Age | Commit message (Collapse) | Author | Files | Lines |
|
This changes (again...) our system md5 detection to cope with how
OpenIndiana does md5. I'm becoming increasingly convinced this isn't
worth our while (we should have just done samba_md5...), but for now
this change seems to work on FreeBSD, OpenIndiana and Linux with
libbsd.
This needs us to rename struct MD5Context -> MD5_CTX, but we provide a
config.h define to rename the type bad if MD5_CTX does not exist (it does
however exist in the md5.h from libbsd).
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 19 21:32:36 CEST 2013 on sn-devel-104
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
terminated string
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Pair-Programmed-With: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
|
|
This reverts commit f8056b7a6998e002f473b0ad79eee046236a7032.
A better fix will follow.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
|
|
Honor password complexity settings when creating new users.
Without this patch, you could set simple passwords although the complexity
settings were enabled. This was an issue with 'samba-tool user add' and also
when adding new users via Windows' "Active Directory Users and Computers"
MMC Snap-In.
The following scenarios were tested successfully after applying the patch:
-'samba-tool user add' against s4
-'samba-tool user add -H' against a Windows DC
-Adding a new user on a s4 DC using Windows' "Active Directory Users and
Computers" MMC Snap-In.
Please note that this bug was caused by a mistake in the documentation.
Fix bug #9414 - 'samba-tool user add' ignores password complexity settings.
Pair-programmed-with: Karolin Seeger <kseeger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 6 05:11:43 CET 2012 on sn-devel-104
|
|
This was an interesting hack, and the local_password module still exists, but
until it has a use case and a test case, remove the bypass of password_hash.
Andrew Bartlett
|
|
Guenther
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
supplementalCredentials
If this is missing a w2k8r2 server will reboot, when someone tries to
change a password.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Jan 16 17:10:07 CET 2012 on sn-devel-104
|
|
Bail out on other LDB request types (only add and modify allowed).
|
|
Which allows the caller to pass a given 'pwdLastSet' value
(every useful for migrations).
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Oct 7 15:28:13 CEST 2011 on sn-devel-104
|
|
|
|
convert_string*()
we shouldn't accept bad multi-byte strings, it just hides problems
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
|
|
|
|
this preserves the request hierarchy for dsdb_module_*() calls inside
dsdb ldb modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
used
Make it much harder to import bad data into the password attributes.
This isn't 100% safe, but much better than no checks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
|
|
This seems to have been broken some time ago - till someone on the
mailing list noticed it.
I've also added a testsuite (and some additional SamDB python helpers) which
should prove this.
|
|
|
|
conversion errors
This errors can happen also on a regular basis - then we shouldn't return
ERR_OPERATIONS_ERROR (this error code is reserved for very serious failures).
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 13 12:37:36 UTC 2010 on sn-devel-104
|
|
The cleartext_utf16_str variable was declared char **, but due to the
cast on convert_string_talloc() and the lack of type checking here and
on data_blob_const (due to void *) it was able to be used as if it was
a char *.
The simple solution seems to be to fill in cleartext_utf16 blob directly.
Andrew Bartlett
|
|
The UTF16MUNGED helper will map all invalid sequences (except odd
input length) to valid input sequences, per the rules. Therefore if
it fails, we need to bail out, somehing serious is wrong.
Andrew Bartlett
|
|
according to the "dSHeuristics"
|
|
the password_hash LDB module
It's only used there and so I think it doesn't really belong in
"dsdb/common/util.c" (I first thought that it could be useful for ACL checking
but obviously it wasn't).
|
|
enables/disables the two "userPassword" behaviours
- Enabled: "userPassword" password change behaviour (will later be linked to the
"dSHeuristics")
- Disabled: "userPassword" plain attribute behaviour (default)
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 8 15:28:06 UTC 2010 on sn-devel-104
|
|
complicated
|
|
- don't crash when no values where specified
- return ERR_CONSTRAINT_VIOLATION on malformed messages
- only check for flags when we are involved in a LDB modify operation
|
|
attributes isn't possible
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Nov 5 12:31:28 UTC 2010 on sn-devel-104
|
|
|
|
|
|
"samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
password change control
|
|
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
|
|
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
important failure cases
|
|
|
|
on password change operations
This is to match the SAMR password change behaviour.
|
|
|
|
passwords
Sooner or later this module should take over all password change actions.
|
|
To match the passwords.py test
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
|
|
metze
|
|
metze
|
|
When a user only provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
|
|
hash
Previously, only the conversion from cleartext to the LM hash was deactivated,
and not when the user specified it directly through "dBCSPwd".
|
|
|