Andrew Bartlett [Fri, 22 Mar 2024 03:58:40 +0000 (16:58 +1300)]
s4-dsdb: Create KdfParameters at runtime
While this is by definition less efficient, I prefer not to have the magic
buffer of pre-calculated bytes, we don't create Root Keys very often.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 22 Mar 2024 03:43:38 +0000 (16:43 +1300)]
s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 22 Mar 2024 01:08:22 +0000 (14:08 +1300)]
s4-dsdb: Populate new GKDI root keys from the server configuration object
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 24 Mar 2024 23:44:29 +0000 (12:44 +1300)]
pyldb: Improve search for error string in PyErr_SetLdbError
We allow a fallback to ldb_strerror() even if there was an LDB context,
allowing failing functions to reset a previous error string but not
set a new one.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 25 Mar 2024 21:28:38 +0000 (10:28 +1300)]
dsdb: Add API tests for new_gkdi_root_key()
These show that the new root key should be based on the server
configuration object, not just hardcoded defaults.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 24 Mar 2024 23:36:35 +0000 (12:36 +1300)]
pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 25 Mar 2024 09:33:02 +0000 (22:33 +1300)]
pyldb: Keep talloc_reference() to the DN in PyDict_AsMessage
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 25 Mar 2024 09:30:29 +0000 (22:30 +1300)]
pyldb: Fix documentation comment on Message.from_dict() method
This method does not take keyword arguments.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Anoop C S [Wed, 27 Mar 2024 05:15:08 +0000 (10:45 +0530)]
s4/torture: Fix misplaced positional arguments for u64 comparison
torture_assert_u64_equal_goto() can only print meaningful error message
for incorrect values if and only if the function is invoked with test run
value and expected value respectively as second and third arguments.
Otherwise it displays the reversed message causing confusion in overall
test results.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 27 13:00:29 UTC 2024 on atb-devel-224
Björn Jacke [Wed, 24 Jan 2024 23:46:38 +0000 (00:46 +0100)]
Revert "token_util.c: prefer capabilities over become_root"
This reverts commit 944cb51506a94084d7ab52ee044fe6f66e1aaeb9.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 27 10:47:23 UTC 2024 on atb-devel-224
Björn Jacke [Mon, 25 Mar 2024 16:04:45 +0000 (17:04 +0100)]
Revert "dosmode.c: prefer use of capabilities at two places over become_root"
This reverts commit c1e2fbb1b9a7551becf5caa0f08d434edf9ad862.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:04:23 +0000 (17:04 +0100)]
Revert "nfs4_acls.c: prefer capabilities over become_root"
This reverts commit 06e5c1e32ea7907523cc19f021225e7541e2075f.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:04:17 +0000 (17:04 +0100)]
Revert "vfs_acl_common.c: prefer capabilities over become_root"
This reverts commit 12734848dc9901b932644139aaa7e3f78e55c8dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:57 +0000 (17:03 +0100)]
Revert "vfs_default.c: prefer capabilities over become_root"
This reverts commit 62464bd2db2a95b1253364f4493bbb6770b73193.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:50 +0000 (17:03 +0100)]
Revert "vfs_posix_eadb.c: prefer capabilities over become_root"
This reverts commit 92278418dc885ed411f545e73c800ce93f858090.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:44 +0000 (17:03 +0100)]
Revert "vfs_recycle.c: prefer capabilities over become_root"
This reverts commit 4227b011f6ada97a4cd72a440ed887ffdb3f219e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:35 +0000 (17:03 +0100)]
Revert "open.c: prefer capabilities over become_root"
This reverts commit b250f25fe407f9a6269b804382de4854501f2d86.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:28 +0000 (17:03 +0100)]
Revert "posix_acls.c: prefer capabilities over become_root"
