kai/samba-autobuild/.git
2 years agodebug: new debug class for kerberos
Andrew Bartlett [Mon, 15 May 2017 20:32:03 +0000 (08:32 +1200)]
debug: new debug class for kerberos

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoauth/spnego: do basic state_position checking in gensec_spnego_update_in()
Stefan Metzmacher [Wed, 14 Jun 2017 01:29:58 +0000 (03:29 +0200)]
auth/spnego: do basic state_position checking in gensec_spnego_update_in()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 29 20:15:05 CEST 2017 on sn-devel-144

2 years agoauth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()
Stefan Metzmacher [Tue, 13 Jun 2017 21:41:01 +0000 (23:41 +0200)]
auth/spnego: move gensec_spnego_update() into gensec_spnego_update_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: split out gensec_spnego_update_{client,server}() functions
Stefan Metzmacher [Fri, 30 Dec 2016 05:56:47 +0000 (06:56 +0100)]
auth/spnego: split out gensec_spnego_update_{client,server}() functions

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()
Stefan Metzmacher [Tue, 27 Jun 2017 16:05:04 +0000 (18:05 +0200)]
auth/spnego: remove unused out_mem_ctx = spnego_state fallback in gensec_spnego_update()

The only caller never passes NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: add gensec_spnego_update_sub_abort() helper function
Stefan Metzmacher [Wed, 10 May 2017 12:44:48 +0000 (14:44 +0200)]
auth/spnego: add gensec_spnego_update_sub_abort() helper function

This helps to be consistent when destroying a unuseable sub context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: remove useless spnego_state->sub_sec_ready check
Stefan Metzmacher [Fri, 30 Dec 2016 08:06:33 +0000 (09:06 +0100)]
auth/spnego: remove useless spnego_state->sub_sec_ready check

The lines above make sure it's always true.

Check with git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: consitently set spnego_state->sub_sec_ready = true after gensec_update_ev()
Stefan Metzmacher [Fri, 30 Dec 2016 08:04:47 +0000 (09:04 +0100)]
auth/spnego: consitently set spnego_state->sub_sec_ready = true after gensec_update_ev()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready
Stefan Metzmacher [Fri, 30 Dec 2016 08:03:08 +0000 (09:03 +0100)]
auth/spnego: rename spnego_state->no_response_expected to ->sub_sec_ready

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()
Stefan Metzmacher [Tue, 13 Jun 2017 20:43:59 +0000 (22:43 +0200)]
auth/spnego: move gensec_spnego_update_out() behind gensec_spnego_update_in()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: move some more logic to gensec_spnego_update_in()
Stefan Metzmacher [Tue, 13 Jun 2017 20:41:14 +0000 (22:41 +0200)]
auth/spnego: move some more logic to gensec_spnego_update_in()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()
Stefan Metzmacher [Tue, 13 Jun 2017 14:59:02 +0000 (16:59 +0200)]
auth/spnego: move gensec_spnego_update_in() after gensec_spnego_update_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()
Stefan Metzmacher [Wed, 14 Jun 2017 06:43:13 +0000 (08:43 +0200)]
auth/spnego: set state_position = SPNEGO_DONE in gensec_spnego_update_cleanup()

Every fatal error should mark the spnego_state to reject any further update()
calls.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()
Stefan Metzmacher [Tue, 13 Jun 2017 14:53:06 +0000 (16:53 +0200)]
auth/spnego: move gensec_spnego_update_wrapper() into gensec_spnego_update_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)
Stefan Metzmacher [Fri, 30 Dec 2016 15:36:23 +0000 (16:36 +0100)]
auth/spnego: make use of data_blob_null instead of using data_blob(NULL, 0)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoctdb-tests: Add transaction/recovery test for replicated database
Amitay Isaacs [Tue, 21 Mar 2017 04:36:36 +0000 (15:36 +1100)]
ctdb-tests: Add transaction/recovery test for replicated database

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Jun 29 14:43:44 CEST 2017 on sn-devel-144

