Karolin Seeger [Tue, 29 Jan 2013 10:11:55 +0000 (11:11 +0100)]
VERSION: Bump version number up to 4.0.2.
Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Karolin Seeger [Tue, 29 Jan 2013 10:09:41 +0000 (11:09 +0100)]
WHATSNEW: Update release notes for Samba 4.0.2.
Bug 9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Bug 9577 - CVE-2013-0214: Potential XSRF in SWAT.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Kai Blin [Sun, 20 Jan 2013 07:58:08 +0000 (08:58 +0100)]
swat: Use additional nonce on XSRF protection
If the user had a weak password on the root account of a machine running
SWAT, there still was a chance of being targetted by an XSRF on a
malicious web site targetting the SWAT setup.
Use a random nonce stored in secrets.tdb to close this possible attack
window. Thanks to Jann Horn for reporting this issue.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9577 - CVE-2013-0214: Potential XSRF in SWAT.
Kai Blin [Fri, 18 Jan 2013 22:11:07 +0000 (23:11 +0100)]
swat: Use X-Frame-Options header to avoid clickjacking
Jann Horn reported a potential clickjacking vulnerability in SWAT where
the SWAT page could be embedded into an attacker's page using a frame or
iframe and then used to trick the user to change Samba settings.
Avoid this by telling the browser to refuse the frame embedding via the
X-Frame-Options: DENY header.
Signed-off-by: Kai Blin <kai@samba.org>
Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
Stefan Metzmacher [Thu, 10 Jan 2013 11:55:51 +0000 (12:55 +0100)]
VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 10 Jan 2013 11:55:14 +0000 (12:55 +0100)]
WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 9 Jan 2013 22:30:38 +0000 (09:30 +1100)]
dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 9 Jan 2013 05:59:18 +0000 (16:59 +1100)]
dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
This seems inefficient, but is needed for correctness. The
alternative might be to have the sec_access_check_ds code confirm that
*all* of the nodes in the object tree have been cleared to
node->remaining_bits == 0.
Otherwise, I fear that write access to one attribute will become write
access to all attributes.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 3 Jan 2013 09:39:23 +0000 (20:39 +1100)]
libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
It is critically important that we initialise this element as otherwise
all access is permitted.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Karolin Seeger [Tue, 11 Dec 2012 17:01:14 +0000 (18:01 +0100)]
VERSION: Bump version number up to 4.0.0.
And disable git snapshots.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 16:56:18 +0000 (17:56 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Michael Adam [Tue, 11 Dec 2012 15:13:39 +0000 (16:13 +0100)]
selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and s4member environments
These currently fail in a corner case.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
The last 9 patches address bug #9414 - 'samba-tool user add' ignores password
complexity settings.
Michael Adam [Tue, 11 Dec 2012 12:34:49 +0000 (13:34 +0100)]
s4:torture:rpc:samr: fix password age calculation in test_ChangePasswordUser3()
The min_password_age field is the negative of the age.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:21:11 +0000 (13:21 +0100)]
s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:18:00 +0000 (13:18 +0100)]
s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
This matches the windows behavior.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:04:22 +0000 (13:04 +0100)]
s4:dsdb/password_hash: do the min password age checks first
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 22:56:47 +0000 (23:56 +0100)]
s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Tue, 11 Dec 2012 10:42:11 +0000 (11:42 +0100)]
s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)]
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Karolin Seeger [Tue, 11 Dec 2012 14:32:11 +0000 (15:32 +0100)]
WHATSNEW: Fix typo.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 13:56:02 +0000 (14:56 +0100)]
WHATSNEW: Add link to the whitepaper.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 13:44:31 +0000 (14:44 +0100)]
WHATSNEW: Move AD stuff to the corresponding paragraph.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 12:24:26 +0000 (13:24 +0100)]
WHATSNEW: Update release notes.
Apply changes provided by Andrew Bartlett.
Thanks!
