1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

375 Commits

Author SHA1 Message Date
Günther Deschner
c25460ee1f CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6c.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-14 13:57:15 +02:00
Jeremy Allison
c9656fd297 s3: libsmbclient: Fix cli_splice() fallback when reading less than a complete file.
We were always asking for SPLICE_BLOCK_SIZE even when the
remaining bytes we wanted were smaller than that. This works
when using cli_splice() on a complete file, as the cli_read()
terminated the read at the right place. We always have the
space to read SPLICE_BLOCK_SIZE bytes so this isn't an overflow.

Found by Bailey Berro <baileyberro@google.com>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527

Signed-off-by: Bailey Berro <baileyberro@google.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Jul 13 14:57:14 CEST 2018 on sn-devel-144
2018-07-13 14:57:14 +02:00
Jeremy Allison
1c8d1cceff s3: torture: Test SMB1 cli_splice() fallback path when doing a non-full file splice.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2018-07-13 11:45:42 +02:00
Sachin Prabhu
7a0d82b694 s4-torture: add test for lease break after file unlink
When deleting a file, all leases granting handle caching lease to the
file should be recalled.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13458

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  1 02:57:46 CEST 2018 on sn-devel-144
2018-06-01 02:57:46 +02:00
Ralph Boehme
aa096ab70a selftest: run smb2.streams tests against a share with vfs_streams_xattr
The tests are currently only run against streams_depot, where stream IO
is handle based, compared to streams_xattr which is path
based. vfs_streams_xattr is also used much more in real world setups, so
we should run our tests against it.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-05-30 19:10:25 +02:00
Christof Schmitt
8f121747b0 smbd: Cache dfree information based on query path
Sub directories in a SMB share can have different free space information
(e.g. when a different file system is mounted there). Caching the dfree
information per SMB share will return invalid data. Address this by
switching to memcache and store the cached data based on the query path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-05-25 22:52:12 +02:00
Christof Schmitt
a55b3d2fcc selftest: Add test for 'dfree cache'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-05-25 22:52:12 +02:00
Jeremy Allison
52778afdab s3: vfs_fake_acls: Correctly implement the chmod/fchmod algorithm on fake acls.
We now pass samba3hide(nt4_dc), so remove it from knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 25 21:29:32 CEST 2018 on sn-devel-144
2018-05-25 21:29:32 +02:00
Jeremy Allison
d42f467a25 s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories.
Tests against a directory handle on the root of a share,
and a directory handle on a sub-directory in a share.

Check SEC_DIR_ADD_FILE and SEC_DIR_ADD_SUBDIR separately,
either allows flush to succeed.

Passes against Windows.

Regression test for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13428

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 18 02:38:50 CEST 2018 on sn-devel-144
2018-05-18 02:38:50 +02:00
Christof Schmitt
a6fade4e10 rpc_server: Fix NetSessEnum with stale sessions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 25 22:49:07 CEST 2018 on sn-devel-144
2018-04-25 22:49:07 +02:00
Christof Schmitt
e04846c7df selftest: Add testcase for querying sessions after smbd crash
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-25 19:59:13 +02:00
Christof Schmitt
1775ac8aa4 winbindd: Do not ignore domain in the LOOKUPNAME request
A LOOKUPNAME request with a domain and a name containing a winbind
separator character would return the result for the joined domain,
instead of the specified domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr  6 21:03:31 CEST 2018 on sn-devel-144
2018-04-06 21:03:31 +02:00
Christof Schmitt
552a00ec1f Add test for wbinfo name lookup
This demonstrates that wbinfo -n / --name-to-sid returns information
instead of failing the request. More specifically the query for
INVALIDDOMAIN//user returns the user SID for the joined domain, instead
of failing the request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2018-04-06 17:58:38 +02:00
Andreas Schneider
ffb836f3fe selftest: Impove test names for samba.wbinfo_simple
This simplifies selecting a specific test to run.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Mar  3 05:19:38 CET 2018 on sn-devel-144
2018-03-03 05:19:38 +01:00
Christof Schmitt
7fa91fc479 smbd: Fix coredump on failing chdir during logoff
server_exit does an internal tree disconnect which requires a chdir to
the share directory. In case the file system encountered a problem and
the chdir call returns an error, this triggers a SERVER_EXIT_ABNORMAL
which in turn results in a panic and a coredump. As the log already
indicates the problem (chdir returned an error), avoid the
SERVER_EXIT_ABNORMAL in this case and not trigger a coredump.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 16 01:56:06 CET 2017 on sn-devel-144
2017-12-16 01:56:06 +01:00
Christof Schmitt
0d3000be2a selftest: Add test for failing chdir call in smbd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
Stefan Metzmacher
2c720b20ab s4:selftest: remove samba.blackbox.pdbtest.s4winbind test
This is marked as knownfail for quite some time.

I don't think such a test is a reason to the 'auth methods' option.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-13 20:34:23 +01:00
Andrew Bartlett
b99d2ee122 selftest: Split out dbcheck runs from dangling_multi_valued test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Ralph Boehme
d147698840 selftest: run raw.acls test with XDR NFS41 ACLs
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:09 +01:00
Ralph Boehme
e981b41a37 selftest: run raw.acls tests against a share with XDR NFS4 ACLs
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:09 +01:00
Ralph Boehme
08a6ae4419 selftest: test vfs_nfs4acl_xattr with NFS 4.1 ACLs
Only tests with "nfs4:mode = simple" as mode special is supposed to be
broken anyway and simple is recommended.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
12f4263b28 selftest: add explicit default NFS4 acl version
This is the current default, just make it explicit. A subsequent commit
will bump the default to 4.1.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
d4d7e38bf6 vfs_nfs4acl_xattr: fsp->fh->fd can legally be -1
We only open the underlying file if the open access mode contains

FILE_READ_DATA|FILE_WRITE_DATA|FILE_APPEND_DATA|FILE_EXECUTE

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
7f62b16a12 vfs_nfs4acl_xattr: modernize ACL inheritance
This changes the way ACL inheritance is achieved in this
module.

