1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

505 Commits

Author SHA1 Message Date
Ralph Boehme
08a6ae4419 selftest: test vfs_nfs4acl_xattr with NFS 4.1 ACLs
Only tests with "nfs4:mode = simple" as mode special is supposed to be
broken anyway and simple is recommended.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
12f4263b28 selftest: add explicit default NFS4 acl version
This is the current default, just make it explicit. A subsequent commit
will bump the default to 4.1.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
d4d7e38bf6 vfs_nfs4acl_xattr: fsp->fh->fd can legally be -1
We only open the underlying file if the open access mode contains

FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
7f62b16a12 vfs_nfs4acl_xattr: modernize ACL inheritance
This changes the way ACL inheritance is achieved in this
module.

Previously the module recursed to the next parent directory until the
share root was reached or a directory with an ACL xattr. If the share
root didn't contain an ACL xattr either a default ACL would be used.

This commit removed this recursive scanning and replaces it with the
same mechanism used by vfs_acl_xattr: by setting "inherit acls = yes"
just let smbd do the heavy lefting and inheritance.

For any file without ACL xattr we still synthesize a default ACL,
leveraging the existing default ACL function used by vfs_acl_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
f3f119e456 selftest: split out failing owner related subtest from samba3.raw.acls.create_file|dir
All the other subtests in samba3.raw.acls.create_file|dir pass with
nfs4acl_xattr, it's just the subtest that tries to set the owner which
fails with everything else then acl_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:07 +01:00
Tim Beale
8c56aa2c91 selftest: Rename ntlmauth tests to ntlmdisabled
There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Tim Beale
1a1c4ad71c selftest: Add new AD DC testenv with NTLM disabled
This is so that we test the source4 case as well. Currently the only
testenv with NTLM disabled is ktest, and that only exercises the source3
code.

I've tried to support the new test environment with minimal changes to the
Samba4.pm setup code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Christof Schmitt
3a360f552d selftest: Also run smbtorture smb2.compound with aio enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13047

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 22 09:49:30 CEST 2017 on sn-devel-144
2017-09-22 09:49:30 +02:00
Stefan Metzmacher
615b0d83d0 winbindd: as DC we should try to get the target_domain from @SOMETHING part of the username in wb_irpc_SamLogon()
We still need a full routing table including all upn suffixes,
but this is a start to support NTLM authentication using user@REALM
against structed domains.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
b88f9384b0 s4:auth/ntlmssp: add support for using "winbind" as DC
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Christof Schmitt
ffee37c243 torture: Add sharemode tests for SMB2
There are two pieces: Test access with different sharemodes through SMB
and verify access, and also provide tests that can be used with file
systems enforcing share modes outside of Samba.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 26 09:30:31 CEST 2017 on sn-devel-144
2017-07-26 09:30:31 +02:00
Bob Campbell
eb2e77970e samdb/cracknames: support user and service principal as desired format
This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

This also causes the test in cracknames.py to no longer fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144
2017-07-24 11:10:26 +02:00
Bob Campbell
4779afe0d2 python/tests: add python test for cracknames
This fails due the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-24 07:14:10 +02:00
Tim Beale
4e04f025a0 selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
2017-07-21 13:54:35 +02:00
Tim Beale
831861ecf9 selftest: Disable NTLM authentication in ktest environment
This allows us to prove that "ntlm auth = disabled" works

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:21 +02:00
Andrew Bartlett
e23e8d9ff9 s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past.  Therefore
reduce the attack surface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Ralph Boehme
492930779a s4/torture: test fetching a resume key twice
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-03 19:59:08 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
452170db2c tests/rodc: Check SID restriction for SendToSam
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
f40fdaea7f rodc: Set non-authoritative for RODC bad passwords
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
44b0ebefb2 tests/rodc: Test for NTLM wrong password forwarding
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
2368f57b4d winbindd: Do not run SAM auth stack in winbind SamLogon
pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Ralph Boehme
15367ce4b4 s4/torture: add a leases test with stat open
This test passes against Windows 2016 but currently fails against Samba
for some reason. The test does the following:

1. A stat open on a file, then
2. a second open with a RWH-lease request

Windows grants a RWH-lease in step 2, while Samba only grants a
R-lease. Go figure...

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144
2017-05-28 18:52:52 +02:00
Gary Lockyer
610919e5e6 auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
68ccebfa59 auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
b14bb68417 samba-tool add support for userPassword
Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
  1) If a value exists in 'Primary:userPassword' with
     the specified number of rounds it is returned.
  2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
     '--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
  3) Return the first {CRYPT} value in 'Primary:userPassword' with a
     matching algorithm

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
8a5308bea0 samba-tool tests: add tests for userPassword
Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
4b49e18c14 password_hash: generate and store Primary:userPassword
Generate sha256 and sha512 password hashes and store them in
supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
de5299d155 tests password_hash: add tests for Primary:userPassword
Add tests to verify the generation and storage of sha256 and sha512
    password hashes in suplementalCredentials Primary:userPassword

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d4bc91a964 samba-tool user: add rounds option to virtualCryptSHAxxx
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.

i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d51253609d samba-tool tests: Tests for virtualCryptSHAxxx rounds
Add tests to for the new rounds option for the virtualCryptSHA256 and
virtualCryptSHA512 attributes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
3bcd384dcf samba-tool user: Support for virtualWDigest attributes
Add new virtualWDigest attributes, these return the hashes stored in
supplementalCredentials Primary:WDigest, in a form suitable for
htdigest authentication