Karolin
Karolin Seeger [Tue, 11 Dec 2012 11:04:24 +0000 (12:04 +0100)]
WHATSNEW: Update release notes.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 08:05:47 +0000 (09:05 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Dec 11 10:49:36 CET 2012 on sn-devel-104
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
(cherry picked from commit
914a61d9e5b7a182592f3afe60f4dad1cd342fc4)
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
8eb359c23c6379be1ccc32e27fd2316d77a7c7b3)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
19b03834f08c2a6645a31fe18121534c692c18d1)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
e1301fef735b305736db0b6db335c37aa9fea832)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
ebb0a88722d416ad470497fd6ffa7b26abfe58bc)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
999c068113af6158355634eb9a9c4b5a4d3066d8)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
649fb5b61492562f1400996a6ccf33af17af5b6b)
Stefan Metzmacher [Tue, 11 Dec 2012 01:01:12 +0000 (02:01 +0100)]
s4:dsdb/descriptor: pass object_list to create_security_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
a97b5f219678e409a851d9caf8317a6ef130c12f)
Stefan Metzmacher [Tue, 11 Dec 2012 02:17:42 +0000 (03:17 +0100)]
libcli/security: calculate the correct inherited_object GUID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
d20c46a520a7e39dd87476cd81edab56b5543892)
Stefan Metzmacher [Tue, 11 Dec 2012 01:00:38 +0000 (02:00 +0100)]
libcli/security: implement object_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
75729e6703c5b5dff7feefed590086898fc03c74)
Karolin Seeger [Tue, 11 Dec 2012 08:00:44 +0000 (09:00 +0100)]
WHATSNEW: Update release notes for Samba 4.0.0.
Karolin
Michael Adam [Mon, 10 Dec 2012 14:06:27 +0000 (15:06 +0100)]
s3:auth: fix create_token_from_sid() to not fail in the winbindd case
Commit
1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored
the sid-based variant out of create_token_from_username() broke
the case of a user handled by winbindd in that the "found_username"
was set to NULL which caused the function to fail with
NT_STATUS_NO_MEMORY further down.
This patch fixes the function so that the case of found_username == NULL
is cleanly separated from the NO_MEMORY case and the caller can provide
the username in this case, if required.
This fixes bug #9457.
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
(cherry picked from commit
c5b150b33fc54ed97dbd0736cc6f4c15977d6e70)
Michael Adam [Mon, 10 Dec 2012 20:56:42 +0000 (21:56 +0100)]
s3:auth: fix function header comment for user_sid_in_group_sid()
This is embarrassing: the commit
0770a4c01bef26ec51321cd5b97aea4eab9e00a8
which intended to fix an earlier copy'n'paste error, contained another
typo, fixed with this commit...
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
(cherry picked from commit
1d949cb0e51a086006612271d6f08305b68aa09c)
Michael Adam [Mon, 10 Dec 2012 13:48:43 +0000 (14:48 +0100)]
s3:auth: fix header comment for user_sid_in_group_sid()
This function was created in
1c3c5e2156d9096f60bd53a96b88c2f1001d898a
and the header comment contained copy'n'paste errors from the original
function user_in_group_sid() that took the user name.
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
0770a4c01bef26ec51321cd5b97aea4eab9e00a8)
Stefan Metzmacher [Fri, 7 Dec 2012 17:58:57 +0000 (18:58 +0100)]
s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps working
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Dec 10 15:41:12 CET 2012 on sn-devel-104
(cherry picked from commit
53b736444d55c4eed3abbc34974b655cc2607cd6)
The last 13 patches address bug #9470 - MMC crashes.
Stefan Metzmacher [Thu, 6 Dec 2012 13:04:47 +0000 (14:04 +0100)]
s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags interaction
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
e617a3fecb797031cf5a6545d51d7e116716ab52)
Stefan Metzmacher [Thu, 6 Dec 2012 14:56:26 +0000 (15:56 +0100)]
s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
If the sd_flags control is specified, we should return nTSecurityDescriptor
only if the client asked for all attributes.
