1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

32306 Commits

Author SHA1 Message Date
Stefan Metzmacher
77c3d504b2 lib/crypto: add aes_ccm_128 tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11451

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-27 20:23:20 +02:00
Volker Lendecke
aa38175e00 lib: Convert callers of sid_blob_parse to sid_parse
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-08-26 21:41:12 +02:00
Andrew Bartlett
dcc657a221 selftest: Add assertion that we actually fix the replPropertyMetaData sort order
This ensures that the dbcheck rule fixes the sort order (and only fixes the sort order).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Aug 25 02:45:58 CEST 2015 on sn-devel-104
2015-08-25 02:45:58 +02:00
Andrew Bartlett
5504502aa6 selftest: Add in steps to re-create this database
This may assist if this needs to be changed again

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:36 +02:00
Andrew Bartlett
a6957ba5da Update release-4-1-0rc3 to include data using schema modifications
This allows us to know that the previous patches are correct.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:36 +02:00
Andrew Bartlett
2766bad5ef dbcheck: Add explict tests for unknown and unsorted attributeID values
Unknown attributeID values would cause an exception previously, and
unsorted attributes cause a failure to replicate with Samba 4.2.

In commit 61b978872f we started
to sort these values correctly, but previous versions of Samba
did not sort them correctly (we sorted high-bit-set values as
negative), and then after 9c9df40220
we stoped accepting these.

To ensure we are allowed to make this unusual change to the
replPropertyMetaData, a new OID is allocated and checked
for in repl_meta_data.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
bed29f3c92 pydsdb: Allow the full range of uint32_t values for attributeID
The high bit may be set in these integers, so we need an unsigned int to store it in

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Andrew Bartlett
4ef468eecd dnsserver: Remove incorrect and not required include of ldb_private.h
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-24 23:46:22 +02:00
Volker Lendecke
78d7512db9 lib: Remove unused parmlist code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-21 11:43:04 +02:00
Stefan Metzmacher
f8fca7d315 s4:ntvfs/posix: fix forward declaration of struct pvfs_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-20 16:06:20 +02:00
Stefan Metzmacher
e8c602dfa2 s4:torture/rpc: fix ndr_security.h include in fsrvp.c
We should not include ndr_security.c

This allows ./configure --nonshared-binary=smbtorture again.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Aug 17 20:53:10 CEST 2015 on sn-devel-104
2015-08-17 20:53:10 +02:00
Andrew Bartlett
8cacd5b811 Revert "dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN"
This reverts commit 1a012d591b.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-17 17:43:36 +02:00
Volker Lendecke
1fcad53d7c dns_server: Fix a small memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug  7 12:57:02 CEST 2015 on sn-devel-104
2015-08-07 12:57:02 +02:00
Volker Lendecke
938636886c dns_server: Don't call tevent_req_finish twice
Both tevent_req_werror and tevent_req_done call tevent_req_finish on a request.
This should not be done. We should only call either of both.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2015-08-07 09:52:13 +02:00
Ralph Boehme
7258061e5e s4:torture:vfs_fruit: add a test for stream names
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-07 09:52:13 +02:00
Ralph Boehme
fe4909f1ca s4:torture:vfs_fruit: pass xattr name as arg to torture_setup_local_xattr()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11278

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-07 09:52:12 +02:00
Arvid Requate
d3ac3da986 s4:rpc_server/netlogon: Fix for NetApp
This patch fixes an issue where NetApp filers joined to a
Samba/ADDC cannot resolve SIDs. Without this patch the issue
can only be avoided by setting "allow nt4 crypto = yes" in smb.conf.

The issue is triggered by NetApp filers in three steps:

1. The client calls netr_ServerReqChallenge to set up challenge tokens

2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS
   set to 0. Native AD and Samba respond to this with
   NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away
   the challenge token negotiated in the first step.

3. Next the client calls netr_ServerAuthenticate2 again, this time with
   NETLOGON_NEG_STRONG_KEYS set to 1.
   Samba returns NT_STATUS_ACCESS_DENIED as it has lost track
   of the challenge and denies logon with the message

   No challenge requested by client [CLNT1/CLNT1$], cannot authenticate

Git commit 321ebc99b5 introduced
a workaround for a different but related issue. This patch makes a minor
adjustment to that commit to delay flushing the cached challenge until
it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED
situation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Aug  6 20:29:04 CEST 2015 on sn-devel-104
2015-08-06 20:29:04 +02:00
Kai Blin
42f38fe8d9 dns: always add authority records
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Kai Blin <kai@samba.org>
Autobuild-Date(master): Thu Aug  6 14:06:52 CEST 2015 on sn-devel-104
2015-08-06 14:06:52 +02:00
Kai Blin
d9a3f19749 dns: Add a SOA record to error replies
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:14 +02:00
Kai Blin
bda1a7320f dns: Also pass nsrecs to handle_question()
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:14 +02:00
Kai Blin
0e11c08d3e dns: Just pass the name to create_response_rr
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:13 +02:00
Kai Blin
d7a54f33ef dns: Add dns_get_authoritative_zone helper function
Signed-off-by: Kai Blin <kai@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-08-06 11:03:13 +02:00
Andrew Bartlett
711a420eef selftest: Add test for GSSAPI with no authenticator checksum mode
This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 09:43:40 CEST 2015 on sn-devel-104
2015-08-05 09:43:40 +02:00
Andrew Bartlett
ddee603b5e heimdal/gssapi: Allow a NULL authenticator
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here.  Assume this to be equvilent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.

