IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
'default' is already handled in an earlier switch statement,
so this won't be reached but avoids a warning.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This avoids bad decrypts from falling down to later code and getting
the error code wrong, by strictly requiring the NDR parse to use all the
data. A bad decyrpt is very unlikely to get the length correct, and
so fall down to the other checks.
This should fix:
UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
REASON: Exception: Exception: ../source4/torture/rpc/backupkey.c:1926: r.out.result was WERR_INVALID_ACCESS, expected WERR_INVALID_PARAM: decrypt should fail with WERR_INVALID_PARAM
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11174
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
The gcrypt link will be disabled if gnutls is > 3.0.0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We no longer link against gcrypt if gnutls > 3.0.0 is found, as these
versions use libnettle.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If there're no collisions we should not fill the collision_info pointer.
Otherwise Windows fails to create a forest trust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
The meaning of lsa_ForestTrustRecordFlags is based lsa_ForestTrustRecordType,
but the type is not always available so it's not possible to use an union.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Different gcc versions complain at different places
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar 3 13:14:53 CET 2015 on sn-devel-104
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Feb 25 16:32:29 CET 2015 on sn-devel-104
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We use GnuTLS because it can reliably generate 2048 bit keys every time.
Windows clients strictly require 2048, no more since it won't fit and no
less either. Heimdal would almost always generate a smaller key.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
This is done in both smbtoture and in our server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We implement both modes in BACKUPKEY_RESTORE_GUID, as it may decrypt
both ServerWrap and ClientWrap data, and we implement
BACKUPKEY_RESTORE_GUID_WIN2K.
BUG: https://bugzilla.samba.org/attachment.cgi?bugid=11097
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This happen on the RODC, a case that we try not to permit at all.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The values we return here are client-provided passwords or other keys, that we decrypt for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This makes it clear that this is the data stored on the LSA secrets store
and not the client-provided data to be encrypted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This adds some IDL structs for the ServerWrap subprotocol, allowing
parsing of the incoming RPC calls and returning WERR_NOT_SUPPORTED
instead of WERR_INVALID_PARAM.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
[MS-BKRP] 2.2.1 specifies "The Common Name field of the Subject name
field SHOULD contain the name of the DNS domain assigned to the server."
In fact Windows 7 clients don't seem to care. Also in certificates
generated by native AD the domain name (after CN=) is encoded as
UTF-16LE. Since hx509_parse_name only supports UTF-8 strings currently
we just leave the encoding as it is for now.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate
should be set identical to the subjectUniqueID. In fact certificates
generated by native AD have this field encoded in little-endian format.
See also
https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Check for talloc_memdup failure for uniqueid.data.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
hx509_ca_tbs_set_notAfter_lifetime expects the lifetime value in
in seconds. The Windows 7 client didn't seem to care that the lifetime
was only 6'03''. Two other TODOs in this implementation:
* Since notBefore is not set explicietely to "now", the heimdal code
default of now-(24 hours) is applied.
* Server side validity checks and cert renewal are missing.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
RSA_generate_key_ex doesn't always generate a modulus of requested
bit length. Tests with Windows 7 clients showed that they decline
x509 certificates (MS-BKRP 2.2.1) in cases where the modulus length
is smaller than the specified 2048 bits. For the user this resulted
in DPAPI failing to retrieve stored credentials after the user password
has been changed at least two times. On the server side log.samba showed
that the client also called the as yet unlimplemented ServerWrap sub-
protocol function BACKUPKEY_BACKUP_KEY_GUID after it had called the
ClientWarp function BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. After
enabling DPAPI auditing on the Windows Clients the Event Viewer showed
Event-ID 4692 failing with a FailureReason value of 0x7a in these cases.
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10980
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 26 14:23:50 CET 2015 on sn-devel-104
dcesrv_lsa_OpenTrustedDomain() and dcesrv_lsa_OpenTrustedDomainByName()
need to use the same logic and make sure trusted_domain_user_dn is valid.
Otherwise dcesrv_lsa_OpenTrustedDomainByName() followed by
dcesrv_lsa_DeleteObject() will leave the trust domain account
in the database.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We should return the our ip address the client is connected too.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This requires an additional control to be used in the
LSA server to add domain trust account objects.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 6 22:50:23 CET 2015 on sn-devel-104
This is triggered by lsa_lsaRSetForestTrustInformation()
with ForestTrustInfo elements using FOREST_TRUST_TOP_LEVEL_NAME.
The nb_name variable was uninitialized and dereferenced without checking.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
We compile without warnings now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
When LSA_TRUST_DIRECTION_INBOUND or LSA_TRUST_DIRECTION_OUTBOUND flags is cleared
we should also remove the related credentials.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This requires 'struct lsa_policy_state', we now pass this directly
instead of a instead of an opaque 'struct dcesrv_handle'.
dcesrv_lsa_SetInformationTrustedDomain() passes in a 'struct dcesrv_handle'
with 'struct lsa_trusted_domain_state' before, which results in segfaults.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
In the initial implementation only IPv4 addresses were supported.
Add IPv6 (and mixed IPv4/IPv6) support and all further needed conversion
routines to support w2k, dotnet, longhorn clients.
Signed-off-by: Guenter Kukkukk <linux@kukkukk.com>
Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Wed Nov 26 03:44:07 CET 2014 on sn-devel-104