Previously the module recursed to the next parent directory until the
share root was reached or a directory with an ACL xattr. If the share
root didn't contain an ACL xattr either a default ACL would be used.

This commit removed this recursive scanning and replaces it with the
same mechanism used by vfs_acl_xattr: by setting "inherit acls = yes"
just let smbd do the heavy lefting and inheritance.

For any file without ACL xattr we still synthesize a default ACL,
leveraging the existing default ACL function used by vfs_acl_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:08 +01:00
Ralph Boehme
f3f119e456 selftest: split out failing owner related subtest from samba3.raw.acls.create_file|dir
All the other subtests in samba3.raw.acls.create_file|dir pass with
nfs4acl_xattr, it's just the subtest that tries to set the owner which
fails with everything else then acl_xattr.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-11-08 00:20:07 +01:00
Tim Beale
8c56aa2c91 selftest: Rename ntlmauth tests to ntlmdisabled
There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Tim Beale
1a1c4ad71c selftest: Add new AD DC testenv with NTLM disabled
This is so that we test the source4 case as well. Currently the only
testenv with NTLM disabled is ktest, and that only exercises the source3
code.

I've tried to support the new test environment with minimal changes to the
Samba4.pm setup code.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Christof Schmitt
3a360f552d selftest: Also run smbtorture smb2.compound with aio enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13047

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep 22 09:49:30 CEST 2017 on sn-devel-144
2017-09-22 09:49:30 +02:00
Stefan Metzmacher
615b0d83d0 winbindd: as DC we should try to get the target_domain from @SOMETHING part of the username in wb_irpc_SamLogon()
We still need a full routing table including all upn suffixes,
but this is a start to support NTLM authentication using user@REALM
against structed domains.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Stefan Metzmacher
b88f9384b0 s4:auth/ntlmssp: add support for using "winbind" as DC
This adds support for trusted domains to the auth stack on AD DCs.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:03 +02:00
Christof Schmitt
ffee37c243 torture: Add sharemode tests for SMB2
There are two pieces: Test access with different sharemodes through SMB
and verify access, and also provide tests that can be used with file
systems enforcing share modes outside of Samba.

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul 26 09:30:31 CEST 2017 on sn-devel-144
2017-07-26 09:30:31 +02:00
Bob Campbell
eb2e77970e samdb/cracknames: support user and service principal as desired format
This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

This also causes the test in cracknames.py to no longer fail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144
2017-07-24 11:10:26 +02:00
Bob Campbell
4779afe0d2 python/tests: add python test for cracknames
This fails due the bug, which causes the related test in
drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-24 07:14:10 +02:00
Tim Beale
4e04f025a0 selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
2017-07-21 13:54:35 +02:00
Tim Beale
831861ecf9 selftest: Disable NTLM authentication in ktest environment
This allows us to prove that "ntlm auth = disabled" works

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:21 +02:00
Andrew Bartlett
e23e8d9ff9 s3-rpc_server: Disable the NETLOGON server by default
The NETLOGON server is only needed when the classic/NT4 DC is enabled
and has been the source of security issues in the past.  Therefore
reduce the attack surface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Ralph Boehme
492930779a s4/torture: test fetching a resume key twice
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-03 19:59:08 +02:00
Garming Sam
d3e8bcbc9b netlogon: Add necessary security checks for SendToSam
We eliminate a small race between GUID -> DN and ensure RODC can only
reset bad password count on accounts it is allowed to cache locally.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
452170db2c tests/rodc: Check SID restriction for SendToSam
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:07 +02:00
Garming Sam
f40fdaea7f rodc: Set non-authoritative for RODC bad passwords
This requires as a pre-requisite that the auth stack is not run twice.
We remove the knownfail introduced in the earlier patch.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
44b0ebefb2 tests/rodc: Test for NTLM wrong password forwarding
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
2368f57b4d winbindd: Do not run SAM auth stack in winbind SamLogon
pdbtest.s4winbind no longer is applicable without a live NETLOGON
connection.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Ralph Boehme
15367ce4b4 s4/torture: add a leases test with stat open
This test passes against Windows 2016 but currently fails against Samba
for some reason. The test does the following:

1. A stat open on a file, then
2. a second open with a RWH-lease request

Windows grants a RWH-lease in step 2, while Samba only grants a
R-lease. Go figure...

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144
2017-05-28 18:52:52 +02:00
Gary Lockyer
610919e5e6 auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call
The challenge parameter was being treated as a string rather than as a
data blob.  This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.

Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
68ccebfa59 auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
b14bb68417 samba-tool add support for userPassword
Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
  1) If a value exists in 'Primary:userPassword' with
     the specified number of rounds it is returned.
  2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
     '--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
  3) Return the first {CRYPT} value in 'Primary:userPassword' with a
     matching algorithm

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
8a5308bea0 samba-tool tests: add tests for userPassword
Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
4b49e18c14 password_hash: generate and store Primary:userPassword
Generate sha256 and sha512 password hashes and store them in
supplementalCredentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
de5299d155 tests password_hash: add tests for Primary:userPassword
Add tests to verify the generation and storage of sha256 and sha512
    password hashes in suplementalCredentials Primary:userPassword

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d4bc91a964 samba-tool user: add rounds option to virtualCryptSHAxxx
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.

i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00