Joseph Sutton [Wed, 10 May 2023 22:40:27 +0000 (10:40 +1200)]
auth: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 10 May 2023 01:00:08 +0000 (13:00 +1200)]
auth: Correct parameter order in header
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:28:22 +0000 (16:28 +1200)]
s4:kdc: Fix diagnostic messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:26:35 +0000 (16:26 +1200)]
s4:kdc: Fix error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:23:17 +0000 (16:23 +1200)]
s4:kdc: Check ldb_dn_new() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:21:51 +0000 (16:21 +1200)]
s4:kdc: Remove double-free
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:59:54 +0000 (14:59 +1200)]
s4:kdc: Remove double-free
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:53:33 +0000 (14:53 +1200)]
s4:kdc: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:41:30 +0000 (14:41 +1200)]
s4:kdc: Make use of auth_generate_security_token()
We don’t need the whole session info structure to perform an access
check.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:06:23 +0000 (14:06 +1200)]
s4:auth: Fix typos
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:30:40 +0000 (14:30 +1200)]
s4:auth: Split out new function to generate a security token
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:11:42 +0000 (14:11 +1200)]
auth: Remove unnecessary return statements
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 02:09:19 +0000 (14:09 +1200)]
s3:utils: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 00:42:54 +0000 (12:42 +1200)]
s4:kdc: Fix debugging strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 00:07:35 +0000 (12:07 +1200)]
s4:kdc: Fix typos
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 8 May 2023 23:57:09 +0000 (11:57 +1200)]
s4:kdc: Factor out PAC blob functions into new source file
pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 8 May 2023 01:30:40 +0000 (13:30 +1200)]
s4:kdc: Add missing includes and declarations
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 8 May 2023 01:25:34 +0000 (13:25 +1200)]
libcli: Add missing include
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 8 May 2023 01:16:10 +0000 (13:16 +1200)]
s4:kdc: Include missing headers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 8 May 2023 00:58:46 +0000 (12:58 +1200)]
s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 01:53:06 +0000 (13:53 +1200)]
tests/krb5: Add tests for authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 02:44:11 +0000 (14:44 +1200)]
tests/krb5: Allow specifying whether PA-DATA types are to be checked
Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 02:41:00 +0000 (14:41 +1200)]
tests/krb5: Allow server and workstation accounts to perform a SamLogon
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 02:40:21 +0000 (14:40 +1200)]
tests/krb5: Allow specifying machine credentials to _test_samlogon()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 01:55:31 +0000 (13:55 +1200)]
tests/krb5: Rename ‘server’ to ‘dc_server’
This makes it more clear that this is in fact the DC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 2 May 2023 02:48:25 +0000 (14:48 +1200)]
netlogon:schannel: Fix NULL pointer dereference
We should not pass a NULL pointer into netlogon_creds_client_init().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 1 Dec 2022 02:35:56 +0000 (15:35 +1300)]
tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
Certain clients rely on this behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 02:55:36 +0000 (14:55 +1200)]
tests/krb5: Improve edata checking
Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.
The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:22:38 +0000 (16:22 +1200)]
tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:53:42 +0000 (14:53 +1300)]
samba-tool domain: Clean up code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:53:19 +0000 (14:53 +1300)]
samba-tool domain: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 16 May 2023 11:09:23 +0000 (13:09 +0200)]
librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
We should not limit the possible encryption algorithms to the currently
known ones.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224
Joseph Sutton [Wed, 10 May 2023 01:06:18 +0000 (13:06 +1200)]
s4:torture: Replace calls to deprecated function
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 17 00:24:38 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 9 May 2023 04:12:03 +0000 (16:12 +1200)]
s4:dsdb: Check return value of allocation functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:11:37 +0000 (16:11 +1200)]
s4:dsdb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 04:10:59 +0000 (16:10 +1200)]
s4:dsdb: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 9 May 2023 03:51:06 +0000 (15:51 +1200)]
s4:auth: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 2 May 2023 00:59:22 +0000 (12:59 +1200)]
s4-auth: Log correct function name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 2 May 2023 00:51:52 +0000 (12:51 +1200)]
netlogon:schannel: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 25 Apr 2023 22:31:51 +0000 (10:31 +1200)]
samba-tool domain: Run in interactive mode if no args are supplied
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 23 Apr 2023 22:42:39 +0000 (10:42 +1200)]
python: Safely clear structure members
Using Py_CLEAR() ensures that these structures are observed in a
consistent state by any Python code that may run during deconstruction.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 12 Apr 2023 19:47:39 +0000 (07:47 +1200)]
python:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 19 May 2022 04:45:55 +0000 (16:45 +1200)]
auth: Return status code if configuration prohibits NTLM
Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 02:05:38 +0000 (15:05 +1300)]
s4-dsdb:large_ldap: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 02:04:32 +0000 (15:04 +1300)]
s4-dsdb:large_ldap: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:56:56 +0000 (14:56 +1300)]
pytest/password_lockout: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 16 May 2023 00:21:02 +0000 (12:21 +1200)]
pytest/password_lockout: Use correct variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:56:24 +0000 (14:56 +1300)]
pytest/password_lockout: Use more specific assertion methods
These methods produce better error messages if an assertion fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:55:31 +0000 (14:55 +1300)]
pytest/password_lockout: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:53:54 +0000 (14:53 +1300)]
samba-tool domain: Remove unnecessary variable
It is conciser to use ‘r’ to refer to update_forest_info.entries[i].
