sfrench/samba-autobuild/.git
2 years agos3: VFS: Change SMB_VFS_LISTXATTR to use const struct smb_filename * instead of const...
Jeremy Allison [Tue, 23 May 2017 20:12:29 +0000 (13:12 -0700)]
s3: VFS: Change SMB_VFS_LISTXATTR to use const struct smb_filename * instead of const char *.

We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3: VFS: Change SMB_VFS_SYS_ACL_SET_FILE to use const struct smb_filename * instead...
Jeremy Allison [Wed, 24 May 2017 17:47:46 +0000 (10:47 -0700)]
s3: VFS: Change SMB_VFS_SYS_ACL_SET_FILE to use const struct smb_filename * instead of const char *.

We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3: VFS: Change SMB_VFS_SYS_ACL_BLOB_GET_FILE to use const struct smb_filename *...
Jeremy Allison [Wed, 24 May 2017 00:35:59 +0000 (17:35 -0700)]
s3: VFS: Change SMB_VFS_SYS_ACL_BLOB_GET_FILE to use const struct smb_filename * instead of const char *.

We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3: VFS: Change SMB_VFS_SYS_ACL_GET_FILE to use const struct smb_filename * instead...
Jeremy Allison [Wed, 24 May 2017 00:11:18 +0000 (17:11 -0700)]
s3: VFS: Change SMB_VFS_SYS_ACL_GET_FILE to use const struct smb_filename * instead of const char *.

We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Requires a few extra cleanups in calling code.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3: VFS: Change SMB_VFS_SYS_ACL_DELETE_DEF_FILE to use const struct smb_filename...
Jeremy Allison [Tue, 23 May 2017 22:33:31 +0000 (15:33 -0700)]
s3: VFS: Change SMB_VFS_SYS_ACL_DELETE_DEF_FILE to use const struct smb_filename * instead of const char *.

We need to migrate all pathname based VFS calls to use a struct
to finish modernising the VFS with extra timestamp and flags parameters.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agos3: lib: Add new utility function cp_smb_filename_nostream().
Jeremy Allison [Tue, 30 May 2017 18:46:49 +0000 (11:46 -0700)]
s3: lib: Add new utility function cp_smb_filename_nostream().

Will be needed when we migrate lower-level VFS functions to
take an struct smb_filename *, especially the SYS_ACL and
XATTR modification modules, as these must ignore a passed-in
stream name.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agodsdb: Use ldb_handle_use_global_event_context for rootdse modifies
Andrew Bartlett [Thu, 11 May 2017 23:55:45 +0000 (01:55 +0200)]
dsdb: Use ldb_handle_use_global_event_context for rootdse modifies

The modify operations on the rootDSE turn into IRPC messages, and these need
to be handled on the global event context, not the per-operation context

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 31 10:47:46 CEST 2017 on sn-devel-144

2 years agoschema: Use ldb_schema_set_override_indexlist for faster index selection
Andrew Bartlett [Thu, 30 Mar 2017 00:25:35 +0000 (13:25 +1300)]
schema: Use ldb_schema_set_override_indexlist for faster index selection

This allows Samba to provide a binary tree lookup for the existance of an index on the attribute
rather than the O(n) lookup that was being done for each attribute during a search or modify

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Version 1.1.30 ldb-1.1.30
Andrew Bartlett [Thu, 30 Mar 2017 00:54:58 +0000 (13:54 +1300)]
ldb: Version 1.1.30

* let ldbdump parse the -i option
* don't allow the reveal_internals control for ldbedit
* only allow --show-binary for ldbsearch
* don't let ldbsearch create non-existing files
* fix ldb_tdb search inconsistencies
* add cmocka based tests
* provide an interface for improved indexing for callers
  like Samba, which will allow much better performance.
* Makes ldb access to tdb:// databases use a private event context
  rather than the global event context passed in by the caller.
  This is because running other operations while locks are held
  or a search is being conducted is not safe.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add Doxygen documentation for ldb_handle_use_global_event_context()
Andrew Bartlett [Tue, 30 May 2017 09:12:33 +0000 (21:12 +1200)]
ldb: Add Doxygen documentation for ldb_handle_use_global_event_context()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add Doxygen docs for ldb_set_require_private_event_context()
Andrew Bartlett [Tue, 30 May 2017 09:17:57 +0000 (21:17 +1200)]
ldb: Add Doxygen docs for ldb_set_require_private_event_context()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add Doxygen docs for ldb_handle_get_event_context()
Andrew Bartlett [Thu, 4 May 2017 09:39:21 +0000 (11:39 +0200)]
ldb: Add Doxygen docs for ldb_handle_get_event_context()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add Doxygen docs for ldb_schema_set_override_indexlist()
Andrew Bartlett [Tue, 30 May 2017 09:04:02 +0000 (21:04 +1200)]
ldb: Add Doxygen docs for ldb_schema_set_override_indexlist()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add Doxygen docs for ldb_schema_attribute_set_override_handler
Andrew Bartlett [Tue, 30 May 2017 09:00:34 +0000 (21:00 +1200)]
ldb: Add Doxygen docs for ldb_schema_attribute_set_override_handler

