Ralph Boehme [Fri, 3 Nov 2023 10:09:47 +0000 (11:09 +0100)]
smbtorture3: also check test file and it's attributes in two POSIX tests
Verifies that the correct DOS attribute, FILE_ATTRIBUTE_ARCHIVE in this case,
are returned over SMB1 with UNIX extensions.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:25:38 +0000 (12:25 +0100)]
smbd: allow setting ARCHIVE bit in POSIX context with "store dos attributes"
Cf https://lists.samba.org/archive/samba-technical/2023-October/138504.html
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 09:11:50 +0000 (10:11 +0100)]
smbtorture3: prepare POSIX tests for differentianting between client flavour in the list callback
No change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:28:28 +0000 (12:28 +0100)]
smbtorture3: remove unused initializers
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 09:05:30 +0000 (10:05 +0100)]
smbd: s/FILE_ATTRIBUTES_INVALID/FILE_ATTRIBUTE_INVALID/g
No idea what got me into having an "S" in the define when I added it.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 05:05:25 +0000 (06:05 +0100)]
smbtorture3: reduce indentation in posix_ls_fn()
Prepares for adding more logic in a later commit.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:24:35 +0000 (12:24 +0100)]
smbd: allow POSIX opens for file_set_dosmode() in rename_internals_fsp()
As this check was previously added to file_set_dosmode() this is not yet a
change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:24:12 +0000 (12:24 +0100)]
smbd: allow POSIX opens for file_set_dosmode() in mkdir_internal()
As this check was previously added to file_set_dosmode() this is not yet a
change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:23:44 +0000 (12:23 +0100)]
smbd: allow POSIX opens for file_set_dosmode() in mark_file_modified()
As this check was previously added to file_set_dosmode() this is not yet a
change in behaviour.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:16:59 +0000 (12:16 +0100)]
smbd: move POSIX check from possibly_set_archive() to file_set_dosmode()
No change in behaviour. Move the check to the more low-level function
file_set_dosmode() to ensure all callers use this consistently.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 11:10:17 +0000 (12:10 +0100)]
smbd: in file_set_dosmode() do an early exit if smb_fname->fsp is NULL
No change in behaviour. Simplifies coming changes.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Tue, 31 Oct 2023 09:06:38 +0000 (10:06 +0100)]
smbd: ignore symlinks in file_set_dosmode()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 30 Oct 2023 18:15:53 +0000 (19:15 +0100)]
smbd: add and use helper function possibly_set_archive()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ralph Boehme [Mon, 30 Oct 2023 18:04:56 +0000 (19:04 +0100)]
smbd: remove call to fdos_mode() when setting DOS attrs
This added in
49a754b82d33fb523cda4151a865584ae52a2e2f to work with stored
itime based File-Ids. Since switching back to purely inode based File-Ids we
can remove this call that primed itime from DOS xattr.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Fri, 3 Nov 2023 01:27:52 +0000 (14:27 +1300)]
third_party/heimdal: Import lorikeet-heimdal-
202311030123 (commit
2346a67fe25cbf16128501665db41f6840546e15)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Nov 3 03:53:08 UTC 2023 on atb-devel-224
Joseph Sutton [Tue, 31 Oct 2023 20:33:10 +0000 (09:33 +1300)]
tests/krb5: Fix comments
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 2 20:13:50 UTC 2023 on atb-devel-224
Joseph Sutton [Thu, 2 Nov 2023 01:32:58 +0000 (14:32 +1300)]
tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Nov 2023 01:32:00 +0000 (14:32 +1300)]
tests/krb5: Don’t reuse SID S-1-2-3-4
We’re already using it in ‘client_sids’ to work around a bug in Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 03:59:21 +0000 (16:59 +1300)]
tests/krb5: Test target authentication policies when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Nov 2023 02:29:32 +0000 (15:29 +1300)]
tests/krb5: Add tests for PACs containing extraneous buffers
Test that the KDC removes these buffers from RODC‐issued PACs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 2 Nov 2023 02:27:24 +0000 (15:27 +1300)]
tests/krb5: Pass a list of PAC modification functions
This is simpler than chaining functions together.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 00:55:14 +0000 (13:55 +1300)]
tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 21:16:57 +0000 (10:16 +1300)]
tests/krb5: Add support to test framework for existing device info or claims buffers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 00:39:28 +0000 (13:39 +1300)]
tests/krb5: Always expect client claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 00:38:24 +0000 (13:38 +1300)]
tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 00:07:54 +0000 (13:07 +1300)]
tests/krb5: No longer pass two‐component form of TGS principal
Samba now handles one‐component TGS principals more correctly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 23:05:50 +0000 (12:05 +1300)]
tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 18:29:57 +0000 (07:29 +1300)]
selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 1 Nov 2023 14:39:12 +0000 (15:39 +0100)]
tests: Convert the regression test for bug15505 to python
The shell version is flapping, but I can't really figure out
why. Maybe this version is not flapping, and it also shows the failure
if you revert
952d6c2cf48.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 1 Nov 2023 14:38:55 +0000 (15:38 +0100)]
tests: Make clean_file() handle directories
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 1 Nov 2023 13:22:09 +0000 (14:22 +0100)]
tests: Allow to specify share names in smb2symlink tests
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 23:14:27 +0000 (12:14 +1300)]
s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID
1499404)
dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(),
which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes
DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses
r2.out.result, which is uninitialized — invoking undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 2 04:04:49 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 30 Oct 2023 23:11:37 +0000 (12:11 +1300)]
s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID
1499407)
dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(),
which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes
DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses
r2.out.result, which is uninitialized — invoking undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 23:21:26 +0000 (12:21 +1300)]
s3:rpc_client: Add missing ‘break’ statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:39:09 +0000 (11:39 +1300)]
s3:rpc_client: Align integer types (CID
1548342)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 23:16:15 +0000 (12:16 +1300)]
s3:utils: Initialize flags (CID
1499396)
If ‘got_bcast’ is false and ‘give_flags’ is true, this variable will be
used uninitialized.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:35:25 +0000 (11:35 +1300)]
s3:utils: Avoid integer overflow (CID
1548343)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:33:39 +0000 (11:33 +1300)]
s3:utils: Align integer type
If ‘count’ is larger than INT_MAX, ‘i’ might overflow in the loop and
lead to undefined behaviour.
