metze/samba/wip.git
Stefan Metzmacher [Thu, 17 Mar 2022 15:42:50 +0000 (16:42 +0100)]
python/samba/tests/krb5/kdc_tgs_tests.py test_s4u2self_rodc_revealed only without RODC first! Would it work against the RODC itself???

Stefan Metzmacher [Fri, 18 Mar 2022 10:43:35 +0000 (11:43 +0100)]
Revert "python/samba/tests/krb5/kdc_tgs_tests.py test_s4u2self_rodc_revealed only without RODC first! Would it work against the RODC itself???"

This reverts commit 00d75b1feb64fa8e20b2e0c3f185f08091d4ac64.

Stefan Metzmacher [Thu, 17 Mar 2022 15:42:50 +0000 (16:42 +0100)]
python/samba/tests/krb5/kdc_tgs_tests.py test_s4u2self_rodc_revealed only without RODC first! Would it work against the RODC itself???

Stefan Metzmacher [Thu, 10 Oct 2019 14:22:35 +0000 (16:22 +0200)]
BROKEN-CHECK s4:kdc: fix samba_kdc_lookup_realm() with krbtgt/OTHER.REALM/OUR.REALM

WAS 85820e0ba8a1fd96afc6d9f271eb2fc12e2ca3c9

Stefan Metzmacher [Thu, 17 Feb 2022 10:00:05 +0000 (11:00 +0100)]
LAST samba_kdc_message2entry_keys debug

Stefan Metzmacher [Thu, 24 Mar 2022 16:44:38 +0000 (17:44 +0100)]
source4/dsdb/samdb/ldb_modules/password_hash.c setup_supplemental_field store with num_packes=0

Stefan Metzmacher [Thu, 24 Mar 2022 16:43:59 +0000 (17:43 +0100)]
source4/rpc_server/drsuapi/getncchanges.c force DRSUAPI_ATTID_instanceType for REPL_SECRET responses

Stefan Metzmacher [Wed, 23 Mar 2022 11:22:53 +0000 (12:22 +0100)]
Revert "KRB5_KTE_FLAG_ACCEPTOR_IGNORE_* in krb5_rd_req_ctx"

This reverts commit f978d7a78b60c80a8bd8bfd427a8b516d4c1c9a0.

Stefan Metzmacher [Wed, 23 Mar 2022 11:22:53 +0000 (12:22 +0100)]
Revert "KRB5_KTE_FLAG_ACCEPTOR_IGNORE_*"

This reverts commit 177e8a06e46a9cc757b219f90c0ca8e9a4b36c8d.

Stefan Metzmacher [Wed, 23 Mar 2022 11:22:53 +0000 (12:22 +0100)]
Revert "fill_mem_keytab_from_secrets KRB5_KTE_FLAG_ACCEPTOR_IGNORE_TRANSITED..."

This reverts commit 1ab6bcb19eca2b1a2b48143e32685aa21e93c9b6.

Stefan Metzmacher [Mon, 14 Feb 2022 17:17:49 +0000 (18:17 +0100)]
fill_mem_keytab_from_secrets KRB5_KTE_FLAG_ACCEPTOR_IGNORE_TRANSITED...

Stefan Metzmacher [Mon, 7 Feb 2022 17:12:32 +0000 (18:12 +0100)]
KRB5_KTE_FLAG_ACCEPTOR_IGNORE_*

Stefan Metzmacher [Mon, 7 Feb 2022 17:23:36 +0000 (18:23 +0100)]
KRB5_KTE_FLAG_ACCEPTOR_IGNORE_* in krb5_rd_req_ctx

Stefan Metzmacher [Thu, 24 Mar 2022 13:12:12 +0000 (14:12 +0100)]
TODO: s4:kdc: samba_kdc_sort_keys(max_keys)

This can be used in future to limit the number of keys to 1,
in order to expose only the strongest etype.

Stefan Metzmacher [Wed, 3 Jan 2024 16:03:57 +0000 (17:03 +0100)]
Revert "python/samba/tests/krb5/kdc_tgs_tests.py ONLY test_s4u2self_rodc_revealed"

This reverts commit 7ee9b13378c743cb25b7529f464884fab479248c.

Andreas Schneider [Wed, 23 Mar 2022 16:32:53 +0000 (17:32 +0100)]
Revert "python/samba/tests/krb5/kdc_tgs_tests.py test_s4u2self_rodc_revealed only without RODC first! Would it work against the RODC itself???"

This reverts commit 8b03332a85842a5dd58db10e4391c27e6db0d45f.

Signed-off-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 17 Mar 2022 15:42:50 +0000 (16:42 +0100)]
python/samba/tests/krb5/kdc_tgs_tests.py test_s4u2self_rodc_revealed only without RODC first! Would it work against the RODC itself???

Stefan Metzmacher [Thu, 17 Mar 2022 15:41:50 +0000 (16:41 +0100)]
python/samba/tests/krb5/kdc_tgs_tests.py ONLY test_s4u2self_rodc_revealed

Stefan Metzmacher [Tue, 20 Jun 2023 11:32:29 +0000 (13:32 +0200)]
Revert "TESTS TODO windows 2022 fails"

This reverts commit df3204df851072fc70411f1878d1f2ca9e8179a0.

Stefan Metzmacher [Tue, 12 Apr 2022 09:36:44 +0000 (11:36 +0200)]
TESTS TODO windows 2022 fails

SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2022-L7 REALM=W2022-L7.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 FAST_SUPPORT=1 TKT_SIG_SUPPORT=1 CHECK_PADATA=1 EXPECT_EXTRA_PAC_BUFFERS=1 EXPECT_PAC=1 CHECK_CNAME=1 python/samba/tests/krb5/kdc_tgs_tests.py

WAS 448e9ab0a338d5994d50cd78951fe3924bcfc37a
WAS f217d6d6943de0092547d8e9640ff35ec31907c2

Stefan Metzmacher [Fri, 30 Dec 2022 23:29:06 +0000 (00:29 +0100)]
HACK sleep on panic

Stefan Metzmacher [Fri, 30 Dec 2022 23:41:03 +0000 (00:41 +0100)]
python/samba/tests/krb5/s4u_tests.py allow_multiple_pacs

Stefan Metzmacher [Fri, 30 Dec 2022 19:50:41 +0000 (20:50 +0100)]
python/samba/tests/krb5/raw_testcase.py allow optional additional PAC elements

Stefan Metzmacher [Fri, 30 Dec 2022 19:49:31 +0000 (20:49 +0100)]
python/samba/tests/krb5/raw_testcase.py assert the PAC is alone in the first AD-IF-RELEVANT element

Stefan Metzmacher [Fri, 30 Dec 2022 23:22:27 +0000 (00:22 +0100)]
fix _kdc_tkt_insert_pac sorting

Stefan Metzmacher [Fri, 10 Mar 2023 14:05:15 +0000 (15:05 +0100)]
source4/rpc_server/lsa/lsa_lookup.c behave like Windows 2022

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Stefan Metzmacher [Fri, 10 Mar 2023 14:05:15 +0000 (15:05 +0100)]
source4/rpc_server/lsa/lsa_lookup.c behave like Windows 2008R2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Stefan Metzmacher [Wed, 12 Aug 2020 15:08:14 +0000 (17:08 +0200)]
libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2

Windows (172.31.9.133) returns the following:

 #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

While the current Samba (172.31.9.163) returns the following:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 result was NT_STATUS_INVALID_SID
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 S-1-3 *unknown*\*unknown* (8)

With this change also return the same as Windows:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

This is a minimal fix in order to avoid crashes in the Windows Explorer.
The real fix needs more work and additional tests, as the behavior seems
to be different in newer Windows releases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Signed-off-by: Stefan Metzmacher <metze@samba.org>
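The three rpcclient transcripts above pin down a simple rule: a SID that carries an identifier authority but no sub-authority at all (S-1-22, S-1-3) is rejected with NT_STATUS_INVALID_SID, while a well-formed SID that is not a known predefined one is answered as *unknown* with name type 8. The Python model below is an added example, not Samba's dom_sid_lookup_predefined_sid(); its predefined table holds only the one entry the transcripts show, and failing the whole call on an invalid SID is an assumption that the single-SID transcripts cannot distinguish from a per-SID error.

```python
import re

# Name types as printed in the rpcclient output above:
# 5 = SID_NAME_WKN_GRP (well-known group), 8 = SID_NAME_UNKNOWN.
SID_NAME_WKN_GRP = 5
SID_NAME_UNKNOWN = 8

# Constructed table: only the predefined SID the transcripts resolve.
# Samba's real table is much larger; this is an illustration.
PREDEFINED = {
    "S-1-3-0": ("", "CREATOR OWNER", SID_NAME_WKN_GRP),
}

# S-1-<identifier authority>[-<sub authority>...]
_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Return (identifier_authority, [sub_authorities]) or None if malformed."""
    m = _SID_RE.match(text)
    if m is None:
        return None
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-") if x]
    return authority, subs


def lookup_sid(text):
    """Model of the Windows 2008R2 answer for one SID.

    Returns the string "NT_STATUS_INVALID_SID" for a SID that has no
    sub-authority, otherwise a (domain, name, name_type) tuple.
    """
    parsed = parse_sid(text)
    if parsed is None:
        raise ValueError(f"not a SID string: {text!r}")
    _authority, subs = parsed
    if not subs:
        # S-1-22 and S-1-3 in the transcripts: authority only, no RID.
        return "NT_STATUS_INVALID_SID"
    entry = PREDEFINED.get(text)
    if entry is None:
        # S-1-22-1, S-1-22-1-0, S-1-3-99: well-formed but not known.
        return ("*unknown*", "*unknown*", SID_NAME_UNKNOWN)
    return entry


def lookupsids(sids):
    """One 'lookupsids' call over several SIDs.

    Assumption (not shown by the transcripts, which only ever pass one
    invalid SID per call): any invalid SID fails the whole call.
    """
    results = []
    for sid in sids:
        answer = lookup_sid(sid)
        if answer == "NT_STATUS_INVALID_SID":
            return answer
        results.append((sid,) + answer)
    return results


def format_rpcclient(sids):
    """Render a call the way rpcclient prints it in the commit message."""
    answer = lookupsids(sids)
    if isinstance(answer, str):
        return ["result was " + answer]
    return [f"{sid} {dom}\\{name} ({ntype})" for sid, dom, name, ntype in answer]


if __name__ == "__main__":
    for call in (["S-1-22-1", "S-1-22-1-0"], ["S-1-22"],
                 ["S-1-3-0", "S-1-3-99"], ["S-1-3"]):
        print("\n".join(format_rpcclient(call)))
```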
Stefan Metzmacher [Fri, 9 Jun 2023 13:17:14 +0000 (15:17 +0200)]
Revert "HACK testprogs/blackbox/test_kpasswd_heimdal.sh v2"

This reverts commit bfcb6fd788f6d5196b8ada832df5d003300949a4.

Stefan Metzmacher [Fri, 9 Jun 2023 12:47:51 +0000 (14:47 +0200)]
HACK testprogs/blackbox/test_kpasswd_heimdal.sh v2

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "DEBUG krb5 ..."

This reverts commit 18d6fd747430e84b21f38e71a12c7a76d9094a91.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "krb5_set_debug_dest(context, getprogname(), "0-1FILE=/tmp/debug.gssapi-krb5.context");"

This reverts commit 59f9f2f2a562c1fa0883d02a51399d3651a15542.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "0-/EFILE:/tmp/debug.gssapi-krb5.context 'umask 0000;touch /tmp/debug.gssapi-krb5.context'"

This reverts commit 30daa8bf9ff6663dcd27b8797ed235723e28c7fe.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "debug _gsskrb5_init"

This reverts commit efa184b3eaf632db44d3540c698f3c157eff32df.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "more debug"

This reverts commit 60528a6b5be41ef0180d60609b5ec221fadd51c7.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "more debug"

This reverts commit 3025282723a1ecd6a5c0b7dd39a27c5ed756978c.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "debug pid of each message"

This reverts commit ec4c5680072d944cabb5153f50a18e657798c7ce.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "debug reset_context"

This reverts commit 9a822e87c6f432e44cff02eeedeb6f6d732d08d6.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "rd_party/heimdal/lib/base/"

This reverts commit b1272fc4b92fb58ff4c15c6439a244640cb1e4c2.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "base2json HEIM_TID_MEMORY:"

This reverts commit 12fab901758cba3eeee76f2aa8eb4452c65401d4.

Stefan Metzmacher [Wed, 3 Jan 2024 15:57:35 +0000 (16:57 +0100)]
Revert "debug reset_context ref_cnt json"

This reverts commit 3d114d59695ac86438cce736153a9ce8f15974f7.

Stefan Metzmacher [Wed, 21 Dec 2022 13:30:08 +0000 (14:30 +0100)]
debug reset_context ref_cnt json

Stefan Metzmacher [Wed, 21 Dec 2022 13:29:54 +0000 (14:29 +0100)]
base2json HEIM_TID_MEMORY:

Stefan Metzmacher [Wed, 21 Dec 2022 13:08:35 +0000 (14:08 +0100)]
rd_party/heimdal/lib/base/
third_party/heimdal/lib/base/ heim_ref_cnt...

Stefan Metzmacher [Wed, 21 Dec 2022 12:22:46 +0000 (13:22 +0100)]
debug reset_context

Stefan Metzmacher [Wed, 21 Dec 2022 12:17:24 +0000 (13:17 +0100)]
debug pid of each message

Stefan Metzmacher [Wed, 21 Dec 2022 12:11:21 +0000 (13:11 +0100)]
more debug

Stefan Metzmacher [Wed, 21 Dec 2022 11:57:10 +0000 (12:57 +0100)]
more debug

Stefan Metzmacher [Wed, 21 Dec 2022 11:44:53 +0000 (12:44 +0100)]
debug _gsskrb5_init

Stefan Metzmacher [Wed, 21 Dec 2022 11:16:29 +0000 (12:16 +0100)]
0-/EFILE:/tmp/debug.gssapi-krb5.context 'umask 0000;touch /tmp/debug.gssapi-krb5.context'

Stefan Metzmacher [Wed, 21 Dec 2022 11:02:11 +0000 (12:02 +0100)]
krb5_set_debug_dest(context, getprogname(), "0-1FILE=/tmp/debug.gssapi-krb5.context");

Stefan Metzmacher [Wed, 21 Dec 2022 10:20:20 +0000 (11:20 +0100)]
DEBUG krb5 ...

Stefan Metzmacher [Wed, 11 Oct 2023 14:14:19 +0000 (16:14 +0200)]
Revert "python/samba/tests/krb5/kdc_base_test.py only_des_key use_aes_keys"

This reverts commit 0ab25289b511ad18c42f3cd90f262e39956f3dc9.

Stefan Metzmacher [Thu, 24 Mar 2022 13:13:52 +0000 (14:13 +0100)]
python/samba/tests/krb5/kdc_base_test.py only_des_key use_aes_keys

Stefan Metzmacher [Wed, 30 Nov 2022 10:09:28 +0000 (11:09 +0100)]
Revert "MASTER/4.18?: kerberos encryption types = strong"

This reverts commit ffad22fc1594d7aad1db75d24d3804f204a171d9.

Stefan Metzmacher [Wed, 30 Nov 2022 10:09:28 +0000 (11:09 +0100)]
Revert "MASTER/4.18?: selftest/target/Samba3.pm kerberos encryption types = all samba.tests.pam_winbind.trust_e_both"

This reverts commit d3def474ba39036c712422040b0716a94219296e.

Stefan Metzmacher [Wed, 30 Nov 2022 10:09:28 +0000 (11:09 +0100)]
Revert "MASTER/4.18?: ad_member_oneway kerberos encryption types = all samba3.wbinfo_simple.trust"

This reverts commit fc19d2e63e75cf78088c7d7ed725730c7c7f1095.

Stefan Metzmacher [Mon, 28 Nov 2022 16:58:14 +0000 (17:58 +0100)]
MASTER/4.18?: ad_member_oneway kerberos encryption types = all samba3.wbinfo_simple.trust

Stefan Metzmacher [Mon, 28 Nov 2022 16:01:16 +0000 (17:01 +0100)]
MASTER/4.18?: selftest/target/Samba3.pm kerberos encryption types = all samba.tests.pam_winbind.trust_e_both

Stefan Metzmacher [Fri, 25 Nov 2022 15:47:25 +0000 (16:47 +0100)]
MASTER/4.18?: kerberos encryption types = strong

Stefan Metzmacher [Wed, 21 Jun 2023 11:23:40 +0000 (13:23 +0200)]
Revert "TODO-LATER, extra audit field??? s4:kdc: Also audit the used KVNO if available"

This reverts commit 934f7669c6d9ddda196d4699087f9c9ebf66855a.

Stefan Metzmacher [Tue, 20 Jun 2023 13:47:47 +0000 (15:47 +0200)]
TODO-LATER, extra audit field??? s4:kdc: Also audit the used KVNO if available

Stefan Metzmacher [Tue, 20 Jun 2023 14:15:22 +0000 (16:15 +0200)]
Revert "HACK auth/auth_log.c audit auth at level 0"

This reverts commit 517ff2c68f60e22714e2f73c18db616e1b89a6c4.

Stefan Metzmacher [Tue, 20 Jun 2023 14:15:05 +0000 (16:15 +0200)]
HACK auth/auth_log.c audit auth at level 0

Stefan Metzmacher [Thu, 1 Feb 2024 12:57:56 +0000 (13:57 +0100)]
HEIMDAL: lib/krb5: don't ignore krb5_init_creds_get_creds() result in krb5_get_init_creds_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Stefan Metzmacher [Thu, 1 Feb 2024 12:58:32 +0000 (13:58 +0100)]
HEIMDAL: lib/krb5: work around AIX fwrite() caching bug in stdio_store()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Thu, 1 Feb 2024 12:58:32 +0000 (13:58 +0100)]
krb5_wrap: don't ignore krb5_kt_start_seq_get() errors

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:30 +0000 (17:25 +0000)]
auth/credentials_krb5: make use of smb_gss_krb5_prepare_acceptor_cred()

We should check all keys in our in memory keytab
and skip the transited checks unless we're
in standalone/MIT-realm mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:25:09 +0000 (17:25 +0000)]
auth/credentials_krb5: let cli_credentials_get_server_gss_creds() use an early return

This will simplify the next commits.

Check with: git show -w

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 17:13:41 +0000 (17:13 +0000)]
s3:gse: let gse_init_server() use smb_gss_krb5_prepare_acceptor_cred()

We should check all keys in our in memory keytab
and skip the transited checks unless we're in
standalone/MIT-realm mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:52:15 +0000 (16:52 +0000)]
krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
configure_mitkrb5: check for GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 16:09:47 +0000 (16:09 +0000)]
s4:heimdal_build: define HAVE_GSS_KRB5_CRED_{SKIP_TRANSIT_CHECK,ITERATE_ACCEPTOR_KEYTAB}_X

We can only do that for our own copy of heimdal, see
https://github.com/heimdal/heimdal/pull/656

In future we may want to use
source4/heimdal_build/wscript_configure only for
our in tree copy of heimdal and do real configure
checks for the system heimdal build.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 22 Aug 2019 08:30:01 +0000 (10:30 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X

This allows krb5_rd_req_in_set_iterate_keytab() to be used via the
gssapi layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_iterate_keytab()

A caller might not know the kvno maintained by the KDC.
And most often there's need to know it.

So this function makes it possible to force the keytab
iteration in order to get a consistent behavior.
Otherwise it's possible to get a different behavior
if the guessed kvno in the keytab accidentally matches
the kvno of the ticket and we'll give up if the
key is not able to decrypt the ticket.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Sat, 20 Jul 2019 10:15:04 +0000 (10:15 +0000)]
HEIMDAL:lib/krb5: let krb5_rd_req_ctx() fallback only on KRB5KRB_AP_ERR_BAD_INTEGRITY

This avoids hiding a real error like KRB5KRB_AP_ERR_ILL_CR_TKT.

We only want to retry with the next key if the decryption
failed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/gssapi/krb5: add GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X

This allows KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK (on the acceptor)
to be controlled via the gssapi layer.

Members of Active Directory domains should just rely on their
KDCs (domain controllers) to do SID-Filtering (and name checking)
on trust boundaries, I have verified this with a modified Samba KDC
and a Windows 2012R2 DC. The Windows DC rejects invalid cross-realm tickets
with KRB5KDC_ERR_POLICY, before generating a new (service or referral)
ticket. So any service ticket is already policy checked by the KDC
even if this does not result in setting the transited_policy_checked in the ticket.

This means an accepting service can tell gss_accept_sec_context()
to skip any transited checking, as the trust topology is only
fully known to the KDC anyway.

The detailed background for this can be found in the bug report
and the mailing list:
https://lists.samba.org/archive/samba-technical/2019-September/thread.html#134285
https://lists.samba.org/archive/samba-technical/2019-November/thread.html#134553
http://mailman.mit.edu/pipermail/krbdev/ should also have references.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add [libdefaults] acceptor_skip_transit_check and KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK

In Active Directory a domain member relies on (trusts) the [K]DCs
of the domain. It's the job of the [K]DCs to only generate useful
tickets as they know about the trust topology.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2017 13:33:17 +0000 (15:33 +0200)]
HEIMDAL:lib/krb5: add krb5_rd_req_in_set_verify_ap_req_flags()

In the next commits we want to be able to pass down
things like KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
schema_samba4.ldif: allocate GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X from our OID space

This will be in (at least our own copy of) Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 17 Aug 2021 15:35:27 +0000 (17:35 +0200)]
samba.schema: allocate GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X from our OID space

This will be used in MIT kerberos and (at least our own copy of) Heimdal.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Tue, 1 Aug 2023 12:40:33 +0000 (14:40 +0200)]
HEIMDAL: make-proto.pl make JSON:PP optional

Stefan Metzmacher [Thu, 3 Feb 2022 17:27:19 +0000 (18:27 +0100)]
s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 17:27:19 +0000 (18:27 +0100)]
s3:libnet: add support for trusted domains in libnet_dssync_keytab.c

It means that keytabs generated via 'net rpc vampire keytab' are
able to decrypt cross-realm tickets in Wireshark.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c

This way we can easily re-use the logic in the next commits...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: split out parse_user() in libnet_dssync_keytab.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:48:03 +0000 (14:48 +0100)]
s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash

It happens in setups with 'nt hash store = never'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Thu, 3 Feb 2022 13:14:06 +0000 (14:14 +0100)]
s4:kdc: also provide cross-realm keys via samba_kdc_seq()

This means that 'samba-tool domain exportkeytab' is able to
export them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Noel Power [Wed, 10 Jan 2024 14:43:58 +0000 (14:43 +0000)]
s3/rpc_client: cleanup unmarshalling of variant types from row columns

Prior to this change fn 'extract_variant_addresses' actually returns offsets
to the variant stored, not the addresses; additionally the param in the
signature of the method is named offset where the param in reality is a
base address.
This change makes fn 'extract_variant_addresses' actually return addresses
instead of offsets and also changes the name of the incoming param. The
resulting changes are propagated to callers, which hopefully makes what the
code is actually doing a little clearer.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jan 30 17:22:37 UTC 2024 on atb-devel-224

Noel Power [Mon, 8 Jan 2024 15:56:38 +0000 (15:56 +0000)]
s3/utils: use full 64 bit address for getrows (with 64bit offsets)

If 64bit offsets are used the hi 32-bits of the address are stored in
the ulreserved2 member of the message header field and the low 32-bits
are stored in the ulclientbase member of the cpmgetrows message.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Wed, 10 Jan 2024 10:59:23 +0000 (10:59 +0000)]
s3/rpc_client: Remove stray unnecessary comment

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Mon, 8 Jan 2024 15:12:35 +0000 (15:12 +0000)]
s3/rpc_client: change type of offset to uint64_t

Offset can be a 32 or 64 bit address depending on the indexing addressing
mode negotiated by the client.
With a 32 bit param we can only specify a 32 bit base address. This change
alone doesn't affect anything as it is the client itself that chooses and
passes the base address offset and wspsearch is the only current user of
this code.
In this case even with 64bit addressing negotiated the address passed
represents only the lower 32-bits part of the address.
However, for coverage purposes it would be better for the client to use an
address that covers the full 64bit range of the address (when 64 bit
addressing is negotiated).
This change will allow the wspsearch client in a future commit to pass a
base address value with both the hi and low 32 bits values set to make up
the full 64 bit address.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Tue, 19 Dec 2023 11:35:58 +0000 (11:35 +0000)]
librpc/idl: remove duplicate definition

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 16 Nov 2023 09:22:56 +0000 (09:22 +0000)]
librpc/idl: fix typo in wsp_csort member

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Mon, 18 Dec 2023 11:37:38 +0000 (11:37 +0000)]
librpc/wsp: Unknown property used in 'current directory' searches

This property seems to be used instead of 'Scope' when the Windows
search UI has selected the current dir.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Anoop C S [Tue, 30 Jan 2024 09:03:07 +0000 (14:33 +0530)]
docs-xml: Build and install man page for wspsearch

Commit 49b6137f7c2244aeb3cf9b65fc9d46fcf0b8dc55 switched the default
to install `wspsearch` client from False to True but missed building
and installing the corresponding man page. Therefore, add wspsearch.1
to the list of man pages to be built and installed by default.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Tue Jan 30 14:38:58 UTC 2024 on atb-devel-224

Andreas Schneider [Mon, 29 Jan 2024 16:46:30 +0000 (17:46 +0100)]
python:gp: Fix logging with gp

This allows enabling INFO level logging with: `samba-gpupdate -d3`

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jan 30 07:18:05 UTC 2024 on atb-devel-224

Jule Anger [Mon, 29 Jan 2024 14:34:26 +0000 (15:34 +0100)]
ldb: change the version to 2.10.0 for Samba 4.21

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Mon Jan 29 15:43:45 UTC 2024 on atb-devel-224

Jule Anger [Mon, 29 Jan 2024 14:32:15 +0000 (15:32 +0100)]
WHATSNEW: Start release notes for Samba 4.21.0pre1.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Mon, 29 Jan 2024 14:29:43 +0000 (15:29 +0100)]
VERSION: Bump version up to 4.21.0pre1...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>