[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Wed Apr 2 11:31:04 MDT 2014


The branch, master has been updated
       via  85f57eb torture-samr: Add testing of account lockout and password change behaviour
       via  311de5f selftest: Run rpc.samr.passwords.badpwdcount against s3dc
       via  6a4bedd torture-samr: Add test for lockout with and without a password history
       via  3c73178 torture-samr: Improve rpc.samr.passwords.badpwdcount test
       via  e266f61 selftest: Add test for password lockout
       via  05c2f83 dsdb: Allow SAMR server to return the computed, not actual badPwdCount
       via  6ac62b3 s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
       via  50b9748 s4:dsdb/samldb: rework samldb_user_account_control_change()
       via  6cb91a8 libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK
       via  245d0f1 s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
       via  a6b82ee s4-samr: Escape the username in the LDAP filter
       via  f557f82 s4-auth: Support password history correctly, including allowing NTLM logins using the old password
       via  9d5f4ca lib/param: Add new parameter "old password allowed period"
       via  afdd5fb dsdb: check type with talloc_get_type_abort in samdb_set_password
       via  c918230 dsdb: Implement password lockout on LDAP password changes
       via  8a89f7f4 dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
       via  26c0eb6 auth: Split out badPwdCount update into a helper function
       via  752b817 kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
       via  997e120 kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
       via  10cbd5e kdc: Set flags.locked_out on a locked-out user.
       via  d202191 heimdal: Only indicate successful authentication after successful authz
       via  580a705 heimdal: Match Windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
       via  30bae40 heimdal: Do not attempt password authentication for locked out accounts
       via  7e653f5 s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
       via  1a483a8 s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0
       via  3ed5521 dsdb: collapse wrong password and no-password-hash errors into one handler
       via  2dd71de dsdb: Add samdb_result_passwords_from_history helper function
       via  0f3dd92 s4-auth: Rework memory handling to use a tmp_ctx
       via  ba4c985 samba-tool add password lockout handling to samba-tool domain passwordsettings
       via  526f983 dsdb: give a better error message and return code on failed password change
       via  3f07737 s4:auth: Add password lockout support to the AD DC
       via  a0de929 dsdb: Put password lockout support in samdb_result_passwords()
       via  6f8fb16 dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
       via  77e4beb dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed
       via  1d266b4 dsdb-operational: Implement msDS-User-Account-Control-Computed
       via  9a3651e dsdb-operational: Use a list for the extra attributes that may be required
       via  9a36fab s4:auth/sam: use a higher time resolution in authsam_account_ok()
       via  5c1cfe2 s4:dsdb/util_samr: simplify dsdb_add_user()
       via  090c556 selftest: Run rpc.samr.passwords.lockout against the s3dc environment
       via  9e1a8dc dsdb-tests: Remove pointless creation of ldaptestou
       via  fa8a3ca torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed
       via  ae81cca torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results
       via  b53b3fa torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked
       via  8e147f8 torture-samr: set min password age to 0 for lockout and badpwdcount tests
       via  2d2dbaf torture-samr: Make failures easier to trace with torture_assert
       via  2acfba3 torture-samr: Indent samba3-skip block
       via  b822353 torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings
       via  60024cd kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
       via  befae7f ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS
       via  c3baddf auth: Pass through error from GENSEC sub-mechanism
       via  6f8297d selftest: make blackbox_setpassword.sh test run independently
       via  c8e4c6a s3-auth: Do not reset bad password count to 0 if account is disabled
       via  56d3e52 s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security
       via  3f8f997 torture/samr: Re-open the user when checking for ACB_AUTOLOCK
       via  5a2eae4 torture-samr: Set lockout_seconds to 60 for samba3
       via  44a624d s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
      from  1dba07d dlinklist: Fix a typo

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 85f57ebda360092efd5d71744d018c4cadd6d86b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 31 16:57:10 2013 +1300

    torture-samr: Add testing of account lockout and password change behaviour
    
    This is the regression test to avoid a repeat of CVE-2013-4496
    
    This includes confirming that badPwdCount is updated on login, not just on first failure.
    
    However, the badPwdCount is not updated if the account is disabled.
    
    Note that samr_QueryUserInfo returns the effective bad_password_count in levels
    5, 16 and 21, while it returns the raw value in level 3.
    
    (Sadly the s3 code does not do this correctly, so a knownfail is added)
    
    Change-Id: I4fd8ac5c3b1357e7a98386756dac2a43eb778ecf
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Wed Apr  2 19:30:59 CEST 2014 on sn-devel-104

commit 311de5fb4ae46536eb43178f4102728855625e20
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 5 11:43:41 2013 +1300

    selftest: Run rpc.samr.passwords.badpwdcount against s3dc
    
    Change-Id: I9529def954521bf8ab05212759a2ef6bbe9913f8
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6a4bedd36ad9877f35489ffa28eb38a458d4f01b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Mar 16 21:14:51 2014 +1300

    torture-samr: Add test for lockout with and without a password history
    
    Change-Id: I6f4b3e92feabe4ff09839329b0db3d33cc6c73b4
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3c731783e0e9ee4a7b4b9289544d4d8a465940b9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 9 14:25:06 2013 +1300

    torture-samr: Improve rpc.samr.passwords.badpwdcount test
    
    Change-Id: I89ac30d715e89f14aca049e0e5c5043a39ab93c7
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e266f610dbd421107c8a06e3ee07354456b9f521
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 10:03:05 2013 +1300

    selftest: Add test for password lockout
    
    Change-Id: Ia690b83f82b5ad7b02b203ffdecd2e05066b6711
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 05c2f83f266db208982858067680f888e637378b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 26 11:32:05 2014 +1300

    dsdb: Allow SAMR server to return the computed, not actual badPwdCount
    
    This matters after the lockout observation period has expired.
    
    Note that QueryUserInfo level 3 returns the raw badPwdCount value.
    
    Andrew Bartlett
    
    Change-Id: I7b304a50984072bc6cb1daf3315b4427443632a9
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6ac62b30007d5b5870443f392d41f7ebfe52a5c3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 25 07:12:04 2014 +0100

    s4:rpc_server/samr: passdown unmodified acct_flags to the ldb layer.
    
    The samldb module will handle the verification and magic.
    
    Change-Id: If38e0ed229b98eac4db9b39988de4a25f9a352f2
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 50b9748fc5c0d49ab0720b0ddfb59fdb88c186bd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 25 07:10:02 2014 +0100

    s4:dsdb/samldb: rework samldb_user_account_control_change()
    
    - Removing ACB_AUTOLOCK/UF_LOCKOUT from the effective userAccountControl flags
      (combined with msDS-User-Account-Control-Computed) results in
      lockoutTime=0 (implying badPwdCount=0).
    
    - We also do more validation of the account type flags now.
    
    Change-Id: If7f224cf60920037a0ae19a10d116ac265771a4c
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6cb91a8f33516a33210a25e4019f3f3fbbfe61f2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 1 13:21:35 2014 +0200

    libds: add UF_PARTIAL_SECRETS_ACCOUNT to UF_ACCOUNT_TYPE_MASK
    
    Change-Id: Ie26520c37c393ab4d2e3c5782e3dca46d4d1f83c
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 245d0f1b3dd844c680bfa9b1d9e56d26305e6bae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 1 10:54:27 2014 +0200

    s4:dsdb/samldb: remove fantasy code from samldb_user_account_control_change()
    
    Setting UF_PASSWORD_EXPIRED doesn't reset "pwdLastSet" to "0"!
    
    Change-Id: I9e004195ad864b8b3fe036986b1087398d1f6fc5
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a6b82ee197f6f79bb74e0720d328c4a518e513fe
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Mar 17 13:33:18 2014 +1300

    s4-samr: Escape the username in the LDAP filter
    
    Change-Id: I99945f0b86ea2862c88c00ad39c809ef1101ca9b
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f557f82acc54d0fddf8be31bebdbc525ea80a171
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 11 10:38:03 2013 +1300

    s4-auth: Support password history correctly, including allowing NTLM logins using the old password
    
    This is only done during a 1 hour allowed period, by default.
    
    We only update the bad password count when the password is not one of the last 3 passwords.
    
    Andrew Bartlett
    
    Change-Id: I76fd8010ce273a21efb55f9601d17b9978a0acf0
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 9d5f4cabf3f491fd1c22dbc1daaad8a657d12914
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 9 14:23:49 2013 +1300

    lib/param: Add new parameter "old password allowed period"
    
    Change-Id: I46228b492ba71ba4f3fee380a1ccadb328e3ade1
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit afdd5fbd51b4dbde419da7bc64bab5eaf42a955d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 2 15:44:37 2013 +1300

    dsdb: check type with talloc_get_type_abort in samdb_set_password
    
    Change-Id: Ie5b534c70dd87ecf58d6a830e38750ecf16eb855
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c91823028f67a4581d282c15422aab1e7f7f5c87
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Nov 6 17:11:18 2013 +1300

    dsdb: Implement password lockout on LDAP password changes
    
    To do this, and have the badPwdCount update stick, we must abort,
    open, close and reopen transactions such that the badPwdCount update
    is in its own transaction.
    
    To ensure the tests can confirm the correct behaviour here, we must
    output the Windows error code in the error message.
    
    Andrew Bartlett
    
    Change-Id: I5b1515b26b308301cf90ce8a3c848a3cedee85a2
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8a89f7f4bcf784852452ca5d6914a0d070c2786f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 16:18:31 2013 +1300

    dsdb: Move dsdb_update_bad_pwd_count to dsdb/common/util.c
    
    This allows the password_hash code to call the same update routine.
    
    Andrew Bartlett
    
    Change-Id: I3d954469defa3f5d26ffc5ae0583ec7e1957ea11
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 26c0eb623f2776a02569d78eabe6d903ad232409
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 15:42:07 2013 +1300

    auth: Split out badPwdCount update into a helper function
    
    This will allow password_hash to call this using dsdb_module_*() functions.
    
    Andrew Bartlett
    
    Change-Id: Ib6705300f3f12f4e5e9c73bfd041e6f72bb3ac4a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 752b8173659f6ee12db93981a588b1e2b884fb3e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 15:32:18 2013 +1300

    kdc: call authsam_zero_bad_pwd_count on successful AS-REQ
    
    Change-Id: I91bb663dcf1b1033cf756a860404c677e4ac4ade
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 997e120f664facfb48548b765a44063b31b96880
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 30 10:50:19 2013 +1300

    kdc: Include values from msDS-User-Account-Control-Computed when checking user flags
    
    Change-Id: I27280d7dd139c6c65dddac611dbdcd7e518ee536
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 10cbd5e43092b8bd1ee8d55879a1c37b27f3fbc4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 29 12:31:46 2013 +1300

    kdc: Set flags.locked_out on a locked-out user.
    
    This only changes the log output; the same error is still returned.
    
    Change-Id: Id3c13e9373140c276783e5bd288f29de2bf4a45d
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d202191f9c6f304cfd603b1a78a56bb5a33fec49
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Feb 18 13:53:38 2014 +1300

    heimdal: Only indicate successful authentication after successful authz
    
    This is needed to match Windows behaviour for NTLM logins.
    
    Andrew Bartlett
    
    Change-Id: I142de19b480cd6499d6f7f025f655e220558d54c
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 580a705b83014e94556b9d5a8877406816e02190
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 14:13:02 2013 +1300

    heimdal: Match Windows and return KRB5KDC_ERR_CLIENT_REVOKED when the account is locked out
    
    Change-Id: I3c306d1516aa569549f5f024fe1fff2d4f2abefc
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 30bae409477da2c42d41ce2d42fa85b86d799c98
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 28 13:28:29 2013 +1300

    heimdal: Do not attempt password authentication for locked out accounts
    
    Change-Id: I49695cc4ae0dd0b02034e5411b277882ec5f5f44
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7e653f5ae28c822c2e9c42dd2853126f7f86f0f0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 11 11:35:12 2013 +1300

    s4-auth: Add authsam_zero_bad_pwd_count to zero out badPwdCount and lockoutTime on successful login
    
    Change-Id: I2530f08a91f9b6484203dbdaba988f2df1a04ea1
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1a483a8b4ba9640c2f57c34366433b6e219c27b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Mar 25 07:23:04 2014 +0100

    s4:dsdb/samldb: add let lockoutTime=0 reset badPwdCount=0
    
    See [MS-SAMR] 3.1.1.8.3 lockoutTime.
    
    Change-Id: Ic384a8e2b88c8e9eb1859df99ee09451ebd49fec
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3ed55210ff5301ca06ec924c5fb4b08bc8832d4b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 26 17:04:46 2013 +1300

    dsdb: collapse wrong password and no-password-hash errors into one handler
    
    This avoids giving away too much information to an attacker.
    
    Andrew Bartlett
    
    Change-Id: Id0c0ec508304990e64e5d728396d0d0c1cd7f966
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2dd71de11ac8c5bb5b1a3a68b7971adf75d9a8d3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 11 10:37:38 2013 +1300

    dsdb: Add samdb_result_passwords_from_history helper function
    
    Change-Id: I949c6c64551f68c4381b41b30120874ead82949e
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 0f3dd921b375d2ee56149abe3f50de739b17690b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 11 10:32:58 2013 +1300

    s4-auth: Rework memory handling to use a tmp_ctx
    
    Change-Id: Iceb4a04dbd04f581d2bbade86213c8ecfa35d306
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ba4c9851f2801c5f5654572a38cfdf3a724c2d4f
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 8 13:38:22 2013 +1300

    samba-tool add password lockout handling to samba-tool domain passwordsettings
    
    Change-Id: I291924785b505b26b91152c0c13b4afd4de068a6
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 526f98308a58a2f1fd6bf70d56b9b8bb21bf0d55
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Nov 6 15:54:17 2013 +1300

    dsdb: give a better error message and return code on failed password change
    
    Change-Id: I064a7e192caccbb5acc17ba385f1625425c176d1
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3f07737fd4a92fc948cfc432bc46098d6dd5269a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Nov 6 10:39:42 2013 +1300

    s4:auth: Add password lockout support to the AD DC
    
    Including a fix by Arvid Requate <requate at univention.de>
    
    Change-Id: I25d10da50dd6119801cd37349cce970599531c6b
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a0de9290099a93413048a03740cfb04ca1355c78
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 4 21:37:17 2013 +1300

    dsdb: Put password lockout support in samdb_result_passwords()
    
    This seems to be the best choke point to check for locked out
    accounts, as aside from the KDC, all the password authentication and
    change callers use it.
    
    Andrew Bartlett
    
    Change-Id: I0f21a79697cb8b08ef639445bd05a896a2c9ee1b
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6f8fb163e02579d57e731c0c09eafee5627bec62
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 29 17:30:18 2013 +1300

    dsdb: Rework samdb_result_acct_flags to use either userAccountControl or msDS-User-Account-Control-Computed
    
    This allows us to avoid the domain lookup in the constructed attribute
    when not required.
    
    By using msDS-User-Account-Control-Computed the lockout and password
    expiry checks are now handled in the operational ldb module.
    
    Andrew Bartlett
    
    Change-Id: I6eb94933e4602e2e50c2126062e9dfa83a46191b
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 77e4beb0e027bb49454716b86c782c98c2ed823b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 29 15:44:15 2013 +1300

    dsdb-operational: Implement msDS-UserPasswordExpiryTimeComputed
    
    This assists in testing this aspect of
    msDS-User-Account-Control-Computed, and is exposed in AD for clients
    to query.
    
    Andrew Bartlett
    
    Change-Id: I10fd214b0585a16f8addb00c252f656419a03f4a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1d266b493894ad55c6c30e73a4cf9bc6aa28f559
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 29 15:38:08 2013 +1300

    dsdb-operational: Implement msDS-User-Account-Control-Computed
    
    This is needed to get consistent account lockout support across the whole server.
    
    Andrew Bartlett
    
    Change-Id: I2fa1e707d33f5567b6cb4e2b27e340fa9f40cee9
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 9a3651ece1ddd273fdf88b5d4fceef82babbf4a7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Oct 29 12:30:58 2013 +1300

    dsdb-operational: Use a list for the extra attributes that may be required
    
    Change-Id: Ifa2e006c9401e92e71d6588d6ea879c6f437cdd5
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9a36fabde0e212b06c2b44db157070b7debdb06b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Mar 31 13:35:25 2014 +0200

    s4:auth/sam: use a higher time resolution in authsam_account_ok()
    
    Change-Id: I2961e7311f31e239a6768f56437e5c112a7a9bb0
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5c1cfe267ce10180e2c42105a1d84f84e7512c8d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Mar 26 01:25:34 2014 +0100

    s4:dsdb/util_samr: simplify dsdb_add_user()
    
    We can specify userAccountControl on the ldb_add() call.
    
    Change-Id: Ic990a74eaf9b38ddc1db3183a964972c786dbfdf
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 090c55681db410ac2bbf9ec2f9e2208329ed8d5b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 4 12:30:55 2013 +1300

    selftest: Run rpc.samr.passwords.lockout against the s3dc environment
    
    Change-Id: I7ee562cbf1e067ed90b22e212002e88752450e34
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9e1a8dc8b7214782f8bc07b60a31ad6d6ab13aea
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Mar 16 22:17:51 2014 +1300

    dsdb-tests: Remove pointless creation of ldaptestou
    
    This is not used in this test, and is not removed by the test either.
    
    Andrew Bartlett
    
    Change-Id: I34366d469a1ebed04c3cea5a7f206cb0bf433e03
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fa8a3ca0b8237989b3b124713fb9aabf90f9b6e2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sun Mar 16 22:59:32 2014 +1300

    torture-samr: Do not issue a TORTURE_FAIL unless *this* test failed
    
    Change-Id: I349d8ac77a98b934cd4b11b01a96a231097eeeed
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit ae81cca5b7a88076c2d386d4ade9afd72bd7071c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 5 16:57:49 2013 +1300

    torture-samr: Lock accounts for 5 seconds in rpc.samr.passwords.badpwdcount test to ensure consistent results
    
    For "samba3" we use 60 seconds as in test_Password_lockout().
    
    Change-Id: I886eb83d4c620e4d719a38ec47b45bacd1406b9d
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit b53b3fa2a0ec6f2dd00dab417a9ee2bcc67ac242
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Nov 7 17:04:14 2013 +1300

    torture-samr: Try breaking the NT hash first, as the LM hash may not be being checked
    
    Change-Id: Iea9040bc7130f8b779c35bd367a9915633cd494d
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8e147f838edbb2739830d58ce9ea6b5d38a11495
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 8 16:21:39 2013 +1300

    torture-samr: set min password age to 0 for lockout and badpwdcount tests
    
    Change-Id: I0d44fcc712e6f239d9adc739fdafc1b20dd2beba
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2d2dbafd2b761d6ae554484a22283338da224f02
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 31 16:57:47 2013 +1300

    torture-samr: Make failures easier to trace with torture_assert
    
    Change-Id: I729ba2f0a0501575357977754401a0cb40d95b34
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2acfba33c694f09f8e1af306c8b7c82967f275d0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 30 14:16:27 2013 +1300

    torture-samr: Indent samba3-skip block
    
    Change-Id: I2bb9f175e61401606742737a883604b922044ea5
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b8223531de83066626dff87d400a9059790b4db7
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 30 14:16:03 2013 +1300

    torture-samr: Actually fail on failures in rpc.samr, rather than just printing pretty warnings
    
    Change-Id: I00d66ecd84cd1a7d733f491d19328cec93ba8d2b
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 60024cdd730bc2c97ab80b1e8c7d26da9f9bd624
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 14:09:48 2013 +1300

    kerberos: Map KRB5KDC_ERR_CLIENT_REVOKED to NT_STATUS_ACCOUNT_LOCKED_OUT
    
    Change-Id: I333083e11a56d0f99ec36df25a96804d0ff2d110
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit befae7f6e65add893cf24a088b93f0350b0b482e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 14:09:26 2013 +1300

    ldb_ildap: Map some wrong username/password errors on to LDB_ERR_INVALID_CREDENTIALS
    
    This is better than just LDB_ERR_OPERATIONS_ERROR for all errors.
    
    Andrew Bartlett
    
    Change-Id: Id832cf02fcd1dc0347d5ab9eb9a2db78fda39dc6
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c3baddf271b9d09819aff4ce05314f940c6f1e4d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 14:08:38 2013 +1300

    auth: Pass through error from GENSEC sub-mechanism
    
    This allows wrong-password or account-locked-out errors to be passed
    through from Kerberos (gssapi).
    
    Andrew Bartlett
    
    Change-Id: I4bc11a1ad98dfbcc5a4ad9101cd843a7a59f0b59
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6f8297d3cfa0beb4c21101b528dfa598a24700ba
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Feb 14 23:13:37 2014 +1300

    selftest: make blackbox_setpassword.sh test run independently
    
    Change-Id: I8f3cdfc2c66800f9a1e11aec4f25a42752b6b205
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c8e4c6a022046e70461e9faa2a7e39d9489f9b42
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 5 16:06:46 2013 +1300

    s3-auth: Do not reset bad password count to 0 if account is disabled
    
    Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 56d3e528bd31a4ee0d24fa476aeff8eaf2da236b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Oct 31 16:59:16 2013 +1300

    s3-auth: Only call pdb_get_acct_ctrl() once in check_sam_security
    
    Change-Id: I43792711543e25c50c29ab5a24d16f614c670cca
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3f8f9972f491228b2bbe8880cc139387e9332b09
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 25 17:23:53 2013 +1300

    torture/samr: Re-open the user when checking for ACB_AUTOLOCK
    
    This flag appears to be cached from the open, so the test incorrectly
    indicated that the flag was not set over SAMR.
    
    Andrew Bartlett
    
    Change-Id: I2f1f017191dddb6c2ac496712064fa1b6b48be53
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5a2eae4229192c8bc009ec8c8d30f372ff4d32e5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Nov 4 12:26:18 2013 +1300

    torture-samr: Set lockout_seconds to 60 for samba3
    
    The source3 account policy code deals with lockouts in terms of
    minutes, not nanoseconds, so we have to lock out for at least 60
    seconds; otherwise we do not wait long enough.
    
    Andrew Bartlett.
    
    Change-Id: I2b30d1c0d9b020b3aba6ed3343361e9a576b7d9a
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 44a624d6ce97078f93baf83f36737238363f788e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Oct 30 14:09:15 2013 +1300

    s3-samr: Refuse to set lockout_duration < lockout_window per rpc.samr.passwords.lockout
    
    This was not noticed previously because the test was not run.
    
    Andrew Bartlett
    
    Change-Id: I88701b6c3057ec26f44b3ccab4134ac9aabe552a
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
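
The lockout semantics the commit messages above describe (an effective badPwdCount that reads as zero once the observation window has passed while the raw value stays stored, badPwdCount left untouched for disabled accounts, lockoutTime=0 clearing badPwdCount, the previous password still accepted over NTLM inside the allowed period, recent-history passwords rejected without counting as bad attempts, and lockout_duration never below lockout_window), modelled as an added example in Python. This is not Samba code: Policy and Account are constructed stand-ins for the domain password settings and user attributes named in the messages, the status strings stand in for NT_STATUS codes, and times are integer seconds.

```python
"""Model of the account-lockout rules described in this push.

Added example, not Samba code: Policy/Account are constructed stand-ins for the
domain password settings and user attributes named in the commit messages,
status strings stand in for NT_STATUS_* codes, and times are integer seconds.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    lockout_threshold: int            # bad attempts before lockout (0 = never lock)
    lockout_window: int               # observation window, in seconds
    lockout_duration: int             # seconds an account stays locked
    old_password_allowed_period: int  # seconds the previous password still works over NTLM
    history_length: int = 3           # recent passwords that do not count as bad attempts

    def __post_init__(self):
        # s3-samr commit: refuse lockout_duration < lockout_window
        if self.lockout_duration < self.lockout_window:
            raise ValueError("lockout_duration must not be less than lockout_window")


@dataclass
class Account:
    password: str
    history: list = field(default_factory=list)  # previous passwords, newest first
    pwd_last_set: int = 0
    bad_pwd_count: int = 0   # raw stored value (what QueryUserInfo level 3 returns)
    bad_pwd_time: int = 0    # time of the last counted failure
    lockout_time: int = 0    # 0 means not locked
    disabled: bool = False


def computed_bad_pwd_count(acct, pol, now):
    """Effective value (levels 5, 16 and 21): zero once the window has expired."""
    if acct.bad_pwd_time and now - acct.bad_pwd_time > pol.lockout_window:
        return 0
    return acct.bad_pwd_count


def is_locked_out(acct, pol, now):
    """UF_LOCKOUT as it would appear in msDS-User-Account-Control-Computed."""
    return acct.lockout_time != 0 and now - acct.lockout_time < pol.lockout_duration


def set_lockout_time(acct, value):
    """Administrative write of lockoutTime; 0 also resets badPwdCount ([MS-SAMR] 3.1.1.8.3)."""
    acct.lockout_time = value
    if value == 0:
        acct.bad_pwd_count = 0


def authenticate(acct, pol, now, password, ntlm=True):
    """Password check with lockout bookkeeping; returns a status string."""
    if acct.disabled:
        return "ACCOUNT_DISABLED"          # badPwdCount is neither bumped nor reset
    if is_locked_out(acct, pol, now):
        return "ACCOUNT_LOCKED_OUT"        # no password check at all while locked
    if password == acct.password:
        acct.bad_pwd_count = 0             # successful login zeroes both fields
        acct.lockout_time = 0
        return "OK"
    recent = acct.history[:pol.history_length]
    if (ntlm and recent and password == recent[0]
            and now - acct.pwd_last_set <= pol.old_password_allowed_period):
        return "OK"                        # previous password, still inside the allowed period
    if password in recent:
        return "WRONG_PASSWORD"            # recent old password: rejected but not counted
    # A genuinely wrong password: count it, restarting from zero if the window expired
    acct.bad_pwd_count = computed_bad_pwd_count(acct, pol, now) + 1
    acct.bad_pwd_time = now
    if pol.lockout_threshold and acct.bad_pwd_count >= pol.lockout_threshold:
        acct.lockout_time = now
        return "ACCOUNT_LOCKED_OUT"
    return "WRONG_PASSWORD"


def demo():
    """Walk a constructed account through failures, lockout, window expiry and recovery."""
    pol = Policy(lockout_threshold=3, lockout_window=5, lockout_duration=5,
                 old_password_allowed_period=3600)
    acct = Account(password="new-secret", history=["old-secret"], pwd_last_set=1000)
    trace = [authenticate(acct, pol, 1001, "guess"),
             authenticate(acct, pol, 1002, "guess"),
             authenticate(acct, pol, 1003, "old-secret"),   # NTLM, inside the period
             authenticate(acct, pol, 1004, "guess"),        # third failure: lockout
             authenticate(acct, pol, 1005, "new-secret")]   # right password, still locked
    raw, effective = acct.bad_pwd_count, computed_bad_pwd_count(acct, pol, 1020)
    trace.append(authenticate(acct, pol, 1020, "new-secret"))  # lockout expired
    return trace, raw, effective, acct.bad_pwd_count


if __name__ == "__main__":
    print(demo())
```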

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c                               |    2 +-
 .../security/oldpasswordallowedperiod.xml          |   13 +
 lib/ldb-samba/ldb_ildap.c                          |   10 +-
 lib/param/loadparm.c                               |    1 +
 lib/param/param_table.c                            |    9 +
 libds/common/flags.h                               |    3 +-
 python/samba/netcmd/domain.py                      |   77 +-
 selftest/knownfail                                 |    4 +-
 selftest/skip                                      |    1 +
 source3/auth/check_samsec.c                        |   32 +-
 source3/libads/krb5_errs.c                         |    2 +-
 source3/param/loadparm.c                           |    1 +
 source3/passdb/pdb_samba_dsdb.c                    |   11 +-
 source3/rpc_server/samr/srv_samr_nt.c              |   17 +
 source3/selftest/tests.py                          |    2 +-
 source4/auth/gensec/gensec_gssapi.c                |    3 +
 source4/auth/ntlm/auth_sam.c                       |  388 +++++-
 source4/auth/sam.c                                 |  123 ++-
 source4/dsdb/common/util.c                         |  259 ++++-
 source4/dsdb/common/util_samr.c                    |   50 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |  292 ++++-
 source4/dsdb/samdb/ldb_modules/password_hash.c     |  199 ++-
 source4/dsdb/samdb/ldb_modules/samldb.c            |  292 +++--
 source4/dsdb/tests/python/password_lockout.py      | 1484 ++++++++++++++++++++
 source4/dsdb/tests/python/sam.py                   |    1 -
 source4/heimdal/kdc/kerberos5.c                    |   18 +-
 source4/kdc/db-glue.c                              |   22 +-
 source4/kdc/hdb-samba4.c                           |   20 +-
 source4/kdc/kpasswdd.c                             |    9 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      |   12 +-
 source4/rpc_server/samr/dcesrv_samr.c              |   55 +-
 source4/rpc_server/samr/samr_password.c            |   32 +-
 source4/rpc_server/wscript_build                   |    2 +-
 source4/selftest/tests.py                          |    1 +
 source4/setup/tests/blackbox_setpassword.sh        |    2 +
 source4/torture/rpc/samr.c                         |  916 ++++++++----
 36 files changed, 3697 insertions(+), 668 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
 create mode 100755 source4/dsdb/tests/python/password_lockout.py


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 7e9dcae..20cacdb 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -705,7 +705,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 	spnego_state->sub_sec_security = NULL;
 
 	DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
-	return NT_STATUS_INVALID_PARAMETER;
+	return nt_status;
 }
 
 
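Review bot: returning the underlying nt_status instead of the fixed NT_STATUS_INVALID_PARAMETER from the failure path of gensec_spnego_create_negTokenInit changes what callers observe; please confirm that every jump to this label has already set nt_status to a non-OK value, otherwise a caller could now receive NT_STATUS_OK after sub_sec_security has been torn down. This hunk is unrelated to lockout, so a one-line mention in the commit message would help anyone bisecting later.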
diff --git a/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
new file mode 100644
index 0000000..ead720a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml
@@ -0,0 +1,13 @@
+<samba:parameter name="old password allowed period"
+                 context="G"
+                 advanced="1"
+				 type="integer"
+		 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>Number of minutes to permit an NTLM login after a password change or reset using the old password.  This allows the user to re-cache the new password on multiple clients without disrupting a network reconnection in the meantime. </para>
+
+    <para>This parameter only applies when <smbconfoption name="server role"/> is set to Active Directory Domain Controller</para>
+</description>
+
+<value type="default">60</value>
+</samba:parameter>
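Review bot: the description should state the security trade-off of "old password allowed period": for that many minutes after a change or reset, anyone holding the old password, including an intruder the reset was meant to evict, can still complete NTLM network logons. Please say whether 0 disables the grace period so an administrator doing an emergency reset knows what to set. Separately, the type="integer" and xmlns attribute lines mix tabs and spaces; align them with the context="G" line.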
diff --git a/lib/ldb-samba/ldb_ildap.c b/lib/ldb-samba/ldb_ildap.c
index 18853eb..6ec363d 100644
--- a/lib/ldb-samba/ldb_ildap.c
+++ b/lib/ldb-samba/ldb_ildap.c
@@ -791,7 +791,7 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
 {
 	struct ldb_module *module;
 	struct ildb_private *ildb;
-	NTSTATUS status;
+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	struct cli_credentials *creds;
 	struct loadparm_context *lp_ctx;
 
@@ -862,6 +862,14 @@ static int ildb_connect(struct ldb_context *ldb, const char *url,
 
 failed:
 	talloc_free(module);
+	if (NT_STATUS_IS_LDAP(status)) {
+		return NT_STATUS_LDAP_CODE(status);
+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)
+		   || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
+		   || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE)
+		   || NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+		return LDB_ERR_INVALID_CREDENTIALS;
+	}
 	return LDB_ERR_OPERATIONS_ERROR;
 }
 
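Review bot: mapping NT_STATUS_WRONG_PASSWORD, NT_STATUS_NO_SUCH_USER, NT_STATUS_LOGON_FAILURE and NT_STATUS_ACCOUNT_LOCKED_OUT all to LDB_ERR_INVALID_CREDENTIALS is the right choice for not revealing whether an account exists, but it also hides the lockout from the caller. Consider recording the specific NTSTATUS via ldb_asprintf_errstring() before returning so a locked-out bind is distinguishable from a bad password in server-side logs. Note that the `status = NT_STATUS_UNSUCCESSFUL` initialiser in the preceding hunk is what keeps this dispatch safe when `failed:` is reached before any assignment to status; the two hunks belong together.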
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index fd5e5e3..97a06a0 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2082,6 +2082,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ReadRaw", "True");
 	lpcfg_do_global_parameter(lp_ctx, "WriteRaw", "True");
 	lpcfg_do_global_parameter(lp_ctx, "NullPasswords", "False");
+	lpcfg_do_global_parameter(lp_ctx, "old password allowed period", "60");
 	lpcfg_do_global_parameter(lp_ctx, "ObeyPamRestrictions", "False");
 
 	lpcfg_do_global_parameter(lp_ctx, "TimeServer", "False");
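Review bot: the default of 60 for "old password allowed period" is now hard-coded in three places (this line, init_globals() in source3/param/loadparm.c, and the <value type="default"> in docs-xml/smbdotconf/security/oldpasswordallowedperiod.xml); if one is changed the documented default silently goes stale. A comment here naming the other two, or a shared define, would keep them in step.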
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 40f8eb5..8df7d1b 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -490,6 +490,15 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED | FLAG_DEPRECATED,
 	},
 	{
+		.label		= "old password allowed period",
+		.type		= P_INTEGER,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(old_password_allowed_period),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "obey pam restrictions",
 		.type		= P_BOOL,
 		.p_class	= P_GLOBAL,
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 96709af..4975024 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -64,7 +64,8 @@
 		UF_NORMAL_ACCOUNT |\
 		UF_INTERDOMAIN_TRUST_ACCOUNT |\
 		UF_WORKSTATION_TRUST_ACCOUNT |\
-		UF_SERVER_TRUST_ACCOUNT \
+		UF_SERVER_TRUST_ACCOUNT |\
+		UF_PARTIAL_SECRETS_ACCOUNT \
                 )
 
 #define UF_SETTABLE_BITS (\
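Review bot: UF_PARTIAL_SECRETS_ACCOUNT is a modifier bit that is set together with UF_WORKSTATION_TRUST_ACCOUNT on RODC computer accounts, not an exclusive account type, so after this change `(uac & UF_ACCOUNT_TYPE_MASK)` yields two bits for an RODC. Any caller that compares the masked value for equality (`== UF_WORKSTATION_TRUST_ACCOUNT`) or feeds it to a switch will now fail to recognise RODCs; please grep the users of UF_ACCOUNT_TYPE_MASK (samldb and the SAMR server are the obvious ones) and explain in the commit message why the mask is the right home for this bit.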
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 2765902..0e00bd5 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -1079,8 +1079,11 @@ class cmd_domain_level(Command):
 class cmd_domain_passwordsettings(Command):
     """Set password settings.
 
-    Password complexity, history length, minimum password length, the minimum
-    and maximum password age) on a Samba4 server.
+    Password complexity, password lockout policy, history length,
+    minimum password length, the minimum and maximum password age) on
+    a Samba AD DC server.
+
+    Use against a Windows DC is possible, but group policy will override it.
     """
 
     synopsis = "%prog (show|set <options>) [options]"
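Review bot: the docstring's closing parenthesis after "maximum password age" has no opening counterpart (pre-existing, but this hunk rewrites the sentence); suggest "Password complexity, password lockout policy, history length, minimum password length and the minimum and maximum password age on a Samba AD DC server."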
@@ -1107,13 +1110,20 @@ class cmd_domain_passwordsettings(Command):
           help="The minimum password age (<integer in days> | default).  Default is 1.", type=str),
         Option("--max-pwd-age",
           help="The maximum password age (<integer in days> | default).  Default is 43.", type=str),
+        Option("--account-lockout-duration",
+          help="The the length of time an account is locked out after exeeding the limit on bad password attempts (<integer in mins> | default).  Default is 30 mins.", type=str),
+        Option("--account-lockout-threshold",
+          help="The number of bad password attempts allowed before locking out the account (<integer> | default).  Default is 0 (never lock out).", type=str),
+        Option("--reset-account-lockout-after",
+          help="After this time is elapsed, the recorded number of attempts restarts from zero (<integer> | default).  Default is 30.", type=str),
           ]
 
     takes_args = ["subcommand"]
 
     def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None,
             quiet=False, complexity=None, store_plaintext=None, history_length=None,
-            min_pwd_length=None, credopts=None, sambaopts=None,
+            min_pwd_length=None, account_lockout_duration=None, account_lockout_threshold=None,
+            reset_account_lockout_after=None, credopts=None, sambaopts=None,
             versionopts=None):
         lp = sambaopts.get_loadparm()
         creds = credopts.get_credentials(lp)
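Review bot: typos in the new user-visible help strings: "The the length of time" and "exeeding" on the --account-lockout-duration line. Also --reset-account-lockout-after says "<integer>" and "Default is 30." where the sibling option says "<integer in mins>" and "30 mins"; make the three consistent, since they appear in `samba-tool domain passwordsettings --help`.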
@@ -1124,7 +1134,8 @@ class cmd_domain_passwordsettings(Command):
         domain_dn = samdb.domain_dn()
         res = samdb.search(domain_dn, scope=ldb.SCOPE_BASE,
           attrs=["pwdProperties", "pwdHistoryLength", "minPwdLength",
-                 "minPwdAge", "maxPwdAge"])
+                 "minPwdAge", "maxPwdAge", "lockoutDuration", "lockoutThreshold",
+                 "lockOutObservationWindow"])
         assert(len(res) == 1)
         try:
             pwd_props = int(res[0]["pwdProperties"][0])
@@ -1136,6 +1147,13 @@ class cmd_domain_passwordsettings(Command):
                 cur_max_pwd_age = 0
             else:
                 cur_max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24))
+            cur_account_lockout_threshold = int(res[0]["lockoutThreshold"][0])
+            # ticks -> mins
+            if int(res[0]["lockoutDuration"][0]) == -0x8000000000000000:
+                cur_account_lockout_duration = 0
+            else:
+                cur_account_lockout_duration = abs(int(res[0]["lockoutDuration"][0])) / (1e7 * 60)
+            cur_reset_account_lockout_after = abs(int(res[0]["lockOutObservationWindow"][0])) / (1e7 * 60)
         except Exception, e:
             raise CommandError("Could not retrieve password properties!", e)
 
@@ -1154,6 +1172,9 @@ class cmd_domain_passwordsettings(Command):
             self.message("Minimum password length: %d" % cur_min_pwd_len)
             self.message("Minimum password age (days): %d" % cur_min_pwd_age)
             self.message("Maximum password age (days): %d" % cur_max_pwd_age)
+            self.message("Account lockout duration (mins): %d" % cur_account_lockout_duration)
+            self.message("Account lockout threshold (attempts): %d" % cur_account_lockout_threshold)
+            self.message("Reset account lockout after (mins): %d" % cur_reset_account_lockout_after)
         elif subcommand == "set":
             msgs = []
             m = ldb.Message()
@@ -1240,6 +1261,54 @@ class cmd_domain_passwordsettings(Command):
                   ldb.FLAG_MOD_REPLACE, "maxPwdAge")
                 msgs.append("Maximum password age changed!")
 
+            if account_lockout_duration is not None:
+                if account_lockout_duration == "default":
+                    account_lockout_duration = 30
+                else:
+                    account_lockout_duration = int(account_lockout_duration)
+
+                if account_lockout_duration < 0 or account_lockout_duration > 99999:
+                    raise CommandError("Maximum password age must be in the range of 0 to 99999!")
+
+                # days -> ticks
+                if account_lockout_duration == 0:
+                    account_lockout_duration_ticks = -0x8000000000000000
+                else:
+                    account_lockout_duration_ticks = -int(account_lockout_duration * (60 * 1e7))
+
+                m["lockoutDuration"] = ldb.MessageElement(str(account_lockout_duration_ticks),
+                  ldb.FLAG_MOD_REPLACE, "lockoutDuration")
+                msgs.append("Account lockout duration changed!")
+
+            if account_lockout_threshold is not None:
+                if account_lockout_threshold == "default":
+                    account_lockout_threshold = 0
+                else:
+                    account_lockout_threshold = int(account_lockout_threshold)
+
+                m["lockoutThreshold"] = ldb.MessageElement(str(account_lockout_threshold),
+                  ldb.FLAG_MOD_REPLACE, "lockoutThreshold")
+                msgs.append("Account lockout threshold changed!")
+
+            if reset_account_lockout_after is not None:
+                if reset_account_lockout_after == "default":
+                    reset_account_lockout_after = 30
+                else:
+                    reset_account_lockout_after = int(reset_account_lockout_after)
+
+                if reset_account_lockout_after < 0 or reset_account_lockout_after > 99999:
+                    raise CommandError("Maximum password age must be in the range of 0 to 99999!")
+
+                # days -> ticks
+                if reset_account_lockout_after == 0:
+                    reset_account_lockout_after_ticks = -0x8000000000000000
+                else:
+                    reset_account_lockout_after_ticks = -int(reset_account_lockout_after * (60 * 1e7))
+
+                m["lockOutObservationWindow"] = ldb.MessageElement(str(reset_account_lockout_after_ticks),
+                  ldb.FLAG_MOD_REPLACE, "lockOutObservationWindow")
+                msgs.append("Duration to reset account lockout after changed!")
+
             if max_pwd_age > 0 and min_pwd_age >= max_pwd_age:
                 raise CommandError("Maximum password age (%d) must be greater than minimum password age (%d)!" % (max_pwd_age, min_pwd_age))
 
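Review bot: both range-check messages in the new lockout blocks read "Maximum password age must be in the range of 0 to 99999!" (copied from the max-pwd-age block) and the two "# days -> ticks" comments describe minutes. More importantly, nothing here enforces lockoutDuration >= lockOutObservationWindow (MS-ADTS 3.1.1.5.3.2, the same constraint the srv_samr_nt.c hunk in this series adds), so `set --account-lockout-duration 10 --reset-account-lockout-after 30` will be rejected by the server with a generic error instead of a clear CommandError. Compare the two values before building the message, reading the current one from the directory when only one option is given, as the min/max password age check just below already does.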
diff --git a/selftest/knownfail b/selftest/knownfail
index 65f9fd2..35dba20 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -96,8 +96,6 @@
 ^samba4.rpc.netlogon.*.GetTrustPasswords
 ^samba4.rpc.netlogon.*.DatabaseRedo
 ^samba4.rpc.netlogon.*.ServerGetTrustInfo
-^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
-^samba4.rpc.samr.passwords.lockout
 ^samba4.base.charset.*.Testing partial surrogate
 ^samba4.*.base.maximum_allowed		# broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
 .*net.api.delshare.*				# DelShare isn't implemented yet
@@ -213,6 +211,8 @@
 ^samba3.smb2.session.*reauth5 # some special anonymous checks?
 ^samba3.smb2.compound.interim2 # wrong return code (STATUS_CANCELLED)
 ^samba3.raw.session.*reauth2 # maybe fix this?
+^samba3.rpc.samr.passwords.badpwdcount.samr.badPwdCount\(s3dc\) # We fail this test currently
+^samba3.rpc.samr.passwords.lockout.*\(s3dc\)$ # We fail this test currently
 ^samba3.rpc.spoolss.printer.addprinter.driver_info_winreg # knownfail or flapping?
 ^samba3.rpc.spoolss.printer.addprinterex.driver_info_winreg # knownfail or flapping?
 ^samba3.rpc.spoolss.printer.*.publish_toggle\(.*\)$ # needs spoolss AD member env
diff --git a/selftest/skip b/selftest/skip
index c16dcf5..ed20649 100644
--- a/selftest/skip
+++ b/selftest/skip
@@ -44,6 +44,7 @@
 ^samba3.smb2.durable-open-disconnect    # Not a test, but a way to create a disconnected durable
 ^samba3.smb2.scan                       # No tests
 ^samba3.smb2.oplock.levelii501		# No test yet
+^samba3.rpc.samr.passwords.lockout\(plugin_s4_dc\) # No point running this version, it just waits 12 times longer the samba4 version of this test, covering the same code
 ^samba4.base.iometer
 ^samba4.base.casetable
 ^samba4.base.nttrans
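Review bot: the skip reason reads "12 times longer the samba4 version"; it should say "12 times longer than the samba4 version". These comments are reproduced in test reports, so they are worth keeping grammatical.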
diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 7c97170..ff634aa 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -379,6 +379,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 	const char *username;
 	const uint8_t *nt_pw;
 	const uint8_t *lm_pw;
+	uint32_t acct_ctrl;
 
 	/* the returned struct gets kept on the server_info, by means
 	   of a steal further down */
@@ -401,19 +402,20 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
+	acct_ctrl = pdb_get_acct_ctrl(sampass);
 	username = pdb_get_username(sampass);
 	nt_pw = pdb_get_nt_passwd(sampass);
 	lm_pw = pdb_get_lanman_passwd(sampass);
 
 	/* Quit if the account was locked out. */
-	if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
+	if (acct_ctrl & ACB_AUTOLOCK) {
 		DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
 		TALLOC_FREE(sampass);
 		return NT_STATUS_ACCOUNT_LOCKED_OUT;
 	}
 
 	nt_status = sam_password_ok(mem_ctx,
-				    username, pdb_get_acct_ctrl(sampass),
+				    username, acct_ctrl,
 				    challenge, lm_pw, nt_pw,
 				    user_info, &user_sess_key, &lm_sess_key);
 
@@ -426,7 +428,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		bool increment_bad_pw_count = false;
 
 		if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) &&
-		    pdb_get_acct_ctrl(sampass) & ACB_NORMAL &&
+		    (acct_ctrl & ACB_NORMAL) &&
 		    NT_STATUS_IS_OK(update_login_attempts_status))
 		{
 			increment_bad_pw_count =
@@ -456,16 +458,22 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		goto done;
 	}
 
-	if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
-	    (pdb_get_bad_password_count(sampass) > 0)){
-		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
-		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
-		updated_badpw = True;
+	/*
+	 * We must only reset the bad password count if the login was
+	 * successful, including checking account policies
+	 */
+	nt_status = sam_account_ok(mem_ctx, sampass, user_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		goto done;
 	}
 
-	if (updated_badpw){
+	if ((acct_ctrl & ACB_NORMAL) &&
+	    (pdb_get_bad_password_count(sampass) > 0)){
 		NTSTATUS status;
 
+		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
+		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
+
 		become_root();
 		status = pdb_update_sam_account(sampass);
 		unbecome_root();
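Review bot: calling sam_account_ok() before the badPwdCount reset is the correct order (a correct password on an account that then fails policy, for example disabled or outside logon hours, no longer clears the counter, matching Windows), but this is a behaviour change worth stating in the commit message. Two follow-ups: `updated_badpw` is no longer assigned on this path, so confirm it still has a reader elsewhere in the function or drop it; and if a failing pdb_update_sam_account() in this block is only logged rather than failing the logon, a short comment saying so would spare the next reader the same question.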
@@ -476,12 +484,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		}
 	}
 
-	nt_status = sam_account_ok(mem_ctx, sampass, user_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		goto done;
-	}
-
 	become_root();
 	nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
 	unbecome_root();
diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
index d4ff09a..8eb5d82 100644
--- a/source3/libads/krb5_errs.c
+++ b/source3/libads/krb5_errs.c
@@ -28,7 +28,7 @@ static const struct {
 } krb5_to_nt_status_map[] = {
 	{KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR},
 	{KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER},
-	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCOUNT_LOCKED_OUT},
 	{KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
 	{KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
 #if defined(KRB5KDC_ERR_KEY_EXP) /* MIT */
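Review bot: KRB5KDC_ERR_CLIENT_REVOKED is not specific to lockout. A Windows KDC returns it for disabled and expired accounts and for logon-hours violations as well as for locked-out ones, so a blanket map to NT_STATUS_ACCOUNT_LOCKED_OUT will tell a user with a disabled account that they are locked out, and it changes the status that callers such as the winbind and ads join paths previously saw (NT_STATUS_ACCESS_DENIED). Prefer NT_STATUS_ACCOUNT_LOCKED_OUT only when the error's e-data (Windows carries the NTSTATUS in KERB-ERROR-DATA) confirms it, or at least document the approximation on this line.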
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ad87972..8006167 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,6 +802,7 @@ static void init_globals(bool reinit_globals)
 	Globals.read_raw = true;
 	Globals.write_raw = true;
 	Globals.null_passwords = false;
+	Globals.old_password_allowed_period = 60;
 	Globals.obey_pam_restrictions = false;
 	Globals.syslog = 1;
 	Globals.syslog_only = false;
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index dee20ef..01e747a 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -272,12 +272,12 @@ static NTSTATUS pdb_samba_dsdb_init_sam_from_priv(struct pdb_methods *m,
 	}
 	pdb_set_user_sid(sam, sid, PDB_SET);
 
-	n = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+	n = samdb_result_acct_flags(msg, "msDS-User-Account-Control-Computed");
 	if (n == 0) {
 		DEBUG(10, ("Could not pull userAccountControl\n"));
 		goto fail;
 	}
-	pdb_set_acct_ctrl(sam, ds_uf2acb(n), PDB_SET);
+	pdb_set_acct_ctrl(sam, n, PDB_SET);
 
 	blob = ldb_msg_find_ldb_val(msg, "unicodePwd");
 	if (blob) {
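Review bot: the debug message still says "Could not pull userAccountControl" although the call now names msDS-User-Account-Control-Computed, and with ds_uf2acb() gone the new samdb_result_acct_flags(msg, attr) must itself return ACB_* flags and must still fold in userAccountControl, neither of which is visible at this call site. Please state that contract (which attributes are merged, what flag space is returned) in the function's doc comment, since the other caller at the bottom of this file depends on the same behaviour.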
@@ -614,7 +614,8 @@ static NTSTATUS pdb_samba_dsdb_getsamupriv(struct pdb_samba_dsdb_state *state,
 		"sAMAccountName", "displayName", "homeDirectory",
 		"homeDrive", "scriptPath", "profilePath", "description",
 		"userWorkstations", "comment", "userParameters", "objectSid",
-		"primaryGroupID", "userAccountControl", "logonHours",
+		"primaryGroupID", "userAccountControl",
+		"msDS-User-Account-Control-Computed", "logonHours",
 		"badPwdCount", "logonCount", "countryCode", "codePage",
 		"unicodePwd", "dBCSPwd", NULL };
 
@@ -1936,9 +1937,7 @@ static bool pdb_samba_dsdb_search_filter(struct pdb_methods *m,
 		}
 		sid_peek_rid(sid, &e->rid);
 
-		e->acct_flags = samdb_result_acct_flags(state->ldb, tmp_ctx,
-							res->msgs[i],
-							ldb_get_default_basedn(state->ldb));
+		e->acct_flags = samdb_result_acct_flags(res->msgs[i], "userAccountControl");
 		e->account_name = ldb_msg_find_attr_as_string(
 			res->msgs[i], "samAccountName", NULL);
 		if (e->account_name == NULL) {
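Review bot: this call passes only "userAccountControl", so entries produced by pdb_samba_dsdb_search_filter() will never carry ACB_AUTOLOCK even though init_sam_from_priv() above now consults msDS-User-Account-Control-Computed; tools that enumerate users through pdb search (pdbedit -L -v, net sam list) will then disagree with the authentication path about who is locked out. If the computed attribute is already in this search's attribute list, pass it here too; if it is not, it needs adding to match the getsamupriv() change.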
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 48cfc7e..5318ba2 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6378,6 +6378,23 @@ static NTSTATUS set_dom_info_12(TALLOC_CTX *mem_ctx,
 {
 	time_t u_lock_duration, u_reset_time;
 
+	/*
+	 * It is not possible to set lockout_duration < lockout_window.
+	 * (The test is the other way around since the negative numbers
+	 *  are stored...)
+	 *
+	 * This constraint is documented here for the samr rpc service:
+	 * MS-SAMR 3.1.1.6 Attribute Constraints for Originating Updates
+	 * http://msdn.microsoft.com/en-us/library/cc245667%28PROT.10%29.aspx
+	 *
+	 * And here for the ldap backend:
+	 * MS-ADTS 3.1.1.5.3.2 Constraints
+	 * http://msdn.microsoft.com/en-us/library/cc223462(PROT.10).aspx
+	 */
+	if (r->lockout_duration > r->lockout_window) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	u_lock_duration = nt_time_to_unix_abs((NTTIME *)&r->lockout_duration);
 	if (u_lock_duration != -1) {
 		u_lock_duration /= 60;
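Review bot: `r->lockout_duration > r->lockout_window` only means "duration shorter than window" if both fields are signed (hyper in samr.idl holding negative relative NTTIMEs, as the comment explains); if they were NTTIME/uint64 the comparison would be inverted, so name the type in the comment or add a static assertion. The 0x8000000000000000 "lock out forever" sentinel is the most negative int64 and therefore always passes the test, which is the intended result, but say so explicitly so nobody "corrects" it later. Also check that NT_STATUS_INVALID_PARAMETER is the same status the AD DC SAMR server returns for this violation, so rpc.samr.passwords.lockout observes one behaviour on both servers.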
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 81ef184..e64cf77 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -301,7 +301,7 @@ rpc = ["rpc.authcontext", "rpc.samba3.bind", "rpc.samba3.srvsvc", "rpc.samba3.sh
        "rpc.lsa", "rpc.lsa-getuser", "rpc.lsa.lookupsids", "rpc.lsa.lookupnames",
        "rpc.lsa.privileges", "rpc.lsa.secrets",
        "rpc.samr", "rpc.samr.users", "rpc.samr.users.privileges", "rpc.samr.passwords",
-       "rpc.samr.passwords.pwdlastset", "rpc.samr.large-dc", "rpc.samr.machine.auth",
+       "rpc.samr.passwords.pwdlastset", "rpc.samr.passwords.lockout", "rpc.samr.passwords.badpwdcount", "rpc.samr.large-dc", "rpc.samr.machine.auth",
        "rpc.samr.priv", "rpc.samr.passwords.validate",
        "rpc.netlogon.admin",
        "rpc.schannel", "rpc.schannel2", "rpc.bench-schannel1", "rpc.join", "rpc.bind"]
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0bb307f..63fda1f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -306,6 +306,9 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi
 	case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
 		DEBUG(1, ("Wrong username or password: %s\n", error_string));
 		return NT_STATUS_LOGON_FAILURE;
+	case KRB5KDC_ERR_CLIENT_REVOKED:
+		DEBUG(1, ("Account locked out: %s\n", error_string));
+		return NT_STATUS_ACCOUNT_LOCKED_OUT;
 	case KRB5_KDC_UNREACH:
 		DEBUG(3, ("Cannot reach a KDC we require to contact %s : %s\n", gensec_gssapi_state->target_principal, error_string));
 		return NT_STATUS_NO_LOGON_SERVERS;
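Review bot: the same caveat as the krb5_errs.c mapping applies here: a Windows KDC returns KRB5KDC_ERR_CLIENT_REVOKED for disabled and expired accounts as well as locked-out ones, so the DEBUG text "Account locked out" will be misleading in those cases. Unless the e-data is inspected, log "Account locked out, disabled or expired" and mention the approximation in a comment.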
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index c8d6e5b..6b184f8 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -33,6 +33,7 @@
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "lib/messaging/irpc.h"
+#include "libcli/auth/libcli_auth.h"
 
 NTSTATUS auth_sam_init(void);
 
@@ -127,13 +128,6 @@ static NTSTATUS authsam_password_ok(struct auth4_context *auth_context,
 		break;
 	}
 
-	if (user_sess_key && user_sess_key->data) {
-		talloc_steal(auth_context, user_sess_key->data);
-	}
-	if (lm_sess_key && lm_sess_key->data) {
-		talloc_steal(auth_context, lm_sess_key->data);
-	}
-
 	return NT_STATUS_OK;
 }

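Review bot: dropping the talloc_steal() of user_sess_key->data and lm_sess_key->data onto auth_context changes who owns the session keys returned by authsam_password_ok(), and the remaining part of the 388-line change to this file is cut off by the 500-line truncation here. Please confirm the new caller either allocates the keys on a context that outlives the authentication or steals them itself; otherwise the keys are freed with the caller's temporary context (use-after-free on the session key) or leak on the long-lived auth_context. A sentence in the commit message describing the new ownership would make this reviewable from the mail alone.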

-- 
Samba Shared Repository


More information about the samba-cvs mailing list