Stefan Metzmacher [Tue, 15 Jan 2013 10:33:01 +0000 (11:33 +0100)]
VERSION: Bump version number up to 4.0.2.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 15 Jan 2013 08:39:07 +0000 (09:39 +0100)]
Merge tag 'samba-4.0.1' into v4-0-test
samba: tag release samba-4.0.1
Andrew Bartlett [Thu, 20 Dec 2012 12:05:55 +0000 (23:05 +1100)]
selftest: show that Samba honours "write list" and valid users
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The last 19 patches address bug #9518 - conn->share_access appears not to be
reset between users.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Jan 14 20:44:40 CET 2013 on sn-devel-104
Stefan Metzmacher [Thu, 10 Jan 2013 11:55:51 +0000 (12:55 +0100)]
VERSION: Bump version number up to 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 10 Jan 2013 11:55:14 +0000 (12:55 +0100)]
WHATSNEW: Update release notes for Samba 4.0.1. (CVE-2013-0172)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 9 Jan 2013 22:30:38 +0000 (09:30 +1100)]
dsdb: Add test for modification of two attributes, one permitted, one denied (bug #9554 - CVE-2013-0172)
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Wed, 9 Jan 2013 05:59:18 +0000 (16:59 +1100)]
dsdb-acl: Run sec_access_check_ds on each attribute proposed to modify (bug #9554 - CVE-2013-0172)
This seems inefficient, but is needed for correctness. The
alternative might be to have the sec_access_check_ds code confirm that
*all* of the nodes in the object tree have been cleared to
node->remaining_bits == 0.
Otherwise, I fear that write access to one attribute will become write
access to all attributes.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 3 Jan 2013 09:39:23 +0000 (20:39 +1100)]
libcli/security: Ensure to fill in remaining_access for the initial case (bug #9554 - CVE-2013-0172)
It is critically important that we initialise this element as otherwise
all access is permitted.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Jeremy Allison [Fri, 11 Jan 2013 19:14:48 +0000 (11:14 -0800)]
Fixup the change_to_user_by_session() case as called from become_user_by_session()
Use inside source3/printing/nt_printing.c:get_correct_cversion().
Allow check_user_ok() to be called with vuid==UID_FIELD_INVALID.
All this should do is throw away one entry in the vuid cache.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 11 Jan 2013 19:12:15 +0000 (11:12 -0800)]
Move create_share_access_mask() from smbd/service.c to smbd/uid.c
Make it static. Only called from uid.c now.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 23:15:59 +0000 (15:15 -0800)]
Fix bug #9518 - conn->share_access appears not to be reset between users.
Ensure make_connection_snum() uses the same logic as check_user_ok()
to decide if a user can access a share.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 23:13:53 +0000 (15:13 -0800)]
Factor code out of check_user_ok() into a call to check_user_share_access().
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 19:05:03 +0000 (11:05 -0800)]
Initialize stack variables. Prelude to factoring out calls to check_user_share_access().
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 11 Jan 2013 19:01:25 +0000 (11:01 -0800)]
Add check_user_share_access()
This factors out the share security and read_only flag
setting code so this can be called from both make_connection_snum()
as well as check_user_ok(). Gives a consistent share security
check function.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 23:06:35 +0000 (15:06 -0800)]
Correctly setup the conn->share_access based on the current user token.
Also use this to set conn->read_only. Cache the share_access
so we only evaluate this once per new user access on this share.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 11 Jan 2013 18:47:56 +0000 (10:47 -0800)]
Add parallel cache for share_access entries, one per connection struct.
Needed as we cannot change the VFS ABI for 4.0.x, but need to add the
equivalent of 'uint32_t share_access' to the struct vuid_cache referenced
in connection_struct.
Exports 2 accessor functions - lifetime managed by talloc on the conn
struct list.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 23:04:26 +0000 (15:04 -0800)]
Change API for create_share_access_mask() - remove conn struct.