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Gary Lockyer
81312ba4e2 samba-tool user: Tests for virtualWDigest attributes
Add tests for the new virtualWDigest attributes, these return the hashes
stored in supplementalCredentials Primary:WDigest in a form suitable for
use with htdigest authentication.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Ralph Boehme
6211eb1462 s4/torture: smb2.ioctl: add copy-chunk test with stream to smb2.ioctl
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12787

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-05-17 23:02:09 +02:00
Gary Lockyer
aa43d0d81b source3 smdb: fix null pointer dereference
Fix the null pointer dereference in smbd, introduced in the auth logging
changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr 28 07:18:54 CEST 2017 on sn-devel-144
2017-04-28 07:18:54 +02:00
Gary Lockyer
85e98d2a31 source3 smbd: tests for null pointer dereference
Test case to replicate null pointer dereference in smbd, introduced in
the auth logging changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-28 03:18:23 +02:00
Garming Sam
94256c9606 password-lockout: Allow RODC to ensure lockout and lockout reset
Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Garming Sam
613d9e234e password_lockout: Tests against RODC (once preloaded)
In this scenario, both the login server and the verification server are
the RODC. This tests that a user is locked out correctly once the
lockout limit is reached and they are also unlocked correctly when the
lockout time period expires.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:17 +02:00
Garming Sam
f4170a49fb tests/rodc: Add a number of tests for RODC-RWDC interaction
This tests password fallback to RWDC in preloaded and non-preloaded
cases. It also tests some basic scenarios around what things are
replicated between the two DCs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-04-13 07:29:17 +02:00
Garming Sam
b3ba0c85ff rodc: Force all RODC add and delete to cause a referral
Previously, you could add or delete and cause replication conflicts on
an RODC. Modifies are already partly restricted in repl_meta_data and
have more specific requirements, so they cannot be handled here.

We still differ against Windows for modifies of non-replicated
attributes over LDAP.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
2017-04-13 07:29:17 +02:00
Garming Sam
63a8376b6b selftest: Add ldap rodc python test
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
2017-04-13 07:29:16 +02:00
Ralph Boehme
a58b54a334 libcli/security: fix dom_sid_in_domain()
Ensure the SID has exactly one component more then the domain SID, eg

Domain SID: S-1-5-21-1-2-3
SID:        S-1-5-21-1-2-3-4

This will return true. If the SID has more components, eg

SID: S-1-5-21-1-2-3-4-5, or
SID: S-1-5-21-1-2-3-4-5-6-7-8

dom_sid_in_domain() must return false.

This was verified against Windows:

     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000002 (2)
                        domains                  : *
                            domains: ARRAY(2)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'BUILTIN'
                                    sid                      : *
                                        sid                      : S-1-5-32
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x0012 (18)
                                        size                     : 0x0014 (20)
                                        string                   : *
                                            string                   : 'W4EDOM-L4'
                                    sid                      : *
                                        sid                      : S-1-5-21-278041429-3399921908-1452754838
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000004 (4)
                    names                    : *
                        names: ARRAY(4)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x001a (26)
                                    size                     : 0x001a (26)
                                    string                   : *
                                        string                   : 'Administrator'
                                sid_index                : 0x00000001 (1)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x005c (92)
                                    size                     : 0x005e (94)
                                    string                   : *
                                        string                   : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                sid_index                : 0xffffffff (4294967295)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_ALIAS (4)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001c (28)
                                    string                   : *
                                        string                   : 'Administrators'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001e (30)
                                    string                   : *
                                        string                   : 'S-1-5-32-544-9'
                                sid_index                : 0xffffffff (4294967295)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : STATUS_SOME_UNMAPPED

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Stefan Metzmacher
236b24dfd2 auth4: avoid map_user_info() in auth_check_password_send()
The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
3caca9b7fb s4:selftest: run test_trust_ntlm.sh against various environments
This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.

Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.

If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Ralph Boehme
8b32fc4006 winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  1 21:18:59 CEST 2017 on sn-devel-144
2017-04-01 21:18:59 +02:00
Ralph Boehme
6b7a14b4b9 winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-01 17:33:14 +02:00
Andrew Bartlett
008843463f samr: Add logging of password change success and failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Gary Lockyer
a70e944c80 auth log tests: password change tests
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
f498ba77df heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config->db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
7cbe1c844e s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
This is triggered in the ncacn_np pass-though case in particular

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Gary Lockyer
4c9d69f82a s4-ntvfs: Correct mixup between local/remote addresses
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
b661e818b6 selftest: Turn on auth event notification and so allow tests to pass
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
3ee82de26d auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Volker Lendecke
e92a20781c server_id_db: Protect against non-0-terminated data records
Remove the failing test from knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
0c25c40315 selftest: Test server_id database add and removal
This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
a47a8e41bd samba-tool: Ensure that samba-tool processes --name=not-existing does not error
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
f21c17c6d0 selftest: Add more tests for "samba-tool processes"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
84204e9716 selftest: Add more RODC tests to avoid regressions here
This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-27 20:08:18 +02:00
Garming Sam
6bbcd3bbd8 dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
6b2425343b getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
f869da8161 tests/repl_rodc: Test the direct allow/deny attribute works
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
4b4a4c1063 getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
2cb251353c tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
a9e3830473 getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Bob Campbell
325f8e88c5 python/tests: Add repl_rodc test
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Ralph Boehme
53e9c2b65d s4/torture: add a creditting test skipping a SMB2 MID
This tests that skipping a SMB2 MID the client's usable MID window is

[unused mid, unused mid + 8192]

The test currently fails against Samba as we only grant up to 512
credits. It passes against Windows 2016 as that grants up to 8192
credits by default.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  4 01:54:07 CET 2017 on sn-devel-144
2017-03-04 01:54:07 +01:00
Ralph Boehme
b668c300bf s4/torture: add some SMB2 crediting tests
These tests verify that a server grants at least 8192 credits in a
successfull session setup and in a single SMB2 request. Both tests pass
against Windows 2016 Server but currently fail against Samba.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-03 21:55:27 +01:00
Garming Sam
0a7c6b5656 dbchecker: Stop ignoring linked cases where both objects are alive
Previously, this did nothing and the code was both untested and unused.

