samba.git
22 months ago  auth/gensec: introduce gensec_security_ops.glue in order to avoid depending on GENSEC...
Stefan Metzmacher [Thu, 20 Jul 2017 21:28:51 +0000 (23:28 +0200)]
auth/gensec: introduce gensec_security_ops.glue in order to avoid depending on GENSEC_OID_SPNEGO being special

In future we'll get more backends that can negotiate other backends;
we should keep all of them even if we require kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/gensec: add some useful debugging to gensec_update_send/gensec_update_done
Stefan Metzmacher [Thu, 20 Jul 2017 13:42:58 +0000 (15:42 +0200)]
auth/gensec: add some useful debugging to gensec_update_send/gensec_update_done

This makes it easier to spot problems with all the abstraction and async layers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: Use talloc_get_type_abort() in gensec_spnego_update_out()
Andreas Schneider [Wed, 19 Jul 2017 09:05:32 +0000 (11:05 +0200)]
auth/spnego: Use talloc_get_type_abort() in gensec_spnego_update_out()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  auth/spnego: Use talloc_get_type_abort() in gensec_spnego_update_in()
Andreas Schneider [Wed, 19 Jul 2017 09:02:39 +0000 (11:02 +0200)]
auth/spnego: Use talloc_get_type_abort() in gensec_spnego_update_in()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  auth/spnego: Rename gensec_spnego_update_sub_abort()
Andreas Schneider [Wed, 19 Jul 2017 08:53:30 +0000 (10:53 +0200)]
auth/spnego: Rename gensec_spnego_update_sub_abort()

The name is not ideal as someone might think we will panic and abort the
process. So rename it to gensec_spnego_reset_sub_sec().

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  auth/spnego: replace gensec_spnego_neg_loop() by real async processing of {start...
Stefan Metzmacher [Wed, 14 Jun 2017 09:01:23 +0000 (11:01 +0200)]
auth/spnego: replace gensec_spnego_neg_loop() by real async processing of {start,step,finish}_fn()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split gensec_spnego_server_negTokenTarg() into subfunctions
Stefan Metzmacher [Wed, 14 Jun 2017 13:40:41 +0000 (15:40 +0200)]
auth/spnego: split gensec_spnego_server_negTokenTarg() into subfunctions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split gensec_spnego_server_negTokenInit() into subfunctions
Stefan Metzmacher [Wed, 14 Jun 2017 13:22:57 +0000 (15:22 +0200)]
auth/spnego: split gensec_spnego_server_negTokenInit() into subfunctions

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split gensec_spnego_client_negTokenTarg() into subfunctions
Stefan Metzmacher [Wed, 14 Jun 2017 11:56:02 +0000 (13:56 +0200)]
auth/spnego: split gensec_spnego_client_negTokenTarg() into subfunctions

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split gensec_spnego_client_negTokenInit() into subfunctions
Stefan Metzmacher [Wed, 14 Jun 2017 10:59:43 +0000 (12:59 +0200)]
auth/spnego: split gensec_spnego_client_negTokenInit() into subfunctions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions
Stefan Metzmacher [Tue, 13 Jun 2017 23:52:09 +0000 (01:52 +0200)]
auth/spnego: split gensec_spnego_create_negTokenInit() into subfunctions

This adds and uses the gensec_spnego_neg_loop() abstraction, which
abstracts start, step and finish hooks.

The start hook does the initial processing on the incoming packet and
may start the first possible subcontext. It indicates that
gensec_update() is required on the subcontext by returning
NT_STATUS_MORE_PROCESSING_REQUIRED and returning something useful in
'in_next'. Note that 'in_mem_ctx' is just passed as a hint; the
caller should treat 'in_next' as const and not attempt to free the
content.  NT_STATUS_OK indicates the finish hook should be invoked
directly without the need of gensec_update() on the subcontext.
Every other error indicates an error that's returned to the caller.

The step hook processes the result of a failed gensec_update() and
can decide to ignore a failure or continue the negotiation by
setting up the next possible subcontext. It indicates that
gensec_update() is required on the subcontext by returning
NT_STATUS_MORE_PROCESSING_REQUIRED and returning something useful in
'in_next'. Note that 'in_mem_ctx' is just passed as a hint; the
caller should treat 'in_next' as const and not attempt to free the
content.  NT_STATUS_OK indicates the finish hook should be invoked
directly without the need of gensec_update() on the subcontext.
Every other error indicates an error that's returned to the caller.

The finish hook processes the result of a successful gensec_update()
(NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the
response pdu that will be returned from the toplevel gensec_update()
together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It
may also alter the state machine to prepare receiving the next pdu
from the peer.

This is the start of using this abstraction for the initial client or server
start with an empty input token from the peer.

This abstraction will be applied to all four other spnego states,
gensec_spnego_{client,server}_negToken{Init,Targ}() in the following
commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
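As an added illustration of the start/step/finish contract described in the commit message above (this is not Samba's code): a self-contained C sketch where `neg_loop()`, `start_fn()`, `step_fn()`, `finish_fn()`, the stubbed `sub_update()` and the constructed mechanism list are all hypothetical stand-ins for gensec_spnego_neg_loop() and its subcontexts. It shows the loop trying the next subcontext after a failed update, finishing directly when the start hook returns OK, and producing no output token on a hard error.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed status codes standing in for the NT_STATUS values named in
 * the commit message; only OK and MORE_PROCESSING_REQUIRED are non-errors. */
typedef enum {
	NEG_OK,
	NEG_MORE_PROCESSING_REQUIRED,
	NEG_INVALID_PARAMETER, /* hard error, returned to the caller as-is */
	NEG_LOGON_FAILURE,     /* a subcontext rejected the token */
} neg_status;

#define NEG_IS_ERROR(s) ((s) != NEG_OK && (s) != NEG_MORE_PROCESSING_REQUIRED)

/* Hypothetical sub-mechanism: a name plus the single token it accepts. */
struct mech {
	const char *name;
	const char *accepted_token;
};

struct neg_state {
	const struct mech *mechs;
	size_t num_mechs;
	size_t current;      /* subcontext currently being tried */
	bool sub_sec_ready;  /* set once a subcontext has succeeded */
	char response[64];   /* response pdu formed by the finish hook */
};

/* Stand-in for gensec_update() on the current subcontext. */
static neg_status sub_update(struct neg_state *st, const char *in_next)
{
	const struct mech *m = &st->mechs[st->current];
	if (in_next != NULL && strcmp(in_next, m->accepted_token) == 0) {
		return NEG_OK;
	}
	return NEG_LOGON_FAILURE;
}

/* start hook: initial processing of the incoming token. On
 * MORE_PROCESSING_REQUIRED, 'in_next' is borrowed (treated as const by
 * the loop, never freed), exactly as the commit message requires. */
static neg_status start_fn(struct neg_state *st, const char *in,
			   const char **in_next)
{
	if (st->sub_sec_ready) {
		return NEG_OK; /* nothing to negotiate: finish directly */
	}
	if (in == NULL || st->num_mechs == 0) {
		return NEG_INVALID_PARAMETER;
	}
	st->current = 0;
	*in_next = in;
	return NEG_MORE_PROCESSING_REQUIRED;
}

/* step hook: handles a failed update and may move on to the next
 * possible subcontext instead of giving up. */
static neg_status step_fn(struct neg_state *st, neg_status sub_status,
			  const char *in, const char **in_next)
{
	if (st->current + 1 >= st->num_mechs) {
		return sub_status; /* no fallback left: propagate the error */
	}
	st->current++;
	*in_next = in;
	return NEG_MORE_PROCESSING_REQUIRED;
}

/* finish hook: consumes a successful subcontext result and forms the
 * response pdu handed back by the top-level update. */
static neg_status finish_fn(struct neg_state *st, neg_status sub_status)
{
	const struct mech *m = &st->mechs[st->current];
	if (sub_status == NEG_OK) {
		st->sub_sec_ready = true;
	}
	snprintf(st->response, sizeof(st->response), "%s:%s", m->name,
		 st->sub_sec_ready ? "accepted" : "continue");
	return sub_status;
}

/* The driver loop; only the control flow from the commit message. */
neg_status neg_loop(struct neg_state *st, const char *in)
{
	const char *in_next = NULL;
	neg_status status = start_fn(st, in, &in_next);

	while (status == NEG_MORE_PROCESSING_REQUIRED) {
		neg_status sub = sub_update(st, in_next);
		if (!NEG_IS_ERROR(sub)) {
			return finish_fn(st, sub);
		}
		status = step_fn(st, sub, in, &in_next);
	}
	if (status == NEG_OK) {
		return finish_fn(st, NEG_OK);
	}
	st->response[0] = '\0'; /* hard error: no output token at all */
	return status;
}

/* Constructed scenario: the first mech rejects a krb5 token, the second
 * accepts it, so the loop has to fall through via the step hook. */
static const struct mech demo_mechs[] = {
	{ "ntlmssp", "ntlm-token" },
	{ "krb5",    "krb5-token" },
};
static struct neg_state demo_state;

int demo_status(const char *in)
{
	demo_state = (struct neg_state){ demo_mechs, 2, 0, false, { 0 } };
	return (int)neg_loop(&demo_state, in);
}

const char *demo_response(void)
{
	return demo_state.response;
}

int main(void)
{
	int status = demo_status("krb5-token");
	printf("status=%d response=%s\n", status, demo_response());
	return status == NEG_OK ? 0 : 1;
}
```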
22 months ago  auth/spnego: don't produce an output token for errors in gensec_spnego_server_response()
Stefan Metzmacher [Mon, 17 Jul 2017 20:00:10 +0000 (22:00 +0200)]
auth/spnego: don't produce an output token for errors in gensec_spnego_server_response()

gensec_spnego_server_response() is never called with a fatal error anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: don't call gensec_spnego_server_response() with a fatal error
Stefan Metzmacher [Mon, 17 Jul 2017 19:54:51 +0000 (21:54 +0200)]
auth/spnego: don't call gensec_spnego_server_response() with a fatal error

It doesn't make sense to produce an output token without
returning OK or MORE_PROCESSING_REQUIRED.

Even in v4-0-test we had gensec_spnego_update_wrapper()
which only passed the constructed output token to the caller
with OK or MORE_PROCESSING_REQUIRED.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: generate a valid packet if gensec_spnego_client_negTokenTarg() gives...
Stefan Metzmacher [Tue, 18 Jul 2017 09:42:43 +0000 (11:42 +0200)]
auth/spnego: generate a valid packet if gensec_spnego_client_negTokenTarg() gives MORE_PROCESSING_REQUIRED

If we wait for the mechListMIC from the server we should send a valid packet
instead of an empty blob.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make sure we don't return OK without sub_sec_ready in gensec_spnego_clie...
Stefan Metzmacher [Mon, 17 Jul 2017 18:49:34 +0000 (20:49 +0200)]
auth/spnego: make sure we don't return OK without sub_sec_ready in gensec_spnego_client_negTokenTarg()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: do an early return for the success case in gensec_spnego_client_negToken...
Stefan Metzmacher [Mon, 17 Jul 2017 18:47:57 +0000 (20:47 +0200)]
auth/spnego: do an early return for the success case in gensec_spnego_client_negTokenTarg()

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: use better variable names in gensec_spnego_create_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 14:26:42 +0000 (16:26 +0200)]
auth/spnego: use better variable names in gensec_spnego_create_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: introduce an early return in gensec_spnego_create_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 14:20:59 +0000 (16:20 +0200)]
auth/spnego: introduce an early return in gensec_spnego_create_negTokenInit()

This avoids printing two debug messages for the same failure.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: add more error checking to gensec_spnego_create_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 14:16:35 +0000 (16:16 +0200)]
auth/spnego: add more error checking to gensec_spnego_create_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: rename 'nt_status' to 'status' in gensec_spnego_create_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 14:08:05 +0000 (16:08 +0200)]
auth/spnego: rename 'nt_status' to 'status' in gensec_spnego_create_negTokenInit()

This makes future diffs smaller.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make the debug messages in gensec_spnego_create_negTokenInit() more...
Stefan Metzmacher [Thu, 13 Jul 2017 14:05:39 +0000 (16:05 +0200)]
auth/spnego: make the debug messages in gensec_spnego_create_negTokenInit() more useful

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: remove one more useless indentation level in gensec_spnego_create_negTok...
Stefan Metzmacher [Thu, 13 Jul 2017 13:49:32 +0000 (15:49 +0200)]
auth/spnego: remove one more useless indentation level in gensec_spnego_create_negTokenInit()

Check with git show -w -U20

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: introduce an early goto reply: for the server in gensec_spnego_create_ne...
Stefan Metzmacher [Thu, 13 Jul 2017 13:44:53 +0000 (15:44 +0200)]
auth/spnego: introduce an early goto reply: for the server in gensec_spnego_create_negTokenInit()

This removes a useless indentation level and simplifies future patches.

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: move the output generation to the end of gensec_spnego_create_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 13:41:23 +0000 (15:41 +0200)]
auth/spnego: move the output generation to the end of gensec_spnego_create_negTokenInit()

This will simplify the diff of future patches.

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make the SPNEGO_FALLBACK continuation completely async
Stefan Metzmacher [Tue, 13 Jun 2017 21:43:01 +0000 (23:43 +0200)]
auth/spnego: make the SPNEGO_FALLBACK continuation completely async

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: invert the fallback logic in gensec_spnego_client_negTokenInit()
Stefan Metzmacher [Thu, 13 Jul 2017 14:49:57 +0000 (16:49 +0200)]
auth/spnego: invert the fallback logic in gensec_spnego_client_negTokenInit()

We should do the return first, that will simplify further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split out gensec_spnego_update_pre/post() functions
Stefan Metzmacher [Tue, 13 Jun 2017 21:43:01 +0000 (23:43 +0200)]
auth/spnego: split out gensec_spnego_update_pre/post() functions

For now we keep doing sync processing only; in future
we'll do some preprocessing before a gensec_update_send()
on the subcontext in gensec_spnego_update_pre()
and handle the result of gensec_update_recv()
in gensec_spnego_update_post().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: inline gensec_spnego_parse_negTokenInit() into gensec_spnego_server_negT...
Stefan Metzmacher [Fri, 7 Jul 2017 09:39:39 +0000 (11:39 +0200)]
auth/spnego: inline gensec_spnego_parse_negTokenInit() into gensec_spnego_server_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: remove more dead code from gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 09:11:57 +0000 (11:11 +0200)]
auth/spnego: remove more dead code from gensec_spnego_parse_negTokenInit()

Now we finally have a logic that someone can understand while reading it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: add an early return for OK or MORE PROCESSING in gensec_spnego_parse_neg...
Stefan Metzmacher [Fri, 7 Jul 2017 09:09:59 +0000 (11:09 +0200)]
auth/spnego: add an early return for OK or MORE PROCESSING in gensec_spnego_parse_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: add an early return for a hard error in gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 09:07:41 +0000 (11:07 +0200)]
auth/spnego: add an early return for a hard error in gensec_spnego_parse_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: do an early return when we downgraded the mech in gensec_spnego_parse_ne...
Stefan Metzmacher [Fri, 7 Jul 2017 09:05:39 +0000 (11:05 +0200)]
auth/spnego: do an early return when we downgraded the mech in gensec_spnego_parse_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: remove one more useless indentation level from gensec_spnego_parse_negTo...
Stefan Metzmacher [Fri, 7 Jul 2017 09:03:37 +0000 (11:03 +0200)]
auth/spnego: remove one more useless indentation level from gensec_spnego_parse_negTokenInit()

Check with 'git show -w -U45' and carefully check the 'break' vs. 'continue'
changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: remove dead code from gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 08:57:52 +0000 (10:57 +0200)]
auth/spnego: remove dead code from gensec_spnego_parse_negTokenInit()

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: remove unused indentation level from gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 08:54:54 +0000 (10:54 +0200)]
auth/spnego: remove unused indentation level from gensec_spnego_parse_negTokenInit()

gensec_spnego_parse_negTokenInit() is only used as server now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: inline gensec_spnego_parse_negTokenInit() client logic into gensec_spneg...
Stefan Metzmacher [Fri, 7 Jul 2017 08:11:43 +0000 (10:11 +0200)]
auth/spnego: inline gensec_spnego_parse_negTokenInit() client logic into gensec_spnego_client_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: let gensec_spnego_parse_negTokenInit() require client provides mechs
Stefan Metzmacher [Fri, 7 Jul 2017 08:44:00 +0000 (10:44 +0200)]
auth/spnego: let gensec_spnego_parse_negTokenInit() require client provides mechs

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: inline gensec_spnego_update_server() into gensec_spnego_update_send()
Stefan Metzmacher [Fri, 7 Jul 2017 07:22:25 +0000 (09:22 +0200)]
auth/spnego: inline gensec_spnego_update_server() into gensec_spnego_update_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: inline gensec_spnego_update_client() into gensec_spnego_update_send()
Stefan Metzmacher [Fri, 7 Jul 2017 07:22:25 +0000 (09:22 +0200)]
auth/spnego: inline gensec_spnego_update_client() into gensec_spnego_update_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split out a gensec_spnego_server_negTokenTarg() function
Stefan Metzmacher [Fri, 7 Jul 2017 07:18:18 +0000 (09:18 +0200)]
auth/spnego: split out a gensec_spnego_server_negTokenTarg() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: introduce a 'struct spnego_negTokenTarg *ta' helper variable in gensec_s...
Stefan Metzmacher [Fri, 7 Jul 2017 07:05:29 +0000 (09:05 +0200)]
auth/spnego: introduce a 'struct spnego_negTokenTarg *ta' helper variable in gensec_spnego_update_server()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split out a gensec_spnego_client_negTokenTarg() function
Stefan Metzmacher [Fri, 7 Jul 2017 07:01:18 +0000 (09:01 +0200)]
auth/spnego: split out a gensec_spnego_client_negTokenTarg() function

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make more use of the 'ta' helper variable in gensec_spnego_update_client()
Stefan Metzmacher [Fri, 7 Jul 2017 06:42:08 +0000 (08:42 +0200)]
auth/spnego: make more use of the 'ta' helper variable in gensec_spnego_update_client()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split out a gensec_spnego_server_negTokenInit() function.
Stefan Metzmacher [Fri, 7 Jul 2017 06:30:24 +0000 (08:30 +0200)]
auth/spnego: split out a gensec_spnego_server_negTokenInit() function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: split out a gensec_spnego_client_negTokenInit() function.
Stefan Metzmacher [Fri, 7 Jul 2017 06:11:32 +0000 (08:11 +0200)]
auth/spnego: split out a gensec_spnego_client_negTokenInit() function.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()
Stefan Metzmacher [Fri, 7 Jul 2017 06:00:00 +0000 (08:00 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_client()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenI...
Stefan Metzmacher [Fri, 7 Jul 2017 05:58:51 +0000 (07:58 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_create_negTokenInit()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()
Stefan Metzmacher [Wed, 28 Jun 2017 12:53:49 +0000 (14:53 +0200)]
auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in gensec_spnego_update_send()

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()
Stefan Metzmacher [Fri, 7 Jul 2017 05:53:29 +0000 (07:53 +0200)]
auth/spnego: simplify the error handling logic in gensec_spnego_parse_negTokenInit()

We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.

Check with git show -U10

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_updat...
Stefan Metzmacher [Thu, 6 Jul 2017 13:36:36 +0000 (15:36 +0200)]
auth/spnego: call gensec_spnego_create_negTokenInit() directly in gensec_spnego_update_send()

This simplifies further refactoring.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()

It's easier to have this in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()

In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()
Stefan Metzmacher [Wed, 5 Jul 2017 07:59:16 +0000 (09:59 +0200)]
auth/spnego: introduce a 'spnego_in' helper variable in gensec_spnego_update_client()

In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spneg...
Stefan Metzmacher [Fri, 30 Dec 2016 11:59:01 +0000 (12:59 +0100)]
auth/spnego: skip gensec_update_ev() if sub_sec_ready is already true in gensec_spnego_update_server()

This matches the flow already used in the client case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()
Stefan Metzmacher [Wed, 14 Jun 2017 01:39:02 +0000 (03:39 +0200)]
auth/spnego: move gensec_update_ev() out of gensec_spnego_server_try_fallback()

This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago  auth/spnego: Fix whitespace and indent in gensec_spnego_server_try_fallback()
Andreas Schneider [Wed, 19 Jul 2017 08:47:37 +0000 (10:47 +0200)]
auth/spnego: Fix whitespace and indent in gensec_spnego_server_try_fallback()

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
22 months ago  s3:tests: Add tests for smbspool_krb5_wrapper
Andreas Schneider [Tue, 11 Jul 2017 08:59:59 +0000 (10:59 +0200)]
s3:tests: Add tests for smbspool_krb5_wrapper

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 25 13:17:13 CEST 2017 on sn-devel-144

22 months ago  s3:client: Use KRB5CCNAME in smbspool_krb5_wrapper if set
Andreas Schneider [Wed, 12 Jul 2017 14:07:25 +0000 (16:07 +0200)]
s3:client: Use KRB5CCNAME in smbspool_krb5_wrapper if set

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  s3:tests: Add test for smbspool
Andreas Schneider [Tue, 11 Jul 2017 08:58:11 +0000 (10:58 +0200)]
s3:tests: Add test for smbspool

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
22 months ago  s3:client: Only use kerberos if credential cache exists in smbspool
Andreas Schneider [Tue, 11 Jul 2017 07:41:08 +0000 (09:41 +0200)]
s3:client: Only use kerberos if credential cache exists in smbspool

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  s3:client: Make it possible to use smbspool in selftest
Andreas Schneider [Mon, 24 Jul 2017 10:27:50 +0000 (12:27 +0200)]
s3:client: Make it possible to use smbspool in selftest

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
22 months ago  s3:client: Fix the usage of argv in smbspool
Andreas Schneider [Tue, 11 Jul 2017 08:40:39 +0000 (10:40 +0200)]
s3:client: Fix the usage of argv in smbspool

We use argv[0] to print the name of the binary, but have shifted it
away. Do not do that.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  s3:printing: Fix setting the first jobnum
Andreas Schneider [Wed, 12 Jul 2017 11:14:08 +0000 (13:14 +0200)]
s3:printing: Fix setting the first jobnum

This is just something logical. The define is called first jobnum but
the first one was always 101.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  s3:printing: Do not segfault in vlp if no command has been specified
Andreas Schneider [Wed, 12 Jul 2017 11:07:08 +0000 (13:07 +0200)]
s3:printing: Do not segfault in vlp if no command has been specified

We should just print the usage() and return.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  uwrap: Update to version 1.2.4
Andreas Schneider [Thu, 13 Jul 2017 06:57:13 +0000 (08:57 +0200)]
uwrap: Update to version 1.2.4

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
22 months ago  selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Andrew Bartlett [Mon, 17 Jul 2017 21:03:17 +0000 (09:03 +1200)]
selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144

22 months ago  s4-netlogon: Use log_escape to protect against un-validated strings
Andrew Bartlett [Mon, 17 Jul 2017 20:57:03 +0000 (08:57 +1200)]
s4-netlogon: Use log_escape to protect against un-validated strings

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms
Andrew Bartlett [Mon, 17 Jul 2017 20:46:08 +0000 (08:46 +1200)]
s4-netlogon: Extend ServerAuthenticate3 logging to split up username forms

This splits out the username into the input, mapped and obtained
just as we do elsewhere.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  source4 netlogon: Add authentication logging for ServerAuthenticate3
Gary Lockyer [Sun, 9 Jul 2017 19:48:08 +0000 (07:48 +1200)]
source4 netlogon: Add authentication logging for ServerAuthenticate3

Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  tests auth_log: Add new tests for NETLOGON
Gary Lockyer [Sun, 9 Jul 2017 19:46:26 +0000 (07:46 +1200)]
tests auth_log: Add new tests for NETLOGON

Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing.

Test code based on the existing auth_log tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  tests auth_log: Modify existing tests to handle NETLOGON messages
Gary Lockyer [Sun, 9 Jul 2017 19:45:16 +0000 (07:45 +1200)]
tests auth_log: Modify existing tests to handle NETLOGON messages

Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately.  Ignoring it in these tests avoids order dependencies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 22:59:18 +0000 (10:59 +1200)]
auth_log: use symbolic constant to replace /root/ncalrpc_as_system

Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  rpc: use symbolic constant to replace /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 23:00:45 +0000 (11:00 +1200)]
rpc: use symbolic constant to replace /root/ncalrpc_as_system

Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of string literal
"/root/ncalrpc_as_system"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system
Gary Lockyer [Sun, 23 Jul 2017 22:55:48 +0000 (10:55 +1200)]
dcerpc.idl Add symbolic constant for /root/ncalrpc_as_system

This string is used in several places in the code and tests, so it
should be a constant.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
22 months ago  mit-kdb: Fix NULL pointer check after malloc
Andreas Schneider [Mon, 24 Jul 2017 10:19:27 +0000 (12:19 +0200)]
mit-kdb: Fix NULL pointer check after malloc

This fixes building with GCC 7.1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jul 24 18:45:34 CEST 2017 on sn-devel-144

22 months ago  s4:kcc: Add a NULL check before qsort()
Andreas Schneider [Mon, 24 Jul 2017 10:13:50 +0000 (12:13 +0200)]
s4:kcc: Add a NULL check before qsort()

This fixes building with GCC 7.1.1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12930

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
22 months ago  smb.conf: Explain that "ntlm auth" is a per-passdb setting
Andrew Bartlett [Mon, 24 Jul 2017 02:09:19 +0000 (14:09 +1200)]
smb.conf: Explain that "ntlm auth" is a per-passdb setting

This parameter has always applied to this passdb only, not to domain
authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
22 months ago samdb/cracknames: support user and service principal as desired format
Bob Campbell [Wed, 5 Jul 2017 04:08:11 +0000 (16:08 +1200)]
samdb/cracknames: support user and service principal as desired format

This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

This also causes the test in cracknames.py to no longer fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144

22 months ago samdb/cracknames: do not show recycled when a guid is desired
Bob Campbell [Tue, 4 Jul 2017 23:15:04 +0000 (11:15 +1200)]
samdb/cracknames: do not show recycled when a guid is desired

Previously, when a GUID was desired to
cracknames, it would include recycled objects as well. This would
sometimes result in two objects being returned from a query which is
supposed to return a unique GUID. For example, if a deleted user had
the same sAMAccountName as a non-deleted user and cracknames was used to
find the GUID of this account, it would return two GUIDs, and so would
fail with DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
22 months ago python/tests: add python test for cracknames
Bob Campbell [Tue, 4 Jul 2017 23:08:45 +0000 (11:08 +1200)]
python/tests: add python test for cracknames

This fails due to the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
22 months ago selftest: Make --include-env and --exclude-env use the base env name
Andrew Bartlett [Fri, 21 Jul 2017 08:10:43 +0000 (20:10 +1200)]
selftest: Make --include-env and --exclude-env use the base env name

The code as deployed would have required (eg) '--include-env=ktest
--include-env=ktest:local' which was not done in autobuild, causing
tests to be skipped.  This patch restores the intended behaviour.

This causes 33 testsuites to run, one more test (the newly added
samba.tests.ntlmauth) than the old regex provided (before
602772159dfd1213385f42ecbf31136f57693b63).

(The regression dropped us down to matching only 7 tests).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144

22 months ago ctdb-tests: Add event script startup/shutdown tests
Martin Schwenke [Tue, 18 Jul 2017 20:09:15 +0000 (06:09 +1000)]
ctdb-tests: Add event script startup/shutdown tests

For vsftpd, httpd, winbind.  These should help to catch typo
regressions.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Sun Jul 23 19:31:08 CEST 2017 on sn-devel-144

22 months ago ctdb-scripts: Fix a typo
Martin Schwenke [Mon, 17 Jul 2017 05:36:42 +0000 (15:36 +1000)]
ctdb-scripts: Fix a typo

This is a regression introduced in commit
e847ec3ae24cc6c8c69284c7fe0791a319cf7142

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
22 months ago s4-drepl: Block GetNCChanges during a DsReplicaSync
Andrew Bartlett [Sat, 22 Jul 2017 10:00:59 +0000 (22:00 +1200)]
s4-drepl: Block GetNCChanges during a DsReplicaSync

If we do not block these, we can get RPC faults
(DCERPC_NCA_S_PROTO_ERROR) which gives WERR_WRITE_FAULT back to the
DsReplicaSync call as there are two outstanding requests on the wire
at the one time.

We will get to the next operation as soon as this is finished
when we call run_pending_ops().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12926

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jul 23 12:32:49 CEST 2017 on sn-devel-144

22 months ago s3: libsmb: Fix use-after-free when accessing pointer *p.
Thomas Jarosch [Sat, 22 Jul 2017 16:36:18 +0000 (09:36 -0700)]
s3: libsmb: Fix use-after-free when accessing pointer *p.

talloc_asprintf_append() might call realloc()
and therefore move the memory address of "path".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12927

Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jul 22 22:45:05 CEST 2017 on sn-devel-144

22 months ago s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler
Andrew Bartlett [Fri, 21 Jul 2017 05:52:04 +0000 (17:52 +1200)]
s4-drepl: Use tevent_schedule_immediate() in DsReplicaSync handler

When we are sent a DsReplicaSync() we should work on inbound replication
(ideally from the requested source, but so far we just start the whole queue)
right away, not after 1 second.

We should also target inbound replication, not any outbound replication
notification that may happen to be due.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12921

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jul 22 07:45:31 CEST 2017 on sn-devel-144

22 months ago ldb: version 1.2.1 ldb-1.2.1
Stefan Metzmacher [Fri, 21 Jul 2017 12:36:08 +0000 (14:36 +0200)]
ldb: version 1.2.1

* Bug #12882: Do not install _ldb_text.py if we have system libldb
* Use libraries from build dir for testsuite
* Bug #12900: Fix index out of bound in ldb_msg_find_common_values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Jul 22 03:46:25 CEST 2017 on sn-devel-144

22 months ago tevent: version 0.9.33 tevent-0.9.33
Stefan Metzmacher [Fri, 21 Jul 2017 12:34:59 +0000 (14:34 +0200)]
tevent: version 0.9.33

* make tevent_req_print() more robust against crashes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago tevent: handle passing req = NULL to tevent_req_print()
Stefan Metzmacher [Thu, 20 Jul 2017 12:20:03 +0000 (14:20 +0200)]
tevent: handle passing req = NULL to tevent_req_print()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print()
Stefan Metzmacher [Thu, 20 Jul 2017 12:16:44 +0000 (14:16 +0200)]
tevent: avoid calling talloc_get_name(NULL) in tevent_req_default_print()

We have the same information available under req->internal.private_type.

This way it's possible to call tevent_req_print() after
tevent_req_received() was called.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago talloc: version 2.1.10 talloc-2.1.10
Stefan Metzmacher [Fri, 21 Jul 2017 12:33:57 +0000 (14:33 +0200)]
talloc: version 2.1.10

* build, documentation and python3 improvements

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
22 months ago s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done()
Stefan Metzmacher [Thu, 20 Jul 2017 09:56:21 +0000 (11:56 +0200)]
s4:http/gensec: add missing tevent_req_done() to gensec_http_ntlm_update_done()

This was missing in commit d718e92d5e145dccd492c46febc249e462ce50c6.

Sadly we can't have automated tests for this as we only implement
the client side for this protocol.

I've tested with using:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=basic] \
  rpc.epmapper.epmapper.Lookup_simple \

and:

bin/smbtorture \
  -W BLA --realm=BLA.BASE \
  -s /dev/null -Uadministrator%A1b2C3d4 \
  ncacn_http:w2k8r2-219[593,RpcProxy=w2k8r2-219.bla.base,HttpUseTls=false,HttpAuthOption=ntlm] \
  rpc.epmapper.epmapper.Lookup_simple \

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12919

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 21 23:29:39 CEST 2017 on sn-devel-144

22 months ago winbindd: avoid refreshing sequence number when domain is offline
Uri Simchoni [Wed, 7 Jun 2017 17:34:33 +0000 (20:34 +0300)]
winbindd: avoid refreshing sequence number when domain is offline

When there's no connectivity to the domain, avoid attempting to
refresh the sequence number. Before the change, this was avoided
only if winbind offline logon was enabled. However, being
able to operate based on cached data is desired even when
offline logons are disabled (offline logons are about caching
credentials for PAM authentication, a user may not want this
and still want service from the SMB server during short
AD disconnects).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
22 months ago winbindd: queryuser - only get group name if needed
Uri Simchoni [Wed, 7 Jun 2017 17:33:57 +0000 (20:33 +0300)]
winbindd: queryuser - only get group name if needed

When calculating the user entry for a user, the
primary group id *name* might be needed if it is
part of a home dir / shell template (%g or %G).

Only resolve primary group SID to primary group name
if it is needed, thereby saving a round-trip to the DC
(and better handling situations where it is disconnected).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
22 months ago winbindd: cache name-to-sid from PAC based on lookup domain
Uri Simchoni [Wed, 7 Jun 2017 17:33:24 +0000 (20:33 +0300)]
winbindd: cache name-to-sid from PAC based on lookup domain

The name-to-sid lookup for trusted domains is not necessarily
done against the domain - in AD member case it is done
against the primary domain. Therefore the caching should also
be done against the lookup domain.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
22 months ago vfs_ceph: fix cephwrap_chdir()
David Disseldorp [Fri, 14 Jul 2017 21:55:29 +0000 (23:55 +0200)]
vfs_ceph: fix cephwrap_chdir()

When provided a '/' path (i.e. CephFS root), vfs_ceph does a *local*
chdir() to the share path. This breaks smb client directory listings.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12911

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 21 19:10:46 CEST 2017 on sn-devel-144

22 months ago selftest: Add test for password change when NTLM is disabled
Tim Beale [Tue, 4 Jul 2017 05:27:27 +0000 (17:27 +1200)]
selftest: Add test for password change when NTLM is disabled

When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144

22 months ago getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with...
Andrew Bartlett [Thu, 20 Apr 2017 02:00:21 +0000 (14:00 +1200)]
getncchanges: Do not segfault if somehow we get 0 results from an ldb_search with scope BASE

This should not happen, but we have seen this happen in autobuild
before the whole-DB locking issues were resolved by
https://bugzilla.samba.org/show_bug.cgi?id=12858

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
22 months ago build: fix ceph_statx check when configured with libcephfs_dir
David Disseldorp [Thu, 20 Jul 2017 09:10:57 +0000 (11:10 +0200)]
build: fix ceph_statx check when configured with libcephfs_dir

When configured with a custom libcephfs_dir, the ceph_statx check fails
to link. This is due to the location of the ceph-common dependency,
which is installed under a ceph subdirectory.

ceph/build > make DESTDIR=./inst install
...
ceph/build > find inst/|grep -e /libcephfs -e /libceph-common
inst/usr/local/lib64/ceph/libceph-common.so.0
inst/usr/local/lib64/ceph/libceph-common.so
inst/usr/local/lib64/libcephfs.so.2.0.0
inst/usr/local/lib64/libcephfs.so.2
inst/usr/local/lib64/libcephfs.so
inst/usr/local/include/cephfs/libcephfs.h

Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Jeff Layton <jlayton@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Jul 20 23:02:27 CEST 2017 on sn-devel-144

22 months ago s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)
Noel Power [Thu, 20 Jul 2017 12:01:50 +0000 (13:01 +0100)]
s3/utils: smbcacls failed to detect DIRECTORIES using SMB2 (windows only)

uint16_t get_fileinfo(...) returns file attributes; this function
called

     cli_qfileinfo_basic(cli, fnum, &mode, NULL, NULL, NULL,
                     NULL, NULL, NULL);

which was failing with NT_STATUS_ACCESS_DENIED errors when the fnum above
was obtained via the call below (when using protocol > SMB). Note: This only seems to be
an issue when run against a windows server; with smbd, SMB1 & SMB2 work fine.

    status = cli_ntcreate(cli, filename, 0, CREATE_ACCESS_READ,
                  0, FILE_SHARE_READ|FILE_SHARE_WRITE,
                  FILE_OPEN, 0x0, 0x0, &fnum, NULL);

The failing cli_qfileinfo_basic call above is unnecessary as we can already
obtain the required information from the cli_ntcreate call.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>