1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1176 Commits

Author SHA1 Message Date
Douglas Bagnall
cebad22ce0 python/graph: module for generating ASCII and graphviz visualisations
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
b4a90a650e samba_kcc: respect kcc.read_only flag on RODC
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
e579d5bd48 samba_kcc: kcc.debug module defers to samba.colour
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
a46c4a39c4 python: module containing ANSI colour sequences
This is going to be used by `samba-tool visualize` and samba_kcc.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:07 +01:00
Douglas Bagnall
f2762d0880 python tests: assert string equality, with diff
In the success case this works just like self.assertEqual(),
but when things fail you get a better representation of where it went
wrong (a unified diff).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:06 +01:00
Douglas Bagnall
3f2762d0b7 samba_kcc: documentation fix
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-01-13 17:37:06 +01:00
Volker Lendecke
977b3f60cf python: Print the finddcs error message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jan  9 22:41:28 CET 2018 on sn-devel-144
2018-01-09 22:41:28 +01:00
Björn Jacke
e3cc2af011 tests:docs: remove explicit exceptions for parametric options
we don't need to list them all as special cases because we exclude parametric
options generally now from the default value test.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
Björn Jacke
ece75ea9a6 tests:docs: don't try to test parametric option defaults
we don't get the values of the parametric options.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2018-01-08 03:34:18 +01:00
Douglas Bagnall
8a42954775 samba-tool test: ensure samba-tool help works
We make sure the output is identical to `samba-tool --help` for the same
subcommands.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 22 07:50:21 CET 2017 on sn-devel-144
2017-12-22 07:50:21 +01:00
Douglas Bagnall
316594f211 samba-tool: treat 'samba-tool help foo' as 'samba-tool foo --help'
Vaguely keeping up with the modern style.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Douglas Bagnall
769197dfa3 samba-tool: give cache_loader pseudo-dict a .get() method
This makes it more dict-like, and makes the next patch (adding
samba-tool help) simpler.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Douglas Bagnall
cef83c0cc6 samba-tool: --help test, ensuring help tree coverage
`samba-tool [COMMAND] --help` will list sub-commands of COMMAND
(or top-level commands if COMMAND is omitted). This ensures that
`samba-tool COMMAND SUBCOMMAND --help` works for all the commands
found in the help tree.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-22 03:30:12 +01:00
Andrew Bartlett
6a6f0952a5 samba-tool domain schemaupgrade: Avoid reindex after every hunk
This takes advantage of the fact that a single LDB operation is atomic
even inside our transaction and so we can retry it after updating the
schema.

This makes the smaba-tool domain schemaupgrade take 1m30s compared with 4m4s.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 08:28:51 CET 2017 on sn-devel-144
2017-12-21 08:28:51 +01:00
Garming Sam
fafc6da6ab ldapcmp: Improve the difference checker of ldapcmp for 2012 R2
There are a number of new attributes which may be considered DNs.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 03:41:19 CET 2017 on sn-devel-144
2017-12-21 03:41:19 +01:00
Garming Sam
c4895cfd9a upgradeprovision: Mark tests as passing again (using functional prep)
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:12 +01:00
Garming Sam
c419ac4a2e domain.py: Command for prepping the domain for higher functional levels
Currently we support the 2012 and 2012 R2 prep levels.

Forest prep requires use of the schema master role.
Domain prep requires use of the infrastructure master role.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:12 +01:00
Garming Sam
b2d831f23d domain.py: Force schema upgrade to be used only on the schema master
While this may be enforced at lower levels, it would be better to warn
earlier rather than later.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
66895701c9 forest_update: Allow the script to add the missing forest containers
Before we set the prep level higher in default provisions, we should add
these objects to the initial ldif (so that our initial ldif represents a
full 2008R2 domain which we build consistently on).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
c4262753ae forest_update: Create a module to apply forest prep updates
This module uses information sourced from the Forest-Wide-Updates.md
file from one of Microsoft's Github repos to generate the operation
information.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
107fbaa8f1 domain_update: Add a new docstring for the main entry point
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
b5f7677af9 domain_update: Add an additional error with revision
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
60b70e9540 domain_update: Allow the revision version to be set
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
551ec22da8 domain_update: Respect the fix=False flag
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
23dbcb403a domain_update: Create a module to apply domain prep updates
These updates are referenced in documentation much like our
Forest-Wide-Updates.md file under the same MIT and CC attribution
licenses.

https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/Domain-Wide-Updates.md

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
8a4085fc2b ms_forest_updates_markdown: Write a parser for the forest updates .md
Unlike the schema markdown which appears generally as ldif, these
descriptions are textual.

We are only handling the add cases, with the rest being manually encoded.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
3cddb6ad07 2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)
Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}

 - Create the CN=Managed Service Accounts object

Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}

 - Add otherWellKnownObject link for CN=Managed Service Accounts

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
0efc061a62 ldapcmp: Add otherWellKnownObjects to ignore when using --two
wellKnownObjects already exists in this list.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:11 +01:00
Garming Sam
83c4c3b397 sambadns: Allow functional level 2016 (when added)
This is currently just a harmless check anyways.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-20 23:13:10 +01:00
Andrew Bartlett
44eee9ce9e selftest: Do not use dn= filter string
This accidentially worked with SCOPE_ONELEVEL against Samba but dn= filters are
not valid in AD.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-20 04:22:09 +01:00
Gary Lockyer
d120d7fe84 provision: Changes to support encrypted_secrets module
Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.

Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:17 +01:00
Gary Lockyer
b29ab3a0c1 tests dsdb encrypted secrets module
Add tests to check that the encrypted_secrets module encrypts
secrets/sensitive attributes on disk.

This test also proves that the provision and join operations correctly
configure the encrypted_secrets module.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
Gary Lockyer
e5ce0a4d73 pyglue: Add function to generate a random byte string
Adds a function to generate a random byte string using the samba random
routines.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
David Mulder
ac56f87018 gpo: Only commit the earliest change to the log
Otherwise we overwrite the original value,
leaving the setting tattooed on unapplied

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
David Mulder
9ace2343ab gpo: Fix the empty apply log
The apply log wasn't being saved, apparently the pointers to elements
of the tree were getting lost.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-12-15 21:43:19 +01:00
Garming Sam
964bc8d19a markdown: Rename ms_markdown.py -> ms_schema_markdown.py
We also reduce the scope of the import so that python-markdown is only
required if interacting with 2012 code.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 12:34:04 CET 2017 on sn-devel-144
2017-12-14 12:34:03 +01:00
Andrew Bartlett
4f20416b38 provision: Use the official MS 2008R2 schema by default
This fixes us to have the official adminDescription etc.  While both schema were provided by
Microsoft this is a better quality one, but still under the same licence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:17 +01:00
Garming Sam
6bdbcb1d4c domain.py: Auto-patch the diffs for the adprep schemaupgrade
This creates a temporary directory where the markdown is parsed and the
diffs are then applied.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Garming Sam
5db10e0662 domain.py: Add a base dir option for schema upgrades
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
c22d022cea upgradeprovision: Change test to always use 2008 R2 schema
This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).

Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.

It seems to make most sense to leave this tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
ea9cde92fb domain.py: Add base-schema option to samba-tool provision
Allow a different base-schema to be used when provisioning a new domain.
This allows us to test the new 2012 schema without committing Samba to
using it by default.

If, in future, we change the default to use the 2012 schema, some
existing Samba tests (like upgradeprovision) rely on the 2012 schema.
So making the base-schema optional allows these tests to continue using
the older schema.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Tim Beale
1f60f5b51a schema: Add option of specifying the base schema for a provision
Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:16 +01:00
Andrew Bartlett
d67f706b34 schema: Re-work extended rights handling in provision (prep for 2012R2)
Add the changes needed to provision a 2012 DC (mostly this just affects
the Extended Rights objects) by moving to the new extended-rights.ldif

The localizationDisplayId is not documented in MS-ATDS so these values
are moved to provision_configuation_modify.ldif and applied after the
display-specifiers.ldif

We don't enable the 2012R2 mode yet. The ${INC2012} variable
just gets replaced with '#' so the lines get commented out and not
applied.

This approach allows us to support provisioning both a 2008R2 DC or
a 2012R2 DC (so that we can test we can upgrade a 2008 DC to 2012).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-12-14 08:20:16 +01:00
Tim Beale
9327c5a35e domain.py: Add a schemaupgrade option to apply missing 2008R2 schema
We've identified some cases where we've gotten our implementation of the
2008R2 schema wrong. We can fix these up for new provisions going
forward, but it'd be nice to have some way of fixing up the schema on
existing DCs.

A lot of what we're missing is already documented in Microsoft's
Sch45.ldf file:
https://technet.microsoft.com/en-us/library/dd378890(v=ws.10).aspx

Unfortunately we can't just apply the Sch45.ldf file using the existing
'samba-tool domain schema-upgrade' option because:
- We have got some of the Sch45.ldf changes, just not all of them.
- We already say the Samba schema objectVersion is 47 (2008R2), so
  there's no way to tell if the Samba instance does or doesn't have the
  missing changes (apart from querying each change).

We may want to add this to dbcheck eventually, but the simplest
implementation option for now is to extend the new schemaupgrade command
to allow us to specify a particular .LDF file to apply.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Tim Beale
f9059c7c1b domain.py: Make schemaupgrade option work regardless of config
Currently the 'samba-tool domain schemaupgrade' command will only work
if the Samba config has the non-default option 'dsdb:schema update
allowed = yes'. The whole point of running this samba-tool option is to
upgrade the schema, so it would seem to make sense to bypass the setting
temporarily, in order to apply the schema updates successfully.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Tim Beale
580e6babaf domain.py: Add schema upgrade option to samba-tool
Microsoft has published the Schema updates that its Adprep.exe tool
applies when it upgrades a 2008R2 schema to 2012R2.

This patch adds an option to samba-tool to go through these update files
and apply each change one by one. Along the way we need to make a few
changes to the LDIF operations, e.g. change 'ntdsschemaadd' to 'add' and
so on.

The bulk of the changes involve parsing the .ldif file and separating
out each update into a separate operation.

There are a couple of errors that we've chosen to ignore:
- Trying to set isDefunct for an object we don't know about.
- Trying to set a value for an attribute OID that we don't know about
  (we may need to fix this in future, but it'll require some help from
   Microsoft about what the OIDs actually are).

To try to make life easier, I've added a ldif_schema_update helper
class. This provides convenient access of the DN the change applies to
and other such details (whether it's setting isDefunct, etc).

Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
d66cbca4e1 adprep: Add the LDF data needed to upgrade to 2012R2 schema
This patch adds the LDF files corresponding to the changes that the
Windows Adprep.exe tool makes when upgrading a AD schema to Windows
2012R2.

This is based on information Microsoft has made public on github
(Schema-Updates.md - see the README.txt for more details).

The LDF files 48-56 are for upgrading to Windows Server 2012, and 57-69
are for Windows Server 2012 R2.

Unfortunately, the raw LDF information from Microsoft wasn't enough to
get the schema working. The .diff files contain changes we needed to
make on top of the raw LDF content from Microsoft.

The basic steps to regenerate the .LDF files are documented in the
README.txt file. The files used to generate the .LDF files are in the
WindowsServerDocs/ sub-directory. (The .LDF generation is done at runtime
during provision).

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
3257c7f60f ms_schema: Properly handle base64 encoded attributes
There used to be a special case for omobjectclass, but now there is just
generic handling for such attributes.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:15 +01:00
Garming Sam
ed6a3ddb2a ms_schema: Allow for CN=X and DC=X replacements
These occur in the newer 2012 and 2016 schemas.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Stefan Metzmacher
df1a06074e tests/posixacl.py: remove useless 'profile acls' based test
test_setntacl_smbd_dont_invalidate_getntacl_smbd() is basically
the same as test_setntacl_smbd_getntacl_smbd()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-12-13 20:34:24 +01:00
Andrew Bartlett
9f4eda9c24 selftest: Fix copyright header on samba.dsdb_lock
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13178

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Dec 13 13:03:16 CET 2017 on sn-devel-144
2017-12-13 13:03:16 +01:00
Andrew Bartlett
2a8b507084 selftest: Add cleanup of ForeignSecurityPrincipal in samba.dsdb test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 13 08:47:05 CET 2017 on sn-devel-144
2017-12-13 08:47:05 +01:00
Andrew Bartlett
d2b14b7578 selftest: Fix flapping samba.dsdb test
The check for the final digit in the SID was wrong, any domain SID
ending with a zero would fail the test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-12-13 04:47:37 +01:00
Jamie McClymont
698d28ee8c samba-tool: validate password early in domain provision
Checks password against default quality and length standards when it is entered,
allowing a second chance to enter one (if interactive), rather than running
through the provisioning process and bailing on an exception

Includes unit tests for the newly-added python wrapper of check_password_quality
plus black-box tests for the checks in samba-tool.

Breaks an openldap test which uses an invalid password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9710
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12235

Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:30 +01:00
Gary Lockyer
073328673f tests dsdb: Add tests for optionally unique objectSID's
It is possible for foreign security principals to have duplicate object
sids, this can be the result of:
 a replication race condition generating conflict resolution objects
 or the foreign security principal being deleted and then re-added on a
 join.