Removes the knownfail entry for dbcheck.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
2017-02-23 23:58:21 +01:00
Garming Sam
86f10eaecd tests/dbcheck: Add a test for two live objects, with a dangling backlink
Adds dbcheck 4.5.0pre1 to the knownfail, to be removed later.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
2017-02-23 23:58:21 +01:00
Andrew Bartlett
4f558c9ad6 repl_meta_data: Remove the correct forward link for dn+binary attributes
The previous code assumed that only plain DNs could be linked attributes.

We need to look over the list of attribute values and find the value
that causes this particular backlink to exist, so we can remove it.

We do not know (until we search) of the binary portion, so we must
search over all the attribute values at this layer, using the
parsed_dn_find() routine used elsewhere in this code.

Found attempting to demote an RODC in a clone of a Windows 2012R2
domain, due to the msDS-RevealedUsers attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 14 06:14:35 CET 2017 on sn-devel-144
2017-02-14 06:14:35 +01:00
Bob Campbell
1c16e8abd2 torture/drs: Add a test for dn+binary linked attributes
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
2017-02-14 02:20:07 +01:00
Stefan Metzmacher
e935a04afb getncchanges: only set nc_{object,linked_attributes}_count with DRSUAPI_DRS_GET_NC_SIZE
The main change is that we return 0 values if DRSUAPI_DRS_GET_NC_SIZE is not
present in order to get the same result as a Windows server in that case.

If DRSUAPI_DRS_GET_NC_SIZE is return the number of links we found so far
during the cycle in addition the number of objects returned in this cycle.
Both values doesn't match what Windows returns, but doing that
correctly and efficient is a task for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
41bc007d49 torture/drs: remove pointless nc_object_count replication checks in test_link_utdv_hwm()
nc_object_count and nc_linked_attributes_count are only filled if
DRSUAPI_DRS_GET_NC_SIZE is requested. And they should contain
the total number. This is only useful for the initial replication.

Samba ignores DRSUAPI_DRS_GET_NC_SIZE currently but that will change in
the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Ralph Boehme
326765923f s3/smbd: check for invalid access_mask smbd_calculate_access_mask()
This makes us pass "base.createx_access".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 22:46:13 +01:00
Ralph Boehme
a3781d1cfe selftest: also run test base.createx_access against ad_dc
Fails currently, will be made to work in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 22:46:13 +01:00
Garming Sam
c94f824170 getncchanges: use the uptodateness_vector to filter links to replicate
This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144
2016-12-21 04:37:54 +01:00
Bob Campbell
5631421143 torture/drs: test link replication with hwm and utdv
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-21 00:47:25 +01:00
Andrew Bartlett
b6fa384471 selftest: test new "lsa over netlogon" smb.conf option
This proves we can act like Windows and over lsarpc over netlogon if we want

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 15 12:11:09 CET 2016 on sn-devel-144
2016-12-15 12:11:09 +01:00
Andrew Bartlett
fee6bb7ca6 idl: Do not listen for lsarpc on \\pipe\netlogon
This prevents making the netlogon process multi-threaded.

This works on Windows becuase NETLOGON is part of lsad

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:11 +01:00
Andrew Bartlett
ecb1f569d7 torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
This test confirms that the challenge set up is available
after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED
check.

This is needed for NetApp ONTAP member servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-14 11:55:18 +01:00
Douglas Bagnall
91d5ea2ae9 librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing
GUID_from_data_blob() was relying on sscanf to parse strings, which was
slow and quite accepting of invalid GUIDs. Instead we directly read a
fixed number of hex bytes for each field.

This now passes the samba4.local.ndr.*.guid_from_string_invalid tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Dec 14 08:55:42 CET 2016 on sn-devel-144
2016-12-14 08:55:42 +01:00
Douglas Bagnall
6c9a185be2 s4-torture: better, failing, tests for GUID_from_string
These tests reveal that the current implementation accepts all kinds
of invalid GUIDs. In particular, we fail on these ones:

 "00000001-0002-0003-0405--060708090a0"
 "-0000001-0002-0003-0405-060708090a0b"
 "-0000001-0002-0003-04-5-060708090a0b"
 "d0000001-0002-0003-0405-060708090a-b"
 "00000001-  -2-0003-0405-060708090a0b"
 "00000001-0002-0003-0405- 060708090a0"
 "0x000001-0002-0003-0405-060708090a0b"
 "00000001-0x02-0x03-0405-060708090a0b"

This test is added to selftest/knownfail.

