summaryrefslogtreecommitdiffstats
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
...
* torture-krb5: Check for UPN hanlding in krb5.kdc.canon testAndrew Bartlett2015-01-231-18/+90
| | | | | | | | | This allows us to confirm correct behaviour when a UPN is in use, particularly with the canonicalize flag and with enterprise principal names Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Correctly return the krbtgt/realm@REALM principal from our KDCAndrew Bartlett2015-01-231-25/+31
| | | | | | | | | | This needs to vary depending on if the client requested the canonicalize flag This was found by our new krb5.kdc test Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move checking of server and client names to krb5.kdc.canonAndrew Bartlett2015-01-232-20/+25
| | | | | | | | This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canonAndrew Bartlett2015-01-232-25/+11
| | | | | | | | | | This allows the impact of this to be verified with the other options we are setting This also removes duplication in the kdc.c testsuite. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Split the expected behaviour of the RODC upAndrew Bartlett2015-01-233-7/+14
| | | | | | | | The expectations of the cached accounts are different to those of the RODC in general. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-kdc: Skip the request-pac behaviour for now against an RODCAndrew Bartlett2015-01-231-0/+3
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add commentsAndrew Bartlett2015-01-232-0/+79
| | | | Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Add TODO to remind us where we need to hook for RODC to get secretsAndrew Bartlett2015-01-231-0/+1
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix Samba's KDC to only change the principal in the right casesAndrew Bartlett2015-01-231-9/+23
| | | | | | | | | | | | | | | | If we are set to canonicalize, we get back the fixed UPPER case realm, and the real username (ie matching LDAP samAccountName) Otherwise, if we are set to enterprise, we get back the whole principal as-sent Finally, if we are not set to canonicalize, we get back the fixed UPPER case realm, but the as-sent username Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add tests for combinations of enterprise, cannon, and ↵Andrew Bartlett2015-01-234-6/+408
| | | | | | | | | | | different input principals This combinational test confirms the interactions between a number of differnet kerberos flags and principal types. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture: Extend krb5.kdc test to confirm correct RODC proxy behaviourAndrew Bartlett2015-01-232-5/+26
| | | | | | | | | | | The RODC should answer some requests locally, and others it should defer to the main DC. We can tell which KDC we talk do by the KVNO of the encrypted parts that are returned to the KDC. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* kdc: Fix enterpise principal name handlingAndrew Bartlett2015-01-232-11/+24
| | | | | | | | | | | | Based on a patch by Samuel Cabrero <scabrero@zentyal.com> This ensures we write the correct (implict, samAccountName) based UPN into the ticket, rather than the userPrincipalName, which will have a different realm. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* heimdal: Ensure that HDB_ERR_NOT_FOUND_HERE, critical for the RODC, is not ↵Andrew Bartlett2015-01-231-4/+19
| | | | | | | | | | | overwritten This change ensures that our RODC will correctly proxy when asked to provide a ticket for a service or user where the keys are not on this RODC. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Really bug in KDC handling of enterprise princsNicolas Williams2015-01-231-3/+2
| | | | | | | | | | | | | | | The value of this commit to Samba is to continue to match Heimdal's upstream code in this area. Because we set HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL there is no runtime difference. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit 9aa7883ff2efb3e0a60016c9090c577acfd0779f Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* heimdal: Fix bug in KDC handling of enterprise principalsNicolas Williams2015-01-231-35/+38
| | | | | | | | | | | | | | The useful change in Samba from this commit is that we gain validation of the enterprise principal name. (commit message by Andrew Bartlett) Cherry-pick of Heimdal commit c76ec8ec6a507a6f34ca80c11e5297146acff83f Reviewed-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* torture: Extend KDC test to cover more options and modesAndrew Bartlett2015-01-231-7/+147
| | | | | | Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Decode expected packets and test KDC behaviour for wrong passwordsAndrew Bartlett2015-01-231-9/+164
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour against all ↵Andrew Bartlett2015-01-231-5/+5
| | | | | | | | the DC envs Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Additionally run testsuite for krb5 and KDC behaviour with ↵Andrew Bartlett2015-01-231-0/+4
| | | | | | | | unprivileged accounts Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Run new testsuite for krb5 and KDC behaviour with machine account alsoAndrew Bartlett2015-01-232-6/+15
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Start a new testsuite for krb5 and KDC behaviourAndrew Bartlett2015-01-236-37/+226
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Remove use of the "staticforward" macroPetr Viktorin2015-01-222-2/+2
| | | | | | | | | | This macro was used for compatibility with broken compilers. Since Python 2.3, it is always defined as `static`, and only exists "for source compatibility with old C extensions". Signed-off-by: Petr Viktorin <pviktori@redhat.com> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* dsdb-tests: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT ↵Andrew Bartlett2015-01-221-3/+63
| | | | | | | | | | | | | | | if no account set Also confirm what bits have to be ignored, or otherwise processed Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Jan 22 10:16:42 CET 2015 on sn-devel-104
* dsdb-samldb: Clarify userAccountControl manipulation code by always using ↵Andrew Bartlett2015-01-221-8/+6
| | | | | | | | | | | | UF_ flags The use of ACB_ flags was required before msDS-User-Account-Control-Computed was implemented Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Clarify that accounts really do fall back to UF_NORMAL_ACCOUNT ↵Andrew Bartlett2015-01-221-3/+8
| | | | | | | | | | if no account set Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-samldb: Only allow known and settable userAccountControl bits to be setAndrew Bartlett2015-01-221-4/+9
| | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Show that we can not change the primaryGroupID of a DCAndrew Bartlett2015-01-221-0/+110
| | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: let samldb_prim_group_change() protect ↵Stefan Metzmacher2015-01-221-2/+26
| | | | | | | | | | | | DOMAIN_RID_{READONLY_,}DCS Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Improve userAccountControl handlingAndrew Bartlett2015-01-222-32/+158
| | | | | | | | | | | | | | | | We now always check the ACL and invarient rules using the same function The change to libds is because UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account type This list should only be of the account exclusive account type bits. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Add new test samba4.user_account_control.pythonAndrew Bartlett2015-01-222-0/+522
| | | | | | | | | | | | | | This confirms security behaviour of the userAccountControl attribute as well as the behaviour on ADD as well as MODIFY, for every userAccountControl bit. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I8cd0e0b3c8d40e8b8aea844189703c756cc372f0 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Default to UF_NORMAL_ACCOUNT when no account type is specifiedAndrew Bartlett2015-01-221-3/+3
| | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* libds: UF_PARTIAL_SECRETS_ACCOUNT is a flag, not an account typeAndrew Bartlett2015-01-221-10/+9
| | | | | | | | | | | | | | | | This list should only be of the account exclusive account type bits. Note, this corrects the behaviour in samldb modifies of userAccountControl. This reverts 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2 Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Align sam.py with Windows 2012R2 and uncomment ↵Andrew Bartlett2015-01-221-82/+68
| | | | | | | | | | | | | | userAccountControl tests These tests now pass against Samba and Windows 2012R2. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I1d7ba5e6a720b8da88c667bbbf3a4302c54642f4 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:kdc/db-glue: fix supported_enctypes samba_kdc_trust_message2entry()Stefan Metzmacher2015-01-211-5/+5
| | | | | | | | This avoids writing invalid memory, because num_keys was calculated in a wrong way... Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
* CVE-2014-8143:dsdb-samldb: Check for extended access rights before we allow ↵Andrew Bartlett2015-01-154-2/+210
| | | | | | | | | | | | | | | | changes to userAccountControl This requires an additional control to be used in the LSA server to add domain trust account objects. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Thu Jan 15 14:54:47 CET 2015 on sn-devel-104
* CVE-2014-8143:dsdb: Allow use of dsdb_autotransaction_request outside util.cAndrew Bartlett2015-01-151-2/+2
| | | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: If6bc90305a1e9a5a92562a01ba7e44330de91cc1 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2014-8143:pydsdb: Pull in UF_USE_AES_KEYS flagAndrew Bartlett2015-01-151-0/+1
| | | | | | | | | Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Change-Id: I36ad5ebc5d8a4811c41b59af90a3add4ae5fd857 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* CVE-2014-8143:auth: Force talloc type of session_info pointer to matchAndrew Bartlett2015-01-151-0/+5
| | | | | | | | | | | | | This helps us keep things safe in LDB where we put this in a opaque pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10993 Andrew Bartlett Change-Id: I46fe53ba655ca0810c276b72fbca524884cdf22d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:torture:vfs_fruit: fix model name checkRalph Boehme2015-01-081-7/+1
| | | | | | | | | | Don't abort when the model string is not "Samba", simply log it. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Thu Jan 8 15:31:44 CET 2015 on sn-devel-104
* s4:rpc_server/lsa: remove msDS-TrustForestTrustInfo if FOREST_TRANSITIVE is ↵Stefan Metzmacher2015-01-061-1/+24
| | | | | | | | | | cleared Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Simo Sorce <idra@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jan 6 22:50:23 CET 2015 on sn-devel-104
* s4:rpc_server/lsa: allow LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE to be changed.Stefan Metzmacher2015-01-061-5/+15
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Simo Sorce <idra@samba.org>
* Happy New Year 2015!Stefan Metzmacher2015-01-011-1/+1
| | | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jan 1 02:47:59 CET 2015 on sn-devel-104
* dsdb: Add tokenGroupsGlobalAndUniversal, tokenGroups, tokenGroupsNoGCAcceptableGarming Sam2014-12-222-15/+399
| | | | | | | | | | | | | | | | This includes additional tests based directly on the docs, rather than simply testing our internal implementation in client and server contexts, that create a user and groups. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11022 Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming-Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Dec 22 17:17:02 CET 2014 on sn-devel-104
* dsdb: Ignore errors from search in dns_notify moduleAndrew Bartlett2014-12-221-14/+12
| | | | | | | | This ensures the error messages are unchanged Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Use a fixed set of attributes in search in dns_notify moduleAndrew Bartlett2014-12-221-2/+4
| | | | | | Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Use ldb_attr_cmp() for comparing objectclass namesAndrew Bartlett2014-12-221-3/+3
| | | | | | | | This is the same as strcasecmp, but it is best to remain consistent. Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-dns: Reload DNS zones from dsdb when zones are modified through RPC or DRSSamuel Cabrero2014-12-225-39/+565
| | | | | | | | | | | | | Setup a RPC management call on the internal DNS server triggered a new LDB module which sniffs dnsZone object add, delete and modify operations. This way the notification is triggered when zones are modified either from RPC or replicated by inbound DRS. Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me> (shadowed variable error corrected by abartlet) Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* selftest: Run samba.tests.dns in :local environment so it can access credentialsAndrew Bartlett2014-12-221-1/+1
| | | | | | | | This allows it to access the machine account, and use that to modify the DNS zones Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: Only parse SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DNAndrew Bartlett2014-12-221-1/+3
| | | | | | | | This avoids trying to parse some other rule, like bitwise and, that may be applied to this attribute Signed-off-by: Garming Sam <garming@catalyst.net.nz> Pair-programmed-with: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb: Fix not freed temp memory contextSamuel Cabrero2014-12-221-0/+1
| | | | | | Signed-off-by: Samuel Cabrero <samuelcabrero@kernevil.me> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit (git 2.34.1) at 2025-08-30 05:36:50 +0000