ira/wip.git
12 years ago s4-samba3samtest: force workgroup so the domain is right
Andrew Tridgell [Fri, 8 Jan 2010 01:45:49 +0000 (12:45 +1100)]
s4-samba3samtest: force workgroup so the domain is right

the samba3sid backend looks at lp_sam_name() which is based on the
workgroup

12 years ago s4-samba3sid: the sambaNextRid attribute is actually the previous RID
Andrew Tridgell [Fri, 8 Jan 2010 01:45:29 +0000 (12:45 +1100)]
s4-samba3sid: the sambaNextRid attribute is actually the previous RID

Not well named .... though same mistake that MS made with rIDNextRid

12 years ago s4-samba3sam: use samba3sid module
Andrew Tridgell [Fri, 8 Jan 2010 01:15:01 +0000 (12:15 +1100)]
s4-samba3sam: use samba3sid module

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added a samba3sid module
Andrew Tridgell [Fri, 8 Jan 2010 01:14:39 +0000 (12:14 +1100)]
s4-dsdb: added a samba3sid module

This module allocates SIDs using the Samba3 algorithm, for use with
the samba3sam module.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-acl: fixed acl.py test to use correct ldif
Andrew Tridgell [Thu, 7 Jan 2010 23:03:51 +0000 (10:03 +1100)]
s4-acl: fixed acl.py test to use correct ldif

same problem as sec_descriptor.py

12 years ago s4-secdesc: fixed the sec_descriptor.py test
Andrew Tridgell [Thu, 7 Jan 2010 23:00:35 +0000 (10:00 +1100)]
s4-secdesc: fixed the sec_descriptor.py test

The test was using a "changetype: add" to try and add a member to a
group, where it should use a "changetype: modify" with a "add: member"

Also fixed the recovery when the test fails part way through (delete
the test users at the start as well as the end)

Nadya, please check!

12 years ago s4-samba3samtest: use system credentials for creating users
Andrew Tridgell [Thu, 7 Jan 2010 22:31:23 +0000 (09:31 +1100)]
s4-samba3samtest: use system credentials for creating users

12 years ago s4-dsdb: fixed const misuse in acl module
Andrew Tridgell [Thu, 7 Jan 2010 22:30:59 +0000 (09:30 +1100)]
s4-dsdb: fixed const misuse in acl module

12 years ago s4-dsdb: use dsdb_module_am_system() in acl module
Andrew Tridgell [Thu, 7 Jan 2010 22:30:31 +0000 (09:30 +1100)]
s4-dsdb: use dsdb_module_am_system() in acl module

12 years ago s4-dsdb: allow specification of a SID if we are system
Andrew Tridgell [Thu, 7 Jan 2010 22:29:32 +0000 (09:29 +1100)]
s4-dsdb: allow specification of a SID if we are system

needed for samba3sam test

12 years ago s4-dsdb: added dsdb_module_am_system()
Andrew Tridgell [Thu, 7 Jan 2010 22:29:01 +0000 (09:29 +1100)]
s4-dsdb: added dsdb_module_am_system()

better than each module inventing their own

12 years ago s4-dsdb: squash some unknown structure warnings
Andrew Tridgell [Thu, 7 Jan 2010 22:28:38 +0000 (09:28 +1100)]
s4-dsdb: squash some unknown structure warnings

12 years ago s4-partition: fixed selection of partitions on exact match
Andrew Tridgell [Thu, 7 Jan 2010 22:00:15 +0000 (09:00 +1100)]
s4-partition: fixed selection of partitions on exact match

When a search is on the root of a partition on the global catalog,
don't search partitions above that one.

12 years ago s4-scripting: we need to use a base search for the NTDS GUID
Andrew Tridgell [Thu, 7 Jan 2010 10:28:03 +0000 (21:28 +1100)]
s4-scripting: we need to use a base search for the NTDS GUID

now we have nTDSConnections structures we can get more than 1 reply

12 years ago s4:dsdb/repl: convert dreplsrv_op_pull_source_send/recv to tevent_req
Stefan Metzmacher [Wed, 30 Dec 2009 16:11:51 +0000 (17:11 +0100)]
s4:dsdb/repl: convert dreplsrv_op_pull_source_send/recv to tevent_req

metze

Signed-off-by: Andrew Tridgell <tridge@samba.org>

12 years ago s4-smbd: setup the default event contexts for other process models
Andrew Tridgell [Thu, 7 Jan 2010 08:12:45 +0000 (19:12 +1100)]
s4-smbd: setup the default event contexts for other process models

12 years ago s4-drs: we need to wrap extended operations in transactions
Andrew Tridgell [Thu, 7 Jan 2010 07:38:39 +0000 (18:38 +1100)]
s4-drs: we need to wrap extended operations in transactions

12 years ago s4-dsdb: poke the RID Manager when completely out of RIDs too
Andrew Tridgell [Thu, 7 Jan 2010 07:38:16 +0000 (18:38 +1100)]
s4-dsdb: poke the RID Manager when completely out of RIDs too

12 years ago s4-dsdb: ensure we fill in all the attributes for RID Set
Andrew Tridgell [Thu, 7 Jan 2010 07:16:14 +0000 (18:16 +1100)]
s4-dsdb: ensure we fill in all the attributes for RID Set

We need to go to the top of the module stack so that all the extra
attributes get filled in

12 years ago s4-dsdb: added DSDB_FLAG_TOP_MODULE
Andrew Tridgell [Thu, 7 Jan 2010 07:15:34 +0000 (18:15 +1100)]
s4-dsdb: added DSDB_FLAG_TOP_MODULE

This is used when you want the dsdb_module_*() functions to go to the
top of the stack.

12 years ago s4-dsdb: no longer need special invocationID handling for standalone servers
Andrew Tridgell [Thu, 7 Jan 2010 06:32:13 +0000 (17:32 +1100)]
s4-dsdb: no longer need special invocationID handling for standalone servers

They now work the same way as a DC

12 years ago s4-provision: do a self join for all server types
Andrew Tridgell [Thu, 7 Jan 2010 06:31:23 +0000 (17:31 +1100)]
s4-provision: do a self join for all server types

We need a machine account so the RID allocation code can work. It
seems better to use the same code paths for a domain controller and
standalone server to avoid testing headaches with little used code.

12 years ago s4-schema: added generic attributeID conversion functions
Andrew Tridgell [Thu, 7 Jan 2010 06:29:40 +0000 (17:29 +1100)]
s4-schema: added generic attributeID conversion functions

When we get one we haven't seen before, we can work out the right type
automatically in most cases.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-schema: added dsdb_attribute_by_lDAPDisplayName_ldb_val
Andrew Tridgell [Thu, 7 Jan 2010 06:27:46 +0000 (17:27 +1100)]
s4-schema: added dsdb_attribute_by_lDAPDisplayName_ldb_val

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-schema: make ldb_val to string comparison safer with nul termination
Andrew Tridgell [Thu, 7 Jan 2010 06:27:03 +0000 (17:27 +1100)]
s4-schema: make ldb_val to string comparison safer with nul termination

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-idl: regenerate DRS IDL
Andrew Tridgell [Thu, 7 Jan 2010 06:25:38 +0000 (17:25 +1100)]
s4-idl: regenerate DRS IDL

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-idl: added some more wellknown attributeIDs
Andrew Tridgell [Thu, 7 Jan 2010 06:25:19 +0000 (17:25 +1100)]
s4-idl: added some more wellknown attributeIDs

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4/dsdb_schema: Load msDS-IntId value separately when loading from LDB
Kamen Mazdrashki [Thu, 7 Jan 2010 04:04:35 +0000 (06:04 +0200)]
s4/dsdb_schema: Load msDS-IntId value separately when loading from LDB

This way we have consistent behavior when loading from DRSUAPI
and from LDB.

12 years ago Revert "s4-schema: Set ATTID in schema cache from "msDS-IntId""
Kamen Mazdrashki [Thu, 7 Jan 2010 03:08:49 +0000 (05:08 +0200)]
Revert "s4-schema: Set ATTID in schema cache from "msDS-IntId""

This reverts commit 4e8ad284f5813413fdec8426f11e24570d22549b.

12 years ago s4/schema: Do not assign msDS-IntId value if LDB_CONTROL_RELAX_OID is passed
Kamen Mazdrashki [Thu, 7 Jan 2010 02:01:14 +0000 (04:01 +0200)]
s4/schema: Do not assign msDS-IntId value if LDB_CONTROL_RELAX_OID is passed

This way msDS-IntId should not be assigned during provisioning,
which is how Windows works

12 years ago s4-libnet: better error messages in libnet_vampire.c
Andrew Tridgell [Thu, 7 Jan 2010 01:19:42 +0000 (12:19 +1100)]
s4-libnet: better error messages in libnet_vampire.c

12 years ago s4/dsdb_schema: use msDS-IntId value for attribute look-up
Kamen Mazdrashki [Thu, 7 Jan 2010 00:47:25 +0000 (02:47 +0200)]
s4/dsdb_schema: use msDS-IntId value for attribute look-up

12 years ago s4/dsdb_schema: fetch msDS-IntId value during SCHEMA replication
Kamen Mazdrashki [Thu, 7 Jan 2010 00:46:25 +0000 (02:46 +0200)]
s4/dsdb_schema: fetch msDS-IntId value during SCHEMA replication

12 years ago s4/dsdb_schema: GET_UINT32_DS() macro to use supplied default value instead of 0
Kamen Mazdrashki [Wed, 6 Jan 2010 21:16:12 +0000 (23:16 +0200)]
s4/dsdb_schema: GET_UINT32_DS() macro to use supplied default value instead of 0

12 years ago s4-partition: don't ignore errors from other modules
Andrew Tridgell [Wed, 6 Jan 2010 23:22:26 +0000 (10:22 +1100)]
s4-partition: don't ignore errors from other modules

if we get an error code from a lower module, we don't want to ignore
it just because something also succeeded

12 years ago s4-devel: a useful script to setup bin/ and st/ as tmpfs filesystems
Andrew Tridgell [Wed, 6 Jan 2010 23:18:30 +0000 (10:18 +1100)]
s4-devel: a useful script to setup bin/ and st/ as tmpfs filesystems

this makes building and testing s4 as a developer much faster, if you
have enough memory!

12 years ago s4-provision: re-open sam.ldb after creating the schema
Andrew Tridgell [Wed, 6 Jan 2010 23:12:24 +0000 (10:12 +1100)]
s4-provision: re-open sam.ldb after creating the schema

This enables the full schema during the rest of the provision, which
means indexing is enabled (along with index error checking, such as
duplicate SIDs)

12 years ago s4-provision: RID 1000 is consumed by the machine account
Andrew Tridgell [Wed, 6 Jan 2010 23:11:30 +0000 (10:11 +1100)]
s4-provision: RID 1000 is consumed by the machine account

12 years ago s4-ldb: improve error handling in indexing code
Andrew Tridgell [Wed, 6 Jan 2010 23:11:10 +0000 (10:11 +1100)]
s4-ldb: improve error handling in indexing code

When we get an indexing failure we want a clear error message

12 years ago s4-dsdb: improve error messages in schema and pdc_fsmo modules
Andrew Tridgell [Wed, 6 Jan 2010 23:09:09 +0000 (10:09 +1100)]
s4-dsdb: improve error messages in schema and pdc_fsmo modules

We want to incorporate the error messages from the modules further
down the stack.

12 years ago s4-drs: added some debug messages
Andrew Tridgell [Wed, 6 Jan 2010 09:56:19 +0000 (20:56 +1100)]
s4-drs: added some debug messages

It is nice to see when a RID Alloc is successful

12 years ago s4-event: added s4_event_context_set_default()
Andrew Tridgell [Wed, 6 Jan 2010 09:55:38 +0000 (20:55 +1100)]
s4-event: added s4_event_context_set_default()

we're still not weaned off event_context_find()

12 years ago s4-dsdb: added support for DRSUAPI_EXOP_FSMO_RID_ALLOC
Andrew Tridgell [Wed, 6 Jan 2010 08:35:05 +0000 (19:35 +1100)]
s4-dsdb: added support for DRSUAPI_EXOP_FSMO_RID_ALLOC

This allocates a RID pool for the client DC when we are the RID Manager

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added an extended operation for allocating a new RID pool
Andrew Tridgell [Wed, 6 Jan 2010 08:34:14 +0000 (19:34 +1100)]
s4-dsdb: added an extended operation for allocating a new RID pool

This will be called by getncchanges when a client asks for a
DRSUAPI_EXOP_FSMO_RID_ALLOC operation

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-repl: implement MSG_DREPL_ALLOCATE_RID
Andrew Tridgell [Wed, 6 Jan 2010 06:18:42 +0000 (17:18 +1100)]
s4-repl: implement MSG_DREPL_ALLOCATE_RID

When the repl server gets MSG_DREPL_ALLOCATE_RID it contacts the RID
Manager to ask for another RID pool. We use a callback on completion
of the operation to make sure that we don't have two RID allocation
requests in flight at once

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-repl: allow for callbacks when a repl operation completes
Andrew Tridgell [Wed, 6 Jan 2010 06:16:58 +0000 (17:16 +1100)]
s4-repl: allow for callbacks when a repl operation completes

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: the dsdb ldb modules now need messaging
Andrew Tridgell [Wed, 6 Jan 2010 05:47:36 +0000 (16:47 +1100)]
s4-dsdb: the dsdb ldb modules now need messaging

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: send a message to the drepl task when we need another RID pool
Andrew Tridgell [Wed, 6 Jan 2010 05:47:11 +0000 (16:47 +1100)]
s4-dsdb: send a message to the drepl task when we need another RID pool

We send the message when the current pool is half gone. We don't wait
for a reply.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-messaging: added a new msg type MSG_DREPL_ALLOCATE_RID
Andrew Tridgell [Wed, 6 Jan 2010 05:45:34 +0000 (16:45 +1100)]
s4-messaging: added a new msg type MSG_DREPL_ALLOCATE_RID

This will be used to ask the drepl task for a new RID pool

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-repl: added request for RID allocation in drepl task
Andrew Tridgell [Wed, 6 Jan 2010 03:54:12 +0000 (14:54 +1100)]
s4-repl: added request for RID allocation in drepl task

The drepl task now checks to see if our rIDAllocationPool is
exhausted, and if it is then we queue an extended operation
DsGetNCChanges call to ask the RID Manager to give us a new allocation
pool.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_find_guid_attr_by_dn()
Andrew Tridgell [Wed, 6 Jan 2010 03:50:41 +0000 (14:50 +1100)]
s4-dsdb: added dsdb_find_guid_attr_by_dn()

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-ridalloc: cope with missing rIDNextRid and rIDAllocationPool
Andrew Tridgell [Wed, 6 Jan 2010 03:50:04 +0000 (14:50 +1100)]
s4-ridalloc: cope with missing rIDNextRid and rIDAllocationPool

The attributes rIDNextRid and rIDAllocationPool are not replicated, so
their initial value when we first get a RID Set from the RID Manager
is blank.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_module_set_integer()
Andrew Tridgell [Wed, 6 Jan 2010 03:48:55 +0000 (14:48 +1100)]
s4-dsdb: added dsdb_module_set_integer()

This will be used by ridalloc.c

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: clarify who is responsible for each attribute
Andrew Tridgell [Wed, 6 Jan 2010 00:40:05 +0000 (11:40 +1100)]
s4-dsdb: clarify who is responsible for each attribute

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: fixed usage of rIDAllocationPool and rIDPreviousAllocationPool
Andrew Tridgell [Wed, 6 Jan 2010 00:38:38 +0000 (11:38 +1100)]
s4-dsdb: fixed usage of rIDAllocationPool and rIDPreviousAllocationPool

These are very badly named attributes! See the comments in ridalloc.c
for an explanation of what they really seem to mean

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: implement refresh of RID Set pool for a local RID Manager
Andrew Tridgell [Tue, 5 Jan 2010 23:27:30 +0000 (10:27 +1100)]
s4-dsdb: implement refresh of RID Set pool for a local RID Manager

when we run out of RIDs in our RID Set pool then grab a new one from
the RID Manager object

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-provision: don't hard wire the creation of the RID Set object
Andrew Tridgell [Tue, 5 Jan 2010 22:26:17 +0000 (09:26 +1100)]
s4-provision: don't hard wire the creation of the RID Set object

We now create it automatically in the samldb module when the first
user is created.

The creation of the dns user also had to move to the _modify.ldif as
it now relies on the fSMO role being setup for the RID Manager

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: implement creation of the RID Set object
Andrew Tridgell [Tue, 5 Jan 2010 22:24:29 +0000 (09:24 +1100)]
s4-dsdb: implement creation of the RID Set object

when we are the RID Manager we can create our own RID Set object when
the first user is created

12 years ago s4-dsdb: use dsdb_next_callback()
Andrew Tridgell [Tue, 5 Jan 2010 22:23:29 +0000 (09:23 +1100)]
s4-dsdb: use dsdb_next_callback()

We can't just use the caller's callback directly otherwise the
ldb_module_done() is never called on the parent request, as the child
request is passed to the callback.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_next_callback()
Andrew Tridgell [Tue, 5 Jan 2010 22:21:21 +0000 (09:21 +1100)]
s4-dsdb: added dsdb_next_callback()

This should be used when you create a sub request and just want the
parent request's callback to be called when done.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_module_constrainted_update_integer()
Andrew Tridgell [Tue, 5 Jan 2010 22:20:35 +0000 (09:20 +1100)]
s4-dsdb: added dsdb_module_constrainted_update_integer()

This provides a convenient way to update an integer attribute with a
constrained delete/add

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_module_reference_dn()
Andrew Tridgell [Tue, 5 Jan 2010 22:19:04 +0000 (09:19 +1100)]
s4-dsdb: added dsdb_module_reference_dn()

This adds a module callable version of samdb_reference_dn(), which
finds a DN via a reference link

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added dsdb_module_add()
Andrew Tridgell [Tue, 5 Jan 2010 22:17:19 +0000 (09:17 +1100)]
s4-dsdb: added dsdb_module_add()

added an ldb add function for modules

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-provision: allow provision modifies to add records
Andrew Tridgell [Tue, 5 Jan 2010 22:15:35 +0000 (09:15 +1100)]
s4-provision: allow provision modifies to add records

we need to recognise a changetype of 'add'

12 years ago s4-dsdb: move the RID allocation logic into ridalloc.c
Andrew Tridgell [Tue, 5 Jan 2010 07:23:46 +0000 (18:23 +1100)]
s4-dsdb: move the RID allocation logic into ridalloc.c

This will end up having the RID Manager logic as well, so all the RID
pool allocation logic is in one spot

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-samldb: use RID Set to allocate user/group RIDs
Andrew Tridgell [Tue, 5 Jan 2010 06:09:51 +0000 (17:09 +1100)]
s4-samldb: use RID Set to allocate user/group RIDs

This is the first step towards DRS-friendly RID allocation. We now get
the next rid from the RID Set object

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-provision: the DC object itself needs a fixed objectSID
Andrew Tridgell [Tue, 5 Jan 2010 06:08:56 +0000 (17:08 +1100)]
s4-provision: the DC object itself needs a fixed objectSID

We can't allocate an objectSID until we have rIDSetReferences, but that
is in the DC object, so we have to force the objectSID of the DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-dsdb: added samdb_rid_set_dn()
Andrew Tridgell [Tue, 5 Jan 2010 06:07:51 +0000 (17:07 +1100)]
s4-dsdb: added samdb_rid_set_dn()

This returns the DN of our RID Set object

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-provision: added an initial RID Set
Andrew Tridgell [Tue, 5 Jan 2010 04:20:10 +0000 (15:20 +1100)]
s4-provision: added an initial RID Set

We will allocate RIDs from this set

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

12 years ago s4-ldb: added nice ldif display of 64 bit ranges for RIDs
Andrew Tridgell [Tue, 5 Jan 2010 04:12:16 +0000 (15:12 +1100)]
s4-ldb: added nice ldif display of 64 bit ranges for RIDs

12 years ago s4-dsdb: added samdb_reference_dn()
Andrew Tridgell [Mon, 4 Jan 2010 03:13:21 +0000 (14:13 +1100)]
s4-dsdb: added samdb_reference_dn()

This returns a 'reference' DN, which is a link to a DN, from the
specified object. It is then used by samdb_server_reference_dn() which
returns the serverReference DN, and samdb_rid_manager_dn() which
returns the rIDManagerReference DN.

12 years ago linked_attributes: Fix missing dependency on util.
Jelmer Vernooij [Sun, 3 Jan 2010 22:08:46 +0000 (23:08 +0100)]
linked_attributes: Fix missing dependency on util.

12 years ago testprogs: add support for "print" option in win32 spoolss torture test.
Günther Deschner [Wed, 16 Dec 2009 21:36:18 +0000 (22:36 +0100)]
testprogs: add support for "print" option in win32 spoolss torture test.

Guenther

12 years ago testprogs: pass down architecture in spoolss test.
Günther Deschner [Wed, 6 Jan 2010 22:15:09 +0000 (23:15 +0100)]
testprogs: pass down architecture in spoolss test.

Guenther

12 years ago testprogs: add win32 spoolss testsuite.
Günther Deschner [Mon, 14 Dec 2009 22:54:42 +0000 (23:54 +0100)]
testprogs: add win32 spoolss testsuite.

Guenther

12 years ago s4 torture: Add RAW-OPEN-NTCREATEDIR to test error checking for open directories...
Tim Prouty [Mon, 4 Jan 2010 21:01:23 +0000 (13:01 -0800)]
s4 torture: Add RAW-OPEN-NTCREATEDIR to test error checking for open directories as files

12 years ago s3 torture: Prevent smbcli segfault when running smbtorture3 against an smbd with...
Tim Prouty [Mon, 4 Jan 2010 20:57:34 +0000 (12:57 -0800)]
s3 torture: Prevent smbcli segfault when running smbtorture3 against an smbd with security=share

12 years ago s3:auth: don't update the bad pw count if pw is among last 2 history entries
Michael Adam [Wed, 6 Jan 2010 16:29:04 +0000 (17:29 +0100)]
s3:auth: don't update the bad pw count if pw is among last 2 history entries

This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

This is supposed to fix Bug #4347.

Michael

12 years ago s3:auth:check_sam_security: introduce a bool var to control bad_pw_count incrementation
Michael Adam [Wed, 6 Jan 2010 15:35:44 +0000 (16:35 +0100)]
s3:auth:check_sam_security: introduce a bool var to control bad_pw_count incrementation

This is a preparatory patch for the last part in fixing bug #4347.

Michael

12 years ago s3:passdb: store the plain nt password hashes in history, not salted md5
Michael Adam [Tue, 5 Jan 2010 17:28:48 +0000 (18:28 +0100)]
s3:passdb: store the plain nt password hashes in history, not salted md5

This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...

The "lucky" bit here is that the md5 hash and the nt hash (md4) both are
16 bytes long.

This is part of the fix for bug #4347.

Michael

12 years ago s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash
Michael Adam [Tue, 5 Jan 2010 15:58:30 +0000 (16:58 +0100)]
s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash

This is to introduce a new format of the password history, maintaining backwards
compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash).
The new format is 16 zero bytes and 16 bytes nt hash.

This will allow us to respect the last X entries of the nt password history
when deciding whether to increment the bad password count.

This is part of the fix for bug #4347.

Michael

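The two history-entry formats described in the commit above, as an added example that is not Samba code: a Python check that parses a raw password-history blob, treats a 16-zero-byte salt as the new "plain NT hash" format and any other salt as the old md5(salt + nt hash) format, and reports which entries still expose an NT hash that could feed the challenge/response comparison the bad-password-count change relies on. The NT hash is taken as an opaque 16-byte value, the sample hashes and history are constructed, and the newest-first ordering behind `max_entries` is an assumption, not something this log states.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Layout taken from the commit message: each history entry is 32 bytes,
# 16 bytes of salt followed by 16 bytes of hash.
SALT_LEN = 16
HASH_LEN = 16
ENTRY_LEN = SALT_LEN + HASH_LEN
ZERO_SALT = bytes(SALT_LEN)


def parse_history(history: bytes) -> List[Tuple[bytes, bytes]]:
    """Split a raw history blob into (salt, stored_hash) pairs.

    A trailing partial entry is ignored rather than ever counted as a match.
    """
    usable = len(history) - (len(history) % ENTRY_LEN)
    return [
        (history[off:off + SALT_LEN], history[off + SALT_LEN:off + ENTRY_LEN])
        for off in range(0, usable, ENTRY_LEN)
    ]


def entry_matches(salt: bytes, stored: bytes, nt_hash: bytes) -> bool:
    """Compare one history entry against a candidate NT hash in either format."""
    if salt == ZERO_SALT:
        # New format: zero salt, the stored value is the plain NT hash.
        return hmac.compare_digest(stored, nt_hash)
    # Old format: the stored value is md5(salt + nt_hash).
    return hmac.compare_digest(hashlib.md5(salt + nt_hash).digest(), stored)


def password_in_history(nt_hash: bytes, history: bytes,
                        max_entries: Optional[int] = None) -> bool:
    """True if nt_hash matches one of the (optionally first N) history entries.

    Assumption, not stated on this page: entries are ordered newest first,
    so max_entries=2 restricts the check to the two most recent passwords.
    """
    entries = parse_history(history)
    if max_entries is not None:
        entries = entries[:max_entries]
    return any(entry_matches(salt, stored, nt_hash) for salt, stored in entries)


def recoverable_nt_hashes(history: bytes) -> List[bytes]:
    """NT hashes a challenge/response check could be run against.

    Only zero-salt (new format) entries carry the NT hash itself; a salted
    md5 entry cannot be turned back into one, which is why the history
    format was changed to plain hashes.
    """
    return [stored for salt, stored in parse_history(history) if salt == ZERO_SALT]


# Constructed sample data: two fake 16-byte NT hashes and a two-entry history
# with a new-format entry first and an old-format entry second.
CURRENT_HASH = bytes(range(16))
PREVIOUS_HASH = bytes(range(16, 32))
OLD_SALT = b"\x01" * SALT_LEN
SAMPLE_HISTORY = (
    ZERO_SALT + CURRENT_HASH
    + OLD_SALT + hashlib.md5(OLD_SALT + PREVIOUS_HASH).digest()
)

if __name__ == "__main__":
    print(password_in_history(CURRENT_HASH, SAMPLE_HISTORY))                 # True
    print(password_in_history(PREVIOUS_HASH, SAMPLE_HISTORY))                # True, old format
    print(password_in_history(PREVIOUS_HASH, SAMPLE_HISTORY, max_entries=1)) # False
    print(len(recoverable_nt_hashes(SAMPLE_HISTORY)))                        # 1
```

Both formats keep matching, so an existing history keeps working after the change, while only the new entries can be used for the "wrong password but still a recent one" decision; a lockout policy that counts such attempts as bad passwords would behave differently for users whose history predates the format change.
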
12 years ago s3: Remove some code that has become unnecessary
Volker Lendecke [Thu, 7 Jan 2010 13:50:43 +0000 (14:50 +0100)]
s3: Remove some code that has become unnecessary

The code I just removed was checked in with e5466fffc286a99f as a bug fix for
https://bugzilla.samba.org/show_bug.cgi?id=3319. With the changes to
is_visible_file made with 9e8b8f8c16612 these lines have become unnecessary,
even with "hide unreadable = yes" dead msdfs symlinks show. This is because we
can not stat(2) them and default to showing them.

Why this change? I have a user who wants to use "hide unreadable" on msdfs
links. Because you can't edit acls on symlinks themselves, the user created the
targets as bogus, empty files that just exist as acl placeholders. With the
code in place that this patch removes, we never allow this to work.

Jeremy, please check! :-)

Thanks,

Volker

12 years ago s3-docs: fix eventlogadm manpage typo.
Günther Deschner [Thu, 7 Jan 2010 11:05:18 +0000 (12:05 +0100)]
s3-docs: fix eventlogadm manpage typo.

Guenther

12 years ago s3: Lock down some srvsvc calls according to what w2k3 seems to do
Volker Lendecke [Thu, 7 Jan 2010 10:47:09 +0000 (11:47 +0100)]
s3: Lock down some srvsvc calls according to what w2k3 seems to do

12 years ago s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account
Michael Adam [Wed, 6 Jan 2010 12:53:10 +0000 (13:53 +0100)]
s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account

Log what went wrong, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.

Michael

12 years ago s3:auth:check_sam_security: fix a leading tab/ws mixup
Michael Adam [Wed, 6 Jan 2010 12:40:58 +0000 (13:40 +0100)]
s3:auth:check_sam_security: fix a leading tab/ws mixup

Michael

12 years ago s3:auth:check_sam_security: create (and use) a common exit point
Michael Adam [Wed, 6 Jan 2010 11:36:56 +0000 (12:36 +0100)]
s3:auth:check_sam_security: create (and use) a common exit point

for use after sam_password_ok() has been called.

Michael

12 years ago s3:auth:check_sam_security: null out sampass after it has been stolen.
Michael Adam [Wed, 6 Jan 2010 11:32:51 +0000 (12:32 +0100)]
s3:auth:check_sam_security: null out sampass after it has been stolen.

So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.

Michael

12 years ago s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass
Michael Adam [Mon, 4 Jan 2010 17:15:24 +0000 (18:15 +0100)]
s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass

This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.

Michael

12 years ago s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok()
Michael Adam [Mon, 4 Jan 2010 14:37:24 +0000 (15:37 +0100)]
s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok()

This way it is more explicit that there is no allocated data here
that may leak.

Michael

12 years ago s3:auth:sam_password_ok: fix allocation of a data blob.
Michael Adam [Wed, 30 Dec 2009 14:37:23 +0000 (15:37 +0100)]
s3:auth:sam_password_ok: fix allocation of a data blob.

data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.

Michael

12 years ago s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers
Michael Adam [Wed, 30 Dec 2009 14:35:50 +0000 (15:35 +0100)]
s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers

and removing bool variables and several checks.

Michael

12 years ago s3:check_sam_security: untangle assignment from statement
Michael Adam [Wed, 30 Dec 2009 11:46:22 +0000 (12:46 +0100)]
s3:check_sam_security: untangle assignment from statement

Michael

12 years ago s3: Factor password_in_history() out of check_passwd_history()
Volker Lendecke [Mon, 14 Dec 2009 19:54:33 +0000 (20:54 +0100)]
s3: Factor password_in_history() out of check_passwd_history()

12 years ago Simplify E_md5hash a bit
Volker Lendecke [Mon, 14 Dec 2009 18:29:36 +0000 (19:29 +0100)]
Simplify E_md5hash a bit

12 years ago s3: Simplify pdb_set_plaintext_passwd: pwhistory==NULL can not happen anymore
Volker Lendecke [Mon, 14 Dec 2009 18:18:09 +0000 (19:18 +0100)]
s3: Simplify pdb_set_plaintext_passwd: pwhistory==NULL can not happen anymore

12 years ago s3: Simplify pdb_set_plaintext_passwd: pwHistLen==0 was checked above
Volker Lendecke [Mon, 14 Dec 2009 18:16:58 +0000 (19:16 +0100)]
s3: Simplify pdb_set_plaintext_passwd: pwHistLen==0 was checked above

12 years ago s3: Add a paranoia check to pdb_set_plaintext_passwd()
Volker Lendecke [Mon, 14 Dec 2009 18:12:50 +0000 (19:12 +0100)]
s3: Add a paranoia check to pdb_set_plaintext_passwd()

12 years ago s3: Simplify pdb_set_plaintext_passwd() by removing a redundant condition
Volker Lendecke [Mon, 14 Dec 2009 17:50:38 +0000 (18:50 +0100)]
s3: Simplify pdb_set_plaintext_passwd() by removing a redundant condition

if (current_history_len != pwHistLen) {
     if (current_history_len < pwHistLen) {
     }
}

The second "if" is a bit pointless here

12 years ago s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes
Volker Lendecke [Mon, 14 Dec 2009 17:44:38 +0000 (18:44 +0100)]
s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes