Commit message | Author | Age | Files | Lines
...
* s4-auth: Support password history correctly, including allowing NTLM logins using the old password (Andrew Bartlett, 2014-04-02, 3 files, -27/+297)
  This is only done during a 1 hour allowed period, by default.
  We only update bad password count when not one of the last 3 passwords
  Andrew Bartlett
  Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* lib/param: Add new parameter "old password allowed period" (Andrew Bartlett, 2014-04-02, 4 files, -0/+24)
  Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: check type with talloc_get_type_abort in samdb_set_password (Andrew Bartlett, 2014-04-02, 1 file, -2/+5)
  Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Implement password lockout on LDAP password changes (Andrew Bartlett, 2014-04-02, 1 file, -16/+134)
  To do this, and have the badPwdCount update stick, we must abort, open, close and reopen transactions such that the badPwdCount update is in its own transaction.
  To ensure the tests can confirm the correct behaviour here, we must output the Windows error code in the error message.
  Andrew Bartlett
  Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c (Andrew Bartlett, 2014-04-02, 2 files, -100/+113)
  This allows the password_hash code to call the same update routine.
  Andrew Bartlett
  Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out badPwdCount update into a helper function (Andrew Bartlett, 2014-04-02, 1 file, -48/+79)
  This will allow password_hash to call this using dsdb_module_*() functions.
  Andrew Bartlett
  Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: call authsam_zero_bad_pwd_count on successful AS-REQ (Andrew Bartlett, 2014-04-02, 1 file, -0/+2)
  Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Include values from msDS-User-Account-Control-Computed when checking user flags (Andrew Bartlett, 2014-04-02, 1 file, -0/+20)
  Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Set flags.locked_out on a locked-out user. (Andrew Bartlett, 2014-04-02, 1 file, -1/+1)
  This only changes the log output, the same error is still returned
  Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Only indicate successful authentication after successful authz (Andrew Bartlett, 2014-04-02, 1 file, -4/+4)
  This is needed to match Windows behaviour for NTLM logins.
  Andrew Bartlett
  Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Match Windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out (Andrew Bartlett, 2014-04-02, 1 file, -1/+1)
  Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Do not attempt password authentication for locked out accounts (Andrew Bartlett, 2014-04-02, 1 file, -0/+8)
  Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login (Andrew Bartlett, 2014-04-02, 3 files, -1/+67)
  Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0 (Stefan Metzmacher, 2014-04-02, 1 file, -0/+57)
  See [MS-SAMR] 3.1.1.8.3 lockoutTime.
  Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: collapse wrong password and no-password-hash errors into one handler (Andrew Bartlett, 2014-04-02, 1 file, -25/+3)
  This avoids giving away too much information to an attacker.
  Andrew Bartlett
  Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add samdb_result_passwords_from_history helper function (Andrew Bartlett, 2014-04-02, 1 file, -0/+37)
  Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Rework memory handling to use a tmp_ctx (Andrew Bartlett, 2014-04-02, 1 file, -17/+51)
  Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* samba-tool add password lockout handling to samba-tool domain passwordsettings (Andrew Bartlett, 2014-04-02, 1 file, -4/+73)
  Change-Id: I291924785b505b26b91152c0c13b4afd4de068a6
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: give a better error message and return code on failed password change (Andrew Bartlett, 2014-04-02, 1 file, -0/+5)
  Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DC (Andrew Bartlett, 2014-04-02, 5 files, -4/+156)
  Including a fix by Arvid Requate <requate@univention.de>
  Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords() (Andrew Bartlett, 2014-04-02, 6 files, -27/+68)
  This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it.
  Andrew Bartlett
  Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed (Andrew Bartlett, 2014-04-02, 5 files, -43/+36)
  This allows us to avoid the domain lookup in the constructed attribute when not required.
  By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module.
  Andrew Bartlett
  Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed (Andrew Bartlett, 2014-04-02, 1 file, -1/+47)
  This assists in testing this aspect of msDS-User-Account-Control-Computed, and is exposed in AD for clients to query.
  Andrew Bartlett
  Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-User-Account-Control-Computed (Andrew Bartlett, 2014-04-02, 1 file, -1/+165)
  This is needed to get consistent account lockout support across the whole server.
  Andrew Bartlett
  Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Use a list for the extra attributes that may be required (Andrew Bartlett, 2014-04-02, 1 file, -28/+52)
  Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/sam: use a higher time resolution in authsam_account_ok() (Stefan Metzmacher, 2014-04-02, 1 file, -2/+2)
  Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/util_samr: simplify dsdb_add_user() (Stefan Metzmacher, 2014-04-02, 1 file, -42/+8)
  We can specify userAccountControl on the ldb_add() call.
  Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* selftest: Run rpc.samr.passwords.lockout against the s3dc environment (Andrew Bartlett, 2014-04-02, 2 files, -1/+2)
  Change-Id: I7ee562cbf1e067ed90b22e212002e88752450e34
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-tests: Remove pointless creation of ldaptestou (Andrew Bartlett, 2014-04-02, 1 file, -1/+0)
  This is not used in this test, and is not removed by the test either.
  Andrew Bartlett
  Change-Id: I34366d469a1ebed04c3cea5a7f206cb0bf433e03
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed (Andrew Bartlett, 2014-04-02, 1 file, -3/+5)
  Change-Id: I349d8ac77a98b934cd4b11b01a96a231097eeeed
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results (Andrew Bartlett, 2014-04-02, 1 file, -0/+10)
  For "samba3" we use 60 seconds as in test_Password_lockout().
  Change-Id: I886eb83d4c620e4d719a38ec47b45bacd1406b9d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked (Andrew Bartlett, 2014-04-02, 1 file, -6/+6)
  Change-Id: Iea9040bc7130f8b779c35bd367a9915633cd494d
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: set min password age to 0 for lockout and badpwdcount tests (Andrew Bartlett, 2014-04-02, 1 file, -1/+5)
  Change-Id: I0d44fcc712e6f239d9adc739fdafc1b20dd2beba
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Make failures easier to trace with torture_assert (Andrew Bartlett, 2014-04-02, 1 file, -42/+17)
  Change-Id: I729ba2f0a0501575357977754401a0cb40d95b34
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Indent samba3-skip block (Andrew Bartlett, 2014-04-02, 1 file, -20/+20)
  Change-Id: I2bb9f175e61401606742737a883604b922044ea5
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings (Andrew Bartlett, 2014-04-02, 1 file, -174/+174)
  Change-Id: I00d66ecd84cd1a7d733f491d19328cec93ba8d2b
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT (Andrew Bartlett, 2014-04-02, 2 files, -1/+4)
  Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS (Andrew Bartlett, 2014-04-02, 1 file, -1/+9)
  This is better than just LDB_ERR_OPERATIONS_ERROR for all errors.
  Andrew Bartlett
  Change-Id: Id832cf02fcd1dc0347d5ab9eb9a2db78fda39dc6
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Pass through error from GENSEC sub-mechanism (Andrew Bartlett, 2014-04-02, 1 file, -1/+1)
  This allows wrong-password or account-locked-out errors to be passed through from Kerberos (gssapi).
  Andrew Bartlett
  Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* selftest: make blackbox_setpassword.sh test run independently (Andrew Bartlett, 2014-04-02, 1 file, -0/+2)
  Change-Id: I8f3cdfc2c66800f9a1e11aec4f25a42752b6b205
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Do not reset bad password count to 0 if account is disabled (Andrew Bartlett, 2014-04-02, 1 file, -11/+11)
  Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security (Andrew Bartlett, 2014-04-02, 1 file, -4/+6)
  Change-Id: I43792711543e25c50c29ab5a24d16f614c670cca
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture/samr: Re-open the user when checking for ACB_AUTOLOCK (Andrew Bartlett, 2014-04-02, 1 file, -12/+24)
  This flag appears to be cached from the open, so the test incorrectly indicated that the flag was not set over SAMR.
  Andrew Bartlett
  Change-Id: I2f1f017191dddb6c2ac496712064fa1b6b48be53
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Set lockout_seconds to 60 for samba3 (Andrew Bartlett, 2014-04-02, 1 file, -0/+4)
  The source3 account policy code deals with lockouts in terms of minutes, not nanoseconds, so we have to lock out for at least 60 seconds otherwise we do not wait long enough.
  Andrew Bartlett.
  Change-Id: I2b30d1c0d9b020b3aba6ed3343361e9a576b7d9a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout (Andrew Bartlett, 2014-04-02, 1 file, -0/+17)
  This was not noticed previously because the test was not run.
  Andrew Bartlett
  Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
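The lockout rules the commit messages above describe (badPwdCount and lockoutTime, the observation window versus the lockout duration, a reused recent password not counting as a bad attempt, the "old password allowed period" after a change, lockoutTime=0 clearing badPwdCount, and the refusal to set lockout_duration below lockout_window) are gathered here into one small model. This is an added example and not Samba's own code: the class and method names, the default policy values, the depth-3 history and the use of SHA-256 in place of the NT hash are all this example's assumptions. Time is passed in explicitly as seconds so the behaviour can be exercised deterministically.

```python
"""Illustrative model of AD-style bad-password counting and account lockout.
Added example; not Samba code. Names, defaults and the SHA-256 stand-in for
the NT hash are assumptions made so the model runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class AuthResult(Enum):
    OK = "NT_STATUS_OK"
    WRONG_PASSWORD = "NT_STATUS_WRONG_PASSWORD"
    LOCKED_OUT = "NT_STATUS_ACCOUNT_LOCKED_OUT"


def _h(password: str) -> str:
    # Stand-in for the NT hash (assumption): SHA-256 over the UTF-16LE password.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


@dataclass
class LockoutPolicy:
    threshold: int = 3             # bad attempts before the account locks
    window: int = 600              # lockout observation window, seconds
    duration: int = 1800           # lockout duration, seconds
    old_password_allowed: int = 3600  # "old password allowed period", seconds
    history_length: int = 3        # recent passwords that are not counted as bad attempts

    def __post_init__(self):
        # Same invariant the SAMR commit enforces: duration shorter than window is refused.
        if self.duration < self.window:
            raise ValueError("lockout_duration must be >= lockout_window")


@dataclass
class Account:
    policy: LockoutPolicy
    current: str                                  # hash of the current password
    history: list = field(default_factory=list)   # previous hashes, newest first
    pwd_last_set: int = 0
    bad_pwd_count: int = 0
    bad_password_time: int = 0
    lockout_time: int = 0                         # 0 means not locked out

    @classmethod
    def create(cls, policy, password, now):
        return cls(policy=policy, current=_h(password), pwd_last_set=now)

    def set_password(self, password, now):
        # Push the old hash onto the history and trim it to history_length entries.
        self.history.insert(0, self.current)
        del self.history[self.policy.history_length:]
        self.current = _h(password)
        self.pwd_last_set = now

    def is_locked_out(self, now):
        return self.lockout_time != 0 and now < self.lockout_time + self.policy.duration

    def admin_set_lockout_time(self, value):
        # [MS-SAMR] 3.1.1.8.3: writing lockoutTime=0 also resets badPwdCount to 0.
        self.lockout_time = value
        if value == 0:
            self.bad_pwd_count = 0

    def authenticate(self, password, now):
        # A locked-out account is refused before any password check is attempted.
        if self.is_locked_out(now):
            return AuthResult.LOCKED_OUT
        h = _h(password)
        if h == self.current:
            # Successful login zeroes badPwdCount and lockoutTime.
            self.bad_pwd_count = 0
            self.lockout_time = 0
            return AuthResult.OK
        if self.history:
            # The immediately previous password is still accepted for a period after a change.
            if h == self.history[0] and now < self.pwd_last_set + self.policy.old_password_allowed:
                return AuthResult.OK
            # Any of the last few passwords: wrong, but not counted as a bad attempt.
            if h in self.history:
                return AuthResult.WRONG_PASSWORD
        # Genuine bad attempt: restart the count once the observation window has elapsed.
        if now - self.bad_password_time >= self.policy.window:
            self.bad_pwd_count = 0
        self.bad_pwd_count += 1
        self.bad_password_time = now
        if self.bad_pwd_count >= self.policy.threshold:
            self.lockout_time = now
            return AuthResult.LOCKED_OUT
        return AuthResult.WRONG_PASSWORD
```

Note that, as in the commits, the correct password is refused while the account is locked and no password comparison is made at all in that state; the lock clears either by the duration elapsing or by an administrator writing lockoutTime=0, which also clears the count.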
* dlinklist: Fix a typo (Volker Lendecke, 2014-04-02, 5 files, -5/+5)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Michael Adam <obnox@samba.org>
  Autobuild-User(master): Michael Adam <obnox@samba.org>
  Autobuild-Date(master): Wed Apr 2 17:11:37 CEST 2014 on sn-devel-104
* selftest: Rename wbinfo_s3 to wbinfo_simple and reorder code for clarity (Andrew Bartlett, 2014-04-02, 2 files, -27/+27)
  Change-Id: Ic2e06e448fce1d91422b711abf663b9253009a53
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
  Autobuild-User(master): David Disseldorp <ddiss@samba.org>
  Autobuild-Date(master): Wed Apr 2 13:07:24 CEST 2014 on sn-devel-104
* winbindd: Ensure we do not look at rid_array before checking if it was returned (Andrew Bartlett, 2014-04-02, 1 file, -3/+3)
  We no longer return early if there are no members, we just return an empty array.
  Change-Id: I7b0949e0c0b9277426a8007514a8658615f6c709
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-auth: Add prototype for plugin function to reduce warnings in auth_samba4 (Andrew Bartlett, 2014-04-02, 1 file, -0/+1)
  Change-Id: I0aa703bb2766f1353a176a0c3f25424bbc4953f5
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-auth: Remember to always free the talloc_stackframe() in auth_samba4 (Andrew Bartlett, 2014-04-02, 1 file, -0/+2)
  Change-Id: I94469de9d463ee90365bae43094231efaf0a7d8c
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>