path: root/selftest/knownfail
Commit message | Author | Age | Files | Lines
* Merge tag 'samba-4.7.9' into v4-7-test | Karolin Seeger | 2018-08-14 | 1 | -1/+2

    samba: tag release samba-4.7.9
* CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". | Günther Deschner | 2018-08-11 | 1 | -1/+2

    This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

    Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

    In order to demonstrate simply run:

    smbclient //server/share -U user%password -mNT1 -c quit \
        --option="client ntlmv2 auth"=no \
        --option="client use spnego"=no

    against a server that uses "ntlm auth = ntlmv2-only" (our default setting).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
    CVE-2018-1139: Weak authentication protocol allowed.

    Guenther

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
    Signed-off-by: Guenther Deschner <gd@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* s3: libsmbclient: Fix cli_splice() fallback when reading less than a complete file. | Jeremy Allison | 2018-07-28 | 1 | -2/+0

    We were always asking for SPLICE_BLOCK_SIZE even when the remaining bytes
    we wanted were smaller than that. This works when using cli_splice() on a
    complete file, as the cli_read() terminated the read at the right place.
    We always have the space to read SPLICE_BLOCK_SIZE bytes so this isn't
    an overflow.

    Found by Bailey Berro <baileyberro@google.com>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527

    Signed-off-by: Bailey Berro <baileyberro@google.com>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>

    Autobuild-User(master): David Disseldorp <ddiss@samba.org>
    Autobuild-Date(master): Fri Jul 13 14:57:14 CEST 2018 on sn-devel-144

    (cherry picked from commit c9656fd2977557ab20ec4e3d87c385a9b2f1bf43)
* s3: torture: Test SMB1 cli_splice() fallback path when doing a non-full file splice. | Jeremy Allison | 2018-07-28 | 1 | -0/+2

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13527

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
    (cherry picked from commit 1c8d1cceff852acaca4a0ec0da37b053ed03fe4a)
    (cherry picked from commit 49d6c3f061284aac31c3ef21f88f9d69bdd86bd8)

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Sat Jul 14 00:14:13 CEST 2018 on sn-devel-144
* selftest: run smb2.streams tests against a share with vfs_streams_xattr | Ralph Boehme | 2018-07-12 | 1 | -0/+3

    The tests are currently only run against streams_depot, where stream IO is
    handle based, compared to streams_xattr which is path based.
    vfs_streams_xattr is also used much more in real world setups, so we
    should run our tests against it.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13451

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (backported from commit aa096ab70a466388a9947f73a525b2dcbb9821e5)
* s3: smbtorture: Add new SMB2-DIR-FSYNC test to show behavior of FSYNC on directories. | Jeremy Allison | 2018-06-19 | 1 | -0/+1

    Tests against a directory handle on the root of a share, and a directory
    handle on a sub-directory in a share.

    Check SEC_DIR_ADD_FILE and SEC_DIR_ADD_SUBDIR separately, either allows
    flush to succeed.

    Passes against Windows.

    Regression test for:

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13428

    Signed-off-by: Jeremy Allison <jra@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri May 18 02:38:50 CEST 2018 on sn-devel-144

    (cherry picked from commit d42f467a25e75e5487a00378609a24809ddc83ee)
* smbd: Cache dfree information based on query path | Christof Schmitt | 2018-06-07 | 1 | -1/+0

    Sub directories in a SMB share can have different free space information
    (e.g. when a different file system is mounted there). Caching the dfree
    information per SMB share will return invalid data. Address this by
    switching to memcache and store the cached data based on the query path.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (cherry picked from commit 8f121747b06ca78cf51801a3931b2ddd1a424c77)
* selftest: Add test for 'dfree cache' | Christof Schmitt | 2018-06-07 | 1 | -0/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13446

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (cherry picked from commit a55b3d2fcc2f7737a2702bf908dcf1f80969bf21)
* rpc_server: Fix NetSessEnum with stale sessions | Christof Schmitt | 2018-05-07 | 1 | -1/+0