If there's a list of only explicit attribute names, we should ignore
the sd_flags control.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
6bc2caed8b3f153f92af013275f39c803f886a22)
Stefan Metzmacher [Thu, 6 Dec 2012 11:36:09 +0000 (12:36 +0100)]
s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is given (bug #9470)
Not returning the nTSecurityDescriptor causes a lot of problems.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
22bb2fd868b8df2244b801aeaa515a8a4036bce8)
Stefan Metzmacher [Thu, 6 Dec 2012 11:29:49 +0000 (12:29 +0100)]
s4:dsdb/acl_read: give some variables a better name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
4f8558ffaf4c9fb9e350ec528ec1ce60de5f2e24)
Stefan Metzmacher [Fri, 7 Dec 2012 17:40:25 +0000 (18:40 +0100)]
s4:dsdb/acl_read: fix the calculation of the attribute array for the sub search
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
db15fcfa899e1fe4d6994f68ceb299921b8aa6f1)
Stefan Metzmacher [Fri, 7 Dec 2012 17:39:29 +0000 (18:39 +0100)]
s4:dsdb/acl_read: check the ldb_attr_list_copy_add() result
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
e2181617a00d7982e4e6ced1c51aa2ee8a40df26)
Stefan Metzmacher [Fri, 7 Dec 2012 18:02:10 +0000 (19:02 +0100)]
s4:dsdb/dirsync: fix potential talloc hierachy problems (bug #9470)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
6bcafceb750d5c4d24e2ddbef35b411bebccd66f)
Stefan Metzmacher [Fri, 7 Dec 2012 12:56:21 +0000 (12:56 +0000)]
s4:dsdb/descriptor: fix replication of NC heads
The sub NC heads maybe replicated with the parent partition,
if we don't need to recalculate the nTSecurityDescriptor attribute in that
case, the replication of the of the sub partition should handle that.
This fixes error messages like this:
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
734d14b54834a4d03e67bcaece4f4e3cf1d10925)
Stefan Metzmacher [Fri, 7 Dec 2012 12:39:31 +0000 (13:39 +0100)]
s4:dsdb/acl_read: improve debugging for fatal error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
802124789513ef207a154ee950dc03e66a80e0b1)
Stefan Metzmacher [Fri, 7 Dec 2012 10:02:49 +0000 (11:02 +0100)]
s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
Some modules might not allocate values on the correct memory context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
14b5b729049d92c30ba518adb82c9396fdddd09f)
Stefan Metzmacher [Fri, 7 Dec 2012 10:08:14 +0000 (10:08 +0000)]
s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
We should keep the talloc hierarchy sane.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
3535f8effefef6a68d2b686abe2769d797531dd9)
Stefan Metzmacher [Fri, 7 Dec 2012 09:34:58 +0000 (10:34 +0100)]
s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
We should always update the ts_last_change.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
944b6863a71efc48ccc8cd9ae8ad1a3081bc1805)
Karolin Seeger [Mon, 10 Dec 2012 09:12:59 +0000 (10:12 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Dec 10 11:56:00 CET 2012 on sn-devel-104
Günther Deschner [Fri, 7 Dec 2012 11:51:10 +0000 (12:51 +0100)]
s4-torture: call the s4u2self tests with arcfour and aes.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104
(cherry picked from commit
ade5bfd304cc806758a58f04b35834cd730dd9ba)
The last 28 patches address bug #9438 - netr_ServerPasswordSet2,
netr_LogonSamLogon with netlogon AES broken.
Günther Deschner [Fri, 7 Dec 2012 11:57:18 +0000 (12:57 +0100)]
s4-torture: precalculate expected session keys from samlogon in schannel test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d0bad6c3350698b26ba009bb0c91d0265cc22f60)
Günther Deschner [Fri, 7 Dec 2012 11:38:16 +0000 (12:38 +0100)]
libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
f6cb8049b2fe62054d254a006b8a39f000d1d1d5)
Günther Deschner [Fri, 7 Dec 2012 00:05:00 +0000 (01:05 +0100)]
libcli/auth: remove trailing whitespace.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
be296a21fc509cacaedb5aad0c3ca4ccd44b4a62)
Günther Deschner [Thu, 6 Dec 2012 14:21:02 +0000 (15:21 +0100)]
s3-auth: remove crypto from serverinfo_to_SamInfoX calls.
All crypto is dealt with within the netlogon samlogon server now.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
f2d9589b178c0e3374e1c1ad363639b9e2bdce5f)
Günther Deschner [Thu, 6 Dec 2012 13:54:25 +0000 (14:54 +0100)]
s3-rpc_server: Remove obsolete process_creds boolean in samlogon server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
c1fb595081c2b0bf66bce06c09750f53e8031311)
Günther Deschner [Thu, 6 Dec 2012 13:31:32 +0000 (14:31 +0100)]
s3-auth: session keys in validation level 6 samlogon replies are *not* encrypted.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
7f435bd649f0b313804f40807a38de9478478b6c)
Günther Deschner [Wed, 5 Dec 2012 18:49:52 +0000 (19:49 +0100)]
s3-rpc_server: support AES for interactive netlogon samlogon password decryption.
