Stefan Metzmacher [Mon, 3 Jul 2023 13:14:38 +0000 (15:14 +0200)]
s3:utils: let smbstatus report anonymous signing/encryption explicitly
We should mark sessions/tcons with anonymous encryption or signing
in a special way, as the value of it is void, all based on a
session key with 16 zero bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu May 23 13:37:09 UTC 2024 on atb-devel-224
Stefan Metzmacher [Fri, 30 Jun 2023 16:05:51 +0000 (18:05 +0200)]
s3:smbd: allow anonymous encryption after one authenticated session setup
I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit
da7dcc443f45d07d9963df9daae458fbdd991a47
was released with samba-4.15.0rc1.
Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:12:38 +0000 (15:12 +0200)]
s3:utils: let smbstatus also report partial tcon signing/encryption
We already do that for sessions and also for the json output,
but it was missing in the non-json output for tcons.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:12:38 +0000 (15:12 +0200)]
s3:utils: let smbstatus also report AES-256 encryption types for tcons
We already do that for sessions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:10:08 +0000 (15:10 +0200)]
s3:utils: let connections_forall_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:08:31 +0000 (15:08 +0200)]
s3:lib: let sessionid_traverse_read() report if the session was authenticated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Mon, 3 Jul 2023 13:05:59 +0000 (15:05 +0200)]
s3:utils: remove unused signing_flags in connections_forall()
We never use the signing flags from the session, as the tcon
has its own signing flags.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 15 May 2024 08:02:00 +0000 (10:02 +0200)]
s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Wed, 15 May 2024 08:51:42 +0000 (10:51 +0200)]
s4:libcli/smb2: add hack to test anonymous signing and encryption
This will be used in torture tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Stefan Metzmacher [Tue, 14 May 2024 16:21:33 +0000 (18:21 +0200)]
smbXcli_base: add hacks to test anonymous signing and encryption
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Douglas Bagnall [Wed, 22 May 2024 21:40:00 +0000 (09:40 +1200)]
ldb: move struct ldb_debug_ops to ldb_private.h
Only accessed through struct ldb_context -> debug_ops, which is already private.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224
Douglas Bagnall [Wed, 22 May 2024 21:36:57 +0000 (09:36 +1200)]
ldb: move struct ldb_utf8_fns to ldb_private.h
It is only accessed via ldb functions that find it on the already-private
struct ldb_context.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 12 May 2024 23:08:35 +0000 (11:08 +1200)]
s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.
This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 12 May 2024 22:39:44 +0000 (10:39 +1200)]
lib/fuzzing: add fuzz_strncasecmp_ldb
As well as checking for the usual overflows, this asserts that
strncasecmp_ldb is always transitive, by splitting the input into 3
pieces and comparing all pairs.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 23:38:10 +0000 (11:38 +1200)]
ldb: don't cast to unsigned for ldb_ascii_toupper()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 20 May 2024 22:55:53 +0000 (10:55 +1200)]
ldb: ldb_set_utf8_functions follows README.Coding
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 23:35:01 +0000 (11:35 +1200)]
ldb: deprecate ldb_set_utf8_fns
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 10 May 2024 03:43:36 +0000 (15:43 +1200)]
ldb: remove old ldb_comparison_fold_utf8_broken()
There are no callers.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 05:01:10 +0000 (17:01 +1200)]
ldb: ldb_comparison_fold always uses the casecmp function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 02:09:46 +0000 (14:09 +1200)]
ldb-samba: use ldb_comparison_fold_utf8()
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 10 May 2024 03:42:46 +0000 (15:42 +1200)]
ldb-samba: add ldb_comparison_fold_utf8, wrapping strncasecmp_ldb
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 14 May 2024 09:33:16 +0000 (21:33 +1200)]
util:charset: strncasecmp_ldb avoids iconv for ASCII
This is a common case, and we can save a bit of work.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 12 May 2024 23:32:26 +0000 (11:32 +1200)]
util:charset: strncasecmp_ldb degrades to ASCII strncasecmp
If strncasecmp_ldb() encounters invalid utf-8 bytes, it compares those
as greater than any valid bytes (that is, it sorts them to the end of
the list).
If an invalid sequence is encountered in both strings at once, the
rest of the strings are now compared using the default ldb_comparison_fold
rules, as implemented in ldb_comparison_fold_ascii(). That is, each
byte is compared individually, [a-z] are translated to [A-Z], and runs of
spaces are collapsed into single spaces.
