samba.git
2 years agotdb: Test for readonly lock upgrade bug
Volker Lendecke [Tue, 8 Nov 2016 16:01:56 +0000 (17:01 +0100)]
tdb: Test for readonly lock upgrade bug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 11 00:33:31 CEST 2017 on sn-devel-144

2 years agotdb: Do lock upgrades properly
Volker Lendecke [Mon, 7 Nov 2016 20:40:15 +0000 (21:40 +0100)]
tdb: Do lock upgrades properly

When a process holds a readlock and wants to upgrade, this needs to be
reflected in the underlying lock. Without this, it is possible to cheat:
One process holds a readlock, and another process wants to write this
record. All the writer has to do is take a readonly lock on the key and
then do the store.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotdb: Fix some signed/unsigned hickups
Volker Lendecke [Mon, 7 Nov 2016 20:38:58 +0000 (21:38 +0100)]
tdb: Fix some signed/unsigned hickups

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoselftest: Test for bug 12558
Volker Lendecke [Fri, 7 Apr 2017 14:33:57 +0000 (16:33 +0200)]
selftest: Test for bug 12558

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agothird_party: Add cmocka 1.1.1
Andreas Schneider [Fri, 7 Apr 2017 13:44:05 +0000 (15:44 +0200)]
third_party: Add cmocka 1.1.1

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 10 11:38:13 CEST 2017 on sn-devel-144

2 years agowafsamba: Add CHECK_CMOCKA function
Andreas Schneider [Fri, 7 Apr 2017 13:44:22 +0000 (15:44 +0200)]
wafsamba: Add CHECK_CMOCKA function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2 years agoauth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
Volker Lendecke [Sun, 19 Feb 2017 14:37:51 +0000 (15:37 +0100)]
auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()

This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144

2 years agoauth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
Stefan Metzmacher [Fri, 17 Mar 2017 15:53:27 +0000 (16:53 +0100)]
auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()

make_auth3_context_for_ntlm() was the only caller of
make_auth_context_subsystem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
Stefan Metzmacher [Fri, 17 Mar 2017 15:51:45 +0000 (16:51 +0100)]
auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon

If some needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
Stefan Metzmacher [Thu, 16 Mar 2017 14:45:32 +0000 (15:45 +0100)]
auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC

This will be used in the s3 netlogon server in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
Stefan Metzmacher [Fri, 17 Mar 2017 18:35:24 +0000 (19:35 +0100)]
auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication

We should not do anonymous authentication nor a fallback that
ignores the domain part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: remove unused map_user_info[_cracknames]()
Stefan Metzmacher [Fri, 17 Mar 2017 15:21:05 +0000 (16:21 +0100)]
auth4: remove unused map_user_info[_cracknames]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: avoid map_user_info() in auth_check_password_send()
Stefan Metzmacher [Fri, 17 Mar 2017 15:19:10 +0000 (16:19 +0100)]
auth4: avoid map_user_info() in auth_check_password_send()

The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: improve authsam_want_check for upn authentication
Stefan Metzmacher [Fri, 17 Mar 2017 15:31:02 +0000 (16:31 +0100)]
auth4: improve authsam_want_check for upn authentication

We need to check if the upn suffix is within our forest.
The check if it's within our domain is done in
authsam_check_password_internals() after calling
crack_name_to_nt4_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
Stefan Metzmacher [Fri, 17 Mar 2017 13:57:33 +0000 (14:57 +0100)]
auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's

Currently the caller does this before calling the auth backends,
but that should change in order to support trusted domains correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
Stefan Metzmacher [Wed, 22 Mar 2017 09:45:25 +0000 (10:45 +0100)]
auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER

We hopefully remove this role in future, but for now we should do this
correct and fallback to sam_ignoredomain at the end of the auth chain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC

It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: add a "sam_failtrusts" module
Stefan Metzmacher [Wed, 22 Mar 2017 09:37:22 +0000 (10:37 +0100)]
auth4: add a "sam_failtrusts" module

This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.

This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.

This is just a temporary solution, until we have full
async support in the gensec/auth4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:selftest: run test_trust_ntlm.sh against various environments
Stefan Metzmacher [Thu, 6 Apr 2017 17:44:16 +0000 (19:44 +0200)]
s4:selftest: run test_trust_ntlm.sh against various environments

This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.

Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.

