kai/samba-autobuild/.git
2 years agoupdaterefs: Do not open transaction even when unnecessary
Garming Sam [Wed, 29 Mar 2017 02:21:04 +0000 (15:21 +1300)]
updaterefs: Do not open transaction even when unnecessary

This can be called during GetNCChanges (a generally read-only call), it
is not wise to be blocking the database for no reason.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Apr 13 11:25:06 CEST 2017 on sn-devel-144

2 years agodrepl_server: Allow refresh of partitions on UpdateRef
Garming Sam [Tue, 28 Mar 2017 22:24:50 +0000 (11:24 +1300)]
drepl_server: Allow refresh of partitions on UpdateRef

When we call UpdateRef, the push replication will not begin until the
drepl_server has done its periodic refresh. If UpdateRefs is called, we
should just send an IRPC message to call the refresh.

NOTE: This has the same dependencies and issues as repl_secrets in
auth_sam.c in terms of IRPC implementation.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agodns_update: RODC updates should use lower case realm
Garming Sam [Mon, 3 Apr 2017 03:31:14 +0000 (15:31 +1200)]
dns_update: RODC updates should use lower case realm

This is consistent with the standard update list we write.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorodc/dns: Do not put a trailing dot at end of a DNS record
Garming Sam [Wed, 29 Mar 2017 00:16:48 +0000 (13:16 +1300)]
rodc/dns: Do not put a trailing dot at end of a DNS record

This causes RESOLV_WRAPPER to not detect the record correctly (while
also creating inconsistent and possibly breaking records).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agojoin.py: Allow RODC to have push replication at join
Garming Sam [Tue, 28 Mar 2017 01:29:26 +0000 (14:29 +1300)]
join.py: Allow RODC to have push replication at join

Normally DsAddEntry connects to DRSUAPI, however not in the RODC case. This meant that
it never called DsReplicaUpdateRefs and so never got push-replication after join.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword-lockout: Allow RODC to ensure lockout and lockout reset
Garming Sam [Tue, 28 Mar 2017 01:34:01 +0000 (14:34 +1300)]
password-lockout: Allow RODC to ensure lockout and lockout reset

Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoreplmd: Reduce calls to ldb_request_get_control
Garming Sam [Thu, 30 Mar 2017 02:50:01 +0000 (15:50 +1300)]
replmd: Reduce calls to ldb_request_get_control

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorodc: Allow local RODC changes with version 0
Garming Sam [Thu, 23 Mar 2017 21:24:21 +0000 (10:24 +1300)]
rodc: Allow local RODC changes with version 0

These changes will get clobbered by RWDCs through replication. This
behaviour is required for lockoutTime to enforce the password lockout
locally on the RODC (and is consistent with Windows).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agodrepl: Add partial attribute set in the case of repl secret
Garming Sam [Fri, 17 Mar 2017 03:09:06 +0000 (16:09 +1300)]
drepl: Add partial attribute set in the case of repl secret

Against Windows, the call will always fail without it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Tests against RODC (once preloaded)
Garming Sam [Thu, 6 Apr 2017 04:26:26 +0000 (16:26 +1200)]
password_lockout: Tests against RODC (once preloaded)

In this scenario, both the login server and the verification server are
the RODC. This tests that a user is locked out correctly once the
lockout limit is reached and they are also unlocked correctly when the
lockout time period expires.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/rodc: Add a number of tests for RODC-RWDC interaction
Garming Sam [Sun, 9 Apr 2017 22:16:57 +0000 (10:16 +1200)]
tests/rodc: Add a number of tests for RODC-RWDC interaction

This tests password fallback to RWDC in preloaded and non-preloaded
cases. It also tests some basic scenarios around what things are
replicated between the two DCs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

2 years agosam.c: Make NTLM login set logonCount when unset
Garming Sam [Fri, 7 Apr 2017 02:41:05 +0000 (14:41 +1200)]
sam.c: Make NTLM login set logonCount when unset

Previously, it only bothered if it was being incremented. Now on first
logon, it should turn the unset logonCount to 0.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Move some unnecessary methods from base
Garming Sam [Thu, 6 Apr 2017 04:57:13 +0000 (16:57 +1200)]
password_lockout: Move some unnecessary methods from base

