1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-28 07:21:54 +03:00
Commit Graph

396 Commits

Author SHA1 Message Date
Michael Adam
1cfc02d786 s4:samr: allow builtin groups for samr_OpenGroup.
This fixes nsswitch getgrgid for builtins.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-05-03 07:57:13 +02:00
Andrew Bartlett
05c2f83f26 dsdb: Allow SAMR server to return the computed, not actual badPwdCount
This matters after the lockout observation period has expired.

Note: that QueryUserInfo level 3 returns the raw badPwdCount value.

Andrew Bartlett

Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
6ac62b3000 s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
The samldb module will handle the verification and magic.

Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
a6b82ee197 s4-samr: Escape the username in the LDAP filter
Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
3f07737fd4 s4:auth: Add password lockout support to the AD DC
Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
6f8fb163e0 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
48ffca0aca CVE-2013-4496:Revert remainder of ce895609b0
Part of this was removed when ChangePasswordUser was unimplemented,
but remove the remainder of this flawed commit.  Fully check the
password first, as extract_pw_from_buffer() already does a partial
check of the password because it needs a correct old password to
correctly decrypt the length.

Andrew Bartlett

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245

Change-Id: Ibccc4ada400b5f89a942d79c1a269b493e0adda6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://gerrit.samba.org/38

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 13 15:06:35 CET 2014 on sn-devel-104
2014-03-13 15:06:35 +01:00
Andrew Bartlett
9f53b61f06 CVE-2013-4496:samr: Remove ChangePasswordUser
This old password change mechanism does not provide the plaintext to
validate against password complexity, and it is not used by modern
clients.  It also has quite difficult semantics to handle regarding
password lockout.

The missing features in both implementations (by design) were:

 - the password complexity checks (no plaintext)
 - the minimum password length (no plaintext)

Additionally, the source3 version did not check:

 - the minimum password age
 - pdb_get_pass_can_change() which checks the security
   descriptor for the 'user cannot change password' setting.
 - the password history
 - the output of the 'passwd program' if 'unix passwd sync = yes'.

Finally, the mechanism was almost useless, as it was incorrectly
only made available to administrative users with permission
to reset the password.  It is removed here so that it is not
mistakenly reinstated in the future.

Andrew Bartlett

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245

Change-Id: If2edd3183c177e5ff37c9511b0d0ad0dd9038c66
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-on: https://gerrit.samba.org/37
2014-03-13 10:26:03 +01:00
Stefan Metzmacher
bc4c7d4c1e s4:rpc_server: make use of dcerpc_binding_get_transport()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2014-02-13 11:54:17 +01:00
Andrew Bartlett
fc13489c91 build: Build with system md5.h on OpenIndiana
This changes (again...) our system md5 detection to cope with how
OpenIndiana does md5.  I'm becoming increasingly convinced this isn't
worth our while (we should have just done samba_md5...), but for now
this change seems to work on FreeBSD, OpenIndiana and Linux with
libbsd.

This needs us to rename struct MD5Context -> MD5_CTX, but we provide a
config.h define to rename the type bad if MD5_CTX does not exist (it does
however exist in the md5.h from libbsd).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
2013-06-19 21:32:36 +02:00
Matthias Dieter Wallnöfer
2f7d9fddf7 s4:samr RPC server - dcesrv_samr_SetUserInfo() - password expiration
Also on level 26 this has to be handled the same as on levels 21, 23, 25.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-06-10 05:40:21 +02:00
Günther Deschner
4fd7aaf2b1 s4-rpc_server: limit allowed transports for samr_ValidatePassword().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2012-12-12 11:29:33 +01:00
Michael Adam
ce895609b0 s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
This matches the windows behavior.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-12-11 13:59:59 +01:00
Andrew Bartlett
b8815dc23d lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC which will allow smarter handling of (for example) accidentially
starting smbd rather than samba.

To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.

Andrew Bartlett
2012-06-15 09:18:33 +02:00
Andrew Tridgell
67651905f9 s4-samr: fixed subtree search
this needs to be on the domain NC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-08-25 07:39:37 +10:00
Andrew Bartlett
2993113a56 s4-dsdb Add ability to force a particular SID in the upgrade case 2011-08-13 12:30:49 +10:00
Matthias Dieter Wallnöfer
9f02fb51d4 s4:rpc_server/dcesrv_samr.c - quiet enum warnings
When we are acting in the role of a PDC then please return it as status information.

