Andreas Schneider [Wed, 6 Jun 2018 08:07:59 +0000 (10:07 +0200)]
WIP
Andreas Schneider [Mon, 6 Nov 2017 11:15:08 +0000 (12:15 +0100)]
WIP: s4:selftest: Turn on auth_log tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Wed, 25 Oct 2017 07:09:01 +0000 (09:09 +0200)]
mit_kdb: Add support for authentication logging
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Tue, 5 Jun 2018 14:25:59 +0000 (16:25 +0200)]
mit_kdb: Init the messaging client context
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Mon, 6 Nov 2017 07:58:27 +0000 (08:58 +0100)]
krb5_wrap: Add smb_krb5_kaddr_to_sockaddr()
Signed-off-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 11 Aug 2017 11:42:48 +0000 (13:42 +0200)]
WORKAROUND s4:dns:bind_dlz: Disable the replay cache
samba_dnsupdate --all-names fails with 'Request is a replay' using MIT
Kerberos ...
Signed-off-by: Andreas Schneider <asn@samba.org>
Christof Schmitt [Tue, 2 May 2023 19:17:56 +0000 (12:17 -0700)]
ctdb-recovery: Use correct struct ban_node_state type for state
If this codepath is hit, ctdb aborts with:
ctdb/server/ctdb_recovery_helper.c:2687: Type mismatch: name[struct ban_node_state] expected[struct node_ban_state]")
at ../../lib/talloc/talloc.c:505
Fix this by using the correct type.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 3 08:04:09 UTC 2023 on atb-devel-224
Dmitry Antipov [Thu, 27 Apr 2023 15:37:29 +0000 (18:37 +0300)]
s4:lib:policy: cleanup and handle errors in push_recursive()
Prefer 'char' and 'ssize_t' over 'int' for I/O-related
calls and handle more possible errors in push_recursive().
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Apr 28 14:19:12 UTC 2023 on atb-devel-224
David Mulder [Wed, 19 Apr 2023 20:11:05 +0000 (14:11 -0600)]
gp: Add site-dn fallback when rpc call fails
In testing I noticed that the rpc call for the
site name is failing when joined via SSSD. This
commit adds a fallback to check using the old
style method found in ads_site_dn_for_machine()
(which works, but doesn't obey the Group Policy
spec) if the rpc call fails.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr 28 03:14:25 UTC 2023 on atb-devel-224
David Mulder [Wed, 15 Mar 2023 19:46:58 +0000 (13:46 -0600)]
Add a WHATSNEW entry indicating libgpo py deprecation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Tue, 14 Mar 2023 21:35:01 +0000 (15:35 -0600)]
gpo: Group Policy tests require a s3 loadparam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Tue, 14 Mar 2023 18:37:54 +0000 (12:37 -0600)]
gpupdate: Deprecate libgpo.get_gpo_list
This is no longer used by gpupdate.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Tue, 14 Mar 2023 17:21:02 +0000 (11:21 -0600)]
gpupdate: Implement get_gpo_list in python
The ADS code in libgpo is buggy. Rewrite
get_gpo_list in python using SamDB.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 16 Apr 2023 06:13:55 +0000 (18:13 +1200)]
libcli/security/tests: test strings for windows and samba SDDL tests
These are produced by editing `python/samba/test/sddl.py to enable
`test_write_test_strings`, the running `make test TESTS='sddl\\b'`.
The windows executable from the C file added in a recent commit can
run these tests using the `-i` flag.
The Samba sddl.py tests can be induced to use them too, but that is
only useful for showing they are still in sync.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 25 Aug 2022 13:29:09 +0000 (14:29 +0100)]
s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights
prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.
While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)
Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.
adjust
samba4.blackbox.samba-tool_ntacl
samba3.blackbox.large_acl
samba.tests.samba_tool.ntacl
samba.tests.ntacls
samba.tests.posixacl
so various string comparisons of the sddl format now pass
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
numbers, eg 0x001]
Noel Power [Thu, 25 Aug 2022 12:52:56 +0000 (13:52 +0100)]
s3/utils: value for ace_flags value "FA" is incorrect
value for FA should be 0x001f01ff (instead of 0x00001ff)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 26 Apr 2023 05:00:17 +0000 (17:00 +1200)]
pytest:sddl: show the correct handling of the "FA" SDDL flag
The "FA" flag should map to 0x1f01ff, and 0x1f01ff should be converted
back into "FA".