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Move lockoutObservationWindow tests from setUp
Garming Sam [Thu, 6 Apr 2017 04:21:53 +0000 (16:21 +1200)]
password_lockout: Move lockoutObservationWindow tests from setUp

These should not belong in the setUp, and should be a separate test.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Factor out a base testcase
Garming Sam [Thu, 6 Apr 2017 03:53:25 +0000 (15:53 +1200)]
password_lockout: Factor out a base testcase

This allows it to be used for the RODC testing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Remove use of global creds variables
Garming Sam [Mon, 10 Apr 2017 04:12:21 +0000 (16:12 +1200)]
password_lockout: Remove use of global creds variables

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Remove use of global lp and host vars
Garming Sam [Mon, 10 Apr 2017 04:08:57 +0000 (16:08 +1200)]
password_lockout: Remove use of global lp and host vars

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Move more helper methods to a base class
Garming Sam [Mon, 10 Apr 2017 04:33:03 +0000 (16:33 +1200)]
password_lockout: Move more helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Move more helper methods to a base class
Garming Sam [Mon, 10 Apr 2017 04:48:23 +0000 (16:48 +1200)]
password_lockout: Move more helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_lockout: Begin moving helper methods to a base class
Garming Sam [Wed, 5 Apr 2017 02:30:28 +0000 (14:30 +1200)]
password_lockout: Begin moving helper methods to a base class

This is so that we can import the login tests into the RODC-RWDC tests.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: Make some assertions about RODC referrals
Garming Sam [Sun, 9 Apr 2017 22:41:44 +0000 (10:41 +1200)]
selftest: Make some assertions about RODC referrals

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorodc: Force all RODC add and delete to cause a referral
Garming Sam [Tue, 20 Sep 2016 04:25:34 +0000 (04:25 +0000)]
rodc: Force all RODC add and delete to cause a referral

Previously, you could add or delete and cause replication conflicts on
an RODC. Modifies are already partly restricted in repl_meta_data and
have more specific requirements, so they cannot be handled here.

We still differ against Windows for modifies of non-replicated
attributes over LDAP.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

2 years agoselftest: Add ldap rodc python test
Garming Sam [Mon, 13 Mar 2017 21:36:13 +0000 (10:36 +1300)]
selftest: Add ldap rodc python test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

2 years agoreplmd: Send RODC referrals preferably to the PDC
Garming Sam [Tue, 4 Apr 2017 01:13:16 +0000 (13:13 +1200)]
replmd: Send RODC referrals preferably to the PDC

The Windows protocol test suites check that a particular DC is used when
sending referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008

2 years agodrsuapi.idl: Expose GetNCChanges req8 like req10
Garming Sam [Tue, 4 Apr 2017 00:18:42 +0000 (12:18 +1200)]
drsuapi.idl: Expose GetNCChanges req8 like req10

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamba_dnsupdate: Remove extra argument from debug
Garming Sam [Tue, 28 Mar 2017 21:32:39 +0000 (10:32 +1300)]
samba_dnsupdate: Remove extra argument from debug

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: Make some debugging clearer
Garming Sam [Tue, 4 Apr 2017 00:21:34 +0000 (12:21 +1200)]
winbindd: Make some debugging clearer

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowhitespace: Remove some whitespace
Garming Sam [Tue, 4 Apr 2017 01:11:16 +0000 (13:11 +1200)]
whitespace: Remove some whitespace

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:tests: fix commment typo in the offline test
Michael Adam [Tue, 11 Apr 2017 08:12:51 +0000 (10:12 +0200)]
s3:tests: fix commment typo in the offline test

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Apr 13 02:44:38 CEST 2017 on sn-devel-144

2 years agowinbindd: only use the domain name from lookup sids if the domain matches
Ralph Boehme [Mon, 10 Apr 2017 12:28:18 +0000 (14:28 +0200)]
winbindd: only use the domain name from lookup sids if the domain matches

