[SCM] Samba Shared Repository - branch master updated
Ralph Böhme
slow at samba.org
Tue Feb 21 19:09:02 UTC 2017
The branch, master has been updated
via 10e1b92 krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
via 383432d s4:scripting: use generate_random_machine_password() for machine passwords
via ea57a20 samba-tool:provision: use generate_random_machine_password() for machine passwords
via f04e09e samba-tool:domain: use generate_random_machine_password() for machine passwords
via b2fac99 samba-tool:domain: use generate_random_machine_password() for trusted domains
via d7840e77 pyglue: add generate_random_machine_password() wrapper
via b86c29b python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords
via 99b8d6b python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords
via 0ed258b s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.
via 26515dc s4:libnet: make use of generate_random_machine_password()
via e9c1840 s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via 21cbf8e s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via 13fd543 s3:net_rpc_trust: make use of trust_pw_new_value()
via 77edef9 s3:libnet_join: make use of trust_pw_new_value()
via 0013694 s3:libads: use trust_pw_new_value() for krb5 machine passwords
via c21e998 s3:libsmb: use trust_pw_new_value() in trust_pw_change()
via 9e26ad8 s3:libsmb: add trust_pw_new_value() helper function
via a287754 s3:libsmb: let trust_pw_change() verify the new password at the end.
via 4185689 s3:libsmb: let trust_pw_change() debug more verbose information
via ad12cfa lib/util: add generate_random_machine_password() function
via abe4277 libcli/auth: add netlogon_creds_cli_debug_string()
via 8a209e5 libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
via 0ed2a65 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
via cebcc2a s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect
via c97e39b librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
from e36e1f7 build:wafsamba: Remove ambiguous 'if x in conf.env' constructs
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 10e1b92c288ae27f775debb16c3e122b6063fa21
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 21 12:15:07 2017 +0100
krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
Our own convert_string_talloc() function handles a wider range
of unicode code points than the MIT krb5 or heimdal code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Feb 21 20:08:16 CET 2017 on sn-devel-144
commit 383432d2cd3046c2c3768c1ae452211c7e583604
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:37:09 2017 +0100
s4:scripting: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ea57a204a1f6b4999e5347c1edb5753bed933fba
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:40:24 2016 +0200
samba-tool:provision: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit f04e09e1968c40483b8dc2f92b9c15bce0b0b55a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:37:37 2016 +0200
samba-tool:domain: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b2fac99ac63739398aa716c26d8e187a25bb8400
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:27:19 2016 +0200
samba-tool:domain: use generate_random_machine_password() for trusted domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit d7840e77961cdc4ccc4f5549494d458b6b2c2cf4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 09:35:50 2016 +0200
pyglue: add generate_random_machine_password() wrapper
We use PyUnicode_FromString() (which is available from 2.6)
because we really have non-ascii strings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit b86c29b1e6fb2fb4cf203aa38c7764084d855730
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 22:34:06 2017 +0100
python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 99b8d6beccf4d3d24f9d87a4d8e5eadfe0e0dd33
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 17 00:10:12 2017 +0100
python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0ed258bfe48995db6b345cc14e1747c4af9d076d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:01:21 2017 +0100
s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 26515dca99ba3fa393207df905137021a2177de1
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:35:54 2017 +0100
s4:libnet: make use of generate_random_machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit e9c184088cbbb47e48d9e96fc753a56c544301dc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:41:48 2016 +0200
s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 21cbf8e4db6928a8a3fb712b3750bb50c1201948
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:41:48 2016 +0200
s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 13fd543929c72fa5af1ae6e21ca8dda9a57a0f55
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 10:42:30 2016 +0200
s3:net_rpc_trust: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 77edef9555acd6e0c843582637bc367fa0d2a203
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:09:57 2016 +0200
s3:libnet_join: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 00136940757ea6947f97c9c92b25207d9413727b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 10:38:58 2016 +0200
s3:libads: use trust_pw_new_value() for krb5 machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c21e9981d04fa016ef708941ea82051d0438b7a7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: use trust_pw_new_value() in trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: add trust_pw_new_value() helper function
This generates a new trust password based on the secure channel type
and lp_security().
