Stefan Metzmacher [Wed, 17 Apr 2024 19:02:03 +0000 (21:02 +0200)]
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
Without a valid loadparm_context we can't connect.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 19:01:08 +0000 (21:01 +0200)]
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
Otherwise we'll crash in a lot of places later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 18:52:30 +0000 (20:52 +0200)]
tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 22 Jan 2024 20:33:05 +0000 (21:33 +0100)]
Fix a few "might be uninitialized" errors
I've seen them with clang
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 27 Feb 2024 14:32:59 +0000 (15:32 +0100)]
smbd: Slightly simplify notifyd_send_delete()
Call messaging_send_iov() instead of messaging_send_iov_from().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 12 Feb 2024 09:26:28 +0000 (10:26 +0100)]
smbd: Simplify smb_set_file_unix_link()
Avoid a call to parent_pathref, use the dirfsp that already exists
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 11 Feb 2024 12:10:01 +0000 (13:10 +0100)]
smbd: Simplify smb_q_posix_symlink()
Use the dirfsp from call_trans2qpathinfo(), avoid a call to parent_pathref()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Feb 2024 13:26:55 +0000 (14:26 +0100)]
smbd: Simplify call_trans2qpathinfo()
These days filename_convert_dirfsp() always returns a full fsp.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:22:17 +0000 (01:22 +0200)]
s3:rpc_client: implement bind time feature negotiation
This is not strictly needed as we don't use any of the
optional features yet.
But it will make it easier to add bind time features we'll
actually use later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224
Stefan Metzmacher [Thu, 18 Apr 2024 23:17:46 +0000 (01:17 +0200)]
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.
It's also not needed to require a single array element.
We already checked above that we have at least one.
The next patch will all bind time feature negotiation
and that means we'll have 2 array elements...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:15:52 +0000 (01:15 +0200)]
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
This prepares adding bind time feature negotiation in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 13:36:51 +0000 (15:36 +0200)]
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224
Stefan Metzmacher [Fri, 8 Mar 2024 13:14:34 +0000 (14:14 +0100)]
python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 11:31:20 +0000 (13:31 +0200)]
lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 11:30:56 +0000 (13:30 +0200)]
lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 23:11:26 +0000 (00:11 +0100)]
s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:22:14 +0000 (16:22 +0100)]
auth/credentials: don't call talloc_free(ccache_name) on callers memory
The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:07:22 +0000 (16:07 +0100)]
auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
A simple krb5_cc_close() doesn't remove it from the global memory list.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 8 Mar 2024 10:39:35 +0000 (11:39 +0100)]
lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime
If the ccache doesn't have a intial TGT the shortest lifetime of
service tickets should be returned.
This is needed in order to work with special ccaches used for
things like S2U4Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Apr 2024 14:00:41 +0000 (16:00 +0200)]
s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Apr 2024 14:35:35 +0000 (16:35 +0200)]
s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Douglas Bagnall [Fri, 19 Apr 2024 21:57:15 +0000 (09:57 +1200)]
ldb:utf8: ldb_ascii_toupper() avoids real toupper()
If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.
It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224
Douglas Bagnall [Thu, 11 Apr 2024 01:46:28 +0000 (13:46 +1200)]
ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.
Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 16 Apr 2024 23:42:30 +0000 (11:42 +1200)]
ldb:pytests: test for Turkic i-dots in ldb_comparison_fold
In tr_TR and some other locales where the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.
In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248) we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 9 Apr 2024 22:54:41 +0000 (10:54 +1200)]
ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
This isn't supposed to be used for sorting, but it is hard to say it
won't be, so we might as well make it sort properly.
Following long-standing behaviour, we try to sort "FALSE" > "TRUE", by
length, then switch to using strncasecmp().
strncasecmp would sort the other way, so we swap the operands. This is
to make e.g. "TRUE\0" sort the same as "TRUE".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 06:08:54 +0000 (18:08 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
If both DNs are invalid, we can say they are equal.
