IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
These will be used separately in the full initialization function.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Also check for existence when the range is >= the HWM,
typically the "acquire" case where we bump the HWM.
In case of external modification, we would previously
simply overwrite an an existing range mapping. Now we
check and throw INTERNAL_DB_CORRUPTION in this case.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The initialization of the HWM values in autorid.tdb was racy:
It did:
1. fetch the HWM value
2. if it did not exist, store 0 in a transaction.
This can be racy if two processes at the same time try to
run the initialization code, especially in a cluster, when
winbindd and smbd are started simultaneously on all nodes.
The race is that the HWM is not re-fetched inside the transaction.
Assume both processes see that the HWM does not exist.
Both try to start a transaction. Process 1 gets the lock
and process 2 blocks. After Process 1 has stored the
HWM, it proceeds and manages to start subsequent transactions
which also bump the HWM value (e.g. a range allocation,
which is also triggered from allocation code). When
process 2 finally manages to start the transaction, the
HWM value is aready > 0. But process 2 does not look again
and simply overwrites the HWM with 0.
So the next allocation will overwrite an existing mapping,
at least partially.
This patch changes the mechanism to:
1. fetch the hwm value
2. if it does not exist start a transaction
3. fetch the hwm value
4. if it does not exist, store 0
5. commit the transaction.
Note: this is not theoretical. Corruptions have been
seen in cluster environments.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The HWM is treated as uint32_t all the times.
This was just a leftover from old code.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Should fix a potential SEGV e.g. in case searched_site == NULL and no
objects with objectClass=site are found.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
A ropey script to generate some missing NT_STATUS error codes and
and descriptions. The script generates ntstatus.c & ntstatus.h
whose contents are used to extend the existing contents of
libcli/util/nterr.c & libcli/util/ntstatus.h
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 2 22:40:06 CEST 2014 on sn-devel-104
Error codes and descriptions were autogenerated from [MS-ERREF]
see http://msdn.microsoft.com/en-us/library/cc704588.aspx
Additionally some missing error descriptions for existing errors were
identified and generated.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This hacky script was used to generate the contents of libcli/util/hresult.c
& libcli/util/hresult.h. It expects the table contents of
http://msdn.microsoft.com/en-us/library/cc704587.aspx cut'n'pasted into
the text file specified as it's single required input param
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
FSRVP can possibly return any HRESULT error in addition to it's own
specific errors. This change searches the HRESULT errors for a description
if the error doesn't match any of the known FSRVP ones.
Also removed some errors defined in fsrvp.idl (now that they are defined
in hresult.h)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
error codes & string descriptions are generated from
http://msdn.microsoft.com/en-us/library/cc704587.aspx, additionally there
is a function to return the error description from the error code,
this function will also try to determine the error description
associated with a W_ERROR code translated as a HRESULT.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is the regression test to avoid a repeat of CVE-2013-4496
This includes confirming that badPwdCount is updated on login, not just on first failure
However the badPwdCount is not updated if the account is disabled
Note: that samr_QueryUserInfo return the effective bad_password_count in level
5, 16 and 21, while it returns the raw value in level 3.
(Sadly the s3 code does not do this correctly, so a knownfail is added)
Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 2 19:30:59 CEST 2014 on sn-devel-104
Change-Id: I9529def954521bf8ab05212759a2ef6bbe9913f8
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This matters after the lockout observation period has expired.
Note: that QueryUserInfo level 3 returns the raw badPwdCount value.
Andrew Bartlett
Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The samldb module will handle the verification and magic.
Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
- Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags
(combined with msDS-User-Account-Control-Computed) results in
lockoutTime=0 (implying badPadCount=0).
- We also do more validation of the account type flags now.
Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is only done during a 1 hour allowed period, by default.
We only update bad password count when not one of the last 3 passwords
Andrew Bartlett
Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
To do this, and have the badPwdCount update stick, we must abort,
open, close and reopen transactions such that the badPwdCount update
is in it's own transaction.
To ensure the tests can confirm the correct behaviour here, we must
output the Windows error code in the error message.
Andrew Bartlett
Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows the password_hash code to call the same update routine.
Andrew Bartlett
Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will allow password_hash to call this using dsdb_module_*() functions.
Andrew Bartlett
Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This only changes the log output, the same error is still returned
Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is needed to match Windows behaviour for NTLM logins.
Andrew Bartlett
Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
See [MS-SAMR] 3.1.1.8.3 lockoutTime.
Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This avoids giving away too much information to an attacker.
Andrew Bartlett
Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I291924785b505b26b91152c0c13b4afd4de068a6
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Including a fix by Arvid Requate <requate@univention.de>
Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
