[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed May 17 00:25:02 UTC 2023
The branch, master has been updated
via 8296b6884df s4:torture: Replace calls to deprecated function
via ce176425f8c s4:dsdb: Check return value of allocation functions
via 92ad2c7b9b9 s4:dsdb: Fix leaks
via 2d9a2c31389 s4:dsdb: Check ldb_binary_encode_string() return value
via b5bd55fe85f s4:auth: Check ldb_binary_encode_string() return value
via 07e53939dc0 s4-auth: Log correct function name
via 21b23a7d5a0 netlogon:schannel: Fix typo
via f1281b80c1a samba-tool domain: Run in interactive mode if no args are supplied
via f573177c352 python: Safely clear structure members
via 8d6e4473409 python:tests: Remove unused variables
via 2a8db072934 auth: Return status code if configuration prohibits NTLM
via 23a67d59c82 s4-dsdb:large_ldap: Remove unused variables
via db5ef4e2bac s4-dsdb:large_ldap: Remove unused imports
via 2d1d3b73142 pytest/password_lockout: Remove unused variables
via 2b598a4b2e6 pytest/password_lockout: Use correct variable
via b5ff0859521 pytest/password_lockout: Use more specific assertion methods
via 2236daa7ca7 pytest/password_lockout: Remove unused imports
via f9501f2ae4e samba-tool domain: Remove unnecessary variable
via 5a2b187819f samba-tool domain: Use result of setup_local_server() instead of object field
via 3eb95c8791a s4:dsdb:tests: Refactor security descriptor test
via 2e5d08c908b s4:dsdb:tests: Refactor confidential attributes test
via 76b15ec145d s4:dsdb:tests: Refactor ACL test
via 80431fe7cf5 pyglue: use Py_ssize_t in random data generation functions
via cea9b25571f lib:util: prefer size_t for random data generation functions
via 72335e742e0 selftest: Change ad_dc environment to be 2016 functional level
via 0252941bb36 selftest: Allow provision_ad_dc() to take functional_level as an argument
via 287405862b7 selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
via cbfcbfb057a Use --base-schema=2008_R2 on ad_dc_ntvfs, which operates at FL2008
via 8de7d28f3c6 selftest: Move linked_attributes test to ad_dc selftest environment
via 9f3dcf0e693 samba-tool domain join: Allow "ad dc functional level" to change which level we claim to be during an AD join
via f94f174db45 samba-tool domain provision: Use "ad dc functional level" to control max functional level
via 5d5fd0129ac python: Add function to get the functional level as a python integer from smb.conf
via e5c3e076c8f param: Add new parameter "ad dc functional level"
via 7953a9ba71b samba-tool domain provision: Use common functional_level.string_to_level()
via 844eb073767 python: Move helper functions for functional levels into a new file
from 59694ad0a4c rpc_server3: Pass winbind_env_set() state through to rpcd_*
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8296b6884dfcc2b3e94f60b0479ef92a5b50f53e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 10 13:06:18 2023 +1200
s4:torture: Replace calls to deprecated function
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224
commit ce176425f8c66539cf7788902fa116657d2b6448
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:12:03 2023 +1200
s4:dsdb: Check return value of allocation functions
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 92ad2c7b9b9e0b7d49ccbb9bf18b3e5dfed2d299
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:11:37 2023 +1200
s4:dsdb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d9a2c3138907e789a1fa9b25c8636ad871314fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 16:10:59 2023 +1200
s4:dsdb: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b5bd55fe85f9a089b4b8242d73240c6521d3090e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 9 15:51:06 2023 +1200
s4:auth: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 07e53939dc0e6207c8348cf7c76d34339cb1ce67
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 2 12:59:22 2023 +1200
s4-auth: Log correct function name
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 21b23a7d5a08a65fc13da1dbd1a948fe08648cbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 2 12:51:52 2023 +1200
netlogon:schannel: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f1281b80c1ad68d380ce91c13076f6a60fbc627e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 26 10:31:51 2023 +1200
samba-tool domain: Run in interactive mode if no args are supplied
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f573177c352c2df89c7d5ffd425a37b46b12166c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Apr 24 10:42:39 2023 +1200
python: Safely clear structure members
Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8d6e4473409375f0e62dd06597ca983d22b941ca
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Apr 13 07:47:39 2023 +1200
python:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a8db072934f2b75b992b57c9133afba446b74f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu May 19 16:45:55 2022 +1200
auth: Return status code if configuration prohibits NTLM
Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 23a67d59c82b71cada5578e1c393ff42ca9d1b17
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 15:05:38 2023 +1300
s4-dsdb:large_ldap: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit db5ef4e2bacb821ead3aabf2bab09e37602afdb3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 15:04:32 2023 +1300
s4-dsdb:large_ldap: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d1d3b731421f6915d99b208fb1f29fcf5013acb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:56:56 2023 +1300
pytest/password_lockout: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2b598a4b2e643fce133423b195c1dd82e1213b19
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue May 16 12:21:02 2023 +1200
pytest/password_lockout: Use correct variable
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b5ff0859521c4ca4798058a4b9344925a387479e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:56:24 2023 +1300
pytest/password_lockout: Use more specific assertion methods
These methods produce better error messages if an assertion fails.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2236daa7ca715e6997756e70d5cb5097970ba437
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:55:31 2023 +1300
pytest/password_lockout: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9501f2ae4ecf0d98f28c43834c5f6cdb19f324f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Feb 13 14:53:54 2023 +1300
samba-tool domain: Remove unnecessary variable
It is conciser to use ‘r’ to refer to update_forest_info.entries[i].
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5a2b187819fdf2f2500a356d9746149ebaddd0cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Apr 4 16:39:23 2023 +1200
samba-tool domain: Use result of setup_local_server() instead of object field
The code is clearer if we consistently refer to the same variables.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3eb95c8791a069bb280c9ae588b7c5ea74abbf36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jan 27 07:46:05 2023 +1300
s4:dsdb:tests: Refactor security descriptor test
Use more specific unittest methods.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2e5d08c908b3fa48b9b374279a331061cb77bce3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jan 27 07:43:40 2023 +1300
s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 76b15ec145d7686d7c6008d57a4d772b8f841daf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Jan 27 07:39:05 2023 +1300
s4:dsdb:tests: Refactor ACL test
Use more specific unittest methods; remove some unused variables.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 80431fe7cf51b94c7ee4b063df4d6a16d1002fd3
Author: Dmitry Antipov <dantipov at cloudlinux.com>
Date: Wed May 3 10:39:30 2023 +0300
pyglue: use Py_ssize_t in random data generation functions
Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.
Signed-off-by: Dmitry Antipov <dantipov at cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org Fixed comments to correctly match the
new check for just negative numbers]
commit cea9b25571f1956e09fc376e1127f78c6f9a4a19
Author: Dmitry Antipov <dantipov at cloudlinux.com>
Date: Wed May 3 10:32:28 2023 +0300
lib:util: prefer size_t for random data generation functions
Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match the underlying gnutls_rnd() calls.
Signed-off-by: Dmitry Antipov <dantipov at cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 72335e742e041ea213598a62ae165edeed4b8c99
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 11 14:25:31 2023 +1200
selftest: Change ad_dc environment to be 2016 functional level
This is not yet supported in full, but this makes ad_dc match our full set of available features.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 0252941bb36926c3a235593da4c717bc547104f9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 11 10:38:20 2023 +1200
selftest: Allow provision_ad_dc() to take functional_level as an argument
The $$$$$$$ is removed as it does not do what you think it does.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 287405862b734e507dd048ff741e96fb35fadb63
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 11 09:49:34 2023 +1200
selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
The change to make this independent in fc9845da69cabcc1bf046d7899b2c4aeae743170
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit cbfcbfb057a71b1824aabf40a083f713ea0bf265
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu May 11 10:03:30 2023 +1200
Use --base-schema=2008_R2 on ad_dc_ntvfs, which operates at FL2008
This will allow fl008dc to become an alias of ad_dc_ntvfs again.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 8de7d28f3c67d7681e24d6b2185c6cc6d23814ba
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 16 17:15:31 2023 +1200
selftest: Move linked_attributes test to ad_dc selftest environment
The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 9f3dcf0e693e49c87d35f56a69b801e6db5540ce
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 10 15:54:09 2023 +1200
samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit f94f174db452015c3032e725e13f485bd51413dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed May 10 15:24:23 2023 +1200
samba-tool domain provision: Use "ad dc functional level" to control max functional level
This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 5d5fd0129ac19258d15a452756f0d3647dbe1e34
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed May 10 15:46:55 2023 +1200
python: Add function to get the functional level as a python integer from smb.conf
The lp.get() returns the normalised string from the enum handler
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit e5c3e076c8f85cda11bf0be29a6f26a852c5a343
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 9 16:37:37 2023 +1200
param: Add new parameter "ad dc functional level"
This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 7953a9ba71b6c3de4001a325d8b778ecb912b15b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 9 16:32:47 2023 +1200
samba-tool domain provision: Use common functional_level.string_to_level()
This is instead of manually parsing the functional level strings.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
commit 844eb0737676af73b499fd722b48256d6df587f4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue May 9 15:50:46 2023 +1200
python: Move helper functions for functional levels into a new file
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
.../smbdotconf/protocol/addcfunctionallevel.xml | 56 ++++++++++++++
lib/ldb/pyldb.c | 19 ++---
lib/param/loadparm.c | 4 +
lib/param/param_table.c | 7 ++
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 4 +-
lib/util/genrand.c | 8 +-
lib/util/genrand.h | 6 +-
libcli/auth/ntlm_check.c | 8 ++
libcli/auth/ntlm_check.h | 1 +
python/pyglue.c | 43 ++++++-----
python/samba/functional_level.py | 83 ++++++++++++++++++++
python/samba/join.py | 9 ++-
python/samba/netcmd/domain/__init__.py | 2 +-
python/samba/netcmd/domain/common.py | 47 ------------
python/samba/netcmd/domain/functional_prep.py | 9 ++-
python/samba/netcmd/domain/level.py | 13 ++--
python/samba/netcmd/domain/provision.py | 19 ++---
python/samba/netcmd/domain/trust.py | 26 +++----
python/samba/provision/__init__.py | 8 +-
python/samba/tests/samba_tool/user.py | 12 +--
selftest/target/Samba4.pm | 50 +++++++-----
source3/auth/check_samsec.c | 1 +
source3/libsmb/pylibsmb.c | 8 +-
source3/param/loadparm.c | 3 +
source4/auth/ntlm/auth_sam.c | 1 +
source4/auth/sam.c | 10 ++-
source4/dsdb/common/util.c | 26 +++++--
source4/dsdb/common/util_samr.c | 32 +++++++-
source4/dsdb/repl/drepl_partitions.c | 16 +++-
source4/dsdb/samdb/cracknames.c | 89 +++++++++++++++++++---
source4/dsdb/samdb/ldb_modules/netlogon.c | 8 +-
source4/dsdb/tests/python/acl.py | 64 ++++++++--------
source4/dsdb/tests/python/confidential_attr.py | 69 ++++-------------
source4/dsdb/tests/python/large_ldap.py | 21 +----
source4/dsdb/tests/python/password_lockout.py | 52 ++++++-------
source4/dsdb/tests/python/password_lockout_base.py | 70 ++++++++---------
source4/dsdb/tests/python/sec_descriptor.py | 4 +-
source4/librpc/rpc/dcerpc_schannel.c | 2 +-
source4/librpc/rpc/pyrpc.c | 5 +-
source4/selftest/tests.py | 2 +-
source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
source4/torture/krb5/kdc-heimdal.c | 4 +-
43 files changed, 562 insertions(+), 363 deletions(-)
create mode 100644 docs-xml/smbdotconf/protocol/addcfunctionallevel.xml
create mode 100644 python/samba/functional_level.py
Changeset truncated at 500 lines:
diff --git a/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml
new file mode 100644
index 00000000000..1bec654bfe3
--- /dev/null
+++ b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml
@@ -0,0 +1,56 @@
+<samba:parameter name="ad dc functional level"
+ context="G"
+ type="enum"
+ function="ad_dc_functional_level"
+ enumlist="enum_ad_functional_level"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>The value of the parameter (a string) is the Active
+ Directory functional level that this Domain Controller will claim
+ to support. </para>
+
+ <para>Possible values are :</para>
+ <itemizedlist>
+ <listitem>
+ <para><constant>2008_R2</constant>: Similar to Windows
+ 2008 R2 Functional Level</para>
+ </listitem>
+ <listitem>
+ <para><constant>2016</constant>: Similar to Windows
+ 2016 Functional Level</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Normally this option should not be set as Samba will operate
+ per the released functionality of the Samba Active Directory
+ Domain Controller. </para>
+
+ <para>However to access incomplete features in domain functional
+ level 2016 it may be useful to
+ set this value, prior to upgrading the domain functional level. </para>
+
+ <para>If this is set manually, the protection against mismatching
+ features between domain controllers is reduced, so all domain
+ controllers should be running the same version of Samba, to ensure
+ that behaviour as seen by the client is the same no matter which
+ DC is contacted.</para>
+
+ <para>Setting this to <constant>2016</constant> will allow
+ raising the domain functional level with <command>samba-tool
+ domain level raise --domain-level=2016</command> and provide
+ access to Samba's Kerberos Claims and Dynamic Access
+ Control feature.</para>
+
+ <warning><para> The Samba's Kerberos Claims and Dynamic Access
+ Control features enabled with <constant>2016</constant> are
+ incomplete in Samba 4.19. </para></warning>
+
+
+</description>
+
+<!-- DO NOT MODIFY without discussion: take care to only update this
+ default once Samba implements the core aspects of Active
+ Directory Domain and Forest Functional Level 2016 -->
+<value type="default">2008_R2</value>
+<value type="example">2016</value>
+</samba:parameter>
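Review bot: In the description, the warning that the 2016 features are incomplete comes last, after the paragraph that gives the "samba-tool domain level raise --domain-level=2016" command; move the warning above that paragraph so it is read before the command. Wording in the same block: "The Samba's Kerberos Claims" should drop "The", and "Possible values are :" has a stray space before the colon. The warning also hard-codes "Samba 4.19", which will need revisiting at each release while the feature stays incomplete.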
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index aa38e115ce4..11d093c0429 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -2134,10 +2134,7 @@ static int py_ldb_search_iterator_reply_destructor(struct py_ldb_search_iterator
reply->py_iter = NULL;
}
- if (reply->obj != NULL) {
- Py_DECREF(reply->obj);
- reply->obj = NULL;
- }
+ Py_CLEAR(reply->obj);
return 0;
}
@@ -2679,9 +2676,9 @@ static PyTypeObject PyLdb = {
static void py_ldb_result_dealloc(PyLdbResultObject *self)
{
talloc_free(self->mem_ctx);
- Py_DECREF(self->msgs);
- Py_DECREF(self->referals);
- Py_DECREF(self->controls);
+ Py_CLEAR(self->msgs);
+ Py_CLEAR(self->referals);
+ Py_CLEAR(self->controls);
Py_TYPE(self)->tp_free(self);
}
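Review bot: In py_ldb_result_dealloc(), talloc_free(self->mem_ctx) still leaves self->mem_ctx dangling while the three Py_CLEAR() calls after it run, and the commit message says the aim is that Python code running during deconstruction sees a consistent object. Using TALLOC_FREE(self->mem_ctx), as py_ldb_search_iterator_dealloc() does in the next hunk, would reset that member as well.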
@@ -2775,10 +2772,10 @@ static PyTypeObject PyLdbResult = {
static void py_ldb_search_iterator_dealloc(PyLdbSearchIteratorObject *self)
{
- Py_XDECREF(self->state.exception);
+ Py_CLEAR(self->state.exception);
TALLOC_FREE(self->mem_ctx);
ZERO_STRUCT(self->state);
- Py_DECREF(self->ldb);
+ Py_CLEAR(self->ldb);
Py_TYPE(self)->tp_free(self);
}
@@ -2885,7 +2882,7 @@ static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self,
return NULL;
}
- Py_XDECREF(self->state.exception);
+ Py_CLEAR(self->state.exception);
TALLOC_FREE(self->mem_ctx);
ZERO_STRUCT(self->state);
Py_RETURN_NONE;
@@ -4289,7 +4286,7 @@ static int py_module_del_transaction(struct ldb_module *mod)
static int py_module_destructor(struct ldb_module *mod)
{
- Py_DECREF((PyObject *)mod->private_data);
+ Py_CLEAR(mod->private_data);
return 0;
}
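Review bot: The replacement line in py_module_destructor() drops the (PyObject *) cast that the old Py_DECREF() call used, so Py_CLEAR() is now applied to mod->private_data in whatever type that member is declared with. Please confirm this builds without warnings on every Python version the build supports, or clear it through a typed local pointer and set mod->private_data = NULL explicitly.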
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 15322b391f0..65e3fa06da4 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3154,6 +3154,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"rpc start on demand helpers",
"yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "ad dc functional level",
+ "2008_R2");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
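Review bot: The default "2008_R2" passed to lpcfg_do_global_parameter() here duplicates the default value declared in addcfunctionallevel.xml, and only the XML carries the "DO NOT MODIFY without discussion" comment. A one-line comment above this call pointing at that note would keep the two defaults from drifting apart.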
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 512de250a2f..820c8abae16 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -34,6 +34,7 @@
#include "libcli/auth/ntlm_check.h"
#include "libcli/smb/smb_constants.h"
#include "libds/common/roles.h"
+#include "libds/common/flags.h"
#include "source4/lib/tls/tls.h"
#include "auth/credentials/credentials.h"
#include "source3/librpc/gen_ndr/ads.h"
@@ -430,6 +431,12 @@ static const struct enum_list enum_debug_syslog_format[] = {
{-1, NULL}
};
+static const struct enum_list enum_ad_functional_level[] = {
+ {DS_DOMAIN_FUNCTION_2008_R2, "2008_R2"},
+ {DS_DOMAIN_FUNCTION_2016, "2016"},
+ {-1, NULL}
+};
+
/* Note: We do not initialise the defaults union - it is not allowed in ANSI C
*
* NOTE: Handling of duplicated (synonym) parameters:
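Review bot: enum_ad_functional_level accepts only "2008_R2" and "2016", while string_version_to_constant in the new python/samba/functional_level.py maps seven level strings from "2000" to "2016". The documentation lists the same two values, so the gap looks deliberate; a short comment above the table saying why the intermediate levels are not selectable would stop someone filling them in later.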
diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index 85df1b18621..ed22803328c 100644
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -450,7 +450,7 @@ static PyObject *tdb_iter_next(PyTdbIteratorObject *self)
static void tdb_iter_dealloc(PyTdbIteratorObject *self)
{
- Py_DECREF(self->iteratee);
+ Py_CLEAR(self->iteratee);
PyObject_Del(self);
}
diff --git a/lib/tevent/pytevent.c b/lib/tevent/pytevent.c
index 1af6f16c0fb..aa2331c1d6c 100644
--- a/lib/tevent/pytevent.c
+++ b/lib/tevent/pytevent.c
@@ -241,7 +241,7 @@ static void py_tevent_timer_dealloc(TeventTimer_Object *self)
if (self->timer) {
talloc_free(self->timer);
}
- Py_DECREF(self->callback);
+ Py_CLEAR(self->callback);
PyObject_Del(self);
}
@@ -282,7 +282,7 @@ struct TeventTimer_Object_ref {
static int TeventTimer_Object_ref_destructor(struct TeventTimer_Object_ref *ref)
{
ref->obj->timer = NULL;
- Py_DECREF(ref->obj);
+ Py_CLEAR(ref->obj);
return 0;
}
diff --git a/lib/util/genrand.c b/lib/util/genrand.c
index fd6f457d27d..d0b49db1423 100644
--- a/lib/util/genrand.c
+++ b/lib/util/genrand.c
@@ -45,7 +45,7 @@ _NORETURN_ static void genrand_panic(int err,
}
-_PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
+_PUBLIC_ void generate_random_buffer(uint8_t *out, size_t len)
{
/* Random number generator for temporary keys. */
int ret = gnutls_rnd(GNUTLS_RND_RANDOM, out, len);
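Review bot: With len now size_t in generate_random_buffer(), a caller that still computes the length as an int and ends up with a negative value converts it silently to a very large size_t instead of being visibly wrong at the call site. The same applies to generate_secret_buffer() and generate_nonce_buffer() in the hunks below. The commit message does not say callers were audited; building once with a sign-conversion warning enabled would show any that remain.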
@@ -54,7 +54,7 @@ _PUBLIC_ void generate_random_buffer(uint8_t *out, int len)
}
}
-_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
+_PUBLIC_ void generate_secret_buffer(uint8_t *out, size_t len)
{
/*
* Random number generator for long term keys.
@@ -62,7 +62,7 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
* The key generator, will re-seed after a fixed amount of bytes is
* generated (typically less than the nonce), and will also re-seed
* based on time, i.e., after few hours of operation without reaching
- * the limit for a re-seed. For its re-seed it mixes mixes data obtained
+ * the limit for a re-seed. For its re-seed it mixes data obtained
* from the OS random device with the previous key.
*/
int ret = gnutls_rnd(GNUTLS_RND_KEY, out, len);
@@ -71,7 +71,7 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len)
}
}
-_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len)
+_PUBLIC_ void generate_nonce_buffer(uint8_t *out, size_t len)
{
/*
* Random number generator for nonce and initialization vectors.
diff --git a/lib/util/genrand.h b/lib/util/genrand.h
index 70f36312e58..76e9b987dcf 100644
--- a/lib/util/genrand.h
+++ b/lib/util/genrand.h
@@ -26,7 +26,7 @@
*
* @param[in] len The size of the buffer to fill.
*/
-void generate_random_buffer(uint8_t *out, int len);
+void generate_random_buffer(uint8_t *out, size_t len);
/**
* @brief Generate random values for long term keys and passwords.
@@ -35,7 +35,7 @@ void generate_random_buffer(uint8_t *out, int len);
*
* @param[in] len The size of the buffer to fill.
*/
-void generate_secret_buffer(uint8_t *out, int len);
+void generate_secret_buffer(uint8_t *out, size_t len);
/**
* @brief Generate random values for a nonce buffer.
@@ -46,4 +46,4 @@ void generate_secret_buffer(uint8_t *out, int len);
*
* @param[in] len The size of the buffer to fill.
*/
-void generate_nonce_buffer(uint8_t *out, int len);
+void generate_nonce_buffer(uint8_t *out, size_t len);
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index cb4be7f6507..3927dfa7836 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -259,12 +259,19 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
bool lanman_auth,
+ enum ntlm_auth_level ntlm_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
const struct samr_Password *stored_lanman,
const struct samr_Password *stored_nt)
{
+ if (ntlm_auth == NTLM_AUTH_DISABLED) {
+ DBG_WARNING("hash_password_check: NTLM authentication not "
+ "permitted by configuration.\n");
+ return NT_STATUS_NTLM_BLOCKED;
+ }
+
if (stored_nt == NULL) {
DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
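Review bot: The new NTLM_AUTH_DISABLED branch in hash_password_check() logs without the username, unlike the DEBUG(3, ...) call directly below it, so a blocked attempt cannot be tied to an account from this message alone. Consider adding username to the DBG_WARNING, and check that warning level is appropriate for a condition a client can trigger on every logon attempt. Callers and tests that relied on NT_STATUS_WRONG_PASSWORD in this configuration, as the commit message describes, will now see NT_STATUS_NTLM_BLOCKED.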
@@ -387,6 +394,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
}
return hash_password_check(mem_ctx,
lanman_auth,
+ ntlm_auth,
lm_ok ? &client_lm : NULL,
nt_response->length ? &client_nt : NULL,
username,
diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h
index 86cab9b2d13..3fcd1f4ccbb 100644
--- a/libcli/auth/ntlm_check.h
+++ b/libcli/auth/ntlm_check.h
@@ -45,6 +45,7 @@ struct samr_Password;
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
bool lanman_auth,
+ enum ntlm_auth_level ntlm_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
diff --git a/python/pyglue.c b/python/pyglue.c
index 64be7389b70..808a86b444f 100644
--- a/python/pyglue.c
+++ b/python/pyglue.c
@@ -34,40 +34,41 @@ static PyObject *PyExc_DsExtendedError;
static PyObject *py_generate_random_str(PyObject *self, PyObject *args)
{
- int len;
+ Py_ssize_t len;
PyObject *ret;
char *retstr;
- if (!PyArg_ParseTuple(args, "i", &len)) {
+
+ if (!PyArg_ParseTuple(args, "n", &len)) {
return NULL;
}
if (len < 0) {
PyErr_Format(PyExc_ValueError,
- "random string length should be positive, not %d",
+ "random string length should be positive, not %zd",
len);
return NULL;
}
retstr = generate_random_str(NULL, len);
- ret = PyUnicode_FromString(retstr);
+ ret = PyUnicode_FromStringAndSize(retstr, len);
talloc_free(retstr);
return ret;
}
static PyObject *py_generate_random_password(PyObject *self, PyObject *args)
{
- int min, max;
+ Py_ssize_t min, max;
PyObject *ret;
char *retstr;
- if (!PyArg_ParseTuple(args, "ii", &min, &max)) {
+
+ if (!PyArg_ParseTuple(args, "nn", &min, &max)) {
return NULL;
}
if (max < 0 || min < 0) {
/*
- * The real range checks happen in generate_random_password().
- * Here we are just checking the values won't overflow into
- * numbers when cast to size_t.
+ * The real range checks happens in generate_random_password().
+ * Here just filter out any negative numbers.
*/
PyErr_Format(PyExc_ValueError,
- "invalid range: %d - %d",
+ "invalid range: %zd - %zd",
min, max);
return NULL;
}
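Review bot: In py_generate_random_str(), retstr from generate_random_str(NULL, len) is passed to PyUnicode_FromStringAndSize() without a NULL check, whereas py_generate_random_password() in the next hunk does test retstr == NULL; add the same check here and raise a memory error. The guard is len < 0 but the message says the length "should be positive", so 0 is accepted while the text implies otherwise; "non-negative" would match the check. In the new comment, "The real range checks happens" should read "happen".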
@@ -76,7 +77,7 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args)
if (retstr == NULL) {
if (errno == EINVAL) {
PyErr_Format(PyExc_ValueError,
- "invalid range: %d - %d",
+ "invalid range: %zd - %zd",
min, max);
}
return NULL;
@@ -88,21 +89,21 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args)
static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args)
{
- int min, max;
+ Py_ssize_t min, max;
PyObject *ret;
char *retstr;
- if (!PyArg_ParseTuple(args, "ii", &min, &max)) {
+
+ if (!PyArg_ParseTuple(args, "nn", &min, &max)) {
return NULL;
}
if (max < 0 || min < 0) {
/*
- * The real range checks happen in
+ * The real range checks happens in
* generate_random_machine_password().
- * Here we are just checking the values won't overflow into
- * numbers when cast to size_t.
+ * Here we are just filter out any negative numbers.
*/
PyErr_Format(PyExc_ValueError,
- "invalid range: %d - %d",
+ "invalid range: %zd - %zd",
min, max);
return NULL;
}
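Review bot: The rewritten comment in py_generate_random_machine_password() reads "Here we are just filter out any negative numbers", which is ungrammatical and differs from the wording used for the same check in py_generate_random_password() ("Here just filter out any negative numbers"). Use one sentence for both, for example "Here we just filter out any negative numbers", and change "checks happens" to "checks happen".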
@@ -111,7 +112,7 @@ static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *a
if (retstr == NULL) {
if (errno == EINVAL) {
PyErr_Format(PyExc_ValueError,
- "invalid range: %d - %d",
+ "invalid range: %zd - %zd",
min, max);
}
return NULL;
@@ -134,16 +135,16 @@ static PyObject *py_check_password_quality(PyObject *self, PyObject *args)
static PyObject *py_generate_random_bytes(PyObject *self, PyObject *args)
{
- int len;
+ Py_ssize_t len;
PyObject *ret;
uint8_t *bytes = NULL;
- if (!PyArg_ParseTuple(args, "i", &len)) {
+ if (!PyArg_ParseTuple(args, "n", &len)) {
return NULL;
}
if (len < 0) {
PyErr_Format(PyExc_ValueError,
- "random bytes length should be positive, not %d",
+ "random bytes length should be positive, not %zd",
len);
return NULL;
}
diff --git a/python/samba/functional_level.py b/python/samba/functional_level.py
new file mode 100644
index 00000000000..4c1142273b0
--- /dev/null
+++ b/python/samba/functional_level.py
@@ -0,0 +1,83 @@
+# domain management - common code
+#
+# Copyright Catlayst .Net Ltd 2017-2023
+# Copyright Jelmer Vernooij 2007-2012
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+from samba.dsdb import (
+ DS_DOMAIN_FUNCTION_2000,
+ DS_DOMAIN_FUNCTION_2003,
+ DS_DOMAIN_FUNCTION_2008,
+ DS_DOMAIN_FUNCTION_2008_R2,
+ DS_DOMAIN_FUNCTION_2012,
+ DS_DOMAIN_FUNCTION_2012_R2,
+ DS_DOMAIN_FUNCTION_2003_MIXED,
+ DS_DOMAIN_FUNCTION_2016
+)
+
+string_version_to_constant = {
+ "2000": DS_DOMAIN_FUNCTION_2000,
+ "2003": DS_DOMAIN_FUNCTION_2003,
+ "2008": DS_DOMAIN_FUNCTION_2008,
+ "2008_R2": DS_DOMAIN_FUNCTION_2008_R2,
+ "2012": DS_DOMAIN_FUNCTION_2012,
+ "2012_R2": DS_DOMAIN_FUNCTION_2012_R2,
+ "2016": DS_DOMAIN_FUNCTION_2016,
+}
+
+
+def string_to_level(string):
+ """Interpret a string indicating a functional level."""
+ return string_version_to_constant[string]
+
+
+def level_to_string(level):
+ """turn the level enum number into a printable string."""
+ if level < DS_DOMAIN_FUNCTION_2000:
+ return "invalid"
+ strings = {
+ DS_DOMAIN_FUNCTION_2000: "2000",
+ DS_DOMAIN_FUNCTION_2003_MIXED: \
+ "2003 with mixed domains/interim (NT4 DC support)",
+ DS_DOMAIN_FUNCTION_2003: "2003",
+ DS_DOMAIN_FUNCTION_2008: "2008",
+ DS_DOMAIN_FUNCTION_2008_R2: "2008 R2",
+ DS_DOMAIN_FUNCTION_2012: "2012",
+ DS_DOMAIN_FUNCTION_2012_R2: "2012 R2",
+ DS_DOMAIN_FUNCTION_2016: "2016",
+ }
+ return strings.get(level, "higher than 2016")
+
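Review bot: string_to_level() indexes string_version_to_constant directly, so an unrecognised string surfaces as a bare KeyError; raising a ValueError that names the accepted strings would give samba-tool callers a usable message. level_to_string() returns "2008 R2" and "2012 R2" with a space where string_to_level() expects "2008_R2" and "2012_R2", so the two functions do not round-trip, which deserves a line in the docstrings. The file header has a typo, "Catlayst .Net Ltd".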
--
Samba Shared Repository