1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1638 Commits

Author SHA1 Message Date
Tim Beale
2d0766a48b s4-drsuapi: Set getnc_state *after* we've checked request is valid
We were creating the getnc_state (and storing it on the connection)
before we had done some basic checks that the request was valid. If the
request was not valid and we returned early with an error, then the
partially-initialized getnc_state was left hanging on the connection.
The next request that got sent on the connection would try to use this,
rather than creating a new getnc_state from scratch.

The main side-effect of this was if you sent an invalid GetNCChanges
request twice, then it could be rejected the first time and accepted the
second time.

Note that although an invalid request was accepted, it would typically
not return any objects, so it would not actually leak any secure
information.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-08-29 07:23:28 +02:00
Tim Beale
6158f1839f selftest: GetNCChanges can 'accept' a repeated bad request
In theory, if we send the exact same rejected request again, we should
get the same response back from the DC. However, we don't - the request
is accepted if we send it a second time.

This patch updates the repl_rodc test to demonstrate the problem (which
now causes the test to fail).

Note that although the bad GetNCChanges request is not rejected outright,
the response that gets sent back is empty - it has no objects in it, so
it's not an actual security hole. It is annoying problem for writing
self-tests though.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-08-29 07:23:28 +02:00
Tim Beale
122c8e1fa2 selftest: Extend further getnc_unpriv tests to pass against windows 2012R2
An important change in this patch is changing the ACE type from
 A (Allow)
to
 AO (Object Allow)

as that will then respect the supplied GUID, which we also make use
the constant from the security.idl.

This reworks the tests to check replication with users with the
following rights:
- only GET_CHANGES
- only GET_ALL_CHANGES
- both GET_CHANGES and GET_ALL_CHANGES
- no rights

We basically want to test various different GetNCChanges requests
against each type of user rights, and the only difference is the
error/success value we get back. I've structured the tests this way, so
that we have 4 test_repl_xyz_userpriv() functions (to cover each of the
above user rights cases), and each test sends the same series of
GetNCChanges requests of varying validity.

Currently all these tests fail against Samba because Samba sends
different error codes to Windows.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-08-29 07:23:28 +02:00
Ralph Boehme
fb8e0343eb selftest: enable kernel change notifications in the fileserver environment
This environment is currently not used for any test in the smb2
testsuite, so this change doesn't affect any existing test.

A subsequent commit will add a test for change notifications with kernel
change notify enabled. It verifies a bug (this one) that only crops up
in such a setup and causes rename events to get lost.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12903

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-08-26 01:15:09 +02:00
Gary Lockyer
7057abcfcd scripts: Scripts to replay and generate samba traffic
Scripts to generate representative network traffic and replay this to a
samba instance.  For load testing, performance profiling and capacity
planning.

traffic_learner  process a file generated by traffic_summary and
                 generate a model that can be used by traffic_replay to
                 generate samba network traffic.

traffic_replay   Replay a summary file generated by traffic_summary, or
                 use a model created by traffic_learner to generate
                 network traffic.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Tim Beale <timbeale@catalyst.net.nz>
2017-08-17 04:06:06 +02:00
Gary Lockyer
29b3a2b0d1 samba-tool dns query: Allow '*' in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
3d2bd849f1 samba-tool dns: Test support of DNS wild card in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
edcbc99125 dnsserver: Add support for dns wildcards
Add support for dns wildcard records. i.e. if the following records
exist

  exact.samba.example.com 3600 A 1.1.1.1
  *.samba.example.com     3600 A 1.1.1.2

look up on exact.samba.example.com will return 1.1.1.1
look up on *.samba.example.com     will return 1.1.1.2
look up on other.samba.example.com will return 1.1.1.2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
1184770a76 dnsserver: Tests for dns wildcard entries
Add tests for dns wildcards.
Tests validated against Windows Server 2012 R2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Andreas Schneider
eb691cd024 python:tests: Add test for warn_pwd_expire
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug  7 19:11:02 CEST 2017 on sn-devel-144
2017-08-07 19:11:02 +02:00
Stefan Metzmacher
615b0d83d0 winbindd: as DC we should try to get the target_domain from @SOMETHING part of the username in wb_irpc_SamLogon()
We still need a full routing table including all upn suffixes,
but this is a start to support NTLM authentication using user@REALM
against structed domains.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
b88f9384b0 s4:auth/ntlmssp: add support for using "winbind" as DC
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Arvid Requate
88db634ed8 s4-dsdb/netlogon: allow missing ntver in cldap ping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:15 +02:00
Arvid Requate
22a94b728b s4:torture/ldap: Test netlogon without NtVer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11392

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:15 +02:00
Christof Schmitt
ffee37c243 torture: Add sharemode tests for SMB2
There are two pieces: Test access with different sharemodes through SMB
and verify access, and also provide tests that can be used with file
systems enforcing share modes outside of Samba.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 26 09:30:31 CEST 2017 on sn-devel-144
2017-07-26 09:30:31 +02:00
Gary Lockyer
efc335a030 source4 netlogon: Add authentication logging for ServerAuthenticate3
Log NETLOGON authentication activity by instrumenting the
netr_ServerAuthenticate3 processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
f3d3e6da5a tests auth_log: Add new tests for NETLOGON
Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing

Test code based on the existing auth_log tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Bob Campbell
eb2e77970e samdb/cracknames: support user and service principal as desired format
This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

This also causes the test in cracknames.py to no longer fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144
2017-07-24 11:10:26 +02:00
Bob Campbell
4779afe0d2 python/tests: add python test for cracknames
This fails due the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-24 07:14:10 +02:00
Andrew Bartlett
61455ad82e selftest: Make --include-env and --exclude-env use the base env name
The code as deployed would have required (eg) '--include-env=ktest
--include-env=ktest:local' which was not done in autobuild, causing
tests to be skipped.  This patch restores the intended behaviour.

