[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sat Mar 12 01:15:03 UTC 2016
The branch, master has been updated
via 2ef0eed selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping
via 7b4ad69 s4:dsdb/test/sort: avoid 'from collections import Counter'
via 1a315be s4:dsdb/test/notification: make test_invalid_filter more resilient against ordering races
via 0b500d4 Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
from ad5b9c3 ctdb-client: Increase the timeout for TRANS3_COMMIT control
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2ef0eed07e494546ba6720a17f00b40d9bafa8ef
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 10:49:21 2016 +0100
selftest: mark samba4.winbind.struct.domain_info.ad_member as flapping
See https://lists.samba.org/archive/samba-technical/2016-March/112861.html
found 517 lines matching '^UNEXPECTED' in 641 files matching 'samba.stdout$'
175 UNEXPECTED(failure): samba4.winbind.struct.domain_info(ad_member:local)
19 UNEXPECTED(failure): samba4.winbind.struct.domain_info(s3member:local)
12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_encrypt_decrypt_wrong_key(ad_dc_ntvfs)
12 UNEXPECTED(failure): samba4.drs.delete_object.python(promoted_dc).delete_object.DrsDeleteObjectTestCase.test_ReplicateDeletedObject1(promoted_dc)
12 UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_ntvfs)
11 UNEXPECTED(failure): samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)
We'll see if we also need to add
samba4.winbind.struct.domain_info.s3member
before we're able to identify and fix the problem.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Mar 12 02:14:39 CET 2016 on sn-devel-144
commit 7b4ad69b59e8951b90545dd02befa579e90f8582
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 10:39:13 2016 +0100
s4:dsdb/test/sort: avoid 'from collections import Counter'
This is only available in python 2.7 and >= 3.1
This should fix make test with python 2.6.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a315bec2720aafc9f0efa48eb36509fc26a6ebf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Mar 11 10:16:27 2016 +0100
s4:dsdb/test/notification: make test_invalid_filter more resilient against ordering races
We saw a lot of flapping tests with:
[1793(11038)/1892 at 1h55m26s]
samba4.ldap.notification.python(ad_dc_ntvfs)(ad_dc_ntvfs)
UNEXPECTED(failure):
samba4.ldap.notification.python(ad_dc_ntvfs).__main__.LDAPNotificationTest.test_max_search(ad_dc_ntvfs)
REASON: Exception: Exception: Traceback (most recent call last):
File
"/memdisk/autobuild/fl/b1782183/samba/source4/dsdb/tests/python/notification.py",
line 181, in test_max_search
self.assertEquals(num, ERR_TIME_LIMIT_EXCEEDED)
AssertionError: 11 != 3
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0b500d413c5b76188c0c566318be7079b777237c
Author: Herwin Weststrate <herwin at quarantainenet.nl>
Date: Wed Dec 9 18:47:47 2015 +0100
Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which was discussed in 2012, but was never implemented).
It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.
It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).
After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
Logon failure (0xc000006d)
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11694
Signed-off-by: Herwin Weststrate <herwin at quarantainenet.nl>
Reviewed-by: Kai Blin <kai at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/ntlm_auth.1.xml | 5 +++++
nsswitch/libwbclient/wbclient.h | 1 +
selftest/flapping | 1 +
source3/utils/ntlm_auth.c | 7 +++++++
source4/dsdb/tests/python/notification.py | 15 +++++++++++----
source4/dsdb/tests/python/sort.py | 9 +++++++--
source4/utils/ntlm_auth.c | 8 ++++++++
7 files changed, 40 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
index 042893a..616d537 100644
--- a/docs-xml/manpages/ntlm_auth.1.xml
+++ b/docs-xml/manpages/ntlm_auth.1.xml
@@ -381,6 +381,11 @@
</varlistentry>
<varlistentry>
+ <term>--allow-mschapv2</term>
+ <listitem><para>Explicitly allow MSCHAPv2.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>--offline-logon</term>
<listitem><para>Allow offline logons for plain text auth.
</para></listitem>
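Review bot: The new --allow-mschapv2 entry says only "Explicitly allow MSCHAPv2." and gives an administrator no idea when the option matters or what it changes. The commit message has the missing detail: against a server set to 'Send NTLMv2 Response Only. Refuse LM & NTLM', the same request returns Logon failure (0xc000006d) without the option and an NT_KEY with it. Suggest the para state that the option sets MSV1_0_ALLOW_MSVCHAPV2 in the logon parameters sent with the request, and that it is meant for callers that are really doing MSCHAPv2, since it lets a request succeed that the server's NTLM policy would otherwise refuse.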
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 6ec8377..8c1803b 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -316,6 +316,7 @@ struct wbcChangePasswordParams {
#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020
#define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200
#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000
/* wbcAuthUserParams->flags */
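Review bot: WBC_MSV1_0_ALLOW_MSVCHAPV2 is added to this header without a comment, and its spelling (MSVCHAPV2) differs from the --allow-mschapv2 option that the same commit adds to ntlm_auth. The commit message says the define is meant for programs that call libwbclient directly, so a one-line comment stating what the bit requests, and that the spelling is intentional, would save those users a search. It is also worth confirming that 0x00010000 matches the MSV1_0_ALLOW_MSVCHAPV2 value used in ntlm_auth.c, since the two definitions are not visible side by side in this changeset.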
diff --git a/selftest/flapping b/selftest/flapping
index 81629f9..2f0ef55 100644
--- a/selftest/flapping
+++ b/selftest/flapping
@@ -29,3 +29,4 @@
^samba4.drs.delete_object.python # flakey on sn-devel
^samba4.blackbox.samba_tool_demote # flakey on sn-devel
^samba4.smb2.create.mkdir-dup\(ad_dc_ntvfs\) # This test (for bug 11486) involves a race, not always protected against in the NTVFS file server
+^samba4.winbind.struct.domain_info.ad_member # flakey on sn-devel-104 and sn-devel-144
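Review bot: The trailing comment on the new ^samba4.winbind.struct.domain_info.ad_member line names the build hosts but not the report that justifies the entry. The commit message links the samba-technical thread and says the cause is not yet identified; putting that URL in the comment would make it easier to remove the entry once the problem is fixed. The pattern matches by prefix with unescaped dots, like its neighbours, so it does not cover the s3member variant that also appears in the failure counts.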
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index f37cfa3..25c20d8 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -169,6 +169,7 @@ static int request_lm_key;
static int request_user_session_key;
static int use_cached_creds;
static int offline_logon;
+static int opt_allow_mschapv2;
static const char *require_membership_of;
static const char *require_membership_of_sid;
@@ -533,6 +534,10 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
request.data.auth_crap.logon_parameters = extra_logon_parameters
| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+ if (opt_allow_mschapv2) {
+ request.data.auth_crap.logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+ }
+
if (require_membership_of_sid)
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
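Review bot: In contact_winbind_auth_crap() the flag is taken from the file-scope opt_allow_mschapv2 rather than from the extra_logon_parameters value that is ORed in two lines above. Once the option is given on the command line it therefore applies to every call of this function, whichever helper mode made it. If that is intended, a short comment saying so would help; otherwise let the caller that needs MSCHAPv2 pass MSV1_0_ALLOW_MSVCHAPV2 in through extra_logon_parameters and drop the global test here.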
@@ -2185,6 +2190,7 @@ enum {
OPT_DIAGNOSTICS,
OPT_REQUIRE_MEMBERSHIP,
OPT_USE_CACHED_CREDS,
+ OPT_ALLOW_MSCHAPV2,
OPT_PAM_WINBIND_CONF,
OPT_TARGET_SERVICE,
OPT_TARGET_HOSTNAME,
@@ -2225,6 +2231,7 @@ enum {
{ "request-lm-key", 0, POPT_ARG_NONE, &request_lm_key, OPT_LM_KEY, "Retrieve LM session key"},
{ "request-nt-key", 0, POPT_ARG_NONE, &request_user_session_key, OPT_USER_SESSION_KEY, "Retrieve User (NT) session key"},
{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "Use cached credentials if no password is given"},
+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
{ "offline-logon", 0, POPT_ARG_NONE, &offline_logon,
OPT_OFFLINE_LOGON,
"Use cached passwords when DC is offline"},
diff --git a/source4/dsdb/tests/python/notification.py b/source4/dsdb/tests/python/notification.py
index d799c91..afc6343 100755
--- a/source4/dsdb/tests/python/notification.py
+++ b/source4/dsdb/tests/python/notification.py
@@ -168,6 +168,8 @@ delete: otherLoginWorkstations
attrs=["name"],
controls=["notification:1"],
timeout=1)
+ num_admin_limit = 0
+ num_time_limit = 0
for i in xrange(0, max_notifications + 1):
try:
for msg in notifies[i]:
@@ -175,10 +177,15 @@ delete: otherLoginWorkstations
res = notifies[i].result()
self.fail()
except LdbError, (num, _):
- if i >= max_notifications:
- self.assertEquals(num, ERR_ADMIN_LIMIT_EXCEEDED)
- else:
- self.assertEquals(num, ERR_TIME_LIMIT_EXCEEDED)
+ if num == ERR_ADMIN_LIMIT_EXCEEDED:
+ num_admin_limit += 1
+ continue
+ if num == ERR_TIME_LIMIT_EXCEEDED:
+ num_time_limit += 1
+ continue
+ raise
+ self.assertEqual(num_admin_limit, 1)
+ self.assertEqual(num_time_limit, max_notifications)
def test_invalid_filter(self):
"""Testing invalid filters for notifications"""
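Review bot: The rewritten except LdbError block sits in the loop above def test_invalid_filter, and the traceback in the commit message points at test_max_search, so the commit subject names the wrong test. On the logic, counting the two error codes and asserting num_admin_limit == 1 and num_time_limit == max_notifications after the loop no longer depends on which search is the one rejected, which fits the ordering race described. A one-line comment above the counters saying that the order is deliberately not checked would keep a later cleanup from restoring the index test. The new assertions use assertEqual where the removed lines used assertEquals; pick one spelling for the file.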
diff --git a/source4/dsdb/tests/python/sort.py b/source4/dsdb/tests/python/sort.py
index c4d2c44..b7b9d83 100644
--- a/source4/dsdb/tests/python/sort.py
+++ b/source4/dsdb/tests/python/sort.py
@@ -5,7 +5,6 @@ from unicodedata import normalize
import locale
locale.setlocale(locale.LC_ALL, ('en_US', 'UTF-8'))
-from collections import Counter
import optparse
import sys
import os
@@ -191,7 +190,13 @@ class BaseSortTests(samba.tests.TestCase):
self.expected_results[k] = (fixed, list(reversed(fixed)))
for k in ('streetAddress', 'postalAddress'):
if k in self.expected_results:
- c = Counter([u[k] for u in self.users])
+ c = {}
+ for u in self.users:
+ x = u[k]
+ if x in c:
+ c[x] += 1
+ continue
+ c[x] = 1
fixed = []
for x in FIENDISH_TESTS:
fixed += [norm(x)] * c[x]
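Review bot: Replacing Counter with a plain dict changes the lookup in the unchanged line fixed += [norm(x)] * c[x]: Counter returns 0 for a missing key, while a dict raises KeyError. If any entry of FIENDISH_TESTS is absent from the users' values for k, the test now errors instead of contributing zero copies. Use c.get(x, 0) in that line; the counting loop can then be written as c[x] = c.get(x, 0) + 1 without the continue.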
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index f7c95eb..0816024 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -104,6 +104,7 @@ static const char *opt_workstation;
static const char *opt_password;
static int opt_multiplex;
static int use_cached_creds;
+static int opt_allow_mschapv2;
static void mux_printf(unsigned int mux_id, const char *format, ...) PRINTF_ATTRIBUTE(2, 3);
@@ -174,6 +175,7 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
if (!mem_ctx) {
nt_status = NT_STATUS_NO_MEMORY;
} else {
+ uint32_t logon_parameters = 0;
E_md4hash(opt_password, nt_pw.hash);
if (E_deshash(opt_password, lm_pw.hash)) {
@@ -183,10 +185,14 @@ static NTSTATUS local_pw_check_specified(struct loadparm_context *lp_ctx,
}
nt_pwd = &nt_pw;
+ if (opt_allow_mschapv2) {
+ logon_parameters |= MSV1_0_ALLOW_MSVCHAPV2;
+ }
nt_status = ntlm_password_check(mem_ctx,
lpcfg_lanman_auth(lp_ctx),
lpcfg_ntlm_auth(lp_ctx),
+ logon_parameters |
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
challenge,
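Review bot: In local_pw_check_specified() the mask is assembled in three places: logon_parameters is declared in the previous hunk, set here under if (opt_allow_mschapv2), and then ORed with the two trust-account flags inside the ntlm_password_check() argument list. Building the whole mask in the variable first (the two MSV1_0_ALLOW_*_TRUST_ACCOUNT flags, then the conditional OR) and passing just logon_parameters would be easier to read and to extend. The commit message says the binary that was tested was the Samba 3 ntlm_auth, so this source4 path has no stated test coverage; a selftest that exercises --allow-mschapv2 here would be worth adding.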
@@ -1043,6 +1049,7 @@ enum {
OPT_REQUIRE_MEMBERSHIP,
OPT_MULTIPLEX,
OPT_USE_CACHED_CREDS,
+ OPT_ALLOW_MSCHAPV2,
};
int main(int argc, const char **argv)
@@ -1069,6 +1076,7 @@ int main(int argc, const char **argv)
{ "password", 0, POPT_ARG_STRING, &opt_password, OPT_PASSWORD, "User's plaintext password"},
{ "multiplex", 0, POPT_ARG_NONE, &opt_multiplex, OPT_MULTIPLEX, "Multiplex Mode"},
{ "use-cached-creds", 0, POPT_ARG_NONE, &use_cached_creds, OPT_USE_CACHED_CREDS, "silently ignored for compatibility reasons"},
+ { "allow-mschapv2", 0, POPT_ARG_NONE, &opt_allow_mschapv2, OPT_ALLOW_MSCHAPV2, "Explicitly allow MSCHAPv2" },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }
--
Samba Shared Repository