This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC

Original patch by Andrew Bartlett, restructured by Douglas Bagnall

Cherry-picked from upstream GIT 0a5de96d72cdea9e465412d7dba1e5d13e53dc09
which is the merge of https://github.com/heimdal/heimdal/pull/134

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-05 06:39:19 +02:00
Andrew Bartlett
6224ac9cf4 gensec: Add an option emulating another mode a client building GSSAPI/krb5 manually uses
This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-08-05 06:39:19 +02:00
Andreas Schneider
78075cfcda waf: Add talloc as a dependency
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 04:08:30 CEST 2015 on sn-devel-104
2015-08-05 04:08:30 +02:00
Andreas Schneider
38d7617802 sdb: Assert if the HDB flags will change
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-08-05 01:05:15 +02:00
Andreas Schneider
ab08575405 hdb-samba: Translate SDB errors to HDB errors
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-08-05 01:05:15 +02:00
Günther Deschner
a3af16613f s4-torture: add test for CLUSCTL_NODE_GET_ID in clusapi_NodeControl.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>

Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Tue Aug  4 22:14:33 CEST 2015 on sn-devel-104
2015-08-04 22:14:33 +02:00
Günther Deschner
93572c9cba s4-torture: add more ndr tests for property lists.
This data is derived from clusapi_NodeControl.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:18 +02:00
Günther Deschner
d6a8e35a07 s4-torture: add torture test for clusapi_NodeControl.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:18 +02:00
Günther Deschner
d6210991cc s4-torture: add tests for GroupControl.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
2654ac3d52 s4-torture: also test ClusterControl with a large initial buffer size.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
2a08aa0456 s4-torture: add ndr testsuite for complex clusapi_PROPERTY_LIST structs.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
d13535d968 s4-torture: add test for clusapi_CreateEnumEx().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
e68ce4b10f s4-torture: add test for GetResourceNetworkName.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
bc144409bc s3-clusapi: add test for GetResourceDependencyExpression.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Günther Deschner
1f516287ef s4-torture: add more tests for clusapi_OpenResource().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: José A. Rivera <jarrpa@samba.org>
2015-08-04 19:11:17 +02:00
Volker Lendecke
9c48dbde06 dns_server: Fix CNAME handling
recs[i].wtype is == DNS_TYPE_CNAME, and my understanding of the union is that
data.cname is filled. We get away with this, because ipv4 and ipv6 have the
same char * representation, but it's confusing.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug  4 13:41:17 CEST 2015 on sn-devel-104
2015-08-04 13:41:17 +02:00
Volker Lendecke
3fbcd78a75 dns_server: Add NULL check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
2015-08-04 10:35:17 +02:00
Günther Deschner
7e60050194 lib/dcom: use HRESULT in dcom_create_object.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
4e5ee7146b s4-torture: fix ResolveOxid2 test, filling in missing ref,out pointers.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
f6f543837f s4-torture: fix ResolveOxid test, filling in missing ref,out pointers.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
195faed933 remact: use HRESULT in RemoteActivation IDL and tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
03b59a8d9b s4-torture: fix remact test from crashing.
RemoteActivation was missing all out,ref pointers.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
2ec59185b9 s4-torture: fix test for RemoteActivation.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
0cf5c89925 s4-torture: use torture_assert macros for RemoteActivation test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
7b155c3f95 oxidresolver: fix ServerAlive2 IDL and test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
abf0188d44 s4-torture: fix indent of remact test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:28 +02:00
Günther Deschner
3aaeaea13b s4-torture: remove trailing whitespace from remact test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:27 +02:00
Günther Deschner
82be9581f2 s4-torture: remove trailing whitespace from oxidresolve test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-31 01:55:27 +02:00
Günther Deschner
d49b4aafa8 s4-kdc: Use sdb in db-glue and hdb-samba4
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
2015-07-30 13:29:27 +02:00
Günther Deschner
99d3719e7d s4-kdc: Introduce a simple sdb_hdb shim layer
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
85a041bab5 s4-kdc: Introduce sdb a KDC backend abstraction
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
535035affc s4-kdc: PAC_GLUE does not depend on hdb anymore.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
217d4c1531 s4-auth: Call krb5_get_init_creds_opt_set_canonicalize() in MIT case.
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Andreas Schneider
80509dffdb s3-auth: Add MIT return code for KDC not reachable
This fixes authentication with local credentials against its own server
using netbios domain name.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Andreas Schneider
1c4dc00a5e s4-kdc: Use smb_krb5_principal_get_(type|realm) in db-glue
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
2443c34c91 s4-torture: don't build the lsa forest trust krb5 tests when building with MIT Kerberos.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11411

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-07-24 13:39:31 +02:00
Andreas Schneider
584adc4fd5 s4-auth: Make sure error_string is correctly initialized
This should avoid a possible double free.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
ae607c0d05 s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem.
This can then be easier shared with MIT's kadmin services for kpasswd services.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
a7705ad060 s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
1e64e720ae s4-kdc: only use a void* in samba_kdc_entry instead of hdb_entry_ex.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
38e5d8d4aa s4-kdc/pac_glue: remove old samba_kdc_build_edata_reply().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
893963cf78 s4-kdc/mit_samba: add a copy of samba_kdc_build_edata_reply for MIT.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
402b0dab67 s4-kdc/wdc-samba4: add a copy of samba_kdc_build_edata_reply for Heimdal.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Andreas Schneider
52e6d91d34 waf: Make mit_samba a subsystem and do not build with Heimdal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Andreas Schneider
81471560d9 s4-kdc: Fix a casting warning
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Andreas Schneider
17c8b1a821 s4-kdc: Fix a typo
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Kamen Mazdrashki
252b62c54e dsdb: Disable tombstone_reanimation module until we isolate what causes flaky tests
Change-Id: I323a2cd5eb2449a44a9cb53abab5a127d21c5967
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 06:18:13 +02:00
Andrew Bartlett
374d73617d lib/tls: Add new 'tls priority' option
This adds a new option to the smb.conf to allow administrators to disable
TLS protocols in GnuTLS without changing the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Andrew Bartlett
1a8c1bd952 Remove support for OpenPGP certificates in our TLS client and server
We do not provide parameters to configure these, and OpenPGP for TLS (RFC 6091) is not used in AD