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Apr 2023 04:39:23 +0000 (16:39 +1200)]
samba-tool domain: Use result of setup_local_server() instead of object field
The code is clearer if we consistently refer to the same variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:46:05 +0000 (07:46 +1300)]
s4:dsdb:tests: Refactor security descriptor test
Use more specific unittest methods.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:43:40 +0000 (07:43 +1300)]
s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:39:05 +0000 (07:39 +1300)]
s4:dsdb:tests: Refactor ACL test
Use more specific unittest methods; remove some unused variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Wed, 3 May 2023 07:39:30 +0000 (10:39 +0300)]
pyglue: use Py_ssize_t in random data generation functions
Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed comments to correctly match the
new check for just negative numbers]
Dmitry Antipov [Wed, 3 May 2023 07:32:28 +0000 (10:32 +0300)]
lib:util: prefer size_t for random data generation functions
Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 11 May 2023 02:25:31 +0000 (14:25 +1200)]
selftest: Change ad_dc environment to be 2016 functional level
This is not yet supported in full, but this makes ad_dc match our full set of available features.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 22:38:20 +0000 (10:38 +1200)]
selftest: Allow provision_ad_dc() to take functional_level as an argument
The $$$$$$$ is removed as it does not do what you think it does.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 21:49:34 +0000 (09:49 +1200)]
selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
The change to make this independent in
fc9845da69cabcc1bf046d7899b2c4aeae743170
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 22:03:30 +0000 (10:03 +1200)]
Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008
This will allow fl008dc to become an alias of ad_dc_ntvfs again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 16 May 2023 05:15:31 +0000 (17:15 +1200)]
selftest: Move linked_attributes test to ad_dc selftest environment
The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 03:54:09 +0000 (15:54 +1200)]
samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Wed, 10 May 2023 03:24:23 +0000 (15:24 +1200)]
samba-tool domain provision: Use "ad dc functional level" to control max functional level
This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 03:46:55 +0000 (15:46 +1200)]
python: Add function to get the functional level as a python intger from smb.conf
The lp.get() returns the normalised string from the enum handler
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 04:37:37 +0000 (16:37 +1200)]
param: Add new parameter "ad dc functional level"
This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 04:32:47 +0000 (16:32 +1200)]
samba-tool domain provision: Use common functional_level.string_to_level()
This is instead of manually parsing the functional level strings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 03:50:46 +0000 (15:50 +1200)]
python: Move helper functions for functional levels into a new file
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Volker Lendecke [Tue, 18 Apr 2023 10:47:04 +0000 (12:47 +0200)]
rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
Volker Lendecke [Tue, 18 Apr 2023 12:32:20 +0000 (14:32 +0200)]
lib: Add security_token_del_npa_flags() helper function
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:29:34 +0000 (12:29 +0200)]
rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:28:28 +0000 (12:28 +0200)]
rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
More code, but will be more flexible in the future.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:09:45 +0000 (12:09 +0200)]
rpc: Add global_sid_Samba_NPA_Flags SID
This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:04:17 +0000 (12:04 +0200)]
librpc: Simplify dcerpc_is_transport_encrypted()
Simplify logic by using security_token_count_flag_sids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:01:02 +0000 (12:01 +0200)]
smbd: Use security_token_count_flag_sids() in open_np_file()
Simpler logic in the caller
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 09:31:16 +0000 (11:31 +0200)]
libcli: Add security_token_count_flag_sids()
To be used in a few places when checking special-case Samba SIDs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 26 Apr 2023 15:19:29 +0000 (17:19 +0200)]
winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 9 02:58:45 UTC 2023 on atb-devel-224
Volker Lendecke [Thu, 27 Apr 2023 10:25:24 +0000 (12:25 +0200)]
winbind: Test wbinfo -u with more than 1000 users
winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has
NTSTATUS samr_LookupRids(
[in,ref] policy_handle *domain_handle,
[in,range(0,1000)] uint32 num_rids,
[in,size_is(1000),length_is(num_rids)] uint32 rids[],
[out,ref] lsa_Strings *names,
[out,ref] samr_Ids *types
);
limiting num_rids to 1000 entries. Test this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 03:25:31 +0000 (15:25 +1200)]
build:wafsamba: Fix TypeError in read_submodule_status()
parts = l.split(" ")
^^^^^^^^^^^^
TypeError: a bytes-like object is required, not 'str'
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Fri, 28 Apr 2023 13:37:31 +0000 (07:37 -0600)]
gp: get_gpo() should re-raise the Exception, not return
If we return from this failure, then `new_gpo` is
set to `None` and we will fail in some obscure
way within a CSE later (since we append `None` to
the GPO list). Instead, re-raise the Exception so
we see that an error happened when fetching the
GPO.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Tue, 2 May 2023 10:45:01 +0000 (13:45 +0300)]
s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()
Strictly speaking, this is not a bug because parsing loop will just skip
an empty ({NULL}, 0) blob. But it's better to avoid this case because
UBSan (as of clang-17 at least) may complain on such a parsing attempt:
source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
#0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
#1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
#2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
#3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
[... a lot of Python calls skipped...]