This causes 33 testsuites to run, one more test (the newly added
samba.tests.ntlmauth) than the old regex provided (before
602772159d).

(The regression dropped us down to matching only 7 tests).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 24 03:33:01 CEST 2017 on sn-devel-144
2017-07-24 03:33:01 +02:00
Tim Beale
4e04f025a0 selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
2017-07-21 13:54:35 +02:00
Ralph Boehme
4a7ec5b760 selftest: add ad_member_idmap_ad server
Add a member server that uses idmap_ad. Gets used in the next commit.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-12 09:01:17 +02:00
Lumir Balhar
31019d338d python: tests: Add test for tdb_copy function from tdb_util module.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul  5 02:00:25 CEST 2017 on sn-devel-144
2017-07-05 02:00:25 +02:00
Tim Beale
831861ecf9 selftest: Disable NTLM authentication in ktest environment
This allows us to prove that "ntlm auth = disabled" works

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:21 +02:00
Andrew Bartlett
8b398a4d72 selftest: Use new ntlmv2-only and mschapv2-and-ntlmv2-only options
This will allow the py_credentials test to tell if these are in use

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
e23e8d9ff9 s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past.  Therefore
reduce the attack surface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Ralph Boehme
492930779a s4/torture: test fetching a resume key twice
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-03 19:59:08 +02:00
Ralph Boehme
3645f83a3c s3/vfs: make SMB_VFS_OFFLOAD_WRITE_SEND offload token based
Remove the source fsp argument and instead pass the offload token
generated with SMB_VFS_OFFLOAD_READ_SEND/RECV.

An actual offload fsctl is not implemented yet, neither in the VFS nor
at the SMB ioctl layer, and returns NT_STATUS_NOT_IMPLEMENTED

With these changes we now pass the copy-chunk-across-shares test.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-03 19:59:08 +02:00
Ralph Boehme
d50f307e97 s4/torture: add a test for copy-chunk across shares
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-03 19:59:08 +02:00
Andrew Bartlett
eb26522a52 selftest: Bind rfc2307 tests to exactly one server
The tests make changes to the DC, do not wait for replication, then expect
those to be reflected in the client.  If they bind to another server this
will not hold true.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Bob Campbell
c0a7d2bacd selftest: Do not force run of kcc at start of selftest
This should help to avoid clashes between periodic and manual runs of
the KCC during autobuild.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
d21d832195 dsdb: Teach the Samba partition module how to lock all the DB backends
The metadata partition (sam.ldb) lock is not
enough to block another process in prepare_commit(),
because prepare_commit() is a no-op, if nothing
was changed in the specific backend.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
4894f47e2e dsdb: Add tests showing that the CN=CONFIGURATION partition is also locked
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Stefan Metzmacher
4b5ff4a309 dsdb: Add more locking more tests, confirming blocking locks in both directions
These extended tests allow us to show that a search (read) blocks a
transaction commit (write), and that a transaction commit blocks a
search.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
c5b4cbf34e dsdb: Add test showing a search can't start while a transaction is already repared in a backend partition
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
602772159d selftest: Allow selftest.pl to run just some environments
This makes it easier to declare that some autobuild environments
only run some selftest environments.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-30 02:12:22 +02:00
Andreas Schneider
0a0fbaacbc selftest: Do *NOT* flush the complete gencache!
This removes *IMPORTANT* entries from the gencache winbindd creates on
startup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12868

Pair-Programmed-With: Ralph Boehme <slow@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2017-06-28 22:18:16 +02:00
Stefan Metzmacher
e06d13f7ad s3:selftest: run samba3.blackbox.inherit_owner tests with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
ccb18481fb s3:selftest: run samba3.blackbox.acl_xattr with NT1 and SMB3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:48 +02:00
Stefan Metzmacher
be036d11e6 s3:selftest: also run test_smbclient_s3.sh with PROTO=SMB3
This makes sure only the "creating a bad symlink and deleting it"
is failing with -mSMB3.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-27 16:57:47 +02:00
Stefan Metzmacher
9530284383 selftest:Samba3: call "net primarytrust dumpinfo" setup_nt4_member() after the join
Here we check that we get 'REDACTED SECRET VALUES' printed, in order
to avoid regression on the non '-f' behavior.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:47 +02:00
Stefan Metzmacher
295c9f7b32 s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
A client that supports SMB3 will do a signed FSCTL_VALIDATE_NEGOTIATE_INFO
after a tree connect. This FSCTL_VALIDATE_NEGOTIATE_INFO call contains
the client capabilities, client guid, security mode and the array of supported
dialects. But if SMB 2.02 is negotiated the doesn't send these values to the
server in the first connection attempt (when the client starts with a SMB1 Negotiate).

Windows servers that only support SMB2 just return NT_STATUS_FILE_CLOSED
as answer to FSCTL_VALIDATE_NEGOTIATE_INFO.

We should do the same if we just pretend to support SMB 2.02,
as SMB 2.10 always include an SMB2 Negotiate request we can leave it as is.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:42 +02:00
Stefan Metzmacher
94b9b6832c selftest: run nt4_dc_schannel with 'server max protocol = SMB2_02'
This reproduces the problem with trying to implement
FSCTL_VALIDATE_NEGOTIATE_INFO as SMB2_02 server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-27 16:57:42 +02:00
Andrew Bartlett
1bd627b1fc smbtorture: Add more tests around NETLOGON challenge reuse
The existing tests did not actually demonstrate what they
thought they did until the credential values were refreshed.