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2015-07-20 03:08:26 +02:00
Andreas Schneider
33817876cb s4-kerberos: Make sure we handle kvno's in keytabs correctly
Signed-off-by: Andreas Schneider <asn@samba.org>
2015-07-17 11:01:23 +02:00
Uri Simchoni
6aa0ae50e2 torture: include config.h before any glibc headers
config.h may have some flags which affect glibc behavior, e.g.
_FILE_OFFSET_BITS=64. To make sure these flags have the desired
effect, config.h must be included before any glibc header files.

Also remove inclusion of some system files, relying on
replace/system/*.h instead.

This commit does not fix a specific known bug. It changes the code to
comply with coding conventions.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: "Stefan Metzmacher" <metze@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jul 17 04:41:14 CEST 2015 on sn-devel-104
2015-07-17 04:41:13 +02:00
Andreas Schneider
c5d91e0e0f s4-torture: Make the backupkey test as a noop with MIT Kerberos.
The test is planned but will be skipped in the MIT case this way. We
need to rewrite the test using a proper cryto/tls library.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
547af4c3c7 s4-waf: Reformat torture_rpc
This makes it easier to read and see what changed in patches.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
c9a8fff525 s4-auth: Always pass down the salt principal
We should always pass down the saltPrincipal to smb_krb5_update_keytab()
function.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
74ca7753e5 s4-auth: Use kerberos util functions in srv_keytab
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
6ba4d2d04e s4-auth: Add smb_krb5_remove_obsolete_keytab_entries()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
398b287712 s4-auth: Add smb_krb5_create_principals_array()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
cd71f9338a s4-samdb: Correctly cast data pointer
This fixes a signedness warning.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
Andreas Schneider
dd8a085b01 CID 1311772: Fix null pointer check
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 15 04:50:36 CEST 2015 on sn-devel-104
2015-07-15 04:50:36 +02:00
Andreas Schneider
2bfe12e96e CID 1311771: Fix a null pointer dereference
We check for dir == NULL but dereference it during variable declaration.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:21 +02:00
Andreas Schneider
2f86e32a99 CID 1311767: Cast enum type to avoid compiler warnings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:21 +02:00
Andreas Schneider
0c01771e3b CID 1311764: Fix logical compare in if clause
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-15 01:47:20 +02:00
Günther Deschner
7ce0b7c958 s4-torture: add test for ClusterControl to clusapi testsuite.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>

Autobuild-User(master): José A. Rivera <jarrpa@samba.org>
Autobuild-Date(master): Wed Jul 15 00:25:38 CEST 2015 on sn-devel-104
2015-07-15 00:25:38 +02:00
Günther Deschner
0a95932aad s4-torture: add test for clusapi_QueryValue.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2015-07-14 21:21:20 +02:00
Günther Deschner
2ac148d6a2 s4-torture: add more tests for dcerpc_clusapi_CreateEnum.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2015-07-14 21:21:20 +02:00
Günther Deschner
97bef6613e s4-torture: make sure to always seal the clusapi connection in witness test.
clusapi only works via DCE/RPC sealed connections in Windows 2012R2.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2015-07-14 21:21:20 +02:00
Günther Deschner
d6a4a2ddb3 s4-torture: do some more inspection on expected witness_AsyncNotify replies.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2015-07-14 21:21:20 +02:00
Günther Deschner
d2700282ec s4-torture: add test for ClusterControl to clusapi testsuite.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
2015-07-14 21:21:20 +02:00
Günther Deschner
ff3b446175 s4-torture: use smb_krb5_principal_set_type() in lsa forest krb5 tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 14 19:15:59 CEST 2015 on sn-devel-104
2015-07-14 19:15:58 +02:00
Günther Deschner
a1c9415769 s4-torture: use krb5_error in lsa forest trust tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-07-14 16:11:18 +02:00
Günther Deschner
da3f41219d s4-torture: use smb_krb5_free_error() in lsa forest krb5 tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-07-14 16:11:18 +02:00
Günther Deschner
54ec74b3b2 s4-torture: use smb_krb5_principal_get_type in lsa forest krb5 tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-07-14 16:11:18 +02:00
Günther Deschner
4e69ff6bdd s4-torture: use smb_krb5_make_principal() in lsa forest krb5 tests.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-07-14 16:11:18 +02:00
Volker Lendecke
893484602d torture-notify: Give nonrecursive updates 200ms
This is in line with the recursive updates before.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jul 13 15:00:26 CEST 2015 on sn-devel-104
2015-07-13 15:00:25 +02:00
Volker Lendecke
be9c4f9033 librpc: Fix a "ignoring asprint return" warning
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-09 00:42:15 +02:00
Douglas Bagnall
9658112e10 Fix ldap_bind compilation for i386
More size_t != uintmax_t issues:

../source4/libcli/ldap/ldap_bind.c: In function ‘ldap_bind_sasl’:
../source4/libcli/ldap/ldap_bind.c:237:3: error: format ‘%ju’ expects argument of type ‘uintmax_t’, but argument 2 has type ‘size_t’ [-Werror=format=]

   DEBUG(1, ("SASL bind triggered with non empty send_queue[%ju]: %s\n",
      ^
      cc1: all warnings being treated as errors