NT4 really has a limit of 28 UTF16 bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit a2877541681e07f09aee7d7c21adbe50346755e3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 9 22:53:52 2017 +0100
s3:libsmb: let trust_pw_change() verify the new password at the end.
We should notice problems as early as possible, it makes no
sense to keep things working for a while and later find out
the we lost our trust relationship with our domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4185689dbf0085fcb3840ad8b520df21a33e5d2a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 18 19:57:30 2017 +0100
s3:libsmb: let trust_pw_change() debug more verbose information
Password changes caused much trouble in the past, so we better debug
them at log level 0 and may see them also in the syslog.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit ad12cfae42cc592166d6a1c1ee323f1aae82f235
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 09:30:05 2016 +0200
lib/util: add generate_random_machine_password() function
It generates more random password for the use as machine password,
restricted to codepoints <= 0xFFFF in order to be compatible
with MIT krb5 and Heimdal.
Note: the fallback to ascii if 'unix charset' is not 'utf8'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit abe427775ee8ed1d278d5094ca127f85289ca5a3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 9 21:47:52 2017 +0100
libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 8a209e5a0ca810d8cf0e5ebc1902fae8c5cb241e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 18 19:02:21 2017 +0000
libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 15 08:58:20 2017 +0100
libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit cebcc2adc7e568d492466bb69f21ba2a9630a0d2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jan 31 15:19:00 2017 +0100
s3:winbindd: make sure cm_prepare_connection() only returns OK with a valid tree connect
If cm_get_ipc_credentials() returned anonymous creds and signing is required
we were returning the result of cm_get_ipc_credentials() instead of
the original error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12588
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit c97e39b34fcf260ded42ef1a9efe7ed55e65a1cf
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 15 08:07:06 2017 +0100
librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
Commit 1eef70872930fa4f9d3dedd23476b34cae638428 changed the mapping for
DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12585
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 37 ++++++
lib/util/genrand_util.c | 168 ++++++++++++++++++++++++-
lib/util/samba_util.h | 32 ++++-
libcli/auth/netlogon_creds_cli.c | 33 ++++-
libcli/auth/netlogon_creds_cli.h | 4 +
librpc/rpc/dcerpc_error.c | 8 +-
python/pyglue.c | 26 +++-
python/samba/__init__.py | 1 +
python/samba/join.py | 11 +-
python/samba/netcmd/domain.py | 29 +----
python/samba/netcmd/user.py | 2 +-
python/samba/provision/__init__.py | 6 +-
python/samba/provision/sambadns.py | 2 +-
python/samba/samdb.py | 2 +-
python/samba/upgradehelpers.py | 4 +-
source3/include/proto.h | 3 +
source3/include/smb.h | 6 -
source3/libads/util.c | 9 +-
source3/libnet/libnet_join.c | 16 ++-
source3/libsmb/trusts_util.c | 143 ++++++++++++++++-----
source3/utils/net_rpc_trust.c | 6 +-
source3/winbindd/winbindd_cm.c | 13 +-
source3/wscript_build | 1 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 84 +++++++++++++
source4/dsdb/samdb/ldb_modules/samldb.c | 25 ++--
source4/libcli/raw/smb.h | 7 --
source4/libnet/libnet_vampire.c | 2 +-
source4/scripting/bin/renamedc | 2 +-
28 files changed, 560 insertions(+), 122 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index bb0b5df..0c98147 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "system/filesys.h"
#include "krb5_samba.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -300,6 +301,42 @@ int smb_krb5_create_key_from_string(krb5_context context,
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index fbd9998..76b7cd9 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -210,7 +210,7 @@ again:
}
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max)
@@ -258,6 +258,172 @@ again:
}
/**
+ * Generate a random machine password (based on random utf16 characters,
+ * converted to utf8). min must be at least 14, max must be at most 255.
+ *
+ * If 'unix charset' is not utf8, the password consist of random ascii
+ * values!