The new test showed this, because Samba fails it (windows passes)
due to the way we keep the last challenge on the connection.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:42 +02:00
Andreas Schneider
38033ed1d2 s3:tests: Add blackbox test for 'net usershare'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-06-27 16:57:42 +02:00
Andreas Schneider
4f5cfe2713 s3:tests: Do not delete the contets of LOCAL_PATH with tarmode test
The test_smbclient_tarmode.pl test operates on $LOCAL_PATH by default
and removes everything. So it deletes all precreated files and
directories which the setup_fileserver() function initially set up.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12867

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-27 16:57:42 +02:00
Daniel Kobras
acc16592b4 s3: smbd: fix regression with non-wide symlinks to directories over SMB3.
The errno returned by open() is ambiguous when called with flags O_NOFOLLOW and
O_DIRECTORY on a symlink. With ELOOP, we know for certain that we've tried to
open a symlink. With ENOTDIR, we might have hit a symlink, and need to perform
further checks to be sure. Adjust non_widelink_open() accordingly. This fixes
a regression where symlinks to directories within the same share were no
longer followed for some call paths on systems returning ENOTDIR in the above
case.

Also remove the knownfail added in previous commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860

Signed-off-by: Daniel Kobras <d.kobras@science-computing.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-26 23:16:13 +02:00
Jeremy Allison
f1f388ef80 s3: smbd: Add regression test for non-wide symlinks to directories fail over SMB3.
Mark as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12860

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-06-26 23:16:13 +02:00
Douglas Bagnall
6cbd3b52cd add provision performance tests
Because making provision faster makes autobuild faster.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:25 +02:00
Douglas Bagnall
c1e3937b3e perftest: add a new medley test
This is something of a rewrite of ad_dc_performance.py with more
search tests and a rebalancing of others. For example, the users are
added in three lots of 2000 using varying methods rather than 5 of
1000 using ldap, reducing duplication thus clarifying the results.

Links are added in more realistic patterns with groups of varying
size.

To save time, the database is not cleaned up. Usually perftests are
run with TESTS= restriction to a single suite, but in case this is not
done, this suite is run last.

The ad_dc_performance suite is not replaced so that comparisons with
old test sequences are still possible.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:25 +02:00
Gary Lockyer
7539595c48 lsa.String: add String constructor, str and repr
Add a String constructor, str and repr methods to the
samba.dcerpc.lsa.String python object

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
4cc979aba7 Tests lsa.String: add String constructor, str and repr
Tests for the String constructor, str and repr methods added to
the samba.dcerpc.lsa.String python object

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Volker Lendecke
f393edd41c selftest: Give tmux a bit of time to establish
I've seen a lot of failures with make testenv telling that stdin returns
EAGAIN. I haven't fully diagnosed it, but this seems to fix it. Now
make testenv is much more reliable.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 21 03:14:17 CEST 2017 on sn-devel-144
2017-06-21 03:14:17 +02:00
Andreas Schneider
5b3c121a26 selftest: Use 'ad_dc' as the default for testenv
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-20 10:39:15 +02:00
Andrew Bartlett
1b88c5d4c0 selftest: Also wait for winbindd to start
This ensures that the posixacl.py test does not race against winbindd starting up and so
give wrong mappings

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-16 19:34:17 +02:00
Andrew Bartlett
8d53ff10f8 selftest: Correctly print message when nbt is not up in 20 seconds
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12843

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-16 19:34:17 +02:00
Douglas Bagnall
567848498f replmd: check duplicate linked attributes
This is simple enough because we already have the sorted list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Douglas Bagnall
f3703c1727 dsdb/tests/ldap: test single valued linked attributes
This fails, so we add it to selftest/knownfail.d/

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Stefan Metzmacher
ee77759ed5 selftest: pass the workgroup name to Samba3::provision()
Not all environments should use the samba workgroup name.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 14 02:53:27 CEST 2017 on sn-devel-144
2017-06-14 02:53:27 +02:00
Stefan Metzmacher
9df4290202 selftest: don't use hardcoded domain names in Samba3::setup_admember()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
6355473fab selftest: test pam_winbind with a local user on ad_member
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
91b36e0c0d selftest: use "$DC_USERNAME" and "$DC_PASSWORD" for the pam_winbind test
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Stefan Metzmacher
0eb99bd988 python/samba/tests: don't use hardcoded names in *pam_winbind* tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Andrew Bartlett
75eb2e3a09 join.py Add DNS records at domain join time
This avoids issues getting replication going after the DC first starts
as the rest of the domain does not have to wait for samba_dnsupdate to
run successfully

We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined:
 - We do not want to query another DNS server
 - We do not want to obtain a Kerberos ticket for the new DC
   (as the KDC we select may not be the DC we just joined,
   and so may not be in sync with the password we just set)
 - We do not wish to set the _ldap records until we have started
 - We do not wish to use NTLM (the --use-samba-tool mode forces
   NTLM)

The downside to using DCE/RPC rather than DNS is that these will
be regarded as static entries, and (against windows) have a the ACL
assigned for static entries.  However this is still better than no
DNS at all.