See also CID
1548342.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:30:27 +0000 (11:30 +1300)]
s3:utils: Remove condition that cannot be true (CID
1548341)
‘limit’ is an unsigned integer, and thus will never be less than zero.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:20:05 +0000 (11:20 +1300)]
s3:utils: Check return value of samba_cmdline_init() (CID
1548345)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:18:15 +0000 (11:18 +1300)]
s3:utils: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 22:17:55 +0000 (11:17 +1300)]
s3:utils: Remove unused‐but‐set variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 01:02:42 +0000 (14:02 +1300)]
s3:smbd: Remove unreachable code (CID 710840)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 23:41:46 +0000 (12:41 +1300)]
tests/krb5: Test conditional ACE expressions with empty composite literals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 23:57:49 +0000 (12:57 +1300)]
selftest: Sort conditional ACE knownfails
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 1 Aug 2023 00:00:33 +0000 (12:00 +1200)]
libcli/security: Allow empty composites and resource attribute lists
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 22:11:17 +0000 (11:11 +1300)]
libcli/security: Remove reference to conditional ACE recursive composites
These have been unsupported since commit
3b6c1f1a9c47d8d76a7cd946468c1c42e4fb097a.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 1 Nov 2023 22:24:35 +0000 (11:24 +1300)]
third_party/heimdal: Import lorikeet-heimdal-
202311012221 (commit
87159bd32148be80a0d9bfc984db481e4a0f2831)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 23:09:04 +0000 (12:09 +1300)]
pytest:samba-tool domain test policy: test SDDL diagnostics
The existing 'bad SDDL' test has SDDL so bad that the diagnostics
are not exercised.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Nov 1 21:12:33 UTC 2023 on atb-devel-224
Douglas Bagnall [Fri, 27 Oct 2023 03:14:04 +0000 (16:14 +1300)]
pytest: samba_tool domain auth policy fix for SDDL err msg
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 00:16:56 +0000 (13:16 +1300)]
samba-tool: try to present diagnostics for SDDL errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 03:31:40 +0000 (16:31 +1300)]
pytest:sddl: assert SDDLValueError values make sense
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 04:46:35 +0000 (17:46 +1300)]
s4/librpc/py_security: use SDDLValueError for better error messages
The aim is to allow samba-tool to tell users where their SDDL went
wrong.
Some tests would turn into errors (not knownfail-able failures)
if they were not changed at the same time, so they are changed too.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 22:39:17 +0000 (11:39 +1300)]
pytest:sddl: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 00:21:24 +0000 (13:21 +1300)]
pytest:security_descriptors: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 00:20:33 +0000 (13:20 +1300)]
pytest: sid_strings: handle SDDLValueError
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 25 Oct 2023 02:56:30 +0000 (15:56 +1300)]
s4/librpc/py_security: add SDDLValueError
This will soon be raised for SDDL parsing errors.
