Günther Deschner [Thu, 5 Mar 2015 11:06:46 +0000 (12:06 +0100)]
librpc: add clusapi_ClusterNetworkState and clusapi_ClusterNetInterfaceState.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 5 Mar 2015 11:06:05 +0000 (12:06 +0100)]
s4-torture: add more cluster group tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 5 Mar 2015 11:04:54 +0000 (12:04 +0100)]
s4-torture: add test for clusapi_SetResourceName.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 5 Mar 2015 11:04:02 +0000 (12:04 +0100)]
clusapi: add clusapi_CreateResourceFlags to IDL and torture test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 5 Mar 2015 10:42:30 +0000 (11:42 +0100)]
librpc: add clusapi_ClusterGroupState enum to IDL.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 14:34:29 +0000 (15:34 +0100)]
s4-torture: fix clusapi_SetClusterName test by re-setting existing cluster name.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 14:33:45 +0000 (15:33 +0100)]
s4-torture: use clusapi_ClusterNodeState enum in torture test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 14:31:25 +0000 (15:31 +0100)]
librpc: add clusapi_ClusterNodeState enum to IDL.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 14:28:32 +0000 (15:28 +0100)]
s4-torture: use clusapi_ClusterResourceState enum in torture test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 14:27:46 +0000 (15:27 +0100)]
librpc: add clusapi_ClusterResourceState enum to IDL.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:53:13 +0000 (13:53 +0100)]
s4-torture: use a specific resource clusapi testcase.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:52:46 +0000 (13:52 +0100)]
s4-torture: rename clusapi testcase to cluster testcase.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:51:34 +0000 (13:51 +0100)]
s4-torture: use a real cluster group handle in cluster resource tests.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:50:45 +0000 (13:50 +0100)]
s4-torture: add tests for clusapi_OpenGroup and clusapi_CloseGroup.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:49:13 +0000 (13:49 +0100)]
s4-torture: add tests for cluster nodes.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 4 Mar 2015 08:45:56 +0000 (09:45 +0100)]
s4-torture: add test for clusapi_CreateResEnum.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Tue, 3 Mar 2015 17:00:55 +0000 (18:00 +0100)]
s4-torture: add test for clusapi_GetClusterVersion2().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Mon, 2 Mar 2015 19:52:59 +0000 (20:52 +0100)]
librpc: use WERROR in the clusapi interface.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:34:44 +0000 (13:34 +0100)]
s4-torture: add tests for cluster resources.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 12:25:24 +0000 (13:25 +0100)]
s4-torture: add test for clusapi_CreateEnum.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 27 Feb 2015 16:45:02 +0000 (17:45 +0100)]
s4-torture: add tests for ClusterName and ClusterVersion.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 26 Feb 2015 22:03:36 +0000 (23:03 +0100)]
s4-torture: add clusapi torture test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 26 Feb 2015 14:36:47 +0000 (15:36 +0100)]
clusapi: use ClusterEnumType.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 26 Feb 2015 14:19:10 +0000 (15:19 +0100)]
clusapi: add more enums to IDL.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Thu, 26 Feb 2015 11:57:53 +0000 (12:57 +0100)]
s3-rpcclient: add very basic clusapi client.
Note that you need to call rpcclient with ncacn_ip_tcp:$target[sign,seal],
otherwise clusapi will not allow success.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 25 Feb 2015 09:15:25 +0000 (10:15 +0100)]
librpc: build clusapi.idl
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Wed, 25 Feb 2015 09:10:38 +0000 (10:10 +0100)]
librpc: add clusapi idl version 3.0.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Mon, 7 Apr 2014 13:47:02 +0000 (15:47 +0200)]
pidl/python: support HRESULT errors in generated python bindings.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Mon, 7 Apr 2014 13:46:05 +0000 (15:46 +0200)]
pidl: support HRESULT in pidl.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Mon, 7 Apr 2014 13:40:40 +0000 (15:40 +0200)]
librpc/ndr: add ndr_{pull|push|print}_HRESULT and release new 0.0.5 ABI.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Mon, 7 Apr 2014 13:46:32 +0000 (15:46 +0200)]
lib/util: globally include herrors in error.h
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 16:44:19 +0000 (17:44 +0100)]
libcli/util/hresult: add generated hresult_errstr() function.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 16:42:06 +0000 (17:42 +0100)]
s4-scripting: generate a hresult_errstr() function.
