Rob van der Linde [Tue, 20 Feb 2024 02:19:12 +0000 (15:19 +1300)]
netcmd: models: move MODELS constant to constants.py to avoid import loop
query.py and models.py otherwise cause an import loop, query.py needs to import MODELS
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 03:04:14 +0000 (16:04 +1300)]
netcmd: models: update docstring of Computer.find method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 03:03:38 +0000 (16:03 +1300)]
netcmd: models: gmsa move find method to Computer model
The find method is the same as the find method from the User model, with the exception of adding "$".
This means it is actually logic that belongs in the parent class of GroupManagedServiceAccount, which is Computer.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 02:49:33 +0000 (15:49 +1300)]
netcmd: models: gmsa GroupManagedServiceAccount inherits from Computer
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 02:47:30 +0000 (15:47 +1300)]
netcmd: models: gmsa move GroupManagedServiceAccount model to gmsa.py
It needs to inherit from the Computer model, the Computer model also inherits from User.
First, moving it to its own file from user.py to gmsa.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 02:22:45 +0000 (15:22 +1300)]
netcmd: models: gmsa trustees update docstring and incorrect return type
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Mon, 19 Feb 2024 03:09:38 +0000 (16:09 +1300)]
netcmd: models: gmsa trustees property only looks at allowed aces
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Mon, 19 Feb 2024 02:23:47 +0000 (15:23 +1300)]
netcmd: models: make GroupManagedServiceAccount.trustees a property
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Mon, 19 Feb 2024 01:49:43 +0000 (14:49 +1300)]
netcmd: models: avoid fetching each user in trustees method
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Thu, 22 Feb 2024 05:12:04 +0000 (18:12 +1300)]
netcmd: models: Remove unused groups_sddl method from User model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Rob van der Linde [Mon, 19 Feb 2024 01:47:57 +0000 (14:47 +1300)]
netcmd: models: add default SDDL to group_msa_membership
LA can be used for the administrator and Windows will expand that on save, making the group_sddl method redundant.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 18 Feb 2024 22:01:30 +0000 (11:01 +1300)]
WHATSNEW: Add information on LDB no longer available standalone
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 1 03:45:21 UTC 2024 on atb-devel-224
Andrew Bartlett [Tue, 13 Feb 2024 22:54:54 +0000 (11:54 +1300)]
build: Allow --with-ldbmodulesdir to override location of LDB modules
This will allow some packagers to set this to a directory that does
not mention Samba, or to put a version string in to avoid loading
old modules.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 02:00:30 +0000 (15:00 +1300)]
ldb: Unconditionally set LDB_PACKAGE_VERSION
This is only parsed once now and there is no confusion with the main build, so we can set it without checking.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 02:26:14 +0000 (15:26 +1300)]
ldb: Remove "private_library" variable with just one user
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 01:06:12 +0000 (14:06 +1300)]
ldb: Rename VERSION to LDB_VERSION to avoid confusion
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 11 Feb 2024 22:16:28 +0000 (11:16 +1300)]
lib/ldb: Remove duplicate aspects of build system
We no longer need aspects of our build that made sense for the standalone
operation of LDB now that ldb is only provided as part of Samba.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 01:05:17 +0000 (14:05 +1300)]
ldb: Remove remaining components of independent ldb build system
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 11 Feb 2024 23:41:02 +0000 (12:41 +1300)]
lib/ldb: Remove references to conf.env.standalone_ldb
This is not a simple replacement as we are merging the standalone build features with
the main Samba build features.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 20:52:44 +0000 (09:52 +1300)]
lib/ldb: bld.CONFIG_SET(USING_SYSTEM_LDB) is now never set
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 09:32:16 +0000 (22:32 +1300)]
lib/ldb: Adapt pkg-config files to being built from the main build.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 09:33:22 +0000 (22:33 +1300)]
lib/ldb: Always build standalone
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 13 Feb 2024 00:52:41 +0000 (13:52 +1300)]
build: Move --with-ldap/--without-ldap from source3 build to top level
This code impacts on LDB, which is now built from the main build
so we need to combine this with the check that was in lib/ldb
or else we get conflicts.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 09:24:38 +0000 (22:24 +1300)]
ldb: Remove the ability for Samba to compile against a system LDB
Samba will either provide the LDB to the system, or use a
private ldb, we will not use any other LDB from the system.