2 years agoctdb-tests: Generalize transaction_loop test
Amitay Isaacs [Thu, 2 Mar 2017 07:15:05 +0000 (18:15 +1100)]
ctdb-tests: Generalize transaction_loop test

Instead of hard-coding the database name, it's passed as an argument
along with database type.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-tests: Support replicated db in tool tests
Amitay Isaacs [Tue, 4 Apr 2017 07:02:38 +0000 (17:02 +1000)]
ctdb-tests: Support replicated db in tool tests

This updates and adds unit tests for database operations.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-tests: Add database type option for tests
Amitay Isaacs [Thu, 2 Mar 2017 07:14:44 +0000 (18:14 +1100)]
ctdb-tests: Add database type option for tests

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-tools: Allow attach for replicated databases
Amitay Isaacs [Thu, 2 Mar 2017 06:36:59 +0000 (17:36 +1100)]
ctdb-tools: Allow attach for replicated databases

... and update the output from various database query commands.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-client: Add db support for CTDB_DB_FLAGS_REPLICATED
Amitay Isaacs [Thu, 2 Mar 2017 06:34:55 +0000 (17:34 +1100)]
ctdb-client: Add db support for CTDB_DB_FLAGS_REPLICATED

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-client: Add sync api for DB_ATTACH_REPLICATED control
Amitay Isaacs [Mon, 26 Jun 2017 05:55:15 +0000 (15:55 +1000)]
ctdb-client: Add sync api for DB_ATTACH_REPLICATED control

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-protocol: Add marshalling for CTDB_CONTROL_DB_ATTACH_REPLICATED control
Amitay Isaacs [Thu, 2 Mar 2017 06:07:13 +0000 (17:07 +1100)]
ctdb-protocol: Add marshalling for CTDB_CONTROL_DB_ATTACH_REPLICATED control

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Add implementation for CTDB_CONTROL_DB_ATTACH_REPLICATED control
Amitay Isaacs [Thu, 2 Mar 2017 05:38:58 +0000 (16:38 +1100)]
ctdb-daemon: Add implementation for CTDB_CONTROL_DB_ATTACH_REPLICATED control

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-protocol: Add new control CTDB_CONTROL_DB_ATTACH_REPLICATED
Amitay Isaacs [Tue, 28 Feb 2017 22:51:32 +0000 (09:51 +1100)]
ctdb-protocol: Add new control CTDB_CONTROL_DB_ATTACH_REPLICATED

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Add accessors for CTDB_DB_FLAGS_REPLICATED flag
Amitay Isaacs [Thu, 2 Mar 2017 05:36:55 +0000 (16:36 +1100)]
ctdb-daemon: Add accessors for CTDB_DB_FLAGS_REPLICATED flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Calculate tdb flags for replicated databases
Amitay Isaacs [Mon, 1 May 2017 14:59:46 +0000 (00:59 +1000)]
ctdb-daemon: Calculate tdb flags for replicated databases

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-protocol: Add CTDB_DB_FLAGS_REPLICATED for new type of database
Amitay Isaacs [Thu, 16 Feb 2017 07:44:38 +0000 (18:44 +1100)]
ctdb-protocol: Add CTDB_DB_FLAGS_REPLICATED for new type of database

persistent: replicated and permanent
volatile: distributed and temporary
replicated: replicated and temporary

This type of database will be used by CTDB for storing it's state.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-client: Store db_flags instead of a boolean persistent flag
Amitay Isaacs [Thu, 2 Mar 2017 06:29:04 +0000 (17:29 +1100)]
ctdb-client: Store db_flags instead of a boolean persistent flag

... and add accessors for CTDB_DB_FLAGS_PERSISTENT flag.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-recovery: Use db_flags instead of a boolean persistent flag
Amitay Isaacs [Thu, 2 Mar 2017 05:19:11 +0000 (16:19 +1100)]
ctdb-recovery: Use db_flags instead of a boolean persistent flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Pass db_flags instead of passing persistent flag
Amitay Isaacs [Thu, 2 Mar 2017 05:07:32 +0000 (16:07 +1100)]
ctdb-daemon: Pass db_flags instead of passing persistent flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Store db_flags instead of individual boolean flags
Amitay Isaacs [Thu, 2 Mar 2017 04:53:17 +0000 (15:53 +1100)]
ctdb-daemon: Store db_flags instead of individual boolean flags

