[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Jun 30 05:17:03 UTC 2016
The branch, master has been updated
via 4406cf7 krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
via 0fd4943 netlogon.idl: make netr_SidAttr public
via 74bccb3 auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper
via 3b94fde s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()
via 5128a87 s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()
via 49bc18f auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()
via a872670 auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo2() helper function
via aee33fc auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo6() and implement level 3 as wrapper
via 3eba60a auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
via b8068e0 auth/wbc_auth_util: fill in base.logon_domain in wbcAuthUserInfo_to_netr_SamInfo3()
via 5ddf5ad auth/auth_sam_reply: let make_user_info_dc_netlogon_validation() correctly handle level 6
via b67ea0e s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()
via 6257003 s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
via 432e83b s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
via b6c4c08 auth.idl: add user_principal_* and dns_domain_name to auth_user_info
via 70cc56d lib/param: add lpcfg_sam_dnsname() helper function
via 193de1c s4:dsdb/tests: let password_lockout.py verify the logonCount values
via 20ad79f s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction
via 72d16f9 s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow
via ca874c2 s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()
via 4b35d54 s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()
via 2c46122 s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments
via a37eef6 s4:dsdb/tests: let password_lockout.py use userpass variables in all functions
via e760319 s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
via f03d490 s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
via da4e419 s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
via 73fb24c s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
via 860c6b1 s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
via f301623 s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
via a9722a1 s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
via 025e573 s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user
via 26a96d2 s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
via 7b7d7be s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
via 27d6846 s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
via 58173f2 s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
via 9e6c22d s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow
via 853c2a6 s4:auth/sam: update the logonCount for interactive logons
via 869616c s4:auth/sam: don't update lastLogon just because it's 0 currently
via 1acd477 s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
via a35a5e9 s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
via 8a74d8e test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable
via 5e4928c test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths
via cc262af samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard-required'
via 04f8ee3 samba-tool: do a password retype validation check for 'samba-tool user setpassword'
via 7ffffc9 samba-tool: add --smartcard-required option to 'samba-tool user create'
via 9a81861 samdb.py: add smartcard_required option to newuser()
via 8ac4218 s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
via b73cb40 s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
via f9989f2 s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
via e81d25a s4:dsdb/common: remove unused samdb_result_force_password_change()
via a5efb21 s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
via 86b9bf9 s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
via 9be4860 s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
via fdcdf34 krb5pac.idl: add PAC_CREDENTIAL related structures
via 92141c6 s4:kdc: add some const to samba_get_logon_info_pac_blob()
via 4034c0a auth/auth_sam_reply: add some const to input parameters
from 4524f59 tsocket: Do not dereference a NULL pointer
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 4406cf792a599724f55777a45efb6367a9bd92b2
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 20 14:16:35 2016 +0200
krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
commit 0fd4943ea150ecc499fb4b49e836c86ec59ec714
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 20 14:18:35 2016 +0200
netlogon.idl: make netr_SidAttr public
It will be used in krb5pac.idl soon.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 74bccb3be1cd6fab808dac5e25c587238d850990
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 16:06:25 2016 +0100
auth/auth_sam_reply: make auth_convert_user_info_dc_sambaseinfo() a private helper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b94fde963be2c4e4dcd03cc020428383a809eeb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:59:49 2016 +0100
s4:rpc_server/netlogon: make use of auth_convert_user_info_dc_saminfo{2,6}()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5128a874c8089aacd9c7618196c52b2e4f0af86c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:59:03 2016 +0100
s4:rpc_server/netlogon: initialize pointer to NULL in dcesrv_netr_LogonSamLogon_base()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 49bc18f5d229a2b3eb8bbf504e2771bbd17a6325
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:46:10 2016 +0100
auth/auth_sam_reply: do a real copy of strings in auth_convert_user_info_dc_sambaseinfo()
That's much more expected by callers.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a872670fd6ccbd375f40ccacf29c74c8c9be9206
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:23:56 2016 +0100
auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo2() helper function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aee33fc38ab496af621df770c91b5d05e17ff617
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:15:14 2016 +0100
auth/auth_sam_reply: add auth_convert_user_info_dc_saminfo6() and implement level 3 as wrapper
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3eba60aa65e23d31cc97021305a19ff0e25b111c
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:10:26 2016 +0100
auth/wbc_auth_util: change wbcAuthUserInfo_to_netr_SamInfo* from level 3 to 6
This includes user_principal_name and dns_domain_name.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b8068e01999b2c1b5a13baea458f60f999cc6564
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:13:09 2016 +0100
auth/wbc_auth_util: fill in base.logon_domain in wbcAuthUserInfo_to_netr_SamInfo3()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5ddf5add81ac8d1c989c578e2dcbf7b0b4e6714e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:06:46 2016 +0100
auth/auth_sam_reply: let make_user_info_dc_netlogon_validation() correctly handle level 6
We need to take care of extra sids in level 3 and 6!