With the use of sIDHistory it happens that two sids map to the same name:
S-1-5-21-1387724271-3540671778-1971508351-1115 DOMAIN2\d1u1 (1)
S-1-5-21-3293503978-489118715-2763867031-1106 DOMAIN2\d1u1 (1)

On the net it looks like this:

     lsa_LookupSids: struct lsa_LookupSids
        in: struct lsa_LookupSids
            handle                   : *
                handle: struct policy_handle
                    handle_type              : 0x00000000 (0)
                    uuid                     : 344f3586-7de4-4e1d-96a9-8c6c23e4b2f0
            sids                     : *
                sids: struct lsa_SidArray
                    num_sids                 : 0x00000002 (2)
                    sids                     : *
                        sids: ARRAY(2)
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-1387724271-3540671778-1971508351-1115
                            sids: struct lsa_SidPtr
                                sid                      : *
                                    sid                      : S-1-5-21-3293503978-489118715-2763867031-1106
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000000 (0)
                    names                    : NULL
            level                    : LSA_LOOKUP_NAMES_ALL (1)
            count                    : *
                count                    : 0x00000000 (0)
     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000001 (1)
                        domains                  : *
                            domains: ARRAY(1)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'DOMAIN2'
                                    sid                      : *
                                        sid                      : S-1-5-21-1387724271-3540671778-1971508351
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000002 (2)
                    names                    : *
                        names: ARRAY(7)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x0008 (8)
                                    size                     : 0x0008 (8)
                                    string                   : *
                                        string                   : 'd1u1'
                                sid_index                : 0x00000000 (0)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : NT_STATUS_OK

So the name for S-1-5-21-3293503978-489118715-2763867031-1106 has
S-1-5-21-1387724271-3540671778-1971508351 in referenced lsa_DomainInfo
structure. In that case we should not use the domain name from lsa_DomainInfo,
because we would use the wrong idmap backend.

For the case where the domain part of the sIDHistory sid is a still existing
domain, which can be found our internal list of trusted domains, we now use the
correct idmap backend: the idmap domain from the historic SID.

If the historic domain does no longer exist, we will fallback to the default
idmap domain.

The next step would be doing a lookup sid call for the domain sid, which may
help with one-way trusts.

The long term goal needs to be that idmap backends are based on sids only and
only the smb.conf allows names to be used which will be converted to sids on
startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12702

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Apr 12 16:43:30 CEST 2017 on sn-devel-144

2 years agowaf: Only build pam_wrapper if we build with pam
Andreas Schneider [Mon, 10 Apr 2017 05:50:41 +0000 (07:50 +0200)]
waf: Only build pam_wrapper if we build with pam

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2 years agobuild: refuse to build without PAM support if enabled
Uri Simchoni [Wed, 12 Apr 2017 07:32:39 +0000 (10:32 +0300)]
build: refuse to build without PAM support if enabled

If PAM support is enabled, refuse to build if the prerequisite
libraries are not in place, instead of silently disabling PAM
support and continuing with the build.

This simplifies inclusion of pam_wrapper in the tree.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agowinbind_msrpc: Use any_nt_status_not_ok
Volker Lendecke [Thu, 9 Mar 2017 17:57:14 +0000 (18:57 +0100)]
winbind_msrpc: Use any_nt_status_not_ok

Less lines, less bytes .text

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 12 05:40:36 CEST 2017 on sn-devel-144

2 years agowinbind_pam: Use any_nt_status_not_ok in map_auth_samlogon
Volker Lendecke [Mon, 6 Mar 2017 20:36:25 +0000 (20:36 +0000)]
winbind_pam: Use any_nt_status_not_ok in map_auth_samlogon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbind: Slightly simplify remove_timed_out_clients
Volker Lendecke [Thu, 9 Mar 2017 16:50:01 +0000 (17:50 +0100)]
winbind: Slightly simplify remove_timed_out_clients

Best reviewed with "git show -b"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbind: Avoid a "ok==false"
Volker Lendecke [Thu, 9 Mar 2017 17:27:55 +0000 (18:27 +0100)]
winbind: Avoid a "ok==false"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbind: Simplify a logic expression
Volker Lendecke [Thu, 9 Mar 2017 17:49:39 +0000 (18:49 +0100)]
winbind: Simplify a logic expression

