[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Apr 7 10:25:02 UTC 2021
The branch, master has been updated
via 2f0ef147f99 auth/credentials: Remove unneeded try/except syntax
via c08f174c35f cracknames: Allow auto-conversion from an extended canonical name
via 7c2b26a431d auth/credentials: Add test for binding with an extended canonical name
via 7679995b95c auth/credentials: Add test for binding with a canonical name
via 6b575838300 cracknames: Add support for SID string format
via 3e531bb885c auth/credentials: Add test for binding with a domain SID
via 4d5fb7d279e dcesrv_core: fix build
via aac8be5419f s3: rpc_server: Store new association groups in the id tree
via f5178ef11e6 s3: rpc_server: Search for already created association groups
via 1e559f95870 selftest: Test RPC handles and association groups from different connection
via de28d915d7f s4:dsdb/password_hash: Add a more useful error message for passwords too long to be hashed
via e656d8b1ad4 provision tests: Add a test for hashing overly long passwords
via 0730b936d7a s4:dsdb/password_hash: Add additional check for crypt() and crypt_r() failure
via 609ca657652 provision: Decrease the length of random machine passwords
via 88b3d3443b3 s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account
via 05d70f92b63 provision tests: Add test for the CryptSHA256 and CryptSHA512 password hashing schemes
from 24ddc1ca9ca ldb/attrib_handler casefold: simplify space dropping
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 2f0ef147f99374dc9543a741f3a9f2c27b904f29
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 16:08:40 2021 +1300
auth/credentials: Remove unneeded try/except syntax
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Apr 7 10:24:17 UTC 2021 on sn-devel-184
commit c08f174c35fb0159d219f96eaf37f008d76fb41e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 16:02:27 2021 +1300
cracknames: Allow auto-conversion from an extended canonical name
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7c2b26a431daa29db99344632d0eda21139a558e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 16:01:44 2021 +1300
auth/credentials: Add test for binding with an extended canonical name
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 7679995b95c9d572a2e94213f5f55e3641844422
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 16:00:56 2021 +1300
auth/credentials: Add test for binding with a canonical name
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 6b57583830007f745360a5dcab9760a66fd3ad0e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 16:00:04 2021 +1300
cracknames: Add support for SID string format
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 3e531bb885c90c6d8f10570eda1be20ac44a7c9b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Mar 30 13:28:32 2021 +1300
auth/credentials: Add test for binding with a domain SID
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 4d5fb7d279ef899307a560da2bed037cda609f10
Author: Bernd Kuhls <bernd.kuhls at t-online.de>
Date: Sat Mar 27 17:17:34 2021 +0100
dcesrv_core: fix build
Move include of system/network.h to avoid a build error:
In file included from ../../lib/replace/system/network.h:35,
from ../../librpc/rpc/dcesrv_core.c:2658:
usr/include/unistd.h: At top level:
usr/include/unistd.h:675:16: error: conflicting types for ‘geteuid’
675 | extern __uid_t geteuid (void) __THROW;
Signed-off-by: Bernd Kuhls <bernd.kuhls at t-online.de>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aac8be5419fdd5e222263e3558d556c1d1dc4cef
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 26 17:20:32 2020 +0200
s3: rpc_server: Store new association groups in the id tree
Right now a new association group is created for each connection,
assigning the legacy 0x53F0 id, but it is not stored anywhere. When a
second client requests to join an association group by its id, it is not
found and a new one is created with the same ID.
In practice, it means the association groups are not working even in the
same server process.
This commit stores the created association group in the idtree, but to
make use of it assigns a random id instead of the historical 0x53F0.
The test assoc_group_ok2 was wrongly passing before this change because
the same id 0x53F0 was assigned to all association groups.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f5178ef11e675b07ff49c8f1e0b1e193fc0babb2
Author: Samuel Cabrero <scabrero at samba.org>
Date: Thu Jun 18 18:40:16 2020 +0200
s3: rpc_server: Search for already created association groups
If the client requests to join an association group in the bind operation,
try to find it and do not create a new one.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1e559f958708998324dc4873cccb63899126e5b5
Author: Samuel Cabrero <scabrero at samba.org>
Date: Fri Jun 19 16:31:39 2020 +0200
selftest: Test RPC handles and association groups from different connection
Add a test to check if an RPC handle can be used from a different connection
than the one where it was created, when the same association group is
requested in the bind operation of the second connection.
The association group handling is one of the differences between the S3
and S4 RPC server implementations provided by the implementation
callbacks after the merge.
Association groups work fine in the S4 implementation as the RPC server
runs in one process, except for the 'smbd' embedded services provided
by the S3 implementation like winreg (see lp_enforce_ad_dc_settings()).
In the S3 implementation, association groups should work in the same
process, but the merge introduced a bug where a new association group is
always created even when it already exists in the same process.
Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit de28d915d7f135c43c35cf2b5167f9603e99b1f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Mar 12 14:41:13 2021 +1300
s4:dsdb/password_hash: Add a more useful error message for passwords too long to be hashed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e656d8b1ad4c70a7c85a66945d7c7d807fce9b6c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 24 02:52:06 2021 +1300
provision tests: Add a test for hashing overly long passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0730b936d7a8f55389873d72cb0996ab941f15d7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 24 02:46:38 2021 +1300
s4:dsdb/password_hash: Add additional check for crypt() and crypt_r() failure
While crypt_rn() always returns a null pointer in the event of
failure, crypt() and crypt_r() may instead return a string starting
with the character '*'. This commit adds a check to detect failure in
this case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 609ca657652862fd9c81fd11f818efb74f72ff55
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 24 02:03:25 2021 +1300
provision: Decrease the length of random machine passwords
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 88b3d3443b3a581ec301430346b3e9bf05d81b5e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Feb 24 01:13:41 2021 +1300
s4:dsdb/password_hash: Don't generate crypt() password for krbtgt account
Since the length of the krbtgt password after conversion to UTF-8 form is
typically greater than the maximum accepted by crypt(), the call usually
fails. This commit disables generation of crypt() passwords for this specific
account, as it's not necessary.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 05d70f92b633284044d1cd14314eadb3645c1e09
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Feb 23 23:50:30 2021 +1300
provision tests: Add test for the CryptSHA256 and CryptSHA512 password hashing schemes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/tests/bind.py | 30 ++++-
librpc/rpc/dcesrv_core.c | 11 +-
python/samba/join.py | 2 +-
python/samba/provision/__init__.py | 2 +-
.../samba_tool/provision_userPassword_crypt.py | 67 +++++++++++
selftest/knownfail | 4 +-
source3/rpc_server/rpc_server.c | 81 +++++++++++--
source4/dsdb/samdb/cracknames.c | 34 +++++-
source4/dsdb/samdb/ldb_modules/password_hash.c | 29 ++++-
source4/libnet/libnet_vampire.c | 2 +-
source4/scripting/bin/renamedc | 2 +-
source4/selftest/tests.py | 1 +
source4/torture/drs/python/cracknames.py | 3 +-
source4/torture/rpc/bind.c | 126 +++++++++++++++++++++
source4/torture/rpc/drsuapi_cracknames.c | 2 -
15 files changed, 360 insertions(+), 36 deletions(-)
create mode 100644 python/samba/tests/samba_tool/provision_userPassword_crypt.py
Changeset truncated at 500 lines:
diff --git a/auth/credentials/tests/bind.py b/auth/credentials/tests/bind.py
index 8bee6f96c62..ad465e94968 100755
--- a/auth/credentials/tests/bind.py
+++ b/auth/credentials/tests/bind.py
@@ -53,6 +53,9 @@ creds_user1 = create_credential(lp, creds)
creds_user2 = create_credential(lp, creds)
creds_user3 = create_credential(lp, creds)
creds_user4 = create_credential(lp, creds)
+creds_user5 = create_credential(lp, creds)
+creds_user6 = create_credential(lp, creds)
+creds_user7 = create_credential(lp, creds)
class BindTests(samba.tests.TestCase):
@@ -169,7 +172,8 @@ unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode(
self.ldb.newuser(username=self.username, password=self.password)
ldb_res = self.ldb.search(base=self.domain_dn,
scope=SCOPE_SUBTREE,
- expression="(samAccountName=%s)" % self.username)
+ expression="(samAccountName=%s)" % self.username,
+ attrs=["objectSid"])
self.assertEqual(len(ldb_res), 1)
user_dn = ldb_res[0]["dn"]
self.addCleanup(delete_force, self.ldb, user_dn)
@@ -198,6 +202,30 @@ unicodePwd:: """ + base64.b64encode(u"\"P at ssw0rd\"".encode('utf-16-le')).decode(
lp=lp, ldap_only=True)
res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
+ # do a simple bind and search with the user account SID
+ creds_user5.set_bind_dn(self.ldb.schema_format_value("objectSid", ldb_res[0]["objectSid"][0]).decode('utf8'))
+ creds_user5.set_password(self.password)
+ print("BindTest with: " + creds_user5.get_bind_dn())
+ ldb_user5 = samba.tests.connect_samdb(host, credentials=creds_user5,
+ lp=lp, ldap_only=True)
+ res = ldb_user5.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
+
+ # do a simple bind and search with the canonical name
+ creds_user6.set_bind_dn(user_dn.canonical_str())
+ creds_user6.set_password(self.password)
+ print("BindTest with: " + creds_user6.get_bind_dn())
+ ldb_user6 = samba.tests.connect_samdb(host, credentials=creds_user6,
+ lp=lp, ldap_only=True)
+ res = ldb_user6.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
+
+ # do a simple bind and search with the extended canonical name
+ creds_user7.set_bind_dn(user_dn.canonical_ex_str())
+ creds_user7.set_password(self.password)
+ print("BindTest with: " + creds_user7.get_bind_dn())
+ ldb_user7 = samba.tests.connect_samdb(host, credentials=creds_user7,
+ lp=lp, ldap_only=True)
+ res = ldb_user7.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
+
def test_user_account_bind_no_domain(self):
# create user
self.ldb.newuser(username=self.username, password=self.password)
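Review bot: the three new bind checks never assert on their results: each `res = ldb_userN.search(...)` value is assigned and discarded and the `print("BindTest with: ...")` lines are the only signal, so the test only proves that the bind did not raise. Add an assertion on each `res` (for instance `self.assertEqual(len(res), 1)`, as this method already does for `ldb_res`), and consider splitting the SID, canonical and extended canonical binds into separate test methods so a failure in the SID path (the bug 10319 fix) does not mask the other two.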
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 8db17742701..b75336d0a85 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -33,6 +33,7 @@
#include "lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "lib/util/tevent_ntstatus.h"
+#include "system/network.h"
#undef DBGC_CLASS
@@ -2634,16 +2635,6 @@ _PUBLIC_ void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
}
}
-/* We need this include to be able to compile on some plateforms
- * (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
- * correctly.
- * It has to be that deep because otherwise we have a conflict on
- * const struct dcesrv_interface declaration.
- * This is mostly due to socket_wrapper defining #define bind swrap_bind
- * which conflict with the bind used before.
- */
-#include "system/network.h"
-
struct dcesrv_sock_reply_state {
struct dcesrv_connection *dce_conn;
struct dcesrv_call_state *call;
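Review bot: the comment removed here explained why `system/network.h` was included this deep: socket_wrapper's `#define bind swrap_bind` clashed with the `bind` used earlier in the file. The first hunk moves the include to the top, which may reintroduce that clash in a socket_wrapper build, and the commit message only reports the unistd.h `geteuid` conflict it fixes. Please confirm the file still builds with socket_wrapper enabled (the selftest configuration) and say so in the commit message, or keep a one-line comment on the new include noting that the earlier conflict no longer applies.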
diff --git a/python/samba/join.py b/python/samba/join.py
index 28698e1744c..d78375441fb 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -136,7 +136,7 @@ class DCJoinContext(object):
if machinepass is not None:
ctx.acct_pass = machinepass
else:
- ctx.acct_pass = samba.generate_random_machine_password(128, 255)
+ ctx.acct_pass = samba.generate_random_machine_password(120, 120)
ctx.dnsdomain = ctx.samdb.domain_dns_name()
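Review bot: `generate_random_machine_password(120, 120)` hard-codes the new fixed length here and again in provision/__init__.py, libnet_vampire.c and renamedc. A named constant next to the generator, with a comment that 120 UTF-16 code units matches Windows and keeps the UTF-8 form within what crypt() accepts, would stop the four call sites drifting apart and document why min and max are now equal.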
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index b87ad38eeff..2531f51ffc8 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1925,7 +1925,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
if krbtgtpass is None:
krbtgtpass = samba.generate_random_machine_password(128, 255)
if machinepass is None:
- machinepass = samba.generate_random_machine_password(128, 255)
+ machinepass = samba.generate_random_machine_password(120, 120)
if dnspass is None:
dnspass = samba.generate_random_password(128, 255)
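Review bot: `krbtgtpass` two lines above stays at `generate_random_machine_password(128, 255)` while `machinepass` drops to 120. That is consistent with the krbtgt crypt() exemption added in password_hash.c, but a reader of this file cannot see the connection; add a short comment on the krbtgt line stating that its longer length is deliberate because no crypt() hash is generated for that account.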
diff --git a/python/samba/tests/samba_tool/provision_userPassword_crypt.py b/python/samba/tests/samba_tool/provision_userPassword_crypt.py
new file mode 100644
index 00000000000..07752e16c30
--- /dev/null
+++ b/python/samba/tests/samba_tool/provision_userPassword_crypt.py
@@ -0,0 +1,67 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Catalyst IT Ltd. 2021
+#
+# based on provision_lmdb_size.py:
+# Copyright (C) Catalyst IT Ltd. 2019
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.tests.samba_tool.base import SambaToolCmdTest
+import os
+import shutil
+
+
+class ProvisionUserPasswordTestCase(SambaToolCmdTest):
+ """Test for crypt() hashed passwords"""
+
+ def setUp(self):
+ super(ProvisionUserPasswordTestCase, self).setUp()
+ self.tempsambadir = os.path.join(self.tempdir, "samba")
+ os.mkdir(self.tempsambadir)
+
+ # provision a domain
+ #
+ # returns the tuple (ret, stdout, stderr)
+ def provision(self, machinepass=None):
+ command = (
+ "samba-tool " +
+ "domain provision " +
+ "--use-rfc230 " +
+ "--realm=\"EXAMPLE.COM\" " +
+ "--domain=\"EXAMPLE\" " +
+ "--adminpass=\"FooBar123\" " +
+ "--server-role=dc " +
+ "--host-ip=10.166.183.55 " +
+ "--option=\"password hash userPassword " +
+ "schemes=CryptSHA256 CryptSHA512\" " +
+ ("--targetdir=\"%s\" " % self.tempsambadir) +
+ "--use-ntvfs"
+ )
+ if machinepass:
+ command += ("--machinepass=\"%s\"" % machinepass)
+
+ return self.run_command(command)
+
+ def test_crypt(self):
+ (result, out, err) = self.provision()
+ self.assertEqual(0, result)
+
+ def test_length(self):
+ (result, out, err) = self.provision(machinepass="FooBar123" + ("a"*1024))
+ self.assertNotEqual(0, result)
+
+ def tearDown(self):
+ super(ProvisionUserPasswordTestCase, self).tearDown()
+ shutil.rmtree(self.tempsambadir)
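Review bot: `--machinepass` is appended without a separating space: the preceding element `"--use-ntvfs"` has no trailing blank, so `provision(machinepass=...)` builds `... --use-ntvfs--machinepass="FooBar123aaa..."`, which samba-tool rejects as an unknown option. `test_length` therefore sees a non-zero exit code for the wrong reason and never exercises the over-long-password path. Add the space (`"--use-ntvfs "` or `" --machinepass=..."`) and assert on the expected text in `err` (the message introduced in password_hash.c, "Password exceeds maximum length allowed for crypt() hashing") so the test fails if the command line is rejected for some other reason. Separately, `--use-rfc230` reads like a truncated `--use-rfc2307`; if it only works because optparse accepts unambiguous prefixes, spell it out.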
diff --git a/selftest/knownfail b/selftest/knownfail
index f4035a6dec2..0be542c5c1e 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -345,11 +345,11 @@
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_no_auth_presentation_ctx_invalid4
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_spnego_change_auth_type2
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_spnego_change_transfer
-# Association groups not implemented yet in s3 server implementation
+# Association groups between processes not implemented yet in s3 server implementation
+^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_assoc_group_ok2\(ad_member\)
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_assoc_group_fail1\(ad_member\)
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_assoc_group_fail2\(ad_member\)
^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_assoc_group_fail3\(ad_member\)
-^samba.tests.dcerpc.raw_protocol.*.TestDCERPC_BIND.test_assoc_group_diff1\(ad_member\)
^samba4.rpc.echo.*on.*with.object.echo.doublepointer.*nt4_dc
^samba4.rpc.echo.*on.*with.object.echo.surrounding.*nt4_dc
^samba4.rpc.echo.*on.*with.object.echo.enum.*nt4_dc
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 01350d67283..b96bd90daf0 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -612,8 +612,19 @@ void dcesrv_log_successful_authz(
TALLOC_FREE(frame);
}
-static NTSTATUS dcesrv_assoc_group_new(struct dcesrv_call_state *call,
- uint32_t assoc_group_id)
+static int dcesrv_assoc_group_destructor(struct dcesrv_assoc_group *assoc_group)
+{
+ int ret;
+ ret = idr_remove(assoc_group->dce_ctx->assoc_groups_idr,
+ assoc_group->id);
+ if (ret != 0) {
+ DBG_ERR("Failed to remove assoc_group 0x%08x\n",
+ assoc_group->id);
+ }
+ return 0;
+}
+
+static NTSTATUS dcesrv_assoc_group_new(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
struct dcesrv_context *dce_ctx = conn->dce_ctx;
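Review bot: `dcesrv_assoc_group_destructor` logs an `idr_remove` failure but still returns 0, so the free proceeds while the id tree may keep a stale pointer to the group. Returning 0 is the right choice (refusing the free would leak), but say so in a comment, and print the id in the same `0x%08x` form used by `dcesrv_assoc_group_reference` so the two log lines can be correlated.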
@@ -621,18 +632,74 @@ static NTSTATUS dcesrv_assoc_group_new(struct dcesrv_call_state *call,
enum dcerpc_transport_t transport =
dcerpc_binding_get_transport(endpoint->ep_description);
struct dcesrv_assoc_group *assoc_group = NULL;
+ int id;
assoc_group = talloc_zero(conn, struct dcesrv_assoc_group);
if (assoc_group == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ id = idr_get_new_random(dce_ctx->assoc_groups_idr,
+ assoc_group,
+ UINT16_MAX);
+ if (id == -1) {
+ TALLOC_FREE(assoc_group);
+ DBG_ERR("Out of association groups!\n");
+ return NT_STATUS_RPC_OUT_OF_RESOURCES;
+ }
+
assoc_group->transport = transport;
- assoc_group->id = assoc_group_id;
+ assoc_group->id = id;
assoc_group->dce_ctx = dce_ctx;
call->conn->assoc_group = assoc_group;
+ talloc_set_destructor(assoc_group, dcesrv_assoc_group_destructor);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_assoc_group_reference(struct dcesrv_call_state *call,
+ uint32_t assoc_group_id)
+{
+ struct dcesrv_connection *conn = call->conn;
+ const struct dcesrv_endpoint *endpoint = conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
+ struct dcesrv_assoc_group *assoc_group = NULL;
+ void *id_ptr = NULL;
+
+ /* find an association group given a assoc_group_id */
+ id_ptr = idr_find(conn->dce_ctx->assoc_groups_idr, assoc_group_id);
+ if (id_ptr == NULL) {
+ /*
+ * FIXME If the association group is not found it has
+ * been created in other process (preforking daemons).
+ * Until this is properly fixed we just create a new
+ * association group in this process
+ */
+ DBG_NOTICE("Failed to find assoc_group 0x%08x in this "
+ "server process, creating a new one\n",
+ assoc_group_id);
+ return dcesrv_assoc_group_new(call);
+ }
+ assoc_group = talloc_get_type_abort(id_ptr, struct dcesrv_assoc_group);
+
+ if (assoc_group->transport != transport) {
+ const char *at =
+ derpc_transport_string_by_transport(
+ assoc_group->transport);
+ const char *ct =
+ derpc_transport_string_by_transport(
+ transport);
+
+ DBG_NOTICE("assoc_group 0x%08x (transport %s) "
+ "is not available on transport %s",
+ assoc_group_id, at, ct);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ conn->assoc_group = talloc_reference(conn, assoc_group);
return NT_STATUS_OK;
}
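Review bot: when `idr_find` misses, `dcesrv_assoc_group_reference` falls through to `dcesrv_assoc_group_new(call)`, which allocates a fresh random id, so a client that asked to join `assoc_group_id` silently gets a different group and must be told the new `conn->assoc_group->id` in the bind_ack rather than an echo of the requested one; please confirm the caller does that, since a client reusing the original id on a further connection would miss again. Two smaller points: the DBG_NOTICE format string ending in `"is not available on transport %s"` lacks a trailing `\n`, and `UINT16_MAX` caps ids at 16 bits although `assoc_group_id` is a `uint32_t`; a comment saying this mirrors the source4 server (if it does) would help. Samba generally avoids `talloc_reference()`; since the group is allocated on the creating `conn`, reparenting it to `dce_ctx` and relying on the destructor would make its lifetime easier to reason about.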
@@ -642,12 +709,12 @@ NTSTATUS dcesrv_assoc_group_find(
{
uint32_t assoc_group_id = call->pkt.u.bind.assoc_group_id;
- /* If not requested by client create a new association group */
- if (assoc_group_id == 0) {
- assoc_group_id = 0x53F0;
+ if (assoc_group_id != 0) {
+ return dcesrv_assoc_group_reference(call, assoc_group_id);
}
- return dcesrv_assoc_group_new(call, assoc_group_id);
+ /* If not requested by client create a new association group */
+ return dcesrv_assoc_group_new(call);
}
void dcesrv_transport_terminate_connection(struct dcesrv_connection *dce_conn,
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 544a5f6a88c..f298ef3df6f 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -889,6 +889,9 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
const char * const _domain_attrs_display[] = { "ncName", "dnsRoot", NULL};
const char * const _result_attrs_display[] = { "displayName", "samAccountName", NULL};
+ const char * const _domain_attrs_sid[] = { "ncName", "dnsRoot", NULL};
+ const char * const _result_attrs_sid[] = { "objectSid", NULL};
+
const char * const _domain_attrs_none[] = { "ncName", "dnsRoot" , NULL};
const char * const _result_attrs_none[] = { NULL};
@@ -923,6 +926,10 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
domain_attrs = _domain_attrs_spn;
result_attrs = _result_attrs_spn;
break;
+ case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY:
+ domain_attrs = _domain_attrs_sid;
+ result_attrs = _result_attrs_sid;
+ break;
default:
domain_attrs = _domain_attrs_none;
result_attrs = _result_attrs_none;
@@ -1271,12 +1278,25 @@ static WERROR DsCrackNameOneFilter(struct ldb_context *sam_ctx, TALLOC_CTX *mem_
}
return WERR_OK;
}
- case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN:
- case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
+ case DRSUAPI_DS_NAME_FORMAT_DNS_DOMAIN: {
info1->dns_domain_name = NULL;
info1->status = DRSUAPI_DS_NAME_STATUS_RESOLVE_ERROR;
return WERR_OK;
}
+ case DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY: {
+ const struct dom_sid *sid = samdb_result_dom_sid(mem_ctx, result, "objectSid");
+
+ if (sid == NULL) {
+ info1->status = DRSUAPI_DS_NAME_STATUS_NO_MAPPING;
+ return WERR_OK;
+ }
+
+ info1->result_name = dom_sid_string(mem_ctx, sid);
+ W_ERROR_HAVE_NO_MEMORY(info1->result_name);
+
+ info1->status = DRSUAPI_DS_NAME_STATUS_OK;
+ return WERR_OK;
+ }
case DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL: {
info1->result_name = ldb_msg_find_attr_as_string(result, "userPrincipalName", NULL);
if (!info1->result_name) {
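Review bot: the new `DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY` case returns only `objectSid`, so a name that matched through `sIDHistory` is reported as the object's current SID. That is the sensible answer for cracknames, but it should be stated in a comment on the case, because the format name suggests a history SID might be returned and the earlier hunk only requests `objectSid` in `_result_attrs_sid`.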
@@ -1487,14 +1507,24 @@ NTSTATUS crack_auto_name_to_nt4_name(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+ /*
+ * Here we only consider a subset of the possible name forms listed in
+ * [MS-ADTS] 5.1.1.1.1, and we don't retry with a different name form if
+ * the first attempt fails.
+ */
+
if (strchr_m(name, '=')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
} else if (strchr_m(name, '@')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_USER_PRINCIPAL;
} else if (strchr_m(name, '\\')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
+ } else if (strchr_m(name, '\n')) {
+ format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL_EX;
} else if (strchr_m(name, '/')) {
format_offered = DRSUAPI_DS_NAME_FORMAT_CANONICAL;
+ } else if ((name[0] == 'S' || name[0] == 's') && name[1] == '-') {
+ format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
} else {
return NT_STATUS_NO_SUCH_USER;
}
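Review bot: the `S-`/`s-` prefix test only looks at the first two characters, so any account name beginning with `S-` is now offered as `DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY` and fails the SID lookup instead of returning `NT_STATUS_NO_SUCH_USER` directly as before. The outcome is the same (no mapping), but a stricter check such as `dom_sid_parse()` on `name` would make the intent explicit and skip the lookup for strings that cannot be SIDs. The placement after the `'\n'` and `'/'` checks is correct because a SID string contains neither, and `name[1]` is only read once `name[0]` matched, so an empty name is safe; a one-line comment noting both would help the next reader.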
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 5bdd23c13e9..c98b3401320 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1540,6 +1540,7 @@ static int setup_primary_userPassword_hash(
* RHEL 7 behaviour.
*/
errno = 0;
+
#ifdef HAVE_CRYPT_RN
hash = crypt_rn((char *)io->n.cleartext_utf8->data,
cmd,
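Review bot: this hunk only adds a blank line after `errno = 0;`; a whitespace-only change unrelated to the fix is better dropped or folded into the hunk below to keep the diff focused on the failure check.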
@@ -1554,18 +1555,29 @@ static int setup_primary_userPassword_hash(
*/
hash = crypt((char *)io->n.cleartext_utf8->data, cmd);
#endif
- if (hash == NULL) {
+ /*
+ * On error, crypt() and crypt_r() may return a null pointer,
+ * or a pointer to an invalid hash beginning with a '*'.
+ */
+ if (hash == NULL || hash[0] == '*') {
char buf[1024];
- int err = strerror_r(errno, buf, sizeof(buf));
- if (err != 0) {
- strlcpy(buf, "Unknown error", sizeof(buf)-1);
+ const char *reason = NULL;
+ if (errno == ERANGE) {
+ reason = "Password exceeds maximum length allowed for crypt() hashing";
+ } else {
+ int err = strerror_r(errno, buf, sizeof(buf));
+ if (err == 0) {
+ reason = buf;
+ } else {
+ reason = "Unknown error";
+ }
}
ldb_asprintf_errstring(
ldb,
"setup_primary_userPassword: generation of a %s "
"password hash failed: (%s)",
scheme,
- buf);
+ reason);
TALLOC_FREE(frame);
return LDB_ERR_OPERATIONS_ERROR;
}
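Review bot: the `'*'` return path does not guarantee `errno` is set. `errno` is cleared to 0 above, and a crypt() that returns an invalid `*`-prefixed hash without touching errno reaches `strerror_r(0, ...)`, producing a message like `password hash failed: (Success)`. Handle `errno == 0` explicitly (for example "crypt() returned an invalid hash") before falling back to `strerror_r`, so the new ERANGE branch is not the only case with a useful reason.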
@@ -2031,7 +2043,12 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
num_packages++;
}
- if (io->ac->userPassword_schemes) {
+ /*
+ * Don't generate crypt() or similar password for the krbtgt account.
+ * It's unnecessary, and the length of the cleartext in UTF-8 form
+ * exceeds the maximum (CRYPT_MAX_PASSPHRASE_SIZE) allowed by crypt().
+ */
+ if (io->ac->userPassword_schemes && !io->u.is_krbtgt) {
/*
* setup 'Primary:userPassword' element
*/
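Review bot: skipping the whole `Primary:userPassword` package for krbtgt means an administrator who configured `password hash userPassword schemes` will find no such element on that account with nothing in the logs explaining why; a debug message at this point would save a support round trip. The comment should also mention that provision keeps the krbtgt password at 128-255 UTF-16 characters, so the link to `CRYPT_MAX_PASSPHRASE_SIZE` is traceable from here.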
diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c
index a0de1b7d3e0..3f07b3f20d6 100644
--- a/source4/libnet/libnet_vampire.c
+++ b/source4/libnet/libnet_vampire.c
@@ -164,7 +164,7 @@ NTSTATUS libnet_vampire_cb_prepare_db(void *private_data,
settings.realm = s->realm;
settings.domain = s->domain_name;
settings.server_dn_str = p->dest_dsa->server_dn_str;
- settings.machine_password = generate_random_machine_password(s, 128, 255);
+ settings.machine_password = generate_random_machine_password(s, 120, 120);
settings.targetdir = s->targetdir;
settings.use_ntvfs = true;
status = provision_bare(s, s->lp_ctx, &settings, &result);
diff --git a/source4/scripting/bin/renamedc b/source4/scripting/bin/renamedc
index 6a9bd1c82bd..ef3aa75db76 100755
--- a/source4/scripting/bin/renamedc
+++ b/source4/scripting/bin/renamedc
@@ -95,7 +95,7 @@ if __name__ == '__main__':
# Then change password and samaccountname and dnshostname
msg = ldb.Message(newdn)
- machinepass = samba.generate_random_machine_password(128, 255)
+ machinepass = samba.generate_random_machine_password(120, 120)
mputf16 = machinepass.encode('utf-16-le')
account = "%s$" % opts.newname.upper()
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index cd5730e672f..6017f5b6481 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -792,6 +792,7 @@ planpythontestsuite("schema_dc:local", "samba.tests.samba_tool.schema")
planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.ntacl")
planpythontestsuite("none", "samba.tests.samba_tool.provision_password_check")
planpythontestsuite("none", "samba.tests.samba_tool.provision_lmdb_size")
+planpythontestsuite("none", "samba.tests.samba_tool.provision_userPassword_crypt")
planpythontestsuite("none", "samba.tests.samba_tool.help")
planpythontestsuite("ad_dc_default:local", "samba.tests.samba_tool.passwordsettings")
planpythontestsuite("ad_dc:local", "samba.tests.samba_tool.dsacl")
diff --git a/source4/torture/drs/python/cracknames.py b/source4/torture/drs/python/cracknames.py
index e4884ea0f63..f2446050d8c 100644
--- a/source4/torture/drs/python/cracknames.py
--
Samba Shared Repository