sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-25 17:57:42 +03:00
Code
98,406 Commits 62 Branches 1,153 Tags
Commit Graph

98406 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Stefan Metzmacher
2dcef48f24 libcli/security: add security_descriptor_for_client() helper function 
This prepares a possibly stripped security descriptor for a client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
77f0763c84 libcli/security: support "IS" in SDDL for SID_NT_IUSR 
TODO: we should import the whole lists from [MS-DTYP].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Stefan Metzmacher
337d86f87e s3:rpcclient: only require netlogon_creds for specified netlogon calls 
A lot of calls on the netlogon pipe doesn't require netlogon credentials,
e.g. netr_LogonControl*() should work just with administrator credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-30 13:41:25 +02:00
Jelmer Vernooij
c3747f9658 Check for third party Python modules during configure. 
Inform the user whether the module was found on the system, or if the
bundled copy is being used. If the module is not found, suggest what
they can do to make it available to Samba.

Change-Id: I89ec57a2acf87768ca3714add59575578d2ee399
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Mar 30 13:40:33 CEST 2015 on sn-devel-104
 2015-03-30 13:40:33 +02:00
Jelmer Vernooij
e50342f33d Move configure part of third party to third_party/wscript. 
Change-Id: I34875a8bde99df2e0a2659677e88640bb0ec1816
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Jelmer Vernooij
d16c0e369e Pass --recursive to 'git clone' in autobuild. 
This makes it possible to use submodules in Samba.

Change-Id: Iccb1876b1daf82864b18486f2dca9036d7d3c75c
Signed-Off-By: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Volker Lendecke
b2d2fd2c67 groupdb: Fix a typo 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Volker Lendecke
6169ab798d heimdal: Fix a warning 
99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Volker Lendecke
578f2c7c7d heimdal: Fix a warning 
99% this is what was meant....

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Christof Schmitt
868f83e5c6 vfs_gpfs: Remove warning after failure of get_gpfs_fset_id 
get_gpfs_fset_id already emits more detailed warnings, there is no need
to print an additional warning in the calling function.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
 2015-03-30 11:04:15 +02:00
Amitay Isaacs
079575d80f ctdb-tests: Switch to tcp check in rpcinfo stub 
Use -T tcp instead of deprecated options -u and -t.  Also, check for
localhost.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri Mar 27 09:16:50 CET 2015 on sn-devel-104
 2015-03-27 09:16:50 +01:00
Amitay Isaacs
14886ed00c ctdb-scripts: Use tcp connection for checking RPC services 
It's possible for a RPC service to register only for UDP and not TCP.
Since we assume all the NFS operations are over TCP, always check RPC
services over TCP.

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
 2015-03-27 06:40:08 +01:00
Martin Schwenke
130202d635 ctdb-scripts: Respect $RPCMOUNTDOPTS when restarting rpc.mountd 
$RPCMOUNTDOPTS is ignored when restarting rpc.statd due to the service
being unresponsive.  This variable can be used to increase the number
of rpc.mountd threads when there are a lot of clients reattaching so
ignoring it can mean that only a single rpc.mount thread is started.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
 2015-03-27 06:40:08 +01:00
Amitay Isaacs
62ba95a9f3 ctdb-daemon: Drop tunable that is no longer in use 
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
 2015-03-27 06:40:08 +01:00
Amitay Isaacs
41ed26cbf7 ctdb-recoverd: Fix typo in comment 
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
 2015-03-27 06:40:08 +01:00
Christof Schmitt
0c7b69b10b selftest: Use 'logging' parameter instead of 'syslog' 
'syslog' has been deprecated, so use the new 'logging' parameter
instead.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Fri Mar 27 06:38:32 CET 2015 on sn-devel-104
 2015-03-27 06:38:32 +01:00
Andreas Schneider
3fb40b4bec s4-process_model: Panic if the standard init function fails 
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 04:03:14 +01:00
Andreas Schneider
f75182841d s4-process_model: Do not close random fds while forking. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11180

The issue has been found with nss_wrapper debug output running:
    samba4.ntvfs.cifs.krb5.base.lock

In the case here, we fork a child and close the fd without resetting
the pipe fd variable. Then the fd was used to open the nss_wrapper
hosts file which got the same fd. We forked again in the process model
called close() on the re-used fd (of the pipe variable) again without
nss_wrapper noticing.  Now Samba opened the secrets tdb and got
the same fd as nss_wrapper was using for the hosts file and next
nss_wrapper tried to parse a TDB ...