This is essentially equivalent to the patch Debian has used
for Samba 4.17 and later, named "Force-LDB-as-standalone.patch"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 08:21:45 +0000 (21:21 +1300)]
build: Remove duplicated check for -Wl,-no-undefined on OpenBSD
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 07:25:59 +0000 (20:25 +1300)]
build: Call conf.CHECK_XSLTPROC_MANPAGES() directly in wscript
This avoids relying on the indirect call via wscript in lib/{talloc,tdb,ldb}
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 14 Feb 2024 02:38:28 +0000 (15:38 +1300)]
autobuild: Move autobuild to expecting ldb to build as part of Samba
We retain a test to confirm we can build ldb as a public lib in the samba-libs
target.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 09:15:30 +0000 (22:15 +1300)]
ldb: Honour --private-library=!ldb as meaning build as a public library
Likewise, let the SAMBA_LIBRARY code handle being a private library
rather than in the library declaration.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 06:47:11 +0000 (19:47 +1300)]
build: Allow --private-libraries to include a default
This will in the future allow ldb to be declared public in the
build system, and so have all the attributes set for that, but
be actually built as a private Samba library by default.
No change in behaviour currently.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 9 Feb 2024 09:10:10 +0000 (22:10 +1300)]
build: Ensure that a forced-private library has no public headers
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 12 Feb 2024 04:11:53 +0000 (17:11 +1300)]
ldb: Make pyldb-util always a private library
Only Samba has ever used these utility functions, other applications can
still use our ldb python bindings, they just can not provide ldb
C bindings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 04:18:10 +0000 (17:18 +1300)]
selftest: Bring ldb test definitions into one place in selftest/tests.py
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 04:01:54 +0000 (17:01 +1300)]
selftest: Always and only run ldb test-tdb test in Samba selftest
This is the last test left in the independent ldb testsuite,
removing this from there allows the test target to be removed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 02:29:51 +0000 (15:29 +1300)]
selftest: Move LDB cmocka based unit tests to Samba testsuite
This allows skip and knownfail entries to be honoured, as well
as enabling the removal of the standalone LDB build system.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 02:28:50 +0000 (15:28 +1300)]
ldb: Prepare ldb tests for subunit output
These tests now print subunit rather than the default output
as this is what the Samba selftest system needs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Mon, 5 Feb 2024 00:08:02 +0000 (13:08 +1300)]
selftest: Remove duplicate run of ldb.python.crash and ldb.python.repack
These tests are not impacted by the dot-less i issue.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 4 Feb 2024 23:34:42 +0000 (12:34 +1300)]
ldb: Move tests to selftest/tests.py and out of standalone build
Tests that are declared in the tests.py files in the main Samba build
are able to use the common knownfail, flapping and skip systems.