Equivalent to the nt_errstr(), win_errstr(), etc. function.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 16:41:06 +0000 (17:41 +0100)]
libcli/util/hresult: re-generate hresult.c.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 16:39:46 +0000 (17:39 +0100)]
s4-scripting: add string representation of error code define to generated table.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Günther Deschner [Fri, 6 Mar 2015 16:36:33 +0000 (17:36 +0100)]
s4-scripting: fix hresult generator python script indentation.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Fri, 13 Mar 2015 14:20:05 +0000 (14:20 +0000)]
ctdb: Fix CID
1125613 Destination buffer too small
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Mar 13 19:14:20 CET 2015 on sn-devel-104
Volker Lendecke [Fri, 13 Mar 2015 14:16:17 +0000 (14:16 +0000)]
ctdb: Introduce a helper var in ctdb_get_script_list
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Fri, 13 Mar 2015 14:12:41 +0000 (14:12 +0000)]
ctdb: Fix memleak in ctdb_get_script_list
scandir allocates every name individually, see example code in susv4 or man
scandir
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Fri, 13 Mar 2015 14:11:20 +0000 (14:11 +0000)]
ctdb: Make for-loop in ctdb_get_script_list more idiomatic
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Volker Lendecke [Fri, 13 Mar 2015 14:01:25 +0000 (14:01 +0000)]
ctdb: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Andreas Schneider [Thu, 12 Mar 2015 21:12:43 +0000 (22:12 +0100)]
replace: Remove superfluous check for gcrypt header.
We only need to check for the header if we need gnutls with gcrypt
support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 13 01:00:27 CET 2015 on sn-devel-104
Andrew Bartlett [Thu, 12 Mar 2015 04:05:50 +0000 (17:05 +1300)]
backupkey: Explicitly link to gnutls and gcrypt
The gcrypt link will be disabled if gnutls is > 3.0.0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Thu, 12 Mar 2015 04:01:05 +0000 (17:01 +1300)]
lib/tls: Fix behaviour of --disable-gnutls and remove link to gcrypt
We no longer link against gcrypt if gnutls > 3.0.0 is found, as these
versions use libnettle.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 11 Mar 2015 15:39:05 +0000 (16:39 +0100)]
s3:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
If there're no collisions we should not fill the collision_info pointer.
Otherwise Windows fails to create a forest trust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Mar 12 19:49:33 CET 2015 on sn-devel-104
Stefan Metzmacher [Wed, 28 Jan 2015 10:02:54 +0000 (10:02 +0000)]
s4:rpc_server/lsa: only return collision_info if filled in lsaRSetForestTrustInformation()
If there're no collisions we should not fill the collision_info pointer.
Otherwise Windows fails to create a forest trust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Wed, 11 Mar 2015 11:09:42 +0000 (12:09 +0100)]
s4-torture: add ndr test for lsa_lsaRQueryForestTrustInformation().
Thanks to Alexander for providing the binary blobs.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 4 Feb 2015 18:00:44 +0000 (18:00 +0000)]
drsblobs.idl: improve idl for ForestTrustInfoRecord*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 4 Feb 2015 18:00:44 +0000 (18:00 +0000)]
lsa.idl: improve idl for lsa_ForestTrust*Record*
The meaning of lsa_ForestTrustRecordFlags is based lsa_ForestTrustRecordType,
but the type is not always available so it's not possible to use an union.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 08:01:58 +0000 (08:01 +0000)]
lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only'
This is only a cosmetic change to make the idl more verbose,
the resulting C code will still use 'uint8_t'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 08:01:58 +0000 (08:01 +0000)]
lsa.idl: fix idl for lsa_ForestTrustRecordType
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 22:14:38 +0000 (23:14 +0100)]
security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}
These are not encryption types, but flags for specific kerberos features.
See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 2 Feb 2015 22:14:38 +0000 (23:14 +0100)]
netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead
These are the same.