Still need to fix AES support for the returned validation info.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
645289216eeb718eab1201dd3ad0a50fdf85753c)
Günther Deschner [Wed, 5 Dec 2012 15:24:24 +0000 (16:24 +0100)]
s4-rpc_server: support AES encryption in interactive and generic samlogon.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
71572632bd33dcb5c03a701bbb72a707e5642237)
Günther Deschner [Wed, 5 Dec 2012 18:52:54 +0000 (19:52 +0100)]
s3-rpc_server: we need to encrypt OWFs using DES in _netr_ServerGetTrustInfo().
Sumit, please check.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
a52115ce67c2e5bd1e478d7601483fd2490aea31)
Günther Deschner [Wed, 5 Dec 2012 17:06:54 +0000 (18:06 +0100)]
s4-torture: validate owf password hash and negotiate AES in forest trust test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
6aec126566d01dd9ddbbd5488f73b61729094a52)
Günther Deschner [Wed, 5 Dec 2012 16:59:12 +0000 (17:59 +0100)]
s4-torture: validate owf password hash and negotiate AES ServerGetTrustInfo test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
83b00afe9f2116ef04378c251070143595450a3e)
Günther Deschner [Wed, 5 Dec 2012 15:37:02 +0000 (16:37 +0100)]
s3-rpc_server: pass down netlogon cred state in _netr_ServerGetTrustInfo().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
306a78d97f2fdfaa81c58bafdebcfab0fb8f1636)
Günther Deschner [Wed, 5 Dec 2012 17:38:01 +0000 (18:38 +0100)]
s4-torture: use netlogon_creds_arcfour_crypt() in samba3rpc test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
fd7087020344f7d24737e3be2f3afbd0417b0026)
Günther Deschner [Wed, 5 Dec 2012 15:21:59 +0000 (16:21 +0100)]
s4-torture: exit early when join fails in samba3rpc tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
4afb7dcb43c6903568c0fe2c2c2044706e9bd613)
Günther Deschner [Wed, 5 Dec 2012 15:20:14 +0000 (16:20 +0100)]
s4-torture: support AES encryption in interactive samlogon tests in rpc.samr.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
5089442bfdbeff7314e589387c3702f9c401e12a)
Günther Deschner [Wed, 5 Dec 2012 15:23:34 +0000 (16:23 +0100)]
s4-torture: support AES encryption in pac_verify/generic samlogon netlogon tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d94f012f3fb428027709a9c8becf8edb85072463)
Günther Deschner [Wed, 5 Dec 2012 15:11:19 +0000 (16:11 +0100)]
s4-torture: use names for r.in.logon_level of netlogon samlogon requests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3dffd29904b3de145941a7420d56b30611f9616f)
Günther Deschner [Tue, 4 Dec 2012 22:11:10 +0000 (23:11 +0100)]
s4-torture: remove trailing whitespace in smbtorture remote_pac test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
7ea9da0c9f0a0a8de416534d6cb1b0248d13f6cf)
Günther Deschner [Fri, 30 Nov 2012 23:59:44 +0000 (00:59 +0100)]
s3-rpc_client: use netlogon_creds_aes_encrypt in interactive netlogon samlogon.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
c6f4745c5670e8da77078e19f2d6a3a485e7adc6)
Günther Deschner [Thu, 29 Nov 2012 21:47:40 +0000 (22:47 +0100)]
s4-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
01e69703fb8c58ab1940bb560e34f6c3f10e0ae9)
Günther Deschner [Thu, 29 Nov 2012 21:47:19 +0000 (22:47 +0100)]
s4-torture: add AES support for netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
3dc8c20b8a94063c6578b60750757c5a40d7db38)
Günther Deschner [Thu, 29 Nov 2012 21:44:33 +0000 (22:44 +0100)]
s4-torture: pass down netlogon flags in netr_ServerPasswordSet2 tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
0a091604a45b4b143745a20fa842878ceb745c39)
Günther Deschner [Thu, 29 Nov 2012 21:24:37 +0000 (22:24 +0100)]
s4-torture: remove trailing whitespace from netlogon test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
d1f481ffe17ce84ffddbedf1bd7efb0654e2807e)
Günther Deschner [Thu, 29 Nov 2012 20:35:04 +0000 (21:35 +0100)]
s3-rpc_server: support AES decryption in netr_ServerPasswordSet2 server.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
1362d542df715aa31e9b818ee8783b5ee35f8870)
Günther Deschner [Thu, 29 Nov 2012 20:34:36 +0000 (21:34 +0100)]
s3-rpc_client: support AES encryption in netr_ServerPasswordSet2 client.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
