The branch, master has been updated
       via  ebd8e66 samba-tool Add test for --store-plaintext
       via  c8c52be Update dcerpc_server.pc library name to match reality.
       via  2e44d0d samba-tool pwsettings Allow setting 'store cleartext'
       via  95d33f2 s4-ldif_handlers Add handler for printing supplementalCredentials
       via  b863159 s4-test_kinit Add tests for lowercase realm combinations
       via  4908237 heimdal Build ticket with the canonical server name
       via  d76f11a s4-kdc Fix the realm handling again, this time pay attention to the flags
       via  5c72c6b s4-kdc use 'flags' to only create the 'admin data' elements when requested
       via  935d7a6 s4-kdc Add 'flags' parameter to db fetch calls
      from  fe5c48c waf: added --git-local-changes configure option

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit ebd8e66ed0c1aae4d482ea933a8a492a2ab82e13
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 16 16:43:05 2010 +1100

    samba-tool Add test for --store-plaintext

    Autobuild-User: Andrew Bartlett <abart...@samba.org>
    Autobuild-Date: Tue Nov 16 06:29:04 UTC 2010 on sn-devel-104

commit c8c52be4558c1e5bcb0db81f89f5b954f7ac6c05
Author: Brad Hards <br...@frogmouth.net>
Date:   Tue Nov 16 16:42:50 2010 +1100

    Update dcerpc_server.pc library name to match reality.

commit 2e44d0d32980eaec236c8cfc80989b7600c0d25a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 16 16:32:55 2010 +1100

    samba-tool pwsettings Allow setting 'store cleartext'

    This allows the 'store cleartext' password policy flag to be (un)set.

    Andrew Bartlett

commit 95d33f2f24d7300f2df54ea62b0595ed7d7d0a2c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 16 16:32:27 2010 +1100

    s4-ldif_handlers Add handler for printing supplementalCredentials

commit b8631597f579555416dbd87ded3f329051965e8b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 16 16:01:19 2010 +1100

    s4-test_kinit Add tests for lowercase realm combinations

    This tests that the handling of lowercase realms works in our KDC and libraries.

    Andrew Bartlett

commit 4908237403543f6b0e3015637c5c49af47b515b0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 16 15:05:33 2010 +1100

    heimdal Build ticket with the canonical server name

    We need to use the name that the HDB entry returned, otherwise we will not canonicalise the reply as requested.
Andrew Bartlett commit d76f11a8bd685517b0e5a3be4684bec41af9e822 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 16 14:16:31 2010 +1100 s4-kdc Fix the realm handling again, this time pay attention to the flags The KDC sets different flags for the AS-REQ (this is client-depenent) and the TGS-REQ to determine if the realm should be forced to the canonical value. If we do this always, or do this never, we get into trouble, so it's much better to honour the flags we are given. Andrew Bartlett commit 5c72c6b760af479b3e88b10cce713025528496c3 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 16 14:12:17 2010 +1100 s4-kdc use 'flags' to only create the 'admin data' elements when requested This avoids setting these values when the caller simply does not care Andrew Bartlett commit 935d7a6f72567f09ccc8710079775fef0f077ada Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 16 14:07:18 2010 +1100 s4-kdc Add 'flags' parameter to db fetch calls This will allow these calls to honour the flags passed in from the KDC Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: source4/heimdal/kdc/krb5tgs.c | 2 +- source4/kdc/db-glue.c | 77 ++++++++++++++------ source4/lib/ldb-samba/ldif_handlers.c | 23 ++++++ source4/lib/ldb-samba/ldif_handlers.h | 2 +- source4/rpc_server/dcerpc_server.pc.in | 2 +- .../scripting/python/samba/netcmd/pwsettings.py | 19 +++++- source4/setup/tests/blackbox_setpassword.sh | 2 +- testprogs/blackbox/test_kinit.sh | 4 + 8 files changed, 102 insertions(+), 29 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index 26e3936..4af4c29 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -2142,7 +2142,7 @@ server_lookup: kvno, *auth_data, server, - sp, + server->entry.principal, spn, client, cp, diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 1dec6a5..b062282 100644 
--- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -541,12 +541,13 @@ out: * Construct an hdb_entry from a directory entry. */ static krb5_error_code samba_kdc_message2entry(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - TALLOC_CTX *mem_ctx, krb5_const_principal principal, - enum samba_kdc_ent_type ent_type, - struct ldb_dn *realm_dn, - struct ldb_message *msg, - hdb_entry_ex *entry_ex) + struct samba_kdc_db_context *kdc_db_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, + enum samba_kdc_ent_type ent_type, + unsigned flags, + struct ldb_dn *realm_dn, + struct ldb_message *msg, + hdb_entry_ex *entry_ex) { struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx; uint32_t userAccountControl; @@ -644,7 +645,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } } - { + if (flags & HDB_F_ADMIN_DATA) { /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use * of the Heimdal KDC. They are stored in a the traditional * DB for audit purposes, and still form part of the structure @@ -1062,6 +1063,7 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, + unsigned flags, hdb_entry_ex *entry_ex) { struct ldb_dn *realm_dn; krb5_error_code ret; @@ -1075,8 +1077,9 @@ static krb5_error_code samba_kdc_fetch_client(krb5_context context, } ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, - principal, SAMBA_KDC_ENT_TYPE_CLIENT, - realm_dn, msg, entry_ex); + principal, SAMBA_KDC_ENT_TYPE_CLIENT, + flags, + realm_dn, msg, entry_ex); return ret; } @@ -1084,6 +1087,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, + unsigned flags, uint32_t krbtgt_number, hdb_entry_ex *entry_ex) { 
@@ -1092,6 +1096,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, struct ldb_message *msg = NULL; struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); + krb5_principal alloc_principal = NULL; if (principal->name.name_string.len != 2 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) { /* Not a krbtgt */ @@ -1141,9 +1146,32 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, return HDB_ERR_NOENTRY; } + if (flags & HDB_F_CANON) { + ret = krb5_copy_principal(context, principal, &alloc_principal); + if (ret) { + return ret; + } + + /* When requested to do so, ensure that the + * both realm values in the principal are set + * to the upper case, canonical realm */ + free(alloc_principal->name.name_string.val[1]); + alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx)); + if (!alloc_principal->name.name_string.val[1]) { + ret = ENOMEM; + krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!"); + return ret; + } + principal = alloc_principal; + } + ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, - principal, SAMBA_KDC_ENT_TYPE_KRBTGT, - realm_dn, msg, entry_ex); + principal, SAMBA_KDC_ENT_TYPE_KRBTGT, + flags, realm_dn, msg, entry_ex); + if (flags & HDB_F_CANON) { + /* This is again copied in the message2entry call */ + krb5_free_principal(context, alloc_principal); + } if (ret != 0) { krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed"); } @@ -1278,10 +1306,11 @@ static krb5_error_code samba_kdc_lookup_server(krb5_context context, } static krb5_error_code samba_kdc_fetch_server(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - TALLOC_CTX *mem_ctx, - krb5_const_principal principal, - hdb_entry_ex *entry_ex) + struct samba_kdc_db_context *kdc_db_ctx, + TALLOC_CTX *mem_ctx, + krb5_const_principal principal, + unsigned flags, + hdb_entry_ex *entry_ex) { krb5_error_code ret; struct ldb_dn *realm_dn; 
@@ -1294,8 +1323,9 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context, } ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, - principal, SAMBA_KDC_ENT_TYPE_SERVER, - realm_dn, msg, entry_ex); + principal, SAMBA_KDC_ENT_TYPE_SERVER, + flags, + realm_dn, msg, entry_ex); if (ret != 0) { krb5_warnx(context, "samba_kdc_fetch: message2entry failed"); } @@ -1332,20 +1362,20 @@ krb5_error_code samba_kdc_fetch(krb5_context context, } if (flags & HDB_F_GET_CLIENT) { - ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex); + ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_SERVER) { /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */ - ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex); + ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */ - ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex); + ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } if (flags & HDB_F_GET_KRBTGT) { - ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, krbtgt_number, entry_ex); + ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, krbtgt_number, entry_ex); if (ret != HDB_ERR_NOENTRY) goto done; } 
@@ -1385,8 +1415,9 @@ static krb5_error_code samba_kdc_seq(krb5_context context, if (priv->index < priv->count) { ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx, - NULL, SAMBA_KDC_ENT_TYPE_ANY, - priv->realm_dn, priv->msgs[priv->index++], entry); + NULL, SAMBA_KDC_ENT_TYPE_ANY, + HDB_F_ADMIN_DATA|HDB_F_GET_ANY, + priv->realm_dn, priv->msgs[priv->index++], entry); } else { ret = HDB_ERR_NOENTRY; } diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c index 14da31e..5581cb1 100644 --- a/source4/lib/ldb-samba/ldif_handlers.c +++ b/source4/lib/ldb-samba/ldif_handlers.c @@ -887,6 +887,19 @@ static int ldif_write_dnsRecord(struct ldb_context *ldb, void *mem_ctx, true); } +/* + convert a NDR formatted blob of a supplementalCredentials into text +*/ +static int ldif_write_supplementalCredentialsBlob(struct ldb_context *ldb, void *mem_ctx, + const struct ldb_val *in, struct ldb_val *out) +{ + return ldif_write_NDR(ldb, mem_ctx, in, out, + sizeof(struct supplementalCredentialsBlob), + (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob, + (ndr_print_fn_t)ndr_print_supplementalCredentialsBlob, + true); +} + static int extended_dn_write_hex(struct ldb_context *ldb, void *mem_ctx, const struct ldb_val *in, struct ldb_val *out) @@ -1200,6 +1213,13 @@ static const struct ldb_schema_syntax samba_syntaxes[] = { .canonicalise_fn = ldb_handler_copy, .comparison_fn = ldb_comparison_binary, .operator_fn = samba_syntax_operator_fn + },{ + .name = LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS, + .ldif_read_fn = ldb_handler_copy, + .ldif_write_fn = ldif_write_supplementalCredentialsBlob, + .canonicalise_fn = ldb_handler_copy, + .comparison_fn = ldb_comparison_binary, + .operator_fn = samba_syntax_operator_fn } }; 
@@ -1313,7 +1333,10 @@ static const struct { { "invocationId", LDB_SYNTAX_SAMBA_GUID }, { "parentGUID", LDB_SYNTAX_SAMBA_GUID }, { "msDS-OptionalFeatureGUID", LDB_SYNTAX_SAMBA_GUID }, + + /* These NDR encoded things we want to be able to read with --show-binary */ { "dnsRecord", LDB_SYNTAX_SAMBA_DNSRECORD }, + { "supplementalCredentials", LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS} }; const struct ldb_schema_syntax *ldb_samba_syntax_by_name(struct ldb_context *ldb, const char *name) diff --git a/source4/lib/ldb-samba/ldif_handlers.h b/source4/lib/ldb-samba/ldif_handlers.h index 33373fa..62903c4 100644 --- a/source4/lib/ldb-samba/ldif_handlers.h +++ b/source4/lib/ldb-samba/ldif_handlers.h @@ -13,7 +13,7 @@ #define LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR "LDB_SYNTAX_SAMBA_REPLUPTODATEVECTOR" #define LDB_SYNTAX_SAMBA_RANGE64 "LDB_SYNTAX_SAMBA_RANGE64" #define LDB_SYNTAX_SAMBA_DNSRECORD "LDB_SYNTAX_SAMBA_DNSRECORD" - +#define LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS "LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS" #include "lib/ldb-samba/ldif_handlers_proto.h" #undef _PRINTF_ATTRIBUTE diff --git a/source4/rpc_server/dcerpc_server.pc.in b/source4/rpc_server/dcerpc_server.pc.in index 0aaffae..d521436 100644 --- a/source4/rpc_server/dcerpc_server.pc.in +++ b/source4/rpc_server/dcerpc_server.pc.in @@ -7,5 +7,5 @@ Name: dcerpc_server Description: DCE/RPC server library Requires: dcerpc Version: @PACKAGE_VERSION@ -Libs: -L${libdir} -ldcerpc_server +Libs: -L${libdir} -ldcerpc-server Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1 diff --git a/source4/scripting/python/samba/netcmd/pwsettings.py b/source4/scripting/python/samba/netcmd/pwsettings.py index bfec13c..4a1645d 100644 --- a/source4/scripting/python/samba/netcmd/pwsettings.py +++ b/source4/scripting/python/samba/netcmd/pwsettings.py 
@@ -27,7 +27,7 @@ import ldb from samba.auth import system_session from samba.samdb import SamDB -from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX +from samba.dcerpc.samr import DOMAIN_PASSWORD_COMPLEX, DOMAIN_PASSWORD_STORE_CLEARTEXT from samba.netcmd import Command, CommandError, Option class cmd_pwsettings(Command): @@ -50,6 +50,8 @@ class cmd_pwsettings(Command): Option("--quiet", help="Be quiet", action="store_true"), Option("--complexity", type="choice", choices=["on","off","default"], help="The password complexity (on | off | default). Default is 'on'"), + Option("--store-plaintext", type="choice", choices=["on","off","default"], + help="Store plaintext passwords where account have 'store passwords with reversible encryption' set (on | off | default). Default is 'off'"), Option("--history-length", help="The password history length (<integer> | default). Default is 24.", type=str), Option("--min-pwd-length", @@ -63,7 +65,7 @@ class cmd_pwsettings(Command): takes_args = ["subcommand"] def run(self, subcommand, H=None, min_pwd_age=None, max_pwd_age=None, - quiet=False, complexity=None, history_length=None, + quiet=False, complexity=None, store_plaintext=None, history_length=None, min_pwd_length=None, credopts=None, sambaopts=None, versionopts=None): lp = sambaopts.get_loadparm() @@ -94,6 +96,10 @@ class cmd_pwsettings(Command): self.message("Password complexity: on") else: self.message("Password complexity: off") + if pwd_props & DOMAIN_PASSWORD_STORE_CLEARTEXT != 0: + self.message("Store plaintext passwords: on") + else: + self.message("Store plaintext passwords: off") self.message("Password history length: %d" % pwd_hist_len) self.message("Minimum password length: %d" % cur_min_pwd_len) self.message("Minimum password age (days): %d" % cur_min_pwd_age) 
@@ -111,6 +117,15 @@ class cmd_pwsettings(Command): pwd_props = pwd_props & (~DOMAIN_PASSWORD_COMPLEX) msgs.append("Password complexity deactivated!") + if store_plaintext is not None: + if store_plaintext == "on" or store_plaintext == "default": + pwd_props = pwd_props | DOMAIN_PASSWORD_STORE_CLEARTEXT + msgs.append("Plaintext password storage for changed passwords activated!") + elif store_plaintext == "off": + pwd_props = pwd_props & (~DOMAIN_PASSWORD_STORE_CLEARTEXT) + msgs.append("Plaintext password storage for changed passwords deactivated!") + + if complexity is not None or store_plaintext is not None: m["pwdProperties"] = ldb.MessageElement(str(pwd_props), ldb.FLAG_MOD_REPLACE, "pwdProperties") diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh index 6c40567..da2dcc5 100755 --- a/source4/setup/tests/blackbox_setpassword.sh +++ b/source4/setup/tests/blackbox_setpassword.sh @@ -23,6 +23,6 @@ testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/ testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=te...@ssw0rd --must-change-at-next-login -testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default +testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on exit $failed diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index 3eb2343..b3b6eb3 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh 
@@ -163,6 +163,10 @@ test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`exp KRB5CCNAME="$PREFIX/tmpccache" export KRB5CCNAME +lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]') +test_smbclient "Test login with user kerberos lowercase realm" 'ls' -k yes -unettestu...@$lowerrealm%$newuserpass || failed=`expr $failed + 1` +test_smbclient "Test login with user kerberos lowercase realm 2" 'ls' -k yes -unettestu...@$realm%$newuserpass --realm=$lowerrealm || failed=`expr $failed + 1` + testit "del user with kerberos ccache" $VALGRIND $samba_tool user delete nettestuser $CONFIGURATION -k yes $@ || failed=`expr $failed + 1` rm -f $KRB5CCNAME -- Samba Shared Repository
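Review bot: in the krb5tgs.c hunk (@@ -2142) the argument changes from `sp` to `server->entry.principal` with no comment at the call site explaining why the two differ; the commit message says the entry's principal is the name the HDB lookup returned and is needed for the reply to be canonicalised, but nothing in the code says so. A one-line comment such as `/* use the name the HDB returned so HDB_F_CANON is honoured in the reply */` would keep a later cleanup from reverting this to `sp`.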
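Review bot: the db-glue.c hunk at @@ -541 adds an `unsigned flags` parameter to samba_kdc_message2entry but leaves the doc comment "Construct an hdb_entry from a directory entry." untouched; document that `flags` are the HDB_F_* lookup flags and which of them the function actually inspects, since callers outside the fetch path (samba_kdc_seq at @@ -1385 now has to pass `HDB_F_ADMIN_DATA|HDB_F_GET_ANY`) must know what to supply to get the previous behaviour.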
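Review bot: at @@ -644 the created_by/modified_by block becomes conditional on `flags & HDB_F_ADMIN_DATA`, but the comment inside it still reads as if the data were always produced ("still form part of the structure"); extend it to say the block is skipped unless the caller asked for admin data. That is also worth a sentence in the commit message, because any caller that relied on those fields without passing HDB_F_ADMIN_DATA now silently gets an entry without them.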
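Review bot: in the HDB_F_CANON block at @@ -1141, the `strdup()` failure path returns ENOMEM without freeing `alloc_principal`, which `krb5_copy_principal` has just allocated; add `krb5_free_principal(context, alloc_principal);` before that `return ret;`. The comment says "both realm values in the principal are set to the upper case, canonical realm", yet only `name.name_string.val[1]` is rewritten and `alloc_principal->realm` is left as supplied by the caller, so either the realm needs the same treatment or the comment should say only the instance component is canonicalised. The trailing comment "This is again copied in the message2entry call" would read more clearly as "message2entry took its own copy, so the temporary can be freed now".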
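Review bot: the ldif_handlers.c hunks at @@ -887 and @@ -1200 make the decoded contents of supplementalCredentials appear in LDIF output, while `ldif_read_fn` stays `ldb_handler_copy` so the stored form is unchanged; the commit message should state both points explicitly, because anything that dumps the directory with `--show-binary` will from now on emit decoded credential packages rather than an opaque blob, and such dumps need to be handled with the same care as the attribute itself. A short comment above ldif_write_supplementalCredentialsBlob saying it is a display-only decoder would make that obvious to the next reader.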
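Review bot: the attribute map hunk at @@ -1313 adds the supplementalCredentials line without the space before the closing brace that the surrounding entries use (`LDB_SYNTAX_SAMBA_SUPPLEMENTALCREDENTIALS}`), and the ldif_handlers.h hunk replaces the blank line that separated the `#define` block from `#include "lib/ldb-samba/ldif_handlers_proto.h"` instead of inserting the new define above it; keep the blank line so the header keeps its existing layout.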
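Review bot: in the pwsettings.py option hunk at @@ -50 the help text reads "where account have 'store passwords with reversible encryption' set"; it should be "where accounts have". The same text states "Default is 'off'", so the meaning of the `default` choice needs to match the handling in the set path of this command (see the @@ -111 hunk).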
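Review bot: in the pwsettings.py hunk at @@ -111, `store_plaintext == "default"` is grouped with `"on"` and sets DOMAIN_PASSWORD_STORE_CLEARTEXT, but the option's help text says the default is 'off', so one of the two is wrong. Given what the flag does, the safer reading is that `default` should clear the flag: move `"default"` to the `elif` branch (`elif store_plaintext == "off" or store_plaintext == "default":`) or, if `on` really is meant as the default, change the help text and say why in the commit message. The `--complexity` handling just above, whose documented default is 'on', maps `default` to the set branch for that reason.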
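Review bot: the blackbox_setpassword.sh hunk adds `--store-plaintext=on` to the `pwsettings set` call but nothing checks the outcome; add a `testit "pwsettings show" $samba_tool pwsettings show ...` step that greps for "Store plaintext passwords: on" so the new option is actually exercised, and consider a final `set --store-plaintext=default` so the provisioned test DC is not left with cleartext storage enabled for whatever runs against it after this script.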
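Review bot: in the test_kinit.sh hunk the second added test passes `-unettestu...@$realm%$newuserpass` using lowercase `$realm`, whereas the line above uses `$REALM` to derive `$lowerrealm`; if `$realm` is not set elsewhere in the script the principal degenerates to an empty realm and the test then only checks `--realm=$lowerrealm`, which is not what its name "lowercase realm 2" suggests. Use `$REALM` if a mixed-case principal with a lowercase `--realm` was intended, or define the variable explicitly next to `lowerrealm`.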