This means invalid or NULL DNs will sort to the end of the array,
before deleted DNs:
[ valid DNs, sorted | invalid/NULL DNs | deleted DNs, sorted ]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:59:50 +0000 (16:59 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison leaks less
dn1 and dn2 can be invalid but still occupying memory.
(ldb_dn_validate(dn2) does contain a NULL check, but a lot more besides).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:53:03 +0000 (16:53 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
This changes the behaviour of the DN syntax .comparison_fn when being
used in a search, if the search key is a deleted DN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:26:03 +0000 (16:26 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
these tend to go to the end of the sorted array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:25:02 +0000 (16:25 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
We were always returning -1 for a deleted object, which works for an
equality test, but not a relative comparison.
This sorts deleted DNs toward the end of the list -- except when both
DNs are deleted. What should happen there is yet to be determined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:17:23 +0000 (16:17 +1200)]
ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:15:39 +0000 (16:15 +1200)]
ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 9 Apr 2024 22:54:31 +0000 (10:54 +1200)]
ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
This function compares blobs that might be SID strings or might be SID
structures. Until now, if they were both (seemingly) strings, they were
compared as strings, otherwise if either was a string it was converted to
a structure blob, then the blobs were compared. This had two big problems:
1. There is variety in the way a SID can be stringified. For example,
"s-1-02-3" means the same SID as "S-1-2-3", but those wouldn't compare
equal.
2. SID comparison was crazily non-transitive. Consider the three values
a = "S-1-2-3-4-5",
b = "S-1-9-1",
c = SID("S-1-11-1"), where c is a struct and the others are string.
then we had,
a < b, because the 5th character '2' < '9'.
a > c, because when converted to a structure, the number of sub-auths
is the first varying byte. a has 3, c has 0.
b < c, because after the sub-auth count comes the id_auth value
(big-endian, which doesn't matter in this case).
That made the function unreliable for sorting, AND for simple equality
tests. Also it leaked.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 04:49:07 +0000 (16:49 +1200)]
s4:dsdb: fix spelling in comment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 04:48:39 +0000 (16:48 +1200)]
ldb: comment for ldb_dn_compare_base
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 10:55:50 +0000 (22:55 +1200)]
s4:rpcsrv:samr: improve a comment in compare_msgRid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 10:54:49 +0000 (22:54 +1200)]
s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
Returning 0 on `(name1 == NULL || name2 == NULL)` made NULL equal to
everything, which confuses a sort (consider {A, B, NULL} where A > B,
but A == NULL == B).
The only caller is dnsserver_enumerate_records() which fails if it
finds a NULL in the sorted list. We make the happen more quickly by
sorting NULLs to the front.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 05:08:03 +0000 (17:08 +1200)]
s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 05:06:57 +0000 (17:06 +1200)]
lib/socket: rearrange iface_comp() to use NUMERIC_CMP
We rearrange rather than just replacing the subtraction, because that
would call ntohl() more than necessary, and I think the flow is a bit
clearer this way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:54:02 +0000 (15:54 +1200)]
gensec: sort_gensec uses NUMERIC_CMP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:47:12 +0000 (15:47 +1200)]
s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
usr->login_time is time_t, which is often bigger than int.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:36:06 +0000 (15:36 +1200)]
dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
uint32_cmp (introduced in
0c362597c0f933b3612bb17328c0a13b73d72e43
"fixed the sorting of schema attributes") was doing what NUMERIC_CMP
does, but it was adding an extra function call. This results in less
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:17:22 +0000 (15:17 +1200)]
s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:12:56 +0000 (15:12 +1200)]
s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
The first subtraction was between uint16_t, so is safe with 32 bit
int, but the second compared uint32_t, so was not safe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:07:20 +0000 (15:07 +1200)]
s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:04:43 +0000 (15:04 +1200)]
ldb:dn: make ldb_dn_compare() self-consistent
We were returning -1 in all these cases:
ldb_dn_compare(dn, NULL);
ldb_dn_compare(NULL, dn);
ldb_dn_compare(NULL, NULL);
which would give strange results in sort, where this is often used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:58:48 +0000 (14:58 +1200)]