This isn't 100% the same flow, but before this patch we initialized
domain->primary to "false" via "talloc_zero". This means that the
end-result should be the same before and after this patch that IMHO
simplifies the logic a bit.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: remove fallback from lookuprids
Ralph Boehme [Sun, 2 Apr 2017 12:15:33 +0000 (14:15 +0200)]
winbindd: remove fallback from lookuprids

We're only calling lookuprids for our local SAM and BUILTIN domains, if
that results in a failed lookup for some rid, sending it again via
lookupsids() won't help, it will just fail again.

If the caller wrongly had sent any other SID that is not from our SAM or
BUILTIN via lookuprids(), that it is up to the caller to fix that, not
us.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: remove lookupsid() fallback for a failed lookupsids()
Ralph Boehme [Fri, 24 Mar 2017 15:54:39 +0000 (16:54 +0100)]
winbindd: remove lookupsid() fallback for a failed lookupsids()

If lookupsids() returned any other error then OK, SOME_NOT_MAPPED or
NONE_MAPPED we must just bail out.

If some or all SIDs could not be mapped via lookupds(), don't fallback
to lookupsid(), it will just fail again.

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: remove fallback to lookupsid for unknown SIDs
Ralph Boehme [Fri, 24 Mar 2017 15:46:40 +0000 (16:46 +0100)]
winbindd: remove fallback to lookupsid for unknown SIDs

In wb_lookupsids_done() if a SID failed with lookupsids(), remove the
hokey retry via lookupsid().

The retry logic with going through the single sids lookup at the end
added a fake domain with an empty string. The wb_lookupsids caller
wb_sids2xids needed this, as it wasn't doing the needed error handling
itself. As wb_sids2xids has been fixed to cope, we can just fail the
lookupsids here.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: handling of failed lookupsids in wb_lookupsids_single_done()
Ralph Boehme [Fri, 24 Mar 2017 16:06:38 +0000 (17:06 +0100)]
winbindd: handling of failed lookupsids in wb_lookupsids_single_done()

If lookupsid() failed with NT_STATUS_SOME_NOT_MAPPED or
NT_STATUS_NONE_MAPPED, if we didn't get a domain name, don't add a fake
domain to the lsa_RefDomainList. Just set the domain index in the
translated name to UINT32_MAX.

It's up to callers like wb_sids2xids to handle such failed mappings and
wb_sids2xids_lookupsids_done() has been updated in a previous commit to
deal with it.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX
Ralph Boehme [Sun, 26 Mar 2017 06:34:59 +0000 (08:34 +0200)]
winbindd: let wb_lookupsids_move_name() handle domain_index UINT32_MAX

If the SID was in an unknown domain, src_name->sid_index will be
UINT32_MAX.

This change allows wb_lookupsids_move_name() to add such names to the
result set. This is not used for now, but will be used in subsequent
commits.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agowinbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()
Ralph Boehme [Tue, 4 Apr 2017 12:51:09 +0000 (14:51 +0200)]
winbindd: handling of SIDs without domain reference in wb_sids2xids_lookupsids_done()

This lets wb_sids2xids_lookupsids_done() deal with wp_lookupsids
returning UINT32_MAX as domain index for SIDs from unknown domains.

Call find_domain_from_sid_noinit() to search our list of known
domains. If a matching domain is found, use it's name, otherwise use the
empty string "". This needed to handle Samba DCs which always returns
sid_index UINT32_MAX for unknown SIDs, even from known domains.

Currently the wb_lookupsids adds these fake domains with an empty string
as domain name, but that's not the correct place to do it. We need the
domain name as it gets passed to the idmap child where the choise of
idmap backend is based on the domain name. This will possibly be changed
in the future to be based on domain SIDs, not the name.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agolibcli/security: fix dom_sid_in_domain()
Ralph Boehme [Mon, 10 Apr 2017 14:14:45 +0000 (16:14 +0200)]
libcli/security: fix dom_sid_in_domain()

Ensure the SID has exactly one component more then the domain SID, eg

Domain SID: S-1-5-21-1-2-3
SID:        S-1-5-21-1-2-3-4

This will return true. If the SID has more components, eg

SID: S-1-5-21-1-2-3-4-5, or
SID: S-1-5-21-1-2-3-4-5-6-7-8

dom_sid_in_domain() must return false.

