Commit message | Author | Age | Files | Lines
...
* torture-krb5: Check for UPN handling in krb5.kdc.canon test | Andrew Bartlett | 2015-01-23 | 1 | -18/+90
  This allows us to confirm correct behaviour when a UPN is in use, particularly with the canonicalize flag and with enterprise principal names
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Correctly return the krbtgt/realm@REALM principal from our KDC | Andrew Bartlett | 2015-01-23 | 1 | -25/+31
  This needs to vary depending on if the client requested the canonicalize flag
  This was found by our new krb5.kdc test
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move checking of server and client names to krb5.kdc.canon | Andrew Bartlett | 2015-01-23 | 2 | -20/+25
  This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon | Andrew Bartlett | 2015-01-23 | 2 | -25/+11
  This allows the impact of this to be verified with the other options we are setting
  This also removes duplication in the kdc.c testsuite.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Split the expected behaviour of the RODC up | Andrew Bartlett | 2015-01-23 | 3 | -7/+14
  The expectations of the cached accounts are different to those of the RODC in general.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-kdc: Skip the request-pac behaviour for now against an RODC | Andrew Bartlett | 2015-01-23 | 1 | -0/+3
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add comments | Andrew Bartlett | 2015-01-23 | 2 | -0/+79
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Add TODO to remind us where we need to hook for RODC to get secrets | Andrew Bartlett | 2015-01-23 | 1 | -0/+1
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix Samba's KDC to only change the principal in the right cases | Andrew Bartlett | 2015-01-23 | 1 | -9/+23
  If we are set to canonicalize, we get back the fixed UPPER case realm, and the real username (ie matching LDAP samAccountName)
  Otherwise, if we are set to enterprise, we get back the whole principal as-sent
  Finally, if we are not set to canonicalize, we get back the fixed UPPER case realm, but the as-sent username
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add tests for combinations of enterprise, canon, and different input principals | Andrew Bartlett | 2015-01-23 | 5 | -7/+415
  This combinational test confirms the interactions between a number of different Kerberos flags and principal types.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour | Andrew Bartlett | 2015-01-23 | 3 | -5/+37
  The RODC should answer some requests locally, and others it should defer to the main DC.
  We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned to the KDC.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* selftest: Add test for enterprise UPN in a different domain | Andrew Bartlett | 2015-01-23 | 1 | -5/+18
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix enterprise principal name handling | Andrew Bartlett | 2015-01-23 | 2 | -11/+24
  Based on a patch by Samuel Cabrero <scabrero@zentyal.com>
  This ensures we write the correct (implicit, samAccountName) based UPN into the ticket, rather than the userPrincipalName, which will have a different realm.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not overwritten | Andrew Bartlett | 2015-01-23 | 1 | -4/+19
  This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Really bug in KDC handling of enterprise princs | Nicolas Williams | 2015-01-23 | 1 | -3/+2
  The value of this commit to Samba is to continue to match Heimdal's upstream code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there is no runtime difference.
  (commit message by Andrew Bartlett)
  Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix bug in KDC handling of enterprise principals | Nicolas Williams | 2015-01-23 | 1 | -35/+38
  The useful change in Samba from this commit is that we gain validation of the enterprise principal name.
  (commit message by Andrew Bartlett)
  Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* torture: Extend KDC test to cover more options and modes | Andrew Bartlett | 2015-01-23 | 2 | -7/+151
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Decode expected packets and test KDC behaviour for wrong passwords | Andrew Bartlett | 2015-01-23 | 1 | -9/+164
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour against all the DC envs | Andrew Bartlett | 2015-01-23 | 1 | -5/+5
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour with unprivileged accounts | Andrew Bartlett | 2015-01-23 | 2 | -0/+25
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Run new testsuite for krb5 and KDC behaviour with machine account also | Andrew Bartlett | 2015-01-23 | 2 | -6/+15
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Start a new testsuite for krb5 and KDC behaviour | Andrew Bartlett | 2015-01-23 | 6 | -37/+226
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-pam_smbpass: Correctly initialize variables. | Andreas Schneider | 2015-01-22 | 1 | -2/+2
  This fixes a coverity warning.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jan 22 22:51:59 CET 2015 on sn-devel-104
* s3-pam_smbpass: Remove superfluous NULL check for pam functions. | Andreas Schneider | 2015-01-22 | 1 | -3/+0
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-pam_smbpass: Make sure PAM_MAXTRIES can be returned. | Andreas Schneider | 2015-01-22 | 1 | -1/+2
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-pam_smbpass: Check the return code of secrets_init(). | Andreas Schneider | 2015-01-22 | 1 | -1/+5
  This fixes a coverity warning.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-pam_smbpass: Fix set_ctrl() return value. | Andreas Schneider | 2015-01-22 | 2 | -2/+5
  This fixes a cppcheck warning.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-pam_smbpass: Make sure variables are initialized. | Andreas Schneider | 2015-01-22 | 1 | -3/+3
  This fixes cppcheck warnings.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-smbspool: Use strtol() instead of atoi(). | Andreas Schneider | 2015-01-22 | 1 | -1/+8
  This fixes a coverity warning.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* winbind: Fix idmap initialization | Volker Lendecke | 2015-01-22 | 1 | -6/+8
  The fix is in the sscanf line: %u in the sscanf format mandates the use of a pointer to an "unsigned". idmap_domain->[low|high]_id are uint32_t. On little endian 64-bit this might at least put the correct values into low_id and high_id, but might overwrite the read_only bit set earlier, depending on structure alignment and packing. On big endian 64-bit, this will just fail.
