Volker Lendecke [Thu, 27 Jan 2022 19:34:28 +0000 (20:34 +0100)]
smbd: Modernize a debug statement
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 27 Jan 2022 20:52:31 +0000 (21:52 +0100)]
torture: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 31 Jan 2022 07:57:41 +0000 (08:57 +0100)]
mdssvc: Align an integer type
In libjansson 2.13.1 json_array_size() returns a size_t
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 22:17:36 +0000 (14:17 -0800)]
s3: smbd: Add two new functions in a new file, smb2_posix.c: smb2_posix_cc_info(), store_smb2_posix_info()
Not yet used.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Feb 1 17:25:45 UTC 2022 on sn-devel-184
Jeremy Allison [Thu, 27 Jan 2022 19:36:19 +0000 (11:36 -0800)]
s3: smbd: smbd_smb2_request_process_negprot() - Allow SMB2 unix extensions to be negotiated. Currently not allowed.
As lp_smb2_unix_extensions() currently always returns false,
this code path cannot be executed. This will change once the
whole client and server fixes are in place and tests are passing.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 17:49:45 +0000 (09:49 -0800)]
s3: smbd: Plumb in POSIX lock requests through SMB2 lock calls if done on a POSIX handle. Currently not allowed.
Note there is currently no way to create a POSIX file
handle in SMB2 so this code can't be accessed.
This will remain so until client and server code are ready to
turn on SMB2 POSIX extensions and the tests are in place.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 18:11:58 +0000 (10:11 -0800)]
s3: smbd: Update widelinks_warning() to cope with SMB1 and SMB2 unix extensions.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 18:07:07 +0000 (10:07 -0800)]
s3: smbd: lp_widelinks(). Turn off widelinks if either SMB1 or SMB2 unix extensions are turned on.
NB. Currently it's impossible to turn on SMB2 unix extensions.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 18:03:36 +0000 (10:03 -0800)]
s3: smbd: Add lp_smb2_unix_extensions() function. Always returns false for now.
For now *always* returns false. This allows me to
add code into smbd contingent on lp_smb2_unix_extensions()
which I know will not be executed until all the parts
are in place. Then the real parameter can be added
(default to off) and testing added.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 22:46:01 +0000 (14:46 -0800)]
s3: smbd: Add the definition for SMB2_FIND_POSIX_INFORMATION info level.
Will be used by smb2_query_directory. Not yet used or available.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 22:43:27 +0000 (14:43 -0800)]
s3: smbd: Add the definition for SMB2_FILE_POSIX_INFORMATION info level.
Will be used by smb2_getinfo. Not yet used or available.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 18:18:32 +0000 (10:18 -0800)]
libcli: Add SMB2 posix negotiate context flag.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Thu, 27 Jan 2022 18:55:18 +0000 (10:55 -0800)]
s3: smbd: Add an SMB2 server flag posix_extensions_negotiated.
This allows the server to only enable smb2 unix open handles if
the smb.conf parameter is set and the client client correctly
negotiated smb2 unix on the connection.
Currently there is no "smb2 unix extensions" parameter so
this can never be set to true.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Wed, 8 Dec 2021 06:19:29 +0000 (22:19 -0800)]
CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
We need to take SMB1+POSIX into account here and do an LSTAT if it's
a POSIX name.
Remove knownfail.d/posix_sylink_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 31 16:26:26 UTC 2022 on sn-devel-184
Jeremy Allison [Wed, 8 Dec 2021 06:15:46 +0000 (22:15 -0800)]
CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
Add a knownfail.d/posix_sylink_rename
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 22:39:42 +0000 (14:39 -0800)]
CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
If filename_convert() fails to convert the path, we never call
check_name(). This means we can return an incorrect error code
(NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
outside the share to a non-readable directory. We need to make
sure in this case we always call check_name().
Remove knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 22:33:17 +0000 (14:33 -0800)]
CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.
Remove:
samba3.blackbox.test_symlink_traversal.SMB1.posix
samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)
in knownfail.d/symlink_traversal as we now pass these. Only one more fix
remaining to get rid of knownfail.d/symlink_traversal completely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 19:44:09 +0000 (11:44 -0800)]
CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
Matches the error return from openat_pathref_fsp().
NT_STATUS_OBJECT_PATH_NOT_FOUND is for a bad component in a path, not
a bad terminal symlink.