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Wed Apr 25 22:49:07 CEST 2018 on sn-devel-144

    (cherry picked from commit a6fade4e10760284ef56abf45d3fa70038091cbe)
* selftest: Add testcase for querying sessions after smbd crash | Christof Schmitt | 2018-05-07 | 1 | -0/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13407

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (cherry picked from commit e04846c7df8e3eec1f3dbb2fc5eaf47ceb1c44d2)
* winbindd: Do not ignore domain in the LOOKUPNAME request | Christof Schmitt | 2018-04-11 | 1 | -2/+0

    A LOOKUPNAME request with a domain and a name containing a winbind
    separator character would return the result for the joined domain,
    instead of the specified domain.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>

    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Fri Apr 6 21:03:31 CEST 2018 on sn-devel-144

    (cherry picked from commit 1775ac8aa4dc00b9a0845ade238254ebb8b32429)

    Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
    Autobuild-Date(v4-7-test): Wed Apr 11 13:53:02 CEST 2018 on sn-devel-144
* Add test for wbinfo name lookup | Christof Schmitt | 2018-04-11 | 1 | -0/+2

    This demonstrates that wbinfo -n / --name-to-sid returns information
    instead of failing the request. More specifically the query for
    INVALIDDOMAIN//user returns the user SID for the joined domain, instead
    of failing the request.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13312

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    (cherry picked from commit 552a00ec1f6795b9025298931a6cc50ebe552052)
* smbd: Fix coredump on failing chdir during logoff | Christof Schmitt | 2018-01-02 | 1 | -1/+0

    server_exit does an internal tree disconnect which requires a chdir to
    the share directory. In case the file system encountered a problem and
    the chdir call returns an error, this triggers a SERVER_EXIT_ABNORMAL
    which in turn results in a panic and a coredump.

    As the log already indicates the problem (chdir returned an error), avoid
    the SERVER_EXIT_ABNORMAL in this case and not trigger a coredump.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Sat Dec 16 01:56:06 CET 2017 on sn-devel-144

    (cherry picked from commit 7fa91fc4791d076c609eaf119753e38dd3c50a1c)

    Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
    Autobuild-Date(v4-7-test): Tue Jan 2 14:19:44 CET 2018 on sn-devel-144
* selftest: Add test for failing chdir call in smbd | Christof Schmitt | 2018-01-02 | 1 | -0/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13189

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
    (cherry picked from commit 0d3000be2af8f8c4a37892d95ae694ad834d7b3a)
* selftest: Split out dbcheck runs from dangling_multi_valued test | Andrew Bartlett | 2017-11-29 | 1 | -1/+1

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
    (cherry picked from commit b99d2ee122991d0bf1742fa5665656bbbba44057)
* selftest: Also run smbtorture smb2.compound with aio enabled | Christof Schmitt | 2017-11-01 | 1 | -0/+1

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13047

    Signed-off-by: Christof Schmitt <cs@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri Sep 22 09:49:30 CEST 2017 on sn-devel-144

    (cherry picked from commit 3a360f552d6641952931d3aa8a9ce85a648de3e1)
* selftest: Add test for password change when NTLM is disabled | Tim Beale | 2017-08-16 | 1 | -0/+2

    When NTLM is disabled, the server should reject NTLM-based password
    changes. Changing the password is a bit complicated from python, but
    because the server should reject the password change outright with
    NTLM_BLOCKED, the test doesn't actually need to provide valid credentials.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923

    Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Fri Jul 21 13:54:35 CEST 2017 on sn-devel-144

    (cherry picked from commit 4e04f025a0665e2573bdd92efe9ba5aa9dcd82d7)

    Autobuild-User(v4-7-test): Karolin Seeger <kseeger@samba.org>
    Autobuild-Date(v4-7-test): Wed Aug 16 13:03:26 CEST 2017 on sn-devel-144
* samdb/cracknames: support user and service principal as desired format | Bob Campbell | 2017-07-31 | 1 | -1/+0

    This adds support for DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL and
    DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL as desired formats.