And level 6 also includes user_principal_name and dns_domain_name.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b67ea0e12310979c02b1837e2179573cb081e151
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 15:01:16 2016 +0100
s4:auth/kerberos: improve error message in kerberos_pac_to_user_info_dc()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6257003dff558f5736eb89fc909b623aadd121c9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 14:55:07 2016 +0100
s4:auth: fill user_principal_* and dns_domain_name in authsam_make_user_info_dc()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 432e83bf5bebd9f4fadb98fcadb82a32eb1b88ed
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 14:52:25 2016 +0100
s4:auth: make use of lpcfg_sam_name() in authsam_get_user_info_dc_principal()
This is more generic and matches all other places.
As this is only used in the KDC it's not a real logic change.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6c4c0853633ce0090c3d5d9eecedb4c77b7d9cb
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 14:46:24 2016 +0100
auth.idl: add user_principal_* and dns_domain_name to auth_user_info
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 70cc56d3e702fa25a661bed41842684f9b5c6282
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 14:40:02 2016 +0100
lib/param: add lpcfg_sam_dnsname() helper function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 193de1c0e985c384e13f410806f218f8d46fa8f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py verify the logonCount values
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 20ad79fecb87829b1e2b420eb69762372be4f668
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py validate the lastLogon and lastLogonTimestamp interaction
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72d16f9900d991e930f674e47f7646bb0253b5ab
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py test with all combinations of krb5, ntlmssp and lockOutObservationWindow
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ca874c200e9672a5180f2457f93db290fe1276a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py verify more fields in _readd_user()
The results differ depending on Kerberos or NTLMSSP usage
and the lockOutObservationWindow.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b35d540fa50bece2b832d78b6ca2f89fcddff20
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py copy user{name,pass} from the template in insta_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2c4612243a68cc05e9edeb5e965aaed4519efd85
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use creds and other_ldb as function arguments
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a37eef6b7de08d9220558e58218d6b0c282e1f34
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use userpass variables in all functions
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e760319526a84058cfc70b77b163d73410be3e26
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use other_ldb variables instead of self.ldb3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f03d490b7be48e5758189d6b3d76e51b6297f37b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use userdn variables in all functions
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit da4e419adf50080e3a1f4f5bbcb462fcf7133fa1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py make use of self.addCleanup() to cleanup objects
This is easier than doing it by hand...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 73fb24c2e4fdd167032771fb15dc09e20791385e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use _readd_user() for testuser3 too
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 860c6b1e8f53ccb64038d89297b08db824420ec4
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py pass creds as argument to _readd_user()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f301623550deee7ec9d651af02a042ae76b458a0
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py use user{name,pass,dn} variables in _readd_user()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a9722a17ee06de3b47b917bfb22761728ce621aa
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py pass username,userpass optionally to insta_creds()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 025e573d84cc0ac69defad06c045c81fed5ab1e6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py let _readd_user() return the ldb connection as user
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 26a96d296420246f428584681485bb07de094063
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py make use of the _readd_user() helper function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7b7d7be244e8951778434037ef878c3bb13629d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py add a _readd_user() helper function
This is a complete copy of the code that's currently inline.
I'm doing this in multiple steps in order to keep the diff
in a reviewable state.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 27d68469e27536270c1a0c0a06430cd32a4816b5
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py make the LDAP error string checks more useful
We should first check if the error number is as expected and
then check for a specific WERROR in the error string.