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add Doxygen comments for ldb_req_*trusted() functions
Andrew Bartlett [Tue, 30 May 2017 08:57:23 +0000 (20:57 +1200)]
ldb: Add Doxygen comments for ldb_req_*trusted() functions

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2 years agoldb: Add test for ldb_build_search_req()
Andrew Bartlett [Tue, 30 May 2017 02:59:16 +0000 (14:59 +1200)]
ldb: Add test for ldb_build_search_req()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add tests for new ldb handle and event context behaviour
Andrew Bartlett [Tue, 30 May 2017 02:39:49 +0000 (14:39 +1200)]
ldb: Add tests for new ldb handle and event context behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add ldb_handle_use_global_event_context()
Andrew Bartlett [Fri, 5 May 2017 06:25:40 +0000 (08:25 +0200)]
ldb: Add ldb_handle_use_global_event_context()

This will allow the IRPC to be processed in the main event loop of the
server, not the private event context for this request

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Use the private event context in ldb_tdb and ldb_wait()
Andrew Bartlett [Fri, 12 May 2017 00:30:01 +0000 (02:30 +0200)]
ldb: Use the private event context in ldb_tdb and ldb_wait()

This enables the previous commits, and ensures that ldb_tdb is safe from operations while locks
are held

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Force use of a private event context in ldb_tdb
Andrew Bartlett [Fri, 12 May 2017 00:28:02 +0000 (02:28 +0200)]
ldb: Force use of a private event context in ldb_tdb

ldb_tdb holds locks while making callbacks, so force the use of a per-request event context

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Create private event contexts in top level requests, chain to children
Andrew Bartlett [Fri, 12 May 2017 00:26:04 +0000 (02:26 +0200)]
ldb: Create private event contexts in top level requests, chain to children

We must ensure that the ldb_request we call ldb_wait() will share an event context with all
the eventual request that the ldb backend creates events on

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add ldb_set_require_private_event_context()
Andrew Bartlett [Fri, 12 May 2017 00:21:28 +0000 (02:21 +0200)]
ldb: Add ldb_set_require_private_event_context()

This will allow us to force use of the global event context for use when Samba
must make an IRPC call from within the ldb stack, to another part of the same
process

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add ldb_handle_get_event_context()
Andrew Bartlett [Thu, 4 May 2017 09:39:21 +0000 (11:39 +0200)]
ldb: Add ldb_handle_get_event_context()

This will allow us to obtain a private event context for use while we hold
locks in ldb_tdb, that is not shared with the global state of the application.

This will ensure we do not perform other operations while we hold the lock

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add ldb_build_req_common() helper function
Andrew Bartlett [Thu, 4 May 2017 20:27:24 +0000 (22:27 +0200)]
ldb: Add ldb_build_req_common() helper function

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Add tests for the schema and index override hooks
Andrew Bartlett [Tue, 30 May 2017 01:53:01 +0000 (13:53 +1200)]
ldb: Add tests for the schema and index override hooks

Because this uses ldb_private.h we no longer build the
test binary if we are building against a system ldb

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Move test_ldb_attrs_case_insensitive closer to setup/teardown functions
Andrew Bartlett [Tue, 30 May 2017 00:47:58 +0000 (12:47 +1200)]
ldb: Move test_ldb_attrs_case_insensitive closer to setup/teardown functions

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: Avoid reading the index list from the DB if we are already set to override it
Andrew Bartlett [Thu, 30 Mar 2017 00:10:22 +0000 (13:10 +1300)]
ldb_tdb: Avoid reading the index list from the DB if we are already set to override it

