[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Tue Aug 14 10:17:44 UTC 2018


The branch, v4-8-test has been updated
       via  47081d9 Merge tag 'samba-4.8.4' into v4-8-test
       via  626c489 VERSION: Disable GIT_SNAPSHOT for the Samba 4.8.4 release.
       via  032a6a4 WHATSNEW: Add release notes for Samba 4.8.4.
       via  43aba6b CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
       via  5ad366e ldb: Release LDB 1.3.5 for CVE-2018-1140
       via  47bf6f6 CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
       via  ebc3a1a CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
       via  a36db4f CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
       via  7331723 CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
       via  95c95a4 CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
       via  a5245e4 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
       via  6993f39 CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
       via  f0bd8cc CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
       via  5fb35b7 CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
       via  3454eae CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
       via  c775bd8 selftest/tests.py: remove always-needed, never-set with_cmocka flag
       via  a915e23 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
       via  9891df4 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
       via  1575ba4 CVE-2018-10919 acl_read: Flip the logic in the dirsync check
       via  f9fa4e5 CVE-2018-10919 acl_read: Small refactor to aclread_callback()
       via  6e35ae3 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
       via  7016bfd CVE-2018-10919 tests: test ldap searches for non-existent attributes.
       via  a90cb03 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
       via  03dba18 CVE-2018-10919 tests: Add test case for object visibility with limited rights
       via  77421f3 CVE-2018-10919 tests: Add tests for guessing confidential attributes
       via  a81f32e CVE-2018-10919 security: Add more comments to the object-specific access checks
       via  bbb72cf CVE-2018-10919 security: Move object-specific access checks into separate function
       via  87aa836 CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
       via  5923c3c CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
       via  677fad5 CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
       via  4954a6d VERSION: Bump version up to 4.8.4...
      from  6f44ef8 s3/smbd: Ensure quota code is only called when quota support detected

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit 47081d9de81339d4e940c4747f6e2d735386e651
Merge: 6f44ef8 626c489
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Aug 14 12:16:21 2018 +0200

    Merge tag 'samba-4.8.4' into v4-8-test
    
    samba: tag release samba-4.8.4

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |   94 +-
 lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs}     |    0
 ...b-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} |    0
 ...il.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} |    0
 lib/ldb/ldb_sqlite3/ldb_sqlite3.c                  |    3 +
 lib/ldb/ldb_tdb/ldb_index.c                        |   18 +
 lib/ldb/ldb_tdb/ldb_search.c                       |   16 +
 lib/ldb/ldb_tdb/ldb_tdb.c                          |   27 +-
 lib/ldb/tests/python/api.py                        |  156 +++
 lib/ldb/wscript                                    |    2 +-
 libcli/auth/ntlm_check.c                           |   10 +-
 libcli/auth/tests/ntlm_check.c                     |  413 ++++++++
 libcli/auth/wscript_build                          |   13 +
 libcli/security/access_check.c                     |  110 ++-
 python/samba/tests/dns_invalid.py                  |   87 ++
 selftest/knownfail                                 |    3 +-
 selftest/tests.py                                  |   20 +-
 source3/libsmb/libsmb_dir.c                        |   57 +-
 source3/libsmb/libsmb_path.c                       |    9 +-
 source3/selftest/tests.py                          |    2 +-
 source3/utils/ntlm_auth.c                          |    6 +-
 source4/dsdb/samdb/cracknames.c                    |    8 +-
 source4/dsdb/samdb/ldb_modules/acl_read.c          |  331 ++++++-
 source4/dsdb/tests/python/acl.py                   |   68 ++
 source4/dsdb/tests/python/confidential_attr.py     | 1025 ++++++++++++++++++++
 source4/dsdb/tests/python/ldap.py                  |    9 +
 source4/selftest/tests.py                          |    6 +
 source4/torture/drs/python/cracknames.py           |   38 +
 28 files changed, 2437 insertions(+), 94 deletions(-)
 copy lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} (100%)
 copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} (100%)
 create mode 100644 libcli/auth/tests/ntlm_check.c
 create mode 100644 python/samba/tests/dns_invalid.py
 create mode 100755 source4/dsdb/tests/python/confidential_attr.py


