Stefan Metzmacher [Tue, 23 Jan 2024 13:20:24 +0000 (14:20 +0100)]
s4:ldap_server: add support for tls channel bindings
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Sep 2023 09:55:45 +0000 (11:55 +0200)]
s3:crypto/gse: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 28 Sep 2023 15:09:37 +0000 (17:09 +0200)]
s4:gensec_gssapi: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 11 Feb 2020 15:07:05 +0000 (16:07 +0100)]
auth/ntlmssp: implement channel binding support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 11 Feb 2020 14:26:07 +0000 (15:26 +0100)]
auth/gensec: add gensec_set_channel_bindings() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 5 Apr 2024 14:07:50 +0000 (16:07 +0200)]
wscript_configure_embedded_heimdal: define HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
See https://github.com/heimdal/heimdal/pull/1234 and
https://github.com/krb5/krb5/pull/1329.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 4 Mar 2024 09:30:55 +0000 (10:30 +0100)]
third_party/heimdal: import lorikeet-heimdal-
202404171655 (commit
28a56d818074e049f0361ef74d7017f2a9391847)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15603
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
See also:
https://github.com/heimdal/heimdal/pull/1234
https://github.com/heimdal/heimdal/pull/1238
https://github.com/heimdal/heimdal/pull/1240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 28 Sep 2023 10:34:35 +0000 (12:34 +0200)]
s4:lib/tls: add tstream_tls_channel_bindings()
This is based on GNUTLS_CB_TLS_SERVER_END_POINT
and is the value that is required for channel bindings
in LDAP of active directory domain controllers.
For gnutls versions before 3.7.2 we basically
copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
implementation as it only uses public gnutls functions
and it was easy to re-implement.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 5 Mar 2024 08:55:47 +0000 (09:55 +0100)]
lib/crypto: add legacy_gnutls_server_end_point_cb() if needed
gnutls_session_channel_binding(GNUTLS_CB_TLS_SERVER_END_POINT)
is only available with gnutls 3.7.2, but we still want to
support older gnutls versions and that's easily doable...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:53:15 +0000 (16:53 +0100)]
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:52:56 +0000 (16:52 +0100)]
s4:librpc/rpc: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:50:23 +0000 (16:50 +0100)]
s3:rpc_server/mdssvc: make use of tstream_tls_params_client_lpcfg()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Feb 2024 15:36:27 +0000 (16:36 +0100)]
s4:lib/tls: add tstream_tls_params_client_lpcfg()
This will be able simplify the callers a lot...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 12 Feb 2024 11:02:13 +0000 (12:02 +0100)]
s4:lib/tls: split out tstream_tls_verify_peer() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Mar 2024 22:24:39 +0000 (23:24 +0100)]
s4:lib/tls: include a TLS server name indication in the client handshake
This is not strictly needed, but it might be useful
for load balancers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 16:16:46 +0000 (18:16 +0200)]
s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS
We require gnutls 3.6.13
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 12 Feb 2024 11:35:02 +0000 (12:35 +0100)]
s4:lib/tls: split out tstream_tls_prepare_gnutls()
Review with: git show --patience
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 14:30:09 +0000 (15:30 +0100)]
s4:lib/tls: assert that event contexts are not mixed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 13:42:40 +0000 (14:42 +0100)]
s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed
Before the handshare or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.
Otherwise we'll have a problem if another tevent_context is used
after the handshake.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 13:27:16 +0000 (14:27 +0100)]
s4:lib/tls: remove tstream_tls_push_trigger_write step
At the time of https://bugzilla.samba.org/show_bug.cgi?id=7218,
we tested this versions:
2.4.1 -> broken
2.4.2 -> broken
2.6.0 -> broken
2.8.0 -> broken
2.8.1 -> broken
2.8.2 -> OK
2.8.3 -> OK
2.8.4 -> OK
2.8.5 -> OK
2.8.6 -> OK
2.10.0 -> broken
2.10.1 -> broken
2.10.2 -> OK
These seemed to be the fixes in gnutls upstream.
