Matthias Dieter Wallnöfer [Tue, 11 May 2010 20:52:55 +0000 (22:52 +0200)]
ldb:ldb_msg.c - use result constant
Matthias Dieter Wallnöfer [Thu, 13 May 2010 13:29:20 +0000 (15:29 +0200)]
s4:domainlevel.py - update the script to handle both domain level occourrences on s4
The second "modify" is located under a try-catch block to ignore the change
failure against Windows Server (there only the first change is required).
Matthias Dieter Wallnöfer [Thu, 13 May 2010 13:11:29 +0000 (15:11 +0200)]
s4:domain functional level - it is also specified in the domain object under partitions
Discovered by the "ldapcmp" tool
Matthias Dieter Wallnöfer [Thu, 13 May 2010 13:06:35 +0000 (15:06 +0200)]
s4:provision_configuration.ldif - add more extended rights objects
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:51:10 +0000 (14:51 +0200)]
s4:provision_users.ldif - fix up and reorder the well-known security principals
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:43:10 +0000 (14:43 +0200)]
s4:provision_configuration.ldif - add more Windows 2008 forest operations
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:33:40 +0000 (14:33 +0200)]
s4:provision_configuration.ldif - the revision level of "Windows2003Update" should obviously be 10
Compared against my Windows Server 2008 and Zahari's output.
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:24:02 +0000 (14:24 +0200)]
s4:provision_configuration.ldif - "CN=
94fdebc6-8eeb-4640-80de-
ec52b9ca17fa" operation is of version 3
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:22:14 +0000 (14:22 +0200)]
s4:provision*.ldif - always set the "msDS-NcType" attribute correctly
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:18:20 +0000 (14:18 +0200)]
s4:provision_configuration.ldif - set the right schedule on the default site in the NTDS site settings
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:14:31 +0000 (14:14 +0200)]
s4:provision_configuration.ldif - The "NTDS Quotas" object is system-critical
Matthias Dieter Wallnöfer [Thu, 13 May 2010 12:08:55 +0000 (14:08 +0200)]
s4:provision_configuration.ldif - "sites" object
- The default site doesn't contain a licensing object
- Adequate two other values (a "showInAdvancedViewOnly" and a "systemFlags" one)
Matthias Dieter Wallnöfer [Thu, 13 May 2010 10:10:54 +0000 (12:10 +0200)]
s4:provision.ldif - add IP security objects as they exist on Windows Server
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:45:43 +0000 (11:45 +0200)]
s4:provision.ldif - add more Windows 2008 domain operations
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:32:36 +0000 (11:32 +0200)]
s4:provision_users.ldif - On Windows Server >= 2008 security principal S-1-5-20 doesn't exist anymore
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:28:56 +0000 (11:28 +0200)]
s4:provision.ldif - "passwordSettingsContainer" add "showInAdvancedViewOnly"
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:24:20 +0000 (11:24 +0200)]
s4:provision.ldif - fix up "NTDS Quotas" "systemFlags"
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:22:43 +0000 (11:22 +0200)]
s4:provision_users.ldif - fix up Administrator's "userAccountControl"
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:21:39 +0000 (11:21 +0200)]
s4:provision_basedn_modify.ldif - fix up "maxPwdAge"
Matthias Dieter Wallnöfer [Thu, 13 May 2010 09:13:26 +0000 (11:13 +0200)]
s4:provision_users.ldif - Fix typos in user/group objects
Andrew Bartlett [Tue, 11 May 2010 11:37:30 +0000 (21:37 +1000)]
s3:winbindd Provide a winbindd_register_handlers() helper function for s3compat
This function provides a useful entry point for s3compat to set things
up in winbindd.
Andrew Bartlett
Andrew Bartlett [Tue, 11 May 2010 11:31:18 +0000 (21:31 +1000)]
s3:winbindd Split helper functions to allow s3compat to call them
This provides a more useful entry point for s3compat.