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 04:03:14 +01:00
Stefan Metzmacher
14b6e0a599 s4:kdc/db-glue: samba_kdc_trust_message2entry() should use the normalized principal as salt 
smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@S4XDOM.BASE%A1b2C3d4
worked while
smbclient //w2012r2-183.w2012r2-l4.base/netlogon -c 'ls' -k yes -Uadministrator@s4xdom.base
failed, if aes keys are used across the trust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Mar 27 04:02:05 CET 2015 on sn-devel-104
 2015-03-27 04:02:05 +01:00
Stefan Metzmacher
0dbf1d4c40 libcli/util: remove unused WERR_BAD_PASSWORD 
The values are the same, but WERR_INVALID_PASSWORD matches the documentation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:17 +01:00
Stefan Metzmacher
6e5d9c2a3d libcli/auth: use WERR_INVALID_PASSWORD instead of WERR_BAD_PASSWORD 
The values are the same, but WERR_INVALID_PASSWORD matches the documentation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:17 +01:00
Stefan Metzmacher
17e8ad5379 docs-xml/Samba3-HOWTO: add reference to WERR_INVALID_PASSWORD were we had only WERR_BAD_PASSWORD 
The values are the same, but WERR_INVALID_PASSWORD matches the documentation
and the new win_errstr() output.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:16 +01:00
Stefan Metzmacher
cb786dfd7c selftest: use dns_lookup_* = true in krb5.conf 
We only need to specify explicit entries for the local realm
in order to provision the server.

Everything else is handled by real dns or faked dns via resolv wrapper.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
4b12fcebaf s4-kdc/db_glue: avoid accessing private struct members when there are accessor funcs. 
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
e2eef86431 s4-kdc/db_glue: use smb_krb5_principal_set_type(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
212a9e06c6 krb5_wrap: fix documentation for smb_krb5_principal_get_comp_string(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
e38acb344a krb5_wrap: add smb_krb5_principal_set_type(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
34ef6b8d20 s4-auth: fix DEBUG statement. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
de6021127d gensec: map KRB5KRB_AP_ERR_BAD_INTEGRITY to logon failure. 
When requesting initiator credentials fails, we need to map the error code
KRB5KRB_AP_ERR_BAD_INTEGRITY to NT_STATUS_LOGON_FAILURE as well. This is what
current MIT kerberos returns.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
ac23b7dd52 s4-kdc/db-glue: make sure to use smb_krb5_get_pw_salt and smb_krb5_create_key_from_string. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
023b5af639 lib/krb5_wrap: use krb5_const_principal in smb_krb5_get_pw_salt(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
a616df1848 lib/krb5_wrap: use krb5_const_principal in smb_krb5_create_key_from_string. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
b7abdbb0a1 s4-auth: avoid double free of krb5 kt_entries when compiling with MIT kerberos library. 
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Andreas Schneider
f05fbc1410 s4-gensec: Check if we have delegated credentials. 
With MIT Kerberos it is possible that the GSS_C_DELEG_FLAG is set, but
the delegated_cred_handle is NULL which results in a NULL-pointer
dereference. This way we fix it.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
cebecffd98 s4-kdc/db-glue: use smb_krb5_principal_get_comp_string in dbglue. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
2a0e2dd52a s4-kdc/db-glue: use principal_comp_str{case}cmp. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
6d6e411fb8 s4-kdc/db-glue: add principal_comp_str{case}cmp 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
714862defd s4-kdc: pass down only a samba_kdc_entry to samba_krbtgt_is_in_db(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
0501db1a67 s4-kdc: pass down only a samba_kdc_entry to samba_kdc_get_pac_blob(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
78c0cf292b s4-kdc: pass down only a samba_kdc_entry to samba_princ_needs_pac(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
ba1838300c s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
f4b087b483 s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
7afd9e6aca s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2self(). 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
1afd3d3262 s4-kdc: build some kdc components only for Heimdal KDCs. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
77ede580e9 lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Günther Deschner
9a0263a7c3 s4-kdc/db_glue: workaround different CLIENT_NAME_MISMATCH error codes. 
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2015-03-27 01:26:16 +01:00
Stefan Metzmacher
e6e2ec0001 librpc/ndr_nbt: we need to keep a trailing '.' in the last component of an nbt_string 
Windows uses a username of 'domain.example.com.' as username and we need to
return it that way in the NETLOGON_SAM_LOGON_RESPONSE_EX reply.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:15 +01:00
Stefan Metzmacher
1a78713552 lsa.idl: add LSA_POLICY_NOTIFICATION to LSA_POLICY_ALL_ACCESS 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:15 +01:00
Stefan Metzmacher
c9f68df798 s4:selftest: run rpc.netlogon.admin against also ad_dc 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:15 +01:00
Andrew Bartlett
2ec4a626b7 torture: Run lsa.trusted.domains auth tests against samba4 
We only need to skip th CreateTrustedDomainEx, which the docs strongly suggested not to use
in any case.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
 2015-03-27 01:26:15 +01:00