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-09 00:42:15 +02:00
Douglas Bagnall
3e35e0d6f8 Fix gensec_gssapi compilation for i386
Fixes this:

../source4/auth/gensec/gensec_gssapi.c:1017:3: error: format ‘%ju’ expects argument of type ‘uintmax_t’, but argument 3 has type ‘size_t’ [-Werror=format=]

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-09 00:42:15 +02:00
Stefan Metzmacher
7447abc44c s4:torture/rpc: extend and improve rpc.lsa.trusted.domains
This adds a lot more validation arround trust credentials and
krb5 interaction.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  8 21:41:17 CEST 2015 on sn-devel-104
2015-07-08 21:41:17 +02:00
Stefan Metzmacher
d9d670713b s4:torture/rpc: add missing \n in comments
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
84b0d1f967 s4:torture/rpc: handle NT_STATUS_NO_SUCH_DOMAIN in test_query_each_TrustDom()
lsa_EnumTrusts() may also return non direct trusted domains in the forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
80be365e62 testprogs/blackbox: add test_trust_utils.sh
This tests 'samba-tool domain trust *' commands.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
7ee4f23821 testprogs/blackbox: add test_kinit_trusts.sh
That verifies kinit and smbclient work across trusts.

It also tests a trust password change and a following
access.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
fcc6b5c56a s4:rpc_server/netlogon: check domain state in netr_*GetForestTrustInformation()
This should only work on a forest root domain controller and a forest function
level >= 2003.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
ef8f55ad8a s4:rpc_server/netlogon: make use of dsdb_trust_xref_forest_info()
This collects the whole information about the local forest,
including all domains and defined top level names (uPNSuffixes and
msDS-SPNSuffixes).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
9af2561325 s4:rpc_server/netlogon: implement netr_DsRGetForestTrustInformation with trusted domains
We redirect this to remote DC as netr_GetForestTrustInformation() via an IRPC
call to winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
70cea2b85c s4:rpc_server/netlogon: implement NETLOGON_CONTROL_{QUERY,REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD}
We pass NETLOGON_CONTROL_{REDISCOVER,TC_QUERY,TC_VERIFY,CHANGE_PASSWORD} to
winbindd and do the hard work there, while we answer NETLOGON_CONTROL_QUERY
directly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
ee5e25b5b3 librpc/idl: add winbind_LogonControl()
This will be used by the netr_LogonControl()
in order to contact remote domains via winbindd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
f9246d78f7 s4:rpc_server/lsa: remove unused code
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:22 +02:00
Stefan Metzmacher
c98f96d1b1 s4:rpc_server/lsa: use dsdb_trust_*() helper functions in dcesrv_lsa_lsaRSetForestTrustInformation()
This means we return mostly the same error codes as a Windows
and also normalize the given information before storing.

Storing is now done within a transaction in order to avoid races
and inconsistent values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
666ac7c5b7 s4:dsdb/common: add dsdb_trust_merge_forest_info() helper function
This is used to merge the netr_GetForestTrustInformation() result with
the existing information in msDS-TrustForestTrustInfo.

New top level names are added with LSA_TLN_DISABLED_NEW
while all others keep their flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
f043ee97ac s4:dsdb/common: dsdb_trust_normalize_forest_info_step[1,2]() and dsdb_trust_verify_forest_info()
These will be used in dcesrv_lsa_lsaRSetForestTrustInformation() in the
following order:

- dsdb_trust_normalize_forest_info_step1() verifies the input
  forest_trust_information and does some basic normalization.

- the output of step1 is used in dsdb_trust_verify_forest_info()
  to verify overall view of trusts and forests, this may generate
  collision records and marks records as conflicting.

- dsdb_trust_normalize_forest_info_step2() prepares the records
  to be stored in the msDS-TrustForestTrustInfo attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
46e2a97a2b s4:dsdb/common: add dsdb_trust_xref_tdo_info() helper function
This emulates a lsa_TrustDomainInfoInfoEx struct for our own domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
e7c4d2e7eb s4:dsdb/common: add dsdb_trust_forest_info_from_lsa() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
ac4c4a95e5 s4:rpc_server/lsa: implement dcesrv_lsa_lsaRQueryForestTrustInformation()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
98dc4100ab s4:rpc_server/lsa: improve dcesrv_lsa_CreateTrustedDomain_base()
We need to make sure a trusted domain has 'flatName', 'trustPartner'
and 'securityIdentifier' values, which are unique.

Otherwise other code will get INTERNAL_DB_CORRUPTION errors.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
df7f745099 s4:rpc_server/lsa: fix dcesrv_lsa_CreateTrustedDomain()
It needs to pass 'name' as 'netbios_name' and also 'dns_name'.

