IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
I guess that's what we try to test here, as 'use spnego' was only evaluated
on in the smb server part.
The basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This test more operations in the zeroed out FinderInfo test, ensuring
after zeroing out FinderInfo, operations on the filehandle still work
and that enumerating streams doesn't return the stream anymore.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This test suite had a memory impact of around 2.5GB, from built-up LDAP
connection handlers under the standard process model.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jan 9 08:22:27 CET 2018 on sn-devel-144
This test suite had a memory impact of around 2.2GB, from LDAP connection
handlers under the standard process model.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan 8 08:02:15 CET 2018 on sn-devel-144
Over the length of a run of this suite (which runs under the standard process
model), memory usage from LDAP connection handlers reaches 4GB. This patch
reduces it to a manageable amount.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This would have to be retrieved from the interface type we have I guess.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 4 05:08:02 CET 2018 on sn-devel-144
This was part of the previous bugfix for 9632, which has been replaced
by TCP fallback code. We can dig this up from git if needed.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This skips adding the DNS option for a larger UDP packet size than
512. This is a different fix for bug 9632.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 1 19:19:22 CET 2018 on sn-devel-144
`samba-tool [COMMAND] --help` will list sub-commands of COMMAND
(or top-level commands if COMMAND is omitted). This ensures that
`samba-tool COMMAND SUBCOMMAND --help` works for all the commands
found in the help tree.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This demonstrates the interaction of NT_STATUS_NETWORK_SESSION_EXPIRED
and various SMB2 opcodes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Next will be a test which compares the current run of the script against
this reference provision.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is sourced from the WindowsServerDocs repository on Github under an
MIT/CC 4.0 attribution license. A huge thanks is required for these
being provided and the work done in the process, as they mean a lot less
work for us to repeat.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Operation 77: {82112ba0-7e4c-4a44-89d9-d46c9612bf91}
- Create the CN=PSPs,CN=System object
Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}
- Create the CN=Managed Service Accounts object
Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}
- Add otherWellKnownObject link for CN=Managed Service Accounts
Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With the update to the newer version of the 2008 R2 schemas, the files
were not available on install.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba3.rpc.samba3.netlogon is using get_myname to find a username with which to
perform a join. This means that the test tries to join with the existing
localnt4dc2 user, which happens to work if get_myname is working
correctly (which it isn't -- see next commit about NSS_WRAPPER_HOSTNAME!)
This commit fixes a test run with, for example:
TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
(given samba3.blackbox.smbclient_ntlm.plain is in the nt4_member env)
...which previously failed due to the combination of this and the
NSS_WRAPPER_HOSTNAME bug.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Commit 8736013dc4 got the (confusing) sense of opt_fork
wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute. This is not as efficient as a base DN lookup, so we try for
that first.
A not-found and wildcard response will still fall back to the ONELEVEL
index.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This query is made for every record returned via BIND9 DLZ.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(the RDN, being 'dc' in this use case, does not have an index in
the AD schema).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13191
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 08:49:57 CET 2017 on sn-devel-144
Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.
Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Encrypt the samba secret attributes on disk. This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.
Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.
Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests to check that the encrypted_secrets module encrypts
secrets/sensitive attributes on disk.
This test also proves that the provision and join operations correctly
configure the encrypted_secrets module.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Obtained under the Open Protocols Specifications licence from
https://www.microsoft.com/en-us/download/details.aspx?id=23782
These are more complete than the version we have had in the tree until now.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This number had been mistakenly updated alongside the standard forest
updates revision. This version number appears to be independent of the
other revision levels.
Also add the change to a new .ldf file, which can be used to apply
the schema change to an existing Samba 4.7 (or earlier) instance.
Update the provision/upgrade test to do just this (otherwise it
complains about differences between a new provision and an older Samba
4.0.0 instance).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The adprep LDIF files were adding the systemFlags, but they weren't
present in the 2012 schema files. This is not just a Microsoft
documentation problem - the difference was present when doing a provision
of a 2012 Windows server vs using Adprep.exe to upgrade an older Windows
server.
Samba might as well use the correct systemFlags right from the start.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).
Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.
It seems to make most sense to leave this tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To match Windows 2008R2, this should have the same flags as the
recycle bin enabled feature.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We appear to have been missing some extended rights from 2008R2. These were
added in samba by the extended-rights.ldif
On Windows this was in Sch45.ldf (triggered by adprep schema updates).
We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.
This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.
Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
