The branch, v4-14-test has been updated
       via  2a9a5185553 s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names
       via  65498505cbf auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available
       via  f4179deb273 s4:auth: rename user_info->mapped_state to user_info->cracknames_called
       via  8fa656cdeed winbindd: don't set mapped_state in winbindd_dual_auth_passdb()
       via  9b631f4efeb nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN
       via  57401a170aa s3:auth: make_user_info_map() should not set mapped_state
       via  311a4cc141a s4:auth: fix confusing DEBUG message in authsam_want_check()
       via  8bdf62eb2d3 s4:auth: check for user_info->mapped.account_name if it needs to be filled
       via  9981c6731d0 s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging
       via  e0222e2fd8b s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging
       via  7ef4c442c63 s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging
       via  1d8369c9232 s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info
       via  9d4b98aa568 auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info
       via  1ead3a4d0dd s4:auth: encrypt_user_info() should set password_state instead of mapped_state
       via  dd91493ed62 s4:auth: a simple bind uses the DCs name as workstation
       via  e7a0e1db90d s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()
       via  c331fc104e7 rodc: Add tests for simple BIND alongside NTLMSSP binds
       via  1a0d92a9bef s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as indication for an interactive logon
       via  f0891c0a891 s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON
       via  2472d44f9c9 dsdb/tests: add test_login_basics_simple()
       via  50954766056 dsdb/tests: prepare BasePasswordTestCase for simple bind tests
       via  275f57f3796 dsdb/tests: introduce assertLoginSuccess
       via  845d3674286 dsdb/tests: make use of assertLoginFailure helper
       via  6e43d4ca919 dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]
       via  657c7c9a34b dsdb/tests: passwords.py doesn't need to import BasePasswordTestCase
       via  5ca48372032 python:tests: let insta_creds() also copy the bind_dn from the template
      from  0e793fe124b s3: smbd: Fix our leases code to return the correct error in the non-dynamic share case.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test

- Log -----------------------------------------------------------------
commit 2a9a5185553ba7b4abc6e65680f881ee936842a1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 11:10:00 2022 +0100

    s4:auth: let authenticate_ldap_simple_bind() pass down the mapped nt4names

    authenticate_ldap_simple_bind*() needs to pass the result of the
    cracknames operation into the auth stack as
    user_info->client.{account,domain}_name, because
    user_info->client.{account,domain}_name is also used when forwarding
    the request via netrLogonSamLogon* to a remote server; for exactly
    that, the values are also used in order to map an AUTH_PASSWORD_PLAIN
    into AUTH_PASSWORD_RESPONSE, where the NTLMv2 response contains the
    account and domain names passed in the netr_IdentityInfo value.

    Otherwise it would not be possible to forward the LDAP simple bind
    authentication request to a remote DC. Currently this only applies
    to an RODC that forwards the request to an RWDC.

    But note that LDAP simple binds (as on Windows) only work for users
    in the DC's forest, as the DsCrackNames need to work and it can't
    work for users of remote forests.

    I tested that in a DC of a forest root domain: it rejected the LDAP
    simple bind against a different forest, but allowed it for users of
    a child domain in the same forest. The NTLMSSP bind worked in both
    cases.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Mar 10 04:10:54 UTC 2022 on sn-devel-184

    (cherry picked from commit 40f2070d3b2b1b13cc08f7844bfe4945e9f0cd86)

    Autobuild-User(v4-14-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-14-test): Wed Mar 16 15:37:02 UTC 2022 on sn-devel-184

commit 65498505cbfab81471e77fd1eedad4c7374be32d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 11:10:00 2022 +0100

    auth: let auth logging prefer user_info->orig_client.{account,domain}_name if available

    The optional user_info->orig_client.{account,domain}_name are the
    ones really used by the client and should be used in audit logging.
    But we still fall back to user_info->client.{account,domain}_name.

    This will be important for the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 24b580cae23860a0fe6c9d3a285d60564057043d)

commit f4179deb2736ece953c5fa9d29358f3cb4d01d1c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 11:10:00 2022 +0100

    s4:auth: rename user_info->mapped_state to user_info->cracknames_called

    This makes it much clearer what it is used for and it is a special
    hack for authenticate_ldap_simple_bind_send() in order to avoid some
    additional work in authsam_check_password_internals().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 427125d182252d8aee3dd906ee34a909cdbb8ef3)

commit 8fa656cdeed16e24803ecae840397f94412821c2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:23:21 2022 +0100

    winbindd: don't set mapped_state in winbindd_dual_auth_passdb()

    mapped_state is a special hack for authenticate_ldap_simple_bind_send()
    in order to avoid some additional work in
    authsam_check_password_internals(). This doesn't apply here.

    We should also handle wbinfo -a authentication UPN names, e.g.
    administrator@DOMAIN, even if the account belongs to the local sam.

    With this change the behavior is consistent also locally on DCs and
    also an RODC can handle these requests locally for cached accounts.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 8dfdbe095a4c8a7bedd29341656a7c3164517713)

commit 9b631f4efebd45b921a7d0461fe2b548698003aa
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 7 20:57:52 2022 +0100

    nsswitch: let test_wbinfo.sh also test wbinfo -a $USERNAME@$DOMAIN

    When winbindd forwards wbinfo -a via netrLogonSamLogon* to a remote
    DC it works fine for upn names, e.g. administrator@DOMAIN. But it
    currently fails locally on a DC against the local sam. For the RODC
    it only works because it forwards the request to an RWDC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15003
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e1d2c59d360fb4e72dafe788b5d9dbb0572bf811)

commit 57401a170aaa097e42c6e310e7ed76d9ae5a0b60
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:24:25 2022 +0100

    s3:auth: make_user_info_map() should not set mapped_state

    mapped_state is only evaluated in authsam_check_password_internals()
    of auth_sam.c in source4, so setting it in the auth3 code doesn't
    make any difference.

    I've proved that with an SMB_ASSERT() and a full pipeline not
    triggering it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c56cb12f347b7582290ce1d4dfe3959d69050bd9)

commit 311a4cc141acaae8a10084f56e23efa352518ff3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Mar 7 21:16:51 2022 +0100

    s4:auth: fix confusing DEBUG message in authsam_want_check()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a12683bd1206df4d4d87a3842d92e34a69e172b7)

commit 8bdf62eb2d3180b900e77992845d13f50689488a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:14:10 2022 +0100

    s4:auth: check for user_info->mapped.account_name if it needs to be filled

    mapped_state is a special hack for authenticate_ldap_simple_bind_send()
    in order to avoid some additional work in
    authsam_check_password_internals().

    But that code will be changed in the next commits, so we can simplify
    the logic and only check for user_info->mapped.account_name being
    NULL. As it's the important factor that user_info->mapped.account_name
    is non-NULL down in the auth stack.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c7b8c71b2b71bb9d95c33d403c4204376f443852)

commit 9981c6731d017f24991df9448687ed1bea709234
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:16:13 2022 +0100

    s4:rpc_server/samr: don't set mapped_state in auth_usersupplied_info for audit logging

    mapped_state is completely irrelevant for audit logging and will also
    be removed in the next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 52787b9c1e9370133ff4481c62c2e7b9393c2439)

commit e0222e2fd8b9c84dd74356a5273741f57ea6ed42
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:16:13 2022 +0100

    s4:kdc: don't set mapped_state in auth_usersupplied_info for audit logging

    mapped_state is completely irrelevant for audit logging and will also
    be removed in the next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ca6948642bc2ff821ec4ca8ab24902b1ba9e8397)

commit 7ef4c442c6356e9670ae4f8253b129e4acc54725
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:16:13 2022 +0100

    s4:dsdb: don't set mapped_state in auth_usersupplied_info for audit logging

    mapped_state is completely irrelevant for audit logging and will also
    be removed in the next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 99efe5f4e9ce426b28cef94d858849707ce15739)

commit 1d8369c9232f9350fef001ed8f1138a903fdde8f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:16:13 2022 +0100

    s4:smb_server: don't set mapped_state explicitly in auth_usersupplied_info

    We already use talloc_zero() and mapped_state will be removed in the
    next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 859c7817350553259eb09c889bc40afebb60064a)

commit 9d4b98aa568ae7b7bc0a481587922eb869161740
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:15:31 2022 +0100

    auth/ntlmssp: don't set mapped_state explicitly in auth_usersupplied_info

    We already use talloc_zero() and mapped_state will be removed in the
    next commits.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 9a4ac8ab2e2c8ee48f6bf5a6ecf7988c435ba1c6)

commit 1ead3a4d0dd7d5b2c65b93c0501c3da9267e08dd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 3 23:14:38 2022 +0100

    s4:auth: encrypt_user_info() should set password_state instead of mapped_state

    user_info->mapped_state has nothing to do with enum
    auth_password_state, user_info->password_state is the one that holds
    the auth_password_state value.

    Luckily user_info->password_state was never referenced in the
    encrypt_user_info() callers.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a6fb598d9dcbfe21ef285b5f30fabcb88a259c93)

commit dd91493ed62fd2118f7a896e51251d3b3ea6493d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 2 14:32:41 2022 +0100

    s4:auth: a simple bind uses the DCs name as workstation

    I've seen that in LogonSamLogonEx request triggered by a simple bind
    with a user of a trusted domain within the same forest.

    Note simple binds don't work with users for another forest/external
    domain, as the DsCrackNames call on the bind_dn fails.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 31db704882bbcd569c2abb764ac1d3691ee0a267)

commit e7a0e1db90d1accd7b3602e5d0a088de74bd329d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 11:41:20 2022 +0100

    s3:rpc_client: let rpccli_netlogon_network_logon() fallback to workstation = lp_netbios_name()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14641

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 5c04c01354944fc3a64bb109bf3e9bf89086cc6f)

commit c331fc104e75d303e42ef88097bf88851941f4d2
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Mon Apr 1 15:46:48 2019 +1300

    rodc: Add tests for simple BIND alongside NTLMSSP binds

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 62fb6c1dc8527db6cf0f08d4d06e8813707f767a)

commit 1a0d92a9bef54a725266caec944f7882101a5a89
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 19:09:41 2022 +0100

    s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as indication for an interactive logon

    Using != AUTH_PASSWORD_RESPONSE is not the correct indication due to
    the local mappings from AUTH_PASSWORD_PLAIN via AUTH_PASSWORD_HASH to
    AUTH_PASSWORD_RESPONSE.

    It means an LDAP simple bind will now honour 'old password allowed
    period'.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 2ad44686229ba02f98de5769c26a3dfeaf5ada2b)

commit f0891c0a8916dbddc422deb629557c51716d9064
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 8 15:14:09 2022 +0100

    s3:auth: let make_user_info_netlogon_interactive() set USER_INFO_INTERACTIVE_LOGON

    This is not really relevant for now, as USER_INFO_INTERACTIVE_LOGON
    is not evaluated in the source3/auth stack. But better add it to be
    consistent.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 012bd9f5b780f7a90cf3bd918f044ea67fae7017)

commit 2472d44f9c93ab03bc0919bebc61b6874348001e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 21:53:06 2022 +0100

    dsdb/tests: add test_login_basics_simple()

    This demonstrates that 'old password allowed period' also applies to
    LDAP simple binds and not only to GSS-SPNEGO/NTLMSSP binds.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 3625d1381592f7af8ec14715c6c2dfa4d9f02676)

commit 50954766056e974f0ca4eb244e8c76e8c731a223
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 21:53:06 2022 +0100

    dsdb/tests: prepare BasePasswordTestCase for simple bind tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 0b1fbc9d56e2a25e3f1527ee5bc54880bdc65fc6)

commit 275f57f3796d7e74a2a9b69de51be53b89814f06
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 23:35:26 2022 +0100

    dsdb/tests: introduce assertLoginSuccess

    This makes it possible to catch failures with knownfail entries.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 751ce671a4af32bc1c56433a5a1c8161377856c5)

commit 845d3674286b410070d215a73f75af4e758935af
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 23:35:26 2022 +0100

    dsdb/tests: make use of assertLoginFailure helper

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 03ba5af3d9eaeb5f0c7c1a1a61ef2ac454eb8392)

commit 6e43d4ca919698c2153262294961fef944312dd8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Mar 5 00:09:17 2022 +0100

    dsdb/tests: let all BasePasswordTestCase tests provide self.host_url[_ldaps]

    This will make further changes easier.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 5a3214c99048a88b0a9f509e3b5b38326529b02c)

commit 657c7c9a34bd8a848ac2d41cb2541c51e5716563
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Mar 5 01:36:50 2022 +0100

    dsdb/tests: passwords.py doesn't need to import BasePasswordTestCase

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 90754591a7e4d5a3af70c01425930f4ec063c516)

commit 5ca483720320fa8662ab3aca375c48b9e1347859
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Mar 4 21:50:15 2022 +0100

    python:tests: let insta_creds() also copy the bind_dn from the template

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (cherry picked from commit a30a7626254c863f95b98c97ea46ff54b98078ad) ----------------------------------------------------------------------- Summary of changes: auth/auth_log.c | 20 +++++-- auth/common_auth.h | 4 +- auth/ntlmssp/ntlmssp_server.c | 1 - nsswitch/tests/test_wbinfo.sh | 2 + python/samba/tests/__init__.py | 4 ++ source3/auth/auth_util.c | 3 +- source3/rpc_client/cli_netlogon.c | 4 ++ source3/winbindd/winbindd_pam.c | 3 -- source4/auth/ntlm/auth.c | 7 +-- source4/auth/ntlm/auth_sam.c | 13 ++--- source4/auth/ntlm/auth_simple.c | 10 ++-- source4/auth/ntlm/auth_util.c | 4 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 1 - source4/dsdb/tests/python/login_basics.py | 32 +++++++---- source4/dsdb/tests/python/password_lockout.py | 7 ++- source4/dsdb/tests/python/password_lockout_base.py | 36 ++++++++++--- source4/dsdb/tests/python/passwords.py | 1 - source4/dsdb/tests/python/rodc_rwdc.py | 63 ++++++++++++++-------- source4/kdc/hdb-samba4.c | 1 - source4/rpc_server/samr/samr_password.c | 1 - source4/smb_server/smb/sesssetup.c | 2 - 21 files changed, 138 insertions(+), 81 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/auth_log.c b/auth/auth_log.c index 60bc6334591..dc1cea12390 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -152,6 +152,12 @@ static void log_authentication_event_json( char negotiate_flags[11]; char logon_id[19]; int rc = 0; + const char *clientDomain = ui->orig_client.domain_name ? + ui->orig_client.domain_name : + ui->client.domain_name; + const char *clientAccount = ui->orig_client.account_name ? + ui->orig_client.account_name : + ui->client.account_name; authentication = json_new_object(); if (json_is_invalid(&authentication)) { 
@@ -203,12 +209,12 @@ static void log_authentication_event_json( goto failure; } rc = json_add_string( - &authentication, "clientDomain", ui->client.domain_name); + &authentication, "clientDomain", clientDomain); if (rc != 0) { goto failure; } rc = json_add_string( - &authentication, "clientAccount", ui->client.account_name); + &authentication, "clientAccount", clientAccount); if (rc != 0) { goto failure; } @@ -594,6 +600,12 @@ static void log_authentication_event_human_readable( char *trust_account_name = NULL; char *logon_line = NULL; const char *password_type = NULL; + const char *clientDomain = ui->orig_client.domain_name ? + ui->orig_client.domain_name : + ui->client.domain_name; + const char *clientAccount = ui->orig_client.account_name ? + ui->orig_client.account_name : + ui->client.account_name; frame = talloc_stackframe(); @@ -640,8 +652,8 @@ static void log_authentication_event_human_readable( " %s\n", ui->service_description, ui->auth_description, - log_escape(frame, ui->client.domain_name), - log_escape(frame, ui->client.account_name), + log_escape(frame, clientDomain), + log_escape(frame, clientAccount), ts, password_type, nt_errstr(status), diff --git a/auth/common_auth.h b/auth/common_auth.h index 0452c673ebc..d922b66ab4d 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -49,14 +49,14 @@ struct auth_usersupplied_info uint32_t logon_parameters; - bool mapped_state; + bool cracknames_called; bool was_mapped; uint64_t logon_id; /* the values the client gives us */ struct { const char *account_name; const char *domain_name; - } client, mapped; + } client, mapped, orig_client; enum auth_password_state password_state; diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index ce78af1d32d..e077c2f7379 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c 
@@ -771,7 +771,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_security *gensec_security, user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT; user_info->flags = 0; - user_info->mapped_state = false; user_info->client.account_name = ntlmssp_state->user; user_info->client.domain_name = ntlmssp_state->domain; user_info->workstation_name = ntlmssp_state->client.netbios_name; diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh index 2ac83828a0e..198918494cf 100755 --- a/nsswitch/tests/test_wbinfo.sh +++ b/nsswitch/tests/test_wbinfo.sh @@ -294,6 +294,8 @@ testit "wbinfo --user-sids against $TARGET" $wbinfo --user-sids $admin_sid || fa testit "wbinfo -a against $TARGET with domain creds" $wbinfo -a "$DOMAIN/$USERNAME"%"$PASSWORD" || failed=`expr $failed + 1` +testit "wbinfo -a against $TARGET with domain upn creds" $wbinfo -a "$USERNAME@$DOMAIN"%"$PASSWORD" || failed=$(expr $failed + 1) + testit "wbinfo --getdcname against $TARGET" $wbinfo --getdcname=$DOMAIN testit "wbinfo -p against $TARGET" $wbinfo -p || failed=`expr $failed + 1` diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py index 3812f5bad4a..d0cf59e4615 100644 --- a/python/samba/tests/__init__.py +++ b/python/samba/tests/__init__.py @@ -172,6 +172,8 @@ class TestCase(unittest.TestCase): username = template.get_username() userpass = template.get_password() + simple_bind_dn = template.get_bind_dn() + if kerberos_state is None: kerberos_state = template.get_kerberos_state() @@ -185,6 +187,8 @@ class TestCase(unittest.TestCase): c.set_gensec_features(c.get_gensec_features() | gensec.FEATURE_SEAL) c.set_kerberos_state(kerberos_state) + if simple_bind_dn: + c.set_bind_dn(simple_bind_dn) return c def assertStringsEqual(self, a, b, msg=None, strip=False): diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 7a97dd45f11..a0260b67c19 100644 --- a/source3/auth/auth_util.c 
+++ b/source3/auth/auth_util.c @@ -136,8 +136,6 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, lm_interactive_pwd, nt_interactive_pwd, plaintext, password_state); if (NT_STATUS_IS_OK(result)) { - /* We have tried mapping */ - (*user_info)->mapped_state = true; /* did we actually map the user to a different name? */ (*user_info)->was_mapped = was_mapped; } @@ -264,6 +262,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(nt_status)) { (*user_info)->logon_parameters = logon_parameters; + (*user_info)->flags |= USER_INFO_INTERACTIVE_LOGON; } ret = NT_STATUS_IS_OK(nt_status) ? true : false; diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 175f83d6750..efaa6f9ead6 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -656,6 +656,10 @@ NTSTATUS rpccli_netlogon_network_logon( return NT_STATUS_NO_MEMORY; } + if (workstation == NULL) { + workstation = lp_netbios_name(); + } + if (workstation[0] != '\\' && workstation[1] != '\\') { workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation); } else { diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index d50439de424..4f371bebeee 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -1430,9 +1430,6 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - /* We don't want any more mapping of the username */ - user_info->mapped_state = True; - /* We don't want to come back to winbindd or to do PAM account checks */ user_info->flags |= USER_INFO_INFO3_AND_NO_AUTHZ; diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 3dd2ffc9276..09d660a392b 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c 
@@ -220,17 +220,12 @@ _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx, state->user_info = user_info; state->authoritative = 1; - if (!user_info->mapped_state) { + if (user_info->mapped.account_name == NULL) { struct auth_usersupplied_info *user_info_tmp; /* * We don't really do any mapping here. * - * So we don't set user_info->mapped_state, - * but we set mapped.domain_name and - * mapped.account_name to the client - * provided values. - * * It's up to the backends to do mappings * for their authentication. */ diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index dbbf97665db..cf0656ae0da 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -410,10 +410,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con return NT_STATUS_WRONG_PASSWORD; } - if (user_info->password_state != AUTH_PASSWORD_RESPONSE) { + if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) { /* * The authentication was OK against the previous password, - * but it's not a NTLM network authentication. + * but it's not a NTLM network authentication, + * LDAP simple bind or something similar. * * We just return the original wrong password. * This skips the update of the bad pwd count, @@ -657,7 +658,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx * really, really want to get back to exactly the same account * we got the DN for. */ - if (user_info->mapped_state == false) { + if (!user_info->cracknames_called) { p = strchr_m(account_name, '@'); } else { /* 
@@ -866,17 +867,17 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, return NT_STATUS_OK; } - if (user_info->mapped_state) { + if (user_info->cracknames_called) { /* * The caller already did a cracknames call. */ - DBG_DEBUG("%s is not one domain name (DC)\n", + DBG_DEBUG("%s is not own domain name (DC)\n", effective_domain); return NT_STATUS_NOT_IMPLEMENTED; } if (!strequal(effective_domain, "")) { - DBG_DEBUG("%s is not one domain name (DC)\n", + DBG_DEBUG("%s is not own domain name (DC)\n", effective_domain); return NT_STATUS_NOT_IMPLEMENTED; } diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c index b2e76381395..006e4d8279a 100644 --- a/source4/auth/ntlm/auth_simple.c +++ b/source4/auth/ntlm/auth_simple.c @@ -26,6 +26,7 @@ #include "lib/util/tevent_ntstatus.h" #include "auth/auth.h" #include "dsdb/samdb/samdb.h" +#include "lib/param/param.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_AUTH @@ -80,7 +81,7 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c /* No client.domain_name, use account_name instead */ /* user_info->mapped.* will be filled below */ - user_info->workstation_name = NULL; + user_info->workstation_name = lpcfg_netbios_name(lp_ctx); user_info->remote_host = remote_address; user_info->local_host = local_address; @@ -120,9 +121,10 @@ _PUBLIC_ struct tevent_req *authenticate_ldap_simple_bind_send(TALLOC_CTX *mem_c return tevent_req_post(req, ev); } - user_info->mapped.account_name = nt4_username; - user_info->mapped.domain_name = nt4_domain; - user_info->mapped_state = true; + user_info->orig_client = user_info->client; + user_info->client.account_name = nt4_username; + user_info->client.domain_name = nt4_domain; + user_info->cracknames_called = true; subreq = auth_check_password_send(state, ev, state->auth_context, diff --git a/source4/auth/ntlm/auth_util.c b/source4/auth/ntlm/auth_util.c index a0d061dca2a..58e97fb4a77 100644 --- a/source4/auth/ntlm/auth_util.c 
+++ b/source4/auth/ntlm/auth_util.c @@ -73,7 +73,7 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_conte return NT_STATUS_NO_MEMORY; } *user_info_temp = *user_info_in; - user_info_temp->mapped_state = to_state; + user_info_temp->password_state = to_state; nt_status = auth_get_challenge(auth_context, chal); if (!NT_STATUS_IS_OK(nt_status)) { @@ -147,7 +147,7 @@ NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth4_context *auth_conte return NT_STATUS_NO_MEMORY; } *user_info_temp = *user_info_in; - user_info_temp->mapped_state = to_state; + user_info_temp->password_state = to_state; if (E_deshash(user_info_in->password.plaintext, lanman.hash)) { user_info_temp->password.hash.lanman = talloc(user_info_temp, diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 0e08f4889ee..1b8a713ecf5 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3011,7 +3011,6 @@ static int check_password_restrictions_and_log(struct setup_password_fields_io * * logs are consistent, even if some elements are always NULL. */ struct auth_usersupplied_info ui = { - .mapped_state = true, .was_mapped = true, .client = { .account_name = io->u.sAMAccountName, diff --git a/source4/dsdb/tests/python/login_basics.py b/source4/dsdb/tests/python/login_basics.py index d265441826d..d28b56c6065 100755 --- a/source4/dsdb/tests/python/login_basics.py +++ b/source4/dsdb/tests/python/login_basics.py 
@@ -48,24 +48,32 @@ class BasicUserAuthTests(BasePasswordTestCase): def setUp(self): self.host = host - self.host_url = host_url + self.host_url = "ldap://%s" % host + self.host_url_ldaps = "ldaps://%s" % host self.lp = lp self.global_creds = global_creds self.ldb = SamDB(url=self.host_url, credentials=self.global_creds, session_info=system_session(self.lp), lp=self.lp) super(BasicUserAuthTests, self).setUp() - def _test_login_basics(self, creds): + def _test_login_basics(self, creds, simple=False): username = creds.get_username() userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) if creds.get_kerberos_state() == MUST_USE_KERBEROS: logoncount_relation = 'greater' lastlogon_relation = 'greater' + ldap_url = self.host_url print("Performs a lockout attempt against LDAP using Kerberos") + elif simple: + logoncount_relation = 'equal' + lastlogon_relation = 'equal' + ldap_url = self.host_url_ldaps + print("Performs a lockout attempt against LDAP using Simple") else: logoncount_relation = 'equal' lastlogon_relation = 'equal' + ldap_url = self.host_url print("Performs a lockout attempt against LDAP using NTLM") # get the intial logon values for this user @@ -87,7 +95,7 @@ class BasicUserAuthTests(BasePasswordTestCase): # check logging in with the wrong password fails test_creds.set_password("thatsAcomplPASS1xBAD") - self.assertLoginFailure(self.host_url, test_creds, self.lp) + self.assertLoginFailure(ldap_url, test_creds, self.lp) res = self._check_account(userdn, badPwdCount=1, badPasswordTime=("greater", badPasswordTime), @@ -101,7 +109,7 @@ class BasicUserAuthTests(BasePasswordTestCase): # check logging in with the correct password succeeds test_creds.set_password(userpass) - user_ldb = SamDB(url=self.host_url, credentials=test_creds, lp=self.lp) + user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp) res = self._check_account(userdn, badPwdCount=0, badPasswordTime=badPasswordTime, 
@@ -132,7 +140,7 @@ userPassword: %s # for Kerberos, logging in with the old password fails if creds.get_kerberos_state() == MUST_USE_KERBEROS: - self.assertLoginFailure(self.host_url, test_creds, self.lp) + self.assertLoginFailure(ldap_url, test_creds, self.lp) info_msg = 'Test Kerberos login with old password fails' expectBadPwdTime = ("greater", badPasswordTime) res = self._check_account(userdn, @@ -147,9 +155,11 @@ userPassword: %s badPasswordTime = int(res[0]["badPasswordTime"][0]) else: # for NTLM, logging in with the old password succeeds - user_ldb = SamDB(url=self.host_url, credentials=test_creds, - lp=self.lp) - info_msg = 'Test NTLM login with old password succeeds' + user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp) + if simple: + info_msg = 'Test simple-bind login with old password succeeds' + else: + info_msg = 'Test NTLM login with old password succeeds' res = self._check_account(userdn, badPwdCount=0, badPasswordTime=badPasswordTime, @@ -162,7 +172,7 @@ userPassword: %s # check logging in with the new password succeeds test_creds.set_password(new_password) - user_ldb = SamDB(url=self.host_url, credentials=test_creds, lp=self.lp) + user_ldb = self.assertLoginSuccess(ldap_url, test_creds, self.lp) res = self._check_account(userdn, badPwdCount=0, badPasswordTime=badPasswordTime, @@ -179,7 +189,7 @@ userPassword: %s def test_login_basics_ntlm(self): self._test_login_basics(self.lockout1ntlm_creds) - -host_url = "ldap://%s" % host + def test_login_basics_simple(self): + self._test_login_basics(self.lockout1simple_creds, simple=True) TestProgram(module=__name__, opts=subunitopts) diff --git a/source4/dsdb/tests/python/password_lockout.py b/source4/dsdb/tests/python/password_lockout.py index 445944862b8..e162f4e037d 100755 --- a/source4/dsdb/tests/python/password_lockout.py +++ b/source4/dsdb/tests/python/password_lockout.py 
@@ -69,7 +69,8 @@ import password_lockout_base class PasswordTests(password_lockout_base.BasePasswordTestCase): def setUp(self): self.host = host - self.host_url = host_url + self.host_url = "ldap://%s" % host + self.host_url_ldaps = "ldaps://%s" % host self.lp = lp self.global_creds = global_creds self.ldb = SamDB(url=self.host_url, session_info=system_session(self.lp), @@ -140,7 +141,7 @@ lockoutTime: 0 cmd = cmd_sambatool.subcommands['user'].subcommands['unlock'] result = cmd._run("samba-tool user unlock", username, - "-H%s" % host_url, + "-H%s" % self.host_url, "-U%s%%%s" % (global_creds.get_username(), global_creds.get_password())) self.assertEqual(result, None) @@ -1422,6 +1423,4 @@ class PasswordTestsWithDefaults(PasswordTests): self._test_login_lockout(self.lockout1ntlm_creds, wait_lockout_duration=False) -host_url = "ldap://%s" % host - TestProgram(module=__name__, opts=subunitopts) diff --git a/source4/dsdb/tests/python/password_lockout_base.py b/source4/dsdb/tests/python/password_lockout_base.py index 0f9617da1e6..f311502da3c 100644 --- a/source4/dsdb/tests/python/password_lockout_base.py +++ b/source4/dsdb/tests/python/password_lockout_base.py @@ -6,6 +6,7 @@ from samba.credentials import Credentials, DONT_USE_KERBEROS, MUST_USE_KERBEROS from ldb import SCOPE_BASE, LdbError from ldb import ERR_CONSTRAINT_VIOLATION from ldb import ERR_INVALID_CREDENTIALS +from ldb import SUCCESS as LDB_SUCCESS from ldb import Message, MessageElement, Dn from ldb import FLAG_MOD_REPLACE from samba import gensec, dsdb 
@@ -213,11 +214,17 @@ class BasePasswordTestCase(PasswordTestCase): FLAG_MOD_REPLACE, "lockOutObservationWindow") self.ldb.modify(m) - def _readd_user(self, creds, lockOutObservationWindow=0): + def _readd_user(self, creds, lockOutObservationWindow=0, simple=False): username = creds.get_username() userpass = creds.get_password() userdn = "cn=%s,cn=users,%s" % (username, self.base_dn) + if simple: + creds.set_bind_dn(userdn) + ldap_url = self.host_url_ldaps + else: + ldap_url = self.host_url + delete_force(self.ldb, userdn) self.ldb.add({ "dn": userdn, @@ -248,15 +255,10 @@ userPassword: """ + userpass + """ self._check_account_initial(userdn) # Fail once to get a badPasswordTime - try: - ldb = SamDB(url=self.host_url, credentials=fail_creds, lp=self.lp) - self.fail() - except LdbError as e: - (num, msg) = e.args - self.assertEqual(num, ERR_INVALID_CREDENTIALS) + self.assertLoginFailure(ldap_url, fail_creds, self.lp) # Succeed to reset everything to 0 - ldb = SamDB(url=self.host_url, credentials=creds, lp=self.lp) + ldb = self.assertLoginSuccess(ldap_url, creds, self.lp) return ldb @@ -271,6 +273,17 @@ userPassword: """ + userpass + """ "(got err %d, expected %d)" % (num, errno))) + def assertLoginSuccess(self, url, creds, lp): + try: + ldb = SamDB(url=url, credentials=creds, lp=lp) -- Samba Shared Repository
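Review bot: both encrypt_user_info() hunks in auth_util.c (@@ -73 and @@ -147) now store `to_state` in `password_state`, while the preceding `*user_info_temp = *user_info_in;` still copies `mapped_state` from the input unchanged, so mapped_state no longer says anything about the password encoding of the copy; a one-line comment at the assignment stating that password_state is now the field that records the plaintext/hash/response encoding would help, and any caller that still reads mapped_state for that purpose must be changed in the same commit.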
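Review bot: with `.mapped_state = true,` dropped from the `struct auth_usersupplied_info ui` initializer in check_password_restrictions_and_log() (password_hash.c, hunk @@ -3011), the comment just above it, which explains that the initializer exists only to keep the audit logs consistent, should mention that `was_mapped = true` is the field that marks the names as already resolved; otherwise a later reader may re-add mapped_state on the assumption it was forgotten.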
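Review bot: in the @@ -48 hunk of login_basics.py the new `elif simple:` branch and the final `else:` branch set the same `logoncount_relation`/`lastlogon_relation` values and differ only in `ldap_url` and the printed message, so a single non-Kerberos branch with `ldap_url = self.host_url_ldaps if simple else self.host_url` would avoid the duplication; a short comment on why the simple-bind case alone is sent to `self.host_url_ldaps` rather than `self.host_url` would also document the choice for the next reader.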
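Review bot: `self.lockout1simple_creds`, used by the new test_login_basics_simple() in hunk @@ -179 of login_basics.py, is not defined anywhere in this patch, and the module-level `host_url = "ldap://%s" % host` removed in the same hunk may still be referenced elsewhere in the module (password_lockout.py needed the `"-H%s" % self.host_url` fix at @@ -140 for exactly that reason); please confirm the base class provides lockout1simple_creds and grep login_basics.py for remaining bare host_url uses.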
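Review bot: in hunk @@ -6 of password_lockout_base.py `from ldb import SUCCESS as LDB_SUCCESS` is added, but no use of LDB_SUCCESS appears in the visible hunks; if it is only needed inside the new assertLoginSuccess() at @@ -271, whose body is cut off in this mail, say so in the commit message, otherwise drop the unused import.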
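Review bot: in hunk @@ -213 of password_lockout_base.py the simple branch of _readd_user() calls `creds.set_bind_dn(userdn)`, which mutates the caller's Credentials object for the rest of the test run, while `fail_creds` used in hunk @@ -248 is not visibly given a bind DN, so if fail_creds is derived from creds before this call the simple-bind failure attempt would not bind as the intended user; in the same @@ -248 hunk the removed try/except asserted `ERR_INVALID_CREDENTIALS` explicitly whereas the replacement `self.assertLoginFailure(ldap_url, fail_creds, self.lp)` passes no expected error, so please confirm the helper's default is ERR_INVALID_CREDENTIALS and the check is not loosened.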