Because some tests want a DNS record matching their own name
this fixes some tests and removes entires from knownfail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144
2017-06-11 02:04:51 +02:00
Andrew Bartlett
dfe739a252 selftest: Add test confirming join-created DNS entries can be modified as the DC
This ensures that samba_dnsupdate can run in the long term against the new DNS entries

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:22 +02:00
Andrew Bartlett
e36d908106 selftest: Test join.py and confirm that the DNS record is created
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
c1bf6d2493 dns_server: clobber MNAME in the SOA
Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour.  AD is multi-master so all RW servers are a master.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
21e76e2379 selftest: run dns tests in multiple envs
This will let us check the negative behaviour: that updates against RODCs fail
and un-authenticated updates fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andreas Schneider
a37a0cd81f libcli:smb: Add unit test for smb_bytes_pull_str()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2017-06-09 13:00:11 +02:00
Garming Sam
29045dad15 selftest/rodc: Do not run in single mode, this causes deadlocks
Attempting to 'ls' the file server against a single process AD will get
stuck. This also appears as the KDC being busy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Jun  7 05:14:17 CEST 2017 on sn-devel-144
2017-06-07 05:14:17 +02:00
Andreas Schneider
61f827bcdd unittest: Add testsuite for smb_probe_module()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12780

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-06 18:36:07 +02:00
Andreas Schneider
90b69ba95d unittest: Add testsuite for is_known_pipename()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12780

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-06 18:36:06 +02:00
Douglas Bagnall
5b60600b32 selftest: use an additional directory of knownfail/flapping files
This makes it easier to add a temporary knownfail to cover a patch
series.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun  3 13:55:41 CEST 2017 on sn-devel-144
2017-06-03 13:55:41 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
452170db2c tests/rodc: Check SID restriction for SendToSam
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
e418db6ea1 selftest: Ensure rodc environment uses localdc as winbind partner
This is required for password lockout testing.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
f40fdaea7f rodc: Set non-authoritative for RODC bad passwords
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
44b0ebefb2 tests/rodc: Test for NTLM wrong password forwarding
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
2368f57b4d winbindd: Do not run SAM auth stack in winbind SamLogon
pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Ralph Boehme
15367ce4b4 s4/torture: add a leases test with stat open
This test passes against Windows 2016 but currently fails against Samba
for some reason. The test does the following:

1. A stat open on a file, then
2. a second open with a RWH-lease request

Windows grants a RWH-lease in step 2, while Samba only grants a
R-lease. Go figure...

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144
2017-05-28 18:52:52 +02:00
Gary Lockyer
9444bbfe18 source4 rpc: binding.c enable DCERPC_SCHANNEL_AUTO for schannel connections
Enable the DCERPC_SCHANNEL_AUTO option in dceprc bindings. If not enabled
calls to netlogon.netlogon from python fail with NT_STATUS_DOWNGRADE_DETECTED
if schannel bindings are specified.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2017-05-25 02:25:13 +02:00
Gary Lockyer
610919e5e6 auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
68ccebfa59 auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
b14bb68417 samba-tool add support for userPassword
Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
  1) If a value exists in 'Primary:userPassword' with
     the specified number of rounds it is returned.
  2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
     '--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
  3) Return the first {CRYPT} value in 'Primary:userPassword' with a
     matching algorithm

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
8a5308bea0 samba-tool tests: add tests for userPassword
Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
4b49e18c14 password_hash: generate and store Primary:userPassword
Generate sha256 and sha512 password hashes and store them in
supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
de5299d155 tests password_hash: add tests for Primary:userPassword
Add tests to verify the generation and storage of sha256 and sha512
    password hashes in suplementalCredentials Primary:userPassword

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d4bc91a964 samba-tool user: add rounds option to virtualCryptSHAxxx
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.

i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d51253609d samba-tool tests: Tests for virtualCryptSHAxxx rounds
Add tests to for the new rounds option for the virtualCryptSHA256 and
virtualCryptSHA512 attributes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
3bcd384dcf samba-tool user: Support for virtualWDigest attributes
Add new virtualWDigest attributes, these return the hashes stored in
supplementalCredentials Primary:WDigest, in a form suitable for
htdigest authentication

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Gary Lockyer
81312ba4e2 samba-tool user: Tests for virtualWDigest attributes
Add tests for the new virtualWDigest attributes, these return the hashes
stored in supplementalCredentials Primary:WDigest in a form suitable for
use with htdigest authentication.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Stefan Metzmacher
688c659de2 selftest: let fl2003dc use "dcesrv:header signing = no"
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:08 +02:00
Andrew Bartlett
1116ee1c5c selftest: Actually run python3 tests during the selftest
These previously only ran if the develper was using EXTRA_PYTHON in their
OS environment

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 20 02:26:33 CEST 2017 on sn-devel-144
2017-05-20 02:26:33 +02:00
David Disseldorp
6f8f99917f selftest: enable alternate streams for fs_specific share
This ensures that the new "smb2.ioctl.copy-chunk streams" test passes
when run under selftest atop Btrfs.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-05-17 23:02:09 +02:00
Ralph Boehme
6211eb1462 s4/torture: smb2.ioctl: add copy-chunk test with stream to smb2.ioctl
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12787

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-05-17 23:02:09 +02:00
Christof Schmitt
5a6d5ede33 selftest: Make lockdir available in test environment
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2017-05-08 21:08:24 +02:00
Volker Lendecke
da7481f835 selftest: Avoid idmap caching when testing idmap_rfc2307
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12757