Reviewed-by: Tridge

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Jun  9 12:06:36 CEST 2011 on sn-devel-104
2011-06-09 12:06:36 +02:00
Andrew Bartlett
8882dab93e s4-samr Remove incorrect transaction_cancel() in error path
The transactions are now handled entirely within dsdb_add_user()

Andrew Bartlett
2011-05-08 17:36:25 +02:00
Andrew Tridgell
f0e7303023 s4-rpc: improved error mapping for several RPC server calls
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-04-04 10:30:30 +10:00
Jeremy Allison
0c5214e2eb Ensure convert_string_XXX is always called with a valid converted_size pointer.
Preparation for cleaning up this API.

Autobuild-User: Jeremy Allison <jra@samba.org>
Autobuild-Date: Tue Mar 29 21:01:49 CEST 2011 on sn-devel-104
2011-03-29 21:01:49 +02:00
Andrew Bartlett
b5616adc8a lib/util/charset rename iconv_convenience to iconv_handle
This better reflects what this structure is

Andrew Bartlett
2011-03-25 04:37:06 +01:00
Andrew Tridgell
15e84a9a09 charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*()
we shouldn't accept bad multi-byte strings, it just hides problems

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
2011-03-24 01:47:26 +01:00
Jelmer Vernooij
d415a7f788 source4/rpc_server: Fix prototypes for all functions. 2011-03-19 03:20:05 +01:00
Andrew Tridgell
94c04b10db build: moved libds/common/flag_mapping.c into a common subsystem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-24 11:57:48 +11:00
Matthias Dieter Wallnöfer
2e0a933ac8 s4:samr RPC server - QueryDisplayInfo returns always all domains users, aliases and groups
That means when calling "QueryDisplayInfo" on the BUILTIN handle we
still get all related domain objects - for example all domain (global
+ universal) groups. This is contrary to the "EnumDomain..." calls which
do really only return the objects in the specified domain policy handle.

This has been observed against Windows Server 2008 and confirmed by
dochelp.

In the same occasion I've converted from a "gendb*"-oriented search call to "dsdb_search".

Patch-reviewed-by: Andrew Tridgell <tridge@samba.org>
2011-02-15 16:56:19 +01:00
Andrew Tridgell
8dc92c8f71 ldb: use #include <ldb.h> for ldb
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-10 06:51:07 +01:00
Matthias Dieter Wallnöfer
3f6ae9422b s4:samr RPC server - always interpret filter integer values as signed
To prevent platform-dependant problems.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Jan 15 14:54:14 CET 2011 on sn-devel-104
2011-01-15 14:54:13 +01:00
Matthias Dieter Wallnöfer
14d3027458 s4:samr RPC server - dcesrv_samr_GetBootKeyInformation - return NOT_SUPPORTED
Windows Server 2008 does this

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Dec  4 12:11:47 CET 2010 on sn-devel-104
2010-12-04 12:11:47 +01:00
Matthias Dieter Wallnöfer
9ff8428c6f s4:samr RPC server - "dcesrv_samr_RemoveMemberFromForeignDomain"
- Remove TODO comment: MS-SAMR 3.1.5.8.7 explicitly states:
  "The SamrRemoveMemberFromForeignDomain method removes a member from all
  aliases."

