[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Fri Jul 22 17:52:03 UTC 2016
The branch, master has been updated
via 281b73f build: Add hints on what libraries to install for gpgme support on failure
via 4a34070 WHATSNEW: recommend python-crypto and python-m2crypto
via aaee982 WHATSNEW: add 'Password sync as active directory domain controller'
via 88e968c s4:torture/ndr: Add supplementalCredentials blob from Samba with the new SambaGPG blob
via bbe3a6a python:samba/tests: use 'samba-tool user {getpassword,syncpasswords}' with --decrypt-samba-gpg
via a4efb11 selftest:Samba4: configure "password hash gpg key ids" for ad_dc (if available)
via d903338 s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local
via 3e9a6c8 selftest:gnupg: add a gpg key for Samba Selftest <selftest at samba.example.com>
via f45a0ff samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords'
via 763acdc s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials
via 8d64999 drsblobs.idl: add package_PrimarySambaGPGBlob
via 81190f9 s4:dsdb/samdb: add configure checks for libgpgme
via b66ff2f docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids"
via f28d003 docs-xml/smbdotconf: add "password hash gpg key ids" option
via 39d194d .travis.yml: install libgpgme11-dev python[3]-gpgme
via eb33f73 docs-xml/smbdotconf: reference "unix password sync" with "samba-tool user syncpasswords"
via d5541ef docs-xml:samba-tool.8: document "user syncpasswords" command
via 8791960 python:samba/tests: add simple 'samba-tool user syncpasswords' test
via c68cb6a samba-tool: add 'user syncpasswords' command
via c8fb61c docs-xml:samba-tool.8: document "user getpassword" command
via 4ef5266 python:samba/tests: verify the packages order in supplementalCredentials
via 3add197 python:samba/tests: add simple 'samba-tool user getpassword' test
via deb2a02 samba-tool: add 'user getpassword' command
via 67404ba pycredentials: add set_utf16_[old_]password()
via a5591e5 pycredentials: add {get,set}_old_password()
via 1fd9271 WHATSNEW: the default for "ntlm auth" is "no"
via 162c1f8 selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'
via cd8dfed docs-xml:smbdotconf: default "ntlm auth" to "no"
via 70827ca selftest: set "ntlm auth = yes" for now as a lot of tests rely on it
via 7fd5629 s3:selftest: run smbclient_auth with a few more combinations
via 19b3712 s3:tests: add 'as user' to the test names in test_smbclient_auth.sh
via 9c994ba s3:ntlm_auth: call fault_setup() in order to get useful backtraces
from c8f2bb1 WHATSNEW. Add text for Open File Description (OFD) locks.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 281b73f124dce47cb17b2e83b880fbba17daca5b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jun 29 10:35:16 2016 +1200
build: Add hints on what libraries to install for gpgme support on failure
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Jul 22 19:51:09 CEST 2016 on sn-devel-144
commit 4a340708de6510a8ce7c5a1f0a516b5709b5b694
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Jun 27 08:25:30 2016 +0200
WHATSNEW: recommend python-crypto and python-m2crypto
They're used for some samba-tool commands.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit aaee982b4a5c4f1f7c5d4146be9d178b53907067
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 17 10:07:27 2016 +0100
WHATSNEW: add 'Password sync as active directory domain controller'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 88e968c9cce4a54eec92db6bb20b45a22d5eb492
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Jul 20 16:45:34 2016 +1200
s4:torture/ndr: Add supplementalCredentials blob from Samba with the new SambaGPG blob
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit bbe3a6a1b177fa391dc72255fc03eb37a0fb6438
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 03:19:58 2016 +0100
python:samba/tests: use 'samba-tool user {getpassword,syncpasswords}' with --decrypt-samba-gpg
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit a4efb11964d508fc843915e606d7aec515567031
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 12 13:51:00 2016 +0100
selftest:Samba4: configure "password hash gpg key ids" for ad_dc (if available)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d903338ed66d20525082b4e078b526045843d080
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 10:04:40 2016 +0100
s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local
In future ad_dc_ntvfs and ad_dc will differ regarding the Primary:SambaGPG
password feature. So we should test both.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 3e9a6c85f763ccdaca241d5a7a1d4a9bf61c5970
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 12 13:51:00 2016 +0100
selftest:gnupg: add a gpg key for Samba Selftest <selftest at samba.example.com>
This key doesn't have a passphrase and allows automatic testing
of decryption.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit f45a0ffe868bdb4304c9a5619938407d5c1c7e83
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 22 21:52:26 2016 +0100
samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords'
This gets the cleartext passwords by decrypting
the 'Primary:SambaGPG' value in order to provide the
virtual attributes: virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
The virtual attribute virtualSambaGPG provides the raw
(encrypted) value of the 'Primary:SambaGPG' value.
See the "password hash gpg key ids" option for the encryption part
of this feature.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 763acdc2e78f570b362914bb1ac1b3ed1fd94964
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 12 10:51:38 2016 +0100
s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials
It's important that Primary:SambaGPG is added as the last element.
This is the indication that it matches the current password.
When a password change happens on a Windows DC,
it will keep the old Primary:SambaGPG value, but as the first element.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8d64999d1c6239776a75503ff8df67b00ae5c4c8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 12 10:51:38 2016 +0100
drsblobs.idl: add package_PrimarySambaGPGBlob
This will be used to store the cleartext utf16 password
GPG encrypted in the supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 81190f910a3bd8083d963c0d983a1a3fd20f91ed
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 12 10:51:38 2016 +0100
s4:dsdb/samdb: add configure checks for libgpgme
This will be used to store the cleartext utf16 password
GPG encrypted as 'Primary:SambaGPG' in the
supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit b66ff2f47b374b4a2fd76567ef2aa89c680b2255
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 15 09:56:03 2016 +0100
docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit f28d0038c857368f9b30449b5a091af6aeebbff4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 15 09:10:54 2016 +0100
docs-xml/smbdotconf: add "password hash gpg key ids" option
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 39d194d6c9f47e9da41ae4381226af7d11db3b27
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 07:01:18 2016 +0100
.travis.yml: install libgpgme11-dev python[3]-gpgme
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit eb33f7334fbfa2094d580a42ba376264f21ed273
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 15 09:56:03 2016 +0100
docs-xml/smbdotconf: reference "unix password sync" with "samba-tool user syncpasswords"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit d5541ef6272e030c6fcdf85f7ea6a5ae4167bd0e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 15 09:15:38 2016 +0100
docs-xml:samba-tool.8: document "user syncpasswords" command
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 8791960bf6bcca75a5790bfb7319acdbf63560f6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 03:19:58 2016 +0100
python:samba/tests: add simple 'samba-tool user syncpasswords' test
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit c68cb6a1d9d366ac3e564245ecca34348a4f1aa2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 22 21:52:26 2016 +0100
samba-tool: add 'user syncpasswords' command
This provides an easy way to keep passwords in sync with
another account database, e.g. an OpenLDAP server.
It provides functionality like the "passwd program"
for the "unix password sync" feature of a standalone, member
and classic (NT4) server, but for an active directory domain
controller.
The provided script is called for each account/password related
change.
Like the 'user getpassword' command it allows virtual attributes like:
virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
Note that this command should just run on a single domain controller
(typically the PDC-emulator).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit c8fb61cadca367b53e8d7ee64a3d19ab5ebf75e4
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 15 09:15:38 2016 +0100
docs-xml:samba-tool.8: document "user getpassword" command
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 4ef52663c1350b8ca0096448d3ce6af42ff4752e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 03:19:58 2016 +0100
python:samba/tests: verify the packages order in supplementalCredentials
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3add197e202d3d540d65e7b9b856e95b4829724f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 16 03:19:58 2016 +0100
python:samba/tests: add simple 'samba-tool user getpassword' test
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit deb2a0258e74b0fd6a570d7abbe3485a7d346b5f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jan 22 21:52:26 2016 +0100
samba-tool: add 'user getpassword' command
This provides an easy way to get the passwords of a user
including the cleartext passwords (if stored) and derived
hashes. This is done by providing virtual attributes like:
virtualClearTextUTF16, virtualClearTextUTF8,
virtualCryptSHA256, virtualCryptSHA512, virtualSSHA
This is much easier than using ldbsearch and manually parsing
the supplementalCredentials attribute.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
commit 67404bac52c1b4d303c4b131efb168c805cdfd78
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 12 09:57:16 2016 +0200
pycredentials: add set_utf16_[old_]password()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5591e597dbcbd74a6cb76786f479d5962a41cfd
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 12 08:14:36 2016 +0200
pycredentials: add {get,set}_old_password()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fd927136be7230d5b670bf9b9ffe91071ec94d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 21 20:04:10 2016 +0200
WHATSNEW: the default for "ntlm auth" is "no"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 162c1f85bff47ef01febfb2d2c8b81a1cace0abb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 21 19:50:36 2016 +0200
selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cd8dfed1a67515c5fee14501d3e003e545e41d9e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Mar 15 21:59:42 2016 +0100
docs-xml:smbdotconf: default "ntlm auth" to "no"
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 70827ca78c63d41c555ea4d1219f71c55bbc23e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 21 09:26:27 2016 +0200
selftest: set "ntlm auth = yes" for now as a lot of tests rely on it
In future we should use a mix of environments some which support ntlmv1
and some without.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7fd562969405535a6c7b614b92e8049abbd0781c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 21 19:45:04 2016 +0200
s3:selftest: run smbclient_auth with a few more combinations
E.g. we try lanman, ntlmv1 and ntlmv2 authentication.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 19b3712b62c4632423b7c669f99dd0fc501c6036
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jul 21 19:41:57 2016 +0200
s3:tests: add 'as user' to the test names in test_smbclient_auth.sh
We already have 'as anon', having an indication for each case makes it
easier to mark some as knownfail.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c994ba86e645903d2b4ff98edb2460a8c8468fe
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed May 11 23:09:53 2016 +0200
s3:ntlm_auth: call fault_setup() in order to get useful backtraces
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
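Added example, not Samba code and not part of the commit log above: a small Python 3 builder and parser for the supplementalCredentials value that commits 763acdc and 4ef5266 rely on, showing the rule that Primary:SambaGPG counts as current only when it is the last package. The byte layout follows librpc/idl/drsblobs.idl as I remember it (three uint32 header words, a 48 character UTF-16 space prefix, uint16 signature 0x50, uint16 package count, then packages of name_len/data_len/reserved followed by a UTF-16 name and upper-case hex data, and a trailing zero byte); the prefix and signature constants and the reserved values in the sample are assumptions, and the sample packages are constructed, not taken from a real directory.

```python
import struct

# ASSUMED from drsblobs.idl: SUPPLEMENTAL_CREDENTIALS_PREFIX is 0x30 spaces
# and SUPPLEMENTAL_CREDENTIALS_SIGNATURE is 0x50.
PREFIX = " " * 0x30
SIGNATURE = 0x50
GPG_PACKAGE = "Primary:SambaGPG"


def build_blob(packages):
    """Encode [(name, raw_data_bytes, reserved), ...] as a supplementalCredentials
    value: names as UTF-16LE, package data upper-case hex-encoded."""
    body = b""
    for name, data, reserved in packages:
        name_u16 = name.encode("utf-16-le")
        data_hex = data.hex().upper().encode("ascii")
        body += struct.pack("<HHH", len(name_u16), len(data_hex), reserved)
        body += name_u16 + data_hex
    sub = PREFIX.encode("utf-16-le") + struct.pack("<HH", SIGNATURE, len(packages)) + body
    # outer header: unknown1 (0), size of the sub blob, unknown2 (0); trailing unknown3 byte
    return struct.pack("<III", 0, len(sub), 0) + sub + b"\x00"


def parse_blob(blob):
    """Decode a supplementalCredentials value into [(name, raw_data_bytes, reserved), ...]
    in stored order, rejecting malformed input instead of guessing."""
    if len(blob) < 12:
        raise ValueError("blob too short for header")
    unknown1, size, unknown2 = struct.unpack_from("<III", blob, 0)
    if unknown1 != 0 or unknown2 != 0:
        raise ValueError("unexpected header values")
    sub = blob[12:12 + size]
    if len(sub) != size:
        raise ValueError("sub blob truncated")
    off = len(PREFIX) * 2
    if size < off + 4:
        raise ValueError("sub blob too short for prefix and signature")
    if sub[:off].decode("utf-16-le", "replace") != PREFIX:
        raise ValueError("bad prefix")
    signature, count = struct.unpack_from("<HH", sub, off)
    off += 4
    if signature != SIGNATURE:
        raise ValueError("bad signature 0x%x" % signature)
    packages = []
    for _ in range(count):
        if off + 6 > size:
            raise ValueError("package header truncated")
        name_len, data_len, reserved = struct.unpack_from("<HHH", sub, off)
        off += 6
        if off + name_len + data_len > size:
            raise ValueError("package body truncated")
        name = sub[off:off + name_len].decode("utf-16-le")
        off += name_len
        data = bytes.fromhex(sub[off:off + data_len].decode("ascii"))
        off += data_len
        packages.append((name, data, reserved))
    if off != size:
        raise ValueError("trailing bytes inside sub blob")
    return packages


def current_samba_gpg(packages):
    """Return the Primary:SambaGPG payload only when it is the LAST package.
    Per commit 763acdc that position marks it as matching the current password;
    a password change on a Windows DC keeps the stale value but moves it to the
    front, so a leading copy is treated as outdated and None is returned."""
    if not packages or packages[-1][0] != GPG_PACKAGE:
        return None
    return packages[-1][1]


if __name__ == "__main__":
    # constructed sample; reserved values and payload bytes are made up
    sample = [
        ("Primary:Kerberos", b"\x01\x02\x03", 2),
        ("Packages", b"\x00", 1),
        (GPG_PACKAGE, b"\x85\x02\x0c\x03", 2),
    ]
    print(current_samba_gpg(parse_blob(build_blob(sample))))
```

The parser deliberately fails closed on any length mismatch: a tool that decrypts password material should not silently skip over bytes it does not understand.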
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 1 +
.travis.yml | 2 +-
WHATSNEW.txt | 54 +-
auth/credentials/pycredentials.c | 85 +-
docs-xml/manpages/samba-tool.8.xml | 12 +
docs-xml/smbdotconf/security/ntlmauth.xml | 10 +-
.../smbdotconf/security/passwordhashgpgkeyids.xml | 45 +
docs-xml/smbdotconf/security/unixpasswordsync.xml | 10 +-
lib/param/loadparm.c | 2 +-
librpc/idl/drsblobs.idl | 8 +
python/samba/netcmd/user.py | 1309 ++++++++++++++++++++
python/samba/tests/samba_tool/user.py | 171 ++-
selftest/gnupg/gpg.conf | 4 +
selftest/gnupg/pubring.gpg | Bin 0 -> 1214 bytes
selftest/gnupg/secring.gpg | Bin 0 -> 2516 bytes
selftest/gnupg/trustdb.gpg | Bin 0 -> 1280 bytes
selftest/knownfail | 3 +-
selftest/selftest.pl | 1 +
selftest/target/Samba3.pm | 3 +
selftest/target/Samba4.pm | 33 +
source3/param/loadparm.c | 2 +-
source3/script/tests/test_smbclient_auth.sh | 18 +-
source3/selftest/tests.py | 9 +-
source3/utils/ntlm_auth.c | 1 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 242 +++-
source4/dsdb/samdb/ldb_modules/wscript | 32 +
.../dsdb/samdb/ldb_modules/wscript_build_server | 2 +-
source4/selftest/tests.py | 1 +
source4/torture/ndr/drsblobs.c | 101 ++
wscript | 2 +
30 files changed, 2124 insertions(+), 39 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
create mode 100644 selftest/gnupg/gpg.conf
create mode 100644 selftest/gnupg/pubring.gpg
create mode 100644 selftest/gnupg/secring.gpg
create mode 100644 selftest/gnupg/trustdb.gpg
create mode 100644 source4/dsdb/samdb/ldb_modules/wscript
Changeset truncated at 500 lines:
diff --git a/.gitignore b/.gitignore
index 33e8fc5..46c01af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,6 +17,7 @@ autom4te.cache
*.patch
*.pyc
semantic.cache
+/selftest/gnupg/random_seed
/pidl/blib
/pidl/cover_db
/pidl/Makefile
diff --git a/.travis.yml b/.travis.yml
index cf1b0d2..483ad50 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ matrix:
before_install:
- sudo apt-get update -qq
- - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python3-crypto python3-dev python3-dnspython realpath screen xsltproc zlib1g-dev
+ - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python-gpgme python3-crypto python3-dev python3-dnspython python3-gpgme realpath screen xsltproc zlib1g-dev
script:
- git fetch --unshallow
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7d2405b..505d28b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -12,7 +12,19 @@ Samba 4.5 will be the next version of the Samba suite.
UPGRADING
=========
-Nothing special.
+NTLMv1 authentication disabled by default
+-----------------------------------------
+
+In order to improve security we have changed
+the default value for the "ntlm auth" option from
+"yes" to "no". This may have impact on very old
+client which doesn't support NTLMv2 yet.
+
+The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.
+
+By default Samba will only allow NTLMv2 via NTLMSSP now,
+as we have the following default "lanman auth = no",
+"ntlm auth = no" and "raw NTLMv2 auth = no".
NEW FEATURES/CHANGES
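Review bot: the new UPGRADING text says the default moved but not what an administrator has to do about it; since the paragraph itself names MSCHAPv2 for VPNs and 802.1x (via ntlm_auth) as the main NTLMv1 user, it should say that those setups stop authenticating after the upgrade unless "ntlm auth = yes" is set explicitly in smb.conf. While there, fix the grammar: "This may have an impact on very old clients which do not support NTLMv2 yet." and "as we now have the following defaults: "lanman auth = no", "ntlm auth = no" and "raw NTLMv2 auth = no"."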
@@ -146,6 +158,26 @@ descriptors having file locks are opened onto the same file. An internal
tunable "smbd:force process locks = true" may be used to turn off OFD
locks if there appear to be problems with them.
+Password sync as active directory domain controller
+---------------------------------------------------
+
+The new commands 'samba-tool user getpassword'
+and 'samba-tool user syncpasswords' provide
+access and syncing of various password fields.
+
+If compiled with GPGME support (--with-gpgme) it's
+possible to store cleartext passwords in a PGP/OpenGPG
+encrypted form by configuring the new "password hash gpg key ids"
+option. This requires gpgme devel and python packages to be installed
+(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu).
+
+Python crypto requirements
+--------------------------
+
+Some samba-tool subcommands require python-crypto and/or
+python-m2crypto packages to be installed.
+
+
REMOVED FEATURES
================
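Review bot: "PGP/OpenGPG" is a typo for OpenPGP (the same string is in passwordhashgpgkeyids.xml). More importantly, release notes are where administrators will read about this, so the section should state the consequence plainly: once "password hash gpg key ids" is set, the cleartext of every password changed afterwards is recoverable by whoever holds the matching private key, and the encrypted value is part of supplementalCredentials and therefore of replication data and backups. Repeat the smb.conf advice that only the public key belongs in the DC's GNUPGHOME.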
@@ -154,15 +186,19 @@ only user and username parameters
These two parameters have long been deprecated and superseded by
"valid users" and "invalid users".
+
smb.conf changes
-----------------
-
- Parameter Name Description Default
- -------------- ----------- -------
- only user Removed
- username Removed
- kccsrv:samba_kcc Changed default true
- smb2 leases Changed default yes
+================
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ kccsrv:samba_kcc Changed default yes
+ ntlm auth Changed default no
+ only user Removed
+ password hash gpg key ids New
+ smb2 leases Changed default yes
+ username Removed
+
KNOWN ISSUES
============
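Review bot: the underline under "smb.conf changes" is changed from dashes to equals signs, which promotes it from a subsection of REMOVED FEATURES to a top-level section on the same level as KNOWN ISSUES; the table below it still contains the removed parameters, so either the promotion is intended and the wording around it should be adjusted, or the dashes should stay. The kccsrv:samba_kcc default also changes from "true" to "yes" in the table with no mention in the commit message; both spell the same boolean, so pick the form the rest of the table uses deliberately rather than as a side effect of the rewrite.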
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 1344391..43fba37 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -64,7 +64,6 @@ static PyObject *py_creds_get_password(PyObject *self, PyObject *unused)
return PyString_FromStringOrNULL(cli_credentials_get_password(PyCredentials_AsCliCredentials(self)));
}
-
static PyObject *py_creds_set_password(PyObject *self, PyObject *args)
{
char *newval;
@@ -79,6 +78,78 @@ static PyObject *py_creds_set_password(PyObject *self, PyObject *args)
return PyBool_FromLong(cli_credentials_set_password(PyCredentials_AsCliCredentials(self), newval, obt));
}
+static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args)
+{
+ enum credentials_obtained obt = CRED_SPECIFIED;
+ int _obt = obt;
+ PyObject *newval = NULL;
+ DATA_BLOB blob = data_blob_null;
+ Py_ssize_t size = 0;
+ int result;
+ bool ok;
+
+ if (!PyArg_ParseTuple(args, "O|i", &newval, &_obt)) {
+ return NULL;
+ }
+ obt = _obt;
+
+ result = PyBytes_AsStringAndSize(newval, (char **)&blob.data, &size);
+ if (result != 0) {
+ PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
+ return NULL;
+ }
+ blob.length = size;
+
+ ok = cli_credentials_set_utf16_password(PyCredentials_AsCliCredentials(self),
+ &blob, obt);
+
+ return PyBool_FromLong(ok);
+}
+
+static PyObject *py_creds_get_old_password(PyObject *self, PyObject *unused)
+{
+ return PyString_FromStringOrNULL(cli_credentials_get_old_password(PyCredentials_AsCliCredentials(self)));
+}
+
+static PyObject *py_creds_set_old_password(PyObject *self, PyObject *args)
+{
+ char *oldval;
+ enum credentials_obtained obt = CRED_SPECIFIED;
+ int _obt = obt;
+
+ if (!PyArg_ParseTuple(args, "s|i", &oldval, &_obt)) {
+ return NULL;
+ }
+ obt = _obt;
+
+ return PyBool_FromLong(cli_credentials_set_old_password(PyCredentials_AsCliCredentials(self), oldval, obt));
+}
+
+static PyObject *py_creds_set_old_utf16_password(PyObject *self, PyObject *args)
+{
+ PyObject *oldval = NULL;
+ DATA_BLOB blob = data_blob_null;
+ Py_ssize_t size = 0;
+ int result;
+ bool ok;
+
+ if (!PyArg_ParseTuple(args, "O", &oldval)) {
+ return NULL;
+ }
+
+ result = PyBytes_AsStringAndSize(oldval, (char **)&blob.data, &size);
+ if (result != 0) {
+ PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
+ return NULL;
+ }
+ blob.length = size;
+
+ ok = cli_credentials_set_old_utf16_password(PyCredentials_AsCliCredentials(self),
+ &blob);
+
+ return PyBool_FromLong(ok);
+}
+
static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused)
{
return PyString_FromStringOrNULL(cli_credentials_get_domain(PyCredentials_AsCliCredentials(self)));
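Review bot: in py_creds_set_utf16_password and py_creds_set_old_utf16_password the PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes") overwrites the TypeError that PyBytes_AsStringAndSize has already set, so a caller passing a str on Python 3 sees a RuntimeError with a vaguer message; just return NULL and keep the original exception. set_old_utf16_password also parses only "O" while set_utf16_password parses "O|i", so the two siblings take different argument lists; that is fine if cli_credentials_set_old_utf16_password has no obtained parameter, but the method table should then not document one. Finally blob.data points into the Python object's own buffer, so this depends on cli_credentials_set_utf16_password copying the data rather than keeping the pointer; a one-line comment saying so would help the next reader.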
@@ -398,6 +469,18 @@ static PyMethodDef py_creds_methods[] = {
{ "set_password", py_creds_set_password, METH_VARARGS,
"S.set_password(password, obtained=CRED_SPECIFIED) -> None\n"
"Change password." },
+ { "set_utf16_password", py_creds_set_utf16_password, METH_VARARGS,
+ "S.set_utf16_password(password, obtained=CRED_SPECIFIED) -> None\n"
+ "Change password." },
+ { "get_old_password", py_creds_get_old_password, METH_NOARGS,
+ "S.get_old_password() -> password\n"
+ "Obtain old password." },
+ { "set_old_password", py_creds_set_old_password, METH_VARARGS,
+ "S.set_old_password(password, obtained=CRED_SPECIFIED) -> None\n"
+ "Change old password." },
+ { "set_old_utf16_password", py_creds_set_old_utf16_password, METH_VARARGS,
+ "S.set_old_utf16_password(password, obtained=CRED_SPECIFIED) -> None\n"
+ "Change old password." },
{ "get_domain", py_creds_get_domain, METH_NOARGS,
"S.get_domain() -> domain\n"
"Obtain domain name." },
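Review bot: the four new docstrings say "-> None" but every one of these functions returns a bool via PyBool_FromLong (the existing set_password entry they were copied from has the same mismatch); say "-> bool". "S.set_old_utf16_password(password, obtained=CRED_SPECIFIED)" also documents an obtained argument that py_creds_set_old_utf16_password, which parses only "O", does not accept; either add "|i" to the parser or drop the argument from the docstring.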
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 3416ecf..dea984f 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -587,6 +587,18 @@
<para>Sets or resets the password of an user account.</para>
</refsect3>
+<refsect3>
+ <title>user getpassword <replaceable>username</replaceable> [options]</title>
+ <para>Gets the password of an user account.</para>
+</refsect3>
+
+<refsect3>
+ <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title>
+ <para>Syncs the passwords of all user accounts, using an optional script.</para>
+ <para>Note that this command should run on a single domain controller only
+ (typically the PDC-emulator).</para>
+</refsect3>
+
<refsect2>
<title>vampire [options] <replaceable>domain</replaceable></title>
<para>Join and synchronise a remote AD domain to the local server.
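Review bot: "Gets the password of an user account" should read "of a user account" (the existing "Sets or resets the password of an user account" line above has the same slip and can be fixed in the same hunk). In the syncpasswords title, <replaceable>--cache-ldb-initialize</replaceable> marks a literal option as user-supplied text; the DocBook element for a literal flag is <option>, and since the text describes an optional script as well, the title should either explain what --cache-ldb-initialize does or fall back to plain [options]. Neither entry mentions --decrypt-samba-gpg or the virtualClearTextUTF16/virtualCryptSHA512/virtualSSHA style attributes that the commit messages describe, and the man page is where users will look for them.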
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 6af1908..884ee9d 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -12,8 +12,14 @@
<para>If this option, and <command moreinfo="none">lanman
auth</command> are both disabled, then only NTLMv2 logins will be
permited. Not all clients support NTLMv2, and most will require
- special configuration to use it.</para>
+ special configuration to use it.</para>
+
+ <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para>
+
+ <para>The default changed from "yes" to "no" with Samba 4.5.</para>
</description>
-<value type="default">yes</value>
+<related>lanman auth</related>
+<related>raw NTLMv2 auth</related>
+<value type="default">no</value>
</samba:parameter>
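Review bot: the context line "permited" is a typo for "permitted"; since the closing line of that paragraph is already being rewritten here, fix it in the same hunk. With the new default, the sentence "If this option, and lanman auth are both disabled, then only NTLMv2 logins will be permitted" now describes the shipped configuration, so it would be clearer to say that explicitly and to note next to "The default changed from "yes" to "no" with Samba 4.5." that MSCHAPv2 users need to set the option back to "yes" themselves.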
diff --git a/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
new file mode 100644
index 0000000..e53cdbe
--- /dev/null
+++ b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
@@ -0,0 +1,45 @@
+<samba:parameter name="password hash gpg key ids"
+ context="G"
+ type="cmdlist"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>If <command moreinfo="none">samba</command> is running as an
+ active directory domain controller, it is possible to store the
+ cleartext password of accounts in a PGP/OpenGPG encrypted form.</para>
+
+ <para>You can specify one or more recipients by key id or user id.
+ Note that 32bit key ids are not allowed, specify at least 64bit.</para>
+
+ <para>The value is stored as 'Primary:SambaGPG' in the
+ <command moreinfo="none">supplementalCredentials</command> attribute.</para>
+
+ <para>As password changes can occur on any domain controller,
+ you should configure this on each of them. Note that this feature is currently
+ available only on Samba domain controllers.</para>
+
+ <para>This option is only available if <command moreinfo="none">samba</command>
+ was compiled with <command moreinfo="none">gpgme</command> support.</para>
+
+ <para>You may need to export the <command moreinfo="none">GNUPGHOME</command>
+ environment variable before starting <command moreinfo="none">samba</command>.
+ <emphasis>It is strongly recommended to only store the public key in this
+ location. The private key is not used for encryption and should be
+ only stored where decryption is required.</emphasis></para>
+
+ <para>Being able to restore the cleartext password helps, when they need to be imported
+ into other authentication systems later (see <command moreinfo="none">samba-tool user getpassword</command>)
+ or you want to keep the passwords in sync with another system, e.g. an OpenLDAP server
+ (see <command moreinfo="none">samba-tool user syncpasswords</command>).</para>
+
+ <para>While this option needs to be configured on all domain controllers, the
+ <command moreinfo="none">samba-tool user syncpasswords</command> command should
+ run on a single domain controller only (typically the PDC-emulator).</para>
+</description>
+
+<related>unix password sync</related>
+
+<value type="default"></value>
+<value type="example">4952E40301FAB41A</value>
+<value type="example">selftest at samba.example.com</value>
+<value type="example">selftest at samba.example.com, 4952E40301FAB41A</value>
+</samba:parameter>
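Review bot: "PGP/OpenGPG" should be "OpenPGP". The recipient list accepts user ids, and a user id is matched against whatever keys are present in GNUPGHOME, so any additional key imported there with the same user id silently becomes a recipient as well; the text should recommend the full fingerprint rather than an id (the "at least 64bit" minimum it states is good advice but key-id collisions remain possible) and say whether the key must be marked trusted in that keyring, since gpg by default refuses to encrypt to an untrusted key. The paragraph about GNUPGHOME and keeping only the public key on the DC is the most important one on the page and belongs nearer the top; also state once, plainly, that enabling this makes the cleartext of every subsequently changed password recoverable by the private-key holder and that the value replicates and ends up in backups with the rest of supplementalCredentials. The example value "selftest at samba.example.com" looks like an address with the "@" mangled by the mail archive; check the committed XML has the real address.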
diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml
index 321ece5..89b0158 100644
--- a/docs-xml/smbdotconf/security/unixpasswordsync.xml
+++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml
@@ -9,12 +9,18 @@
If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd
program</parameter> parameter is called <emphasis>AS ROOT</emphasis> -
to allow the new UNIX password to be set without access to the
- old UNIX password (as the SMB password change code has no
- access to the old password cleartext, only the new).</para>
+ old UNIX password (as the SMB password change code has no
+ access to the old password cleartext, only the new).</para>
+
+ <para>This option has no effect if <command moreinfo="none">samba</command>
+ is running as an active directory domain controller, in that case have a
+ look at the <smbconfoption name="password hash gpg key ids"/> option and the
+ <command moreinfo="none">samba-tool user syncpasswords</command> command.</para>
</description>
<related>passwd program</related>
<related>passwd chat</related>
+<related>password hash gpg key ids</related>
<value type="default">no</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 548d105..5f4610e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
- lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+ lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl
index 645ec38..09168a8 100644
--- a/librpc/idl/drsblobs.idl
+++ b/librpc/idl/drsblobs.idl
@@ -445,6 +445,14 @@ interface drsblobs {
[in] package_PrimaryWDigestBlob blob
);
+ typedef [public] struct {
+ [flag(NDR_REMAINING)] DATA_BLOB gpg_blob;
+ } package_PrimarySambaGPGBlob;
+
+ void decode_PrimarySambaGPG(
+ [in] package_PrimarySambaGPGBlob blob
+ );
+
typedef struct {
[value(0)] uint32 size;
} AuthInfoNone;
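Review bot: package_PrimarySambaGPGBlob is a bare NDR_REMAINING DATA_BLOB with no version or format marker, which is fine as long as every consumer treats it as opaque, but a one-line IDL comment saying the content is an OpenPGP-encrypted UTF-16 cleartext password (as the commit message states) would save the next reader a trip to password_hash.c. decode_PrimarySambaGPG follows the pattern of the other decode_ helpers, so the NDR torture test added in 88e968c can exercise it.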
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index e087de8..5adc287 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -20,13 +20,28 @@
import samba.getopt as options
import ldb
import pwd
+import os
+import sys
+import fcntl
+import signal
+import errno
+import time
+import base64
+import binascii
+from subprocess import Popen, PIPE, STDOUT
from getpass import getpass
from samba.auth import system_session
from samba.samdb import SamDB
+from samba.dcerpc import misc
+from samba.dcerpc import security
+from samba.dcerpc import drsblobs
+from samba.ndr import ndr_unpack, ndr_pack, ndr_print
from samba import (
+ credentials,
dsdb,
gensec,
generate_random_password,
+ Ldb,
)
from samba.net import Net
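Review bot: get_crypt_value further down calls crypt.crypt(utf8pw, crypt_salt), but no "import crypt" appears in this import hunk; if it is imported in the part of the diff cut off by the 500-line truncation this is fine, otherwise the first request for virtualCryptSHA256 or virtualCryptSHA512 raises NameError rather than being reported as unsupported.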
@@ -38,6 +53,127 @@ from samba.netcmd import (
)
+try:
+ import io
+ import gpgme
+ gpgme_support = True
+ decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source"
+except ImportError as e:
+ gpgme_support = False
+ decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \
+ "python-gpgme required"
+
+disabled_virtual_attributes = {
+ }
+
+virtual_attributes = {
+ "virtualClearTextUTF8": {
+ "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
+ },
+ "virtualClearTextUTF16": {
+ "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
+ },
+ "virtualSambaGPG": {
+ "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF,
+ },
+ }
+
+get_random_bytes_fn = None
+if get_random_bytes_fn is None:
+ try:
+ import Crypto.Random
+ get_random_bytes_fn = Crypto.Random.get_random_bytes
+ except ImportError as e:
+ pass
+if get_random_bytes_fn is None:
+ try:
+ import M2Crypto.Rand
+ get_random_bytes_fn = M2Crypto.Rand.rand_bytes
+ except ImportError as e:
+ pass
+
+def check_random():
+ if get_random_bytes_fn is not None:
+ return None
+ return "Crypto.Random or M2Crypto.Rand required"
+
+def get_random_bytes(num):
+ random_reason = check_random()
+ if random_reason is not None:
+ raise ImportError(random_reason)
+ return get_random_bytes_fn(num)
+
+def get_crypt_value(alg, utf8pw):
+ algs = {
+ "5": {"length": 43},
+ "6": {"length": 86},
+ }
+ assert alg in algs
+ salt = get_random_bytes(16)
+ # The salt needs to be in [A-Za-z0-9./]
+ # base64 is close enough and as we had 16
+ # random bytes but only need 16 characters
+ # we can ignore the possible == at the end
+ # of the base64 string
+ # we just need to replace '+' by '.'
+ b64salt = base64.b64encode(salt)
+ crypt_salt = "$%s$%s$" % (alg, b64salt[0:16].replace('+', '.'))
+ crypt_value = crypt.crypt(utf8pw, crypt_salt)
+ if crypt_value is None:
+ raise NotImplementedError("crypt.crypt(%s) returned None" % (crypt_salt))
+ expected_len = len(crypt_salt) + algs[alg]["length"]
+ if len(crypt_value) != expected_len:
+ raise NotImplementedError("crypt.crypt(%s) returned a value with length %d, expected length is %d" % (
+ crypt_salt, len(crypt_value), expected_len))
+ return crypt_value
+
+try:
+ random_reason = check_random()
+ if random_reason is not None:
+ raise ImportError(random_reason)
+ import hashlib
+ h = hashlib.sha1()
+ h = None
+ virtual_attributes["virtualSSHA"] = {
+ }
+except ImportError as e:
+ reason = "hashlib.sha1()"
+ if random_reason:
+ reason += " and " + random_reason
+ reason += " required"
+ disabled_virtual_attributes["virtualSSHA"] = {
+ "reason" : reason,
+ }
+
+for (alg, attr) in [("5", "virtualCryptSHA256"), ("6", "virtualCryptSHA512")]:
+ try:
+ random_reason = check_random()
+ if random_reason is not None:
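Review bot: get_random_bytes_fn is only ever Crypto.Random.get_random_bytes or M2Crypto.Rand.rand_bytes, and when neither package is installed virtualSSHA and the virtualCrypt* attributes are disabled; os.urandom provides the same kernel CSPRNG output on every platform Samba runs on with no extra dependency, which would also remove the python-crypto/python-m2crypto requirement this series adds to WHATSNEW. In get_crypt_value, base64.b64encode(salt) returns bytes on Python 3, so b64salt[0:16].replace('+', '.') raises TypeError there and the "%s" formatting would otherwise yield "b'...'"; decode to ASCII first (the .travis.yml change installs python3-gpgme, so Python 3 is clearly in scope). "assert alg in algs" is input validation that disappears under python -O; raise ValueError instead. The salt construction itself is sound: 16 random bytes base64-encode to 22 data characters before any padding, and '+' is the only character of that alphabet outside the crypt salt set.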
--
Samba Shared Repository