings=True
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
lib/ccan: explicitly use allow_warnings=True

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago s4:heimdal_build: explicitly pass allow_warnings=True to CURRENT_CFLAGS()
Stefan Metzmacher [Wed, 26 Feb 2014 06:35:22 +0000 (07:35 +0100)]
s4:heimdal_build: explicitly pass allow_warnings=True to CURRENT_CFLAGS()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago wafsamba: add optional allow_warnings(default=True) to SAMBA_{SUBSYSTEM,LIBRARY,MODULE}()
Stefan Metzmacher [Wed, 19 Feb 2014 14:48:34 +0000 (15:48 +0100)]
wafsamba: add optional allow_warnings(default=True) to SAMBA_{SUBSYSTEM,LIBRARY,MODULE}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago wafsamba: add an optional allow_warnings(default=True) to CURRENT_CFLAGS()
Stefan Metzmacher [Wed, 19 Feb 2014 14:48:34 +0000 (15:48 +0100)]
wafsamba: add an optional allow_warnings(default=True) to CURRENT_CFLAGS()

-Werror is now remembered in PICKY_CFLAGS and only added if
allow_warnings is False.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
10 years ago wafsamba: split out a conf.ADD_NAMED_CFLAGS() function
Stefan Metzmacher [Wed, 19 Feb 2014 14:48:34 +0000 (15:48 +0100)]
wafsamba: split out a conf.ADD_NAMED_CFLAGS() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>