Tim Beale [Fri, 6 Apr 2018 04:42:50 +0000 (16:42 +1200)]
dsdb/auth: Use PSO settings for lockOutThreshold/Duration
If a PSO applies to a user, use its lockOutThreshold/Duration settings
instead of the domain setting. When we lookup a user, we now include the
msDS-ResultantPSO attribute. If the attribute is present for a user,
then we lookup the corresponding PSO object to get the lockOutThreshold/
Duration settings.
Note: This is not quite enough to make the PSO lockout tests pass, as
msDS-User-Account-Control-Computed is still constructed based on the
domain lockoutDuration setting rather than the PSO.
Updating the password_hash.c code properly will be done in a subsequent
commit.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Tue, 8 May 2018 02:45:17 +0000 (14:45 +1200)]
tests: Extend PSO tests to cover password-history/length/complexity
Unhobble the PSO test cases so that they not only check the
msDS-ResultantPSO constructed attribute, but also that the corresponding
PSO's password-history, minimum password length, and complexity settings
are actually used.
The tests now fail once more, as actually using the PSO's settings isn't
implemented yet.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Tim Beale [Tue, 20 Mar 2018 21:45:38 +0000 (10:45 +1300)]
dsdb: Add msDS-ResultantPSO constructed attribute support
Add support for the msDS-ResultantPSO constructed attribute, which
indicates the PSO (if any) that should apply to a given user. First we
consider any PSOs that apply directly to a user. If none apply directly,
we consider PSOs that apply to any groups the user is a member of. (PSO
lookups are done by finding any 'msDS-PSOAppliesTo' links that apply to
the user or group SIDs we're interested in.
Note: the PSO should be selected based on the RevMembGetAccountGroups
membership, which doesn't include builtin groups. Looking at the spec,
it appears that perhaps our tokenGroups implementation should also
exclude builtin groups. However, in the short-term, I've added a new
ACCOUNT_GROUPS option to the enum, which is only used internally for
PSOs.
The PSO test cases (which are currently only checking the constructed
attribute) now pass, showing that the correct msDS-ResultantPSO value is
being returned, even if the corresponding password-policy settings are
not yet being applied.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Mon, 14 May 2018 02:34:25 +0000 (14:34 +1200)]
autobuild: build ldb --without-ldb-lmdb
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 23 05:11:13 CEST 2018 on sn-devel-144
Gary Lockyer [Tue, 6 Mar 2018 00:40:21 +0000 (13:40 +1300)]
ldb-samba: Handle generic mdb:// url scheme in ldb_relative_path()
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 6 Mar 2018 02:11:23 +0000 (15:11 +1300)]
ldb: Add MDB support to ldb://
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Tue, 13 Mar 2018 02:08:10 +0000 (15:08 +1300)]
ldb_mdb/tests: add tests for multiple opens across forks
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Mon, 12 Mar 2018 19:14:09 +0000 (08:14 +1300)]
ldb_mdb/tests: test large index key value
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Thu, 22 Mar 2018 22:29:25 +0000 (11:29 +1300)]
ldb_mdb: Remove implicit read lock and remove transaction counter
The way to know if we are in a transaction is if there is a non-NULL
transaction handle.
This allows the ldb_mdb_kv_ops_test test to be run.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Thu, 8 Mar 2018 03:47:59 +0000 (16:47 +1300)]
ldb_mdb/tests: Tests for wrap open
Tests to ensure that the mdb_env wrapping code correctly handles
multiple ldb's point to the same physical database file.
