1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

30814 Commits

Author SHA1 Message Date
Andreas Schneider
5de011be3f s4-torture: Remove socket_wrapper testsuite.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
2522bb8090 selftest: Rename WINBINDD_SOCKET_DIR environment variable.
It is very confusing if the env var uses the same name as the define in
the source code. So prefix it with SELFTEST.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
b2163f23c0 Remove special nss_wrapper code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
f95e86828a s4-torture: Remove nss_wrapper testsuite.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Andreas Schneider
28b87dd75e s4-ntfs: Improve uid check in wrapper mode.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:05 +02:00
Andreas Schneider
6d23354f72 lib: Change uid_wrapper to preloadable version.
This imports version 1.0.1 of uid_wrapper.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:05 +02:00
Björn Baumbach
fae7e5d771 lib-util: rename memdup to smb_memdup and fix all callers
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-04-16 20:39:08 +02:00
Andrew Bartlett
d7ce127de9 auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c
The comments indicate that this was needed for HP-UX at one point, but
the configure code was never ported to WAF.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
2014-04-15 12:32:09 +02:00
Andrew Bartlett
634cc8fdff auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.c
This code is dead since the move to the WAF build system, but was set
for HP-UX 9, 10 and 11 in the autoconf build system.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
6e8eb60545 auth: Remove linux_bigcrypt support from pass_check.c
This is dead code, and probably has been for quite some time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
e731655f09 auth: Remove support for plaintext auth on systems that use getprpwnam()
The WAF build does not have the code to detect getprpwnam, so this is
dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
3fa67e6346 auth: Remove afs_auth() from pass_check.c and s4's auth_unix
The waf build does not have code to detect support for AFS plaintext
authentication, so this is dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Andrew Bartlett
94f0716fff auth: Remove dfs_auth() from pass_check.c and s4's auth_unix
The waf build has no logic to detect DCE/DFS, so this plaintext
authentication mechanism is dead code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-15 10:13:12 +02:00
Jeroen Dekkers
3b82b6f531 Do not install smbclient4 and nmblookup4
Change-Id: I2d91d9c9faa2df084321d10fbdc948acbd2bb735
Signed-off-by: Jeroen Dekkers <jeroen@dekkers.ch>
Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Tue Apr 15 03:25:13 CEST 2014 on sn-devel-104
2014-04-15 03:25:13 +02:00
Jelmer Vernooij
e0cddcd5c4 Typo: s/preceeded/preceded/
Caught by lintian, the Debian package linter :)

Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227
Reviewed-on: https://gerrit.samba.org/216
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104
2014-04-14 03:51:15 +02:00
Andrew Bartlett
88ba81140e s4-wbclient: Fix wbc_sids_to_xids to correctly indicate the length of the SID list
This uses the fact that we know the end of the string in p to avoid
needing a strlen() call.  Otherwise the winbindd validation that the
extra_data is terminated may fail, if the un-initiliased memory is not
zero.

Andrew Bartlett

Change-Id: I9b28068e4fbd3754c8d14724af93638d657810dd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr  9 18:26:40 CEST 2014 on sn-devel-104
2014-04-09 18:26:40 +02:00
David Disseldorp
1e1b7b1021 torture: add local verification trailer parsing test
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr  9 03:44:15 CEST 2014 on sn-devel-104
2014-04-09 03:44:15 +02:00
Andrew Bartlett
9d91f01b7b s4-wbclient: Cope with winbind returning an error
Change-Id: I8eaf858f9e9e55eec20aa2c585db5459fb73b887
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr  8 12:53:13 CEST 2014 on sn-devel-104
2014-04-08 12:53:13 +02:00
Noel Power
32b35b8d92 script to generate content for libcli/util/nterr.c & libcli/util/ntstatus.h
A ropey script to generate some missing NT_STATUS error codes and
and descriptions. The script generates ntstatus.c & ntstatus.h
whose contents are used to extend the existing contents of
libcli/util/nterr.c & libcli/util/ntstatus.h

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  2 22:40:06 CEST 2014 on sn-devel-104
2014-04-02 22:40:06 +02:00
Noel Power
4f9dd94819 script to generate libcli/util/hresult.c & libcli/util/hresult.h
This hacky script was used to generate the contents of libcli/util/hresult.c
& libcli/util/hresult.h. It expects the table contents of
http://msdn.microsoft.com/en-us/library/cc704587.aspx cut'n'pasted into
the text file specified as it's single required input param

