The branch, master has been updated
via 85437d7 samba_dnsupdate: Look for ForestDnsZones in the right place
via 270f7b3 s3:passdb: add pdb_get_trust_credentials()
via 354f146 acl: Fix typo: structrual -> structural
via 5ae9ada dsdb: Be less verbose when announcing kcc is being invoked.
from e3a796f s3:torture: in LOCAL-MESSAGING-FDPASS2, close fds after
passing them
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 85437d742612df88f1a20e8a2844a1cc9a5100c9
Author: Andrew Bartlett <[email protected]>
Date: Thu Sep 25 15:42:16 2014 -0700
samba_dnsupdate: Look for ForestDnsZones in the right place
Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Sat Sep 27 22:09:29 CEST 2014 on sn-devel-104
commit 270f7b3441963904412aaf5594983f46caace59b
Author: Stefan Metzmacher <[email protected]>
Date: Wed Aug 7 16:34:28 2013 +0200
s3:passdb: add pdb_get_trust_credentials()
Signed-off-by: Stefan Metzmacher <[email protected]>
Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Pair-programmed-with: Andrew Bartlett <[email protected]>
commit 354f1461b43e60068f826d0a77d281e789a5c249
Author: Jelmer Vernooij <[email protected]>
Date: Sat Sep 27 16:42:38 2014 +0200
acl: Fix typo: structrual -> structural
Change-Id: I859f62042e16d146ab4cb1490ab725d2bfa06db1
Signed-off-by: Jelmer Vernooij <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
commit 5ae9ada3a8708b0b64587640b7ff7ab1c04b29b7
Author: Jelmer Vernooij <[email protected]>
Date: Sat Sep 27 16:28:27 2014 +0200
dsdb: Be less verbose when announcing kcc is being invoked.
Change-Id: I94ab7d92e7e4f4311f0b20b1072c3ad05155d068
Signed-Off-By: Jelmer Vernooij <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
source3/include/passdb.h | 5 +
.../passdb/ABI/{pdb-0.1.1.sigs => pdb-0.1.2.sigs} | 1 +
source3/passdb/ABI/pdb-0.sigs | 13 +-
source3/passdb/passdb.c | 252 ++++++++++++++++++--
source3/wscript_build | 4 +-
source4/dsdb/kcc/kcc_periodic.c | 2 +-
source4/dsdb/samdb/ldb_modules/acl.c | 2 +-
source4/scripting/bin/samba_dnsupdate | 4 +-
8 files changed, 256 insertions(+), 27 deletions(-)
copy source3/passdb/ABI/{pdb-0.1.1.sigs => pdb-0.1.2.sigs} (99%)
Changeset truncated at 500 lines:
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index f991808..86cb16e 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -715,6 +715,11 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd,
bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
const char **account_name,
enum netr_SchannelType *channel);
+struct cli_credentials;
+NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
+ const char *dns_domain, /* optional */
+ TALLOC_CTX *mem_ctx,
+ struct cli_credentials **_creds);
/* The following definitions come from passdb/pdb_compat.c */
diff --git a/source3/passdb/ABI/pdb-0.1.1.sigs
b/source3/passdb/ABI/pdb-0.1.2.sigs
similarity index 99%
copy from source3/passdb/ABI/pdb-0.1.1.sigs
copy to source3/passdb/ABI/pdb-0.1.2.sigs
index 99f9605..8b97bac 100644
--- a/source3/passdb/ABI/pdb-0.1.1.sigs
+++ b/source3/passdb/ABI/pdb-0.1.2.sigs
@@ -157,6 +157,7 @@ pdb_get_pw_history: const uint8_t *(const struct samu *,
uint32_t *)
pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *,
DATA_BLOB *, NTTIME *, struct security_descriptor **)
pdb_get_seq_num: bool (time_t *)
pdb_get_tevent_context: struct tevent_context *(void)
+pdb_get_trust_credentials: NTSTATUS (const char *, const char *, TALLOC_CTX *,
struct cli_credentials **)
pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct
pdb_trusted_domain **)
pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *,
struct pdb_trusted_domain **)
pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
diff --git a/source3/passdb/ABI/pdb-0.sigs b/source3/passdb/ABI/pdb-0.sigs
index ccb371b..e6e3f73 100644
--- a/source3/passdb/ABI/pdb-0.sigs
+++ b/source3/passdb/ABI/pdb-0.sigs
@@ -19,7 +19,6 @@ algorithmic_rid_base: int (void)
builtin_domain_name: const char *(void)
cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *)
cache_account_policy_set: bool (enum pdb_policy_type, uint32_t)
-pdb_create_builtin: NTSTATUS (uint32_t)
create_builtin_administrators: NTSTATUS (const struct dom_sid *)
create_builtin_users: NTSTATUS (const struct dom_sid *)
decode_account_policy_name: const char *(enum pdb_policy_type)
@@ -74,6 +73,7 @@ pdb_build_fields_present: uint32_t (struct samu *)
pdb_capabilities: uint32_t (void)
pdb_copy_sam_account: bool (struct samu *, struct samu *)
pdb_create_alias: NTSTATUS (const char *, uint32_t *)
+pdb_create_builtin: NTSTATUS (uint32_t)
pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t)
pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *)
pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *)
@@ -91,11 +91,6 @@ pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *,
const struct dom_sid
pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t)
pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char
*)
pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct
dom_sid)
-pdb_is_responsible_for_our_sam: bool (void)
-pdb_is_responsible_for_builtin: bool (void)
-pdb_is_responsible_for_wellknown: bool (void)
-pdb_is_responsible_for_unix_users: bool (void)
-pdb_is_responsible_for_unix_groups: bool (void)
pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct
dom_sid *, struct acct_info *)
pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *,
GROUP_MAP *)
pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *)
@@ -162,6 +157,7 @@ pdb_get_pw_history: const uint8_t *(const struct samu *,
uint32_t *)
pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *,
DATA_BLOB *, NTTIME *, struct security_descriptor **)
pdb_get_seq_num: bool (time_t *)
pdb_get_tevent_context: struct tevent_context *(void)
+pdb_get_trust_credentials: NTSTATUS (const char *, const char *, TALLOC_CTX *,
struct cli_credentials **)
pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct
pdb_trusted_domain **)
pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *,
struct pdb_trusted_domain **)
pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *)
@@ -181,6 +177,11 @@ pdb_gid_to_sid: bool (gid_t, struct dom_sid *)
pdb_group_rid_to_gid: gid_t (uint32_t)
pdb_increment_bad_password_count: bool (struct samu *)
pdb_is_password_change_time_max: bool (time_t)
+pdb_is_responsible_for_builtin: bool (void)
+pdb_is_responsible_for_our_sam: bool (void)
+pdb_is_responsible_for_unix_groups: bool (void)
+pdb_is_responsible_for_unix_users: bool (void)
+pdb_is_responsible_for_wellknown: bool (void)
pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char
**, enum lsa_SidType *)
pdb_new_rid: bool (uint32_t *)
pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *)
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 8cf592c..70d8626 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -30,6 +30,8 @@
#include "../libcli/security/security.h"
#include "../lib/util/util_pw.h"
#include "util_tdb.h"
+#include "auth/credentials/credentials.h"
+#include "lib/param/param.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_PASSDB
@@ -2298,13 +2300,26 @@ bool is_dc_trusted_domain_situation(const char
*domain_name)
Caller must free password, but not account_name.
*******************************************************************/
-bool get_trust_pw_clear(const char *domain, char **ret_pwd,
- const char **account_name,
- enum netr_SchannelType *channel)
+static bool get_trust_pw_clear2(const char *domain,
+ const char **account_name,
+ enum netr_SchannelType *channel,
+ char **cur_pw,
+ time_t *_last_set_time,
+ char **prev_pw)
{
char *pwd;
time_t last_set_time;
+ if (cur_pw != NULL) {
+ *cur_pw = NULL;
+ }
+ if (_last_set_time != NULL) {
+ *_last_set_time = 0;
+ }
+ if (prev_pw != NULL) {
+ *prev_pw = NULL;
+ }
+
/* if we are a DC and this is not our domain, then lookup an account
* for the domain trust */
@@ -2313,7 +2328,7 @@ bool get_trust_pw_clear(const char *domain, char
**ret_pwd,
return false;
}
- if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL,
+ if (!pdb_get_trusteddom_pw(domain, cur_pw, NULL,
&last_set_time))
{
DEBUG(0, ("get_trust_pw: could not fetch trust "
@@ -2330,6 +2345,10 @@ bool get_trust_pw_clear(const char *domain, char
**ret_pwd,
*account_name = lp_workgroup();
}
+ if (_last_set_time != NULL) {
+ *_last_set_time = last_set_time;
+ }
+
return true;
}
@@ -2353,34 +2372,98 @@ bool get_trust_pw_clear(const char *domain, char
**ret_pwd,
pwd = secrets_fetch_machine_password(lp_workgroup(), &last_set_time,
channel);
if (pwd != NULL) {
- *ret_pwd = pwd;
+ struct timeval expire;
+
+ *cur_pw = pwd;
+
if (account_name != NULL) {
*account_name = lp_netbios_name();
}
+ if (_last_set_time != NULL) {
+ *_last_set_time = last_set_time;
+ }
+
+ if (prev_pw == NULL) {
+ return true;
+ }
+
+ ZERO_STRUCT(expire);
+ expire.tv_sec = lp_machine_password_timeout();
+ expire.tv_sec /= 2;
+ expire.tv_sec += last_set_time;
+ if (timeval_expired(&expire)) {
+ return true;
+ }
+
+ pwd = secrets_fetch_prev_machine_password(lp_workgroup());
+ if (pwd != NULL) {
+ *prev_pw = pwd;
+ }
+
return true;
}
- DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+ DEBUG(5, ("get_trust_pw_clear2: could not fetch clear text trust "
"account password for domain %s\n", domain));
return false;
}
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+ const char **account_name,
+ enum netr_SchannelType *channel)
+{
+ return get_trust_pw_clear2(domain,
+ account_name,
+ channel,
+ ret_pwd,
+ NULL,
+ NULL);
+}
+
/*******************************************************************
Wrapper around retrieving the trust account password.