Andrew Bartlett
Andrew Bartlett [Tue, 11 May 2010 10:24:42 +0000 (20:24 +1000)]
s3:Winbindd Move winbindd_event_context to a different file
This allows this function to be easily replaced in s3compat
Andrew Bartlett
Andrew Bartlett [Tue, 11 May 2010 10:22:06 +0000 (20:22 +1000)]
s3:winbindd Rename 'children' to 'winbindd_children' and make static
Andrew Bartlett [Tue, 11 May 2010 00:04:30 +0000 (10:04 +1000)]
s3:libsmb/namecache Remove namecache_enable()
No caller honours the return value, and this call only prints a
DEBUG(). Removing this reduces the number of initialisation
boilerplate calls s3compat has to make.
Andrew Bartlett
Andrew Bartlett [Tue, 11 May 2010 00:02:52 +0000 (10:02 +1000)]
s3:smbd Remove calls to namecache_enable()
This only prints a DEBUG()
Andrew Bartlett
Andrew Bartlett [Mon, 10 May 2010 23:59:48 +0000 (09:59 +1000)]
s3:winbindd Remove call to namecache_enable().
This call only prints a DEBUG()
Andrew Bartlett
Andrew Bartlett [Mon, 14 Dec 2009 08:43:59 +0000 (19:43 +1100)]
s3:auth Make get_ntlm_challenge more like Samba4
This helps with the upcoming NTLMSSP merge, and allows errors to be returned.
Andrew Bartlett
Jeremy Allison [Wed, 12 May 2010 22:19:45 +0000 (15:19 -0700)]
Pass more SMB2 oplock tests. Only oplock stream tests left to fix.
Jeremy.
Julien Kerihuel [Wed, 12 May 2010 10:55:56 +0000 (12:55 +0200)]
Choose between local tevent_status.h header file and installed one
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Julien Kerihuel [Wed, 12 May 2010 10:34:54 +0000 (12:34 +0200)]
Install util/tevent_* public headers. Required by OpenChange for compiling IDL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 12 May 2010 17:18:36 +0000 (19:18 +0200)]
s4:librpc: remove explicit ../librpc/gen_ndr/ndr_drsblobs.o from python_drsblobs
It already comes via RPC_NDR_DRSBLOBS.
metze
Karolin Seeger [Wed, 12 May 2010 14:21:56 +0000 (16:21 +0200)]
s3-docs: Unify capitalization.
Karolin
Karolin Seeger [Wed, 12 May 2010 14:17:33 +0000 (16:17 +0200)]
s3-docs: Add documentation of the net g_lock subcommand.
Karolin
Karolin Seeger [Wed, 12 May 2010 09:24:57 +0000 (11:24 +0200)]
s3-docs: Move -D option to the right paragraph in man winbindd.
Fix bug #7260 (Command line option documentation in wrong place in winbindd man
page.). Thanks to Ged Haywood <samba@jubileegroup.co.uk> for reporting!
Karolin
Stefan Metzmacher [Wed, 12 May 2010 07:42:44 +0000 (09:42 +0200)]
s4:heimdal_build: undefine __APPLE__ as we don't need that magic
This hopefully fixes the build on Mac OS 10.
metze
Stefan Metzmacher [Wed, 12 May 2010 07:08:32 +0000 (09:08 +0200)]
s4:heimdal_build: remove heimdal/lib/hcrypto/evp-cc.c from autoconf build
metze
Olaf Flebbe [Tue, 11 May 2010 09:30:04 +0000 (11:30 +0200)]
work around AIX6.1 name space pollution rename mod_name to module_name
Günther Deschner [Tue, 11 May 2010 10:16:52 +0000 (12:16 +0200)]
s3-rap: fix cli_oem_change_password() and give room for the convert reply word.
Any servers I could find so far return it.
Guenther
Günther Deschner [Fri, 7 May 2010 17:20:09 +0000 (19:20 +0200)]
s3-lanman: use samr for api_SamOEMChangePassword().
Guenther
Günther Deschner [Tue, 11 May 2010 22:18:42 +0000 (00:18 +0200)]
s4-smbtorture: create/delete testusers via SAMR in RAP-SAM.
Unless we spent time researching the RAP useradd calls (and implement them in
s3) it is far more easy to use existing SAMR calls to create and delete test
users that are used for RAP change password operations.
Guenther
Günther Deschner [Fri, 7 May 2010 20:58:42 +0000 (22:58 +0200)]
s4-smbtorture: add test_oemchangepassword to RAP-SAM.