flatName and trustPartner have the same value for downlevel trusts.
And both are required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
c57fef89e1 s4:rpc_server/netlogon: implement dcesrv_netr_ServerTrustPasswordsGet()
We just need to call dcesrv_netr_ServerGetTrustInfo() and ignore trust_info.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a02300c0c7 s4:rpc_server/netlogon: implement dcesrv_netr_ServerGetTrustInfo()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
0b4bdee4a1 s4:rpc_server/netlogon: let dcesrv_netr_ServerAuthenticate3() fallback to the previous hash for trusts
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
38c30b9d68 s4:dsdb/common: add dsdb_trust_get_incoming_passwords() helper function
This extracts the current and previous nt hashes from trustAuthIncoming
as the passed TDO ldb_message.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a56d9fe5da s4:rpc_server/netlogon: extract and pass down the password version in dcesrv_netr_ServerPasswordSet2()
For domain trusts we need to extract NL_PASSWORD_VERSION from the password
buffer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
8a63dd8bbc s4:dsdb/password_hash: reject interdomain trust password changes via LDAP
Only the LSA and NETLOGON server should be able to change this, otherwise
the incoming passwords in the trust account and trusted domain object
get out of sync.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
dd23d8e1b2 s4:dsdb/common: supported trusted domains in samdb_set_password_sid()
We also need to update trustAuthIncoming of the trustedDomain object.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
81c276047a s4:dsdb/common: make use of dsdb_search_one() in samdb_set_password_sid()
This will simplify the following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
aded6f6551 s4:dsdb/common: pass optional new_version to samdb_set_password_sid()
For trust account we need to store version number provided by the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
1a84cb7d0b s4:dsdb/netlogon: add support for CLDAP requests with AAC=0x00000400(ACB_AUTOLOCK) and user="example.com."
Windows reuses the ACB_AUTOLOCK flag to handle SEC_CHAN_DNS_DOMAIN domains,
but this not documented yet...

This is triggered by the NETLOGON_CONTROL_REDISCOVER with a domain string
of "example.com\somedc.example.com".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
0deb1d9c4a s4:auth/sam: remove unused sam_get_results_trust()
This is replaced by dsdb_trust_search_tdo() now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
839645d238 s4:kdc/db-glue: make use of dsdb_trust_search_tdo()
dsdb_trust_search_tdo() is almost the same as sam_get_results_trust(),
so we can remove sam_get_results_trust() later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a2518116b7 s4:dsdb/common: add dsdb_trust_search_tdo*() helper functions
These are more generic and will replace the existing sam_get_results_trust().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
143b654ad2 s4:kdc/db-glue: implement cross forest routing by return HDB_ERR_WRONG_REALM
We lookup the principal against our trust routing table
and return HDB_ERR_WRONG_REALM and the realm of the next trust hoop.

Routing within our own forest is not supported yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:21 +02:00
Stefan Metzmacher
a11f874dc7 s4:dsdb/common: add helper functions for trusted domain objects (tdo)
The most important things is the dsdb_trust_routing_table with the
dsdb_trust_routing_table_load() and dsdb_trust_routing_by_name() functions.

The routing table has knowledge about trusted domains/forests and
enables the dsdb_trust_routing_by_name() function to find the direct trust
that is responsable for the given name.

This will be used in the kdc and later winbindd to handle cross-trust/forest
routing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
2d98800219 heimdal:kdc: add support for HDB_ERR_WRONG_REALM
A backend can return this if asked with HDB_F_GET_CLIENT|HDB_F_FOR_AS_REQ
for a KRB5_NT_ENTERPRISE_PRINCIPAL record or for HDB_F_GET_SERVER | HDB_F_FOR_TGS_REQ.

entry_ex->entry.principal->realm needs to return the real realm of the principal
(or at least a the realm of the next cross-realm trust hop).

This is needed to route enterprise principals between AD domain trusts.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
c63f360788 heimdal:kdc: generic support for 3part servicePrincipalNames
This is not DRSUAPI specific, it works for all 3 part principals.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
454db47eac heimdal:lib/krb5: add krb5_mk_error_ext() helper function
This gives the caller the ability to skip the client_name
and only provide client_realm. This is required for
KDC_ERR_WRONG_REALM messages.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
fca11edc0b heimdal:lib/krb5: correctly follow KRB5_KDC_ERR_WRONG_REALM client referrals
An AS-REQ with an enterprise principal will always directed to a kdc of the local
(default) realm. The KDC directs the client into the direction of the
final realm. See rfc6806.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
3a14835d18 s4:kdc/db-glue: let samba_kdc_trust_message2entry always generate the principal
We should always return the principal from the values stored in the database.
This also means we need to ignore a missing HDB_F_CANON.

This was demonstrated by running some new tests against windows.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
3943f02691 s4:kdc/db-glue: preferr the previous password for trust accounts
If no kvno is specified we should return the keys with the lowest value.

For the initial value this means we return the current key with kvno 0 (NULL on
the wire). Later we return the previous key with kvno current - 1.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
f05c0bc639 s4:kdc/db-glue: allow invalid kvno numbers in samba_kdc_trust_message2entry()
We should fallback to the current password if the trusted KDC used a wrong kvno.

After commit 6f8b868a29, we always have the
previous password filled. With the trust creation we typically don't
have a TRUST_AUTH_TYPE_VERSION in the current nor in the previous array.
This means current_kvno is 0. And now previous_kvno is 255.

A FreeIPA/MIT KDC uses kvno=1 in the referral ticket, which triggered
the 'Request for unknown kvno 1 - current kvno is 0' case.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-07-08 18:38:20 +02:00
Stefan Metzmacher
66736fee3a s4:torture/rpc: use dcerpc_secondary_auth_connection with creds
This is the same as calling dcerpc_secondary_connection/dcerpc_bind_auth.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul  7 17:07:49 CEST 2015 on sn-devel-104
2015-07-07 17:07:49 +02:00
Stefan Metzmacher
87bf1a6edd s4:torture/rpc: use dcerpc_secondary_auth_connection with anon creds
This is the same as calling dcerpc_secondary_connection/dcerpc_bind_auth_none.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
e0bb97fde6 s4:torture/samba3rpc: use pipe_bind_smb_auth()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
810d630bd5 s4:torture/samba3rpc: add pipe_bind_smb_auth()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
f42d4e9dd3 s4:torture/samba3rpc: use pipe_bind_smb2()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
1df9416bdb s4:torture/samba3rpc: add pipe_bind_smb2()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
d80c38990f s4:torture/samba3rpc: use pipe_bind_smb() in more places
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
5a849c13a7 s4:torture/samba3rpc: move pipe_bind_smb() to the top
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
07b1e375e5 s4:libnet: make use of dcerpc_secondary_auth_connection_send/recv()
This avoid the bogus usage of dcerpc_pipe_auth().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
f036683896 s4:libcli/clilsa: only remember the dcerpc_binding_handle
We don't need the 'dcerpc_pipe'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Stefan Metzmacher
8c22f81e9b s4:librpc/rpc: add dcerpc_secondary_auth_connection()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:28 +02:00
Michael Adam
204cbe3645 Introduce setting "desired" for 'smb encrypt' and 'client/server signing'
This should trigger the behaviour where the server requires
signing when the client supports it, but does not reject
clients that don't support it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11372