Rather than remove unique check on all objectSIDs we wish to allow
duplicate objectSIDs for foreign security principals.  But enforce the
unique constraint for local objects.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13004

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-12-10 00:47:29 +01:00
Andrew Bartlett
b8d0602e59 selftest: Rework samba.dsdb locking test to samba.dsdb_lock
This avoids running the test while samba is modifying and locking the same database,
as this can lead to a deadlock.

The deadlock is not seen in production as the LDB read lock is not held while
waiting for another process, but this test needs to do this to demonstrate
the locking safety.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  8 21:47:55 CET 2017 on sn-devel-144
2017-12-08 21:47:55 +01:00
Andreas Schneider
6f8e3f7cd0 python:tests: Create a test user for the dsdb test
We should never taint the Administrator account as we don't shut down
target envionments!

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Nov 25 14:13:24 CET 2017 on sn-devel-144
2017-11-25 14:13:23 +01:00
Andreas Schneider
8635465d77 build: Move pam_wrapper to third_party
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-11-25 10:14:13 +01:00
Stefan Metzmacher
239fbeb163 dbcheck: detect and fix duplicate links
Check with git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
9a631560c9 dbcheck: only calculate linked attribute helper variables once in check_dn()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Stefan Metzmacher
eb6bd6511a dbcheck: remove indentation level
Check with git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13095

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
527f2c95cf dbcheck: Use the GUID as the DN to fix replPropertyMetaData
This allows this to still work after an object is renamed under the deleted objects container.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:16 +01:00
Andrew Bartlett
3b111fbdbe dbcheck: Clarify error count bumping in deleted/gone DN handling
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-11-24 15:50:15 +01:00
Andreas Schneider
84a7baeef3 python:tests: Use bin/tdbdump only if built
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-24 01:13:14 +01:00
Garming Sam
6e7d037ace Fix formating of sources to be less than 80 lines
Signed-off-by: David Mulder <dmulder@suse.com>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Nov 21 01:51:59 CET 2017 on sn-devel-144
2017-11-21 01:51:59 +01:00
Andrew Bartlett
6d77776ce7 python: This function converts days to a relative (ie negative) NTTIME
It is not nttime2unix as it claimed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-11-20 21:41:15 +01:00
David Mulder
e60f49783e gpo: Apply kerberos settings
Add kdc kerberos settings to gpo.tdb, then retrieve those settings in
lpcfg_default_kdc_policy.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
4a7ccbeab7 gpo: Always enforce policy, even if unchanged
Policies should always be enforced, even if the gpo hasn't changed.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8d4c7229e9 gpo: Add GPO unapply
Keep a log of applied settings, and add an option to samba_gpoupdate to allow unapply. An unapply will revert settings to a state prior to any policy application.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
e750e4a35f gpo: Add gpo tests
Lays down a sysvol gpttmpl.inf with password policies, then runs the samba_gpoupdate command. Verifies policies are applied to the samdb.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
de9cee2262 gpoupdate: Rewrite samba_gpoupdate
Use new python bindings and remove obsoleted code

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
8eba3b5d38 gpo: Make the gpclass more easily extensible
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:15 +01:00
David Mulder
115615d836 gpo: Make the gpoupdate script much more reliable
Using a static file blanks the file when samba_gpoupdate crashes. Transformed
to a tdb file and added transactions. Add info logging to monitor gpo changes,
etc. Also handle parse errors and log an error message, then recover. Modified
the parsing code to use ConfigParser. Also, use the backslash in path names
when opening smb files, otherwise it fails against a windows server.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Luke Morrison
5194cd4e8d gpo: Initial commit for GPO work
Enclosed is my Summer of Code 2013 patch to have vital password GPO always applied to the Samba4 Domain Controller using a GPO update service.

To try it out "make -j" your samba with the patch, apply a security password GPO and see the difference in ~20 seconds. It also takes GPO hierarchy into account.

Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Luke Morrison <luke@hubtrek.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-11-20 21:41:14 +01:00
Lumir Balhar
de5e23c236 python: tests: Add tests for samba.posix_eadb module
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov  8 21:54:59 CET 2017 on sn-devel-144
2017-11-08 21:54:59 +01:00
Lumir Balhar
e583a926eb python: Port tests of samba.messaging to Python 3 compatible form.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 23 15:40:48 CEST 2017 on sn-devel-144
2017-10-23 15:40:48 +02:00
Joe Guo
5dc773a5b0 python: use communicate to fix Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144
2017-10-19 09:27:15 +02:00
Joe Guo
8ed3cac9e5 python: add a failed test to show Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the
child process generates large output to a pipe such that it blocks waiting for
the OS pipe buffer to accept more data. Use communicate() to avoid that.

This patch is commited to show the issue, a fix patch will come later.

Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-10-19 05:33:10 +02:00
Gary Lockyer
6d7a8d80cd tests: Add a blackbox test for smbcontrol
Add tests to check that samba processes have started and that they can be
pinged.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-10-19 05:33:09 +02:00
Andrew Bartlett
962a1b3220 dbcheck: Allow removal of one-way links to missing objects
If dbcheck is not run within the tombstone lifetime, these links can
persist in the database forever.  The risk of unintentional information loss
is why these links are only removed within the same partition.  A
replication may be in progress which has created only one end of
the link, so we must keep that.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 19 00:50:19 CEST 2017 on sn-devel-144
2017-10-19 00:50:19 +02:00
Lumir Balhar
88dc82d1f9 tests: Improve tests of samba.registry Python module
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-10-18 10:20:26 +02:00
Tim Beale
8c56aa2c91 selftest: Rename ntlmauth tests to ntlmdisabled
There are already some existing ntlm_auth tests, so the new tests I've
added make things a bit confusing. Also, ntlmdisabled probably better
reflects the specific case we're trying to test.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-26 00:41:16 +02:00
Andrew Bartlett
7665d999d2 provision: Add a fixed objectGUID to the tmp DB used for LDAP backend schema work
This DB holds a copy of the schema, but now needs to have an objectGUID on each record.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-23 05:26:15 +02:00
Andrew Bartlett
eabc344416 provision: make clear that the tmp ldb is running in @IDXGUID mode
This happended when the schema was set on the DB, forcing the full set of Samba behaviours

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-23 05:26:15 +02:00
Martin Schwenke
68c3ea773b selftest: Avoid a build started just before midnight failing
It looks like commit 070f24bc9d was incomplete because it doesn't
match on the trailing fullstop and newline.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Sep 19 05:32:22 CEST 2017 on sn-devel-144
2017-09-19 05:32:22 +02:00
Andreas Schneider
ffb7d6b50e python:provision: Do not change the owner of the sam.ldb.d dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andreas Schneider
591b086bf1 python:provision: Change the group of the 'binddns dir' too
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andreas Schneider
4880e8a7e6 samba:provision: Give a hint to copy the krb5.conf and not symlink it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-09-16 00:57:24 +02:00
Andrew Bartlett
9516d4229f s4-provision: Ensure the dummy main-domain DB used for DLZ has an @INDEXLIST
The other databases are created from copies of the main provision, but this one
is not, so did not previously get a valid @INDEXLIST.

