1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

34634 Commits

Author SHA1 Message Date
Andrej Gessel
8e6050587b bugfix memory leak. partition_dn is only used to search and compare and is not freed at the function end.
Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-03-19 07:33:44 +01:00
Jeremy Allison
a6054c01c2 s4: vfs: fruit tests: Add regression test for dealing with NFS ACE entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13319

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Mar 17 04:04:32 CET 2018 on sn-devel-144
2018-03-17 04:04:32 +01:00
Ralph Boehme
20609aa260 s4: dsdb/password_hash: use UF_TRUST_ACCOUNT_MASK
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 13 23:48:28 CET 2018 on sn-devel-144
2018-03-13 23:48:28 +01:00
Ralph Boehme
50e7788603 CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
c804568551 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
ab7dc210e9 CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
407a34c73f CVE-2018-1057: s4:dsdb/acl: run password checking only once
This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
3e6621fe58 CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
9dd7dd9ebb CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:27 +01:00
Ralph Boehme
766ab4c52b CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
0e15ce12e1 CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
39e689aa70 CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
2fea9ee701 CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
c653e51a3d CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
b23bf04cae CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Ralph Boehme
fbd16473ec CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete
Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:24:26 +01:00
Garming Sam
e3d364a99b partition: Allow a different backend store from @PARTITION
By default, use tdb, but otherwise read the value from backendStore.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:16 +01:00
Garming Sam
2a0e022738 dsdb: The schema should be reloaded during the transaction
Reload the schema just after getting the tranaction lock
but before the transaction counter is bumped.

This ensures we reload the schema exactly once but with
the DB locked.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:15 +01:00
Bob Campbell
8ac1646e92 samdb/schema_load: do schema loading with one search
It appears that there was a race condition between searching for the
attribute & class definitions, and searching for the schema object, if
the schema was changed in-between the two searches.

This is likely the cause of ldap_schema being flapping.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12889

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-03-05 20:50:15 +01:00
Garming Sam
313b0c60f4 schema_set: Add a missing newline between functions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:15 +01:00
Garming Sam
242cf337e9 partition: Leave metadata.tdb unlocking until last
With the lmdb patches, I have cleanly observed the database being read
in between the commit of the metadata.tdb and the eventual commits of
the individual partitions.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:14 +01:00
Garming Sam
8caf84a8d4 schema: Do not read different schema sequence values during a read transaction
During a read lock, we find ourselves seeing an unchanged schema, but
reading any updates to the metadata.tdb (in the case of lmdb, where
reads do not block writes).

