Joseph Sutton [Thu, 5 Oct 2023 22:03:52 +0000 (11:03 +1300)]
s4:auth: Fix resource leak (CID
1107222)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:31:47 +0000 (15:31 +1300)]
s3:utils: Check return value of cli_RNetServiceEnum() (CID
1273313)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:23:05 +0000 (15:23 +1300)]
s3:utils: Avoid integer overflow (CID
1035488)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:46:34 +0000 (15:46 +1300)]
smb2_server: Check status codes (CID
1474441)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 23:49:32 +0000 (12:49 +1300)]
smb2_server: Remove unreachable code (CID
1444981)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 22:55:46 +0000 (11:55 +1300)]
Revert "smbd: Fix CID
1504457 Resource leak"
We cannot free ‘enc’ — it may be a copy of ‘buffer’, in which parameter
both construct_reply_chain() and smb_request_done() pass arrays of
automatic storage duration!
Fixes CID
1505354.
This reverts commit
a395f752f0748751d4ade533c41066903f26c2dd.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:20:35 +0000 (15:20 +1300)]
s3:smbd: Avoid integer overflow (CID
1035487)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:07:24 +0000 (15:07 +1300)]
s3:rpcclient: Do not pass uninitialized pointer to printf() (CID
1476170)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:38:29 +0000 (15:38 +1300)]
s3:nmbd: Remove redundant code (CID
1414756)
‘buf’ is reassigned a few lines down.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 01:58:34 +0000 (14:58 +1300)]
s3:modules: Initialize mask_permset (CID
1435850)
If this code had ever run, sys_acl_clear_perms() would have attempted to
write to some random address in memory. ‘mask_permset’ must be a valid
non‐NULL pointer.
Commit
9b79d5f2a2f8af75ef13bdc41d2dc296e19ba098 seems to have been a
previous attempt to fix this issue.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 23:54:48 +0000 (12:54 +1300)]
s3:modules: Remove unreachable code (CID
1508998)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 23:20:37 +0000 (12:20 +1300)]
s3:libsmb: Fix array traversal (CID
1034683)
Commit
033185e2a1b2892fe8dc74a18a38e5e13e08cb22 changed the sentinel
value to an empty character array, but failed to update the traversal
code to match.
Commit
48a453996ac161d7c7a7cb15a047e57cbdbb1e87 then tried to fix the
situation, but did not do so correctly.
Fix this code by forgetting about sentinel values altogether.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:25:13 +0000 (15:25 +1300)]
s3:libnet: Remove always‐false comparison (CID 241309)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 22:18:10 +0000 (11:18 +1300)]
Revert "s3:libads: Don’t do first loop iteration if ‘attr’ is NULL"
Fixes CID
1547073: Control flow issues (DEADCODE).
This reverts commit
184a48d65772f359bd81f83256daada8c9e500b3.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 00:59:59 +0000 (13:59 +1300)]
s3:lib: Rearrange preprocessor directives to avoid structurally dead code (CID 242032)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 00:25:16 +0000 (13:25 +1300)]
s3:client: Correctly call setgroups() (CID
1449449)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 23:48:40 +0000 (12:48 +1300)]
smbXcli: Remove unreachable code (CID
1444978)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:27:18 +0000 (15:27 +1300)]
lib:util: Remove always‐false comparison (CID 242193)
‘id’ is an unsigned variable, and so it can never be less than zero.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 00:12:05 +0000 (13:12 +1300)]
util: Remove redundant assertion (CID
1497841)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 00:54:02 +0000 (13:54 +1300)]
tdb: Do not pass non–null‐terminated strings to strcmp() (CID
1449485)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 00:49:43 +0000 (13:49 +1300)]
lib:replace: Properly check result of write() and read() (CID
1034925)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:40:23 +0000 (15:40 +1300)]
lib:printer_driver: Check return value of gp_inifile_enum_section() (CID
1444835)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 02:18:41 +0000 (15:18 +1300)]
lib:compression: Correctly fix sign extension of long matches (CID
1517275)
Commit
6b4d94c9877ec59081b9da946c00fa2647cad928 was a previous attempt
to fix this issue.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 05:20:53 +0000 (18:20 +1300)]
s4:kdc: Always regard device info when checking a server authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 10 Oct 2023 03:19:53 +0000 (16:19 +1300)]
s4:dsdb: Skip allocation of empty device SIDs array
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:41:40 +0000 (15:41 +1300)]
s4:kdc: Use claims to evaluate RBCD conditions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:40:13 +0000 (15:40 +1300)]
s4:kdc: Use device info to evaluate RBCD conditions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:38:29 +0000 (15:38 +1300)]
s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:22:28 +0000 (15:22 +1300)]
s4:kdc: Rename ‘user_info_dc’ to ‘client_info’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:19:47 +0000 (15:19 +1300)]
s4:kdc: Call samba_kdc_get_user_info_dc() to get client information
Among other things, this function can deal with RODC‐issued PACs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:16:24 +0000 (15:16 +1300)]
s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:12:30 +0000 (15:12 +1300)]
s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 02:03:22 +0000 (15:03 +1300)]
s4:kdc: Adapt interface to new Heimdal revision
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 12 Oct 2023 22:14:55 +0000 (11:14 +1300)]
third_party/heimdal: import lorikeet-heimdal-
202310092248 (commit
cd12cddd8058d9fe627b5b203e471b8d761dcfbb)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Mon, 9 Oct 2023 22:59:34 +0000 (11:59 +1300)]
third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-
202310092148 (commit
38aa80e35b6b1e16b081fa9c005c03b1e6994204))
The issue here is that only the size of the pointer, not the size
of the struture was allocated with calloc().
