samba.git
2 years agomessaging: Declare well known server name auth_events as AUTH_EVENT_NAME in IDL
Andrew Bartlett [Mon, 13 Mar 2017 23:37:15 +0000 (12:37 +1300)]
messaging: Declare well known server name auth_events as AUTH_EVENT_NAME in IDL

This makes it easy to ensure we use the same name in the python and the C

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agomessaging.idl: Register a message type for authentication log messages
Andrew Bartlett [Tue, 7 Mar 2017 02:09:38 +0000 (15:09 +1300)]
messaging.idl: Register a message type for authentication log messages

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agopymessaging: add single element tupple form of the server_id
Gary Lockyer [Thu, 16 Mar 2017 03:26:01 +0000 (16:26 +1300)]
pymessaging: add single element tupple form of the server_id

This avoids the python code needing to call getpid() internally,
while declaring a stable task_id.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agopymessaging: Add a hook to run the event loop, make callbacks practical
Andrew Bartlett [Mon, 13 Mar 2017 23:39:13 +0000 (12:39 +1300)]
pymessaging: Add a hook to run the event loop, make callbacks practical

These change allow us to write a messaging server in python.

The previous ping_speed test did not actually test anything, so
we use .loop_once() to make it actually work.  To enable practial use
a context is supplied in the tuple with the callback, and the server_id
for the reply is not placed inside an additional tuple.

In order to get at the internal event context on which to loop, we
expose imessaging_context in messaging_internal.h and allow the python
bindings to use that header.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoserver_id_db: Protect against non-0-terminated data records
Volker Lendecke [Thu, 23 Mar 2017 14:48:25 +0000 (15:48 +0100)]
server_id_db: Protect against non-0-terminated data records

Remove the failing test from knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agoselftest: Test server_id database add and removal
Andrew Bartlett [Tue, 14 Mar 2017 03:07:46 +0000 (16:07 +1300)]
selftest: Test server_id database add and removal

This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agopymessaging: Add irpc_remove_name
Andrew Bartlett [Tue, 14 Mar 2017 00:39:00 +0000 (13:39 +1300)]
pymessaging: Add irpc_remove_name

This allows tests to be indirectly added for server_id_db_lookup()
and server_id_db_prune_name()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agopymessaging: Add support for irpc_add_name
Andrew Bartlett [Wed, 8 Mar 2017 01:53:26 +0000 (14:53 +1300)]
pymessaging: Add support for irpc_add_name

This allows tests to be indirectly added for server_id_db_lookup()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agosamba-tool: Ensure that samba-tool processes --name=not-existing does not error
Andrew Bartlett [Fri, 24 Mar 2017 00:07:06 +0000 (13:07 +1300)]
samba-tool: Ensure that samba-tool processes --name=not-existing does not error

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agoselftest: Add more tests for "samba-tool processes"
Andrew Bartlett [Fri, 24 Mar 2017 00:07:23 +0000 (13:07 +1300)]
selftest: Add more tests for "samba-tool processes"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705

2 years agos3: Test for CVE-2017-2619 regression with "follow symlinks = no".
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144

2 years agos3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017...
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).

In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agosamba_dnsupdate: Add additional debugging
Garming Sam [Sun, 26 Feb 2017 22:39:51 +0000 (11:39 +1300)]
samba_dnsupdate: Add additional debugging

Tests are still flapping, because it claims it needs a cache rebuild.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144

2 years agowhitespace: remove in rootdse
Douglas Bagnall [Tue, 25 Oct 2016 20:19:13 +0000 (09:19 +1300)]
whitespace: remove in rootdse

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoselftest/target/Samba.pm: Remove whitespace
Douglas Bagnall [Wed, 12 Oct 2016 05:00:34 +0000 (18:00 +1300)]
selftest/target/Samba.pm: Remove whitespace

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agogetncchanges: remove whitespace
Douglas Bagnall [Mon, 10 Oct 2016 21:12:55 +0000 (10:12 +1300)]
getncchanges: remove whitespace

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agowbinfo: Prevent client segfault with given EOF
Garming Sam [Mon, 27 Mar 2017 02:49:25 +0000 (15:49 +1300)]
wbinfo: Prevent client segfault with given EOF

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: Check that LDAP is available during RODC startup
Garming Sam [Mon, 27 Mar 2017 02:26:48 +0000 (15:26 +1300)]
selftest: Check that LDAP is available during RODC startup

Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorepl_secret: Error condition should sound harmless
Garming Sam [Mon, 27 Mar 2017 01:30:19 +0000 (14:30 +1300)]
repl_secret: Error condition should sound harmless

In the case it is not in the replication group, it it correct to deny
the replication to succeed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: Add more RODC tests to avoid regressions here
Andrew Bartlett [Thu, 23 Mar 2017 23:12:43 +0000 (12:12 +1300)]
selftest: Add more RODC tests to avoid regressions here

This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agorepl_secret: Prevent null deref on DEBUG
Garming Sam [Tue, 21 Mar 2017 02:02:50 +0000 (15:02 +1300)]
repl_secret: Prevent null deref on DEBUG

Code path with has_get_all_changes could not be exercised until
recently.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth/sam: Remove lastLogonTimestamp from RODC success accounting
Garming Sam [Thu, 23 Mar 2017 03:04:04 +0000 (16:04 +1300)]
auth/sam: Remove lastLogonTimestamp from RODC success accounting

This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoheimdal: Add initializer for stack pointers
Andrew Bartlett [Mon, 20 Mar 2017 02:15:39 +0000 (15:15 +1300)]
heimdal: Add initializer for stack pointers

This helps ensure we know these are NULL until set

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoauth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
Andrew Bartlett [Sun, 5 Mar 2017 23:11:18 +0000 (12:11 +1300)]
auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth

So far this is only on the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2 years agoselftest: tests for vfs_fruite file-id behavior
Uri Simchoni [Thu, 23 Mar 2017 19:32:04 +0000 (21:32 +0200)]
selftest: tests for vfs_fruite file-id behavior

The test is in its own suite because it validates
our hackish workaround rather than some reference
implementation behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph B√∂hme <slow@samba.org>
Autobuild-Date(master): Sun Mar 26 23:31:08 CEST 2017 on sn-devel-144

2 years agotorture: add torture_assert_mem_not_equal_goto()
Uri Simchoni [Thu, 23 Mar 2017 19:30:50 +0000 (21:30 +0200)]
torture: add torture_assert_mem_not_equal_goto()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agovfs_fruit: document added zero_file_id parameter
Uri Simchoni [Thu, 23 Mar 2017 12:51:32 +0000 (14:51 +0200)]
vfs_fruit: document added zero_file_id parameter

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agovfs_fruit: enable zero file id
Uri Simchoni [Thu, 23 Mar 2017 12:08:45 +0000 (14:08 +0200)]
vfs_fruit: enable zero file id

Enable zero_file_id if both conditions are met:
- AAPL negotiated
- fruit:zero_file_id is set

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agosmbd: add zero_file_id flag
Uri Simchoni [Thu, 23 Mar 2017 12:08:26 +0000 (14:08 +0200)]
smbd: add zero_file_id flag

This flag instructs the SMB layer to report a zero on-disk
file identifier.

According to [MS-SMB2] 3.3.5.9.9, the reported on-disk file ID
SHOULD be unique. However, macOS clients seem to expect it to be
unique over time as well, like the HFS+ CNID. Reporting a file ID
of 0 seems to instruct the Mac client not to trust the server-reported
file ID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agoWHATSNEW: Document "strict sync" default change.
Jeremy Allison [Thu, 23 Mar 2017 16:06:27 +0000 (09:06 -0700)]
WHATSNEW: Document "strict sync" default change.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 25 04:41:19 CET 2017 on sn-devel-144

2 years agos3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Jeremy Allison [Thu, 23 Mar 2017 02:22:31 +0000 (19:22 -0700)]
s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.

Document change and modify in loadparm.c.
Safer default for new installs and vendors.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2 years agoRevert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"
Stefan Metzmacher [Thu, 23 Mar 2017 14:19:20 +0000 (15:19 +0100)]
Revert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"

This works again now...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 24 15:50:22 CET 2017 on sn-devel-144

2 years agos4:selftest: specify auth methods of pdbtests without 'samba4:' prefix
Stefan Metzmacher [Thu, 23 Mar 2017 14:13:54 +0000 (15:13 +0100)]
s4:selftest: specify auth methods of pdbtests without 'samba4:' prefix

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: implement the deprecated 'auth methods' in auth_methods_from_lp()
Stefan Metzmacher [Wed, 22 Mar 2017 08:50:13 +0000 (09:50 +0100)]
auth4: implement the deprecated 'auth methods' in auth_methods_from_lp()

This might be used to explicitly configure the old auth methods list
from Samba 4.6 and older, if required:
 "auth methods = anonymous sam_ignoredomain"

But this option will be removed again in future releases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_...
Stefan Metzmacher [Thu, 23 Mar 2017 11:54:40 +0000 (12:54 +0100)]
auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()

"auth methods" never works as AD DC at all, so there's not really a change.