It would have been nice to have it as a subclass of
ValueError, meaning that all existing callers would
continue to catch this error as before, but it turns
out that that is quite difficult.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 27 Oct 2023 00:19:47 +0000 (13:19 +1300)]
ndr/py_security: mod patch reports errors
We can, so we might as well.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 25 Oct 2023 00:18:34 +0000 (13:18 +1300)]
lib/ldb: pyldb search iterator avoids exception leak
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 25 Oct 2023 00:15:36 +0000 (13:15 +1300)]
lib/ldb: py LDBError avoids leak and checks for alloc failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 31 Oct 2023 21:46:20 +0000 (10:46 +1300)]
libcli/security: conditional ace err messages don't hardcode offset
Usually the conditions are embedded in part of some SDDL, and the
offset from the beginning of the condtions is a bit useless and
confusing. Callers of sddl_decode_err_msg get the offset from the
beginning of the SDDL which is a different and more useful number.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 04:28:44 +0000 (17:28 +1300)]
libcli/security: sddl: guard against inconsistent msg pointers
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 04:25:43 +0000 (17:25 +1300)]
libcli/security: sddl: remove unreachable debug
As it stands, ace_conditions_compile_sddl() won't produce a message when
it succeeds (i.e. return non-NULL), so this debug is just clutter.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 04:20:49 +0000 (17:20 +1300)]
libcli/security: sddl_decode_ace/acl pass through messages
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 26 Oct 2023 03:55:33 +0000 (16:55 +1300)]
libcli/security: add sddl_decode_err_msg()
This will return an error message, if it can, along with an indicative
position.
For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:
D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
^
16: unexpected operator
For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:
D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
^
unknown error
Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.
The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 20 Oct 2023 23:56:24 +0000 (12:56 +1300)]
libcli/security: sddl_conditional_ace: ensure message is talloced
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 20 Oct 2023 23:56:54 +0000 (12:56 +1300)]
libcli/security: sddl: check a talloc_zero
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 20 Oct 2023 23:47:33 +0000 (12:47 +1300)]
libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.
We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 29 Oct 2023 22:08:49 +0000 (11:08 +1300)]
librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits
This gives us thirty‐two new LIBNDR_ flags to play with.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 27 Oct 2023 01:41:17 +0000 (14:41 +1300)]
librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.
Update the NDR 4.0.0 ABI.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 10 Jul 2023 03:47:03 +0000 (15:47 +1200)]
librpc:ndr: Introduce ‘libndr_flags’ type
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.
Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.
Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 29 Oct 2023 22:04:58 +0000 (11:04 +1300)]
s4:torture: Make static variables constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 27 Oct 2023 00:00:42 +0000 (13:00 +1300)]
librpc:ndr: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 11 Jul 2023 00:00:24 +0000 (12:00 +1200)]
dcerpc.idl: Use simple boolean value instead of flag
One advantage of this is that the type of the switch value is no longer
tied to the type of the NDR flags.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 11 Oct 2023 03:31:13 +0000 (16:31 +1300)]
s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data()
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 00:22:05 +0000 (13:22 +1300)]
third_party/heimdal: Import lorikeet-heimdal-
202310310018 (commit
3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID
1544591, CID
1544617)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 03:18:35 +0000 (16:18 +1300)]
s4:auth: Comment about claims in the security token
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 19 Oct 2023 06:45:17 +0000 (19:45 +1300)]
s4:auth: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 03:14:26 +0000 (16:14 +1300)]
s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 03:08:41 +0000 (16:08 +1300)]
tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
These tests crash Windows, but we can assume reasonable behaviour for
Samba.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 01:50:12 +0000 (14:50 +1300)]
s4:kdc: Do not add Claims Valid SID twice
samba_kdc_get_user_info_dc() now adds the SID itself.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 31 Oct 2023 00:49:09 +0000 (13:49 +1300)]
tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 21:52:03 +0000 (10:52 +1300)]
tests/krb5: Don’t pass unnecessary parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:05:17 +0000 (14:05 +1300)]
tests/krb5: Use __slots__ to indicate which attributes are used by classes
These should help to catch mistaken attempts to set invalid attributes.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 02:12:34 +0000 (15:12 +1300)]
s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 02:09:28 +0000 (15:09 +1300)]
s4:auth: Check that the PAC is not NULL before dereferencing it
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 02:03:04 +0000 (15:03 +1300)]
libcli/security: Add sid_attrs_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:52:42 +0000 (14:52 +1300)]
libcli/security: Make use of sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:51:17 +0000 (14:51 +1300)]
libcli/security: Add sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:35:12 +0000 (14:35 +1300)]
libcli/security: Make use of sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:48:23 +0000 (14:48 +1300)]
libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:33:00 +0000 (14:33 +1300)]
s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:32:09 +0000 (14:32 +1300)]
libcli/security: Correct function documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:21:42 +0000 (14:21 +1300)]
libcli/security: Remove unnecessary return statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 01:17:31 +0000 (14:17 +1300)]
s4:dsdb: Align integer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 00:40:37 +0000 (13:40 +1300)]
s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 25 Oct 2023 03:38:57 +0000 (16:38 +1300)]
tests/krb5: Add tests to see how SIDs are conveyed from PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 03:12:36 +0000 (16:12 +1300)]
tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 30 Oct 2023 02:20:59 +0000 (15:20 +1300)]
tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Wed, 25 Oct 2023 07:50:23 +0000 (09:50 +0200)]
smbd: Open file as REPARSE_POINT in unlink_internals()
In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 1 19:56:33 UTC 2023 on atb-devel-224