This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.
Additionally, the allocation was not free()ed, resulting in a memory
leak. This means that a user could trigger ongoing memory allocation
in the server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 06:35:10 +0000 (19:35 +1300)]
s4:kdc: Use claims and device info to evaluate server authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 06:37:08 +0000 (19:37 +1300)]
s4:kdc: Make samba_kdc_get_user_info_dc() non‐static
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 06:32:24 +0000 (19:32 +1300)]
s4:kdc: Use ‘claims_data’ functions to create client claims blob
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 06:27:59 +0000 (19:27 +1300)]
s4:kdc: Use device claims to evaluate client authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 06:00:09 +0000 (19:00 +1300)]
s4:kdc: Use claims and device info to evaluate server authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 05:19:36 +0000 (18:19 +1300)]
s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 02:50:19 +0000 (15:50 +1300)]
s4:kdc: Fetch device claims for server restrictions
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 01:19:13 +0000 (14:19 +1300)]
s4:kdc: Do not perform compound authentication for services without Compound Identity support
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 01:08:43 +0000 (14:08 +1300)]
tests/krb5: Correctly test services that do not support Compound Identity
These two tests now pass against Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 02:24:57 +0000 (15:24 +1300)]
s4:kdc: Make samba_kdc_add_compounded_auth() static
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 02:24:06 +0000 (15:24 +1300)]
s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()
It’s only ever equal to SAMBA_COMPOUNDED_AUTH_INCLUDE.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 11 Oct 2023 04:25:48 +0000 (17:25 +1300)]
s4:kdc: Change the type of ‘compounded_auth’ to boolean
View with ‘git show -b’.
This allows us to make the call to authsam_shallow_copy_user_info_dc()
and samba_kdc_add_compounded_auth() only if required.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 02:19:01 +0000 (15:19 +1300)]
s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()
It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 9 Oct 2023 00:41:59 +0000 (13:41 +1300)]
s4:kdc: Introduce helper variable ‘server_restrictions_present’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 03:39:47 +0000 (16:39 +1300)]
s4:kdc: Simplify creation of device claims blob
Let samba_kdc_get_claims_data() and claims_data_encoded_claims_set()
handle the work for us.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 03:35:52 +0000 (16:35 +1300)]
s4:kdc: Note use of parent memory context
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 03:11:57 +0000 (16:11 +1300)]
s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
The latter function accomplishes most of what we were doing ourselves.
No intended change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 03:07:55 +0000 (16:07 +1300)]
s4:kdc: Create the Requester SID blob only if we actually need it
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 02:34:55 +0000 (15:34 +1300)]
s4:kdc: Remove unused function get_claims_blob_for_principal()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 02:34:41 +0000 (15:34 +1300)]
s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions
The chief advantage of these functions is that the claims got from the
database are retained in the ‘samba_kdc_entry’ object, allowing them to
be reused should they be needed later during the same request.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 02:33:42 +0000 (15:33 +1300)]
s4:kdc: Add functions to fetch claims from the DB or from the PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 00:43:54 +0000 (13:43 +1300)]
s4:auth: Explicitly initialize claims structures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 5 Oct 2023 02:11:42 +0000 (15:11 +1300)]
s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
Having the lifetime of the encoded claims be tied in a predictable
fashion to a caller‐controlled memory context is less prone to error.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 4 Oct 2023 22:07:48 +0000 (11:07 +1300)]
s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 23:57:45 +0000 (12:57 +1300)]
s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 4 Oct 2023 04:19:31 +0000 (17:19 +1300)]
s4:kdc: Cache user info and resource groups from PACs
When authentication policies are implemented, we shall need to fetch
SIDs (and claims) from the PACs of users and devices repeatedly — not
just when first looking up a user, but every time a policy needs to be
evaluated.