This allows us to implement "auth methods" (temporary) for the auth4 stack.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: temporary skip samba.blackbox.pdbtest.s4winbind
Stefan Metzmacher [Thu, 23 Mar 2017 14:15:45 +0000 (15:15 +0100)]
selftest: temporary skip samba.blackbox.pdbtest.s4winbind

This will reenabled in a few commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: reflect the reality and use "winbind_rodc" instead of "winbind" for the auth...
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: reflect the reality and use "winbind_rodc" instead of "winbind" for the auth methods as AD_DC

Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:

  [2017/03/22 10:09:54.268472,  3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
    auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
  [2017/03/22 10:09:54.268496,  5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
    map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
    auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]

That means the only condition in which "sam_ignoredomain" returns
NT_STATUS_NOT_IMPLEMENTED is the RODC case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: add a "winbind_rodc" backend
Stefan Metzmacher [Thu, 23 Mar 2017 10:57:49 +0000 (11:57 +0100)]
auth4: add a "winbind_rodc" backend

This is only active on a RODC.

The background for this is that we currently only ever
call the "winbind" module when we're an RODC,
otherwise everything is catched by "sam_ignoredomain" before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth4: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
Stefan Metzmacher [Tue, 21 Mar 2017 07:31:29 +0000 (08:31 +0100)]
winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY

make_auth3_context_for_winbind() restricts the used auth backends now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
Stefan Metzmacher [Fri, 17 Mar 2017 15:46:38 +0000 (16:46 +0100)]
auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()

This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: debug if method->ops->check_password() gives NOT_IMPLEMENTED
Stefan Metzmacher [Thu, 16 Mar 2017 15:47:15 +0000 (16:47 +0100)]
auth4: debug if method->ops->check_password() gives NOT_IMPLEMENTED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth: let auth4_context->check_ntlm_password() return pauthoritative
Stefan Metzmacher [Fri, 17 Mar 2017 10:52:51 +0000 (11:52 +0100)]
auth: let auth4_context->check_ntlm_password() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agontlm_auth3: let contact_winbind_auth_crap() return pauthoritative
Stefan Metzmacher [Fri, 17 Mar 2017 10:49:40 +0000 (11:49 +0100)]
ntlm_auth3: let contact_winbind_auth_crap() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: let auth_check_password* return pauthoritative
Stefan Metzmacher [Fri, 17 Mar 2017 10:16:36 +0000 (11:16 +0100)]
auth4: let auth_check_password* return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: let auth_check_ntlm_password() return pauthoritative
Stefan Metzmacher [Fri, 17 Mar 2017 08:43:59 +0000 (09:43 +0100)]
auth3: let auth_check_ntlm_password() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: let winbindd_dual_auth_passdb() return pauthoritative
Stefan Metzmacher [Fri, 17 Mar 2017 08:42:38 +0000 (09:42 +0100)]
winbindd: let winbindd_dual_auth_passdb() return pauthoritative

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"
Volker Lendecke [Thu, 2 Mar 2017 10:28:18 +0000 (11:28 +0100)]
winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogon4: make use of auth_context_create_for_netlogon()
Stefan Metzmacher [Fri, 17 Mar 2017 11:15:13 +0000 (12:15 +0100)]
netlogon4: make use of auth_context_create_for_netlogon()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: add auth_context_create_for_netlogon()
Stefan Metzmacher [Fri, 17 Mar 2017 11:08:59 +0000 (12:08 +0100)]
auth4: add auth_context_create_for_netlogon()

For now it's the same as auth_context_create(), but this will
change the in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: make auth_check_password_wrapper() static
Stefan Metzmacher [Fri, 17 Mar 2017 10:41:04 +0000 (11:41 +0100)]
auth4: make auth_check_password_wrapper() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: make make_auth_context_subsystem() static
Stefan Metzmacher [Fri, 17 Mar 2017 11:31:01 +0000 (12:31 +0100)]
auth3: make make_auth_context_subsystem() static