Change 2.8.1 -> 2.8.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=
28fb34099edaf62e5472cc6e5e2749fed369ea01
Change 2.10.1 -> 2.10.2:
http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=
0d07d8432d57805a8354ebd6c1e7829f3ab159cb
This shouldn't be a problem with recent (>= 3.6) versions of gnutls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:04:57 +0000 (18:04 +0100)]
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl()
There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 17:07:53 +0000 (18:07 +0100)]
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 19:02:03 +0000 (21:02 +0200)]
ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid
Without a valid loadparm_context we can't connect.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 19:01:08 +0000 (21:01 +0200)]
s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx
Otherwise we'll crash in a lot of places later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 17 Apr 2024 18:52:30 +0000 (20:52 +0200)]
tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Mon, 22 Jan 2024 20:33:05 +0000 (21:33 +0100)]
Fix a few "might be uninitialized" errors
I've seen them with clang
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 27 Feb 2024 14:32:59 +0000 (15:32 +0100)]
smbd: Slightly simplify notifyd_send_delete()
Call messaging_send_iov() instead of messaging_send_iov_from().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 12 Feb 2024 09:26:28 +0000 (10:26 +0100)]
smbd: Simplify smb_set_file_unix_link()
Avoid a call to parent_pathref, use the dirfsp that already exists
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sun, 11 Feb 2024 12:10:01 +0000 (13:10 +0100)]
smbd: Simplify smb_q_posix_symlink()
Use the dirfsp from call_trans2qpathinfo(), avoid a call to parent_pathref()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Sat, 10 Feb 2024 13:26:55 +0000 (14:26 +0100)]
smbd: Simplify call_trans2qpathinfo()
These days filename_convert_dirfsp() always returns a full fsp.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:22:17 +0000 (01:22 +0200)]
s3:rpc_client: implement bind time feature negotiation
This is not strictly needed as we don't use any of the
optional features yet.
But it will make it easier to add bind time features we'll
actually use later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 17:29:55 UTC 2024 on atb-devel-224
Stefan Metzmacher [Thu, 18 Apr 2024 23:17:46 +0000 (01:17 +0200)]
s3:rpc_client: require DCERPC_BIND_ACK_RESULT_ACCEPTANCE for the negotiated presentation context
We should fail if we didn't get DCERPC_BIND_ACK_RESULT_ACCEPTANCE.
It's also not needed to require a single array element.
We already checked above that we have at least one.
The next patch will all bind time feature negotiation
and that means we'll have 2 array elements...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 18 Apr 2024 23:15:52 +0000 (01:15 +0200)]
s3:rpc_client: pass struct rpc_pipe_client to check_bind_response()
This prepares adding bind time feature negotiation in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Tue, 13 Oct 2015 13:43:05 +0000 (15:43 +0200)]
dcesrv_reply: we don't need to call dcerpc_set_frag_length() in dcesrv_fault_with_flags()
dcerpc_ncacn_push_auth() already calls dcerpc_set_frag_length().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 13:36:51 +0000 (15:36 +0200)]
s3:libsmb: let cli_tree_connect_creds() only call cli_credentials_get_password() if needed
Only legacy protocols need a password for share level authentication,
so avoid triggering the password prompt for the common case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Apr 23 15:21:38 UTC 2024 on atb-devel-224
Stefan Metzmacher [Fri, 8 Mar 2024 13:14:34 +0000 (14:14 +0100)]
python/samba/getopt: don't prompt for a password for --use-krb5-ccache=...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 11:31:20 +0000 (13:31 +0200)]
lib/cmdline: only call cli_credentials_get_password_and_obtained if needed
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Thu, 14 Apr 2022 11:30:56 +0000 (13:30 +0200)]
lib/cmdline: move cli_credentials_set_cmdline_callbacks to the end of POPT_CALLBACK_REASON_POST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15018
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 6 Mar 2024 23:11:26 +0000 (00:11 +0100)]
s3:auth_generic: fix talloc_unlink() in auth_generic_set_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:22:14 +0000 (16:22 +0100)]
auth/credentials: don't call talloc_free(ccache_name) on callers memory
The internally allocated ccache_name has ccc as parent,
so we don't need to cleanup explicitly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Tue, 27 Feb 2024 15:07:22 +0000 (16:07 +0100)]
auth/credentials: a temporary MEMORY ccache needs krb5_cc_destroy()
A simple krb5_cc_close() doesn't remove it from the global memory list.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Fri, 8 Mar 2024 10:39:35 +0000 (11:39 +0100)]
lib/krb5_wrap: let smb_krb5_cc_get_lifetime() behave more like the heimdal krb5_cc_get_lifetime
If the ccache doesn't have a intial TGT the shortest lifetime of
service tickets should be returned.