If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: add test_trust_ntlm.sh
Stefan Metzmacher [Wed, 29 Mar 2017 09:41:31 +0000 (11:41 +0200)]
testprogs/blackbox: add test_trust_ntlm.sh

This verifies that various domain/realm and username
combinations map to the correct user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: allow wbinfo -a REALM\\user to work on a DC
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:48 +0000 (00:19 +0200)]
winbindd: allow wbinfo -a REALM\\user to work on a DC

find_domain_from_name_noinit() find the correct domain based
on domain->alt_name, but the child for the local domain
fails to detect that winbindd_dual_auth_passdb() should be
used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
Stefan Metzmacher [Thu, 6 Apr 2017 13:34:01 +0000 (15:34 +0200)]
auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()

We also accept the domain to be the realm string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: add test_rpcclient_*_grep helper functions
Stefan Metzmacher [Wed, 29 Mar 2017 09:53:41 +0000 (11:53 +0200)]
testprogs/blackbox: add test_rpcclient_*_grep helper functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: use subunit_ helper functions in test_smbclient_*
Stefan Metzmacher [Wed, 29 Mar 2017 09:53:18 +0000 (11:53 +0200)]
testprogs/blackbox: use subunit_ helper functions in test_smbclient_*

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: make sure we don't have any umask limitations for selftest
Stefan Metzmacher [Fri, 7 Apr 2017 08:39:31 +0000 (10:39 +0200)]
selftest: make sure we don't have any umask limitations for selftest

We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4: process_standard: Add a simplified SIGTERM handler based on code from source4...
Jeremy Allison [Fri, 7 Apr 2017 22:45:41 +0000 (15:45 -0700)]
s4: process_standard: Add a simplified SIGTERM handler based on code from source4/smbd/server.c. Use from a tevent handler added to standard_accept_connection() and standard_new_task()

Allows us to be independent of parent SIGTERM signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr  8 16:21:57 CEST 2017 on sn-devel-144

2 years agos4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection...
Jeremy Allison [Fri, 7 Apr 2017 22:31:57 +0000 (15:31 -0700)]
s4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection() and standard_new_task().

This makes us independent of parent SIGHUP signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Add return checking for tevent_add_fd() to standard_accept_conn...
Jeremy Allison [Fri, 7 Apr 2017 22:12:51 +0000 (15:12 -0700)]
s4: process_standard: Add return checking for tevent_add_fd() to standard_accept_connection() and standard_new_task().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Always free tevent_context before exit().
Jeremy Allison [Fri, 7 Apr 2017 22:10:09 +0000 (15:10 -0700)]
s4: process_standard: Always free tevent_context before exit().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Move talloc_free of event context so it is last thing freed...
Jeremy Allison [Fri, 7 Apr 2017 22:08:13 +0000 (15:08 -0700)]
s4: process_standard: Move talloc_free of event context so it is last thing freed before exit().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3:tests: Create a test directory for a clean test
Andreas Schneider [Tue, 4 Apr 2017 09:07:36 +0000 (11:07 +0200)]
s3:tests: Create a test directory for a clean test

The test fails on openSUSE Tumbleweed with:

NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \foo\bar\testfile

This cleans up the code to create a directory 'test' which can be
completely removed so nothing will stay behind. It also makes sure that
all parent directories are created and the files have some content.

https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 12:29:19 CEST 2017 on sn-devel-144

2 years agodocs: fixup smbclient rename -f option
Uri Simchoni [Fri, 7 Apr 2017 18:10:47 +0000 (21:10 +0300)]
docs: fixup smbclient rename -f option

Fixup documentation of new -f option of the smbclient
rename command. This command is supported by SMB1 and
SMB2.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 02:38:16 CEST 2017 on sn-devel-144

2 years agowinbindd: error handling in rpc_lookup_sids()
Ralph Boehme [Sun, 26 Mar 2017 06:22:13 +0000 (08:22 +0200)]
winbindd: error handling in rpc_lookup_sids()

NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.

In case we got NT_STATUS_NONE_MAPPED we must have to ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
Ralph Boehme [Sat, 1 Apr 2017 14:51:07 +0000 (16:51 +0200)]
s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED

NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/rpc_client: use NT_STATUS_LOOKUP_ERR
Ralph Boehme [Sat, 1 Apr 2017 14:56:39 +0000 (16:56 +0200)]
s3/rpc_client: use NT_STATUS_LOOKUP_ERR

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/include: add NT_STATUS_LOOKUP_ERR
Ralph Boehme [Sat, 1 Apr 2017 14:44:45 +0000 (16:44 +0200)]
s3/include: add NT_STATUS_LOOKUP_ERR

Useful helper macro to check the return value of LSA and SAMR
translations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos4/torture: vfs_fruit: test for bug 12565
Ralph Boehme [Tue, 7 Feb 2017 14:13:15 +0000 (15:13 +0100)]
s4/torture: vfs_fruit: test for bug 12565

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agovfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
Ralph Boehme [Tue, 7 Feb 2017 06:44:40 +0000 (07:44 +0100)]
vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY

When receiving an SMB create request with read-only access mode and
open_if disposition, we end of calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.