This will be fixed over the next couple of commits.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 26 Apr 2023 04:27:38 +0000 (16:27 +1200)]
pytest:sddl Samba had the wrong value for FA, now fix the tests
The tests that were in SddlWindowsFlagsAreDifferent have the behaviour
we want, and as we aim for Samba flags no longer being different, we
shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing
are removed because they showed Samba's old behaviour around FA.
This will create knownfails, which will be fixed by the commit fixing the
value of "FA".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Tue, 25 Apr 2023 22:24:25 +0000 (10:24 +1200)]
libcli:security:sddl: accept only 8-4-4-4-12 GUIDs
Before we would take strings in a variety of lengths and formats,
which is not what Windows does or [MS-DTYP] says.
This was found by looking at evolved fuzz seeds. Note the 16 and 32
byte sequences in GUID position below:
$ hd $(ls -t seeds/fuzz_sddl_parse/* | head -1)| head
00000000 44 3a 41 52 50 50 50 50 50 28 4f 4c 3b 3b 46 57 |D:ARPPPPP(OL;;FW|
00000010 3b 30 7e ff ff ff ff ff ff ff 2d 31 38 f5 ff ff |;0~.......-18...|
00000020 fb 3b 3b 52 43 29 28 4f 44 3b 3b 46 57 3b 3b 3b |.;;RC)(OD;;FW;;;|
00000030 52 43 29 28 4f 44 3b 3b 46 57 3b 30 30 ff ff ff |RC)(OD;;FW;00...|
00000040 fb 30 e9 9b 3c cf e6 f5 ff ff fb 3b 3b 52 43 29 |.0..<......;;RC)|
00000050 28 4f 44 3b 3b 46 57 43 52 3b 3b 3b 52 43 29 28 |(OD;;FWCR;;;RC)(|
00000060 4f 44 3b 3b 46 58 47 52 3b 3b 33 43 43 35 38 37 |OD;;FXGR;;3CC587|
00000070 32 35 44 44 44 44 44 44 44 44 44 44 44 44 44 44 |
25DDDDDDDDDDDDDD|
00000080 44 44 44 44 44 44 44 44 44 44 3b 52 43 29 28 4f |
DDDDDDDDDD;RC)(O|
00000090 44 3b 3b 46 58 3b 3b 3b 52 43 29 28 4f 44 3b 3b |D;;FX;;;RC)(OD;;|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 26 Apr 2023 00:40:22 +0000 (12:40 +1200)]
pytest:large_ldap: use a valid ACE
Real ACEs don't have {} around their GUIDs. This will soon be banned.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 25 Apr 2023 22:33:12 +0000 (10:33 +1200)]
pytest:sddl: test we only accept normal GUIDs
By normal GUID, I mean ones like
f30e3bbf-9ff0-11d1-b603-
0000f80367c1,
with four hyphens and no curly braces.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 23 Apr 2023 00:36:35 +0000 (12:36 +1200)]
libcli:security:sddl_decode_access allows spaces between flags
because Windows does.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 22 Apr 2023 20:52:42 +0000 (08:52 +1200)]
pytest:sddl: tests around spaces in access flags and SIDs
It turns out that in accesss flags Windows will allow leading spaces
and spaces separating flags but not trailing spaces.
We choose to follow this in part because we found it happening in the
wild in our tests for upgradeprovision until a few commits ago.