+ */
+
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max)
+{
+ TALLOC_CTX *frame = NULL;
+ struct generate_random_machine_password_state {
+ uint8_t password_buffer[256 * 2];
+ uint8_t tmp;
+ } *state;
+ char *new_pw = NULL;
+ size_t len = max;
+ char *utf8_pw = NULL;
+ size_t utf8_len = 0;
+ char *unix_pw = NULL;
+ size_t unix_len = 0;
+ size_t diff;
+ size_t i;
+ bool ok;
+ int cmp;
+
+ if (max > 255) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min < 14) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min > max) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ frame = talloc_stackframe_pool(2048);
+ state = talloc_zero(frame, struct generate_random_machine_password_state);
+
+ diff = max - min;
+
+ if (diff > 0) {
+ size_t tmp;
+
+ generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+
+ tmp %= diff;
+
+ len = min + tmp;
+ }
+
+ /*
+ * Create a random machine account password
+ * We create a random buffer and convert that to utf8.
+ * This is similar to what windows is doing.
+ *
+ * In future we may store the raw random buffer,
+ * but for now we need to pass the password as
+ * char pointer through some layers.
+ *
+ * As most kerberos keys are derived from the
+ * utf8 password we need to fallback to
+ * ASCII passwords if "unix charset" is not utf8.
+ */
+ generate_secret_buffer(state->password_buffer, len * 2);
+ for (i = 0; i < len; i++) {
+ size_t idx = i*2;
+ uint16_t c;
+
+ /*
+ * both MIT krb5 and HEIMDAL only
+ * handle codepoints up to 0xffff.
+ *
+ * It means we need to avoid
+ * 0xD800 - 0xDBFF (high surrogate)
+ * and
+ * 0xDC00 - 0xDFFF (low surrogate)
+ * in the random utf16 data.
+ *
+ * 55296 0xD800 0154000 0b1101100000000000
+ * 57343 0xDFFF 0157777 0b1101111111111111
+ * 8192 0x2000 020000 0b10000000000000
+ *
+ * The above values show that we can check
+ * for 0xD800 and just add 0x2000 to avoid
+ * the surrogate ranges.
+ *
+ * The rest will be handled by CH_UTF16MUNGED
+ * see utf16_munged_pull().
+ */
+ c = SVAL(state->password_buffer, idx);
+ if (c & 0xD800) {
+ c |= 0x2000;
+ }
+ SSVAL(state->password_buffer, idx, c);
+ }
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UTF8,
+ state->password_buffer, len * 2,
+ (void *)&utf8_pw, &utf8_len);
+ if (!ok) {
+ DEBUG(0, ("%s: convert_string_talloc() failed\n",
+ __func__));
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UNIX,
+ state->password_buffer, len * 2,
+ (void *)&unix_pw, &unix_len);
+ if (!ok) {
+ goto ascii_fallback;
+ }
+
+ if (utf8_len != unix_len) {
+ goto ascii_fallback;
+ }
+
+ cmp = memcmp((const uint8_t *)utf8_pw,
+ (const uint8_t *)unix_pw,
+ utf8_len);
+ if (cmp != 0) {
+ goto ascii_fallback;
+ }
+
+ new_pw = talloc_strdup(mem_ctx, utf8_pw);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+
+ascii_fallback:
+ for (i = 0; i < len; i++) {
+ /*
+ * truncate to ascii
+ */
+ state->tmp = state->password_buffer[i] & 0x7f;
+ if (state->tmp == 0) {
+ state->tmp = state->password_buffer[i] >> 1;
+ }
+ if (state->tmp == 0) {
+ state->tmp = 0x01;
+ }
+ state->password_buffer[i] = state->tmp;
+ }
+ state->password_buffer[i] = '\0';
+
+ new_pw = talloc_strdup(mem_ctx, (const char *)state->password_buffer);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+}
+
+/**
* Generate an array of unique text strings all of the same length.
* The returned string will be allocated.
* Returns NULL if the number of unique combinations cannot be created.
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index 8aa8eba..7a74617 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -97,11 +97,41 @@ _PUBLIC_ uint32_t generate_random(void);
_PUBLIC_ bool check_password_quality(const char *s);
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
+ * This function is designed to provide a password that
+ * meats the complexity requirements of UF_NORMAL_ACCOUNT objects
+ * and they should be human readable and writeable on any keyboard layout.