This is needed in order to work with special ccaches used for
things like S2U4Self/S4U2Proxy tickets or other things
where the caller only wants to pass a single service ticket.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Apr 2024 14:00:41 +0000 (16:00 +0200)]
s3:libads: don't dump securityIdentifier and msDS-TrustForestTrustInfo as strings
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher [Wed, 3 Apr 2024 14:35:35 +0000 (16:35 +0200)]
s3:notify: don't log user_can_stat_name_under_fsp with level 0 for OBJECT_NAME_NOT_FOUND
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Douglas Bagnall [Fri, 19 Apr 2024 21:57:15 +0000 (09:57 +1200)]
ldb:utf8: ldb_ascii_toupper() avoids real toupper()
If a non-lowercase ASCII character has an uppercase counterpart in
some locale, toupper() will convert it to an int codepoint. Probably
that codepoint is too big to fit in our char return type, so we would
truncate it to 8 bit. So it becomes an arbitrary mapping.
It would also behave strangely with a byte with the top bit set, say
0xE2. If char is unsigned on this system, that is 'â', which
uppercases to 'Â', with the codepoint 0xC2. That seems fine in
isolation, but remember this is ldb_utf8.c, and that byte was not a
codepoint but a piece of a long utf-8 encoding. In the more likely
case where char is signed, toupper() is being passed a negative
number, the result of which is undefined.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224
Douglas Bagnall [Thu, 11 Apr 2024 01:46:28 +0000 (13:46 +1200)]
ldb:attrib_handlers: use ldb_ascii_toupper() in first loop
In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.
Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 16 Apr 2024 23:42:30 +0000 (11:42 +1200)]
ldb:pytests: test for Turkic i-dots in ldb_comparison_fold
In tr_TR and some other locales where the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.
In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248) we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 9 Apr 2024 22:54:41 +0000 (10:54 +1200)]
ldb:attrib_handlers: make ldb_comparison_Boolean more consistent
This isn't supposed to be used for sorting, but it is hard to say it
won't be, so we might as well make it sort properly.
Following long-standing behaviour, we try to sort "FALSE" > "TRUE", by
length, then switch to using strncasecmp().
strncasecmp would sort the other way, so we swap the operands. This is
to make e.g. "TRUE\0" sort the same as "TRUE".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 06:08:54 +0000 (18:08 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs
If both DNs are invalid, we can say they are equal.
This means invalid or NULL DNs will sort to the end of the array,
before deleted DNs:
[ valid DNs, sorted | invalid/NULL DNs | deleted DNs, sorted ]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:59:50 +0000 (16:59 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison leaks less
dn1 and dn2 can be invalid but still occupying memory.
(ldb_dn_validate(dn2) does contain a NULL check, but a lot more besides).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:53:03 +0000 (16:53 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects
This changes the behaviour of the DN syntax .comparison_fn when being
used in a search, if the search key is a deleted DN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:26:03 +0000 (16:26 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs
these tend to go to the end of the sorted array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:25:02 +0000 (16:25 +1200)]
ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects
We were always returning -1 for a deleted object, which works for an
equality test, but not a relative comparison.
