Andreas Schneider [Tue, 25 Jan 2022 18:35:06 +0000 (19:35 +0100)]
testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported by MIT Kerberos
anyway.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184
Andreas Schneider [Fri, 18 Mar 2022 10:05:23 +0000 (11:05 +0100)]
testprogs: Manually reformat test_pkinit_pac.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 10:04:19 +0000 (11:04 +0100)]
testprogs: Reformat test_pkinit_pac.sh with shfmt
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 17 Mar 2022 13:33:52 +0000 (14:33 +0100)]
testprogs: Rename test_pkinit_pac_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 24 Mar 2022 00:04:54 +0000 (13:04 +1300)]
testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported with MIT
Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 24 Mar 2022 12:50:49 +0000 (13:50 +0100)]
testprogs: Remove the usage of enctype in test_pkinit_simple.sh
This is not needed anymore and the default is AES in the meantime.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 23 Mar 2022 23:53:28 +0000 (12:53 +1300)]
testprogs: Change from $foo to "${foo}" variable style
This is selected from and to improve the understanding of:
testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported with MIT
Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 09:26:46 +0000 (10:26 +0100)]
testprogs: Manually reformat testit commands in test_pkinit_simple.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 09:21:20 +0000 (10:21 +0100)]
testprogs: Fix calculating failed in test_pkinit_simple.sh
We only want to increase it if a test is failing. If something is expected to
fail, we should not count that as failed.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 18 Mar 2022 09:20:27 +0000 (10:20 +0100)]
testprogs: Format test_pkinit_simple.sh with shfmt
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 17 Mar 2022 13:28:26 +0000 (14:28 +0100)]
testprogs: Rename test_pkinit_heimdal.sh
We want one common test which works against Heimdal and MIT Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 17 Mar 2022 12:57:21 +0000 (13:57 +0100)]
testprogs: Fix kerberos_kinit with additional options
The additional options need to come before we specify the principal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 24 Jan 2022 18:47:16 +0000 (19:47 +0100)]
selftest: Setup PKINIT for MIT Kerberos
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 19 Jan 2022 11:49:45 +0000 (12:49 +0100)]
s4:kdc: Add Smart Card and file based PKINIT support
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 25 Jan 2022 18:39:56 +0000 (19:39 +0100)]
s4:tests: Run Heimdal PKINIT tests only against ad_dc env
There is not difference kerberos-wise between those two envs.
This reverts
661e1a229e85f566c5fc5d43ea03fbb29847439a.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 20 Jan 2022 07:46:55 +0000 (08:46 +0100)]
s4:kdc: If we set the kerberos debug level to 10 write a trace file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 24 Feb 2022 11:18:18 +0000 (12:18 +0100)]
s4:kdc: Remove trailing white spaces in kdc-service-mit.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 18 Jan 2022 08:24:44 +0000 (09:24 +0100)]
s4:kdc: Improve debug message of samba_kdc_fetch_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Thomas Debesse [Wed, 22 Sep 2021 17:09:02 +0000 (19:09 +0200)]
s4: dns: Add customizable dns port option
Signed-off-by: Thomas Debesse <dev@illwieckz.net>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 25 20:25:28 UTC 2022 on sn-devel-184
Ralph Boehme [Thu, 24 Mar 2022 17:31:59 +0000 (18:31 +0100)]
smbd: expand DEBUG statement in smbd_dirptr_get_entry() to include the dir and direntry name
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 25 19:05:06 UTC 2022 on sn-devel-184
Samuel Cabrero [Wed, 9 Mar 2022 11:11:00 +0000 (12:11 +0100)]
examples: Update winbindd.stp and its generator script
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 25 17:57:18 UTC 2022 on sn-devel-184
Samuel Cabrero [Wed, 16 Feb 2022 12:41:05 +0000 (13:41 +0100)]
s3:winbind: Convert Ping parent/child call to NDR
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Samuel Cabrero [Wed, 9 Mar 2022 10:56:33 +0000 (11:56 +0100)]
s3:winbind: Return NTSTATUS from wbint_Ping() RPC function
There are no users of this function but the next commit will convert the
struct-based WINBINDD_PING call to a local RPC wbint_Ping() call.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Samuel Cabrero [Wed, 9 Mar 2022 16:44:17 +0000 (17:44 +0100)]
s3:winbind: Convert wcache_opnum_cacheable() to a whitelist
It avoids having to explicitly blacklist new DCE/RPC calls.