We also add the full error string as msg to assertTrue(),
so we'll actually see it if the assertion is wrong.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 58173f28aeb78c8346b6a55424617085079cc7a6
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py cross-check the lastLogon value with samr
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9e6c22dbbe5a2da93bf2aa1beea3e5a0e23a2ae3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 5 08:37:53 2016 +0100
s4:dsdb/tests: let password_lockout.py reduce the values for lockoutDuration and lockOutObservationWindow
This reduces the runtime of the test while still producing reliable results.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 853c2a6d8a82f83f0c7fb996839eead724dd8661
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 3 19:33:51 2016 +0100
s4:auth/sam: update the logonCount for interactive logons
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 869616ceb913d90ce0108fc8ccd97ae0844fd66c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 3 19:33:51 2016 +0100
s4:auth/sam: don't update lastLogon just because it's 0 currently
Non interactive logons doesn't trigger an update
unless the (effective) badPwdCount is not 0 and lockoutTime is 0.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1acd477960dc30e6a3b9d6480a2d78437520a959
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 3 19:33:51 2016 +0100
s4:auth/sam: only reset badPwdCount when the effetive value is not 0 already
Non interactive logons doesn't reset badPwdCount to 0
when the effective badPwdCount is already 0
(with (badPasswordTime + lockOutObservationWindows) < now).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a35a5e90223604aaa15bd14b42a67f39dd34e047
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 29 13:20:12 2016 +0200
s4:dsdb: add some const to {samdb_result,dsdb}_effective_badPwdCount()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8a74d8e26696c66bed66d4c9953f58134a7032dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 3 18:19:40 2016 +0200
test_pkinit_heimdal.sh: add a FILE: prefix to the KRB5CCNAME variable
This makes the tests more robust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e4928c36638761e21cdea7f760cada1b331d263
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 19:23:27 2016 +0200
test_pkinit_heimdal.sh: add a helper VARIABLE to store the certificate paths
We also don't need the separation of admincert.pem and admincertupn.pem
anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cc262afe1cf26e92f3ae083e69ef90f25a762d6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 15:15:15 2016 +0200
samba-tool: add 'samba-tool user setpassword --smartcard-required/--clear-smartcard-required'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 04f8ee3ab34bc4dc3b1993dece24c7c407df92d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 14:25:12 2016 +0200
samba-tool: do a password retype validation check for 'samba-tool user setpassword'
This matches the behavior of 'samba-tool user create' and 'samba-tool user password'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7ffffc93f973a3f7135c1eca425a200769ea5780
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 14:19:37 2016 +0200
samba-tool: add --smartcard-required option to 'samba-tool user create'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a8186167ebec9d8fd4aeef846d77bc102408f14
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 14:17:17 2016 +0200
samdb.py: add smartcard_required option to newuser()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8ac4218690a4d6ea5251388ba55b4eaf88887b3e
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 17:47:12 2016 +0200
s4:kdc: don't allow interactive password logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b73cb40dd280e815549ce99e4a44a1b39b5094d4
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 14:14:06 2016 +0200
s4:auth_sam: don't allow interactive logons with UF_SMARTCARD_REQUIRED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9989f21422e3ec5877003a15eaa5515994dab99
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 2 18:13:40 2016 +0200
s3:winbindd: pass 'interactive' down through winbindd_dual_auth_passdb()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e81d25a8709ee5e25d8ad37fdb56dc7f5445be11
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 4 00:53:45 2016 +0200
s4:dsdb/common: remove unused samdb_result_force_password_change()
The logic is incomplete and the correct logic is already available
