| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
That's currently always the case and will simplifies the callers.
WORKS now???
TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba4.rpc.lsa.secrets.*ncacn_np.*Kerberos.*Samba3.*fl2000dc'
and
TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba3.rpc.lsa.*ncacn_ip_tcp.*nt4_dc'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Dec 23 21:33:51 CET 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
| |
Update the minor version of the Authorisation to reflect the addition of
the "eventId" and "logonType" elements.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a new "logonType" element to the Authorisation JSON log messages.
This contains a Windows Logon Type, the supported logon types are:
2 Interactive
3 Network
8 NetworkCleartext
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
| |
Add a new "eventId" element to the Authorisation JSON log messages.
This contains a Windows Event Code Id either:
4624 Successful logon
4625 Unsuccessful logon
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Dec 14 18:00:40 CET 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To log JSON the human-readable logs must also have been enabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13715
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Dec 14 14:32:25 CET 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Feedback from real-world users is that they really want raw JSON
strings in the log.
We can not easily remove the leading " " but the other strings above
and before the JSON are really annoying to strip back off
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13714
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In PY3 both deepcopy & (shallow)copy fail with
Traceback (most recent call last):
File "auth/credentials/tests/bind.py", line 42, in <module>
creds_machine = copy.copy(creds)
File "/usr/lib64/python3.6/copy.py", line 96, in copy
rv = reductor(4)
TypeError: can't pickle credentials.Credentials objects
This patch avoids the nasty copies but creating and populating the
Credential objects instead of copying
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
set_password processes input using ParseTuple with "s" format, this
accepts string or unicode but...
Some py2 code is incorrectly using code like
credentials.set_password(pass.encode('utf8'))
however that won't work in PY3. We should just make sure the string
retrieved from unicode passed in is encoded with 'utf8'
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
|
|
| |
ccc was already allocated off cred, this talloc_steal was a no-op.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
|
|
|
|
| |
This is an extension of bb2f7e3aee7e9b8: Without this fix in the
"empty ccache" case we never set cred->ccache, so the whole call to
cli_credentials_set_ccache became pointless
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
|
|
| |
We'll add one in the next commit
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
| |
new_client_authenticator returns a dictionary. The key
'credential' needs to return bytes in Python3, without this
change the the code will attempt to convert the binary data to
a string (resulting sometimes in decode errors).
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Salt principal for the interdomain trust is krbtgt/DOMAIN@REALM where
DOMAIN is the sAMAccountName without the dollar sign ($)
The salt principal for the BLA$ user object was generated wrong.
dn: CN=bla.base,CN=System,DC=w4edom-l4,DC=base
securityIdentifier: S-1-5-21-4053568372-2049667917-3384589010
trustDirection: 3
trustPartner: bla.base
trustPosixOffset: -2147483648
trustType: 2
trustAttributes: 8
flatName: BLA
dn: CN=BLA$,CN=Users,DC=w4edom-l4,DC=base
userAccountControl: 2080
primaryGroupID: 513
objectSid: S-1-5-21-278041429-3399921908-1452754838-1597
accountExpires: 9223372036854775807
sAMAccountName: BLA$
sAMAccountType: 805306370
pwdLastSet: 131485652467995000
The salt stored by Windows in the package_PrimaryKerberosBlob
(within supplementalCredentials) seems to be
'W4EDOM-L4.BASEkrbtgtBLA' for the above trust
and Samba stores 'W4EDOM-L4.BASEBLA$'.
While the salt used when building the keys from
trustAuthOutgoing/trustAuthIncoming is
'W4EDOM-L4.BASEkrbtgtBLA.BASE', which we handle correct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 03:57:22 CEST 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
| |
found 1
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
| |
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
| |
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
| |
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
| |
Modify the auditing JSON API to return a response code, as the consensus
was that the existing error handling was aesthetically displeasing.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
| |
This is the common location of the audit logging code now
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.
Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.
This complements a similar patch set to log the transaction duration.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
| |
Re-factor the common calls to json_dumps DEBUGC and audit_message_send
into a separate function.
Add functions to retrieve json object and json array elements
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.
This fixes a regession in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.
We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).
As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This will be used to similate a Windows client only
using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
on an LDAP connection, which is indicated internally by
GENSEC_FEATURE_LDAP_STYLE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Thanks to Rowland for a clear description of the behaviour for the smb.conf manpage.
This means that those not wanting to link to libarchive will just need to
build --without-json-audit.
In general, we prefer that optional libraries be required by default
so that they are not accidentially missed, particularly in packages.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
| |
|
|
|
|
|
|
| |
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun May 13 00:24:35 CEST 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
| |
We have only set, need get.
Signed-off-by: Joe Guo <joeg@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
| |
Log the unique_session_token GUID on successful Authorizations.
This patch adds the "sessionID" attribute to the Authorization object
and increments the version to 1.1
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
| |
|
|
|
| |
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
|
| |
|
|
|
| |
Autobuild-User(master): Björn Baumbach <bbaumbach@samba.org>
Autobuild-Date(master): Fri Apr 20 21:12:33 CEST 2018 on sn-devel-144
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new configure option:
--with-json-audit
Build with JSON auth audit support (default=auto). This requires
the jansson devel package.
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): <bbaumbach@samba.org>
Autobuild-Date(master): Wed Apr 18 15:25:42 CEST 2018 on sn-devel-144
|
| |
|
|
|
|
| |
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When Samba is compiled with JSON support it logs an error message
at log level 3 by default for every authentication event:
get_auth_event_server: Failed to find 'auth_event' registered on the
message bus to send JSON authentication events to:
NT_STATUS_OBJECT_NAME_NOT_FOUND
This patch adjusts the log_json function to consider the smb.conf
parameter "auth event notification" before calling auth_message_send.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13381
Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 12 08:12:39 CEST 2018 on sn-devel-144
|