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-07 14:05:27 +02:00
Stefan Metzmacher
3cdac4a855 s4:pyrpc: remove pointless alter_context() method
This will always result in a rpc protocol error.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Stefan Metzmacher
828e1d3f83 s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED in torture_rpc_alter_context()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Stefan Metzmacher
58a874111b s4:torture/rpc: expect NT_STATUS_CONNECTION_DISCONNECTED when a dcerpc connection is not connected
We still also allow NT_STATUS_INVALID_HANDLE and NT_STATUS_IO_DEVICE_ERROR for now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Stefan Metzmacher
8c9612e114 s4:pyrpc: add base.bind_time_features_syntax(features)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-07-03 02:00:28 +02:00
Stefan Metzmacher
ebfb1e9dac s4:ntvfs/ipc: fix ipc_close()
Until now this always returned NT_STATUS_INVALID_LEVEL
for everything but RAW_CLOSE_CLOSE.

Now it maps everything correctly to RAW_CLOSE_GENERIC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:28 +02:00
Günther Deschner
d1e81df36e s4-torture: pull, push and compare a witness Notify struct in ndr test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
f0156ca154 s4-torture: add new torture_suite_add_ndr_pullpush_fn_test_flags().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
6d3f7620d2 s4-torture: add torture_ndr_push_struct_blob_flags() in order to manipulate push flags.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
c82aed878e libndr: reformat libndr torture_suite macros to make differences more visible.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
c328ade5cd s4-torture: using async dcerpc for witness async notifications.
This test toggles the online/offline resource state using the clusapi protocol
between the send and receive.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
6aeb0a08ab s4-torture: move torture_assert_sid_equal() out of ndr headers.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
34e4dac57b s4-torture: finally enable witness_AsyncNotify ndr test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
92709e9250 s4-torture: add clusapi resource online/offline toggle code to witness test.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
ceebd509b1 s4-torture: make some clusapi torture tests public.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
cc3afec55d s4-torture: add some more tests for witness_AsyncNotify and RegisterEx with different timeouts.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
6e9c678c8b s4-torture: make setup of the clusapi pipe non-critical in witness test.
Samba currently does not implement clusapi.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
9cdb69c8dd s4-torture: minor cleanup in test_witness_Register().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Günther Deschner
1b70b1aa28 s4-torture: open a clusapi connection to get list of cluster nodes, etc.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-07-03 02:00:27 +02:00
Ralph Boehme
c6e044ea33 s4:torture:vfs_fruit: check offset and length when reading AFP_AfpInfo stream
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11363

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jul  3 01:47:29 CEST 2015 on sn-devel-104
2015-07-03 01:47:28 +02:00
Volker Lendecke
7829395926 dsdb: Rename a parameter
Coverity was confused by the 'seq_num' variable as an argument for the
'local_usn' parameter, where also a 'seq_num' parameter exists. Doesn't hurt,
and if it kills a Coverity warning, why not...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: "Stefan (metze) Metzmacher" <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jul  1 14:09:14 CEST 2015 on sn-devel-104
2015-07-01 14:09:14 +02:00
Volker Lendecke
e1a87d8676 libldap: Fix CID 1308982 Unchecked return value from library
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul  1 00:11:41 CEST 2015 on sn-devel-104
2015-07-01 00:11:41 +02:00
Douglas Bagnall
bbb18875dc Avoid segfault in durable_open tests
There are "goto done"s hiding in CHECK_STATUS in parts of
the code where tree1 is unequivocally NULL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 26 05:12:02 CEST 2015 on sn-devel-104
2015-06-26 05:12:02 +02:00
Andrew Bartlett
c31c30043b s4-winbindd: Remove the winbind rewrite from the samba4 effort
This winbind implementation is undermaintained, out of date and not the
future of even the AD DC, let alone any other purpose.

Removing it will reduce our security and bug exposure on this
off by default subsystem

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 22:34:57 CEST 2015 on sn-devel-104
2015-06-24 22:34:57 +02:00
Andrew Bartlett
45b7992428 Allow winbind removal by matching delays to Samba3.pm
When using winbindd with the ntvfs file server, the responses are faster than
they were in the past.  Therefore, set:
 posix:sharedelay = 100000
 posix:writetimeupdatedelay = 500000
to the values used in Samba3.pm to allow the tests to pass against the NTVFS
file server without the internal winbind.

