1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

107253 Commits

Author SHA1 Message Date
Stefan Metzmacher
2a57b285ce auth4: use "anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain" as AD_DC
It's better to consistently fail authentications for users
of trusted domains (on a RWDC) with NT_STATUS_NO_TRUST_LSA_SECRET,
instead of silently mapping them to local users, by accident.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
bb6583fdf2 auth4: add a "sam_failtrusts" module
This fails the authentication for any known domain with
NT_STATUS_NO_TRUST_LSA_SECRET.

This will be used on an AD_DC to fail authentication
for users of trusted domains sanely, instead of silently
mapping them to local users.

This is just a temporary solution, until we have full
async support in the gensec/auth4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
3caca9b7fb s4:selftest: run test_trust_ntlm.sh against various environments
This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.

Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.

If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
2de1994e6f testprogs/blackbox: add test_trust_ntlm.sh
This verifies that various domain/realm and username
combinations map to the correct user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
948a1dab4d winbindd: allow wbinfo -a REALM\\user to work on a DC
find_domain_from_name_noinit() find the correct domain based
on domain->alt_name, but the child for the local domain
fails to detect that winbindd_dual_auth_passdb() should be
used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Stefan Metzmacher
5da664dbed auth4: use lpcfg_is_my_domain_or_realm() in authsam_want_check()
We also accept the domain to be the realm string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Stefan Metzmacher
66ee788a5a testprogs/blackbox: add test_rpcclient_*_grep helper functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Stefan Metzmacher
31f0b31308 testprogs/blackbox: use subunit_ helper functions in test_smbclient_*
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Stefan Metzmacher
20404e19b9 selftest: make sure we don't have any umask limitations for selftest
We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Jeremy Allison
6d6117b5ba s4: process_standard: Add a simplified SIGTERM handler based on code from source4/smbd/server.c. Use from a tevent handler added to standard_accept_connection() and standard_new_task()
Allows us to be independent of parent SIGTERM signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr  8 16:21:57 CEST 2017 on sn-devel-144
2017-04-08 16:21:57 +02:00
Jeremy Allison
d354be9e07 s4: process_standard: Add tevent SIGHUP signal handler to standard_accept_connection() and standard_new_task().
This makes us independent of parent SIGHUP signal handling.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-04-08 12:30:08 +02:00
Jeremy Allison
513eb8b8d3 s4: process_standard: Add return checking for tevent_add_fd() to standard_accept_connection() and standard_new_task().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-04-08 12:30:08 +02:00
Jeremy Allison
c97714319b s4: process_standard: Always free tevent_context before exit().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-04-08 12:30:08 +02:00
Jeremy Allison
7c017234ab s4: process_standard: Move talloc_free of event context so it is last thing freed before exit().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-04-08 12:30:08 +02:00
Andreas Schneider
a9bd9a143e s3:tests: Create a test directory for a clean test
The test fails on openSUSE Tumbleweed with:

NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \foo\bar\testfile

This cleans up the code to create a directory 'test' which can be
completely removed so nothing will stay behind. It also makes sure that
all parent directories are created and the files have some content.

https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 12:29:19 CEST 2017 on sn-devel-144
2017-04-08 12:29:19 +02:00
Uri Simchoni
5b4a1b628e docs: fixup smbclient rename -f option
Fixup documentation of new -f option of the smbclient
rename command. This command is supported by SMB1 and
SMB2.

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  8 02:38:16 CEST 2017 on sn-devel-144
2017-04-08 02:38:16 +02:00
Ralph Boehme
8dfbba59d7 winbindd: error handling in rpc_lookup_sids()
NT_STATUS_NONE_MAPPED and NT_STATUS_SOME_NOT_MAPPED should not be
treated as fatal error. We should continue processing the results and
not bail out.