via the constructed "msDS-UserPasswordExpiryTimeComputed" attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5efb21a53b8c890490c98229842a333a1158d2e
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 4 00:48:56 2016 +0200
s4:kdc: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 86b9bf95916b307bd081af4c61ef00d461e60bdc
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 4 00:48:56 2016 +0200
s4:rpc_server/samr: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9be48605117e0d7807b07823b63a3e5b3dab2f90
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Jun 4 00:48:56 2016 +0200
s4:auth/sam: use "msDS-UserPasswordExpiryTimeComputed" instead of samdb_result_force_password_change()
The logic in samdb_result_force_password_change() is incomplete
and the correct logic is already available via the constructed
"msDS-UserPasswordExpiryTimeComputed" attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fdcdf349473430b590a7a2ea8d1ba663e46b9b98
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon May 2 08:36:39 2016 +0200
krb5pac.idl: add PAC_CREDENTIAL related structures
See [MS-PAC] 2.6 PAC Credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 92141c6b0304125216a502490f4bd7b8b6f11e65
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri May 13 14:20:07 2016 +0200
s4:kdc: add some const to samba_get_logon_info_pac_blob()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4034c0a8ea818b9b956bae64bcd43fb477351d56
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jan 7 14:50:27 2016 +0100
auth/auth_sam_reply: add some const to input parameters
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_sam_reply.c | 273 ++++++--
auth/auth_sam_reply.h | 23 +-
auth/wbc_auth_util.c | 123 ++--
lib/param/param.h | 1 +
lib/param/util.c | 10 +
librpc/idl/auth.idl | 3 +
librpc/idl/krb5pac.idl | 51 +-
librpc/idl/netlogon.idl | 2 +-
python/samba/netcmd/user.py | 95 ++-
python/samba/samdb.py | 8 +-
source3/auth/auth_util.c | 13 +-
source3/auth/server_info.c | 28 +-
source3/winbindd/winbindd_pam.c | 13 +-
source4/auth/auth.h | 1 +
source4/auth/kerberos/kerberos_pac.c | 7 +-
source4/auth/ntlm/auth_sam.c | 20 +-
source4/auth/ntlm/auth_winbind.c | 15 +-
source4/auth/sam.c | 73 +-
source4/dsdb/common/util.c | 43 +-
source4/dsdb/tests/python/password_lockout.py | 973 +++++++++++++++-----------
source4/kdc/db-glue.c | 80 ++-
source4/kdc/pac-glue.c | 3 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 52 +-
source4/rpc_server/samr/dcesrv_samr.c | 11 +-
testprogs/blackbox/test_pkinit_heimdal.sh | 14 +-
25 files changed, 1237 insertions(+), 698 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 4ede02c..1929cd9 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -25,14 +25,14 @@
#include "libcli/security/security.h"
#include "auth/auth_sam_reply.h"
-NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc *user_info_dc,
- struct netr_SamBaseInfo **_sam)
+static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamBaseInfo *sam)
{
NTSTATUS status;
- struct auth_user_info *info;
- struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
- NT_STATUS_HAVE_NO_MEMORY(sam);
+ const struct auth_user_info *info;
+
+ ZERO_STRUCTP(sam);
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX],
@@ -66,12 +66,23 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
sam->allow_password_change = info->allow_password_change;
sam->force_password_change = info->force_password_change;
- sam->account_name.string = info->account_name;
- sam->full_name.string = info->full_name;
- sam->logon_script.string = info->logon_script;
- sam->profile_path.string = info->profile_path;
- sam->home_directory.string = info->home_directory;
- sam->home_drive.string = info->home_drive;
+#define _COPY_STRING_TALLOC(src_name, dst_name) do { \
+ if (info->src_name != NULL) {\
+ sam->dst_name.string = talloc_strdup(mem_ctx, info->src_name); \
+ if (sam->dst_name.string == NULL) { \
+ return NT_STATUS_NO_MEMORY; \
+ } \
+ } \
+} while(0)
+ _COPY_STRING_TALLOC(account_name, account_name);
+ _COPY_STRING_TALLOC(full_name, full_name);
+ _COPY_STRING_TALLOC(logon_script, logon_script);
+ _COPY_STRING_TALLOC(profile_path, profile_path);
+ _COPY_STRING_TALLOC(home_directory, home_directory);
+ _COPY_STRING_TALLOC(home_drive, home_drive);
+ _COPY_STRING_TALLOC(logon_server, logon_server);
+ _COPY_STRING_TALLOC(domain_name, logon_domain);
+#undef _COPY_STRING_TALLOC
sam->logon_count = info->logon_count;
sam->bad_password_count = info->bad_password_count;
@@ -80,7 +91,7 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
if (user_info_dc->num_sids > 2) {
size_t i;
- sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
+ sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
user_info_dc->num_sids);
if (sam->groups.rids == NULL)
@@ -106,8 +117,6 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
sam->user_flags |= NETLOGON_GUEST;
}
sam->acct_flags = user_info_dc->info->acct_flags;
- sam->logon_server.string = user_info_dc->info->logon_server;
- sam->logon_domain.string = user_info_dc->info->domain_name;
sam->sub_auth_status = 0;
sam->last_successful_logon = 0;
sam->last_failed_logon = 0;
@@ -125,61 +134,132 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
sizeof(sam->LMSessKey.key));
}
- *_sam = sam;
-
return NT_STATUS_OK;
}
-/* Note that the validity of the _sam3 structure is only as long as
+/* Note that the validity of the _sam6 structure is only as long as
* the user_info_dc it was generated from */
-NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc *user_info_dc,
- struct netr_SamInfo3 **_sam3)
+NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamInfo6 **_sam6)
{
- struct netr_SamBaseInfo *sam;
- struct netr_SamInfo3 *sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
NTSTATUS status;
+ struct netr_SamInfo6 *sam6 = NULL;
size_t i;
- NT_STATUS_HAVE_NO_MEMORY(sam3);
- status = auth_convert_user_info_dc_sambaseinfo(sam3, user_info_dc, &sam);
+ sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
+ if (sam6 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = auth_convert_user_info_dc_sambaseinfo(sam6,
+ user_info_dc,
+ &sam6->base);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(sam3);
+ TALLOC_FREE(sam6);
return status;
}
- sam3->base = *sam;
- sam3->sidcount = 0;
- sam3->sids = NULL;
-
- sam3->sids = talloc_array(sam, struct netr_SidAttr,
+ sam6->sids = talloc_array(sam6, struct netr_SidAttr,
user_info_dc->num_sids);
- if (sam3->sids == NULL) {
- TALLOC_FREE(sam3);
+ if (sam6->sids == NULL) {
+ TALLOC_FREE(sam6);
return NT_STATUS_NO_MEMORY;
}
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam->domain_sid, &user_info_dc->sids[i])) {
+ if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i])) {
continue;
}
- sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &user_info_dc->sids[i]);
- if (sam3->sids[sam3->sidcount].sid == NULL) {
- TALLOC_FREE(sam3);
+ sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i]);
+ if (sam6->sids[sam6->sidcount].sid == NULL) {
+ TALLOC_FREE(sam6);
return NT_STATUS_NO_MEMORY;
}
- sam3->sids[sam3->sidcount].attributes =
+ sam6->sids[sam6->sidcount].attributes =
SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
- sam3->sidcount += 1;
+ sam6->sidcount += 1;
}
- if (sam3->sidcount) {
- sam3->base.user_flags |= NETLOGON_EXTRA_SIDS;
+ if (sam6->sidcount) {
+ sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;
} else {
- sam3->sids = NULL;
+ sam6->sids = NULL;
}
- *_sam3 = sam3;
+ if (user_info_dc->info->dns_domain_name != NULL) {
+ sam6->dns_domainname.string = talloc_strdup(sam6,
+ user_info_dc->info->dns_domain_name);
+ if (sam6->dns_domainname.string == NULL) {
+ TALLOC_FREE(sam6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (user_info_dc->info->user_principal_name != NULL) {
+ sam6->principal_name.string = talloc_strdup(sam6,
+ user_info_dc->info->user_principal_name);
+ if (sam6->principal_name.string == NULL) {
+ TALLOC_FREE(sam6);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ *_sam6 = sam6;
+ return NT_STATUS_OK;
+}
+
+/* Note that the validity of the _sam2 structure is only as long as
+ * the user_info_dc it was generated from */
+NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamInfo2 **_sam2)
+{
+ NTSTATUS status;
+ struct netr_SamInfo6 *sam6 = NULL;
+ struct netr_SamInfo2 *sam2 = NULL;
+
+ sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
+ if (sam2 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sam2);
+ return status;
+ }
+ sam2->base = sam6->base;
+
+ *_sam2 = sam2;
+ return NT_STATUS_OK;
+}
+
+/* Note that the validity of the _sam3 structure is only as long as
+ * the user_info_dc it was generated from */
+NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamInfo3 **_sam3)
+{
+ NTSTATUS status;
+ struct netr_SamInfo6 *sam6 = NULL;
+ struct netr_SamInfo3 *sam3 = NULL;
+
+ sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (sam3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(sam3);
+ return status;
+ }
+ sam3->base = sam6->base;
+ sam3->sidcount = sam6->sidcount;
+ sam3->sids = sam6->sids;
+
+ *_sam3 = sam3;
return NT_STATUS_OK;
}
@@ -191,7 +271,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
const char *account_name,
- struct netr_SamBaseInfo *base,
+ const struct netr_SamBaseInfo *base,