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb: Allow a caller (in particular Samba) to handle the list of attributes with an...
Andrew Bartlett [Thu, 30 Mar 2017 00:23:44 +0000 (13:23 +1300)]
ldb: Allow a caller (in particular Samba) to handle the list of attributes with an index

By doing that, Samba will use a binary search to locate the attributes
rather than an O(n) search, during every search or modify of the database.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: consistently use ltdb->cache->attribute_indexes to determine if we have...
Andrew Bartlett [Thu, 30 Mar 2017 00:21:34 +0000 (13:21 +1300)]
ldb_tdb: consistently use ltdb->cache->attribute_indexes to determine if we have indexes

This is instead of checking the number of elements via ltdb->cache->indexlist->num_elements

In turn, this allows us to avoid fetching ltdb->cache->indexlist in the future

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: change the arguments to ldb_is_indexed() to provide the ltdb_private
Andrew Bartlett [Thu, 30 Mar 2017 00:07:16 +0000 (13:07 +1300)]
ldb_tdb: change the arguments to ldb_is_indexed() to provide the ltdb_private

By doing this, we can be more efficient in locating if we have an index in
the future.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agoldb_tdb: Split index load out into a sub-funciton: ltdb_index_load
Andrew Bartlett [Thu, 30 Mar 2017 00:10:08 +0000 (13:10 +1300)]
ldb_tdb: Split index load out into a sub-funciton: ltdb_index_load

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agos3:smbd: Set up local and remote address for fake connection
Andreas Schneider [Tue, 21 Mar 2017 14:45:34 +0000 (15:45 +0100)]
s3:smbd: Set up local and remote address for fake connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 31 06:33:00 CEST 2017 on sn-devel-144

2 years agos3:smbd: Pass down remote and local address to get_referred_path()
Andreas Schneider [Tue, 21 Mar 2017 14:32:37 +0000 (15:32 +0100)]
s3:smbd: Pass down remote and local address to get_referred_path()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agolib: Remove use of MSG_NOSIGNAL
Volker Lendecke [Mon, 29 May 2017 14:15:50 +0000 (16:15 +0200)]
lib: Remove use of MSG_NOSIGNAL

According to susv4 sendmsg, NOSIGAL is effective for stream-oriented sockets.
Datagram sockets won't send SIGPIPE anyway. Looking at Linux kernel sources,
this is only looked at in stream functions. I guess this is a left-over from my
tmsgd attempts, which was based on stream sockets. messaging_dgm still only
uses datagram sockets, so MSG_NOSIGNAL is not needed here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12502

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 30 16:39:12 CEST 2017 on sn-devel-144

2 years agos4:lib/com: remove unused pycom binding
Stefan Metzmacher [Wed, 26 Apr 2017 13:25:43 +0000 (15:25 +0200)]
s4:lib/com: remove unused pycom binding

This is completely untested and from reading the code it doesn't really
do anything beside always returning None from the get_class_object() method.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 30 12:16:57 CEST 2017 on sn-devel-144

2 years agos4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()
Stefan Metzmacher [Mon, 29 May 2017 07:37:09 +0000 (09:37 +0200)]
s4:librpc: restore inhibit_timeout_processing = true during gensec_update_send/recv()

As not all gensec backends are fully async yet, we need the
inhibit_timeout_processing workarround in order to protect
against nested event loops.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoRevert "s4:librpc: simplify dcerpc_connect_timeout_handler() logic"
Stefan Metzmacher [Mon, 29 May 2017 07:32:12 +0000 (09:32 +0200)]
Revert "s4:librpc: simplify dcerpc_connect_timeout_handler() logic"

This reverts commit 2c3e99d1697b83f7dd498596a274fe2e8e96116d.

As the source4 backends for kerberos still use nested event loops,
we need to restore this for now.

