Andrew Bartlett [Thu, 4 May 2017 09:39:21 +0000 (11:39 +0200)]
ldb: Add ldb_handle_get_event_context()
This will allow us to obtain a private event context for use while we hold
locks in ldb_tdb, that is not shared with the global state of the application.
This will ensure we do not perform other operations while we hold the lock
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 4 May 2017 20:27:24 +0000 (22:27 +0200)]
ldb: Add ldb_build_req_common() helper function
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Mar 2017 00:10:22 +0000 (13:10 +1300)]
ldb_tdb: Avoid reading the index list from the DB if we are already set to override it
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Mar 2017 00:23:44 +0000 (13:23 +1300)]
ldb: Allow a caller (in particular Samba) to handle the list of attributes with an index
By doing that, Samba will use a binary search to locate the attributes
rather than an O(n) search, during every search or modify of the database.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Mar 2017 00:21:34 +0000 (13:21 +1300)]
ldb_tdb: consistently use ltdb->cache->attribute_indexes to determine if we have indexes
This is instead of checking the number of elements via ltdb->cache->indexlist->num_elements
In turn, this allows us to avoid fetching ltdb->cache->indexlist in the future
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Mar 2017 00:07:16 +0000 (13:07 +1300)]
ldb_tdb: change the arguments to ldb_is_indexed() to provide the ltdb_private
By doing this, we can be more efficient in locating if we have an index in
the future.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Thu, 30 Mar 2017 00:10:08 +0000 (13:10 +1300)]
ldb_tdb: Split index load out into a sub-funciton: ltdb_index_load
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 31 06:33:00 CEST 2017 on sn-devel-144
Volker Lendecke [Mon, 29 May 2017 14:15:50 +0000 (16:15 +0200)]
lib: Remove use of MSG_NOSIGNAL
According to susv4 sendmsg, NOSIGAL is effective for stream-oriented sockets.
Datagram sockets won't send SIGPIPE anyway. Looking at Linux kernel sources,
this is only looked at in stream functions. I guess this is a left-over from my
tmsgd attempts, which was based on stream sockets. messaging_dgm still only
uses datagram sockets, so MSG_NOSIGNAL is not needed here.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue May 30 16:39:12 CEST 2017 on sn-devel-144
This is completely untested and from reading the code it doesn't really
do anything beside always returning None from the get_class_object() method.
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 30 12:16:57 CEST 2017 on sn-devel-144
Garming Sam [Tue, 11 Apr 2017 03:51:50 +0000 (15:51 +1200)]
netlogon: Implement SendToSam along with its winbind forwarding
This allows you to forward bad password count resets to 0. Currently,
there is a missing access check for the RODC to ensure it only applies
to cached users (msDS-Allowed-Password-Replication-Group).
(further patches still need to address forcing a RWDC contact)
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Thu, 20 Apr 2017 04:55:58 +0000 (16:55 +1200)]
netlogon_creds_cli: Do not corrupt authenticator state on application level errors
If the NETLOGON response was an error e.g. NT_STATUS_NOT_IMPLEMENTED, any subsequent
calls failed with NT_STATUS_ACCESS_DENIED. This is likely to be the cause of RODC DNS
updates falling off and never continuing.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Tue, 4 Apr 2017 00:42:17 +0000 (12:42 +1200)]
libads: Decide to have no fallback option
Before this change, it would always possibly choose another server at
random despite later using the original principal when it got back to
the connection initialization in the the winbind connection manager.
This caused bizarre authentication failures.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Amitay Isaacs [Tue, 7 Mar 2017 05:44:08 +0000 (16:44 +1100)]
ctdb-tools: Always exit with positive return value
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue May 30 08:05:56 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 26 May 2017 13:42:46 +0000 (15:42 +0200)]
s4/torture: add a leases test with stat open
This test passes against Windows 2016 but currently fails against Samba
for some reason. The test does the following:
1. A stat open on a file, then
2. a second open with a RWH-lease request
Windows grants a RWH-lease in step 2, while Samba only grants a
R-lease. Go figure...
