path: root/source3
Commit log (one entry per commit: subject; author, age, files changed, lines removed/added; commit message)
* net: make use of secrets_*_password_change() for "net changesecretpw"
  Stefan Metzmacher, 2017-06-27, 1 file, -7/+44

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:trusts_util: make use the workstation password change more robust
  Stefan Metzmacher, 2017-06-27, 1 file, -17/+187

  We use secrets_{prepare,failed,defer,finish}_password_change() to make
  the process more robust.

  Even if we just verified the current password with the DC it can
  still happen that the remote password change will fail.

  If a server has the RefusePasswordChange=1 under
  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, it will
  reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD. This
  results in a successful local change, but a failing remote change,
  which means the domain membership is broken (as we don't fall back to
  the previous password for ntlmssp nor kerberos yet).

  An (at least Samba) RODC will also reject a password change, see
  https://bugzilla.samba.org/show_bug.cgi?id=12773.

  Even with this change we still have open problems, e.g. if the
  password was changed, but we didn't get the server's response. In
  order to fix that we need to use only netlogon and lsa over
  unprotected transports, just using schannel authentication (which
  supports the fallback to the old password).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libnet: make use of secrets_store_JoinCtx()
  Stefan Metzmacher, 2017-06-27, 1 file, -21/+5

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+85

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
  Stefan Metzmacher, 2017-06-27, 2 files, -0/+1419

  We now store various hashed keys at change time and maintain a lot of
  details that will help with debugging failed password changes.

  We keep storing the legacy values:

    SECRETS/SID/
    SECRETS/DOMGUID/
    SECRETS/MACHINE_LAST_CHANGE_TIME/
    SECRETS/MACHINE_PASSWORD/
    SECRETS/MACHINE_PASSWORD.PREV/
    SECRETS/SALTING_PRINCIPAL/DES/

  This allows downgrades to older Samba versions.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
  Stefan Metzmacher, 2017-06-27, 2 files, -2/+92

  This blob will be stored in secrets.tdb. It makes it possible to store
  much more useful details about the workstation trust.

  The key feature that triggered this change is the ability to store
  details for the next password change before doing the remote change.
  This will allow us to recover from failures.

  While being there I also thought about possible new features, which we
  may implement in the near future.

  We also store the raw UTF16-like cleartext buffer as well as derived
  keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
  This will allow us to avoid recalculating the keys for an in-memory
  keytab in future.

  I also added a pointer to an optional lsa_ForestTrustInformation
  structure, which might be useful to implement multi-tenancy in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
  Stefan Metzmacher, 2017-06-27, 1 file, -12/+31

  Even in the case where only the password is known to the server, we
  should try to leave a valid authentication behind.

  We have better ways to identify which password worked than only using
  the current one.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
  Stefan Metzmacher, 2017-06-27, 2 files, -8/+50

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
  Stefan Metzmacher, 2017-06-27, 2 files, -7/+27

  This way the caller can pass more than 2 hashes and can only know
  which hash was used for a successful connection.

  We allow up to 4 hashes (next, current, old, older).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:trusts_util: pass dcname to trust_pw_change()
  Stefan Metzmacher, 2017-06-27, 6 files, -0/+15

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
  Stefan Metzmacher, 2017-06-27, 1 file, -4/+4

  We just want all values to be removed at the end, it doesn't matter if
  they didn't exist before.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
  Stefan Metzmacher, 2017-06-27, 3 files, -8/+15

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
  Stefan Metzmacher, 2017-06-27, 2 files, -7/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
  Stefan Metzmacher, 2017-06-27, 1 file, -4/+22

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
  Stefan Metzmacher, 2017-06-27, 1 file, -15/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
  Stefan Metzmacher, 2017-06-27, 1 file, -2/+9

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
  Stefan Metzmacher, 2017-06-27, 1 file, -14/+5

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
  Stefan Metzmacher, 2017-06-27, 2 files, -0/+20

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: rename secrets_delete() to secrets_delete_entry()
  Stefan Metzmacher, 2017-06-27, 5 files, -16/+16

  secrets_delete_entry() fails if the key doesn't exist.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
  Stefan Metzmacher, 2017-06-27, 1 file, -5/+3

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: add some const to secrets_store_domain_guid()
  Stefan Metzmacher, 2017-06-27, 2 files, -2/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: split out a domain_guid_keystr() function
  Stefan Metzmacher, 2017-06-27, 1 file, -10/+14

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: rework des_salt_key() to take the realm as argument
  Stefan Metzmacher, 2017-06-27, 1 file, -12/+13