appropriate account name is stored in account_name.
*******************************************************************/
-bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
- const char **account_name,
- enum netr_SchannelType *channel)
+static bool get_trust_pw_hash2(const char *domain,
+ const char **account_name,
+ enum netr_SchannelType *channel,
+ struct samr_Password *current_nt_hash,
+ time_t *last_set_time,
+ struct samr_Password **_previous_nt_hash)
{
- char *pwd = NULL;
- time_t last_set_time;
+ char *cur_pw = NULL;
+ char *prev_pw = NULL;
+ char **_prev_pw = NULL;
+ bool ok;
+
+ if (_previous_nt_hash != NULL) {
+ *_previous_nt_hash = NULL;
+ _prev_pw = &prev_pw;
+ }
- if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
- E_md4hash(pwd, ret_pwd);
- SAFE_FREE(pwd);
+ ok = get_trust_pw_clear2(domain, account_name, channel,
+ &cur_pw, last_set_time, _prev_pw);
+ if (ok) {
+ struct samr_Password *previous_nt_hash = NULL;
+
+ E_md4hash(cur_pw, current_nt_hash->hash);
+ SAFE_FREE(cur_pw);
+
+ if (prev_pw == NULL) {
+ return true;
+ }
+
+ previous_nt_hash = SMB_MALLOC_P(struct samr_Password);
+ if (previous_nt_hash == NULL) {
+ return false;
+ }
+
+ E_md4hash(prev_pw, previous_nt_hash->hash);
+ SAFE_FREE(prev_pw);
+
+ *_previous_nt_hash = previous_nt_hash;
return true;
} else if (is_dc_trusted_domain_situation(domain)) {
return false;
@@ -2388,8 +2471,9 @@ bool get_trust_pw_hash(const char *domain, uint8_t
ret_pwd[16],
/* as a fallback, try to get the hashed pwd directly from the tdb... */
- if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
- &last_set_time,
+ if (secrets_fetch_trust_account_password_legacy(domain,
+ current_nt_hash->hash,
+ last_set_time,
channel))
{
if (account_name != NULL) {
@@ -2403,3 +2487,139 @@ bool get_trust_pw_hash(const char *domain, uint8_t
ret_pwd[16],
"password for domain %s\n", domain));
return False;
}
+
+bool get_trust_pw_hash(const char *domain, uint8_t ret_pwd[16],
+ const char **account_name,
+ enum netr_SchannelType *channel)
+{
+ struct samr_Password current_nt_hash;
+ bool ok;
+
+ ok = get_trust_pw_hash2(domain, account_name, channel,
+ ¤t_nt_hash, NULL, NULL);
+ if (!ok) {
+ return false;
+ }
+
+ memcpy(ret_pwd, current_nt_hash.hash, sizeof(current_nt_hash.hash));
+ return true;
+}
+
+NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
+ const char *dns_domain, /* optional */
+ TALLOC_CTX *mem_ctx,
+ struct cli_credentials **_creds)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
+ struct loadparm_context *lp_ctx;
+ enum netr_SchannelType channel;
+ time_t last_set_time;
+ const char *_account_name;
+ const char *account_name;
+ char *cur_pw = NULL;
+ char *prev_pw = NULL;
+ struct samr_Password cur_nt_hash;
+ struct cli_credentials *creds = NULL;
+ struct pdb_get_trust_credentials_state *state = NULL;
+ bool ok;
+
+ ok = get_trust_pw_clear2(netbios_domain,
+ &_account_name,
+ &channel,
+ &cur_pw,
+ &last_set_time,
+ &prev_pw);
+ if (!ok) {
+ ok = get_trust_pw_hash2(netbios_domain,
+ &_account_name,
+ &channel,
+ &cur_nt_hash,
+ &last_set_time,
+ NULL);
+ if (!ok) {
+ DEBUG(1, ("get_trust_pw_*2 failed for domain[%s]\n",
+ netbios_domain));
+ status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ goto fail;
+ }
+ }
+
+ account_name = talloc_asprintf(frame, "%s$", _account_name);
+ if (account_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ DEBUG(1, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto fail;
+ }
+
+ creds = cli_credentials_init(mem_ctx);
