Age | Commit message (Collapse) | Author | Files | Lines |
|
hash
Previously, only the conversion from cleartext to the LM hash was deactivated,
and not when the user specified it directly through "dBCSPwd".
|
|
|
|
"ldb_msg_remove_attr" behaviour
|
|
|
|
|
|
This reverts commit 6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
|
|
before copying them"
This reverts commit fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
|
|
it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
|
|
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
|
|
|
|
copying them
|
|
This is to don't break the provision process at the moment. We need to find
a better solution.
|
|
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
|
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
|
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
|
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
|
metze
|
|
|
|
For add requests we need the add request messages, for modify requests we need
the modify request messages.
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
user.
Makes sure samAccountName has been specified before adding a
user. This happened while I was trying to add a user with the
posixAccount objectclass. I forgot to specify the user objectClass,
and samba segfaulted. It now returns LDB_ERR_CONSTRAINT_VIOLATION.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Rather than have a repeat of the bugs we found at the plugfest where
hexidecimal strings must be in upper or lower case in particular
places, ensure that each caller chooses which case they want.
This reverts most of the callers back to upper case, as things were
before tridge's patch. The critical call in the extended DN code is
of course handled in lower case.
Andrew Bartlett
|
|
|
|
According to abartlet's response on my post about "lp_workgroup" this should be
the right call.
|
|
And don't cut them out from the DNS hostname.
|
|
This was a bad idea all along, as Simo said at the time. With the
full MS schema and enforcement of it, it is an even worse idea.
This fixes the provision of the member server in 'make test'
Andrew Bartlett
|
|
These additional debug messages were added to help us track down
w2k8->s4 domain join
|
|
The previous commit changed the wrong end - we must fix our server,
not our client.
Andrew Bartlett
|
|
Additional notes:
- Bump the level to Windows Server 2008 R2 (we should support always the latest
version - if we provision ourself)
- In "descriptor.c" the check for the "domainFunctionality" level shouldn't be
needed: ACL owner groups (not owner user) are supported since Windows 2000
Server (first AD edition)
- I took the argument from: http://support.microsoft.com/kb/329194
|
|
Some corrections which make the code a bit more readable (no functional changes here)
|
|
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.
We also use the functional level to determine if we should store AES
Kerberos keys.
Andrew Bartlett
|
|
Guenther
|
|
Windows 7 sets it's join password using the unicodePwd attribute (as a
quoted, utf16 string), and does so during the LDAPAdd of the object.
Previously, this code only handled unicodePwd for modifies.
Andrew Bartlett
|
|
The clients that do only lanman auth are on their way out, the
passwords are case insensitive, it does not support unicode and we
should not store such a poor hash of the password if we can avoid it.
Andrew Bartlett
|
|
|
|
consistency with Samba 3.
|
|
The Win7-beta domain process has changed. It no longer uses SAMR for
setting the password, and instead uses a ldap modify on a SASL
encrypted ldap connection. We didn't handle that as the unicodePwd
attribute has a dual use, holding the nt style MD4 hases for DRS
replication, but holding a UTF-16 plaintext password for a LDAP
modify.
This patch copes with the ldap unicodePwd modify by recognising the
format and creating the correct attributes on the fly. Note that this
assumes we will never get a unicodePwd attribute set in NT MD4 format
with the first 2 and last 2 bytes set to 0x22 0x00.
Andrew Bartlett is looking at a more robust solution, possibly using a
flag to say that this modify came via ldap, and not internal ldb
calls.
|
|
The only 2 modules escaping the rule so far are rootdse and partitions
|
|
This fixes the creation of the user object for incoming trusts
in dcesrv_lsa_CreateTrustedDomain_base().
And now w2k3 trust samba4 just fine:-)
metze
|
|
now to work out how to test this ...
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
3.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
|
|
|
|
metze
(This used to be commit fac7c79afae05a88ecc2a63c8eb9f2fd53ab7ce6)
|
|
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
(This used to be commit 08618bbd508ede0bb9e1922fae562cffdca41cbd)
|
|
like windows
metze
(This used to be commit ca9cd81a1798fb15195566422b3cad7c282fce89)
|
|
metze
(This used to be commit 4ad73a0bf8952783d3d9a7339c0c4fd8ca28981a)
|