If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.

Running this create requests against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create dispotion is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agosmbd: Fix smb1 findfirst with DFS
Volker Lendecke [Thu, 6 Apr 2017 20:12:36 +0000 (22:12 +0200)]
smbd: Fix smb1 findfirst with DFS

9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoWHATSNEW: Deprecate "auth methods" and "map untrusted to domain"
Stefan Metzmacher [Fri, 7 Apr 2017 09:21:20 +0000 (11:21 +0200)]
WHATSNEW: Deprecate "auth methods" and "map untrusted to domain"

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 20:42:39 CEST 2017 on sn-devel-144

2 years agos3:ntlm_auth: fix memory leak in manage_gensec_request()
Stefan Metzmacher [Tue, 4 Apr 2017 09:52:56 +0000 (11:52 +0200)]
s3:ntlm_auth: fix memory leak in manage_gensec_request()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agopython: Add a simple pam_winbind test
Andreas Schneider [Wed, 5 Apr 2017 13:59:39 +0000 (15:59 +0200)]
python: Add a simple pam_winbind test

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 14:19:23 CEST 2017 on sn-devel-144

2 years agolib: Add pam_wrapper 1.0.3
Andreas Schneider [Wed, 29 Mar 2017 13:55:53 +0000 (15:55 +0200)]
lib: Add pam_wrapper 1.0.3

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agouid_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
uid_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoresolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
resolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonss_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
nss_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoscript/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values
Stefan Metzmacher [Fri, 7 Apr 2017 07:26:53 +0000 (09:26 +0200)]
script/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest: tests idmap mapping with idmap_rid
Ralph Boehme [Wed, 5 Apr 2017 11:27:51 +0000 (13:27 +0200)]
selftest: tests idmap mapping with idmap_rid

This adds two blackbox tests that run wbinfo --sids-to-unix-ids:

o a non-existing SID from the primary domain should return a mapping

o a SID with a bogus (and therefor unknown) domain must not return a mapping

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr  7 00:05:02 CEST 2017 on sn-devel-144

2 years agoselftest: new environment "ad_member_idmap_rid"
Ralph Boehme [Wed, 5 Apr 2017 11:27:14 +0000 (13:27 +0200)]
selftest: new environment "ad_member_idmap_rid"

This uses idmap_rid for the primary domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: remove unused single_domains array
Ralph Boehme [Tue, 4 Apr 2017 12:23:03 +0000 (14:23 +0200)]
winbindd: remove unused single_domains array

This was added as part of 9be918116e356c358ef77cc2933e471090088293, but
is not needed anymore as the previous commit changed the logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: use correct domain name for failed lookupsids
Ralph Boehme [Tue, 4 Apr 2017 12:21:25 +0000 (14:21 +0200)]
winbindd: use correct domain name for failed lookupsids

What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.

But as a domain member, using

  state->single_domains[state->single_sids_done]

for this purpose will always be use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).

So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years agoselftest: fix for wbinfo -s tests for wellknown SIDs
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: fix for wbinfo -s tests for wellknown SIDs

Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Ralph Boehme [Sun, 2 Apr 2017 11:42:45 +0000 (13:42 +0200)]
winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()

Those are implicitly already catched by the

  if (sid->num_auths != 5)

check, but I'd like to make the desired behaviour more obvious.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agoidmap_ldap: Fix CID 1404836 Dereference before null check
Volker Lendecke [Thu, 6 Apr 2017 09:35:23 +0000 (11:35 +0200)]
idmap_ldap: Fix CID 1404836 Dereference before null check

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Apr  6 19:31:25 CEST 2017 on sn-devel-144

2 years agoctdb-docs: Fix documentation of -n option to ctdb tool
Amitay Isaacs [Thu, 6 Apr 2017 02:20:21 +0000 (12:20 +1000)]
ctdb-docs: Fix documentation of -n option to ctdb tool

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12733

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2 years agowinbindd: let WBFLAG_PAM_GET_PWD_POLICY only fake the password policy
Stefan Metzmacher [Tue, 4 Apr 2017 07:24:11 +0000 (09:24 +0200)]
winbindd: let WBFLAG_PAM_GET_PWD_POLICY only fake the password policy

As WBFLAG_PAM_GET_PWD_POLICY is only kept for legacy external callers
of libwbclient, we should avoid having the complexity to do additional
network roundtrips to our domain, while we still can't garantee that
the returned password policy actually represents the reality for
the current authentication.