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Add accessors for CTDB_DB_FLAGS_STICKY flag
Amitay Isaacs [Thu, 2 Mar 2017 04:47:46 +0000 (15:47 +1100)]
ctdb-daemon: Add accessors for CTDB_DB_FLAGS_STICKY flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Add accessors for CTDB_DB_FLAGS_READONLY flag
Amitay Isaacs [Thu, 2 Mar 2017 04:44:48 +0000 (15:44 +1100)]
ctdb-daemon: Add accessors for CTDB_DB_FLAGS_READONLY flag

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-daemon: Add accessors for CTDB_DB_FLAGS_PERSISTENT flag
Amitay Isaacs [Thu, 2 Mar 2017 04:39:29 +0000 (15:39 +1100)]
ctdb-daemon: Add accessors for CTDB_DB_FLAGS_PERSISTENT flag

This allows to differentiate between the two database models.

ctdb_db_persistent() - replicated and permanent
ctdb_db_volatile() - distributed and temporary

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-protocol: Add DB_OPEN_FLAGS control to debug
Amitay Isaacs [Wed, 28 Jun 2017 06:41:49 +0000 (16:41 +1000)]
ctdb-protocol: Add DB_OPEN_FLAGS control to debug

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-tests: Fix control reply data for DB_ATTACH_PERSISTENT control
Amitay Isaacs [Wed, 28 Jun 2017 06:39:13 +0000 (16:39 +1000)]
ctdb-tests: Fix control reply data for DB_ATTACH_PERSISTENT control

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agotests py_credentials: Fix encrypt_netr_crypt_password test
Gary Lockyer [Mon, 26 Jun 2017 22:33:56 +0000 (10:33 +1200)]
tests py_credentials: Fix encrypt_netr_crypt_password test

The test uses NetrServerPasswordSet2 to change a password, this tests
the end to end encryption.  The original call to NetrServerPasswordSet2
was not utf-16 encoding the new password.  However the call to
netr_DsrEnumerateDomainTrusts was using cached credentials and not
using the new password, so this was not detected.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 29 06:50:32 CEST 2017 on sn-devel-144

2 years agonsswitch: Add ad_member tests for wbinfo --domain-info and --dc-info
Andreas Schneider [Fri, 23 Jun 2017 14:14:08 +0000 (16:14 +0200)]
nsswitch: Add ad_member tests for wbinfo --domain-info and --dc-info

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 29 02:33:48 CEST 2017 on sn-devel-144

2 years agos3:winbind: Move debug statement into the error handling
Andreas Schneider [Fri, 23 Jun 2017 14:25:27 +0000 (16:25 +0200)]
s3:winbind: Move debug statement into the error handling

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3:tests: Do *NOT* flush the complete gencache!
Andreas Schneider [Wed, 28 Jun 2017 12:58:41 +0000 (14:58 +0200)]
s3:tests: Do *NOT* flush the complete gencache!

This removes important entries winbindd created during startup!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12868

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2 years agoselftest: Do *NOT* flush the complete gencache!
Andreas Schneider [Wed, 28 Jun 2017 12:49:45 +0000 (14:49 +0200)]
selftest: Do *NOT* flush the complete gencache!

This removes *IMPORTANT* entries from the gencache winbindd creates on
startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12868

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2 years agos4:auth/ntlm: allow auth_operations to specify check_password_send/recv()
Stefan Metzmacher [Fri, 16 Jun 2017 22:05:22 +0000 (00:05 +0200)]
s4:auth/ntlm: allow auth_operations to specify check_password_send/recv()

This prepares real async handling in the backends.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 21:09:08 CEST 2017 on sn-devel-144

2 years agos4:auth/ntlm: introduce auth_check_password_next()
Stefan Metzmacher [Fri, 16 Jun 2017 22:05:22 +0000 (00:05 +0200)]
s4:auth/ntlm: introduce auth_check_password_next()

This prepares real async handling in the backends.