Eventually this will be independent of conn, just pass in the
readonly flag.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 4 Jan 2013 20:01:17 +0000 (12:01 -0800)]
Change API for create_share_access_mask() to pass in the token.
Don't automatically use the one from conn->session_info->security_token.
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Fri, 21 Dec 2012 17:45:03 +0000 (09:45 -0800)]
Fix API for create_share_access_mask().
Return the uint32_t share_access rather than directly
changing the conn struct.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 33167c070c085b30569317666a3fca079d970321)
Jeremy Allison [Fri, 21 Dec 2012 17:35:31 +0000 (09:35 -0800)]
Remove static from create_share_access_mask().
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 48187220ff47efe70616361fcef1a794aef765b4)
Jeremy Allison [Thu, 20 Dec 2012 19:55:09 +0000 (11:55 -0800)]
Remove unneeded variable "const struct auth_session_info *session_info"
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 5a3cda176f5eecd65b289c74132b0126357c5ef0)
Jeremy Allison [Thu, 20 Dec 2012 19:54:07 +0000 (11:54 -0800)]
Remove dead code now vuser can no longer be NULL.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d35ba04e25eb3c396f791ea80c0ebb74543d4005)
Jeremy Allison [Thu, 20 Dec 2012 19:53:11 +0000 (11:53 -0800)]
Remove the second set of {} braces, no longer needed.
(cherry picked from commit ed0a34d163f777b2a0d4a2b358b7fb1b170d7686)
Jeremy Allison [Thu, 20 Dec 2012 19:52:27 +0000 (11:52 -0800)]
Remove one set of enclosing {} braces, no longer needed.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit d64ea67c78a5b09559971ff6953cd67feb2b1ec2)
Jeremy Allison [Thu, 20 Dec 2012 19:51:55 +0000 (11:51 -0800)]
Move the definition of struct vuid_cache_entry *ent outside blocks.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 092c9517acf5a4b11577ef7b5f1d645e5e463f6d)
Jeremy Allison [Thu, 20 Dec 2012 19:50:25 +0000 (11:50 -0800)]
Start to tidy-up check_user_ok().
Now we have removed "security=share" we cannot be
called with vuid == UID_FIELD_INVALID.
Signed-off-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f0450e0d80c2ff56c4834b2f1271a7f84132ca5b)
Stefan Metzmacher [Thu, 13 Dec 2012 09:44:07 +0000 (10:44 +0100)]
s3:smb2_negprot: set the 'remote_proto' value (bug #9499)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5d721de7fdc250c6cb423c553134dd687590c1a0)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Fri Jan 11 18:01:07 CET 2013 on sn-devel-104
Björn Baumbach [Tue, 11 Dec 2012 12:39:11 +0000 (13:39 +0100)]
smb.conf(5): update list of available protocols (bug #9552)
Update protocol listing in variable substitution list.
Signed-off-by: Bjoern Baumbach <bb@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 9 21:22:18 CET 2013 on sn-devel-104
(cherry picked from commit 313da9dc7d8cb16f943ea7bde1c1d7bf8f02c0f0)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Fri Jan 11 12:26:50 CET 2013 on sn-devel-104
Björn Baumbach [Thu, 20 Dec 2012 14:57:43 +0000 (15:57 +0100)]
samba_dnsupdate: set KRB5_CONFIG for nsupdate command (bug #9517)
Let nslookup use krb5.conf, which is set in our KRB5_CONFIG.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4d1fd0b7daa089bd8863f0efcaf258bf30192c29)
Stefan Metzmacher [Sat, 15 Dec 2012 09:18:08 +0000 (10:18 +0100)]
s4:drsuapi: try to behave more like windows for usn order (bug #9508)
We don't behave completely like a Windows server, but it's much more
identical than before.
