1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

112060 Commits

Author SHA1 Message Date
Andreas Schneider
5319cae000 selftest: Add a user with a different userPrincipalName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:36 +02:00
Andreas Schneider
4fa811ec7b nsswitch: Lookup the domain in tests with the wb seperator
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:36 +02:00
Andreas Schneider
0aceca6a94 nsswitch: Add a test looking up domain sid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:36 +02:00
Andreas Schneider
0d2f743d82 nsswitch: Add a test looking up the user using the upn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:36 +02:00
Andreas Schneider
9bc2b922bb selftest: Make sure we have correct group mappings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13369

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-05-11 09:07:36 +02:00
Tim Beale
569937b800 tests: Add tests for samba-tool passwordsettings commands
I've added a test case for 'samba-tool domain passwordsettings set/show'
to prove I haven't broken it. It's behaviour shouldn't have changed, but
there was no test for it previously.

We'll extend these tests in the very near future, when we add samba-tool
support for managing PSOs.

The base samba_tool test's runsubcmd() only handled commands with
exactly one sub-command, i.e. it would handle the command 'samba-tool
domain passwordsettings' OK, but not 'samba-tool domain passwordsettings
set' (The command still seemed to run OK, but you wouldn't get the
output/err back correctly). A new runsublevelcmd() function now handles
a varying number of sub-commands.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri May 11 09:06:10 CEST 2018 on sn-devel-144
2018-05-11 09:06:10 +02:00
Tim Beale
7255e0ced3 netcmd: Split 'domain passwordsettings' into a super-command
The show and set options are not really related to each other at all, so
it makes sense to split the code into 2 separate commands.

We also want to add separate sub-commands for PSOs in a subsequent
patch.

Because of the way the sub-command was implemented previously, it meant
that you could specify other command-line options before the 'set' or
'show' keyword, and the command would still be accepted. However, now
that it's a super-command 'set'/'show' needs to be specified before any
additional arguments, so we need to update the test code to reflect
this.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
0da9dbbf5a netcmd: Small tweak to retrieving pwdProperties
Currently the 'samba-tool domain passwordsettings' command shares a
'set' and 'show' option, but there is very little common code between
the two. The only variable that's shared is pwd_props, but there's a
separate API we can use to get this. This allows us to split the command
into a super-command in a subsequent patch.

Fixed up erroneous comments while I'm at it.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
8a105af76c dsdb: Split out construct_generic_token_groups() so we can reuse it
construct_generic_token_groups() currently works out the entire group
membership for a user, including the primaryGroupID. We want to do the
exact same thing for the msDS-ResultantPSO constructed attribute.
However, construct_generic_token_groups() currently adds the resulting
SIDs to the LDB search result, which we don't want to do for
msDS-ResultantPSO.

This patch splits the bulk of the group SID calculation work out into
a separate function that we can reuse for msDS-ResultantPSO. basically
this is just a straight move of the existing code. The only real change
is the TALLOC_CTX is renamed (tmp_ctx --> mem_ctx) and now passed into
the new function (so freeing it if an error conditions is hit is now
done in the caller).

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
fcdb935e37 dsdb: Use attribute-name parameter for error message
We'll reuse this code for working out the msDS-ResultantPSO, so
references to 'tokenGroups' in error messages would be misleading.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
823dec9d16 tests: Add a test case for msDS-PasswordReversibleEncryptionEnabled
Add a test for the 'msDS-PasswordReversibleEncryptionEnabled' attribute
on the PSO. The Effective-PasswordReversibleEncryptionEnabled is
based on the PSO setting (if one applies) or else the
DOMAIN_PASSWORD_STORE_CLEARTEXT bit for the domain's pwdProperties.
This indicates whether the user's cleartext password is to be stored
in the supplementalCredentials attribute (as 'Primary:CLEARTEXT').

The password_hash tests already text the cleartext behaviour, so I've
added an additional test case for PSOs. Note that supplementary-
credential information is not returned over LDAP (the password_hash
test uses a local LDB connection), so it made more sense to extend
the password_hash tests than to check this behaviour as part of the
PSO tests (i.e. rather than in password_settings.py).