This sorts deleted DNs toward the end of the list -- except when both
DNs are deleted. What should happen there is yet to be determined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:17:23 +0000 (16:17 +1200)]
ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 11 Apr 2024 04:15:39 +0000 (16:15 +1200)]
ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 9 Apr 2024 22:54:31 +0000 (10:54 +1200)]
ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate
This function compares blobs that might be SID strings or might be SID
structures. Until now, if they were both (seemingly) strings, they were
compared as strings, otherwise if either was a string it was converted to
a structure blob, then the blobs were compared. This had two big problems:
1. There is variety in the way a SID can be stringified. For example,
"s-1-02-3" means the same SID as "S-1-2-3", but those wouldn't compare
equal.
2. SID comparison was crazily non-transitive. Consider the three values
a = "S-1-2-3-4-5",
b = "S-1-9-1",
c = SID("S-1-11-1"), where c is a struct and the others are string.
then we had,
a < b, because the 5th character '2' < '9'.
a > c, because when converted to a structure, the number of sub-auths
is the first varying byte. a has 3, c has 0.
b < c, because after the sub-auth count comes the id_auth value
(big-endian, which doesn't matter in this case).
That made the function unreliable for sorting, AND for simple equality
tests. Also it leaked.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 04:49:07 +0000 (16:49 +1200)]
s4:dsdb: fix spelling in comment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 10 Apr 2024 04:48:39 +0000 (16:48 +1200)]
ldb: comment for ldb_dn_compare_base
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 10:55:50 +0000 (22:55 +1200)]
s4:rpcsrv:samr: improve a comment in compare_msgRid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 10:54:49 +0000 (22:54 +1200)]
s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs
Returning 0 on `(name1 == NULL || name2 == NULL)` made NULL equal to
everything, which confuses a sort (consider {A, B, NULL} where A > B,
but A == NULL == B).
The only caller is dnsserver_enumerate_records() which fails if it
finds a NULL in the sorted list. We make the happen more quickly by
sorting NULLs to the front.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 05:08:03 +0000 (17:08 +1200)]
s3:libsmb:nmblib: use NUMERIC_CMP in status_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Mon, 8 Apr 2024 05:06:57 +0000 (17:06 +1200)]
lib/socket: rearrange iface_comp() to use NUMERIC_CMP
We rearrange rather than just replacing the subtraction, because that
would call ntohl() more than necessary, and I think the flow is a bit
clearer this way.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:54:02 +0000 (15:54 +1200)]
gensec: sort_gensec uses NUMERIC_CMP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:47:12 +0000 (15:47 +1200)]
s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP
usr->login_time is time_t, which is often bigger than int.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:36:06 +0000 (15:36 +1200)]
dsdb:schema: use NUMERIC_CMP in place of uint32_cmp
uint32_cmp (introduced in
0c362597c0f933b3612bb17328c0a13b73d72e43
"fixed the sorting of schema attributes") was doing what NUMERIC_CMP
does, but it was adding an extra function call. This results in less
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:17:22 +0000 (15:17 +1200)]
s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:12:56 +0000 (15:12 +1200)]
s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare
The first subtraction was between uint16_t, so is safe with 32 bit
int, but the second compared uint32_t, so was not safe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:07:20 +0000 (15:07 +1200)]
s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 03:04:43 +0000 (15:04 +1200)]
ldb:dn: make ldb_dn_compare() self-consistent
We were returning -1 in all these cases:
ldb_dn_compare(dn, NULL);
ldb_dn_compare(NULL, dn);
ldb_dn_compare(NULL, NULL);
which would give strange results in sort, where this is often used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:58:48 +0000 (14:58 +1200)]
ldb:sort: generalise both-NULL check to equality check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:55:27 +0000 (14:55 +1200)]
ldb:sort: check that elements have values
We assume no values is unlikely, since we have been dereferencing
->values[0] forever, with no known reports of trouble.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 7 Apr 2024 02:54:34 +0000 (14:54 +1200)]