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: make use of make_auth3_context_for_winbind()
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:41 +0000 (09:18 +0100)]
winbindd: make use of make_auth3_context_for_winbind()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogond3: make use of make_auth3_context_for_netlogon()
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:25 +0000 (09:18 +0100)]
netlogond3: make use of make_auth3_context_for_netlogon()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopdbtest: make use of make_auth3_context_for_ntlm()
Stefan Metzmacher [Fri, 17 Mar 2017 11:29:26 +0000 (12:29 +0100)]
pdbtest: make use of make_auth3_context_for_ntlm()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: make use of make_auth3_context_for_ntlm()
Stefan Metzmacher [Fri, 17 Mar 2017 08:17:45 +0000 (09:17 +0100)]
auth3: make use of make_auth3_context_for_ntlm()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
Stefan Metzmacher [Fri, 17 Mar 2017 08:13:02 +0000 (09:13 +0100)]
auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}

For now they'll all do the same, but that will change in the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Remove unused make_auth_context_fixed
Volker Lendecke [Mon, 13 Mar 2017 07:22:27 +0000 (08:22 +0100)]
auth3: Remove unused make_auth_context_fixed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopdbtest: Call make_auth_context_subsystem directly
Volker Lendecke [Mon, 13 Mar 2017 07:19:41 +0000 (08:19 +0100)]
pdbtest: Call make_auth_context_subsystem directly

Last caller of make_auth_context_fixed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogond3: only call make_auth_context_subsystem() in one place
Stefan Metzmacher [Thu, 16 Mar 2017 14:54:18 +0000 (15:54 +0100)]
netlogond3: only call make_auth_context_subsystem() in one place

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogond3: Call make_auth_context_subsystem directly
Volker Lendecke [Mon, 13 Mar 2017 07:14:00 +0000 (08:14 +0100)]
netlogond3: Call make_auth_context_subsystem directly

Soon we'll call specific methods here

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogond3: "authorititative" is a uint8
Volker Lendecke [Thu, 9 Mar 2017 14:19:06 +0000 (15:19 +0100)]
netlogond3: "authorititative" is a uint8

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: Call make_auth_context_subsystem directly
Volker Lendecke [Mon, 13 Mar 2017 07:14:00 +0000 (08:14 +0100)]
winbindd: Call make_auth_context_subsystem directly

Soon we'll call specific methods here

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Introduce auth3_context_set_challenge
Volker Lendecke [Mon, 13 Mar 2017 07:08:44 +0000 (08:08 +0100)]
auth3: Introduce auth3_context_set_challenge

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Simplify the logic in auth_check_ntlm_password
Volker Lendecke [Sat, 11 Feb 2017 14:44:01 +0000 (15:44 +0100)]
auth3: Simplify the logic in auth_check_ntlm_password

Move everything but the strict loop logic outside. This makes the
loop exit condition clearer to me: Anything but NOT_IMPLEMENTED breaks
the loop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Don't try other auth modules on any error
Volker Lendecke [Sat, 11 Feb 2017 14:05:52 +0000 (15:05 +0100)]
auth3: Don't try other auth modules on any error

So far if any kind of error has happened, we just tried further auth
modules. An auth module should have the chance to definitely say "no,
this is a valid error, no further attempts anywhere else". The protocol
so far was for an auth module to return NT_STATUS_NOT_IMPLEMENTED if it
wanted to pass on to other modules, but any error led to the next auth
modules also being given a try.

This patch makes any auth module return code except NOT_IMPLEMENTED to
terminate the loop, such that every module has to explicitly request to
pass on to the next module via NOT_IMPLEMENTED.

All modules we reference in make_auth_context_subsystem() have code to
explicitly say "not for me please" with NOT_IMPLEMENTED.