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2017-05-08 21:08:23 +02:00
Andreas Schneider
09f84d0fe5 selftest: Add a variable to indicate that selftest is running
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
41f03493ec selftest: Skip s4u2proxy tests, no support yet
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
3b0f1c2712 s4-torture: Add TORTURE_KRB5_TEST_CLOCK_SKEW test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
ac5427c6eb selftest: Set clockskew grace time to 5 seconds
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
c85f9b24ce selftest: Setup configs for MIT KDC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
b40c92016f selftest: Disable RODC tests with MIT KDC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
687da88590 selftest: Start MIT KDC if Kerberos is from MIT
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Gary Lockyer
aa43d0d81b source3 smdb: fix null pointer dereference
Fix the null pointer dereference in smbd, introduced in the auth logging
changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Apr 28 07:18:54 CEST 2017 on sn-devel-144
2017-04-28 07:18:54 +02:00
Gary Lockyer
85e98d2a31 source3 smbd: tests for null pointer dereference
Test case to replicate null pointer dereference in smbd, introduced in
the auth logging changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-28 03:18:23 +02:00
Ralph Boehme
f775068c40 selftest: also run smb2.compound_find against share with async delay set
Add a share with "smbd:find async delay usec" set to 10000 and run the
test smb2.compound_find added in the previous commit against this new
share as well.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-18 22:54:17 +02:00
Garming Sam
94256c9606 password-lockout: Allow RODC to ensure lockout and lockout reset
Prior to this, the modification of lockoutTime triggered referrals.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Garming Sam
613d9e234e password_lockout: Tests against RODC (once preloaded)
In this scenario, both the login server and the verification server are
the RODC. This tests that a user is locked out correctly once the
lockout limit is reached and they are also unlocked correctly when the
lockout time period expires.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:17 +02:00
Garming Sam
f4170a49fb tests/rodc: Add a number of tests for RODC-RWDC interaction
This tests password fallback to RWDC in preloaded and non-preloaded
cases. It also tests some basic scenarios around what things are
replicated between the two DCs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-04-13 07:29:17 +02:00
Garming Sam
b3ba0c85ff rodc: Force all RODC add and delete to cause a referral
Previously, you could add or delete and cause replication conflicts on
an RODC. Modifies are already partly restricted in repl_meta_data and
have more specific requirements, so they cannot be handled here.

We still differ against Windows for modifies of non-replicated
attributes over LDAP.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
2017-04-13 07:29:17 +02:00
Garming Sam
63a8376b6b selftest: Add ldap rodc python test
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
2017-04-13 07:29:16 +02:00
Andreas Schneider
63698da6e2 waf: Only build pam_wrapper if we build with pam
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-04-12 12:54:24 +02:00
Ralph Boehme
a58b54a334 libcli/security: fix dom_sid_in_domain()
Ensure the SID has exactly one component more then the domain SID, eg

Domain SID: S-1-5-21-1-2-3
SID:        S-1-5-21-1-2-3-4

This will return true. If the SID has more components, eg

SID: S-1-5-21-1-2-3-4-5, or
SID: S-1-5-21-1-2-3-4-5-6-7-8

dom_sid_in_domain() must return false.

This was verified against Windows:

     lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000002 (2)
                        domains                  : *
                            domains: ARRAY(2)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'BUILTIN'
                                    sid                      : *
                                        sid                      : S-1-5-32
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x0012 (18)
                                        size                     : 0x0014 (20)
                                        string                   : *
                                            string                   : 'W4EDOM-L4'
                                    sid                      : *
                                        sid                      : S-1-5-21-278041429-3399921908-1452754838
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000004 (4)
                    names                    : *
                        names: ARRAY(4)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x001a (26)
                                    size                     : 0x001a (26)
                                    string                   : *
                                        string                   : 'Administrator'
                                sid_index                : 0x00000001 (1)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x005c (92)
                                    size                     : 0x005e (94)
                                    string                   : *
                                        string                   : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                sid_index                : 0xffffffff (4294967295)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_ALIAS (4)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001c (28)
                                    string                   : *
                                        string                   : 'Administrators'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001e (30)
                                    string                   : *
                                        string                   : 'S-1-5-32-544-9'
                                sid_index                : 0xffffffff (4294967295)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : STATUS_SOME_UNMAPPED

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-12 01:41:14 +02:00
Stefan Metzmacher
236b24dfd2 auth4: avoid map_user_info() in auth_check_password_send()
The cracknames call is done in the "sam" backend now.

In order to support trusted domains correctly, the backends
need to get the raw values from the client.

This is the important change in order to no longer
silently map users from trusted domains to local users.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
3caca9b7fb s4:selftest: run test_trust_ntlm.sh against various environments
This shows that NTLM authentication is currently completely broken
on an DCs of AD domains with trusts.

Currently we completely ignore the client provided domain
and try to authenticate against the username in our local sam.ldb.

If the same username/password combination exists in both domains,
the user of the trusted domain silenty impersonates the user
of the local domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:20 +02:00
Stefan Metzmacher
20404e19b9 selftest: make sure we don't have any umask limitations for selftest
We create $prefix with 0700 (umask 0077), but everything else
should not have a umask limitation (by default).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-10 01:11:19 +02:00
Andreas Schneider
0641653c30 python: Add a simple pam_winbind test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 14:19:23 CEST 2017 on sn-devel-144
2017-04-07 14:19:23 +02:00
Ralph Boehme
ef10b43469 selftest: new environment "ad_member_idmap_rid"
This uses idmap_rid for the primary domain.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-04-06 20:08:19 +02:00
Ralph Boehme
8b32fc4006 winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.

