The branch, master has been updated
       via  8296b6884df s4:torture: Replace calls to deprecated function
       via  ce176425f8c s4:dsdb: Check return value of allocation functions
       via  92ad2c7b9b9 s4:dsdb: Fix leaks
       via  2d9a2c31389 s4:dsdb: Check ldb_binary_encode_string() return value
       via  b5bd55fe85f s4:auth: Check ldb_binary_encode_string() return value
       via  07e53939dc0 s4-auth: Log correct function name
       via  21b23a7d5a0 netlogon:schannel: Fix typo
       via  f1281b80c1a samba-tool domain: Run in interactive mode if no args are supplied
       via  f573177c352 python: Safely clear structure members
       via  8d6e4473409 python:tests: Remove unused variables
       via  2a8db072934 auth: Return status code if configuration prohibits NTLM
       via  23a67d59c82 s4-dsdb:large_ldap: Remove unused variables
       via  db5ef4e2bac s4-dsdb:large_ldap: Remove unused imports
       via  2d1d3b73142 pytest/password_lockout: Remove unused variables
       via  2b598a4b2e6 pytest/password_lockout: Use correct variable
       via  b5ff0859521 pytest/password_lockout: Use more specific assertion methods
       via  2236daa7ca7 pytest/password_lockout: Remove unused imports
       via  f9501f2ae4e samba-tool domain: Remove unnecessary variable
       via  5a2b187819f samba-tool domain: Use result of setup_local_server() instead of object field
       via  3eb95c8791a s4:dsdb:tests: Refactor security descriptor test
       via  2e5d08c908b s4:dsdb:tests: Refactor confidential attributes test
       via  76b15ec145d s4:dsdb:tests: Refactor ACL test
       via  80431fe7cf5 pyglue: use Py_ssize_t in random data generation functions
       via  cea9b25571f lib:util: prefer size_t for random data generation functions
       via  72335e742e0 selftest: Change ad_dc environment to be 2016 functional level
       via  0252941bb36 selftest: Allow provision_ad_dc() to take functional_level as an argument
       via  287405862b7 selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
       via  cbfcbfb057a Use --base-schema=2008_R2 on ad_dc_ntvfs, which operates at FL2008
       via  8de7d28f3c6 selftest: Move linked_attributes test to ad_dc selftest environment
       via  9f3dcf0e693 samba-tool domain join: Allow "ad dc functional level" to change which level we claim to be during an AD join
       via  f94f174db45 samba-tool domain provision: Use "ad dc functional level" to control max functional level
       via  5d5fd0129ac python: Add function to get the functional level as a python integer from smb.conf
       via  e5c3e076c8f param: Add new parameter "ad dc functional level"
       via  7953a9ba71b samba-tool domain provision: Use common functional_level.string_to_level()
       via  844eb073767 python: Move helper functions for functional levels into a new file
      from  59694ad0a4c rpc_server3: Pass winbind_env_set() state through to rpcd_*

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 8296b6884dfcc2b3e94f60b0479ef92a5b50f53e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed May 10 13:06:18 2023 +1200

    s4:torture: Replace calls to deprecated function

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224

commit ce176425f8c66539cf7788902fa116657d2b6448
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 9 16:12:03 2023 +1200

    s4:dsdb: Check return value of allocation functions

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 92ad2c7b9b9e0b7d49ccbb9bf18b3e5dfed2d299
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 9 16:11:37 2023 +1200

    s4:dsdb: Fix leaks

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2d9a2c3138907e789a1fa9b25c8636ad871314fd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 9 16:10:59 2023 +1200

    s4:dsdb: Check ldb_binary_encode_string() return value

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5bd55fe85f9a089b4b8242d73240c6521d3090e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 9 15:51:06 2023 +1200

    s4:auth: Check ldb_binary_encode_string() return value

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 07e53939dc0e6207c8348cf7c76d34339cb1ce67
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 2 12:59:22 2023 +1200

    s4-auth: Log correct function name

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 21b23a7d5a08a65fc13da1dbd1a948fe08648cbb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 2 12:51:52 2023 +1200

    netlogon:schannel: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f1281b80c1ad68d380ce91c13076f6a60fbc627e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Apr 26 10:31:51 2023 +1200

    samba-tool domain: Run in interactive mode if no args are supplied

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f573177c352c2df89c7d5ffd425a37b46b12166c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Apr 24 10:42:39 2023 +1200

    python: Safely clear structure members

    Using Py_CLEAR() ensures that these structures are observed in a
    consistent state by any Python code that may run during deconstruction.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8d6e4473409375f0e62dd06597ca983d22b941ca
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Apr 13 07:47:39 2023 +1200

    python:tests: Remove unused variables

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2a8db072934f2b75b992b57c9133afba446b74f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu May 19 16:45:55 2022 +1200

    auth: Return status code if configuration prohibits NTLM

    Currently, we rely on ‘stored_nt’ being NULL to give an
    NT_STATUS_WRONG_PASSWORD error.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 23a67d59c82b71cada5578e1c393ff42ca9d1b17
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 15:05:38 2023 +1300

    s4-dsdb:large_ldap: Remove unused variables

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit db5ef4e2bacb821ead3aabf2bab09e37602afdb3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 15:04:32 2023 +1300

    s4-dsdb:large_ldap: Remove unused imports

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2d1d3b731421f6915d99b208fb1f29fcf5013acb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 14:56:56 2023 +1300

    pytest/password_lockout: Remove unused variables

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2b598a4b2e643fce133423b195c1dd82e1213b19
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue May 16 12:21:02 2023 +1200

    pytest/password_lockout: Use correct variable

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5ff0859521c4ca4798058a4b9344925a387479e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 14:56:24 2023 +1300

    pytest/password_lockout: Use more specific assertion methods

    These methods produce better error messages if an assertion fails.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2236daa7ca715e6997756e70d5cb5097970ba437
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 14:55:31 2023 +1300

    pytest/password_lockout: Remove unused imports

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f9501f2ae4ecf0d98f28c43834c5f6cdb19f324f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 13 14:53:54 2023 +1300

    samba-tool domain: Remove unnecessary variable

    It is conciser to use ‘r’ to refer to update_forest_info.entries[i].

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5a2b187819fdf2f2500a356d9746149ebaddd0cf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Apr 4 16:39:23 2023 +1200

    samba-tool domain: Use result of setup_local_server() instead of object field

    The code is clearer if we consistently refer to the same variables.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3eb95c8791a069bb280c9ae588b7c5ea74abbf36
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 07:46:05 2023 +1300

    s4:dsdb:tests: Refactor security descriptor test

    Use more specific unittest methods.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2e5d08c908b3fa48b9b374279a331061cb77bce3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 07:43:40 2023 +1300

    s4:dsdb:tests: Refactor confidential attributes test

    Use more specific unittest methods, and remove unused code.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 76b15ec145d7686d7c6008d57a4d772b8f841daf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jan 27 07:39:05 2023 +1300

    s4:dsdb:tests: Refactor ACL test

    Use more specific unittest methods; remove some unused variables.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 80431fe7cf51b94c7ee4b063df4d6a16d1002fd3
Author: Dmitry Antipov <danti...@cloudlinux.com>
Date:   Wed May 3 10:39:30 2023 +0300

    pyglue: use Py_ssize_t in random data generation functions

    Prefer 'Py_ssize_t' over 'int' in random data generation functions
    to match both Python and (internally used through the library layer)
    GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
    size is known.

    Signed-off-by: Dmitry Antipov <danti...@cloudlinux.com>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    [abart...@samba.org Fixed comments to correctly match the new check
     for just negative numbers]

commit cea9b25571f1956e09fc376e1127f78c6f9a4a19
Author: Dmitry Antipov <danti...@cloudlinux.com>
Date:   Wed May 3 10:32:28 2023 +0300

    lib:util: prefer size_t for random data generation functions

    Prefer 'size_t' over 'int' in generate_random_buffer(),
    generate_secret_buffer() and generate_nonce_buffer() to match
    the underlying gnutls_rnd() calls.

    Signed-off-by: Dmitry Antipov <danti...@cloudlinux.com>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 72335e742e041ea213598a62ae165edeed4b8c99
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 11 14:25:31 2023 +1200

    selftest: Change ad_dc environment to be 2016 functional level

    This is not yet supported in full, but this makes ad_dc match our
    full set of available features.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 0252941bb36926c3a235593da4c717bc547104f9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 11 10:38:20 2023 +1200

    selftest: Allow provision_ad_dc() to take functional_level as an argument

    The $$$$$$$ is removed as it does not do what you think it does.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 287405862b734e507dd048ff741e96fb35fadb63
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 11 09:49:34 2023 +1200

    selftest: Return fl2008dc to being an alias for ad_dc_ntvfs

    The change to make this independent in fc9845da69cabcc1bf046d7899b2c4aeae743170
    was incorrect, as no distinct name was specified so this would conflict with
    the ad_dc_ntvfs environment over the IP and name "localdc".

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit cbfcbfb057a71b1824aabf40a083f713ea0bf265
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu May 11 10:03:30 2023 +1200

    Use --base-schema=2008_R2 on ad_dc_ntvfs, which operates at FL2008

    This will allow fl008dc to become an alias of ad_dc_ntvfs again.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 8de7d28f3c67d7681e24d6b2185c6cc6d23814ba
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 16 17:15:31 2023 +1200

    selftest: Move linked_attributes test to ad_dc selftest environment

    The ad_dc_ntvfs environment will be set to use a 2008 schema
    (matching the 2008 FL it runs at) and this test needs a 2016 schema.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 9f3dcf0e693e49c87d35f56a69b801e6db5540ce
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 10 15:54:09 2023 +1200

    samba-tool domain join: Allow "ad dc functional level" to change which level we claim to be during an AD join

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit f94f174db452015c3032e725e13f485bd51413dc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed May 10 15:24:23 2023 +1200

    samba-tool domain provision: Use "ad dc functional level" to control max functional level

    This allows the DC to self-declare a higher level and so allow a 2016
    domain to be created, for testing and controlled implementation purposes.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 5d5fd0129ac19258d15a452756f0d3647dbe1e34
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed May 10 15:46:55 2023 +1200

    python: Add function to get the functional level as a python integer from smb.conf

    The lp.get() returns the normalised string from the enum handler

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit e5c3e076c8f85cda11bf0be29a6f26a852c5a343
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 9 16:37:37 2023 +1200

    param: Add new parameter "ad dc functional level"

    This allows the new unsupported functional levels to be unlocked, but with an
    smb.conf option that is easily seen.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 7953a9ba71b6c3de4001a325d8b778ecb912b15b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 9 16:32:47 2023 +1200

    samba-tool domain provision: Use common functional_level.string_to_level()

    This is instead of manually parsing the functional level strings.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 844eb0737676af73b499fd722b48256d6df587f4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue May 9 15:50:46 2023 +1200

    python: Move helper functions for functional levels into a new file

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 .../smbdotconf/protocol/addcfunctionallevel.xml | 56 ++++++++++++++
 lib/ldb/pyldb.c | 19 ++---
 lib/param/loadparm.c | 4 +
 lib/param/param_table.c | 7 ++
 lib/tdb/pytdb.c | 2 +-
 lib/tevent/pytevent.c | 4 +-
 lib/util/genrand.c | 8 +-
 lib/util/genrand.h | 6 +-
 libcli/auth/ntlm_check.c | 8 ++
 libcli/auth/ntlm_check.h | 1 +
 python/pyglue.c | 43 ++++++-----
 python/samba/functional_level.py | 83 ++++++++++++++++++++
 python/samba/join.py | 9 ++-
 python/samba/netcmd/domain/__init__.py | 2 +-
 python/samba/netcmd/domain/common.py | 47 ------------
 python/samba/netcmd/domain/functional_prep.py | 9 ++-
 python/samba/netcmd/domain/level.py | 13 ++--
 python/samba/netcmd/domain/provision.py | 19 ++---
 python/samba/netcmd/domain/trust.py | 26 +++----
 python/samba/provision/__init__.py | 8 +-
 python/samba/tests/samba_tool/user.py | 12 +--
 selftest/target/Samba4.pm | 50 +++++++-----
 source3/auth/check_samsec.c | 1 +
 source3/libsmb/pylibsmb.c | 8 +-
 source3/param/loadparm.c | 3 +
 source4/auth/ntlm/auth_sam.c | 1 +
 source4/auth/sam.c | 10 ++-
 source4/dsdb/common/util.c | 26 +++++--
 source4/dsdb/common/util_samr.c | 32 +++++++-
 source4/dsdb/repl/drepl_partitions.c | 16 +++-
 source4/dsdb/samdb/cracknames.c | 89 +++++++++++++++++++---
 source4/dsdb/samdb/ldb_modules/netlogon.c | 8 +-
 source4/dsdb/tests/python/acl.py | 64 ++++++++--------
 source4/dsdb/tests/python/confidential_attr.py | 69 ++++-------------
 source4/dsdb/tests/python/large_ldap.py | 21 +----
 source4/dsdb/tests/python/password_lockout.py | 52 ++++++-------
 source4/dsdb/tests/python/password_lockout_base.py | 70 ++++++++---------
 source4/dsdb/tests/python/sec_descriptor.py | 4 +-
 source4/librpc/rpc/dcerpc_schannel.c | 2 +-
 source4/librpc/rpc/pyrpc.c | 5 +-
 source4/selftest/tests.py | 2 +-
 source4/torture/krb5/kdc-canon-heimdal.c |
2 +- source4/torture/krb5/kdc-heimdal.c | 4 +- 43 files changed, 562 insertions(+), 363 deletions(-) create mode 100644 docs-xml/smbdotconf/protocol/addcfunctionallevel.xml create mode 100644 python/samba/functional_level.py Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml new file mode 100644 index 00000000000..1bec654bfe3 --- /dev/null +++ b/docs-xml/smbdotconf/protocol/addcfunctionallevel.xml 
@@ -0,0 +1,56 @@ +<samba:parameter name="ad dc functional level" + context="G" + type="enum" + function="ad_dc_functional_level" + enumlist="enum_ad_functional_level" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>The value of the parameter (a string) is the Active + Directory functional level that this Domain Controller will claim + to support. </para> + + <para>Possible values are :</para> + <itemizedlist> + <listitem> + <para><constant>2008_R2</constant>: Similar to Windows + 2008 R2 Functional Level</para> + </listitem> + <listitem> + <para><constant>2016</constant>: Similar to Windows + 2016 Functional Level</para> + </listitem> + </itemizedlist> + + <para>Normally this option should not be set as Samba will operate + per the released functionality of the Samba Active Directory + Domain Controller. </para> + + <para>However to access incomplete features in domain functional + level 2016 it may be useful to + set this value, prior to upgrading the domain functional level. </para> + + <para>If this is set manually, the protection against mismatching + features between domain controllers is reduced, so all domain + controllers should be running the same version of Samba, to ensure + that behaviour as seen by the client is the same no matter which + DC is contacted.</para> + + <para>Setting this to <constant>2016</constant> will allow + raising the domain functional level with <command>samba-tool + domain level raise --domain-level=2016</command> and provide + access to Samba's Kerberos Claims and Dynamic Access + Control feature.</para> + + <warning><para> The Samba's Kerberos Claims and Dynamic Access + Control features enabled with <constant>2016</constant> are + incomplete in Samba 4.19. 
</para></warning> + + +</description> + +<!-- DO NOT MODIFY without discussion: take care to only update this + default once Samba implements the core aspects of Active + Directory Domain and Forest Functional Level 2016 --> +<value type="default">2008_R2</value> +<value type="example">2016</value> +</samba:parameter> diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index aa38e115ce4..11d093c0429 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -2134,10 +2134,7 @@ static int py_ldb_search_iterator_reply_destructor(struct py_ldb_search_iterator reply->py_iter = NULL; } - if (reply->obj != NULL) { - Py_DECREF(reply->obj); - reply->obj = NULL; - } + Py_CLEAR(reply->obj); return 0; } @@ -2679,9 +2676,9 @@ static PyTypeObject PyLdb = { static void py_ldb_result_dealloc(PyLdbResultObject *self) { talloc_free(self->mem_ctx); - Py_DECREF(self->msgs); - Py_DECREF(self->referals); - Py_DECREF(self->controls); + Py_CLEAR(self->msgs); + Py_CLEAR(self->referals); + Py_CLEAR(self->controls); Py_TYPE(self)->tp_free(self); } @@ -2775,10 +2772,10 @@ static PyTypeObject PyLdbResult = { static void py_ldb_search_iterator_dealloc(PyLdbSearchIteratorObject *self) { - Py_XDECREF(self->state.exception); + Py_CLEAR(self->state.exception); TALLOC_FREE(self->mem_ctx); ZERO_STRUCT(self->state); - Py_DECREF(self->ldb); + Py_CLEAR(self->ldb); Py_TYPE(self)->tp_free(self); } @@ -2885,7 +2882,7 @@ static PyObject *py_ldb_search_iterator_abandon(PyLdbSearchIteratorObject *self, return NULL; } - Py_XDECREF(self->state.exception); + Py_CLEAR(self->state.exception); TALLOC_FREE(self->mem_ctx); ZERO_STRUCT(self->state); Py_RETURN_NONE; @@ -4289,7 +4286,7 @@ static int py_module_del_transaction(struct ldb_module *mod) static int py_module_destructor(struct ldb_module *mod) { - Py_DECREF((PyObject *)mod->private_data); + Py_CLEAR(mod->private_data); return 0; } diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 15322b391f0..65e3fa06da4 100644 --- a/lib/param/loadparm.c 
+++ b/lib/param/loadparm.c @@ -3154,6 +3154,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "rpc start on demand helpers", "yes"); + lpcfg_do_global_parameter(lp_ctx, + "ad dc functional level", + "2008_R2"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 512de250a2f..820c8abae16 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -34,6 +34,7 @@ #include "libcli/auth/ntlm_check.h" #include "libcli/smb/smb_constants.h" #include "libds/common/roles.h" +#include "libds/common/flags.h" #include "source4/lib/tls/tls.h" #include "auth/credentials/credentials.h" #include "source3/librpc/gen_ndr/ads.h" @@ -430,6 +431,12 @@ static const struct enum_list enum_debug_syslog_format[] = { {-1, NULL} }; +static const struct enum_list enum_ad_functional_level[] = { + {DS_DOMAIN_FUNCTION_2008_R2, "2008_R2"}, + {DS_DOMAIN_FUNCTION_2016, "2016"}, + {-1, NULL} +}; + /* Note: We do not initialise the defaults union - it is not allowed in ANSI C * * NOTE: Handling of duplicated (synonym) parameters: diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c index 85df1b18621..ed22803328c 100644 --- a/lib/tdb/pytdb.c +++ b/lib/tdb/pytdb.c @@ -450,7 +450,7 @@ static PyObject *tdb_iter_next(PyTdbIteratorObject *self) static void tdb_iter_dealloc(PyTdbIteratorObject *self) { - Py_DECREF(self->iteratee); + Py_CLEAR(self->iteratee); PyObject_Del(self); } diff --git a/lib/tevent/pytevent.c b/lib/tevent/pytevent.c index 1af6f16c0fb..aa2331c1d6c 100644 --- a/lib/tevent/pytevent.c +++ b/lib/tevent/pytevent.c @@ -241,7 +241,7 @@ static void py_tevent_timer_dealloc(TeventTimer_Object *self) if (self->timer) { talloc_free(self->timer); } - Py_DECREF(self->callback); + Py_CLEAR(self->callback); PyObject_Del(self); } 
@@ -282,7 +282,7 @@ struct TeventTimer_Object_ref { static int TeventTimer_Object_ref_destructor(struct TeventTimer_Object_ref *ref) { ref->obj->timer = NULL; - Py_DECREF(ref->obj); + Py_CLEAR(ref->obj); return 0; } diff --git a/lib/util/genrand.c b/lib/util/genrand.c index fd6f457d27d..d0b49db1423 100644 --- a/lib/util/genrand.c +++ b/lib/util/genrand.c @@ -45,7 +45,7 @@ _NORETURN_ static void genrand_panic(int err, } -_PUBLIC_ void generate_random_buffer(uint8_t *out, int len) +_PUBLIC_ void generate_random_buffer(uint8_t *out, size_t len) { /* Random number generator for temporary keys. */ int ret = gnutls_rnd(GNUTLS_RND_RANDOM, out, len); @@ -54,7 +54,7 @@ _PUBLIC_ void generate_random_buffer(uint8_t *out, int len) } } -_PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) +_PUBLIC_ void generate_secret_buffer(uint8_t *out, size_t len) { /* * Random number generator for long term keys. @@ -62,7 +62,7 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) * The key generator, will re-seed after a fixed amount of bytes is * generated (typically less than the nonce), and will also re-seed * based on time, i.e., after few hours of operation without reaching - * the limit for a re-seed. For its re-seed it mixes mixes data obtained + * the limit for a re-seed. For its re-seed it mixes data obtained * from the OS random device with the previous key. */ int ret = gnutls_rnd(GNUTLS_RND_KEY, out, len); @@ -71,7 +71,7 @@ _PUBLIC_ void generate_secret_buffer(uint8_t *out, int len) } } -_PUBLIC_ void generate_nonce_buffer(uint8_t *out, int len) +_PUBLIC_ void generate_nonce_buffer(uint8_t *out, size_t len) { /* * Random number generator for nonce and initialization vectors. diff --git a/lib/util/genrand.h b/lib/util/genrand.h index 70f36312e58..76e9b987dcf 100644 --- a/lib/util/genrand.h +++ b/lib/util/genrand.h 
@@ -26,7 +26,7 @@ * * @param[in] len The size of the buffer to fill. */ -void generate_random_buffer(uint8_t *out, int len); +void generate_random_buffer(uint8_t *out, size_t len); /** * @brief Generate random values for long term keys and passwords. @@ -35,7 +35,7 @@ void generate_random_buffer(uint8_t *out, int len); * * @param[in] len The size of the buffer to fill. */ -void generate_secret_buffer(uint8_t *out, int len); +void generate_secret_buffer(uint8_t *out, size_t len); /** * @brief Generate random values for a nonce buffer. @@ -46,4 +46,4 @@ void generate_secret_buffer(uint8_t *out, int len); * * @param[in] len The size of the buffer to fill. */ -void generate_nonce_buffer(uint8_t *out, int len); +void generate_nonce_buffer(uint8_t *out, size_t len); diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c index cb4be7f6507..3927dfa7836 100644 --- a/libcli/auth/ntlm_check.c +++ b/libcli/auth/ntlm_check.c @@ -259,12 +259,19 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx, NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, bool lanman_auth, + enum ntlm_auth_level ntlm_auth, const struct samr_Password *client_lanman, const struct samr_Password *client_nt, const char *username, const struct samr_Password *stored_lanman, const struct samr_Password *stored_nt) { + if (ntlm_auth == NTLM_AUTH_DISABLED) { + DBG_WARNING("hash_password_check: NTLM authentication not " + "permitted by configuration.\n"); + return NT_STATUS_NTLM_BLOCKED; + } + if (stored_nt == NULL) { DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n", username)); @@ -387,6 +394,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, } return hash_password_check(mem_ctx, lanman_auth, + ntlm_auth, lm_ok ? &client_lm : NULL, nt_response->length ? &client_nt : NULL, username, diff --git a/libcli/auth/ntlm_check.h b/libcli/auth/ntlm_check.h index 86cab9b2d13..3fcd1f4ccbb 100644 --- a/libcli/auth/ntlm_check.h +++ b/libcli/auth/ntlm_check.h 
@@ -45,6 +45,7 @@ struct samr_Password; NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, bool lanman_auth, + enum ntlm_auth_level ntlm_auth, const struct samr_Password *client_lanman, const struct samr_Password *client_nt, const char *username, diff --git a/python/pyglue.c b/python/pyglue.c index 64be7389b70..808a86b444f 100644 --- a/python/pyglue.c +++ b/python/pyglue.c @@ -34,40 +34,41 @@ static PyObject *PyExc_DsExtendedError; static PyObject *py_generate_random_str(PyObject *self, PyObject *args) { - int len; + Py_ssize_t len; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "i", &len)) { + + if (!PyArg_ParseTuple(args, "n", &len)) { return NULL; } if (len < 0) { PyErr_Format(PyExc_ValueError, - "random string length should be positive, not %d", + "random string length should be positive, not %zd", len); return NULL; } retstr = generate_random_str(NULL, len); - ret = PyUnicode_FromString(retstr); + ret = PyUnicode_FromStringAndSize(retstr, len); talloc_free(retstr); return ret; } static PyObject *py_generate_random_password(PyObject *self, PyObject *args) { - int min, max; + Py_ssize_t min, max; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "ii", &min, &max)) { + + if (!PyArg_ParseTuple(args, "nn", &min, &max)) { return NULL; } if (max < 0 || min < 0) { /* - * The real range checks happen in generate_random_password(). - * Here we are just checking the values won't overflow into - * numbers when cast to size_t. + * The real range checks happens in generate_random_password(). + * Here just filter out any negative numbers. */ PyErr_Format(PyExc_ValueError, - "invalid range: %d - %d", + "invalid range: %zd - %zd", min, max); return NULL; } @@ -76,7 +77,7 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args) if (retstr == NULL) { if (errno == EINVAL) { PyErr_Format(PyExc_ValueError, - "invalid range: %d - %d", + "invalid range: %zd - %zd", min, max); } return NULL; 
@@ -88,21 +89,21 @@ static PyObject *py_generate_random_password(PyObject *self, PyObject *args) static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *args) { - int min, max; + Py_ssize_t min, max; PyObject *ret; char *retstr; - if (!PyArg_ParseTuple(args, "ii", &min, &max)) { + + if (!PyArg_ParseTuple(args, "nn", &min, &max)) { return NULL; } if (max < 0 || min < 0) { /* - * The real range checks happen in + * The real range checks happens in * generate_random_machine_password(). - * Here we are just checking the values won't overflow into - * numbers when cast to size_t. + * Here we are just filter out any negative numbers. */ PyErr_Format(PyExc_ValueError, - "invalid range: %d - %d", + "invalid range: %zd - %zd", min, max); return NULL; } @@ -111,7 +112,7 @@ static PyObject *py_generate_random_machine_password(PyObject *self, PyObject *a if (retstr == NULL) { if (errno == EINVAL) { PyErr_Format(PyExc_ValueError, - "invalid range: %d - %d", + "invalid range: %zd - %zd", min, max); } return NULL; @@ -134,16 +135,16 @@ static PyObject *py_check_password_quality(PyObject *self, PyObject *args) static PyObject *py_generate_random_bytes(PyObject *self, PyObject *args) { - int len; + Py_ssize_t len; PyObject *ret; uint8_t *bytes = NULL; - if (!PyArg_ParseTuple(args, "i", &len)) { + if (!PyArg_ParseTuple(args, "n", &len)) { return NULL; } if (len < 0) { PyErr_Format(PyExc_ValueError, - "random bytes length should be positive, not %d", + "random bytes length should be positive, not %zd", len); return NULL; } diff --git a/python/samba/functional_level.py b/python/samba/functional_level.py new file mode 100644 index 00000000000..4c1142273b0 --- /dev/null +++ b/python/samba/functional_level.py 
@@ -0,0 +1,83 @@ +# domain management - common code +# +# Copyright Catlayst .Net Ltd 2017-2023 +# Copyright Jelmer Vernooij 2007-2012 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +from samba.dsdb import ( + DS_DOMAIN_FUNCTION_2000, + DS_DOMAIN_FUNCTION_2003, + DS_DOMAIN_FUNCTION_2008, + DS_DOMAIN_FUNCTION_2008_R2, + DS_DOMAIN_FUNCTION_2012, + DS_DOMAIN_FUNCTION_2012_R2, + DS_DOMAIN_FUNCTION_2003_MIXED, + DS_DOMAIN_FUNCTION_2016 +) + +string_version_to_constant = { + "2000": DS_DOMAIN_FUNCTION_2000, + "2003": DS_DOMAIN_FUNCTION_2003, + "2008": DS_DOMAIN_FUNCTION_2008, + "2008_R2": DS_DOMAIN_FUNCTION_2008_R2, + "2012": DS_DOMAIN_FUNCTION_2012, + "2012_R2": DS_DOMAIN_FUNCTION_2012_R2, + "2016": DS_DOMAIN_FUNCTION_2016, +} + + +def string_to_level(string): + """Interpret a string indicating a functional level.""" + return string_version_to_constant[string] + + +def level_to_string(level): + """turn the level enum number into a printable string.""" + if level < DS_DOMAIN_FUNCTION_2000: + return "invalid" + strings = { + DS_DOMAIN_FUNCTION_2000: "2000", + DS_DOMAIN_FUNCTION_2003_MIXED: \ + "2003 with mixed domains/interim (NT4 DC support)", + DS_DOMAIN_FUNCTION_2003: "2003", + DS_DOMAIN_FUNCTION_2008: "2008", + DS_DOMAIN_FUNCTION_2008_R2: "2008 R2", + DS_DOMAIN_FUNCTION_2012: "2012", + DS_DOMAIN_FUNCTION_2012_R2: "2012 R2", + DS_DOMAIN_FUNCTION_2016: "2016", + } + return 
strings.get(level, "higher than 2016") + -- Samba Shared Repository
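
Review bot: In docs-xml/smbdotconf/protocol/addcfunctionallevel.xml, the warning paragraph pins a release number ("are incomplete in Samba 4.19") that will be stale as soon as this manpage ships in a later version, and it opens with a stray article ("The Samba's Kerberos Claims"). Suggest "Samba's Kerberos Claims and Dynamic Access Control features enabled with 2016 are incomplete in this release", and dropping the space in "Possible values are :". The paragraph on reduced protection against mismatching features between domain controllers is the part an administrator most needs, so it would read better placed before the instructions for raising the level than after the "it may be useful to set this value" paragraph.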
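
Review bot: In lib/ldb/pyldb.c, py_ldb_result_dealloc() and py_ldb_search_iterator_dealloc() previously called Py_DECREF() on msgs, referals, controls and ldb, which requires a non-NULL pointer, while Py_CLEAR() also tolerates NULL. That is a behaviour change beyond the consistent-state guarantee the commit message describes, so the message should say whether these members can be NULL on a partially constructed object. In py_module_destructor() the (PyObject *) cast on mod->private_data was dropped in the same change; worth a second look if private_data is not declared as a PyObject pointer.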
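
Review bot: In lib/util/genrand.c and lib/util/genrand.h, with len now size_t a caller that still holds the length in a signed int and passes a negative value gets it converted silently to a very large request to gnutls_rnd() instead of a visibly negative one. Please confirm the callers of generate_random_buffer(), generate_secret_buffer() and generate_nonce_buffer() were checked, or state the caller's obligation in the "@param[in] len" text in genrand.h, which this patch leaves unchanged. The "mixes mixes" comment fix in generate_secret_buffer() is unrelated to the type change and could go in its own commit.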
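
Review bot: In libcli/auth/ntlm_check.c, the new NTLM_AUTH_DISABLED branch at the top of hash_password_check() logs without the account name, although username is in scope and the stored_nt == NULL branch directly below includes it. Adding the user to the message would let an operator see from the log which accounts still attempt NTLM after it has been disabled. The message also hardcodes "hash_password_check: " even though DBG_WARNING() already prefixes the function name, and at warning level it will be emitted for every blocked attempt, so consider whether a lower level is more appropriate. The prototype in libcli/auth/ntlm_check.h gains the ntlm_auth parameter with no comment on how callers should choose its value.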
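
Review bot: In python/pyglue.c, py_generate_random_str() passes retstr straight to PyUnicode_FromStringAndSize(retstr, len) with no NULL check, whereas py_generate_random_password() in the same file tests "if (retstr == NULL)" before using the result. Suggest checking the return of generate_random_str() and returning PyErr_NoMemory() on failure. The guard is "len < 0" but the error text says "random string length should be positive", so zero is accepted while the message implies it is not; "non-negative" would match the check. The new comment "The real range checks happens in generate_random_password()" should read "happen".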
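
Review bot: In python/pyglue.c, the rewritten comment in py_generate_random_machine_password() drops the reason for the check: the removed text explained that the values must not overflow when cast to size_t, while the new text only says negatives are filtered. Keeping one clause of rationale would help the next reader, for example "Here we just filter out negative numbers, which would become very large values when cast to size_t." As written, "Here we are just filter out any negative numbers." and "The real range checks happens in" are also ungrammatical.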
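
Review bot: In python/samba/functional_level.py, string_to_level() is a bare dictionary lookup, so an unrecognised value surfaces as a KeyError carrying only the bad key. The commit log says samba-tool domain provision now calls this helper, so catching the KeyError and raising a ValueError that lists the accepted strings would give the administrator a usable message. level_to_string() returns "2008 R2" and "2012 R2" with a space while string_to_level() accepts only "2008_R2" and "2012_R2", and DS_DOMAIN_FUNCTION_2003_MIXED has no entry in string_version_to_constant, so the two functions are not inverses; the docstrings should say so. The copyright line spells "Catlayst".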