This *might* break existing setups which fail in for example "guest" or
"winbind" due to other reasons. I prefer it this way though, because
adding another parameter like "This is a real authoritative failure,
don't go looking somewhere else" will only add to the mess.
But it's more a theoretical than a practical change with the
default auth backends.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Introduce make_auth_context_specific
Volker Lendecke [Mon, 13 Mar 2017 07:58:43 +0000 (08:58 +0100)]
auth3: Introduce make_auth_context_specific

Take a string instead of a string list. Simplifies
make_auth_context_subsystem and later similar callers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Slightly simplify make_auth_context_subsystem() step2
Volker Lendecke [Mon, 13 Mar 2017 07:43:06 +0000 (08:43 +0100)]
auth3: Slightly simplify make_auth_context_subsystem() step2

Use "git show -b" to see the simple diff.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: Slightly simplify make_auth_context_subsystem() step1
Volker Lendecke [Mon, 13 Mar 2017 07:43:06 +0000 (08:43 +0100)]
auth3: Slightly simplify make_auth_context_subsystem() step1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowbinfo: Add "authoritative" to wbinfo -a output
Volker Lendecke [Mon, 6 Mar 2017 13:32:18 +0000 (14:32 +0100)]
wbinfo: Add "authoritative" to wbinfo -a output

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: add TODO comment on the auth_sam_trigger_repl_secret msDS-NeverRevealGroup...
Stefan Metzmacher [Thu, 23 Mar 2017 08:37:22 +0000 (09:37 +0100)]
auth4: add TODO comment on the auth_sam_trigger_repl_secret msDS-NeverRevealGroup interaction

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.
Jeremy Allison [Thu, 15 Dec 2016 21:06:31 +0000 (13:06 -0800)]
CVE-2017-2619: s3: smbd: Use the new non_widelink_open() function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Mar 23 22:55:04 CET 2017 on sn-devel-144

2 years agoCVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.
Jeremy Allison [Thu, 15 Dec 2016 21:04:46 +0000 (13:04 -0800)]
CVE-2017-2619: s3: smbd: Add the core functions to prevent symlink open races.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility...
Jeremy Allison [Thu, 15 Dec 2016 20:56:08 +0000 (12:56 -0800)]
CVE-2017-2619: s3: smbd: Move special handling of symlink errno's into a utility function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.
Jeremy Allison [Thu, 15 Dec 2016 20:52:13 +0000 (12:52 -0800)]
CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We insist on O_NOFOLLOW existing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not suppo...
Jeremy Allison [Mon, 19 Dec 2016 20:35:32 +0000 (12:35 -0800)]
CVE-2017-2619: s3: smbd: Correctly fallback to open_dir_safely if FDOPENDIR not supported on system.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just...
Jeremy Allison [Mon, 19 Dec 2016 20:32:07 +0000 (12:32 -0800)]
CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just before retuning success.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.
Jeremy Allison [Mon, 19 Dec 2016 20:15:59 +0000 (12:15 -0800)]
CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory leak on error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.
Jeremy Allison [Mon, 19 Dec 2016 20:13:20 +0000 (12:13 -0800)]
CVE-2017-2619: s3: smbd: OpenDir_fsp() use early returns.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().
Jeremy Allison [Tue, 20 Dec 2016 00:35:00 +0000 (16:35 -0800)]
CVE-2017-2619: s3: smbd: Create and use open_dir_safely(). Use from OpenDir().

Hardens OpenDir against TOC/TOU races.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.
Jeremy Allison [Tue, 20 Dec 2016 00:25:26 +0000 (16:25 -0800)]
CVE-2017-2619: s3: smbd: Opendir_internal() early return if SMB_VFS_OPENDIR failed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for makin...
Jeremy Allison [Mon, 19 Dec 2016 19:55:56 +0000 (11:55 -0800)]
CVE-2017-2619: s3: smbd: Create wrapper function for OpenDir in preparation for making robust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag
Ralph Boehme [Sun, 19 Mar 2017 17:52:10 +0000 (18:52 +0100)]
CVE-2017-2619: s4/torture: add SMB2_FIND tests with SMB2_CONTINUE_FLAG_REOPEN flag

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoCVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()
Ralph Boehme [Sun, 19 Mar 2017 14:58:17 +0000 (15:58 +0100)]
CVE-2017-2619: s3/smbd: re-open directory after dptr_CloseDir()

dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
have to reopen it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agolibwbclient: add WBC_SID_NAME_LABEL
Stefan Metzmacher [Mon, 20 Mar 2017 12:56:03 +0000 (13:56 +0100)]
libwbclient: add WBC_SID_NAME_LABEL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 23 12:55:26 CET 2017 on sn-devel-144