Windows will also allow spaces in some parts of SIDs.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Apr 2023 12:48:30 +0000 (00:48 +1200)]
pytest:sddl debugging: should_fail test says how it failed
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Apr 2023 12:47:16 +0000 (00:47 +1200)]
libcli:security: sddl_decode_ace: don't allow junk after SID
sddl_decode_sid() will stop at the first non-SID character. Windows
doesn't allow white space here, and nor do we.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Apr 2023 03:47:32 +0000 (15:47 +1200)]
libcli/security: sddl_decode_access rejects trailing rubbish
Before we just ignored things like negative numbers, because they'd
end up being seen as not-numbers, so treated as flags, then as
not-flags.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Apr 2023 03:47:10 +0000 (15:47 +1200)]
libcli:security: sddl_map_flags rejects trailing nonsense
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 19 Apr 2023 05:08:02 +0000 (17:08 +1200)]
s3:torture: sid2unixid2: DEBUG blames the right function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 19 Apr 2023 04:37:53 +0000 (16:37 +1200)]
s3:torture:LOCAL-IDMAP-TDB-COMMON: avoid talloc stacktrace
The short version is:
Running LOCAL-IDMAP-TDB-COMMON
test_getnewid1: PASSED!
test_setmap1: PASSED!
test_unixid2sid1: PASSED!
test_sid2unixid1: could not create uid map!
TEST LOCAL-IDMAP-TDB-COMMON FAILED!
LOCAL-IDMAP-TDB-COMMON took 0.029819 secs
Freed frame ../../source3/torture/torture.c:15748, expected ../../source3/torture/test_idmap_tdb_common.c:986.
===============================================================
INTERNAL ERROR: Frame not freed in order. in pid
3692106 (4.19.0pre1-DEVELOPERBUILD)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid
3692106): Frame not freed in order. in 4.19.0pre1-DEVELOPERBUILD
BACKTRACE: 11 stack frames:
#0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x32) [0x7f2f39b430ba]
#1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x1dd) [0x7f2f39b43037]
#2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x1c) [0x7f2f39b43056]
#3 bin/shared/libsamba-util.so.0(+0x75309) [0x7f2f3a659309]
#4 bin/shared/private/libtalloc-samba4.so(+0x5cc6) [0x7f2f3a758cc6]
#5 bin/shared/private/libtalloc-samba4.so(+0x6173) [0x7f2f3a759173]
#6 bin/shared/private/libtalloc-samba4.so(_talloc_free+0x10c) [0x7f2f3a75a54b]
#7 /data/samba/samba-review/bin/smbtorture3(main+0xa97) [0x55cb3dc8cedc]
#8 /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f2f396d4d90]
#9 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f2f396d4e40]
#10 /data/samba/samba-review/bin/smbtorture3(_start+0x25) [0x55cb3dc59895]
smb_panic(): calling panic action [/data/samba/samba-review/selftest/gdb_backtrace
3692106]
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 02:46:52 +0000 (14:46 +1200)]
pytest:sddl: add tests for long DACLs, differing flag interpretations
Windows converts hex numbers into flags differently, and has different
ideas of what constitutes "FA", and possibly others.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 16 Apr 2023 06:43:40 +0000 (18:43 +1200)]
pytest:sddl: let hex numbers differ in case (0xa == 0xA)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Apr 2023 08:29:53 +0000 (20:29 +1200)]
pytest:sddl: helpers to exchange SDDL strings with Windows testprogram
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 22 Mar 2023 02:49:26 +0000 (15:49 +1300)]
libcli/security: SDDL parse tests to run on Windows
The C version tests the public SDDL API on Windows which seems to follow
Active Directory closely, though case in hex numbers is reversed vis-a-vis
defaultSecurityDescriptor.
The python version is less refined and tests powershell functions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Apr 2023 08:32:30 +0000 (20:32 +1200)]
pytest:sddl: SDDL strings where Windows behaviour differs
These ones we might want to match. They are understandable behaviours,
like matching lowercase flags and coping with whitespace in some
places. These tests are set up to document the differences without
overwhelming the knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Apr 2023 08:24:24 +0000 (20:24 +1200)]
pytest:sddl: Add negative tests of unparseable strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 15 Apr 2023 08:42:12 +0000 (20:42 +1200)]
pytest:sddl: allow tests to make negative assertions
If the subclass has `should_succeed = False`, all the cases
in that class will be tested to ensure they can't be
successfully parsed.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 03:59:32 +0000 (15:59 +1200)]
pytest:sddl: split each string into it's own test
This of course allows for fine-grained knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 22 Apr 2023 06:11:49 +0000 (18:11 +1200)]
pytest:sddl: tweak some test strings
Adding, diversifying, and disambiguating. The leading portion of the
test stirngs will soon be used in the test name, and strings that
don't differ in the first hundred characters will cause naming
clashes. There is no good reason for them all to test the same flags
in the same order.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 10:18:21 +0000 (22:18 +1200)]
pytest/sddl: split tests into canonical and non-canonical
The examples in the canonical list are already in the form that
Windows and Samba will use for that SD. We check the round trip.