This is important as otherwise we will not correctly notice support for
the GUID index or new DSDB features in @SAMBA_DSDB as this is gated
on seeing @SAMBA_FEATURES_SUPPORTED in @INDEXLIST.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-14 18:43:16 +02:00
Andrew Bartlett
51be27522c selftest: Check re-opening sam.ldb corrects the @ATTRIBUTES and @INDEXLIST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-09-14 18:43:16 +02:00
Andrew Bartlett
c938f61d33 python: Allow debug classes to be specified on the command line for python tools
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep  7 10:43:33 CEST 2017 on sn-devel-144
2017-09-07 10:43:33 +02:00
Andrew Bartlett
dc48fa9822 drs repl: Only print raw DRS replication traffic at level 9
This can be sensitive even with the passwords still encrypted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13017
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-07 06:56:27 +02:00
Andrew Bartlett
070f24bc9d selftest: Avoid a build started just before midnight failing
By allowing 41 or 42 days, we still test the expiry but are less sensitive to the
current time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-09-07 06:56:26 +02:00
Lumir Balhar
6f877285a3 python: Add tests for check_access function from samba.security.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-09-06 11:35:18 +02:00
Andreas Schneider
8f2dee256e python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
This provisions the bind_dlz files in the 'binddns dir'. If you want to
migrate to the new files strcuture you can run samba_upgradedns!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andreas Schneider
3b1aa2ca5f python:samba: Remove code to change group
This is the wrong place, it will just prepare the ldif. The file is not
created here.

The code is corrently changing the group in:
    python/samba/provision/__init__.py

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Andreas Schneider
47c039792a dynconfig: Change permission of the private dir to 0700
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
2017-09-05 23:58:20 +02:00
Tim Beale
f812c29d40 drs_utils: Add GET_TGT support to 'samba-tool drs replicate --local'
Update drs_Replicate.replicate() so it handles being passed the GET_TGT
flag (more_flags). To do this, we need to always use a v10 GetNCChanges
request (v8 and v10 are essentially the same except for the more_flags).

If the replicate_chunk() call into the C bindings throws an error, check
to see whether the error could be fixed by setting the GET_TGT flag, and
re-send the request if so.

Unfortunately because WERR_DS_DRA_RECYCLED_TARGET isn't documented with
the other AD error codes, I've left it hardcoded for now (Microsoft
should be fixing up their Docs).

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12972
2017-08-18 06:07:12 +02:00
Gary Lockyer
beeec1ff7c tests: replace traffic_summary test with python blackbox test
Replace the shell subunit test for script/traffic_summary.pl with a
python black box test.

This involves moving the test files to more standard locations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Aug 17 07:59:38 CEST 2017 on sn-devel-144
2017-08-17 07:59:38 +02:00
Gary Lockyer
7057abcfcd scripts: Scripts to replay and generate samba traffic
Scripts to generate representative network traffic and replay this to a
samba instance.  For load testing, performance profiling and capacity
planning.

traffic_learner  process a file generated by traffic_summary and
                 generate a model that can be used by traffic_replay to
                 generate samba network traffic.

traffic_replay   Replay a summary file generated by traffic_summary, or
                 use a model created by traffic_learner to generate
                 network traffic.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Tim Beale <timbeale@catalyst.net.nz>
2017-08-17 04:06:06 +02:00
Gary Lockyer
74ebcf6dfc blackbox tests: method to check specific exit codes
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-08-17 04:06:06 +02:00
Gary Lockyer
29b3a2b0d1 samba-tool dns query: Allow '*' in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
3d2bd849f1 samba-tool dns: Test support of DNS wild card in names
As DNS wild cards are now supported we need to allow '*' characters in
the domain names.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Gary Lockyer
1184770a76 dnsserver: Tests for dns wildcard entries
Add tests for dns wildcards.
Tests validated against Windows Server 2012 R2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12952
2017-08-15 08:07:10 +02:00
Andreas Schneider
eb691cd024 python:tests: Add test for warn_pwd_expire
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Aug  7 19:11:02 CEST 2017 on sn-devel-144
2017-08-07 19:11:02 +02:00
Andreas Schneider
0a7db4dd43 python:tests: Do not overwrite exit code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-08-07 15:20:04 +02:00
Marc Muehlfeld
d51d4c9458 python: Fix incorrect kdc.conf parameter name in kerberos.py
Signed-off-by: Marc Muehlfeld <mmuehlfeld@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-08-07 15:20:04 +02:00
Gary Lockyer
6d65d679f1 tests samba_tool: fix flapping user-virtualCryptSHA test
Fix flapping test, occasionally a password would be generated that failed
the password criteria, which resulted in the test user not being
created.  The tests relying on this user being present then failed.

This patch ensures that the generated password contains at least one digit,
at least one upper case letter and at least one lower case letter.
The generated passwords do not contain special characters to avoid shell
escaping issues.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Mon Aug  7 05:34:24 CEST 2017 on sn-devel-144
2017-08-07 05:34:23 +02:00
Andrew Bartlett
d5750f0163 dsdb: Fix dsdb_next_callback to correctly use ldb_module_done() etc
If we do not call ldb_module_done() then we do not know that up_req->callback()
has been called, and ldb_next_request() will call the callback again.

If called twice, the new ldb_lock_backend_callback() in ldb 1.2.0 will segfault.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12904

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Aug  1 07:52:38 CEST 2017 on sn-devel-144
2017-08-01 07:52:38 +02:00
Tim Beale
4bd8467018 drs_utils: HWM in 'samba-tool drs replicate --local' always zero
The code to check for the 'repsFrom' highwatermark didn't have any
effect because the hwm variable was overwritten (initialized to all
zeroes) further down.

Using a zero HWM probably wouldn't have impacted functionality because
we were still correctly using the uptodatenessvector, which should
avoid a full replication.