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c2d922..d092972 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,94 @@
                    =============================
+                   Release Notes for Samba 4.8.4
+                           August 14, 2018
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2018-1139  (Weak authentication protocol allowed.)
+o  CVE-2018-1140  (Denial of Service Attack on DNS and LDAP server.)
+o  CVE-2018-10858 (Insufficient input validation on client directory
+		   listing in libsmbclient.)
+o  CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
+o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
+		   server.)
+
+
+=======
+Details
+=======
+
+o  CVE-2018-1139:
+   Vulnerability that allows authentication via NTLMv1 even if disabled.
+
+o  CVE-2018-1140:
+   Missing null pointer checks may crash the Samba AD DC, both over
+   DNS and LDAP.
+
+o  CVE-2018-10858:
+   A malicious server could return a directory entry that could corrupt
+   libsmbclient memory.
+
+o  CVE-2018-10918:
+   Missing null pointer checks may crash the Samba AD DC, over the
+   authenticated DRSUAPI RPC service.
+
+o  CVE-2018-10919:
+   Missing access control checks allow discovery of confidential attribute
+   values via authenticated LDAP search expressions.
+
+
+Changes since 4.8.3:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
+     returns from malicious servers.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13374: CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
+     with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
+   * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
+     not servicePrincipalName is set on a user.
+
+o  Tim Beale <timbeale at catalyst.net.nz>
+   * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
+     searches.
+
+o  G√ľnther Deschner <gd at samba.org>
+   * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
+     is disabled via "ntlm auth".
+
+o  Andrej Gessel <Andrej.Gessel at janztec.com>
+   * BUG 13374: CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
+     ltdb_index_dn_attr().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.8.3
                             June 26, 2018
                    =============================
@@ -84,8 +174,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.8.2
diff --git a/lib/ldb/ABI/ldb-1.3.4.sigs b/lib/ldb/ABI/ldb-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.4.sigs
copy to lib/ldb/ABI/ldb-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc99..0f5abf8 100644
--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
 		 	const char *cdn = ldb_dn_get_casefold(
 						ldb_dn_new(mem_ctx, ldb,
 							      (const char *)value.data));
+			if (cdn == NULL) {
+				return NULL;
+			}
 
 			return lsqlite3_tprintf(mem_ctx,
 						"SELECT eid FROM ldb_entry "
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index 40baeea..429c8f5 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
 		return LDB_SUCCESS;
 	}
 	if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+		bool valid_dn = false;
 		struct ldb_dn *dn
 			= ldb_dn_from_ldb_val(list,
 					      ldb_module_get_ctx(module),
@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
 			return LDB_SUCCESS;
 		}
 
+		valid_dn = ldb_dn_validate(dn);
+		if (valid_dn == false) {
+			/* If we can't parse it, no match */
+			list->dn = NULL;
+			list->count = 0;
+			return LDB_SUCCESS;
+		}
+
 		/*
 		 * Re-use the same code we use for a SCOPE_BASE
 		 * search
@@ -1405,6 +1414,15 @@ static int ltdb_index_dn_attr(struct ldb_module *module,
 
 	/* work out the index key from the parent DN */
 	val.data = (uint8_t *)((uintptr_t)ldb_dn_get_casefold(dn));
+	if (val.data == NULL) {
+		const char *dn_str = ldb_dn_get_linearized(dn);
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       __location__
+				       ": Failed to get casefold DN "
+				       "from: %s",
+				       dn_str);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
 	val.length = strlen((char *)val.data);
 	key = ltdb_index_key(ldb, ltdb, attr, &val, NULL);
 	if (!key) {
diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
index 0289086..d14be0f 100644
--- a/lib/ldb/ldb_tdb/ldb_search.c
+++ b/lib/ldb/ldb_tdb/ldb_search.c
@@ -295,6 +295,14 @@ int ltdb_search_dn1(struct ldb_module *module, struct ldb_dn *dn, struct ldb_mes
 	};
 	TALLOC_CTX *tdb_key_ctx = NULL;
 