The test for valid string GUIDs is extended to test upper and mixed case
GUIDs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-14 05:02:24 +01:00
Bob Campbell
4408df2493 dnsserver: add dns name checking
This may also prevent deletion of existing corrupted records through
DNS, but should be resolvable through RPC, or at worst LDAP.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 05:00:18 +01:00
Garming Sam
3ba40f6eb1 tests/dnsserver: Check security descriptors
These tests discover that there are some discrepancies between Windows and Samba.
Although there are failures, they do not appear to be critical, however
some of the SD differences will be important for 2012 support.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Bob Campbell
30faba750f samba-tool/dns: remove use of dns_record_match from add and delete
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Bob Campbell
64a3825765 python/tests: expand tests for dns server over rpc
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Bob Campbell
b9c99a3483 python/tests: add tests for samba-tool dns
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Andrew Bartlett
c503ca302d join.py: Attempt to allocate a RID Set during the join
If we are joining the RID Manager, then we should get a RID Set, but
otherwise we should accept failure with the right error code

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-12-01 05:54:21 +01:00
Andrew Bartlett
f051e5bf00 dbcheck: Be more careful with link checks
Here we are more careful when checking links, flagging errors only
when a non-deleted forward link appears incorrect.  In particular, we
trust the GUID more than we trust the name, as otherwise we can get
caught out if there is a swap of names, (the link should follow the
swap, staying on the same target GUID).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12297
2016-11-22 02:10:16 +01:00
Andrew Bartlett
8315d4d03a selftest: Add test for link and deleted link behaviour in dbcheck
The other dbcheck tests were getting over-complex, so we start a new test
here based on tombestone-expunge.sh, as we are looking at very similar
problems

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12297
2016-11-22 02:10:16 +01:00
Garming Sam
815658d2db samba_tool/fsmo: Allocate RID Set when seizing RID manager
Seizing the role without allocating a RID set for itself is likely prone
to cause issues.

Pair-programmed-with: Clive Ferreira <cliveferreira@catalyst.net.nz>

Signed-off-by: Clive Ferreira <cliveferreira@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri Nov  4 08:37:05 CET 2016 on sn-devel-144
2016-11-04 08:37:04 +01:00
Clive Ferreira
7fd5be535a dbcheck: confirm RID Set presence and consistency
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954
2016-11-04 04:41:19 +01:00
Garming Sam
1b40bb69d1 tests/ridalloc_exop: Add a new suite of tests for RID allocation
This moves some tests from getnc_exop.py regarding RID sets as well as
adding new tests for actions on join.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9954

Pair-programmed-with: Clive Ferreira <cliveferreira@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samaba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Clive Ferreira <cliveferreira@catalyst.net.nz>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-11-04 04:41:18 +01:00
Garming Sam
ef7e46d68a collect_tombstones: Allow links to recycled objects to be deleted
The reason we choose to provide the string DN is because extended_dn_in
will try to correct the <GUID=...> by searching on it (despite the fact
it does not exist and then failing on a ldb_dn_validate in
objectclass_attrs).

We can now also remove the dangling link test from the knownfail.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12385

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  3 01:46:43 CET 2016 on sn-devel-144
2016-11-03 01:46:43 +01:00
Garming Sam
dba624364c tombstones-expunge: Add a test for deleting links to recycled objects
Currently this fails because we rely on a GUID DN, which fails to
resolve in the case that the GUID no longer exists in the database (i.e.
when that object has been purged after 6 months).

The tests use a made up extended DN built from fred where the GUID has
been tweaked.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12385
2016-11-02 21:58:24 +01:00
Clive Ferreira
79dd22aacb objectclass_attrs: Only abort on a missing attribute when an attribute is both MUST and replicated
If an attribute is not replicated or constructed, it is quite normal for
it to be missing. This is the case with both rIDNextRid and
rIDPreviousAllocationPool. This currently prevents us switching the RID
master. On Windows, missing this attribute does not cause any problems
for the RID manager.

We may now remove the knownfail entry added earlier.

Signed-off-by: Clive Ferreira <cliveferreira@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12394

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Nov  2 01:28:44 CET 2016 on sn-devel-144
2016-11-02 01:28:44 +01:00
Bob Campbell
37aa11ce5b tests/getnc_exop: Improve the ridalloc test by performing an alloc against a new master
Currently we fail against ourselves due to rIDNextRid and
rIDPreviousAllocationPool normally being unset, despite being mandatory
attributes (being the only attributes in this situation).

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Clive Ferreira <cliveferreira@catalyst.net.nz>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12394
2016-11-01 21:39:19 +01:00
Stefan Metzmacher
ff947f2765 s4:selftest: run rpc.echo with an object based binding string
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:18 +02:00
Stefan Metzmacher
6d70989c5c python/tests: add presentation context related tests to dcerpc raw protocol tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:14 +02:00
Stefan Metzmacher
450e00a8a7 s4:rpc_server: it's not a protocol error to do an alter context with an unknown transfer syntax
Windows 2012R2 only returns a protocol error if the client wants to change
between supported transfer syntaxes, e.g. from NDR32 to NDR64.