This was introduced in commit e2ba17d26a, presumably by
accident.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:15 +02:00
Tim Beale
314b96e183 drs: support sync-forced for 'samba-tool drs replicate --local'
The sync-forced option wasn't being passed into the replication request
when the --local option was used. This meant if outbound replication
were disabled on the target DC, then the replicate --local command would
fail.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
e91782541e selftest: Add and use new helper function get_creds_ccache_name()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
f7089c0262 python/getopt: Add --krb5-ccache (for samba-tool etc) to match the C binaries
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
dc940ad0e0 pycredentials: Add set_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:14 +02:00
Andrew Bartlett
a5f62958cc selftest: Add tests for credentials.get_named_ccache()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-07-28 00:25:13 +02:00
Andrew Bartlett
a420b1bdcc selftest: Use NETLOGON_NEG_STRONG_KEYS constant in AuthLogTestsNetLogonBadCreds
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jul 25 03:21:19 CEST 2017 on sn-devel-144
2017-07-25 03:21:19 +02:00
Gary Lockyer
f3d3e6da5a tests auth_log: Add new tests for NETLOGON
Tests for the logging of NETLOGON authentications in the
netr_ServerAuthenticate3 message processing

Test code based on the existing auth_log tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
5c27c5b6ef tests auth_log: Modify existing tests to handle NETLOGON messages
Modify the existing tests to ignore auth logging for NETLOGON messages.
NETLOGON authentication is logged once per session, and is tested
separately.  Ignoring it in these tests avoids order dependencies.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12865

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Gary Lockyer
ddfe8aa9cc auth_log: use symbolic constant to replace /root/ncalrpc_as_system
Modified to use constant AS_SYSTEM_MAGIC_PATH_TOKEN instead of
string literal "/root/ncalrpc_as_system"

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-24 23:29:23 +02:00
Tim Beale
4e04f025a0 selftest: Add test for password change when NTLM is disabled
When NTLM is disabled, the server should reject NTLM-based password
changes. Changing the password is a bit complicated from python, but
because the server should reject the password change outright with
NTLM_BLOCKED, the test doesn't actually need to provide valid
credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144
2017-07-21 13:54:35 +02:00
Rowland Penny
3c03ac750f Add test for 'samba-tool user edit'
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-05 13:36:09 +02:00
Rowland Penny
2ab239be0d Easily edit a users object in AD, as if using ldbedit.
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2017-07-05 13:36:09 +02:00
Lumir Balhar
31019d338d python: tests: Add test for tdb_copy function from tdb_util module.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jul  5 02:00:25 CEST 2017 on sn-devel-144
2017-07-05 02:00:25 +02:00
Tim Beale
c278fa65eb selftest: Add test to confirm NTLM authentication is enabled
(or later, that it is disabled)

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
2017-07-04 06:57:20 +02:00
Andrew Bartlett
353de79af2 selftest: Add test for support for MSCHAPv2 and NTLMv1 on a server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-07-04 06:57:20 +02:00
Tim Beale
e13b21d964 tests: Add simple check whether netlogon server is running
Netlogon only needs to run in DC environment. This is a simple test to
check whether the netlogon service is running. This will allow us to
disable the netlogon service on setups that don't require it.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-07-04 06:57:20 +02:00
Andrew Bartlett
4894f47e2e dsdb: Add tests showing that the CN=CONFIGURATION partition is also locked
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
b3db6558d3 dsdb: Add new test adding a record to the top level sam.ldb file
This shows that locks are made on this file as well

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Stefan Metzmacher
4b5ff4a309 dsdb: Add more locking more tests, confirming blocking locks in both directions
These extended tests allow us to show that a search (read) blocks a
transaction commit (write), and that a transaction commit blocks a
search.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
c5b4cbf34e dsdb: Add test showing a search can't start while a transaction is already repared in a backend partition
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
c0e2909595 dsdb: Add test showing a search can't start while a transaction is already repared
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-07-02 17:35:20 +02:00
Andrew Bartlett
587af50936 dsdb: Add a dummy module to replace show_deleted
This helps when we improve show_deleted in a way that the fake database in samba3sam can not cover

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-30 02:12:22 +02:00
Gary Lockyer
624960272e tests py_credentials: Fix encrypt_netr_crypt_password test
The test uses NetrServerPasswordSet2 to change a password, this tests
the end to end encryption.  The original call to NetrServerPasswordSet2
was not utf-16 encoding the new password.  However the call to
netr_DsrEnumerateDomainTrusts was using cached credentials and not
using the new password, so this was not detected.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 29 06:50:32 CEST 2017 on sn-devel-144
2017-06-29 06:50:32 +02:00
Garming Sam
7f1ff6bc84 samba_kcc: debugging: say intrasite when we mean intrasite
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jun 23 06:45:47 CEST 2017 on sn-devel-144
2017-06-23 06:45:47 +02:00
Douglas Bagnall
ab40b4013a samba_kcc: drop all connections from non-existent DSAs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:26 +02:00
Douglas Bagnall
6d78cbe2fa samba_kcc: comment typo
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:26 +02:00
Douglas Bagnall
822c4b9852 samba_kcc: avoid crash on odd networks with --dot-file-dir
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:25 +02:00
Douglas Bagnall
d5b123e461 python/getopt: -d/--debuglevel saves value in options for scripts
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-23 02:25:25 +02:00
Stefan Metzmacher
e73202aaec python/tests: test SMB1 and SMB2/3 in auth_log.py
We should do this explicitly in order to make
the tests independent of 'client max protocol'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-06-22 13:07:39 +02:00
Gary Lockyer
8c909cd7fa pycredentials: Add support for netr_crypt_password
Add code to encrypt a netr_CryptPassword structure with the current
session key.  This allows the making of Netr_ServerPasswordSet2 calls
from python.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
b68a3374a5 pycredentials: add function to return the netr_Authenticator
Add method new_client_authenticator that returns data to allow a
netr_Authenticator to be constructed.
Allows python to make netr_LogonSamLogonWithFlags,
netr_LogonGetDomainInfo and similar calls

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Gary Lockyer
4cc979aba7 Tests lsa.String: add String constructor, str and repr
Tests for the String constructor, str and repr methods added to
the samba.dcerpc.lsa.String python object

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-22 08:56:22 +02:00
Andrew Bartlett
5067bceaa2 selftest: confirm that two attributes are also correctly set in the @ records
This shows that the current behaviour in dsdb_schema_set_indices_and_attributes(), while
not ideal, is not actually buggy.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2017-06-16 19:34:17 +02:00
Douglas Bagnall
142d8617fe python/test: delete_force() passes on command line args
This allows you to use e.g.:

     delete_force(self.ldb, ou, controls=['tree_delete:1'])

Only in tests of course.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-15 17:33:10 +02:00
Garming Sam
e244ba4a8f repl: Set GET_ALL_GROUP_MEMBERSHIP flag in the drepl server
Although we do not currently support this in the server, this will cause
data loss against a Windows DC unless we set this flag as per the docs.
This flag is required for the RODC.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Jun 15 05:31:59 CEST 2017 on sn-devel-144
2017-06-15 05:31:59 +02:00
Andrew Bartlett
cf99f2c923 selftest: Pass the dcerpc binding object to self.waitForMessages in auth_log
This ensures that object is not cleaned up, triggering a disconnect before we get back
the audit messages.  Otherwise they can be lost when the server task calls exit()
while the message thread is still trying to send them.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
b158f68323 selftest: Add test for gss_krb5/ntlmssp -> SPNEGO
These bare mechs are permitted to go direct to SPNEGO, which must cope with them