This reverts commit 1edf9ecaf56f3312e199e633bff0804243042e33.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Björn Jacke [Mon, 25 Mar 2024 16:03:14 +0000 (17:03 +0100)]
Revert "dosmode: prefer capabilities over become_root"
This reverts commit 5e925f9755fad180863861157aa7548d83dd3fde.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15583
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
David Mulder [Mon, 11 Mar 2024 13:36:58 +0000 (07:36 -0600)]
winbind: Log NOT_IMPLEMENTED as debug
This message happens frequently when running a
PDC/NT4 mode w/out winbind.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 27 02:15:31 UTC 2024 on atb-devel-224
Noel Power [Mon, 25 Mar 2024 19:44:10 +0000 (19:44 +0000)]
libcli/http: Handle http chunked transfer encoding
Also removes the knownfail for the chunked transfer test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Noel Power [Thu, 23 Sep 2021 11:18:22 +0000 (12:18 +0100)]
tests: add test for chunked encoding with http cli library
Adds http test client to exercise the http client library
and a blackbox test to run the client. This client is built
only with selftest
also adds a knownfail for the test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Noel Power [Fri, 22 Mar 2024 08:55:49 +0000 (08:55 +0000)]
libcli/http: Optimise reading for content-length
Instead of reading byte-by-byte we know the content length we
want to read so let's use it.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Noel Power [Mon, 25 Mar 2024 16:25:55 +0000 (16:25 +0000)]
selftest: Add basic content-length http tests
very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Mon, 25 Mar 2024 19:21:54 +0000 (19:21 +0000)]
Add simple http_client for use in black box tests (in following commits)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 22 Mar 2024 19:27:41 +0000 (08:27 +1300)]
ndr: always attempt ACE coda pull if ACE type suggests a coda
We were skipping the pull in cases where the coda size was calculated
to be zero. This has the right result for empty conditional ACEs, but
not for Resource Attribute ACEs where the
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not initialised.
The situation is made a bit worse, because the function that
calculates the coda size (ndr_subcontext_size_of_ace_coda()) can
return zero in conditions that are not exactly errors, but in which
the would-be calculated value makes so little sense that zero is
thought to be a safer default.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224
Volker Lendecke [Wed, 13 Mar 2024 15:19:48 +0000 (16:19 +0100)]
lib: Remove timeval_set()
We have the same function in tevent, no need to duplicate code. More lines just
due to clang-format.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 22 06:07:42 UTC 2024 on atb-devel-224
Volker Lendecke [Wed, 13 Mar 2024 15:07:00 +0000 (16:07 +0100)]
lib: Remove timeval_until()
We have the same function in tevent, no need to duplicate code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 21 Mar 2024 01:48:34 +0000 (14:48 +1300)]
fuzz:fuzz_ndr_X: don't skip printing on push error
push should not have changed the struct, so it is valid to
try to print it also.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 27 Dec 2023 23:45:41 +0000 (12:45 +1300)]
ldb-samba: matching rules: notify of search failure in transitive filter
It can be very hard to know where transitive checks fail, and this
will help.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15515
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 28 Dec 2023 00:46:48 +0000 (13:46 +1300)]
fuzz:_conditional_ace_blob discards a const
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 20 Mar 2024 04:29:52 +0000 (17:29 +1300)]
fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail
This can legitimately fail, due to e.g. integers being interpreted as
local attributes due to their position (the original data is complete
nonsense, bravely decompiled by sddl_from_conditional_ace).
