1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

32879 Commits

Author SHA1 Message Date
Uri Simchoni
2352e49f32 selftest: Add test for domain join + kerberos-only auth
Add "net ads join/leave -k" tests to the net_ads test suite.

Shift the test suite from ad_member env to ad_dc env, because:
1. Seems more appropriate (the member server plays no role in this
   test)
2. The -k test breaks against the ntvfs file server for some reason,
   when trying to open the netlogon named pipe after having established
   the session with Kerberos (the create fails).

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul  1 15:36:37 CEST 2016 on sn-devel-144
2016-07-01 15:36:37 +02:00
Stefan Metzmacher
3b94fde963 s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00
Stefan Metzmacher
5128a874c8 s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:27 +02:00
Stefan Metzmacher
3eba60aa65 auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
This includes user_principal_name and dns_domain_name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
b67ea0e123 s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
6257003dff s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
432e83bf5b s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
This is more generic and matches all other places.

As this is only used in the KDC it's not a real logic change.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
193de1c0e9 s4:dsdb/tests: let password_lockout.py verify the logonCount values
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
20ad79fecb s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
72d16f9900 s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
ca874c200e s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()
The results differ depending on Kerberos or NTLMSSP usage
and the lockOutObservationWindow.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:26 +02:00
Stefan Metzmacher
4b35d540fa s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
2c4612243a s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
a37eef6b7d s4:dsdb/tests: let password_lockout.py use userpass variables in all functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
e760319526 s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f03d490b7b s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
da4e419adf s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
This is easier than doing it by hand...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
73fb24c2e4 s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
860c6b1e8f s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f301623550 s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
a9722a17ee s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
025e573d84 s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
26a96d2964 s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
7b7d7be244 s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
27d68469e2 s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
We should first check if the error number is as expected and
then check for a specific WERROR in the error string.

We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
58173f28ae s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
9e6c22dbbe s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow
This reduces the runtime of the test while still producing reliable results.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
853c2a6d8a s4:auth/sam: update the logonCount for interactive logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
869616ceb9 s4:auth/sam: don't update lastLogon just because it's 0 currently
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
1acd477960 s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
a35a5e9022 s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
8ac4218690 s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
b73cb40dd2 s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
e81d25a870 s4:dsdb/common: remove unused samdb_result_force_password_change()
The logic is incomplete and the correct logic is already available
via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
a5efb21a53 s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
86b9bf9591 s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
9be4860511 s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
92141c6b03 s4:kdc: add some const to samba_get_logon_info_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Jeremy Allison
1d4b20d4f3 s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
https://bugzilla.samba.org/show_bug.cgi?id=11838

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-29 23:09:17 +02:00
Richard Sharpe
ed4af82a4f s4/selftests: test net ads dns register/unregister.
Add a new test for the net ads dns commands and the needed self test
setup. Currently tests that we can register a name and that it
turns up. Also, tests that we can register with -P.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 22:35:35 CEST 2016 on sn-devel-144
2016-06-28 22:35:35 +02:00
Volker Lendecke
874a9d9c87 libnet: Fix CID 1362934: CHECKED_RETURN
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-06-28 18:48:07 +02:00
Stefan Metzmacher
e0777da00b s4:dsdb/tests: add pwdLastSet tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 27 08:52:48 CEST 2016 on sn-devel-144
2016-06-27 08:52:48 +02:00
Stefan Metzmacher
f77c82d950 s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
bafa0166ee s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
1d808bb5d7 s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
97534fffe6 s4:rpc_server/samr: only set pwdLastSet to "0" or "-1"
The password_hash module will take care of translating "-1"
to the current time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
b6933b2fda s4:dsdb/password_hash: allow pwdLastSet only changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
cada33bb97 s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a password change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:18 +02:00
Stefan Metzmacher
e536dbd447 s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:17 +02:00
Stefan Metzmacher
9baae34d44 s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more robust
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-27 05:00:17 +02:00