Joseph Sutton [Wed, 12 Apr 2023 19:47:39 +0000 (07:47 +1200)]
python:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 19 May 2022 04:45:55 +0000 (16:45 +1200)]
auth: Return status code if configuration prohibits NTLM
Currently, we rely on ‘stored_nt’ being NULL to give an
NT_STATUS_WRONG_PASSWORD error.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 02:05:38 +0000 (15:05 +1300)]
s4-dsdb:large_ldap: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 02:04:32 +0000 (15:04 +1300)]
s4-dsdb:large_ldap: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:56:56 +0000 (14:56 +1300)]
pytest/password_lockout: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 16 May 2023 00:21:02 +0000 (12:21 +1200)]
pytest/password_lockout: Use correct variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:56:24 +0000 (14:56 +1300)]
pytest/password_lockout: Use more specific assertion methods
These methods produce better error messages if an assertion fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:55:31 +0000 (14:55 +1300)]
pytest/password_lockout: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 13 Feb 2023 01:53:54 +0000 (14:53 +1300)]
samba-tool domain: Remove unnecessary variable
It is conciser to use ‘r’ to refer to update_forest_info.entries[i].
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Apr 2023 04:39:23 +0000 (16:39 +1200)]
samba-tool domain: Use result of setup_local_server() instead of object field
The code is clearer if we consistently refer to the same variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:46:05 +0000 (07:46 +1300)]
s4:dsdb:tests: Refactor security descriptor test
Use more specific unittest methods.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:43:40 +0000 (07:43 +1300)]
s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:39:05 +0000 (07:39 +1300)]
s4:dsdb:tests: Refactor ACL test
Use more specific unittest methods; remove some unused variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Wed, 3 May 2023 07:39:30 +0000 (10:39 +0300)]
pyglue: use Py_ssize_t in random data generation functions
Prefer 'Py_ssize_t' over 'int' in random data generation functions
to match both Python and (internally used through the library layer)
GnuTLS APIs, and use PyUnicode_FromStringAndSize() where the data
size is known.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed comments to correctly match the
new check for just negative numbers]
Dmitry Antipov [Wed, 3 May 2023 07:32:28 +0000 (10:32 +0300)]
lib:util: prefer size_t for random data generation functions
Prefer 'size_t' over 'int' in generate_random_buffer(),
generate_secret_buffer() and generate_nonce_buffer() to
match an underlying gnutls_rnd() calls.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 11 May 2023 02:25:31 +0000 (14:25 +1200)]
selftest: Change ad_dc environment to be 2016 functional level
This is not yet supported in full, but this makes ad_dc match our full set of available features.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 22:38:20 +0000 (10:38 +1200)]
selftest: Allow provision_ad_dc() to take functional_level as an argument
The $$$$$$$ is removed as it does not do what you think it does.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 21:49:34 +0000 (09:49 +1200)]
selftest: Return fl2008dc to being an alias for ad_dc_ntvfs
The change to make this independent in
fc9845da69cabcc1bf046d7899b2c4aeae743170
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 22:03:30 +0000 (10:03 +1200)]
Use --base-schema=2008_R2 on ad_dc_ntvfs, which opeates at FL2008
This will allow fl008dc to become an alias of ad_dc_ntvfs again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 16 May 2023 05:15:31 +0000 (17:15 +1200)]
selftest: Move linked_attributes test to ad_dc selftest environment
The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 03:54:09 +0000 (15:54 +1200)]
samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Wed, 10 May 2023 03:24:23 +0000 (15:24 +1200)]
samba-tool domain provision: Use "ad dc functional level" to control max functional level
This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Wed, 10 May 2023 03:46:55 +0000 (15:46 +1200)]
python: Add function to get the functional level as a python intger from smb.conf
The lp.get() returns the normalised string from the enum handler
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 04:37:37 +0000 (16:37 +1200)]
param: Add new parameter "ad dc functional level"
This allows the new unsupported functional levels to be unlocked, but with an smb.conf
option that is easily seen.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 04:32:47 +0000 (16:32 +1200)]
samba-tool domain provision: Use common functional_level.string_to_level()
This is instead of manually parsing the functional level strings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Tue, 9 May 2023 03:50:46 +0000 (15:50 +1200)]
python: Move helper functions for functional levels into a new file
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Volker Lendecke [Tue, 18 Apr 2023 10:47:04 +0000 (12:47 +0200)]
rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
Volker Lendecke [Tue, 18 Apr 2023 12:32:20 +0000 (14:32 +0200)]