Check with git show -w.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4:auth/ntlm: move auth_check_password_wrapper() further down
Stefan Metzmacher [Fri, 16 Jun 2017 20:46:27 +0000 (22:46 +0200)]
s4:auth/ntlm: move auth_check_password_wrapper() further down

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4:auth_winbind: rename 's' to 'state' in winbind_check_password()
Stefan Metzmacher [Fri, 16 Jun 2017 22:29:25 +0000 (00:29 +0200)]
s4:auth_winbind: rename 's' to 'state' in winbind_check_password()

This prepares the conversion to winbind_check_password_send/recv()
where the internal state is called 'winbind_check_password_state'
as 'state'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos4:auth_winbind: remove a block nesting level and fix indentation
Ralph Boehme [Tue, 27 Jun 2017 10:09:41 +0000 (12:09 +0200)]
s4:auth_winbind: remove a block nesting level and fix indentation

The previous commit removed the condition from the block. No change in
behaviour, best viewed with git show -w.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2 years agos4:auth_winbind: fix error checking in winbind_check_password()
Stefan Metzmacher [Fri, 16 Jun 2017 22:26:18 +0000 (00:26 +0200)]
s4:auth_winbind: fix error checking in winbind_check_password()

We need to handle every error instead of just NT_STATUS_NO_SUCH_USER,
the callers also doesn't require NT_STATUS_NOT_IMPLEMENTED anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agoWHATSNEW: document "client max protocol" change to SMB3_11
Stefan Metzmacher [Mon, 26 Jun 2017 08:24:45 +0000 (10:24 +0200)]
WHATSNEW: document "client max protocol" change to SMB3_11

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoparam: change the effective default for "client max protocol" to the latest supported...
Stefan Metzmacher [Mon, 26 Jun 2017 08:00:53 +0000 (10:00 +0200)]
param: change the effective default for "client max protocol" to the latest supported protocol

Currently it's SMB3_11.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: run samba3.blackbox.smbclient_large_file (NTLM) with NT1 and SMB3
Stefan Metzmacher [Mon, 26 Jun 2017 07:48:21 +0000 (09:48 +0200)]
s3:selftest: run samba3.blackbox.smbclient_large_file (NTLM) with NT1 and SMB3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:test_smbclient_posix_large.sh: there's no posix test to rename to test_smbclient_l...
Stefan Metzmacher [Mon, 26 Jun 2017 07:55:34 +0000 (09:55 +0200)]
s3:test_smbclient_posix_large.sh: there's no posix test to rename to test_smbclient_large_file.sh

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: also run samba3.blackbox.smbclient_krb5 with the new ccache
Stefan Metzmacher [Mon, 26 Jun 2017 07:41:47 +0000 (09:41 +0200)]
s3:selftest: also run samba3.blackbox.smbclient_krb5 with the new ccache

There's no point in running it twice with the old ccache.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: run samba3.blackbox.smbclient_tar* tests with NT1 and SMB3
Stefan Metzmacher [Mon, 26 Jun 2017 07:40:08 +0000 (09:40 +0200)]
s3:selftest: run samba3.blackbox.smbclient_tar* tests with NT1 and SMB3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: run samba3.blackbox.large_acl tests with NT1 and SMB3
Stefan Metzmacher [Mon, 26 Jun 2017 07:39:31 +0000 (09:39 +0200)]
s3:selftest: run samba3.blackbox.large_acl tests with NT1 and SMB3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: run samba3.blackbox.inherit_owner tests with NT1 and SMB3
Stefan Metzmacher [Mon, 26 Jun 2017 07:25:17 +0000 (09:25 +0200)]
s3:selftest: run samba3.blackbox.inherit_owner tests with NT1 and SMB3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: run samba3.blackbox.acl_xattr with NT1 and SMB3
Stefan Metzmacher [Mon, 26 Jun 2017 07:34:38 +0000 (09:34 +0200)]
s3:selftest: run samba3.blackbox.acl_xattr with NT1 and SMB3

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:test_acl_xattr.sh: add more assertion about the expected output.
Stefan Metzmacher [Mon, 26 Jun 2017 07:32:54 +0000 (09:32 +0200)]
s3:test_acl_xattr.sh: add more assertion about the expected output.