This will likely be more efficient if we can cache this information,
removing the need to derive it more than once.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 11 Oct 2023 04:07:02 +0000 (17:07 +1300)]
s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()
We have the duplicated shallow copy in each caller so that the caller is
clear on what memory can be changed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Wed, 4 Oct 2023 04:10:35 +0000 (17:10 +1300)]
s4:kdc: Always fetch resource groups
No behaviour change, and if the caller doesn’t need the resource groups
after all, the cost incurred is little more than the allocation of a
couple of dozen bytes of memory.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 4 Oct 2023 03:38:28 +0000 (16:38 +1300)]
s4:kdc: Label ‘resource_groups_out’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 4 Oct 2023 03:31:41 +0000 (16:31 +1300)]
s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()
It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 4 Oct 2023 03:23:12 +0000 (16:23 +1300)]
s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()
As the ‘group_inclusion’ parameter has an effect only if the
‘resource_groups_out’ parameter is non‐NULL, this does not result in a
change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 21:35:14 +0000 (10:35 +1300)]
s4:kdc: Pass resource groups parameter only if we are creating a TGT
No change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 07:08:03 +0000 (20:08 +1300)]
s4:kdc: Make ‘resource_groups_out’ parameter const
The caller shouldn’t need to modify this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 07:06:29 +0000 (20:06 +1300)]
s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 07:04:44 +0000 (20:04 +1300)]
s4:kdc: Simplify memory management with talloc stackframe
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 06:27:20 +0000 (19:27 +1300)]
s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 05:45:17 +0000 (18:45 +1300)]
s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 06:44:41 +0000 (19:44 +1300)]
s4:kdc: Rename variable ‘user_info_dc’ to ‘info’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 06:43:21 +0000 (19:43 +1300)]
s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 05:45:14 +0000 (18:45 +1300)]
s4:kdc: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 05:41:59 +0000 (18:41 +1300)]
s4:kdc: Introduce intermediate variable ‘resource_groups’
No change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 04:01:07 +0000 (17:01 +1300)]
s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 04:00:43 +0000 (17:00 +1300)]
s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 02:35:27 +0000 (15:35 +1300)]
s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 01:53:17 +0000 (14:53 +1300)]
s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 01:58:52 +0000 (14:58 +1300)]
s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 01:58:10 +0000 (14:58 +1300)]
s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 01:33:48 +0000 (14:33 +1300)]
s4:kdc: Make boolean members into bit‐fields
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 00:39:48 +0000 (13:39 +1300)]
s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code
instead of an NT status code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 00:48:11 +0000 (13:48 +1300)]
s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()
We shall need it in order to produce an error string.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 23:33:25 +0000 (12:33 +1300)]
s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 23:32:13 +0000 (12:32 +1300)]
s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 23:28:58 +0000 (12:28 +1300)]
s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 22:58:05 +0000 (11:58 +1300)]
s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
The latter function behaves identically, except that it makes a shallow
copy of the returned structure, thus avoiding lifetime issues.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 2 Oct 2023 22:14:30 +0000 (11:14 +1300)]
s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()
We want to call this function from more places. But some potential
callers, found in db-glue.c, have only a partially‐initialized
‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
callers need to be able to pass in the ldb message as a separate
parameter.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 02:07:55 +0000 (15:07 +1300)]
s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 02:07:18 +0000 (15:07 +1300)]
s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 02:05:08 +0000 (15:05 +1300)]
s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 3 Oct 2023 02:03:23 +0000 (15:03 +1300)]
s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 10 Oct 2023 01:35:07 +0000 (14:35 +1300)]
libcli/security: Initialize conditional ACE token
If the ‘flags’ member is not initialized, we invoke undefined behaviour
when trying to push or evaluate the parsed conditional ACE.
One way this issue can manifest is in the mysterious failure of Unicode
comparisons owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE
flag being set when it shouldn’t.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 30 Jun 2023 21:21:13 +0000 (23:21 +0200)]
libsmb: Use cli_smb2_qpathinfo_send() for SMB_QUERY_FILE_ALT_NAME_INFO
Remove one sync-only wrapper
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Oct 12 17:51:44 UTC 2023 on atb-devel-224
Volker Lendecke [Thu, 14 Sep 2023 11:45:04 +0000 (13:45 +0200)]
examples: Enable posix for teststat
Show that we can properly detect non-regular files created by the
Windows NFS server. Tested manually against Windows 2022.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 23 Aug 2023 14:04:00 +0000 (16:04 +0200)]
libsmbclient: Read the file type from the server with posix enabled
This does not really request posix extensions, but it depends on them
being activated because it changes behaviour.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 16 Aug 2023 07:13:50 +0000 (09:13 +0200)]
libsmbclient: Add smbc_[gs]etOptionPosixExtensions()
This is an obvious part of MR2888, not used anywhere yet. It will
eventually result in us requesting SMB311 posix semantics, but for now
it will just allow to change behaviour of libsmbclient that could
break unsuspecting applications.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 2 Jan 2023 13:28:44 +0000 (14:28 +0100)]
libsmb: Parse reparse tag in query_directory response
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>