    This also causes the test in cracknames.py to no longer fail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

    Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Mon Jul 24 11:10:26 CEST 2017 on sn-devel-144

    (cherry picked from commit eb2e77970e41c1cb62c041877565e939c78ff52d)
* python/tests: add python test for cracknames | Bob Campbell | 2017-07-31 | 1 | -0/+1

    This fails due to the bug, which causes the related test in
    drsuapi_cracknames.c to flap. It also fails due to us not yet supporting
    DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL or
    DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12842

    Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    (cherry picked from commit 4779afe0d2dd14371b68e80f47d11942456bb365)
* selftest: Disable NTLM authentication in ktest environment | Tim Beale | 2017-07-04 | 1 | -0/+2

    This allows us to prove that "ntlm auth = disabled" works

    Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
* s3-rpc_server: Disable the NETLOGON server by default | Andrew Bartlett | 2017-07-04 | 1 | -0/+4

    The NETLOGON server is only needed when the classic/NT4 DC is enabled
    and has been the source of security issues in the past. Therefore reduce
    the attack surface.

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4/torture: test fetching a resume key twice | Ralph Boehme | 2017-07-03 | 1 | -0/+1

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
* netlogon: Add necessary security checks for SendToSam | Garming Sam | 2017-05-30 | 1 | -1/+0

    We eliminate a small race between GUID -> DN and ensure RODC can only
    reset bad password count on accounts it is allowed to cache locally.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/rodc: Check SID restriction for SendToSam | Garming Sam | 2017-05-30 | 1 | -0/+1

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* rodc: Set non-authoritative for RODC bad passwords | Garming Sam | 2017-05-30 | 1 | -1/+0

    This requires as a pre-requisite that the auth stack is not run twice.
    We remove the knownfail introduced in the earlier patch.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/rodc: Test for NTLM wrong password forwarding | Garming Sam | 2017-05-30 | 1 | -0/+1

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* winbindd: Do not run SAM auth stack in winbind SamLogon | Garming Sam | 2017-05-30 | 1 | -0/+4

    pdbtest.s4winbind no longer is applicable without a live NETLOGON
    connection.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4/torture: add a leases test with stat open | Ralph Boehme | 2017-05-28 | 1 | -0/+1

    This test passes against Windows 2016 but currently fails against Samba
    for some reason. The test does the following:

    1. A stat open on a file, then
    2. a second open with a RWH-lease request

    Windows grants a RWH-lease in step 2, while Samba only grants a R-lease.
    Go figure...

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Ralph Böhme <slow@samba.org>
    Autobuild-Date(master): Sun May 28 18:52:52 CEST 2017 on sn-devel-144
* auth pycredentials: incorrect PyArg_ParseTupleAndKeywords call | Gary Lockyer | 2017-05-25 | 1 | -2/+0

    The challenge parameter was being treated as a string rather than as a
    data blob. This was causing intermittent seg faults.

    Removed the server_timestamp parameter as it's not currently used.

    Unable to produce a test case to reliably replicate the failure. However
    auth_log_samlogon does flap.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth_log: Add test that exercises the SamLogon python bindings | Gary Lockyer | 2017-05-25 | 1 | -0/+2

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool add support for userPassword | Gary Lockyer | 2017-05-25 | 1 | -8/+0

    Changes to virtualCryptSHA256 and virtualCryptSHA512 attributes. The
    values are now calculated as follows:

    1) If a value exists in 'Primary:userPassword' with the specified number
       of rounds it is returned.
    2) If 'Primary:CLEARTEXT', or 'Primary:SambaGPG' with
       '--decrypt-samba-gpg'. Calculate a hash with the specified number of
       rounds
    3) Return the first {CRYPT} value in 'Primary:userPassword' with a
       matching algorithm

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool tests: add tests for userPassword | Gary Lockyer | 2017-05-25 | 1 | -0/+8