If the proposed transfer syntax is not known to the server,
the request will be silently ignored.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:14 +02:00
Uri Simchoni
3f82db56cb smbd: in ntlm auth, do not map empty domain in case of \user@realm
When mapping user and domain during NTLM authentication, an empty domain
is mapped to the local SAM db. However, an empty domain may legitimately
be used if the user field has both user and domain in upn@realm format.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12375

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-25 01:46:23 +02:00
Uri Simchoni
6e4c66e339 selftest: test NTLM user@realm authentication
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-10-25 01:46:23 +02:00
David Disseldorp
f6f6263f1f torture/ioctl: test compression responses when unsupported
Confirm that Samba matches Windows Server 2016 ReFS behaviour here.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12144

Reported-by: Nick Barrett
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct  6 06:14:34 CEST 2016 on sn-devel-144
2016-10-06 06:14:34 +02:00
Günther Deschner
bed0d84550 s4-torture: add test for spoolss_LogJobInfoForBranchOffice
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 19:57:25 +02:00
Andreas Schneider
5ae447e102 testprogs: Test only what the Heimdal kpasswd test should test
The test_password_settings.sh test does test using different password
settings and is not specific to the kpasswd implementation. This
test tests the kpasswd service.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Garming Sam
1a96f9329e getncchanges: Compute the partial attribute set from the remote schema
This doesn't fix the partialAttrSetEx case, so the test is left in the
knownfail file.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-25 10:32:09 +02:00
Uri Simchoni
f41f439335 vfs_shadow_copy: handle non-existant files and wildcards
During path checking, the vfs connectpath_fn is called to
determine the share's root, relative to the file being
queried (for example, in snapshot file this may be other
than the share's "usual" root directory). connectpath_fn
must be able to answer this question even if the path does
not exist and its parent does exist. The convention in this
case is that this refers to a yet-uncreated file under the parent
and all queries are relative to the parent.

This also serves as a workaround for the case where connectpath_fn
has to handle wildcards, as with the case of SMB1 trans2 findfirst.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12172

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 25 05:35:29 CEST 2016 on sn-devel-144
2016-08-25 05:35:29 +02:00
Uri Simchoni
22c3982100 selftest: test listing directories inside snapshots
Verify that directories are also listable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12172

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-25 01:38:28 +02:00
Günther Deschner
e99c8b34fe s4-torture: add test for spoolss_GetPrinterDriverPackagePath().
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-23 01:06:25 +02:00
Günther Deschner
54eafcaa12 s4-torture: add test for spoolss_CorePrinterDriver().
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-08-23 01:06:24 +02:00
Uri Simchoni
a6073e6130 smbd: allow reading files based on FILE_EXECUTE access right
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Aug 18 18:58:22 CEST 2016 on sn-devel-144
2016-08-18 18:58:22 +02:00
Uri Simchoni
5bf11f6f5b s4-smbtorture: pin copychunk exec right behavior
Add tests that show copychunk behavior when the
source and dest handles have execute right instead
of read-data right.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2016-08-16 11:31:27 +02:00
Uri Simchoni
55a9d35cab s4-selftest: add test for read access check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12149

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2016-08-16 11:31:27 +02:00
Garming Sam
192e54c91d rpc_server/drsuapi: Don't set msDS_IntId as attid for linked attributes if schema
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:10 +02:00
Garming Sam
0555443213 msds_intid: Add test for schema linked attributes
This test only covers the forward link case.

NOTE: We can't confirm this against Windows because they prevent us from
modifying the schema for the schema classes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:10 +02:00
Evgeny Sinelnikov
032fc2762e rpc_server/drsuapi: Set msDS_IntId as attid for linked attributes if exists
We got WERR_DS_DRA_SCHEMA_MISMATCH for linked attributes with 8418 error for
extended attributes when using same attid as attribute object.

Signed-off-by: Evgeny Sinelnikov <sin@altlinux.ru>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:09 +02:00
Garming Sam
e0b6d6bb10 msds_intid: Add test for (non-schema) linked attributes
Prior to this, none of the linked attributes would be checked for their
ids.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-28 10:06:09 +02:00
Stefan Metzmacher
162c1f85bf selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-22 16:03:26 +02:00
Garming Sam
3eb7fab04b dbcheck: Add a rule regarding replica locations
This fixes any RW DCs with repsFrom without the corresponding link. On
any RODC, this just reports an error (and doesn't fix it).

(the knownfail entry is also now removed)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:08 +02:00
Garming Sam
56771ec6d0 dbcheck/release-4-1-0rc3: Add a check regarding replica locations
This DC has repsFrom for the DNS partitions, but not the corresponding
link. This ensures that dbcheck has fixed them up. This will currently
fail without the actual changes to dbcheck coming in the following
commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9200

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-21 06:37:08 +02:00
Garming Sam
31ffe97178 extended_dn_out: Force showing of one-way links if they exist
Signed-off-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:29 +02:00
Garming Sam
00e828a8a8 link_attrs: Add tests for one way links (and pseudo one-way)
Tested against Win2012R2. The deactivated link control has no effect on either
one way links or pseudo ones (only two-way ones presumably).

Signed-off-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-07-15 10:01:29 +02:00
Andrew Bartlett
89e67e309a Revert selftest: Add knownfail entry required to disable tombstone_reanimation
This reverts e0fa42201b

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jul  9 18:41:40 CEST 2016 on sn-devel-144
2016-07-09 18:41:40 +02:00
Andreas Schneider
860d465e2b s4-torture: Add AES and RC4 enctype checks
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  6 19:06:19 CEST 2016 on sn-devel-144
2016-07-06 19:06:18 +02:00
Andreas Schneider
1be45ab4d5 selftest: Skip the samba4.raw.eas tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
9da97e5572 selftest: Skip also s4 base.createx_sharemodes_dir
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
bba66ca459 selftest: Remove samba4.smb2.compound tests we skip
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
82f0c72c39 selftest: Remove samba4 delaywrite tests we skip
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
32d10fd77b selftest: Skip s4 smb2 rename tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
2240aff7ed selftest: Skip the Samba4 rap tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
ca0332e901 selftest: Skip smbtorture_s3 tests against ntvfs
This reduces the time our testsuite is running. We are not going to
implement these features so it doesn't make sense to run the test at
all. More will follow.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Jeremy Allison
4db1c7d1cf s3: torture: Add test that proves Win2k12 correctly returns pidlow and pidhigh in SMB1 requests.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-06-18 15:32:18 +02:00
Garming Sam
8dc3110a5f getncchanges: Match Windows on linked attribute sort
The order of linked attributes depends on comparison of the NDR packed
GUIDs (not its struct GUID form).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
2016-06-17 14:13:18 +02:00
Garming Sam
2bb8e183fd tests/drs: change sort order in tests to match Windows
Although we attempted to sort by GUID based on DRSR, it is actually
sorted by the ndr packed GUID.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11960
2016-06-17 14:13:18 +02:00
Uri Simchoni
42151f6fa2 smbd: dfree - ignore quota if not enforced
When calculating free disk space, do not take user quota
into account if quota is globally not enforced on the file
system.