+ if (creds == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ cli_credentials_set_conf(creds, lp_ctx);
+
+ cli_credentials_set_secure_channel_type(creds, channel);
+ cli_credentials_set_password_last_changed_time(creds, last_set_time);
+
+ ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (dns_domain != NULL) {
+ ok = cli_credentials_set_realm(creds, dns_domain,
CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (cur_pw == NULL) {
+ ok = cli_credentials_set_nt_hash(creds, &cur_nt_hash,
CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ goto done;
+ }
+
+ ok = cli_credentials_set_password(creds, cur_pw, CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ if (prev_pw != NULL) {
+ ok = cli_credentials_set_old_password(creds, prev_pw,
CRED_SPECIFIED);
+ if (!ok) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+ }
+
+ done:
+ *_creds = creds;
+ creds = NULL;
+ status = NT_STATUS_OK;
+ fail:
+ TALLOC_FREE(creds);
+ SAFE_FREE(cur_pw);
+ SAFE_FREE(prev_pw);
+ TALLOC_FREE(frame);
+ return status;
+}
diff --git a/source3/wscript_build b/source3/wscript_build
index ca46dad..0038262 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -162,7 +162,7 @@ bld.SAMBA3_LIBRARY('pdb',
passdb/pdb_interface.c
passdb/pdb_secrets.c
passdb/pdb_unixid.c''',
- deps='secrets3 GROUPDB SERVER_MUTEX wbclient LIBCLI_AUTH
flag_mapping',
+ deps='secrets3 GROUPDB SERVER_MUTEX wbclient LIBCLI_AUTH
flag_mapping samba-credentials',
private_library=False,
pc_files=[],
public_headers_install=True,
@@ -172,7 +172,7 @@ bld.SAMBA3_LIBRARY('pdb',
passdb/lookup_sid.h''',
abi_match=private_pdb_match,
abi_directory='passdb/ABI',
- vnum='0.1.1')
+ vnum='0.1.2')
bld.SAMBA3_LIBRARY('smbldaphelper',
source='passdb/pdb_ldap_schema.c passdb/pdb_ldap_util.c',
diff --git a/source4/dsdb/kcc/kcc_periodic.c b/source4/dsdb/kcc/kcc_periodic.c
index 34bae96..0e84e42 100644
--- a/source4/dsdb/kcc/kcc_periodic.c
+++ b/source4/dsdb/kcc/kcc_periodic.c
@@ -661,7 +661,7 @@ NTSTATUS kccsrv_samba_kcc(struct kccsrv_service *service,
/* kill any existing child */
TALLOC_FREE(service->periodic.subreq);
- DEBUG(0,("Calling samba_kcc script\n"));
+ DEBUG(2, ("Calling samba_kcc script\n"));
service->periodic.subreq = samba_runcmd_send(service,
service->task->event_ctx,
timeval_current_ofs(40, 0),
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c
b/source4/dsdb/samdb/ldb_modules/acl.c
index 2ba57b7..e75fb2a 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -867,7 +867,7 @@ static int acl_add(struct ldb_module *module, struct
ldb_request *req)
&objectclass->schemaIDGUID, req);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb_module_get_ctx(module),
- "acl: unable to find or validate
structrual objectClass on %s\n",
+ "acl: unable to find or validate
structural objectClass on %s\n",
ldb_dn_get_linearized(req->op.add.message->dn));
return ret;
}
diff --git a/source4/scripting/bin/samba_dnsupdate
b/source4/scripting/bin/samba_dnsupdate
index 30d5608..181e67f 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -299,6 +299,8 @@ def get_subst_vars(samdb):
vars['IF_RWGC'] = ""
basedn = str(samdb.get_default_basedn())
+ forestdn = str(samdb.get_root_basedn())
+
if "msDS-hasMasterNCs" in res[0]:
for e in res[0]["msDS-hasMasterNCs"]:
if str(e) == "DC=DomainDnsZones,%s" % basedn:
@@ -307,7 +309,7 @@ def get_subst_vars(samdb):
vars['IF_RODNS_DOMAIN'] = ""
else:
vars['IF_RWDNS_DOMAIN'] = ""
- if str(e) == "DC=ForestDnsZones,%s" % basedn:
+ if str(e) == "DC=ForestDnsZones,%s" % forestdn:
vars['IF_DNS_FOREST'] = ""
if am_rodc:
vars['IF_RODNS_FOREST'] = ""
--
Samba Shared Repository