This is the current list of non cacheable calls:
NDR_WBINT_PING
NDR_WBINT_QUERYSEQUENCENUMBER
NDR_WBINT_ALLOCATEUID
NDR_WBINT_ALLOCATEGID
NDR_WBINT_CHECKMACHINEACCOUNT
NDR_WBINT_CHANGEMACHINEACCOUNT
NDR_WBINT_PINGDC
NDR_WBINT_LISTTRUSTEDDOMAINS
It includes the ListTrustedDomains call recently converted to a local
RPC call.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
David Mulder [Wed, 2 Mar 2022 09:23:51 +0000 (02:23 -0700)]
samba-gpupdate: Implement enhanced logging
This ports the enhanced logging capabilities from
AltLinux gpupdate. It generates log messages such
as:
2022-03-02 11:28:54.872|[E40104]| Failed to set interfaces for zone | {'val': 'work'}
2022-03-02 11:28:55.017|[E40104]| Failed to set interfaces for zone | {'val': 'home'}
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 23:40:47 UTC 2022 on sn-devel-184
Jeremy Allison [Fri, 18 Mar 2022 19:30:27 +0000 (12:30 -0700)]
s3: smbd: smbd_smb2_setinfo_send(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
This is the last SMB_VFS_FSTAT that uses fsp->fsp_name->st, so
remove knownfail.d/durable-v2-setinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 17:21:29 UTC 2022 on sn-devel-184
Jeremy Allison [Fri, 18 Mar 2022 18:45:50 +0000 (11:45 -0700)]
s3: smbd: smbd_smb2_getinfo_send(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 22:04:34 +0000 (15:04 -0700)]
s3: cmd_vfs: cmd_set_nt_acl(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 22:01:52 +0000 (15:01 -0700)]
s3: cmd_vfs: cmd_open(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 21:57:13 +0000 (14:57 -0700)]
s3: pysmbd.c: init_files_struct(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:27:53 +0000 (12:27 -0700)]
s3: smbd: call_trans2setfilepathinfo(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:26:27 +0000 (12:26 -0700)]
s3: smbd: call_trans2qfilepathinfo(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:24:27 +0000 (12:24 -0700)]
s3: smbd: rename_internals_fsp(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:22:26 +0000 (12:22 -0700)]
s3: smbd: mkdir_internal(). 2 of 2. All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:19:44 +0000 (12:19 -0700)]
s3: smbd: mkdir_internal(). 1 of 2. All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:11:23 +0000 (12:11 -0700)]
s3: smbd: open_file(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:09:43 +0000 (12:09 -0700)]
s3: smbd: non_widelink_open(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:02:35 +0000 (12:02 -0700)]
s3: smbd: open_internal_dirfsp(). All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 19:00:15 +0000 (12:00 -0700)]
s3: smbd: open_internal_dirfsp() add missing file_free() in error path.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 18:56:53 +0000 (11:56 -0700)]
s3: smbd: mdssvc: All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 18:51:00 +0000 (11:51 -0700)]
s3: VFS: vxfs: All calls to SMB_VFS_FSTAT(fsp, &fsp->fsp_name->st) clobber fsp->fsp_name->st.st_ex_iflags.
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 18:41:48 +0000 (11:41 -0700)]
s3: smbd: In set_ea_dos_attribute(), if we've stored btime and set XATTR_DOSINFO_CREATE_TIME successfully, we need to clear ST_EX_IFLAG_CALCULATED_BTIME.
This is no longer a calculated field, every call to fdos_mode() will
set it as non-calculated.
https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 18:40:04 +0000 (11:40 -0700)]
s3: smbd: In set_ea_dos_attribute() cause root fallback code to exit via the same place.
We're going to add another action on success next.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Jeremy Allison [Fri, 18 Mar 2022 21:52:02 +0000 (14:52 -0700)]
s4: torture: Add regression test for re-opening a durable handle after calling SMB2 setinfo (end of file).
This is an implementation of a test written by Apple for their
client. Currently fails to reconnect due to btime being overwritten
incorrectly in the SMB2 setinfo path.