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
995f5c03c5 selftest: Add pygensec tests for GSS-SPNEGO and Win2000 emulated SPNEGO
This is to provide some unit testing coverage for these different modes of operation

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Andrew Bartlett
33b818a510 selftest: Add a test for @ATTRIBUTES and @INDEXLIST generation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-15 01:24:25 +02:00
Stefan Metzmacher
0eb99bd988 python/samba/tests: don't use hardcoded names in *pam_winbind* tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Lumir Balhar
ba4cabb74f python: Port simple libpython module to Python 3 compatible form
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-06-13 22:46:14 +02:00
Andrew Bartlett
75eb2e3a09 join.py Add DNS records at domain join time
This avoids issues getting replication going after the DC first starts
as the rest of the domain does not have to wait for samba_dnsupdate to
run successfully

We do not just run samba_dnsupdate as we want to strictly
operate against the DC we just joined:
 - We do not want to query another DNS server
 - We do not want to obtain a Kerberos ticket for the new DC
   (as the KDC we select may not be the DC we just joined,
   and so may not be in sync with the password we just set)
 - We do not wish to set the _ldap records until we have started
 - We do not wish to use NTLM (the --use-samba-tool mode forces
   NTLM)

The downside to using DCE/RPC rather than DNS is that these will
be regarded as static entries, and (against windows) have a the ACL
assigned for static entries.  However this is still better than no
DNS at all.

Because some tests want a DNS record matching their own name
this fixes some tests and removes entires from knownfail

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Jun 11 02:04:52 CEST 2017 on sn-devel-144
2017-06-11 02:04:51 +02:00
Andrew Bartlett
dfe739a252 selftest: Add test confirming join-created DNS entries can be modified as the DC
This ensures that samba_dnsupdate can run in the long term against the new DNS entries

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:22 +02:00
Andrew Bartlett
e36d908106 selftest: Test join.py and confirm that the DNS record is created
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
d0c211691e provision: Allow removing an existing account when force=True is set
This allows a practical override for use in test scripts

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
db475ed6b4 provision: Move default handler for site=None down into dc_join object creation
This makes this code easier to call from a test script

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
b36d4e9ca4 selftest: Use TestCaseInTempDir as base class in dns tests
This will help when we add a new join test based on this code

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
9229809f75 selftest: Create new common base class for dns.py and dns_tkey.py
This will allow more DNS tests to be written in the future with less
code duplication.
2017-06-10 21:48:21 +02:00
Andrew Bartlett
11ba6f8cde selftest: merge DNSTest boilerplate
This will help unifying dns.py and dns_tkey.py to use common subclasses

The code was originally copied, but has since divereged.  This handles
that divergence.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
589a6621ee selftest: move make_txt_record() onto self in samba.tests.dns
This will help unifying dns.py and dns_tkey.py to use common subclasses

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
c1bf6d2493 dns_server: clobber MNAME in the SOA
Otherwise, we always report the first server we created/provisioned the AD domain on
which does not match AD behaviour.  AD is multi-master so all RW servers are a master.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
21e76e2379 selftest: run dns tests in multiple envs
This will let us check the negative behaviour: that updates against RODCs fail
and un-authenticated updates fail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
46380ad97d selftest: confirm we clobber the MNAME in the SOA query in the DNS server
All RW DCs should be their own master DNS server.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:21 +02:00
Andrew Bartlett
00de59a478 join.py: Do not expose the old machine password over NTLM if -k yes was set
This makes the test for a valid machine account stricter (as a kerberos error could
cause this to fail and so skip the validation), but we never wish to use NTLM
if the administrator disabled it on the command line

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:20 +02:00
Andrew Bartlett
970fdfae6a pydsdb_dns: Allow the partition DN to be specified into py_dsdb_dns_lookup
This allows lookups to be confined to one partition, which in turn avoids issues
when running this against MS Windows, which does not match Samba behaviour
for dns_common_zones()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:20 +02:00
Andrew Bartlett
fa3c026983 python: Allow sd_utils to take a Dn object, not just a string DN
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:20 +02:00
Andrew Bartlett
e7bc974333 pydns: Also return the DN of the LDB object when finding a DNS record
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-06-10 21:48:20 +02:00
Rowland Penny
b64f0b5da6 samba-tool: You cannot add members to a group if the member exists as a sAMAccountName and a CN.
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Jun  9 23:24:47 CEST 2017 on sn-devel-144
2017-06-09 23:24:47 +02:00
Gary Lockyer
7bce7e150e samba tool - tests: Fix shell metacharacters in generated password
Restrict the random password to [A-Za-z0-9] to ensure there are no shell
metacharacters in the generated password.

The tests use "samba-tool user create" to create the test user.
Occasionally the generated password contained shell metachatacters and
the command failed.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun  9 09:50:28 CEST 2017 on sn-devel-144
2017-06-09 09:50:27 +02:00
Amitay Isaacs
0098a7b556 provision: Update root DNS servers list
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-06-09 05:43:21 +02:00
Garming Sam
df2b71d1db samba-tool/spn: Add a missing newline to error message
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Andreas Schneider
330d82c1bc python: Create the kdc.conf in the Samba private directory
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-26 11:26:17 +02:00
Andreas Schneider
acec88dc1f python: Do not use the glue code directly
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-26 11:26:16 +02:00
Gary Lockyer
468dc02e84 tests net_join: use private secrets database.
Tests were leaving entries in the secrets database that caused
subsequent test cases to fail.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:13 +02:00
Gary Lockyer
68ccebfa59 auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
6419909094 tests password_hash: Add ldap based tests for WDigest
Add tests of the WDigest values using ldap.  This allows the tests to be
run against Windows, to validate the calculated values.