In the example found the original begins like
00000000 61 72 74 78 02 00 00 00 00 00 00 00 00 03 01 02 |artx............|
00000010 f7 ff ff ff ff ff ff ff 03 01 a1 02 00 3b 00 00 |.............;..|
00000020 00 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 |.........;......|
00000030 03 01 02 a5 ff ff ff ff ff ff ff 03 01 a1 02 78 |...............x|
00000040 00 00 00 00 00 00 00 03 01 85 02 00 3b 00 00 00 |............;...|
00000050 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 03 |........;.......|
00000060 01 02 a5 00 00 00 00 00 00 00 03 01 81 02 00 00 |................|
00000070 00 00 00 00 00 00 03 01 81 02 00 3b 00 00 00 00 |...........;....|
while the SDDL cycled version looks like
00000000 61 72 74 78 f8 04 00 00 00 30 00 30 00 f8 2e 00 |artx.....0.0....|
00000010 00 00 30 00 31 00 37 00 37 00 37 00 37 00 37 00 |..0.1.7.7.7.7.7.|
00000020 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 |7.7.7.7.7.7.7.7.|
00000030 37 00 37 00 37 00 37 00 37 00 37 00 36 00 37 00 |7.7.7.7.7.7.6.7.|
00000040 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 30 00 |......0.3.5.4.0.|
00000050 30 00 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 |0.......0.3.5.4.|
00000060 30 00 30 00 f8 2e 00 00 00 30 00 31 00 37 00 37 |0.0......0.1.7.7|
00000070 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 |.7.7.7.7.7.7.7.7|
and this new interpretation ends up being more than 10000 bytes long,
so the conversion fails.
The SDDL ends up looking like this:
(((((((((((00) || (
01777777777777777777767)) || (035400)) || \
(((((((((((((((((((((((((((((((((((035400) || (
01777777777777777777645)) \
>= 0170) || (035400)) || (((((((((((((((((((((((((((((((035400 != 0245)
[...]
where all the octal digits on the left hand side of operators are
UTF-16 strings.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65322
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 3 Jan 2024 22:06:46 +0000 (11:06 +1300)]
fuzzing: fuzz_ndr_X ndr_print does printing
By printing into a buffer, we might notice some errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 2 May 2023 03:42:24 +0000 (15:42 +1200)]
tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224
Jo Sutton [Mon, 11 Mar 2024 22:08:30 +0000 (11:08 +1300)]
s4:auth: Update error messages
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 11 Mar 2024 22:08:14 +0000 (11:08 +1300)]
auth:credentials: Remove unused include
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 11 Mar 2024 22:07:56 +0000 (11:07 +1300)]
auth:credentials: Remove trailing line
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 8 Mar 2024 03:34:49 +0000 (16:34 +1300)]
tests/krb5: Allow specifying SamDB to use when creating an account
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 00:38:10 +0000 (13:38 +1300)]
python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
This is just too error‐prone.
current_gkid() will still continue to return the next GKID if it’s
within clock skew.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 7 Mar 2024 04:14:24 +0000 (17:14 +1300)]
python: Correct time conversion function name
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:37:11 +0000 (12:37 +1300)]
s4:libnet: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:32:16 +0000 (12:32 +1300)]
python: Type ‘format’ parameter as optional
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 23:31:27 +0000 (12:31 +1300)]
python: Correctly qualify strptime()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 4 Mar 2024 00:38:29 +0000 (13:38 +1300)]
python:tests: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 14 Mar 2024 02:14:55 +0000 (15:14 +1300)]
s4:auth: Allocate strings on shorter‐lived memory context
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 21:12:33 +0000 (10:12 +1300)]
python:tests: Simplify expression
‘not keytab_bytes’ is shorter and equivalent.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 03:24:59 +0000 (16:24 +1300)]
python:tests: Use Managed Service Accounts well‐known GUID
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 12 Mar 2024 03:02:45 +0000 (16:02 +1300)]
s4:auth: Fix grammar in error message
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Tue, 19 Mar 2024 21:00:11 +0000 (22:00 +0100)]
pidl: add "return ENOTSUP" for int return type in s3 template
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 00:45:29 UTC 2024 on atb-devel-224
Günther Deschner [Tue, 19 Mar 2024 17:24:13 +0000 (18:24 +0100)]
pidl: fix trailing double-quote on last line of s3 server stubs
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Günther Deschner [Thu, 14 Mar 2024 14:22:25 +0000 (15:22 +0100)]