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 20:25:07 +02:00
Noel Power
57a4319baa Allow FSRVP access generic HRESULT error message descriptions
FSRVP can possibly return any HRESULT error in addition to it's own
specific errors. This change searches the HRESULT errors for a description
if the error doesn't match any of the known FSRVP ones.
Also removed some errors defined in fsrvp.idl (now that they are defined
in hresult.h)

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 20:25:07 +02:00
Andrew Bartlett
85f57ebda3 torture-samr: Add testing of account lockout and password change behaviour
This is the regression test to avoid a repeat of CVE-2013-4496

This includes confirming that badPwdCount is updated on login, not just on first failure

However the badPwdCount is not updated if the account is disabled

Note: that samr_QueryUserInfo return the effective bad_password_count in level
5, 16 and 21, while it returns the raw value in level 3.

(Sadly the s3 code does not do this correctly, so a knownfail is added)

Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr  2 19:30:59 CEST 2014 on sn-devel-104
2014-04-02 19:30:59 +02:00
Andrew Bartlett
6a4bedd36a torture-samr: Add test for lockout with and without a password history
Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:48 +02:00
Andrew Bartlett
3c731783e0 torture-samr: Improve rpc.samr.passwords.badpwdcount test
Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:48 +02:00
Andrew Bartlett
e266f610db selftest: Add test for password lockout
Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:48 +02:00
Andrew Bartlett
05c2f83f26 dsdb: Allow SAMR server to return the computed, not actual badPwdCount
This matters after the lockout observation period has expired.

Note: that QueryUserInfo level 3 returns the raw badPwdCount value.

Andrew Bartlett

Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
6ac62b3000 s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
The samldb module will handle the verification and magic.

Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
50b9748fc5 s4:dsdb/samldb: rework samldb_user_account_control_change()
- Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags
  (combined with msDS-User-Account-Control-Computed) results in
  lockoutTime=0 (implying badPadCount=0).

- We also do more validation of the account type flags now.

Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
245d0f1b3d s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"!

Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
a6b82ee197 s4-samr: Escape the username in the LDAP filter
Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
f557f82acc s4-auth: Support password history correctly, including allowing NTLM logins using the old password
This is only done during a 1 hour allowed period, by default.

We only update bad password count when not one of the last 3 passwords

Andrew Bartlett

Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
afdd5fbd51 dsdb: check type with talloc_get_type_abort in samdb_set_password
Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
c91823028f dsdb: Implement password lockout on LDAP password changes
To do this, and have the badPwdCount update stick, we must abort,
open, close and reopen transactions such that the badPwdCount update
is in it's own transaction.

To ensure the tests can confirm the correct behaviour here, we must
output the Windows error code in the error message.

Andrew Bartlett

Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
8a89f7f4bc dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
This allows the password_hash code to call the same update routine.

Andrew Bartlett

Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
26c0eb623f auth: Split out badPwdCount update into a helper function
This will allow password_hash to call this using dsdb_module_*() functions.

Andrew Bartlett

Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
752b817365 kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
997e120f66 kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
10cbd5e430 kdc: Set flags.locked_out on a locked-out user.
This only changes the log output, the same error is still returned

Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
d202191f9c heimdal: Only indicate successful authentication after successful authz
This is needed to match Windows behaviour for NTLM logins.

Andrew Bartlett

Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
580a705b83 heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
30bae40947 heimdal: Do not attempt password authentication for locked out accounts
Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
7e653f5ae2 s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Stefan Metzmacher
1a483a8b4b s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0
See [MS-SAMR] 3.1.1.8.3 lockoutTime.

Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
3ed55210ff dsdb: collapse wrong password and no-password-hash errors into one handler
This avoids giving away too much information to an attacker.

Andrew Bartlett

Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
2dd71de11a dsdb: Add samdb_result_passwords_from_history helper function
Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
0f3dd921b3 s4-auth: Rework memory handling to use a tmp_ctx
Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:47 +02:00
Andrew Bartlett
526f98308a dsdb: give a better error message and return code on failed password change
Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
3f07737fd4 s4:auth: Add password lockout support to the AD DC
Including a fix by Arvid Requate <requate@univention.de>

Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
a0de929009 dsdb: Put password lockout support in samdb_result_passwords()
This seems to be the best choke point to check for locked out
accounts, as aside from the KDC, all the password authentication and
change callers use it.

Andrew Bartlett

Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00
Andrew Bartlett
6f8fb163e0 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
This allows us to avoid the domain lookup in the constructed attribute
when not required.

By using msDS-User-Account-Control-Computed the lockout and password
expiry checks are now handled in the operational ldb module.

Andrew Bartlett

Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-02 17:12:46 +02:00