This will also allow the independent ldb build to be removed without
loss of the tests.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Fri, 16 Feb 2024 03:36:06 +0000 (16:36 +1300)]
pytests: samba-tool domain kds root_key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 1 01:27:30 UTC 2024 on atb-devel-224
Douglas Bagnall [Wed, 28 Feb 2024 04:55:54 +0000 (17:55 +1300)]
samba-tool: add `samba-tool domain kds root_key delete`
For deleting root keys.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:55:16 +0000 (17:55 +1300)]
samba-tool: add `samba-tool domain kds root_key create`
For making new root keys.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:54:24 +0000 (17:54 +1300)]
samba-tool: add `samba-tool domain kds root_key view`
This is for looking at one root key. There isn't much to know.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:34:25 +0000 (17:34 +1300)]
samba-tool: add `samba-tool domain kds root_key list`
This lists root keys, in descending chronological order according to the
use_start_time attribute. That's because you usually only care about
the newest one.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 29 Feb 2024 03:29:30 +0000 (16:29 +1300)]
samba-tool: don't error if there are no sub-commands
This is useful when you commit samba-tool tests before you commit the
samba-tool code, and you want the tests to fail rather than error.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 02:28:22 +0000 (15:28 +1300)]
provision: add a default root key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 02:32:41 +0000 (15:32 +1300)]
pytest:dsdb: check that there is a gkdi root key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2024 03:17:37 +0000 (16:17 +1300)]
pytest:gkdi: shift create_root_key into a function
This is so the samba-tool domain kds root_key tests can use it as a
function.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 23 Feb 2024 03:24:11 +0000 (16:24 +1300)]
pytest:samba-tool: add a flag to print more in runcmd
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 16 Feb 2024 02:35:06 +0000 (15:35 +1300)]
samba-tool user delete: use account type constant
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2024 03:16:17 +0000 (16:16 +1300)]
samba-tool domain: add LDB Result to json encoders
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 15 Feb 2024 04:07:34 +0000 (04:07 +0000)]
ldb:pyldb exposes Result type
You perhaps never want to manually create results (as in `x = Result()`)
-- except maybe in tests -- and that would be why we never added it in
the first place (or rather, we never noticed that it was missing).
But we do want to sometimes go `isinstance(x, ldb.Result)`, and that
is how we noticed it was missing now.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:15:44 +0000 (17:15 +1300)]
python:samdb: wrapper for _dsdb_create_gkdi_root_key()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:15:09 +0000 (17:15 +1300)]
s4:pydsdb: python bindings for gkdi_new_root_key()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2024 03:51:42 +0000 (16:51 +1300)]
samba-tool domain kds root_key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 04:29:40 +0000 (17:29 +1300)]
samba-tool domain kds: add root key sub-command
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 22 Feb 2024 03:51:56 +0000 (16:51 +1300)]
samba-tool domain: add kds sub-branch
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 13 Feb 2024 03:09:57 +0000 (16:09 +1300)]
s4:dsdb: Add functions for GKDI root key creation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 18 Feb 2024 21:34:02 +0000 (10:34 +1300)]
lib:crypto: Check for overflow in GKDI rollover interval calculation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Sun, 18 Feb 2024 21:33:41 +0000 (10:33 +1300)]
lib:crypto: Correct GKDI interval start time calculation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 13 Feb 2024 00:04:48 +0000 (13:04 +1300)]
lib:crypto: Add error checking to GKDI key start time calculation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 29 Feb 2024 23:14:58 +0000 (12:14 +1300)]
selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh and samba.tests.domain_backup_offline
Like serverReferenceBL etc, this will point to a DC that created the object, and
as part of the backup and restore, this DC will be deleted. It is just for
tracking the object creation, so this is fine.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Martin Schwenke [Thu, 29 Feb 2024 02:30:04 +0000 (13:30 +1100)]
ctdb-tests: Limit red-black tree test to 5s of random inserts
rb_test_001.sh runs for 60s even though rb_tree.c is almost never
modified. This generally extends test time by an unreasonable amount
of time.
Add an optional timeout (in seconds) argument to rb_test, defaulting
to 60, and pass 5 from rb_test_001.sh. If anyone ever significantly
updates rb_tree.c then they can run rb_test directly with its default
60s timeout... or for as long as they like.
Reported-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 29 13:20:40 UTC 2024 on atb-devel-224
Andrew Bartlett [Thu, 29 Feb 2024 01:57:40 +0000 (14:57 +1300)]
samba-tool user getpassword: Clarify success wording
It may be the case that there was no password, or read access to the
password was not permitted. The structure of the code and the pattern
in LDIF that missing information is simply returned as missing
attributes makes it hard to detect and communicate a clear
error here, particularly as an error may not be wanted if
(say) pwdLastSet is queried on a gMSA that we can not read.
So we just make the string to indicate, as I think it was meant,
that the tool ran to completion.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 29 05:07:45 UTC 2024 on atb-devel-224
Douglas Bagnall [Fri, 23 Feb 2024 03:23:03 +0000 (16:23 +1300)]
python/nt_time: have a go at using 1_000_000 number separators.