bool authenticated,
struct auth_user_info **_user_info)
{
@@ -259,13 +339,17 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
- union netr_Validation *validation,
+ const union netr_Validation *validation,
bool authenticated,
struct auth_user_info_dc **_user_info_dc)
{
NTSTATUS status;
- struct auth_user_info_dc *user_info_dc;
- struct netr_SamBaseInfo *base = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
+ const struct netr_SamBaseInfo *base = NULL;
+ uint32_t sidcount = 0;
+ const struct netr_SidAttr *sids = NULL;
+ const char *dns_domainname = NULL;
+ const char *principal = NULL;
uint32_t i;
switch (validation_level) {
@@ -280,12 +364,18 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
base = &validation->sam3->base;
+ sidcount = validation->sam3->sidcount;
+ sids = validation->sam3->sids;
break;
case 6:
if (!validation || !validation->sam6) {
return NT_STATUS_INVALID_PARAMETER;
}
base = &validation->sam6->base;
+ sidcount = validation->sam6->sidcount;
+ sids = validation->sam6->sids;
+ dns_domainname = validation->sam6->dns_domainname.string;
+ principal = validation->sam6->principal_name.string;
break;
default:
return NT_STATUS_INVALID_LEVEL;
@@ -339,26 +429,29 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
*/
- if (validation_level == 3) {
+ /*
+ * The IDL layer would be a better place to check this, but to
+ * guard the integer addition below, we double-check
+ */
+ if (sidcount > UINT16_MAX) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (sidcount > 0) {
struct dom_sid *dgrps = user_info_dc->sids;
- size_t sidcount;
+ size_t dgrps_count;
- /* The IDL layer would be a better place to check this, but to
- * guard the integer addition below, we double-check */
- if (validation->sam3->sidcount > 65535) {
- return NT_STATUS_INVALID_PARAMETER;
+ dgrps_count = user_info_dc->num_sids + sidcount;
+ dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid,
+ dgrps_count);
+ if (dgrps == NULL) {
+ return NT_STATUS_NO_MEMORY;
}
- sidcount = user_info_dc->num_sids + validation->sam3->sidcount;
- if (validation->sam3->sidcount > 0) {
- dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid, sidcount);
- NT_STATUS_HAVE_NO_MEMORY(dgrps);
-
- for (i = 0; i < validation->sam3->sidcount; i++) {
- if (validation->sam3->sids[i].sid) {
- dgrps[user_info_dc->num_sids] = *validation->sam3->sids[i].sid;
- user_info_dc->num_sids++;
- }
+ for (i = 0; i < sidcount; i++) {
+ if (sids[i].sid) {
+ dgrps[user_info_dc->num_sids] = *sids[i].sid;
+ user_info_dc->num_sids++;
}
}
@@ -372,6 +465,22 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
return status;
}
+ if (dns_domainname != NULL) {
+ user_info_dc->info->dns_domain_name = talloc_strdup(user_info_dc->info,
+ dns_domainname);
+ if (user_info_dc->info->dns_domain_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (principal != NULL) {
+ user_info_dc->info->user_principal_name = talloc_strdup(user_info_dc->info,
+ principal);
+ if (user_info_dc->info->user_principal_name == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
/* ensure we are never given NULL session keys */
if (all_zero(base->key.key, sizeof(base->key.key))) {
@@ -396,15 +505,19 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
* Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon
*/
NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
- struct PAC_LOGON_INFO *pac_logon_info,
+ const struct PAC_LOGON_INFO *pac_logon_info,
struct auth_user_info_dc **_user_info_dc)
{
uint32_t i;
NTSTATUS nt_status;
union netr_Validation validation;
struct auth_user_info_dc *user_info_dc;
+ const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
+ size_t sidcount;
+
+ rg = &pac_logon_info->resource_groups;
- validation.sam3 = &pac_logon_info->info3;
+ validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3);
nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
true, /* This user was authenticated */
@@ -413,11 +526,19 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
return nt_status;
}
- if (pac_logon_info->res_groups.count > 0) {
- size_t sidcount;
+ if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
+ rg = &pac_logon_info->resource_groups;
+ }
+
+ if (rg == NULL) {
+ *_user_info_dc = user_info_dc;
+ return NT_STATUS_OK;
+ }
+
+ if (rg->groups.count > 0) {
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
- if (pac_logon_info->res_groups.count > 65535) {
+ if (rg->groups.count > 65535) {
talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -427,12 +548,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
trusted domains, and verify that the SID
matches.