We should reapply this once all backends are fully async.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agos4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()
Stefan Metzmacher [Wed, 24 May 2017 04:11:17 +0000 (06:11 +0200)]
s4:auth: use talloc_reparent() in samba_server_gensec_krb5_start()

This matches logic of samba_server_gensec_start() and avoids warnings like this:

WARNING: talloc_steal with references at ../source4/auth/samba_server_gensec.c:150
        reference at ../auth/gensec/gensec_start.c:586

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/rodc: Check that new passwords trigger wiping on RODC
Garming Sam [Mon, 22 May 2017 03:08:27 +0000 (15:08 +1200)]
tests/rodc: Check that new passwords trigger wiping on RODC

This appears to have been working correctly, but we just haven't had a test for it.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agogetncchanges: Do not filter EXOPs using highwatermark
Garming Sam [Mon, 22 May 2017 01:59:22 +0000 (13:59 +1200)]
getncchanges: Do not filter EXOPs using highwatermark

Prior to this patch, any REPL_SECRETS could be filtered accidentally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorpc_server: Move SID helpers into common
Garming Sam [Thu, 20 Apr 2017 23:29:48 +0000 (11:29 +1200)]
rpc_server: Move SID helpers into common

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogon: Add necessary security checks for SendToSam
Garming Sam [Wed, 19 Apr 2017 00:50:55 +0000 (12:50 +1200)]
netlogon: Add necessary security checks for SendToSam

We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/rodc: Check SID restriction for SendToSam
Garming Sam [Wed, 26 Apr 2017 04:32:51 +0000 (16:32 +1200)]
tests/rodc: Check SID restriction for SendToSam

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/rodc: Add password lockout tests with RODC-auth, RWDC-check
Garming Sam [Fri, 21 Apr 2017 03:21:58 +0000 (15:21 +1200)]
tests/rodc: Add password lockout tests with RODC-auth, RWDC-check

This occurs when the password is preloaded, and the bad logins and
successes must be forwarded the the RWDC.

The password server MUST be localdc.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoselftest: Ensure rodc environment uses localdc as winbind partner
Garming Sam [Wed, 26 Apr 2017 04:11:28 +0000 (16:11 +1200)]
selftest: Ensure rodc environment uses localdc as winbind partner

This is required for password lockout testing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogon: Implement SendToSam along with its winbind forwarding
Garming Sam [Tue, 11 Apr 2017 03:51:50 +0000 (15:51 +1200)]
netlogon: Implement SendToSam along with its winbind forwarding

This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).

(further patches still need to address forcing a RWDC contact)

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agonetlogon_creds_cli: Do not corrupt authenticator state on application level errors
Garming Sam [Thu, 20 Apr 2017 04:55:58 +0000 (16:55 +1200)]
netlogon_creds_cli: Do not corrupt authenticator state on application level errors

If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
updates falling off and never continuing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agokdc: Send bad password via NETLOGON in RODC
Garming Sam [Mon, 3 Apr 2017 23:57:01 +0000 (11:57 +1200)]
kdc: Send bad password via NETLOGON in RODC

This means that a RWDC will be collecting the badPwdCount to ensure
domain wide lockout.

TODO The parameters should be better constructed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agohdb: Dupe a copy of repl secrets into the KDC
Garming Sam [Mon, 3 Apr 2017 04:11:35 +0000 (16:11 +1200)]
hdb: Dupe a copy of repl secrets into the KDC

When you have an RODC, this will force the fetch of secrets if not found here

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth_sam: Make auth_sam_trigger_repl_secret more generic
Garming Sam [Mon, 3 Apr 2017 03:49:45 +0000 (15:49 +1200)]
auth_sam: Make auth_sam_trigger_repl_secret more generic

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agorodc: Set non-authoritative for RODC bad passwords
Garming Sam [Mon, 3 Apr 2017 03:22:08 +0000 (15:22 +1200)]
rodc: Set non-authoritative for RODC bad passwords

This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/rodc: Test for NTLM wrong password forwarding
Garming Sam [Wed, 26 Apr 2017 01:41:03 +0000 (13:41 +1200)]
tests/rodc: Test for NTLM wrong password forwarding

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth_winbind: Allow badPwdCount to be set to 0 with this auth method
Garming Sam [Mon, 3 Apr 2017 03:26:12 +0000 (15:26 +1200)]
auth_winbind: Allow badPwdCount to be set to 0 with this auth method

We rely on the other SAM modules to increment the badPwdCount locally,
but we must reset to 0 if the remote sends a success (to override our
failure).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd: Do not run SAM auth stack in winbind SamLogon
Garming Sam [Wed, 12 Apr 2017 02:12:32 +0000 (14:12 +1200)]
winbindd: Do not run SAM auth stack in winbind SamLogon

pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth4: Add authoritative flag to check_password
Garming Sam [Mon, 3 Apr 2017 03:21:29 +0000 (15:21 +1200)]
auth4: Add authoritative flag to check_password