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Tue, 2 May 2023 10:43:54 +0000 (13:43 +0300)]
lib:ldb: do not offset against NULL pointer in ldb_ldif_read()
Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:
lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset
137438953440 to null pointer
#0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
#1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
#2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
#3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
#4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
[... a lot of Python calls skipped...]
I.e. number of elements should be checked against zero
before making an attempt to access an element by index.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:58:29 +0000 (12:58 +1300)]
s4/scripting: fix % len(res) was in the wrong place
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 5 05:54:11 UTC 2023 on atb-devel-224
Rob van der Linde [Thu, 23 Feb 2023 23:57:57 +0000 (12:57 +1300)]
s4/dsdb: fix unnecessary backslash
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:54:16 +0000 (12:54 +1300)]
s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:48:23 +0000 (12:48 +1300)]
s4/scripting: fix a few invalid docstring args
One arg "dn" was removed, the others just had a typo.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:43:50 +0000 (12:43 +1300)]
dsdb/tests: fix assignment to for loop variable
because the loop variables are all called 'k' and the inner and outer loop both use 'k'.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 1 May 2023 01:04:58 +0000 (13:04 +1200)]
s4:kdc: Don’t call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 5 03:52:30 UTC 2023 on atb-devel-224
Joseph Sutton [Sun, 30 Apr 2023 23:22:02 +0000 (11:22 +1200)]
lib:addns: Don’t call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 30 Apr 2023 21:48:15 +0000 (09:48 +1200)]
tests/krb5: Improve _test_samr_change_password() method
Instead of using anonymous credentials, we now connect using the
passed-in credentials.
We now correctly construct nt_password and nt_verifier so as to
successfully change the password, instead of having to distinguish
between a WRONG_PASSWORD error and an error caused by the password
change being disallowed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 30 Apr 2023 21:45:37 +0000 (09:45 +1200)]
tests/krb5: Don’t delete silo until all tests have finished
It’s possible that we reuse the same silo across multiple tests. In that
case, we should not delete it until we are sure we have finished with
it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:25:09 +0000 (16:25 +1200)]
tests/krb5: Add remove_attribute() helper function
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:24:31 +0000 (16:24 +1200)]
tests/krb5: Have set_forced_key() also set the NT hash
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:22:32 +0000 (16:22 +1200)]
auth/credentials: Add set_nt_hash()
This method allows setting the NT hash directly. This is useful in cases
where we don’t know the password, such as with a computer or server
account.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 21:41:59 +0000 (09:41 +1200)]
s3:lib: Fix typos
These typos were also spotted by a mailing list user:
https://lists.samba.org/archive/samba-technical/2023-April/138190.html
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:25:23 +0000 (16:25 +1200)]
s4:kdc: Remove unused parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:23:36 +0000 (16:23 +1200)]
tests/krb5: Make _tgs_req() more configurable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:22:38 +0000 (16:22 +1200)]
tests/krb5: Make use of check_tgs_reply()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:20:25 +0000 (16:20 +1200)]
tests/krb5: Allow specifying an encoded security descriptor
If we get a string, we’ll still assume it’s a DN and create a security
descriptor using it.
This is useful in cases where we don’t have a DN (e.g., the account is
not created yet).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:18:32 +0000 (16:18 +1200)]
tests/krb5: Rename ‘objectclass’ to use correct case
This means that tests can now specify values for ‘objectClass’ in
additional_details which override the default value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:16:44 +0000 (16:16 +1200)]
tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’
Make it clear that this relates to authentication, not authorization.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>