IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is to mirror the check in get_nc_changes_build_object.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Dec 21 04:37:54 CET 2016 on sn-devel-144
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
GENSEC expects NULL as no password.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 11:40:07 CET 2016 on sn-devel-144
This allows the optimized checksum->verify() function to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
This way we can have a very simple get_cmdline_auth_info_creds() function,
which can be used pass cli_credentials down the stack instead of
constantly translating from user_auth_info to cli_credentials, while
loosing information.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 20 04:57:05 CET 2016 on sn-devel-144
All users of POPT_COMMON_CREDENTIALS basically need the same logic,
while some ignore a broken smb.conf and some complain about it.
This will allow the future usage of config options in the
credential post processing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We now first just remember the domain, realm, username, password values
(the last value wins).
At the end we call cli_credentials_set_{realm,domain,password}()
followed by cli_credentials_parse_string() for 'username'.
It means the last 'username' line beats the domain, realm or password lines, e.g.:
username=USERDOMAIN\username
domain=DOMAIN
will result in cli_credentials_get_domain() returning "USERDOMAIN" instead of
DOMAIN.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Some existing source3 tests (test_smbclient_s3.sh test_auth_file()) use a credentials file
that looks like this:
username=DOMAIN/username
password=password
domain=DOMAIN
This change allows us to parse the same.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we reset username we need to reset principal if it was set at the same level.
If domain is reset we also need to use it as realm if realm
was set at the same level. Otherwise we'd build a principal
that belongs to a different user, which would not work
and only increment the wrong lockout counter and result
in wrong authorization tokens to be used.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If cli_credentials_parse_string() is used we should no longer use
any guessed values and need to make sure username and domain
are reset if principal and realm are set.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As we don't want to create a new smb.conf file
we just simulate it with "creds.set_realm(realm, credentials.UNINITIALISED)".
That's basically the same as the cli_credentials_set_conf() behaviour
if a realm is specified in the configuration.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not have cli_credentials_get_realm() return "" without a
configured (default) realm in smb.conf.
Note that the existing tests with creds.get_realm() == lp.get("realm")
also work with "" as string.
At the same time we should never let cli_credentials_get_principal()
return "@REALM.EXAMPLE.COM" nor "username@".
If cli_credentials_parse_string() gets "OTHERDOMAIN\username"
we must not use cli_credentials_get_realm() to generate
a principal unless cli_credentials_get_domain() returns
also "OTHERDOMAIN". What we need to do is using
username@OTHERDOMAIN as principal, whild we still
use cli_credentials_get_realm to get a default kdc,
(which may route us to the correct kdc with WRONG_REALM
messages).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows the NETLOGON server to scale better, as it is often a bottleneck
What we are doing here is keeping the forced single process only for
other servers that declare they use DCE/RPC handles.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We need this because once we make NETLOGON run in multiple processes,
it will need its own port, and socket_wrapper can not currently allocate
and ephemeral port. It also tests the option, which others have asked be
made available to firewall drsuapi.
Likewise the 'rpc server port' option is used to confirm it
functions for the default port'.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@samba.org>
If this RPC server is not going to use handles (actually a generic
flag) then do not check the assocation group provided. This in turn
allows us to easily make NETLOGON run in multiple processes.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
To do this we must get the ncacn_ip_tcp listener to split out (for example)
netlogon onto a distinct port, so we change the registration code to split up each
ncacn_ip_tcp registration to create a new interface for indicated services.
The new option "rpc server port" allows control of the default port and
"rpc server port:netlogon" (also valid for any other pipe from the IDL name)
allows us to both work around limitations in socket_wrapper against
double-binding and allows specification of the port by the administrator.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will allow the NETLOGON server in the AD DC to declare that it does not use
handles, and so allow some more flexibility with association groups
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 19 13:41:15 CET 2016 on sn-devel-144
This allows SMB3 encryption instead of returning NT_STATUS_NOT_SUPPORTED.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This can be used temporarily to do the required kinit if we use kerberos
and the password has been specified.
In future this should be done in the gensec layer on demand, but there's
more work attached to doing it in the gensec_gse module.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