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agolibads: Decide to have no fallback option
Garming Sam [Tue, 4 Apr 2017 00:42:17 +0000 (12:42 +1200)]
libads: Decide to have no fallback option

Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd_cm: Pass cm_open_connection the need_rw_dc flag
Garming Sam [Mon, 20 Mar 2017 23:24:30 +0000 (12:24 +1300)]
winbindd_cm: Pass cm_open_connection the need_rw_dc flag

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd_cm: Call dcip_check_name even when fetching from cache
Garming Sam [Mon, 20 Mar 2017 22:56:39 +0000 (11:56 +1300)]
winbindd_cm: Call dcip_check_name even when fetching from cache

This is so that we can ensure that the DC is RWDC if required.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name
Garming Sam [Mon, 20 Mar 2017 22:15:13 +0000 (11:15 +1300)]
winbindd_cm: Rename dcip_to_name to the more accurate dcip_check_name

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd_cm: Add new parameter to getdc and find_new_dc calls
Garming Sam [Mon, 20 Mar 2017 04:04:12 +0000 (17:04 +1300)]
winbindd_cm: Add new parameter to getdc and find_new_dc calls

This is to enforce the requirements on the remote DC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agowinbindd_cm: Add new parameter for dcip_to_name
Garming Sam [Mon, 20 Mar 2017 02:56:37 +0000 (15:56 +1300)]
winbindd_cm: Add new parameter for dcip_to_name

This is used to check the appropriateness of the DC given.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agolibads: Check cldap flags in libads/ldap
Garming Sam [Mon, 20 Mar 2017 02:37:12 +0000 (15:37 +1300)]
libads: Check cldap flags in libads/ldap

Pass down request flags and check they are respected with the response
flags. Otherwise, error out and pretend the connection never happened.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests/password_lockout: Remove unused users from base
Garming Sam [Tue, 25 Apr 2017 22:39:09 +0000 (10:39 +1200)]
tests/password_lockout: Remove unused users from base

They take extra time to set-up...

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamba-tool/spn: Add a missing newline to error message
Garming Sam [Mon, 10 Apr 2017 02:40:20 +0000 (14:40 +1200)]
samba-tool/spn: Add a missing newline to error message

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoctdb-tools: Always exit with positive return value
Amitay Isaacs [Tue, 7 Mar 2017 05:44:08 +0000 (16:44 +1100)]
ctdb-tools: Always exit with positive return value

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue May 30 08:05:56 CEST 2017 on sn-devel-144

2 years agoctdb-eventd: Avoid passing NULL pointer to printf( %s )
Amitay Isaacs [Mon, 29 May 2017 02:36:11 +0000 (12:36 +1000)]
ctdb-eventd: Avoid passing NULL pointer to printf( %s )

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-eventd: Use run_event abstraction
Amitay Isaacs [Mon, 27 Feb 2017 04:00:42 +0000 (15:00 +1100)]
ctdb-eventd: Use run_event abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-common: Add run_event abstraction
Amitay Isaacs [Thu, 23 Feb 2017 07:40:48 +0000 (18:40 +1100)]
ctdb-common: Add run_event abstraction

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agoctdb-common: Update run_proc api to re-assign stdin
Amitay Isaacs [Fri, 5 May 2017 16:47:00 +0000 (02:47 +1000)]
ctdb-common: Update run_proc api to re-assign stdin

This allows to pass data to a child process via stdin.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2 years agos4/torture: add a leases test with stat open
Ralph Boehme [Fri, 26 May 2017 13:42:46 +0000 (15:42 +0200)]
s4/torture: add a leases test with stat open

This test passes against Windows 2016 but currently fails against Samba
for some reason. The test does the following:

1. A stat open on a file, then
2. a second open with a RWH-lease request

Windows grants a RWH-lease in step 2, while Samba only grants a
R-lease. Go figure...

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144

2 years agos4/torture: test for bug 12798
Ralph Boehme [Fri, 26 May 2017 13:35:54 +0000 (15:35 +0200)]
s4/torture: test for bug 12798

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12798

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/smbd: fix exclusive lease optimisation
Ralph Boehme [Fri, 26 May 2017 09:57:08 +0000 (11:57 +0200)]
s3/smbd: fix exclusive lease optimisation

We need to expect any amount of "stat" opens on the file without
triggering an assert.