Guenther
Günther Deschner [Mon, 10 May 2010 10:14:58 +0000 (12:14 +0200)]
s4-selftest: skip RAP-SAM tests against Samba 4.
Guenther
Günther Deschner [Fri, 7 May 2010 20:18:30 +0000 (22:18 +0200)]
s3-selftest: enable RAP-SAM against Samba 3.
Guenther
Günther Deschner [Fri, 7 May 2010 13:45:23 +0000 (15:45 +0200)]
s4-smbtorture: add RAP-SAM testsuite with a rap_NetUserPasswordSet2 test.
Guenther
Günther Deschner [Sat, 8 May 2010 23:08:11 +0000 (01:08 +0200)]
s4-smbtorture: getting serious about checking rap status return codes.
Guenther
Günther Deschner [Tue, 11 May 2010 21:55:53 +0000 (23:55 +0200)]
s4-smbtorture: add torture_create_testuser_max_pwlen() that allows to set maxpwlen.
required for upcoming rap pwd tests.
Guenther
Günther Deschner [Tue, 11 May 2010 15:46:18 +0000 (17:46 +0200)]
s4-smbtorture: autolookup domain in torture_create_testuser() if none was given.
Guenther
Jeremy Allison [Tue, 11 May 2010 21:00:38 +0000 (14:00 -0700)]
Fix more SMB2-OPLOCK bugs. Only 3 more issues to address then we're good to go on this test.
Jeremy.
Andrew Bartlett [Thu, 6 May 2010 02:45:14 +0000 (12:45 +1000)]
s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA
All the callers just want the PAC_LOGON_INFO, so search for that in
ads_verify_ticket(), and don't bother the callers with the rest of the
PAC.
This change makes sense on it's own (removing boilerplate wrappers
that just confuse the code), but it also makes it much easier to
implement a matching ads_verify_ticket() function in Samba4 for the
s3compat proposal.
Andrew Bartlett
Signed-off-by: Günther Deschner <gd@samba.org>
Günther Deschner [Tue, 11 May 2010 11:39:37 +0000 (13:39 +0200)]
s4-smbtorture: test netservergetinfo level 1 also against s3.
Guenther
Björn Jacke [Tue, 11 May 2010 18:46:19 +0000 (20:46 +0200)]
not all versions of env like more than one argument...
Björn Jacke [Tue, 11 May 2010 17:11:38 +0000 (19:11 +0200)]
pidl: fix build on systems that don't have perl in /usr/bin/
Stefan Metzmacher [Tue, 11 May 2010 08:34:19 +0000 (10:34 +0200)]
s4:dsdb: cached results of samdb_rodc()
metze
Stefan Metzmacher [Tue, 11 May 2010 14:42:14 +0000 (16:42 +0200)]
tdb: commit ABI/tdb-1.2.2.sigs
metze
Stefan Metzmacher [Tue, 11 May 2010 16:10:32 +0000 (18:10 +0200)]
s4:heimdal: remove unused heimdal/lib/hcrypto/evp-cc.c
metze
Stefan Metzmacher [Tue, 11 May 2010 14:21:45 +0000 (16:21 +0200)]
s4:heimdal_build: remove heimdal/lib/hcrypto/evp-cc.c from the build
This is not needed and contains one big #ifdef __APPLE__
and breaks the build on Mac OS 10.
metze
Michael Adam [Wed, 24 Mar 2010 16:00:01 +0000 (17:00 +0100)]
s3:configure: fix a message
Matthias Dieter Wallnöfer [Tue, 11 May 2010 14:13:45 +0000 (16:13 +0200)]
s4:torture/rpc/netlogon.c - don't use constant "AF_LOCAL" but do use "AF_UNIX" instead
"AF_LOCAL" isn't portable but has the same value as "AF_UNIX".
