[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Nov 15 23:30:01 MST 2010


The branch, master has been updated
       via  ebd8e66 samba-tool Add test for --store-plaintext
       via  c8c52be Update dcerpc_server.pc library name to match reality.
       via  2e44d0d samba-tool pwsettings Allow setting 'store cleartext'
       via  95d33f2 s4-ldif_handlers Add handler for printing supplementalCredentials
       via  b863159 s4-test_kinit Add tests for lowercase realm combinations
       via  4908237 heimdal Build ticket with the canonical server name
       via  d76f11a s4-kdc Fix the realm handling again, this time pay attention to the flags
       via  5c72c6b s4-kdc use 'flags' to only create the 'admin data' elements when requested
       via  935d7a6 s4-kdc Add 'flags' parameter to db fetch calls
      from  fe5c48c waf: added --git-local-changes configure option

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ebd8e66ed0c1aae4d482ea933a8a492a2ab82e13
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 16:43:05 2010 +1100

    samba-tool Add test for --store-plaintext
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Tue Nov 16 06:29:04 UTC 2010 on sn-devel-104

commit c8c52be4558c1e5bcb0db81f89f5b954f7ac6c05
Author: Brad Hards <bradh at frogmouth.net>
Date:   Tue Nov 16 16:42:50 2010 +1100

    Update dcerpc_server.pc library name to match reality.

commit 2e44d0d32980eaec236c8cfc80989b7600c0d25a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 16:32:55 2010 +1100

    samba-tool pwsettings Allow setting 'store cleartext'
    
    This allows the 'store cleartext' password policy flag to be (un)set.
    
    Andrew Bartlett

commit 95d33f2f24d7300f2df54ea62b0595ed7d7d0a2c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 16:32:27 2010 +1100

    s4-ldif_handlers Add handler for printing supplementalCredentials

commit b8631597f579555416dbd87ded3f329051965e8b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 16:01:19 2010 +1100

    s4-test_kinit Add tests for lowercase realm combinations
    
    This tests that the handling of lowercase realms works in our KDC and
    libraries.
    
    Andrew Bartlett

commit 4908237403543f6b0e3015637c5c49af47b515b0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 15:05:33 2010 +1100

    heimdal Build ticket with the canonical server name
    
    We need to use the name that the HDB entry returned, otherwise we
    will not canonicalise the reply as requested.
    
    Andrew Bartlett

commit d76f11a8bd685517b0e5a3be4684bec41af9e822
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 14:16:31 2010 +1100

    s4-kdc Fix the realm handling again, this time pay attention to the flags
    
    The KDC sets different flags for the AS-REQ (this is client-dependent)
    and the TGS-REQ to determine if the realm should be forced to the
    canonical value.  If we do this always, or do this never, we get into
    trouble, so it's much better to honour the flags we are given.
    
    Andrew Bartlett

commit 5c72c6b760af479b3e88b10cce713025528496c3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 14:12:17 2010 +1100

    s4-kdc use 'flags' to only create the 'admin data' elements when requested
    
    This avoids setting these values when the caller simply does not care
    
    Andrew Bartlett

commit 935d7a6f72567f09ccc8710079775fef0f077ada
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 16 14:07:18 2010 +1100

    s4-kdc Add 'flags' parameter to db fetch calls
    
    This will allow these calls to honour the flags passed in from the KDC
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/kdc/krb5tgs.c                      |    2 +-
 source4/kdc/db-glue.c                              |   77 ++++++++++++++------
 source4/lib/ldb-samba/ldif_handlers.c              |   23 ++++++
 source4/lib/ldb-samba/ldif_handlers.h              |    2 +-
 source4/rpc_server/dcerpc_server.pc.in             |    2 +-
 .../scripting/python/samba/netcmd/pwsettings.py    |   19 +++++-
 source4/setup/tests/blackbox_setpassword.sh        |    2 +-
 testprogs/blackbox/test_kinit.sh                   |    4 +
 8 files changed, 102 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 26e3936..4af4c29 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -2142,7 +2142,7 @@ server_lookup:
 			 kvno,
 			 *auth_data,
 			 server,
-			 sp,
+			 server->entry.principal,
 			 spn,
 			 client,
 			 cp,
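Review bot: The ticket is now built from `server->entry.principal` instead of the requested `sp`, so the sname the client receives depends entirely on whether the backend fetch honoured HDB_F_CANON, and nothing at this call site records that invariant. A comment on the new argument would make the dependency visible, e.g. `/* the backend returns the requested name unless HDB_F_CANON asked it to canonicalise */`. The enclosing call starts and ends outside this hunk, so whether `sp` is still used elsewhere in the function cannot be seen here.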
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 1dec6a5..b062282 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -541,12 +541,13 @@ out:
  * Construct an hdb_entry from a directory entry.
  */
 static krb5_error_code samba_kdc_message2entry(krb5_context context,
-					 struct samba_kdc_db_context *kdc_db_ctx,
-					 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
-					 enum samba_kdc_ent_type ent_type,
-					 struct ldb_dn *realm_dn,
-					 struct ldb_message *msg,
-					 hdb_entry_ex *entry_ex)
+					       struct samba_kdc_db_context *kdc_db_ctx,
+					       TALLOC_CTX *mem_ctx, krb5_const_principal principal,
+					       enum samba_kdc_ent_type ent_type,
+					       unsigned flags,
+					       struct ldb_dn *realm_dn,
+					       struct ldb_message *msg,
+					       hdb_entry_ex *entry_ex)
 {
 	struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
 	uint32_t userAccountControl;
@@ -644,7 +645,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		}
 	}
 
-	{
+	if (flags & HDB_F_ADMIN_DATA) {
 		/* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
 		 * of the Heimdal KDC.  They are stored in a the traditional
 		 * DB for audit purposes, and still form part of the structure
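Review bot: Gating the created_by/modified_by block on `flags & HDB_F_ADMIN_DATA` means those fields are now left untouched when the flag is absent; if `entry_ex` is not zero-initialised earlier in samba_kdc_message2entry (not visible in this hunk), the later free of the entry could see indeterminate pointers, so that initialisation is worth confirming. The existing comment should also mention the new condition, e.g. `/* Only filled in under HDB_F_ADMIN_DATA; the KDC proper never reads them */`. samba_kdc_message2entry continues outside this hunk.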
@@ -1062,6 +1063,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
 					       struct samba_kdc_db_context *kdc_db_ctx,
 					       TALLOC_CTX *mem_ctx,
 					       krb5_const_principal principal,
+					       unsigned flags,
 					       hdb_entry_ex *entry_ex) {
 	struct ldb_dn *realm_dn;
 	krb5_error_code ret;
@@ -1075,8 +1077,9 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
 	}
 
 	ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
-				       principal, SAMBA_KDC_ENT_TYPE_CLIENT,
-				       realm_dn, msg, entry_ex);
+				      principal, SAMBA_KDC_ENT_TYPE_CLIENT,
+				      flags,
+				      realm_dn, msg, entry_ex);
 	return ret;
 }
 
@@ -1084,6 +1087,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 					      struct samba_kdc_db_context *kdc_db_ctx,
 					      TALLOC_CTX *mem_ctx,
 					      krb5_const_principal principal,
+					      unsigned flags,
 					      uint32_t krbtgt_number,
 					      hdb_entry_ex *entry_ex)
 {
@@ -1092,6 +1096,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 	struct ldb_message *msg = NULL;
 	struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
 
+	krb5_principal alloc_principal = NULL;
 	if (principal->name.name_string.len != 2
 	    || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
 		/* Not a krbtgt */
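Review bot: `krb5_principal alloc_principal = NULL;` is placed after the blank line that ends the declaration block, directly against the first statement of the function. Moving it up next to `struct ldb_message *msg = NULL;` keeps the declarations together as the surrounding code does. samba_kdc_fetch_krbtgt continues outside this hunk.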
@@ -1141,9 +1146,32 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 			return HDB_ERR_NOENTRY;
 		}
 
+		if (flags & HDB_F_CANON) {
+			ret = krb5_copy_principal(context, principal, &alloc_principal);
+			if (ret) {
+				return ret;
+			}
+
+			/* When requested to do so, ensure that the
+			 * both realm values in the principal are set
+			 * to the upper case, canonical realm */
+			free(alloc_principal->name.name_string.val[1]);
+			alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
+			if (!alloc_principal->name.name_string.val[1]) {
+				ret = ENOMEM;
+				krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
+				return ret;
+			}
+			principal = alloc_principal;
+		}
+
 		ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
-					principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
-					realm_dn, msg, entry_ex);
+					      principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
+					      flags, realm_dn, msg, entry_ex);
+		if (flags & HDB_F_CANON) {
+			/* This is again copied in the message2entry call */
+			krb5_free_principal(context, alloc_principal);
+		}
 		if (ret != 0) {
 			krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
 		}
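Review bot: On the `strdup` failure path (`ret = ENOMEM; ... return ret;`) the principal obtained from `krb5_copy_principal` is leaked; add `krb5_free_principal(context, alloc_principal);` before that `return ret;` (`val[1]` is already NULL at that point, so the free is safe). The comment says "both realm values" but only `name_string.val[1]` is rewritten; if the `realm` member of the copy is also meant to be forced to `lpcfg_realm(lp_ctx)`, that is not done here, so confirm whether samba_kdc_message2entry handles it. Calling `free()`/`strdup()` directly on Heimdal's principal internals also assumes the bundled Heimdal allocates components with the C allocator, which deserves a one-line comment. samba_kdc_fetch_krbtgt continues outside this hunk.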
@@ -1278,10 +1306,11 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
 }
 
 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
-					       struct samba_kdc_db_context *kdc_db_ctx,
-					       TALLOC_CTX *mem_ctx,
-					       krb5_const_principal principal,
-					       hdb_entry_ex *entry_ex)
+					      struct samba_kdc_db_context *kdc_db_ctx,
+					      TALLOC_CTX *mem_ctx,
+					      krb5_const_principal principal,
+					      unsigned flags,
+					      hdb_entry_ex *entry_ex)
 {
 	krb5_error_code ret;
 	struct ldb_dn *realm_dn;
@@ -1294,8 +1323,9 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context,
 	}
 
 	ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
-				principal, SAMBA_KDC_ENT_TYPE_SERVER,
-				realm_dn, msg, entry_ex);
+				      principal, SAMBA_KDC_ENT_TYPE_SERVER,
+				      flags,
+				      realm_dn, msg, entry_ex);
 	if (ret != 0) {
 		krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
 	}
@@ -1332,20 +1362,20 @@ krb5_error_code samba_kdc_fetch(krb5_context context,
 	}
 
 	if (flags & HDB_F_GET_CLIENT) {
-		ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
+		ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
 		if (ret != HDB_ERR_NOENTRY) goto done;
 	}
 	if (flags & HDB_F_GET_SERVER) {
 		/* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
-		ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex);
+		ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex);
 		if (ret != HDB_ERR_NOENTRY) goto done;
 
 		/* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
-		ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
+		ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
 		if (ret != HDB_ERR_NOENTRY) goto done;
 	}
 	if (flags & HDB_F_GET_KRBTGT) {
-		ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex);
+		ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex);
 		if (ret != HDB_ERR_NOENTRY) goto done;
 	}
 
@@ -1385,8 +1415,9 @@ static krb5_error_code samba_kdc_seq(krb5_context context,
 
 	if (priv->index < priv->count) {
 		ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
-					NULL, SAMBA_KDC_ENT_TYPE_ANY,
-					priv->realm_dn, priv->msgs[priv->index++], entry);
+					      NULL, SAMBA_KDC_ENT_TYPE_ANY,
+					      HDB_F_ADMIN_DATA|HDB_F_GET_ANY,
+					      priv->realm_dn, priv->msgs[priv->index++], entry);
 	} else {
 		ret = HDB_ERR_NOENTRY;
 	}
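Review bot: The enumeration path hard-codes `HDB_F_ADMIN_DATA|HDB_F_GET_ANY` without saying why the audit fields are always wanted here while samba_kdc_fetch only passes through the caller's flags; a comment such as `/* presumably used by dump/admin tooling, so always include the audit fields */` would record the intent (hedged, since the callers are not visible). Writing it `HDB_F_ADMIN_DATA | HDB_F_GET_ANY` also matches the spacing of the `flags &` tests in samba_kdc_fetch. samba_kdc_seq continues outside this hunk.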
diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c
index 14da31e..5581cb1 100644
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -887,6 +887,19 @@ static int ldif_write_dnsRecord(struct ldb_context *ldb, void *mem_ctx,
 			      true);
 }
 
+/*
+  convert a NDR formatted blob of a supplementalCredentials into text
+*/
+static int ldif_write_supplementalCredentialsBlob(struct ldb_context *ldb, void *mem_ctx,
+						  const struct ldb_val *in, struct ldb_val *out)
+{
+	return ldif_write_NDR(ldb, mem_ctx, in, out,
+			      sizeof(struct supplementalCredentialsBlob),
+			      (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob,
+			      (ndr_print_fn_t)ndr_print_supplementalCredentialsBlob,
+			      true);
+}
+
 
 static int extended_dn_write_hex(struct ldb_context *ldb, void *mem_ctx,
 				 const struct ldb_val *in, struct ldb_val *out)
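Review bot: The header comment on the new `ldif_write_supplementalCredentialsBlob` says only that it converts NDR to text, but this attribute holds the account's stored password secrets (hashes, and reversible material when 'store cleartext' is enabled), so the decoded LDIF is sensitive. It should say so, e.g. `/* Decode supplementalCredentials for display; the output contains the stored password secrets and must only be emitted where the caller explicitly asked for decoded binary */`. The trailing `true` argument to ldif_write_NDR is an unnamed boolean; a comment naming that parameter would help readers here and in ldif_write_dnsRecord above.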
@@ -1200,6 +1213,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = {
 		.canonicalise_fn  = ldb_handler_copy,
 		.comparison_fn	  = ldb_comparison_binary,
 		.operator_fn      = samba_syntax_operator_fn
+	},{
+		.name		  = LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS,
+		.ldif_read_fn	  = ldb_handler_copy,
+		.ldif_write_fn	  = ldif_write_supplementalCredentialsBlob,
+		.canonicalise_fn  = ldb_handler_copy,
+		.comparison_fn	  = ldb_comparison_binary,
+		.operator_fn      = samba_syntax_operator_fn
 	}
 };
 
@@ -1313,7 +1333,10 @@ static const struct {
 	{ "invocationId",			LDB_SYNTAX_SAMBA_GUID },
 	{ "parentGUID",				LDB_SYNTAX_SAMBA_GUID },
 	{ "msDS-OptionalFeatureGUID",		LDB_SYNTAX_SAMBA_GUID },
+
+	/* These NDR encoded things we want to be able to read with --show-binary */
 	{ "dnsRecord",				LDB_SYNTAX_SAMBA_DNSRECORD },
+	{ "supplementalCredentials",		LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS}
 };
 
 const struct ldb_schema_syntax *ldb_samba_syntax_by_name(struct ldb_context *ldb, const char *name)
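Review bot: The new attribute entry drops the space before the closing brace that every neighbouring entry has, and omits a trailing comma, so the next addition will have to touch this line again: `{ "supplementalCredentials",		LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS },`. The explanatory comment above `dnsRecord` is a good addition and now covers both NDR-encoded attributes.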
diff --git a/source4/lib/ldb-samba/ldif_handlers.h b/source4/lib/ldb-samba/ldif_handlers.h
index 33373fa..62903c4 100644
--- a/source4/lib/ldb-samba/ldif_handlers.h
+++ b/source4/lib/ldb-samba/ldif_handlers.h
@@ -13,7 +13,7 @@
 #define LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR     "LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR"
 #define LDB_SYNTAX_SAMBA_RANGE64		"LDB_SYNTAX_SAMBA_RANGE64"
 #define LDB_SYNTAX_SAMBA_DNSRECORD		"LDB_SYNTAX_SAMBA_DNSRECORD"
-
+#define LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS "LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS"
 #include "lib/ldb-samba/ldif_handlers_proto.h"
 
 #undef _PRINTF_ATTRIBUTE
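Review bot: The new `#define LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS` replaced the blank line that separated the syntax-name block from `#include "lib/ldb-samba/ldif_handlers_proto.h"`, so the include now runs directly into the defines. Keep the define and reinsert the blank line after it so the two groups stay visually separate.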
diff --git a/source4/rpc_server/dcerpc_server.pc.in b/source4/rpc_server/dcerpc_server.pc.in
index 0aaffae..d521436 100644
--- a/source4/rpc_server/dcerpc_server.pc.in
+++ b/source4/rpc_server/dcerpc_server.pc.in
@@ -7,5 +7,5 @@ Name: dcerpc_server
 Description: DCE/RPC server library
 Requires: dcerpc
 Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -ldcerpc_server
+Libs: -L${libdir} -ldcerpc-server
 Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1
diff --git a/source4/scripting/python/samba/netcmd/pwsettings.py b/source4/scripting/python/samba/netcmd/pwsettings.py
index bfec13c..4a1645d 100644
--- a/source4/scripting/python/samba/netcmd/pwsettings.py
+++ b/source4/scripting/python/samba/netcmd/pwsettings.py
@@ -27,7 +27,7 @@ import ldb
 
 from samba.auth import system_session
 from samba.samdb import SamDB
-from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
+from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
 from samba.netcmd import Command, CommandError, Option
 
 class cmd_pwsettings(Command):
@@ -50,6 +50,8 @@ class cmd_pwsettings(Command):
         Option("--quiet", help="Be quiet", action="store_true"),
         Option("--complexity", type="choice", choices=["on","off","default"],
           help="The password complexity (on | off | default). Default is 'on'"),
+        Option("--store-plaintext", type="choice", choices=["on","off","default"],
+          help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
         Option("--history-length",
           help="The password history length (<integer> | default).  Default is 24.", type=str),
         Option("--min-pwd-length",
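Review bot: The new `--store-plaintext` help string has a grammar slip ("where account have") and does not spell out that turning it on makes the DC keep a reversibly-recoverable copy of passwords changed thereafter. Suggested text: `help="Store passwords in reversible (plaintext-recoverable) form for accounts that have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"`. The stated default of 'off' must also agree with how "default" is handled in `run` later in this file.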
@@ -63,7 +65,7 @@ class cmd_pwsettings(Command):
     takes_args = ["subcommand"]
 
     def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
-            quiet=False, complexity=None, history_length=None,
+            quiet=False, complexity=None, store_plaintext=None, history_length=None,
             min_pwd_length=None, credopts=None, sambaopts=None,
             versionopts=None):
         lp = sambaopts.get_loadparm()
@@ -94,6 +96,10 @@ class cmd_pwsettings(Command):
                 self.message("Password complexity: on")
             else:
                 self.message("Password complexity: off")
+            if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
+                self.message("Store plaintext passwords: on")
+            else:
+                self.message("Store plaintext passwords: off")
             self.message("Password history length: %d" % pwd_hist_len)
             self.message("Minimum password length: %d" % cur_min_pwd_len)
             self.message("Minimum password age (days): %d" % cur_min_pwd_age)
@@ -111,6 +117,15 @@ class cmd_pwsettings(Command):
                     pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
                     msgs.append("Password complexity deactivated!")
 
+            if store_plaintext is not None:
+                if store_plaintext == "on" or store_plaintext == "default":
+                    pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
+                    msgs.append("Plaintext password storage for changed passwords activated!")
+                elif store_plaintext == "off":
+                    pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
+                    msgs.append("Plaintext password storage for changed passwords deactivated!")
+
+            if complexity is not None or store_plaintext is not None:
                 m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
                   ldb.FLAG_MOD_REPLACE, "pwdProperties")
 
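Review bot: `store_plaintext == "default"` is handled in the branch that sets DOMAIN_PASSWORD_STORE_CLEARTEXT, but the option's help text says the default is 'off', so `--store-plaintext=default` switches reversible password storage on. Move it to the clearing branch: `if store_plaintext == "on":` / `elif store_plaintext == "off" or store_plaintext == "default":`. The `--complexity` handler above maps "default" to on only because its documented default is 'on'; the two should not be mirrored blindly. The enclosing `run` method continues outside this hunk.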
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
index 6c40567..da2dcc5 100755
--- a/source4/setup/tests/blackbox_setpassword.sh
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -23,6 +23,6 @@ testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/
 
 testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp at ssw0Rd --must-change-at-next-login
 
-testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default
+testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
 
 exit $failed
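Review bot: The updated "pwsettings" test only checks that `set ... --store-plaintext=on` exits 0; it neither verifies the flag was applied nor turns it back off, so the simple-dc environment is left storing reversible passwords for anything that runs afterwards. Consider following it with a display run (the `show` subcommand, if that is what this tool calls it) grepping for `Store plaintext passwords: on`, and a final `--store-plaintext=off` to restore the documented default. Whether later steps in this file depend on that state is not visible here.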
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 3eb2343..b3b6eb3 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -163,6 +163,10 @@ test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`exp
 KRB5CCNAME="$PREFIX/tmpccache"
 export KRB5CCNAME
 
+lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=`expr $failed + 1`
+
 testit "del user with kerberos ccache" $VALGRIND $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
 
 rm -f $KRB5CCNAME
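Review bot: `lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')` leaves `$REALM` unquoted and uses bracketed ranges, which POSIX `tr` treats as literal `[`/`]` characters (it only works because `[` maps to `[`); `lowerrealm=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')` is the portable form. The two new test_smbclient lines also pass `$lowerrealm` and `$NEWUSERPASS` unquoted inside the `-U` argument, so a password containing whitespace or glob characters would be split or expanded; quoting that argument as `"-Unettestuser@$lowerrealm%$NEWUSERPASS"` avoids it.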

