sfrench/samba-autobuild/.git
4 years ago vfs_ceph: use 'file descriptor' version xattr functions when possible
Yan, Zheng [Thu, 2 Apr 2015 02:11:02 +0000 (10:11 +0800)]
vfs_ceph: use 'file descriptor' version xattr functions when possible

libcephfs version 0.94 adds 'file descriptor' version xattr functions.
This patch makes corresponding samba VFS callbacks use these new
functions.

Signed-off-by: Yan, Zheng <zyan@redhat.com>
Reviewed-by: Ira Cooper <ira@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
4 years ago ctdb: check for talloc_asprintf() failure
David Disseldorp [Tue, 31 Mar 2015 16:06:43 +0000 (18:06 +0200)]
ctdb: check for talloc_asprintf() failure

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Wed Apr  1 15:36:03 CEST 2015 on sn-devel-104

4 years ago ctdb: Coverity fix for CID 1291643
Rajesh Joseph [Tue, 31 Mar 2015 13:13:36 +0000 (18:43 +0530)]
ctdb: Coverity fix for CID 1291643

CID 1291643: Resource leak: leaked_handle: Handle
variable lock_fd going out of scope leaks the handle.

Fix: on failure case release handle variable lock_fd

Signed-off-by: Rajesh Joseph <rjoseph@redhat.com>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago s3-passdb: Fix 'force user' with winbind default domain
Andreas Schneider [Tue, 31 Mar 2015 16:15:51 +0000 (18:15 +0200)]
s3-passdb: Fix 'force user' with winbind default domain

If we set 'winbind use default domain' and specify 'force user = user'
without a domain name we fail to log in. In this case we need to try a
lookup with the domain name.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11185

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 31 21:17:23 CEST 2015 on sn-devel-104

4 years ago selftest: run the FSRVP test suite against s3fs
David Disseldorp [Tue, 14 May 2013 22:45:17 +0000 (00:45 +0200)]
selftest: run the FSRVP test suite against s3fs

With FSRVP server support now present along with suitable mock-up test
infrastructure, run the FSRVP test suite against s3fs.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago selftest: add snapshot share configuration
David Disseldorp [Tue, 14 May 2013 22:42:35 +0000 (00:42 +0200)]
selftest: add snapshot share configuration

Define a share that uses both vfs_shell_snap and fake_snap.pl to create,
delete and expose fake snapshots in response to FSRVP requests.
Additionally test snapshot enumeration and access via the shadow_copy2
module.

Allow for simple testing of FSRVP message sequence timeouts, by
specifying an artificially small interval.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago doc: add vfs_shell_snap manpage
David Disseldorp [Mon, 7 Jul 2014 12:16:13 +0000 (14:16 +0200)]
doc: add vfs_shell_snap manpage

Document usage of the shell_snap VFS module, explaining when and how
each of the shell script commands is called.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs: add vfs_shell_snap module
David Disseldorp [Wed, 30 Jan 2013 13:42:46 +0000 (14:42 +0100)]
vfs: add vfs_shell_snap module

The shell_snap VFS module plumbs into the snapshot (aka shadow-copy)
management paths used by Samba's File Server Remote VSS Protocol (FSRVP)
server.
The following shell callouts may be configured in smb.conf:

shell_snap: check path command
- Called when an FSRVP client wishes to check whether a given
  share supports snapshot create/delete requests.
- The command is called with a single <share path> argument.
- The command must return 0 if <share path> is capable of being
  snapshotted.

shell_snap: create command
- Called when an FSRVP client wishes to create a snapshot.
- The command is called with a single <share path> argument.
- The command must return 0 status if the snapshot was
  successfully taken.
- The command must output the path of the newly created snapshot
  to stdout.

shell_snap: delete command
- Called when an FSRVP client wishes to delete a snapshot.
- The command is called with <base share path> and
  <snapshot share path> arguments.
- The command must return 0 status if the snapshot was
  successfully removed.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
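
The create-command contract described in the commit message above (single share-path argument, exit status 0, snapshot path on stdout), enforced from the calling side. This is an added example, not code from the Samba tree or from vfs_shell_snap; `run_create_callout()`, the return codes and the sample scripts are hypothetical, and `/bin/sh` is assumed to exist.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample callouts standing in for an administrator's script. */
static const char OK_SCRIPT[] = "echo \"$1/.snapshots/1\"";
static const char FAIL_SCRIPT[] = "echo /ignored; exit 1";
static const char SILENT_SCRIPT[] = "exit 0";

/*
 * Run a create-command style callout with the share path as its single
 * argument and enforce the contract: exit status 0 and the new snapshot
 * path on stdout.
 * Returns 0 on success, -1 on a local error, -2 on non-zero or abnormal
 * exit, -3 when stdout does not hold a usable absolute path.
 */
int run_create_callout(const char *script, const char *share_path,
                       char *snap_path, size_t len)
{
    int pfd[2], status, overflow = 0;
    size_t used = 0;
    ssize_t n;
    char buf[256];
    pid_t pid;

    if (len == 0 || pipe(pfd) != 0) {
        return -1;
    }
    pid = fork();
    if (pid == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdout goes to the pipe. The share path travels as an
         * argv element ($1); it is never pasted into the script text. */
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execl("/bin/sh", "sh", "-c", script, "snap-callout", share_path,
              (char *)NULL);
        _exit(127);
    }
    close(pfd[1]);
    for (;;) {
        n = read(pfd[0], buf, sizeof(buf));
        if (n == -1 && errno == EINTR) {
            continue;
        }
        if (n <= 0) {
            break;
        }
        if (overflow || used + (size_t)n >= len) {
            overflow = 1;   /* keep draining so the child can exit */
            continue;
        }
        memcpy(snap_path + used, buf, (size_t)n);
        used += (size_t)n;
    }
    close(pfd[0]);
    snap_path[used] = '\0';

    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR) {
            return -1;
        }
    }
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        return -2;          /* output is ignored when the command failed */
    }
    snap_path[strcspn(snap_path, "\r\n")] = '\0';
    if (overflow || snap_path[0] != '/') {
        return -3;          /* empty, oversized or relative path */
    }
    return 0;
}

/* Result code only. */
int callout_rc(const char *script, const char *share_path)
{
    char path[512];
    return run_create_callout(script, share_path, path, sizeof(path));
}

/* 1 if the callout succeeded and printed exactly the expected path. */
int callout_matches(const char *script, const char *share_path,
                    const char *expected)
{
    char path[512];
    if (run_create_callout(script, share_path, path, sizeof(path)) != 0) {
        return 0;
    }
    return strcmp(path, expected) == 0;
}

int main(void)
{
    printf("ok=%d fail=%d silent=%d\n",
           callout_matches(OK_SCRIPT, "/srv/my share",
                           "/srv/my share/.snapshots/1"),
           callout_rc(FAIL_SCRIPT, "/srv/share"),
           callout_rc(SILENT_SCRIPT, "/srv/share"));
    return 0;
}
```
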
4 years ago doc: explain vfs_btrfs remote snapshot configuration
David Disseldorp [Fri, 14 Sep 2012 18:55:40 +0000 (20:55 +0200)]
doc: explain vfs_btrfs remote snapshot configuration

This extends the vfs_btrfs man page to also cover FSRVP remote snapshot
behaviour and configuration.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago doc: explain vfs_snapper remote snapshot configuration
David Disseldorp [Fri, 14 Feb 2014 00:18:41 +0000 (01:18 +0100)]
doc: explain vfs_snapper remote snapshot configuration

This extends the vfs_snapper man page to also cover FSRVP remote
snapshot behaviour and configuration.
The permissions section is also extended to describe specific Samba and
Snapper requirements for remote snapshot creation and deletion using
DiskShadow.exe.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago doc: "prune stale" and "sequence timeout" fssd parameters
David Disseldorp [Wed, 26 Nov 2014 12:01:00 +0000 (13:01 +0100)]
doc: "prune stale" and "sequence timeout" fssd parameters

This change adds smb.conf documentation for the "fss: prune stale" and
"fss: sequence timeout" parameters accepted by Samba's FSRVP server.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago fsrvp: prune shadow copies if associated path doesn't exist
Noel Power [Thu, 13 Nov 2014 11:13:35 +0000 (11:13 +0000)]
fsrvp: prune shadow copies if associated path doesn't exist

This patch implements some simple FSRVP server housekeeping. On startup
the server scans the cached entries, any entries where the underlying
system paths associated with shadow copies no longer exist are removed
from the cache and from the registry.

This behaviour is disabled by default, but can be enabled via the new
"fss: prune stale" smb.conf parameter.

Signed-off-by: Noel Power <noel.power@suse.com>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago fsrvp: add remote snapshot RPC server
David Disseldorp [Tue, 10 Apr 2012 12:32:41 +0000 (14:32 +0200)]
fsrvp: add remote snapshot RPC server

The Samba fss_agent RPC server is an implementation of the File Server
Remote VSS (Volume Shadow Copy Service) Protocol, or FSRVP for short.

FSRVP is new with Windows Server 2012, and allows authenticated clients
to remotely request the creation, exposure and deletion of share
snapshots.

The fss_agent RPC server processes requests on the FssAgentRpc named
pipe, and dispatches relevant snapshot creation and deletion requests
through to the VFS.
The registry smb.conf back-end is used to expose snapshot shares, with
configuration parameters and share ACLs cloned from the base share.

There are three FSRVP client implementations that I'm aware of:
- Samba rpcclient includes fss_X commands.
- Windows Server 2012 includes diskshadow.exe.
- System Center 2012.

FSRVP operations are only processed for users with:
- Built-in Administrators group membership, or
- Built-in Backup Operators group membership, or
- Backup Operator privileges, or
- Security token matches the initial process UID

MS-FSRVP specifies that server state should be stored persistently
during operation and retrieved on startup. Use the existing fss_srv.tdb
FSRVP state storage back-end to satisfy this requirement.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs_snapper: create/delete snapshot support
David Disseldorp [Sun, 14 Oct 2012 17:54:24 +0000 (19:54 +0200)]
vfs_snapper: create/delete snapshot support

Extend vfs_snapper to support the new remote snapshot creation and
deletion hooks added for FSRVP.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs_btrfs: add snapshot create/delete calls
David Disseldorp [Tue, 4 Sep 2012 13:29:58 +0000 (15:29 +0200)]
vfs_btrfs: add snapshot create/delete calls

The "btrfs: manipulate snapshots" smb.conf parameter is disabled by
default, to encourage use of, and pass requests through to, the
vfs_snapper module.
When enabled, issue BTRFS_IOC_SNAP_CREATE_V2 and BTRFS_IOC_SNAP_DESTROY
ioctls accordingly. The ioctls are issued as root, so rely on permission
checks in the calling FSRVP server process.

Base share paths must exist as btrfs subvolumes in order to
be supported for snapshot operations.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago replace: check for dirname() and basename()
David Disseldorp [Mon, 23 Mar 2015 18:37:05 +0000 (19:37 +0100)]
replace: check for dirname() and basename()

These functions are provided by libgen.h, and conform to POSIX.1-2001.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago vfs: add snapshot create/delete hooks
David Disseldorp [Tue, 10 Apr 2012 01:16:57 +0000 (03:16 +0200)]
vfs: add snapshot create/delete hooks

This change adds three new VFS hooks covering snapshot manipulation:
- snap_check_path
  Check whether a path supports snapshots.
- snap_create
  Request the creation of a snapshot of the provided path.
- snap_delete
  Request the deletion of a snapshot.

These VFS call-outs will be used in future by Samba's File Server Remote
VSS Protocol (FSRVP) server.

MS-FSRVP states:
  At any given time, Windows servers allow only one shadow copy set to
  be going through the creation process.
Therefore, only provide synchronous hooks for now, which can be
converted to asynchronous _send/_recv functions when the corresponding
DCE/RPC server infrastructure is in place.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago torture: add local FSRVP server state tests
David Disseldorp [Tue, 11 Sep 2012 09:59:45 +0000 (11:59 +0200)]
torture: add local FSRVP server state tests

Test the storage and retrieval of FSRVP server state, with varying
shadow-copy set, shadow copy and share map hierarchies.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago fsrvp: add server state storage back-end
David Disseldorp [Fri, 3 Jan 2014 15:21:22 +0000 (16:21 +0100)]
fsrvp: add server state storage back-end

MS-FSRVP specifies:
  the server MUST persist all state information into an implementation-
  specific configuration store.

This change adds a fss_srv TDB database to preserve FSRVP server state,
with the following keys used to track shadow copy state and hierarchy:
- sc_set/<shadow copy set GUID>
  A shadow copy set tracks a collection of zero or more shadow copies,
  as initiated by a StartShadowCopySet FSRVP client request.
- sc_set/<shadow copy set GUID>/sc/<shadow copy GUID>
  A shadow copy defines information about a snapshot base volume, the
  snapshot path, and a collection of share maps. It is initiated by an
  AddToShadowCopySet client request.
- sc_set/<shadow copy set GUID>/sc/<shadow copy GUID>/smap/<smap GUID>
  A share map tracks new shares that are created to expose shadow
  copies.

All structures are marshalled into on-disk format using the previously
added fsrvp_state IDL library.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago librpc: add FSRVP server state idl
David Disseldorp [Wed, 25 Mar 2015 11:35:27 +0000 (12:35 +0100)]
librpc: add FSRVP server state idl

FSRVP server state must be retained persistently. This change adds IDL
definitions for the share map, shadow-copy and shadow-copy set types,
which will be used for marshalling and unmarshalling state alongside
database storage or retrieval.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years ago waf: Remove 'linkflags.remove(x)' line added in error.
Jeremy Allison [Mon, 30 Mar 2015 18:41:09 +0000 (11:41 -0700)]
waf: Remove 'linkflags.remove(x)' line added in error.

Fixes bug #11165 - Bug in configure scripts when system-mitkrb5 is used

https://bugzilla.samba.org/show_bug.cgi?id=11165

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Mar 31 04:32:52 CEST 2015 on sn-devel-104

4 years ago tdb: Do not build test binaries if it's not a standalone build
Amitay Isaacs [Fri, 15 Aug 2014 01:36:40 +0000 (11:36 +1000)]
tdb: Do not build test binaries if it's not a standalone build

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 31 01:56:02 CEST 2015 on sn-devel-104

4 years ago s4-torture: add test to verify nbt_name with "." ending handling.
Günther Deschner [Fri, 27 Mar 2015 14:31:36 +0000 (15:31 +0100)]
s4-torture: add test to verify nbt_name with "." ending handling.

Windows uses a username of 'domain.example.com.' and we need to return it that
way in the NETLOGON_SAM_LOGON_RESPONSE_EX.

See e6e2ec0001fe3c010445e26cc0efddbc1f73416b for further details.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar 30 16:18:04 CEST 2015 on sn-devel-104

4 years ago s4-torture: use torture_comment instead of printf in raw notify test.
Günther Deschner [Fri, 27 Mar 2015 16:47:42 +0000 (17:47 +0100)]
s4-torture: use torture_comment instead of printf in raw notify test.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
4 years ago s4-torture: use tctx variable name in raw notify test consistently.
Günther Deschner [Fri, 27 Mar 2015 16:40:16 +0000 (17:40 +0100)]
s4-torture: use tctx variable name in raw notify test consistently.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
4 years ago s4:torture:raw:notify: torture_assert on creation of secondary tcon
Michael Adam [Fri, 27 Mar 2015 09:34:34 +0000 (10:34 +0100)]
s4:torture:raw:notify: torture_assert on creation of secondary tcon

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: use torture_assert instead of printf in test_notify_tree
Michael Adam [Fri, 27 Mar 2015 09:25:17 +0000 (10:25 +0100)]
s4:torture:raw:notify: use torture_assert instead of printf in test_notify_tree

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: let NOTIFY_MASK_TEST use torture_assert macros
Michael Adam [Fri, 27 Mar 2015 09:19:26 +0000 (10:19 +0100)]
s4:torture:raw:notify: let NOTIFY_MASK_TEST use torture_assert macros

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: remove extra do-loop in NOTIFY_MASK_TEST macro.
Michael Adam [Thu, 26 Mar 2015 23:43:30 +0000 (00:43 +0100)]
s4:torture:raw:notify: remove extra do-loop in NOTIFY_MASK_TEST macro.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: use torture_assert instead of printf in failure case
Michael Adam [Thu, 26 Mar 2015 18:41:06 +0000 (19:41 +0100)]
s4:torture:raw:notify: use torture_assert instead of printf in failure case

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: remove superfluous conditional goto
Michael Adam [Thu, 26 Mar 2015 18:36:52 +0000 (19:36 +0100)]
s4:torture:raw:notify: remove superfluous conditional goto

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: treat torture_open_connection calls with torture_assert
Michael Adam [Thu, 26 Mar 2015 18:22:08 +0000 (19:22 +0100)]
s4:torture:raw:notify: treat torture_open_connection calls with torture_assert

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: use torture_assert with torture_setup_dir
Michael Adam [Thu, 26 Mar 2015 18:18:43 +0000 (19:18 +0100)]
s4:torture:raw:notify: use torture_assert with torture_setup_dir

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: add a few comments to torture_assert calls
Michael Adam [Thu, 26 Mar 2015 18:13:58 +0000 (19:13 +0100)]
s4:torture:raw:notify: add a few comments to torture_assert calls

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: improve the CHECK_WSTR() macro
Michael Adam [Thu, 26 Mar 2015 18:11:16 +0000 (19:11 +0100)]
s4:torture:raw:notify: improve the CHECK_WSTR() macro

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: make check_rename_reply() properly use torture_result
Michael Adam [Thu, 26 Mar 2015 18:08:26 +0000 (19:08 +0100)]
s4:torture:raw:notify: make check_rename_reply() properly use torture_result

Only change currently: the CHECK_WSTR calls report the line
number of this function now instead of the handed in
line of the callers. This could be fixed by turning this
function into a macro...

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: remove CHECK_WSTR2.
Michael Adam [Thu, 26 Mar 2015 17:58:05 +0000 (18:58 +0100)]
s4:torture:raw:notify: remove CHECK_WSTR2.

The original CHECK_WSTR() macro was not setting torture failure,
leading to errors instead of proper failures.

The original CHECK_WSTR2() macro was exactly like the CHECK_WSTR
macro but using proper torture_result() calls.

This patch removes the original CHECK_WSTR(), renames CHECK_WSTR2
to CHECK_WSTR and adapts the callers, hence removing the source
of many potential missing torture_assert messages.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: remove CHECK_VAL.
Michael Adam [Thu, 26 Mar 2015 17:45:47 +0000 (18:45 +0100)]
s4:torture:raw:notify: remove CHECK_VAL.

This macro is not setting torture failure, leading to errors instead
of failures. Use torture_assert_ntstatus_(ok|equal)* macros.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:torture:raw:notify: remove CHECK_STATUS.
Michael Adam [Thu, 26 Mar 2015 11:00:15 +0000 (12:00 +0100)]
s4:torture:raw:notify: remove CHECK_STATUS.

This macro is not setting torture failure, leading to errors instead
of failures. Use torture_assert_ntstatus_(ok|equal)* macros.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago torture: add torture_assert_not_null[_goto]
Michael Adam [Thu, 26 Mar 2015 20:20:23 +0000 (21:20 +0100)]
torture: add torture_assert_not_null[_goto]

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago torture: add torture_assert_int_not_equal_goto
Michael Adam [Fri, 27 Mar 2015 09:02:28 +0000 (10:02 +0100)]
torture: add torture_assert_int_not_equal_goto

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:trusts_util: generate completely random passwords in trust_pw_change()
Stefan Metzmacher [Fri, 30 Jan 2015 09:21:59 +0000 (09:21 +0000)]
s3:trusts_util: generate completely random passwords in trust_pw_change()

Instead of having every 2nd byte as '\0' in the utf16 password,
because the utf8 form is based on an ascii subset, we convert
the random buffer from CH_UTF16MUNGED to CH_UTF8.

This way we have a random but valid utf8 string,
which is almost like what Windows is doing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:trusts_util: pass new_trust_version to netlogon_creds_cli_ServerPasswordSet()...
Stefan Metzmacher [Fri, 30 Jan 2015 09:21:59 +0000 (09:21 +0000)]
s3:trusts_util: pass new_trust_version to netlogon_creds_cli_ServerPasswordSet() in trust_pw_change()

We should maintain current and previous passwords on both sides of the trust,
which means we need to pass our view of the new version to the remote DC.

This avoids problems with replication delays and makes sure the kvno
for cross-realm tickets is in sync.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:trusts_util: make use of pdb_get_trust_credentials() and pdb_get_trusted_domain...
Stefan Metzmacher [Fri, 30 Jan 2015 09:21:59 +0000 (09:21 +0000)]
s3:trusts_util: make use of pdb_get_trust_credentials() and pdb_get_trusted_domain() in trust_pw_change()

Using pdb_get_trust_credentials() works for all kinds of trusts
and gives us much more details regarding the credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:trusts_util: add support for SEC_CHAN_DNS_DOMAIN in trust_pw_change()
Stefan Metzmacher [Fri, 30 Jan 2015 09:21:59 +0000 (09:21 +0000)]
s3:trusts_util: add support for SEC_CHAN_DNS_DOMAIN in trust_pw_change()

SEC_CHAN_DNS_DOMAIN trusts use longer passwords, Windows uses 240 UTF16 bytes.

Some trustAttribute flags may also have an impact on the length on Windows,
but we could be better if we know that the remote domain is an AD domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
Stefan Metzmacher [Sat, 31 Jan 2015 10:45:12 +0000 (11:45 +0100)]
s3:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them

The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them
Stefan Metzmacher [Sat, 31 Jan 2015 10:45:12 +0000 (11:45 +0100)]
s4:rpc_server/lsa: we need to normalize the trustAuth* blobs before storing them

The number of current and previous elements need to match and we have to
fill TRUST_AUTH_TYPE_NONE if needed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:rpc_server/lsa: notify winbindd about new trusted domains
Stefan Metzmacher [Fri, 23 Jan 2015 15:59:27 +0000 (16:59 +0100)]
s4:rpc_server/lsa: notify winbindd about new trusted domains

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:winbindd: add MSG_WINBIND_NEW_TRUSTED_DOMAIN that takes a lsa_TrustDomainInfoInfoEx
Stefan Metzmacher [Fri, 23 Jan 2015 15:59:07 +0000 (16:59 +0100)]
s3:winbindd: add MSG_WINBIND_NEW_TRUSTED_DOMAIN that takes a lsa_TrustDomainInfoInfoEx

When a new trusted domain is added in the LSA server, we need to immediately
have the domain within winbindd. This notification is done via a
MSG_WINBIND_NEW_TRUSTED_DOMAIN message.

In future we might want just a "rescan direct trusts" message,
but that requires a lot of redesign within winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago lsa.idl: mark lsa_TrustDomainInfoInfoEx as public
Stefan Metzmacher [Sat, 24 Jan 2015 10:22:54 +0000 (11:22 +0100)]
lsa.idl: mark lsa_TrustDomainInfoInfoEx as public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:selftest: run dbcheck against the ad_dc environment too
Stefan Metzmacher [Fri, 27 Mar 2015 09:45:58 +0000 (10:45 +0100)]
s4:selftest: run dbcheck against the ad_dc environment too

This is the environment that is configured like real world configurations.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:rpc_server/lsa: implement the policy security descriptor
Stefan Metzmacher [Wed, 25 Mar 2015 19:11:12 +0000 (19:11 +0000)]
s4:rpc_server/lsa: implement the policy security descriptor

We now check the requested access mask in OpenPolicy*()
and return NT_STATUS_ACCESS_DENIED if the request is not granted.

E.g. validating a domain trust via the Windows gui requires this
in order to prompt the user for the credentials. Otherwise
we fail any other call with ACCESS_DENIED later and the
gui just displays a strange error message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4:rpc_server/lsa: normalize the access_mask for lsa account objects
Stefan Metzmacher [Thu, 26 Mar 2015 20:52:27 +0000 (21:52 +0100)]
s4:rpc_server/lsa: normalize the access_mask for lsa account objects

We still grant all access in the access_mask, but we don't check the
mask at all yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago libcli/security: add security_descriptor_for_client() helper function
Stefan Metzmacher [Thu, 26 Mar 2015 13:39:35 +0000 (14:39 +0100)]
libcli/security: add security_descriptor_for_client() helper function

This prepares a possibly stripped security descriptor for a client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago libcli/security: support "IS" in SDDL for SID_NT_IUSR
Stefan Metzmacher [Wed, 25 Mar 2015 19:10:48 +0000 (19:10 +0000)]
libcli/security: support "IS" in SDDL for SID_NT_IUSR

TODO: we should import the whole lists from [MS-DTYP].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s3:rpcclient: only require netlogon_creds for specified netlogon calls
Stefan Metzmacher [Thu, 26 Mar 2015 13:41:09 +0000 (14:41 +0100)]
s3:rpcclient: only require netlogon_creds for specified netlogon calls

A lot of calls on the netlogon pipe don't require netlogon credentials,
e.g. netr_LogonControl*() should work just with administrator credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago Check for third party Python modules during configure.
Jelmer Vernooij [Sat, 28 Mar 2015 16:11:51 +0000 (16:11 +0000)]
Check for third party Python modules during configure.

Inform the user whether the module was found on the system, or if the
bundled copy is being used. If the module is not found, suggest what
they can do to make it available to Samba.

Change-Id: I89ec57a2acf87768ca3714add59575578d2ee399
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Mar 30 13:40:33 CEST 2015 on sn-devel-104

4 years ago Move configure part of third party to third_party/wscript.
Jelmer Vernooij [Sat, 28 Mar 2015 15:43:29 +0000 (15:43 +0000)]
Move configure part of third party to third_party/wscript.

Change-Id: I34875a8bde99df2e0a2659677e88640bb0ec1816
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago Pass --recursive to 'git clone' in autobuild.
Jelmer Vernooij [Sat, 28 Mar 2015 16:15:03 +0000 (16:15 +0000)]
Pass --recursive to 'git clone' in autobuild.

This makes it possible to use submodules in Samba.

Change-Id: Iccb1876b1daf82864b18486f2dca9036d7d3c75c
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago groupdb: Fix a typo
Volker Lendecke [Sun, 29 Mar 2015 16:17:46 +0000 (18:17 +0200)]
groupdb: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago heimdal: Fix a warning
Volker Lendecke [Sun, 29 Mar 2015 13:59:41 +0000 (15:59 +0200)]
heimdal: Fix a warning

99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago heimdal: Fix a warning
Volker Lendecke [Sun, 29 Mar 2015 13:59:41 +0000 (15:59 +0200)]
heimdal: Fix a warning

99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago vfs_gpfs: Remove warning after failure of get_gpfs_fset_id
Christof Schmitt [Fri, 27 Mar 2015 20:16:41 +0000 (13:16 -0700)]
vfs_gpfs: Remove warning after failure of get_gpfs_fset_id

get_gpfs_fset_id already emits more detailed warnings, there is no need
to print an additional warning in the calling function.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
4 years ago ctdb-tests: Switch to tcp check in rpcinfo stub
Amitay Isaacs [Fri, 27 Mar 2015 01:00:56 +0000 (12:00 +1100)]
ctdb-tests: Switch to tcp check in rpcinfo stub

Use -T tcp instead of deprecated options -u and -t.  Also, check for
localhost.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 27 09:16:50 CET 2015 on sn-devel-104

4 years ago ctdb-scripts: Use tcp connection for checking RPC services
Amitay Isaacs [Fri, 27 Mar 2015 01:04:03 +0000 (12:04 +1100)]
ctdb-scripts: Use tcp connection for checking RPC services

It's possible for an RPC service to register only for UDP and not TCP.
Since we assume all the NFS operations are over TCP, always check RPC
services over TCP.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
4 years ago ctdb-scripts: Respect $RPCMOUNTDOPTS when restarting rpc.mountd
Martin Schwenke [Tue, 24 Mar 2015 09:12:51 +0000 (20:12 +1100)]
ctdb-scripts: Respect $RPCMOUNTDOPTS when restarting rpc.mountd

$RPCMOUNTDOPTS is ignored when restarting rpc.statd due to the service
being unresponsive.  This variable can be used to increase the number
of rpc.mountd threads when there are a lot of clients reattaching so
ignoring it can mean that only a single rpc.mountd thread is started.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
4 years ago ctdb-daemon: Drop tunable that is no longer in use
Amitay Isaacs [Wed, 30 Jul 2014 04:31:54 +0000 (14:31 +1000)]
ctdb-daemon: Drop tunable that is no longer in use

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
4 years ago ctdb-recoverd: Fix typo in comment
Amitay Isaacs [Wed, 30 Jul 2014 02:32:08 +0000 (12:32 +1000)]
ctdb-recoverd: Fix typo in comment

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
4 years ago selftest: Use 'logging' parameter instead of 'syslog'
Christof Schmitt [Mon, 23 Mar 2015 23:16:36 +0000 (16:16 -0700)]
selftest: Use 'logging' parameter instead of 'syslog'

'syslog' has been deprecated, so use the new 'logging' parameter
instead.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Mar 27 06:38:32 CET 2015 on sn-devel-104

4 years ago s4-process_model: Panic if the standard init function fails
Andreas Schneider [Thu, 26 Mar 2015 09:58:18 +0000 (10:58 +0100)]
s4-process_model: Panic if the standard init function fails

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-process_model: Do not close random fds while forking.
Andreas Schneider [Thu, 26 Mar 2015 09:48:31 +0000 (10:48 +0100)]
s4-process_model: Do not close random fds while forking.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11180

The issue has been found with nss_wrapper debug output running:
    samba4.ntvfs.cifs.krb5.base.lock

In the case here, we fork a child and close the fd without resetting
the pipe fd variable. Then the fd was used to open the nss_wrapper
hosts file which got the same fd. We forked again in the process model
and called close() on the re-used fd (of the pipe variable) again without
nss_wrapper noticing.  Now Samba opened the secrets tdb and got
the same fd as nss_wrapper was using for the hosts file and next
nss_wrapper tried to parse a TDB ...

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal...
Stefan Metzmacher [Thu, 26 Mar 2015 09:24:05 +0000 (09:24 +0000)]
s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt

smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@S4XDOM.BASE%A1b2C3d4
worked while
smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@s4xdom.base
failed, if aes keys are used across the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 27 04:02:05 CET 2015 on sn-devel-104

4 years ago libcli/util: remove unused WERR_BAD_PASSWORD
Stefan Metzmacher [Thu, 26 Mar 2015 10:00:10 +0000 (11:00 +0100)]
libcli/util: remove unused WERR_BAD_PASSWORD

The values are the same, but WERR_INVALID_PASSWORD matches the documentation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD
Stefan Metzmacher [Thu, 26 Mar 2015 10:00:10 +0000 (11:00 +0100)]
libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD

The values are the same, but WERR_INVALID_PASSWORD matches the documentation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago docs-xml/Samba3-HOWTO: add reference to WERR_INVALID_PASSWORD where we had only WERR_B...
Stefan Metzmacher [Thu, 26 Mar 2015 10:00:10 +0000 (11:00 +0100)]
docs-xml/Samba3-HOWTO: add reference to WERR_INVALID_PASSWORD where we had only WERR_BAD_PASSWORD

The values are the same, but WERR_INVALID_PASSWORD matches the documentation
and the new win_errstr() output.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago selftest: use dns_lookup_* = true in krb5.conf
Stefan Metzmacher [Tue, 24 Mar 2015 18:05:10 +0000 (19:05 +0100)]
selftest: use dns_lookup_* = true in krb5.conf

We only need to specify explicit entries for the local realm
in order to provision the server.

Everything else is handled by real dns or faked dns via resolv wrapper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years ago s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs.
Günther Deschner [Tue, 10 Feb 2015 12:23:14 +0000 (13:23 +0100)]
s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db_glue: use smb_krb5_principal_set_type().
Günther Deschner [Tue, 10 Feb 2015 12:14:21 +0000 (13:14 +0100)]
s4-kdc/db_glue: use smb_krb5_principal_set_type().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago krb5_wrap: fix documentation for smb_krb5_principal_get_comp_string().
Günther Deschner [Tue, 10 Feb 2015 12:38:41 +0000 (13:38 +0100)]
krb5_wrap: fix documentation for smb_krb5_principal_get_comp_string().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago krb5_wrap: add smb_krb5_principal_set_type().
Günther Deschner [Tue, 10 Feb 2015 12:13:01 +0000 (13:13 +0100)]
krb5_wrap: add smb_krb5_principal_set_type().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-auth: fix DEBUG statement.
Günther Deschner [Sat, 7 Feb 2015 14:12:45 +0000 (15:12 +0100)]
s4-auth: fix DEBUG statement.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.
Günther Deschner [Sat, 7 Feb 2015 09:48:30 +0000 (10:48 +0100)]
gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure.

When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_st...
Günther Deschner [Fri, 19 Dec 2014 15:35:48 +0000 (16:35 +0100)]
s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago lib/krb5_wrap: use krb5_const_principal in smb_krb5_get_pw_salt().
Günther Deschner [Thu, 26 Mar 2015 10:31:34 +0000 (11:31 +0100)]
lib/krb5_wrap: use krb5_const_principal in smb_krb5_get_pw_salt().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.
Günther Deschner [Thu, 26 Mar 2015 10:21:06 +0000 (11:21 +0100)]
lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-auth: avoid double free of krb5 kt_entries when compiling with MIT kerberos library.
Günther Deschner [Tue, 29 Jul 2014 16:32:20 +0000 (18:32 +0200)]
s4-auth: avoid double free of krb5 kt_entries when compiling with MIT kerberos library.

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-gensec: Check if we have delegated credentials.
Andreas Schneider [Tue, 29 Jul 2014 10:33:49 +0000 (12:33 +0200)]
s4-gensec: Check if we have delegated credentials.

With MIT Kerberos it is possible that the GSS_C_DELEG_FLAG is set, but
the delegated_cred_handle is NULL which results in a NULL-pointer
dereference. This way we fix it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue.
Günther Deschner [Fri, 16 May 2014 09:44:49 +0000 (11:44 +0200)]
s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db-glue: use principal_comp_str{case}cmp.
Günther Deschner [Fri, 16 May 2014 09:44:02 +0000 (11:44 +0200)]
s4-kdc/db-glue: use principal_comp_str{case}cmp.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db-glue: add principal_comp_str{case}cmp
Günther Deschner [Thu, 15 May 2014 13:57:06 +0000 (15:57 +0200)]
s4-kdc/db-glue: add principal_comp_str{case}cmp

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().
Günther Deschner [Fri, 9 May 2014 22:49:44 +0000 (00:49 +0200)]
s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().
Günther Deschner [Fri, 9 May 2014 22:26:21 +0000 (00:26 +0200)]
s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().
Günther Deschner [Fri, 9 May 2014 21:26:42 +0000 (23:26 +0200)]
s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy().
Günther Deschner [Fri, 9 May 2014 12:58:08 +0000 (14:58 +0200)]
s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_mat...
Günther Deschner [Fri, 9 May 2014 12:56:22 +0000 (14:56 +0200)]
s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self().
Günther Deschner [Fri, 9 May 2014 12:54:23 +0000 (14:54 +0200)]
s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self().

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc: build some kdc components only for Heimdal KDCs.
Günther Deschner [Thu, 8 May 2014 13:15:40 +0000 (15:15 +0200)]
s4-kdc: build some kdc components only for Heimdal KDCs.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.
Günther Deschner [Thu, 8 May 2014 12:47:05 +0000 (14:47 +0200)]
lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes.
Günther Deschner [Thu, 8 May 2014 12:42:20 +0000 (14:42 +0200)]
s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 years ago librpc/ndr_nbt: we need to keep a trailing '.' in the last component of an nbt_string
Stefan Metzmacher [Wed, 25 Mar 2015 15:04:06 +0000 (15:04 +0000)]
librpc/ndr_nbt: we need to keep a trailing '.' in the last component of an nbt_string

Windows uses a username of 'domain.example.com.' as username and we need to
return it that way in the NETLOGON_SAM_LOGON_RESPONSE_EX reply.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>