The branch, master has been updated
       via  e0777da s4:dsdb/tests: add pwdLastSet tests
       via  f77c82d s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right
       via  bafa016 s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10
       via  1d808bb s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"
       via  97534ff s4:rpc_server/samr: only set pwdLastSet to "0" or "-1"
       via  b6933b2 s4:dsdb/password_hash: allow pwdLastSet only changes
       via  cada33b s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a password change
       via  e536dbd s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control
       via  9baae34 s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more robust
       via  cad741c s4:dsdb/password_hash: only set pwdLastSet if required
       via  786ee29 s4:dsdb/password_hash: create a shallow copy of the client message for the final update
       via  8262ec9 s4:dsdb/password_hash: move ldb_msg_add_empty() calls to update_final_msg()
       via  8ca1c02 s4:dsdb/password_hash: remember if we need to update the passwords and/or pwdLastSet
       via  f3ce752 s4:dsdb/password_hash: call ndr_pull_supplementalCredentialsBlob in setup_io()
       via  02be8a1 s4:dsdb/password_hash: move the check for old passwords into setup_io()
       via  5e48dbb s4:dsdb/password_hash: leave the current value of pwdLastSet as 0 an add
       via  0a79948 s4:dsdb/password_hash: make the variable names in setup_io() more clear
       via  fec7d40 s4:dsdb/password_hash: split out a update_final_msg() function
       via  94e0afb s4:dsdb/password_hash: split out a password_hash_needed() function
       via  58e2d65 s4:dsdb/password_hash: use full NTTIME resolution for pwdLastSet
       via  3b15a7a s4:dsdb/common: add some const to helper functions
       via  b74eac8 s4:samldb: pass down DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID with changed userAccountControl details
       via  88b7cfa s4:dsdb/samdb: allocate DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID
       via  5980d12 s4:dsdb/samldb: add DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID when defaulting pwdLastSet=0
       via  e68a9d2 s4:dsdb/samdb: allocate DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID
       via  011d849 s3:pdb_samba_dsdb: fix calculating of dsdb_flags
       via  05fec3e s4:dsdb/tests: use more useful userAccountControl/pwdLastSet values in the urgent_replication test
       via  c38a717 s4:selftest: run samba4.ldap.password_lockout.python only against ad_dc_ntvfs
       via  e2a0dd9 s4:dsdb/repl_meta_data: pass now to replmd_add_fix_la
       via  8156cd7 s4:dsdb/tests: improve error message in test_new_user_default_attributes()
       via  82d2b99 s4:dsdb/tests: let the user_account_control.py test recover from a previous failure
       via  6a73b5f s4:dsdb/tests: use GENSEC_SEAL for ldap connections in sam.py
       via  1bbab37 s4:dsdb/tests: use ncacn_ip_tcp:server[seal] for samr connections
       via  1e69c58 s4:dsdb/tests: make user_account_control.py executable
       via  959384f samba-tool: really deprecate 'samba-tool user add'
       via  9722f06 librpc/ndr: add support for NDR_ALIGN* to ndr_push_short_relative_ptr2()
       via  582f506 librpc/tools: correctly validate relative pointers in ndrdump
       via  3076b1e selftest: add save.env.sh helper script.
      from  1ce7721 Revert "source4/scripting: add an option to samba_dnsupdate to add ns records."

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e0777da00b4cd5bfe70339c12a99485c3e661e68
Author: Stefan Metzmacher <[email protected]>
Date:   Fri May 27 16:52:00 2016 +0200

    s4:dsdb/tests: add pwdLastSet tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Mon Jun 27 08:52:48 CEST 2016 on sn-devel-144

commit f77c82d950688ff73f7454da9098fdc384179270
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jun 1 11:13:47 2016 +0200

    s4:dsdb/samldb: pwdLastSet = -1 requires Unexpire-Password right
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit bafa0166eef50162888454c11258e3ec5811ab8e
Author: Stefan Metzmacher <[email protected]>
Date:   Fri May 27 16:54:40 2016 +0200

    s4:dsdb/samldb: fix comment "lockoutTime" reset as per MS-SAMR 3.1.1.8.10
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 1d808bb5d79a43085c880dbbc675bba31fe71139
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 15:21:58 2016 +0200

    s4:dsdb/password_hash: only allow pwdLastSet as "0" or "-1"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 97534fffe6d958827eff13d75aff9e6f68e97605
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 24 08:51:45 2016 +0200

    s4:rpc_server/samr: only set pwdLastSet to "0" or "-1"
    
    The password_hash module will take care of translating "-1"
    to the current time.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit b6933b2fda0181855d2e561b11f8ae75b75ff563
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 11 20:07:18 2016 +0100

    s4:dsdb/password_hash: allow pwdLastSet only changes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit cada33bb97c6090bc9191318317fab7eea1fe52f
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 15:21:58 2016 +0200

    s4:dsdb/password_hash: make it possible to specify pwdLastSet together with a password change
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit e536dbd4477cffd4c8cae35b7f01321e49aa4b93
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 15:21:58 2016 +0200

    s4:dsdb/password_hash: handle the DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET control
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 9baae34d44bfa174772fea592b2c06127f499602
Author: Stefan Metzmacher <[email protected]>
Date:   Mon May 30 17:12:51 2016 +0200

    s4:dsdb/password_hash: make the DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET code path more robust
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit cad741c7148eac6e723c6798969c89e0ec88d087
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 11:44:43 2016 +0200

    s4:dsdb/password_hash: only set pwdLastSet if required
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 786ee29d4fb6abd9dd94e1762d5cf6fccfcee029
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 10:53:57 2016 +0200

    s4:dsdb/password_hash: create a shallow copy of the client message for the final update
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 8262ec92f7c3a8fd4e5e2bcb1c5af270f7574540
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 10:39:23 2016 +0200

    s4:dsdb/password_hash: move ldb_msg_add_empty() calls to update_final_msg()
    
    We should only replace attributes when we're asked to do so.
    Currently that's always the case, but that will change soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 8ca1c02163901cea29aac1428607742318433ed3
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 10:09:58 2016 +0200

    s4:dsdb/password_hash: remember if we need to update the passwords and/or pwdLastSet
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit f3ce752043829d23d55bbaac481d2bbf63b90fc2
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jun 3 16:20:39 2016 +0200

    s4:dsdb/password_hash: call ndr_pull_supplementalCredentialsBlob in setup_io()
    
    We should setup io->o.* (the old password attributes) completely in setup_io().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 02be8a1e8b30346743d718dd57ea901039a4183b
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 09:43:57 2016 +0200

    s4:dsdb/password_hash: move the check for old passwords into setup_io()
    
    We get everything else of the existing object there too.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 5e48dbbf2a5778d850dcbb289400fd99aab172aa
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 09:39:07 2016 +0200

    s4:dsdb/password_hash: leave the current value of pwdLastSet as 0 an add
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 0a7994881f6e6d29d70f6cf8902ff32b825f95d2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 25 13:43:29 2016 +0200

    s4:dsdb/password_hash: make the variable names in setup_io() more clear
    
    We get the message from the client and (optional) the existing object.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit fec7d402e1dd82e78e09ccf62e603e22aeabd468
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 09:25:37 2016 +0200

    s4:dsdb/password_hash: split out a update_final_msg() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 94e0afb98bdfe86309d9de8d63f9614c72e70e1f
Author: Stefan Metzmacher <[email protected]>
Date:   Tue May 31 08:16:07 2016 +0200

    s4:dsdb/password_hash: split out a password_hash_needed() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 58e2d6557c13e534f00f6efb67b6c19cd2e494f0
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Feb 12 13:56:26 2016 +0100

    s4:dsdb/password_hash: use full NTTIME resolution for pwdLastSet
    
    Windows does the same...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 3b15a7a16b2f7ebd4b19af3378f2d2e67e82f8a6
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 25 16:00:29 2016 +0200

    s4:dsdb/common: add some const to helper functions
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit b74eac8d77be490680bf84df962bc588805e9b2b
Author: Stefan Metzmacher <[email protected]>
Date:   Fri May 27 16:53:48 2016 +0200

    s4:samldb: pass down DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID with changed userAccountControl details
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 88b7cfa881e919bb7fabdf73e6510a605cf9695f
Author: Stefan Metzmacher <[email protected]>
Date:   Fri May 27 16:52:54 2016 +0200

    s4:dsdb/samdb: allocate DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 5980d123b8eaaff5d543f309c7886f6cb16efbe4
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 11 08:31:46 2016 +0100

    s4:dsdb/samldb: add DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID when defaulting pwdLastSet=0
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit e68a9d2fea9c7898b0afd14a7d72f953440b550a
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 11 08:31:46 2016 +0100

    s4:dsdb/samdb: allocate DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID
    
    This will be used to let the "password_hash" module know that
    the value of pwdLastSet was defaulted to 0 in the "samldb" module
    on add.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 011d849a96e77a19150708b42acadabdeb3e52c9
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 11 08:59:09 2016 +0100

    s3:pdb_samba_dsdb: fix calculating of dsdb_flags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 05fec3ef4bdd39d865a1946d2d0165126730138c
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jun 1 00:18:05 2016 +0200

    s4:dsdb/tests: use more useful userAccountControl/pwdLastSet values in the urgent_replication test
    
    Using UF_SMARTCARD_REQUIRED has some side effects, so we better use
    UF_DONT_EXPIRE_PASSWD which doesn't trigger additional actions.
    
    Setting pwdLastSet to "1" is not allowed, only "-1" is able to change
    an existing value of "0".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=9654
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit c38a7176810d3d9cf06618c5a530347b53503d77
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 4 17:44:05 2016 +0100

    s4:selftest: run samba4.ldap.password_lockout.python only against ad_dc_ntvfs
    
    This test runs over 4-5 mins.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit e2a0dd977078fe67e83d7f37639729fcbbe8deda
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 25 17:28:38 2016 +0200

    s4:dsdb/repl_meta_data: pass now to replmd_add_fix_la
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 8156cd736fad819fc9bd4d581a761098bc412121
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 25 16:05:14 2016 +0200

    s4:dsdb/tests: improve error message in test_new_user_default_attributes()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 82d2b99718c2c1d919e6f7d9590dbe421abb4898
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jun 22 15:08:43 2016 +0200

    s4:dsdb/tests: let the user_account_control.py test recover from a previous failure
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 6a73b5f1989923000ac308beac43e98fce2bd770
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jun 22 15:08:43 2016 +0200

    s4:dsdb/tests: use GENSEC_SEAL for ldap connections in sam.py
    
    This allows the tests to pass against a fully patched Windows Server.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 1bbab37d7cab90826bb66a016956fafd321dd0c2
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jun 22 15:08:43 2016 +0200

    s4:dsdb/tests: use ncacn_ip_tcp:server[seal] for samr connections
    
    This allows the tests to pass against a fully patched Windows Server.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 1e69c5886728a2483559bcf9d97148711bb7fb62
Author: Stefan Metzmacher <[email protected]>
Date:   Wed May 25 17:30:05 2016 +0200

    s4:dsdb/tests: make user_account_control.py executable
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 959384ff1843254c3d07a5856687436ea94f2da7
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Jun 2 15:15:52 2016 +0200

    samba-tool: really deprecate 'samba-tool user add'
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 9722f064e71ba960e6c7db8eda0cbadb60e07519
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 6 13:25:45 2016 +0100

    librpc/ndr: add support for NDR_ALIGN* to ndr_push_short_relative_ptr2()
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 582f506655e3dd5e51611ac9a8de9f317e87bc16
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 6 13:28:02 2016 +0100

    librpc/tools: correctly validate relative pointers in ndrdump
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

commit 3076b1ed444c899b4b89755699a0b974d04f66b6
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Jan 22 21:24:31 2016 +0100

    selftest: add save.env.sh helper script.
    
    This can be used to store the environment from within
    make testenv.
    
    It can be restored with:
    
    . bin/restore.env.source
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Andrew Bartlett <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 librpc/ndr/ndr.c                                   |  42 +-
 librpc/tools/ndrdump.c                             |  21 +-
 python/samba/netcmd/user.py                        |   6 +-
 selftest/save.env.sh                               |  15 +
 source3/passdb/pdb_samba_dsdb.c                    |   4 +-
 source4/dsdb/common/util.c                         |  49 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     | 832 +++++++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c    |   9 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            | 182 ++++-
 .../dsdb/samdb/ldb_modules/tombstone_reanimate.c   |   2 +-
 source4/dsdb/samdb/samdb.h                         |  17 +
 source4/dsdb/tests/python/password_lockout.py      |   2 +-
 source4/dsdb/tests/python/sam.py                   | 215 +++++-
 source4/dsdb/tests/python/token_group.py           |   4 +-
 source4/dsdb/tests/python/urgent_replication.py    |   4 +-
 source4/dsdb/tests/python/user_account_control.py  |  10 +-
 source4/rpc_server/samr/dcesrv_samr.c              |  28 +-
 source4/selftest/tests.py                          |   7 +-
 source4/setup/schema_samba4.ldif                   |   2 +
 19 files changed, 1082 insertions(+), 369 deletions(-)
 create mode 100755 selftest/save.env.sh
 mode change 100644 => 100755 source4/dsdb/tests/python/user_account_control.py


Changeset truncated at 500 lines:

diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index f66029a..78cde20 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -1440,9 +1440,44 @@ _PUBLIC_ enum ndr_err_code 
ndr_push_short_relative_ptr2(struct ndr_push *ndr, co
 {
        uint32_t save_offset;
        uint32_t ptr_offset = 0xFFFF;
+       uint32_t relative_offset;
+       size_t pad;
+       size_t align = 1;
+
        if (p == NULL) {
                return NDR_ERR_SUCCESS;
        }
+
+       if (ndr->offset < ndr->relative_base_offset) {
+               return ndr_push_error(ndr, NDR_ERR_BUFSIZE,
+                                     "ndr_push_relative_ptr2 ndr->offset(%u) < 
ndr->relative_base_offset(%u)",
+                                     ndr->offset, ndr->relative_base_offset);
+       }
+
+       relative_offset = ndr->offset - ndr->relative_base_offset;
+
+       if (ndr->flags & LIBNDR_FLAG_NOALIGN) {
+               align = 1;
+       } else if (ndr->flags & LIBNDR_FLAG_ALIGN2) {
+               align = 2;
+       } else if (ndr->flags & LIBNDR_FLAG_ALIGN4) {
+               align = 4;
+       } else if (ndr->flags & LIBNDR_FLAG_ALIGN8) {
+               align = 8;
+       }
+
+       pad = ndr_align_size(relative_offset, align);
+       if (pad != 0) {
+               NDR_CHECK(ndr_push_zero(ndr, pad));
+       }
+
+       relative_offset = ndr->offset - ndr->relative_base_offset;
+       if (relative_offset > UINT16_MAX) {
+               return ndr_push_error(ndr, NDR_ERR_BUFSIZE,
+                                     "ndr_push_relative_ptr2 
relative_offset(%u) > UINT16_MAX",
+                                     relative_offset);
+       }
+
        save_offset = ndr->offset;
        NDR_CHECK(ndr_token_retrieve(&ndr->relative_list, p, &ptr_offset));
        if (ptr_offset > ndr->offset) {
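Review bot: Both new ndr_push_error() strings in this hunk name ndr_push_relative_ptr2, while the function being changed is ndr_push_short_relative_ptr2, so a failure log points at the wrong function; use the real name or __func__ in both messages. The alignment chain also sets align = 1 twice (at the declaration and in the LIBNDR_FLAG_NOALIGN branch), so one of the two can go. The relative_offset > UINT16_MAX check is a good addition, since it rejects offsets that would otherwise be truncated when written as 16 bits.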
@@ -1451,12 +1486,7 @@ _PUBLIC_ enum ndr_err_code 
ndr_push_short_relative_ptr2(struct ndr_push *ndr, co
                                      ptr_offset, ndr->offset);
        }
        ndr->offset = ptr_offset;
-       if (save_offset < ndr->relative_base_offset) {
-               return ndr_push_error(ndr, NDR_ERR_BUFSIZE,
-                                     "ndr_push_relative_ptr2 save_offset(%u) < 
ndr->relative_base_offset(%u)",
-                                     save_offset, ndr->relative_base_offset);
-       }
-       NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, save_offset - 
ndr->relative_base_offset));
+       NDR_CHECK(ndr_push_uint16(ndr, NDR_SCALARS, relative_offset));
        ndr->offset = save_offset;
        return NDR_ERR_SUCCESS;
 }
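Review bot: The call ndr_push_uint16(ndr, NDR_SCALARS, relative_offset) now passes a uint32_t and is only safe because of the UINT16_MAX check added earlier in the function; nothing at the call site says so. Add a short comment here, or an explicit (uint16_t) cast next to that check, so a later reorder of the function does not reintroduce a silent truncation. Note also that the pad bytes are pushed before ndr_token_retrieve() runs, so when the lookup fails the buffer has already grown; state in a comment that callers discard the buffer on error if that is the intent.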
diff --git a/librpc/tools/ndrdump.c b/librpc/tools/ndrdump.c
index 2dbc427..2827e8d 100644
--- a/librpc/tools/ndrdump.c
+++ b/librpc/tools/ndrdump.c
@@ -463,7 +463,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const 
char *format, ...)
        }
 
        if (dumpdata) {
-               printf("%d bytes consumed\n", ndr_pull->offset);
+               printf("%d bytes consumed\n", highest_ofs);
                ndrdump_data(blob.data, blob.length, dumpdata);
        }
 
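Review bot: The changed printf("%d bytes consumed\n", highest_ofs) prints highest_ofs with %d, and neither its declaration nor its computation is in the visible hunks. If it is a uint32_t like the highest_v_ofs added below, the conversion should be %u. Please also confirm that highest_ofs is derived from ndr_pull in the same way highest_v_ofs is derived from ndr_v_pull, so the two values compared later are like for like.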
@@ -487,6 +487,7 @@ static void ndr_print_dummy(struct ndr_print *ndr, const 
char *format, ...)
                struct ndr_push *ndr_v_push;
                struct ndr_pull *ndr_v_pull;
                struct ndr_print *ndr_v_print;
+               uint32_t highest_v_ofs;
                uint32_t i;
                uint8_t byte_a, byte_b;
                bool differ;
@@ -523,11 +524,17 @@ static void ndr_print_dummy(struct ndr_print *ndr, const 
char *format, ...)
                        exit(1);
                }
 
+               if (ndr_v_pull->offset > ndr_v_pull->relative_highest_offset) {
+                       highest_v_ofs = ndr_v_pull->offset;
+               } else {
+                       highest_v_ofs = ndr_v_pull->relative_highest_offset;
+               }
 
-               if (ndr_v_pull->offset != ndr_v_pull->data_size) {
-                       printf("WARNING! %d unread bytes in validation\n", 
ndr_v_pull->data_size - ndr_v_pull->offset);
-                       ndrdump_data(ndr_v_pull->data+ndr_v_pull->offset,
-                                    ndr_v_pull->data_size - ndr_v_pull->offset,
+               if (highest_v_ofs != ndr_v_pull->data_size) {
+                       printf("WARNING! %d unread bytes in validation\n",
+                              ndr_v_pull->data_size - highest_v_ofs);
+                       ndrdump_data(ndr_v_pull->data + highest_v_ofs,
+                                    ndr_v_pull->data_size - highest_v_ofs,
                                     dumpdata);
                }
 
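Review bot: In the "unread bytes" block, ndr_v_pull->data_size - highest_v_ofs is an unsigned subtraction guarded only by !=, so if highest_v_ofs were ever larger than data_size the printed count and the length passed to ndrdump_data() would wrap to a very large value. Guard with highest_v_ofs < ndr_v_pull->data_size instead, and print the difference with %u rather than %d. The four-line if/else that picks the larger offset reads more clearly as a single MAX() expression.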
@@ -541,9 +548,9 @@ static void ndr_print_dummy(struct ndr_print *ndr, const 
char *format, ...)
                               (unsigned long long)blob.length, (unsigned long 
long)v_blob.length);
                }
 
-               if (ndr_pull->offset != ndr_v_pull->offset) {
+               if (highest_ofs != highest_v_ofs) {
                        printf("WARNING! orig pulled bytes:%llu validated 
pulled bytes:%llu\n", 
-                              (unsigned long long)ndr_pull->offset, (unsigned 
long long)ndr_v_pull->offset);
+                              (unsigned long long)highest_ofs, (unsigned long 
long)highest_v_ofs);
                }
 
                differ = false;
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index cf640b0..7391af5 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -208,10 +208,10 @@ class cmd_user_add(cmd_user_create):
     # migrate to create
 
     def run(self, *args, **kwargs):
-        self.err.write(
+        self.outf.write(
             "Note: samba-tool user add is deprecated.  "
             "Please use samba-tool user create for the same function.\n")
-        return super(self, cmd_user_add).run(*args, **kwargs)
+        return super(cmd_user_add, self).run(*args, **kwargs)
 
 
 class cmd_user_delete(Command):
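Review bot: Switching the deprecation note from self.err to self.outf sends it to the same stream as the command's normal output, so anything that parses the output of "samba-tool user add" now sees an extra leading line. A deprecation notice belongs on the command's error stream. The super(cmd_user_add, self) argument order is the correct fix; the old order would have raised a TypeError as soon as run() was called.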
@@ -615,7 +615,7 @@ class cmd_user(SuperCommand):
     """User management."""
 
     subcommands = {}
-    subcommands["add"] = cmd_user_create()
+    subcommands["add"] = cmd_user_add()
     subcommands["create"] = cmd_user_create()
     subcommands["delete"] = cmd_user_delete()
     subcommands["disable"] = cmd_user_disable()
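Review bot: No test accompanies the subcommands["add"] = cmd_user_add() change, and the previous mapping to cmd_user_create() is why the broken super() call in cmd_user_add.run() was never exercised. Add a test that runs "user add" and checks both that the user is created and that the deprecation note is emitted, so the wrapper cannot go dead again unnoticed.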
diff --git a/selftest/save.env.sh b/selftest/save.env.sh
new file mode 100755
index 0000000..9906f95
--- /dev/null
+++ b/selftest/save.env.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+{
+       vars=`set | \
+               grep "^[a-zA-Z][^=]*='[^']*'$" | \
+               grep -v '^IFS=' | \
+               grep -v '^TERM' | \
+               grep -v '^PPID' | \
+               grep -v '^PS[1-9]=' | \
+               cat `
+       echo "${vars}"
+       echo "${vars}" | sed -e 's!^\([a-zA-Z][^=]*\)=.*$!export \1!'
+} > bin/restore.env.source
+
+echo "RUN: '. bin/restore.env.source'"
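Review bot: The redirect "} > bin/restore.env.source" writes every variable that passes the grep filters, including any credentials exported into the test environment, to a file created with the caller's umask; set a restrictive umask (for example umask 077) before the block and mention in the commit message that the file can contain secrets. Separately, the first grep only keeps lines of the form NAME='value', and the way "set" quotes values differs between shells, so under a /bin/sh that prints simple values unquoted most variables are silently dropped; values containing a single quote or a newline are dropped under any shell. The trailing "| cat" does nothing and can be removed, and $(...) is easier to read than backticks here.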
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 56f3f10..19c6705 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -366,7 +366,7 @@ static int pdb_samba_dsdb_replace_by_sam(struct 
pdb_samba_dsdb_state *state,
        /* If we set a plaintext password, the system will
         * force the pwdLastSet to now() */
        if (need_update(sam, PDB_PASSLASTSET)) {
-               dsdb_flags = DSDB_PASSWORD_BYPASS_LAST_SET;
+               dsdb_flags |= DSDB_PASSWORD_BYPASS_LAST_SET;
 
                ret |= pdb_samba_dsdb_add_time(msg, "pwdLastSet",
                                           pdb_get_pass_last_set_time(sam));
@@ -473,7 +473,7 @@ static int pdb_samba_dsdb_replace_by_sam(struct 
pdb_samba_dsdb_state *state,
                }
                if (changed_lm_pw || changed_nt_pw || changed_history) {
                        /* These attributes can only be modified directly by 
using a special control */
-                       dsdb_flags = DSDB_BYPASS_PASSWORD_HASH;
+                       dsdb_flags |= DSDB_BYPASS_PASSWORD_HASH;
                }
        }
 
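Review bot: After dsdb_flags |= DSDB_BYPASS_PASSWORD_HASH, a single update can carry this flag together with DSDB_PASSWORD_BYPASS_LAST_SET from the earlier hunk, a combination the old assignments could not produce because the later one overwrote the earlier. The commit message does not say which flag was being lost or what the visible symptom was; add that, and a test that changes a password hash and pwdLastSet in one pdb update, since both flags bypass checks in the password_hash module.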
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 667bd86..4ad827a 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -597,7 +597,7 @@ NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX 
*mem_ctx,
 
 NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX *mem_ctx,
                                           struct loadparm_context *lp_ctx,
-                                          struct ldb_message *msg,
+                                          const struct ldb_message *msg,
                                           struct samr_Password **lm_pwd,
                                           struct samr_Password **nt_pwd)
 {
@@ -637,7 +637,7 @@ NTSTATUS samdb_result_passwords_no_lockout(TALLOC_CTX 
*mem_ctx,
 
 NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx,
                                struct loadparm_context *lp_ctx,
-                               struct ldb_message *msg,
+                               const struct ldb_message *msg,
                                struct samr_Password **lm_pwd,
                                struct samr_Password **nt_pwd)
 {
@@ -691,7 +691,7 @@ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX 
*mem_ctx, struct ldb_
   (if not null) the attributes 'attr' be already
   included in msg
 */
-uint32_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
+uint32_t samdb_result_acct_flags(const struct ldb_message *msg, const char 
*attr)
 {
        uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, 
"userAccountControl", 0);
        uint32_t attr_flags = 0;
@@ -772,13 +772,21 @@ struct ldb_message_element *samdb_find_attribute(struct 
ldb_context *ldb,
        return NULL;
 }
 
-int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message 
*msg, const char *name, const char *set_value)
+static int samdb_find_or_add_attribute_ex(struct ldb_context *ldb,
+                                         struct ldb_message *msg,
+                                         const char *name,
+                                         const char *set_value,
+                                         bool *added)
 {
        int ret;
        struct ldb_message_element *el;
 
                el = ldb_msg_find_element(msg, name);
        if (el) {
+               if (added != NULL) {
+                       *added = false;
+               }
+
                return LDB_SUCCESS;
        }
 
@@ -787,9 +795,17 @@ int samdb_find_or_add_attribute(struct ldb_context *ldb, 
struct ldb_message *msg
                return ret;
        }
        msg->elements[msg->num_elements - 1].flags = LDB_FLAG_MOD_ADD;
+       if (added != NULL) {
+               *added = true;
+       }
        return LDB_SUCCESS;
 }
 
+int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message 
*msg, const char *name, const char *set_value)
+{
+       return samdb_find_or_add_attribute_ex(ldb, msg, name, set_value, NULL);
+}
+
 /*
   add a dom_sid element to a message
 */
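Review bot: In samdb_find_or_add_attribute_ex() the early "return ret;" on failure leaves *added unwritten, so the out parameter is only defined on the two success paths. The one caller visible in this patch pre-initialises it to false, but that is easy to forget; set *added = false once at the top of the function when added != NULL and drop the assignment in the "if (el)" branch. The new static function also has no comment describing what added reports.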
@@ -5225,12 +5241,15 @@ NTSTATUS dsdb_update_bad_pwd_count(TALLOC_CTX *mem_ctx,
  *     codePage, countryCode, lastLogoff, lastLogon
  *     logonCount, pwdLastSet
  */
-int dsdb_user_obj_set_defaults(struct ldb_context *ldb, struct ldb_message 
*usr_obj)
+int dsdb_user_obj_set_defaults(struct ldb_context *ldb,
+                              struct ldb_message *usr_obj,
+                              struct ldb_request *req)
 {
        int i, ret;
        const struct attribute_values {
                const char *name;
                const char *value;
+               const char *add_control;
        } map[] = {
                {
                        .name = "accountExpires",
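Review bot: the comment block above dsdb_user_obj_set_defaults() still only lists the defaulted attributes; it should also say what the new `req` argument is for and whether it may be NULL, since the signature change forces every caller to pick a value. A line on the new `add_control` member of the map (the control OID attached when the default was actually added) would help as well.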
@@ -5266,16 +5285,30 @@ int dsdb_user_obj_set_defaults(struct ldb_context *ldb, 
struct ldb_message *usr_
                },
                {
                        .name = "pwdLastSet",
-                       .value = "0"
+                       .value = "0",
+                       .add_control = 
DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID,
                }
        };
 
        for (i = 0; i < ARRAY_SIZE(map); i++) {
-               ret = samdb_find_or_add_attribute(ldb, usr_obj,
-                                                 map[i].name, map[i].value);
+               bool added = false;
+
+               ret = samdb_find_or_add_attribute_ex(ldb, usr_obj,
+                                                    map[i].name,
+                                                    map[i].value,
+                                                    &added);
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
+
+               if (req != NULL && added && map[i].add_control != NULL) {
+                       ret = ldb_request_add_control(req,
+                                                     map[i].add_control,
+                                                     false, NULL);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+               }
        }
 
        return LDB_SUCCESS;
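Review bot: in the loop, when `req` is NULL the "0" default for pwdLastSet is still added to usr_obj but DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID is silently not attached, so whatever consumes that control cannot tell a defaulted value from one the client supplied. If NULL is a supported argument, say so in a comment and note which callers rely on it; otherwise reject it up front. The control is also added as non-critical (`false, NULL`), which is worth a short comment on why that is the right choice here.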
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c 
b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 05b0854..76c63a6 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -89,6 +89,8 @@ struct ph_context {
 
        struct ldb_reply *search_res;
 
+       struct ldb_message *update_msg;
+
        struct dsdb_control_password_change_status *status;
        struct dsdb_control_password_change *change;
 
@@ -96,7 +98,10 @@ struct ph_context {
        bool change_status;
        bool hash_values;
        bool userPassword;
+       bool update_password;
+       bool update_lastset;
        bool pwd_last_set_bypass;
+       bool pwd_last_set_default;
 };
 
 
@@ -153,6 +158,12 @@ struct setup_password_fields_io {
        } g;
 };
 
+static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
+                                       const char *name,
+                                       enum ldb_request_type operation,
+                                       const struct ldb_val **new_val,
+                                       const struct ldb_val **old_val);
+
 static int password_hash_bypass(struct ldb_module *module, struct ldb_request 
*request)
 {
        struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -1397,7 +1408,6 @@ static int setup_supplemental_field(struct 
setup_password_fields_io *io)
 {
        struct ldb_context *ldb;
        struct supplementalCredentialsBlob scb;
-       struct supplementalCredentialsBlob _old_scb;
        struct supplementalCredentialsBlob *old_scb = NULL;
        /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
        uint32_t num_names = 0;
@@ -1452,27 +1462,17 @@ static int setup_supplemental_field(struct 
setup_password_fields_io *io)
                return LDB_SUCCESS;
        }
 
-       /* if there's an old supplementaCredentials blob then parse it */
+       /* if there's an old supplementaCredentials blob then use it */
        if (io->o.supplemental) {
-               ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
-                                                  &_old_scb,
-                                                  
(ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
-               if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-                       NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
-                       ldb_asprintf_errstring(ldb,
-                                              "setup_supplemental_field: "
-                                              "failed to pull old 
supplementalCredentialsBlob: %s",
-                                              nt_errstr(status));
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-
-               if (_old_scb.sub.signature == 
SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
-                       old_scb = &_old_scb;
+               if (io->o.scb.sub.signature == 
SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
+                       old_scb = &io->o.scb;
                } else {
                        ldb_debug(ldb, LDB_DEBUG_ERROR,
-                                              "setup_supplemental_field: "
-                                              "supplementalCredentialsBlob 
signature[0x%04X] expected[0x%04X]",
-                                              _old_scb.sub.signature, 
SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
+                                 "setup_supplemental_field: "
+                                 "supplementalCredentialsBlob "
+                                 "signature[0x%04X] expected[0x%04X]",
+                                 io->o.scb.sub.signature,
+                                 SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
                }
        }
        /* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain 
functionality level is 2008 or higher */
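Review bot: the `if (io->o.supplemental)` branch now reads io->o.scb.sub.signature without parsing anything itself, so it depends on io->o.scb having been filled in whenever io->o.supplemental is non-NULL. That invariant is established outside this hunk; please state it in the comment here (and fix the "supplementaCredentials" spelling while touching that line) so a later change to the parsing site does not leave this branch reading an unset struct.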
@@ -1686,7 +1686,12 @@ static int setup_supplemental_field(struct 
setup_password_fields_io *io)
 
 static int setup_last_set_field(struct setup_password_fields_io *io)
 {
+       struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
        const struct ldb_message *msg = NULL;
+       struct timeval tv = { .tv_sec = 0 };
+       const struct ldb_val *old_val = NULL;
+       const struct ldb_val *new_val = NULL;
+       int ret;
 
        switch (io->ac->req->operation) {
        case LDB_ADD:
@@ -1701,14 +1706,23 @@ static int setup_last_set_field(struct 
setup_password_fields_io *io)
        }
 
        if (io->ac->pwd_last_set_bypass) {
-               struct ldb_message_element *el;
+               struct ldb_message_element *el1 = NULL;
+               struct ldb_message_element *el2 = NULL;
 
                if (msg == NULL) {
                        return LDB_ERR_CONSTRAINT_VIOLATION;
                }
 
-               el = ldb_msg_find_element(msg, "pwdLastSet");
-               if (el == NULL) {
+               el1 = dsdb_get_single_valued_attr(msg, "pwdLastSet",
+                                                 io->ac->req->operation);
+               if (el1 == NULL) {
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+               el2 = ldb_msg_find_element(msg, "pwdLastSet");
+               if (el2 == NULL) {
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               }
+               if (el1 != el2) {
                        return LDB_ERR_CONSTRAINT_VIOLATION;
                }
 
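Review bot: the `el1 != el2` check needs a comment. As written it is not obvious why the result of dsdb_get_single_valued_attr() is compared with ldb_msg_find_element() for the same attribute name, nor why three separate conditions all return LDB_ERR_CONSTRAINT_VIOLATION. A one-line explanation of which malformed messages each condition rejects would make the bypass path easier to review.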
@@ -1716,8 +1730,110 @@ static int setup_last_set_field(struct 
setup_password_fields_io *io)
                return LDB_SUCCESS;
        }
 
-       /* set it as now */
-       unix_to_nt_time(&io->g.last_set, time(NULL));
+       ret = msg_find_old_and_new_pwd_val(msg, "pwdLastSet",
+                                          io->ac->req->operation,
+                                          &new_val, &old_val);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+
+       if (old_val != NULL && new_val == NULL) {
+               ldb_set_errstring(ldb,
+                                 "'pwdLastSet' deletion is not allowed!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       io->g.last_set = UINT64_MAX;
+       if (new_val != NULL) {
+               struct ldb_message *tmp_msg = NULL;
+
+               tmp_msg = ldb_msg_new(io->ac);
+               if (tmp_msg == NULL) {
+                       return ldb_module_oom(io->ac->module);
+               }
+
+               if (old_val != NULL) {
+                       NTTIME old_last_set = 0;
+
+                       ret = ldb_msg_add_value(tmp_msg, "oldval",
+                                               old_val, NULL);
+                       if (ret != LDB_SUCCESS) {
+                               return ret;
+                       }
+
+                       old_last_set = samdb_result_nttime(tmp_msg,
+                                                          "oldval",
+                                                          1);
+                       if (io->u.pwdLastSet != old_last_set) {
+                               return dsdb_module_werror(io->ac->module,
+                                       LDB_ERR_NO_SUCH_ATTRIBUTE,
+                                       WERR_DS_CANT_REM_MISSING_ATT_VAL,
+                                       "setup_last_set_field: old pwdLastSet "
+                                       "value not found!");
+                       }
+               }
+
+               ret = ldb_msg_add_value(tmp_msg, "newval",
+                                       new_val, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
+
+               io->g.last_set = samdb_result_nttime(tmp_msg,
+                                                    "newval",
+                                                    1);
+       } else if (ldb_msg_find_element(msg, "pwdLastSet")) {
+               ldb_set_errstring(ldb,
+                                 "'pwdLastSet' deletion is not allowed!");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+
+       /* only 0 or -1 (0xFFFFFFFFFFFFFFFF) are allowed */
+       switch (io->g.last_set) {
+       case 0:
+               if (!io->ac->pwd_last_set_default) {
+                       break;
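Review bot: tmp_msg is allocated on io->ac with ldb_msg_new() and is not freed on any path shown here, neither on the error returns nor after io->g.last_set has been read from "newval". It only exists so samdb_result_nttime() can be run over the two values, so free it once both have been parsed (and before each early return), or allocate it on a short-lived temporary context. The literal 1 passed as the default to samdb_result_nttime() also deserves a comment, since the switch that follows is documented as accepting only 0 and -1.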


-- 
Samba Shared Repository
