IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Test that NTLM and SAMR password changes cannot be used for Protected
Users, and that lockouts are not triggered for attempting to use them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This method encrypts a samr_Password structure with the current session
key, which allows for interactive SamLogon from Python.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Replicating test accounts to the RODC and then deleting them caused
stale msDS-RevealedUsers links to remain in the database.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This prevents problems if accounts are added as children of other
accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This code can be made part of the previous 'else' branch.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184
Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
It's not necessary to repeat the required environment variables for
every test.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Change the values to match those used by Windows.
Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is to prepare for the SDDL string being removed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is to prepare for changing the SDDL string values.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is simple, explainable and secure.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184
This allows Samba as an AD DC (compared with the fileserver/NT4-like DC mode) to match
windows and refuse all LM passwords, no matter what.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Not all cases are covered, but this much covers the areas that Samba and Win19
will agree on.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is important to allow, after other changes, for the Samba AD DC to again
pass rpc.samr after the removal of LM hash support from the DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The removal of LM hash storage changes the expected metadata.
We do not need to track these values exactly to prove the
behaviour here.
This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.
However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.
Samba's behaviour is different to that seen by Metze on windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept. We in Samba choose to differ, not storing an
ambiguous LM hsitory (of "" values likely), so allowing any version
for these two attributes is the sensible choice.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This means Samba will essentially ignore this attribute, not even attempting
to read it from the AD DC sam.ldb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We now only change passwords based on the NT hash.
This means we no longer support samr_OemChangePasswordUser2()
and we do not check the LM verifier din samr_ChangePasswordUser3()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This still passes in the value in the LM field for checking
in case it is an NT response or LMv2.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
LM authentication is very weak and a very bad idea, so has been deprecated since
Samba 4.11.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We no longer generate nor store the LM hash in the Samba AD DC.
This adds much to the knownfail, some future commits will trim this
back down by making the tests understand that the server will not
support or store the LM hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We no longer use the old NT and LM hash as proof of performing a
password change, and this removes the privileged status of these
attributes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This makes it clearer that the purpose of this control is to indicate that the password
was already checked (by an out-of-band mechanism, eg kpasswd) and so can safely be changed
subject to ACLs etc.
This essentially reverts bbb9dc806e4399c65dee9b5dc2cde0bfaa9609bd
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This returns the API for password changes via (eg) kpasswd to the
previous design as at 7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8
where a control but no partiuclar values were specified.
This avoids the issues that were attempted to be addressed between
7eebcebbab8f62935bd1d5460e58b0a8f2cc30e8 and 786c41b0954b541518d1096019e1ce7ca11e5e98
by still keeping the ACL check from 23bd3a74176be4a1f8d6d70b148ababee397cf8c.
The purpose of this change is to move away from the NT hash (unicodePwd) being
the primary password in Samba, to allow installations to operate without this
unsalted hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The s4member test environment is a historical artifact, provisioned like an
AD DC using sam.ldb and joined using the historical S4 join code.
Once running however it is nothing particualr special in winbindd, so
there is no need to run the tests against ad_member and s4member.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Running these tests twice is a waste (sorry, thas was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaivour against the AD DC compared to the NT4 DC.
To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c
The two blocks (for rpc.lsa and rpc.lsa.*) are because the rpc.lsa.*
subtests were not previously run under ncacn_ip_tcp: and this is the
minimal change.
The output is:
--- /tmp/3 2022-02-12 14:01:50.435761067 +1300
+++ /tmp/now 2022-02-12 14:01:37.427595351 +1300
@@ -13,9 +13,8 @@
2 rpc.lsa-getuser on ncalrpc with validate.
2 rpc.lsa-getuser with bigendian.
2 rpc.lsa-getuser with seal,padcheck.
2 rpc.lsa-getuser with validate.
- 2 rpc.lsa.lookupnames.
2 rpc.lsa.lookupnames with .
2 rpc.lsa.lookupnames with bigendian.
2 rpc.lsa.lookupnames with validate.
2 rpc.lsalookup on ncacn_ip_tcp with bigendian.