  Automatic conversion to uint32_t will happen only at assignment, not when you take a pointer of such a thing.
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104
* s3-pam_smbpass: Fix memory leak in pam_sm_authenticate(). | Andreas Schneider | 2015-01-22 | 1 | -2/+9
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11066
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Volker Lendecke <vl@samba.org>
* vfs: Fix a typo | Volker Lendecke | 2015-01-22 | 1 | -1/+1
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Jan 22 13:14:38 CET 2015 on sn-devel-104
* Remove use of the "staticforward" macro | Petr Viktorin | 2015-01-22 | 8 | -22/+22
  This macro was used for compatibility with broken compilers. Since Python 2.3, it is always defined as `static`, and only exists "for source compatibility with old C extensions".
  Signed-off-by: Petr Viktorin <pviktori@redhat.com>
  Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set | Andrew Bartlett | 2015-01-22 | 1 | -3/+63
  Also confirm what bits have to be ignored, or otherwise processed
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104
* dsdb-samldb: Clarify userAccountControl manipulation code by always using UF_ flags | Andrew Bartlett | 2015-01-22 | 1 | -8/+6
  The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT if no account set | Andrew Bartlett | 2015-01-22 | 1 | -3/+8
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Only allow known and settable userAccountControl bits to be set | Andrew Bartlett | 2015-01-22 | 2 | -8/+22
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Show that we can not change the primaryGroupID of a DC | Andrew Bartlett | 2015-01-22 | 1 | -0/+110
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: let samldb_prim_group_change() protect DOMAIN_RID_{READONLY_,}DCS | Stefan Metzmacher | 2015-01-22 | 1 | -2/+26
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Improve userAccountControl handling | Andrew Bartlett | 2015-01-22 | 2 | -32/+158
  We now always check the ACL and invariant rules using the same function
  The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type
  This list should only be of the account exclusive account type bits.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Add new test samba4.user_account_control.python | Andrew Bartlett | 2015-01-22 | 2 | -0/+522
  This confirms security behaviour of the userAccountControl attribute as well as the behaviour on ADD as well as MODIFY, for every userAccountControl bit.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specified | Andrew Bartlett | 2015-01-22 | 1 | -3/+3
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type | Andrew Bartlett | 2015-01-22 | 2 | -12/+10
  This list should only be of the account exclusive account type bits.
  Note, this corrects the behaviour in samldb modifies of userAccountControl.
  This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Align sam.py with Windows 2012R2 and uncomment userAccountControl tests | Andrew Bartlett | 2015-01-22 | 1 | -82/+68
  These tests now pass against Samba and Windows 2012R2.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993
  Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* vfs:glusterfs: whitespace fix. | Michael Adam | 2015-01-22 | 1 | -3/+3
  Signed-off-by: Michael Adam <obnox@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Thu Jan 22 03:20:17 CET 2015 on sn-devel-104
* vfs_snapper: encode and decode Snapper DBus strings | David Disseldorp | 2015-01-22 | 1 | -16/+94
  Snapper uses a special character encoding for strings used in DBus requests and responses. This change ensures that Samba packs and unpacks strings in the corresponding format, using the previously added encode/decode helper functions.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* vfs_snapper: add DBus string encoding and decoding helpers | David Disseldorp | 2015-01-22 | 1 | -0/+124
  Snapper uses the following mechanism for encoding and decoding strings used in DBus traffic:
  Characters above 127 (0x7F - ASCII DEL) must be encoded hexadecimal as "\x??". As a consequence "\" must be encoded as "\\".
  This change adds string encoding and decoding helpers to vfs_snapper.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* vfs_snapper: free dbus req messages in error paths | David Disseldorp | 2015-01-22 | 1 | -0/+4
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11055
  Signed-off-by: David Disseldorp <ddiss@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* vfs_glusterfs: Replace eventfd with pipes, for AIO use | Ira Cooper | 2015-01-21 | 2 | -97/+41
  Pipes clean up the AIO implementation substantially, due to the fact that they implement a natural thread safe queue instead of us creating our own queue.
  Signed-off-by: Ira Cooper <ira@samba.org>
  Signed-off-by: Poornima G <pgurusid@redhat.com>
  Reviewed-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Ira Cooper <ira@samba.org>
  Autobuild-Date(master): Wed Jan 21 20:40:11 CET 2015 on sn-devel-104
* libcli/auth: add netlogon_creds_cli_GetForestTrustInformation*() | Stefan Metzmacher | 2015-01-21 | 2 | -0/+281
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
  Autobuild-User(master): Günther Deschner <gd@samba.org>
  Autobuild-Date(master): Wed Jan 21 17:19:33 CET 2015 on sn-devel-104