Remove knownfail.d/simple_posix_open, we now pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Wed, 8 Dec 2021 01:56:35 +0000 (17:56 -0800)]
CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
Trying to open a symlink as a terminal component should return
NT_STATUS_OBJECT_NAME_NOT_FOUND, not NT_STATUS_OBJECT_PATH_NOT_FOUND.
Mark as knownfail.d/simple_posix_open until we fix the server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:56:51 +0000 (12:56 -0800)]
CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
For SMB1/2/3 (minus posix) we need to treat bad symlinks
as though they don't exist.
Add to knwownfail.d/symlink_traversal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:34:38 +0000 (12:34 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
Add to knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:32:19 +0000 (12:32 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
Add to knownfail.d/symlink_traversal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Jeremy Allison [Tue, 7 Dec 2021 20:28:54 +0000 (12:28 -0800)]
CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
Add to knownfail.d/symlink_traversal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
Signed-off-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 13 Jan 2022 16:03:02 +0000 (17:03 +0100)]
CVE-2021-44142: libadouble: harden parsing code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 25 Nov 2021 14:04:03 +0000 (15:04 +0100)]
CVE-2021-44142: libadouble: add basic cmocka tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Fri, 26 Nov 2021 06:19:32 +0000 (07:19 +0100)]
CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Sat, 20 Nov 2021 15:36:42 +0000 (16:36 +0100)]
CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
This is an internal xattr that should not be user visible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Thu, 13 Jan 2022 15:48:01 +0000 (16:48 +0100)]
CVE-2021-44142: libadouble: add defines for icon lengths
From https://www.ietf.org/rfc/rfc1740.txt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Mon, 17 Jan 2022 23:02:45 +0000 (12:02 +1300)]
CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Joseph Sutton [Mon, 17 Jan 2022 22:56:38 +0000 (11:56 +1300)]
CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
This test currently fails, as re-adding an SPN means that later checks
do not run.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andreas Schneider [Wed, 26 Jan 2022 07:44:13 +0000 (08:44 +0100)]
s4:kdc: Translate HDB flags to SDB flags
We used to have a 1 to 1 mapping, but now we have
a conflict with these:
#define SDB_F_FORCE_CANON 16384
#define HDB_F_PRECHECK 16384
We currently don't really care about HDB_F_PRECHECK,
so we can just filter it out.
In the long run we may change the SDB flags space to uint64...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 28 13:33:22 UTC 2022 on sn-devel-184
Andreas Schneider [Wed, 26 Jan 2022 07:43:41 +0000 (08:43 +0100)]
s4:kdc: Remove trailing spaces in hdb-samba4.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andreas Schneider [Wed, 26 Jan 2022 07:39:50 +0000 (08:39 +0100)]
s4:kdc: Add a HDB to SDB mask
For most flags the mapping is 1 to 1, but it's not always
the case anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Thu, 27 Jan 2022 11:06:55 +0000 (12:06 +0100)]
s3/rpc_server: install elasticsearch_mappings.json
This was removed accidentally remvoed by
a7c65958a15149918415b7456d6f20ee8c9669d2 because the original code
only installed the json file if the mdssvc was built as module:
if bld.SAMBA3_IS_ENABLED_MODULE('rpc_mdssvc_module'):
bld.INSTALL_FILES(bld.env.SAMBA_DATADIR,
'mdssvc/elasticsearch_mappings.json')
Installing the json file should just depend on Elasticsearch support
being enabled, regardless of the removed module support.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14961
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Jan 28 10:22:31 UTC 2022 on sn-devel-184
FeRD (Frank Dana) [Tue, 25 Jan 2022 03:14:31 +0000 (22:14 -0500)]
printing/bgqd: Disable systemd notifications
samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Thu Jan 27 10:53:50 UTC 2022 on sn-devel-184
Douglas Bagnall [Thu, 23 Dec 2021 01:37:29 +0000 (14:37 +1300)]
s4/auth/simple_bind: correctly report TLS state
It went wrong in
366f8cf0903e3583fda42696df62a5337f22131f
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
Douglas Bagnall [Wed, 26 Jan 2022 02:53:45 +0000 (15:53 +1300)]
pytest:auth_log: expect TLS connections when using ldaps
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Douglas Bagnall [Thu, 9 Dec 2021 05:06:15 +0000 (18:06 +1300)]
s3/torture/pdbtest: fix always false condition
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9320
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Pavel Filipenský [Tue, 25 Jan 2022 20:05:26 +0000 (21:05 +0100)]
s4:libnet: Fix uninitialized value "seq_num"
Found by covscan.
