IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Found by Coverity.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu May 17 04:03:21 CEST 2018 on sn-devel-144
Extract the common audit logging code into a library to allow it's
re-use in other logging modules.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE
handling in our LDAP server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 15 15:45:08 CEST 2018 on sn-devel-144
chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional. Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Those wishing to build without gpgme support need simply to build --without-gpgme
This In general, we prefer that optional libraries be required by default
so that they are not accidentially missed, particularly in packages.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This completes the regression fix of commit 7e091e5051.
There might be strings allocated on state, which are part of the
result.
The reason for the TALLOC_FREE(state) was to cleanup the possible
irpc_handle before leaving the function. Now we call
TALLOC_FREE(state->wb.irpc_handle) explicitly in
dcesrv_lsa_Lookup{Names,Sids}_base_done() instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13420
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 10:27:28 CEST 2018 on sn-devel-144
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 12:05:31 CEST 2018 on sn-devel-144
During the new samba-tool domain backup restore the NTDS GUID changes
as the server is taken over by the new DC record.
Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
There are two options which are undocumented.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat May 12 04:57:29 CEST 2018 on sn-devel-144
reponse --> response
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This passes against Windows, but fails against Samba.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13432
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
I've added a test case for 'samba-tool domain passwordsettings set/show'
to prove I haven't broken it. It's behaviour shouldn't have changed, but
there was no test for it previously.
We'll extend these tests in the very near future, when we add samba-tool
support for managing PSOs.
The base samba_tool test's runsubcmd() only handled commands with
exactly one sub-command, i.e. it would handle the command 'samba-tool
domain passwordsettings' OK, but not 'samba-tool domain passwordsettings
set' (The command still seemed to run OK, but you wouldn't get the
output/err back correctly). A new runsublevelcmd() function now handles
a varying number of sub-commands.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri May 11 09:06:10 CEST 2018 on sn-devel-144
The show and set options are not really related to each other at all, so
it makes sense to split the code into 2 separate commands.
We also want to add separate sub-commands for PSOs in a subsequent
patch.
Because of the way the sub-command was implemented previously, it meant
that you could specify other command-line options before the 'set' or
'show' keyword, and the command would still be accepted. However, now
that it's a super-command 'set'/'show' needs to be specified before any
additional arguments, so we need to update the test code to reflect
this.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
construct_generic_token_groups() currently works out the entire group
membership for a user, including the primaryGroupID. We want to do the
exact same thing for the msDS-ResultantPSO constructed attribute.
However, construct_generic_token_groups() currently adds the resulting
SIDs to the LDB search result, which we don't want to do for
msDS-ResultantPSO.
This patch splits the bulk of the group SID calculation work out into
a separate function that we can reuse for msDS-ResultantPSO. basically
this is just a straight move of the existing code. The only real change
is the TALLOC_CTX is renamed (tmp_ctx --> mem_ctx) and now passed into
the new function (so freeing it if an error conditions is hit is now
done in the caller).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
We'll reuse this code for working out the msDS-ResultantPSO, so
references to 'tokenGroups' in error messages would be misleading.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
The existing password_lockout tests didn't check for changing the
password via the SAMR password_change RPC. This patch adds a test-case
for this, using the default domain lockout settings (which passes), and
then repeats the same test using a PSO (which fails).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
This checks that the lockout settings of the PSO take effect when one is
applied to a user. Import the password_settings code to create/apply a
PSO with the same lockout settings that the test cases normally use.
Then update the global settings so that the default lockout settings are
wildly different (i.e. so the test fails if the default lockout settings
get used instead of the PSO's).
As the password-lockout tests are quite slow, I've selected test cases
that should provide sufficient PSO coverage (rather than repeat every
single password-lockout test case in its entirety).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
a.k.a Fine-Grained Password Policies
These tests currently all run and pass gainst Windows, but fail against
Samba. (Actually, the permissions test case passes against Samba,
presumably because it's enforced by the Schema permissions).
Two helper classes have been added:
- PasswordSettings: creates a PSO object and tracks its values.
- TestUser: creates a user and tracks its password history
This allows other existing tests (e.g. password_lockout, password_hash)
to easily be extended to also cover PSOs.
Most test cases use assert_PSO_applied(), which asserts:
- the correct msDS-ResultantPSO attribute is returned
- the PSO's min-password-length, complexity, and password-history
settings are correctly enforced (this has been temporarily been hobbled
until the basic constructed-attribute support is working).
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Any test that wants to change a password has to set the dSHeuristics
and minPwdAge first in order for the password change to work. The code
that does this is duplicated in several tests. This patch splits it out
into a static method so that the code can be reused rather than
duplicated.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Several tests hang all the objects they create off a unique OU.
Having a common OU makes cleanup easier, and having a unique OU (i.e.
adding some randomness) helps protect against one-off test failures
(Replication between testenvs is happening in the background.
Occasionally, when a test finishes on one testenv and moves onto the
next testenv, that testenv may have received the replicated test
objects from the first testenv, but has not received their deletion
yet).
Rather than copy-n-pasting this code yet again, split it out into a
helper function.
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Generate a GUID for each successful authorization, this will allow the
tying of events in the logs back to a specific session.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The password attributes are defined as literal in two places in the
password_hash code. They will also be needed to support password change
logging. This patch replaces the individual definitions with a shared
constant.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat May 5 04:31:18 CEST 2018 on sn-devel-144
This matches Windows behaviour and allows rpcclient to work against
Samba without knowing the GUID ahead of time. Errors related to this
don't appear to occur within selftest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13365
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Fri May 4 09:11:19 CEST 2018 on sn-devel-144
