samba.git
Jo Sutton [Wed, 24 Apr 2024 01:34:27 +0000 (13:34 +1200)]
python:tests: Store keys as bytes rather than as lists of ints

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224

Jo Sutton [Wed, 24 Apr 2024 01:37:40 +0000 (13:37 +1200)]
python:tests: Rewrite condition of while loop

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 01:36:28 +0000 (13:36 +1200)]
python:tests: Store keys as bytes rather than as tuples

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 00:42:40 +0000 (12:42 +1200)]
python:gkdi: Add helper methods returning previous and next GKIDs

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 02:45:51 +0000 (14:45 +1200)]
s4:kdc: Add helper variable indicating whether we think we are performing a keytab export

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 02:39:45 +0000 (14:39 +1200)]
s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()

This ldb context can be used to query the current gMSA time.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 01:23:15 +0000 (13:23 +1200)]
python: Move get_admin_sid() to SamDB

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 23 Apr 2024 01:13:20 +0000 (13:13 +1200)]
s4:auth: Export AES128 gMSA keys along with AES256 keys by default

This is what an existing test expects.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 21 Apr 2024 22:53:30 +0000 (10:53 +1200)]
tests/krb5: Check that updated NT hashes of gMSAs have the values we expect

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 00:31:36 +0000 (12:31 +1200)]
ldb: Remove unnecessary declaration

This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 21 Apr 2024 23:10:00 +0000 (11:10 +1200)]
lib:crypto: Fix Coverity build

The Coverity build is failing with the following errors:

[1936/5164] Compiling lib/crypto/gkdi.c
In file included from /usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0,
                 from /usr/include/inttypes.h:27,
                 from ../../lib/crypto/../replace/replace.h:64,
                 from ../../source4/include/includes.h:23,
                 from ../../lib/crypto/gkdi.c:21:
../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’:
../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant
    UINT64_MAX /
    ^
../../lib/crypto/gkdi.c:197:4: note: (near initialization for ‘max_gkid.l0_idx’)
../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant
    UINT64_MAX /
    ^
../../lib/crypto/gkdi.c:200:4: note: (near initialization for ‘max_gkid.l1_idx’)
../../lib/crypto/gkdi.c:204:4: error: initializer element is not constant
    UINT64_MAX / gkdi_key_cycle_duration %
    ^
../../lib/crypto/gkdi.c:204:4: note: (near initialization for ‘max_gkid.l2_idx’)

Fix the build by removing the ‘static’ specifier on this constant.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 24 Apr 2024 02:26:20 +0000 (14:26 +1200)]
ctdb: Report errors from getline()

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Jo Sutton [Wed, 24 Apr 2024 02:26:35 +0000 (14:26 +1200)]
ctdb: Ensure ‘ret’ is always initialized

This avoids a compilation error:

../../ctdb/protocol/protocol_util.c: In function ‘ctdb_connection_list_read’:
../../ctdb/protocol/protocol_util.c:787:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  787 |  return ret;
      |         ^~~

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Stefan Metzmacher [Mon, 4 Mar 2024 18:34:22 +0000 (19:34 +0100)]
WHATSNEW: document ldaps/tls related option changes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 24 00:59:53 UTC 2024 on atb-devel-224

Stefan Metzmacher [Mon, 4 Mar 2024 18:33:52 +0000 (19:33 +0100)]
smbdotconf: finally remove unused "client use spnego principal" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 07:54:02 +0000 (08:54 +0100)]
s4:selftest: remove useless 'client use spnego principal' tests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 18:31:33 +0000 (19:31 +0100)]
auth/gensec: remove useless client_use_spnego_principal usage

It's off by default and all sane servers use
not_defined_in_RFC4178@please_ignore anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 14:54:36 +0000 (15:54 +0100)]
s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 21:53:29 +0000 (22:53 +0100)]
s3:torture: add ldaps/starttls support to run_tldap()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 14:27:24 +0000 (15:27 +0100)]
s3:torture: add '-T 'option=value' this is similar to '--option='=value'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 14:08:17 +0000 (15:08 +0100)]
blackbox/test_net_ads_search_server: also test ldaps/starttls

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:04:57 +0000 (16:04 +0100)]
s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 24 Jan 2024 09:43:42 +0000 (10:43 +0100)]
s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 08:18:33 +0000 (09:18 +0100)]
s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Review with: git show --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 9 Feb 2024 14:40:00 +0000 (15:40 +0100)]
smbdotconf: add client ldap sasl wrapping = {starttls,ldaps}

In order to use SASL authentication within a TLS connection
we now provide "client ldap sasl wrapping = starttls" or
"client ldap sasl wrapping = ldaps".

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 6 Feb 2024 11:35:39 +0000 (12:35 +0100)]
s3:libads: call gensec_set_channel_bindings() for tls connections

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: call ldap_set_option(LDAP_OPT_PROTOCOL_VERSION) as soon as possible

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 30 Jan 2024 09:27:58 +0000 (10:27 +0100)]
s3:libads: add tls_wrapping into openldap

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 6 Feb 2024 10:48:41 +0000 (11:48 +0100)]
s4:lib/tls: add tstream_tls_sync_setup()

This operates in a non-async fashion and may block
in the push and pull function.

It will be used to plug into openldap transport
layer, this is needed in order to have access
to the channel bindings. And also use the same
configuration for all our gnutls based tls code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 5 Apr 2024 15:23:54 +0000 (17:23 +0200)]
s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF

There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 2 Feb 2024 16:50:03 +0000 (17:50 +0100)]
s3:libads: use the correct struct sockbuf_io_desc type for 'sbiod' pointer

Using 'Sockbuf_IO_Desc' in idl implicitly means pidl will use
'struct Sockbuf_IO_Desc', which doesn't exist!

Using 'struct sockbuf_io_desc' which is used in OpenLDAP to
typedef Sockbuf_IO_Desc, we won't need to cast the assign the
'sbiod' pointer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 9 Feb 2024 09:50:13 +0000 (10:50 +0100)]
s3:libads: no longer pass "GSS-SPNEGO" to ads_sasl_spnego_gensec_bind()

That's the only thing we use...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 2 Feb 2024 11:35:05 +0000 (12:35 +0100)]
s3:libads: remove dead code in ads_sasl_spnego_{gensec}_bind()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:09:39 +0000 (18:09 +0100)]
s3:libads: directly use kerberos without asking the server

Every AD DC supports kerberos so we can just use it without
asking the server (in an untrusted way) if kerberos is supported.
So remove another useless roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:08:55 +0000 (18:08 +0100)]
s3:libads: use GSS-SPNEGO directly without asking for supportedSASLMechanisms

Every AD DC supports 'GSS-SPNEGO' and that's the only one we use anyway,
so remove an unused roundtrip.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 16:21:35 +0000 (17:21 +0100)]
s3:tldap: add support for [START]TLS

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 23:32:51 +0000 (00:32 +0100)]
s3:tldap: make tldap_gensec_bind_send/recv public

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 19:38:21 +0000 (20:38 +0100)]
s3:tldap: add tldap_extended*

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 15:00:11 +0000 (16:00 +0100)]
s3:tldap: store plain and gensec tstream

Also allow resetting to plain.

We now have ld->active as the currently active
tstream, which will allow us to add tls support
soon.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 14:41:23 +0000 (15:41 +0100)]
s3:tldap: let tldap_gensec_bind_send/recv use gensec_update_send/recv

We should not use the sync gensec_update() in async code!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 14:30:05 +0000 (15:30 +0100)]
s3:tldap: don't use 'supportedSASLMechanisms' and force 'GSS-SPNEGO' instead

All active directory dcs support 'GSS-SPNEGO'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 15:45:07 +0000 (16:45 +0100)]
s3:tldap: simplify tldap_gensec_bind.h

We don't need any includes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 13:19:12 +0000 (14:19 +0100)]
s3:tldap: simplify read_ldap_more() by using asn1_peek_full_tag()

An LDAP pdu is at least 7 bytes long, so we read at least 7 bytes,
then it's easy to use asn1_peek_full_tag() in order to find out the
whole length of the pdu in one go.

As a side effect it's now possible that wireshark can reassemble
the fragments in a socket_wrapper generated pcap file.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 9 Feb 2024 10:31:30 +0000 (11:31 +0100)]
s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 16:42:41 +0000 (17:42 +0100)]
docs-xml: add 'tls trust system cas' and 'tls ca directories' options

This will make it easier to support trusting more than one CA.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:49:24 +0000 (16:49 +0100)]
s4:ldap_server: remove unused include of gensec_internal.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 25 Apr 2022 12:49:33 +0000 (14:49 +0200)]
s3:libads: remove unused ADS_AUTH_SIMPLE_BIND code

We have other code to test simple binds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:49:24 +0000 (16:49 +0100)]
s3:libads: remove unused include of gensec_internal.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:09:59 +0000 (18:09 +0100)]
s3:libsmb: libcli/auth/spnego.h is not needed in cliconnect.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 18:34:22 +0000 (19:34 +0100)]
WHATSNEW: document ldap_server ldaps/tls channel binding support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 14:50:14 +0000 (15:50 +0100)]
s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 14:50:14 +0000 (15:50 +0100)]
selftest: split out selftest/expectedfail.d/samba4.ldb.simple.ldap-tls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 28 Sep 2023 15:11:03 +0000 (17:11 +0200)]
s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()

We still allow 'ldap_testing:tls_channel_bindings = no' and
'ldap_testing:channel_bound = no' for testing
the old behavior in order to have expected failures in our tests.

And we have 'ldap_testing:forced_channel_binding = somestring'
in order to force invalid bindings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 23 Jan 2024 13:20:24 +0000 (14:20 +0100)]
s4:ldap_server: add support for tls channel bindings

ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Sep 2023 09:55:45 +0000 (11:55 +0200)]
s3:crypto/gse: implement channel binding support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 28 Sep 2023 15:09:37 +0000 (17:09 +0200)]
s4:gensec_gssapi: implement channel binding support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 11 Feb 2020 15:07:05 +0000 (16:07 +0100)]
auth/ntlmssp: implement channel binding support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 11 Feb 2020 14:26:07 +0000 (15:26 +0100)]
auth/gensec: add gensec_set_channel_bindings() function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 5 Apr 2024 14:07:50 +0000 (16:07 +0200)]
wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG

See https://github.com/heimdal/heimdal/pull/1234 and
https://github.com/krb5/krb5/pull/1329.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 09:30:55 +0000 (10:30 +0100)]
third_party/heimdal: import lorikeet-heimdal-202404171655 (commit 28a56d818074e049f0361ef74d7017f2a9391847)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

See also:
https://github.com/heimdal/heimdal/pull/1234
https://github.com/heimdal/heimdal/pull/1238
https://github.com/heimdal/heimdal/pull/1240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 28 Sep 2023 10:34:35 +0000 (12:34 +0200)]
s4:lib/tls: add tstream_tls_channel_bindings()

This is based on GNUTLS_CB_TLS_SERVER_END_POINT
and is the value that is required for channel bindings
in LDAP of active directory domain controllers.

For gnutls versions before 3.7.2 we basically
copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
implementation as it only uses public gnutls functions
and it was easy to re-implement.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 08:55:47 +0000 (09:55 +0100)]
lib/crypto: add legacy_gnutls_server_end_point_cb() if needed

gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
is only available with gnutls 3.7.2, but we still want to
support older gnutls versions and that's easily doable...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:53:15 +0000 (16:53 +0100)]
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:52:56 +0000 (16:52 +0100)]
s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:50:23 +0000 (16:50 +0100)]
s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:36:27 +0000 (16:36 +0100)]
s4:lib/tls: add tstream_tls_params_client_lpcfg()

This will be able to simplify the callers a lot...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 12 Feb 2024 11:02:13 +0000 (12:02 +0100)]
s4:lib/tls: split out tstream_tls_verify_peer() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 22:24:39 +0000 (23:24 +0100)]
s4:lib/tls: include a TLS server name indication in the client handshake

This is not strictly needed, but it might be useful
for load balancers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 16:16:46 +0000 (18:16 +0200)]
s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS

We require gnutls 3.6.13

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 12 Feb 2024 11:35:02 +0000 (12:35 +0100)]
s4:lib/tls: split out tstream_tls_prepare_gnutls()

Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 14:30:09 +0000 (15:30 +0100)]
s4:lib/tls: assert that event contexts are not mixed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 13:42:40 +0000 (14:42 +0100)]
s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed

Before the handshake or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.

Otherwise we'll have a problem if another tevent_context is used
after the handshake.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 13:27:16 +0000 (14:27 +0100)]
s4:lib/tls: remove tstream_tls_push_trigger_write step

At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
we tested these versions:
    2.4.1 -> broken
    2.4.2 -> broken
    2.6.0 -> broken
    2.8.0 -> broken
    2.8.1 -> broken
    2.8.2 -> OK
    2.8.3 -> OK
    2.8.4 -> OK
    2.8.5 -> OK
    2.8.6 -> OK
    2.10.0 -> broken
    2.10.1 -> broken
    2.10.2 -> OK

These seemed to be the fixes in gnutls upstream.

Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=28fb34099edaf62e5472cc6e5e2749fed369ea01

Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=0d07d8432d57805a8354ebd6c1e7829f3ab159cb

This shouldn't be a problem with recent (>= 3.6) versions of gnutls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:04:57 +0000 (18:04 +0100)]
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()

There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:07:53 +0000 (18:07 +0100)]
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 19:02:03 +0000 (21:02 +0200)]
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid

Without a valid loadparm_context we can't connect.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 19:01:08 +0000 (21:01 +0200)]
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx

Otherwise we'll crash in a lot of places later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 18:52:30 +0000 (20:52 +0200)]
tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 22 Jan 2024 20:33:05 +0000 (21:33 +0100)]
Fix a few "might be uninitialized" errors

I've seen them with clang

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224

Volker Lendecke [Tue, 27 Feb 2024 14:32:59 +0000 (15:32 +0100)]
smbd: Slightly simplify notifyd_send_delete()

Call messaging_send_iov() instead of messaging_send_iov_from().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days ago smbd: Simplify smb_set_file_unix_link()
Volker Lendecke [Mon, 12 Feb 2024 09:26:28 +0000 (10:26 +0100)]
smbd: Simplify smb_set_file_unix_link()

Avoid a call to parent_pathref, use the dirfsp that already exists

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days ago smbd: Simplify smb_q_posix_symlink()
Volker Lendecke [Sun, 11 Feb 2024 12:10:01 +0000 (13:10 +0100)]
smbd: Simplify smb_q_posix_symlink()

Use the dirfsp from call_trans2qpathinfo(), avoid a call to parent_pathref()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days ago smbd: Simplify call_trans2qpathinfo()
Volker Lendecke [Sat, 10 Feb 2024 13:26:55 +0000 (14:26 +0100)]
smbd: Simplify call_trans2qpathinfo()

These days filename_convert_dirfsp() always returns a full fsp.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 days ago s3:rpc_client: implement bind time feature negotiation
Stefan Metzmacher [Thu, 18 Apr 2024 23:22:17 +0000 (01:22 +0200)]
s3:rpc_client: implement bind time feature negotiation

This is not strictly needed as we don't use any of the
optional features yet.

But it will make it easier to add bind time features we'll
actually use later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224

4 days ago s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentat...
Stefan Metzmacher [Thu, 18 Apr 2024 23:17:46 +0000 (01:17 +0200)]
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context

We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.

It's also not needed to require a single array element.

We already checked above that we have at least one.

The next patch will add bind time feature negotiation
and that means we'll have 2 array elements...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 days ago s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
Stefan Metzmacher [Thu, 18 Apr 2024 23:15:52 +0000 (01:15 +0200)]
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()

This prepares adding bind time feature negotiation in the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 days ago dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()

dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
4 days ago s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password()...
Stefan Metzmacher [Thu, 14 Apr 2022 13:36:51 +0000 (15:36 +0200)]
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed

Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224

4 days ago python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
Stefan Metzmacher [Fri, 8 Mar 2024 13:14:34 +0000 (14:14 +0100)]
python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
Stefan Metzmacher [Thu, 14 Apr 2022 11:31:20 +0000 (13:31 +0200)]
lib/cmdline: only call cli_credentials_get_password_and_obtained if needed

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_R...
Stefan Metzmacher [Thu, 14 Apr 2022 11:30:56 +0000 (13:30 +0200)]
lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
Stefan Metzmacher [Wed, 6 Mar 2024 23:11:26 +0000 (00:11 +0100)]
s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago auth/credentials: don't call talloc_free(ccache_name) on callers memory
Stefan Metzmacher [Tue, 27 Feb 2024 15:22:14 +0000 (16:22 +0100)]
auth/credentials: don't call talloc_free(ccache_name) on callers memory

The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
Stefan Metzmacher [Tue, 27 Feb 2024 15:07:22 +0000 (16:07 +0100)]
auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()

A simple krb5_cc_close() doesn't remove it from the global memory list.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_ge...
Stefan Metzmacher [Fri, 8 Mar 2024 10:39:35 +0000 (11:39 +0100)]
lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime

If the ccache doesn't have an initial TGT the shortest lifetime of
service tickets should be returned.

This is needed in order to work with special ccaches used for
things like S4U2Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
Stefan Metzmacher [Wed, 3 Apr 2024 14:00:41 +0000 (16:00 +0200)]
s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
Stefan Metzmacher [Wed, 3 Apr 2024 14:35:35 +0000 (16:35 +0200)]
s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
4 days ago ldb:utf8: ldb_ascii_toupper() avoids real toupper()
Douglas Bagnall [Fri, 19 Apr 2024 21:57:15 +0000 (09:57 +1200)]
ldb:utf8: ldb_ascii_toupper() avoids real toupper()

If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.

It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224

4 days ago ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
Douglas Bagnall [Thu, 11 Apr 2024 01:46:28 +0000 (13:46 +1200)]
ldb:attrib_handlers: use ldb_ascii_toupper() in first loop

In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.

Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
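
An added illustration of the two ldb case-folding commit messages above (not code from the Samba tree): an ASCII-only uppercase next to a byte-wise Latin-1 fold, run over a UTF-8 sequence that starts with the 0xE2 byte the message mentions. The function names are hypothetical, `latin1_model_toupper()` is a constructed stand-in for what toupper() would return in an ISO-8859-1 locale, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* ASCII-only uppercase: touches 'a'..'z' and nothing else, never calls
 * toupper(), so the result does not depend on locale or char signedness. */
static char ascii_only_toupper(char c)
{
	return (c >= 'a' && c <= 'z') ? (char)(c - ('a' - 'A')) : c;
}

/* Constructed model of toupper() in an ISO-8859-1 locale, taking the byte
 * as unsigned: 0xE0..0xFE (except 0xF7) have capitals 0x20 lower. */
static unsigned char latin1_model_toupper(unsigned char b)
{
	if (b >= 'a' && b <= 'z') return (unsigned char)(b - 0x20);
	if (b >= 0xE0 && b <= 0xFE && b != 0xF7) return (unsigned char)(b - 0x20);
	return b;
}

/* Fold buf in place, byte by byte; returns how many bytes >= 0x80 changed,
 * i.e. how many pieces of multi-byte UTF-8 sequences were damaged. */
static size_t fold_bytes(unsigned char *buf, size_t len, int ascii_only)
{
	size_t i, damaged = 0;
	for (i = 0; i < len; i++) {
		unsigned char before = buf[i];
		buf[i] = ascii_only ? (unsigned char)ascii_only_toupper((char)before)
				    : latin1_model_toupper(before);
		if (before >= 0x80 && buf[i] != before) damaged++;
	}
	return damaged;
}

/* Constructed sample: "cn=" followed by U+20AC in UTF-8 (E2 82 AC). */
static const unsigned char sample[] = { 'c', 'n', '=', 0xE2, 0x82, 0xAC };

static size_t run_sample(int ascii_only, unsigned char out[sizeof(sample)])
{
	memcpy(out, sample, sizeof(sample));
	return fold_bytes(out, sizeof(sample), ascii_only);
}

int main(void)
{
	unsigned char out[sizeof(sample)];
	return run_sample(1, out) == 0 ? 0 : 1;
}
```

With the Latin-1 model the lead byte 0xE2 becomes 0xC2, so the three-byte sequence no longer encodes the same character; the ASCII-only fold uppercases `cn=` and leaves the multi-byte sequence intact.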