1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

103617 Commits

Author SHA1 Message Date
Stefan Metzmacher
e760319526 s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f03d490b7b s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
da4e419adf s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
This is easier than doing it by hand...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
73fb24c2e4 s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
860c6b1e8f s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
f301623550 s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
a9722a17ee s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
025e573d84 s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
26a96d2964 s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
7b7d7be244 s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
27d68469e2 s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
We should first check if the error number is as expected and
then check for a specific WERROR in the error string.

We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:25 +02:00
Stefan Metzmacher
58173f28ae s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
9e6c22dbbe s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow
This reduces the runtime of the test while still producing reliable results.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
853c2a6d8a s4:auth/sam: update the logonCount for interactive logons
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
869616ceb9 s4:auth/sam: don't update lastLogon just because it's 0 currently
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
1acd477960 s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
a35a5e9022 s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
8a74d8e266 test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable
This makes the tests more robust.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
5e4928c366 test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths
We also don't need the separation of admincert.pem and admincertupn.pem
anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
cc262afe1c samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard-required'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
04f8ee3ab3 samba-tool: do a password retype validation check for 'samba-tool user setpassword'
This matches the behavior of 'samba-tool user create' and 'samba-tool user password'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
7ffffc93f9 samba-tool: add --smartcard-required option to 'samba-tool user create'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
9a8186167e samdb.py: add smartcard_required option to newuser()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
8ac4218690 s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:24 +02:00
Stefan Metzmacher
b73cb40dd2 s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
f9989f2142 s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
e81d25a870 s4:dsdb/common: remove unused samdb_result_force_password_change()
The logic is incomplete and the correct logic is already available
via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
a5efb21a53 s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
86b9bf9591 s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
9be4860511 s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
fdcdf34947 krb5pac.idl: add PAC_CREDENTIAL related structures
See [MS-PAC] 2.6 PAC Credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
92141c6b03 s4:kdc: add some const to samba_get_logon_info_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Stefan Metzmacher
4034c0a8ea auth/auth_sam_reply: add some const to input parameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-30 03:30:23 +02:00
Andreas Schneider
4524f5986c tsocket: Do not dereference a NULL pointer
Make sure the lrbsda pointer is not allocated and we will
not end up dereferencing a NULL pointer. In practice this
can't happen, but this change links the pointer with the
code that uses it.

Found by Coverity.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 30 02:53:02 CEST 2016 on sn-devel-144
2016-06-30 02:53:01 +02:00
Jeremy Allison
1d4b20d4f3 s4: ldb: Ignore case of "range" in sscanf as we've already checked for its presence.
https://bugzilla.samba.org/show_bug.cgi?id=11838

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-06-29 23:09:17 +02:00
Andreas Schneider
826f61960e s3-winbind: Fix memory leak with each cached credential login
When we allow offline logon and have a lot of logins, windbind will leak
4k of memory which each log in. On systems with heavy load this can grow
quickly and the OOM killer will kill Winbind.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144
2016-06-29 19:03:52 +02:00
Andreas Schneider
1be45ab4d5 selftest: Skip the samba4.raw.eas tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
9da97e5572 selftest: Skip also s4 base.createx_sharemodes_dir
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
bba66ca459 selftest: Remove samba4.smb2.compound tests we skip
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
82f0c72c39 selftest: Remove samba4 delaywrite tests we skip
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
32d10fd77b selftest: Skip s4 smb2 rename tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
2240aff7ed selftest: Skip the Samba4 rap tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Andreas Schneider
ca0332e901 selftest: Skip smbtorture_s3 tests against ntvfs
This reduces the time our testsuite is running. We are not going to
implement these features so it doesn't make sense to run the test at
all. More will follow.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-29 15:15:06 +02:00
Jeremy Allison
04967d6e88 s3: tdb: On some platforms pthread_mutex_trylock() returns EBUSY not EDEADLK.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 29 15:14:44 CEST 2016 on sn-devel-144
2016-06-29 15:14:44 +02:00
Richard Sharpe
ed4af82a4f s4/selftests: test net ads dns register/unregister.
Add a new test for the net ads dns commands and the needed self test
setup. Currently tests that we can register a name and that it
turns up. Also, tests that we can register with -P.

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 22:35:35 CEST 2016 on sn-devel-144
2016-06-28 22:35:35 +02:00
Volker Lendecke
4e20d2448e ldb: Fix CID 1362935: CHECKED_RETURN
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-06-28 18:48:08 +02:00
Volker Lendecke
874a9d9c87 libnet: Fix CID 1362934: CHECKED_RETURN
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-06-28 18:48:07 +02:00
Jeremy Allison
6318615a63 s3: tldap: Make tldap_gensec_bind_send()/tldap_gensec_bind_recv() static.
Only expose a synchronous tldap_gensec_bind() call, as it can't
really be async anyway.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Jun 28 11:19:33 CEST 2016 on sn-devel-144
2016-06-28 11:19:33 +02:00
Jeremy Allison
48569065c8 s3: tldap: Remove asynchronous calls to gensec_update_send()/_recv() as for the spnego backend they're synchronous anyway.
This should prevent nested event loops, and won't make the
code performance worse anyway.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2016-06-28 07:27:18 +02:00
Ralph Boehme
2a322a7671 selftest: test idmap backend id allocation for unknown SIDS
If an SID is is not found becaues the RID doesn't exist in a domain and
the domain is configured to use a non-allocating idmap backend like
idmap_ad or idmap_rfc2307, winbindd must not return a mapping for the
SID.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-06-28 07:27:18 +02:00