+ *
+ * Characters used are:
+ * ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,@$%&!?:;<=>()[]~
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max);
/**
+ * Generate a random machine password
+ *
+ * min and max are the number of utf16 characters used
+ * to generate on utf8 compatible password.
+ *
+ * Note: if 'unix charset' is not 'utf8' (the default)
+ * then each utf16 character is only filled with
+ * values from 0x01 to 0x7f (ascii values without 0x00).
+ * This is important as the password neets to be
+ * a valid value as utf8 string and at the same time
+ * a valid value in the 'unix charset'.
+ *
+ * If 'unix charset' is 'utf8' (the default) then
+ * each utf16 character is a random value from 0x0000
+ * 0xFFFF (exluding the surrogate ranges from 0xD800-0xDFFF)
+ * while the translation from CH_UTF16MUNGED
+ * to CH_UTF8 replaces invalid values (see utf16_munged_pull()).
+ *
+ * Note: these passwords may not pass the complexity requirements
+ * for UF_NORMAL_ACCOUNT objects (except krbtgt accounts).
+ */
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max);
+
+/**
Use the random number generator to generate a random string.
**/
_PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const char *list);
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 38b1351..d55142e 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -484,6 +484,14 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
return NT_STATUS_OK;
}
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx)
+{
+ return talloc_asprintf(mem_ctx, "netlogon_creds_cli:%s",
+ context->db.key_name);
+}
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context)
{
@@ -1747,7 +1755,11 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
/*
* netr_ServerPasswordSet
*/
- E_md4hash(new_password, state->samr_password.hash);
+ ok = E_md4hash(new_password, state->samr_password.hash);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
/*
* netr_ServerPasswordSet2
@@ -2075,11 +2087,24 @@ struct netlogon_creds_cli_LogonSamLogon_state {
/*
* the read only credentials before we started the operation
+ * used for netr_LogonSamLogonEx() if required (validation_level = 3).
*/
struct netlogon_creds_CredentialState *ro_creds;
+ /*
+ * The (locked) credentials used for the credential chain
+ * used for netr_LogonSamLogonWithFlags() or
+ * netr_LogonSamLogonWith().
+ */
struct netlogon_creds_CredentialState *lk_creds;
+ /*
+ * While we have locked the global credentials (lk_creds above)
+ * we operate an a temporary copy, because a server
+ * may not support netr_LogonSamLogonWithFlags() and
+ * didn't process our netr_Authenticator, so we need to
+ * restart from lk_creds.
+ */
struct netlogon_creds_CredentialState tmp_creds;
struct netr_Authenticator req_auth;
struct netr_Authenticator rep_auth;
@@ -2311,7 +2336,7 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
return;
}
- netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
+ netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds,
state->logon_level,
state->logon);
@@ -2414,8 +2439,10 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
/*
* We got a race, lets retry with on authenticator
* protection.
+ *
+ * netlogon_creds_cli_LogonSamLogon_start()
+ * will TALLOC_FREE(state->ro_creds);
*/
- TALLOC_FREE(state->ro_creds);
state->try_logon_ex = false;
netlogon_creds_cli_LogonSamLogon_start(req);
return;
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 006367a..949e03b 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -52,6 +52,10 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_context);
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx);
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context);
diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c
index bfcd216..d8ff0ab 100644
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -50,12 +50,10 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_DIV_BY_ZERO, NT_STATUS_RPC_FP_DIV_ZERO),
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_OVERFLOW, NT_STATUS_RPC_FP_OVERFLOW),
/*
- * What's the difference between NT_STATUS_RPC_INVALID_TAG
- * and NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ???
- *
- * Our callers expect NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+ * Our callers expect NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * instead of NT_STATUS_RPC_INVALID_TAG.