The partition head is always the first object followed by the rest
sorted by uSNChanged.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 1 21:09:42 CET 2013 on sn-devel-104
(cherry picked from commit f77bfed088b93f3ed0f00d0c172ad495c6c2b09b)
Stefan Metzmacher [Tue, 18 Dec 2012 14:16:28 +0000 (15:16 +0100)]
s4:drsuapi: make use of LDB_TYPESAFE_QSORT() and pass getnc_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 16aef75c4f83c114206aa7637fedc9c2c2486877)
Stefan Metzmacher [Tue, 18 Dec 2012 13:59:20 +0000 (14:59 +0100)]
s4:drsuapi: make sure we report the meta data from the cycle start (bug #9508)
We should build the final highwatermark and uptodatevector of
a replication cycle at the start of the cycle. Before we
search for the currently missing objects.
Otherwise we risk that some objects get lost.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 88833b089a90e8f685d15b508f2e4615afb3a16f)
Stefan Metzmacher [Tue, 18 Dec 2012 12:40:33 +0000 (13:40 +0100)]
s4:drsuapi: check the source_dsa_invocation_id (bug #9508)
The given highwatermark is only valid relative to the
specified source_dsa_invocation_id.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1f89d641d09ef983f6a5055bb75099dc0ce57aa8)
Stefan Metzmacher [Mon, 17 Dec 2012 10:30:26 +0000 (11:30 +0100)]
s4:drsuapi: make sure we never return the same highwatermark twice in a replication cycle (bug #9508)
If the highwatermark given by the client is not the one we expect,
we need to start a new replication cycle. Otherwise the destination dsa
skips objects and linked attribute values.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 91f7f2c04fd00e281b0755a331ca632a4905e3b5)
Stefan Metzmacher [Mon, 17 Dec 2012 10:13:43 +0000 (11:13 +0100)]
s4:drsuapi: add drsuapi_DsReplicaHighWaterMark_cmp()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7e511b58318cef1b325a8191685ee156a7fc0cb7)
Stefan Metzmacher [Mon, 17 Dec 2012 15:34:25 +0000 (16:34 +0100)]
s4:drsuapi: always use the current uptodateness_vector
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 02de5b140cfe6ea31e0686e5f0ff726a22153020)
Stefan Metzmacher [Tue, 18 Dec 2012 11:44:43 +0000 (12:44 +0100)]
s4:drsuapi: avoid a ldb_dn_copy() and use talloc_move() instead
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 025c6d62f3c1b0f760aaacb7b3960135319031da)
Stefan Metzmacher [Mon, 17 Dec 2012 12:48:01 +0000 (13:48 +0100)]
s4:drsuapi: remove unused 'highest_usn' from drsuapi_getncchanges_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 30be17bc5d6b3cf2ee0aef6663af78b153b2ab9a)
Stefan Metzmacher [Mon, 17 Dec 2012 13:08:56 +0000 (14:08 +0100)]
s4:drsuapi: move struct drsuapi_getncchanges_state to the top of getncchanges.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 551bb2ccea6a1d82dbe0d4a21c19a8d8bd13ccbc)
Stefan Metzmacher [Wed, 19 Dec 2012 16:31:28 +0000 (17:31 +0100)]
s4:dsdb/drepl: update the source_dsa_obj/invocation_id in repsFrom
The highwatermark is relative to the source_dsa_invocation_id.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2e9b06412b09163d4b851135ef509d73bb6d61fc)
Stefan Metzmacher [Wed, 19 Dec 2012 16:33:13 +0000 (17:33 +0100)]
s4:dsdb/common: use 01.01.1970 as last_sync_success for our entry in the uptodatevector
This matches a Windows 2008R2 and 2012 server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e7a26d02413005294180a1d9cd4c90d4ac4d9733)
Stefan Metzmacher [Wed, 19 Dec 2012 11:47:43 +0000 (12:47 +0100)]
s4:dsdb/common: use LDB_SEQ_HIGHEST_SEQ for our entry in the uptodatevector
We should use the global highestCommittedUSN, not the per partition value.