lib: Add security_token_del_npa_flags() helper function
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:29:34 +0000 (12:29 +0200)]
rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:28:28 +0000 (12:28 +0200)]
rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
More code, but will be more flexible in the future.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:09:45 +0000 (12:09 +0200)]
rpc: Add global_sid_Samba_NPA_Flags SID
This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:04:17 +0000 (12:04 +0200)]
librpc: Simplify dcerpc_is_transport_encrypted()
Simplify logic by using security_token_count_flag_sids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 10:01:02 +0000 (12:01 +0200)]
smbd: Use security_token_count_flag_sids() in open_np_file()
Simpler logic in the caller
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 09:31:16 +0000 (11:31 +0200)]
libcli: Add security_token_count_flag_sids()
To be used in a few places when checking special-case Samba SIDs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Wed, 26 Apr 2023 15:19:29 +0000 (17:19 +0200)]
winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 9 02:58:45 UTC 2023 on atb-devel-224
Volker Lendecke [Thu, 27 Apr 2023 10:25:24 +0000 (12:25 +0200)]
winbind: Test wbinfo -u with more than 1000 users
winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has
NTSTATUS samr_LookupRids(
[in,ref] policy_handle *domain_handle,
[in,range(0,1000)] uint32 num_rids,
[in,size_is(1000),length_is(num_rids)] uint32 rids[],
[out,ref] lsa_Strings *names,
[out,ref] samr_Ids *types
);
limiting num_rids to 1000 entries. Test this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 03:25:31 +0000 (15:25 +1200)]
build:wafsamba: Fix TypeError in read_submodule_status()
parts = l.split(" ")
^^^^^^^^^^^^
TypeError: a bytes-like object is required, not 'str'
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Fri, 28 Apr 2023 13:37:31 +0000 (07:37 -0600)]
gp: get_gpo() should re-raise the Exception, not return
If we return from this failure, then `new_gpo` is
set to `None` and we will fail in some obscure
way within a CSE later (since we append `None` to
the GPO list). Instead, re-raise the Exception so
we see that an error happened when fetching the
GPO.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Tue, 2 May 2023 10:45:01 +0000 (13:45 +0300)]
s4:ntvfs:posix: avoid parsing empty blob in posix_eadb_add_list()
Strictly speaking, this is not a bug because parsing loop will just skip
an empty ({NULL}, 0) blob. But it's better to avoid this case because
UBSan (as of clang-17 at least) may complain on such a parsing attempt:
source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer
#0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56
#1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178
#2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64
#3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
[... a lot of Python calls skipped...]
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Dmitry Antipov [Tue, 2 May 2023 10:43:54 +0000 (13:43 +0300)]
lib:ldb: do not offset against NULL pointer in ldb_ldif_read()
Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:
lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset
137438953440 to null pointer
#0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
#1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
#2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
#3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
#4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
[... a lot of Python calls skipped...]
I.e. number of elements should be checked against zero
before making an attempt to access an element by index.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:58:29 +0000 (12:58 +1300)]
s4/scripting: fix % len(res) was in the wrong place
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 5 05:54:11 UTC 2023 on atb-devel-224
Rob van der Linde [Thu, 23 Feb 2023 23:57:57 +0000 (12:57 +1300)]
s4/dsdb: fix unnecessary backslash
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:54:16 +0000 (12:54 +1300)]
s4/scripting: fix a few trailing semicolons in gen_{hresult,ntstatus,werror}.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:48:23 +0000 (12:48 +1300)]
s4/scripting: fix a few invalid docstring args
One arg "dn" was removed, the others just had a typo.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 23 Feb 2023 23:43:50 +0000 (12:43 +1300)]
dsdb/tests: fix assignment to for loop variable
because the loop variables are all called 'k' and the inner and outer loop both use 'k'.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 1 May 2023 01:04:58 +0000 (13:04 +1200)]
s4:kdc: Don’t call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 5 03:52:30 UTC 2023 on atb-devel-224
Joseph Sutton [Sun, 30 Apr 2023 23:22:02 +0000 (11:22 +1200)]
lib:addns: Don’t call memcpy() with a NULL pointer
Doing so is undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 30 Apr 2023 21:48:15 +0000 (09:48 +1200)]
tests/krb5: Improve _test_samr_change_password() method
Instead of using anonymous credentials, we now connect using the
passed-in credentials.
