Andrew Bartlett [Mon, 20 Feb 2017 01:52:07 +0000 (14:52 +1300)]
auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:18:57 +0000 (14:18 +1300)]
ntlm_auth: Set ntlm_auth as the service_description into gensec
This allows this use case to be clearly found when logged.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:17:34 +0000 (14:17 +1300)]
s3-auth: Pass service_description into gensec via auth_generic_prepare()
This allows the GENSEC service description to be set from the various callers
that go via this function.
The RPC service description is the name of the interface from the IDL.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:15:46 +0000 (14:15 +1300)]
gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
This allows the GENSEC service description to be read at authentication time
for logging, eg that the user authenticated to the SAMR server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 00:32:47 +0000 (13:32 +1300)]
gensec: Add gensec_{get,set}_target_service_description()
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:04:52 +0000 (12:04 +1300)]
s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
This will allow a very verbose JSON line to be logged that others can audit from in the future
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:01:37 +0000 (12:01 +1300)]
s4-smbd: Remember the original client and server IPs from the SMB connection
We need to know in the RPC server the original address the client came from
so that we can log this with the authentication audit information
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 14 Mar 2017 03:43:06 +0000 (16:43 +1300)]
auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 16 Mar 2017 03:24:20 +0000 (16:24 +1300)]
TestBase: move insta_creds from password_lockout.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 20 Mar 2017 20:58:18 +0000 (09:58 +1300)]
python net: add username, oldpassword and domain to change_password
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 21 Mar 2017 03:00:38 +0000 (16:00 +1300)]
pysmb: Check for credentials using same method as pyrpc
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Mar 2017 22:07:49 +0000 (11:07 +1300)]
pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 17:13:48 +0000 (18:13 +0100)]
s3/smbd: make copy chunk asynchronous
Just use SMB_VFS_PREAD_SEND/RECV and SMB_VFS_PWRITE_SEND/RECV in a
sensible loop.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 28 21:36:18 CEST 2017 on sn-devel-144
Ralph Boehme [Sun, 12 Mar 2017 16:23:09 +0000 (17:23 +0100)]
vfs_default: move check for fsp->op validity
Move the check whether fsp->of is valid out of the copy loop in
vfswrap_copy_chunk_send().
It's sufficient to check src_fsp->op and dest_fsp->op once before the
copy loop. fsp->op can only be NULL for internal opens (cf file_new()),
it's not expected to become NULL behind our backs.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 17:34:22 +0000 (18:34 +0100)]
s3/smbd: optimize copy-chunk by merging chunks if possible
Merge chunks with adjacent ranges. This results in fewer IO requests for
the typical server-side file copy usecase: just one 16 MB copy instead
of sixteen 1 MB.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 08:17:03 +0000 (09:17 +0100)]
s3/smbd: implement a serializing async copy-chunk loop
Later commits will make the low level copy-chunk implementation async
using a thread pool. That means the individual chunks may be scheduled
and copied out-of-order at the low level.
According to conversation with MS Dochelp, a server implementation
must process individual chunks in order.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 07:26:37 +0000 (08:26 +0100)]
s3/smbd: move cc_copy into fsctl_srv_copychunk_state
No change, in behaviour, just preperational stuff to unroll the core
copy loop.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 16:18:39 +0000 (17:18 +0100)]
vfs_default: let copy_chunk_send use const from IDL
This also increases the buffer size from 8 MB to the current value of
COPYCHUNK_MAX_TOTAL_LEN which is 16 MB.
For the typical case when vfswrap_copy_chunk_send is called from the SMB
layer for an copy_chunk ioctl() the parameter "num" is guaranteed to be
at most 1 MB though.
It will only be larger for special callers like vfs_fruit for their
special implementation of copyfile where num will be the size of a file
to copy.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 8 Mar 2017 14:07:06 +0000 (15:07 +0100)]
s3/smbd: move copychunk ioctl limits to IDL
This will be needed in the next commit in vfs_default.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Björn Baumbach [Mon, 27 Mar 2017 15:43:07 +0000 (17:43 +0200)]
tdb/tools: add documentation for the tdbbackup -n option
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org
Uri Simchoni [Sun, 26 Mar 2017 09:02:09 +0000 (12:02 +0300)]
s3-libsmb: support rename and replace for SMB1
Add cli_smb1_rename_send() which renames a file via
setting FileRenameInformation.