The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr  1 21:18:59 CEST 2017 on sn-devel-144
2017-04-01 21:18:59 +02:00
Ralph Boehme
6b7a14b4b9 winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:

$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1

localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0

On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-01 17:33:14 +02:00
Andreas Schneider
5f49795099 selftest: Define template homedir for 'ad_member' env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
2017-03-30 04:26:17 +02:00
Andreas Schneider
2be02fdd1e s3:tests: Add a subsitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-30 00:33:13 +02:00
Andrew Bartlett
008843463f samr: Add logging of password change success and failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Gary Lockyer
a70e944c80 auth log tests: password change tests
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
f498ba77df heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.

We use config->db[0] to find the first database to record incorrect
users.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
7cbe1c844e s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
This is triggered in the ncacn_np pass-though case in particular

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Gary Lockyer
4c9d69f82a s4-ntvfs: Correct mixup between local/remote addresses
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
b661e818b6 selftest: Turn on auth event notification and so allow tests to pass
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
3ee82de26d auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Volker Lendecke
e92a20781c server_id_db: Protect against non-0-terminated data records
Remove the failing test from knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
0c25c40315 selftest: Test server_id database add and removal
This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
a47a8e41bd samba-tool: Ensure that samba-tool processes --name=not-existing does not error
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
f21c17c6d0 selftest: Add more tests for "samba-tool processes"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Jeremy Allison
782172a9be s3: Test for CVE-2017-2619 regression with "follow symlinks = no".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12721

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Tue Mar 28 07:00:46 CEST 2017 on sn-devel-144
2017-03-28 07:00:46 +02:00
Douglas Bagnall
2eb487fdbd selftest/target/Samba.pm: Remove whitespace
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-27 20:08:19 +02:00
Garming Sam
73bd0ebe55 selftest: Check that LDAP is available during RODC startup
Because the check was for RID Set, this was never done. However, this caused breakages that we've likely seen before.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-27 20:08:19 +02:00
Andrew Bartlett
84204e9716 selftest: Add more RODC tests to avoid regressions here
This ensures that the RODC can authenticatate users over wbinfo, normal services and SamLogon
including in particular the important need-to-be-forwarded case

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-27 20:08:18 +02:00
Stefan Metzmacher
a74fef0b90 Revert "selftest: temporary skip samba.blackbox.pdbtest.s4winbind"
This works again now...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 24 15:50:22 CET 2017 on sn-devel-144
2017-03-24 15:50:21 +01:00
Stefan Metzmacher
0c21cd5cb5 selftest: temporary skip samba.blackbox.pdbtest.s4winbind
This will reenabled in a few commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-24 11:57:10 +01:00
Garming Sam
6bbcd3bbd8 dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
6b2425343b getncchanges: include object SID in tokenGroups calculation for repl secret
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
f869da8161 tests/repl_rodc: Test the direct allow/deny attribute works
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
4b4a4c1063 getncchanges: Tie destination DSA GUID to authenticating RODC for REPL_SECRET
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
2cb251353c tests/repl_rodc: Ensure that the machine account is tied to the destination DSA
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:11 +01:00
Garming Sam
a9e3830473 getncchanges: Implement functionality for msDS-RevealedUsers
This multi-valued DN+Binary linked attribute is present on the server object
for an RODC. A link to an object is added to it whenever secret
attributes from that object are replicated to an RODC to serve as an
audit trail.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Bob Campbell
325f8e88c5 python/tests: Add repl_rodc test
Currently, this tests the msDS-RevealedUsers feature, which we don't
support at the moment.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Lumir Balhar
4ebd877ec0 python: selftest: Add possibility to run old Python test suites with Python 3
Add possibility to execute old Python test suites with Python 3
and enable tests with Python 3 of ported samba.gensec module.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Lumir Balhar
d0914e2713 python: selftests: Enable samba.getopt tests execution with Python 3
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Lumir Balhar
da71c39f46 python: samba.tests.core: Port and enable core tests in Python 3
Port samba core tests to Python 3 compatible form and enable their
execution with Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
1ac5bf21a1 python: samba.auth: Port samba.auth to Python 3 compatible form
Port samba.auth Python module to Python 3 compatible form and
enable tests execution with Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
9843ccef87 python: samba.tests.dcerpc.misc: Port and enable tests
Port tests of samba.dcerpc.misc module to Python 3 compatible form
and enable their execution with Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
5edb0b4ebd python: samba.tests: Enable Python 3 tests for ported modules
Enable tests with Python 3 for Python 3 compatible modules.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Douglas Bagnall
0779d66718 selftest: remove unused broken client.py
Nothing uses this, and pyflakes points out it is unusable:

./selftest/client.py:60: undefined name 'prefix_abs'
./selftest/client.py:69: undefined name 'opts'
./selftest/client.py:70: undefined name 'interfaces'

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:09 +01:00
Ralph Boehme
fd03420c4f s4/torture: some tests for kernel oplocks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=7537

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-10 03:28:26 +01:00
Ralph Boehme
53e9c2b65d s4/torture: add a creditting test skipping a SMB2 MID
This tests that skipping a SMB2 MID the client's usable MID window is

[unused mid, unused mid + 8192]