The test_ldb_close_with_multiple_connections tests are in
ldb_mod_op_test due to the utility code it uses from
elsewhere in that test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 13 Mar 2018 02:08:10 +0000 (15:08 +1300)]
ldb_mdb: prevent MDB_env reuse across forks
MDB_env's may not be reused accross forks. Check the pid that the lmdb
structure was created by, and return an error if it is being used by a
different process.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 20 Mar 2018 22:38:22 +0000 (11:38 +1300)]
ldb_mdb: handle EBADE from mdb_env_open
Under some circumstances mdb_env_open returns EBADE, we treat this as
indicating the file is not a valid lmdb format file.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 6 Mar 2018 23:05:34 +0000 (12:05 +1300)]
ldb_mdb: Wrap mdb_env_open
Wrap mdb_env_open to ensure that we only have one MDB_env opened per
database in each process
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 6 Mar 2018 02:27:51 +0000 (15:27 +1300)]
ldb_mdb: Apply LMDB key length restrictions at key-value layer
We need to enforce the GUID index mode so end-users do not get a
supprise in mid-operation and we enforce a max key length of 511 so
that the index key trunctation is done correctly.
Otherwise the DB will appear to work until a very long key (DN or
index) is used, after which it will be sad.
Because the previous ldb_lmdb_test confirmed the key length by
creating a large DN, those tests are re-worked to use the GUID index
mode. In turn, new tests are written that create a special DN around
the maximum key length.
Finally a test is included that demonstrates that adding entries to
the LMDB DB without GUID index mode fails.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Mon, 5 Mar 2018 20:13:31 +0000 (09:13 +1300)]
ldb_mdb/tests: Run api and index test also on lmdb
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Fri, 2 Feb 2018 02:30:53 +0000 (15:30 +1300)]
ldb_mdb/tests: Add tests to check for max key length and DB size
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Tue, 6 Mar 2018 23:05:34 +0000 (12:05 +1300)]
ldb_mdb: Don't allow modify operations on a read only db
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 20 May 2018 22:40:00 +0000 (10:40 +1200)]
selftest: Clean up ldb on tearDown from each packet in TrafficEmulatorPacketTests
Otherwise the LDB (and so the server resources) are in use until the end of the whole test
due to the way the objects are maintained in python for reporting.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 23 00:53:25 CEST 2018 on sn-devel-144
Andrew Bartlett [Mon, 21 May 2018 01:58:12 +0000 (13:58 +1200)]
auth: Use DBGC_AUTH as DBGC_CLASS for AD DC auth session code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 22 02:42:32 CEST 2018 on sn-devel-144
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 18 22:03:21 CEST 2018 on sn-devel-144
Noel Power [Fri, 4 May 2018 11:20:36 +0000 (12:20 +0100)]
python/samba/netcmd: Py2/Py3 misc replace range with enumerate
Replace various instances of xrange with enumerate.
Signed-off-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Fri May 18 05:24:42 CEST 2018 on sn-devel-144
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 18 02:38:50 CEST 2018 on sn-devel-144
../lib/audit_logging/audit_logging.c: In function ‘json_add_timestamp’:
../lib/audit_logging/audit_logging.c:603:12: error: ‘%s’ directive
output may be truncated writing up to 9 bytes into a region of size
between 0 and 43 [-Werror=format-truncation=]
"%s.%06ld%s",
^~
../lib/audit_logging/audit_logging.c:606:3:
tz);
~~
../lib/audit_logging/audit_logging.c:600:2: note: ‘snprintf’ output
between 8 and 70 bytes into a destination of size 50
snprintf(
^~~~~~~~~
timestamp,
~~~~~~~~~~
sizeof(timestamp),
~~~~~~~~~~~~~~~~~~
"%s.%06ld%s",
~~~~~~~~~~~~~
buffer,
~~~~~~~
tv.tv_usec,
~~~~~~~~~~~
tz);
~~~
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu May 17 20:17:35 CEST 2018 on sn-devel-144
../source3/passdb/pdb_smbpasswd.c: In function ‘mod_smbfilepwd_entry’:
../source3/passdb/pdb_smbpasswd.c:1015:7: error: ‘:LCT-’ directive
output may be truncated writing 5 bytes into a region of size between 0
and 255 [-Werror=format-truncat ion=]
"%s:LCT-%08X:",
^~~~~
../source3/passdb/pdb_smbpasswd.c:1015:4: note: using the range [0, 4294967295] for directive argument
"%s:LCT-%08X:",
^~~~~~~~~~~~~~
In file included from ../source3/include/includes.h:23,
from ../source3/passdb/pdb_smbpasswd.c:23:
../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output
between 15 and 270 bytes into a destination of size 255
#define slprintf snprintf
../source3/passdb/pdb_smbpasswd.c:1013:3: note: in expansion of macro ‘slprintf’
slprintf(&ascii_p16[strlen(ascii_p16)],
^~~~~~~~
../source3/lib/ldap_escape.c: In function ‘escape_ldap_string’:
../source3/lib/ldap_escape.c:79:4: error: ‘strncpy’ output truncated
before terminating nul copying 3 bytes from a string of the same length
[-Werror=stringop-truncation]
strncpy (p, sub, 3);
^~~~~~~~~~~~~~~~~~~
We concatenat and do not care about NUL-termination till the loop has
finished.