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
  Stefan Metzmacher, 2017-06-27, 5 files, -100/+101

  These don't use any krb5_context related functions and they just work
  on secrets.tdb, so they really belong to machine_account_secrets.c.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
  Stefan Metzmacher, 2017-06-27, 2 files, -10/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
  Stefan Metzmacher, 2017-06-27, 1 file, -6/+8

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
  Stefan Metzmacher, 2017-06-27, 1 file, -3/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
  Stefan Metzmacher, 2017-06-27, 1 file, -26/+14

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libads: provide a simpler kerberos_fetch_salt_princ() function
  Stefan Metzmacher, 2017-06-27, 2 files, -3/+9

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
  Stefan Metzmacher, 2017-06-27, 1 file, -33/+4

  The handling for per encryption type salts was removed in Samba
  3.0.23a (Jul 21, 2006).

  It's very unlikely that someone has such an installation that got
  constantly upgraded over 10 years with an automatic password change
  nor rejoin.

  It also means that the KDC only has a salt-less arcfour-hmac-md5 key
  together with the salted des keys. So there would only be a problem
  if the client would try to use a des key to contact the smb server.

  Having this legacy code adds quite some complexity for no good reason.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
  Stefan Metzmacher, 2017-06-27, 1 file, -11/+10

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
  Stefan Metzmacher, 2017-06-27, 1 file, -5/+4

  We should not store the secrets before we did all remote changes
  (except the optional dns updates).

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
  Stefan Metzmacher, 2017-06-27, 1 file, -5/+10

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
  Stefan Metzmacher, 2017-06-27, 1 file, -3/+21

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
  Stefan Metzmacher, 2017-06-27, 1 file, -1/+12

  We should separate the calculation and the storing steps.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
  Stefan Metzmacher, 2017-06-27, 1 file, -1/+2

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: remember the domain_guid for AD domains
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
  Stefan Metzmacher, 2017-06-27, 1 file, -9/+9

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libnet_join: remove dead code from libnet_join_connect_ads()
  Stefan Metzmacher, 2017-06-27, 1 file, -7/+2

  username[strlen(username)] is *always* '\0'!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:libads: remove unused kerberos_secrets_store_salting_principal()
  Stefan Metzmacher, 2017-06-27, 2 files, -75/+0

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
  Stefan Metzmacher, 2017-06-27, 1 file, -1/+1

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:smbd: unimplement FSCTL_VALIDATE_NEGOTIATE_INFO with "server max protocol = SMB2_02"
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+17

  A client that supports SMB3 will do a signed
  FSCTL_VALIDATE_NEGOTIATE_INFO after a tree connect.

  This FSCTL_VALIDATE_NEGOTIATE_INFO call contains the client
  capabilities, client guid, security mode and the array of supported
  dialects. But if SMB 2.02 is negotiated the client doesn't send these
  values to the server in the first connection attempt (when the client
  starts with a SMB1 Negotiate).

  Windows servers that only support SMB2 just return
  NT_STATUS_FILE_CLOSED as answer to FSCTL_VALIDATE_NEGOTIATE_INFO.

  We should do the same if we just pretend to support SMB 2.02; as SMB
  2.10 always includes an SMB2 Negotiate request we can leave it as is.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:selftest: run test_smbclient_basic.sh against nt4_dc_schannel with various protocols
  Stefan Metzmacher, 2017-06-27, 1 file, -0/+6

  This prepared a reproducer for bug #12772 'Clients with SMB3 support
  can't connect with "server max protocol = SMB2_02"'.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12772
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:test_smbclient_basic.sh: make use of $incdir/common_test_fns.inc
  Stefan Metzmacher, 2017-06-27, 1 file, -20/+5

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:test_smbclient_basic.sh: make use of $ADDARGS
  Stefan Metzmacher, 2017-06-27, 1 file, -1/+1

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:gse_krb5: fix a possible crash in fill_mem_keytab_from_system_keytab()
  Michael Saxl, 2017-06-27, 1 file, -0/+8

  If the keytab file isn't readable, we may call krb5_kt_end_seq_get()
  with an invalid kt_cursor.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10490
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Michael Saxl <mike@mwsys.mine.bz>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>

* s3:tests: Add blackbox test for 'net usershare'
  Andreas Schneider, 2017-06-27, 2 files, -0/+84

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>

* s3:param: Allow to add usershare if uid_wrapper is loaded
  Andreas Schneider, 2017-06-27, 1 file, -2/+17

  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>