ldb:mod:sort: rearrange NULL checks
There are further changes coming here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 02:16:03 +0000 (14:16 +1200)]
tests/krb5: Test retrieving a denied gMSA password over an unsealed connection
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jo Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Apr 21 23:17:53 UTC 2024 on atb-devel-224
Jo Sutton [Mon, 15 Apr 2024 03:13:45 +0000 (15:13 +1200)]
s4:ldap_server: Update gMSA keys when DSDB_CONTROL_GMSA_UPDATE_OID control is specified
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 01:21:10 +0000 (13:21 +1200)]
s4:dsdb:tests: Make use of ‘ldb’ parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 15 Apr 2024 00:19:12 +0000 (12:19 +1200)]
lib:crypto: Add more unit tests for GKDI functions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 14 Apr 2024 23:42:50 +0000 (11:42 +1200)]
s4:dsdb: Make use of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 04:24:43 +0000 (16:24 +1200)]
s4:dsdb: Implement DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS search flag
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 05:17:54 +0000 (17:17 +1200)]
s4:kdc: Correctly extract older NT hash
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:01:44 +0000 (16:01 +1200)]
tests/krb5: Note that lockout tests use password checks
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 04:31:51 +0000 (16:31 +1200)]
tests/krb5: Fix malapropism
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 10 Apr 2024 00:01:09 +0000 (12:01 +1200)]
s4:kdc: Remove unnecessary cast
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 23:53:43 +0000 (11:53 +1200)]
pyglue: Remove unnecessary declaration
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 03:07:23 +0000 (15:07 +1200)]
s4:kdc: Fix grammar
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 9 Apr 2024 02:31:11 +0000 (14:31 +1200)]
auth:credentials: Remove unnecessary declaration
This declaration is a hold‐over from the Python 2 module initialization
pattern.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 8 Apr 2024 05:29:40 +0000 (17:29 +1200)]
auth:credentials: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:33:33 +0000 (12:33 +1300)]
python: Reformat code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 5 Mar 2024 03:18:34 +0000 (16:18 +1300)]
s4-gmsa: Do not attempt password set on remote LDAP connections
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add dsdb_update_gmsa_keys()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 01:27:19 +0000 (13:27 +1200)]
s4:dsdb: Move the responsibility for determining whether an account is a gMSA out of gmsa_recalculate_managed_pwd()
and into its callers.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 11 Apr 2024 08:15:07 +0000 (20:15 +1200)]
s4:dsdb: Indicate to the LDAP server physical passwords that need to be refreshed
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:36 +0000 (14:03 +1200)]
s4:dsdb: Store found managed password ID as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:03:05 +0000 (14:03 +1200)]
s4:dsdb: Store account DN as part of gMSA update structure
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 02:00:44 +0000 (14:00 +1200)]
s4:dsdb: Only reuse the current password ID as the previous password ID when appropriate
This should already be the case given the current logic, but let’s make
it explicit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:58:15 +0000 (13:58 +1200)]
s4:dsdb: Add a note that administrators should not set the clock too far in the future
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 01:49:04 +0000 (13:49 +1200)]
s4:dsdb: No longer pass DSDB_SEARCH_ONE_ONLY flag to dsdb_search_dn()
As dsdb_search_dn() ignores this flag, passing it in doesn’t achieve
anything.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 16 Apr 2024 04:28:55 +0000 (16:28 +1200)]
s4:dsdb: Explicitly return success error code
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Wed, 17 Apr 2024 22:13:04 +0000 (10:13 +1200)]
tests/krb5: Add tests that gMSA keys are updated in the database when appropriate
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:59:52 +0000 (12:59 +1200)]
tests/krb5: Import MAX_CLOCK_SKEW more directly
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 19 Apr 2024 00:58:36 +0000 (12:58 +1200)]
tests/krb5: Extract method to unpack supplementalCredentials blob
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>