The test currently fails against Samba as we only grant up to 512
credits. It passes against Windows 2016 as that grants up to 8192
credits by default.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar  4 01:54:07 CET 2017 on sn-devel-144
2017-03-04 01:54:07 +01:00
Ralph Boehme
b668c300bf s4/torture: add some SMB2 crediting tests
These tests verify that a server grants at least 8192 credits in a
successfull session setup and in a single SMB2 request. Both tests pass
against Windows 2016 Server but currently fail against Samba.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-03-03 21:55:27 +01:00
Uri Simchoni
07af7774f3 selftest: remove "ea support" from vfs_fruit-related setups.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-03-02 22:30:23 +01:00
Douglas Bagnall
f2614bae2b selftest: add search performance tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-02 04:35:14 +01:00
Douglas Bagnall
779ea4c1b5 selftest: ndr_pack/unpack performance test
This just does a lot of packing and unpacking of various structures.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-02 04:35:14 +01:00
Ralph Boehme
bac79eac09 selftest: add shares without vfs_fruit for the vfs_fruit tests
Not used for now, but the next commit will add a test that makes use of
this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:23 +01:00
Ralph Boehme
f7b0982826 selftest: also run vfs_fruit tests with streams_depot
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Ralph Boehme
d9ab40e083 selftest: run vfs_fruit tests against share with fruit:metadata=stream
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12427

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
2017-03-02 00:32:22 +01:00
Gary Lockyer
b12562fac0 script: Add test script for traffic_summary.pl
Add the test script for traffic_summary.pl, test data in previous
commit.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Mar  1 09:01:07 CET 2017 on sn-devel-144
2017-03-01 09:01:07 +01:00
Garming Sam
0a7c6b5656 dbchecker: Stop ignoring linked cases where both objects are alive
Previously, this did nothing and the code was both untested and unused.

Removes the knownfail entry for dbcheck.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
2017-02-23 23:58:21 +01:00
Garming Sam
86f10eaecd tests/dbcheck: Add a test for two live objects, with a dangling backlink
Adds dbcheck 4.5.0pre1 to the knownfail, to be removed later.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12600
2017-02-23 23:58:21 +01:00
Jeremy Allison
40d813cdb3 s3: torture: Regression test for smbd trying to open an invalid symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12572

Pair-programmed-with: Ralph Boehme <slow@samba.org>

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 16 22:06:51 CET 2017 on sn-devel-144
2017-02-16 22:06:51 +01:00
Andrew Bartlett
4f558c9ad6 repl_meta_data: Remove the correct forward link for dn+binary attributes
The previous code assumed that only plain DNs could be linked attributes.

We need to look over the list of attribute values and find the value
that causes this particular backlink to exist, so we can remove it.

We do not know (until we search) of the binary portion, so we must
search over all the attribute values at this layer, using the
parsed_dn_find() routine used elsewhere in this code.

Found attempting to demote an RODC in a clone of a Windows 2012R2
domain, due to the msDS-RevealedUsers attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 14 06:14:35 CET 2017 on sn-devel-144
2017-02-14 06:14:35 +01:00
Bob Campbell
1c16e8abd2 torture/drs: Add a test for dn+binary linked attributes
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
2017-02-14 02:20:07 +01:00
Bob Campbell
1983d078f6 selftest: add vampire_2000_dc environment
This is the equivalent of vampire_dc, but using a domain functional
level of DS_DOMAIN_FUNCTION_2000.

Using this functional level is useful for tests involving replication
and linked attributes, as they behave differently at it.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11139
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
2017-02-14 02:20:07 +01:00
Douglas Bagnall
3c63f4711a selftest: show multiple arguments for --help
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-10 05:09:08 +01:00
Douglas Bagnall
6f88ff83bf waf --test-list takes a filename argument
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-10 05:09:08 +01:00
Stefan Metzmacher
e935a04afb getncchanges: only set nc_{object,linked_attributes}_count with DRSUAPI_DRS_GET_NC_SIZE
The main change is that we return 0 values if DRSUAPI_DRS_GET_NC_SIZE is not
present in order to get the same result as a Windows server in that case.

If DRSUAPI_DRS_GET_NC_SIZE is return the number of links we found so far
during the cycle in addition the number of objects returned in this cycle.
Both values doesn't match what Windows returns, but doing that
correctly and efficient is a task for another day.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Stefan Metzmacher
41bc007d49 torture/drs: remove pointless nc_object_count replication checks in test_link_utdv_hwm()
nc_object_count and nc_linked_attributes_count are only filled if
DRSUAPI_DRS_GET_NC_SIZE is requested. And they should contain
the total number. This is only useful for the initial replication.

Samba ignores DRSUAPI_DRS_GET_NC_SIZE currently but that will change in
the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12398

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-02-08 23:20:18 +01:00
Ralph Boehme
573e8e15b3 selftest: disable SMB encryption in simpleserver environment
Encryption is currently not tested in this env so we can safely turn it
off. The next commit will add a blackbox tests that test combinations of
having encryption globally turned off and enabled (desired/required) on
a share.

This also adds a new share "enc_desired" with "smb encrypt = desired"
which will be used by the test in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-27 22:00:17 +01:00
Stefan Metzmacher
348bcca768 selftest/Samba3: use "server min protocol = SMB3_00" for "ktest"
This verifies that clients can still connect with that setting.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12540

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 27 12:03:39 CET 2017 on sn-devel-144
2017-01-27 12:03:39 +01:00
Ralph Boehme
326765923f s3/smbd: check for invalid access_mask smbd_calculate_access_mask()
This makes us pass "base.createx_access".