Curretly this path is invoked only if replacing
an existing file is requested. This is because as far
as I can see, Windows uses CIFS rename for anything below
SMB2.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 06:14:43 +0000 (09:14 +0300)]
s3-libsmb: fail rename and replace inside cifs variant
Another refactoring step - fail request to rename and
replace existing file from within the CIFS version,
allowing the soon-to-be-added SMB version to succeed.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:54:42 +0000 (08:54 +0300)]
s3-libsmb: cli_cifs_rename_send()
Pure refactoring - current rename is [MS-CIFS] - style
rename. In later patch we'll introduce [MS-SMB] rename.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:10:34 +0000 (08:10 +0300)]
libcli: introduce smbXcli_conn_support_passthrough()
This routine queries the client connenction whether
it supports query/set InfoLevels beyond 1000 (which,
in Windows OS, is a pass-through mechanism to the
file system).
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:56:35 +0000 (23:56 +0200)]
manpages: update smbclient manpage with rename -f option
Document the -f option of the rename command.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:26:05 +0000 (23:26 +0200)]
smbclient: add -f option to rename command
This option causes the rename to request that the
destination file / directory be replaced if it exists.
Supported only in SMB2 and higher protocol.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:13:07 +0000 (23:13 +0200)]
s3: libsmb: add replace support to cli_rename()
Adds support for replacing the destination file at
the higher-level cli_rename(). This is actually supported
only by SMB2, and fails with invalid parameter with SMB1.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:02:48 +0000 (23:02 +0200)]
s3: libsmb: add replace support to SMB2 rename
SMB2 rename operation supports replacing the
destination file if it exists.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:52:47 +0000 (19:52 +0000)]
lib: Avoid an includes.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 8 Jan 2017 19:46:17 +0000 (19:46 +0000)]
lib: Remove an unnecessary include
This comes in via samba_util.h already
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 3 Jan 2017 14:05:51 +0000 (14:05 +0000)]
lib: Remove unused winbind_get_groups and _get_sid_aliases
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:10:29 +0000 (22:10 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no" - part 2
Add tests for regular access.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Mar 28 17:05:27 CEST 2017 on sn-devel-144
Jeremy Allison [Tue, 28 Mar 2017 00:09:38 +0000 (17:09 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Use the cwd_name parameter to reconstruct the original
client name for symlink testing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 00:04:58 +0000 (17:04 -0700)]
s3: smbd: Fix "follow symlink = no" regression part 2.
Add an extra paramter to cwd_name to check_reduced_name().
If cwd_name == NULL then fname is a client given path relative
to the root path of the share.
If cwd_name != NULL then fname is a client given path relative
to cwd_name. cwd_name is relative to the root path of the share.
Not yet used, logic added in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Tue, 28 Mar 2017 05:07:50 +0000 (22:07 -0700)]
s3: Fixup test for CVE-2017-2619 regression with "follow symlinks = no"
Use correct bash operators (not string operators).
Add missing "return".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Tue, 14 Mar 2017 00:09:02 +0000 (13:09 +1300)]
python: Provide Python bindings for messaging.idl
This will allow AUTH_EVENT_NAME and MSG_AUTH_LOG to be accessed from python
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 13:19:03 CEST 2017 on sn-devel-144
Andrew Bartlett [Mon, 13 Mar 2017 23:37:15 +0000 (12:37 +1300)]
messaging: Declare well known server name auth_events as AUTH_EVENT_NAME in IDL
This makes it easy to ensure we use the same name in the python and the C
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 7 Mar 2017 02:09:38 +0000 (15:09 +1300)]
messaging.idl: Register a message type for authentication log messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 16 Mar 2017 03:26:01 +0000 (16:26 +1300)]
pymessaging: add single element tupple form of the server_id
This avoids the python code needing to call getpid() internally,
while declaring a stable task_id.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 13 Mar 2017 23:39:13 +0000 (12:39 +1300)]
pymessaging: Add a hook to run the event loop, make callbacks practical
These change allow us to write a messaging server in python.
The previous ping_speed test did not actually test anything, so
we use .loop_once() to make it actually work. To enable practial use
a context is supplied in the tuple with the callback, and the server_id
for the reply is not placed inside an additional tuple.
In order to get at the internal event context on which to loop, we
expose imessaging_context in messaging_internal.h and allow the python
bindings to use that header.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Volker Lendecke [Thu, 23 Mar 2017 14:48:25 +0000 (15:48 +0100)]
server_id_db: Protect against non-0-terminated data records
Remove the failing test from knownfail.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Andrew Bartlett [Tue, 14 Mar 2017 03:07:46 +0000 (16:07 +1300)]
selftest: Test server_id database add and removal
This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Andrew Bartlett [Tue, 14 Mar 2017 00:39:00 +0000 (13:39 +1300)]
pymessaging: Add irpc_remove_name
This allows tests to be indirectly added for server_id_db_lookup()
and server_id_db_prune_name()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Andrew Bartlett [Wed, 8 Mar 2017 01:53:26 +0000 (14:53 +1300)]
pymessaging: Add support for irpc_add_name
This allows tests to be indirectly added for server_id_db_lookup()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Andrew Bartlett [Fri, 24 Mar 2017 00:07:06 +0000 (13:07 +1300)]
samba-tool: Ensure that samba-tool processes --name=not-existing does not error
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Andrew Bartlett [Fri, 24 Mar 2017 00:07:23 +0000 (13:07 +1300)]
selftest: Add more tests for "samba-tool processes"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
Jeremy Allison [Mon, 27 Mar 2017 18:48:25 +0000 (11:48 -0700)]
s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144
Jeremy Allison [Mon, 27 Mar 2017 17:46:47 +0000 (10:46 -0700)]
s3: smbd: Fix incorrect logic exposed by fix for the security bug 12496 (CVE-2017-2619).