Stefan Metzmacher [Tue, 11 May 2010 14:07:19 +0000 (16:07 +0200)]
s3:Makefile: build smbtorture4 as static binary with socket_wrapper support
metze
Björn Jacke [Tue, 11 May 2010 13:23:54 +0000 (15:23 +0200)]
waf:libreplace: set _OSF_SOURCE to fix build on Tru64
Matthias Dieter Wallnöfer [Tue, 11 May 2010 12:58:19 +0000 (14:58 +0200)]
README.Coding - cosmetic changes
- Fix typos
- Wrap lines
- Remove trailing whitespaces
- use ":" instead of "::" - one colon should in all cases be enough
Kai Blin [Tue, 11 May 2010 12:24:47 +0000 (14:24 +0200)]
build: skip missing executables in testwaf.sh
Günther Deschner [Tue, 11 May 2010 11:40:12 +0000 (13:40 +0200)]
tdb: remove unused variable in tdb_new_database().
Guenther
Anatoliy Atanasov [Tue, 11 May 2010 08:35:54 +0000 (11:35 +0300)]
Revert "s4-rodc: Fix provision warnings by creating ntds objectGUID in provision"
This reverts commit
c3cbb846d0bfbaa11fd255bada7fa5fe502d4d96.
The fix is not correct, we should cache a bool to answer amIRODC
Stefan Metzmacher [Tue, 11 May 2010 06:34:35 +0000 (08:34 +0200)]
Revert "s4:password_hash LDB module - don't break the provision"
This reverts commit
6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
Stefan Metzmacher [Tue, 11 May 2010 06:38:02 +0000 (08:38 +0200)]
Revert "s4:password hash LDB module - check that password hashes are != NULL before copying them"
This reverts commit
fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
Stefan Metzmacher [Tue, 11 May 2010 06:32:40 +0000 (08:32 +0200)]
s4:dsdb/password_hash: only try to handle a hash in the unicodePwd field if it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
Stefan Metzmacher [Tue, 11 May 2010 06:03:56 +0000 (08:03 +0200)]
README.Coding: fix good example
metze
Günther Deschner [Mon, 10 May 2010 21:41:08 +0000 (23:41 +0200)]
s4-smbtorture: fix smbcli_rap_netuserpasswordset2().
Guenther
Günther Deschner [Mon, 10 May 2010 19:48:10 +0000 (21:48 +0200)]
s4-smbtorture: fix smbcli_rap_netoemchangepassword.
Guenther
Günther Deschner [Mon, 10 May 2010 22:53:41 +0000 (00:53 +0200)]
s4-smbtorture: correctly fill in trans.in.data in rap_cli_do_call().
Guenther
Matthias Dieter Wallnöfer [Mon, 10 May 2010 21:46:21 +0000 (23:46 +0200)]
s4:password_hash LDB module - we might not have a cleartext password at all
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
Jeremy Allison [Mon, 10 May 2010 21:23:44 +0000 (14:23 -0700)]
SMB2 always have level2 oplock capability. Correct mapping from break messages to SMB2 oplock levels.
Jeremy.
Jeremy Allison [Mon, 10 May 2010 20:58:41 +0000 (13:58 -0700)]
Stop us crashing in SMB2-OPLOCK test. Don't allow more than one outstanding immediate event.
Jeremy.
Kamen Mazdrashki [Sat, 8 May 2010 07:20:00 +0000 (10:20 +0300)]
s4/tort: Add test for comparing special DNs
Kamen Mazdrashki [Sat, 8 May 2010 07:19:14 +0000 (10:19 +0300)]
s4/dn: handle case 'base' dn has no components
This could if the 'base' dn is special for example.
Günther Deschner [Fri, 7 May 2010 20:10:51 +0000 (22:10 +0200)]
s4-smbtorture: add smbcli_rap_netoemchangepassword().
Guenther
Günther Deschner [Fri, 7 May 2010 17:26:43 +0000 (19:26 +0200)]
rap: add rap_NetOEMChangePassword() to IDL.
Guenther
Jeremy Allison [Mon, 10 May 2010 18:29:34 +0000 (11:29 -0700)]
Fix the processing of unlocks followed by locks. We now pass SMB2-LOCK test.
Jeremy.
Jeremy Allison [Mon, 10 May 2010 18:09:41 +0000 (11:09 -0700)]
Fix more of the SMB2-LOCK tests. Correctly unlock locks on error.
Jeremy.