../source4/torture/basic/mangle_test.c: In function ‘gen_name’:
../source4/torture/basic/mangle_test.c:148:3: error: ‘strncpy’ output
truncated before terminating nul copying 5 bytes from a string of the
same length [-Werror=stringop-truncation]
strncpy(p, "ABCDE", 5);
^~~~~~~~~~~~~~~~~~~~~~
../source3/utils/smbpasswd.c: In function ‘process_root’:
../source3/utils/smbpasswd.c:414:37: error: ‘$’ directive output may be truncated writing 1 byte into a region of size between 0 and 255 [-Werror=format-truncation=]
slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
^
In file included from ../source3/include/includes.h:23,
from ../source3/utils/smbpasswd.c:19:
../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 2 and 257 bytes into a destination of size 255
#define slprintf snprintf
../source3/utils/smbpasswd.c:414:3: note: in expansion of macro ‘slprintf’
slprintf(buf, sizeof(buf) - 1, "%s$", user_name);
^~~~~~~~
../source3/utils/smbpasswd.c:397:35: error: ‘$’ directive output may be truncated writing 1 byte into a region of size between 0 and 255 [-Werror=format-truncation=]
slprintf(buf, sizeof(buf)-1, "%s$", user_name);
^
In file included from ../source3/include/includes.h:23,
from ../source3/utils/smbpasswd.c:19:
../lib/replace/../replace/replace.h:514:18: note: ‘snprintf’ output between 2 and 257 bytes into a destination of size 255
#define slprintf snprintf
../source3/utils/smbpasswd.c:397:3: note: in expansion of macro ‘slprintf’
slprintf(buf, sizeof(buf)-1, "%s$", user_name);
^~~~~~~~
cc1: some warnings being treated as errors
s4-torture: fix format-truncation warning in smb2 session tests.
../source4/torture/smb2/session.c: In function ‘test_session_reauth5’:
../source4/torture/smb2/session.c:645:36: error: ‘\file.dat’ directive output may be truncated writing 9 bytes into a region of size between 1 and 256 [-Werror=format-truncation=]
snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
^~~~~~~~~~
../source4/torture/smb2/session.c:645:2: note: ‘snprintf’ output between 10 and 265 bytes into a destination of size 256
snprintf(fname, sizeof(fname), "%s\\file.dat", dname);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../source4/torture/smb2/session.c:696:38: error: ‘\file2.dat’ directive output may be truncated writing 10 bytes into a region of size between 1 and 256 [-Werror=format-truncation=]
snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
^~~~~~~~~~~
../source4/torture/smb2/session.c:696:2: note: ‘snprintf’ output between 11 and 266 bytes into a destination of size 256
snprintf(fname2, sizeof(fname2), "%s\\file2.dat", dname);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: some warnings being treated as errors
s3-printing: fix format-truncation in print_queue_update()
../source3/printing/printing.c: In function ‘print_queue_update’:
../source3/printing/printing.c:1809:42: error: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 244 [-Werror=format-truncation=]
snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename);
^~ ~~~~~~~~~
../source3/printing/printing.c:1809:2: note: ‘snprintf’ output between 13 and 268 bytes into a destination of size 256
snprintf(key, sizeof(key), "MSG_PENDING/%s", sharename);
Andrew Bartlett [Wed, 16 May 2018 18:37:28 +0000 (06:37 +1200)]
FIXUP: Improve memory handling on py_net_change_password
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu May 17 14:28:19 CEST 2018 on sn-devel-144
Noel Power [Wed, 16 May 2018 15:51:34 +0000 (16:51 +0100)]
python/samba/netcmd: net.change_password should be passed string
password param which in python2 (is str) is incorrectly encoded
before passing to net.change_password.
