[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Nov 15 23:30:01 MST 2010
The branch, master has been updated
via ebd8e66 samba-tool Add test for --store-plaintext
via c8c52be Update dcerpc_server.pc library name to match reality.
via 2e44d0d samba-tool pwsettings Allow setting 'store cleartext'
via 95d33f2 s4-ldif_handlers Add handler for printing supplementalCredentials
via b863159 s4-test_kinit Add tests for lowercase realm combinations
via 4908237 heimdal Build ticket with the canonical server name
via d76f11a s4-kdc Fix the realm handling again, this time pay attention to the flags
via 5c72c6b s4-kdc use 'flags' to only create the 'admin data' elements when requested
via 935d7a6 s4-kdc Add 'flags' parameter to db fetch calls
from fe5c48c waf: added --git-local-changes configure option
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ebd8e66ed0c1aae4d482ea933a8a492a2ab82e13
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 16:43:05 2010 +1100
samba-tool Add test for --store-plaintext
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Tue Nov 16 06:29:04 UTC 2010 on sn-devel-104
commit c8c52be4558c1e5bcb0db81f89f5b954f7ac6c05
Author: Brad Hards <bradh at frogmouth.net>
Date: Tue Nov 16 16:42:50 2010 +1100
Update dcerpc_server.pc library name to match reality.
commit 2e44d0d32980eaec236c8cfc80989b7600c0d25a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 16:32:55 2010 +1100
samba-tool pwsettings Allow setting 'store cleartext'
This allows the 'store cleartext' password policy flag to be (un)set.
Andrew Bartlett
commit 95d33f2f24d7300f2df54ea62b0595ed7d7d0a2c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 16:32:27 2010 +1100
s4-ldif_handlers Add handler for printing supplementalCredentials
commit b8631597f579555416dbd87ded3f329051965e8b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 16:01:19 2010 +1100
s4-test_kinit Add tests for lowercase realm combinations
This tests that the handling of lowercase realms works in our KDC and
libraries.
Andrew Bartlett
commit 4908237403543f6b0e3015637c5c49af47b515b0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 15:05:33 2010 +1100
heimdal Build ticket with the canonical server name
We need to use the name that the HDB entry returned, otherwise we
will not canonicalise the reply as requested.
Andrew Bartlett
commit d76f11a8bd685517b0e5a3be4684bec41af9e822
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 14:16:31 2010 +1100
s4-kdc Fix the realm handling again, this time pay attention to the flags
The KDC sets different flags for the AS-REQ (this is client-dependent)
and the TGS-REQ to determine if the realm should be forced to the
canonical value. If we do this always, or do this never, we get into
trouble, so it's much better to honour the flags we are given.
Andrew Bartlett
commit 5c72c6b760af479b3e88b10cce713025528496c3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 14:12:17 2010 +1100
s4-kdc use 'flags' to only create the 'admin data' elements when requested
This avoids setting these values when the caller simply does not care
Andrew Bartlett
commit 935d7a6f72567f09ccc8710079775fef0f077ada
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 14:07:18 2010 +1100
s4-kdc Add 'flags' parameter to db fetch calls
This will allow these calls to honour the flags passed in from the KDC
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
source4/heimdal/kdc/krb5tgs.c | 2 +-
source4/kdc/db-glue.c | 77 ++++++++++++++------
source4/lib/ldb-samba/ldif_handlers.c | 23 ++++++
source4/lib/ldb-samba/ldif_handlers.h | 2 +-
source4/rpc_server/dcerpc_server.pc.in | 2 +-
.../scripting/python/samba/netcmd/pwsettings.py | 19 +++++-
source4/setup/tests/blackbox_setpassword.sh | 2 +-
testprogs/blackbox/test_kinit.sh | 4 +
8 files changed, 102 insertions(+), 29 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 26e3936..4af4c29 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -2142,7 +2142,7 @@ server_lookup:
kvno,
*auth_data,
server,
- sp,
+ server->entry.principal,
spn,
client,
cp,
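Review bot: The replacement of `sp` by `server->entry.principal` on the fourth line of the hunk changes which server name is written into the issued ticket, and nothing in the code records why the HDB entry's name is preferred over the name the client asked for. A one-line comment above the argument, `/* use the canonical name returned with the HDB entry so the reply is canonicalised when requested */`, would stop a later reader from treating it as an accidental edit. The call and the `server_lookup:` block it belongs to begin and end outside the hunk.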
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 1dec6a5..b062282 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -541,12 +541,13 @@ out:
* Construct an hdb_entry from a directory entry.
*/
static krb5_error_code samba_kdc_message2entry(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- TALLOC_CTX *mem_ctx, krb5_const_principal principal,
- enum samba_kdc_ent_type ent_type,
- struct ldb_dn *realm_dn,
- struct ldb_message *msg,
- hdb_entry_ex *entry_ex)
+ struct samba_kdc_db_context *kdc_db_ctx,
+ TALLOC_CTX *mem_ctx, krb5_const_principal principal,
+ enum samba_kdc_ent_type ent_type,
+ unsigned flags,
+ struct ldb_dn *realm_dn,
+ struct ldb_message *msg,
+ hdb_entry_ex *entry_ex)
{
struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
uint32_t userAccountControl;
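Review bot: The header comment at the top of the hunk, "Construct an hdb_entry from a directory entry.", says nothing about the new `flags` parameter, although the next hunk in this file (the `if (flags & HDB_F_ADMIN_DATA)` guard) shows that it decides which parts of the entry are filled in. Add a line to that comment such as ` * flags: HDB_F_* bits from the caller; HDB_F_ADMIN_DATA requests the created_by/modified_by audit fields`, and in the guarded block's own comment state that those fields are now only populated when that flag is set. The function body continues well past the hunk, so whether any other bit is consulted cannot be confirmed from this view.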
@@ -644,7 +645,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- {
+ if (flags & HDB_F_ADMIN_DATA) {
/* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
* of the Heimdal KDC. They are stored in a the traditional
* DB for audit purposes, and still form part of the structure
@@ -1062,6 +1063,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
+ unsigned flags,
hdb_entry_ex *entry_ex) {
struct ldb_dn *realm_dn;
krb5_error_code ret;
@@ -1075,8 +1077,9 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context,
}
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
- principal, SAMBA_KDC_ENT_TYPE_CLIENT,
- realm_dn, msg, entry_ex);
+ principal, SAMBA_KDC_ENT_TYPE_CLIENT,
+ flags,
+ realm_dn, msg, entry_ex);
return ret;
}
@@ -1084,6 +1087,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
+ unsigned flags,
uint32_t krbtgt_number,
hdb_entry_ex *entry_ex)
{
@@ -1092,6 +1096,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
struct ldb_message *msg = NULL;
struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
+ krb5_principal alloc_principal = NULL;
if (principal->name.name_string.len != 2
|| (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
/* Not a krbtgt */
@@ -1141,9 +1146,32 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
return HDB_ERR_NOENTRY;
}
+ if (flags & HDB_F_CANON) {
+ ret = krb5_copy_principal(context, principal, &alloc_principal);
+ if (ret) {
+ return ret;
+ }
+
+ /* When requested to do so, ensure that the
+ * both realm values in the principal are set
+ * to the upper case, canonical realm */
+ free(alloc_principal->name.name_string.val[1]);
+ alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
+ if (!alloc_principal->name.name_string.val[1]) {
+ ret = ENOMEM;
+ krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
+ return ret;
+ }
+ principal = alloc_principal;
+ }
+
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
- principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
- realm_dn, msg, entry_ex);
+ principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
+ flags, realm_dn, msg, entry_ex);
+ if (flags & HDB_F_CANON) {
+ /* This is again copied in the message2entry call */
+ krb5_free_principal(context, alloc_principal);
+ }
if (ret != 0) {
krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
}
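Review bot: In the `HDB_F_CANON` block, the branch taken when `strdup()` fails sets the error message and returns without releasing the principal just obtained from `krb5_copy_principal`, so `alloc_principal` leaks on that path; add `krb5_free_principal(context, alloc_principal);` immediately before that `return ret;`. The comment in the same block says "both realm values in the principal are set to the upper case, canonical realm", yet the code rewrites only `name_string.val[1]` and never touches `principal->realm`; if the realm field is already canonical by the time this runs (the lines before the hunk are not visible) the comment should say so, otherwise the realm field needs the same replacement. Freeing the copy after `samba_kdc_message2entry` is consistent with the hunk's own remark that the entry takes its own copy. `lp_ctx` is used here but declared outside the hunk.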
@@ -1278,10 +1306,11 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context,
}
static krb5_error_code samba_kdc_fetch_server(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- TALLOC_CTX *mem_ctx,
- krb5_const_principal principal,
- hdb_entry_ex *entry_ex)
+ struct samba_kdc_db_context *kdc_db_ctx,
+ TALLOC_CTX *mem_ctx,
+ krb5_const_principal principal,
+ unsigned flags,
+ hdb_entry_ex *entry_ex)
{
krb5_error_code ret;
struct ldb_dn *realm_dn;
@@ -1294,8 +1323,9 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context,
}
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
- principal, SAMBA_KDC_ENT_TYPE_SERVER,
- realm_dn, msg, entry_ex);
+ principal, SAMBA_KDC_ENT_TYPE_SERVER,
+ flags,
+ realm_dn, msg, entry_ex);
if (ret != 0) {
krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
}
@@ -1332,20 +1362,20 @@ krb5_error_code samba_kdc_fetch(krb5_context context,
}
if (flags & HDB_F_GET_CLIENT) {
- ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
+ ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_SERVER) {
/* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
- ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex);
+ ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
/* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
- ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
+ ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
}
if (flags & HDB_F_GET_KRBTGT) {
- ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex);
+ ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex);
if (ret != HDB_ERR_NOENTRY) goto done;
}
@@ -1385,8 +1415,9 @@ static krb5_error_code samba_kdc_seq(krb5_context context,
if (priv->index < priv->count) {
ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
- NULL, SAMBA_KDC_ENT_TYPE_ANY,
- priv->realm_dn, priv->msgs[priv->index++], entry);
+ NULL, SAMBA_KDC_ENT_TYPE_ANY,
+ HDB_F_ADMIN_DATA|HDB_F_GET_ANY,
+ priv->realm_dn, priv->msgs[priv->index++], entry);
} else {
ret = HDB_ERR_NOENTRY;
}
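Review bot: The iterator now passes the fixed `HDB_F_ADMIN_DATA|HDB_F_GET_ANY` to `samba_kdc_message2entry` with no comment on why iteration, unlike the lookup paths that forward the caller's flags, always asks for the admin data. A short comment on that argument, `/* no caller flags during iteration; request the full entry including audit fields */`, would document the choice; I am inferring the reason from the flag names, so adjust the wording if the intent differs. The enclosing `samba_kdc_seq` starts before the hunk.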
diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c
index 14da31e..5581cb1 100644
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -887,6 +887,19 @@ static int ldif_write_dnsRecord(struct ldb_context *ldb, void *mem_ctx,
true);
}
+/*
+ convert a NDR formatted blob of a supplementalCredentials into text
+*/
+static int ldif_write_supplementalCredentialsBlob(struct ldb_context *ldb, void *mem_ctx,
+ const struct ldb_val *in, struct ldb_val *out)
+{
+ return ldif_write_NDR(ldb, mem_ctx, in, out,
+ sizeof(struct supplementalCredentialsBlob),
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob,
+ (ndr_print_fn_t)ndr_print_supplementalCredentialsBlob,
+ true);
+}
+
static int extended_dn_write_hex(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *in, struct ldb_val *out)
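Review bot: The comment above `ldif_write_supplementalCredentialsBlob` describes only the mechanics ("convert a NDR formatted blob ... into text") and should also say that the decoded text is credential material. supplementalCredentials holds password-derived key data for the account, so once this handler is registered any LDIF dump produced with the binary-expanding option prints it in readable form, and such dumps have to be handled as secrets rather than as ordinary directory output. Suggested wording: `convert a NDR formatted blob of a supplementalCredentials into text. NOTE: the decoded output is password-derived key material and must be treated as sensitively as the raw blob.`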
@@ -1200,6 +1213,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = {
.canonicalise_fn = ldb_handler_copy,
.comparison_fn = ldb_comparison_binary,
.operator_fn = samba_syntax_operator_fn
+ },{
+ .name = LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS,
+ .ldif_read_fn = ldb_handler_copy,
+ .ldif_write_fn = ldif_write_supplementalCredentialsBlob,
+ .canonicalise_fn = ldb_handler_copy,
+ .comparison_fn = ldb_comparison_binary,
+ .operator_fn = samba_syntax_operator_fn
}
};
@@ -1313,7 +1333,10 @@ static const struct {
{ "invocationId", LDB_SYNTAX_SAMBA_GUID },
{ "parentGUID", LDB_SYNTAX_SAMBA_GUID },
{ "msDS-OptionalFeatureGUID", LDB_SYNTAX_SAMBA_GUID },
+
+ /* These NDR encoded things we want to be able to read with --show-binary */
{ "dnsRecord", LDB_SYNTAX_SAMBA_DNSRECORD },
+ { "supplementalCredentials", LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS}
};
const struct ldb_schema_syntax *ldb_samba_syntax_by_name(struct ldb_context *ldb, const char *name)
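Review bot: The new mapping on the last line of the hunk is formatted differently from every other entry in the table: no space before the closing brace and no trailing comma. Writing it as `{ "supplementalCredentials", LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS },` matches the `dnsRecord` line above it and keeps the next addition a one-line diff. The table starts before the hunk.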
diff --git a/source4/lib/ldb-samba/ldif_handlers.h b/source4/lib/ldb-samba/ldif_handlers.h
index 33373fa..62903c4 100644
--- a/source4/lib/ldb-samba/ldif_handlers.h
+++ b/source4/lib/ldb-samba/ldif_handlers.h
@@ -13,7 +13,7 @@
#define LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR "LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR"
#define LDB_SYNTAX_SAMBA_RANGE64 "LDB_SYNTAX_SAMBA_RANGE64"
#define LDB_SYNTAX_SAMBA_DNSRECORD "LDB_SYNTAX_SAMBA_DNSRECORD"
-
+#define LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS "LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS"
#include "lib/ldb-samba/ldif_handlers_proto.h"
#undef _PRINTF_ATTRIBUTE
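Review bot: The new define is inserted in place of the blank line that separated the `LDB_SYNTAX_SAMBA_*` block from the `#include`, so the last define now abuts the include directive. Keep the new line and put an empty line back before `#include "lib/ldb-samba/ldif_handlers_proto.h"`; this is cosmetic only.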
diff --git a/source4/rpc_server/dcerpc_server.pc.in b/source4/rpc_server/dcerpc_server.pc.in
index 0aaffae..d521436 100644
--- a/source4/rpc_server/dcerpc_server.pc.in
+++ b/source4/rpc_server/dcerpc_server.pc.in
@@ -7,5 +7,5 @@ Name: dcerpc_server
Description: DCE/RPC server library
Requires: dcerpc
Version: @PACKAGE_VERSION@
-Libs: -L${libdir} -ldcerpc_server
+Libs: -L${libdir} -ldcerpc-server
Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1
diff --git a/source4/scripting/python/samba/netcmd/pwsettings.py b/source4/scripting/python/samba/netcmd/pwsettings.py
index bfec13c..4a1645d 100644
--- a/source4/scripting/python/samba/netcmd/pwsettings.py
+++ b/source4/scripting/python/samba/netcmd/pwsettings.py
@@ -27,7 +27,7 @@ import ldb
from samba.auth import system_session
from samba.samdb import SamDB
-from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX
+from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT
from samba.netcmd import Command, CommandError, Option
class cmd_pwsettings(Command):
@@ -50,6 +50,8 @@ class cmd_pwsettings(Command):
Option("--quiet", help="Be quiet", action="store_true"),
Option("--complexity", type="choice", choices=["on","off","default"],
help="The password complexity (on | off | default). Default is 'on'"),
+ Option("--store-plaintext", type="choice", choices=["on","off","default"],
+ help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"),
Option("--history-length",
help="The password history length (<integer> | default). Default is 24.", type=str),
Option("--min-pwd-length",
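Review bot: The new option's help text says "Default is 'off'", but the `run()` change later in this file (the `if store_plaintext is not None:` hunk) treats `"default"` the same as `"on"` and sets `DOMAIN_PASSWORD_STORE_CLEARTEXT`, so `--store-plaintext=default` switches reversible password storage on instead of restoring the documented default. Either the code should become `if store_plaintext == "on":` followed by `elif store_plaintext == "off" or store_plaintext == "default":`, or the help string must be corrected; given what the flag controls, the former is what an operator would expect. The help text also has a grammar slip: "where account have" should read "where accounts have".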
@@ -63,7 +65,7 @@ class cmd_pwsettings(Command):
takes_args = ["subcommand"]
def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
- quiet=False, complexity=None, history_length=None,
+ quiet=False, complexity=None, store_plaintext=None, history_length=None,
min_pwd_length=None, credopts=None, sambaopts=None,
versionopts=None):
lp = sambaopts.get_loadparm()
@@ -94,6 +96,10 @@ class cmd_pwsettings(Command):
self.message("Password complexity: on")
else:
self.message("Password complexity: off")
+ if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0:
+ self.message("Store plaintext passwords: on")
+ else:
+ self.message("Store plaintext passwords: off")
self.message("Password history length: %d" % pwd_hist_len)
self.message("Minimum password length: %d" % cur_min_pwd_len)
self.message("Minimum password age (days): %d" % cur_min_pwd_age)
@@ -111,6 +117,15 @@ class cmd_pwsettings(Command):
pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX)
msgs.append("Password complexity deactivated!")
+ if store_plaintext is not None:
+ if store_plaintext == "on" or store_plaintext == "default":
+ pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT
+ msgs.append("Plaintext password storage for changed passwords activated!")
+ elif store_plaintext == "off":
+ pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT)
+ msgs.append("Plaintext password storage for changed passwords deactivated!")
+
+ if complexity is not None or store_plaintext is not None:
m["pwdProperties"] = ldb.MessageElement(str(pwd_props),
ldb.FLAG_MOD_REPLACE, "pwdProperties")
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
index 6c40567..da2dcc5 100755
--- a/source4/setup/tests/blackbox_setpassword.sh
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -23,6 +23,6 @@ testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/
testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp at ssw0Rd --must-change-at-next-login
-testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default
+testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
exit $failed
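Review bot: The updated `pwsettings` line only checks that `set --store-plaintext=on` exits 0; nothing verifies that the flag actually took effect, for example a following `pwsettings show` whose output is grepped for `Store plaintext passwords: on`. Because `exit $failed` follows immediately, the script also leaves the test DC configured to store cleartext for every password changed afterwards; if other tests run against the same provision later, a closing `--store-plaintext=off` reset, or at least a comment saying the state is deliberately left that way, is worth adding.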
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh
index 3eb2343..b3b6eb3 100755
--- a/testprogs/blackbox/test_kinit.sh
+++ b/testprogs/blackbox/test_kinit.sh
@@ -163,6 +163,10 @@ test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`exp
KRB5CCNAME="$PREFIX/tmpccache"
export KRB5CCNAME
+lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
+test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes -Unettestuser@$lowerrealm%$NEWUSERPASS || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes -Unettestuser@$REALM%$NEWUSERPASS --realm=$lowerrealm || failed=`expr $failed + 1`
+
testit "del user with kerberos ccache" $VALGRIND $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1`
rm -f $KRB5CCNAME
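Review bot: `lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')` expands `$REALM` unquoted and uses the bracketed `tr` ranges, which are a historical form; the portable spelling is `lowerrealm=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')`. The two new `test_smbclient` lines also pass `$lowerrealm` and `$NEWUSERPASS` unquoted inside the `-U` argument, which matches the surrounding file's style but breaks if the password ever contains whitespace or glob characters.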