    Tests to ensure that precomputed SHA256 and SHA512 hashes in
    'supplementalCredentials Primary:userPassword' are used correctly in the
    calculation of virtualCryptSHA256 and virtualCryptSHA512

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* password_hash: generate and store Primary:userPassword | Gary Lockyer | 2017-05-25 | 1 | -9/+0

    Generate sha256 and sha512 password hashes and store them in
    supplementalCredentials

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests password_hash: add tests for Primary:userPassword | Gary Lockyer | 2017-05-25 | 1 | -0/+9

    Add tests to verify the generation and storage of sha256 and sha512
    password hashes in supplementalCredentials Primary:userPassword

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool user: add rounds option to virtualCryptSHAxxx | Gary Lockyer | 2017-05-25 | 1 | -3/+0

    Allow the number of rounds to be specified when calculating the
    virtualCryptSHA256 and virtualCryptSHA512 attributes.

    i.e. --attributes="virtualCryptSHA256;rounds=3000" will calculate the
    hash using 3,000 rounds.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool tests: Tests for virtualCryptSHAxxx rounds | Gary Lockyer | 2017-05-25 | 1 | -0/+3

    Add tests for the new rounds option for the virtualCryptSHA256 and
    virtualCryptSHA512 attributes.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool user: Support for virtualWDigest attributes | Gary Lockyer | 2017-05-25 | 1 | -14/+0

    Add new virtualWDigest attributes, these return the hashes stored in
    supplementalCredentials Primary:WDigest, in a form suitable for htdigest
    authentication

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* samba-tool user: Tests for virtualWDigest attributes | Gary Lockyer | 2017-05-25 | 1 | -0/+14

    Add tests for the new virtualWDigest attributes, these return the hashes
    stored in supplementalCredentials Primary:WDigest in a form suitable for
    use with htdigest authentication.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4/torture: smb2.ioctl: add copy-chunk test with stream to smb2.ioctl | Ralph Boehme | 2017-05-17 | 1 | -0/+1

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12787

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: David Disseldorp <ddiss@samba.org>
* source3 smbd: fix null pointer dereference | Gary Lockyer | 2017-04-28 | 1 | -2/+0

    Fix the null pointer dereference in smbd, introduced in the auth logging
    changes.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Fri Apr 28 07:18:54 CEST 2017 on sn-devel-144
* source3 smbd: tests for null pointer dereference | Gary Lockyer | 2017-04-28 | 1 | -0/+2

    Test case to replicate null pointer dereference in smbd, introduced in
    the auth logging changes.

    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* password-lockout: Allow RODC to ensure lockout and lockout reset | Garming Sam | 2017-04-13 | 1 | -1/+0

    Prior to this, the modification of lockoutTime triggered referrals.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* password_lockout: Tests against RODC (once preloaded) | Garming Sam | 2017-04-13 | 1 | -0/+1

    In this scenario, both the login server and the verification server are
    the RODC. This tests that a user is locked out correctly once the lockout
    limit is reached and they are also unlocked correctly when the lockout
    time period expires.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* tests/rodc: Add a number of tests for RODC-RWDC interaction | Garming Sam | 2017-04-13 | 1 | -0/+1

    This tests password fallback to RWDC in preloaded and non-preloaded
    cases. It also tests some basic scenarios around what things are
    replicated between the two DCs.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* rodc: Force all RODC add and delete to cause a referral | Garming Sam | 2017-04-13 | 1 | -2/+1

    Previously, you could add or delete and cause replication conflicts on
    an RODC. Modifies are already partly restricted in repl_meta_data and
    have more specific requirements, so they cannot be handled here.

    We still differ against Windows for modifies of non-replicated
    attributes over LDAP.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
* selftest: Add ldap rodc python test | Garming Sam | 2017-04-13 | 1 | -0/+3

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12008
* libcli/security: fix dom_sid_in_domain() | Ralph Boehme | 2017-04-12 | 1 | -1/+0

    Ensure the SID has exactly one component more than the domain SID, eg

    Domain SID: S-1-5-21-1-2-3
    SID:        S-1-5-21-1-2-3-4

    This will return true.