Instead we're calculating r->data.auth.policy.expire and
r->data.auth.policy.min_passwordage based on the effective
{last,allow,force}_password_change values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr  6 14:03:09 CEST 2017 on sn-devel-144

2 years agopam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:25 +0000 (00:19 +0200)]
pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating

The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.

The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies makes
this a very complex task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2 years agotests dsdb: load paramaters from test environment
Gary Lockyer [Mon, 3 Apr 2017 20:56:47 +0000 (08:56 +1200)]
tests dsdb: load paramaters from test environment

Load the test environment specific parameters

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 10:06:05 CEST 2017 on sn-devel-144

2 years agopassword_hash: refactor setup_supplemental_field
Gary Lockyer [Thu, 30 Mar 2017 20:17:07 +0000 (09:17 +1300)]
password_hash: refactor setup_supplemental_field

refactored to make it easier to add extra password hashes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_hash: Add tests to allow refactoring
Gary Lockyer [Fri, 31 Mar 2017 02:50:31 +0000 (15:50 +1300)]
password_hash: Add tests to allow refactoring

Add tests for password_hash.c to allow refactoring of setup_supplemental_field

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: fix SID composition in a test script
Ralph Boehme [Wed, 5 Apr 2017 09:13:43 +0000 (11:13 +0200)]
selftest: fix SID composition in a test script

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr  5 17:59:32 CEST 2017 on sn-devel-144

2 years agorpcclient: allow -U'OTHERDOMAIN\user' again
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:40 +0000 (00:19 +0200)]
rpcclient: allow -U'OTHERDOMAIN\user' again

I guess the primary reason for forcing lp_workgroup()
was the usage of -U% together with schannel,
see source3/script/tests/test_rpcclient_samlogon.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12731

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  5 14:09:23 CEST 2017 on sn-devel-144

2 years agoctdb-daemon: Add tracking of migration records
Amitay Isaacs [Tue, 21 Mar 2017 05:48:45 +0000 (16:48 +1100)]
ctdb-daemon: Add tracking of migration records

Instead of using hopcount as a metric for hot records, use the number
of migrations per second as a metric.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr  5 08:35:45 CEST 2017 on sn-devel-144

2 years agoctdb-daemon: For hot records, use count instead of hopcount
Amitay Isaacs [Mon, 3 Apr 2017 07:32:32 +0000 (17:32 +1000)]
ctdb-daemon: For hot records, use count instead of hopcount

This avoids tying hopcounts to hot records.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-common: Add hash_count abstraction
Amitay Isaacs [Fri, 17 Mar 2017 07:00:40 +0000 (18:00 +1100)]
ctdb-common: Add hash_count abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-common: Add traverse_update function to db_hash abstraction
Amitay Isaacs [Fri, 17 Mar 2017 07:00:16 +0000 (18:00 +1100)]
ctdb-common: Add traverse_update function to db_hash abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoTestBase: restore setting FEATURE_SEAL in insta_creds
Gary Lockyer [Thu, 30 Mar 2017 18:03:30 +0000 (07:03 +1300)]
TestBase: restore setting FEATURE_SEAL in insta_creds

The setting of FEATURE_SEAL by default in insta_creds got removed when
the code was moved from password_lockout.py.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Apr  5 04:46:29 CEST 2017 on sn-devel-144

2 years agowafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED
Stefan Metzmacher [Tue, 28 Mar 2017 13:28:21 +0000 (15:28 +0200)]
wafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED

LINKFLAGS should not have path components.

This fixes the build on systems like FreeBSD where python
is located in /usr/local/lib.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12724

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr  4 16:10:18 CEST 2017 on sn-devel-144

2 years agos4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
Jeremy Allison [Sat, 1 Apr 2017 15:34:48 +0000 (15:34 +0000)]
s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.