The examples in the non-canonical list will change in a round trip, so
we also give the string we think they should end up as. These have
been checked on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 11:18:04 +0000 (23:18 +1200)]
pytest/sddl: remove unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 13:00:18 +0000 (01:00 +1200)]
pytest/sddl: rework to allow multiple lists, no early stop
The test will fail right now because it makes round trip assertions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 22 Mar 2023 03:31:10 +0000 (16:31 +1300)]
pytest/sddl: assert sddl string equality
It's not that I think our SD equality check will miss anything, but we
are here to test things like that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 21 Mar 2023 00:10:52 +0000 (13:10 +1300)]
pytest/sddl: remove duplicate test case
The other copy is on line 102.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 21 Mar 2023 00:05:55 +0000 (13:05 +1300)]
pytest/sddl: give test more of a name
I think it worked, but the convention is that tests have a test_ prefix,
and it woudn't be surpoising if something somewhere decides to depend on
that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 21 Mar 2023 00:02:13 +0000 (13:02 +1300)]
pytests/sddl: clarify boundaries between sddl cases
It is now easier to see where one SD ends and another starts.
Best looked at with -b or --word-diff.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 23:50:23 +0000 (11:50 +1200)]
pytest:posixacl: expect canonical ACE flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 23:44:04 +0000 (11:44 +1200)]
pytest:samba-tool ntacl: expect canonical ACE flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 23:42:57 +0000 (11:42 +1200)]
py:provision: use canonical representation of ACE flags
This is because in ceetain places we compare strings rather than security
descriptors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 23:16:03 +0000 (11:16 +1200)]
pytest:ntacls: adapt for canonical flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 23:52:29 +0000 (11:52 +1200)]
s3:test_larg_acl: adapt for the canonical ACE flags format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 17 Apr 2023 02:48:41 +0000 (14:48 +1200)]
test:bb/samba-tool ntacl: let return acl flag lack hex padding
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 24 Mar 2023 01:21:14 +0000 (14:21 +1300)]
libcli/security: do not pad sddl flags with zeros
We don't see this happening on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 24 Mar 2023 03:18:44 +0000 (16:18 +1300)]
libcli/security: ace type is not enum not flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 11 Apr 2023 22:46:30 +0000 (10:46 +1200)]
libcli/security: disallow sddl access masks greater than 32 bits
Our previous behaviour (at least with glibc) was to clip off the extra
bits, so that 0x123456789 would become 0x23456789. That's kind of the
obvious thing, but is not what Windows does, which is to saturate the
value, rounding to 0xffffffff. The effect of this is to turn on all
the flags, which quite possibly not what you meant.
Now we just return an error.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 23 Mar 2023 21:28:09 +0000 (21:28 +0000)]
libcli/security: allow decimal/octal numbers in SDDL access mask
This follows Windows and [MS-DTYP].
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 08:17:56 +0000 (21:17 +1300)]
lib/sec/sddl: allow empty non-trailing ACL with flags
The string "S:D:P" is parsed by us and Windows into a valid struct,
which has an empty DACL with the PROTECTED flag, and an empty SACL.
This is reconstructed in canonical order as "D:PS:", which Windows
will correctly parse, but Samba has assumed the "S" is a bad DACL
flag. Now we don't make that assumption.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 23:19:00 +0000 (12:19 +1300)]
pytest:sddl: test empty DACL with flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 02:46:08 +0000 (15:46 +1300)]
libcli/sec/sddl decode: allow hex numbers in SIDs
These occur canonically when the indentifier authority is > 2^32, but
also are accepted by Windows for any number.