This is meant to fix a specific problem with XFS. One might
say "why don't you fix the XFS-specific code instead?". The
reason for that is that getting and setting quota must not
be affected by whether quota is actually enforced. NTFS has
the same notion of separating quota accounting (and being
able to configure / retrieve configured quota), from quota
enforcement.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11937

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat May 28 00:09:05 CEST 2016 on sn-devel-144
2016-05-28 00:09:05 +02:00
Uri Simchoni
de2d624d07 selftest: add disk-free quota tests
Add a test for situation where quota accounting is enabled
but quota enforcement is disabled (disk-free should not take
quota into account)

Add a test for situation where overall quota status reporting
(whether or not it's enforcing) is not supported - as with NFS.
In that case it must be assumed that if quota is configured, then
it is also enforced (as with NFS).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11937

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-05-27 20:36:06 +02:00
Dirk Godau
1fd7c28d5f Extend DsBind and DsGetDomainControllerInfo to work with w2k8.
W2K8 Clients ask for DRSUAPI_SUPPORTED_EXTENSION_LH_BETA2 on DsBind. W2K8
expect this to be set (with server fl 2k8) or else they do not call
DsGetDomainControllerInfo.

If DRSUAPI_SUPPORTED_EXTENSION_LH_BETA2 is set, DsGetDomainControllerInfo
must be able to return DCInfo Level 3.

If Samba4 AD ist set to work as 2k8, with >2k8 clients the following
will not work as expected:

  * Group Policy Editor Infrastructure Discovery
  * nltest /dclist:<domain>
  * w32tm /monitor

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9971
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9976

Signed-off-by: Dirk Godau <voidswitch@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu May 26 06:21:10 CEST 2016 on sn-devel-144
2016-05-26 06:21:10 +02:00
Dirk Godau
6ded4f5230 drsuapi tests for DsBind with w2k8
These are marked as known_fail pending the next patch ("Extend DsBind
and DsGetDomainControllerInfo to work with w2k8").

Signed-off-by: Dirk Godau <voidswitch@gmail.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-05-26 02:44:31 +02:00
Stefan Metzmacher
6de656b8f1 selftest: use the default values for "server signing"
That will hopefully catch possible regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11910

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue May 24 18:35:19 CEST 2016 on sn-devel-144
2016-05-24 18:35:19 +02:00
Jeremy Allison
1863e6da0a s3: torture: Add POSIX-OFD-LOCK test.
Ensures that we *always* expose ofd-lock behavior to clients.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jeff Layton <jlayton@samba.org>
2016-05-21 01:28:28 +02:00
Garming Sam
2570f16497 tests/dns: Add additional testing of CNAME handling
RFC 1034, for instance, describes that all intermediate CNAMEs should be
returned. As it is, CNAME do not return all found intermediate results
in the case of straightforward failure. It should be noted that in the
case of forwarding success, ALL intermediate paths are returned,
including the failure ones.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-05-03 08:10:09 +02:00
Stefan Metzmacher
b6ac2275c3 CVE-2015-5370: s4:rpc_server: no authentication is indicated by pkt->auth_length == 0
pkt->u.*.auth_info.length is not the correct thing to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
ace23643d1 CVE-2015-5370: s4:librpc/rpc: avoid using dcecli_security->auth_info and use per request values
We now avoid reusing the same auth_info structure for incoming and outgoing
values. We need to make sure that the remote server doesn't overwrite our own
values.

This will trigger some failures with our currently broken server,
which will be fixed in the next commits.

The broken server requires an dcerpc_auth structure with no credentials
in order to do an alter_context request that just creates a presentation
context without doing authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
41bccb5ae5 CVE-2016-2118: s3:rpc_server/{samr,lsa,netlogon}: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Pair-Programmed-With: Günther Deschner <gd@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:28 +02:00
Stefan Metzmacher
398a21c57c CVE-2016-2118: s4:rpc_server/samr: reject DCERPC_AUTH_LEVEL_CONNECT by default
This prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
80dae9afda CVE-2016-2118: s4:rpc_server/drsuapi: require DCERPC_AUTH_LEVEL_PRIVACY
This matches windows and prevents man in the middle downgrade attacks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:27 +02:00
Stefan Metzmacher
942e4ed851 CVE-2016-2113: selftest: test all "tls verify peer" combinations with ldaps
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
2b40fb8509 CVE-2016-2112: s4:selftest: run some ldap test against ad_dc_ntvfs, fl2008r2dc and fl2003dc
We want to test against all "ldap server require strong auth" combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-04-12 19:25:25 +02:00
Stefan Metzmacher
5dccb19801 selftest/Samba3: use the correct "SELFTEST_WINBINDD_SOCKET_DIR" for "net join"
This avoids picking up a gid from the DC's winbind when
creating BUILTIN\Administrators

