IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.
This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.
This is just a temporary solution, until we have full
async support in the gensec/auth4.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.
Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.
If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
find_domain_from_name_noinit() find the correct domain based
on domain->alt_name, but the child for the local domain
fails to detect that winbindd_dual_auth_passdb() should be
used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allows us to be independent of parent SIGTERM signal handling.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr 8 16:21:57 CEST 2017 on sn-devel-144
The test fails on openSUSE Tumbleweed with:
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \foo\bar\testfile
This cleans up the code to create a directory 'test' which can be
completely removed so nothing will stay behind. It also makes sure that
all parent directories are created and the files have some content.
https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 8 12:29:19 CEST 2017 on sn-devel-144
Fixup documentation of new -f option of the smbclient
rename command. This command is supported by SMB1 and
SMB2.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 8 02:38:16 CEST 2017 on sn-devel-144
NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.
In case we got NT_STATUS_NONE_MAPPED we must have to ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Useful helper macro to check the return value of LSA and SAMR
translations.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When receiving an SMB create request with read-only access mode and
open_if disposition, we end of calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.
If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.
Running this create requests against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create dispotion is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr 7 20:42:39 CEST 2017 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144
conf.blddir might not the the same as conf.srcdir + '/bin'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
conf.blddir might not the the same as conf.srcdir + '/bin'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
conf.blddir might not the the same as conf.srcdir + '/bin'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This adds two blackbox tests that run wbinfo --sids-to-unix-ids:
o a non-existing SID from the primary domain should return a mapping
o a SID with a bogus (and therefor unknown) domain must not return a mapping
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr 7 00:05:02 CEST 2017 on sn-devel-144
This was added as part of 9be918116e, but
is not needed anymore as the previous commit changed the logic.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.
But as a domain member, using
state->single_domains[state->single_sids_done]
for this purpose will always be use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).
So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Those are implicitly already catched by the
if (sid->num_auths != 5)
check, but I'd like to make the desired behaviour more obvious.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
As WBFLAG_PAM_GET_PWD_POLICY is only kept for legacy external callers
of libwbclient, we should avoid having the complexity to do additional
network roundtrips to our domain, while we still can't garantee that
the returned password policy actually represents the reality for
the current authentication.
Instead we're calculating r->data.auth.policy.expire and
r->data.auth.policy.min_passwordage based on the effective
{last,allow,force}_password_change values.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 6 14:03:09 CEST 2017 on sn-devel-144
The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.
The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies makes
this a very complex task.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Load the test environment specific parameters
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 6 10:06:05 CEST 2017 on sn-devel-144
refactored to make it easier to add extra password hashes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests for password_hash.c to allow refactoring of setup_supplemental_field
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I guess the primary reason for forcing lp_workgroup()
was the usage of -U% together with schannel,
see source3/script/tests/test_rpcclient_samlogon.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12731
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 5 14:09:23 CEST 2017 on sn-devel-144
Instead of using hopcount as a metric for hot records, use the number
of migrations per second as a metric.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 5 08:35:45 CEST 2017 on sn-devel-144