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 22:46:13 +01:00
Ralph Boehme
a3781d1cfe selftest: also run test base.createx_access against ad_dc
Fails currently, will be made to work in the next commit.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=12536

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-23 22:46:13 +01:00
Andrew Bartlett
0272986377 selftest: Remove unsued variables WINBINDD_PRIV_PIPE_DIR and wbsockprivdir
I can not find anything that uses these in the testsuite

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun Jan 22 22:15:01 CET 2017 on sn-devel-144
2017-01-22 22:15:01 +01:00
Andrew Bartlett
bd8d9559bf param: Remove winbindd privileged socket directory option
This option is unused and has not been used since before Samba 4.3
when the source4/ winbindd code went away.

The associated dynconfig parameters used for the default are also removed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10066

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2017-01-22 18:30:12 +01:00
Stefan Metzmacher
e6a5e6a01a script/autobuild.py: try make test TESTS=samba3.*ktest for samba-systemkrb5
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
1204b4432d selftest/selftest.pl: print out '[expanded] command: ' in all error cases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
133416a8b9 selftest/selftest.pl: we don't need to call Subunit::progress_pop() twice on error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Stefan Metzmacher
a5db045f98 selftest/selftesthelpers.py: let plantestsuite() use the env name in the test name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-01-10 13:54:17 +01:00
Ralph Boehme
573762436a s3/torture: add a test for "mangled names = invalid"
This checks both that illegal NTFS names are still mangled and that long
names have no shortname.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-01-09 19:31:20 +01:00
Garming Sam
c94f824170 getncchanges: use the uptodateness_vector to filter links to replicate
This is to mirror the check in get_nc_changes_build_object.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144
2016-12-21 04:37:54 +01:00
Bob Campbell
5631421143 torture/drs: test link replication with hwm and utdv
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-21 00:47:25 +01:00
Andrew Bartlett
86e706a32d selftest: Use 'rpc server port:netlogon' and 'rpc server port' smb.conf option
We need this because once we make NETLOGON run in multiple processes,
it will need its own port, and socket_wrapper can not currently allocate
and ephemeral port.  It also tests the option, which others have asked be
made available to firewall drsuapi.

Likewise the 'rpc server port' option is used to confirm it
functions for the default port'.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@samba.org>
2016-12-20 01:11:23 +01:00
Stefan Metzmacher
f09f5ae631 selftest: make sure we always export KRB5CCNAME
We should not risk the usage of the users global ccache!

This results in unpredictable effects for the user and
selftest itself.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 17 22:58:28 CET 2016 on sn-devel-144
2016-12-17 22:58:28 +01:00
Stefan Metzmacher
cbbd95c7f2 selftest: also export TMPDIR
This should hopefully avoid usage of /tmp.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-17 19:16:14 +01:00
Andreas Schneider
7585aa6c8f testsuite: Add cmocka unit test for smb_krb5_kt_open()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 16 05:43:12 CET 2016 on sn-devel-144
2016-12-16 05:43:10 +01:00
Andrew Bartlett
b6fa384471 selftest: test new "lsa over netlogon" smb.conf option
This proves we can act like Windows and over lsarpc over netlogon if we want

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 15 12:11:09 CET 2016 on sn-devel-144
2016-12-15 12:11:09 +01:00
Andrew Bartlett
fee6bb7ca6 idl: Do not listen for lsarpc on \\pipe\netlogon
This prevents making the netlogon process multi-threaded.

This works on Windows becuase NETLOGON is part of lsad

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-15 08:21:11 +01:00
Andrew Bartlett
ecb1f569d7 torture: Add credentials downgrade and challenge reuse test to rpc.netlogon
This test confirms that the challenge set up is available
after the ServerAuthenticate has failed at the NT_STATUS_DOWNGRADE_DETECTED
check.

This is needed for NetApp ONTAP member servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-12-14 11:55:18 +01:00
Douglas Bagnall
91d5ea2ae9 librpc/ndr/uuid.c: improve speed and accuracy of GUID string parsing
GUID_from_data_blob() was relying on sscanf to parse strings, which was
slow and quite accepting of invalid GUIDs. Instead we directly read a
fixed number of hex bytes for each field.

This now passes the samba4.local.ndr.*.guid_from_string_invalid tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Dec 14 08:55:42 CET 2016 on sn-devel-144
2016-12-14 08:55:42 +01:00
Douglas Bagnall
6c9a185be2 s4-torture: better, failing, tests for GUID_from_string
These tests reveal that the current implementation accepts all kinds
of invalid GUIDs. In particular, we fail on these ones:

 "00000001-0002-0003-0405--060708090a0"
 "-0000001-0002-0003-0405-060708090a0b"
 "-0000001-0002-0003-04-5-060708090a0b"
 "d0000001-0002-0003-0405-060708090a-b"
 "00000001-  -2-0003-0405-060708090a0b"
 "00000001-0002-0003-0405- 060708090a0"
 "0x000001-0002-0003-0405-060708090a0b"
 "00000001-0x02-0x03-0405-060708090a0b"

This test is added to selftest/knownfail.

The test for valid string GUIDs is extended to test upper and mixed case
GUIDs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-14 05:02:24 +01:00
Bob Campbell
4408df2493 dnsserver: add dns name checking
This may also prevent deletion of existing corrupted records through
DNS, but should be resolvable through RPC, or at worst LDAP.

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-12-12 05:00:18 +01:00
Garming Sam
3ba40f6eb1 tests/dnsserver: Check security descriptors
These tests discover that there are some discrepancies between Windows and Samba.
Although there are failures, they do not appear to be critical, however
some of the SD differences will be important for 2012 support.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Bob Campbell
30faba750f samba-tool/dns: remove use of dns_record_match from add and delete
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00
Bob Campbell
64a3825765 python/tests: expand tests for dns server over rpc
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-12-12 05:00:18 +01:00