In the NTVFS server we have the following talloc heirarchy:

                                   event_ctx
                                     |
        ---------------------------------------------------- .. other children
        |                       |                      |
     msg_dgm_ref              srv_conn            msg_dgm_ref
        ^                       |
        |                    NTVFS structures
        |                       |
        |                    XXXXXX
        |                       |
        |                       |
        --------------------- pointer to msg_dgm_ref

Some of the structures under NTVFS (marked XXXXX) can have
pointers to imessaging contexts which internally have pointers
to msg_dgm_ref structurs allocated off event_ctx.

The original code calls:

        model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
        talloc_free(srv_conn);

But model_ops->terminate() calls talloc_free(event_ctx) and
then calls exit(). In this case srv_conn is never explicitly
freed, but only freed as a talloc child of the event_ctx.

Depending on the ordering of the linked list of talloc children
under event_ctx(which can be reordered via talloc_free/reinit
of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can
be left pointing to memory that was already freed. This pointer
is then used in the destructor for a file object called when
srv_conn is freed.

Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first
and then model_ops->terminate() fixes this problem.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Apr  2 05:18:39 CEST 2017 on sn-devel-144

2 years agowinbindd: trigger possible passdb_dsdb initialisation
Ralph Boehme [Wed, 29 Mar 2017 09:13:46 +0000 (11:13 +0200)]
winbindd: trigger possible passdb_dsdb initialisation

If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  1 21:18:59 CEST 2017 on sn-devel-144

2 years agoselftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
Ralph Boehme [Fri, 31 Mar 2017 14:24:05 +0000 (16:24 +0200)]
selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs

This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoselftest: wbinfo -s tests for wellknown SIDs
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: wbinfo -s tests for wellknown SIDs

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: use passdb backend for well-known SIDs
Ralph Boehme [Thu, 30 Mar 2017 21:41:59 +0000 (23:41 +0200)]
winbindd: use passdb backend for well-known SIDs

On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos4: messaging. Add imessaging_reinit_all() function.
Jeremy Allison [Wed, 29 Mar 2017 18:11:37 +0000 (11:11 -0700)]
s4: messaging. Add imessaging_reinit_all() function.

Ensure it is called from process_standard.c after
every fork().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Mar 31 14:48:17 CEST 2017 on sn-devel-144

2 years agoselftest: Define template homedir for 'ad_member' env
Andreas Schneider [Fri, 17 Mar 2017 09:04:19 +0000 (10:04 +0100)]
selftest: Define template homedir for 'ad_member' env

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144

2 years agos3:tests: Add a subsitution test for %D %u %g
Andreas Schneider [Wed, 15 Mar 2017 11:37:08 +0000 (12:37 +0100)]
s3:tests: Add a subsitution test for %D %u %g

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: Fix password policy for pam authentication
Christof Schmitt [Mon, 27 Mar 2017 22:11:08 +0000 (15:11 -0700)]
winbindd: Fix password policy for pam authentication

Authenticating users from trusted domains would return the password
policy of the joined domain. Fix the code so that the password policy of
the joined domain is only returned for users from that domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144

2 years agoctdb-tools: Avoid deferencing argv[0] if argc == 0
Amitay Isaacs [Tue, 7 Mar 2017 03:13:10 +0000 (14:13 +1100)]
ctdb-tools: Avoid deferencing argv[0] if argc == 0

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12723

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Mar 29 11:07:18 CEST 2017 on sn-devel-144

2 years agoWHATSNEW: Add entry for auth audit
Andrew Bartlett [Mon, 27 Mar 2017 00:17:35 +0000 (13:17 +1300)]
WHATSNEW: Add entry for auth audit

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 29 06:35:12 CEST 2017 on sn-devel-144

2 years agowhitespace: auth_log_pass_change.py python conventions
Garming Sam [Fri, 24 Mar 2017 00:52:58 +0000 (13:52 +1300)]
whitespace: auth_log_pass_change.py python conventions

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldap_server: Move a variable into a smaller scope
Garming Sam [Thu, 23 Mar 2017 23:20:19 +0000 (12:20 +1300)]
ldap_server: Move a variable into a smaller scope

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2 years agowhitespace: auth_log.c C code conventions
Garming Sam [Thu, 23 Mar 2017 22:33:51 +0000 (11:33 +1300)]
whitespace: auth_log.c C code conventions

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2 years agowhitespace: auth_log.py python conventions
Garming Sam [Thu, 23 Mar 2017 21:51:05 +0000 (10:51 +1300)]
whitespace: auth_log.py python conventions