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 24 22:15:44 CET 2016 on sn-devel-144
2016-03-24 22:15:44 +01:00
Michael Adam
e9586a653c torture:smb2: add durable-v2-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 03:47:02 CET 2016 on sn-devel-144
2016-03-22 03:47:02 +01:00
Michael Adam
3e90abe670 torture:smb2: add durable-open.reopen1a-lease
Lease variant of the reopen1a test which tests the
relevance of the client guid.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:22 +01:00
Günther Deschner
2b799880b9 torture:smb2: add test for checking sequence number wrap around.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-22 00:23:21 +01:00
Stefan Metzmacher
5a397216d4 s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-10 06:52:31 +01:00
Jeremy Allison
841ae4a2e2 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Jeremy Allison
19eb1c9311 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2016-03-10 06:52:23 +01:00
Douglas Bagnall
b797baaa60 Add python server sort tests
The tests are repeated twice: once properly with complex Unicode
strings, and again in a simplified ASCII subset. We only expect Samba
to pass the simplified version. The hard tests are aspirational and
show what Active Directory does.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2016-03-09 10:32:17 +01:00
Michael Adam
2fd54b5332 smbd:smb2: implement create replay
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1b804d6f93 torture:smb2: add smb2.replay.replay-dhv2-lease3
create with a lease, and replay with lease
with a different lease key.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
1c772984c6 torture:smb2: add smb2.replay.replay-oplock-lease
create with an oplock, and replay with a lease.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
2036e1d27b torture:smb2: add smb2.replay.replay-dhv2-lease-oplock
Open with a lease and replay with an oplock.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
6eeabe43a2 torture:smb2: add smb2.replay.replay-dhv2-lease2
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
de678ebcdf torture:smb2: add smb2.replay.replay-dhv2-lease1
This is a variant of the replay-dhv2-oplock1 test for leases
instead of for oplocks.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:24 +01:00
Michael Adam
9ac9d286b4 torture:smb2: split rename2 into multiple tests and extend these
- replay-regular
- replay-dhv2-oplock1
- replay-dhv2-oplock2
- replay-dhv2-oplock3

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Michael Adam
9ebf079b00 torture:smb2: rename replay1 -> replay-commands
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-03-03 13:09:23 +01:00
Adrian Cochrane
594778e580 ldb-samba: Expand testing of recursive search
Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 18 07:49:43 CET 2016 on sn-devel-144
2016-01-18 07:49:43 +01:00
Adrian Cochrane
c505076422 Fix propagation of LDB errors through TDB.
Returning a non-zero value from a tdb_traverse callback indicates that tdb_traverse
should stop traversing the database. This error code IS NOT propagated back to the
caller, so LTDB must record the error otherwise. This patch corrects LTDB for this
misunderstanding.

Naturally exposing these errors changes the behaviour of some tests. This commit fixes
that as well.

Signed-off-by: Adrian Cochrane <adrianc@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-12-04 06:08:29 +01:00
Andrew Bartlett
97577fd088 Add samba4.smb2.create.mkdir-dup(ad_dc_ntvfs) as flapping
This test sometimes succeeds, depending on the build environment.

(Corrects earlier patch to also remove from knownfail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2015-10-26 05:11:22 +01:00
Jeremy Allison
808f29cb2f s4: torture: Add SMB2 access-based enumeration test. Passes against Win2k12R2.
https://bugzilla.samba.org/show_bug.cgi?id=10252

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Oct 14 19:00:03 CEST 2015 on sn-devel-104
2015-10-14 19:00:03 +02:00
Jeremy Allison
969d043596 s4: torture: Test mkdir race condition.
Found by Max of LoadDynamix <adx.forum@gmail.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11486

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Sep 24 06:13:22 CEST 2015 on sn-devel-104
2015-09-24 06:13:22 +02:00
Andrew Bartlett
336d41155e python/tests: Add tests for integer overflow handling
This also documents an issue with our python bindings and lists, as changes to integers in a list
of integers are not preserved

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
dc2d5ccd56 Revert "ldb-samba: Implement transitive extended matching"
This reverts commit 2a22ba34cd.

selftest/knownfail entries are added to ensure 'make test' continues to pass

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-17 17:43:36 +02:00
Andrew Bartlett
e0fa42201b selftest: Add knownfail entry required to disable tombstone_reanimation
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 20 09:21:33 CEST 2015 on sn-devel-104
2015-07-20 09:21:33 +02:00
Stefan Metzmacher
70cea2b85c s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c57fef89e1 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a02300c0c7 s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Andrew Bartlett
c31c30043b s4-winbindd: Remove the winbind rewrite from the samba4 effort
This winbind implementation is undermaintained, out of date and not the
future of even the AD DC, let alone any other purpose.

Removing it will reduce our security and bug exposure on this
off by default subsystem

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 22:34:57 CEST 2015 on sn-devel-104
2015-06-24 22:34:57 +02:00
Andrew Bartlett
db59f9ec73 selftest: Change chgdcpass environment to use winbindd
This allows us to test that winbindd starts up without secrets.tdb, as happens after
a classicupgrade.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 18 00:59:54 CEST 2015 on sn-devel-104
2015-06-18 00:59:54 +02:00
Andrew Bartlett
5bb647b788 selftest: Run winbind tests in chgdcpass environment
This ensures that winbind both starts and operates without a secrets.tdb

(chgdcpass deliberatly removes the secrets.tdb file after provision, like has happend with classicupgrade).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Stefan Metzmacher
a5981d1374 s3:smbd: use STATUS_NOTIFY_CLEANUP when closing a smb2 directory handle
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-06 22:33:19 +02:00
Stefan Metzmacher
9eb64502f0 s3:winbindd: list users/groups of our own domain as AD DC
The AD users/groups of the local domain of an AD DC
only exist via winbindd and not in /etc/passwd or /etc/group.