s3-librpc: merge two PIDL lists
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 10:29:34 +0000 (23:29 +1300)]
ldb_dn: make LDB_FREE, TALLOC_FREE
This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in
b9fcfc6399eab750880ee0b9806311dd351a8ff6.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 02:47:55 +0000 (15:47 +1300)]
pyldb: ldb_msg_richcmp: avoid one intransitive compare
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 15 Mar 2024 02:03:44 +0000 (15:03 +1300)]
ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
The comparison we make is unconventional, and makes no difference in
normal usage, where we just want to know whether two DNs are the same
or not. But with over 100 callers, it is possible that something
somewhere is attempting a sort.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 03:36:07 +0000 (16:36 +1300)]
pyldb: add a FIXME for a non-transitive compare
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 23:12:26 +0000 (12:12 +1300)]
pyldb_utils: pyldb_Object_AsDn() sets TypeError more often
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 09:29:10 +0000 (22:29 +1300)]
ldb:pyldb.h: include some headers that are used
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 19 Mar 2024 23:18:12 +0000 (12:18 +1300)]
lib/ldb: don't allow repeated connections
In the best case, this would have leaked.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:09:39 +0000 (11:09 +1300)]
ldb:pytests: test duplicate connections fail
(they don't yet).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:07:20 +0000 (11:07 +1300)]
ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 5 Mar 2024 23:57:15 +0000 (23:57 +0000)]
pyldb: py_ldb_init() uses py_ldb_connect() for connecting
To avoid all the same logic, subtly different.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 22:02:23 +0000 (11:02 +1300)]
pyldb: catch errors in ldb_db_get_casefold
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 14 Mar 2024 01:48:23 +0000 (14:48 +1300)]
pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 6 Mar 2024 22:05:55 +0000 (11:05 +1300)]
pytest:segfault: prevent @no_gdb_backtrace smearing on exception
It is OK for one of these tests to raise an exception -- that is often
the only reasonable thing to do when you'd otherwise crash -- but the
@no_gdb_backtrace decorator would not clean up in that case, leading to
no gdb backtraces for all subsequent tests.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Sun, 3 Dec 2023 21:34:57 +0000 (10:34 +1300)]
selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
This helps make use-after-free testing reliable.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Thu, 14 Mar 2024 01:15:47 +0000 (14:15 +1300)]
py:samdb: make SamDB.__str__ show the URL and ID
Getting the right samdb is going to matter more, so it is useful for
debugging to see which is which.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Tue, 12 Mar 2024 23:25:40 +0000 (12:25 +1300)]
selftest/gdb_backtrace: print `info threads` and some signpost headers
Search for '###'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 10:13:56 +0000 (23:13 +1300)]
selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
We call 'thread apply all bt full' in case there are interesting
things going on in other threads, but often there are no other threads
and it only serves to repeat the original trace (and very slowly, for
some reason).
The $_inferior_thread_count convenience variable is new in gdb 13.1
(2022-ish) so we init-if-undefined it to default to the old behaviour.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 7 Mar 2024 09:30:24 +0000 (22:30 +1300)]
selftest/gdb_backtrace: print python traceback if available
If a program happens to have 'PyList_New' defined but is not a python
script, gdb will print
> Undefined command: "py-bt". Try "help".
and probably stop. This happens after the C backtraces have been
printed, so nothing is lost.
The traceback is printed twice -- once in conventional Python style
for clarity, and once with extra "full" information.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 29 Feb 2024 22:22:03 +0000 (11:22 +1300)]
tests: gmsa blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
Rob van der Linde [Wed, 6 Mar 2024 03:52:53 +0000 (16:52 +1300)]
tests: models: test additional Computer constructor cases
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 6 Mar 2024 03:49:21 +0000 (16:49 +1300)]
tests: models: fix username should be account_name
The reason this didn't fail, is because it doesn't save the Computers.