This was verified against Windows:

     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000002 (2)
                        domains                  : *
                            domains: ARRAY(2)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'BUILTIN'
                                    sid                      : *
                                        sid                      : S-1-5-32
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x0012 (18)
                                        size                     : 0x0014 (20)
                                        string                   : *
                                            string                   : 'W4EDOM-L4'
                                    sid                      : *
                                        sid                      : S-1-5-21-278041429-3399921908-1452754838
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000004 (4)
                    names                    : *
                        names: ARRAY(4)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x001a (26)
                                    size                     : 0x001a (26)
                                    string                   : *
                                        string                   : 'Administrator'
                                sid_index                : 0x00000001 (1)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x005c (92)
                                    size                     : 0x005e (94)
                                    string                   : *
                                        string                   : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                sid_index                : 0xffffffff (4294967295)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_ALIAS (4)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001c (28)
                                    string                   : *
                                        string                   : 'Administrators'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001e (30)
                                    string                   : *
                                        string                   : 'S-1-5-32-544-9'
                                sid_index                : 0xffffffff (4294967295)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : STATUS_SOME_UNMAPPED

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot
Michael Adam [Tue, 11 Apr 2017 10:03:52 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix corner case of "/@GMT-token" in shadow_copy2_strip_snapshot

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path
Michael Adam [Tue, 11 Apr 2017 10:03:20 +0000 (12:03 +0200)]
s3:vfs:shadow_copy2: fix the corner case if cwd=/ in make_relative_path

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3:vfs:shadow_copy2: fix quoting in debug messages
Michael Adam [Tue, 11 Apr 2017 09:18:30 +0000 (11:18 +0200)]
s3:vfs:shadow_copy2: fix quoting in debug messages

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotdb: Test for readonly lock upgrade bug
Volker Lendecke [Tue, 8 Nov 2016 16:01:56 +0000 (17:01 +0100)]
tdb: Test for readonly lock upgrade bug

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 11 00:33:31 CEST 2017 on sn-devel-144

2 years agotdb: Do lock upgrades properly
Volker Lendecke [Mon, 7 Nov 2016 20:40:15 +0000 (21:40 +0100)]
tdb: Do lock upgrades properly

When a process holds a readlock and wants to upgrade, this needs to be
reflected in the underlying lock. Without this, it is possible to cheat:
One process holds a readlock, and another process wants to write this
record. All the writer has to do is take a readonly lock on the key and
then do the store.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agotdb: Fix some signed/unsigned hickups
Volker Lendecke [Mon, 7 Nov 2016 20:38:58 +0000 (21:38 +0100)]
tdb: Fix some signed/unsigned hickups

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoselftest: Test for bug 12558
Volker Lendecke [Fri, 7 Apr 2017 14:33:57 +0000 (16:33 +0200)]
selftest: Test for bug 12558

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agothird_party: Add cmocka 1.1.1
Andreas Schneider [Fri, 7 Apr 2017 13:44:05 +0000 (15:44 +0200)]
third_party: Add cmocka 1.1.1

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 10 11:38:13 CEST 2017 on sn-devel-144

2 years agowafsamba: Add CHECK_CMOCKA function
Andreas Schneider [Fri, 7 Apr 2017 13:44:22 +0000 (15:44 +0200)]
wafsamba: Add CHECK_CMOCKA function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2 years agoauth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()
Volker Lendecke [Sun, 19 Feb 2017 14:37:51 +0000 (15:37 +0100)]
auth3: fallback to "sam_ignoredomain" in make_auth3_context_for_ntlm()

This is in the spirit of the "map untrusted to domain" parameter: We
fall back to the local SAM when we get a non-authoritative NO_SUCH_USER
from our domain controller. With this change we can implement
"map untrusted to domain = auto".