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 26 May 2017 09:57:08 +0000 (11:57 +0200)]
s3/smbd: fix exclusive lease optimisation
We need to expect any amount of "stat" opens on the file without
triggering an assert.
This is the correct fix for bug #11844. I guess we haven't seens this
very often before bug #12766 got fixed, because most clients were using
LEASES instead of OPLOCKS.
Jeremy Allison [Thu, 25 May 2017 18:38:26 +0000 (11:38 -0700)]
s3: VFS: Fruit. Move to using struct smb_filename instead of char * paths.
Cleans up and removes some code.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri May 26 20:53:02 CEST 2017 on sn-devel-144
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Amitay Isaacs <amitay@gmail.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Fri May 26 05:24:34 CEST 2017 on sn-devel-144
Gary Lockyer [Tue, 23 May 2017 02:11:35 +0000 (14:11 +1200)]
libnet join: Fix error handling on provision_store_self_join failure
This avoids leaving the error string NULL.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 25 06:28:02 CEST 2017 on sn-devel-144
Gary Lockyer [Tue, 23 May 2017 02:13:14 +0000 (14:13 +1200)]
source4/provision: fix talloc_steal on unallocated memory
The caller will steal *error_string on failure, if it
is not NULL.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 23 May 2017 01:03:03 +0000 (13:03 +1200)]
tests net_join: use private secrets database.
Tests were leaving entries in the secrets database that caused
subsequent test cases to fail.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Wed, 26 Apr 2017 19:12:34 +0000 (07:12 +1200)]
source4 rpc: binding.c enable DCERPC_SCHANNEL_AUTO for schannel connections
Enable the DCERPC_SCHANNEL_AUTO option in dceprc bindings. If not enabled
calls to netlogon.netlogon from python fail with NT_STATUS_DOWNGRADE_DETECTED
if schannel bindings are specified.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
The challenge parameter was being treated as a string rather than as a
data blob. This was causing intermittent seg faults. Removed the
server_timestamp parameter as it's not currently used.
Unable to produce a test case to reliably replicate the failure.
However auth_log_samlogon does flap
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Fri, 28 Apr 2017 01:13:28 +0000 (13:13 +1200)]
auth pycredentials: correct docstring of get_ntlm_response method
Fix copy paste error was incorrectly named "get_ntlm_username_domain"
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 27 Apr 2017 22:16:39 +0000 (10:16 +1200)]
auth_log: Add test that execises the SamLogon python bindings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 21 May 2017 21:49:17 +0000 (09:49 +1200)]
tests password_hash: Add ldap based tests for WDigest
Add tests of the WDigest values using ldap. This allows the tests to be
run against Windows, to validate the calculated values.
Tests validated against Windows Server 2012 R2
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 18 May 2017 02:38:37 +0000 (14:38 +1200)]
tests password_hash: update array indexes for readabliity
Use an n-1 pattern in the indexes to the digest array to simplify checking
against the documentation and samba-tool user tests.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 15 May 2017 00:19:22 +0000 (12:19 +1200)]
samba-tool add support for userPassword
Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes.
The values are now calculated as follows:
1) If a value exists in 'Primary:userPassword' with
the specified number of rounds it is returned.