This is the correct fix for bug #11844. I guess we haven't seens this
very often before bug #12766 got fixed, because most clients were using
LEASES instead of OPLOCKS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12798

See also:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11844
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12766

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3/locking: make find_share_mode_entry public
Ralph Boehme [Fri, 26 May 2017 09:35:52 +0000 (11:35 +0200)]
s3/locking: make find_share_mode_entry public

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12798

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2 years agos3: VFS: Fruit. Move to using struct smb_filename instead of char * paths.
Jeremy Allison [Thu, 25 May 2017 18:38:26 +0000 (11:38 -0700)]
s3: VFS: Fruit. Move to using struct smb_filename instead of char * paths.

Cleans up and removes some code.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri May 26 20:53:02 CEST 2017 on sn-devel-144

2 years agos3: VFS: Catia: Ensure path name is also converted.
Jeremy Allison [Wed, 24 May 2017 18:45:35 +0000 (11:45 -0700)]
s3: VFS: Catia: Ensure path name is also converted.

https://bugzilla.samba.org/show_bug.cgi?id=12804

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2 years agoRevert "param: Add 'mit kdc config' option to smb.conf"
Andreas Schneider [Tue, 9 May 2017 06:01:12 +0000 (08:01 +0200)]
Revert "param: Add 'mit kdc config' option to smb.conf"

This reverts commit eaaf5ce66e32d05b0a649619986d67ab6176a27a.

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 26 15:28:40 CEST 2017 on sn-devel-144

2 years agopython: Create the kdc.conf in the Samba private directory
Andreas Schneider [Wed, 3 May 2017 07:19:38 +0000 (09:19 +0200)]
python: Create the kdc.conf in the Samba private directory

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopython: Do not use the glue code directly
Andreas Schneider [Wed, 3 May 2017 07:04:45 +0000 (09:04 +0200)]
python: Do not use the glue code directly

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoctdb-tests: Add some extra tests for "ctdb nodestatus"
Martin Schwenke [Wed, 24 May 2017 10:21:55 +0000 (20:21 +1000)]
ctdb-tests: Add some extra tests for "ctdb nodestatus"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12802

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri May 26 05:24:34 CEST 2017 on sn-devel-144

2 years agoctdb-tools: "ctdb nodestatus" should only display header for "all"
Martin Schwenke [Wed, 24 May 2017 10:27:58 +0000 (20:27 +1000)]
ctdb-tools: "ctdb nodestatus" should only display header for "all"

The "Number of nodes:" header should only be displayed when "all" is
specified.  This is how the command behaved in Samba <= 4.4.

Printing the number of nodes is not helpful and is rather confusing in
the default case where only the status of the current node is printed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12802

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agoctdb-tools: Stop "ctdb nodestatus" from always showing all nodes
Martin Schwenke [Wed, 24 May 2017 10:24:54 +0000 (20:24 +1000)]
ctdb-tools: Stop "ctdb nodestatus" from always showing all nodes

Exit code should only reflect current or specified nodes too.

Drop an unwanted call to get_nodemap() that overwrites the previously
calculated node map.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12802

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
2 years agolibnet join: Fix error handling on provision_store_self_join failure
Gary Lockyer [Tue, 23 May 2017 02:11:35 +0000 (14:11 +1200)]
libnet join: Fix error handling on provision_store_self_join failure

This avoids leaving the error string NULL.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 25 06:28:02 CEST 2017 on sn-devel-144

2 years agosource4/provision: fix talloc_steal on unallocated memory
Gary Lockyer [Tue, 23 May 2017 02:13:14 +0000 (14:13 +1200)]
source4/provision: fix talloc_steal on unallocated memory

The caller will steal *error_string on failure, if it
is not NULL.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests net_join: use private secrets database.
Gary Lockyer [Tue, 23 May 2017 01:03:03 +0000 (13:03 +1200)]
tests net_join: use private secrets database.