- Remove the search attributes since they aren't strictly needed.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov  6 18:07:57 UTC 2010 on sn-devel-104
2010-11-06 18:07:57 +00:00
Matthias Dieter Wallnöfer
02355fc6fd s4:samr RPC server - the LDB error codes for adding or deleting a group member have changed 2010-10-30 17:32:17 +00:00
Matthias Dieter Wallnöfer
af4c9cc7c2 s4:samr RPC server - fix trailing whitespaces 2010-10-29 09:55:18 +00:00
Matthias Dieter Wallnöfer
5d835c8a29 s4:samr RPC server - fix indentation of function parameters 2010-10-29 09:55:18 +00:00
Matthias Dieter Wallnöfer
fc6f8be523 s4:samr RPC server - DomainGeneralInformation - never return NULL on the oem name
As far as I can tell Windows SAMR never returns NULL on unknown values in this
call.
2010-10-29 09:55:18 +00:00
Matthias Dieter Wallnöfer
ebe78c444c s4:samr RPC server - provide the right "ReplicaSourceNodeName"
It's the content of the "domainReplica" attribute if it exists and has only a
meaning on interim/mixed domain function levels (with NT4 dcs).
2010-10-29 09:55:18 +00:00
Matthias Dieter Wallnöfer
45cd2e445d s4:samr RPC server - remove wrong implementation of ReplicaSourceNodeName
This should represent a replication partner - never the DC iself
2010-10-29 09:55:18 +00:00
Matthias Dieter Wallnöfer
33f65a93fe s4:samr RPC server - "dcesrv_samr_info_DomGeneralInformation" - count always all type of groups
One pair are universal an global groups (on the SAMR pipe called "groups") and
the other one are the domain and builtin local groups (on the SAMR pipe called
"aliases").

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 19:37:27 UTC 2010 on sn-devel-104
2010-10-25 19:37:27 +00:00
Matthias Dieter Wallnöfer
83c381385c s4:samr RPC server - remove a somewhat pointless comment
Regardless if groups and users do exist in the builtin domain or not we do
count always all users, groups and aliases.
2010-10-25 20:39:05 +02:00
Matthias Dieter Wallnöfer
6fb64b9c7a s4:"samdb_search_count" - introduce a "mem_ctx" parameter
All other "samdb_search_*" calls do have one - why "samdb_search_count" doesn't?

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Oct 25 17:42:33 UTC 2010 on sn-devel-104
2010-10-25 17:42:33 +00:00
Matthias Dieter Wallnöfer
a3f61dea40 Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c""
This reverts commit 8a2ce5c47c.

Jelmer pointed out that these are also in use by other LDB databases - not only
SAMDB ones.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 13:37:16 +00:00
Matthias Dieter Wallnöfer
8a2ce5c47c s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"
They're only in use by SAMDB code.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sun Oct 17 09:40:13 UTC 2010 on sn-devel-104
2010-10-17 09:40:13 +00:00
Matthias Dieter Wallnöfer
a0e9814c0d s4:dsdb - remove "samdb_result_uint", "samdb_result_int64", "samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-15 08:36:01 +11:00
Jelmer Vernooij
93126b3315 samdb: Add flags argument to samdb_connect(). 2010-10-10 23:08:49 +02:00
Günther Deschner
b7683a2c9d samr: for correctness, rename samr_RidTypeArray to samr_RidAttrArray.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Oct  7 12:04:32 UTC 2010 on sn-devel-104
2010-10-07 12:04:32 +00:00
Günther Deschner
e0b340247a s4-samr: Fix dcesrv_samr_QueryGroupMember.
Guenther
2010-10-07 13:24:22 +02:00
Matthias Dieter Wallnöfer
83cd3f7630 s4:dcesrv_samr_GetGroupsForUser - also universal group memberships are returned here
Tested using User Manager for Domains against Windows Server 2008.
MS-SAMR 3.1.5.9.1 is wrong in this case therefore I've informed the dochelp team.
2010-09-11 14:34:37 +02:00
Matthias Dieter Wallnöfer
cd711da6ca s4:samr RPC server - samr_password.c - make real user password changes work
Now it's finally possible that the user can change his password with a DSDB
connection using his credentials.
2010-08-17 18:45:34 +02:00
Matthias Dieter Wallnöfer
2a423e0547 s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform password sets 2010-08-17 18:45:34 +02:00
Andrew Tridgell
6b266b85cf s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 18:24:27 +10:00
Matthias Dieter Wallnöfer
b03040c5a9 s4:SAMR rpc server - "SetUserInfo" - fix the implementation of the expire flag
It has to consider the "password_expires" flag to known if the "pwdLastSet" has
to be updated or to be resetted.
2010-07-06 21:54:21 +02:00