+	bool valid_dn = ldb_dn_validate(dn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid Base DN: %s",
+				       ldb_dn_get_linearized(dn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
 	if (ltdb->cache->GUID_index_attribute == NULL) {
 		tdb_key_ctx = talloc_new(msg);
 		if (!tdb_key_ctx) {
@@ -803,6 +811,14 @@ int ltdb_search(struct ltdb_context *ctx)
 					       ldb_dn_get_linearized(req->op.search.base));
 		}
 			
+	} else if (ldb_dn_validate(req->op.search.base) == false) {
+
+		/* We don't want invalid base DNs here */
+		ldb_asprintf_errstring(ldb,
+				       "Invalid Base DN: %s",
+				       ldb_dn_get_linearized(req->op.search.base));
+		ret = LDB_ERR_INVALID_DN_SYNTAX;
+
 	} else {
 		/* If we are not checking the base DN life is easy */
 		ret = LDB_SUCCESS;
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 7014276..c7bf865 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -515,6 +515,16 @@ static int ltdb_add_internal(struct ldb_module *module,
 	struct ldb_context *ldb = ldb_module_get_ctx(module);
 	int ret = LDB_SUCCESS;
 	unsigned int i;
+	bool valid_dn = false;
+
+	/* Check the new DN is reasonable */
+	valid_dn = ldb_dn_validate(msg->dn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid DN in ADD: %s",
+				       ldb_dn_get_linearized(msg->dn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
 
 	for (i=0;i<msg->num_elements;i++) {
 		struct ldb_message_element *el = &msg->elements[i];
@@ -1292,6 +1302,7 @@ static int ltdb_rename(struct ltdb_context *ctx)
 	int ret = LDB_SUCCESS;
 	TDB_DATA tdb_key, tdb_key_old;
 	struct ldb_dn *db_dn;
+	bool valid_dn = false;
 
 	ldb_request_set_state(req, LDB_ASYNC_PENDING);
 
@@ -1304,10 +1315,24 @@ static int ltdb_rename(struct ltdb_context *ctx)
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	/* Check the new DN is reasonable */
+	valid_dn = ldb_dn_validate(req->op.rename.newdn);
+	if (valid_dn == false) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid New DN: %s",
+				       ldb_dn_get_linearized(req->op.rename.newdn));
+		return LDB_ERR_INVALID_DN_SYNTAX;
+	}
+
 	/* we need to fetch the old record to re-add under the new name */
 	ret = ltdb_search_dn1(module, req->op.rename.olddn, msg,
 			      LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC);
-	if (ret != LDB_SUCCESS) {
+	if (ret == LDB_ERR_INVALID_DN_SYNTAX) {
+		ldb_asprintf_errstring(ldb_module_get_ctx(module),
+				       "Invalid Old DN: %s",
+				       ldb_dn_get_linearized(req->op.rename.newdn));
+		return ret;
+	} else if (ret != LDB_SUCCESS) {
 		/* not finding the old record is an error */
 		return ret;
 	}
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index a62b241..48fac88 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -401,6 +401,19 @@ class SimpleLdb(LdbBaseTest):
         finally:
             l.delete(ldb.Dn(l, "dc=bar"))
 
+    def test_rename_bad_string_dns(self):
+        l = ldb.Ldb(self.url(), flags=self.flags())
+        m = ldb.Message()
+        m.dn = ldb.Dn(l, "dc=foo8")
+        m["bla"] = b"bla"
+        m["objectUUID"] = b"0123456789abcdef"
+        self.assertEqual(len(l.search()), 0)
+        l.add(m)
+        self.assertEqual(len(l.search()), 1)
+        self.assertRaises(ldb.LdbError,lambda: l.rename("dcXfoo8", "dc=bar"))
+        self.assertRaises(ldb.LdbError,lambda: l.rename("dc=foo8", "dcXbar"))
+        l.delete(ldb.Dn(l, "dc=foo8"))
+
     def test_empty_dn(self):
         l = ldb.Ldb(self.url(), flags=self.flags())
         self.assertEqual(0, len(l.search()))
@@ -1143,6 +1156,110 @@ class SearchTests(LdbBaseTest):
         # At some point we should fix this, but it isn't trivial
         self.assertEqual(len(res11), 1)
 