The alternative is to read-lock the entire metadata.tdb, however, this
allows more concurrency by allowing reads not to block writes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-05 20:50:14 +01:00
Andrew Bartlett
1265346f6c partition: Use a transaction to write and a read lock to read the LDB_METADATA_SEQ_NUM
This is critical as otherwise we can read a sequence number in advance
of the data that it represents and so have a false cache.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-03-05 20:50:14 +01:00
Andreas Schneider
ffb836f3fe selftest: Impove test names for samba.wbinfo_simple
This simplifies selecting a specific test to run.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar  3 05:19:38 CET 2018 on sn-devel-144
2018-03-03 05:19:38 +01:00
Swen Schillig
e01d7d9d0f Replace NT_STATUS_HAVE_NO_MEMORY macro
Replaced NT_STATUS_HAVE_NO_MEMORY macro and fixed
memory leaking error-path.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Sat Mar  3 00:00:34 CET 2018 on sn-devel-144
2018-03-03 00:00:34 +01:00
Swen Schillig
6d0b6e937a Minor cleanup of libnet_LookupName_recv
Reduce indentation level and comply with 80 column rule.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-03-02 19:13:52 +01:00
Swen Schillig
14f83ff835 Zero libnet_LookupName out struct before using
Zero libnet_LookupName out struct before setting results,
preventing false result interpretation.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2018-03-02 19:13:52 +01:00
Andreas Schneider
a31147d675 s4:lib: Add FALL_THROUGH statements in http.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:44 +01:00
Andreas Schneider
1563f392c8 s4:dsdb: Add FALL_THROUGH statements in password_hash.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:44 +01:00
Andreas Schneider
856cda1037 s4:torture: Add FALL_THROUGH statements in rpc/spoolss.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
50d3a9e70d s4:torture: Add FALL_THROUGH statements in basic/misc.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
1508ff9cc4 s4:rpc_server: Add FALL_THROUGH statements in dcesrv_srvsvc.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
e2f1255840 s4:auth: Add FALL_THROUGH statements in gensec_krb5.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
69fa5ecb6a s4:auth: Add FALL_THROUGH statements in auth_sam.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
ef3ac405bf s4:auth: Add FALL_THROUGH statements in auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:43 +01:00
Andreas Schneider
487bd0a1e9 s4:samdb: Add FALL_THROUGH statements in linked_attributes.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
94d69cd4b8 s4:samdb: Add FALL_THROUGH statements in cracknames.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:42 +01:00
Andreas Schneider
d31a8cd800 s4:lib:com: Fix function declartions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-03-01 04:37:40 +01:00
Noel Power
0c31d38794 dsdb python tests: convert 'except X, (tuple)' to 'except X as e'
In addition to converting the except line another line is also added
for each except to extract the tuple contents.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:41 +01:00
Noel Power
9f61bf115e drs torture python: convert 'except X, (tuple)' to 'except X as e'
In addition to converting the except line another line is also added
for each except to extract the tuple contents.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-28 23:01:41 +01:00
Stefan Metzmacher
31b5328c46 s4:kdc: disable support for CROSS_ORGANIZATION domains
We don't support selective authentication yet,
so we shouldn't silently allow domain wide authentication
for such a trust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 28 19:45:13 CET 2018 on sn-devel-144
2018-02-28 19:45:13 +01:00
Stefan Metzmacher
d0a813a173 s4:kdc: only support LSA_TRUST_TYPE_UPLEVEL domains in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-28 14:33:19 +01:00
Stefan Metzmacher
274209f5cd s4:kdc: make use of dsdb_trust_parse_tdo_info() in samba_kdc_trust_message2entry()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-28 14:33:19 +01:00
Volker Lendecke
4da56e9f04 nbt_server: Factor out packet generation for netlogon reply
This also fixes an inaccuracy (or even a bug?):
The previous code pulled the reply mailslot always through
req.logon.mailslot_name, which is the union for
LOGON_SAM_LOGON_REQUESTs. The LOGON_PRIMARY_QUERY must be referenced by
req.pdc.mailslot_name. It might have worked by chance, but this should
be more correct.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 27 14:10:14 CET 2018 on sn-devel-144
2018-02-27 14:10:14 +01:00
Volker Lendecke
39827b7582 nbt_server: nbtd_netlogon_getdc doesn't need "src"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:18 +01:00
Volker Lendecke
7b06eacd59 nbt_server: Avoid a talloc call
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:18 +01:00
Volker Lendecke
1655701923 nbt_server: Avoid an "else" branch
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:18 +01:00
Volker Lendecke
5f9a0903a2 nbt_server: nbtd_netlogon_samlogon needs the dst_name, not the packet
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:18 +01:00
Volker Lendecke
33991e5c90 nbt_server: nbtd_netlogon_getdc needs just the dst_name
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
28f7a1f754 nbt_server: Fix a typo ("domian->domain")
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
d673ca0c35 nbt_server: nbtd_netlogon_samlogon needs the nbtsrv, not the inteface
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
e49e347078 nbt_server: nbtd_netlogon_getdc needs the nbtsrv, not the interface
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
7de9613385 nbt_server: Centralize a consistency check
This is a "should NEVER happen" and applies to both
LOGON_PRIMARY_QUERY and LOGON_SAM_LOGON_REQUEST