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
17d8d475e5 tests: Add test for password-lockout via SAMR RPC
The existing password_lockout tests didn't check for changing the
password via the SAMR password_change RPC. This patch adds a test-case
for this, using the default domain lockout settings (which passes), and
then repeats the same test using a PSO (which fails).

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
f94f472830 tests: Add PSO test case to existing password_lockout tests
This checks that the lockout settings of the PSO take effect when one is
applied to a user. Import the password_settings code to create/apply a
PSO with the same lockout settings that the test cases normally use.
Then update the global settings so that the default lockout settings are
wildly different (i.e. so the test fails if the default lockout settings
get used instead of the PSO's).

As the password-lockout tests are quite slow, I've selected test cases
that should provide sufficient PSO coverage (rather than repeat every
single password-lockout test case in its entirety).

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:24 +02:00
Tim Beale
f5d67c10c0 tests: Add comments to help explain password_lockout tests
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:23 +02:00
Tim Beale
78ebfcfa86 tests: Add tests for Password Settings Objects
a.k.a Fine-Grained Password Policies

These tests currently all run and pass gainst Windows, but fail against
Samba. (Actually, the permissions test case passes against Samba,
presumably because it's enforced by the Schema permissions).

Two helper classes have been added:
- PasswordSettings: creates a PSO object and tracks its values.
- TestUser: creates a user and tracks its password history
This allows other existing tests (e.g. password_lockout, password_hash)
to easily be extended to also cover PSOs.

Most test cases use assert_PSO_applied(), which asserts:
- the correct msDS-ResultantPSO attribute is returned
- the PSO's min-password-length, complexity, and password-history
settings are correctly enforced (this has been temporarily been hobbled
until the basic constructed-attribute support is working).

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:23 +02:00
Tim Beale
d0a9e19114 tests: Split out setUp code into separate function for reuse
Any test that wants to change a password has to set the dSHeuristics
and minPwdAge first in order for the password change to work. The code
that does this is duplicated in several tests. This patch splits it out
into a static method so that the code can be reused rather than
duplicated.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:23 +02:00
Tim Beale
597428943b tests: Move repeated code into a helper function
Several tests hang all the objects they create off a unique OU.
Having a common OU makes cleanup easier, and having a unique OU (i.e.
adding some randomness) helps protect against one-off test failures
(Replication between testenvs is happening in the background.
Occasionally, when a test finishes on one testenv and moves onto the
next testenv, that testenv may have received the replicated test
objects from the first testenv, but has not received their deletion
yet).

Rather than copy-n-pasting this code yet again, split it out into a
helper function.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
2018-05-11 06:01:23 +02:00
Christof Schmitt
b07b4e459e loadparm: Remove unused realm_original
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 10 22:47:15 CEST 2018 on sn-devel-144
2018-05-10 22:47:15 +02:00
Gary Lockyer
01fab30a97 samdb: Add transaction id control
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
5c0345ea9b samdb: Add remote address to connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
daa7b60a60 dsdb: pass the remote address to samdb connect
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
8cf4e54696 auth logging tests: Clean up flake8 warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
fdf827553a auth logging tests: Add tests for sessionId
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:23 +02:00
Gary Lockyer
52a3318be8 auth log: Log the unique session GUID
Log the unique_session_token GUID on successful Authorizations.
This patch adds the "sessionID" attribute to the Authorization object
and increments the version to 1.1

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:22 +02:00
Gary Lockyer
1488723a11 auth: Add unique session GUID identifier
Generate a GUID for each successful authorization, this will allow the
tying of events in the logs back to a specific session.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:22 +02:00
Gary Lockyer
79ba530aaf dsdb: refactor password attibutes to constant
The password attributes are defined as literal in two places in the
password_hash code.  They will also be needed to support password change
logging. This patch replaces the individual definitions with a shared
constant.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-05-10 20:02:22 +02:00
Jeremy Allison
52dc959bb2 s3: smbd: Remove unused counters for outstanding aio calls.
Only a debug message used this.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May  9 22:24:38 CEST 2018 on sn-devel-144
2018-05-09 22:24:38 +02:00
David Disseldorp
f0e6453b04 vfs_ceph: add fake async pwrite/pread send/recv hooks
As found by Jeremy, VFS modules that don't provide pread_send() or
pwrite_send() hooks result in vfs_default fallback, which is
catastrophic for VFS modules with non-mounted filesystems such as
vfs_ceph.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13425