We should not strictly need 'sam' before 'winbind', but it makes
it clearer to read and has the same effect.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8630

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 10 05:04:03 CEST 2017 on sn-devel-144

2 years agoauth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()
Stefan Metzmacher [Fri, 17 Mar 2017 15:53:27 +0000 (16:53 +0100)]
auth3: merge make_auth_context_subsystem() into make_auth3_context_for_ntlm()

make_auth3_context_for_ntlm() was the only caller of
make_auth_context_subsystem().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon
Stefan Metzmacher [Fri, 17 Mar 2017 15:51:45 +0000 (16:51 +0100)]
auth3: only use "sam_netlogon3 winbind:trustdomain" in make_auth3_context_for_netlogon

If some needs the old behavior for a while, the deprecated
"auth methods = guest sam winbind:trustdomain" option can be used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC
Stefan Metzmacher [Thu, 16 Mar 2017 14:45:32 +0000 (15:45 +0100)]
auth3: add "sam_netlogon3" which only reacts on lp_workgroup() as NT4 PDC/BDC

This will be used in the s3 netlogon server in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication
Stefan Metzmacher [Fri, 17 Mar 2017 18:35:24 +0000 (19:35 +0100)]
auth4: use "sam winbind_rodc sam_failtrusts" for the netlogon authentication

We should not do anonymous authentication nor a fallback that
ignores the domain part.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12710

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: remove unused map_user_info[_cracknames]()
Stefan Metzmacher [Fri, 17 Mar 2017 15:21:05 +0000 (16:21 +0100)]
auth4: remove unused map_user_info[_cracknames]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: avoid map_user_info() in auth_check_password_send()
Stefan Metzmacher [Fri, 17 Mar 2017 15:19:10 +0000 (16:19 +0100)]
auth4: avoid map_user_info() in auth_check_password_send()

The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: improve authsam_want_check for upn authentication
Stefan Metzmacher [Fri, 17 Mar 2017 15:31:02 +0000 (16:31 +0100)]
auth4: improve authsam_want_check for upn authentication

We need to check if the upn suffix is within our forest.
The check if it's within our domain is done in
authsam_check_password_internals() after calling
crack_name_to_nt4_name().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's
Stefan Metzmacher [Fri, 17 Mar 2017 13:57:33 +0000 (14:57 +0100)]
auth4: let authsam_check_password_internals use crack_name_to_nt4_name() for upn's

Currently the caller does this before calling the auth backends,
but that should change in order to support trusted domains correctly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER
Stefan Metzmacher [Wed, 22 Mar 2017 09:45:25 +0000 (10:45 +0100)]
auth4: use "anonymous sam winbind sam_ignoredomain" with ROLE_DOMAIN_MEMBER

We hopefully remove this role in future, but for now we should do this
correct and fallback to sam_ignoredomain at the end of the auth chain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
Stefan Metzmacher [Fri, 17 Mar 2017 13:54:16 +0000 (14:54 +0100)]
auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC

It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: add a "sam_failtrusts" module
Stefan Metzmacher [Wed, 22 Mar 2017 09:37:22 +0000 (10:37 +0100)]
auth4: add a "sam_failtrusts" module

This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.

This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.

This is just a temporary solution, until we have full
async support in the gensec/auth4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:selftest: run test_trust_ntlm.sh against various environments
Stefan Metzmacher [Thu, 6 Apr 2017 17:44:16 +0000 (19:44 +0200)]
s4:selftest: run test_trust_ntlm.sh against various environments

This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.

Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.

If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: add test_trust_ntlm.sh
Stefan Metzmacher [Wed, 29 Mar 2017 09:41:31 +0000 (11:41 +0200)]
testprogs/blackbox: add test_trust_ntlm.sh

This verifies that various domain/realm and username
combinations map to the correct user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: allow wbinfo -a REALM\\user to work on a DC
Stefan Metzmacher [Sun, 2 Apr 2017 22:19:48 +0000 (00:19 +0200)]
winbindd: allow wbinfo -a REALM\\user to work on a DC

find_domain_from_name_noinit() find the correct domain based
on domain->alt_name, but the child for the local domain
fails to detect that winbindd_dual_auth_passdb() should be
used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
Stefan Metzmacher [Thu, 6 Apr 2017 13:34:01 +0000 (15:34 +0200)]
auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()

