kai/samba-autobuild/.git
7 years ago
Ralph Boehme [Tue, 10 Jan 2017 13:48:07 +0000 (14:48 +0100)]
dbwrap: add parse_record_send/recv to struct db_context

The implementation comes next.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago
Ralph Boehme [Tue, 10 Jan 2017 13:22:21 +0000 (14:22 +0100)]
dbwrap: add enum dbwrap_req_state

This will be used by async dwrap_parse_send() as an out argument, giving
the caller an indication about the state of the request.

This can be useful for the caller if it is a sync function and sends
multiple async dbwrap requests. As it's a sync function it won't return
to the main tevent event loop and so the async dbwrap recv functions are
not called.

As a result the function may deadlock: our receive queue may already be
full with results from a peer, the peer might be blocked in his send
queue (because we're not receiving), the peer therefore doesn't read from
his receive queue so our send queue will block as well.

To inform the caller of this situation "send queue full" we return this
state information to the caller of the dbwrap send function.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago
Ralph Boehme [Wed, 22 Feb 2017 16:21:15 +0000 (17:21 +0100)]
lib/util: add and use iov_concat

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
7 years ago
Jeremy Allison [Tue, 18 Apr 2017 17:21:50 +0000 (10:21 -0700)]
lib: param: Remove lpcfg_register_defaults_hook().

Completely unused functionality. Gets rid of another
talloc_autofree_context(). Updated WHATSNEW to make
this clear.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
7 years ago
Volker Lendecke [Mon, 17 Apr 2017 15:12:27 +0000 (17:12 +0200)]
smbldap: Move ldapsam_privates to pdb_ldap.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 18 22:52:03 CEST 2017 on sn-devel-144

7 years ago
Volker Lendecke [Mon, 17 Apr 2017 15:04:07 +0000 (17:04 +0200)]
smbldap: pdb_ipa is gone

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jan Engelhardt [Thu, 5 Sep 2013 18:57:12 +0000 (20:57 +0200)]
build: correct package dependencies

The wscript_build files convey what header files belong to which
logical package. For example,

    # lib/util/wscript_build:
    bld.SAMBA_LIBRARY('samba-util',
                      public_headers='... data_blob.h ...'

    # auth/credentials/wscript_build:
    bld.SAMBA_LIBRARY('samba-credentials',
                      public_headers='credentials.h',

Now, credentials.h #includes <util/data_blob.h> and therefore,
samba-credentials.pc must have a Requires: samba-util.

Similarly for other parts.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Mon, 17 Apr 2017 21:30:54 +0000 (14:30 -0700)]
s3:smbd: Fix incorrect use of sys_getgroups()

Second arg must be NULL when first arg is 0 (it is in all other places).

Bug report and patch from Hanno Böck <hanno@hboeck.de>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 18 15:43:02 CEST 2017 on sn-devel-144

7 years ago
Jeremy Allison [Mon, 17 Apr 2017 21:30:04 +0000 (14:30 -0700)]
s3:lib: Fix incorrect logic in sys_broken_getgroups()

If setlen == 0 then the second argument must be ignored.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12747

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Mon, 17 Apr 2017 21:09:24 +0000 (14:09 -0700)]
lib: debug: Avoid negative array access.

Report and patch from Hanno Böck <hanno@hboeck.de>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12746

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 23:06:08 +0000 (16:06 -0700)]
lib:charset: Remove use of talloc_autofree_context() for global_iconv_handle

All other callers use NULL here anyway, so there's no
need to use a special context for get_iconv_handle().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 23:05:02 +0000 (16:05 -0700)]
lib:charset: Make global_iconv_handle private

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:57:28 +0000 (15:57 -0700)]
lib: param: Remove the last external use of global_iconv_handle by calling the utility function reinit_iconv_handle().

Add an error check.

This *looks* like a logic change, but it is not.

The only change is the addition of the error return check.

The reason is that the changed function, reload_charcnv(),
is the *only* function that sets lp_ctx->iconv_handle. And
it does so just before setting global_iconv_handle = lp_ctx->iconv_handle.

Calling the utility function reinit_iconv_handle()
instead merely sets global_iconv_handle first, then
assigns it (as the return) to lp_ctx->iconv_handle.

So all this is doing is reversing the order of
setting global_iconv_handle and lp_ctx->iconv_handle
to the same thing.

Even the removal of the lines:

-       struct smb_iconv_handle *old_ic = lp_ctx->iconv_handle
-       if (old_ic == NULL) {
-               old_ic = global_iconv_handle;

has no effect, as remember that lp_ctx->iconv_handle
is only ever set to the same value as global_iconv_handle,
and once this function has been run once, lp_ctx->iconv_handle != NULL.

This allows us finally to make global_iconv_handle private
to the C source file that defines it.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:51:17 +0000 (15:51 -0700)]
lib: param: Use utility functions to get rid of two more uses of global_iconv_handle.

Add error return checking.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:47:17 +0000 (15:47 -0700)]
s3:param: Use new utility function to hide use of global_iconv_handle

Add error return check.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:44:08 +0000 (15:44 -0700)]
s3:lib:charcnv: Remove use of global global_iconv_handle

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:42:39 +0000 (15:42 -0700)]
lib:charset: Add utility functions reinit_iconv_handle() and free_iconv_handle(void)

Not yet used. Will enable us to make global_iconv_handle private.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Jeremy Allison [Tue, 11 Apr 2017 22:31:17 +0000 (15:31 -0700)]
lib: Remove smb_iconv_handle_reinit_lp()

It's merely a wrapper for smb_iconv_handle_reinit(),
only used in one place and smb_iconv_handle_reinit()
is already called from lib/param/loadparm.c.

Removing this will make it easier to make global_iconv_handle
private state to lib/util/charset/codepoints.c later.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago
Uri Simchoni [Thu, 13 Apr 2017 09:44:58 +0000 (12:44 +0300)]
vfs_acl_xattr: avoid needlessly supplying a large buffer to getxattr()

When obtaining the security descriptor via getxattr(), first try
optimistically to supply a buffer of 4K, and if that turns out
to be too small, determine the correct buffer size.

The previous behavior of falling back to a 64K buffer encountered
problems with Linux prior to version 3.6, due to physical memory
fragmentation. With those kernels, as long as the buffer is 8K or
smaller, getting the xattr is much less prone to failure due to
memory fragmentation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 18 04:41:16 CEST 2017 on sn-devel-144

7 years ago
Uri Simchoni [Sat, 8 Apr 2017 21:40:44 +0000 (00:40 +0300)]
vfs_acl_xattr: factor out fetching of an extended attribute

Pure refactoring - add a function that fetches an extended attribute
based on either the file descriptor or the file name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago
Uri Simchoni [Thu, 13 Apr 2017 09:50:47 +0000 (12:50 +0300)]
vfs_xattr_tdb: handle case of zero size.

With getxattr(), passing a zero buffer size is a
way of obtaining actual xattr size.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago
Uri Simchoni [Sat, 8 Apr 2017 21:20:40 +0000 (00:20 +0300)]
selftest: test fetching a large ACL from vfs_acl_xattr

Add a test that fetches an ACL whose size is larger than 4K.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12737

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago
Andreas Schneider [Wed, 12 Apr 2017 11:17:16 +0000 (13:17 +0200)]
docs: Update idmap_rid manpage

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago
Jeremy Allison [Mon, 3 Apr 2017 18:16:02 +0000 (18:16 +0000)]
s4: server: Use state as the talloc context for open_schannel_session_store.

Ensure it's freed on all error paths.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Apr 17 23:10:06 CEST 2017 on sn-devel-144

7 years ago
Jeremy Allison [Mon, 3 Apr 2017 18:04:31 +0000 (18:04 +0000)]
s4: server: Remove use of talloc_autofree_context as the parent of event_ctx.

Use state->event_ctx as the parent of the initial imessaging context.

Now we control all exit paths, we can call TALLOC_FREE(state)
on all of them.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Mon, 3 Apr 2017 17:58:24 +0000 (17:58 +0000)]
s4: messaging: When talloc_free()'ing an event context, only remove msg_dgm_ref's that point to *that* context.

Defensive programming change. Not strictly needed to prevent
any crash/error.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 19:38:14 +0000 (12:38 -0700)]
s4: server: Add a tevent signal handler for SIGTERM.

Simplify by removing global state we don't need now
we're called by tevent (and in the short window where
we're installed by CatchSignal but before we install
the tevent handler we don't need the complex global
state handling as we have no forked children).

We now have access to struct server_state on all
exit paths - next commits will stop using talloc autofree context.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 19:29:03 +0000 (12:29 -0700)]
s4: server: Add error return checks for tevent_add_fde, tevent_add_timer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 19:23:56 +0000 (12:23 -0700)]
s4: server: Plumb server_state through the irpc messaging for samba_terminate().

Use it in the message print to avoid an "unused variable" compile error.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 19:00:29 +0000 (12:00 -0700)]
s4: server: Use server_state as a parameter to max_runtime_handler, not just name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 18:59:13 +0000 (11:59 -0700)]
s4: server: Use server_state as a parameter to stdin handler, not just name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 18:54:45 +0000 (11:54 -0700)]
s4: server: Create a server 'state' struct.

No logic changes, will be used to move allocated
pointers off the talloc autofree context in a later commit.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 18:43:17 +0000 (11:43 -0700)]
s4: server. Whitespace and 80+ column cleanup.

No logic changes.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Jeremy Allison [Fri, 31 Mar 2017 18:07:35 +0000 (11:07 -0700)]
s4: messaging. Minor cleanup. Check for error returns on imessaging_register calls.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
7 years ago
Noel Power [Tue, 11 Apr 2017 13:38:34 +0000 (14:38 +0100)]
s3:tests: Add test for illegal value detection for 'name resolve order'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 13 15:20:04 CEST 2017 on sn-devel-144

7 years ago
Noel Power [Tue, 11 Apr 2017 10:26:45 +0000 (11:26 +0100)]
param: Check for valid values of 'name resolve order' option

This variable is populated by a list of values where each value should
be a known option. This patch ensures that illegal values are detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
7 years ago
Garming Sam [Wed, 29 Mar 2017 02:21:04 +0000 (15:21 +1300)]
updaterefs: Do not open transaction even when unnecessary

This can be called during GetNCChanges (a generally read-only call), so it
is not wise to be blocking the database for no reason.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Apr 13 11:25:06 CEST 2017 on sn-devel-144

7 years ago
Garming Sam [Tue, 28 Mar 2017 22:24:50 +0000 (11:24 +1300)]
drepl_server: Allow refresh of partitions on UpdateRef

When we call UpdateRef, the push replication will not begin until the
drepl_server has done its periodic refresh. If UpdateRefs is called, we
should just send an IRPC message to call the refresh.

NOTE: This has the same dependencies and issues as repl_secrets in
auth_sam.c in terms of IRPC implementation.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Mon, 3 Apr 2017 03:31:14 +0000 (15:31 +1200)]
dns_update: RODC updates should use lower case realm

This is consistent with the standard update list we write.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Wed, 29 Mar 2017 00:16:48 +0000 (13:16 +1300)]
rodc/dns: Do not put a trailing dot at end of a DNS record

This causes RESOLV_WRAPPER to not detect the record correctly (while
also creating inconsistent and possibly breaking records).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 28 Mar 2017 01:29:26 +0000 (14:29 +1300)]
join.py: Allow RODC to have push replication at join

Normally DsAddEntry connects to DRSUAPI, however not in the RODC case. This meant that
it never called DsReplicaUpdateRefs and so never got push-replication after join.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 28 Mar 2017 01:34:01 +0000 (14:34 +1300)]
password-lockout: Allow RODC to ensure lockout and lockout reset

Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 30 Mar 2017 02:50:01 +0000 (15:50 +1300)]
replmd: Reduce calls to ldb_request_get_control

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 23 Mar 2017 21:24:21 +0000 (10:24 +1300)]
rodc: Allow local RODC changes with version 0

These changes will get clobbered by RWDCs through replication. This
behaviour is required for lockoutTime to enforce the password lockout
locally on the RODC (and is consistent with Windows).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Fri, 17 Mar 2017 03:09:06 +0000 (16:09 +1300)]
drepl: Add partial attribute set in the case of repl secret

Against Windows, the call will always fail without it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 6 Apr 2017 04:26:26 +0000 (16:26 +1200)]
password_lockout: Tests against RODC (once preloaded)

In this scenario, both the login server and the verification server are
the RODC. This tests that a user is locked out correctly once the
lockout limit is reached and they are also unlocked correctly when the
lockout time period expires.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Sun, 9 Apr 2017 22:16:57 +0000 (10:16 +1200)]
tests/rodc: Add a number of tests for RODC-RWDC interaction

This tests password fallback to RWDC in preloaded and non-preloaded
cases. It also tests some basic scenarios around what things are
replicated between the two DCs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

7 years ago
Garming Sam [Fri, 7 Apr 2017 02:41:05 +0000 (14:41 +1200)]
sam.c: Make NTLM login set logonCount when unset

Previously, it only bothered if it was being incremented. Now on first
logon, it should turn the unset logonCount to 0.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 6 Apr 2017 04:57:13 +0000 (16:57 +1200)]
password_lockout: Move some unnecessary methods from base

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 6 Apr 2017 04:21:53 +0000 (16:21 +1200)]
password_lockout: Move lockoutObservationWindow tests from setUp

These should not belong in the setUp, and should be a separate test.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Thu, 6 Apr 2017 03:53:25 +0000 (15:53 +1200)]
password_lockout: Factor out a base testcase

This allows it to be used for the RODC testing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Mon, 10 Apr 2017 04:12:21 +0000 (16:12 +1200)]
password_lockout: Remove use of global creds variables

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Mon, 10 Apr 2017 04:08:57 +0000 (16:08 +1200)]
password_lockout: Remove use of global lp and host vars

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Mon, 10 Apr 2017 04:33:03 +0000 (16:33 +1200)]
password_lockout: Move more helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Mon, 10 Apr 2017 04:48:23 +0000 (16:48 +1200)]
password_lockout: Move more helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Wed, 5 Apr 2017 02:30:28 +0000 (14:30 +1200)]
password_lockout: Begin moving helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Sun, 9 Apr 2017 22:41:44 +0000 (10:41 +1200)]
selftest: Make some assertions about RODC referrals

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 20 Sep 2016 04:25:34 +0000 (04:25 +0000)]
rodc: Force all RODC add and delete to cause a referral

Previously, you could add or delete and cause replication conflicts on
an RODC. Modifies are already partly restricted in repl_meta_data and
have more specific requirements, so they cannot be handled here.

We still differ against Windows for modifies of non-replicated
attributes over LDAP.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

7 years ago
Garming Sam [Mon, 13 Mar 2017 21:36:13 +0000 (10:36 +1300)]
selftest: Add ldap rodc python test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

7 years ago
Garming Sam [Tue, 4 Apr 2017 01:13:16 +0000 (13:13 +1200)]
replmd: Send RODC referrals preferably to the PDC

The Windows protocol test suites check that a particular DC is used when
sending referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

7 years ago
Garming Sam [Tue, 4 Apr 2017 00:18:42 +0000 (12:18 +1200)]
drsuapi.idl: Expose GetNCChanges req8 like req10

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 28 Mar 2017 21:32:39 +0000 (10:32 +1300)]
samba_dnsupdate: Remove extra argument from debug

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 4 Apr 2017 00:21:34 +0000 (12:21 +1200)]
winbindd: Make some debugging clearer

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Garming Sam [Tue, 4 Apr 2017 01:11:16 +0000 (13:11 +1200)]
whitespace: Remove some whitespace

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago
Michael Adam [Tue, 11 Apr 2017 08:12:51 +0000 (10:12 +0200)]
s3:tests: fix comment typo in the offline test

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Apr 13 02:44:38 CEST 2017 on sn-devel-144

7 years ago
Ralph Boehme [Mon, 10 Apr 2017 12:28:18 +0000 (14:28 +0200)]
winbindd: only use the domain name from lookup sids if the domain matches

With the use of sIDHistory it happens that two sids map to the same name:
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)

On the net it looks like this:

     lsa_LookupSids: struct lsa_LookupSids
        in: struct lsa_LookupSids
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
            sids                     : *
                sids: struct lsa_SidArray
                    num_sids                 : 0x00000002 (2)
                    sids                     : *
                        sids: ARRAY(2)
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-1387724271-3540671778-1971508351-1115
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-3293503978-489118715-2763867031-1106
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000000 (0)
                    names                    : NULL
            level                    : LSA_LOOKUP_NAMES_ALL (1)
            count                    : *
                count                    : 0x00000000 (0)
     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000001 (1)
                        domains                  : *
                            domains: ARRAY(1)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'DOMAIN2'
                                    sid                      : *
                                        sid                      : S-1-5-21-1387724271-3540671778-1971508351
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000002 (2)
                    names                    : *
                        names: ARRAY(7)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : NT_STATUS_OK

So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has
S-1-5-21-1387724271-3540671778-1971508351 in the referenced lsa_DomainInfo
structure. In that case we should not use the domain name from lsa_DomainInfo,
because we would use the wrong idmap backend.

For the case where the domain part of the sIDHistory SID is a still existing
domain, which can be found in our internal list of trusted domains, we now use
the correct idmap backend: the idmap domain from the historic SID.

If the historic domain no longer exists, we fall back to the default
idmap domain.

The next step would be doing a lookup sid call for the domain sid, which may
help with one-way trusts.

The long term goal needs to be that idmap backends are based on sids only and
only the smb.conf allows names to be used which will be converted to sids on
startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Apr 12 16:43:30 CEST 2017 on sn-devel-144

7 years ago  waf: Only build pam_wrapper if we build with pam
Andreas Schneider [Mon, 10 Apr 2017 05:50:41 +0000 (07:50 +0200)]
waf: Only build pam_wrapper if we build with pam

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
7 years ago  build: refuse to build without PAM support if enabled
Uri Simchoni [Wed, 12 Apr 2017 07:32:39 +0000 (10:32 +0300)]
build: refuse to build without PAM support if enabled

If PAM support is enabled, refuse to build if the prerequisite
libraries are not in place, instead of silently disabling PAM
support and continuing with the build.

This simplifies inclusion of pam_wrapper in the tree.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
7 years ago  winbind_msrpc: Use any_nt_status_not_ok
Volker Lendecke [Thu, 9 Mar 2017 17:57:14 +0000 (18:57 +0100)]
winbind_msrpc: Use any_nt_status_not_ok

Fewer lines, fewer bytes of .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 12 05:40:36 CEST 2017 on sn-devel-144

7 years ago  winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
Volker Lendecke [Mon, 6 Mar 2017 20:36:25 +0000 (20:36 +0000)]
winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbind: Slightly simplify remove_timed_out_clients
Volker Lendecke [Thu, 9 Mar 2017 16:50:01 +0000 (17:50 +0100)]
winbind: Slightly simplify remove_timed_out_clients

Best reviewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbind: Avoid a "ok==false"
Volker Lendecke [Thu, 9 Mar 2017 17:27:55 +0000 (18:27 +0100)]
winbind: Avoid a "ok==false"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbind: Simplify a logic expression
Volker Lendecke [Thu, 9 Mar 2017 17:49:39 +0000 (18:49 +0100)]
winbind: Simplify a logic expression

This isn't 100% the same flow, but before this patch we initialized
domain->primary to "false" via "talloc_zero". This means that the
end-result should be the same before and after this patch that IMHO
simplifies the logic a bit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: remove fallback from lookuprids
Ralph Boehme [Sun, 2 Apr 2017 12:15:33 +0000 (14:15 +0200)]
winbindd: remove fallback from lookuprids

We're only calling lookuprids for our local SAM and BUILTIN domains. If
that results in a failed lookup for some rid, sending it again via
lookupsids() won't help, it will just fail again.

If the caller wrongly sent any other SID that is not from our SAM or
BUILTIN via lookuprids(), then it is up to the caller to fix that, not
us.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: remove lookupsid() fallback for a failed lookupsids()
Ralph Boehme [Fri, 24 Mar 2017 15:54:39 +0000 (16:54 +0100)]
winbindd: remove lookupsid() fallback for a failed lookupsids()

If lookupsids() returned any other error than OK, SOME_NOT_MAPPED or
NONE_MAPPED we must just bail out.

If some or all SIDs could not be mapped via lookupsids(), don't fall back
to lookupsid(), it will just fail again.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: remove fallback to lookupsid for unknown SIDs
Ralph Boehme [Fri, 24 Mar 2017 15:46:40 +0000 (16:46 +0100)]
winbindd: remove fallback to lookupsid for unknown SIDs

In wb_lookupsids_done() if a SID failed with lookupsids(), remove the
hokey retry via lookupsid().

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: handling of failed lookupsids in wb_lookupsids_single_done()
Ralph Boehme [Fri, 24 Mar 2017 16:06:38 +0000 (17:06 +0100)]
winbindd: handling of failed lookupsids in wb_lookupsids_single_done()

If lookupsid() failed with NT_STATUS_SOME_NOT_MAPPED or
NT_STATUS_NONE_MAPPED and we didn't get a domain name, don't add a fake
domain to the lsa_RefDomainList. Just set the domain index in the
translated name to UINT32_MAX.

It's up to callers like wb_sids2xids to handle such failed mappings and
wb_sids2xids_lookupsids_done() has been updated in a previous commit to
deal with it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
Ralph Boehme [Sun, 26 Mar 2017 06:34:59 +0000 (08:34 +0200)]
winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX

If the SID was in an unknown domain, src_name->sid_index will be
UINT32_MAX.

This change allows wb_lookupsids_move_name() to add such names to the
result set. This is not used for now, but will be used in subsequent
commits.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
Ralph Boehme [Tue, 4 Apr 2017 12:51:09 +0000 (14:51 +0200)]
winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()

This lets wb_sids2xids_lookupsids_done() deal with wb_lookupsids
returning UINT32_MAX as domain index for SIDs from unknown domains.

Call find_domain_from_sid_noinit() to search our list of known
domains. If a matching domain is found, use its name, otherwise use the
empty string "". This is needed to handle Samba DCs, which always return
sid_index UINT32_MAX for unknown SIDs, even from known domains.

Currently wb_lookupsids adds these fake domains with an empty string
as domain name, but that's not the correct place to do it. We need the
domain name as it gets passed to the idmap child, where the choice of
idmap backend is based on the domain name. This will possibly be changed
in the future to be based on domain SIDs, not the name.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  libcli/security: fix dom_sid_in_domain()
Ralph Boehme [Mon, 10 Apr 2017 14:14:45 +0000 (16:14 +0200)]
libcli/security: fix dom_sid_in_domain()

Ensure the SID has exactly one component more than the domain SID, e.g.

Domain SID: S-1-5-21-1-2-3
SID:        S-1-5-21-1-2-3-4

This will return true. If the SID has more components, e.g.

SID: S-1-5-21-1-2-3-4-5, or
SID: S-1-5-21-1-2-3-4-5-6-7-8

dom_sid_in_domain() must return false.

This was verified against Windows:

     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000002 (2)
                        domains                  : *
                            domains: ARRAY(2)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'BUILTIN'
                                    sid                      : *
                                        sid                      : S-1-5-32
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x0012 (18)
                                        size                     : 0x0014 (20)
                                        string                   : *
                                            string                   : 'W4EDOM-L4'
                                    sid                      : *
                                        sid                      : S-1-5-21-278041429-3399921908-1452754838
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000004 (4)
                    names                    : *
                        names: ARRAY(4)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x001a (26)
                                    size                     : 0x001a (26)
                                    string                   : *
                                        string                   : 'Administrator'
                                sid_index                : 0x00000001 (1)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x005c (92)
                                    size                     : 0x005e (94)
                                    string                   : *
                                        string                   : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                sid_index                : 0xffffffff (4294967295)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_ALIAS (4)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001c (28)
                                    string                   : *
                                        string                   : 'Administrators'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001e (30)
                                    string                   : *
                                        string                   : 'S-1-5-32-544-9'
                                sid_index                : 0xffffffff (4294967295)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : STATUS_SOME_UNMAPPED

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
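As an added example (not Samba's code) covering both the dom_sid_in_domain() rule in this commit and the idmap-domain selection described in the sIDHistory commit further up: a small SID string parser, the "exactly one extra component" check, and a lookup that returns the known domain containing a SID or falls back to the default idmap domain. The struct sid, sid_parse(), sid_in_domain(), sid_str_in_domain(), idmap_domain_for_sid() and the table of known domains are all constructed here, and "*" stands for the default idmap domain as in smb.conf's "idmap config *" entries.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal SID (constructed for this example, not Samba's struct dom_sid). */
struct sid {
	uint8_t revision;
	uint64_t authority;
	uint8_t num_auths;
	uint32_t sub_auths[15];
};

/* Parse "S-1-5-21-1-2-3" into *out; false on anything malformed. */
static bool sid_parse(const char *p, struct sid *out)
{
	int field = 0;
	memset(out, 0, sizeof(*out));
	if (p == NULL || p[0] != 'S') return false;
	for (p++; *p == '-'; field++) {
		unsigned long v;
		char *end;
		p++;
		if (*p < '0' || *p > '9') return false;   /* need a digit */
		v = strtoul(p, &end, 10);
		p = end;
		if (field == 0 && v <= 255) out->revision = (uint8_t)v;
		else if (field == 1) out->authority = v;
		else if (field > 1 && v <= UINT32_MAX && out->num_auths < 15)
			out->sub_auths[out->num_auths++] = (uint32_t)v;
		else return false;
	}
	return *p == '\0' && field >= 2;   /* at least revision + authority */
}

/* The rule from the dom_sid_in_domain() fix: same prefix and exactly one
 * extra sub-authority (the RID); more or fewer components means false. */
static bool sid_in_domain(const struct sid *dom, const struct sid *sid)
{
	return sid->num_auths == dom->num_auths + 1 &&
	       sid->revision == dom->revision &&
	       sid->authority == dom->authority &&
	       memcmp(dom->sub_auths, sid->sub_auths,
		      dom->num_auths * sizeof(uint32_t)) == 0;
}

/* String wrapper: 1 = in domain, 0 = not, -1 = malformed SID. */
int sid_str_in_domain(const char *domain, const char *sid)
{
	struct sid d, s;
	if (!sid_parse(domain, &d) || !sid_parse(sid, &s)) return -1;
	return sid_in_domain(&d, &s) ? 1 : 0;
}

/* Idmap domain selection as the sIDHistory commit describes it: the known
 * domain containing the SID, else the default idmap domain "*". The known
 * domains are constructed from SIDs quoted above, not real winbindd state. */
const char *idmap_domain_for_sid(const char *sid_str)
{
	static const char *const names[] = { "BUILTIN", "W4EDOM-L4", "DOMAIN2" };
	static const char *const sids[] = { "S-1-5-32",
		"S-1-5-21-278041429-3399921908-1452754838",
		"S-1-5-21-1387724271-3540671778-1971508351" };
	struct sid sid, dom;
	size_t i;
	if (!sid_parse(sid_str, &sid)) return NULL;
	for (i = 0; i < sizeof(sids) / sizeof(sids[0]); i++)
		if (sid_parse(sids[i], &dom) && sid_in_domain(&dom, &sid))
			return names[i];
	return "*";
}

int main(void) { printf("%s\n", idmap_domain_for_sid("S-1-5-32-544")); return 0; }
```

Note how the unknown SIDs from the Windows output above (the "-500-1" and "-544-9" ones) land in the default domain rather than in W4EDOM-L4 or BUILTIN, which is exactly what the stricter component check buys.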
7 years ago  s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
Michael Adam [Tue, 11 Apr 2017 10:03:52 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
Michael Adam [Tue, 11 Apr 2017 10:03:20 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  s3:vfs:shadow_copy2: fix quoting in debug messages
Michael Adam [Tue, 11 Apr 2017 09:18:30 +0000 (11:18 +0200)]
s3:vfs:shadow_copy2: fix quoting in debug messages

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  tdb: Test for readonly lock upgrade bug
Volker Lendecke [Tue, 8 Nov 2016 16:01:56 +0000 (17:01 +0100)]
tdb: Test for readonly lock upgrade bug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 11 00:33:31 CEST 2017 on sn-devel-144

7 years ago  tdb: Do lock upgrades properly
Volker Lendecke [Mon, 7 Nov 2016 20:40:15 +0000 (21:40 +0100)]
tdb: Do lock upgrades properly

When a process holds a readlock and wants to upgrade, this needs to be
reflected in the underlying lock. Without this, it is possible to cheat:
One process holds a readlock, and another process wants to write this
record. All the writer has to do is take a readonly lock on the key and
then do the store.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  tdb: Fix some signed/unsigned hiccups
Volker Lendecke [Mon, 7 Nov 2016 20:38:58 +0000 (21:38 +0100)]
tdb: Fix some signed/unsigned hiccups

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  selftest: Test for bug 12558
Volker Lendecke [Fri, 7 Apr 2017 14:33:57 +0000 (16:33 +0200)]
selftest: Test for bug 12558

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
7 years ago  third_party: Add cmocka 1.1.1
Andreas Schneider [Fri, 7 Apr 2017 13:44:05 +0000 (15:44 +0200)]
third_party: Add cmocka 1.1.1

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 10 11:38:13 CEST 2017 on sn-devel-144

7 years ago  wafsamba: Add CHECK_CMOCKA function
Andreas Schneider [Fri, 7 Apr 2017 13:44:22 +0000 (15:44 +0200)]
wafsamba: Add CHECK_CMOCKA function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
Volker Lendecke [Sun, 19 Feb 2017 14:37:51 +0000 (15:37 +0100)]
auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()

This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144

7 years ago  auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
Stefan Metzmacher [Fri, 17 Mar 2017 15:53:27 +0000 (16:53 +0100)]
auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()

make_auth3_context_for_ntlm() was the only caller of
make_auth_context_subsystem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
Stefan Metzmacher [Fri, 17 Mar 2017 15:51:45 +0000 (16:51 +0100)]
auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon

If someone needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
Stefan Metzmacher [Thu, 16 Mar 2017 14:45:32 +0000 (15:45 +0100)]
auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC

This will be used in the s3 netlogon server in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
Stefan Metzmacher [Fri, 17 Mar 2017 18:35:24 +0000 (19:35 +0100)]
auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication

We should not do anonymous authentication nor a fallback that
ignores the domain part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: remove unused map_user_info[_cracknames]()
Stefan Metzmacher [Fri, 17 Mar 2017 15:21:05 +0000 (16:21 +0100)]
auth4: remove unused map_user_info[_cracknames]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: avoid map_user_info() in auth_check_password_send()
Stefan Metzmacher [Fri, 17 Mar 2017 15:19:10 +0000 (16:19 +0100)]
auth4: avoid map_user_info() in auth_check_password_send()

The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: improve authsam_want_check for upn authentication
Stefan Metzmacher [Fri, 17 Mar 2017 15:31:02 +0000 (16:31 +0100)]
auth4: improve authsam_want_check for upn authentication

We need to check if the upn suffix is within our forest.
The check if it's within our domain is done in
authsam_check_password_internals() after calling
crack_name_to_nt4_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
Stefan Metzmacher [Fri, 17 Mar 2017 13:57:33 +0000 (14:57 +0100)]
auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's

Currently the caller does this before calling the auth backends,
but that should change in order to support trusted domains correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
Stefan Metzmacher [Wed, 22 Mar 2017 09:45:25 +0000 (10:45 +0100)]
auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER

We will hopefully remove this role in future, but for now we should do this
correctly and fall back to sam_ignoredomain at the end of the auth chain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
7 years ago  auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC

It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>