This allows the internal winbind to be removed.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-24 19:33:23 +02:00
Douglas Bagnall
225d701546 correct sense of macro variable name in SMB2 durable open test
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 24 08:54:23 CEST 2015 on sn-devel-104
2015-06-24 08:54:23 +02:00
Douglas Bagnall
69e511e478 Avoid casting pointer to unsigned long long for NULL check
This allows compilation on i386 with -WError. Otherwise we see
this:

  ../source4/torture/smb2/durable_open.c:41:23: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
       __location__, #v, (unsigned long long)v, (unsigned long long)correct); \

because the pointer is 32 bits, while long long is 64.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 06:04:10 +02:00
Stefan Metzmacher
fa4f4fed2e s4:gensec/gssapi: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER also together with
GENSEC_FEATURE_SEAL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 24 04:00:43 CEST 2015 on sn-devel-104
2015-06-24 04:00:43 +02:00
Stefan Metzmacher
f643677d3f s3:librpc/gse: make use of add gssapi_get_sig_size() and gssapi_{seal,unseal,sign,check}_packet() helper functions
This way are able to support GENSEC_FEATURE_SIGN_PKT_HEADER.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:17 +02:00
Stefan Metzmacher
c245d4f33e heimdal:lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
571a05c649 heimdal:lib/gssapi/krb5: split out a arcfour_mic_cksum_iov() function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
688c537ab1 heimdal:lib/gssapi/krb5: add const to arcfour_mic_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
3269ebfcbf heimdal:lib/gssapi/krb5: clear temporary buffer with cleartext data.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
01350c76ad heimdal:lib/gssapi/krb5: fix indentation in _gk_wrap_iov()
Now it matches _gk_unwrap_iov() and _gk_wrap_iov_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
9414d9867c heimdal:lib/gssapi/krb5: make _gssapi_verify_pad() more robust
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
3b9e5cfd23 s4:selftest: add torture:run_removedollar_test=true to the machine account kdc tests
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
0ba6e0dc2a s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-conon
With this option a machine account is tested without the trailing '$'
in the account name.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
65355d694c s4:selftest: run samba4.rpc.lsa.secrets with more principal combinations
'dcom/SERVER', 'SERVER$' and 'SERVER' as target principal names.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
61de10240e s4:kdc/db-glue: allow principals in form of computer@EXAMPLE.COM
This should be translated to computer$@EXAMPLE.COM.

Note the behavior differs between client and server lookup.
In samba_kdc_lookup_client() we need to fallback in case of
NO_SUCH_USER. samba_kdc_lookup_server() needs to do a single search
and only use the result if it's unique.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Stefan Metzmacher
ccb6495445 s4:kdc/db-glue: fix memory leak in samba_kdc_lookup_server()
We need to free enterprise_principal if generated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-24 01:03:16 +02:00
Volker Lendecke
a924399b91 dsdb: Fix CID 1034902 Dereference before null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 24 01:02:22 CEST 2015 on sn-devel-104
2015-06-24 01:02:22 +02:00
Volker Lendecke
8253549264 dsdb: Fix CID 1034687 Logically dead code
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
7613174e7b dsdb: Fix CID 1034719 Evaluation order violation
We assigned lp_ctx twice...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
d09d428c5e dsdb: Fix CID 1034802 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
22d4d91649 dsdb: Fix CID 1034742 Dereference after null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
5c30ed470d dsdb: Fix CID 1034743 Dereference after null check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
77c6cdcbd5 dsdb: Fix CID 1034803 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
6ed5b4ec8b dsdb: Fix CID 1034804 Dereference null return value
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Volker Lendecke
4b80851568 dsdb: Fix CID 1034745 Dereference after null check
This is a cut&paste error

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:09 +02:00
Stefan Metzmacher
37041e4158 s4:auth/gensec: remove unused gensec_socket_init()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
7943ffbb77 s4:auth/gensec: remove unused include of lib/socket/socket.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
beb84d0c26 s4:auth/gensec: remove unused and untested cyrus_sasl module
There's not a high chance that this module worked at all.

Requesting SASL_SSF in order to get the max input length
is completely broken.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
67c5d5849e s4:libcli/ldap: conversion to tstream
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
6f2c29a13c s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:08 +02:00
Stefan Metzmacher
3d298b994d s4:lib/tls: fix tstream_tls_connect_send() define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Stefan Metzmacher
7b916b5f9a s4:gensec/gssapi: make calculation of gensec_gssapi_sig_size() for aes keys more clear
This way the result matches what gss_wrap_iov_length() would return.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Stefan Metzmacher
ac5283f788 s4:gensec/gssapi: use gensec_gssapi_max_{input,wrapped}_size() for all backends
This avoids calls to gensec_gssapi_sig_size() as fallback in
gensec_max_input_size().

gensec_gssapi_sig_size() needs to report the sig size
gensec_{sign,seal}_packet(), which could be different to the
overhead produced by gensec_wrap().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-23 22:12:07 +02:00
Stefan Metzmacher
6dd117b21e s4:selftest: also run rpc.winreg with kerberos and all possible auth options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 23 17:31:08 CEST 2015 on sn-devel-104
2015-06-23 17:31:07 +02:00
Stefan Metzmacher
5b917fd622 s4:selftest: run rpc.echo tests also with krb5 krb5,sign krb5,seal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
69c1b4b7c1 s4:rpc_server: fix padding caclucation in dcesrv_auth_response()
This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
1bf7ab49b4 s4:rpc_server: let dcesrv_auth_response() handle sig_size == 0 with auth_info as error
Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
16f3837e02 s4:rpc_server: let dcesrv_reply() use a sig_size for a padded payload
The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
3fbdb255e3 s4:rpc_server: let dcesrv_reply() use DCERPC_AUTH_PAD_ALIGNMENT define
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
114c52e73e s4:librpc/rpc: fix padding caclucation in ncacn_push_request_sign()
This is simplified by using DCERPC_AUTH_PAD_LENGTH() and changes the behaviour
so that we will use no padding if the stub_length is already aligned
to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
48f2c383e1 s4:librpc/rpc: let ncacn_push_request_sign() handle sig_size == 0 with auth_info as internal error
Don't send plaintext on the wire because of an internal error...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
fc249d542f s4:librpc/rpc: let dcerpc_ship_next_request() use a sig_size for a padded payload
The sig_size could differ depending on the aligment/padding.
So should use the same alignment as we use for the payload.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
ef801bae95 s4:librpc/rpc: let dcerpc_ship_next_request() use DCERPC_AUTH_PAD_ALIGNMENT define
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Stefan Metzmacher
01499617bd s4:heimdal_build: define HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2015-06-23 14:38:53 +02:00
Ralph Boehme
408c965aab s4:torture:vfs_fruit: copyfile
Bug: https://bugzilla.samba.org/show_bug.cgi?id=11317

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 23 14:37:05 CEST 2015 on sn-devel-104
2015-06-23 14:37:05 +02:00
Volker Lendecke
052b9a53b7 Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jun 19 01:05:17 CEST 2015 on sn-devel-104
2015-06-19 01:05:17 +02:00
Andrew Bartlett
5bb647b788 selftest: Run winbind tests in chgdcpass environment
This ensures that winbind both starts and operates without a secrets.tdb

(chgdcpass deliberatly removes the secrets.tdb file after provision, like has happend with classicupgrade).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-17 22:10:24 +02:00
Uri Simchoni
12079b412d heimdal: fix endless loop for specific KDC error code
When sending a Kerberos request, if at least one of the available
KDCs repeatedly replies with an error response of
KRB5KDC_ERR_SVC_UNAVAILABLE, and all other KDCs, if there are any,
do not reply at all or cannot be contacted, then the code repeatedly
retries to send the request in an endless loop.

This is fixed in upstream (post 1.5 branch) heimdal but the code
there is vastly refactored, so this is an independent fix to the issue.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 17 02:34:31 CEST 2015 on sn-devel-104
2015-06-17 02:34:31 +02:00
Stefan Metzmacher
3d7ce9d411 s4:ntvfs/pyposix_eadb: fix initposix_eadb() prototype
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
2015-06-12 17:08:19 +02:00
Stefan Metzmacher
dd037b0be4 s4:libcli/raw: make sure smbcli_transport_connect_send/recv correctly cleanup on error
We need to make sure that we remove any pending writev_send or read_smb_send
request before closing the socket fd. As a side effect we always close the
socket fd if we don't return success for any any reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11316

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-06-12 17:08:17 +02:00
Douglas Bagnall
6c86ddc3ff KCC: docstring for test_all_reps_from()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:15 +02:00
Douglas Bagnall
c93c2fcba5 KCC: samba_kcc uses forced_local_dsa in import_ldif
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:15 +02:00
Douglas Bagnall
a918edced0 KCC: test stub for KCC object
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:14 +02:00
Douglas Bagnall
eba852cc98 KCC: write dot files in a deterministic, user specified place
We were using randomised tempfile names in /tmp, initially to avoid
overwriting previous runs so as to track progress. Now we hardly ever
care about the old versions, and a user-specified name will be handy
for testing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:14 +02:00
Douglas Bagnall
cb94863087 KCC: switch samba_kcc over to samba.kcc module
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:13 +02:00
Douglas Bagnall
032291f492 KCC: shift samba.ldif_utils to samba.kcc.ldif_import_export
These functions are really only of use for KCC, and they only import and
export rather than be general utils.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:13 +02:00
Douglas Bagnall
b0e6a74362 KCC: split kcc_utils into samba.kcc.{kcc_utils,graph}
graph.py has the intersite graph stuff.
kcc_utils does intrasite, namespace, &cetera.

The wildcard imports are tidied up, so samba_kcc imports unix2nttime
directly rather than letting it fall out of kcc_utils.

Intersite graph functions samba/kcc/__init__.py are also shifted into
graph.py.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:13 +02:00
Douglas Bagnall
7cd35051c8 KCC: split and shift samba.graph_utils -> samba.kcc.{graph_utils,debug}
The debug module contains debug functions and colours.

Graph_utils keeps the DOT file generation and graph verification code.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-12 06:57:13 +02:00
Günther Deschner
60d95bbf77 s4-torture: call clusapi_CreateResEnum for all cluster resources.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun  2 05:16:00 CEST 2015 on sn-devel-104
2015-06-02 05:16:00 +02:00
Douglas Bagnall
0791bb07ca KCC: improve docstring for KCC.load_samdb()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 30 23:55:22 CEST 2015 on sn-devel-104
2015-05-30 23:55:22 +02:00
Douglas Bagnall
3c41fcffb6 KCC: improve docstring for KCC.list_dsas()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
b7f3ddca08 KCC: slightly improve docstring for KCC.create_connection()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
3bc288019b KCC: improve docstring for KCC.is_bridgehead_failed()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
017583269c KCC: Slightly improve docstring for KCC.get_all_bridgeheads()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
40d451a7da KCC: Slightly improve docstring for KCC.get_bridgehead()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
6a28fc8364 KCC: improve docstring for KCC.load_all_partitions()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
2f6c70a450 KCC: improve docstring for KCC.add_transports()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
f21d5ee8d7 KCC: improve docstring for KCC.setup_graph()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
9f3fcb065c KCC: improve docstring for KCC.translate_ntdsconn()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
ed3035a680 KCC: improve docstring for KCC.modify_repsFrom()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
a2ac039d37 KCC: improve docstring for KCC.is_stale_link_connection()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
aa4588db63 KCC: improve docstring for KCC.merge_failed_links()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
692d9c9127 KCC: improve docstring and comment for kcc.remove_unneeded_ntdsconn()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00
Douglas Bagnall
5b421545f3 KCC: improve docstring for KCC.load_my_dsa()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-05-30 21:05:25 +02:00