IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This checks that the lockout settings of the PSO take effect when one is
applied to a user. Import the password_settings code to create/apply a
PSO with the same lockout settings that the test cases normally use.
Then update the global settings so that the default lockout settings are
wildly different (i.e. so the test fails if the default lockout settings
get used instead of the PSO's).
As the password-lockout tests are quite slow, I've selected test cases
that should provide sufficient PSO coverage (rather than repeat every
single password-lockout test case in its entirety).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
a.k.a Fine-Grained Password Policies
These tests currently all run and pass gainst Windows, but fail against
Samba. (Actually, the permissions test case passes against Samba,
presumably because it's enforced by the Schema permissions).
Two helper classes have been added:
- PasswordSettings: creates a PSO object and tracks its values.
- TestUser: creates a user and tracks its password history
This allows other existing tests (e.g. password_lockout, password_hash)
to easily be extended to also cover PSOs.
Most test cases use assert_PSO_applied(), which asserts:
- the correct msDS-ResultantPSO attribute is returned
- the PSO's min-password-length, complexity, and password-history
settings are correctly enforced (this has been temporarily been hobbled
until the basic constructed-attribute support is working).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Here we simply forward everything without alteration (the same struct is
returned). This helps us to fix the case where the DC does not exist in
the target site, furthermore, this is supposed to work for trusted
domains.
In calling out to winbind, we now also notice if you provide a site
which exists in multiple domains and provide the correct domain (instead
of accidentally returning ourselves).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will test the winbind forwarding to deal with sites that the target
DC does not exist in.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps us remove the write to the database from the (soon to be
read locked) init code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This avoids starting a transaction in schema_load_init() and allows it
to operate with a read lock held, which will avoid locking issues
(deadlock detected due to lock odering if we do not have a global
read lock).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13379
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This check would pass if the dSHeuristics was treated as always being
000000000 for searches which is not enough, we must check for a value
of 000000001 (userPassword enabled).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The net result of this is only that userPassword values (which were
world readable when set) would still be visible after userPassword
started setting the main DB password.
In AD, those values become hidden once the dSHeuristics bit is set,
but Samba lost that when fixing a performance issue with
f26a2845bd42e580ddeaf0eecc9b46b823a0c6bc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13378
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This uses the underlying function in kcc_utils.py which already has
tests.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This fails currently as we don't expand groups on the trust boundary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This implements the handling for FPO-enabled attributes, see
[MS-ADTS] 3.1.1.5.2.3 Special Classes and Attributes:
FPO-enabled attributes: member, msDS-MembersForAzRole,
msDS-NeverRevealGroup, msDS-NonMembers, msDS-RevealOnDemandGroup,
msDS-ServiceAccount.
Note there's no msDS-ServiceAccount in any schema (only
msDS-HostServiceAccount and that's not an FPO-enabled attribute
at least not in W2008R2)
msDS-NonMembers always generates NOT_SUPPORTED against W2008R2.
See also [MS-SAMR] 3.1.1.8.9 member.
We now create foreignSeurityPrincipal objects on the fly (as needed).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
[MS-ADTS] 3.1.1.5.2.3 Special Classes and Attributes claims:
FPO-enabled attributes:
member, msDS-MembersForAzRole, msDS-NeverRevealGroup,
msDS-NonMembers, msDS-RevealOnDemandGroup, msDS-ServiceAccount.
'msDS-NonMembers' always generates NOT_SUPPORTED.
'msDS-ServiceAccount' is not defined in any schema
(only msDS-HostServiceAccount).
'msDS-HostServiceAccount' is not an FPO-enabled attribute
and behaves as the 'manager' attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
It's important to have them separated from make_{server,session}_info_guest(),
because there's a fundamental difference between anonymous (the client requested
no authentication) and guest (the server lies about the authentication failure).
When it's really an anonymous connection, we should reflect that in the
resulting session info.
This should fix a problem where Windows 10 tries to join
a Samba hosted NT4 domain and has SMB2/3 enabled.
We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
for true anonymous connections.
The commit message from a few commit before shows the resulting
auth_session_info change.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
It turns out that an empty domain name maps to the local SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
Confirmed to pass against Windows 2012 R2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This test passes against 4.6, but failed against 4.7.5 and master.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We now encode according to RFC 3986 (section 2.1 - 2.3).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Improvements:
* NULL is returned when the string is incorrectly formed.
