[SCM] Samba Shared Repository - branch v4-6-test updated
Stefan Metzmacher
metze at samba.org
Sat Feb 25 04:29:03 UTC 2017
The branch, v4-6-test has been updated
via 39582f3 vfs_streams_xattr: use fsp, not base_fsp
via 0c9bc50 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
via 8ee5fe5 librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
via 8cb9f77 build: Fix generation of CTDB manpages while creating tarball
via a39218d ctdb-build: Add make target for generating manpages
via 706141a ctdb-build: Split dist() target to generate manpages separately
via a2c013b krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
via dfb3795 s4:scripting: use generate_random_machine_password() for machine passwords
via 6153b15 samba-tool:provision: use generate_random_machine_password() for machine passwords
via f5df4eb samba-tool:domain: use generate_random_machine_password() for machine passwords
via f6dc073 samba-tool:domain: use generate_random_machine_password() for trusted domains
via 40366fd pyglue: add generate_random_machine_password() wrapper
via 705686e python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords
via 00d3c8e python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords
via c5a4e47 s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.
via 7c75976 s4:libnet: make use of generate_random_machine_password()
via 53ef65b s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via e0119dd s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via aa79c0d s3:net_rpc_trust: make use of trust_pw_new_value()
via 2e125de s3:libnet_join: make use of trust_pw_new_value()
via fd09929 s3:libads: use trust_pw_new_value() for krb5 machine passwords
via c01b2c2 s3:libsmb: use trust_pw_new_value() in trust_pw_change()
via ae300c7 s3:libsmb: add trust_pw_new_value() helper function
via 38cfd61 s3:libsmb: let trust_pw_change() verify the new password at the end.
via 60d48a8 s3:libsmb: let trust_pw_change() debug more verbose information
via 39ebdf7 lib/util: add generate_random_machine_password() function
via 7132f093 libcli/auth: add netlogon_creds_cli_debug_string()
via bcfa544 libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
from 7567c0e WHATSNEW: Fix spelling of Messages
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test
- Log -----------------------------------------------------------------
commit 39582f31d34b3fa29a7deb112ea1fb83e76aa294
Author: Ralph Boehme <slow at samba.org>
Date: Fri Feb 17 08:10:53 2017 +0100
vfs_streams_xattr: use fsp, not base_fsp
The base_fsp's fd is always -1 as it's closed after being opened in
create_file_unixpath().
Additionally in streams_xattr_open force using of SMB_VFS_FSETXATTR() by
sticking the just created fd into the fsp (and removing it afterwards).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12591
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Feb 22 08:25:46 CET 2017 on sn-devel-144
(cherry picked from commit 021189e32ba507832b5e821e5cda8a2889225955)
Autobuild-User(v4-6-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-6-test): Sat Feb 25 05:28:51 CET 2017 on sn-devel-144
commit 0c9bc50bfeb63547382d6afd335130dc96caf7a4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 15 08:58:20 2017 +0100
libcli/auth: use the correct creds value against servers without LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836)
commit 8ee5fe5ddb404b815fe33def0d731936e0c7cecb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Feb 15 08:07:06 2017 +0100
librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
Commit 1eef70872930fa4f9d3dedd23476b34cae638428 changed the mapping for
DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12585
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c97e39b34fcf260ded42ef1a9efe7ed55e65a1cf)
commit 8cb9f77afe5cc41d94aca478675596f3f78cde77
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue Feb 21 22:33:48 2017 +1100
build: Fix generation of CTDB manpages while creating tarball
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Feb 23 19:25:11 CET 2017 on sn-devel-144
(cherry picked from commit a9211ec2860d7763e606e9a9e4b62c19846b3302)
commit a39218d7e2617db36891483c3fe7db949132959f
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue Feb 21 22:44:10 2017 +1100
ctdb-build: Add make target for generating manpages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 3bb4fd545864aeb7f28230604c26ccc188ba360a)
commit 706141a7540d0ae80e94ca5408ed07fe03d3c215
Author: Amitay Isaacs <amitay at gmail.com>
Date: Tue Feb 21 22:30:30 2017 +1100
ctdb-build: Split dist() target to generate manpages separately
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595
Signed-off-by: Amitay Isaacs <amitay at gmail.com>
Reviewed-by: Martin Schwenke <martin at meltin.net>
(cherry picked from commit 5005362122700ba3651b2c0c58f9026d415d031e)
commit a2c013be27b84c09ffd9953c03969cbba753f892
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Feb 21 12:15:07 2017 +0100
krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
Our own convert_string_talloc() function handles a wider range
of unicode code points than the MIT krb5 or heimdal code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Tue Feb 21 20:08:16 CET 2017 on sn-devel-144
(cherry picked from commit 10e1b92c288ae27f775debb16c3e122b6063fa21)
commit dfb3795884d7b177e667fb4c5218919e8f7c85d3
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:37:09 2017 +0100
s4:scripting: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 383432d2cd3046c2c3768c1ae452211c7e583604)
commit 6153b1589b73d25edc7954ceea8d4e015165f86e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:40:24 2016 +0200
samba-tool:provision: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ea57a204a1f6b4999e5347c1edb5753bed933fba)
commit f5df4eb085003aecbc0cd152e1757176200a9572
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:37:37 2016 +0200
samba-tool:domain: use generate_random_machine_password() for machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit f04e09e1968c40483b8dc2f92b9c15bce0b0b55a)
commit f6dc0739f8d60205231991b63aae09ed441d4d56
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:27:19 2016 +0200
samba-tool:domain: use generate_random_machine_password() for trusted domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b2fac99ac63739398aa716c26d8e187a25bb8400)
commit 40366fd386b3793451857670109f7c0be7011230
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 09:35:50 2016 +0200
pyglue: add generate_random_machine_password() wrapper
We use PyUnicode_FromString() (which is available from 2.6)
because we really have non-ascii strings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit d7840e77961cdc4ccc4f5549494d458b6b2c2cf4)
commit 705686ee1310bb305bcf33f6c1e7f7d8f6a52415
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 22:34:06 2017 +0100
python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit b86c29b1e6fb2fb4cf203aa38c7764084d855730)
commit 00d3c8ebb0c9f62cdb2edceb9552d5ad3c3648e3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Feb 17 00:10:12 2017 +0100
python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 99b8d6beccf4d3d24f9d87a4d8e5eadfe0e0dd33)
commit c5a4e47d416b998c4486f27912d538243ec06a15
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:01:21 2017 +0100
s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 0ed258bfe48995db6b345cc14e1747c4af9d076d)
commit 7c75976138c5d1945abecc93ff286e4bf7b09f0d
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Feb 13 19:35:54 2017 +0100
s4:libnet: make use of generate_random_machine_password()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 26515dca99ba3fa393207df905137021a2177de1)
commit 53ef65bd3a0396948d91d73b732d68b98579b290
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:41:48 2016 +0200
s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e9c184088cbbb47e48d9e96fc753a56c544301dc)
commit e0119dd2158f0a4c0c768589fbaaf68c75939d3d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:41:48 2016 +0200
s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 21cbf8e4db6928a8a3fb712b3750bb50c1201948)
commit aa79c0d039d5d40c694e949628be2ea92a236f6f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 10:42:30 2016 +0200
s3:net_rpc_trust: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 13fd543929c72fa5af1ae6e21ca8dda9a57a0f55)
commit 2e125def3ed195b0674cd5c257dcf79783d3bfb1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:09:57 2016 +0200
s3:libnet_join: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 77edef9555acd6e0c843582637bc367fa0d2a203)
commit fd099294c728fd7bb991a461d9e29b07aaa3b646
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 10:38:58 2016 +0200
s3:libads: use trust_pw_new_value() for krb5 machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 00136940757ea6947f97c9c92b25207d9413727b)
commit c01b2c26324f899feb049267ccff6c06e51cf683
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: use trust_pw_new_value() in trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit c21e9981d04fa016ef708941ea82051d0438b7a7)
commit ae300c70dbe87859c79b82e27ce2bdd17227626e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: add trust_pw_new_value() helper function
This generates a new trust password based on the secure channel type
and lp_security().
NT4 really has a limit of 28 UTF16 bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11)
commit 38cfd6116179aa6f36e2d2d097d910a56d015791
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 9 22:53:52 2017 +0100
s3:libsmb: let trust_pw_change() verify the new password at the end.
We should notice problems as early as possible, it makes no
sense to keep things working for a while and later find out
that we lost our trust relationship with our domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit a2877541681e07f09aee7d7c21adbe50346755e3)
commit 60d48a8b63f4a98e34611b86c2a61eb6a8e65b30
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 18 19:57:30 2017 +0100
s3:libsmb: let trust_pw_change() debug more verbose information
Password changes caused much trouble in the past, so we better debug
them at log level 0 and may see them also in the syslog.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 4185689dbf0085fcb3840ad8b520df21a33e5d2a)
commit 39ebdf726798fa20afe33c18c959eba2d81fcf1b
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Aug 23 09:30:05 2016 +0200
lib/util: add generate_random_machine_password() function
It generates a more random password for use as a machine password,
restricted to codepoints <= 0xFFFF in order to be compatible
with MIT krb5 and Heimdal.
Note: the fallback to ascii if 'unix charset' is not 'utf8'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ad12cfae42cc592166d6a1c1ee323f1aae82f235)
commit 7132f093b9e7d28e81960118f9f6500cf59171e9
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Feb 9 21:47:52 2017 +0100
libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit abe427775ee8ed1d278d5094ca127f85289ca5a3)
commit bcfa544e9e8e8ba320e02ef98c742ac2f18ba967
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jan 18 19:02:21 2017 +0000
libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8a209e5a0ca810d8cf0e5ebc1902fae8c5cb241e)
-----------------------------------------------------------------------
Summary of changes:
ctdb/Makefile | 3 +
ctdb/wscript | 44 ++++---
lib/krb5_wrap/krb5_samba.c | 37 ++++++
lib/util/genrand_util.c | 168 ++++++++++++++++++++++++-
lib/util/samba_util.h | 32 ++++-
libcli/auth/netlogon_creds_cli.c | 33 ++++-
libcli/auth/netlogon_creds_cli.h | 4 +
librpc/rpc/dcerpc_error.c | 8 +-
python/pyglue.c | 26 +++-
python/samba/__init__.py | 1 +
python/samba/join.py | 11 +-
python/samba/netcmd/domain.py | 29 +----
python/samba/netcmd/user.py | 2 +-
python/samba/provision/__init__.py | 6 +-
python/samba/provision/sambadns.py | 2 +-
python/samba/samdb.py | 2 +-
python/samba/upgradehelpers.py | 4 +-
source3/include/proto.h | 3 +
source3/include/smb.h | 6 -
source3/libads/util.c | 9 +-
source3/libnet/libnet_join.c | 16 ++-
source3/libsmb/trusts_util.c | 143 ++++++++++++++++-----
source3/modules/vfs_streams_xattr.c | 41 +++---
source3/utils/net_rpc_trust.c | 6 +-
source3/wscript_build | 1 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 84 +++++++++++++
source4/dsdb/samdb/ldb_modules/samldb.c | 25 ++--
source4/libcli/raw/smb.h | 7 --
source4/libnet/libnet_vampire.c | 2 +-
source4/scripting/bin/renamedc | 2 +-
wscript | 2 +-
31 files changed, 598 insertions(+), 161 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ctdb/Makefile b/ctdb/Makefile
index b0912f2..23ee780 100644
--- a/ctdb/Makefile
+++ b/ctdb/Makefile
@@ -27,6 +27,9 @@ show_version:
@touch .tmplock
@WAFLOCK=.tmplock $(WAF) show_version
+manpages:
+ $(WAF) manpages
+
dist:
touch .tmplock
WAFLOCK=.tmplock $(WAF) dist
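Review bot: The new manpages rule calls `$(WAF) manpages` directly, while the show_version and dist rules on either side of it first `touch .tmplock` and then run waf with `WAFLOCK=.tmplock`. If that lock file matters for those two invocations it probably matters here as well; either use the same two-line pattern or add a comment saying why manpages is exempt.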
diff --git a/ctdb/wscript b/ctdb/wscript
index 13384c8..d23358b 100644
--- a/ctdb/wscript
+++ b/ctdb/wscript
@@ -957,7 +957,27 @@ def show_version(ctx):
print VERSION
-def dist():
+def manpages(ctx):
+ BASE_URL = 'http://docbook.sourceforge.net/release/xsl/current'
+ MAN_XSL = '%s/manpages/docbook.xsl' % BASE_URL
+ HTML_XSL = '%s/html/docbook.xsl' % BASE_URL
+ CMD_TEMPLATE = 'xsltproc --xinclude -o %s --nonet %s %s'
+ manpages = manpages_binary + manpages_misc + manpages_etcd + manpages_ceph
+ for t in manpages:
+ cmd = CMD_TEMPLATE % ('doc/%s' % t, MAN_XSL, 'doc/%s.xml' % t)
+ ret = samba_utils.RUN_COMMAND(cmd)
+ if ret != 0:
+ print('Command %s failed with exit status %d' % (cmd, ret))
+ sys.exit(ret)
+
+ cmd = CMD_TEMPLATE % ('doc/%s.html' % t, HTML_XSL, 'doc/%s.xml' % t)
+ ret = samba_utils.RUN_COMMAND(cmd)
+ if ret != 0:
+ print('Command %s failed with exit status %d' % (cmd, ret))
+ sys.exit(ret)
+
+
+def distonly(ctx):
samba_dist.DIST_FILES('VERSION:VERSION', extend=True)
t = 'include/ctdb_version.h'
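Review bot: manpages(ctx) has no comment explaining that BASE_URL is never fetched: CMD_TEMPLATE passes `--nonet`, so the `http://docbook.sourceforge.net/...` stylesheets have to resolve locally on the build host (for example through an XML catalog). Without that note, a plain-http URL in a release build step reads like an unauthenticated download. The two xsltproc blocks inside the loop are also identical apart from output name and stylesheet; a small inner loop over the (output, xsl) pairs would keep the exit-status handling in one place.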
@@ -979,24 +999,8 @@ def dist():
sys.exit(ret)
samba_dist.DIST_FILES('ctdb/%s:%s' % (t, t), extend=True)
- BASE_URL = 'http://docbook.sourceforge.net/release/xsl/current'
- MAN_XSL = '%s/manpages/docbook.xsl' % BASE_URL
- HTML_XSL = '%s/html/docbook.xsl' % BASE_URL
- CMD_TEMPLATE = 'xsltproc --xinclude -o %s --nonet %s %s'
manpages = manpages_binary + manpages_misc + manpages_etcd + manpages_ceph
for t in manpages:
- cmd = CMD_TEMPLATE % ('doc/%s' % t, MAN_XSL, 'doc/%s.xml' % t)
- ret = samba_utils.RUN_COMMAND(cmd)
- if ret != 0:
- print('Command %s failed with exit status %d' % (cmd, ret))
- sys.exit(ret)
-
- cmd = CMD_TEMPLATE % ('doc/%s.html' % t, HTML_XSL, 'doc/%s.xml' % t)
- ret = samba_utils.RUN_COMMAND(cmd)
- if ret != 0:
- print('Command %s failed with exit status %d' % (cmd, ret))
- sys.exit(ret)
-
samba_dist.DIST_FILES('ctdb/doc/%s:doc/%s' % (t, t), extend=True)
samba_dist.DIST_FILES('ctdb/doc/%s.html:doc/%s.html' % (t, t),
extend=True)
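Review bot: After the removal here, the `for t in manpages:` loop in distonly() still adds doc/%s and doc/%s.html to the tarball but no longer generates them, so running distonly on its own depends on an earlier manpages run, and will package whatever stale files happen to be in doc/. Consider checking that each file exists and failing with a message that names the manpages command, or documenting the ordering requirement at the top of distonly().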
@@ -1004,6 +1008,12 @@ def dist():
samba_dist.dist()
+def dist():
+ import Scripting
+ Scripting.commands.append('manpages')
+ Scripting.commands.append('distonly')
+
+
def rpmonly(ctx):
opts = os.getenv('RPM_OPTIONS') or ''
cmd = 'rpmbuild -ta --clean --rmsource %s ctdb-%s.tar.gz' % (opts, VERSION)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index f8f3b16..10b42de 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "system/filesys.h"
#include "krb5_samba.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -300,6 +301,42 @@ int smb_krb5_create_key_from_string(krb5_context context,
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
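Review bot: In the new ENCTYPE_ARCFOUR_HMAC branch, `memset(utf16, 0, utf16_size);` is a store to memory that is never read again before the frame is freed, and a compiler is allowed to drop such a dead store; the same concern applies to wiping nt_hash just before returning. Since these buffers hold the password in UTF-16 and the NT hash, use a wipe that cannot be optimized away (memset_s where available, or a helper with a compiler barrier). The tail can also be simplified: both the `ret != 0` path and the success path do `TALLOC_FREE(frame)` and return ret, so a single free followed by `return ret;` is enough.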
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index fbd9998..76b7cd9 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -210,7 +210,7 @@ again:
}
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max)
@@ -258,6 +258,172 @@ again:
}
/**
+ * Generate a random machine password (based on random utf16 characters,
+ * converted to utf8). min must be at least 14, max must be at most 255.
+ *
+ * If 'unix charset' is not utf8, the password consist of random ascii
+ * values!
+ */
+
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max)
+{
+ TALLOC_CTX *frame = NULL;
+ struct generate_random_machine_password_state {
+ uint8_t password_buffer[256 * 2];
+ uint8_t tmp;
+ } *state;
+ char *new_pw = NULL;
+ size_t len = max;
+ char *utf8_pw = NULL;
+ size_t utf8_len = 0;
+ char *unix_pw = NULL;
+ size_t unix_len = 0;
+ size_t diff;
+ size_t i;
+ bool ok;
+ int cmp;
+
+ if (max > 255) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min < 14) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min > max) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ frame = talloc_stackframe_pool(2048);
+ state = talloc_zero(frame, struct generate_random_machine_password_state);
+
+ diff = max - min;
+
+ if (diff > 0) {
+ size_t tmp;
+
+ generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+
+ tmp %= diff;
+
+ len = min + tmp;
+ }
+
+ /*
+ * Create a random machine account password
+ * We create a random buffer and convert that to utf8.
+ * This is similar to what windows is doing.
+ *
+ * In future we may store the raw random buffer,
+ * but for now we need to pass the password as
+ * char pointer through some layers.
+ *
+ * As most kerberos keys are derived from the
+ * utf8 password we need to fallback to
+ * ASCII passwords if "unix charset" is not utf8.
+ */
+ generate_secret_buffer(state->password_buffer, len * 2);
+ for (i = 0; i < len; i++) {
+ size_t idx = i*2;
+ uint16_t c;
+
+ /*
+ * both MIT krb5 and HEIMDAL only
+ * handle codepoints up to 0xffff.
+ *
+ * It means we need to avoid
+ * 0xD800 - 0xDBFF (high surrogate)
+ * and
+ * 0xDC00 - 0xDFFF (low surrogate)
+ * in the random utf16 data.
+ *
+ * 55296 0xD800 0154000 0b1101100000000000
+ * 57343 0xDFFF 0157777 0b1101111111111111
+ * 8192 0x2000 020000 0b10000000000000
+ *
+ * The above values show that we can check
+ * for 0xD800 and just add 0x2000 to avoid
+ * the surrogate ranges.
+ *
+ * The rest will be handled by CH_UTF16MUNGED
+ * see utf16_munged_pull().
+ */
+ c = SVAL(state->password_buffer, idx);
+ if (c & 0xD800) {
+ c |= 0x2000;
+ }
+ SSVAL(state->password_buffer, idx, c);
+ }
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UTF8,
+ state->password_buffer, len * 2,
+ (void *)&utf8_pw, &utf8_len);
+ if (!ok) {
+ DEBUG(0, ("%s: convert_string_talloc() failed\n",
+ __func__));
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UNIX,
+ state->password_buffer, len * 2,
+ (void *)&unix_pw, &unix_len);
+ if (!ok) {
+ goto ascii_fallback;
+ }
+
+ if (utf8_len != unix_len) {
+ goto ascii_fallback;
+ }
+
+ cmp = memcmp((const uint8_t *)utf8_pw,
+ (const uint8_t *)unix_pw,
+ utf8_len);
+ if (cmp != 0) {
+ goto ascii_fallback;
+ }
+
+ new_pw = talloc_strdup(mem_ctx, utf8_pw);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+
+ascii_fallback:
+ for (i = 0; i < len; i++) {
+ /*
+ * truncate to ascii
+ */
+ state->tmp = state->password_buffer[i] & 0x7f;
+ if (state->tmp == 0) {
+ state->tmp = state->password_buffer[i] >> 1;
+ }
+ if (state->tmp == 0) {
+ state->tmp = 0x01;
+ }
+ state->password_buffer[i] = state->tmp;
+ }
+ state->password_buffer[i] = '\0';
+
+ new_pw = talloc_strdup(mem_ctx, (const char *)state->password_buffer);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+}
+
+/**
* Generate an array of unique text strings all of the same length.
* The returned string will be allocated.
* Returns NULL if the number of unique combinations cannot be created.
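Review bot: The surrogate check `if (c & 0xD800)` in the per-character loop does not test for the range the comment describes. It is true whenever any of bits 15, 14, 12 or 11 is set, which is 15 out of 16 random values, so `c |= 0x2000` forces bit 13 on for almost every code unit and costs roughly one bit of entropy per character. The result still avoids 0xD800-0xDFFF, but the test that matches the comment is `(c & 0xF800) == 0xD800`. Separately, `tmp %= diff; len = min + tmp;` yields lengths from min to max - 1, so max is never produced unless min equals max; use `diff + 1` as the modulus if max is meant to be inclusive. The result of `talloc_zero(frame, ...)` is also dereferenced without a NULL check.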
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index 897e0f5..18c6a1a 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -100,11 +100,41 @@ _PUBLIC_ uint32_t generate_random(void);
_PUBLIC_ bool check_password_quality(const char *s);
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
+ * This function is designed to provide a password that
+ * meats the complexity requirements of UF_NORMAL_ACCOUNT objects
+ * and they should be human readable and writeable on any keyboard layout.
+ *
+ * Characters used are:
+ * ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,@$%&!?:;<=>()[]~
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max);
/**
+ * Generate a random machine password
+ *
+ * min and max are the number of utf16 characters used
+ * to generate on utf8 compatible password.
+ *
+ * Note: if 'unix charset' is not 'utf8' (the default)
+ * then each utf16 character is only filled with
+ * values from 0x01 to 0x7f (ascii values without 0x00).
+ * This is important as the password neets to be
+ * a valid value as utf8 string and at the same time
+ * a valid value in the 'unix charset'.
+ *
+ * If 'unix charset' is 'utf8' (the default) then
+ * each utf16 character is a random value from 0x0000
+ * 0xFFFF (exluding the surrogate ranges from 0xD800-0xDFFF)
+ * while the translation from CH_UTF16MUNGED
+ * to CH_UTF8 replaces invalid values (see utf16_munged_pull()).
+ *
+ * Note: these passwords may not pass the complexity requirements
+ * for UF_NORMAL_ACCOUNT objects (except krbtgt accounts).
+ */
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max);
+
+/**
Use the random number generator to generate a random string.
**/
_PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const char *list);
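Review bot: The header documentation for generate_random_machine_password() does not state the argument limits that the implementation comment gives (min at least 14, max at most 255, EINVAL otherwise); callers read the header, so the limits belong here. The new comment blocks also need a spelling pass: "meats" should be "meets", "neets" should be "needs", "exluding" should be "excluding", "to generate on utf8 compatible password" should read "an utf8 compatible password", and "from 0x0000 0xFFFF" is missing "to".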
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 38b1351..d55142e 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -484,6 +484,14 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
return NT_STATUS_OK;
}
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx)
+{
+ return talloc_asprintf(mem_ctx, "netlogon_creds_cli:%s",
+ context->db.key_name);
+}
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context)
{
@@ -1747,7 +1755,11 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
/*
* netr_ServerPasswordSet
*/
- E_md4hash(new_password, state->samr_password.hash);
+ ok = E_md4hash(new_password, state->samr_password.hash);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
/*
* netr_ServerPasswordSet2
@@ -2075,11 +2087,24 @@ struct netlogon_creds_cli_LogonSamLogon_state {
/*
* the read only credentials before we started the operation
+ * used for netr_LogonSamLogonEx() if required (validation_level = 3).
*/
struct netlogon_creds_CredentialState *ro_creds;
+ /*
+ * The (locked) credentials used for the credential chain
+ * used for netr_LogonSamLogonWithFlags() or
+ * netr_LogonSamLogonWith().
+ */
struct netlogon_creds_CredentialState *lk_creds;
+ /*
+ * While we have locked the global credentials (lk_creds above)
+ * we operate an a temporary copy, because a server
+ * may not support netr_LogonSamLogonWithFlags() and
+ * didn't process our netr_Authenticator, so we need to
+ * restart from lk_creds.
+ */
struct netlogon_creds_CredentialState tmp_creds;
struct netr_Authenticator req_auth;
struct netr_Authenticator rep_auth;
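Review bot: In the new comment above lk_creds, `netr_LogonSamLogonWith()` looks like a truncated name; the other calls named in this struct are netr_LogonSamLogonEx() and netr_LogonSamLogonWithFlags(), so presumably netr_LogonSamLogon() was meant. In the tmp_creds comment, "we operate an a temporary copy" should be "on a temporary copy". These comments are the only description of which credential copy belongs to which call, so they are worth getting exact.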
@@ -2311,7 +2336,7 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
return;
}
- netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
+ netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds,
state->logon_level,
state->logon);
@@ -2414,8 +2439,10 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
/*
* We got a race, lets retry with on authenticator
* protection.
+ *
+ * netlogon_creds_cli_LogonSamLogon_start()
+ * will TALLOC_FREE(state->ro_creds);
*/
- TALLOC_FREE(state->ro_creds);
state->try_logon_ex = false;
netlogon_creds_cli_LogonSamLogon_start(req);
return;
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 006367a..949e03b 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -52,6 +52,10 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_context);
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx);
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context);
diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c
index bfcd216..d8ff0ab 100644
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -50,12 +50,10 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_DIV_BY_ZERO, NT_STATUS_RPC_FP_DIV_ZERO),
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_OVERFLOW, NT_STATUS_RPC_FP_OVERFLOW),
/*
- * What's the difference between NT_STATUS_RPC_INVALID_TAG
- * and NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ???
- *
- * Our callers expect NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+ * Our callers expect NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * instead of NT_STATUS_RPC_INVALID_TAG.
*/
- _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE),
+ _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_INVALID_TAG),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_BOUND, NT_STATUS_RPC_INVALID_BOUND),
_FAULT_STR(DCERPC_NCA_S_FAULT_RPC_VERSION_MISMATCH, NT_STATUS_RPC_PROTOCOL_ERROR),
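Review bot: After this change the table has two consecutive rows for DCERPC_NCA_S_FAULT_INVALID_TAG, and the rewritten comment explains only the first. It should say why the NT_STATUS_RPC_INVALID_TAG row is kept and which lookup direction each row serves, since the regression being fixed came from someone editing exactly this pair. A test that pins the fault-to-status mapping for this code would keep it from flipping again.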
diff --git a/python/pyglue.c b/python/pyglue.c
index dbe7eb4..0e80ba6 100644
--- a/python/pyglue.c
+++ b/python/pyglue.c
@@ -60,6 +60,23 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args)
return ret;
}
+static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args)
+{
+ int min, max;
+ PyObject *ret;
+ char *retstr;
+ if (!PyArg_ParseTuple(args, "ii", &min, &max))
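Review bot: py_generate_random_machine_password() parses min and max with the `"ii"` format into signed ints, while generate_random_machine_password() declares both as size_t. A negative value from Python becomes a very large size_t and is only rejected indirectly by the range checks in the C function; rejecting negatives here with a ValueError gives the caller a clearer error. The rest of the function is cut off in this mail, so the handling of a NULL return cannot be reviewed from these lines.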