We also accept the domain to be the realm string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: add test_rpcclient_*_grep helper functions
Stefan Metzmacher [Wed, 29 Mar 2017 09:53:41 +0000 (11:53 +0200)]
testprogs/blackbox: add test_rpcclient_*_grep helper functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotestprogs/blackbox: use subunit_ helper functions in test_smbclient_*
Stefan Metzmacher [Wed, 29 Mar 2017 09:53:18 +0000 (11:53 +0200)]
testprogs/blackbox: use subunit_ helper functions in test_smbclient_*

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: make sure we don't have any umask limitations for selftest
Stefan Metzmacher [Fri, 7 Apr 2017 08:39:31 +0000 (10:39 +0200)]
selftest: make sure we don't have any umask limitations for selftest

We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4: process_standard: Add a simplified SIGTERM handler based on code from source4...
Jeremy Allison [Fri, 7 Apr 2017 22:45:41 +0000 (15:45 -0700)]
s4: process_standard: Add a simplified SIGTERM handler based on code from source4/smbd/server.c. Use from a tevent handler added to standard_accept_connection() and standard_new_task()

Allows us to be independent of parent SIGTERM signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr  8 16:21:57 CEST 2017 on sn-devel-144

2 years agos4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection...
Jeremy Allison [Fri, 7 Apr 2017 22:31:57 +0000 (15:31 -0700)]
s4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection() and standard_new_task().

This makes us independent of parent SIGHUP signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Add return checking for tevent_add_fd() to standard_accept_conn...
Jeremy Allison [Fri, 7 Apr 2017 22:12:51 +0000 (15:12 -0700)]
s4: process_standard: Add return checking for tevent_add_fd() to standard_accept_connection() and standard_new_task().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Always free tevent_context before exit().
Jeremy Allison [Fri, 7 Apr 2017 22:10:09 +0000 (15:10 -0700)]
s4: process_standard: Always free tevent_context before exit().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4: process_standard: Move talloc_free of event context so it is last thing freed...
Jeremy Allison [Fri, 7 Apr 2017 22:08:13 +0000 (15:08 -0700)]
s4: process_standard: Move talloc_free of event context so it is last thing freed before exit().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3:tests: Create a test directory for a clean test
Andreas Schneider [Tue, 4 Apr 2017 09:07:36 +0000 (11:07 +0200)]
s3:tests: Create a test directory for a clean test

The test fails on openSUSE Tumbleweed with:

NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \foo\bar\testfile

This cleans up the code to create a directory 'test' which can be
completely removed so nothing will stay behind. It also makes sure that
all parent directories are created and the files have some content.

https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 12:29:19 CEST 2017 on sn-devel-144

2 years agodocs: fixup smbclient rename -f option
Uri Simchoni [Fri, 7 Apr 2017 18:10:47 +0000 (21:10 +0300)]
docs: fixup smbclient rename -f option

Fixup documentation of new -f option of the smbclient
rename command. This command is supported by SMB1 and
SMB2.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 02:38:16 CEST 2017 on sn-devel-144

2 years agowinbindd: error handling in rpc_lookup_sids()
Ralph Boehme [Sun, 26 Mar 2017 06:22:13 +0000 (08:22 +0200)]
winbindd: error handling in rpc_lookup_sids()

NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.

In case we got NT_STATUS_NONE_MAPPED we must have to ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
Ralph Boehme [Sat, 1 Apr 2017 14:51:07 +0000 (16:51 +0200)]
s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED

NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/rpc_client: use NT_STATUS_LOOKUP_ERR
Ralph Boehme [Sat, 1 Apr 2017 14:56:39 +0000 (16:56 +0200)]
s3/rpc_client: use NT_STATUS_LOOKUP_ERR

No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/include: add NT_STATUS_LOOKUP_ERR
Ralph Boehme [Sat, 1 Apr 2017 14:44:45 +0000 (16:44 +0200)]
s3/include: add NT_STATUS_LOOKUP_ERR

Useful helper macro to check the return value of LSA and SAMR
translations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos4/torture: vfs_fruit: test for bug 12565
Ralph Boehme [Tue, 7 Feb 2017 14:13:15 +0000 (15:13 +0100)]
s4/torture: vfs_fruit: test for bug 12565

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agovfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
Ralph Boehme [Tue, 7 Feb 2017 06:44:40 +0000 (07:44 +0100)]
vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY

When receiving an SMB create request with read-only access mode and
open_if disposition, we end of calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.