python2 - password is either unicode or str, if str we should
decode to get unicode (and then pass to net.change_password).
python3 - password is either str or bytes, if bytes then decode
(and pass as 'str' to net.change_password). Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Wed, 16 May 2018 15:46:41 +0000 (16:46 +0100)]
s4/libnet: Allow passwords containing non ascii characters to be passed
Although we can pass unicode to py_net_change_password unfortunately in
Python2 unicode strings are encoded with the default encoding (e.g. ascii)
when extracting the unicode string to buffer.
In Python3 the default encoding for "s" format is utf8. Use the "es"
format instead of "s" so we can specify the encoding so behaviour is
correct in py2/py3.
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Mon, 14 May 2018 12:38:20 +0000 (13:38 +0100)]
python/samba: Fix incorrect encode of password
In python2 you can encode a 'str' type which doesn't really make sense
since it is already bytes (as such). In python3 this isn't possible you
can't encode bytes or decode strings. Also because you can call encode
on 'str' in python2 it tries to to what you wanted and it implicity
calls decode('ascii') before performing the encode. This is why we get
mention of ascii codec in the error. This patch should future proof for
python3 also.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13435 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Mon, 14 May 2018 12:48:18 +0000 (13:48 +0100)]
s4/setup/tests: Add test for non ascii password setting samba-tool
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13435 Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 2 May 2018 13:26:05 +0000 (15:26 +0200)]
winbindd: Introduce "bool_dispatch_table"
This is meant to replace the synchronous "dispatch_table".
The current dispatch_table assumes that every synchronous function does
the request_ok or request_error itself. This mixes two concerns: Doing
the work and shipping the reply to the winbind client. This new dispatch
table will make it possible to centralize shipping the reply to the
client. At a later stage this will enable easier statistics on how long
request processing took precisely.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Martin Schwenke [Tue, 24 Apr 2018 05:55:11 +0000 (15:55 +1000)]
ctdb: Drop configuration file ctdbd.conf
Drop function loadconfig(), replacing uses with "load_system_config
ctdb". Drop translation of old-style configuration to new
configuration file. Drop export of debugging variables. Drop
documentation and configuration examples.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Amitay Isaacs <amitay@samba.org>
Autobuild-Date(master): Thu May 17 07:03:04 CEST 2018 on sn-devel-144
Martin Schwenke [Wed, 2 May 2018 08:38:41 +0000 (18:38 +1000)]
ctdb-tests: Clean up tests to not expose script options
The tests still use the script options but the event scripts no longer
see them exported from the test infrastructure. Testing now depends
on the event scripts successfully fetching the options from the
configuration file.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Wed, 2 May 2018 08:06:05 +0000 (18:06 +1000)]
ctdb-tests: Add ctdb-config wrapper stub for event script tests
Create a shim helper around that simply invokes ctdb-config via its
real location.
This is needed because the event script tests set CTDB_HELPER_BINDIR
to the stubs directory because all other helpers used by event script
testing are currently stubs.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Martin Schwenke [Mon, 16 Apr 2018 03:20:36 +0000 (13:20 +1000)]
ctdb-scripts: Translate old style options into new configuration file
This allows the relevant command-line options to be removed from the
daemon while still leaving the old ctdbd.conf options file in place.
It is a temporary measure to enable testing in an old testing
environment.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
projects / thirdparty / samba.git / log
