1
0
mirror of https://github.com/samba-team/samba.git synced 2025-03-16 06:50:24 +03:00

30905 Commits

Author SHA1 Message Date
Volker Lendecke
81a848be6d s3: Remove some unused variables 2010-01-10 22:43:02 +01:00
Volker Lendecke
fd1b6bdef9 s3: Fix some nonempty blank lines 2010-01-10 20:56:16 +01:00
Volker Lendecke
86a73e6eba s3: Use sid_check_is_domain instead of a direct sid_equal 2010-01-10 20:56:16 +01:00
Volker Lendecke
48251c3370 s3: Use sid_check_is_in_our_domain instead of a direct sid_peek_check_rid 2010-01-10 20:56:16 +01:00
Volker Lendecke
3ea64e0ad8 s3: Replace most calls to sid_append_rid() by sid_compose() 2010-01-10 20:56:16 +01:00
Volker Lendecke
50b7a3233f s3: Remove unused samr_make_sam_obj_sd 2010-01-10 20:56:16 +01:00
Volker Lendecke
081573091b s3: Remove the typedef for "auth_serversupplied_info" 2010-01-10 20:56:16 +01:00
Volker Lendecke
9bb4766bba s3: Remove the typedef for "auth_usersupplied_info" 2010-01-10 20:56:16 +01:00
Volker Lendecke
6f0e7b9465 s3: Trim libnss_wins.so 2010-01-10 13:37:40 +01:00
Volker Lendecke
0f9268bde9 s3: Trim down some utilities a bit 2010-01-10 13:28:08 +01:00
Volker Lendecke
fd92db55eb s3: Remove a pointless "else" branch from add_ccache_to_list() 2010-01-09 20:37:40 +01:00
Volker Lendecke
fc1757369f s3: Slightly simplify winbindd_store_creds 2010-01-09 20:37:39 +01:00
Volker Lendecke
43c841b6bd s3: Fix a segfault in winbindd_dual_ccache_ntlm_auth()
ntlmssp_update allocates the reply_blob as a child of ntlmssp_state. This means
with ntlmss_end() it will be gone. winbindd_dual_ccache_ntlm_auth used the blob
after the ntlmssp_end().
2010-01-09 20:37:39 +01:00
Jeremy Allison
d7713d11a6 Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes"
This bug re-occurred for 3.3.x and above.

The reason is that to change a NT ACL we now have to open the file requesting
WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
in posix_acls doesn't add these bits when "dos filemode = yes", so even though
the permission or owner change would be allowed by the POSIX ACL code, the
NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
first.

Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.

Jeremy.
2010-01-08 10:17:46 -08:00
Günther Deschner
1bc953088f s3-time: fix build warnings after we moved to shared time functions.
Bjoern, please check.

Guenther
2010-01-08 12:35:25 +01:00
Tim Prouty
34f0cff066 s3 torture: Prevent smbcli segfault when running smbtorture3 against an smbd with security=share 2010-01-07 15:32:27 -08:00
Michael Adam
dc68982711 s3:auth: don't update the bad pw count if pw is among last 2 history entries
This conforms to the behaviour of Windows 2003:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

This is supposed to fixes Bug #4347 .

Michael
2010-01-07 16:51:18 +01:00
Michael Adam
46111dc4e4 s3:auth:check_sam_security: introduce a bool var to control pad_pw_count incrementation
This is a preparatory patch for the last part in fixing bug #4347 .

Michael
2010-01-07 16:51:18 +01:00
Michael Adam
017ccd0bda s3:passdb: store the plain nt passwords hashes in history, not salted md5
This is in order to be able to do challenge response with the history,
so that this can be checked when an invalid password was entered:
If the given password is wrong but in the history, then the bad password
count should not be updated...

The "lucky" bit here is that the md5 has and the nt hash (md4) both are
16 bytes long.

This is part of the fix for bug #4347 .