Add knownfail.d/durable-v2-setinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Andrew Bartlett [Tue, 8 Mar 2022 09:49:31 +0000 (22:49 +1300)]
s4:kdc: Expose samba_kdc_message2entry_keys()
This allows the KDC to share the supplementalCredentials parsing code
with other parts of Samba that could use it.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184
Andrew Bartlett [Wed, 23 Mar 2022 00:07:29 +0000 (13:07 +1300)]
s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 22 Mar 2022 21:13:54 +0000 (10:13 +1300)]
s4:kdc: Pull auth_sam_trigger_repl_secret() up one layer to samba_kdc_message2entry()
This avoids making a call out in samba_kdc_message2entry_keys() and allows
for potential reuse of the key parsing code.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 8 Mar 2022 09:48:50 +0000 (22:48 +1300)]
s4:kdc: Add const to "msg" parameter in samba_kdc_message2entry_keys()
This will help with a future caller.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 22 Mar 2022 20:47:53 +0000 (09:47 +1300)]
s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()
We should not supprise the callers by returning more keys than we asked to
filter by and avoids duplicating the protected_users logic within
samba_kdc_set_fixed_keys().
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Andrew Bartlett [Tue, 22 Mar 2022 20:47:53 +0000 (09:47 +1300)]
s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys()
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:42:06 +0000 (21:42 +0100)]
s4:kdc: teach samba_kdc_message2entry_keys() to handle old and older keys too
We return the requested kvno if given, otherwise we include the
old and older keys for CLIENT|FOR_AS_REQ or SDB_F_ADMIN_DATA lookups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 23:41:13 +0000 (00:41 +0100)]
s4:kdc: add old and older keys to sdb_entry
This is the first step to return the password history
in order to avoid badPwdCount updates for failing
pre-authentication with passwords from the recent history.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 19 Jul 2019 11:22:48 +0000 (13:22 +0200)]
s4:kdc: pass flags and kvno down to samba_kdc_message2entry_keys()
We need a ways to ask for a specific kvno if SDB_F_KVNO_SPECIFIED
is requested. And also include the old and older keys from
the password history in the next commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:29:20 +0000 (04:29 +0100)]
s4:kdc: finally remove unused 'struct sdb_entry_ex'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in hdb_samba4_{first,next}key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in hdb_samba4_fetch_kvno()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in netr_samlogon_generic_logon()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in mit_samba_get_{first,next}key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in mit_samba_get_principal()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:kdc: avoid using sdb_entry_ex in samba_wdc_reget_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:17:01 +0000 (04:17 +0100)]
s4:libnet: avoid using sdb_entry_ex and use sdb_entry directly
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_{first,next}key() only need sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_fetch() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:00:09 +0000 (04:00 +0100)]
s4:kdc: remove unused sdb_entry_ex_to_kdb_entry_ex()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:57:38 +0000 (03:57 +0100)]
s4:kdc: use sdb_entry_to_krb5_db_entry() directly
We should avoid sdb_entry_ex, as it will be removed soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 03:00:09 +0000 (04:00 +0100)]
s4:kdc: remove unused sdb_entry_ex_to_hdb_entry_ex()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:57:38 +0000 (03:57 +0100)]
s4:kdc: use sdb_entry_to_hdb_entry() directly
We should avoid sdb_entry_ex, as it will be removed soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:52:43 +0000 (03:52 +0100)]
s4:kdc: hdb_samba4_fetch_fast_cookie() don't need sdb_entry_ex
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_seq() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_fetch_server() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_fetch_krbtgt() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_fetch_client() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:43:25 +0000 (03:43 +0100)]
s4:kdc: samba_kdc_lookup_realm() only needs sdb_entry
sdb_entry_ex will be removed shortly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:36:31 +0000 (03:36 +0100)]
s4:kdc: only pass sdb_entry to samba_kdc_message2entry()
It no longer needs sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:36:31 +0000 (03:36 +0100)]
s4:kdc: only pass sdb_entry to samba_kdc_trust_message2entry()
It no longer needs sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:29:21 +0000 (03:29 +0100)]
s4:kdc: only ZERO and free sdb_entry in samba_kdc_trust_message2entry()
sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:25:12 +0000 (03:25 +0100)]
s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_trust_message2entry()