There is a tricky case with an "O:" or "G:" SID that is immediately
followed by a "D:" dacl, because the "D" looks like a hex digit. When
we detect this we need to subtract one from the length.
We also need to do look out for trailing garbage. This was not an
issue before because any string caught by the strspn(...,
"-
0123456789") would be either rejected or fully comsumed by
dom_sid_parse_talloc(), but with hex digits, a string like
"S-1-1-2x0xabcxxx-X" would be successfully parsed as "S-1-1-2", and
the "x0xabcxxx-X" would be skipped over. That's why we switch to using
dom_sid_parse_endp(), so we can compare the consumed length to the
expected length.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 02:44:11 +0000 (15:44 +1300)]
libcli/sec/sddl decode: don't ignore random junk.
previously a string could have anything in it, so long as every second
character was ':'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 21 Apr 2023 03:32:01 +0000 (15:32 +1200)]
libcli/security/dom_sid: use (unsigned char) in isdigit()
The man page notes:
The standards require that the argument c for these functions
is either EOF or a value that is representable in the type
unsigned char. If the argument c is of type char, it must be
cast to unsigned char, as in the following example:
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 16 Apr 2023 00:21:16 +0000 (12:21 +1200)]
libcli/security/dom_sid: hex but not octal is OK for sub-auth
Following Windows, the numbers that would be octal (e.g. "0123") are
converted to decimal by skipping over the zeros.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 11 Apr 2023 23:39:25 +0000 (11:39 +1200)]
libcli/security: avoid overflow in subauths
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 11 Apr 2023 23:38:24 +0000 (11:38 +1200)]
libcli/security: stricter identauth parsing
We don't want octal numbers or overflows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 02:42:52 +0000 (15:42 +1300)]
libcli/security: avoid overflow in revision number
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 16 Mar 2023 02:39:05 +0000 (15:39 +1300)]
libcli/security/dom_sid: remove a couple of lost comments
The second one came with code obsoleting the "BIG NOTE" about 10 years
ago, but that code later wandered off somewhere else.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 00:17:28 +0000 (12:17 +1200)]
pytest:sid_strings: Do bad SIDs fail differently in simple-bind?
No.
That's good and expected because a failure here should fall back to the
next thing in the simple bind pecking order (canonical names).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 00:13:26 +0000 (12:13 +1200)]
pytest:sid_strings: do bad SIDS work in search filters?
Yes.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 13 Apr 2023 00:11:48 +0000 (12:11 +1200)]
pytest:sid_strings: test SID DNs with ldb parsing
By using an ldb.Dn as an intermediary, we get to see which SIDs
Samba thinks are OK but Windows thinks are bad.
It is things like "S-0-5-32-579".
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 23:21:38 +0000 (11:21 +1200)]
pytest:sid_strings: test SIDs as search base
As a way of testing the interpretation of a SID string in a remote
server, we search on the base DN "<SID=x>" where x is a non-existent
or malformed SID.
On Windows some or all malformed SIDs are detected before the search
begins, resulting in a complaint about DN syntax rather than one about
missing objects.
From this we can get a picture of what Windows considers to be
a proper SID in this context.
Samba does not make a distinction here, always returning NO_SUCH_OBJECT.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 01:31:40 +0000 (13:31 +1200)]
pytest:sid_strings: Windows and Samba divergent tests
The Samba side is aspirational -- what we actually do is generally
worse. However the Windows behaviour in these cases seems more
surprising still, and seems to be neither documented nor used.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 23:47:19 +0000 (11:47 +1200)]
pytest:sid_strings: test the strings with local parsing
The reason the existing tests send the SID over the wire as SDDL for
defaultSecurityDescriptor is it is one of the few ways to force the
server to reckon with a SID-string as a SID. At least, that's the case
with Windows. In Samba we make no effort to decode the SDDL until it
comes to the time of creating an object, at which point we don't notice
the difference between bad SDDL and missing SDDL.
So here we add a set of dynamic tests that push the strings through our
SDDL parsing code. This doesn't tell us very much more, but it is very
quick and sort of confirms that the other tests are on the right track.