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Tue, 25 Jan 2022 20:09:54 +0000 (21:09 +0100)]
s4:libnet: Fix trailing whitespace in libnet_vampire.c
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Jeremy Allison [Fri, 21 Jan 2022 22:49:11 +0000 (14:49 -0800)]
s3: smbd: Rename "unix extensions" -> "smb1 unix extensions".
Make 'unix extensions' a synonym for "smb1 unix extensions".
This will allow us to have a separate "smb2 unix extensions"
parameter that we can examine separately.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 25 21:43:59 UTC 2022 on sn-devel-184
Jeremy Allison [Tue, 25 Jan 2022 00:29:27 +0000 (16:29 -0800)]
s3: smbd: Cleanup - In smbd_do_query_security_desc() we don't need a talloc frame.
Just free the marshalled sd before returning.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Jeremy Allison [Thu, 20 Jan 2022 18:58:45 +0000 (10:58 -0800)]
s3: smbd: Cleanup - Split out smbd_marshall_security_desc() from smbd_do_query_security_desc().
This is part two of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.
Also makes the code much clearer.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Jeremy Allison [Thu, 20 Jan 2022 18:05:51 +0000 (10:05 -0800)]
s3: smbd: Cleanup - Split out smbd_fetch_security_desc() from smbd_do_query_security_desc().
This is part one of a cleanup to split this up into a fetch()/marshal()
pair. Allows easy modification of the sd before returning if we need
to add the SMB2+unix mode information here on a SMB2 posix handle.
Also makes the code much clearer.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Stefan Metzmacher [Fri, 21 Jan 2022 19:42:45 +0000 (20:42 +0100)]
blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.
This is fixed now and we no longer expect ndrdump to exit with 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 3 Nov 2021 12:57:50 +0000 (13:57 +0100)]
librpc/ndr: let ndr_push_string() let s_len == 0 result in d_len = 0
convert_string_talloc_handle() tries to play an the safe side
and always returns a null terminated array.
But for NDR we need to be correct on the wire...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 21 Jan 2022 00:09:23 +0000 (01:09 +0100)]
s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
convert_string_talloc() never returns a string with len=0 and always
implies zero termination byte(s).
For ndr_push_string this is unexpected as we need to be compatible on
the wire and push 0 bytes for an empty string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 21 Jan 2022 19:28:59 +0000 (20:28 +0100)]
blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Nov 2021 12:32:48 +0000 (13:32 +0100)]
ndrdump: make use of dump_data_file_diff() in order to show differences
This makes it much easier to detect differences in the given and
generated buffers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Nov 2021 10:40:13 +0000 (11:40 +0100)]
lib/util: add dump_data_diff*() helpers
That will make it easy to see the difference
between two memory buffers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 21 Jan 2022 19:06:40 +0000 (20:06 +0100)]
blackbox.ndrdump: adjust example files to changed dump_data() output.
The cleanup using dump_data_block16() fixed the space handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Nov 2021 10:05:52 +0000 (11:05 +0100)]
lib/util: split out a dump_data_block16() helper
This simplifies the logic a lot for me.
It also fixes some corner cases regarding whitespaces in the
output, that's why we have to mark a few tests as knownfail,
they will be fixed in the next commit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Sat, 22 Jan 2022 00:08:26 +0000 (01:08 +0100)]
dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.
Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.
This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Mon, 24 Jan 2022 14:57:50 +0000 (15:57 +0100)]
WHATSNEW: Start release notes for Samba 4.17.0pre1.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 24 Jan 2022 10:57:15 +0000 (11:57 +0100)]
ldb: bump version to 2.6.0 for Samba 4.17.x releases
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Jan 24 12:15:09 UTC 2022 on sn-devel-184
Jule Anger [Mon, 24 Jan 2022 10:51:04 +0000 (11:51 +0100)]
VERSION: Bump version up to 4.17.0pre1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Mon, 24 Jan 2022 10:46:26 +0000 (11:46 +0100)]
VERSION: Disable GIT_SNAPSHOT for the Samba 4.16.0rc1 release.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Mon, 24 Jan 2022 10:45:43 +0000 (11:45 +0100)]
WHATSNEW: Up to Samba 4.16.0rc1.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Mon, 24 Jan 2022 10:56:00 +0000 (11:56 +0100)]
tdb: version 1.4.6
* Use atomic operations for tdb_[increment|get]_seqnum
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jule Anger <janger@samba.org>
Björn Jacke [Sun, 23 Jan 2022 11:35:22 +0000 (12:35 +0100)]
s4:librpc: raise log level for failed connection attempts
this keeps the log files silent when other DCs are currently not running. We
saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now.