ldb:sort: generalise both-NULL check to equality check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:55:27 +0000 (14:55 +1200)]
ldb:sort: check that elements have values
We assume no values is unlikely, since we have been dereferencing
->values[0] forever, with no known reports of trouble.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:54:34 +0000 (14:54 +1200)]
ldb:mod:sort: rearrange NULL checks
There are further changes coming here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 02:16:03 +0000 (14:16 +1200)]
tests/krb5: Test retrieving a denied gMSA password over an unsealed connection
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jo Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Apr 21 23:17:53 UTC 2024 on atb-devel-224
Jo Sutton [Mon, 15 Apr 2024 03:13:45 +0000 (15:13 +1200)]
s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 01:21:10 +0000 (13:21 +1200)]
s4:dsdb:tests: Make use of ‘ldb’ parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 00:19:12 +0000 (12:19 +1200)]
lib:crypto: Add more unit tests for GKDI functions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 14 Apr 2024 23:42:50 +0000 (11:42 +1200)]
s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 04:24:43 +0000 (16:24 +1200)]
s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 05:17:54 +0000 (17:17 +1200)]
s4:kdc: Correctly extract older NT hash
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:01:44 +0000 (16:01 +1200)]
tests/krb5: Note that lockout tests use password checks
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 04:31:51 +0000 (16:31 +1200)]
tests/krb5: Fix malapropism
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 10 Apr 2024 00:01:09 +0000 (12:01 +1200)]
s4:kdc: Remove unnecessary cast
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 23:53:43 +0000 (11:53 +1200)]
pyglue: Remove unnecessary declaration
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 03:07:23 +0000 (15:07 +1200)]
s4:kdc: Fix grammar
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:31:11 +0000 (14:31 +1200)]
auth:credentials: Remove unnecessary declaration
This declaration is a hold‐over from the Python 2 module initialization
pattern.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 8 Apr 2024 05:29:40 +0000 (17:29 +1200)]
auth:credentials: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:33:33 +0000 (12:33 +1300)]
python: Reformat code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 5 Mar 2024 03:18:34 +0000 (16:18 +1300)]
s4-gmsa: Do not attempt password set on remote LDAP connections
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add dsdb_update_gmsa_keys()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 01:27:19 +0000 (13:27 +1200)]
s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
and into its callers.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 08:15:07 +0000 (20:15 +1200)]
s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:36 +0000 (14:03 +1200)]
s4:dsdb: Store found managed password ID as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:05 +0000 (14:03 +1200)]
s4:dsdb: Store account DN as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:00:44 +0000 (14:00 +1200)]
s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate
This should already be the case given the current logic, but let’s make
it explicit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:58:15 +0000 (13:58 +1200)]
s4:dsdb: Add a note that administrators should not set the clock too far in the future
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:49:04 +0000 (13:49 +1200)]
s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()
As dsdb_search_dn() ignores this flag, passing it in doesn’t achieve
anything.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:28:55 +0000 (16:28 +1200)]
s4:dsdb: Explicitly return success error code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 22:13:04 +0000 (10:13 +1200)]
tests/krb5: Add tests that gMSA keys are updated in the database when appropriate
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:59:52 +0000 (12:59 +1200)]
tests/krb5: Import MAX_CLOCK_SKEW more directly
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:58:36 +0000 (12:58 +1200)]
tests/krb5: Extract method to unpack supplementalCredentials blob
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:57:50 +0000 (12:57 +1200)]
tests/krb5: Skip loop iteration if attribute has no values
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 18 Apr 2024 00:47:28 +0000 (12:47 +1200)]
ldb: Check result of py_ldb_msg_keys()
Passing NULL into PyObject_GetIter() can cause a segmentation fault.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Martin Schwenke [Thu, 18 Apr 2024 04:13:11 +0000 (14:13 +1000)]
ctdb-scripts: Do not de-duplicate the interfaces list
Using xargs with sort -u to de-duplicate this list was my idea and
causes a couple of things to go wrong. The use of xargs causes
double-quotes to be lost. The resulting $public_ifaces value also
contains newlines. The newlines could be removed with an additional
xargs at the end of the pipeline... but that would add an extra level
of quote stripping.