We should not treat 'test "" = ""' as success.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoRevert "s3:test_acl_xattr.sh: use -mNT1 for the 'getfacl' commands"
Stefan Metzmacher [Sun, 25 Jun 2017 18:44:47 +0000 (20:44 +0200)]
Revert "s3:test_acl_xattr.sh: use -mNT1 for the 'getfacl' commands"

This reverts commit 4eb29ce3266a8c05047ecf33a98d1dbdbbbd63c6.

This will be passed by the caller in a following commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:test_acl_xattr.sh: allow passing additional arguments for smbclient and smbcacls
Stefan Metzmacher [Sun, 25 Jun 2017 17:59:46 +0000 (19:59 +0200)]
s3:test_acl_xattr.sh: allow passing additional arguments for smbclient and smbcacls

This will make it possible to test with -mNT1 as well as -mSMB3
in a following patch.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:selftest: also run test_smbclient_s3.sh with PROTO=SMB3
Stefan Metzmacher [Tue, 20 Jun 2017 07:07:44 +0000 (09:07 +0200)]
s3:selftest: also run test_smbclient_s3.sh with PROTO=SMB3

This makes sure only the "creating a bad symlink and deleting it"
is failing with -mSMB3.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoWHATSNEW: document the new smbclient banner
Stefan Metzmacher [Fri, 23 Jun 2017 15:11:51 +0000 (17:11 +0200)]
WHATSNEW: document the new smbclient banner

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:libsmb: remove unused 'bool show_hdr' from cli_cm_open()
Stefan Metzmacher [Fri, 23 Jun 2017 15:03:05 +0000 (17:03 +0200)]
s3:libsmb: remove unused 'bool show_hdr' from cli_cm_open()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:libsmb: remove unused 'bool show_hdr' from cli_cm_connect()
Stefan Metzmacher [Fri, 23 Jun 2017 15:03:05 +0000 (17:03 +0200)]
s3:libsmb: remove unused 'bool show_hdr' from cli_cm_connect()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:libsmb: remove unused show_sessetup handling from do_connect()
Stefan Metzmacher [Fri, 23 Jun 2017 15:03:05 +0000 (17:03 +0200)]
s3:libsmb: remove unused show_sessetup handling from do_connect()

All caller pass in 'false'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:smbclient: remove unreliable Domain=[...] OS=[Windows 6.1] Server=[...] banner
Stefan Metzmacher [Fri, 23 Jun 2017 14:58:42 +0000 (16:58 +0200)]
s3:smbclient: remove unreliable Domain=[...] OS=[Windows 6.1] Server=[...] banner

On interactive sessions we print the following instead now:

Try "help" do get a list of possible commands.
smb: >

The reason for this is that we don't get these information via SMB2
and the we only get the domain name via some layering violations
from the NTLMSSP state.

It's better to remove this consitently for all SMB and auth
protocol combinations.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:test_smbclient_s3.sh: improve the error handling
Stefan Metzmacher [Fri, 23 Jun 2017 14:33:04 +0000 (16:33 +0200)]
s3:test_smbclient_s3.sh: improve the error handling

We should directly return if he hit an error.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos3:smb2_create: remove unused timer pointer from smbd_smb2_create_state
Stefan Metzmacher [Fri, 9 Jun 2017 16:22:19 +0000 (18:22 +0200)]
s3:smb2_create: remove unused timer pointer from smbd_smb2_create_state

This finishes commits 4e4376164bafbd3a883b6ce8033dcd714f971d51
and 8da5a0f1e33a85281610700b58b534bc985894f0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()
Stefan Metzmacher [Fri, 9 Jun 2017 10:30:33 +0000 (12:30 +0200)]
s3:smb2_create: avoid reusing the 'tevent_req' within smbd_smb2_create_send()

As the caller ("smbd_smb2_request_process_create()") already sets the callback,
the first time, it's not safe to reuse the tevent_req structure.