* Badly formed escapes like "% b" that were accepted by sscanf() are now
rejected.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Feb 21 19:02:56 CET 2018 on sn-devel-144
We need to make sure the server handles call_id values > UINT16_MAX.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This might not be perfect yet, but it's enough to allow names from trusted
forests/domain to be resolved, which is very important for samba based
domain members.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Feb 15 10:18:42 CET 2018 on sn-devel-144
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There are two cases we are interested in:
1) RODC receives two identical DNs which conflict
2) RODC receives a rename to a DN which already exists
Currently these issues are ignored, but the UDV and HWM are being
updated, leading to objects/updates being skipped.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The current defaults for SamDB are to create the database file if it does not
exist. Most of the uses of SamDB assume the database already exists, and so
auto-creation is not the desired behaviour.
TDB will overwrite an existing non TDB file with a newly created TDB file.
This becomes an issue when using alternate database file formats i.e. lmdb.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The current defaults for SamDB are to create the database file if it
does not exist. Most of the uses of SamDB assume the database already
exists, and so auto-creation is not the desired behaviour.
Also TDB will overwrite an existing non TDB file with a newly created
TDB file. This becomes an issue when using alternate database file
formats i.e. lmdb.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This recovers broken databases with duplicate and missing
forward links.
See commit a25c99c9f1fd1814c56c21848c748cd0e038eed7 for
the fix that prevents to problem from happening.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This reverts commit 43e3f79d54c5aeaea820865d298d4249cf47af99.
The real fix will follow in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Linked attribute values are sorted by objectGUID of the link target.
For C code we have parsed_dn_compare() to implement the logic,
the same is now available on python dsdb_Dn objects.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Failing until dsdb_Dn implements the correct __cmp__() function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This implements a check to test the delete-on-close flag of a directory
for requests to create files in this directory.
Windows server implement this check, Samba doesn't as it has performance
implications.
This commit implements the check and a new option to control it. By
default the check is skipped, setting "check parent directory delete on
close = yes" enables it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 3 23:42:16 CET 2018 on sn-devel-144
This is really critical bug, it removes valid linked attributes.
When a DC was provisioned/joined with a Samba version older than 4.7
is upgraded to 4.7 (or later), it can happen that the garbage collection
(dsdb_garbage_collect_tombstones()), triggered periodically by the 'kcc' task
of 'samba' or my 'samba-tool domain tombstones expunge' corrupt the linked attributes.
This is similar to Bug #13095 - Broken linked attribute handling,
but it's not triggered by an originating change.
The bug happens in replmd_modify_la_delete()
were get_parsed_dns_trusted() generates a sorted array of
struct parsed_dn based on the values in old_el->values.
If the database doesn't support the sortedLinks compatibleFeatures
in the @SAMBA_DSDB record, it's very likely that
the array of old_dns is sorted differently than the values
in old_el->values.
The problem is that struct parsed_dn has just a pointer
'struct ldb_val *v' that points to the corresponding
value in old_el->values.
Now if vanish_links is true the damage happens here:
if (vanish_links) {
unsigned j = 0;
for (i = 0; i < old_el->num_values; i++) {
if (old_dns[i].v != NULL) {
old_el->values[j] = *old_dns[i].v;
j++;
}
}
old_el->num_values = j;
}
old_el->values[0] = *old_dns[0].v;
can change the value old_dns[1].v is pointing at!
That means that some values can get lost while others
are stored twice, because the LDB_FLAG_INTERNAL_DISABLE_SINGLE_VALUE_CHECK
allows it to be stored.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13228
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
I guess that's what we try to test here, as 'use spnego' was only evaluated
on in the smb server part.
The basically tests the 'raw NTLMv2 auth' option, we set it to yes on
some environments, but keep a knownfail for the ad_member.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We previously removed the stream from the underlying filesystem stream
backing store when the client zeroes out FinderInfo in the AFP_AfpInfo
stream, but this causes certain operations to fail (eg stat) when trying
to access the stream over any file-handle open on that stream.
So instead of deleting, set delete-on-close on the stream. The previous
commit already implemented not to list list streams with delete-on-close
set which is necessary to implemenent correct macOS semantics for this
particular stream.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13181
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jan 9 17:09:12 CET 2018 on sn-devel-144