I have unsuccessfully tried to find an alternative, but still elegant,
command pipeline that de-duplicates the list, while maintaining
quoting.
So, just drop the de-duplication.
This might make interface_ifindex_exists_with_options() slightly less
efficient. However, that function walks the whole list, only
terminating early when a match is found on both interface and options,
so at least it will be correct.
Include an extra testcase.
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Apr 18 09:08:34 UTC 2024 on atb-devel-224
Andreas Schneider [Mon, 15 Apr 2024 05:32:02 +0000 (07:32 +0200)]
python: Fix NtVer check for site_dn_for_machine()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15633
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 17 19:32:11 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 12 Mar 2024 14:06:33 +0000 (15:06 +0100)]
lib: Remove an obsolete comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 09:01:34 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 13 Feb 2024 12:05:42 +0000 (13:05 +0100)]
smbd: Remove sconn->using_smb2
We have the same information available via conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:28:06 +0000 (12:28 +0100)]
smbd: Add conn_using_smb2()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Tue, 13 Feb 2024 11:56:17 +0000 (12:56 +0100)]
smbd: Change protocol selection to not use "sconn->using_smb2"
To me this is pretty confusing, it seems to overload this struct
element.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Thu, 29 Feb 2024 15:11:16 +0000 (16:11 +0100)]
ctdb: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Wed Apr 17 00:54:55 UTC 2024 on atb-devel-224
Volker Lendecke [Fri, 1 Mar 2024 20:19:51 +0000 (21:19 +0100)]
ctdb: Remove common/line.[ch]
This was an implementation of getline(3), use that instead.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Fri, 1 Mar 2024 20:16:57 +0000 (21:16 +0100)]
ctdb: Use stdio's getline() in ctdb_connection_list_read()
This is the only user of common/line.[ch], which can go next.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:11:11 +0000 (13:11 +0200)]
lib: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:08:06 +0000 (13:08 +0200)]
rpc_server3: Use fdopen_keepfd()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:07:56 +0000 (13:07 +0200)]
lib: Add fdopen_keepfd()
Capture the dup/fdopen pattern
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Volker Lendecke [Wed, 10 Apr 2024 11:02:39 +0000 (13:02 +0200)]
lib: Give lib/util/util_file.c its own header file
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Vinit Agnihotri [Tue, 30 Jan 2024 09:50:20 +0000 (01:50 -0800)]
ctdb-scripts: Add options to generate smb.conf interfaces include file
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 30 Jan 2024 09:25:37 +0000 (01:25 -0800)]
ctdb-scripts: Rename and relocate function get_all_interfaces()
get_all_interfaces() functions gets all names for all public interfaces.
However name is misleading. Thus renamed it to get_public_ifaces() and
moved it under functions.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:03:25 +0000 (03:03 -0800)]
smbd-server: Process ip add/drop events for options:dynamic only
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:32:23 +0000 (02:32 -0800)]
lib-interface: Change API for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:15:11 +0000 (02:15 -0800)]
lib-interface: Add parsing for interface 'options'
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 10:27:04 +0000 (02:27 -0800)]
lib-interface: Add extra parameter 'options' to interface definition
Signed-off-by: Vinit Agnihotri<vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Vinit Agnihotri [Tue, 5 Mar 2024 11:16:49 +0000 (03:16 -0800)]
param: Add additional key 'options' for interfaces
The key 'options' specifies if server should spawn/kill listning sockets
in event of add/dropped ip addresses on specified interface.
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>