IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is more generic and matches all other places.
As this is only used in the KDC it's not a real logic change.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lastLogon is supposed to be updated for every interactive or kerberos
login, and (according to testing against Windows2012r2) when the bad
password count is non-zero but the lockout time is zero. It is not
replicated.
lastLogonTimestamp is updated if the old value is more than 14 -
random.choice([0, 1, 2, 3, 4, 5]) days old, and it is replicated. The
14 in this calculation is the default, stored as
"msDS-LogonTimeSyncInterval", which we offer no interface for
changing.
The authsam_zero_bad_pwd_count() function is a convenient place to
update these values, as it is called upon a successful logon however
that logon is performed. That makes the function's name inaccurate, so
we rename it authsam_logon_success_accounting(). It also needs to be
told whet5her the login is interactive.
The password_lockout tests are extended to test lastLogon and
lasLogonTimestamp.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
This new helper function will also be used by pdb_samba_dsdb.
Change-Id: I008af94a0822012c211cfcc6108a8b1285f4d7c7
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is only done during a 1 hour allowed period, by default.
We only update bad password count when not one of the last 3 passwords
Andrew Bartlett
Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This allows the password_hash code to call the same update routine.
Andrew Bartlett
Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will allow password_hash to call this using dsdb_module_*() functions.
Andrew Bartlett
Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Including a fix by Arvid Requate <requate@univention.de>
Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows us to avoid the domain lookup in the constructed attribute
when not required.
By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.
Andrew Bartlett
Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.
Change-Id: Id1b540cde127395a7b27385a7c0fe79f3a145c73
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Following the current coding guidelines, it is considered bad practice to return from
within a macro and change control flow as they look like normal function calls.
Change-Id: I133eb5a699757ae57b87d3bd3ebbcf5b556b0268
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.
(this meant moving some parts out of the auth_sam code into the
containing library)
Andrew Bartlett
This isn't quite as good as using tokenGroups, but that is only
available for BASE searches, and this isn't how the all the callers
work at the moment.
Andrew Bartlett
The precision (maximum numbers of characters) should be enough.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Dec 3 10:26:39 CET 2010 on sn-devel-104
This can be expected (think at a membership of a "groupOfNames" group) and we
shouldn't blame about it.
This fixes a bug reported on the technical mailing list.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Thu Dec 2 17:17:56 CET 2010 on sn-devel-104
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add. So, we can't short-circuit the operation just because we found
the domain group.
Andrew Bartlett
The group list in the PAC does not include 'enterprise DCs' and
BUILTIN groups, so we should generate it on each server, not in the
list we pass around in the PAC or SamLogon reply.
Andrew Bartlett