https://bugzilla.samba.org/show_bug.cgi?id=11537
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184
Pavel Filipenský [Fri, 21 Jan 2022 11:01:33 +0000 (12:01 +0100)]
s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
Pavel Filipenský [Tue, 18 Jan 2022 18:44:54 +0000 (19:44 +0100)]
s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Tue, 18 Jan 2022 18:47:38 +0000 (19:47 +0100)]
s3:winbindd: Remove trailing spaces from winbindd_ads.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Tue, 4 Jan 2022 11:00:20 +0000 (12:00 +0100)]
s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Mon, 3 Jan 2022 14:33:46 +0000 (15:33 +0100)]
tests: Add test for disabling NTLMSSP for ldap client connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Mon, 3 Jan 2022 10:13:06 +0000 (11:13 +0100)]
s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 7 Jan 2022 09:31:19 +0000 (10:31 +0100)]
s3:libads: Improve debug messages for SASL bind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Thu, 9 Dec 2021 12:43:08 +0000 (13:43 +0100)]
s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Wed, 8 Dec 2021 15:05:17 +0000 (16:05 +0100)]
s3:libads: Remove trailing spaces from sasl.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Pavel Filipenský [Fri, 10 Dec 2021 15:08:04 +0000 (16:08 +0100)]
s3:utils: set ads->auth.flags using krb5_state
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 21 Jan 2022 16:06:15 +0000 (17:06 +0100)]
wafsamba: Add our own implmentation to generate the clangdb
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 21 Jan 2022 16:05:57 +0000 (17:05 +0100)]
wafsamba: Remove clangdb code which doesn't work
This generates an incomplete database where defines and includes are missing.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Mon, 17 Jan 2022 09:49:13 +0000 (10:49 +0100)]
build: Without getrandom() require gnutls 3.7.2
gnutls before 3.7.2 and without getrandom() will open /dev/urandom at library
initialization time before main() is run. We use closefrom(3) in samba-bgqd and
samba-dcerpd, which closes /dev/urandom, which then breaks gnutls. On system
with getrandom(), no file descriptor is opened and gnutls 3.7.2+ will open and
close /dev/urandom whenever it needs to access it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 21 21:42:08 UTC 2022 on sn-devel-184
Stefan Metzmacher [Thu, 20 Jan 2022 11:05:35 +0000 (12:05 +0100)]
bootstrap: use compat-gnutls37-devel for centos7
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 20 Jan 2022 11:23:43 +0000 (12:23 +0100)]
libcli/dns: Fix TCP fallback
A customer has come across a DNS server that really just cuts a SRV
reply if it's too long. This makes the packet invalid according to
ndr_pull and according to wireshark. DNS_FLAG_TRUNCATION is however
set. As this seems to be legal according to the DNS RFCs, we need to
hand-parse the first two uint16's and look whether DNS_FLAG_TRUNCATION
is set.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 20 18:01:41 UTC 2022 on sn-devel-184
Andreas Schneider [Thu, 20 Jan 2022 10:17:29 +0000 (11:17 +0100)]
autobuild: Fix path for libwbclient ldd checks
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 14:19:02 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)]
s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
Stefan Metzmacher [Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)]
s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.
We also should not call ldb_module_done() if paged_results()
fails, as it was already called.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Stefan Metzmacher [Wed, 19 Jan 2022 12:15:45 +0000 (13:15 +0100)]
HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
Joseph Sutton [Thu, 6 Jan 2022 03:42:33 +0000 (16:42 +1300)]
s4:torture: Adapt KDC canon test to Heimdal upstream changes
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 9 Dec 2021 00:19:27 +0000 (13:19 +1300)]
s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG
Needed by the Heimdal upgrade...
