Amitay Isaacs [Tue, 21 Mar 2017 05:48:45 +0000 (16:48 +1100)]
ctdb-daemon: Add tracking of migration records
Instead of using hopcount as a metric for hot records, use the number
of migrations per second as a metric.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 5 08:35:45 CEST 2017 on sn-devel-144
Amitay Isaacs [Mon, 3 Apr 2017 07:32:32 +0000 (17:32 +1000)]
ctdb-daemon: For hot records, use count instead of hopcount
This avoids tying hopcounts to hot records.
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 17 Mar 2017 07:00:40 +0000 (18:00 +1100)]
ctdb-common: Add hash_count abstraction
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Amitay Isaacs [Fri, 17 Mar 2017 07:00:16 +0000 (18:00 +1100)]
ctdb-common: Add traverse_update function to db_hash abstraction
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Gary Lockyer [Thu, 30 Mar 2017 18:03:30 +0000 (07:03 +1300)]
TestBase: restore setting FEATURE_SEAL in insta_creds
The setting of FEATURE_SEAL by default in insta_creds got removed when
the code was moved from password_lockout.py.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Wed Apr 5 04:46:29 CEST 2017 on sn-devel-144
Stefan Metzmacher [Tue, 28 Mar 2017 13:28:21 +0000 (15:28 +0200)]
wafsamba: move -L/some/path from LINKFLAGS_PYEMBED to LIBPATH_PYEMBED
LINKFLAGS should not have path components.
This fixes the build on systems like FreeBSD where python
is located in /usr/local/lib.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12724
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 4 16:10:18 CEST 2017 on sn-devel-144
Jeremy Allison [Sat, 1 Apr 2017 15:34:48 +0000 (15:34 +0000)]
s4: server: Fix crash in NTVFS server caused by ordering of destructor calls.
In the NTVFS server we have the following talloc heirarchy:
event_ctx
|
---------------------------------------------------- .. other children
| | |
msg_dgm_ref srv_conn msg_dgm_ref
^ |
| NTVFS structures
| |
| XXXXXX
| |
| |
--------------------- pointer to msg_dgm_ref
Some of the structures under NTVFS (marked XXXXX) can have
pointers to imessaging contexts which internally have pointers
to msg_dgm_ref structurs allocated off event_ctx.
The original code calls:
model_ops->terminate(event_ctx, srv_conn->lp_ctx, reason);
talloc_free(srv_conn);
But model_ops->terminate() calls talloc_free(event_ctx) and
then calls exit(). In this case srv_conn is never explicitly
freed, but only freed as a talloc child of the event_ctx.
Depending on the ordering of the linked list of talloc children
under event_ctx(which can be reordered via talloc_free/reinit
of msg_dgm_ref) a pointer to msg_dgm_ref under srv_conn can
be left pointing to memory that was already freed. This pointer
is then used in the destructor for a file object called when
srv_conn is freed.
Re-ordering this to explicitly call TALLOC_FREE(srv_conn) first
and then model_ops->terminate() fixes this problem.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Apr 2 05:18:39 CEST 2017 on sn-devel-144
Ralph Boehme [Wed, 29 Mar 2017 09:13:46 +0000 (11:13 +0200)]
winbindd: trigger possible passdb_dsdb initialisation
If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
from secrets.tdb. As we use the domain SID in various places, we must
ensure the domain SID is migrated from dsdb to secrets.tdb before
get_global_sam_sid() is called the first time.
The migration is done as part of the passdb_dsdb initialisation, calling
pdb_get_domain_info() triggers it.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144
Ralph Boehme [Fri, 31 Mar 2017 14:24:05 +0000 (16:24 +0200)]
selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
This test passes even without the fix, as in sids2xids we use the
lookupnames just to determine the mapping domain, using the default
idmap domain as fallback if that fails.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 31 Mar 2017 14:06:18 +0000 (16:06 +0200)]
selftest: wbinfo -s tests for wellknown SIDs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 30 Mar 2017 21:41:59 +0000 (23:41 +0200)]
winbindd: use passdb backend for well-known SIDs
On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
local domain, otherwise something simple like this fails with
WBC_ERR_DOMAIN_NOT_FOUND:
$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-1-0
On a member server asking our DC works and is what we're currently
doing, but changing it to ask passdb avoids the overhead.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 29 Mar 2017 18:11:37 +0000 (11:11 -0700)]
s4: messaging. Add imessaging_reinit_all() function.
Ensure it is called from process_standard.c after
every fork().