In case we got NT_STATUS_NONE_MAPPED we must have to ensure all
lsa_TranslatedName are of type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
416c74e8c8 s3/rpc_client: lookupsids error handling of NT_STATUS_NONE_MAPPED
NT_STATUS_NONE_MAPPED is not a fatal error, it just means we must return
all lsa_TranslatedName's as type SID_NAME_UNKNOWN.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
0e7e4ebad3 s3/rpc_client: use NT_STATUS_LOOKUP_ERR
No change in behaviour.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
fc37c7327d s3/include: add NT_STATUS_LOOKUP_ERR
Useful helper macro to check the return value of LSA and SAMR
translations.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12728

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
893fc5abbe s4/torture: vfs_fruit: test for bug 12565
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Ralph Boehme
a36de8b81a vfs_fruit: resource fork open request with flags=O_CREAT|O_RDONLY
When receiving an SMB create request with read-only access mode and
open_if disposition, we end of calling the open() function with
flags=O_CREAT|O_RDONLY for the ._ AppleDouble file.

If the file doesn't exist, ie there's currently no rsrc stream, we create
it but then we fail to write the AppleDouble header into the file due to
the O_RDONLY open mode, leaving a 0 byte size ._ file.

Running this create requests against macOS SMB server yields an
interesting result: it returns NT_STATUS_OBJECT_NAME_NOT_FOUND even
though create dispotion is open_if. Another instance where the macOS SMB
server just exposes FSA behaviour (ie HFS+) and we have to adapt to be
compatible.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12565

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Volker Lendecke
baa3e71f79 smbd: Fix smb1 findfirst with DFS
9377f3bce should have changed the callers of dfs_path_lookup. It now
takes a uint32_t ucf_flags, not a boolean anymore.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12558

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-07 22:52:24 +02:00
Stefan Metzmacher
94e2aa7f77 WHATSNEW: Deprecate "auth methods" and "map untrusted to domain"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 20:42:39 CEST 2017 on sn-devel-144
2017-04-07 20:42:39 +02:00
Stefan Metzmacher
e999b798c6 s3:ntlm_auth: fix memory leak in manage_gensec_request()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12736

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 16:49:15 +02:00
Andreas Schneider
0641653c30 python: Add a simple pam_winbind test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 14:19:23 CEST 2017 on sn-devel-144
2017-04-07 14:19:23 +02:00
Andreas Schneider
a46566ea5e lib: Add pam_wrapper 1.0.3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-07 10:32:13 +02:00
Stefan Metzmacher
7a4e2bef18 uid_wrapper: use conf.blddir to construct libnss_wrapper_so_path
conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 10:32:13 +02:00
Stefan Metzmacher
05c8aa6390 resolv_wrapper: use conf.blddir to construct libnss_wrapper_so_path
conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 10:32:13 +02:00
Stefan Metzmacher
013a92ccc8 nss_wrapper: use conf.blddir to construct libnss_wrapper_so_path
conf.blddir might not the the same as conf.srcdir + '/bin'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 10:32:13 +02:00
Stefan Metzmacher
a26ba9d806 script/compare_cc_results.py: ignore all LIB*_WRAPPER_SO_PATH values
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-04-07 10:32:12 +02:00
Ralph Boehme
b680ceebf8 selftest: tests idmap mapping with idmap_rid
This adds two blackbox tests that run wbinfo --sids-to-unix-ids:

o a non-existing SID from the primary domain should return a mapping

o a SID with a bogus (and therefor unknown) domain must not return a mapping

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr  7 00:05:02 CEST 2017 on sn-devel-144
2017-04-07 00:05:02 +02:00
Ralph Boehme
ef10b43469 selftest: new environment "ad_member_idmap_rid"
This uses idmap_rid for the primary domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
9671811da8 winbindd: remove unused single_domains array
This was added as part of 9be918116e, but
is not needed anymore as the previous commit changed the logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
a684df160e winbindd: use correct domain name for failed lookupsids
What we want here is, for failed lookupsids, pass the domain name of the
SID we were trying to lookup to the idmap backend.

But as a domain member, using

  state->single_domains[state->single_sids_done]

for this purpose will always be use our primary domain name (for S-1-5-21
SIDs that are not in our local SAM).