Michael
2010-01-07 16:51:17 +01:00
Michael Adam
667b6f3322 s3:smbd:password_in_history: treat entry with 0 salt as 0 + plain nt hash
This is to introduce a new format of the password history, maintaining backwards
compatibility: The old format was 16 byte hash + 16 byte md5(salt + nt hash).
The new format is 16 zero bytes and 16 bytes nt hash.

This will allow us to respect the last X entries of the nt password history
when deciding whether to increment the bad password count.

This is part of the fix for bug #4347 .

Michael
2010-01-07 16:51:17 +01:00
Volker Lendecke
801edeccc6 s3: Remove some code that has become unnecessary
The code I just removed was checked in with e5466fffc286a99f as a bug fix for
https://bugzilla.samba.org/show_bug.cgi?id=3319. With the changes to
is_visible_file made with 9e8b8f8c16612 these lines have become unnecessary,
even with "hide unreadable = yes" dead msdfs symlinks show. This is because we
can not stat(2) them and default to showing them.

Why this change? I have a user who wants to use "hide unreadable" on msdfs
links. Because you can't edit acls on symlinks themselves, the user created the
targets as bogus, empty files that just exist as acl placeholders. With the
code in place that this patch removes, we never allow this to work.

Jeremy, please check! :-)

Thanks,

Volker
2010-01-07 14:58:55 +01:00
Volker Lendecke
8289b46173 s3: Lock down some srvsvc calls according to what w2k3 seems to do 2010-01-07 12:05:33 +01:00
Michael Adam
7248873b48 s3:auth:check_sam_security: improve calling and logging of pdb_update_sam_account
Log what went wrongl, and also call pdb_update_sam_account inside
become_root/unbecome_root: do the logging outside.

Michael
2010-01-07 11:07:57 +01:00
Michael Adam
5ad1b7e0c5 s3:auth:check_sam_security: fix a leading tab/ws mixup
Michael
2010-01-07 11:07:57 +01:00
Michael Adam
970317c413 s3:auth:check_sam_security: create (and use) a common exit point
for use after sam_password_ok() has been called.

Michael
2010-01-07 11:07:56 +01:00
Michael Adam
de4fb80bee s3:auth:check_sam_security: null out sampass after it has been stolen.
So that a later talloc_free would not harm. I could have used
talloc_move instead of talloc steal in make_server_info_sam(),
but this would have required a change of the signature.

Michael
2010-01-07 11:07:56 +01:00
Michael Adam
3634859450 s3:auth:sam_password_ok: take username, acct_ctrl and nt/lm hashes, not sampass
This is in preparation to extending check_sam_security to also check
against the password history before updating the bad password count.
This way, sam_password_ok can more easily be reused for that purpose.

Michael
2010-01-07 11:07:56 +01:00
Michael Adam
c0f404a2e4 s3:auth: use data_blob_null instead of data_blob(NULL, 0) in sam_password_ok()
This way it is more explicit that there is no allocated data here
that may leak.

Michael
2010-01-07 11:07:56 +01:00
Michael Adam
0172587d8d s3:auth:sam_password_ok: fix allocation of a data blob.
data_blob(mem_ctx, 16) does not use mem_ctx as a talloc ctx but
copies 16 bytes from mem_ctx into the newly allocated data blob.
This can not have been intentional. A blank uint8_t array of
length 16 is allocated by passing NULL instead of mem_ctx.
And using data_blob_talloc(mem_ctx, NULL, 16) adds the allocated
blank 16 byte array to mem_ctx - so this is what must have been
intended.

Michael
2010-01-07 11:07:56 +01:00
Michael Adam
7ac18c743b s3:auth:sam_password_ok: enhance readability (imho) by adding some pointers
and removing bool variables and several checks.