In a UNIX filesystem, the names "." and ".." by definition can *never*
be symlinks - they are already reserved names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Garming Sam [Sun, 26 Feb 2017 22:39:51 +0000 (11:39 +1300)]
samba_dnsupdate: Add additional debugging
Tests are still flapping, because it claims it needs a cache rebuild.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144
Douglas Bagnall [Tue, 25 Oct 2016 20:19:13 +0000 (09:19 +1300)]
whitespace: remove in rootdse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Wed, 12 Oct 2016 05:00:34 +0000 (18:00 +1300)]
selftest/target/Samba.pm: Remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Douglas Bagnall [Mon, 10 Oct 2016 21:12:55 +0000 (10:12 +1300)]
getncchanges: remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Mon, 27 Mar 2017 02:49:25 +0000 (15:49 +1300)]
wbinfo: Prevent client segfault with given EOF
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 27 Mar 2017 02:26:48 +0000 (15:26 +1300)]
selftest: Check that LDAP is available during RODC startup
Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Mon, 27 Mar 2017 01:30:19 +0000 (14:30 +1300)]
repl_secret: Error condition should sound harmless
In the case it is not in the replication group, it it correct to deny
the replication to succeed.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 23 Mar 2017 23:12:43 +0000 (12:12 +1300)]
selftest: Add more RODC tests to avoid regressions here
This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Tue, 21 Mar 2017 02:02:50 +0000 (15:02 +1300)]
repl_secret: Prevent null deref on DEBUG
Code path with has_get_all_changes could not be exercised until
recently.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 23 Mar 2017 03:04:04 +0000 (16:04 +1300)]
auth/sam: Remove lastLogonTimestamp from RODC success accounting
This is because it cannot be updated here (only SendToSAM) and prevents
RODC from resetting the badPwdCount (as well as lockoutTime, which needs
to be fixed to allow RODC local modification).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 20 Mar 2017 02:15:39 +0000 (15:15 +1300)]
heimdal: Add initializer for stack pointers
This helps ensure we know these are NULL until set
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 5 Mar 2017 23:11:18 +0000 (12:11 +1300)]
auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM auth
So far this is only on the AD DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Uri Simchoni [Thu, 23 Mar 2017 19:32:04 +0000 (21:32 +0200)]
selftest: tests for vfs_fruite file-id behavior
The test is in its own suite because it validates
our hackish workaround rather than some reference
implementation behavior.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Mar 26 23:31:08 CEST 2017 on sn-devel-144
Uri Simchoni [Thu, 23 Mar 2017 19:30:50 +0000 (21:30 +0200)]
torture: add torture_assert_mem_not_equal_goto()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:51:32 +0000 (14:51 +0200)]
vfs_fruit: document added zero_file_id parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:08:45 +0000 (14:08 +0200)]
vfs_fruit: enable zero file id
Enable zero_file_id if both conditions are met:
- AAPL negotiated
- fruit:zero_file_id is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Uri Simchoni [Thu, 23 Mar 2017 12:08:26 +0000 (14:08 +0200)]
smbd: add zero_file_id flag
This flag instructs the SMB layer to report a zero on-disk
file identifier.
According to [MS-SMB2] 3.3.5.9.9, the reported on-disk file ID
SHOULD be unique. However, macOS clients seem to expect it to be
unique over time as well, like the HFS+ CNID. Reporting a file ID
of 0 seems to instruct the Mac client not to trust the server-reported
file ID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12715
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Thu, 23 Mar 2017 16:06:27 +0000 (09:06 -0700)]
WHATSNEW: Document "strict sync" default change.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 25 04:41:19 CET 2017 on sn-devel-144
Jeremy Allison [Thu, 23 Mar 2017 02:22:31 +0000 (19:22 -0700)]
s3: smbd: Change "strict sync" paramter from "no" to "yes" for 4.7.0.
Document change and modify in loadparm.c.