Tests were leaving entries in the secrets database that caused
subsequent test cases to fail.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosource4 rpc: binding.c enable DCERPC_SCHANNEL_AUTO for schannel connections
Gary Lockyer [Wed, 26 Apr 2017 19:12:34 +0000 (07:12 +1200)]
source4 rpc: binding.c enable DCERPC_SCHANNEL_AUTO for schannel connections

Enable the DCERPC_SCHANNEL_AUTO option in dceprc bindings. If not enabled
calls to netlogon.netlogon from python fail with NT_STATUS_DOWNGRADE_DETECTED
if schannel bindings are specified.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

2 years agoauth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
Gary Lockyer [Fri, 28 Apr 2017 01:14:16 +0000 (13:14 +1200)]
auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call

The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth pycredentials: correct docstring of get_ntlm_response method
Gary Lockyer [Fri, 28 Apr 2017 01:13:28 +0000 (13:13 +1200)]
auth pycredentials: correct docstring of get_ntlm_response method

Fix copy paste error was incorrectly named "get_ntlm_username_domain"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoauth_log: Add test that execises the SamLogon python bindings
Gary Lockyer [Thu, 27 Apr 2017 22:16:39 +0000 (10:16 +1200)]
auth_log: Add test that execises the SamLogon python bindings

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests password_hash: Add ldap based tests for WDigest
Gary Lockyer [Sun, 21 May 2017 21:49:17 +0000 (09:49 +1200)]
tests password_hash: Add ldap based tests for WDigest

Add tests of the WDigest values using ldap.  This allows the tests to be
run against Windows, to validate the calculated values.

Tests validated against Windows Server 2012 R2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopynet: Add a hook to decrypt one attribute
Andrew Bartlett [Wed, 17 May 2017 05:05:13 +0000 (17:05 +1200)]
pynet: Add a hook to decrypt one attribute

This will help with testing GetNCChanges and supplementalCredentials against Windows in Python

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2 years agotests password_hash: update array indexes for readabliity
Gary Lockyer [Thu, 18 May 2017 02:38:37 +0000 (14:38 +1200)]
tests password_hash: update array indexes for readabliity

Use an n-1 pattern in the indexes to the digest array to simplify checking
against the documentation and samba-tool user tests.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamba-tool add support for userPassword
Gary Lockyer [Mon, 15 May 2017 00:19:22 +0000 (12:19 +1200)]
samba-tool add support for userPassword

Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
  1) If a value exists in 'Primary:userPassword' with
     the specified number of rounds it is returned.
  2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
     '--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
  3) Return the first {CRYPT} value in 'Primary:userPassword' with a
     matching algorithm

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamba-tool tests: add tests for userPassword
Gary Lockyer [Mon, 15 May 2017 00:20:58 +0000 (12:20 +1200)]
samba-tool tests: add tests for userPassword

Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agopassword_hash: generate and store Primary:userPassword
Gary Lockyer [Tue, 4 Apr 2017 04:05:08 +0000 (16:05 +1200)]
password_hash: generate and store Primary:userPassword

Generate sha256 and sha512 password hashes and store them in
supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests password_hash: add tests for Primary:userPassword
Gary Lockyer [Tue, 11 Apr 2017 21:12:56 +0000 (09:12 +1200)]
tests password_hash: add tests for Primary:userPassword

    Add tests to verify the generation and storage of sha256 and sha512
    password hashes in suplementalCredentials Primary:userPassword

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agodocs: configuration options for extra password hashes
Gary Lockyer [Tue, 9 May 2017 02:38:06 +0000 (14:38 +1200)]
docs: configuration options for extra password hashes

Add the configuration options for the generation and storage of crypt()
based sha256 and sha512 password hashes in supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests password_hash: fix white space issues
Gary Lockyer [Tue, 11 Apr 2017 21:09:27 +0000 (09:09 +1200)]
tests password_hash: fix white space issues

Clean up white space issues in password_hash.py

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agotests password_hash: remove unused import
Gary Lockyer [Tue, 11 Apr 2017 21:08:24 +0000 (09:08 +1200)]
tests password_hash: remove unused import

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agoidl drsblobs: add the blobs required for Primary:userPassword
Gary Lockyer [Tue, 4 Apr 2017 04:00:20 +0000 (16:00 +1200)]
idl drsblobs: add the blobs required for Primary:userPassword

Add the blobs required to allow the storing of an sha256 or sha512 hash of
the password in supplemental credentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2 years agosamba-tool user: add rounds option to virtualCryptSHAxxx
Gary Lockyer [Mon, 8 May 2017 23:20:15 +0000 (11:20 +1200)]
samba-tool user: add rounds option to virtualCryptSHAxxx

Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.

i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>