*/
- if (!pac_logon_info->res_group_dom_sid) {
+ if (rg->domain_sid == NULL) {
+ talloc_free(user_info_dc);
DEBUG(0, ("Cannot operate on a PAC without a resource domain SID"));
return NT_STATUS_INVALID_PARAMETER;
}
- sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count;
+ sidcount = user_info_dc->num_sids + rg->groups.count;
user_info_dc->sids
= talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
if (user_info_dc->sids == NULL) {
@@ -440,10 +562,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
- user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid;
- if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
- pac_logon_info->res_groups.rids[i].rid)) {
+ for (i = 0; i < rg->groups.count; i++) {
+ bool ok;
+
+ user_info_dc->sids[user_info_dc->num_sids] = *rg->domain_sid;
+ ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+ rg->groups.rids[i].rid);
+ if (!ok) {
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->num_sids++;
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index 5481eb2..5d86830 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -33,16 +33,19 @@
/* The following definitions come from auth/auth_sam_reply.c */
NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
- const char *account_name,
- struct netr_SamBaseInfo *base,
+ const const char *account_name,
+ const struct netr_SamBaseInfo *base,
bool authenticated,
struct auth_user_info **_user_info);
-NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc *user_info_dc,
- struct netr_SamBaseInfo **_sam);
+NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamInfo6 **_sam6);
+NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
+ const struct auth_user_info_dc *user_info_dc,
+ struct netr_SamInfo2 **_sam2);
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
- struct auth_user_info_dc *user_info_dc,
+ const struct auth_user_info_dc *user_info_dc,
struct netr_SamInfo3 **_sam3);
/**
@@ -51,22 +54,22 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
- union netr_Validation *validation,
- bool authenticated,
+ const union netr_Validation *validation,
+ bool authenticated,
struct auth_user_info_dc **_user_info_dc);
/**
* Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon
*/
NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
- struct PAC_LOGON_INFO *pac_logon_info,
+ const struct PAC_LOGON_INFO *pac_logon_info,
struct auth_user_info_dc **_user_info_dc);
/* The following definitions come from auth/wbc_auth_util.c */
struct wbcAuthUserInfo;
-struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+struct netr_SamInfo6 *wbcAuthUserInfo_to_netr_SamInfo6(TALLOC_CTX *mem_ctx,
const struct wbcAuthUserInfo *info);
#undef _PRINTF_ATTRIBUTE
diff --git a/auth/wbc_auth_util.c b/auth/wbc_auth_util.c
index 1c50b18..52573e2 100644
--- a/auth/wbc_auth_util.c
+++ b/auth/wbc_auth_util.c
@@ -106,14 +106,14 @@ static NTSTATUS wbcsids_to_netr_SidAttrArray(
#define RET_NOMEM(ptr) do { \
if (!ptr) { \
- TALLOC_FREE(info3); \
+ TALLOC_FREE(info6); \
return NULL; \
} } while(0)
--
Samba Shared Repository
More information about the samba-cvs
mailing list