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
211a6072ad nbt_server: Make nbtd_mailslot_netlogon_handler a bit more idiomatic
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
724349090c nbt_server: Factor out dgram sending from reply construction
Separation of concerns. Only one call to dgram_mailslot_netlogon_reply, which
does the UDP send.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
f604c98ac2 nbt_server: Remove a pointless assignment
I don't see how data.msg.dest_name.type is accessed further down

dgram_mailslot_netlogon_reply only accesses packet->src_addr, packet->src_port
and packet->data.msg.source_name, *not* data.msg.dest_name. Also, "packet" is
thrown away after this call.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
4897f86056 nbt_server: Remove some unused parameters
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
5ec14fd981 libdgram: Remove an unused parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
92580b3f2f libdgram: Remove an unused parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Volker Lendecke
d88f826c7b libsocket: Add "mem_ctx" to socket_create()
Every caller did a talloc_steal() after socket_create(). Just pass in the
correct memory context.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-02-27 09:14:17 +01:00
Swen Schillig
106ea7a1bc Minor cleanup to libnet_join_member
Prevent code duplication by consolidating cleanup task
at the end of the function.

Signed-off-by: Swen Schillig <swen@vnet.ibm.com>
Reviewed-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Feb 24 23:19:05 CET 2018 on sn-devel-144
2018-02-24 23:19:05 +01:00
Andreas Schneider
72d780efca s4:lib:com: Fix function declartions
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-24 10:54:07 +01:00
Douglas Bagnall
bc56913271 repl_md: avoid returning LDB_SUCCESS on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-24 10:54:07 +01:00
Stefan Metzmacher
07844a9a13 dsdb/encrypted_secrets: remove dependency to libnettle and use our own aes_gcm_128_*()
We already rely on gnutls in order to implement SSL/TLS, so using that
to speed up crypto like aes gcm 128 is fine, but as we already have
code for that algorithm, we should use that instead of adding a new
dependency to libnettle.

Some (I guess newer versions) of gnutls use nettle internally, so
we may end up using that code, but we should not have a direct dependency.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13276

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-23 12:47:25 +01:00
Stefan Metzmacher
57762229da s4:auth_sam: allow logons with an empty domain name
It turns out that an empty domain name maps to the local SAM.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 23 04:08:26 CET 2018 on sn-devel-144
2018-02-23 04:08:26 +01:00
Douglas Bagnall
a4c853a7de util/rfc1738_unescape(): return end pointer or NULL on error
At present we don't detect errors, but when we do we'll return NULL.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-22 01:04:18 +01:00
Stefan Metzmacher
5d113f8094 s4:rpc_server: fix call_id truncation in dcesrv_find_fragmented_call()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13289

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Feb 21 19:02:56 CET 2018 on sn-devel-144
2018-02-21 19:02:56 +01:00
Bjoern Jacke
3a7ebd0e94 heimdal_build: use closefrom from libreplace
this silences a lot of "... has been redefined" compiler warnings on
platforms that don't have closefrom

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
e9d5b8b6b4 s4:rpc_server/lsa: implement forwarding lsa_Lookup{Sids,Names}() requests to winbindd
This might not be perfect yet, but it's enough to allow names from trusted
forests/domain to be resolved, which is very important for samba based
domain members.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
3801c417db s4:rpc_server/lsa: rewrite lookup sids/names code to honor the given lookup level
[MS-LSAT] 2.2.16 LSAP_LOOKUP_LEVEL defines the which views each level should
consult.

Up to now we support some wellknown sids, the builtin domain and our
account domain, but all levels query all views.

This commit implements 3 views (predefined, builtin, account domain)
+ a dummy winbind view (which will later be used to implement the
gc, forest and trust views)..

Depending on the level we select the required views.

This might not be perfect in all details, but it's enough
to pass all existing tests, which already revealed bugs
during the development of this patch.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:19 +01:00
Stefan Metzmacher
e9ace1852f s4:dsdb: add dsdb_trust_domain_by_{sid,name}()
This gets the lsa_ForestTrustDomainInfo for the searched
domain as well as the lsa_TrustDomainInfoInfoEx for the
direct trust (which might be the same for external trust or
the forest root domain).

