Commits on Source (2951)
*.dump binary
*.SAMBABACKUP binary
## Samba is moving to GitLab
The samba project is moving to GitLab, please consider contributing there instead.
Instructions for setting up can be found at: https://wiki.samba.org/index.php/Samba_CI_on_gitlab
The GitLab repository can be found here: https://gitlab.com/samba-team/samba
## Samba is moving to GitLab
The samba project is moving to GitLab, please consider opening a merge request there instead.
Instructions for setting up can be found at: https://wiki.samba.org/index.php/Samba_CI_on_gitlab
The GitLab repository can be found here: https://gitlab.com/samba-team/samba
......@@ -12,23 +12,30 @@ build_samba:
<<: *private_template
script:
# this one takes about 4 hours to finish
- python script/autobuild.py samba --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_nt4:
build_samba_py2:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-nt4 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
# this one takes about 4 hours to finish
- script/autobuild.py samba-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_fileserver:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-fileserver --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-fileserver --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc:
<<: *private_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-ad-dc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-ad-dc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_py2:
<<: *private_template
script:
# this one takes about 1 hours to finish
- script/autobuild.py samba-ad-dc-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
......@@ -7,12 +7,7 @@ variables:
GIT_DEPTH: "3"
before_script:
- echo "Build starting (preparing swap)..."
- if [ $(df -m / --output=avail | tail -n1) -gt 10240 ]; then
sudo dd if=/dev/zero of=/samba-swap bs=1M count=6144;
sudo mkswap /samba-swap;
sudo swapon /samba-swap;
fi
- echo "Build starting..."
after_script:
- tar -xf logs.tar.gz system-info.txt -O
......@@ -27,61 +22,93 @@ build_samba_none_env:
<<: *shared_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-none-env --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-none-env --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_none_env_py2:
<<: *shared_template
script:
# this one takes about 1 hours to finish
- script/autobuild.py samba-none-env-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_nopython:
<<: *shared_template
script:
- python script/autobuild.py samba-nopython --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-nopython --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_systemkrb5:
<<: *shared_template
script:
- python script/autobuild.py samba-systemkrb5 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-systemkrb5 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_xc:
<<: *shared_template
script:
- python script/autobuild.py samba-xc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-xc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_o3:
<<: *shared_template
script:
- python script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_2:
<<: *shared_template
script:
# this one takes about 1 hours to finish
- python script/autobuild.py samba-ad-dc-2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-ad-dc-2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_backup:
<<: *shared_template
script:
- script/autobuild.py samba-ad-dc-backup --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_backup_py2:
<<: *shared_template
script:
- script/autobuild.py samba-ad-dc-backup-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ad_dc_2_py2:
<<: *shared_template
script:
# this one takes about 1 hours to finish
- script/autobuild.py samba-ad-dc-2-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_libs:
<<: *shared_template
script:
- python script/autobuild.py samba-libs --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-libs --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_libs_py2:
<<: *shared_template
script:
- script/autobuild.py samba-libs-py2 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_static:
<<: *shared_template
script:
- python script/autobuild.py samba-static --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-static --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_ctdb:
<<: *shared_template
script:
- python script/autobuild.py samba-ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_ctdb:
<<: *shared_template
script:
- python script/autobuild.py ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py samba-ctdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_others:
<<: *shared_template
script:
- python script/autobuild.py ldb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py pidl --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py replace --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py talloc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- python script/autobuild.py tevent --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py ldb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py pidl --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py replace --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py talloc --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py tdb --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
- script/autobuild.py tevent --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
build_samba_buildpy2_only:
<<: *shared_template
script:
- python script/autobuild.py samba-buildpy2-only --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase
language: c
dist: trusty
sudo: true
cache: ccache
# Everything except samba and ctdb (long tests)
env:
- TASK=samba-xc
- TASK=samba-ctdb
- TASK=samba-libs
- TASK=samba-static
- TASK=samba-o3
- TASK=samba-none-env
- TASK=samba-nopython
- TASK=samba-systemkrb5
- TASK=samba-nt4
- TASK=samba-fileserver
- TASK=samba-ad-dc
- TASK=samba-ad-dc-2
- TASK=ldb
- TASK=tdb
- TASK=talloc
- TASK=replace
- TASK=tevent
- TASK=pidl
# Fail everything after the first job fails
matrix:
fast_finish: true
before_install:
- sudo apt-get update -qq
- sudo apt-get install --assume-yes acl attr autoconf bind9utils bison build-essential ccache curl debhelper dnsutils docbook-xml docbook-xsl emacs24-nox flex gdb git htop jed krb5-user libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libjansson-dev libjson-perl libldap2-dev liblmdb-dev/trusty-backports libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev linux-tools-generic lmdb-utils/trusty-backports nettle-dev perl perl-modules pkg-config psmisc python3-dev python3-dnspython python3-gpgme python3-markdown python3-matplotlib python-all-dev python-crypto python-crypto python-dbg python-dev python-dnspython python-gpgme python-markdown python-novaclient python-pexpect rng-tools screen tshark xsltproc zlib1g-dev
- sudo apt-get install --assume-yes binutils-gold
- sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.gold" 20
- sudo update-alternatives --install "/usr/bin/ld" "ld" "/usr/bin/ld.bfd" 10
- sudo update-alternatives --set ld /usr/bin/ld.gold
script:
- if [ $TASK = "pidl" ]; then
git fetch --unshallow;
fi
- ./script/autobuild.py --tail --testbase=/tmp $TASK
......@@ -252,6 +252,7 @@ else:
SOURCE_EXTENSIONS = [ '.C', '.cpp', '.cxx', '.cc', '.c', '.m', '.mm' ]
def DirectoryOfThisScript():
return os.path.dirname( os.path.abspath( __file__ ) )
......
# simple makefile wrapper to run waf
PYTHON?=python
WAF_BINARY=$(PYTHON) ./buildtools/bin/waf
WAF=WAF_MAKE=1 $(WAF_BINARY)
WAF=PYTHONHASHSEED=1 WAF_MAKE=1 $(WAF_BINARY)
all:
$(WAF) build
......
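Review bot: The new `WAF=` assignment pins `PYTHONHASHSEED=1` without a comment saying why. Because the variable is placed in waf's environment, every Python process waf starts inherits it, so hash randomisation is off for those children as well, presumably including test runs launched through this wrapper. If the intent is reproducible build output, say so next to the assignment, e.g. `# PYTHONHASHSEED=1: deterministic waf ordering; inherited by child Python processes`. The rest of the Makefile is outside the visible hunk, so the targets that pass through `$(WAF)` could not be checked.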
......@@ -432,6 +432,22 @@ an iterator style:
... do something with opt ...
}
Another exception: DBG messages for example printing a SID or a GUID:
Here we don't expect any surprise from the printing functions, and the
main reason of this guideline is to make debugging easier. That reason
rarely exists for this particular use case, and we gain some
efficiency because the DBG_ macros don't evaluate their arguments if
the debuglevel is not high enough.
if (!NT_STATUS_IS_OK(status)) {
struct dom_sid_buf sid_buf;
struct GUID_txt_buf guid_buf;
DBG_WARNING(
"objectSID [%s] for GUID [%s] invalid\n",
dom_sid_str_buf(objectsid, &sid_buf),
GUID_buf_string(&cache->entries[idx], &guid_buf));
}
But in general, please try to avoid this pattern.
......
This is the release version of Samba, the free SMB and CIFS client and
server and Domain Controller for UNIX and other operating
systems. Samba is maintained by the Samba Team, who support the
original author, Andrew Tridgell.
About Samba
===========
Samba is the standard Windows interoperability suite of
programs for Linux and Unix.
Samba is Free Software licensed under the GNU General Public License and
the Samba project is a member of the Software Freedom Conservancy.
Since 1992, Samba has provided secure, stable and fast file and print services
for all clients using the SMB/CIFS protocol, such as all versions of DOS
and Windows, OS/2, Linux and many others.
Samba is an important component to seamlessly integrate Linux/Unix Servers and
Desktops into Active Directory environments. It can function both as a
domain controller or as a regular domain member.
>>>> Please read THE WHOLE of this file as it gives important information
>>>> about the configuration and use of Samba.
NOTE: Installation instructions may be found
for the file/print server and domain member in:
docs/htmldocs/Samba3-HOWTO/install.html
For the AD DC implementation a full HOWTO is provided at:
http://wiki.samba.org/index.php/Samba4/HOWTO
https://wiki.samba.org/index.php/Samba4/HOWTO
Community guidelines can be read at:
https://wiki.samba.org/index.php/How_to_do_Samba:_Nicely
This software is freely distributable under the GNU public license, a
copy of which you should have received with this software (in a file
called COPYING).
WHAT IS SMB/CIFS?
=================
This is a big question.
The very short answer is that it is the protocol by which a lot of
PC-related machines share files and printers and other information
such as lists of available files and printers. Operating systems that
support this natively include Windows 9x, Windows NT (and derivatives),
OS/2, Mac OS X and Linux. Add on packages that achieve the same
thing are available for DOS, Windows 3.1, VMS, Unix of all kinds,
MVS, and more. Some Web Browsers can speak this protocol as well
(smb://). Alternatives to SMB include Netware, NFS, Appletalk,
Banyan Vines, Decnet etc; many of these have advantages but none are
both public specifications and widely implemented in desktop machines
by default.
The Common Internet File system (CIFS) is what the new SMB initiative
is called. For details watch http://samba.org/cifs.
WHY DO PEOPLE WANT TO USE SMB?
==============================
1. Many people want to integrate their Microsoft desktop clients
with their Unix servers.
2. Others want to integrate their Microsoft (etc) servers with Unix
servers. This is a different problem to integrating desktop
clients.
3. Others want to replace protocols like NFS, DecNet and Novell NCP,
especially when used with PCs.
WHAT CAN SAMBA DO?
==================
Please refer to the WHATSNEW.txt included with this README for
a list of features in the latest Samba release.
Here is a very short list of what samba includes, and what it does.
For many networks this can be simply summarized by "Samba provides
a complete replacement for Windows NT, Warp, NFS or Netware servers."
- a SMB server, to provide Windows NT and LAN Manager-style file and print
services to SMB clients such as Windows 95, Warp Server, smbfs and others.
- a Windows Domain Controller (NT4 and AD) replacement.
- a file/print server that can act as a member of a Windows NT 4.0
or Active Directory domain.
- a NetBIOS (rfc1001/1002) nameserver, which amongst other things gives
browsing support. Samba can be the master browser on your LAN if you wish.
- a ftp-like SMB client so you can access PC resources (disks and
printers) from UNIX, Netware, and other operating systems
- a tar extension to the client for backing up PCs
- limited command-line tool that supports some of the NT administrative
functionality, which can be used on Samba, NT workstation and NT server.
For a much better overview have a look at the web site at
http://samba.org/samba, and browse the user survey.
Related packages include:
- cifsvfs, an advanced Linux-only filesystem allowing you to mount
remote SMB filesystems from PCs on your Linux box. This is included
as standard with Linux 2.5 and later.
- smbfs, the previous Linux-only filesystem allowing you to mount remote SMB
filesystems from PCs on your Linux box. This is included as standard with
Linux 2.0 and later.
CONTRIBUTIONS
=============
1. To contribute via GitHub
- fork the official Samba team repository on GitHub
* see https://github.com/samba-team/samba
1. To contribute via GitLab
- fork the official Samba team repository on GitLab
* see https://gitlab.com/samba-team/samba
- become familiar with the coding standards as described in README.Coding
- make sure you read the Samba copyright policy
* see https://www.samba.org/samba/devel/copyright-policy.html
......@@ -110,30 +42,31 @@ CONTRIBUTIONS
- make changes
- when committing, be sure to add signed-off-by tags
* see https://wiki.samba.org/index.php/CodeReview#commit_message_tags
- send a pull request for your branch through GitHub
- this will trigger an email to the samba-technical mailing list
- send a merge request for your branch through GitLab
- this will send an email to everyone registered on GitLab
- discussion happens on the samba-technical mailing list as described below
- more info on using Git for Samba development can be found on the Samba Wiki
* see https://wiki.samba.org/index.php/Using_Git_for_Samba_Development
2. If you want to contribute to the development of the software then
please join the mailing list. The Samba team accepts patches
(preferably in "diff -u" format, see http://samba.org/samba/devel/
(preferably in "diff -u" format, see https://www.samba.org/samba/devel/
for more details) and are always glad to receive feedback or
suggestions to the address samba@lists.samba.org. More information
on the various Samba mailing lists can be found at http://lists.samba.org/.
on the various Samba mailing lists can be found at https://lists.samba.org/.
You can also get the Samba sourcecode straight from the git repository - see
http://wiki.samba.org/index.php/Using_Git_for_Samba_Development.
https://wiki.samba.org/index.php/Using_Git_for_Samba_Development.
If you like a particular feature then look through the git change-log
(on the web at http://gitweb.samba.org/?p=samba.git;a=summary) and see
(on the web at https://gitweb.samba.org/?p=samba.git;a=summary) and see
who added it, then send them an email.
Remember that free software of this kind lives or dies by the response
we get. If no one tells us they like it then we'll probably move onto
something else.
MORE INFO
=========
......@@ -159,15 +92,15 @@ MAILING LIST
Please do NOT send subscription/unsubscription requests to the lists!
There is a mailing list for discussion of Samba. For details go to
<http://lists.samba.org/> or send mail to <samba-subscribe@lists.samba.org>
<https://lists.samba.org/> or send mail to <samba-subscribe@lists.samba.org>
There is also an announcement mailing list where new versions are
announced. To subscribe go to <http://lists.samba.org/> or send mail
announced. To subscribe go to <https://lists.samba.org/> or send mail
to <samba-announce-subscribe@lists.samba.org>. All announcements also
go to the samba list, so you only need to be on one.
For details of other Samba mailing lists and for access to archives, see
<http://lists.samba.org/>
<https://lists.samba.org/>
MAILING LIST ETIQUETTE
......@@ -212,17 +145,16 @@ A few tips when submitting to this or any mailing list.
7. Give as much *relevant* information as possible such as Samba
release number, OS, kernel version, etc...
8. RTFM. Google. groups.google.com.
8. RTFM. Google.
WEBSITE
--------
-------
A Samba WWW site has been setup with lots of useful info. Connect to:
A Samba website has been setup with lots of useful info. Connect to:
http://samba.org/
https://www.samba.org/
As well as general information and documentation, this also has searchable
archives of the mailing list and a user survey that shows who else is using
this package.
archives of the mailing list and links to other useful resources such as
the wiki.
......@@ -24,8 +24,8 @@
# -> "3.0.0" #
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=9
SAMBA_VERSION_RELEASE=5
SAMBA_VERSION_MINOR=10
SAMBA_VERSION_RELEASE=0
########################################################
# If a official release has a serious bug #
......
......@@ -41,7 +41,7 @@
* increment the major version.
*/
#define AUTH_MAJOR 1
#define AUTH_MINOR 0
#define AUTH_MINOR 1
#define AUTHZ_MAJOR 1
#define AUTHZ_MINOR 1
......@@ -57,6 +57,7 @@
#include "lib/util/server_id_db.h"
#include "lib/param/param.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/windows_event_ids.h"
#include "lib/audit_logging/audit_logging.h"
/*
......@@ -90,6 +91,31 @@ static void log_json(struct imessaging_context *msg_ctx,
}
}
/*
* Determine the Windows logon type for the current authorisation attempt.
*
* Currently Samba only supports
*
* 2 Interactive A user logged on to this computer.
* 3 Network A user or computer logged on to this computer from
* the network.
* 8 NetworkCleartext A user logged on to this computer from the network.
* The user's password was passed to the authentication
* package in its unhashed form.
*
*/
static enum event_logon_type get_logon_type(
const struct auth_usersupplied_info *ui)
{
if ((ui->logon_parameters & MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED)
|| (ui->password_state == AUTH_PASSWORD_PLAIN)) {
return EVT_LOGON_NETWORK_CLEAR_TEXT;
} else if (ui->flags & USER_INFO_INTERACTIVE_LOGON) {
return EVT_LOGON_INTERACTIVE;
}
return EVT_LOGON_NETWORK;
}
/*
* Write a machine parsable json formatted authentication log entry.
*
......@@ -119,6 +145,7 @@ static void log_authentication_event_json(
const char *account_name,
const char *unix_username,
struct dom_sid *sid,
enum event_id_type event_id,
int debug_level)
{
struct json_object wrapper = json_empty_object;
......@@ -134,6 +161,16 @@ static void log_authentication_event_json(
if (rc != 0) {
goto failure;
}
rc = json_add_int(&authentication,
"eventId",
event_id);
if (rc != 0) {
goto failure;
}
rc = json_add_int(&authentication, "logonType", get_logon_type(ui));
if (rc != 0) {
goto failure;
}
rc = json_add_string(&authentication, "status", nt_errstr(status));
if (rc != 0) {
goto failure;
......@@ -454,6 +491,7 @@ static void log_authentication_event_json(
const char *account_name,
const char *unix_username,
struct dom_sid *sid,
enum event_id_type event_id,
int debug_level)
{
log_no_json(msg_ctx, lp_ctx);
......@@ -573,14 +611,13 @@ static void log_authentication_event_human_readable(
local = tsocket_address_string(ui->local_host, frame);
if (NT_STATUS_IS_OK(status)) {
char sid_buf[DOM_SID_STR_BUFLEN];
struct dom_sid_buf sid_buf;
dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
logon_line = talloc_asprintf(frame,
" became [%s]\\[%s] [%s].",
log_escape(frame, domain_name),
log_escape(frame, account_name),
sid_buf);
dom_sid_str_buf(sid, &sid_buf));
} else {
logon_line = talloc_asprintf(
frame,
......@@ -632,9 +669,11 @@ void log_authentication_event(
{
/* set the log level */
int debug_level = AUTH_FAILURE_LEVEL;
enum event_id_type event_id = EVT_ID_UNSUCCESSFUL_LOGON;
if (NT_STATUS_IS_OK(status)) {
debug_level = AUTH_SUCCESS_LEVEL;
event_id = EVT_ID_SUCCESSFUL_LOGON;
if (dom_sid_equal(sid, &global_sid_Anonymous)) {
debug_level = AUTH_ANONYMOUS_LEVEL;
}
......@@ -660,6 +699,7 @@ void log_authentication_event(
account_name,
unix_username,
sid,
event_id,
debug_level);
}
}
......@@ -685,7 +725,7 @@ static void log_successful_authz_event_human_readable(
const char *ts = NULL; /* formatted current time */
char *remote_str = NULL; /* formatted remote host */
char *local_str = NULL; /* formatted local host */
char sid_buf[DOM_SID_STR_BUFLEN];
struct dom_sid_buf sid_buf;
frame = talloc_stackframe();
......@@ -695,10 +735,6 @@ static void log_successful_authz_event_human_readable(
remote_str = tsocket_address_string(remote, frame);
local_str = tsocket_address_string(local, frame);
dom_sid_string_buf(&session_info->security_token->sids[0],
sid_buf,
sizeof(sid_buf));
DEBUGC(DBGC_AUTH_AUDIT, debug_level,
("Successful AuthZ: [%s,%s] user [%s]\\[%s] [%s]"
" at [%s]"
......@@ -708,7 +744,8 @@ static void log_successful_authz_event_human_readable(
auth_type,
log_escape(frame, session_info->info->domain_name),
log_escape(frame, session_info->info->account_name),
sid_buf,
dom_sid_str_buf(&session_info->security_token->sids[0],
&sid_buf),
ts,
remote_str,
local_str));
......
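Review bot: In get_logon_type() the cleartext test runs before the `USER_INFO_INTERACTIVE_LOGON` test, so an interactive logon that arrives with `AUTH_PASSWORD_PLAIN` or `MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED` is recorded as NetworkCleartext rather than Interactive. If that precedence is intended, the header comment should state it, because anyone filtering the JSON `logonType` field will otherwise assume type 2 covers every interactive logon; a line such as `* A cleartext password takes precedence over the interactive flag.` would do. The same comment speaks of an "authorisation attempt" although the value is written into the authentication record, so `authentication attempt` is the more accurate wording.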
/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "librpc/ndr/libndr.h"
#include "librpc/gen_ndr/ndr_auth.h"
#include "auth_util.h"
struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx,
const struct auth_session_info *src)
{
struct auth_session_info *dst;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
ndr_err = ndr_push_struct_blob(
&blob,
talloc_tos(),
src,
(ndr_push_flags_fn_t)ndr_push_auth_session_info);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_push_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
return NULL;
}
dst = talloc(mem_ctx, struct auth_session_info);
if (dst == NULL) {
DBG_ERR("talloc failed\n");
TALLOC_FREE(blob.data);
return NULL;
}
ndr_err = ndr_pull_struct_blob(
&blob,
dst,
dst,
(ndr_pull_flags_fn_t)ndr_pull_auth_session_info);
TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DBG_ERR("copy_session_info(): ndr_pull_auth_session_info "
"failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
return NULL;
}
return dst;
}
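Review bot: copy_session_info() releases the intermediate NDR blob with `TALLOC_FREE(blob.data)` on both the allocation-failure path and the normal path, which leaves the serialized session information intact in freed memory. struct auth_session_info is not defined on this page, but if it carries the session key the blob is a second copy of key material and should be wiped before release, e.g. `data_blob_clear_free(&blob);` in both places. The function also lacks a header comment. One sentence would do: it deep-copies `src` onto `mem_ctx` by NDR push and pull, returns NULL on failure, and takes its temporary from talloc_tos(), so a stackframe must be active.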
/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2017
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
struct auth_session_info *copy_session_info(
TALLOC_CTX *mem_ctx,
const struct auth_session_info *src);
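Review bot: As shown, the new header has no include guard, and its prototype uses `TALLOC_CTX` and `struct auth_session_info` without including or forward-declaring anything. It therefore compiles only when the including file has already pulled those in, as auth_util.c presumably does through its earlier includes. Wrapping the declaration in `#ifndef __AUTH_AUTH_UTIL_H__` / `#define __AUTH_AUTH_UTIL_H__` / `#endif`, and adding `#include <talloc.h>` and `struct auth_session_info;`, would make it self-contained.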
......@@ -270,14 +270,14 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return ENOMEM;
}
realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
princ);
realm = smb_krb5_principal_get_realm(
cred, ccache->smb_krb5_context->krb5_context, princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
if (realm == NULL) {
return ENOMEM;
}
ok = cli_credentials_set_realm(cred, realm, obtained);
SAFE_FREE(realm);
TALLOC_FREE(realm);
if (!ok) {
return ENOMEM;
}
......@@ -351,16 +351,17 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
if (ret) {
(*error_string) = error_message(ret);
TALLOC_FREE(ccc);
return ret;
}
}
cred->ccache = ccc;
cred->ccache_obtained = obtained;
talloc_steal(cred, ccc);
cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
return 0;
}
cli_credentials_invalidate_client_gss_creds(
cred, cred->ccache_obtained);
return 0;
}
......@@ -896,12 +897,26 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
const struct ccache_container *old_ccc = NULL;
struct ccache_container *ccc = NULL;
char *ccache_name = NULL;
krb5_principal princ;
old_ccc = cred->ccache;
if (old_ccc == NULL) {
return 0;
}
ret = krb5_cc_get_principal(
old_ccc->smb_krb5_context->krb5_context,
old_ccc->ccache,
&princ);
if (ret != 0) {
/*
* This is an empty ccache. No point in copying anything.
*/
cred->ccache = NULL;
return 0;
}
krb5_free_principal(old_ccc->smb_krb5_context->krb5_context, princ);
ccc = talloc(cred, struct ccache_container);
if (ccc == NULL) {
return ENOMEM;
......
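Review bot: In cli_credentials_shallow_ccache() every non-zero return from krb5_cc_get_principal() is treated as an empty ccache and converted to success, so a cache that fails for another reason (an I/O or permission error, say) is dropped without any trace. The branch also clears only `cred->ccache`. `cred->ccache_obtained` is not touched in the visible lines, so the credentials may still report a ccache as obtained while the pointer is NULL. Consider adding `cred->ccache_obtained = CRED_UNINITIALISED;` next to `cred->ccache = NULL;`, plus a debug message that carries `ret`. The rest of the function lies outside the hunk, so how callers cope with this state could not be checked.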
......@@ -171,16 +171,18 @@ static PyObject *py_creds_get_password(PyObject *self, PyObject *unused)
static PyObject *py_creds_set_password(PyObject *self, PyObject *args)
{
char *newval;
const char *newval = NULL;
enum credentials_obtained obt = CRED_SPECIFIED;
int _obt = obt;
if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
PyObject *result = NULL;
if (!PyArg_ParseTuple(args, PYARG_STR_UNI"|i", "utf8", &newval, &_obt)) {
return NULL;
}
obt = _obt;
return PyBool_FromLong(cli_credentials_set_password(PyCredentials_AsCliCredentials(self), newval, obt));
result = PyBool_FromLong(cli_credentials_set_password(PyCredentials_AsCliCredentials(self), newval, obt));
PyMem_Free(discard_const_p(void*, newval));
return result;
}
static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args)
......@@ -659,7 +661,7 @@ static PyObject *py_creds_new_client_authenticator(PyObject *self,
netlogon_creds_client_authenticator(
nc,
&auth);
ret = Py_BuildValue("{ss#si}",
ret = Py_BuildValue("{s"PYARG_BYTES_LEN"si}",
"credential",
(const char *) &auth.cred, sizeof(auth.cred),
"timestamp", auth.timestamp);
......
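Review bot: In py_creds_set_password() `newval` is now a buffer that the argument parser allocates and the function releases with PyMem_Free, yet it is declared `const char *` and has to be passed through discard_const_p to be freed. Declaring it as `char *newval = NULL;` states the ownership and removes the cast. Since that buffer holds the plaintext password, it is also worth clearing it before the free, using a wipe the compiler cannot optimise away rather than a plain memset.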
#!/usr/bin/env python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This is unit with tests for LDAP access checks
......@@ -7,7 +7,6 @@ import optparse
import sys
import base64
import copy
import time
sys.path.insert(0, "bin/python")
import samba
......@@ -20,6 +19,13 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE
from samba import gensec
import samba.tests
from samba.tests import delete_force
from samba.credentials import Credentials
def create_credential(lp, other):
c = Credentials()
c.guess(lp)
c.set_gensec_features(other.get_gensec_features())
return c
parser = optparse.OptionParser("ldap [options] <host>")
sambaopts = options.SambaOptions(parser)
......@@ -40,11 +46,12 @@ host = args[0]
lp = sambaopts.get_loadparm()
creds = credopts.get_credentials(lp)
creds.set_gensec_features(creds.get_gensec_features() | gensec.FEATURE_SEAL)
creds_machine = copy.deepcopy(creds)
creds_user1 = copy.deepcopy(creds)
creds_user2 = copy.deepcopy(creds)
creds_user3 = copy.deepcopy(creds)
creds_user4 = copy.deepcopy(creds)
creds_machine = create_credential(lp, creds)
creds_user1 = create_credential(lp, creds)
creds_user2 = create_credential(lp, creds)
creds_user3 = create_credential(lp, creds)
creds_user4 = create_credential(lp, creds)
class BindTests(samba.tests.TestCase):
......@@ -164,4 +171,5 @@ unicodePwd:: """ + base64.b64encode(u"\"P@ssw0rd\"".encode('utf-16-le')).decode(
res = ldb_user4.search(base="", expression="", scope=SCOPE_BASE, attrs=["*"])
TestProgram(module=__name__, opts=subunitopts)
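Review bot: create_credential() has no docstring, and the call sites do not make it obvious that the five objects it builds no longer inherit anything from `creds` except the gensec feature flags, where `copy.deepcopy(creds)` previously carried over everything. A docstring such as `"""Return fresh Credentials guessed from lp, carrying over only other's gensec features."""` would record that each test is expected to set the username, password and domain itself. The BindTests body is outside the visible hunks, so whether every test does so could not be checked.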
......@@ -293,6 +293,8 @@ _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
{
bool ok;
/*
* gensec_want_feature(GENSEC_FEATURE_SIGN)
* and
......@@ -319,6 +321,20 @@ static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
}
}
if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
return NT_STATUS_OK;
}
ok = gensec_have_feature(gensec_security,
GENSEC_FEATURE_SIGN_PKT_HEADER);
if (!ok) {
DBG_ERR("backend [%s] does not support header signing! "
"auth_level[0x%x]\n",
gensec_security->ops->name,
gensec_security->dcerpc_auth_level);
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_OK;
}
......