summaryrefslogtreecommitdiffstats
path: root/source4
Commit message (Collapse)AuthorAgeFilesLines
* lib: Change uid_wrapper to preloadable version.Andreas Schneider2014-04-171-2/+2
| | | | | | | This imports version 1.0.1 of uid_wrapper. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* lib-util: rename memdup to smb_memdup and fix all callersBjörn Baumbach2014-04-161-2/+2
| | | | | Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Volker Lendecke <vl@samba.org>
* auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.cAndrew Bartlett2014-04-151-5/+0
| | | | | | | | | | | The comments indicate that this was needed for HP-UX at one point, but the configure code was never ported to WAF. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Apr 15 12:32:09 CEST 2014 on sn-devel-104
* auth: Remove USE_BOTH_CRYPT_CALLS block from pass_check.cAndrew Bartlett2014-04-151-20/+0
| | | | | | | | This code is dead since the move to the WAF build system, but was set for HP-UX 9, 10 and 11 in the autoconf build system. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove linux_bigcrypt support from pass_check.cAndrew Bartlett2014-04-151-8/+0
| | | | | | | This is dead code, and probably has been for quite some time. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove support for plaintext auth on systems that use getprpwnam()Andrew Bartlett2014-04-151-9/+0
| | | | | | | | The WAF build does not have the code to detect getprpwnam, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove afs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-4/+0
| | | | | | | | The waf build does not have code to detect support for AFS plaintext authentication, so this is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth: Remove dfs_auth() from pass_check.c and s4's auth_unixAndrew Bartlett2014-04-151-4/+0
| | | | | | | | The waf build has no logic to detect DCE/DFS, so this plaintext authentication mechanism is dead code. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* Do not install smbclient4 and nmblookup4Jeroen Dekkers2014-04-151-1/+2
| | | | | | | | | | Change-Id: I2d91d9c9faa2df084321d10fbdc948acbd2bb735 Signed-off-by: Jeroen Dekkers <jeroen@dekkers.ch> Reviewed-by: Jelmer Vernooij <jelmer@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Tue Apr 15 03:25:13 CEST 2014 on sn-devel-104
* Typo: s/preceeded/preceded/Jelmer Vernooij2014-04-141-1/+1
| | | | | | | | | | | Caught by lintian, the Debian package linter :) Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227 Reviewed-on: https://gerrit.samba.org/216 Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104
* s4-wbclient: Fix wbc_sids_to_xids to correctly indicate the length of the ↵Andrew Bartlett2014-04-091-1/+1
| | | | | | | | | | | | | | | | | | SID list This uses the fact that we know the end of the string in p to avoid needing a strlen() call. Otherwise the winbindd validation that the extra_data is terminated may fail, if the un-initiliased memory is not zero. Andrew Bartlett Change-Id: I9b28068e4fbd3754c8d14724af93638d657810dd Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Wed Apr 9 18:26:40 CEST 2014 on sn-devel-104
* torture: add local verification trailer parsing testDavid Disseldorp2014-04-093-1/+104
| | | | | | | | Signed-off-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Apr 9 03:44:15 CEST 2014 on sn-devel-104
* s4-wbclient: Cope with winbind returning an errorAndrew Bartlett2014-04-081-0/+4
| | | | | | | | | Change-Id: I8eaf858f9e9e55eec20aa2c585db5459fb73b887 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Disseldorp <ddiss@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Apr 8 12:53:13 CEST 2014 on sn-devel-104
* script to generate content for libcli/util/nterr.c & libcli/util/ntstatus.hNoel Power2014-04-021-0/+243
| | | | | | | | | | | | | | A ropey script to generate some missing NT_STATUS error codes and and descriptions. The script generates ntstatus.c & ntstatus.h whose contents are used to extend the existing contents of libcli/util/nterr.c & libcli/util/ntstatus.h Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Apr 2 22:40:06 CEST 2014 on sn-devel-104
* script to generate libcli/util/hresult.c & libcli/util/hresult.hNoel Power2014-04-021-0/+207
| | | | | | | | | | | This hacky script was used to generate the contents of libcli/util/hresult.c & libcli/util/hresult.h. It expects the table contents of http://msdn.microsoft.com/en-us/library/cc704587.aspx cut'n'pasted into the text file specified as it's single required input param Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* Allow FSRVP access generic HRESULT error message descriptionsNoel Power2014-04-021-2/+3
| | | | | | | | | | | | FSRVP can possibly return any HRESULT error in addition to it's own specific errors. This change searches the HRESULT errors for a description if the error doesn't match any of the known FSRVP ones. Also removed some errors defined in fsrvp.idl (now that they are defined in hresult.h) Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: David Disseldorp <ddiss@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Add testing of account lockout and password change behaviourAndrew Bartlett2014-04-021-39/+346
| | | | | | | | | | | | | | | | | | | | This is the regression test to avoid a repeat of CVE-2013-4496 This includes confirming that badPwdCount is updated on login, not just on first failure However the badPwdCount is not updated if the account is disabled Note: that samr_QueryUserInfo return the effective bad_password_count in level 5, 16 and 21, while it returns the raw value in level 3. (Sadly the s3 code does not do this correctly, so a knownfail is added) Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Wed Apr 2 19:30:59 CEST 2014 on sn-devel-104
* torture-samr: Add test for lockout with and without a password historyAndrew Bartlett2014-04-021-2/+18
| | | | | | Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* torture-samr: Improve rpc.samr.passwords.badpwdcount testAndrew Bartlett2014-04-021-10/+12
| | | | | | Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* selftest: Add test for password lockoutAndrew Bartlett2014-04-022-0/+1485
| | | | | | Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Allow SAMR server to return the computed, not actual badPwdCountAndrew Bartlett2014-04-022-13/+58
| | | | | | | | | | | | This matters after the lockout observation period has expired. Note: that QueryUserInfo level 3 returns the raw badPwdCount value. Andrew Bartlett Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.Stefan Metzmacher2014-04-021-15/+1
