include:
- '/.gitlab-ci.yml'
.private_template: &private_template
stage: build
tags:
- docker
- private
build_samba:
<<: *private_template
script:
# this one takes about 4 hours to finish
- python script/autobuild.py samba --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_nt4:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-nt4 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_fileserver:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-fileserver --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-ad-dc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
# see https://docs.gitlab.com/ce/ci/yaml/README.html for all available options
image: registry.gitlab.com/samba-team/samba:latest
variables:
GIT_STRATEGY: fetch
GIT_DEPTH: "3"
before_script:
- echo "Build starting ..."
- echo "Build starting (preparing swap)..."
- if [ $(df -m / --output=avail | tail -n1) -gt 10240 ]; then
sudo dd if=/dev/zero of=/samba-swap bs=1M count=6144;
sudo mkswap /samba-swap;
sudo swapon /samba-swap;
fi
after_script:
- tar -xf logs.tar.gz system-info.txt -O
build_samba:
.shared_template: &shared_template
stage: build
tags:
- autobuild
- docker
- shared
build_samba_none_env:
<<: *shared_template
script:
# this one takes about 4 hours to finish
- python script/autobuild.py samba --verbose --tail --testbase /tmp/samba-testbase
# this one takes about 1 hours to finish
- python script/autobuild.py samba-none-env --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_others:
stage: build
tags:
- autobuild
build_samba_nopython:
<<: *shared_template
script:
- python script/autobuild.py samba-nopython --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_systemkrb5:
<<: *shared_template
script:
- python script/autobuild.py samba-systemkrb5 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_xc:
<<: *shared_template
script:
- python script/autobuild.py samba-xc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_o3:
<<: *shared_template
script:
- python script/autobuild.py samba-nopython --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-systemkrb5 --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-xc --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-o3 --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-libs --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-static --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_2:
<<: *shared_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-ad-dc-2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_libs:
<<: *shared_template
script:
- python script/autobuild.py samba-libs --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_static:
<<: *shared_template
script:
- python script/autobuild.py samba-static --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_ctdb:
stage: build
tags:
- autobuild
<<: *shared_template
script:
- python script/autobuild.py samba-ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ctdb:
<<: *shared_template
script:
- python script/autobuild.py samba-ctdb --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py ctdb --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_others:
stage: build
tags:
- autobuild
<<: *shared_template
script:
- python script/autobuild.py ldb --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py pidl --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py replace --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py talloc --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tdb --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tevent --verbose --tail --testbase /tmp/samba-testbase
- python script/autobuild.py ldb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py pidl --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py replace --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py talloc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tevent --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
after_script:
- echo "Build finished!"
......@@ -12,8 +12,13 @@ env:
- TASK=samba-libs
- TASK=samba-static
- TASK=samba-o3
- TASK=samba-none-env
- TASK=samba-nopython
- TASK=samba-systemkrb5
- TASK=samba-nt4
- TASK=samba-fileserver
- TASK=samba-ad-dc
- TASK=samba-ad-dc-2
- TASK=ldb
- TASK=tdb
- TASK=talloc
......@@ -27,8 +32,14 @@ matrix:
before_install:
- sudo apt-get update -qq
- sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjson-perl libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev nettle-dev perl perl-modules pkg-config python-all-dev python-crypto python-dbg python-dev python-dnspython python3-dnspython python-gpgme python3-gpgme python-markdown python3-markdown python3-dev xsltproc zlib1g-dev
- sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential ccache curl debhelper dnsutils docbook-xml docbook-xsl emacs24-nox flex gdb git htop jed krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjansson-dev libjson-perl libldap2-dev liblmdb-dev/trusty-backports libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev linux-tools-generic lmdb-utils/trusty-backports nettle-dev perl perl-modules pkg-config psmisc python3-dev python3-dnspython python3-gpgme python3-markdown python3-matplotlib python-all-dev python-crypto python-crypto python-dbg python-dev python-dnspython python-gpgme python-markdown python-novaclient python-pexpect rng-tools screen tshark xsltproc zlib1g-dev
- sudo apt-get install --assume-yes binutils-gold
- sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.gold" 20
- sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.bfd" 10
- sudo update-alternatives --set ld /usr/bin/ld.gold
script:
- git fetch --unshallow
- if [ $TASK = "pidl" ]; then
git fetch --unshallow;
fi
- ./script/autobuild.py --tail --testbase=/tmp $TASK
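Review bot: The new before_install package line lists `python-crypto` twice and adds interactive tooling (emacs24-nox, jed, htop, screen, tshark, linux-tools-generic) that the autobuild step does not use; dropping the duplicate and the editors, monitors and packet-capture tools keeps the CI image smaller and the installed set reviewable. The `/trusty-backports` suffix on `liblmdb-dev` and `lmdb-utils` selects a release for those two packages only, which is fine but worth a one-line comment above the apt-get line so the next editor does not "normalise" it away. In the script section `$TASK` is expanded unquoted in `./script/autobuild.py --tail --testbase=/tmp $TASK`; the matrix values are single words so it is harmless today, but `"$TASK"` costs nothing and survives a later value with spaces.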
......@@ -47,6 +47,7 @@ flags = [
'-D_XOPEN_SOURCE_EXTENDED=1',
'-DAD_DC_BUILD_IS_ENABLED=1',
'-DHAVE_IPV6=1',
'-DFALL_THROUGH',
'-I/usr/local/include',
'-I.',
'-Iauth',
......@@ -16,15 +16,15 @@ style should never outweigh coding itself and so the guidelines
described here are hopefully easy enough to follow as they are very
common and supported by tools and editors.
The basic style for C code, also mentioned in prog_guide4.txt, is the Linux kernel
coding style (See Documentation/CodingStyle in the kernel source tree). This
closely matches what most Samba developers use already anyways, with a few
exceptions as mentioned below.
The basic style for C code is the Linux kernel coding style (See
Documentation/CodingStyle in the kernel source tree). This closely matches
what most Samba developers use already anyways, with a few exceptions as
mentioned below.
The coding style for Python code is documented in PEP8,
http://www.python.org/pep/pep8 (with spaces).
If you have ever worked on another free software Python project, you are
probably already familiar with it.
https://www.python.org/dev/peps/pep-0008/. New Python code should be compatible
with Python 2.6, 2.7, and Python 3.4 onwards. This means using Python 3 syntax
with the appropriate 'from __future__' imports.
But to save you the trouble of reading the Linux kernel style guide, here
are the highlights.
......@@ -99,6 +99,8 @@ BreakBeforeBraces: Linux
AllowShortIfStatementsOnASingleLine: false
IndentCaseLabels: false
BinPackParameters: false
BinPackArguments: false
SortIncludes: false
=========================
......@@ -201,8 +203,8 @@ parameters across lines and not as encourage for gratuitous line
splitting. Never split a line before columns 70 - 79 unless you
have a really good reason. Be smart about formatting.
One exception to the previous rule is function declarations and
definitions. In function declarations and definitions, either the
One exception to the previous rule is function calls, declarations, and
definitions. In function calls, declarations, and definitions, either the
declaration is a one-liner, or each parameter is listed on its own
line. The rationale is that if there are many parameters, each one
should be on its own line to make tracking interface changes easier.
......@@ -24,7 +24,7 @@
# -> "3.0.0" #
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=8
SAMBA_VERSION_MINOR=9
SAMBA_VERSION_RELEASE=1
########################################################
......@@ -43,7 +43,7 @@
#define AUTH_MAJOR 1
#define AUTH_MINOR 0
#define AUTHZ_MAJOR 1
#define AUTHZ_MINOR 0
#define AUTHZ_MINOR 1
#include "includes.h"
#include "../lib/tsocket/tsocket.h"
......@@ -56,48 +56,8 @@
#include "source4/lib/messaging/irpc.h"
#include "lib/util/server_id_db.h"
#include "lib/param/param.h"
/*
* Get a human readable timestamp.
*
* Returns the current time formatted as
* "Tue, 14 Mar 2017 08:38:42.209028 NZDT"
*
* The returned string is allocated by talloc in the supplied context.
* It is the callers responsibility to free it.
*
*/
static const char* get_timestamp(TALLOC_CTX *frame)
{
char buffer[40]; /* formatted time less usec and timezone */
char tz[10]; /* formatted time zone */
struct tm* tm_info; /* current local time */
struct timeval tv; /* current system time */
int r; /* response code from gettimeofday */
const char * ts; /* formatted time stamp */
r = gettimeofday(&tv, NULL);
if (r) {
DBG_ERR("Unable to get time of day: (%d) %s\n",
errno,
strerror(errno));
return NULL;
}
tm_info = localtime(&tv.tv_sec);
if (tm_info == NULL) {
DBG_ERR("Unable to determine local time\n");
return NULL;
}
strftime(buffer, sizeof(buffer)-1, "%a, %d %b %Y %H:%M:%S", tm_info);
strftime(tz, sizeof(tz)-1, "%Z", tm_info);
ts = talloc_asprintf(frame, "%s.%06ld %s", buffer, tv.tv_usec, tz);
if (ts == NULL) {
DBG_ERR("Out of memory formatting time stamp\n");
}
return ts;
}
#include "librpc/ndr/libndr.h"
#include "lib/audit_logging/audit_logging.h"
/*
* Determine the type of the password supplied for the
......@@ -111,320 +71,24 @@ static const char* get_password_type(const struct auth_usersupplied_info *ui);
#include <jansson.h>
#include "system/time.h"
/*
* Context required by the JSON generation
* routines
*
*/
struct json_context {
json_t *root;
bool error;
};
static NTSTATUS get_auth_event_server(struct imessaging_context *msg_ctx,
struct server_id *auth_event_server)
{
NTSTATUS status;
TALLOC_CTX *frame = talloc_stackframe();
unsigned num_servers, i;
struct server_id *servers;
status = irpc_servers_byname(msg_ctx, frame,
AUTH_EVENT_NAME,
&num_servers, &servers);
if (!NT_STATUS_IS_OK(status)) {
DBG_NOTICE("Failed to find 'auth_event' registered on the "
"message bus to send JSON authentication events to: %s\n",
nt_errstr(status));
TALLOC_FREE(frame);
return status;
}
/*
* Select the first server that is listening, because
* we get connection refused as
* NT_STATUS_OBJECT_NAME_NOT_FOUND without waiting
*/
for (i = 0; i < num_servers; i++) {
status = imessaging_send(msg_ctx, servers[i], MSG_PING,
&data_blob_null);
if (NT_STATUS_IS_OK(status)) {
*auth_event_server = servers[i];
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
}
DBG_NOTICE("Failed to find a running 'auth_event' server "
"registered on the message bus to send JSON "
"authentication events to\n");
TALLOC_FREE(frame);
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
static void auth_message_send(struct imessaging_context *msg_ctx,
const char *json)
{
struct server_id auth_event_server;
NTSTATUS status;
DATA_BLOB json_blob = data_blob_string_const(json);
if (msg_ctx == NULL) {
return;
}
/* Need to refetch the address each time as the destination server may
* have disconnected and reconnected in the interim, in which case
* messages may get lost, manifests in the auth_log tests
*/
status = get_auth_event_server(msg_ctx, &auth_event_server);
if (!NT_STATUS_IS_OK(status)) {
return;
}
status = imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
&json_blob);
/* If the server crashed, try to find it again */
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
status = get_auth_event_server(msg_ctx, &auth_event_server);
if (!NT_STATUS_IS_OK(status)) {
return;
}
imessaging_send(msg_ctx, auth_event_server, MSG_AUTH_LOG,
&json_blob);
}
}
/*
* Write the json object to the debug logs.
*
*/
static void log_json(struct imessaging_context *msg_ctx,
struct json_context *context,
const char *type, int debug_class, int debug_level)
{
char* json = NULL;
if (context->error) {
return;
}
json = json_dumps(context->root, 0);
if (json == NULL) {
DBG_ERR("Unable to convert JSON object to string\n");
context->error = true;
return;
}
DEBUGC(debug_class, debug_level, ("JSON %s: %s\n", type, json));
auth_message_send(msg_ctx, json);
if (json) {
free(json);
}
}
/*
* Create a new json logging context.
*
* Free with a call to free_json_context
*
*/
static struct json_context get_json_context(void) {
struct json_context context;
context.error = false;
context.root = json_object();
if (context.root == NULL) {
context.error = true;
DBG_ERR("Unable to create json_object\n");
}
return context;
}
/*
* free a previously created json_context
*
*/
static void free_json_context(struct json_context *context)
{
if (context->root) {
json_decref(context->root);
}
}
/*
* Output a JSON pair with name name and integer value value
*
*/
static void add_int(struct json_context *context,
const char* name,
const int value)
{
int rc = 0;
if (context->error) {
return;
}
rc = json_object_set_new(context->root, name, json_integer(value));
if (rc) {
DBG_ERR("Unable to set name [%s] value [%d]\n", name, value);
context->error = true;
}
}
/*
* Output a JSON pair with name name and string value value
*
*/
static void add_string(struct json_context *context,
const char* name,
const char* value)
{
int rc = 0;
if (context->error) {
return;
}
if (value) {
rc = json_object_set_new(context->root, name, json_string(value));
} else {
rc = json_object_set_new(context->root, name, json_null());
}
if (rc) {
DBG_ERR("Unable to set name [%s] value [%s]\n", name, value);
context->error = true;
}
}
/*
* Output a JSON pair with name name and object value
*
*/
static void add_object(struct json_context *context,
const char* name,
struct json_context *value)
{
int rc = 0;
if (value->error) {
context->error = true;
}
if (context->error) {
return;
}
rc = json_object_set_new(context->root, name, value->root);
if (rc) {
DBG_ERR("Unable to add object [%s]\n", name);
context->error = true;
}
}
/*
* Output a version object
*
* "version":{"major":1,"minor":0}
*
*/
static void add_version(struct json_context *context, int major, int minor)
{
struct json_context version = get_json_context();
add_int(&version, "major", major);
add_int(&version, "minor", minor);
add_object(context, "version", &version);
}
/*
* Output the current date and time as a timestamp in ISO 8601 format
*
* "timestamp":"2017-03-06T17:18:04.455081+1300"
*
*/
static void add_timestamp(struct json_context *context)
{
char buffer[40]; /* formatted time less usec and timezone */
char timestamp[50]; /* the formatted ISO 8601 time stamp */
char tz[10]; /* formatted time zone */
struct tm* tm_info; /* current local time */
struct timeval tv; /* current system time */
int r; /* response code from gettimeofday */
if (context->error) {
return;
}
r = gettimeofday(&tv, NULL);
if (r) {
DBG_ERR("Unable to get time of day: (%d) %s\n",
errno,
strerror(errno));
context->error = true;
return;
}
tm_info = localtime(&tv.tv_sec);
if (tm_info == NULL) {
DBG_ERR("Unable to determine local time\n");
context->error = true;
return;
}
strftime(buffer, sizeof(buffer)-1, "%Y-%m-%dT%T", tm_info);
strftime(tz, sizeof(tz)-1, "%z", tm_info);
snprintf(timestamp, sizeof(timestamp),"%s.%06ld%s",
buffer, tv.tv_usec, tz);
add_string(context,"timestamp", timestamp);
}
/*
* Output an address pair, with name name.
*
* "localAddress":"ipv6::::0"
*
*/
static void add_address(struct json_context *context,
const char *name,
const struct tsocket_address *address)
{
char *s = NULL;
TALLOC_CTX *frame = talloc_stackframe();
if (context->error) {
return;
}
s = tsocket_address_string(address, frame);
add_string(context, name, s);
talloc_free(frame);
}
/*
* Output a SID with name name
*
* "sid":"S-1-5-18"
*
*/
static void add_sid(struct json_context *context,
const char *name,
const struct dom_sid *sid)
struct loadparm_context *lp_ctx,
struct json_object *object,
const char *type,
int debug_class,
int debug_level)
{
char sid_buf[DOM_SID_STR_BUFLEN];
if (context->error) {
return;
audit_log_json(type, object, debug_class, debug_level);
if (msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx)) {
audit_message_send(msg_ctx,
AUTH_EVENT_NAME,
MSG_AUTH_LOG,
object);
}
dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
add_string(context, name, sid_buf);
}
/*
......@@ -450,6 +114,7 @@ static void add_sid(struct json_context *context,
static void log_authentication_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
......@@ -458,52 +123,87 @@ static void log_authentication_event_json(
struct dom_sid *sid,
int debug_level)
{
struct json_context context = get_json_context();
struct json_context authentication;
struct json_object wrapper = json_new_object();
struct json_object authentication;
char negotiate_flags[11];
add_timestamp(&context);
add_string(&context, "type", AUTH_JSON_TYPE);
json_add_timestamp(&wrapper);
json_add_string(&wrapper, "type", AUTH_JSON_TYPE);
authentication = get_json_context();
add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
add_string(&authentication, "status", nt_errstr(status));
add_address(&authentication, "localAddress", ui->local_host);
add_address(&authentication, "remoteAddress", ui->remote_host);
add_string(&authentication,
authentication = json_new_object();
json_add_version(&authentication, AUTH_MAJOR, AUTH_MINOR);
json_add_string(&authentication, "status", nt_errstr(status));
json_add_address(&authentication, "localAddress", ui->local_host);
json_add_address(&authentication, "remoteAddress", ui->remote_host);
json_add_string(&authentication,
"serviceDescription",
ui->service_description);
add_string(&authentication, "authDescription", ui->auth_description);
add_string(&authentication, "clientDomain", ui->client.domain_name);
add_string(&authentication, "clientAccount", ui->client.account_name);
add_string(&authentication, "workstation", ui->workstation_name);
add_string(&authentication, "becameAccount", account_name);
add_string(&authentication, "becameDomain", domain_name);
add_sid(&authentication, "becameSid", sid);
add_string(&authentication, "mappedAccount", ui->mapped.account_name);
add_string(&authentication, "mappedDomain", ui->mapped.domain_name);
add_string(&authentication,
json_add_string(&authentication,
"authDescription",
ui->auth_description);
json_add_string(&authentication,
"clientDomain",
ui->client.domain_name);
json_add_string(&authentication,
"clientAccount",
ui->client.account_name);
json_add_string(&authentication,
"workstation",
ui->workstation_name);
json_add_string(&authentication, "becameAccount", account_name);
json_add_string(&authentication, "becameDomain", domain_name);
json_add_sid(&authentication, "becameSid", sid);
json_add_string(&authentication,
"mappedAccount",
ui->mapped.account_name);
json_add_string(&authentication,
"mappedDomain",
ui->mapped.domain_name);
json_add_string(&authentication,
"netlogonComputer",
ui->netlogon_trust_account.computer_name);
add_string(&authentication,
json_add_string(&authentication,
"netlogonTrustAccount",
ui->netlogon_trust_account.account_name);
snprintf(negotiate_flags,
sizeof( negotiate_flags),
"0x%08X",
ui->netlogon_trust_account.negotiate_flags);
add_string(&authentication, "netlogonNegotiateFlags", negotiate_flags);
add_int(&authentication,
json_add_string(&authentication,
"netlogonNegotiateFlags",
negotiate_flags);
json_add_int(&authentication,
"netlogonSecureChannelType",
ui->netlogon_trust_account.secure_channel_type);
add_sid(&authentication,
json_add_sid(&authentication,
"netlogonTrustAccountSid",
ui->netlogon_trust_account.sid);
add_string(&authentication, "passwordType", get_password_type(ui));
add_object(&context,AUTH_JSON_TYPE, &authentication);
json_add_string(&authentication, "passwordType", get_password_type(ui));
json_add_object(&wrapper, AUTH_JSON_TYPE, &authentication);
log_json(msg_ctx, &context, AUTH_JSON_TYPE, DBGC_AUTH_AUDIT, debug_level);
free_json_context(&context);
/*
* While not a general-purpose profiling solution this will
* assist some to determine how long NTLM and KDC
* authentication takes once this process can handle it. This
* covers transactions elsewhere but not (eg) the delay while
* this is waiting unread on the input socket.
*/
if (start_time != NULL) {
struct timeval current_time = timeval_current();
uint64_t duration = usec_time_diff(&current_time,
start_time);
json_add_int(&authentication,
"duration",
duration);
}
log_json(msg_ctx,
lp_ctx,
&wrapper,
AUTH_JSON_TYPE,
DBGC_AUTH_AUDIT,
debug_level);
json_free(&wrapper);
}
/*
......@@ -537,40 +237,53 @@ static void log_successful_authz_event_json(
struct auth_session_info *session_info,
int debug_level)
{
struct json_context context = get_json_context();
struct json_context authorization;
struct json_object wrapper = json_new_object();
struct json_object authorization;
char account_flags[11];
//start_object(&context, NULL);
add_timestamp(&context);
add_string(&context, "type", AUTHZ_JSON_TYPE);
authorization = get_json_context();
add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
add_address(&authorization, "localAddress", local);
add_address(&authorization, "remoteAddress", remote);
add_string(&authorization, "serviceDescription", service_description);
add_string(&authorization, "authType", auth_type);
add_string(&authorization, "domain", session_info->info->domain_name);
add_string(&authorization, "account", session_info->info->account_name);
add_sid(&authorization, "sid", &session_info->security_token->sids[0]);
add_string(&authorization,
json_add_timestamp(&wrapper);
json_add_string(&wrapper, "type", AUTHZ_JSON_TYPE);
authorization = json_new_object();
json_add_version(&authorization, AUTHZ_MAJOR, AUTHZ_MINOR);
json_add_address(&authorization, "localAddress", local);
json_add_address(&authorization, "remoteAddress", remote);
json_add_string(&authorization,
"serviceDescription",
service_description);
json_add_string(&authorization, "authType", auth_type);
json_add_string(&authorization,
"domain",
session_info->info->domain_name);
json_add_string(&authorization,
"account",
session_info->info->account_name);
json_add_sid(&authorization,
"sid",
&session_info->security_token->sids[0]);
json_add_guid(&authorization,
"sessionId",
&session_info->unique_session_token);
json_add_string(&authorization,
"logonServer",
session_info->info->logon_server);
add_string(&authorization, "transportProtection", transport_protection);
json_add_string(&authorization,
"transportProtection",
transport_protection);
snprintf(account_flags,
sizeof(account_flags),
"0x%08X",
session_info->info->acct_flags);
add_string(&authorization, "accountFlags", account_flags);
add_object(&context,AUTHZ_JSON_TYPE, &authorization);
json_add_string(&authorization, "accountFlags", account_flags);
json_add_object(&wrapper, AUTHZ_JSON_TYPE, &authorization);
log_json(msg_ctx,
&context,
lp_ctx,
&wrapper,
AUTHZ_JSON_TYPE,
DBGC_AUTH_AUDIT,
debug_level);
free_json_context(&context);
json_free(&wrapper);
}
#else
......@@ -582,13 +295,15 @@ static void log_no_json(struct imessaging_context *msg_ctx,
static bool auth_event_logged = false;
if (auth_event_logged == false) {
auth_event_logged = true;
DBG_ERR("auth event notification = true but Samba was not compiled with jansson\n");
DBG_ERR("auth event notification = true but Samba was "
"not compiled with jansson\n");
}
} else {
static bool json_logged = false;
if (json_logged == false) {
json_logged = true;
DBG_NOTICE("JSON auth logs not available unless compiled with jansson\n");
DBG_NOTICE("JSON auth logs not available unless "
"compiled with jansson\n");
}
}
......@@ -598,6 +313,7 @@ static void log_no_json(struct imessaging_context *msg_ctx,
static void log_authentication_event_json(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
......@@ -705,7 +421,7 @@ static void log_authentication_event_human_readable(
password_type = get_password_type(ui);
/* Get the current time */
ts = get_timestamp(frame);
ts = audit_get_timestamp(frame);
/* Only log the NETLOGON details if they are present */
if (ui->netlogon_trust_account.computer_name ||
......@@ -769,8 +485,10 @@ static void log_authentication_event_human_readable(
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
void log_authentication_event(struct imessaging_context *msg_ctx,
void log_authentication_event(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *domain_name,
......@@ -799,7 +517,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx,
}
if (CHECK_DEBUGLVLC(DBGC_AUTH_AUDIT_JSON, debug_level) ||
(msg_ctx && lp_ctx && lpcfg_auth_event_notification(lp_ctx))) {
log_authentication_event_json(msg_ctx, lp_ctx,
log_authentication_event_json(msg_ctx,
lp_ctx,
start_time,
ui,
status,
domain_name,
......@@ -836,7 +556,7 @@ static void log_successful_authz_event_human_readable(
frame = talloc_stackframe();
/* Get the current time */
ts = get_timestamp(frame);
ts = audit_get_timestamp(frame);
remote_str = tsocket_address_string(remote, frame);
local_str = tsocket_address_string(local, frame);
......@@ -874,7 +594,8 @@ static void log_successful_authz_event_human_readable(
* NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the
* authentication events over the message bus.
*/
void log_successful_authz_event(struct imessaging_context *msg_ctx,
void log_successful_authz_event(
struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct tsocket_address *remote,
const struct tsocket_address *local,
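Review bot: In log_authentication_event_json the added duration block does `uint64_t duration = usec_time_diff(&current_time, start_time);` and then passes it to `json_add_int`; the helper it replaces, `add_int`, took `const int value`, and if `json_add_int` in audit_logging kept that parameter type the 64-bit microsecond value is silently narrowed, while a negative difference (start_time later than current_time after a clock step) first wraps in the unsigned local. Worth confirming the parameter type of json_add_int and, if it is int, widening it or clamping before the call, and keeping `duration` signed so the wrap cannot happen. Separately, the rewritten log_json calls `audit_log_json(type, object, debug_class, debug_level);` and `audit_message_send(...)` without the `context->error` guard the removed log_json had; presumably those helpers check the object's error flag themselves, but that is worth confirming so a wrapper that failed to allocate is neither dumped nor forwarded on the message bus. The signature of log_authentication_event_json is in the preceding hunk, outside the one carrying the duration change.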
......@@ -122,6 +122,9 @@ struct auth4_context {
/* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
struct ldb_context *sam_ctx;
/* The time this authentication started */
struct timeval start_time;
/* Private data for the callbacks on this auth context */
void *private_data;
......@@ -178,6 +181,7 @@ struct auth4_context {
*/
void log_authentication_event(struct imessaging_context *msg_ctx,
struct loadparm_context *lp_ctx,
const struct timeval *start_time,
const struct auth_usersupplied_info *ui,
NTSTATUS status,
const char *account_name,
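Review bot: The log_authentication_event prototype gains a `start_time` parameter but the comment block above it (its closing `*/` is the first context line of the hunk) is not extended to say what it is or that it may be NULL; the .c side only emits a duration when it is non-NULL, which callers need to know. Suggest extending the existing NOTE in the same plain style: `* NOTE: start_time is also optional; when supplied the time elapsed since it is added to the JSON event as "duration" (presumably microseconds, per usec_time_diff).` The new `start_time` field on `struct auth4_context` already has a one-line comment, so only the prototype's documentation is missing.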
......@@ -1277,17 +1277,21 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
*++p = '\0'; /* advance p, and null-terminate pass */
break;
}
/* fall through */
FALL_THROUGH;
case 0:
if (p - pass) {
*p = '\0'; /* null-terminate it, just in case... */
p = NULL; /* then force the loop condition to become false */
break;
} else {
fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
return false;
}
fprintf(stderr,
"Error reading password from file descriptor "
"%d: empty password\n",
fd);
return false;
default:
fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
fd, strerror(errno));
......@@ -34,6 +34,7 @@
#include "auth/kerberos/kerberos_util.h"
#include "auth/kerberos/pac_utils.h"
#include "param/param.h"
#include "../libds/common/flags.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
......@@ -974,7 +975,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
char *salt_principal = NULL;
bool is_computer = false;
uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
......@@ -999,9 +1000,15 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
switch (cred->secure_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_BDC:
case SEC_CHAN_RODC:
is_computer = true;
uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
break;
case SEC_CHAN_BDC:
uac_flags = UF_SERVER_TRUST_ACCOUNT;
break;
case SEC_CHAN_DOMAIN:
case SEC_CHAN_DNS_DOMAIN:
uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
break;
default:
upn = cli_credentials_get_principal(cred, mem_ctx);
......@@ -1009,13 +1016,14 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
TALLOC_FREE(mem_ctx);
return ENOMEM;
}
uac_flags = UF_NORMAL_ACCOUNT;
break;
}
ret = smb_krb5_salt_principal(realm,
username, /* sAMAccountName */
upn, /* userPrincipalName */
is_computer,
uac_flags,
mem_ctx,
&salt_principal);
if (ret) {
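Review bot: The switch that now maps `cred->secure_channel_type` to a `UF_*` flag has no comment saying why the account class matters here; it is the input that selects the salt principal form in smb_krb5_salt_principal, so a wrong class would presumably yield a keytab whose keys fail at authentication time rather than an error at creation. Suggest above `switch (cred->secure_channel_type) {`: `/* The account class selects the salt principal form used to derive the keytab keys; see smb_krb5_salt_principal(). */`. The default branch silently covers SEC_CHAN_NULL and any channel type not listed with `UF_NORMAL_ACCOUNT` plus the UPN lookup, which matches the removed is_computer=false behaviour but is worth a comment of its own. cli_credentials_get_keytab continues outside the hunk.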
......@@ -109,7 +109,7 @@ static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) {
/* This attribute is mandetory */
/* This attribute is mandatory */
talloc_free(mem_ctx);
return NT_STATUS_NOT_FOUND;
}
......@@ -120,7 +120,10 @@ static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
return NT_STATUS_NOT_FOUND;
}
if (lct == secrets_tdb_last_change_time && secrets_tdb_password && strcmp(password, secrets_tdb_password) != 0) {
if ((lct == secrets_tdb_last_change_time) &&
(secrets_tdb_password != NULL) &&
(password != NULL) &&
(strcmp(password, secrets_tdb_password) != 0)) {
talloc_free(mem_ctx);
return NT_STATUS_NOT_FOUND;
}
......@@ -235,14 +238,23 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
{
struct db_context *db_ctx;
char *secrets_tdb_path;
int hash_size, tdb_flags;
secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
if (secrets_tdb_path == NULL) {
return NT_STATUS_NO_MEMORY;
}
db_ctx = dbwrap_local_open(cred, lp_ctx, secrets_tdb_path, 0,
TDB_DEFAULT, O_RDWR, 0600,
hash_size = lpcfg_tdb_hash_size(lp_ctx, secrets_tdb_path);
tdb_flags = lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT);
db_ctx = dbwrap_local_open(
cred,
secrets_tdb_path,
hash_size,
tdb_flags,
O_RDWR,
0600,
DBWRAP_LOCK_ORDER_1,
DBWRAP_FLAG_NONE);
TALLOC_FREE(secrets_tdb_path);
......@@ -372,7 +384,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
if (security != SEC_ADS) {
break;
}
/* fall through */
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
use_kerberos = CRED_AUTO_USE_KERBEROS;
break;
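Review bot: The rewritten condition in the second hunk (cli_credentials_set_secrets_lct, whose body continues outside the hunk) returns NT_STATUS_NOT_FOUND when the secrets.tdb password and the `password` read earlier in the function (presumably from the LDB record) differ while their change times agree, and nothing records why a disagreement between the two stores is reported as "not found" rather than as a distinct error. A comment above the `if`, such as `/* Same lastChangeTime but different passwords: the two secret stores disagree, so treat the machine credentials as unavailable rather than guess which one is right. */`, would keep the next maintainer from "fixing" it. The added `password != NULL` guard before the strcmp is fine as written.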
......
......@@ -130,7 +130,7 @@ static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyOb
ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN
"s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}",
"flags", flags,
"lm_reponse",
"lm_response",
(const char *)lm_response.data, lm_response.length,
"nt_response",
(const char *)nt_response.data, nt_response.length,
......@@ -680,6 +680,16 @@ static PyObject *py_creds_set_secure_channel_type(PyObject *self, PyObject *args
Py_RETURN_NONE;
}
static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args)
{
enum netr_SchannelType channel_type = SEC_CHAN_NULL;
channel_type = cli_credentials_get_secure_channel_type(
PyCredentials_AsCliCredentials(self));
return PyInt_FromLong(channel_type);
}
static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
PyObject *args)
{
......@@ -815,6 +825,8 @@ static PyMethodDef py_creds_methods[] = {
"Get a new client NETLOGON_AUTHENTICATOR"},
{ "set_secure_channel_type", py_creds_set_secure_channel_type,
METH_VARARGS, NULL },
{ "get_secure_channel_type", py_creds_get_secure_channel_type,
METH_VARARGS },
{ "encrypt_netr_crypt_password",
py_creds_encrypt_netr_crypt_password,
METH_VARARGS,
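Review bot: Renaming the result key from `"lm_reponse"` to `"lm_response"` in py_creds_get_ntlm_response (first hunk) is a visible API change for Python callers: any script that indexed the old misspelled key now raises KeyError. If in-tree callers exist they need the same update in this commit; if out-of-tree users matter, emitting both keys for one release is the compatible option. In the third hunk the new method-table entry `{ "get_secure_channel_type", py_creds_get_secure_channel_type, METH_VARARGS },` omits the docstring member that its neighbour spells out as `NULL`; aggregate zero-initialisation makes it valid C, but writing `METH_VARARGS, NULL },` like the sibling keeps the table uniform, and since py_creds_get_secure_channel_type never reads `args`, METH_NOARGS would describe it more precisely.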
......
......@@ -2,6 +2,7 @@
# -*- coding: utf-8 -*-
# This is unit with tests for LDAP access checks
from __future__ import print_function
import optparse
import sys
import base64
......@@ -95,13 +96,13 @@ operatingSystem: Windows Server 2003
dn: """ + self.computer_dn + """
changetype: modify
replace: unicodePwd
unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode('utf8') + """
""")
# do a simple bind and search with the machine account
creds_machine.set_bind_dn(self.computer_dn)
creds_machine.set_password(self.password)
print "BindTest with: " + creds_machine.get_bind_dn()
print("BindTest with: " + creds_machine.get_bind_dn())
ldb_machine = samba.tests.connect_samdb(host, credentials=creds_machine,
lp=lp, ldap_only=True)
res = ldb_machine.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
......@@ -119,7 +120,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
# do a simple bind and search with the user account in format user@realm
creds_user1.set_bind_dn(self.username + "@" + creds.get_realm())
creds_user1.set_password(self.password)
print "BindTest with: " + creds_user1.get_bind_dn()
print("BindTest with: " + creds_user1.get_bind_dn())
ldb_user1 = samba.tests.connect_samdb(host, credentials=creds_user1,
lp=lp, ldap_only=True)
res = ldb_user1.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
......@@ -127,7 +128,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
# do a simple bind and search with the user account in format domain\user
creds_user2.set_bind_dn(creds.get_domain() + "\\" + self.username)
creds_user2.set_password(self.password)
print "BindTest with: " + creds_user2.get_bind_dn()
print("BindTest with: " + creds_user2.get_bind_dn())
ldb_user2 = samba.tests.connect_samdb(host, credentials=creds_user2,
lp=lp, ldap_only=True)
res = ldb_user2.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
......@@ -135,7 +136,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
# do a simple bind and search with the user account DN
creds_user3.set_bind_dn(str(user_dn))
creds_user3.set_password(self.password)
print "BindTest with: " + creds_user3.get_bind_dn()
print("BindTest with: " + creds_user3.get_bind_dn())
ldb_user3 = samba.tests.connect_samdb(host, credentials=creds_user3,
lp=lp, ldap_only=True)
res = ldb_user3.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
......@@ -154,7 +155,7 @@ unicodePwd:: """ + base64.b64encode("\"P@ssw0rd\"".encode('utf-16-le')) + """
creds_user4.set_password(self.password)
creds_user4.set_domain('')
creds_user4.set_workstation('')
print "BindTest (no domain) with: " + self.username
print("BindTest (no domain) with: " + self.username)
try:
ldb_user4 = samba.tests.connect_samdb(host, credentials=creds_user4,
lp=lp, ldap_only=True)
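Review bot: The `.decode('utf8')` appended to the base64.b64encode call in the second hunk works, but base64 output is ASCII by construction, so `.decode('ascii')` states the actual contract and would fail loudly if anything else ever reached that line. The remaining hunks are print() conversions and need nothing further.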
......
......@@ -25,8 +25,11 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_NTLM',
deps='samba-credentials')
for env in bld.gen_python_environments():
pytalloc_util = bld.pyembed_libname('pytalloc-util')
pyparam_util = bld.pyembed_libname('pyparam_util')
bld.SAMBA_PYTHON('pycredentials',
source='pycredentials.c',
public_deps='samba-credentials cmdline-credentials pytalloc-util pyparam_util CREDENTIALS_KRB5 CREDENTIALS_SECRETS',
public_deps='samba-credentials cmdline-credentials %s %s CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util),
realname='samba/credentials.so'
)
......@@ -1649,7 +1649,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
/* fall through */
FALL_THROUGH;
case SPNEGO_CLIENT_START:
case SPNEGO_SERVER_START:
......
......@@ -165,7 +165,7 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
DEBUG(1, ("unable to obtain a PAC against this GSSAPI library. "
"GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8\n"));
} else if (gss_maj != 0) {
DEBUG(2, ("obtaining PAC via GSSAPI gss_inqiure_sec_context_by_oid (Heimdal OID) failed: %s\n",
DEBUG(2, ("obtaining PAC via GSSAPI gss_inquire_sec_context_by_oid (Heimdal OID) failed: %s\n",
gssapi_error_string(mem_ctx, gss_maj, gss_min, gss_mech_krb5)));
} else {
if (set == GSS_C_NO_BUFFER_SET) {
......
......@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
}
if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (role == ROLE_STANDALONE) {
ntlmssp_state->server.is_standalone = true;
......
......@@ -777,7 +777,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
ntlmssp_state->use_nt_response = \
gensec_setting_bool(gensec_security->settings,
"ntlmssp_client",
"send_nt_response",
true);
ntlmssp_state->allow_lm_response = lpcfg_client_lanman_auth(gensec_security->settings->lp_ctx);
......@@ -865,6 +869,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
}
if (ntlmssp_state->force_wrap_seal) {
bool ret;
/*
* We want also work against old Samba servers
* which didn't had GENSEC_FEATURE_LDAP_STYLE
......@@ -872,6 +881,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* in a few years. As all servers should have
* GENSEC_FEATURE_LDAP_STYLE by then.
*/
ret = gensec_setting_bool(gensec_security->settings,
"ntlmssp_client",
"ldap_style_send_seal",
true);
if (ret) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
}
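Review bot: Renaming the parametric option from `send_nt_reponse` to `send_nt_response` in the first hunk (gensec_ntlmssp_client_start) silently changes behaviour for any smb.conf that set `ntlmssp_client:send_nt_reponse`: the old key is no longer consulted and the default `true` takes over. If deployments relying on the misspelling are plausible, reading the old name as a fallback for one release, or at least calling the rename out in the release notes, would avoid the surprise. In the last hunk the `ldap_style_send_seal` setting is read into a variable called `ret`, which in this file otherwise denotes a return code; `bool ldap_style_send_seal = gensec_setting_bool(...)` would read better, and the comment above it ("We want also work against old Samba servers which didn't had") could be tidied to "We also want to work against old Samba servers which didn't have".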
......
......@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
data_blob_free(&ntlmssp_state->challenge_blob);
if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
/*
* We need to handle NTLMSSP_NEGOTIATE_SIGN as
* NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
* is requested.
*/
ntlmssp_state->force_wrap_seal = true;
}
nt_status = ntlmssp_sign_init(ntlmssp_state);
}
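Review bot: The comment copied onto the new force_wrap_seal assignment in ntlmssp_server_postauth (whose body starts outside the hunk) says what the flag means but not why it is now set here: the assignment is gated on gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN), i.e. on what was actually negotiated, whereas the block that appears to be removed from gensec_ntlmssp_server_start in an earlier hunk keyed off want_features alone. A one-line addition such as `/* Decided after negotiation so that only a connection that really negotiated signing is upgraded to sealing. */` would record that and stop a later cleanup from moving it back to start-up.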
......