The typical 'tevent_req_nterror(); return tevent_req_post()' will
crash as the tevent_req_nterror() already triggered the former callback,
which calls smbd_smb2_create_recv(), were tevent_req_received() invalidates
the tevent_req structure, so that tevent_req_post() will crash.

We just remember the required values from the old state
and move them to the new state.

We tried to write reproducers for this, but sadly weren't able to trigger
the backtrace we had from a create a customer (using recent code)
with commit 6beba782f1bf951236813e0b46115b8102212c03
included. And this patch fixed the situation for the
customer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12832

Pair-Programmed-With: Volker Lendecke <vl@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agoauth/credentials: remove unused smb_krb5_create_salt_principal()
Stefan Metzmacher [Thu, 18 May 2017 08:54:06 +0000 (10:54 +0200)]
auth/credentials: remove unused smb_krb5_create_salt_principal()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoauth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()
Stefan Metzmacher [Thu, 18 May 2017 08:50:34 +0000 (10:50 +0200)]
auth/credentials: make use of smb_krb5_salt_principal() in cli_credentials_get_keytab()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos4:password_hash: make use of smb_krb5_salt_principal() and smb_krb5_salt_principal2d...
Stefan Metzmacher [Thu, 18 May 2017 09:37:25 +0000 (11:37 +0200)]
s4:password_hash: make use of smb_krb5_salt_principal() and smb_krb5_salt_principal2data()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agoselftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
Stefan Metzmacher [Thu, 22 Jun 2017 13:30:56 +0000 (15:30 +0200)]
selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join

Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: remove unused secrets_store_[prev_]machine_password()
Stefan Metzmacher [Tue, 23 May 2017 15:42:09 +0000 (17:42 +0200)]
s3:secrets: remove unused secrets_store_[prev_]machine_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
Stefan Metzmacher [Tue, 23 May 2017 15:41:34 +0000 (17:41 +0200)]
s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonet: make use of secrets_*_password_change() for "net changesecretpw"
Stefan Metzmacher [Tue, 23 May 2017 15:29:31 +0000 (17:29 +0200)]
net: make use of secrets_*_password_change() for "net changesecretpw"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:trusts_util: make use the workstation password change more robust
Stefan Metzmacher [Mon, 22 May 2017 18:47:17 +0000 (20:47 +0200)]
s3:trusts_util: make use the workstation password change more robust

We use secrets_{prepare,failed,defer,finish}_password_change() to make
the process more robust.

Even if we just just verified the current password with the DC
it can still happen that the remote password change will fail.

If a server has the RefusePasswordChange=1 under
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.

This results in a successful local change, but a failing remote change,
which means the domain membership is broken (as we don't fallback to
the previous password for ntlmssp nor kerberos yet).

An (at least Samba) RODC will also reject a password change,
see https://bugzilla.samba.org/show_bug.cgi?id=12773.

Even with this change we still have open problems, e.g. if the password was
changed, but we didn't get the servers response. In order to fix that we need
to use only netlogon and lsa over unprotected transports, just using schannel
authentication (which supports the fallback to the old password).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:libnet: make use of secrets_store_JoinCtx()
Stefan Metzmacher [Wed, 17 May 2017 08:29:59 +0000 (10:29 +0200)]
s3:libnet: make use of secrets_store_JoinCtx()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonet: add "net primarytrust dumpinfo" command that dumps the details of the workstatio...
Stefan Metzmacher [Wed, 24 May 2017 16:05:40 +0000 (18:05 +0200)]
net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
Stefan Metzmacher [Fri, 19 May 2017 14:28:17 +0000 (16:28 +0200)]
s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials

We now store various hashed keys at change time and maintain a lot of details
that will help debugging failed password changes.

We keep storing the legacy values:
 SECRETS/SID/
 SECRETS/DOMGUID/
 SECRETS/MACHINE_LAST_CHANGE_TIME/
 SECRETS/MACHINE_PASSWORD/
 SECRETS/MACHINE_PASSWORD.PREV/
 SECRETS/SALTING_PRINCIPAL/DES/

This allows downgrades to older Samba versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agosecrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine...
Stefan Metzmacher [Wed, 17 May 2017 08:11:18 +0000 (10:11 +0200)]
secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts

This blob will be store in secrets.tdb. It makes it possible to store much
more useful details about the workstation trust.