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
9b6a0b1a63 s4:rpc_server/lsa: prepare dcesrv_lsa_LookupNames* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
ab7988aa2f s4:rpc_server/lsa: prepare dcesrv_lsa_LookupSids* for async processing
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
e6c9984bd5 s4:rpc_server/lsa: base dcesrv_lsa_LookupNames2() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
37cb34d164 s4:rpc_server/lsa: base dcesrv_lsa_LookupNames() on dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
ec55c18ced s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupNames2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c78c17dc2f s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids2()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
c0f6103dde s4:rpc_server/lsa: rename 'state' variable to 'policy_state' in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
7c1c9bf53f s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupNames()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
5d868fd875 s4:rpc_server/lsa: simplify [ref] pointer handling in dcesrv_lsa_LookupSids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
e8a0223633 s4:rpc_server/lsa: remove unused 'status' variable in dcesrv_lsa_LookupSids_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
fe43dd8678 s4:rpc_server/lsa: make sure dcesrv_lsa_LookupNames2() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3339a1c572 s4:rpc_server/lsa: expect prepared [ref] pointers in dcesrv_lsa_LookupNames_common()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
f6e60d2c2e s4:rpc_server/lsa: make sure dcesrv_lsa_LookupSids_common() gets prepared [ref] pointers
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
3909f8fcfe s4:rpc_server/lsa: use LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES/LSA_CLIENT_REVISION_1 in compat code
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13286

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:18 +01:00
Stefan Metzmacher
7b86b94c71 s4:torture: zero initialize variables in test_LookupSidsReply()
This avoids crashes if the server returns unexpected results.  The test
should just report the failure in that case.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13282

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-02-21 14:19:17 +01:00
Douglas Bagnall
9c9c2754a9 python/tests/sites: ensure we can't manipulate subnets as non-admin
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Garming Sam
7b45dc6841 subnet: Avoid a segfault when renaming subnet objects
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13031

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-19 19:17:12 +01:00
Garming Sam
9952eda7a1 repl_metadata: Avoid silent skipping an object during DRS (due to RODC rename collisions)
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Feb 15 10:18:42 CET 2018 on sn-devel-144
2018-02-15 10:18:42 +01:00
Garming Sam
59fa9e7ecf repl_metadata: Avoid silent skipping an object during DRS (due to RODC name collisions)
No error code was being set in this case, and so, we would commit the
HWM and UDV without actually having all the updates.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 05:42:03 +01:00
Garming Sam
45d19167d5 tests/replica_sync_rodc: Test conflict handling on an RODC
There are two cases we are interested in:

1) RODC receives two identical DNs which conflict
2) RODC receives a rename to a DN which already exists

Currently these issues are ignored, but the UDV and HWM are being
updated, leading to objects/updates being skipped.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 05:42:03 +01:00
Garming Sam
ff9e63f976 tests/drs_base: Allow the net drs replicate to try with a single object
This eventually passes down the replicate single object exop.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13269

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 05:42:03 +01:00
Garming Sam
19fcd872ec tests/replica_sync: Add some additional replication in setUp
This should avoid some failures due to stale objects.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 05:42:03 +01:00
Douglas Bagnall
bf2086e137 drs torture python: convert 'except X, e' to 'except X as e'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Douglas Bagnall
f43cb7c38d source4/scripting python: convert 'except X, e' to 'except X as e'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Douglas Bagnall
20e38fbd45 dsdb python tests: convert 'except X, e' to 'except X as e'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:30 +01:00
Andrew Bartlett
b415f9202f selftest: GnuTLS is already mandetory to build the AD DC
This change avoids the code behind 'if have_tls_support' becoming untested
if the configure logic changes.  We already assert that we have GnuTLS
elsewhere in the AD DC build scripts.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-02-15 00:18:29 +01:00
Andrew Bartlett
8e54bc463a selftest: Require jansson support for selftest of the AD DC
This avoids this code becoming untested if a package is not installed or
the configure test is accidentially broken.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-02-15 00:18:29 +01:00
Douglas Bagnall
a12925b6ed test samba-tool drs showrepl: test --json output
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00
Douglas Bagnall
2cd7097868 test samba-tool drs showrepl: test expected output more strictly
We try to ensure the output has all the expected information in the
expected order.

Soon we're going to add a JSON output mode, and we are strengthening
the tests here to ensure we don't break anything.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-02-15 00:18:29 +01:00