2) If 'Primary:CLEARTEXT, or 'Primary:SambaGPG' with
'--decrypt-samba-gpg'. Calculate a hash with the specified number of rounds
3) Return the first {CRYPT} value in 'Primary:userPassword' with a
matching algorithm
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 15 May 2017 00:20:58 +0000 (12:20 +1200)]
samba-tool tests: add tests for userPassword
Tests to ensure that precomputed SHA256 and SHA512 hashes in
'supplementalCredentials Primary:userPassword' are used correctly in the
calculation of virtualCryptSHA256 and virtualCryptSHA512
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 4 Apr 2017 04:05:08 +0000 (16:05 +1200)]
password_hash: generate and store Primary:userPassword
Generate sha256 and sha512 password hashes and store them in
supplementalCredentials
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 11 Apr 2017 21:12:56 +0000 (09:12 +1200)]
tests password_hash: add tests for Primary:userPassword
Add tests to verify the generation and storage of sha256 and sha512
password hashes in suplementalCredentials Primary:userPassword
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 9 May 2017 02:38:06 +0000 (14:38 +1200)]
docs: configuration options for extra password hashes
Add the configuration options for the generation and storage of crypt()
based sha256 and sha512 password hashes in supplementalCredentials
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 11 Apr 2017 21:09:27 +0000 (09:09 +1200)]
tests password_hash: fix white space issues
Clean up white space issues in password_hash.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 11 Apr 2017 21:08:24 +0000 (09:08 +1200)]
tests password_hash: remove unused import
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 4 Apr 2017 04:00:20 +0000 (16:00 +1200)]
idl drsblobs: add the blobs required for Primary:userPassword
Add the blobs required to allow the storing of an sha256 or sha512 hash of
the password in supplemental credentials
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 8 May 2017 23:20:15 +0000 (11:20 +1200)]
samba-tool user: add rounds option to virtualCryptSHAxxx
Allow the number of rounds to be specified when calculating the
virtualCryptSHA256 and virtualCryptSHA512 attributes.
i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
hash using 3,000 rounds.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 8 May 2017 23:15:19 +0000 (11:15 +1200)]
samba-tool tests: Tests for virtualCryptSHAxxx rounds
Add tests to for the new rounds option for the virtualCryptSHA256 and
virtualCryptSHA512 attributes.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 7 May 2017 22:00:58 +0000 (10:00 +1200)]
samba-tool user: Support for virtualWDigest attributes
Add new virtualWDigest attributes, these return the hashes stored in
supplementalCredentials Primary:WDigest, in a form suitable for
htdigest authentication
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 7 May 2017 22:00:09 +0000 (10:00 +1200)]
samba-tool user: Tests for virtualWDigest attributes
Add tests for the new virtualWDigest attributes, these return the hashes
stored in supplementalCredentials Primary:WDigest in a form suitable for
use with htdigest authentication.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
During revoking readonly delegations, if one of the nodes disappears,
then there is no point re-trying revoking readonly delegation immedately.
The database needs to be recovered before the revoke operation can
succeed.
However, if the revoke is successful, then all the write requests need
to be processed immediately before the read-only requests. This avoids
starving write requests, in case there are read-only requests coming
from other nodes.
In deferred_call_destructor, the result of revoke is not available and
deferred calls cannot be correctly ordered. To correctly order the
deferred calls, process them in revokechild_destructor where the result
of revoke is known.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Martin Schwenke <martin@meltin.net>
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed May 24 14:34:30 CEST 2017 on sn-devel-144
Andrew Bartlett [Thu, 4 May 2017 08:12:46 +0000 (10:12 +0200)]
dsdb: Do not search the sam.ldb file when trying to search all partitions
The sam.ldb file does not contain the same kind of data as the partitions, we do not wish to
mix these results. This also avoids taking out locks on the sam.ldb file.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 23 05:18:04 CEST 2017 on sn-devel-144
Andrew Bartlett [Wed, 3 May 2017 20:51:30 +0000 (22:51 +0200)]
dsdb: Take out the transaction and prepare_commit locks in the same order
We must, when starting the transaction and preparing to commit the transaction, take
out the locks in the same order across all the databases, otherwise we may deadlock.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Jeremy Allison [Thu, 18 May 2017 20:28:23 +0000 (13:28 -0700)]
s3: smbd: Correctly identify a snapshot path using UCF_GMT_PATHNAME.
All our client code already does this correctly for @GMT names.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 22 22:49:17 CEST 2017 on sn-devel-144
projects / thirdparty / samba.git / log