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Mar 31 14:48:17 CEST 2017 on sn-devel-144
Andreas Schneider [Fri, 17 Mar 2017 09:04:19 +0000 (10:04 +0100)]
selftest: Define template homedir for 'ad_member' env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
Andreas Schneider [Wed, 15 Mar 2017 11:37:08 +0000 (12:37 +0100)]
s3:tests: Add a subsitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Christof Schmitt [Mon, 27 Mar 2017 22:11:08 +0000 (15:11 -0700)]
winbindd: Fix password policy for pam authentication
Authenticating users from trusted domains would return the password
policy of the joined domain. Fix the code so that the password policy of
the joined domain is only returned for users from that domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12725
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Wed Mar 29 22:54:47 CEST 2017 on sn-devel-144
Amitay Isaacs [Tue, 7 Mar 2017 03:13:10 +0000 (14:13 +1100)]
ctdb-tools: Avoid deferencing argv[0] if argc == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12723
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Mar 29 11:07:18 CEST 2017 on sn-devel-144
Andrew Bartlett [Mon, 27 Mar 2017 00:17:35 +0000 (13:17 +1300)]
WHATSNEW: Add entry for auth audit
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 29 06:35:12 CEST 2017 on sn-devel-144
Garming Sam [Fri, 24 Mar 2017 00:52:58 +0000 (13:52 +1300)]
whitespace: auth_log_pass_change.py python conventions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Thu, 23 Mar 2017 23:20:19 +0000 (12:20 +1300)]
ldap_server: Move a variable into a smaller scope
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Thu, 23 Mar 2017 22:33:51 +0000 (11:33 +1300)]
whitespace: auth_log.c C code conventions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Thu, 23 Mar 2017 21:51:05 +0000 (10:51 +1300)]
whitespace: auth_log.py python conventions
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Gary Lockyer [Thu, 23 Mar 2017 22:02:36 +0000 (11:02 +1300)]
auth log: Add tests for anonymous bind and SamLogon
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 23 Mar 2017 03:30:05 +0000 (16:30 +1300)]
python: Add bindings for NTLMSSP
This is helpful for building NTLMv2 packets in python for testing against the SamLogon server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 22 Mar 2017 03:40:40 +0000 (16:40 +1300)]
pycredentials: Add bindings for get_ntlm_response()
This should make testing of SamLogon from python practical
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 23 Mar 2017 01:05:56 +0000 (14:05 +1300)]
rpc_server: Re-order and rename remote and local address in np_open()
We use this order and name consistently eleswhere.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Wed, 22 Mar 2017 23:39:25 +0000 (12:39 +1300)]
ldap_server: Log failures to find a valid user in the simple bind
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 17 Mar 2017 02:58:17 +0000 (15:58 +1300)]
dsdb: Add authentication audit logging for LDAP password change
This ensures this particular vector is not forgotten
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 17 Mar 2017 00:26:13 +0000 (13:26 +1300)]
samr: Add logging of password change success and failure
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 20 Mar 2017 20:59:45 +0000 (09:59 +1300)]
auth log tests: password change tests
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Feb 2017 01:07:54 +0000 (14:07 +1300)]
heimdal: Pass extra information to hdb_auth_status() to log success and failures
We now pass on the original client name and the client address to allow
consistent audit logging in Samba across multiple protocols.
We use config->db[0] to find the first database to record incorrect
users.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 13 Mar 2017 22:01:54 +0000 (11:01 +1300)]
s3-rpc_server: Provide hooks required for JSON message logging for the no-auth case
This is triggered in the ncacn_np pass-though case in particular
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 16 Mar 2017 21:29:02 +0000 (10:29 +1300)]
s3-rpc_server: Re-order and rename remote and local address in make_external_rpc_pipe{,_p}()
We use this order and name consistently eleswhere.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 16 Mar 2017 21:26:03 +0000 (10:26 +1300)]
s3-rpc_server: pass remote and local address to rpc_pipe_open_external
We want the real client address here for audit purposes, if possible.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Thu, 9 Mar 2017 23:43:42 +0000 (12:43 +1300)]
s4-ntvfs: Correct mixup between local/remote addresses
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 9 Mar 2017 23:13:24 +0000 (12:13 +1300)]
s3-rpc_server: Rename client -> remote_client and server -> local_server
This changes struct dcerpc_ncacn_conn
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.
By using both names we avoid a little of this.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 9 Mar 2017 23:38:33 +0000 (12:38 +1300)]
s3-rpc_server: Re-order local and remote address in make_server_pipes_struct()
The rest of the code uses remote before local, and this
often causes bugs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 9 Mar 2017 23:33:06 +0000 (12:33 +1300)]
s3-named_pipe_auth: Rename client -> remote_client and server -> local_server
This brings the callers of named_pipe_auth in line with that subsystem.