64345018cda744d16b123d6ef5c4a982340484dc)
Günther Deschner [Thu, 29 Nov 2012 20:30:24 +0000 (21:30 +0100)]
s3-rpc_client: use netlogon_creds_arcfour_crypt() in init_netr_CryptPassword.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
ec06c81db313f2862544c972cbf582a07bb844c2)
Günther Deschner [Thu, 29 Nov 2012 20:23:30 +0000 (21:23 +0100)]
libcli/auth: add netlogon_creds_aes_{en|de}crypt routines.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
429600c5f3079c8433d5a542383908d6ff61fe60)
Karolin Seeger [Sun, 9 Dec 2012 20:07:37 +0000 (21:07 +0100)]
WHATSNEW: Add changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Sun Dec 9 22:51:12 CET 2012 on sn-devel-104
Alexander Bokovoy [Fri, 7 Dec 2012 15:36:02 +0000 (17:36 +0200)]
wafsamba: Make sure md5 is really work before using it or overriding the hash function
In FIPS mode importing md5 Python module will not cause any error but calling md5.md5()
function will throw ValueError since md5 is not available.
Make sure md5.md5() actually works and if not, fall back to use hash replacement that
we already have in wafsamba.
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Dec 8 13:30:07 CET 2012 on sn-devel-104
(cherry picked from commit
56d9c8c4bf29eb473f9f4e7a7ef16fc6020db6b5)
Signed-off-by: Andreas Schneider <asn@samba.org>
Fix bug #9479 - Support FIPS mode when building Samba.
Tsukasa Hamano [Thu, 6 Dec 2012 21:01:33 +0000 (13:01 -0800)]
Fix bug #9471 - SEGV when using second vfs module.
Don't use default_classname_table when we obviously shoud be using
classname_table.
Reviewed by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Dec 7 17:51:50 CET 2012 on sn-devel-104
(cherry picked from commit
16d725b4f5ed77db865e2a3c27ae0eb4accca5a8)
Andrew Bartlett [Wed, 5 Dec 2012 01:52:22 +0000 (12:52 +1100)]
build: Install .po files for SWAT intl support
(cherry picked from commit
171c63c3c45743f215ad360f928d9506951ddcd8)
Fix bug #9415 - SWAT *.msg files not installed with waf.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Fri Dec 7 11:26:47 CET 2012 on sn-devel-104
Jeremy Allison [Tue, 4 Dec 2012 23:47:06 +0000 (15:47 -0800)]
Documentation fixes for bug #9462 - Users can not be given write permissions any more by default
Ensure we don't apply the masks + force modes on security setting
changes, only on create.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit
1ff1597e1feb45fd54b0d8dc6d8eabc7ace9073a)
The last 7 patches address bug #9462 - Users can not be given write permissions
any more by default.
Michael Adam [Wed, 5 Dec 2012 14:04:01 +0000 (15:04 +0100)]
s3:smbd: don't apply create/directory mask and modes in apply_default_perms()
The mask/mode parameters should only apply to a situation with only
pure posix permissions.
Once we are dealing with ACLs and inheritance, we need to do it correctly.
This fixes bug #9462: Users can not be given write permissions any more by default
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2013bb9b4dbed747921df2591068e2765428f57d)
Jeremy Allison [Tue, 13 Nov 2012 19:22:15 +0000 (11:22 -0800)]
Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs.
Not caught by make test as it's an extreme edge case for strange
incoming ACLs. I only found this as I'm making raw.acls and smb2.acls
pass against 3.6.x and 4.0.0 with acl_xattr mapped onto a POSIX backend.
An incoming inheritable ACE entry containing only one permission,
WRITE_DATA maps into a POSIX owner perm of "-w-", which violates
the principle that the owner of a file/directory can always read.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Nov 15 19:52:52 CET 2012 on sn-devel-104
(cherry picked from commit
cf1540b73714fac6b25de5942cbd821e5f4f6ffc)
Arvid Requate [Sat, 10 Nov 2012 09:40:32 +0000 (10:40 +0100)]
s3:smbd: Fix typo in got_duplicate_group check
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 10 20:25:48 CET 2012 on sn-devel-104
(cherry picked from commit
c06d602d7f3b8d3da972071a1b5392c6b145133f)
Jeremy Allison [Fri, 5 Oct 2012 22:48:07 +0000 (15:48 -0700)]
Modify ensure_canon_entry_valid() into ensure_canon_entry_valid_on_set() - makes the logic clearer.