We now correctly construct nt_password and nt_verifier so as to
successfully change the password, instead of having to distinguish
between a WRONG_PASSWORD error and an error caused by the password
change being disallowed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 30 Apr 2023 21:45:37 +0000 (09:45 +1200)]
tests/krb5: Don’t delete silo until all tests have finished
It’s possible that we reuse the same silo across multiple tests. In that
case, we should not delete it until we are sure we have finished with
it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:25:09 +0000 (16:25 +1200)]
tests/krb5: Add remove_attribute() helper function
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:24:31 +0000 (16:24 +1200)]
tests/krb5: Have set_forced_key() also set the NT hash
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 28 Apr 2023 04:22:32 +0000 (16:22 +1200)]
auth/credentials: Add set_nt_hash()
This method allows setting the NT hash directly. This is useful in cases
where we don’t know the password, such as with a computer or server
account.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 21:41:59 +0000 (09:41 +1200)]
s3:lib: Fix typos
These typos were also spotted by a mailing list user:
https://lists.samba.org/archive/samba-technical/2023-April/138190.html
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:25:23 +0000 (16:25 +1200)]
s4:kdc: Remove unused parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:23:36 +0000 (16:23 +1200)]
tests/krb5: Make _tgs_req() more configurable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:22:38 +0000 (16:22 +1200)]
tests/krb5: Make use of check_tgs_reply()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:20:25 +0000 (16:20 +1200)]
tests/krb5: Allow specifying an encoded security descriptor
If we get a string, we’ll still assume it’s a DN and create a security
descriptor using it.
This is useful in cases where we don’t have a DN (e.g., the account is
not created yet).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:18:32 +0000 (16:18 +1200)]
tests/krb5: Rename ‘objectclass’ to use correct case
This means that tests can now specify values for ‘objectClass’ in
additional_details which override the default value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:16:44 +0000 (16:16 +1200)]
tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’
Make it clear that this relates to authentication, not authorization.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 03:17:18 +0000 (15:17 +1200)]
s4/scripting/bin: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 03:15:03 +0000 (15:15 +1200)]
s4/scripting/bin: Fix resource leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 01:48:53 +0000 (13:48 +1200)]
s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 26 Apr 2023 22:44:12 +0000 (10:44 +1200)]
tests/krb5: Create account cache key only if needed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 26 Apr 2023 22:43:01 +0000 (10:43 +1200)]
tests/krb5: Delete non-resuable accounts as soon as possible
This helps to mitigate Samba’s slow account deletion.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 26 Apr 2023 00:52:06 +0000 (12:52 +1200)]
s4:kdc: Use correct target principal name in log message
‘tmp’ has already been freed by this point.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 24 Apr 2023 00:53:12 +0000 (12:53 +1200)]
docs-xml: Fix typos
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 23 Apr 2023 23:13:38 +0000 (11:13 +1200)]
auth/credentials: Fix NULL dereference
We should not pass a NULL pointer to netlogon_creds_session_encrypt().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 21 Apr 2023 01:25:58 +0000 (13:25 +1200)]
tests/krb5: Refactor _test_samlogon()
Move logic specific to the Network logon into that branch, so it’s
easier to see what’s going on.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 22:44:41 +0000 (10:44 +1200)]
lib:util: Fix undefined bitshift
runtime error: left shift of 65535 by 16 places cannot be represented in type 'int'
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 21:20:38 +0000 (09:20 +1200)]
param: Fix resource leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 21:03:46 +0000 (09:03 +1200)]
python/samba: Fix invalid escape sequence
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 03:44:11 +0000 (15:44 +1200)]
lib/http: Remove unused structure
This is just a typo of ‘struct loadparm_context’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 01:01:55 +0000 (13:01 +1200)]
tests/krb5: Allow setting a servicePrincipalName on a user account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 19 Apr 2023 01:00:53 +0000 (13:00 +1200)]
tests/krb5: Fix parameter default
Now that add_dollar is honoured for all account types, we don’t want to
pass add_dollar=True for user accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 18 Apr 2023 22:50:23 +0000 (10:50 +1200)]
tests/krb5: Remove unused parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 13 Apr 2023 23:53:13 +0000 (11:53 +1200)]
tests/krb5: Test that the salt for a managed service account is computed correctly
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 13 Apr 2023 23:51:31 +0000 (11:51 +1200)]
tests/krb5: Allow creating managed service accounts
These will be useful for testing authentication policies.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:13:55 +0000 (16:13 +1200)]
pydsdb: Add Managed Service Accounts GUID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 27 Apr 2023 04:12:30 +0000 (16:12 +1200)]
libds: Add Managed Service Accounts well-known GUID
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 13 Apr 2023 23:49:41 +0000 (11:49 +1200)]
tests/krb5: Always heed the add_dollar parameter
Not just if the account to be created is a computer. This allows us to
create other types of accounts with a trailing dollar.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 13 Apr 2023 02:13:43 +0000 (14:13 +1200)]
tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 10 Apr 2023 21:46:37 +0000 (09:46 +1200)]
s4:dsdb: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Apr 2023 23:47:17 +0000 (11:47 +1200)]
tests/krb5: Remove unneeded assertions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 4 Apr 2023 23:21:39 +0000 (11:21 +1200)]
tests/krb5: Allow creating an account with an assigned policy or silo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 2 Apr 2023 23:23:10 +0000 (11:23 +1200)]
tests/krb5: Add method to create an authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 24 May 2022 07:55:03 +0000 (19:55 +1200)]
tests/krb5: Generify protected users test methods
We can reuse them to test accounts restricted authentication in some
form or another.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 24 May 2022 07:11:22 +0000 (19:11 +1200)]
tests/krb5: Handle NT hashes being disabled
If NT hashes are disabled, we should not expect the RC4 enctype to be
available for non-computer accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Apr 2023 23:09:31 +0000 (11:09 +1200)]
tests/krb5: Pass client credentials down into kdc_exchange_dict
These are useful inside the test infrastructure.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 24 May 2022 07:36:30 +0000 (19:36 +1200)]
tests/krb5: Remove test for OemChangePasswordUser2()
We don’t implement this anymore (since commit
0f53bfe7230c5e76f7ceb8baf98a9ef38a35356f).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 May 2022 03:24:21 +0000 (15:24 +1200)]
tests/krb5: Split out functions for testing logons and password changes
This allows their use for testing other forms of restricted accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 28 Apr 2022 23:51:18 +0000 (11:51 +1200)]
auth/credentials: Allow resetting bind DN on Credentials object
Passing None into set_bind_dn() now resets it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 1 May 2023 02:30:31 +0000 (14:30 +1200)]
librpc: Always call ndr_push_compression_state_init() for compression
This allows the push routine to cache the chosen compression algorithm in
the struct ndr_compression_state in ndr->cstate and so, in claims, avoid
calling ndr_size_CLAIMS_SET_NDR() three times per compression (more in the
overall push).