Much of Samba uses remote_address and local_address, and this difference
has hidden bugs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 9 Mar 2017 22:38:56 +0000 (11:38 +1300)]
s4-named_pipe_auth: Rename client -> remote_client and server -> local_server
This brings the callers of named_pipe_auth in line with that subsystem.
While these names may be better, the rest of Samba consistently uses
remote_address and local_address, and this difference has hidden bugs
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 9 Mar 2017 22:37:56 +0000 (11:37 +1300)]
named_pipe_auth: Rename client -> remote_client and server -> local_server
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Fri, 24 Mar 2017 02:19:32 +0000 (15:19 +1300)]
selftest: Turn on auth event notification and so allow tests to pass
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 24 Mar 2017 02:18:46 +0000 (15:18 +1300)]
auth: Add hooks for notification of authentication events over the message bus
This will allow tests to be written to confirm the correct events are triggered.
We pass in a messaging context from the callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 24 Mar 2017 02:16:34 +0000 (15:16 +1300)]
auth_log: Improve comment
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 7 Mar 2017 03:50:38 +0000 (16:50 +1300)]
auth_log: Prepared to allow logging JSON events to a server over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Fri, 24 Mar 2017 02:11:35 +0000 (15:11 +1300)]
s4-messaging: split up messaging into a smaller library for send only
This will help avoid a dep loop when the low-level auth code relies on the message
code to deliver authentication messages
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Mon, 6 Mar 2017 03:16:51 +0000 (16:16 +1300)]
auth_log: Add JSON logging of Authorisation and Authentications
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-Programmed: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 6 Mar 2017 01:10:17 +0000 (14:10 +1300)]
auth: Log the transport connection for the authorization
We also log if a simple bind was over TLS, as this particular case matters to a lot of folks
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 2 Mar 2017 23:53:06 +0000 (12:53 +1300)]
ldap_server: Log access without a bind
This can be over the privileged ldapi socket, or just as the implicit anonymous access
However, do not log for setting up StartTLS, or a rootDSE search.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 23:40:04 +0000 (12:40 +1300)]
auth_log: Split up auth/authz logging levels and handle anonymous better
We typically do not want a lot of logging of anonymous access, as this is often
simple a preperation for authenticated access, so we make that level 5.
Bad passwords remain at level 2, successful password authentication is level 3
and successful authorization (eg kerberos login to SMB) is level 4.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 23:03:04 +0000 (12:03 +1300)]
s3-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-though
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2017 22:49:43 +0000 (11:49 +1300)]
s4-rpc_server: Log authorization to DCE/RPC for anonymous and ncacn_np pass-though
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:49:01 +0000 (16:49 +1300)]
ldap_server: Log authorization for simple binds
Existing comment is no longer relevant.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:28:06 +0000 (16:28 +1300)]
s4-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
gensec_session_info() is not called for bare NTLM, so we have to log manually
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:27:51 +0000 (16:27 +1300)]
s3-auth: Log SMB authorization for bare NTLM (NTLMSSP/krb5 already done)
gensec_session_info() is not called for bare NTLM, so we have to log manually
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 03:00:03 +0000 (16:00 +1300)]
auth_log: Also log the final type of authentication (ntlmssp,krb5)
Administrators really care about how their users were authenticated, so make
this clear.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 02:06:25 +0000 (15:06 +1300)]
auth_log: Expand to include the type of password used (eg ntlmv2)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Wed, 1 Mar 2017 01:19:50 +0000 (14:19 +1300)]
dns: Provide local and remote socket address to GENSEC
This can be used for logging and for Kerberos channel bindings
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 23:18:49 +0000 (12:18 +1300)]
auth: Add logging of service authorization
In ntlm_auth.c and authdata.c, the session info will be incomplete
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Fri, 24 Feb 2017 00:29:12 +0000 (13:29 +1300)]
rpc: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 23 Feb 2017 01:31:52 +0000 (14:31 +1300)]
auth: Always supply both the remote and local address to the auth subsystem
This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 22:23:28 +0000 (11:23 +1300)]
s3-auth: Clarify the role and purpose of the auth_serversupplied_info->security_token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 23 Feb 2017 00:50:14 +0000 (13:50 +1300)]
auth: Generate a human readable Authentication log message.