There is no perfect answer in this case, but this solution is stable,
fine-grained, and probably close to what is expected. This
byte-by-byte comparison is equivalent to a utf-8 comparison without
case-folding of multibyte codes.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 30 Apr 2024 00:41:43 +0000 (12:41 +1200)]
util:charset: add strncasecmp_ldb()
This is a function for comparing strings in a way that suits a
case-insenstive syntaxes in LDB.
We have it here, rahter than in LDB itself, because it needs the
upcase table. By default uses ASCII-only comparisons. SSSD and
OpenChange use it in that configuration, but Samba replaces the
comparison and casefold functions with Unicode aware versions.
Until now Samba has done that in a bad way; this will allow it to do
better.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 23:37:18 +0000 (11:37 +1200)]
ldb: ldb_set_utf8_default() sets comparison function
The default is ASCII only, which is used by SSSD and OpenChange.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 May 2024 05:21:29 +0000 (17:21 +1200)]
ldb: ldb_comparison_fold_ascii sorts unsigned
Typically in 8-bit character sets, those with the 0x80 bit set are
seen as 288-255, not negative numbers. This will sort them after 'Z',
not before 'A'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 15 May 2024 08:51:08 +0000 (20:51 +1200)]
ldb: add ldb_comparison_fold_ascii() for default comparisons
This function is made from the ASCII-only bits of the old
ldb_comparison_fold() -- that is, what you get if you never follow a
`goto utf8str` jump. It comparse the bytes, but collapses spaces and
maps [a-z] to [A-Z].
This does exactly what ldb_comparison_fold_utf8_broken() would do in
situations where ldb_casfold() calls ldb_casefold_default(). That
means SSSD.
The comparison is probably using signed char, so high bytes are
actually low bytes.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 19 May 2024 03:09:26 +0000 (15:09 +1200)]
ldb: ldb_comparison_fold uses the utf-8 casecmp function
But only if it is set, which it never is (so far).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 23:34:35 +0000 (11:34 +1200)]
ldb: add ldb_set_utf8_functions() for setting casefold functions
This replaces ldb_set_utf8_fns(), which will be deprecated really soon.
The reason for this, as shown in surrounding commits, is that without
an explicit case-insensitive comparison we need to rely on the casefold,
and if the casefold can fail (because, e.g. bad utf-8) the comparison
ends up being a bit chaotic. The strings being compared are generally
user controlled, and a malicious user might find ways of hiding values
or perhaps fooling a binary search.
A case-insensitive comparisons that works gradually through the string
without an all-at-once casefold is better placed to deal with problems
where they happen, and we are able to separately specialise for the
ASCII case (used by SSSD) and the UTF-8 case (Samba).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 May 2024 02:10:06 +0000 (14:10 +1200)]
ldb: move ldb_comparison_fold guts into a separate function
We're going to make this use a configurable pointer.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 9 May 2024 04:52:53 +0000 (16:52 +1200)]
ldb: add a utf-8 comparison fold callback
This isn't used yet, but it will allow library users to select a
case-insensitive comparison function that matches their chosen casefold.