This also matches the behaviour of the source4/winbind code.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-05-06 01:22:14 +02:00
Andrew Bartlett
4aa2246dd9 selftest: Run more winbind tests against more environments
This ensures we still test the internal winbind on the AD DC
and winbindd as a member server.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-05-06 01:22:14 +02:00
Stefan Metzmacher
419910532f s3:winbindd: don't remove the DOMAIN\ prefix for principals of our own domain as AD DC
This also matches the behaviour of the source4/winbind code.

In Samba 4.0 and 4.1 we had the following

> getent passwd administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\Administrator:*:0:100::/home/S4XDOM/Administrator:/bin/false

With Samba 4.2.0 we have:

> getent passwd administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

With the patches we have:

> getent passwd administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false
> getent passwd S4XDOM\\administrator
S4XDOM\administrator:*:0:100::/home/S4XDOM/administrator:/bin/false

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11183

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-06 01:22:14 +02:00
Jeremy Allison
9d7ecb9fc3 s4: torture: Test for incorrect file size returned in the response of "FILE_SUPERSEDE Create".
https://bugzilla.samba.org/show_bug.cgi?id=11240

Signed-off-by: Kenny Dinh <kdinh@peaxy.net>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <rb@sernet.de>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 30 22:12:22 CEST 2015 on sn-devel-104
2015-04-30 22:12:22 +02:00
Stefan Metzmacher
ff5f466825 selftest/knownfail: remove unused ^samba4.winbind.struct.show_sequence\(ad_dc\) line
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-04-09 16:58:23 +02:00
David Disseldorp
5c166d5cdb selftest: run the FSRVP test suite against s3fs
With FSRVP server support now present along with suitable mock-up test
infrastructure, run the FSRVP test suite against s3fs.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-03-31 18:40:25 +02:00
Stefan Metzmacher
1e782d9695 s4:torture/rpc: sync test_LogonControl2Ex with test_LogonControl2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
30cb12e7d2 s4:torture/rpc: let rpc.netlogon.admin pass against windows 2012r2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
038659dcbb s3:rpc_server/netlogon: improve the netr_LogonControl*() error returns
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Stefan Metzmacher
01cb90ad12 s4:torture/rpc: don't use the same names for 3 different tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-27 01:26:15 +01:00
Michael Adam
c157baa4b9 selftest: rename env s3dc to nt4_dc
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:47 +01:00
Michael Adam
25f9ebf270 selftest: rename env s3member to ad_member.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
3de5abb954 selftest: rename env dc to ad_dc_ntvfs
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
902aa3c710 selftest: rename env plugin_s4_dc to ad_dc
This is the environment that represents our supported production
setup of an active directory domain controller.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-03-16 23:04:46 +01:00
Michael Adam
79b927ac9e selftest: modify python.samba.test.posixacl to cope with nss_winbind active
It was observed that adding libnss_winbind (via nss_wrapper) lets
the posix acl mapping come out slightly differently with respect
to the owner/domain admin who is not explicitly nailed down in
the original NT acl.

This patch extends the test to react to the presence of
nss_winbind in environment and adapts the expected results.
This in particular fixes the run of the test against the
(changed) plugin_s4_dc environment while keeping the possibility
to successfully run it against an env without nss_winbind.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
2015-03-12 14:35:06 +01:00
Michael Adam
f5a0ccc228 selftest: re-enable nsswrapper integration testing for dc and member environments.
There are some failures:

- The dc environment fails consistently due to duplicate uid,
  (for the calling user and the domain administrator).
  ==> Marked as knownfail.

- The s3member environment only fails under very strange
  circumstances:
  - one needs to run the unix.whoami test in the
    member and s3member environment for the local.nss
    test to fail in the s3member:local env. The failure
    is then related to builtin administrators sharing
    a gid with a different group.
    --> This is really really strange!!!
    ==> Marked as knownfail.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Mar  2 19:50:55 CET 2015 on sn-devel-104
2015-03-02 19:50:55 +01:00
Günther Deschner
14cbc791ee selftest: re-enable nss_winbind via nss_wrapper in the test-envs.
Without exporting these new variables, we can never access or test nss_winbind
from the selftest environments.

This shows that our posixacl test probably needs fixing since now
two subtests fail against plugin_s4_dc:local. This env was just
not complete without winbind in nsswitch. The test failure is
probably due to the strangeness of the AD/DC setup that the
domain administrator uses the same uid as the root user, which
in the selftest case is overridden to be the calling user.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Feb 13 20:57:12 CET 2015 on sn-devel-104
2015-02-13 20:57:11 +01:00
Michael Adam
fd783b04bb selftest: run the samba.nss tests against :local environments
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-02-13 18:25:41 +01:00
Michael Adam
6cab59e016 selftest/knownfail: add newline to end of file.
git always complains about what vim does to the file...

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-02-13 18:25:40 +01:00
Andrew Bartlett
a07598db9c torture: Extend KDC test to cover more options and modes
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-01-23 05:42:07 +01:00
Jeremy Allison
7eae9460a3 selftest:Samba3: use "smb2 leases = yes"
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-12-04 05:45:10 +01:00