    If the SID has more components, eg

    SID: S-1-5-21-1-2-3-4-5, or
    SID: S-1-5-21-1-2-3-4-5-6-7-8

    dom_sid_in_domain() must return false.

    This was verified against Windows:

    lsa_LookupSids: struct lsa_LookupSids
        out: struct lsa_LookupSids
            domains                  : *
                domains                  : *
                    domains: struct lsa_RefDomainList
                        count                    : 0x00000002 (2)
                        domains                  : *
                            domains: ARRAY(2)
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x000e (14)
                                        size                     : 0x0010 (16)
                                        string                   : *
                                            string                   : 'BUILTIN'
                                    sid                      : *
                                        sid                      : S-1-5-32
                                domains: struct lsa_DomainInfo
                                    name: struct lsa_StringLarge
                                        length                   : 0x0012 (18)
                                        size                     : 0x0014 (20)
                                        string                   : *
                                            string                   : 'W4EDOM-L4'
                                    sid                      : *
                                        sid                      : S-1-5-21-278041429-3399921908-1452754838
                        max_size                 : 0x00000020 (32)
            names                    : *
                names: struct lsa_TransNameArray
                    count                    : 0x00000004 (4)
                    names                    : *
                        names: ARRAY(4)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_USER (1)
                                name: struct lsa_String
                                    length                   : 0x001a (26)
                                    size                     : 0x001a (26)
                                    string                   : *
                                        string                   : 'Administrator'
                                sid_index                : 0x00000001 (1)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x005c (92)
                                    size                     : 0x005e (94)
                                    string                   : *
                                        string                   : 'S-1-5-21-278041429-3399921908-1452754838-500-1'
                                sid_index                : 0xffffffff (4294967295)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_ALIAS (4)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001c (28)
                                    string                   : *
                                        string                   : 'Administrators'
                                sid_index                : 0x00000000 (0)
                            names: struct lsa_TranslatedName
                                sid_type                 : SID_NAME_UNKNOWN (8)
                                name: struct lsa_String
                                    length                   : 0x001c (28)
                                    size                     : 0x001e (30)
                                    string                   : *
                                        string                   : 'S-1-5-32-544-9'
                                sid_index                : 0xffffffff (4294967295)
            count                    : *
                count                    : 0x00000002 (2)
            result                   : STATUS_SOME_UNMAPPED

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* auth4: avoid map_user_info() in auth_check_password_send() | Stefan Metzmacher | 2017-04-10 | 1 | -4/+0

    The cracknames call is done in the "sam" backend now.

    In order to support trusted domains correctly, the backends need to get
    the raw values from the client.

    This is the important change in order to no longer silently map users
    from trusted domains to local users.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:selftest: run test_trust_ntlm.sh against various environments | Stefan Metzmacher | 2017-04-10 | 1 | -0/+14

    This shows that NTLM authentication is currently completely broken on
    DCs of AD domains with trusts.

    Currently we completely ignore the client provided domain and try to
    authenticate against the username in our local sam.ldb.

    If the same username/password combination exists in both domains, the
    user of the trusted domain silently impersonates the user of the local
    domain.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12709

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* winbindd: trigger possible passdb_dsdb initialisation | Ralph Boehme | 2017-04-01 | 1 | -4/+0

    If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
    from secrets.tdb. As we use the domain SID in various places, we must
    ensure the domain SID is migrated from dsdb to secrets.tdb before
    get_global_sam_sid() is called the first time.

    The migration is done as part of the passdb_dsdb initialisation, calling
    pdb_get_domain_info() triggers it.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729

    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>

    Autobuild-User(master): Jeremy Allison <jra@samba.org>
    Autobuild-Date(master): Sat Apr 1 21:18:59 CEST 2017 on sn-devel-144