The branch, v4-6-test has been updated
       via  39582f3 vfs_streams_xattr: use fsp, not base_fsp
       via  0c9bc50 libcli/auth: use the correct creds value against servers without LogonSamLogonEx
       via  8ee5fe5 librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
       via  8cb9f77 build: Fix generation of CTDB manpages while creating tarball
       via  a39218d ctdb-build: Add make target for generating manpages
       via  706141a ctdb-build: Split dist() target to generate manpages separately
       via  a2c013b krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
       via  dfb3795 s4:scripting: use generate_random_machine_password() for machine passwords
       via  6153b15 samba-tool:provision: use generate_random_machine_password() for machine passwords
       via  f5df4eb samba-tool:domain: use generate_random_machine_password() for machine passwords
       via  f6dc073 samba-tool:domain: use generate_random_machine_password() for trusted domains
       via  40366fd pyglue: add generate_random_machine_password() wrapper
       via  705686e python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords
       via  00d3c8e python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords
       via  c5a4e47 s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.
       via  7c75976 s4:libnet: make use of generate_random_machine_password()
       via  53ef65b s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
       via  e0119dd s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
       via  aa79c0d s3:net_rpc_trust: make use of trust_pw_new_value()
       via  2e125de s3:libnet_join: make use of trust_pw_new_value()
       via  fd09929 s3:libads: use trust_pw_new_value() for krb5 machine passwords
       via  c01b2c2 s3:libsmb: use trust_pw_new_value() in trust_pw_change()
       via  ae300c7 s3:libsmb: add trust_pw_new_value() helper function
       via  38cfd61 s3:libsmb: let trust_pw_change() verify the new password at the end.
       via  60d48a8 s3:libsmb: let trust_pw_change() debug more verbose information
       via  39ebdf7 lib/util: add generate_random_machine_password() function
       via  7132f093 libcli/auth: add netlogon_creds_cli_debug_string()
       via  bcfa544 libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()
      from  7567c0e WHATSNEW: Fix spelling of Messages
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test

- Log -----------------------------------------------------------------
commit 39582f31d34b3fa29a7deb112ea1fb83e76aa294
Author: Ralph Boehme <s...@samba.org>
Date:   Fri Feb 17 08:10:53 2017 +0100

    vfs_streams_xattr: use fsp, not base_fsp

    The base_fsp's fd is always -1 as it's closed after being opened in
    create_file_unixpath().

    Additionally in streams_xattr_open force using of SMB_VFS_FSETXATTR() by
    sticking the just created fd into the fsp (and removing it afterwards).

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12591

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Wed Feb 22 08:25:46 CET 2017 on sn-devel-144

    (cherry picked from commit 021189e32ba507832b5e821e5cda8a2889225955)

    Autobuild-User(v4-6-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-6-test): Sat Feb 25 05:28:51 CET 2017 on sn-devel-144

commit 0c9bc50bfeb63547382d6afd335130dc96caf7a4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 15 08:58:20 2017 +0100

    libcli/auth: use the correct creds value against servers without LogonSamLogonEx

    If we use the credential chain we need to use the value from
    netlogon_creds_client_authenticator() to make sure we have the current
    value to encrypt in logon info.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836)

commit 8ee5fe5ddb404b815fe33def0d731936e0c7cecb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 15 08:07:06 2017 +0100

    librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping

    Commit 1eef70872930fa4f9d3dedd23476b34cae638428 changed the mapping for
    DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
    to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12585

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit c97e39b34fcf260ded42ef1a9efe7ed55e65a1cf)

commit 8cb9f77afe5cc41d94aca478675596f3f78cde77
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Tue Feb 21 22:33:48 2017 +1100

    build: Fix generation of CTDB manpages while creating tarball

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>

    Autobuild-User(master): Martin Schwenke <mart...@samba.org>
    Autobuild-Date(master): Thu Feb 23 19:25:11 CET 2017 on sn-devel-144

    (cherry picked from commit a9211ec2860d7763e606e9a9e4b62c19846b3302)

commit a39218d7e2617db36891483c3fe7db949132959f
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Tue Feb 21 22:44:10 2017 +1100

    ctdb-build: Add make target for generating manpages

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>
    (cherry picked from commit 3bb4fd545864aeb7f28230604c26ccc188ba360a)

commit 706141a7540d0ae80e94ca5408ed07fe03d3c215
Author: Amitay Isaacs <ami...@gmail.com>
Date:   Tue Feb 21 22:30:30 2017 +1100

    ctdb-build: Split dist() target to generate manpages separately

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12595

    Signed-off-by: Amitay Isaacs <ami...@gmail.com>
    Reviewed-by: Martin Schwenke <mar...@meltin.net>
    (cherry picked from commit 5005362122700ba3651b2c0c58f9026d415d031e)

commit a2c013be27b84c09ffd9953c03969cbba753f892
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 21 12:15:07 2017 +0100

    krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key

    Our own convert_string_talloc() function handles a wider range
    of unicode code points than the MIT krb5 or heimdal code.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>

    Autobuild-User(master): Ralph Böhme <s...@samba.org>
    Autobuild-Date(master): Tue Feb 21 20:08:16 CET 2017 on sn-devel-144

    (cherry picked from commit 10e1b92c288ae27f775debb16c3e122b6063fa21)

commit dfb3795884d7b177e667fb4c5218919e8f7c85d3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 13 19:37:09 2017 +0100

    s4:scripting: use generate_random_machine_password() for machine passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 383432d2cd3046c2c3768c1ae452211c7e583604)

commit 6153b1589b73d25edc7954ceea8d4e015165f86e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:40:24 2016 +0200

    samba-tool:provision: use generate_random_machine_password() for machine passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit ea57a204a1f6b4999e5347c1edb5753bed933fba)

commit f5df4eb085003aecbc0cd152e1757176200a9572
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:37:37 2016 +0200

    samba-tool:domain: use generate_random_machine_password() for machine passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit f04e09e1968c40483b8dc2f92b9c15bce0b0b55a)

commit f6dc0739f8d60205231991b63aae09ed441d4d56
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:27:19 2016 +0200

    samba-tool:domain: use generate_random_machine_password() for trusted domains

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b2fac99ac63739398aa716c26d8e187a25bb8400)

commit 40366fd386b3793451857670109f7c0be7011230
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 09:35:50 2016 +0200

    pyglue: add generate_random_machine_password() wrapper

    We use PyUnicode_FromString() (which is available from 2.6)
    because we really have non-ascii strings.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d7840e77961cdc4ccc4f5549494d458b6b2c2cf4)

commit 705686ee1310bb305bcf33f6c1e7f7d8f6a52415
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 13 22:34:06 2017 +0100

    python/samba: use an explicit .encode('utf-8') where we expect utf8 passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b86c29b1e6fb2fb4cf203aa38c7764084d855730)

commit 00d3c8ebb0c9f62cdb2edceb9552d5ad3c3648e3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Feb 17 00:10:12 2017 +0100

    python/samba: provision_dns_add_samba.ldif expects utf-16-le passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 99b8d6beccf4d3d24f9d87a4d8e5eadfe0e0dd33)

commit c5a4e47d416b998c4486f27912d538243ec06a15
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 13 19:01:21 2017 +0100

    s4:dsdb: autogenerate a random utf16 buffer for krbtgt password resets.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 0ed258bfe48995db6b345cc14e1747c4af9d076d)

commit 7c75976138c5d1945abecc93ff286e4bf7b09f0d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 13 19:35:54 2017 +0100

    s4:libnet: make use of generate_random_machine_password()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit 26515dca99ba3fa393207df905137021a2177de1)

commit 53ef65bd3a0396948d91d73b732d68b98579b290
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:41:48 2016 +0200

    s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit e9c184088cbbb47e48d9e96fc753a56c544301dc)

commit e0119dd2158f0a4c0c768589fbaaf68c75939d3d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:41:48 2016 +0200

    s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 21cbf8e4db6928a8a3fb712b3750bb50c1201948)

commit aa79c0d039d5d40c694e949628be2ea92a236f6f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 10:42:30 2016 +0200

    s3:net_rpc_trust: make use of trust_pw_new_value()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 13fd543929c72fa5af1ae6e21ca8dda9a57a0f55)

commit 2e125def3ed195b0674cd5c257dcf79783d3bfb1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:09:57 2016 +0200

    s3:libnet_join: make use of trust_pw_new_value()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 77edef9555acd6e0c843582637bc367fa0d2a203)

commit fd099294c728fd7bb991a461d9e29b07aaa3b646
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 10:38:58 2016 +0200

    s3:libads: use trust_pw_new_value() for krb5 machine passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 00136940757ea6947f97c9c92b25207d9413727b)

commit c01b2c26324f899feb049267ccff6c06e51cf683
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:12:35 2016 +0200

    s3:libsmb: use trust_pw_new_value() in trust_pw_change()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit c21e9981d04fa016ef708941ea82051d0438b7a7)

commit ae300c70dbe87859c79b82e27ce2bdd17227626e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 12:12:35 2016 +0200

    s3:libsmb: add trust_pw_new_value() helper function

    This generates a new trust password based on the secure channel type
    and lp_security().

    NT4 really has a limit of 28 UTF16 bytes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11)

commit 38cfd6116179aa6f36e2d2d097d910a56d015791
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 9 22:53:52 2017 +0100

    s3:libsmb: let trust_pw_change() verify the new password at the end.

    We should notice problems as early as possible, it makes no sense to
    keep things working for a while and later find out that we lost our
    trust relationship with our domain.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit a2877541681e07f09aee7d7c21adbe50346755e3)

commit 60d48a8b63f4a98e34611b86c2a61eb6a8e65b30
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 18 19:57:30 2017 +0100

    s3:libsmb: let trust_pw_change() debug more verbose information

    Password changes caused much trouble in the past, so we better debug
    them at log level 0 and may see them also in the syslog.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 4185689dbf0085fcb3840ad8b520df21a33e5d2a)

commit 39ebdf726798fa20afe33c18c959eba2d81fcf1b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Aug 23 09:30:05 2016 +0200

    lib/util: add generate_random_machine_password() function

    It generates a more random password for use as a machine password,
    restricted to codepoints <= 0xFFFF in order to be compatible
    with MIT krb5 and Heimdal.

    Note: the fallback to ascii if 'unix charset' is not 'utf8'.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit ad12cfae42cc592166d6a1c1ee323f1aae82f235)

commit 7132f093b9e7d28e81960118f9f6500cf59171e9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 9 21:47:52 2017 +0100

    libcli/auth: add netlogon_creds_cli_debug_string()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit abe427775ee8ed1d278d5094ca127f85289ca5a3)

commit bcfa544e9e8e8ba320e02ef98c742ac2f18ba967
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Jan 18 19:02:21 2017 +0000

    libcli/auth: check E_md4hash() result in netlogon_creds_cli_ServerPasswordSet_send()

    We need to make sure we can convert the given string to an nthash.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 8a209e5a0ca810d8cf0e5ebc1902fae8c5cb241e) ----------------------------------------------------------------------- Summary of changes: ctdb/Makefile | 3 + ctdb/wscript | 44 ++++--- lib/krb5_wrap/krb5_samba.c | 37 ++++++ lib/util/genrand_util.c | 168 ++++++++++++++++++++++++- lib/util/samba_util.h | 32 ++++- libcli/auth/netlogon_creds_cli.c | 33 ++++- libcli/auth/netlogon_creds_cli.h | 4 + librpc/rpc/dcerpc_error.c | 8 +- python/pyglue.c | 26 +++- python/samba/__init__.py | 1 + python/samba/join.py | 11 +- python/samba/netcmd/domain.py | 29 +---- python/samba/netcmd/user.py | 2 +- python/samba/provision/__init__.py | 6 +- python/samba/provision/sambadns.py | 2 +- python/samba/samdb.py | 2 +- python/samba/upgradehelpers.py | 4 +- source3/include/proto.h | 3 + source3/include/smb.h | 6 - source3/libads/util.c | 9 +- source3/libnet/libnet_join.c | 16 ++- source3/libsmb/trusts_util.c | 143 ++++++++++++++++----- source3/modules/vfs_streams_xattr.c | 41 +++--- source3/utils/net_rpc_trust.c | 6 +- source3/wscript_build | 1 + source4/dsdb/samdb/ldb_modules/password_hash.c | 84 +++++++++++++ source4/dsdb/samdb/ldb_modules/samldb.c | 25 ++-- source4/libcli/raw/smb.h | 7 -- source4/libnet/libnet_vampire.c | 2 +- source4/scripting/bin/renamedc | 2 +- wscript | 2 +- 31 files changed, 598 insertions(+), 161 deletions(-) Changeset truncated at 500 lines: diff --git a/ctdb/Makefile b/ctdb/Makefile index b0912f2..23ee780 100644 --- a/ctdb/Makefile +++ b/ctdb/Makefile @@ -27,6 +27,9 @@ show_version: @touch .tmplock @WAFLOCK=.tmplock $(WAF) show_version +manpages: + $(WAF) manpages + dist: touch .tmplock WAFLOCK=.tmplock $(WAF) dist diff --git a/ctdb/wscript b/ctdb/wscript index 13384c8..d23358b 100644 --- a/ctdb/wscript +++ b/ctdb/wscript 
@@ -957,7 +957,27 @@ def show_version(ctx): print VERSION -def dist(): +def manpages(ctx): + BASE_URL = 'http://docbook.sourceforge.net/release/xsl/current' + MAN_XSL = '%s/manpages/docbook.xsl' % BASE_URL + HTML_XSL = '%s/html/docbook.xsl' % BASE_URL + CMD_TEMPLATE = 'xsltproc --xinclude -o %s --nonet %s %s' + manpages = manpages_binary + manpages_misc + manpages_etcd + manpages_ceph + for t in manpages: + cmd = CMD_TEMPLATE % ('doc/%s' % t, MAN_XSL, 'doc/%s.xml' % t) + ret = samba_utils.RUN_COMMAND(cmd) + if ret != 0: + print('Command %s failed with exit status %d' % (cmd, ret)) + sys.exit(ret) + + cmd = CMD_TEMPLATE % ('doc/%s.html' % t, HTML_XSL, 'doc/%s.xml' % t) + ret = samba_utils.RUN_COMMAND(cmd) + if ret != 0: + print('Command %s failed with exit status %d' % (cmd, ret)) + sys.exit(ret) + + +def distonly(ctx): samba_dist.DIST_FILES('VERSION:VERSION', extend=True) t = 'include/ctdb_version.h' @@ -979,24 +999,8 @@ def dist(): sys.exit(ret) samba_dist.DIST_FILES('ctdb/%s:%s' % (t, t), extend=True) - BASE_URL = 'http://docbook.sourceforge.net/release/xsl/current' - MAN_XSL = '%s/manpages/docbook.xsl' % BASE_URL - HTML_XSL = '%s/html/docbook.xsl' % BASE_URL - CMD_TEMPLATE = 'xsltproc --xinclude -o %s --nonet %s %s' manpages = manpages_binary + manpages_misc + manpages_etcd + manpages_ceph for t in manpages: - cmd = CMD_TEMPLATE % ('doc/%s' % t, MAN_XSL, 'doc/%s.xml' % t) - ret = samba_utils.RUN_COMMAND(cmd) - if ret != 0: - print('Command %s failed with exit status %d' % (cmd, ret)) - sys.exit(ret) - - cmd = CMD_TEMPLATE % ('doc/%s.html' % t, HTML_XSL, 'doc/%s.xml' % t) - ret = samba_utils.RUN_COMMAND(cmd) - if ret != 0: - print('Command %s failed with exit status %d' % (cmd, ret)) - sys.exit(ret) - samba_dist.DIST_FILES('ctdb/doc/%s:doc/%s' % (t, t), extend=True) samba_dist.DIST_FILES('ctdb/doc/%s.html:doc/%s.html' % (t, t), extend=True) 
@@ -1004,6 +1008,12 @@ def dist(): samba_dist.dist() +def dist(): + import Scripting + Scripting.commands.append('manpages') + Scripting.commands.append('distonly') + + def rpmonly(ctx): opts = os.getenv('RPM_OPTIONS') or '' cmd = 'rpmbuild -ta --clean --rmsource %s ctdb-%s.tar.gz' % (opts, VERSION) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index f8f3b16..10b42de 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -23,6 +23,7 @@ #include "includes.h" #include "system/filesys.h" #include "krb5_samba.h" +#include "lib/crypto/crypto.h" #ifdef HAVE_COM_ERR_H #include <com_err.h> @@ -300,6 +301,42 @@ int smb_krb5_create_key_from_string(krb5_context context, return -1; } + if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) { + TALLOC_CTX *frame = talloc_stackframe(); + uint8_t *utf16 = NULL; + size_t utf16_size = 0; + uint8_t nt_hash[16]; + bool ok; + + ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE, + password->data, password->length, + (void **)&utf16, &utf16_size); + if (!ok) { + if (errno == 0) { + errno = EINVAL; + } + ret = errno; + TALLOC_FREE(frame); + return ret; + } + + mdfour(nt_hash, utf16, utf16_size); + memset(utf16, 0, utf16_size); + ret = smb_krb5_keyblock_init_contents(context, + ENCTYPE_ARCFOUR_HMAC, + nt_hash, + sizeof(nt_hash), + key); + ZERO_STRUCT(nt_hash); + if (ret != 0) { + TALLOC_FREE(frame); + return ret; + } + + TALLOC_FREE(frame); + return 0; + } + #if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY) {/* MIT */ krb5_data _salt; diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c index fbd9998..76b7cd9 100644 --- a/lib/util/genrand_util.c +++ b/lib/util/genrand_util.c @@ -210,7 +210,7 @@ again: } /** - * Generate a random text password. + * Generate a random text password (based on printable ascii characters). */ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max) 
@@ -258,6 +258,172 @@ again: } /** + * Generate a random machine password (based on random utf16 characters, + * converted to utf8). min must be at least 14, max must be at most 255. + * + * If 'unix charset' is not utf8, the password consist of random ascii + * values! + */ + +_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max) +{ + TALLOC_CTX *frame = NULL; + struct generate_random_machine_password_state { + uint8_t password_buffer[256 * 2]; + uint8_t tmp; + } *state; + char *new_pw = NULL; + size_t len = max; + char *utf8_pw = NULL; + size_t utf8_len = 0; + char *unix_pw = NULL; + size_t unix_len = 0; + size_t diff; + size_t i; + bool ok; + int cmp; + + if (max > 255) { + errno = EINVAL; + return NULL; + } + + if (min < 14) { + errno = EINVAL; + return NULL; + } + + if (min > max) { + errno = EINVAL; + return NULL; + } + + frame = talloc_stackframe_pool(2048); + state = talloc_zero(frame, struct generate_random_machine_password_state); + + diff = max - min; + + if (diff > 0) { + size_t tmp; + + generate_random_buffer((uint8_t *)&tmp, sizeof(tmp)); + + tmp %= diff; + + len = min + tmp; + } + + /* + * Create a random machine account password + * We create a random buffer and convert that to utf8. + * This is similar to what windows is doing. + * + * In future we may store the raw random buffer, + * but for now we need to pass the password as + * char pointer through some layers. + * + * As most kerberos keys are derived from the + * utf8 password we need to fallback to + * ASCII passwords if "unix charset" is not utf8. + */ + generate_secret_buffer(state->password_buffer, len * 2); + for (i = 0; i < len; i++) { + size_t idx = i*2; + uint16_t c; + + /* + * both MIT krb5 and HEIMDAL only + * handle codepoints up to 0xffff. + * + * It means we need to avoid + * 0xD800 - 0xDBFF (high surrogate) + * and + * 0xDC00 - 0xDFFF (low surrogate) + * in the random utf16 data. 
+ * + * 55296 0xD800 0154000 0b1101100000000000 + * 57343 0xDFFF 0157777 0b1101111111111111 + * 8192 0x2000 020000 0b10000000000000 + * + * The above values show that we can check + * for 0xD800 and just add 0x2000 to avoid + * the surrogate ranges. + * + * The rest will be handled by CH_UTF16MUNGED + * see utf16_munged_pull(). + */ + c = SVAL(state->password_buffer, idx); + if (c & 0xD800) { + c |= 0x2000; + } + SSVAL(state->password_buffer, idx, c); + } + ok = convert_string_talloc(frame, + CH_UTF16MUNGED, CH_UTF8, + state->password_buffer, len * 2, + (void *)&utf8_pw, &utf8_len); + if (!ok) { + DEBUG(0, ("%s: convert_string_talloc() failed\n", + __func__)); + TALLOC_FREE(frame); + return NULL; + } + + ok = convert_string_talloc(frame, + CH_UTF16MUNGED, CH_UNIX, + state->password_buffer, len * 2, + (void *)&unix_pw, &unix_len); + if (!ok) { + goto ascii_fallback; + } + + if (utf8_len != unix_len) { + goto ascii_fallback; + } + + cmp = memcmp((const uint8_t *)utf8_pw, + (const uint8_t *)unix_pw, + utf8_len); + if (cmp != 0) { + goto ascii_fallback; + } + + new_pw = talloc_strdup(mem_ctx, utf8_pw); + if (new_pw == NULL) { + TALLOC_FREE(frame); + return NULL; + } + talloc_set_name_const(new_pw, __func__); + TALLOC_FREE(frame); + return new_pw; + +ascii_fallback: + for (i = 0; i < len; i++) { + /* + * truncate to ascii + */ + state->tmp = state->password_buffer[i] & 0x7f; + if (state->tmp == 0) { + state->tmp = state->password_buffer[i] >> 1; + } + if (state->tmp == 0) { + state->tmp = 0x01; + } + state->password_buffer[i] = state->tmp; + } + state->password_buffer[i] = '\0'; + + new_pw = talloc_strdup(mem_ctx, (const char *)state->password_buffer); + if (new_pw == NULL) { + TALLOC_FREE(frame); + return NULL; + } + talloc_set_name_const(new_pw, __func__); + TALLOC_FREE(frame); + return new_pw; +} + +/** * Generate an array of unique text strings all of the same length. * The returned string will be allocated. 
* Returns NULL if the number of unique combinations cannot be created. diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h index 897e0f5..18c6a1a 100644 --- a/lib/util/samba_util.h +++ b/lib/util/samba_util.h @@ -100,11 +100,41 @@ _PUBLIC_ uint32_t generate_random(void); _PUBLIC_ bool check_password_quality(const char *s); /** - * Generate a random text password. + * Generate a random text password (based on printable ascii characters). + * This function is designed to provide a password that + * meats the complexity requirements of UF_NORMAL_ACCOUNT objects + * and they should be human readable and writeable on any keyboard layout. + * + * Characters used are: + * ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,@$%&!?:;<=>()[]~ */ _PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min, size_t max); /** + * Generate a random machine password + * + * min and max are the number of utf16 characters used + * to generate on utf8 compatible password. + * + * Note: if 'unix charset' is not 'utf8' (the default) + * then each utf16 character is only filled with + * values from 0x01 to 0x7f (ascii values without 0x00). + * This is important as the password neets to be + * a valid value as utf8 string and at the same time + * a valid value in the 'unix charset'. + * + * If 'unix charset' is 'utf8' (the default) then + * each utf16 character is a random value from 0x0000 + * 0xFFFF (exluding the surrogate ranges from 0xD800-0xDFFF) + * while the translation from CH_UTF16MUNGED + * to CH_UTF8 replaces invalid values (see utf16_munged_pull()). + * + * Note: these passwords may not pass the complexity requirements + * for UF_NORMAL_ACCOUNT objects (except krbtgt accounts). + */ +_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t min, size_t max); + +/** Use the random number generator to generate a random string. **/ _PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const char *list); 
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 38b1351..d55142e 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -484,6 +484,14 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer, return NT_STATUS_OK; } +char *netlogon_creds_cli_debug_string( + const struct netlogon_creds_cli_context *context, + TALLOC_CTX *mem_ctx) +{ + return talloc_asprintf(mem_ctx, "netlogon_creds_cli:%s", + context->db.key_name); +} + enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( struct netlogon_creds_cli_context *context) { @@ -1747,7 +1755,11 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx /* * netr_ServerPasswordSet */ - E_md4hash(new_password, state->samr_password.hash); + ok = E_md4hash(new_password, state->samr_password.hash); + if (!ok) { + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX); + return tevent_req_post(req, ev); + } /* * netr_ServerPasswordSet2 @@ -2075,11 +2087,24 @@ struct netlogon_creds_cli_LogonSamLogon_state { /* * the read only credentials before we started the operation + * used for netr_LogonSamLogonEx() if required (validation_level = 3). */ struct netlogon_creds_CredentialState *ro_creds; + /* + * The (locked) credentials used for the credential chain + * used for netr_LogonSamLogonWithFlags() or + * netr_LogonSamLogonWith(). + */ struct netlogon_creds_CredentialState *lk_creds; + /* + * While we have locked the global credentials (lk_creds above) + * we operate an a temporary copy, because a server + * may not support netr_LogonSamLogonWithFlags() and + * didn't process our netr_Authenticator, so we need to + * restart from lk_creds. + */ struct netlogon_creds_CredentialState tmp_creds; struct netr_Authenticator req_auth; struct netr_Authenticator rep_auth; 
@@ -2311,7 +2336,7 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req) return; } - netlogon_creds_encrypt_samlogon_logon(state->ro_creds, + netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds, state->logon_level, state->logon); @@ -2414,8 +2439,10 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq) /* * We got a race, lets retry with on authenticator * protection. + * + * netlogon_creds_cli_LogonSamLogon_start() + * will TALLOC_FREE(state->ro_creds); */ - TALLOC_FREE(state->ro_creds); state->try_logon_ex = false; netlogon_creds_cli_LogonSamLogon_start(req); return; diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h index 006367a..949e03b 100644 --- a/libcli/auth/netlogon_creds_cli.h +++ b/libcli/auth/netlogon_creds_cli.h @@ -52,6 +52,10 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer, TALLOC_CTX *mem_ctx, struct netlogon_creds_cli_context **_context); +char *netlogon_creds_cli_debug_string( + const struct netlogon_creds_cli_context *context, + TALLOC_CTX *mem_ctx); + enum dcerpc_AuthLevel netlogon_creds_cli_auth_level( struct netlogon_creds_cli_context *context); diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c index bfcd216..d8ff0ab 100644 --- a/librpc/rpc/dcerpc_error.c +++ b/librpc/rpc/dcerpc_error.c 
@@ -50,12 +50,10 @@ static const struct dcerpc_fault_table dcerpc_faults[] = _FAULT_STR(DCERPC_NCA_S_FAULT_INT_DIV_BY_ZERO, NT_STATUS_RPC_FP_DIV_ZERO), _FAULT_STR(DCERPC_NCA_S_FAULT_INT_OVERFLOW, NT_STATUS_RPC_FP_OVERFLOW), /* - * What's the difference between NT_STATUS_RPC_INVALID_TAG - * and NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ??? - * - * Our callers expect NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE. + * Our callers expect NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE + * instead of NT_STATUS_RPC_INVALID_TAG. */ - _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE), + _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE), _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_INVALID_TAG), _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_BOUND, NT_STATUS_RPC_INVALID_BOUND), _FAULT_STR(DCERPC_NCA_S_FAULT_RPC_VERSION_MISMATCH, NT_STATUS_RPC_PROTOCOL_ERROR), diff --git a/python/pyglue.c b/python/pyglue.c index dbe7eb4..0e80ba6 100644 --- a/python/pyglue.c +++ b/python/pyglue.c @@ -60,6 +60,23 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args) return ret; } +static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args) +{ + int min, max; + PyObject *ret; + char *retstr; + if (!PyArg_ParseTuple(args, "ii", &min, &max)) -- Samba Shared Repository
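
Review bot: In ctdb/wscript, the new dist() queues 'manpages' and 'distonly' through Scripting.commands with no comment saying that distonly() packs the doc/%s and doc/%s.html files that manpages() writes, so the order of the two appends matters. A one-line comment on that dependency, and on why Scripting is imported inside the function, would help. manpages() could also run its two xsltproc commands through one small helper instead of repeating the run-and-check block.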
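
Review bot: In lib/krb5_wrap/krb5_samba.c, smb_krb5_create_key_from_string(), the new ENCTYPE_ARCFOUR_HMAC branch carries no comment saying why this enctype bypasses the MIT and Heimdal string-to-key paths that follow it, or that no salt enters the key here. The reason is only in the commit message (convert_string_talloc() handles a wider range of unicode code points); a short comment at the top of the branch would keep it from reading as a duplicate code path later. The branch could also use a single cleanup label so that TALLOC_FREE(frame) appears once instead of on three exits.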
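
Review bot: In lib/util/genrand_util.c, generate_random_machine_password(), the test "if (c & 0xD800)" does not do what the comment above it describes: it is true for any code unit with one of the bits 0x8000, 0x4000, 0x1000 or 0x0800 set, not only for the surrogate range 0xD800-0xDFFF, so 0x2000 is forced on in 15 of every 16 random values and each character loses close to one bit of randomness. "if ((c & 0xF800) == 0xD800)" would touch only surrogates and still move them to 0xF800-0xFFFF. In the same hunk, "tmp %= diff; len = min + tmp;" never yields len == max when min < max, the result of talloc_zero() for state is dereferenced without a NULL check, and password_buffer still holds the generated secret when TALLOC_FREE(frame) runs on each exit path; clearing the buffer first would match what the krb5_samba.c change does with its utf16 and nt_hash buffers.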
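
Review bot: In lib/util/samba_util.h, the new doc comment for generate_random_machine_password() leaves out the argument limits the implementation enforces (min at least 14, max at most 255, min not above max, otherwise NULL with errno set to EINVAL), so a caller reading only the header cannot tell the call may fail that way. The added comment text also needs a proofread: "meats" (meets), "to generate on utf8 compatible password" (an), "neets" (needs), "exluding" (excluding), and "from 0x0000 0xFFFF" is missing "to".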
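
Review bot: In libcli/auth/netlogon_creds_cli.c, the new comments in struct netlogon_creds_cli_LogonSamLogon_state need a proofread: "netr_LogonSamLogonWithFlags() or netr_LogonSamLogonWith()" ends in what reads like a cut-off function name, and "we operate an a temporary copy" should be "on a". The later comment "netlogon_creds_cli_LogonSamLogon_start() will TALLOC_FREE(state->ro_creds)" describes code outside the shown hunks, so it is worth confirming that the free happens on every path through start() before the explicit TALLOC_FREE is dropped in netlogon_creds_cli_LogonSamLogon_done().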
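
Review bot: In librpc/rpc/dcerpc_error.c, dcerpc_faults[] has two consecutive rows for DCERPC_NCA_S_FAULT_INVALID_TAG, and the rewritten comment does not say that row order decides which status a caller gets. If the table is searched first-match by fault code, the NT_STATUS_RPC_INVALID_TAG row is never returned for that fault; one more comment line stating that the first row wins, and why the second row is kept, would make it harder for a later edit to bring back the regression this change fixes.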