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 10 Dec 2021 00:17:53 +0000 (13:17 +1300)]
s4:torture: Fix Orpheus' Lyre tests
The enc-pa-rep request protection allows these tests to now pass as
expected.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Sun, 5 Dec 2021 22:10:01 +0000 (11:10 +1300)]
s4:torture: Adapt LSA tests to newer Heimdal version
The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Isaac Boukris [Thu, 8 Nov 2018 22:20:06 +0000 (00:20 +0200)]
s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED
This is an alternative to
978bc8681e74ffa17f96fd5d4355094c4a26691c
which got overriten by the upgrade merge.
One difference however, is that we don't return ENC_TIMESTAMP like
in PREAUTH_REQUIRED but only ETYPE_INFO2 same as Windows.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Thu, 30 Dec 2021 04:07:10 +0000 (17:07 +1300)]
selftest: Expect FAST support for both MIT and Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 2 Feb 2016 14:40:43 +0000 (15:40 +0100)]
selftest: set [libdefaults] fcache_strict_checking = false
We're using uid_wrapper so the checks will fail.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 8 Dec 2021 01:56:39 +0000 (14:56 +1300)]
selftest: knownfail updates after Heimdal Upgrade
The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.
However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Fri, 18 Jun 2021 07:41:10 +0000 (19:41 +1200)]
selftest: Update SimpleKerberosTests now that Samba supports FAST
Heimdal matches Windows in this respect
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 29 Nov 2021 20:47:32 +0000 (09:47 +1300)]
tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:59:42 +0000 (16:59 +1300)]
s4:kdc: Return PA-SUPPORTED-ENCTYPES
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Fri, 24 Dec 2021 03:59:12 +0000 (16:59 +1300)]
s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 22 Dec 2021 04:08:43 +0000 (17:08 +1300)]
s4:kdc: Add PAC_ATTRIBUTES integration for Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 14 Dec 2021 23:30:28 +0000 (12:30 +1300)]
s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 17 Jun 2021 09:27:06 +0000 (21:27 +1200)]
s4:kdc/heimdal: Always include the salt in the PA-ETYPE-INFO[2]
This matches Windows and is detected by our samba.tests.krb5.as_canonicalization_tests
test as this always expects the salt, which Windows always provides.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Gary Lockyer [Thu, 21 Sep 2017 22:10:02 +0000 (10:10 +1200)]
s4:kdc: cope with upstream rename of configuration parameters.
This copes with the upstream commit:
commit
c757eb7fb04a9b0ca883ddb72c1bc75bf5d814f3
Author: Nicolas Williams <nico@cryptonector.com>
Date: Fri Nov 25 17:21:04 2011 -0600
Rename and fix as/tgs-use-strongest-key config parameters
Different ticket session key enctype selection options should
distinguish between target principal type (krbtgt vs. not), not
between KDC request types.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
[abartlet@samba.org Researched and updated the commit message]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 18 Sep 2018 01:50:55 +0000 (18:50 -0700)]
s4:kdc: Move calls using the samba4 name to be right after each other
These all need to be in sync
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 18 Sep 2018 01:06:35 +0000 (18:06 -0700)]
s4:kdc: Adapt KDC to new Heimdal to load samba4 HDB plugin for keytab
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Thu, 20 Sep 2018 02:24:11 +0000 (19:24 -0700)]
s4:kdc/hdb: Store and retrieve a FX-COOKIE value
Note Windows uses the string "MICROSOFT" as cookie,
so it's wrong to have a per DC cookie, but we need to
adjust the Heimdal logic to support that.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 22 Jun 2021 23:35:01 +0000 (11:35 +1200)]
s4:kdc: Set entry.flags.force_canonicalize to override the new Heimdal behaviour
This is needed to give hdb_samba4 the full control over the returned
principal, rather than the new code in the Heimdal KDC.
Including changes selected from code by Stefan Metzmacher <metze@samba.org>
in his Heimdal upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 3 Feb 2016 13:58:47 +0000 (14:58 +0100)]
s4:kerberos: adapt the heimdal send_to_kdc hooks to the send_to_kdc/realm plugin interface
With the recent heimdal upgrade we better try to use the send_to_realm()
hooks as it allows us to handle the KDC lookup as well as only getting
each logical request just once in the testing code, which makes it
let dependend on the heimdal internal kdc lookup logic.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>