If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.

Running this create requests against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create dispotion is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agosmbd: Fix smb1 findfirst with DFS
Volker Lendecke [Thu, 6 Apr 2017 20:12:36 +0000 (22:12 +0200)]
smbd: Fix smb1 findfirst with DFS

9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoWHATSNEW: Deprecate "auth methods" and "map untrusted to domain"
Stefan Metzmacher [Fri, 7 Apr 2017 09:21:20 +0000 (11:21 +0200)]
WHATSNEW: Deprecate "auth methods" and "map untrusted to domain"

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 20:42:39 CEST 2017 on sn-devel-144

2 years agos3:ntlm_auth: fix memory leak in manage_gensec_request()
Stefan Metzmacher [Tue, 4 Apr 2017 09:52:56 +0000 (11:52 +0200)]
s3:ntlm_auth: fix memory leak in manage_gensec_request()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agopython: Add a simple pam_winbind test
Andreas Schneider [Wed, 5 Apr 2017 13:59:39 +0000 (15:59 +0200)]
python: Add a simple pam_winbind test

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 14:19:23 CEST 2017 on sn-devel-144

2 years agolib: Add pam_wrapper 1.0.3
Andreas Schneider [Wed, 29 Mar 2017 13:55:53 +0000 (15:55 +0200)]
lib: Add pam_wrapper 1.0.3

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agouid_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
uid_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoresolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
resolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonss_wrapper: use conf.blddir to construct libnss_wrapper_so_path
Stefan Metzmacher [Fri, 7 Apr 2017 07:27:39 +0000 (09:27 +0200)]
nss_wrapper: use conf.blddir to construct libnss_wrapper_so_path

conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoscript/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values
Stefan Metzmacher [Fri, 7 Apr 2017 07:26:53 +0000 (09:26 +0200)]
script/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest: tests idmap mapping with idmap_rid
Ralph Boehme [Wed, 5 Apr 2017 11:27:51 +0000 (13:27 +0200)]
selftest: tests idmap mapping with idmap_rid

This adds two blackbox tests that run wbinfo --sids-to-unix-ids:

o a non-existing SID from the primary domain should return a mapping

o a SID with a bogus (and therefor unknown) domain must not return a mapping

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr  7 00:05:02 CEST 2017 on sn-devel-144

2 years agoselftest: new environment "ad_member_idmap_rid"
Ralph Boehme [Wed, 5 Apr 2017 11:27:14 +0000 (13:27 +0200)]
selftest: new environment "ad_member_idmap_rid"

This uses idmap_rid for the primary domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: remove unused single_domains array
Ralph Boehme [Tue, 4 Apr 2017 12:23:03 +0000 (14:23 +0200)]
winbindd: remove unused single_domains array

This was added as part of 9be918116e356c358ef77cc2933e471090088293, but
is not needed anymore as the previous commit changed the logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: use correct domain name for failed lookupsids
Ralph Boehme [Tue, 4 Apr 2017 12:21:25 +0000 (14:21 +0200)]
winbindd: use correct domain name for failed lookupsids

What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.

But as a domain member, using

  state->single_domains[state->single_sids_done]

for this purpose will always be use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).

So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2 years agoselftest: fix for wbinfo -s tests for wellknown SIDs
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: fix for wbinfo -s tests for wellknown SIDs

Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agowinbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Ralph Boehme [Sun, 2 Apr 2017 11:42:45 +0000 (13:42 +0200)]
winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()

Those are implicitly already catched by the

  if (sid->num_auths != 5)

check, but I'd like to make the desired behaviour more obvious.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>