Matthias Dieter Wallnöfer [Mon, 10 May 2010 18:04:37 +0000 (20:04 +0200)]
s4:password_hash LDB module - quiet a warning
Matthias Dieter Wallnöfer [Mon, 10 May 2010 18:02:21 +0000 (20:02 +0200)]
s4:password hash LDB module - check that password hashes are != NULL before copying them
Matthias Dieter Wallnöfer [Mon, 10 May 2010 17:51:31 +0000 (19:51 +0200)]
s4:password_hash LDB module - don't break the provision
This is to don't break the provision process at the moment. We need to find
a better solution.
Matthias Dieter Wallnöfer [Sat, 10 Apr 2010 18:04:13 +0000 (20:04 +0200)]
s4:passwords.py - add a python unittest for additional testing of my passwords work
This performs checks on direct password changes over LDB/LDAP. Indirect
password changes over the RPCs are already tested by some torture suite (SAMR
passwords). So no need to do this again here.
Matthias Dieter Wallnöfer [Thu, 3 Dec 2009 09:48:44 +0000 (10:48 +0100)]
s4:samdb_set_password - adapt it for the user password change handling
Make use of the new "change old password checked" control.
Matthias Dieter Wallnöfer [Sat, 26 Sep 2009 10:09:07 +0000 (12:09 +0200)]
s4:samdb_set_password/samdb_set_password_sid - Rework
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
Stefan Metzmacher [Mon, 10 May 2010 15:36:54 +0000 (17:36 +0200)]
s4:password_hash - Implement password restrictions
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
Matthias Dieter Wallnöfer [Wed, 23 Sep 2009 17:25:54 +0000 (19:25 +0200)]
s4:password_hash - Rework to handle password changes
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
Matthias Dieter Wallnöfer [Fri, 23 Oct 2009 10:51:47 +0000 (12:51 +0200)]
s4:password_hash - Rework unique value checks
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
Matthias Dieter Wallnöfer [Fri, 23 Oct 2009 10:51:47 +0000 (12:51 +0200)]
s4:password_hash - Various (mostly cosmetic) prework
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
Matthias Dieter Wallnöfer [Wed, 23 Sep 2009 17:25:54 +0000 (19:25 +0200)]
s4:dsdb: add new controls
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
Stefan Metzmacher [Mon, 10 May 2010 10:25:32 +0000 (12:25 +0200)]
s4:setup: mark DSDB_CONTROL_DN_STORAGE_FORMAT_OID 1.3.6.1.4.1.7165.4.3.4 as allocated
metze
Zahari Zahariev [Mon, 10 May 2010 10:53:56 +0000 (13:53 +0300)]
v2 Latest enhancements in ldapcmp tool
- Added support for replicating hosts versus hosts in different domains
- Added switches for the following modes:
= two - ignores additional attributes that cannot be the same
in two different provisions (domains)
= quiet - display nothing, only return code
= verbose - display all dn objects through compare fase
= default - display only objects with differences
- Added more placeholders for nETBIOSDomainName and ServerName
Anatoliy Atanasov [Mon, 10 May 2010 10:52:27 +0000 (13:52 +0300)]
s4-rodc: Fix provision warnings by creating ntds objectGUID in provision
Günther Deschner [Mon, 10 May 2010 12:44:30 +0000 (14:44 +0200)]
s3-rpcclient: fix two more invalid typecasts in spoolss commands.
Guenther
Jelmer Vernooij [Mon, 10 May 2010 12:48:41 +0000 (14:48 +0200)]
s3: Work around dependency bug in Samba 4 waf build in merged build.
Volker Lendecke [Mon, 10 May 2010 10:05:01 +0000 (12:05 +0200)]
libwbclient: Fix a fd-leak at dlclose-time
__attribute__((destructor)) makes winbind_close_sock() being called at
dlclose() time.
Found while testing apache on Linux with mod_auth_pam.
Other platforms will have to find a different fix. One possibility would be to
always close the socket after each operation, but this badly sucks
performance-wise.
Volker Lendecke [Mon, 10 May 2010 09:53:03 +0000 (11:53 +0200)]
s3: Test for "__attribute__((destructor))"
Matthias Dieter Wallnöfer [Mon, 10 May 2010 10:37:50 +0000 (12:37 +0200)]
s4:acl ldb module - fix typos