We keep the old defines arround in order to avoid a lot of changes
in the callers.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Günther Deschner [Tue, 18 Dec 2012 14:27:06 +0000 (15:27 +0100)]
netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Mar 2015 12:18:38 +0000 (13:18 +0100)]
netlogon.idl: improve idl for netr_ServerTrustPasswordsGet()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 6 Mar 2015 17:07:15 +0000 (18:07 +0100)]
ldb-samba: implement --show-binary for msDS-RevealedUsers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 5 Mar 2015 15:21:18 +0000 (16:21 +0100)]
drsblobs.idl: make replPropertyMetaData1 public
This is used as binary data for the msDS-RevealedUsers attribute.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 27 Jan 2015 21:46:06 +0000 (21:46 +0000)]
s4:py_net: make domain and address fully optional to py_net_finddc
E.g. address=None is now also possible.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 26 Jan 2015 15:02:20 +0000 (16:02 +0100)]
s4:librpc: add auth_type=ncalrpc_as_system as binding option
In future we may want another way to trigger this,
but our current rpc libraries need a lot of cleanup before.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Sat, 31 Jan 2015 10:42:09 +0000 (10:42 +0000)]
s4:trust_utils: store new trust/machine passwords before trying it remotely.
If this fails we can still fallback to the old password...
Before trying the password change we verify the dc knows our current password.
This should make the password changes much more robust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 3 Feb 2015 15:22:25 +0000 (16:22 +0100)]
s3:winbindd: make open_internal_lsa_conn() non static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 11 Feb 2015 14:05:55 +0000 (15:05 +0100)]
s3:winbindd_cm: improve detection for the anonymous fallback.
If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback,
if allowed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 09:26:23 +0000 (09:26 +0000)]
s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 5 Feb 2015 10:07:46 +0000 (10:07 +0000)]
s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 16:53:40 +0000 (16:53 +0000)]
s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 10:33:05 +0000 (11:33 +0100)]
s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 10:29:49 +0000 (11:29 +0100)]
s3:libnet: use cli_credentials based functions in libnet_join_ok()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:52:45 +0000 (09:52 +0100)]
s3:auth_domain: make use of cli_rpc_pipe_open_schannel()
This simplifies a lot and allows the previous password to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 09:33:01 +0000 (10:33 +0100)]
s3:auth_domain: fix talloc problem in connect_to_domain_password_server()
return values of connect_to_domain_password_server() need to be exported
to the callers memory context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:25:35 +0000 (09:25 +0100)]
s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds()
This passing struct cli_credentials allows the usage of the previous password.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 09:05:37 +0000 (10:05 +0100)]
s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()
This is only allowed with special config options ("client schannel = no",
"require strong key = no" and "reject md5 servers = no").
By default we require NETLOGON_NEG_AUTHENTICATED_RPC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:34:45 +0000 (09:34 +0100)]
s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()
This simplifies the code and allows the previous password to be passed
through the stack.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:49:16 +0000 (09:49 +0100)]
s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 16:54:06 +0000 (16:54 +0000)]
s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds()
This way we'll fallback to use the previous machine/trust account password
if required.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Fri, 30 Jan 2015 16:20:27 +0000 (16:20 +0000)]
auth/credentials: add cli_credentials_set_old_utf16_password()
This is required to set the previous trust account password.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:04:42 +0000 (09:04 +0100)]
auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()
The machine and trust accounts it's important to retry
netr_Authenticate3() with the previous (old) nt_hash.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 9 Feb 2015 08:06:32 +0000 (09:06 +0100)]
auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 21 Jan 2015 13:44:44 +0000 (14:44 +0100)]
s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Thu, 12 Mar 2015 00:43:49 +0000 (13:43 +1300)]
selftest: Change testsuite to use a samAccountName with a space in it
This shows that the previous patch is correct
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Thu, 12 Mar 2015 00:29:56 +0000 (13:29 +1300)]
kdc: Ensure we cope with a samAccountName with a space in it
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Thu, 12 Mar 2015 00:29:56 +0000 (13:29 +1300)]
dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Wed, 11 Mar 2015 23:56:56 +0000 (12:56 +1300)]
selftest: Change testsuite to use a UPN with a space in it
This shows that the previous patch is correct
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Thu, 12 Mar 2015 09:43:57 +0000 (10:43 +0100)]
selftest: fix the basedn for local accounts in non-DC environments e.g. s4member
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
doesn't generate an error if the command fails...