2 years agolibcli/security: add SID_NAME_LABEL to sid_type_lookup()
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:59 +0000 (13:50 +0100)]
libcli/security: add SID_NAME_LABEL to sid_type_lookup()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agolsa.idl: add SID_NAME_LABEL
Stefan Metzmacher [Mon, 20 Mar 2017 12:50:36 +0000 (13:50 +0100)]
lsa.idl: add SID_NAME_LABEL

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agonetlogon.idl: make netr_LogonInfoClass public
Stefan Metzmacher [Fri, 17 Mar 2017 18:28:16 +0000 (19:28 +0100)]
netlogon.idl: make netr_LogonInfoClass public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agonet: Don't crash if lsa_LookupPrivDisplayName returns NULL
Volker Lendecke [Wed, 22 Mar 2017 14:41:47 +0000 (15:41 +0100)]
net: Don't crash if lsa_LookupPrivDisplayName returns NULL

lsa_LookupPrivDisplayName on Windows 2012R2 can return success and still return
a NULL name:

rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host 172.18.103.80 returned 12 bytes.
     lsa_LookupPrivDisplayName: struct lsa_LookupPrivDisplayName
        out: struct lsa_LookupPrivDisplayName
            disp_name                : *
                disp_name                : NULL
            returned_language_id     : *
                returned_language_id     : 0x0000 (0)
            result                   : NT_STATUS_OK

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 23 07:43:57 CET 2017 on sn-devel-144

2 years agonsswtich: Add negative tests for authentication with wbinfo
Andreas Schneider [Mon, 20 Mar 2017 11:22:44 +0000 (12:22 +0100)]
nsswtich: Add negative tests for authentication with wbinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144

2 years agos3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()
Andreas Schneider [Tue, 21 Mar 2017 08:57:30 +0000 (09:57 +0100)]
s3:libads: Remove obsolete smb_krb5_get_ntstatus_from_init_creds()

There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoidmap_rfc2307: Clarify the documentation a bit
Volker Lendecke [Tue, 21 Mar 2017 15:00:27 +0000 (16:00 +0100)]
idmap_rfc2307: Clarify the documentation a bit

"bind_path" is a variable name internally used inside Samba. If you
look at "man ldapsearch" from OpenLDAP for example, the more common
term for this parameter is "search base". Adapt the documentation
accordingly.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoidmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()
Volker Lendecke [Tue, 21 Mar 2017 14:52:37 +0000 (15:52 +0100)]
idmap_rfc2307: Slightly simplify idmap_rfc2307_initialize()

Replace an "else" branch with an early "goto err"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agoidmap_tdb: Avoid a few casts
Volker Lendecke [Sun, 8 Jan 2017 13:00:39 +0000 (13:00 +0000)]
idmap_tdb: Avoid a few casts

The times of attempting to be C++ compatible are gone since C compilers
can do very good warnings too.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agos3:libsmb: Only print error message if kerberos use is forced
Andreas Schneider [Mon, 20 Mar 2017 15:08:20 +0000 (16:08 +0100)]
s3:libsmb: Only print error message if kerberos use is forced

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Mar 21 14:25:54 CET 2017 on sn-devel-144

2 years agoautobuild: Stop waf uninstall from removing test_tmpdir
Martin Schwenke [Mon, 20 Mar 2017 03:49:34 +0000 (14:49 +1100)]
autobuild: Stop waf uninstall from removing test_tmpdir

Most of the autobuild tasks run "make distcheck", which does a
recursive "waf configure make install uninstall".  "waf uninstall"
(via BuildContext.install() in Build.py) removes empty directories all
the way up the directory tree.  This means that it removes
test_tmpdir, if it is empty, and any empty directories above it.

While this is arguably a waf bug, the simplest solution is to make
test_tmpdir non-empty so it don't get removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12703

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 10:37:08 CET 2017 on sn-devel-144

2 years agoidmap_autorid: Use idmap_config_int
Volker Lendecke [Sat, 18 Mar 2017 18:06:49 +0000 (19:06 +0100)]
idmap_autorid: Use idmap_config_int

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Mar 20 23:28:38 CET 2017 on sn-devel-144

2 years agoidmap_rid: Use idmap_config_int
Volker Lendecke [Sat, 18 Mar 2017 18:05:10 +0000 (19:05 +0100)]
idmap_rid: Use idmap_config_int

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>