This matches a Windows 2008R2 and 2012 server.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 81fa179b155a62f2f652fbb1fc4978c9f6eb5462)
Stefan Metzmacher [Tue, 18 Dec 2012 13:46:23 +0000 (14:46 +0100)]
s4:dsdb/repl_meta_data: don't merge highwatermark and uptodatevector (bug #9508)
We should not do any magic regarding the highwatermark we got from
the source dsa. We need to treat it as opaque and not try to be smart
and merge it into the uptodatevector.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5ecbc892b5226d3d31da2c62ae5261a8d8a73072)
Stefan Metzmacher [Thu, 20 Dec 2012 14:46:05 +0000 (15:46 +0100)]
s4:dsdb/repl_meta_data: also update the last_sync_success in replUpToDateVector
This matches Windows 2008R2 and Windows 2012.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ad43bb6086a7dbf48b405d0372ae85d2244384d9)
Stefan Metzmacher [Wed, 19 Dec 2012 16:29:04 +0000 (17:29 +0100)]
s4:dsdb/repl_meta_data: store the last results and timestamps in the repsFrom
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 634f8cf7c43bd60507d842d35cf46c0017e34dce)
Stefan Metzmacher [Tue, 18 Dec 2012 13:46:23 +0000 (14:46 +0100)]
s4:dsdb/repl_meta_data: always treat the highwatermark as opaque (bug #9508)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a37f46a9a83a03157276485eb583649b36fb6ee1)
Stefan Metzmacher [Tue, 18 Dec 2012 13:46:23 +0000 (14:46 +0100)]
s4:scripting/python: always treat the highwatermark as opaque (bug #9508)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 257ae5443631e645842cfcc9c1cedce6c41d5afa)
Stefan Metzmacher [Fri, 4 Jan 2013 12:27:26 +0000 (13:27 +0100)]
s4:lib/messaging: terminate the irpc_servers_byname() result with server_id_set_disconnected() (bug #9540)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8d9a77f8646cd26371dc2ec1d3ed52730ac19eb9)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Thu Jan 10 11:46:05 CET 2013 on sn-devel-104
Volker Lendecke [Tue, 8 Jan 2013 14:34:19 +0000 (15:34 +0100)]
smbd: Fix bug 9549 -- Memleak in the async echo handler
Reviewed by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 8 23:30:41 CET 2013 on sn-devel-104
(cherry picked from commit 3d5c534f0cc7c6e3eead7462eef4a178c7035857)
Samba-JP oota [Wed, 2 Jan 2013 09:21:51 +0000 (10:21 +0100)]
docs: Fix typo in vfs_tsmsm.8.xml.
Reviewed-by: Karolin Seeger <kseeger@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Wed Jan 2 12:12:12 CET 2013 on sn-devel-104
(cherry picked from commit 6cb7c4f45e1657245443c3bcc6dab219e5f1d9b5)
Fix bug #9530 - Typo in vfs_tsmsm.8.xml.
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Wed Jan 2 14:25:40 CET 2013 on sn-devel-104
Samba-JP oota [Wed, 2 Jan 2013 08:12:14 +0000 (09:12 +0100)]
docs: Remove superfluous bracket.
Reviewed-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit ab43e2db64ae3ef387ceb0e7e6a6f82c9e6d301d)
Fix bug 9528 - Superfluous bracket in samba.8.xml.
Jeremy Allison [Fri, 14 Dec 2012 16:39:26 +0000 (08:39 -0800)]
Fix bug #9196 - defer_open is triggered multiple times on the same request.
get_deferred_open_message_state_smb2() is buggy in that it is checking
the wrong things to determine if an open is in the deferred state.
It checks if (smb2req->async_te == NULL) which is incorrect,
as we're not always async in a deferred open - remove this.