This will allow the comparisons to be consistent when the strings are bad,
whereas currently we kind of guess.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 1 May 2024 03:32:03 +0000 (15:32 +1200)]
lib/util/charset: be explicit about INVALID_CODEPOINT value
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 19 May 2024 23:15:47 +0000 (11:15 +1200)]
ldb: add test_ldb_comparison_fold
Currently this fails like this:
test_ldb_comparison_fold_default_common: 118 errors out of 256
test_ldb_comparison_fold_default_ascii: 32 errors out of 100
test_ldb_comparison_fold_utf8_common: 40 errors out of 256
test_ldb_comparison_fold_utf8: 28 errors out of 100
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 9 May 2024 01:16:50 +0000 (13:16 +1200)]
s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224
Jo Sutton [Mon, 15 Apr 2024 02:46:47 +0000 (14:46 +1200)]
s4:kdc: Merge current and previous gMSA keys during period when both are valid
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 26 Apr 2024 01:43:57 +0000 (13:43 +1200)]
tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 26 Apr 2024 01:54:42 +0000 (13:54 +1200)]
s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 05:11:03 +0000 (17:11 +1200)]
s4:libnet: Update export_keytab() docstring
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 01:45:08 +0000 (13:45 +1200)]
s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()
This will allow us to specify whether to specify this flag for a keytab
export.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 00:48:53 +0000 (12:48 +1200)]
python:tests: Extract keytab_as_set() function to be usable by other tests
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 01:38:53 +0000 (13:38 +1200)]
python:tests: Manually raise AssertionError
This removes the last dependency on ‘self’ in this method.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 00:45:27 +0000 (12:45 +1200)]
python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 22 May 2024 04:07:17 +0000 (16:07 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202405220400 (commit
8276d6311146b8ab5d57d092bc5d5fa28282a900)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Mar 2024 15:02:02 +0000 (16:02 +0100)]
WHATSNEW: Add 'dns hostname'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 05:41:06 +0000 (07:41 +0200)]
auth:ntlmssp: Use lpcfg_dns_hostname()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:17:04 +0000 (08:17 +0200)]
auth:ntlmssp: Remove trailing spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:16:33 +0000 (08:16 +0200)]
s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:13:04 +0000 (08:13 +0200)]
s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 05:37:09 +0000 (07:37 +0200)]
s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 05:34:54 +0000 (07:34 +0200)]
s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 4 Apr 2024 09:28:39 +0000 (11:28 +0200)]
s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 4 Apr 2024 09:31:06 +0000 (11:31 +0200)]
s4:dfs_server: Use lpcfg_dns_hostname() in dfs_server_ad.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:19:25 +0000 (08:19 +0200)]
s3:rpc_server: Use lpcfg_dns_hostname() in srv_witness_nt.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 17:15:36 +0000 (19:15 +0200)]
python:tests: Ignore case for group_name comparison
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:23:23 +0000 (08:23 +0200)]
s3:utils: Use lp_dnsdomain() in net_ads.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 12 Apr 2024 06:33:06 +0000 (08:33 +0200)]
s3:libnet: Convert myalias to lower case
This will be more consistent as it is a dnsname.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 4 Apr 2024 09:24:13 +0000 (11:24 +0200)]
s3:libnet: Use lp_dns_hostname() in libnet_join.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Mar 2024 15:00:47 +0000 (16:00 +0100)]
s3:lib: Remove obsolete name_to_fqdn()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Mar 2024 14:59:14 +0000 (15:59 +0100)]
s3:librpc: Use lp_dns_hostname() for creating the fqdn
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 6 Mar 2024 14:53:17 +0000 (15:53 +0100)]
s3:utils: Use lp_dns_hostname() for 'net' dns updates
name_to_fqdn() requires /etc/hosts to be set up in a special way to find
out the fqdn for dns updates. They are not set up by default and the
DNS update fails. Normally the fqdn is just <lp_netbios_name>.<realm>
and we should just use that. However if it is different, you can set
it to the special value in the smb.conf now.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 9 Jan 2024 14:47:48 +0000 (15:47 +0100)]
docs-xml: Add smb.conf option 'dns hostname'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 14 May 2024 14:55:58 +0000 (16:55 +0200)]
selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 05:26:48 UTC 2024 on atb-devel-224
Stefan Metzmacher [Tue, 6 Feb 2024 20:09:58 +0000 (21:09 +0100)]
s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.
From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 21 May 2024 08:20:36 +0000 (20:20 +1200)]
s3:smbcacls: fix ace_compare
We got this wrong in commit
31101a9fa1503be9d8137e42466f57d85136a156.