Michael
2010-01-07 11:07:55 +01:00
Michael Adam
b5fcb34d6c s3:check_sam_security: untangle assignment from statement
Michael
2010-01-07 11:07:55 +01:00
Volker Lendecke
53a1ed9b6c s3: Factor password_in_history() out of check_passwd_history() 2010-01-07 11:07:55 +01:00
Volker Lendecke
5e2fc28b63 s3: Simplify pdb_set_plaintext_passwd: pwhistory==NULL can not happen anymore 2010-01-07 11:07:54 +01:00
Volker Lendecke
2a11f3b3d7 s3: Simplify pdb_set_plaintext_passwd: pwHistLen==0 was checked above 2010-01-07 11:07:54 +01:00
Volker Lendecke
ec0998ada5 s3: Add a paranoia check to pdb_set_plaintext_passwd() 2010-01-07 11:07:54 +01:00
Volker Lendecke
a3f522202d s3: Simplify pdb_set_plaintext_passwd() by removing a redundant condition
if (current_history_len != pwHistLen) {
     if (current_history_len < pwHistLen) {
     }
}

The second "if" is a bit pointless here
2010-01-07 11:07:54 +01:00
Volker Lendecke
7633837026 s3: Simplify pdb_set_plaintext_passwd: memcpy deals fine with 0 bytes 2010-01-07 11:07:53 +01:00
Volker Lendecke
864ed92954 s3: Simplify pdb_set_plaintext_passwd by using talloc_zero_array 2010-01-07 11:07:53 +01:00
Volker Lendecke
e7290255f5 s3: Make use of talloc_array in pdb_set_plaintext_passwd() 2010-01-07 11:07:53 +01:00
Volker Lendecke
7ba006430f s3: Simplify pdb_set_plaintext_passwd() a bit
Remove an indentation by the early return in

+       if (pwHistLen == 0) {
+               /* Set the history length to zero. */
+               pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED);
+               return true;
+       }
2010-01-07 11:07:52 +01:00
Volker Lendecke
ca6c1cdd5f s3: Simplify pdb_set_plaintext_passwd() slightly
No functional change, this just removes an indentation level by the early
"return True;" in

+       if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) {
+               /*
+                * No password history for non-user accounts
+                */
+               return true;
+       }

Volker
2010-01-07 11:07:52 +01:00
Volker Lendecke
3d8394986a s3: Fix a typo 2010-01-07 11:07:52 +01:00
Volker Lendecke
147a2c057c s3: Avoid a memset(, 0, ) call 2010-01-07 11:07:51 +01:00
Michael Adam
2fad148b27 s3:pdb_set_pw_history: free the old history before setting the new.
This is not strictly necessary, since this only leaks into the
struct samu, and this is not so long-lived in the code path that
changes the password, but it definitely correct and does not harm.

Michael
2010-01-07 11:07:51 +01:00
Michael Adam
71e3de6c9f s3:pdb_ldap:init_sam_from_ldap: untangle an assignment from the check
to enhance readability and denbuggability.

Michael
2010-01-07 11:07:51 +01:00
Björn Jacke
f5729dbb6e s3:lib/time: remove TIME_T_MIN/MAX defines
we already get them from lib/util/time.h
2010-01-07 00:50:38 +01:00
Björn Jacke
b3e065e0c6 ѕ3:lib/time: replace make_dos_ and put_dos_ functions with those from lib/util/ 2010-01-07 00:50:10 +01:00
Björn Jacke
c5f24c3eac s3:lib/time: remoce null_mtime() - use null_time() 2010-01-07 00:49:57 +01:00
Björn Jacke
c1c7b6cecb s3:lib/time: remove unused nt_time_equals
we have nt_time_equal doing the same in lib/util/
2010-01-07 00:49:49 +01:00
Jeremy Allison
d5995eec7e Second part of the fix for bug #7020 - smbd using 2G memory.
There was a second leak in the processing of the out_data.frag
prs_struct. It needs freeing once the current pdu has been returned
asynchronously.

Jeremy.
2010-01-06 13:11:00 -08:00