It should check instead state->open_was_deferred as this
is explicitly set to 'true' when an open is going deferred,
so add this check.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 18 14:19:13 CET 2012 on sn-devel-104
(cherry picked from commit 2148d86c7a2facd6e128b753aef98722843af3e1)
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Wed Jan 2 12:18:40 CET 2013 on sn-devel-104
Karolin Seeger [Tue, 11 Dec 2012 17:07:32 +0000 (18:07 +0100)]
VERSION: Bump version number up to 4.0.1.
And re-enable git snapshots.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 17:01:14 +0000 (18:01 +0100)]
VERSION: Bump version number up to 4.0.0.
And disable git snapshots.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 16:56:18 +0000 (17:56 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Michael Adam [Tue, 11 Dec 2012 15:13:39 +0000 (16:13 +0100)]
selftest: skip the samba4.rpc.samr.passwords test in ncacn_np(dc) and s4member environments
These currently fail in a corner case.
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Karolin Seeger <kseeger@samba.org>
The last 9 patches address bug #9414 - 'samba-tool user add' ignores password
complexity settings.
Michael Adam [Tue, 11 Dec 2012 12:34:49 +0000 (13:34 +0100)]
s4:torture:rpc:samr: fix password age calculation in test_ChangePasswordUser3()
The min_password_age field is the negative of the age.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:21:11 +0000 (13:21 +0100)]
s4:torture/samr: allow STATUS_PASSWORD_RESTRICTIONS from ChangePasswordUser
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:18:00 +0000 (13:18 +0100)]
s4:rpc_server/samr: do WRONG_PASSWORD checks after the complexity checks
This matches the windows behavior.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Michael Adam [Tue, 11 Dec 2012 12:04:22 +0000 (13:04 +0100)]
s4:dsdb/password_hash: do the min password age checks first
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 10 Dec 2012 22:56:47 +0000 (23:56 +0100)]
s4:dsdb/common: only pass the DSDB_CONTROL_PASSWORD_HASH_VALUES_OID if required
This should give the password_hash module a chance to detect if the called
was the cleartext password or not.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Michael Adam [Tue, 11 Dec 2012 10:42:11 +0000 (11:42 +0100)]
s4:torture:rpc:samr: add debugging of result of (many) dcerpc_samr_* calls
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 23 Nov 2012 10:49:05 +0000 (11:49 +0100)]
s4:dsdb/password_hash: Honor password complexity settings.
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Karolin Seeger [Tue, 11 Dec 2012 14:32:11 +0000 (15:32 +0100)]
WHATSNEW: Fix typo.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 13:56:02 +0000 (14:56 +0100)]
WHATSNEW: Add link to the whitepaper.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 13:44:31 +0000 (14:44 +0100)]
WHATSNEW: Move AD stuff to the corresponding paragraph.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 12:24:26 +0000 (13:24 +0100)]
WHATSNEW: Update release notes.
Apply changes provided by Andrew Bartlett.
Thanks!
Karolin
Karolin Seeger [Tue, 11 Dec 2012 11:04:24 +0000 (12:04 +0100)]
WHATSNEW: Update release notes.
Karolin
Karolin Seeger [Tue, 11 Dec 2012 08:05:47 +0000 (09:05 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Dec 11 10:49:36 CET 2012 on sn-devel-104
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
(cherry picked from commit 914a61d9e5b7a182592f3afe60f4dad1cd342fc4)
Stefan Metzmacher [Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 19b03834f08c2a6645a31fe18121534c692c18d1)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit e1301fef735b305736db0b6db335c37aa9fea832)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit ebb0a88722d416ad470497fd6ffa7b26abfe58bc)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 999c068113af6158355634eb9a9c4b5a4d3066d8)
Stefan Metzmacher [Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)]
s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 649fb5b61492562f1400996a6ccf33af17af5b6b)
Stefan Metzmacher [Tue, 11 Dec 2012 01:01:12 +0000 (02:01 +0100)]
s4:dsdb/descriptor: pass object_list to create_security_descriptor()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit a97b5f219678e409a851d9caf8317a6ef130c12f)
Stefan Metzmacher [Tue, 11 Dec 2012 02:17:42 +0000 (03:17 +0100)]
libcli/security: calculate the correct inherited_object GUID
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit d20c46a520a7e39dd87476cd81edab56b5543892)
Stefan Metzmacher [Tue, 11 Dec 2012 01:00:38 +0000 (02:00 +0100)]
libcli/security: implement object_in_list()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 75729e6703c5b5dff7feefed590086898fc03c74)
Karolin Seeger [Tue, 11 Dec 2012 08:00:44 +0000 (09:00 +0100)]
WHATSNEW: Update release notes for Samba 4.0.0.