Tests validated against Windows Server 2012 R2

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
f5cd83247f tests password_hash: update array indexes for readabliity
Use an n-1 pattern in the indexes to the digest array to simplify checking
against the documentation and samba-tool user tests.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
b14bb68417 samba-tool add support for userPassword
Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
  1) If a value exists in 'Primary:userPassword' with
     the specified number of rounds it is returned.
  2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
     '--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
  3) Return the first {CRYPT} value in 'Primary:userPassword' with a
     matching algorithm

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
8a5308bea0 samba-tool tests: add tests for userPassword
Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
de5299d155 tests password_hash: add tests for Primary:userPassword
Add tests to verify the generation and storage of sha256 and sha512
    password hashes in suplementalCredentials Primary:userPassword

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
adae071daa tests password_hash: fix white space issues
Clean up white space issues in password_hash.py

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
601dbca8f9 tests password_hash: remove unused import
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d4bc91a964 samba-tool user: add rounds option to virtualCryptSHAxxx
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.

i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
d51253609d samba-tool tests: Tests for virtualCryptSHAxxx rounds
Add tests to for the new rounds option for the virtualCryptSHA256 and
virtualCryptSHA512 attributes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Gary Lockyer
3bcd384dcf samba-tool user: Support for virtualWDigest attributes
Add new virtualWDigest attributes, these return the hashes stored in
supplementalCredentials Primary:WDigest, in a form suitable for
htdigest authentication

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Gary Lockyer
81312ba4e2 samba-tool user: Tests for virtualWDigest attributes
Add tests for the new virtualWDigest attributes, these return the hashes
stored in supplementalCredentials Primary:WDigest in a form suitable for
use with htdigest authentication.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:11 +02:00
Petr Viktorin
e99c0e6503 python3:tests: Fix Python 3 test issues
- Forgotten text strings that should be binary
- Inverted PY3 condition

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-19 22:20:16 +02:00
Petr Viktorin
40e409bf9e python3: Use "y#" instead of "s#" for binary data in PyArg_ParseTuple
The "s#" format code for PyArg_ParseTupleAndKeywords and Py_BuildValue
converts a char* and size to/from Python str (with utf-8 encoding under
Python 3).
In some cases, we want bytes (str on Python 2, bytes on 3) instead. The
code for this is "y#" in Python 3, but that is not available in 2.

Introduce a PYARG_BYTES_LEN macro that expands to "s#" or "y#", and use
that in:
- credentials.get_ntlm_response (for input and output)
- ndr_unpack argument in PIDL generated code

Signed-off-by: Petr Viktorin <pviktori@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-19 22:20:15 +02:00
Andreas Schneider
e11ee75d9f samba-tool: Rename Samba4 to Samba AD
We should stop talking about Samba4 and use the terms Samba AD and
Samba FS.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May  5 15:51:54 CEST 2017 on sn-devel-144
2017-05-05 15:51:54 +02:00
Stefan Metzmacher
4c17850ae7 samba-tool: fix log message of 'samba-tool user syncpasswords'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12768

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri May  5 01:37:45 CEST 2017 on sn-devel-144
2017-05-05 01:37:45 +02:00
Stefan Metzmacher
afa15e6128 samba-tool: let 'samba-tool user syncpasswords' report deletions immediately
We need to use the show-recycled control in addition to the
notification control in order to get notifications about deletions.

There's no real problem as the next modification will report the deletion.
But it might be delayed a few minutes.

Note that show-recycled is a superset of show-deleted, so we only need one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12767

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2017-05-04 21:36:23 +02:00
Andreas Schneider
57edd3e781 waf: Move python build instructions to wscript
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
9b932d6a19 python: Add provisioning support for MIT KDC in samba-tool
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
18917d28a9 python: Add py_is_heimdal_built() to pyglue
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
fecbc81c60 waf: Create kerberos_implementation.py for provisioning
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:11 +02:00
Andreas Schneider
7556c20d4b param: Add 'mit kdc command' to change the default.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Gary Lockyer
85e98d2a31 source3 smbd: tests for null pointer dereference
Test case to replicate null pointer dereference in smbd, introduced in
the auth logging changes.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-28 03:18:23 +02:00
Gary Lockyer
9342b3ebf7 pyrpc: Fix segfault in ClientConnection
Fix segfault when connecting over TCP, the endpoints list in dummy_table
was not initialised this caused a segfault when attempting to connect
over TCP.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 21 16:10:12 CEST 2017 on sn-devel-144
2017-04-21 16:10:12 +02:00
Noel Power
8050db2303 param: Check for valid values of 'name resolve order' option
This variable is populated by a list of values where each value should
be a known option. This patch ensures that illegal values are detected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12739

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
2017-04-13 11:26:28 +02:00
Garming Sam
58113e5bc9 join.py: Allow RODC to have push replication at join
Normally DsAddEntry connects to DRSUAPI, however not in the RODC case. This meant that
it never called DsReplicaUpdateRefs and so never got push-replication after join.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-13 07:29:18 +02:00
Andreas Schneider
0641653c30 python: Add a simple pam_winbind test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr  7 14:19:23 CEST 2017 on sn-devel-144
2017-04-07 14:19:23 +02:00
Gary Lockyer
5ee494cbd7 tests dsdb: load paramaters from test environment
Load the test environment specific parameters

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 10:06:05 CEST 2017 on sn-devel-144
2017-04-06 10:06:04 +02:00
Gary Lockyer
d1f4fc9ee3 password_hash: Add tests to allow refactoring
Add tests for password_hash.c to allow refactoring of setup_supplemental_field

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-04-06 06:07:23 +02:00
Gary Lockyer
9566eb25be TestBase: restore setting FEATURE_SEAL in insta_creds
The setting of FEATURE_SEAL by default in insta_creds got removed when
the code was moved from password_lockout.py.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Apr  5 04:46:29 CEST 2017 on sn-devel-144
2017-04-05 04:46:28 +02:00
Garming Sam
49f3a92cb3 whitespace: auth_log_pass_change.py python conventions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Garming Sam
3e0a08a3d1 whitespace: auth_log.py python conventions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Gary Lockyer
67cd3e6cbd auth log: Add tests for anonymous bind and SamLogon
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
43f52fc425 pycredentials: Add bindings for get_ntlm_response()
This should make testing of SamLogon from python practical

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Gary Lockyer
8aff845db8 ldap_server: Log failures to find a valid user in the simple bind
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
638b10adb0 dsdb: Add authentication audit logging for LDAP password change
This ensures this particular vector is not forgotten

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-29 02:37:29 +02:00
Gary Lockyer
a70e944c80 auth log tests: password change tests
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:29 +02:00
Andrew Bartlett
3ee82de26d auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Gary Lockyer
41f1da3a1a TestBase: move insta_creds from password_lockout.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:25 +02:00
Gary Lockyer
16e9448174 pymessaging: add single element tupple form of the server_id
This avoids the python code needing to call getpid() internally,
while declaring a stable task_id.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-28 09:23:11 +02:00
Andrew Bartlett
8c75d9fc73 pymessaging: Add a hook to run the event loop, make callbacks practical
These change allow us to write a messaging server in python.

The previous ping_speed test did not actually test anything, so
we use .loop_once() to make it actually work.  To enable practial use
a context is supplied in the tuple with the callback, and the server_id
for the reply is not placed inside an additional tuple.