In fact, we should probably not reorder the inherited ACLs, but that
is for another patch series.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 14 May 2024 02:58:51 +0000 (14:58 +1200)]
lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 09:25:12 +0000 (21:25 +1200)]
spelling: comments: synthax -> syntax
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 09:22:57 +0000 (21:22 +1200)]
spelling: fix spelling of privilege.ldb in comments
'privileges' is a word, but the ldb referred to is privilege.ldb
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 21 May 2024 09:21:03 +0000 (11:21 +0200)]
libsmb: Remove file_info->[ug]id
These fields were never assigned
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 21 May 2024 06:38:19 +0000 (08:38 +0200)]
smbd: Simplify request_timed_out
timeval_expired does what we need here
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 21 May 2024 06:31:45 +0000 (08:31 +0200)]
lib: Use struct initialization
Make sure everything is initialized
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 20 May 2024 13:19:06 +0000 (15:19 +0200)]
libsmb: Remove a talloc_strdup()
We're directly overwriting state->mask without actually using it for
anything real.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 20 May 2024 08:38:47 +0000 (10:38 +0200)]
libsmb: Remove an unneeded NULL check
We have dereferenced p_last_name_raw before in the call to
data_blob_free, our only caller does give us a pointer
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 20 May 2024 08:06:46 +0000 (10:06 +0200)]
libsmb: Remove unused cli_list_trans()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 17 May 2024 10:32:20 +0000 (12:32 +0200)]
libsmb: Use SMB2_0_INFO_ constants instead of magic numbers
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 17 May 2024 14:05:19 +0000 (16:05 +0200)]
libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 17 May 2024 14:07:44 +0000 (16:07 +0200)]
lib: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 17 May 2024 10:28:53 +0000 (12:28 +0200)]
libsmb: Avoid pointless intermediate variables
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 17 May 2024 10:23:19 +0000 (12:23 +0200)]
libsmb: Use the direct FSCC_ infolevels
Could have done this as part of
1776918c5bf already.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 10:59:28 +0000 (12:59 +0200)]
smbd: Remove an unused function parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 10:49:17 +0000 (12:49 +0200)]
smbd: Remove an unnecessary else
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 10:05:38 +0000 (12:05 +0200)]
smbd: Remove a no-op call to init_strict_lock_struct
"lock" is a variable on the stack, and initializing it is all that
init_strict_lock_struct does. We've done the corresponding checks
already in smbd_smb2_read_send
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 10:04:23 +0000 (12:04 +0200)]
smbd: Remove an unnecessary else branch
We return in the if branch, review with "git show -w"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Tue, 21 May 2024 08:12:22 +0000 (10:12 +0200)]
smbd: Return correct error for fallback sendfile
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 10:03:46 +0000 (12:03 +0200)]
smbd: Use direct struct initialization
Make sure all fields in the target struct are initialized
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 15 May 2024 15:26:27 +0000 (17:26 +0200)]
smbd: Remove the ZERO_ZERO define
This code went in with
e8e98c9ea06 in 2001 without any mention in the
commit message.
I don't remember all details, but there was some discussion around the
offset=0,length=0 lock being somehow special. These days [MS-FSA]
defines the required behaviour (don't conflict) and we implement that
behaviour.
If someone still remembers why this code is in and thinks it's
worthwhile, that's what version control is for.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 15 May 2024 15:14:55 +0000 (17:14 +0200)]
smbd: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 16 May 2024 13:27:05 +0000 (15:27 +0200)]
smbd: Move a DBG_DEBUG up
Make it line up with the other branches
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 15 May 2024 15:10:24 +0000 (17:10 +0200)]
smbd: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 14:15:17 +0000 (16:15 +0200)]
test_kinit_export_keytab: reset pw of the test account and test --only-current-keys
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 04:07:02 UTC 2024 on atb-devel-224
Stefan Metzmacher [Fri, 15 Mar 2024 15:14:18 +0000 (16:14 +0100)]
samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 15:31:22 +0000 (16:31 +0100)]
samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep()
This tests that only_current_keys=True works.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 15:11:10 +0000 (16:11 +0100)]
s4:libnet_export_keytab: add only_current_keys option
By default we also export on the old and older passwords...
In order to do a kinit with a keytab it might we useful to
include only the current keys.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:14:06 +0000 (14:14 +0100)]
s4:kdc: also provide cross-realm keys via samba_kdc_seq()
This means that 'samba-tool domain exportkeytab' is able to
export them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:23:46 +0000 (19:23 +0100)]
s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:19:20 +0000 (19:19 +0100)]
s4:kdc: split out samba_kdc_fill_trust_keys() helper
This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.
Review with: git show -p --patience
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:19:20 +0000 (19:19 +0100)]
s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry()
This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:19:20 +0000 (19:19 +0100)]
s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry()
This will simplifiy further changes.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:19:20 +0000 (19:19 +0100)]
s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
We already handle it in samba_kdc_fill_user_keys() mostly for DES keys,
but other encryption types might be from kerberos libraries in future.
And things like FIPS mode may also alter the runtime behaviour.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 18:19:20 +0000 (19:19 +0100)]
s4:kdc: split out samba_kdc_fill_trust_keys() helper
Let samba_kdc_trust_message2entry() also fill in the salt used
by the key. This is not strictly needed, but it's better to
be consistent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 17:27:19 +0000 (18:27 +0100)]
s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>