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2 years agoauth log: Add tests for anonymous bind and SamLogon
Gary Lockyer [Thu, 23 Mar 2017 22:02:36 +0000 (11:02 +1300)]
auth log: Add tests for anonymous bind and SamLogon

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agopython: Add bindings for NTLMSSP
Andrew Bartlett [Thu, 23 Mar 2017 03:30:05 +0000 (16:30 +1300)]
python: Add bindings for NTLMSSP

This is helpful for building NTLMv2 packets in python for testing against the SamLogon server

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agopycredentials: Add bindings for get_ntlm_response()
Andrew Bartlett [Wed, 22 Mar 2017 03:40:40 +0000 (16:40 +1300)]
pycredentials: Add bindings for get_ntlm_response()

This should make testing of SamLogon from python practical

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agorpc_server: Re-order and rename remote and local address in np_open()
Gary Lockyer [Thu, 23 Mar 2017 01:05:56 +0000 (14:05 +1300)]
rpc_server: Re-order and rename remote and local address in np_open()

We use this order and name consistently eleswhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agoldap_server: Log failures to find a valid user in the simple bind
Gary Lockyer [Wed, 22 Mar 2017 23:39:25 +0000 (12:39 +1300)]
ldap_server: Log failures to find a valid user in the simple bind

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agodsdb: Add authentication audit logging for LDAP password change
Andrew Bartlett [Fri, 17 Mar 2017 02:58:17 +0000 (15:58 +1300)]
dsdb: Add authentication audit logging for LDAP password change

This ensures this particular vector is not forgotten

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamr: Add logging of password change success and failure
Andrew Bartlett [Fri, 17 Mar 2017 00:26:13 +0000 (13:26 +1300)]
samr: Add logging of password change success and failure

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth log tests: password change tests
Gary Lockyer [Mon, 20 Mar 2017 20:59:45 +0000 (09:59 +1300)]
auth log tests: password change tests

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agoheimdal: Pass extra information to hdb_auth_status() to log success and failures
Andrew Bartlett [Tue, 21 Feb 2017 01:07:54 +0000 (14:07 +1300)]
heimdal: Pass extra information to hdb_auth_status() to log success and failures

We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config->db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
Andrew Bartlett [Mon, 13 Mar 2017 22:01:54 +0000 (11:01 +1300)]
s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case

This is triggered in the ncacn_np pass-though case in particular

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe...
Andrew Bartlett [Thu, 16 Mar 2017 21:29:02 +0000 (10:29 +1300)]
s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()

We use this order and name consistently eleswhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3-rpc_server: pass remote and local address to rpc_pipe_open_external
Andrew Bartlett [Thu, 16 Mar 2017 21:26:03 +0000 (10:26 +1300)]
s3-rpc_server: pass remote and local address to rpc_pipe_open_external

We want the real client address here for audit purposes, if possible.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4-ntvfs: Correct mixup between local/remote addresses
Gary Lockyer [Thu, 9 Mar 2017 23:43:42 +0000 (12:43 +1300)]
s4-ntvfs: Correct mixup between local/remote addresses

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agos3-rpc_server: Rename client -> remote_client and server -> local_server
Gary Lockyer [Thu, 9 Mar 2017 23:13:24 +0000 (12:13 +1300)]
s3-rpc_server: Rename client -> remote_client and server -> local_server

This changes struct dcerpc_ncacn_conn

While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.

By using both names we avoid a little of this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agos3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
Gary Lockyer [Thu, 9 Mar 2017 23:38:33 +0000 (12:38 +1300)]
s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()

The rest of the code uses remote before local, and this
often causes bugs

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agos3-named_pipe_auth: Rename client -> remote_client and server -> local_server
Gary Lockyer [Thu, 9 Mar 2017 23:33:06 +0000 (12:33 +1300)]
s3-named_pipe_auth: Rename client -> remote_client and server -> local_server

This brings the callers of named_pipe_auth in line with that subsystem.

Much of Samba uses remote_address and local_address, and this difference
has hidden bugs

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agos4-named_pipe_auth: Rename client -> remote_client and server -> local_server
Gary Lockyer [Thu, 9 Mar 2017 22:38:56 +0000 (11:38 +1300)]
s4-named_pipe_auth: Rename client -> remote_client and server -> local_server

This brings the callers of named_pipe_auth in line with that subsystem.

While these names may be better, the rest of Samba consistently uses
remote_address and local_address, and this difference has hidden bugs

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>