'testallowed' is a local account here, with a dn of
CN=testallowed,CN=Users,DC=S4MEMBER instead of domain user
CN=testallowed,CN=Users,DC=samba,DC=example,DC=com
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Wed, 11 Mar 2015 23:50:23 +0000 (12:50 +1300)]
dsdb: Allow spaces in userPrincipalName values
This is needed to enable a kinit with a UPN that has a space in it
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 10 Mar 2015 14:33:14 +0000 (15:33 +0100)]
heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY
An ENTERPRISE principal should result in 'administrator@S4XDOM.BASE'
instead of 'administrator\@S4XDOM.BASE'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 10 Mar 2015 14:36:01 +0000 (15:36 +0100)]
heimdal:lib/krb5: allow enterprise principals in verify_logonname()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Wed, 11 Mar 2015 02:58:36 +0000 (15:58 +1300)]
torture-krb5: Test accepting the ticket to ensure PAC is well-formed
A future test will ask for impersonation to a different user, and
validate returned principal and the PAC matches that user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Wed, 11 Mar 2015 22:27:57 +0000 (11:27 +1300)]
auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()
This ensures that in the all-Samba PAC creation code, we do not escape a space character if present
in the logon name. This matches what we do in the Heimdal code in the KDC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Andrew Bartlett [Wed, 11 Mar 2015 02:57:06 +0000 (15:57 +1300)]
auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
This ensures that if an enterprise principal is used, we do the
comparison properly
This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.
Otherwise, we get errors like:
Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.
The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Michael Adam [Thu, 5 Mar 2015 13:43:54 +0000 (14:43 +0100)]
selftest: also test python.samba.tests.posixacl against plugin_s4_dc_no_nss
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Mar 12 17:12:11 CET 2015 on sn-devel-104
Michael Adam [Thu, 5 Mar 2015 12:22:35 +0000 (13:22 +0100)]
selftest: add a new environment plugin_s4_dc_no_nss
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Michael Adam [Thu, 5 Mar 2015 12:22:07 +0000 (13:22 +0100)]
selftest: extend setup_plugin_s4_dc to allow for not using nss_winbindd
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Michael Adam [Tue, 17 Feb 2015 15:06:49 +0000 (16:06 +0100)]
selftest: modify python.samba.test.posixacl to cope with nss_winbind active
It was observed that adding libnss_winbind (via nss_wrapper) lets
the posix acl mapping come out slightly differently with respect
to the owner/domain admin who is not explicitly nailed down in
the original NT acl.
This patch extends the test to react to the presence of
nss_winbind in environment and adapts the expected results.
This in particular fixes the run of the test against the
(changed) plugin_s4_dc environment while keeping the possibility
to successfully run it against an env without nss_winbind.
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Christof Schmitt [Wed, 11 Mar 2015 22:54:55 +0000 (15:54 -0700)]
brlock: Use 0 instead of empty initializer list
C does not allow empty initializer lists. Although gcc accepts that, the
SunOS compiler fails in this case with an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11153
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu Mar 12 02:49:36 CET 2015 on sn-devel-104
Lukas Slebodnik [Thu, 5 Mar 2015 10:26:46 +0000 (11:26 +0100)]
lib/util: Include DEBUG macro in internal header files before samba_util.h
It's best practice to include external header files before internal
header files. In this case internal DEBUG macro cannot be defined and
therefore samba version of debug macro will be included
in header file "util/fault.h".
In file included from example.c:27:0:
src/util/util.h:127:0: error: "DEBUG" redefined [-Werror]
#define DEBUG(level, format, ...) do { \
^
In file included from /usr/include/samba-4.0/util/fault.h:29:0,
from /usr/include/samba-4.0/samba_util.h:62,
from /usr/include/samba-4.0/ndr.h:30,
from example.c:24:
/usr/include/samba-4.0/util/debug.h:182:0: note: this is the location of the previous definition
#define DEBUG( level, body ) \
^
CC src/providers/ad/libsss_ad_common_la-ad_domain_info.lo
cc1: all warnings being treated as errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11033
Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 11 18:47:22 CET 2015 on sn-devel-104
Volker Lendecke [Tue, 10 Mar 2015 20:13:56 +0000 (21:13 +0100)]
smbd: Simplify create_token_from_sid()
This if-statement is unnecessary. First, talloc_array returns non-NULL
even if asked for 0 elements. Second, a bit further down we do a
SMB_ASSERT(num_group_sids > 0);
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Mar 2015 20:09:53 +0000 (21:09 +0100)]
smbd: Simplify create_token_from_sid()
With the previous commit all 3 branches do the same
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>