We should avoid using entry_ex->entry as sdb_entry_ex will be removed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:29:21 +0000 (03:29 +0100)]
s4:kdc: only ZERO and free sdb_entry in samba_kdc_message2entry()
sdb_entry_ex only contains sdb_entry, so this is still doing
the same, but we want to remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:25:12 +0000 (03:25 +0100)]
s4:kdc: s/entry_ex->entry\./entry->/g in samba_kdc_message2entry()
We should avoid using entry_ex->entry as sdb_entry_ex will be removed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 02:16:32 +0000 (03:16 +0100)]
s4:kdc: only pass sdb_entry to samba_kdc_message2entry_keys()
sdb_entry_ex will be removed as it just contains sdb_entry.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:12:02 +0000 (14:12 +0100)]
s4:kdc: remove unused principal argument to samba_kdc_trust_message2entry()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:46:28 +0000 (21:46 +0100)]
s4:kdc: split out a samba_kdc_fill_user_keys() helper function
This will simplify further changes, e.g. asking for a specific kvno
or returning the password history in order to prevent
badPwdCount updates with passwords in the history.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 8 Feb 2022 13:25:53 +0000 (14:25 +0100)]
s4:kdc: remove Primary:Kerberos usage from samba_kdc_message2entry_keys()
Most likely the kerberos libraries don't support DES anymore, so
there's no point in exposing them at all.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 17:11:44 +0000 (18:11 +0100)]
s4:kdc: only pass keys to samba_kdc_set_random_keys()
This prepares the removal of sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 17:09:33 +0000 (18:09 +0100)]
s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys()
This prepares the removal of sdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 8 Feb 2022 14:08:57 +0000 (15:08 +0100)]
s4:kdc: add a samba_kdc_sort_keys() function using TYPESAFE_QSORT()
This is better than calloc/free each time.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 16:59:19 +0000 (17:59 +0100)]
s4:kdc: expose a sdb_entry_free() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 16:55:54 +0000 (17:55 +0100)]
s4:kdc: expose sdb_entry_to_hdb_entry() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 16:55:54 +0000 (17:55 +0100)]
s4:kdc: expose a sdb_entry_to_krb5_db_entry() function
We'll remove sdb_entry_ex soon.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 16:04:22 +0000 (17:04 +0100)]
s4:kdc: let samba_kdc_entry take references to sdb_entry and kdc_entry
kdc_entry can be hdb_entry or krb5_db_entry.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 8 Feb 2022 15:50:14 +0000 (16:50 +0100)]
s4:kdc: make the logic between ZERO_STRUCTP(entry_ex) and sdb_free_entry(entry_ex) clearer
samba_kdc_[trust_]message2entry() always starts with
ZERO_STRUCTP(entry_ex) and cleans up on error with
sdb_free_entry(entry_ex), leaving a cleared structure again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 15:35:58 +0000 (16:35 +0100)]
s4:kdc: let sdb_entry have a typed samba_kdc_entry pointer
Both layers are owned by us so there's no need for an void
pointer.
This simplifies the code a lot and allows further cleanups.
Eventually we can remove sdb_entry_ex and only use sdb_entry,
as Heimdal also removed hdb_entry_ex.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 15:57:57 +0000 (16:57 +0100)]
s4:kdc: remove unused samba_kdc_entry->entry_ex
It will only ever point to an sdb_entry_ex
and becomes a stale pointer fast, as
sdb_free_entry() called before any talloc_free()
can happen (with a destructor still set).
Note the talloc parent of samba_kdc_entry
is the samba_kdc_db_context longterm context.
The next commits will fill samba_kdc_entry_destructor
with logic again, but for now remove the unused code.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:04:44 +0000 (21:04 +0100)]
s4:kdc: split out a sdb_keys_free() helper function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:04:44 +0000 (21:04 +0100)]
s4:kdc: rename free_sdb_key() as public sdb_key_free() function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:58:03 +0000 (20:58 +0100)]
s4:kdc: make free_sdb_entry() static
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:55:25 +0000 (20:55 +0100)]
s4:kdc: let samba_kdc_entry_destructor() call sdb_free_entry()
It's basically the same as free_sdb_entry(), but the next
step will make free_sdb_entry() private.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 20:13:24 +0000 (21:13 +0100)]
s4:kdc: don't leak salt in free_sdb_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 11 Feb 2022 19:56:17 +0000 (20:56 +0100)]
s4:kdc: call krb5_free_keyblock_contents() in free_sdb_key()
This is much clearer than doing it in sdb_free_entry() already.
It also simplifies the next cleanups.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 22 Mar 2022 12:59:58 +0000 (13:59 +0100)]
s4:kdc: remove unused sdb_entry_ex->free_entry()
It seems we need to take a closer look at the
memory hierachy of the sdb_entry related code.
I'll check that during the next commits,
but for now just remove use the unused hook.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>