In order to get at the internal event context on which to loop, we
expose imessaging_context in messaging_internal.h and allow the python
bindings to use that header.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
2017-03-28 09:23:11 +02:00
Andrew Bartlett
0c25c40315 selftest: Test server_id database add and removal
This tests indirectly server_id_db_lookup() and
server_id_db_prune_name(), as well as the imessaging
and the imessaging python bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
e77c18019a pymessaging: Add irpc_remove_name
This allows tests to be indirectly added for server_id_db_lookup()
and server_id_db_prune_name()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
3bd9e5f4ed pymessaging: Add support for irpc_add_name
This allows tests to be indirectly added for server_id_db_lookup()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
a47a8e41bd samba-tool: Ensure that samba-tool processes --name=not-existing does not error
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Andrew Bartlett
f21c17c6d0 selftest: Add more tests for "samba-tool processes"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12705
2017-03-28 09:23:11 +02:00
Garming Sam
f55399fb39 samba_dnsupdate: Add additional debugging
Tests are still flapping, because it claims it needs a cache rebuild.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 28 00:04:54 CEST 2017 on sn-devel-144
2017-03-28 00:04:54 +02:00
Alexander Bokovoy
bbeef554f2 lib/crypto: implement samba.crypto Python module for RC4
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.

When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.

Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.

Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
2017-03-15 01:30:24 +01:00
Garming Sam
6bbcd3bbd8 dbcheck: Improve dbcheck to find (and may fix) dangling msDS-RevealedUsers
We cannot add missing backlinks because of the duplicate checking. There
seems to be no trivial way to add the bypass.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:12 +01:00
Garming Sam
213349b4bf python/dsdb_dn: Add a generic get_bytes method on DNs
Pair-programmed-with: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Garming Sam
6bcc856b20 samba-tool/domain: Correctly re-enable replication
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Garming Sam
f1147106ef werror: Correct the error code checking
Broken in commit ea3c3f10ed

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-13 05:10:10 +01:00
Ian Stakenvicius
676e80bb5f waf: disable-python - don't build python/
Signed-off-by: Ian Stakenvicius <axs@gentoo.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Andrew Bartlett
0d83cec7c9 python: Remove unused import PY3
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Lumir Balhar
64bc64ce64 python: samba.gensec: Port module to Python 3 compatible form
Port samba.gensec and samba.tests.gensec modules to Python 3
compatible form, enable execution of tests with Python 3 and
remove unused import of samba.gensec from samba.tests module
__init__.py file.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Lumir Balhar
9ada914f90 python: samba.getopt: Port module to Python 3 compatible form
Port samba.getopt module to Python 3 compatible form.

Remove unused and untested `get_hostconfig()` function. Andrew Bartlett
suggested this removal because it is the simpliest way how to break
a long dependency line of Python modules which have to be ported
at once.
More info: https://lists.samba.org/archive/samba-technical/2017-January/118150.html

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:12 +01:00
Lumir Balhar
da71c39f46 python: samba.tests.core: Port and enable core tests in Python 3
Port samba core tests to Python 3 compatible form and enable their
execution with Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
afe1e830de python: samba.tests: Move import of ported modules out of PY3 condition
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
e9a464911c python: samba._ldb: Port of samba._ldb to Python 3 compatible form
Port of samba._ldb Python module to Python 3 compatible form.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
9d8bcead4f python: samba.tests.auth: Add tests for samba.auth module
Add some tests which test that `system_session` object has
correct attributes and methods.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Douglas Bagnall
e481aed28d dcerpc/misc tests: asset GUID ordering in python 2 and 3
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:11 +01:00
Lumir Balhar
9843ccef87 python: samba.tests.dcerpc.misc: Port and enable tests
Port tests of samba.dcerpc.misc module to Python 3 compatible form
and enable their execution with Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
fe8bba5f81 python: wscript_build: Build some modules for Python 3
Update a few wscript_build files to build Python 3-compatible modules
for Python 3.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
6fa125e121 python: Make top-level samba modules Python 3 compatible
New file compat.py will help with porting to Python 3. For now, it
contains only PY3 variable based on six.PY3 which simplifies
condition mentioned below.

The added `if not PY3` conditions enable us to bootstrap running
tests with Python 3 even if most modules are not ported yet.
The plan is to move modules outside this condition as they are ported.
The `PY3` condition is currently used only in tests and for
the samba._ldb module which is not ported yet and has a lot of
dependencies.

The other changes are related to differences between Python 2 and 3.
Python 2.6 introduced the `0o` prefix for octal literals as an
alternative to plain `0`. In Python 3, support for plain `0` is
dropped and octal literals have to start with `0o` prefix.
Python 2.6 introduced a clearer `except` syntax:
`except ExceptionType as target:` instead of
`except ExceptionType, target:`. In Python 3, the old syntax
is no longer allowed.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:11 +01:00
Lumir Balhar
211df4a1e4 python: samba.tests.dcerpc: Move Class RawDCERPCTest to separated file.
The class is quite big, used in only one place, and it complicates
situation around bootstrapping of Python 3 port.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Lumir Balhar
9c55bb9f65 python: samba.tests.glue: Add new tests for samba._glue.
Add new file with tests of samba._glue module.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Lumir Balhar
b454b0903c python: samba._glue: Port samba._glue module to Python 3.
Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Lumir Balhar
5123f15072 python: samba.tests.param: Add missing tests
Add some new tests of samba.param Python bindings.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Lumir Balhar
31cef92cd3 python: samba.param: Port param module to Python 3
Port Python bindings of samba.param module to
Python3-compatible form.

Because native Python file objects are officially
no longer backed by FILE*, API of some _dump()
functions is changed. File argument is now
optional and contains only name of file. Stdout
is default if no file name is specified. Otherwise
opening and closing files is done on C layer
instead of Python.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Lumir Balhar
035e6dce4f python: samba.tests.credentials: Python 3 compatible tests
Port test of pycredentials to Python 3 compatible form.

Signed-off-by: Lumir Balhar <lbalhar@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2017-03-10 07:31:10 +01:00
Douglas Bagnall
d424c7d5af python/examples/winreg: two variable name typos on a single line
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:10 +01:00
Douglas Bagnall
b7cd0f2843 python sites/subnets: correctly spell variable name
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:10 +01:00
Douglas Bagnall
cedb991e6f python provision: FDSBackend takes forced uri
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:10 +01:00
Douglas Bagnall
b9c56142b5 python/remove_dc: avoid using non-existent variable
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:10 +01:00
Douglas Bagnall
732233ff3d samba-tool domain: correctly spell variable name
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:09 +01:00
Douglas Bagnall
495383c9a6 python/join: correct spelling of "ctx.del_noerror"
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-03-10 07:31:09 +01:00