*/
- _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE),
+ _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_INVALID_TAG),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_BOUND, NT_STATUS_RPC_INVALID_BOUND),
_FAULT_STR(DCERPC_NCA_S_FAULT_RPC_VERSION_MISMATCH, NT_STATUS_RPC_PROTOCOL_ERROR),
diff --git a/python/pyglue.c b/python/pyglue.c
index dbe7eb4..0e80ba6 100644
--- a/python/pyglue.c
+++ b/python/pyglue.c
@@ -60,6 +60,23 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args)
return ret;
}
+static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args)
+{
+ int min, max;
+ PyObject *ret;
+ char *retstr;
+ if (!PyArg_ParseTuple(args, "ii", &min, &max))
+ return NULL;
+
+ retstr = generate_random_machine_password(NULL, min, max);
+ if (retstr == NULL) {
+ return NULL;
+ }
+ ret = PyUnicode_FromString(retstr);
+ talloc_free(retstr);
+ return ret;
+}
+
static PyObject *py_unix2nttime(PyObject *self, PyObject *args)
{
time_t t;
@@ -261,7 +278,14 @@ static PyMethodDef py_misc_methods[] = {
"Generate random string with specified length." },
{ "generate_random_password", (PyCFunction)py_generate_random_password,
METH_VARARGS, "generate_random_password(min, max) -> string\n"
- "Generate random password with a length >= min and <= max." },
+ "Generate random password (based on printable ascii characters) "
+ "with a length >= min and <= max." },
+ { "generate_random_machine_password", (PyCFunction)py_generate_random_machine_password,
+ METH_VARARGS, "generate_random_machine_password(min, max) -> string\n"
+ "Generate random password "
+ "(based on random utf16 characters converted to utf8 or "
+ "random ascii characters if 'unix charset' is not 'utf8')"
+ "with a length >= min (at least 14) and <= max (at most 255)." },
{ "unix2nttime", (PyCFunction)py_unix2nttime, METH_VARARGS,
"unix2nttime(timestamp) -> nttime" },
{ "nttime2unix", (PyCFunction)py_nttime2unix, METH_VARARGS,
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 5f91531..19d5e38 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -396,6 +396,7 @@ nttime2string = _glue.nttime2string
nttime2unix = _glue.nttime2unix
unix2nttime = _glue.unix2nttime
generate_random_password = _glue.generate_random_password
+generate_random_machine_password = _glue.generate_random_machine_password
strcasecmp_m = _glue.strcasecmp_m
strstr_m = _glue.strstr_m
is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built
diff --git a/python/samba/join.py b/python/samba/join.py
index 058fa08..9b211ac 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -105,7 +105,7 @@ class dc_join(object):
if machinepass is not None:
ctx.acct_pass = machinepass
else:
- ctx.acct_pass = samba.generate_random_password(32, 40)
+ ctx.acct_pass = samba.generate_random_machine_password(128, 255)
ctx.dnsdomain = ctx.samdb.domain_dns_name()
if clone_only:
@@ -684,7 +684,7 @@ class dc_join(object):
pass
ctx.net.set_password(account_name=ctx.samname,
domain_name=ctx.domain_name,
- newpassword=ctx.acct_pass)
+ newpassword=ctx.acct_pass.encode('utf-8'))
res = ctx.samdb.search(base=ctx.acct_dn, scope=ldb.SCOPE_BASE,
attrs=["msDS-KeyVersionNumber"])
@@ -708,7 +708,7 @@ class dc_join(object):
{"DNSDOMAIN": ctx.dnsdomain,
"DOMAINDN": ctx.base_dn,
"HOSTNAME" : ctx.myname,
- "DNSPASS_B64": b64encode(ctx.dnspass),
+ "DNSPASS_B64": b64encode(ctx.dnspass.encode('utf-16-le')),
"DNSNAME" : ctx.dnshostname}))
for changetype, msg in recs:
assert changetype == ldb.CHANGETYPE_NONE
@@ -880,7 +880,7 @@ class dc_join(object):
repl_creds.guess(ctx.lp)
repl_creds.set_kerberos_state(DONT_USE_KERBEROS)
repl_creds.set_username(ctx.samname)
- repl_creds.set_password(ctx.acct_pass)
+ repl_creds.set_password(ctx.acct_pass.encode('utf-8'))
else:
repl_creds = ctx.creds
@@ -1330,7 +1330,8 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
ctx.domsid = security.random_sid()
ctx.acct_dn = None
--
Samba Shared Repository
More information about the samba-cvs
mailing list