(cherry picked from commit
47ebc8fbc93ee1eb9640d9ca30275fcfc3b50026)
Michael Adam [Thu, 6 Dec 2012 09:38:40 +0000 (10:38 +0100)]
Revert "Fix bug 9376 - ensure_canon_entry_valid generates duplicate SMB_ACL_GROUP, acl_valid fails."
This reverts commit
e122c7d24b10119c9ea4d65e0099ff1690394457.
The patch will be picked again from master in the proper order
to reduce the need for conflict resolution.
Signed-off-by: Michael Adam <obnox@samba.org>
Michael Adam [Thu, 6 Dec 2012 09:38:11 +0000 (10:38 +0100)]
Revert "Another fix needed for bug #9236 - ACL masks incorrectly applied when setting ACLs."
This reverts commit
ce8beb781f7456e53262bd331ab3fbb8a100356b.
The patch will be picked again from master in the proper order
to reduce the need for conflict resolution.
Signed-off-by: Michael Adam <obnox@samba.org>
Richard Sharpe [Wed, 5 Dec 2012 01:21:29 +0000 (17:21 -0800)]
Fix bug #9460 - Samba 3.6.x and Master respond incorrectly to FILE_STREAM_INFO requests.
Ensure we check the buffer size correctly.
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 6 01:31:08 CET 2012 on sn-devel-104
(cherry picked from commit
943797c232f96a5dd411a803ad90b6980b2785b0)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Thu Dec 6 11:18:17 CET 2012 on sn-devel-104
Andreas Schneider [Tue, 4 Dec 2012 14:03:40 +0000 (15:03 +0100)]
BUG 9459: Install manpages only if we install the target.
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 4 18:07:47 CET 2012 on sn-devel-104
(cherry picked from commit
2ad562057a6d2f19056e90ece9b7c8be396e4662)
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Wed Dec 5 13:55:40 CET 2012 on sn-devel-104
Michael Adam [Tue, 4 Dec 2012 01:02:07 +0000 (02:02 +0100)]
s3:smbd:vfs_acl: fix a PANIC when setting an ACL fails with ACCESS_DENIED
Omission to free the talloc frame causes a panic (at least in developer mode)
in the next main event loop due to "Frame not freed in order."
(Freed frame ../source3/smbd/process.c:3617, expected ../source3/modules/vfs_acl_common.c:534.)
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 4 09:03:25 CET 2012 on sn-devel-104
(cherry picked from commit
4a8028a96e20f140c2d423efd4c010a7d300ca72)
Fix bug #9456 - developer-build: panic when acl_xattr fails with access denied.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Dec 4 13:34:24 CET 2012 on sn-devel-104
Karolin Seeger [Tue, 4 Dec 2012 10:04:55 +0000 (11:04 +0100)]
VERSION: Bump version number up to rc7.
And re-anable git snapshots.
Karolin
Karolin Seeger [Tue, 4 Dec 2012 10:03:23 +0000 (11:03 +0100)]
VERSION: Disable git snapshots to prepare rc6 release.
Karolin
Karolin Seeger [Tue, 4 Dec 2012 09:58:08 +0000 (10:58 +0100)]
WHATSNEW: Update changes since RC5.
Karolin
Karolin Seeger [Mon, 3 Dec 2012 08:08:47 +0000 (09:08 +0100)]
docs: Fix typo in the howto collection.
Thanks to Hermann Gausterer <git-samba-2012@mrq1.org> for reporting!
Karolin
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 3 12:36:14 CET 2012 on sn-devel-104
(cherry picked from commit
42a23653237bfc89ba90d83d91942746825e3ee9)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Dec 3 22:32:02 CET 2012 on sn-devel-104
Karolin Seeger [Fri, 30 Nov 2012 10:37:33 +0000 (11:37 +0100)]
docs: Update man 7 samba.
Update man 7 samba. Still incomplete, but at least a bit more up to date.
Karolin
Fix bug #9445 - samba.7 outdated.
git.samba.org / gary / samba-autobuild / .git / log