To run against Windows without also running the internal Samba tests,
add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 23:30:26 +0000 (11:30 +1200)]
pytest:sid_strings: separate out expected_sid formatting
This is going to be useful for another test, soon.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 03:39:24 +0000 (15:39 +1200)]
pytest:sid_strings: add explicit S-1-* sid tests
We are mostly testing edge cases around the handling of numeric
limits.
These tests are based on ground truth established by running them
against Windows.
Many fail against Samba, because the defaulSecurityDescriptor
attribute is not validated at the time it is set while on Windows it
is.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 04:05:59 +0000 (16:05 +1200)]
pytest:sid_strings: allow other errors to be specified
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 05:20:46 +0000 (17:20 +1200)]
pytest:sid_strings: add a superclass, allowing for derivatives
This will allow e.g. a suite of tests that assert Windows behaviour that
we might not choose to follow.
Because @DynamicTestCase will mangle the class as it finds it, we can't
use SidStringTests itself as a superclass for others.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 03:20:57 +0000 (15:20 +1200)]
pytest:sid_strings: use hashed instead of random unique numbers
This removes the slim chance of flapping failures, and makes tracking
the created class back to the SID string theoretically possible.
To maintain uniqueness of the governs-id, we in chuck some of the
timestamp.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 5 Apr 2023 03:16:21 +0000 (15:16 +1200)]
pytest:sid_strings: same timestamp for all tests in the run
We don't care about the exact time of the test, just that we
disambiguate between different runs (each run leaves an immutable scar
on the target server).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 09:34:47 +0000 (21:34 +1200)]
librpc/py_security: exception message blames the bad SID
It can be useful to know what you're looking for.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sat, 22 Apr 2023 20:41:23 +0000 (08:41 +1200)]
pytest:upgradeprovision: don't use misleading SDDL in tests
The ACE string "(A;CI;RP LCLORC;;;AU)", with a space after "RP", is
currently not parsed well by Samba.
At the moment we parse only the "RP" and ignore the " LCLORC". What
Windows would do is parse it as if it said "RPLCLORC", without the
space, thus using all the flags. It seems very likely we thought this
was happening with Samba.
Soon Samba will have Windows' behaviour here and it will be tested in
python/samba/tests/sddl.py. That means this test can relax and focus
on whatever it was trying to do with upgradeprovision. We thank it for
finding this discrepency.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 12 Apr 2023 05:34:35 +0000 (17:34 +1200)]
librpc/ndr/pysecurity: use better exceptions
The wrong string is the wrong value but the right type.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 18 Dec 2020 04:58:56 +0000 (17:58 +1300)]
lib/fuzzing: add fuzzer for sddl_parse
Apart from catching crashes in the actual parsing, we abort if the SD
we end up with will not round trip back through SDDL to an identical
SD.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 27 Apr 2023 13:58:18 +0000 (15:58 +0200)]
libcli:smb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Apr 27 15:27:21 UTC 2023 on atb-devel-224
Andreas Schneider [Thu, 27 Apr 2023 13:56:42 +0000 (15:56 +0200)]
libcli:security: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Thu, 27 Apr 2023 13:54:54 +0000 (15:54 +0200)]
libcli:ldap: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Thu, 27 Apr 2023 13:54:15 +0000 (15:54 +0200)]
libcli:drsuapi: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Thu, 27 Apr 2023 13:53:25 +0000 (15:53 +0200)]
libcli:auth: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Andreas Schneider [Wed, 26 Apr 2023 06:40:29 +0000 (08:40 +0200)]
s3:lib: Give better warnings about corrupted AppleDobule files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 27 09:25:50 UTC 2023 on atb-devel-224
Andreas Schneider [Wed, 26 Apr 2023 06:30:38 +0000 (08:30 +0200)]
s3:lib: Move ad_unpack() debug message to notice level
We should give a good warning message one level above.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Apr 2023 06:25:31 +0000 (08:25 +0200)]
gitlab-ci: Update Fedora to version 38