Reported-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-05-09 19:30:15 +02:00
Ralph Boehme
bc2beedfa2 libcli: remove unused se_create_child_secdesc_buf()
Commit e2c9ad93cb removed the last caller
of this.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May  9 19:18:44 CEST 2018 on sn-devel-144
2018-05-09 19:18:43 +02:00
Simo Sorce
4b793d9764 Fix Jean François name to be UTF-8
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed May  9 10:38:57 CEST 2018 on sn-devel-144
2018-05-09 10:38:57 +02:00
Andrew Bartlett
ba33d90ed6 ldb: Ensure we can open a new LDB after a fork()
Based on work for an mdb-specific test by Gary Lockyer

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May  9 07:27:24 CEST 2018 on sn-devel-144
2018-05-09 07:27:24 +02:00
Andrew Bartlett
f891b8dc32 ldb: Add tests for ldb_tdb use after a fork()
We need to show that despite the internal cache of TDB pointers that it
is safe to open a ldb_tdb after a fork()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-09 04:29:48 +02:00
Andrew Bartlett
2136664941 ldb_tdb: Allow use of a TDB for ldb_tdb after as fork()
Otherwise we rely on the caller doing tdb_reopen_all() which should
not be their job.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-09 04:29:48 +02:00
Andrew Bartlett
3b06915663 ldb: Reset errno before checking it in ltdb_connect()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-09 04:29:48 +02:00
Gary Lockyer
daf79e5b35 ldb/tests: add tests for transaction_{start,commit}/lock_read across forks
(Split from a larger commit by Andrew Bartlett)

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-09 04:29:48 +02:00
Andrew Bartlett
1174b52b91 ldb_tdb: Prevent ldb_tdb reuse after a fork()
We may relax this restriction in the future, but for now do not assume
that the caller has done a tdb_reopen_all() at the right time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-05-09 04:29:48 +02:00
Vandana Rungta
4e78aeedb8 s3: VFS: Fix memory leak in vfs_ceph.
Centralize error handling.

https://bugzilla.samba.org/show_bug.cgi?id=13424

Signed-off-by: Vandana Rungta <vrungta@amazon.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May  9 04:28:11 CEST 2018 on sn-devel-144
2018-05-09 04:28:11 +02:00
Volker Lendecke
233d22138b samba-tool: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May  8 23:48:07 CEST 2018 on sn-devel-144
2018-05-08 23:48:07 +02:00
Amitay Isaacs
2073fd0956 third_party: Update popt to 1.16 release
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May  8 12:55:04 CEST 2018 on sn-devel-144
2018-05-08 12:55:04 +02:00
Volker Lendecke
df16777ce4 dsdb: Fix CID 1435453 Null pointer dereferences
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-05-08 10:03:16 +02:00
Douglas Bagnall
2073635d58 traffic: ensure we are using the same division in py 2 and 3
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Sat May  5 07:25:13 CEST 2018 on sn-devel-144
2018-05-05 07:25:13 +02:00
Douglas Bagnall
cb40e2bbc8 autobuild: do not try to send email to no recipient
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
406284be95 samba_kcc: remove an unused variable
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
2c6cac990e sambatool tests: make assertMatch use assertIn
With a note to tidy this up at some point

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
ac053b1493 .gitignore .agignore
.agingore is used by "the silver searcher", ag, which is a form of
grep with more useful defaults and prettier colours for searching
source trees.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
e6669d1264 gitignore .gdb_history anywhere in the tree
For when you run gdb in places like lib/ldb/ and it decides to leave
behind a history file.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
6b7494f5e7 perftest: ad_dc_medley failing base search failed to catch exception
This meant it only happened once.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
4eeb43d06c autobuild: add compiler version to results tarball
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
f94c9a1357 auth/ntlmssp_client: correct spelling of response
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00
Douglas Bagnall
a66f941619 auth/pycredentials: correct spelling of reponse
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-05-05 04:32:42 +02:00