So for now use find_domain_from_sid_noinit() to find the domain from the
domain list. This can be removed when we switch idmap backend
determination to be based on domain SIDs, not names.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
d8fd56a824 selftest: fix for wbinfo -s tests for wellknown SIDs
Rework while loop to not use a pipe as that uses a subshell for the loop
which means assigning to the variable failed is not visible in the
main script.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
167bb5ead8 winbindd: explicit check for well-known SIDs in wb_lookupsids_bulk()
Those are implicitly already catched by the

  if (sid->num_auths != 5)

check, but I'd like to make the desired behaviour more obvious.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Volker Lendecke
415d61eebb idmap_ldap: Fix CID 1404836 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Thu Apr  6 19:31:25 CEST 2017 on sn-devel-144
2017-04-06 19:31:24 +02:00
Amitay Isaacs
7f714a4362 ctdb-docs: Fix documentation of -n option to ctdb tool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12733

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-04-06 15:36:10 +02:00
Stefan Metzmacher
e69aa55c5d winbindd: let WBFLAG_PAM_GET_PWD_POLICY only fake the password policy
As WBFLAG_PAM_GET_PWD_POLICY is only kept for legacy external callers
of libwbclient, we should avoid having the complexity to do additional
network roundtrips to our domain, while we still can't garantee that
the returned password policy actually represents the reality for
the current authentication.

Instead we're calculating r->data.auth.policy.expire and
r->data.auth.policy.min_passwordage based on the effective
{last,allow,force}_password_change values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr  6 14:03:09 CEST 2017 on sn-devel-144
2017-04-06 14:03:09 +02:00
Stefan Metzmacher
fba7ed9a3f pam_winbind: no longer use wbcUserPasswordPolicyInfo when authenticating
The expiry time for the specific user comes from
info->pass_must_change_time and nothing else.

The authenticating DC knows which password policy applies
to the user, that's nothing the client can do, as
domain trusts and fine-grained password policies makes
this a very complex task.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-04-06 10:07:39 +02:00
Gary Lockyer
5ee494cbd7 tests dsdb: load paramaters from test environment
Load the test environment specific parameters

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 10:06:05 CEST 2017 on sn-devel-144
2017-04-06 10:06:04 +02:00
Gary Lockyer
62bbfda867 password_hash: refactor setup_supplemental_field
refactored to make it easier to add extra password hashes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-06 06:07:23 +02:00
Gary Lockyer
d1f4fc9ee3 password_hash: Add tests to allow refactoring
Add tests for password_hash.c to allow refactoring of setup_supplemental_field

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-06 06:07:23 +02:00
Ralph Boehme
78403a8a71 selftest: fix SID composition in a test script
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr  5 17:59:32 CEST 2017 on sn-devel-144
2017-04-05 17:59:32 +02:00
Stefan Metzmacher
f1e3c8ebb3 rpcclient: allow -U'OTHERDOMAIN\user' again
I guess the primary reason for forcing lp_workgroup()
was the usage of -U% together with schannel,
see source3/script/tests/test_rpcclient_samlogon.sh

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12731

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  5 14:09:23 CEST 2017 on sn-devel-144
2017-04-05 14:09:23 +02:00
Amitay Isaacs
5da471919d ctdb-daemon: Add tracking of migration records
Instead of using hopcount as a metric for hot records, use the number
of migrations per second as a metric.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr  5 08:35:45 CEST 2017 on sn-devel-144
2017-04-05 08:35:45 +02:00
Amitay Isaacs
1445fa3b71 ctdb-daemon: For hot records, use count instead of hopcount
This avoids tying hopcounts to hot records.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-04-05 04:47:23 +02:00
Amitay Isaacs
1b2c919f19 ctdb-common: Add hash_count abstraction
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-04-05 04:47:23 +02:00
Amitay Isaacs
63b92f42f6 ctdb-common: Add traverse_update function to db_hash abstraction
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2017-04-05 04:47:23 +02:00