Safer default for new installs and vendors.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 14:19:20 +0000 (15:19 +0100)]
Revert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"
This works again now...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 24 15:50:22 CET 2017 on sn-devel-144
Stefan Metzmacher [Thu, 23 Mar 2017 14:13:54 +0000 (15:13 +0100)]
s4:selftest: specify auth methods of pdbtests without 'samba4:' prefix
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 22 Mar 2017 08:50:13 +0000 (09:50 +0100)]
auth4: implement the deprecated 'auth methods' in auth_methods_from_lp()
This might be used to explicitly configure the old auth methods list
from Samba 4.6 and older, if required:
"auth methods = anonymous sam_ignoredomain"
But this option will be removed again in future releases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 11:54:40 +0000 (12:54 +0100)]
auth3: handle ROLE_ACTIVE_DIRECTORY_DC before lp_auth_methods() in make_auth_context_subsystem()
"auth methods" never works as AD DC at all, so there's not really a change.
This allows us to implement "auth methods" (temporary) for the auth4 stack.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 14:15:45 +0000 (15:15 +0100)]
selftest: temporary skip samba.blackbox.pdbtest.s4winbind
This will reenabled in a few commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: reflect the reality and use "winbind_rodc" instead of "winbind" for the auth methods as AD_DC
Currently we always map any incoming domain to our own domain
in map_user_info_cracknames(), so that the winbind module is never
used at all, e.g. we're DC of W4EDOM-L4.BASE with a forest trust to W2012R2-L4.BASE:
[2017/03/22 10:09:54.268472, 3, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user [W2012R2-L4]\[administrator]@[UB1404-163]
[2017/03/22 10:09:54.268496, 5, pid=4724, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth_util.c:57(map_user_info_cracknames)
map_user_info_cracknames: Mapping user [W2012R2-L4]\[administrator] from workstation [UB1404-163]
auth_check_password_send: mapped user is: [W4EDOM-L4]\[administrator]@[UB1404-163]
That means the only condition in which "sam_ignoredomain" returns
NT_STATUS_NOT_IMPLEMENTED is the RODC case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 23 Mar 2017 10:57:49 +0000 (11:57 +0100)]
auth4: add a "winbind_rodc" backend
This is only active on a RODC.
The background for this is that we currently only ever
call the "winbind" module when we're an RODC,
otherwise everything is catched by "sam_ignoredomain" before.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM defines
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth4: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:32:27 +0000 (08:32 +0100)]
auth3: remove unused USER_INFO_LOCAL_SAM_ONLY/AUTH_METHOD_LOCAL_SAM handling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 21 Mar 2017 07:31:29 +0000 (08:31 +0100)]
winbindd: no longer use USER_INFO_LOCAL_SAM_ONLY
make_auth3_context_for_winbind() restricts the used auth backends now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 15:46:38 +0000 (16:46 +0100)]
auth3: only use "[samba4:]sam" in make_auth3_context_for_winbind()
This makes the USER_INFO_LOCAL_SAM_ONLY and AUTH_METHOD_LOCAL_SAM
interaction obsolete.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 16 Mar 2017 15:47:15 +0000 (16:47 +0100)]
auth4: debug if method->ops->check_password() gives NOT_IMPLEMENTED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:52:51 +0000 (11:52 +0100)]
auth: let auth4_context->check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:49:40 +0000 (11:49 +0100)]
ntlm_auth3: let contact_winbind_auth_crap() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:16:36 +0000 (11:16 +0100)]
auth4: let auth_check_password* return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:43:59 +0000 (09:43 +0100)]
auth3: let auth_check_ntlm_password() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:42:38 +0000 (09:42 +0100)]
winbindd: let winbindd_dual_auth_passdb() return pauthoritative
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 2 Mar 2017 10:28:18 +0000 (11:28 +0100)]
winbindd: NT_STATUS_CANT_ACCESS_DOMAIN_INFO means "Dunno"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:15:13 +0000 (12:15 +0100)]
netlogon4: make use of auth_context_create_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:08:59 +0000 (12:08 +0100)]
auth4: add auth_context_create_for_netlogon()
For now it's the same as auth_context_create(), but this will
change the in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 10:41:04 +0000 (11:41 +0100)]
auth4: make auth_check_password_wrapper() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:31:01 +0000 (12:31 +0100)]
auth3: make make_auth_context_subsystem() static
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:41 +0000 (09:18 +0100)]
winbindd: make use of make_auth3_context_for_winbind()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:18:25 +0000 (09:18 +0100)]
netlogond3: make use of make_auth3_context_for_netlogon()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 11:29:26 +0000 (12:29 +0100)]
pdbtest: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:17:45 +0000 (09:17 +0100)]
auth3: make use of make_auth3_context_for_ntlm()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 17 Mar 2017 08:13:02 +0000 (09:13 +0100)]
auth3: add make_auth3_context_for_{ntlm,netlogon,winbind}
For now they'll all do the same, but that will change in the following commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>