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Apr 27 08:22:58 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 25 Apr 2023 05:50:55 +0000 (07:50 +0200)]
selftest:knownfail: Update S4U knownfail for MIT KRB5 1.20
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Alexander Bokovoy [Mon, 24 Apr 2023 12:29:49 +0000 (14:29 +0200)]
wafsamba: Normalize strings in gdb output when comparing ABI
This fixes an issue with gdb >= 13:
libndr.so: symbol ndr_transfer_syntax_ndr64 has changed
old_signature: uuid = {
time_low =
1903232307,
time_mid = 48826,
time_hi_and_version = 18743,
clock_seq = "\203\031",
node = "\265\333\357\234\314\066"
}, if_version = 1
new_signature: uuid = {
time_low =
1903232307,
time_mid = 48826,
time_hi_and_version = 18743,
clock_seq = "\203\031",
node = "\265\333\357\234\3146"
}, if_version = 1
\314\066 and \3146 are the same as \066 translates into the char '6'. In order
to address this we should do byte comparison in python.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Apr 2023 11:29:27 +0000 (13:29 +0200)]
s3:torture: Fix possible array out of bounds access
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:331:37: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
331 | fnum[server][fstype][conn][f] = try_open(cli[server][conn], nfs[server], fstype, FILENAME,
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:316:62: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
316 | fnum[server][fstype][conn][f],
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘test_one’,
inlined from ‘retest’ at source3/torture/locktest2.c:401:8:
source3/torture/locktest2.c:300:60: error: array subscript 2 is above array bounds of ‘int[2][2][2]’ [-Werror=array-bounds=]
300 | fnum[server][fstype][conn][f],
| ~~~~~~~~~~~~^~~~~~~~
source3/torture/locktest2.c: In function ‘retest’:
source3/torture/locktest2.c:390:23: note: while referencing ‘fnum’
390 | int fnum[NSERVERS][NUMFSTYPES][NCONNECTIONS][NFILES],
| ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Apr 2023 11:28:59 +0000 (13:28 +0200)]
s3:torture: Remove trailing white spaces in locktest2.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Apr 2023 11:09:26 +0000 (13:09 +0200)]
dfs_server: Fix debug statement if searched_site is NULL
In file included from source4/include/includes.h:61,
from dfs_server/dfs_server_ad.c:21:
dfs_server/dfs_server_ad.c: In function ‘get_dcs.constprop’:
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
dfs_server/dfs_server_ad.c:462:25: note: in expansion of macro ‘DEBUG’
462 | DEBUG(2,(__location__ ": Site: %s %s\n",
| ^~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Apr 2023 08:42:54 +0000 (10:42 +0200)]
lib:krb5_wrap: Fix debug statements when princ_s is NULL
In file included from source4/include/includes.h:61,
from lib/krb5_wrap/krb5_samba.c:23:
lib/krb5_wrap/krb5_samba.c: In function ‘smb_krb5_kt_seek_and_delete_old_entries’:
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1753:25: note: in expansion of macro ‘DEBUG’
1753 | DEBUG(5, (__location__ ": Saving previous (kvno %d) "
| ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1763:25: note: in expansion of macro ‘DEBUG’
1763 | DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
| ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1769:17: note: in expansion of macro ‘DEBUG’
1769 | DEBUG(5, (__location__ ": Found old entry for principal: %s "
| ^~~~~
lib/util/debug.h:200:12: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
200 | && (dbgtext body) )
| ~^~~~~~~~~~~~~
lib/krb5_wrap/krb5_samba.c:1787:17: note: in expansion of macro ‘DEBUG’
1787 | DEBUG(5, (__location__ ": removed old entry for principal: "
| ^~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 21 Apr 2023 14:04:30 +0000 (16:04 +0200)]
tests: Test ldap whoami exop
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 26 07:20:14 UTC 2023 on atb-devel-224
Volker Lendecke [Wed, 3 Nov 2021 15:35:00 +0000 (16:35 +0100)]
ldap_server: Implement the rfc4532 whoami exop
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 24 Mar 2023 10:49:02 +0000 (11:49 +0100)]
ldb: Implement ldap_whoami in pyldb
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 24 Mar 2023 10:48:31 +0000 (11:48 +0100)]
ldb: Allow extended operations through ildap
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 10 Nov 2021 15:29:59 +0000 (16:29 +0100)]
ldb: Add the RFC4532 LDB_EXTENDED_WHOAMI_OID definition
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>