IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Generate sha256 and sha512 password hashes and store them in
supplementalCredentials
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests to verify the generation and storage of sha256 and sha512
password hashes in suplementalCredentials Primary:userPassword
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.
i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests to for the new rounds option for the virtualCryptSHA256 and
virtualCryptSHA512 attributes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add new virtualWDigest attributes, these return the hashes stored in
supplementalCredentials Primary:WDigest, in a form suitable for
htdigest authentication
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add tests for the new virtualWDigest attributes, these return the hashes
stored in supplementalCredentials Primary:WDigest in a form suitable for
use with htdigest authentication.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These previously only ran if the develper was using EXTRA_PYTHON in their
OS environment
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 20 02:26:33 CEST 2017 on sn-devel-144
This ensures that the new "smb2.ioctl.copy-chunk streams" test passes
when run under selftest atop Btrfs.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Fix the null pointer dereference in smbd, introduced in the auth logging
changes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr 28 07:18:54 CEST 2017 on sn-devel-144
Test case to replicate null pointer dereference in smbd, introduced in
the auth logging changes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add a share with "smbd:find async delay usec" set to 10000 and run the
test smb2.compound_find added in the previous commit against this new
share as well.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Prior to this, the modification of lockoutTime triggered referrals.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In this scenario, both the login server and the verification server are
the RODC. This tests that a user is locked out correctly once the
lockout limit is reached and they are also unlocked correctly when the
lockout time period expires.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This tests password fallback to RWDC in preloaded and non-preloaded
cases. It also tests some basic scenarios around what things are
replicated between the two DCs.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Previously, you could add or delete and cause replication conflicts on
an RODC. Modifies are already partly restricted in repl_meta_data and
have more specific requirements, so they cannot be handled here.
We still differ against Windows for modifies of non-replicated
attributes over LDAP.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
The cracknames call is done in the "sam" backend now.
In order to support trusted domains correctly, the backends
need to get the raw values from the client.
This is the important change in order to no longer
silently map users from trusted domains to local users.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.
Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.
If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.
The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:
$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0
On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Remove the failing test from knownfail.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144
Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Add possibility to execute old Python test suites with Python 3
and enable tests with Python 3 of ported samba.gensec module.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Port samba core tests to Python 3 compatible form and enable their
execution with Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Port samba.auth Python module to Python 3 compatible form and
enable tests execution with Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Port tests of samba.dcerpc.misc module to Python 3 compatible form
and enable their execution with Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Nothing uses this, and pyflakes points out it is unusable:
./selftest/client.py:60: undefined name 'prefix_abs'
./selftest/client.py:69: undefined name 'opts'
./selftest/client.py:70: undefined name 'interfaces'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This tests that skipping a SMB2 MID the client's usable MID window is
[unused mid, unused mid + 8192]
The test currently fails against Samba as we only grant up to 512
credits. It passes against Windows 2016 as that grants up to 8192
credits by default.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 4 01:54:07 CET 2017 on sn-devel-144
These tests verify that a server grants at least 8192 credits in a
successfull session setup and in a single SMB2 request. Both tests pass
against Windows 2016 Server but currently fail against Samba.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This just does a lot of packing and unpacking of various structures.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Not used for now, but the next commit will add a test that makes use of
this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Add the test script for traffic_summary.pl, test data in previous
commit.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar 1 09:01:07 CET 2017 on sn-devel-144
Previously, this did nothing and the code was both untested and unused.
Removes the knownfail entry for dbcheck.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
Adds dbcheck 4.5.0pre1 to the knownfail, to be removed later.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12572
Pair-programmed-with: Ralph Boehme <slow@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 16 22:06:51 CET 2017 on sn-devel-144
The previous code assumed that only plain DNs could be linked attributes.
We need to look over the list of attribute values and find the value
that causes this particular backlink to exist, so we can remove it.
We do not know (until we search) of the binary portion, so we must
search over all the attribute values at this layer, using the
parsed_dn_find() routine used elsewhere in this code.
Found attempting to demote an RODC in a clone of a Windows 2012R2
domain, due to the msDS-RevealedUsers attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 14 06:14:35 CET 2017 on sn-devel-144
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
This is the equivalent of vampire_dc, but using a domain functional
level of DS_DOMAIN_FUNCTION_2000.
Using this functional level is useful for tests involving replication
and linked attributes, as they behave differently at it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
The main change is that we return 0 values if DRSUAPI_DRS_GET_NC_SIZE is not
present in order to get the same result as a Windows server in that case.
If DRSUAPI_DRS_GET_NC_SIZE is return the number of links we found so far
during the cycle in addition the number of objects returned in this cycle.
Both values doesn't match what Windows returns, but doing that
correctly and efficient is a task for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
nc_object_count and nc_linked_attributes_count are only filled if
DRSUAPI_DRS_GET_NC_SIZE is requested. And they should contain
the total number. This is only useful for the initial replication.
Samba ignores DRSUAPI_DRS_GET_NC_SIZE currently but that will change in
the following commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox tests that test combinations of
having encryption globally turned off and enabled (desired/required) on
a share.
This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This verifies that clients can still connect with that setting.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
Fails currently, will be made to work in the next commit.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
I can not find anything that uses these in the testsuite
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Jan 22 22:15:01 CET 2017 on sn-devel-144
This option is unused and has not been used since before Samba 4.3
when the source4/ winbindd code went away.
The associated dynconfig parameters used for the default are also removed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10066
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This checks both that illegal NTFS names are still mangled and that long
names have no shortname.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
