[SCM] Samba Shared Repository - branch v4-8-test updated
Karolin Seeger
kseeger at samba.org
Tue Aug 14 10:17:44 UTC 2018
The branch, v4-8-test has been updated
via 47081d9 Merge tag 'samba-4.8.4' into v4-8-test
via 626c489 VERSION: Disable GIT_SNAPSHOT for the Samba 4.8.4 release.
via 032a6a4 WHATSNEW: Add release notes for Samba 4.8.4.
via 43aba6b CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
via 5ad366e ldb: Release LDB 1.3.5 for CVE-2018-1140
via 47bf6f6 CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
via ebc3a1a CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
via a36db4f CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
via 7331723 CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
via 95c95a4 CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
via a5245e4 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
via 6993f39 CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
via f0bd8cc CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
via 5fb35b7 CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
via 3454eae CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
via c775bd8 selftest/tests.py: remove always-needed, never-set with_cmocka flag
via a915e23 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
via 9891df4 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
via 1575ba4 CVE-2018-10919 acl_read: Flip the logic in the dirsync check
via f9fa4e5 CVE-2018-10919 acl_read: Small refactor to aclread_callback()
via 6e35ae3 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
via 7016bfd CVE-2018-10919 tests: test ldap searches for non-existent attributes.
via a90cb03 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
via 03dba18 CVE-2018-10919 tests: Add test case for object visibility with limited rights
via 77421f3 CVE-2018-10919 tests: Add tests for guessing confidential attributes
via a81f32e CVE-2018-10919 security: Add more comments to the object-specific access checks
via bbb72cf CVE-2018-10919 security: Move object-specific access checks into separate function
via 87aa836 CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
via 5923c3c CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
via 677fad5 CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
via 4954a6d VERSION: Bump version up to 4.8.4...
from 6f44ef8 s3/smbd: Ensure quota code is only called when quota support detected
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test
- Log -----------------------------------------------------------------
commit 47081d9de81339d4e940c4747f6e2d735386e651
Merge: 6f44ef8 626c489
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Aug 14 12:16:21 2018 +0200
Merge tag 'samba-4.8.4' into v4-8-test
samba: tag release samba-4.8.4
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 94 +-
lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs} | 0
...b-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} | 0
...il.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} | 0
lib/ldb/ldb_sqlite3/ldb_sqlite3.c | 3 +
lib/ldb/ldb_tdb/ldb_index.c | 18 +
lib/ldb/ldb_tdb/ldb_search.c | 16 +
lib/ldb/ldb_tdb/ldb_tdb.c | 27 +-
lib/ldb/tests/python/api.py | 156 +++
lib/ldb/wscript | 2 +-
libcli/auth/ntlm_check.c | 10 +-
libcli/auth/tests/ntlm_check.c | 413 ++++++++
libcli/auth/wscript_build | 13 +
libcli/security/access_check.c | 110 ++-
python/samba/tests/dns_invalid.py | 87 ++
selftest/knownfail | 3 +-
selftest/tests.py | 20 +-
source3/libsmb/libsmb_dir.c | 57 +-
source3/libsmb/libsmb_path.c | 9 +-
source3/selftest/tests.py | 2 +-
source3/utils/ntlm_auth.c | 6 +-
source4/dsdb/samdb/cracknames.c | 8 +-
source4/dsdb/samdb/ldb_modules/acl_read.c | 331 ++++++-
source4/dsdb/tests/python/acl.py | 68 ++
source4/dsdb/tests/python/confidential_attr.py | 1025 ++++++++++++++++++++
source4/dsdb/tests/python/ldap.py | 9 +
source4/selftest/tests.py | 6 +
source4/torture/drs/python/cracknames.py | 38 +
28 files changed, 2437 insertions(+), 94 deletions(-)
copy lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} (100%)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 python/samba/tests/dns_invalid.py
create mode 100755 source4/dsdb/tests/python/confidential_attr.py
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c2d922..d092972 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,94 @@
=============================
+ Release Notes for Samba 4.8.4
+ August 14, 2018
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2018-1139 (Weak authentication protocol allowed.)
+o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
+o CVE-2018-10858 (Insufficient input validation on client directory
+ listing in libsmbclient.)
+o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
+o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
+ server.)
+
+
+=======
+Details
+=======
+
+o CVE-2018-1139:
+ Vulnerability that allows authentication via NTLMv1 even if disabled.
+
+o CVE-2018-1140:
+ Missing null pointer checks may crash the Samba AD DC, both over
+ DNS and LDAP.
+
+o CVE-2018-10858:
+ A malicious server could return a directory entry that could corrupt
+ libsmbclient memory.
+
+o CVE-2018-10918:
+ Missing null pointer checks may crash the Samba AD DC, over the
+ authenticated DRSUAPI RPC service.