Karolin
Michael Adam [Mon, 10 Dec 2012 14:06:27 +0000 (15:06 +0100)]
s3:auth: fix create_token_from_sid() to not fail in the winbindd case
Commit 1c3c5e2156d9096f60bd53a96b88c2f1001d898a which factored
the sid-based variant out of create_token_from_username() broke
the case of a user handled by winbindd in that the "found_username"
was set to NULL which caused the function to fail with
NT_STATUS_NO_MEMORY further down.
This patch fixes the function so that the case of found_username == NULL
is cleanly separated from the NO_MEMORY case and the caller can provide
the username in this case, if required.
This fixes bug #9457.
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Dec 10 18:18:54 CET 2012 on sn-devel-104
(cherry picked from commit c5b150b33fc54ed97dbd0736cc6f4c15977d6e70)
Michael Adam [Mon, 10 Dec 2012 20:56:42 +0000 (21:56 +0100)]
s3:auth: fix function header comment for user_sid_in_group_sid()
This is embarrassing: the commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8
which intended to fix an earlier copy'n'paste error, contained another
typo, fixed with this commit...
Signed-off-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec 11 00:04:45 CET 2012 on sn-devel-104
(cherry picked from commit 1d949cb0e51a086006612271d6f08305b68aa09c)
Michael Adam [Mon, 10 Dec 2012 13:48:43 +0000 (14:48 +0100)]
s3:auth: fix header comment for user_sid_in_group_sid()
This function was created in 1c3c5e2156d9096f60bd53a96b88c2f1001d898a
and the header comment contained copy'n'paste errors from the original
function user_in_group_sid() that took the user name.
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 0770a4c01bef26ec51321cd5b97aea4eab9e00a8)
Stefan Metzmacher [Fri, 7 Dec 2012 17:58:57 +0000 (18:58 +0100)]
s4:dsdb/tests/sec_descriptor: verify the search of a windows dc join keeps working
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Dec 10 15:41:12 CET 2012 on sn-devel-104
(cherry picked from commit 53b736444d55c4eed3abbc34974b655cc2607cd6)
The last 13 patches address bug #9470 - MMC crashes.
Stefan Metzmacher [Thu, 6 Dec 2012 13:04:47 +0000 (14:04 +0100)]
s4:dsdb/tests/sec_descriptor: verify the nTSecurityDescriptor and sd_flags interaction
This is a regression test for bug #9470.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit e617a3fecb797031cf5a6545d51d7e116716ab52)
Stefan Metzmacher [Thu, 6 Dec 2012 14:56:26 +0000 (15:56 +0100)]
s4:dsdb/operational: fix stripping of the nTSecurityDescriptor attribute
If the sd_flags control is specified, we should return nTSecurityDescriptor
only if the client asked for all attributes.
