lib: Make GUID_to_ndr_buf() return void The whole point of struct GUID_ndr_buf is that this never fails. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY This allows an ACL level check (rather than only an all-or-nothing KDC configuration) that PKINIT freshness was used during the AS-REQ. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
librpc/idl: Add a parser for a FILE: format keytab This will let us examine keytab entries exported for gMSA accounts and ensure they are the values we expect. This will in particular help test our KDC via the "samba-tool domain exportkeytab" as this is a thin wrapper around the relevant code. Additionally, we can use this to test the new client-side keytab generation in "samba-tool domain exportkeytab" for gMSA accounts. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
librpc:idl: Make netlogon_samlogon_response public This is required so that we can use it with ndrdump or in python to decode a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588 Signed-off-by: Andreas Schneider <asn@samba.org> Pair-Programmed-With: Guenther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ndr: ignore trailing bytes in ndr_pull_security_ace() This returns the behaviour with ordinary ACEs to where it was with 4.19. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: avoid object ACE pull overhead for non-object ACE When an ACE is not an object ACE, which is common, setting the switch value and attempting the object ACE GUID pull is just going to do nothing, and we know that ahead of time. By noticing that we can save a bit of time on a common operation. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: do not push ACE->coda.ignored blob From 1e80221b2340de5ef5e2a17f10511bbc2c041163 (2008) until c73034cf7c4392f5d3505319948bc84634c20fa5 (conditional ACEs, etc, 2023) we had a manual ndr_pull_security_ace() that would discard trailing bytes, which are those bytes that we now call the coda. The ACE types that we handled then are those that end up with a coda.ignored data blob. With this we effectively restore the long-standing behaviour in the event that we push and pull an ACE -- though now we discard the ignored bytes on push rather than pull. This change is not because the trailing bytes caused any problems (as far as is known), but because it is much faster to not do the push. It may be that such ACEs no longer occur. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: mark invalid pull ndr_flags as unlikely This might have little effect, but sometimes we see primitives like ndr_pull_uint32() taking a few percent of the CPU time, and this is in all those functions. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: ACE push avoids no-op coda pushes We don't expect an ordinary ACE to have a non-empty coda, and we don't really want to push it if it does, but for this patch we still will. This will not change the data on the wire. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: make security_ace push manual This will allow some optimisations; in this commit we just copy the code. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
ndr: short-circuit ace coda if no bytes left The overwhelmingly common case is that there are no bytes left, and regardless of the ACE type we want to store an empty blob. We know the blob will be empty if there are no bytes, so we don't need to allocate a sub-ndr and tokens list and so forth. This can save almost half the time of a security descriptor pull. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
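To make the coda short-circuit above concrete, here is an added C example (not Samba code) that walks one non-object ACE in the MS-DTYP layout and treats whatever bytes remain inside AceSize after the SID as the coda, skipping the sub-buffer entirely when nothing is left. The byte samples are constructed, and the struct and function names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Trailing bytes after the SID. sub_ndr_used records whether a sub-buffer
 * would have been set up; the short-circuit skips that when nothing is left. */
struct ace_coda { const uint8_t *data; size_t len; bool sub_ndr_used; };

/* Walk one non-object ACE (object ACEs, with their extra flags and GUIDs,
 * are not handled here) and locate its coda. 0 on success, -1 if malformed. */
int pull_ace_coda(const uint8_t *buf, size_t buflen, struct ace_coda *out)
{
    /* Header: AceType(1) AceFlags(1) AceSize(2, LE) then Mask(4, LE). */
    if (buflen < 8) return -1;
    size_t size = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (size < 8 || size > buflen) return -1;
    /* SID: revision(1) sub_auth_count(1) authority(6) sub_auths(4*n). */
    size_t off = 8;
    if (size < off + 8) return -1;
    uint8_t nsub = buf[off + 1];
    if (nsub > 15) return -1;                /* SID_MAX_SUB_AUTHORITIES */
    off += 8 + 4 * (size_t)nsub;
    if (size < off) return -1;
    /* Short-circuit: no bytes left means an empty coda and no sub-buffer. */
    size_t left = size - off;
    if (left == 0) {
        *out = (struct ace_coda){ NULL, 0, false };
        return 0;
    }
    *out = (struct ace_coda){ buf + off, left, true };
    return 0;
}

/* Coda length for a buffer, or -1 if the ACE does not parse. */
long ace_coda_len(const uint8_t *buf, size_t buflen)
{
    struct ace_coda c;
    return pull_ace_coda(buf, buflen, &c) == 0 ? (long)c.len : -1;
}

/* Constructed samples: ACCESS_ALLOWED_ACE, full control, S-1-5-32-544. */
static const uint8_t ace_exact[] = {
    0x00, 0x00, 0x18, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 };
/* Same ACE with three trailing bytes covered by AceSize (27). */
static const uint8_t ace_trailing[] = {
    0x00, 0x00, 0x1B, 0x00, 0xFF, 0x01, 0x1F, 0x00,
    0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00, 0xAA, 0xBB, 0xCC };
```

The first sample takes the fast path (empty coda, no sub-buffer); the second yields a three-byte coda, and an AceSize larger than the supplied buffer is rejected.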
ndr: shift ndr_pull_security_ace to manual code This was manual until commit c73034cf7c4392f5d3505319948bc84634c20fa5 (a few months ago). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574