+
+o CVE-2018-10919:
+ Missing access control checks allow discovery of confidential attribute
+ values via authenticated LDAP search expressions.
+
+
+Changes since 4.8.3:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
+ returns from malicious servers.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 13374: CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
+ with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
+ * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
+ not servicePrincipalName is set on a user.
+
+o Tim Beale <timbeale at catalyst.net.nz>
+ * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
+ searches.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
+ is disabled via "ntlm auth".
+
+o Andrej Gessel <Andrej.Gessel at janztec.com>
+ * BUG 13374: CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
+ ltdb_index_dn_attr().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.8.3
June 26, 2018
=============================
@@ -84,8 +174,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.8.2
diff --git a/lib/ldb/ABI/ldb-1.3.4.sigs b/lib/ldb/ABI/ldb-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.4.sigs
copy to lib/ldb/ABI/ldb-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc99..0f5abf8 100644
--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
const char *cdn = ldb_dn_get_casefold(
ldb_dn_new(mem_ctx, ldb,
(const char *)value.data));
+ if (cdn == NULL) {
+ return NULL;
+ }
return lsqlite3_tprintf(mem_ctx,
"SELECT eid FROM ldb_entry "
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index 40baeea..429c8f5 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+ bool valid_dn = false;
struct ldb_dn *dn
= ldb_dn_from_ldb_val(list,
ldb_module_get_ctx(module),
@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
+ valid_dn = ldb_dn_validate(dn);
+ if (valid_dn == false) {
+ /* If we can't parse it, no match */
+ list->dn = NULL;
+ list->count = 0;
+ return LDB_SUCCESS;
+ }
+
/*
* Re-use the same code we use for a SCOPE_BASE
* search
@@ -1405,6 +1414,15 @@ static int ltdb_index_dn_attr(struct ldb_module *module,
/* work out the index key from the parent DN */
val.data = (uint8_t *)((uintptr_t)ldb_dn_get_casefold(dn));
+ if (val.data == NULL) {
+ const char *dn_str = ldb_dn_get_linearized(dn);
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ __location__
+ ": Failed to get casefold DN "
+ "from: %s",
+ dn_str);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
val.length = strlen((char *)val.data);
key = ltdb_index_key(ldb, ltdb, attr, &val, NULL);
if (!key) {
diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
index 0289086..d14be0f 100644
--- a/lib/ldb/ldb_tdb/ldb_search.c
+++ b/lib/ldb/ldb_tdb/ldb_search.c
@@ -295,6 +295,14 @@ int ltdb_search_dn1(struct ldb_module *module, struct ldb_dn *dn, struct ldb_mes
};
TALLOC_CTX *tdb_key_ctx = NULL;
+ bool valid_dn = ldb_dn_validate(dn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid Base DN: %s",
+ ldb_dn_get_linearized(dn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
if (ltdb->cache->GUID_index_attribute == NULL) {
tdb_key_ctx = talloc_new(msg);
if (!tdb_key_ctx) {
@@ -803,6 +811,14 @@ int ltdb_search(struct ltdb_context *ctx)
ldb_dn_get_linearized(req->op.search.base));
}
+ } else if (ldb_dn_validate(req->op.search.base) == false) {
+
+ /* We don't want invalid base DNs here */
+ ldb_asprintf_errstring(ldb,
+ "Invalid Base DN: %s",
+ ldb_dn_get_linearized(req->op.search.base));
+ ret = LDB_ERR_INVALID_DN_SYNTAX;
+
} else {
/* If we are not checking the base DN life is easy */
ret = LDB_SUCCESS;
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 7014276..c7bf865 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -515,6 +515,16 @@ static int ltdb_add_internal(struct ldb_module *module,
struct ldb_context *ldb = ldb_module_get_ctx(module);
int ret = LDB_SUCCESS;
unsigned int i;
+ bool valid_dn = false;
+
+ /* Check the new DN is reasonable */
+ valid_dn = ldb_dn_validate(msg->dn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid DN in ADD: %s",
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
for (i=0;i<msg->num_elements;i++) {
struct ldb_message_element *el = &msg->elements[i];
@@ -1292,6 +1302,7 @@ static int ltdb_rename(struct ltdb_context *ctx)
int ret = LDB_SUCCESS;
TDB_DATA tdb_key, tdb_key_old;
struct ldb_dn *db_dn;
+ bool valid_dn = false;
ldb_request_set_state(req, LDB_ASYNC_PENDING);
@@ -1304,10 +1315,24 @@ static int ltdb_rename(struct ltdb_context *ctx)
return LDB_ERR_OPERATIONS_ERROR;
}
+ /* Check the new DN is reasonable */
+ valid_dn = ldb_dn_validate(req->op.rename.newdn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid New DN: %s",
+ ldb_dn_get_linearized(req->op.rename.newdn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
/* we need to fetch the old record to re-add under the new name */
ret = ltdb_search_dn1(module, req->op.rename.olddn, msg,
LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC);
- if (ret != LDB_SUCCESS) {
+ if (ret == LDB_ERR_INVALID_DN_SYNTAX) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid Old DN: %s",
+ ldb_dn_get_linearized(req->op.rename.newdn));
+ return ret;
+ } else if (ret != LDB_SUCCESS) {
/* not finding the old record is an error */
return ret;
}
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index a62b241..48fac88 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -401,6 +401,19 @@ class SimpleLdb(LdbBaseTest):
finally:
l.delete(ldb.Dn(l, "dc=bar"))
+ def test_rename_bad_string_dns(self):
+ l = ldb.Ldb(self.url(), flags=self.flags())
+ m = ldb.Message()
+ m.dn = ldb.Dn(l, "dc=foo8")
+ m["bla"] = b"bla"
+ m["objectUUID"] = b"0123456789abcdef"
+ self.assertEqual(len(l.search()), 0)
+ l.add(m)
+ self.assertEqual(len(l.search()), 1)
+ self.assertRaises(ldb.LdbError,lambda: l.rename("dcXfoo8", "dc=bar"))
+ self.assertRaises(ldb.LdbError,lambda: l.rename("dc=foo8", "dcXbar"))
+ l.delete(ldb.Dn(l, "dc=foo8"))
+
def test_empty_dn(self):
l = ldb.Ldb(self.url(), flags=self.flags())
self.assertEqual(0, len(l.search()))
@@ -1143,6 +1156,110 @@ class SearchTests(LdbBaseTest):
# At some point we should fix this, but it isn't trivial
self.assertEqual(len(res11), 1)
+ def test_distinguishedName_filter_one(self):
+ """Testing that a distinguishedName= filter succeeds
+ when the scope is SCOPE_ONELEVEL.
+
+ This should be made more consistent, but for now lock in
+ the behaviour
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+ self.assertEqual(len(res11), 1)
+
+ def test_distinguishedName_filter_subtree(self):
+ """Testing that a distinguishedName= filter succeeds
+ when the scope is SCOPE_SUBTREE"""
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+ self.assertEqual(len(res11), 1)
+
+ def test_distinguishedName_filter_base(self):
+ """Testing that (incorrectly) a distinguishedName= filter works
+ when the scope is SCOPE_BASE"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 1)
+
+ def test_bad_dn_filter_base(self):
+ """Testing that a dn= filter on an invalid DN works
+ when the scope is SCOPE_BASE but
+ returns zero results"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 0)
+
+
+ def test_bad_dn_filter_one(self):
+ """Testing that a dn= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_ONELEVEL search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_dn_filter_subtree(self):
+ """Testing that a dn= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_SUBTREE search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_distinguishedName_filter_base(self):
+ """Testing that a distinguishedName= filter on an invalid DN works
+ when the scope is SCOPE_BASE but
+ returns zero results"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 0)
+
+
+ def test_bad_distinguishedName_filter_one(self):
+ """Testing that a distinguishedName= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_ONELEVEL search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_distinguishedName_filter_subtree(self):
+ """Testing that a distinguishedName= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_SUBTREE search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
class IndexedSearchTests(SearchTests):
"""Test searches using the index, to ensure the index doesn't
@@ -1291,6 +1408,17 @@ class AddModifyTests(LdbBaseTest):
enum = err.args[0]
self.assertEqual(enum, ldb.ERR_ENTRY_ALREADY_EXISTS)
+ def test_add_bad(self):
+ try:
+ self.l.add({"dn": "BAD,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde1"})
+ self.fail("Should have failed adding entry with invalid DN")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
def test_add_del_add(self):
self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
"name": b"Admins",
@@ -1372,6 +1500,34 @@ class AddModifyTests(LdbBaseTest):
enum = err.args[0]
self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
+ def test_move_bad(self):
+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde2"})
+
+ try:
+ self.l.rename("OUXDUP,DC=SAMBA,DC=ORG",
+ "OU=DUP2,DC=SAMBA,DC=ORG")
+ self.fail("Should have failed on invalid DN")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
+ def test_move_bad2(self):
+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde2"})
+
+ try:
+ self.l.rename("OU=DUP,DC=SAMBA,DC=ORG",
+ "OUXDUP2,DC=SAMBA,DC=ORG")
+ self.fail("Should have failed on missing")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
def test_move_fail_move_add(self):
self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
"name": b"Admins",
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 15a7cae..27b4df1 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '1.3.4'
+VERSION = '1.3.5'
blddir = 'bin'
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc..b68e9c8 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
--
Samba Shared Repository
More information about the samba-cvs
mailing list