If there's a list of only explicit attribute names, we should ignore
the sd_flags control.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 6bc2caed8b3f153f92af013275f39c803f886a22)
Stefan Metzmacher [Thu, 6 Dec 2012 11:36:09 +0000 (12:36 +0100)]
s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the sd_flags control is given (bug #9470)
Not returning the nTSecurityDescriptor causes a lot of problems.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 22bb2fd868b8df2244b801aeaa515a8a4036bce8)
Stefan Metzmacher [Thu, 6 Dec 2012 11:29:49 +0000 (12:29 +0100)]
s4:dsdb/acl_read: give some variables a better name
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 4f8558ffaf4c9fb9e350ec528ec1ce60de5f2e24)
Stefan Metzmacher [Fri, 7 Dec 2012 17:40:25 +0000 (18:40 +0100)]
s4:dsdb/acl_read: fix the calculation of the attribute array for the sub search
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit db15fcfa899e1fe4d6994f68ceb299921b8aa6f1)
Stefan Metzmacher [Fri, 7 Dec 2012 17:39:29 +0000 (18:39 +0100)]
s4:dsdb/acl_read: check the ldb_attr_list_copy_add() result
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit e2181617a00d7982e4e6ced1c51aa2ee8a40df26)
Stefan Metzmacher [Fri, 7 Dec 2012 18:02:10 +0000 (19:02 +0100)]
s4:dsdb/dirsync: fix potential talloc hierarchy problems (bug #9470)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 6bcafceb750d5c4d24e2ddbef35b411bebccd66f)
Stefan Metzmacher [Fri, 7 Dec 2012 12:56:21 +0000 (12:56 +0000)]
s4:dsdb/descriptor: fix replication of NC heads
The sub NC heads may be replicated with the parent partition,
if we don't need to recalculate the nTSecurityDescriptor attribute in that
case, the replication of the sub partition should handle that.
This fixes error messages like this:
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=s40dom,DC=base not found under DC=s40dom,DC=base
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 734d14b54834a4d03e67bcaece4f4e3cf1d10925)
Stefan Metzmacher [Fri, 7 Dec 2012 12:39:31 +0000 (13:39 +0100)]
s4:dsdb/acl_read: improve debugging for fatal error
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 802124789513ef207a154ee950dc03e66a80e0b1)
Stefan Metzmacher [Fri, 7 Dec 2012 10:02:49 +0000 (11:02 +0100)]
s4:dsdb/acl_read: keep the ldb_message of the sub search (bug #9470)
Some modules might not allocate values on the correct memory context.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 14b5b729049d92c30ba518adb82c9396fdddd09f)
Stefan Metzmacher [Fri, 7 Dec 2012 10:08:14 +0000 (10:08 +0000)]
s4:dsdb/schema_data.c: correctly move the CN=Aggregate attributes to msg->elements[i].values (bug #9470)
We should keep the talloc hierarchy sane.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 3535f8effefef6a68d2b686abe2769d797531dd9)
Stefan Metzmacher [Fri, 7 Dec 2012 09:34:58 +0000 (10:34 +0100)]
s4:dsdb/schema: fix dsdb_schema_set_el_from_ldb_msg() (bug #9470)
We should always update the ts_last_change.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 944b6863a71efc48ccc8cd9ae8ad1a3081bc1805)
Karolin Seeger [Mon, 10 Dec 2012 09:12:59 +0000 (10:12 +0100)]
WHATSNEW: Update changes since rc6.
Karolin
Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Mon Dec 10 11:56:00 CET 2012 on sn-devel-104
Günther Deschner [Fri, 7 Dec 2012 11:51:10 +0000 (12:51 +0100)]
s4-torture: call the s4u2self tests with arcfour and aes.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Dec 9 21:24:44 CET 2012 on sn-devel-104
(cherry picked from commit ade5bfd304cc806758a58f04b35834cd730dd9ba)
The last 28 patches address bug #9438 - netr_ServerPasswordSet2,
netr_LogonSamLogon with netlogon AES broken.
Günther Deschner [Fri, 7 Dec 2012 11:57:18 +0000 (12:57 +0100)]
s4-torture: precalculate expected session keys from samlogon in schannel test.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d0bad6c3350698b26ba009bb0c91d0265cc22f60)
Günther Deschner [Fri, 7 Dec 2012 11:38:16 +0000 (12:38 +0100)]
libcli/auth: support AES decryption in netlogon_creds_decrypt_samlogon().
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f6cb8049b2fe62054d254a006b8a39f000d1d1d5)