+    def test_distinguishedName_filter_one(self):
+        """Testing that a distinguishedName= filter succeeds
+        when the scope is SCOPE_ONELEVEL.
+
+        This should be made more consistent, but for now lock in
+        the behaviour
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+        self.assertEqual(len(res11), 1)
+
+    def test_distinguishedName_filter_subtree(self):
+        """Testing that a distinguishedName= filter succeeds
+        when the scope is SCOPE_SUBTREE"""
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+        self.assertEqual(len(res11), 1)
+
+    def test_distinguishedName_filter_base(self):
+        """Testing that (incorrectly) a distinguishedName= filter works
+        when the scope is SCOPE_BASE"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 1)
+
+    def test_bad_dn_filter_base(self):
+        """Testing that a dn= filter on an invalid DN works
+        when the scope is SCOPE_BASE but
+        returns zero results"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 0)
+
+
+    def test_bad_dn_filter_one(self):
+        """Testing that a dn= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_ONELEVEL search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_dn_filter_subtree(self):
+        """Testing that a dn= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_SUBTREE search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_distinguishedName_filter_base(self):
+        """Testing that a distinguishedName= filter on an invalid DN works
+        when the scope is SCOPE_BASE but
+        returns zero results"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 0)
+
+
+    def test_bad_distinguishedName_filter_one(self):
+        """Testing that a distinguishedName= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_ONELEVEL search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_distinguishedName_filter_subtree(self):
+        """Testing that a distinguishedName= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_SUBTREE search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
 
 class IndexedSearchTests(SearchTests):
     """Test searches using the index, to ensure the index doesn't
@@ -1291,6 +1408,17 @@ class AddModifyTests(LdbBaseTest):
             enum = err.args[0]
             self.assertEqual(enum, ldb.ERR_ENTRY_ALREADY_EXISTS)
 
+    def test_add_bad(self):
+        try:
+            self.l.add({"dn": "BAD,DC=SAMBA,DC=ORG",
+                        "name": b"Admins",
+                        "x": "z", "y": "a",
+                        "objectUUID": b"0123456789abcde1"})
+            self.fail("Should have failed adding entry with invalid DN")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
     def test_add_del_add(self):
         self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
                     "name": b"Admins",
@@ -1372,6 +1500,34 @@ class AddModifyTests(LdbBaseTest):
             enum = err.args[0]
             self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
 
+    def test_move_bad(self):
+        self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+                    "name": b"Admins",
+                    "x": "z", "y": "a",
+                    "objectUUID": b"0123456789abcde2"})
+
+        try:
+            self.l.rename("OUXDUP,DC=SAMBA,DC=ORG",
+                          "OU=DUP2,DC=SAMBA,DC=ORG")
+            self.fail("Should have failed on invalid DN")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
+    def test_move_bad2(self):
+        self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+                    "name": b"Admins",
+                    "x": "z", "y": "a",
+                    "objectUUID": b"0123456789abcde2"})
+
+        try:
+            self.l.rename("OU=DUP,DC=SAMBA,DC=ORG",
+                          "OUXDUP2,DC=SAMBA,DC=ORG")
+            self.fail("Should have failed on missing")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
     def test_move_fail_move_add(self):
         self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
                     "name": b"Admins",
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 15a7cae..27b4df1 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 
 APPNAME = 'ldb'
-VERSION = '1.3.4'
+VERSION = '1.3.5'
 
 blddir = 'bin'
 
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc..b68e9c8 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 			     const struct samr_Password *stored_nt)
 {
 	if (stored_nt == NULL) {
-		DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
+		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
 			 username));
 	}
 
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
 		if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
 			return NT_STATUS_OK;
 		} else {
-			DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+			DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
 				 username));
 			return NT_STATUS_WRONG_PASSWORD;
 		}
 
 	} else if (client_lanman && stored_lanman) {
 		if (!lanman_auth) {
-			DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+			DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
 				 username));
 			return NT_STATUS_WRONG_PASSWORD;
 		}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list