| | | | | | | | The samldb module will handle the verification and magic. Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/samldb: rework samldb_user_account_control_change()Stefan Metzmacher2014-04-021-99/+134
| | | | | | | | | | | | - Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags (combined with msDS-User-Account-Control-Computed) results in lockoutTime=0 (implying badPadCount=0). - We also do more validation of the account type flags now. Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()Stefan Metzmacher2014-04-021-10/+0
| | | | | | | | Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"! Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4-samr: Escape the username in the LDAP filterAndrew Bartlett2014-04-021-2/+2
| | | | | | Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Support password history correctly, including allowing NTLM logins ↵Andrew Bartlett2014-04-022-26/+297
| | | | | | | | | | | | | | | using the old password This is only done during a 1 hour allowed period, by default. We only update bad password count when not one of the last 3 passwords Andrew Bartlett Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb: check type with talloc_get_type_abort in samdb_set_passwordAndrew Bartlett2014-04-021-2/+5
| | | | | | Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Implement password lockout on LDAP password changesAndrew Bartlett2014-04-021-16/+134
| | | | | | | | | | | | | | | To do this, and have the badPwdCount update stick, we must abort, open, close and reopen transactions such that the badPwdCount update is in it's own transaction. To ensure the tests can confirm the correct behaviour here, we must output the Windows error code in the error message. Andrew Bartlett Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.cAndrew Bartlett2014-04-022-100/+113
| | | | | | | | | | This allows the password_hash code to call the same update routine. Andrew Bartlett Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* auth: Split out badPwdCount update into a helper functionAndrew Bartlett2014-04-021-48/+79
| | | | | | | | | | This will allow password_hash to call this using dsdb_module_*() functions. Andrew Bartlett Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: call authsam_zero_bad_pwd_count on successful AS-REQAndrew Bartlett2014-04-021-0/+2
| | | | | | Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Include values from msDS-User-Account-Control-Computed when checking ↵Andrew Bartlett2014-04-021-0/+20
| | | | | | | | user flags Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* kdc: Set flags.locked_out on a locked-out user.Andrew Bartlett2014-04-021-1/+1
| | | | | | | | This only changes the log output, the same error is still returned Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Only indicate successful authentication after successful authzAndrew Bartlett2014-04-021-4/+4
| | | | | | | | | | This is needed to match Windows behaviour for NTLM logins. Andrew Bartlett Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Match windows and return KRB5KDC_ERR_CLIENT_REVOKED when the ↵Andrew Bartlett2014-04-021-1/+1
| | | | | | | | account is locked out Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* heimdal: Do not attempt password authentication for locked out accountsAndrew Bartlett2014-04-021-0/+8
| | | | | | Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and ↵Andrew Bartlett2014-04-022-0/+67
| | | | | | | | lockoutTime on successful login Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0Stefan Metzmacher2014-04-021-0/+57
| | | | | | | | See [MS-SAMR] 3.1.1.8.3 lockoutTime. Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* dsdb: collapse wrong password and no-password-hash errors into one handlerAndrew Bartlett2014-04-021-25/+3
| | | | | | | | | | This avoids giving away too much information to an attacker. Andrew Bartlett Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Add samdb_result_passwords_from_history helper functionAndrew Bartlett2014-04-021-0/+37
| | | | | | Change-Id: I949c6c64551f68c4381b41b30120874ead82949e Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-auth: Rework memory handling to use a tmp_ctxAndrew Bartlett2014-04-021-17/+51
| | | | | | Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: give a better error message and return code on failed password changeAndrew Bartlett2014-04-021-0/+5
| | | | | | Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth: Add password lockout support to the AD DCAndrew Bartlett2014-04-025-4/+156
| | | | | | | | Including a fix by Arvid Requate <requate@univention.de> Change-Id: I25d10da50dd6119801cd37349cce970599531c6b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Put password lockout support in samdb_result_passwords()Andrew Bartlett2014-04-026-27/+68
| | | | | | | | | | | | This seems to be the best choke point to check for locked out accounts, as aside from the KDC, all the password authentication and change callers use it. Andrew Bartlett Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb: Rework samdb_result_acct_flags to use either userAccountControl or ↵Andrew Bartlett2014-04-024-37/+31
| | | | | | | | | | | | | | | | msDS-User-Account-Control-Computed This allows us to avoid the domain lookup in the constructed attribute when not required. By using msDS-User-Account-Control-Computed the lockout and password expiry checks are now handled in the operational ldb module. Andrew Bartlett Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputedAndrew Bartlett2014-04-021-1/+47
| | | | | | | | | | | | This assists in testing this aspect of msDS-User-Account-Control-Computed, and is exposed in AD for clients to query. Andrew Bartlett Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Implement msDS-User-Account-Control-ComputedAndrew Bartlett2014-04-021-1/+165
| | | | | | | | | | | This is needed to get consistent account lockout support across the whole server. Andrew Bartlett Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
* dsdb-operational: Use a list for the extra attributes that may be requiredAndrew Bartlett2014-04-021-28/+52
| | | | | | Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4:auth/sam: use a higher time resolution in authsam_account_ok()Stefan Metzmacher2014-04-021-2/+2
| | | | | | Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:dsdb/util_samr: simplify dsdb_add_user()Stefan Metzmacher2014-04-021-42/+8
| | | | | | | | We can specify userAccountControl on the ldb_add() call. Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
generated by cgit (git 2.34.1) at 2024-09-24 20:35:02 +0000