@@ -26,9 +25,8 @@
2 rpc.lsalookup on ncacn_np with validate.
2 rpc.lsalookup on ncalrpc with bigendian.
2 rpc.lsalookup on ncalrpc with seal,padcheck.
2 rpc.lsalookup on ncalrpc with validate.
- 2 rpc.lsa.lookupsids.
2 rpc.lsa.lookupsids with .
2 rpc.lsa.lookupsids with bigendian.
2 rpc.lsa.lookupsids with validate.
2 rpc.lsalookup with bigendian.
@@ -42,15 +40,11 @@
2 rpc.lsa on ncacn_np with validate.
2 rpc.lsa on ncalrpc with bigendian.
2 rpc.lsa on ncalrpc with seal,padcheck.
2 rpc.lsa on ncalrpc with validate.
- 2 rpc.lsa over ncacn_ip_tcp .
- 2 rpc.lsa over ncacn_np .
- 2 rpc.lsa.privileges.
2 rpc.lsa.privileges with .
2 rpc.lsa.privileges with bigendian.
2 rpc.lsa.privileges with validate.
- 2 rpc.lsa.secrets.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=no --option=clientntlmv2auth=yes.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes.
2 rpc.lsa.secrets on ncacn_np with with -k no --option=clientusespnego=yes --option=clientntlmv2auth=yes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Running these tests twice is a waste (sorry, thas was my choice when
merging s3 and s4 to just run all the tests against the AD DC) and
more importantly means that tests are run in "samba3" mode against
the AD DC, making it difficult to change the tests to expect a different
behaivour against the AD DC compared to the NT4 DC.
To assure that we have not lost tests, I ran:
grep command st/subunit | grep ad_dc| cut -f 2 -d\" | cut -f 2- -d. | sort | uniq -c
The output is:
--- /tmp/2 2022-02-11 21:00:54.033610748 +1300
+++ /tmp/now 2022-02-11 21:01:13.849823721 +1300
@@ -1,32 +1,21 @@
- 2 rpc.samr.
- 2 rpc.samr.handletype.
2 rpc.samr.handletype with .
2 rpc.samr.handletype with bigendian.
2 rpc.samr.handletype with validate.
- 2 rpc.samr.large-dc.
2 rpc.samr.large-dc on ncacn_np with .
- 2 rpc.samr.machine.auth.
2 rpc.samr.machine.auth with .
2 rpc.samr.machine.auth with bigendian.
2 rpc.samr.machine.auth with validate.
2 rpc.samr on ncacn_np with .
- 2 rpc.samr.passwords.
- 2 rpc.samr.passwords.badpwdcount.
2 rpc.samr.passwords.badpwdcount on ncacn_np with .
2 rpc.samr.passwords.lockout on ncacn_np with .
2 rpc.samr.passwords on ncacn_np with .
- 2 rpc.samr.passwords.pwdlastset.
2 rpc.samr.passwords.pwdlastset on ncacn_np with .
2 rpc.samr.passwords.validate on ncacn_ip_tcp with bigendian.
2 rpc.samr.passwords.validate on ncacn_ip_tcp with seal,padcheck.
2 rpc.samr.passwords.validate on ncacn_ip_tcp with validate.
- 2 rpc.samr.passwords.validate over ncacn_ip_tcp .
- 2 rpc.samr.priv.
2 rpc.samr.priv with .
2 rpc.samr.priv with bigendian.
2 rpc.samr.priv with validate.
- 2 rpc.samr.users.
2 rpc.samr.users on ncacn_np with .
- 2 rpc.samr.users.privileges.
2 rpc.samr.users.privileges on ncacn_np with .
4 tests.dcerpc.samr_change_password.
It is clear that the tests are all still being run at least once against the AD DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows a knownfail entry to be written for this test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This testsuite can otherwise fail with an error, which cannot be covered with
a knownfail.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
In Python 3, sorted() does not take a 'cmp' parameter, so we need to use
the 'key' parameter instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184
SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the one in
gp_create_gpt_security_descriptor().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