The key feature that that triggered this change is the ability
to store details for the next password change before doing
the remote change. This will allow us to recover from failures.

While being there I also thought about possible new features,
which we may implement in the near future.

We also store the raw UTF16 like cleartext buffer as well as derived
keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
This will allow us to avoid recalculating the keys for an in memory
keytab in future.

I also added pointer to an optional lsa_ForestTrustInformation structure,
which might be useful to implement multi-tenancy in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonetlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
Stefan Metzmacher [Wed, 17 May 2017 08:09:01 +0000 (10:09 +0200)]
netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agonetlogon.idl: make netr_TrustFlags [public]
Stefan Metzmacher [Wed, 17 May 2017 09:35:37 +0000 (11:35 +0200)]
netlogon.idl: make netr_TrustFlags [public]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agolsa.idl: make lsa_DnsDomainInfo [public]
Stefan Metzmacher [Wed, 17 May 2017 09:35:20 +0000 (11:35 +0200)]
lsa.idl: make lsa_DnsDomainInfo [public]

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
Stefan Metzmacher [Wed, 21 Jun 2017 19:30:39 +0000 (21:30 +0200)]
s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()

Even in the case where only the password is known to the server, we should
try to leave a valid authentication behind.

We have better ways to indentify which password worked than only using
the current one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agolibcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
Stefan Metzmacher [Tue, 13 Jun 2017 09:18:37 +0000 (11:18 +0200)]
libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agolibcli/auth: add const to set_pw_in_buffer()
Stefan Metzmacher [Tue, 13 Jun 2017 09:17:03 +0000 (11:17 +0200)]
libcli/auth: add const to set_pw_in_buffer()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agolibcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
Stefan Metzmacher [Mon, 22 May 2017 18:44:40 +0000 (20:44 +0200)]
libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()

This way the caller can pass more than 2 hashes and can only
know which hash was used for a successful connection.

We allow up to 4 hashes (next, current, old, older).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:trusts_util: pass dcname to trust_pw_change()
Stefan Metzmacher [Mon, 22 May 2017 13:36:29 +0000 (15:36 +0200)]
s3:trusts_util: pass dcname to trust_pw_change()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
Stefan Metzmacher [Wed, 24 May 2017 03:56:32 +0000 (05:56 +0200)]
s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()

We just want all values to be removed at the end, it doesn't matter
if they didn't existed before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
Stefan Metzmacher [Mon, 22 May 2017 10:44:31 +0000 (12:44 +0200)]
s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
Stefan Metzmacher [Mon, 22 May 2017 10:40:05 +0000 (12:40 +0200)]
s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
Stefan Metzmacher [Mon, 22 May 2017 10:31:01 +0000 (12:31 +0200)]
s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
Stefan Metzmacher [Wed, 24 May 2017 04:44:32 +0000 (06:44 +0200)]
s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there...
Stefan Metzmacher [Mon, 22 May 2017 10:27:45 +0000 (12:27 +0200)]
s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
Stefan Metzmacher [Mon, 22 May 2017 10:21:37 +0000 (12:21 +0200)]
s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
Stefan Metzmacher [Mon, 22 May 2017 10:21:37 +0000 (12:21 +0200)]
s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: rename secrets_delete() to secrets_delete_entry()
Stefan Metzmacher [Tue, 20 Jun 2017 11:07:15 +0000 (13:07 +0200)]
s3:secrets: rename secrets_delete() to secrets_delete_entry()

secrets_delete_entry() fails if the key doesn't exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
Stefan Metzmacher [Mon, 22 May 2017 10:18:33 +0000 (12:18 +0200)]
s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2 years agos3:secrets: add some const to secrets_store_domain_guid()
Stefan Metzmacher [Wed, 21 Jun 2017 17:38:15 +0000 (19:38 +0200)]
s3:secrets: add some const to secrets_store_domain_guid()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>