This gets fixed in the next commit.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 03:39:33 +0000 (16:39 +1300)]
tests: user: create gmsa with models
It was fetching the GMSA with the models straight after creating it anyway.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 03:20:52 +0000 (16:20 +1300)]
tests: user: fix PEP8 spacing around operator
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 4 Mar 2024 23:14:06 +0000 (12:14 +1300)]
tests: user: gmsa dNSHostName is a required field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 04:00:24 +0000 (17:00 +1300)]
tests: samdb: Make use of the domain_sid property
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 19 Mar 2024 20:50:49 +0000 (09:50 +1300)]
python: fix json encoder should handle Exception
This happens if --json is used and a CommandError is raised, so will affect other commands too where --json is used.
This happens in the print_json_status method.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 10:07:52 +0000 (23:07 +1300)]
python: models: add Container model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 09:20:39 +0000 (22:20 +1300)]
python: models: add kwargs to __json__ and as_dict methods
Allows passing arguments through
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 13 Mar 2024 07:59:27 +0000 (20:59 +1300)]
python: pep8: fix import sorting after move
Only touch files where samba.domain.models import was moved
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 03:47:58 +0000 (16:47 +1300)]
python: move models out of the netcmd package
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 03:28:07 +0000 (16:28 +1300)]
python: create domain module to move models into
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 12 Mar 2024 00:06:31 +0000 (13:06 +1300)]
netcmd: gmsa: show viewers also works if SID is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:40:12 +0000 (12:40 +1300)]
netcmd: gmsa: add and remove don't fetch trustee if it is a SID
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:38:13 +0000 (12:38 +1300)]
netcmd: gmsa: add_trustee and remove_trustee change argument to sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:33:30 +0000 (12:33 +1300)]
netcmd: gmsa: fix typo if trustee is not found
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 4 Mar 2024 23:04:49 +0000 (12:04 +1300)]
netcmd: gmsa: create should allow custom SDDL
gMSA update already supported it but not create
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 6 Mar 2024 03:47:29 +0000 (16:47 +1300)]
netcmd: models: improve Computer constructor adding "$" handling
In some cases the previous code would end up creating computers where the account name ended on double "$"
Rewrote constructor to handle more cases, for example only an account name is provided, only a name is provided, or both.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:13:09 +0000 (12:13 +1300)]
netcmd: models: allow scope to be overridden in query
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Mon, 11 Mar 2024 23:23:36 +0000 (12:23 +1300)]
netcmd: models: add User.get_sid_for_principal helper
Unlike User.find, this will not fetch the User if an SID is provided.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Tue, 5 Mar 2024 02:30:47 +0000 (15:30 +1300)]
netcmd: models: User.find also tries object_sid
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 03:59:06 +0000 (16:59 +1300)]
python: samdb: Make connecting_user_sid a property
This is following the same design as other similar properties like samdb.domain_sid, only it doesn't need a setter.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 28 Feb 2024 03:57:40 +0000 (16:57 +1300)]
python: samdb: Move get_connecting_user_sid to samdb
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Sun, 17 Mar 2024 10:08:23 +0000 (23:08 +1300)]
libcli/security: check again for NULL values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224
Douglas Bagnall [Sun, 17 Mar 2024 10:07:17 +0000 (23:07 +1300)]
libcli/security: claims_conversions: check for NULL in claims array
If by mistake we end up with a NULL in our array of claims pointers,
it is better to return an error than crash.
There can be NULLs in the array if a resource attribute ACE has a
claim that uses 0 as a relative data pointer. Samba assumes this means
a NULL pointer, rather than a zero offset.
Credit to OSS-Fuzz.
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 14 Mar 2024 03:55:19 +0000 (16:55 +1300)]
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
Previously any errors noticed during the main loop would be ignored.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
Andrew Bartlett [Thu, 7 Mar 2024 01:53:53 +0000 (14:53 +1300)]
samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:48:09 +0000 (17:48 +1300)]
s4-libnet: Prepare for a "rolling update" keytab export
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 6 Mar 2024 04:43:47 +0000 (17:43 +1300)]
s4-auth/kerberos: Do not add true duplicates to exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Fri, 8 Mar 2024 03:23:01 +0000 (16:23 +1300)]
selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>