As claims is now the primary use of the libndr compression code, this is
a reasonable tradeoff compared to the other callers who have more static
algorithm selections.
By removing the struct ndr_compression_state **state argument from
ndr_push_compression_state_init() we make clear that the ndr->cstate
belongs to this NDR context, and this context alone.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Mon, 1 May 2023 02:13:15 +0000 (14:13 +1200)]
librpc: Fix talloc hierarchy for ndr_compression_state
The complexity of generic_mszip_free() is not needed, nor is a talloc
destructor required if the memory is correctly created in a tree.
Credit to OSS-Fuzz for showing the use-after-free
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57608
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15349
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Stefan Metzmacher [Mon, 17 Apr 2023 09:22:21 +0000 (09:22 +0000)]
python:descriptor: add missing schema 2019 aces in builtin and dns partition
Note 'samba-tool domain functionalprep' won't fix them in the database,
while a fresh provision will add these.
This is needed in order that 'samba-tool dbcheck --reset-well-known-acls'
won't reset them after a modern provision and will fix them on an old
domain.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 5 Apr 2023 22:00:00 +0000 (10:00 +1200)]
s3:utils: Move error-handling code into more suitable spot (CID
1524680)
The loop above would only exit once ‘c’ was equal to −1, and thus this
code could never be reached.
Also set ‘ok’ to false to indicate failure.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 4 01:29:10 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 1 May 2023 03:36:53 +0000 (15:36 +1200)]
s3:utils: Use ‘int’ for popt parameters
Previously we were handing the addresses of bool parameters to popt for
POPT_ARG_NONE parameters. This is not supported, and popt was returning
POPT_ERROR_BADOPERATION for these parameters (not bundled popt, though,
nor on Debian or Ubuntu). Using integers instead ensures that these
addresses are aligned and sized as popt expects.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Joseph Sutton [Mon, 1 May 2023 02:15:26 +0000 (14:15 +1200)]
s3:utils: Use floating-point arithmetic when result is assigned to a double
This avoids any loss of precision from performing an integer division.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
Christof Schmitt [Tue, 2 May 2023 19:17:56 +0000 (12:17 -0700)]
ctdb-recovery: Use correct struct ban_node_state type for state
If this codepath is hit, ctdb aborts with:
ctdb/server/ctdb_recovery_helper.c:2687: Type mismatch: name[struct ban_node_state] expected[struct node_ban_state]")
at ../../lib/talloc/talloc.c:505
Fix this by using the correct type.
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed May 3 08:04:09 UTC 2023 on atb-devel-224
Dmitry Antipov [Thu, 27 Apr 2023 15:37:29 +0000 (18:37 +0300)]
s4:lib:policy: cleanup and handle errors in push_recursive()
Prefer 'char' and 'ssize_t' over 'int' for I/O-related
calls and handle more possible errors in push_recursive().
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Fri Apr 28 14:19:12 UTC 2023 on atb-devel-224
David Mulder [Wed, 19 Apr 2023 20:11:05 +0000 (14:11 -0600)]
gp: Add site-dn fallback when rpc call fails
In testing I noticed that the rpc call for the
site name is failing when joined via SSSD. This
commit adds a fallback to check using the old
style method found in ads_site_dn_for_machine()
(which works, but doesn't obey the Group Policy
spec) if the rpc call fails.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr 28 03:14:25 UTC 2023 on atb-devel-224