Add a human readable authentication log line, to allow
verification that all required details are being passed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 22:39:17 +0000 (11:39 +1300)]
debug: Add debug class for auth_audit
This will be an audit stream of authentication and connection-level authorization
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 28 Feb 2017 22:22:43 +0000 (11:22 +1300)]
s3-auth: Split out get_user_sid_info3_and_extra() from create_local_nt_token_from_info3()
This will allow us to get the SID in another location for logging
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 28 Feb 2017 22:10:29 +0000 (11:10 +1300)]
lib/util: Add functions to escape log lines but not break all non-ascii
We do not want to turn every non-ascii username into a pile of hex, so we instead focus
on avoding newline insertion attacks and other low control chars
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 21 Feb 2017 03:22:07 +0000 (16:22 +1300)]
s4-rpc_server: Correct comment about where the current iface can be found
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 23:14:12 +0000 (12:14 +1300)]
winbindd: Clarify that we do not pre-hash the password for rpccli_netlogon_password_logon()
rpccli_netlogon_password_logon() is called in winbind_samlogon_retry_loop() if interactive
is set, and does not use the hashed passwords.
This is only needed for winbindd_dual_auth_passdb(), and by moving the call we both
avoid the extra work and allow it to also be removed in this code path
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 22:57:57 +0000 (11:57 +1300)]
auth: Add "auth_description" to allow logs to distinguish simple bind (etc)
This will allow the authentication log to indicate clearly how the password was
supplied to the server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:57:03 +0000 (15:57 +1300)]
ldap_server: Move code into authenticate_ldap_simple_bind()
This function is only called for simple binds, and by moving the mapping into
the function call we allow the unmapped values to be included in the
user_info and so logged.
We also include the local address and the remote address of the client
for future logging
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:55:34 +0000 (15:55 +1300)]
auth: Add a reminder about the strings currently used for auditing
We will soon have a much better replacement, but a note here may help some in the transition
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Thu, 9 Mar 2017 02:10:14 +0000 (15:10 +1300)]
s4-ldap_server: Do not set conn->session_info to NULL, keep valid at all times
We need this to be valid, right up until a new session_info is created and
it is replaced.
We need this to have a valid value at all times, and we are still anonymous
until the new bind completes
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Feb 2017 01:15:05 +0000 (14:15 +1300)]
s4-ldap_server: Set remote and local address values into GENSEC
This will allow channel bindings and logging of the address values used during
authentication
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 02:54:47 +0000 (15:54 +1300)]
s4-ldap_server: Split gensec setup into a helper function
This makes the error handling simpler when we set more
details onto the gensec context.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:52:07 +0000 (14:52 +1300)]
auth: Fill in user_info->service_description from all callers
This will allow the logging code to make clear which protocol an authentication was for.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:18:57 +0000 (14:18 +1300)]
ntlm_auth: Set ntlm_auth as the service_description into gensec
This allows this use case to be clearly found when logged.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:17:34 +0000 (14:17 +1300)]
s3-auth: Pass service_description into gensec via auth_generic_prepare()
This allows the GENSEC service description to be set from the various callers
that go via this function.
The RPC service description is the name of the interface from the IDL.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 01:15:46 +0000 (14:15 +1300)]
gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSP
This allows the GENSEC service description to be read at authentication time
for logging, eg that the user authenticated to the SAMR server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Mon, 20 Feb 2017 00:32:47 +0000 (13:32 +1300)]
gensec: Add gensec_{get,set}_target_service_description()
This allows a free text description of what the server-side service is for logging
purposes where the various services may be using the same Kerberos service or not
use Kerberos.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:04:52 +0000 (12:04 +1300)]
s4-netlogon: Remember many more details in the auth_usersupplied info for future logs
This will allow a very verbose JSON line to be logged that others can audit from in the future
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Sun, 19 Feb 2017 23:01:37 +0000 (12:01 +1300)]
s4-smbd: Remember the original client and server IPs from the SMB connection
We need to know in the RPC server the original address the client came from
so that we can log this with the authentication audit information
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 14 Mar 2017 03:43:06 +0000 (16:43 +1300)]
auth_log: Add tests by listening for JSON messages over the message bus
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Pair-programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 16 Mar 2017 03:24:20 +0000 (16:24 +1300)]
TestBase: move insta_creds from password_lockout.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Mon, 20 Mar 2017 20:58:18 +0000 (09:58 +1300)]
python net: add username, oldpassword and domain to change_password
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Tue, 21 Mar 2017 03:00:38 +0000 (16:00 +1300)]
pysmb: Check for credentials using same method as pyrpc
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Andrew Bartlett [Tue, 21 Mar 2017 22:07:49 +0000 (11:07 +1300)]
pysmb: Extend py_smb_new to allow use_ntlmv2 and use_spnego to be set by callers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 17:13:48 +0000 (18:13 +0100)]
s3/smbd: make copy chunk asynchronous
Just use SMB_VFS_PREAD_SEND/RECV and SMB_VFS_PWRITE_SEND/RECV in a
sensible loop.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 28 21:36:18 CEST 2017 on sn-devel-144
Ralph Boehme [Sun, 12 Mar 2017 16:23:09 +0000 (17:23 +0100)]
vfs_default: move check for fsp->op validity
Move the check whether fsp->of is valid out of the copy loop in
vfswrap_copy_chunk_send().
