IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead
which allows us to decouple Samba from the unsalted NT hash for
organisations that are willing to take this step (for user accounts).
(History checking is limited to the last three passwords only, as
ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
package only stores three sets of keys.)
Since we don't store a salt per-key, but only a single salt, the check
will fail for a previous password if the account was renamed prior to a
newer password being set.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This catches errors and avoids using global varibles (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Test harness for the dns fowarder setting in smb.conf. Adds IPv6
forwarder as second target DNS forwarder, listening on port 54.
Signed-off-by: Matthew Grant <grantma@mattgrant.net.nz>
Reviewed-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This sometimes get stuck in a loop and this may help debug it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 8 12:44:49 UTC 2021 on sn-devel-184
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
There are a lot of things we should improve in our KDC
in order to work like a Windows KDC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It looks like "python:tests: Add SAMR password change tests for fips"
(which is also the title of 9a3ba502d8,
but this is also unrelated) and was a probalby a rebase artifact,
being a debugging aid that should have been omitted.
This reverts commit ebd687335b.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon Jun 21 01:46:58 UTC 2021 on sn-devel-184
The full path to the winbindd socket must fit within a struct sockaddr_un and this helps us work
where this is quite deep on the server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jun 2 04:46:39 UTC 2021 on sn-devel-184
We should use long options in tests to make clear what we are trying to
do.
Also the -s short option will be removed for --configfile later.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should use long options in tests to make clear what we are trying to
do.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The s4 member join code has been broken for some
time. Modify samba-tool to instead use the
working s3 member join code.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Wed Apr 21 21:40:13 UTC 2021 on sn-devel-184
There are tests in this environment that kill processes with SEGV
signals, which causes a backtrace that is entirely spurious from a
debugging point of view.
We can turn that off, saving processor time and moments of developer
confusion.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@suse.com>
That makes it possible to run tests from a read only source tree.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This way we can use it on even in some special cases, where we combine
variables from multiple environments.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This simplifies the code a lot and makes it much easier to
add new environment variables in future.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
While spliting the build and test stages I hit strange permission
problems, when a parent directory is missing,
which can be avoided by using plain mkdir() on each level.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184
We need to make sure that winbind's idmap_ad deals fine with an
expired krb ticket used to connect to AD via LDAP. In a customer
situation we have seen the RFC4511 section 4.4.1 unsolicited ldap exop
response coming through, but the TCP disconnect that Windows seems to
do after that did not make it. Winbind deals fine with a TCP
disconnect, but right now it does not handle just the section 4.4.1
response properly: It completely hangs.
This test requests a ticket valid for 5 seconds and makes the LDAP
server postpone the TCP disconnect after the ticket expiry for 10
seconds. The tests that winbind reacts to the ticket expiry exop
response by making sure in this situation the wbinfo call running into
the issue takes less than 8 seconds. If it did not look at the expiry
exop response, it would take more than 10 seconds.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
If we do not have the NC of the target object we can not be really sure
that the object is redundent and so we want to keep it for now
and not (as happened until now) break the dbcheck run made during the
replication stage of a "samba-tool domain backup rename".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14450
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
setup_ad_dc() was used for more than 'ad_dc'.
Setting up 'ad_dc' means not all missing arguments are
passed as undef.
The following had no effect
if (!defined($conf_opts)) {
$conf_opts = "";
}
and $conf_opts results in a string of 'HASH(....)'
So we better pass explicit undef arguments from setup_ad_dc() to
_setup_ad_dc() now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184
This allows us to test MIT KRB5 and OpenLDAP in FIPS mode.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Adding test env ad_dc_default_smb1_done an alias for
test environment ad_dc_default_smb1
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
ad_dc_smb1 is a copy of the ad_dc test environment but
with the difference that it still supports SMB1, this will allow
use to still run SMB1 tests for that env.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Test environments rpc_proxy & s4member depend on ad_dc_ntvfs
so these environments additionally need to also be able to
still support SMB1.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Change the values of 'min protocol' set for the various test
environments to be SMB2_02.
Servers will only offer protocols starting with the min specified in the
conf files. We don't change the client value here yet (until SMB1 is
truely gone) as we still want to be able to run SMB1 tests.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The default for most test envs will be changed in a future
commit(s) to be >= SMB2 then we need to still allow ad_dc_ntvfs to
support SMB1. This will make the number of tests to port easier to
deal with. In addition to test env ad_dc_ntvfs still supporting SMB1
we need to do the same with test other environments that depend on
ad_dc_ntvfs (this will be handled in followup commits).
In addition to the above this change will ensure we don't trigger
failures for ntvfs tests when we switch to default >= SMB2 which will
make the associated skip file (added in a future commit) smaller.
Signed-off-by: Noel Power <npower@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
These restore copies of others and better use their own resolv.conf
and use '--use-samba-tool --no-credentials' for samba_dnsupdate in order
to avoid talking to the real environments.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
By default point RESOLV_CONF to a non-existing file and
use the per environment RESOLV_CONF explicitly where needed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is needed for all environments not just "samba".
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