It's sufficient to check src_fsp->op and dest_fsp->op once before the
copy loop. fsp->op can only be NULL for internal opens (cf file_new()),
it's not expected to become NULL behind our backs.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 17:34:22 +0000 (18:34 +0100)]
s3/smbd: optimize copy-chunk by merging chunks if possible
Merge chunks with adjacent ranges. This results in fewer IO requests for
the typical server-side file copy usecase: just one 16 MB copy instead
of sixteen 1 MB.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 08:17:03 +0000 (09:17 +0100)]
s3/smbd: implement a serializing async copy-chunk loop
Later commits will make the low level copy-chunk implementation async
using a thread pool. That means the individual chunks may be scheduled
and copied out-of-order at the low level.
According to conversation with MS Dochelp, a server implementation
must process individual chunks in order.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 21 Mar 2017 07:26:37 +0000 (08:26 +0100)]
s3/smbd: move cc_copy into fsctl_srv_copychunk_state
No change, in behaviour, just preperational stuff to unroll the core
copy loop.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sun, 12 Mar 2017 16:18:39 +0000 (17:18 +0100)]
vfs_default: let copy_chunk_send use const from IDL
This also increases the buffer size from 8 MB to the current value of
COPYCHUNK_MAX_TOTAL_LEN which is 16 MB.
For the typical case when vfswrap_copy_chunk_send is called from the SMB
layer for an copy_chunk ioctl() the parameter "num" is guaranteed to be
at most 1 MB though.
It will only be larger for special callers like vfs_fruit for their
special implementation of copyfile where num will be the size of a file
to copy.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Wed, 8 Mar 2017 14:07:06 +0000 (15:07 +0100)]
s3/smbd: move copychunk ioctl limits to IDL
This will be needed in the next commit in vfs_default.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Björn Baumbach [Mon, 27 Mar 2017 15:43:07 +0000 (17:43 +0200)]
tdb/tools: add documentation for the tdbbackup -n option
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org
Uri Simchoni [Sun, 26 Mar 2017 09:02:09 +0000 (12:02 +0300)]
s3-libsmb: support rename and replace for SMB1
Add cli_smb1_rename_send() which renames a file via
setting FileRenameInformation.
Curretly this path is invoked only if replacing
an existing file is requested. This is because as far
as I can see, Windows uses CIFS rename for anything below
SMB2.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 06:14:43 +0000 (09:14 +0300)]
s3-libsmb: fail rename and replace inside cifs variant
Another refactoring step - fail request to rename and
replace existing file from within the CIFS version,
allowing the soon-to-be-added SMB version to succeed.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:54:42 +0000 (08:54 +0300)]
s3-libsmb: cli_cifs_rename_send()
Pure refactoring - current rename is [MS-CIFS] - style
rename. In later patch we'll introduce [MS-SMB] rename.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Sun, 26 Mar 2017 05:10:34 +0000 (08:10 +0300)]
libcli: introduce smbXcli_conn_support_passthrough()
This routine queries the client connenction whether
it supports query/set InfoLevels beyond 1000 (which,
in Windows OS, is a pass-through mechanism to the
file system).
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:56:35 +0000 (23:56 +0200)]
manpages: update smbclient manpage with rename -f option
Document the -f option of the rename command.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:26:05 +0000 (23:26 +0200)]
smbclient: add -f option to rename command
This option causes the rename to request that the
destination file / directory be replaced if it exists.
Supported only in SMB2 and higher protocol.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:13:07 +0000 (23:13 +0200)]
s3: libsmb: add replace support to cli_rename()
Adds support for replacing the destination file at
the higher-level cli_rename(). This is actually supported
only by SMB2, and fails with invalid parameter with SMB1.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Uri Simchoni [Tue, 21 Mar 2017 21:02:48 +0000 (23:02 +0200)]
s3: libsmb: add replace support to SMB2 rename
SMB2 rename operation supports replacing the
destination file if it exists.
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>