I noticed these are available in Python 3.6+, which is what we support,
and they're arguably nicer than using exponentiation.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:52:12 +0000 (16:52 +1300)]
python:nt_time: add a nt_now() function
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:51:41 +0000 (16:51 +1300)]
python:nt_time: add string_from_nt_time
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Feb 2024 01:31:35 +0000 (14:31 +1300)]
py:nt_time: add nt_time_from_string()
This is for samba-tool, which could do with a common understanding of
time strings across various sub-tools.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Feb 2024 01:22:53 +0000 (14:22 +1300)]
pyldb: try to turn ldb_string_to_time() errors into exceptions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Feb 2024 01:20:28 +0000 (14:20 +1300)]
ldb: ldb_string_to_time reports more errors
The underlying function should return -1 and set errno when given invalid
strings, but we were not looking and have decided on 0 for error.
It would be a pain to change this function to return -1. Apart from the
API fuss, it is sometimes used unchecked to set an unsigned number and
an unchecked 0 is better than UINT*_MAX in those contexts.
It is probably not easy to get a -1 from a timegm() -- most
implementations will happily convert overflows for you, so e.g. the
15th month would be March of the next year. But EOVERFLOW is mentioned
in the manpages.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 21 Feb 2024 10:13:51 +0000 (23:13 +1300)]
s4:pydsdb: add not-implemented raising functions to when appropriate
It will be less confusing, I hope.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:30:29 +0000 (16:30 +1300)]
pyldb: catch some talloc failures
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:27:59 +0000 (16:27 +1300)]
pyldb: free some finished requests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 21 Feb 2024 23:57:19 +0000 (12:57 +1300)]
pyldb: free things more often on error
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 21 Feb 2024 22:19:30 +0000 (11:19 +1300)]
pyldb: add a macro to free when raising exceptions
We often forget.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:19:59 +0000 (16:19 +1300)]
pytest:audit_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:19:38 +0000 (16:19 +1300)]
pytest:auth_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Thu, 15 Feb 2024 21:20:24 +0000 (21:20 +0000)]
pylibs: add string_is_guid() helper.
In various places we use regular expressions to check for GUID-ness,
though typically we don't match GUIDs with uppercase hex digits when
we really should.
If we centralise the check, we have more chance of getting it right.
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 29 02:38:07 UTC 2024 on atb-devel-224
Douglas Bagnall [Wed, 28 Feb 2024 03:14:24 +0000 (16:14 +1300)]
samba-tool: with --json, error messages are in JSON
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 28 Feb 2024 03:13:15 +0000 (16:13 +1300)]
samba-tool: instances remember whether --json was requested
All our subcommands are going to learn --json eventually, and they
shouldn't all have to do this individually.
The next commit uses this to automatically format CommandErrors as JSON.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 16 Feb 2024 00:59:25 +0000 (00:59 +0000)]
samba-tool: add self.print_json_status() helper
This is a helper to return JSON for simple messages.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 23 Feb 2024 03:19:02 +0000 (16:19 +1300)]
samba-tool: avoid mutable Command class values
These values are shared across all instances of the class,
which makes no difference in samba-tool itself, because there
is one instance per process. But in tests we can have many
Command classes at once (due to runcmd()), and if any of them
happened to append to takes_args or takes_options rather than
replacing it, well, the effect would be subtle.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Wed, 14 Feb 2024 05:09:30 +0000 (05:09 +0000)]
samba-tool domain level: avoid using assert
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Douglas Bagnall [Fri, 2 Feb 2024 01:23:38 +0000 (14:23 +1300)]
samba-tool domain claim: use secrets module for token
`binascii.hexlify(os.urandom(8)).decode()` was fine, but `os.urandom`
is OS specific and can theoretically block (says the documentation).
We will let Python's secrets module worry about such details.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Thu, 8 Feb 2024 22:44:33 +0000 (11:44 +1300)]
samba-tool user getpassword: Also return the time a GMSA password is valid until
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 28 Feb 2024 04:27:31 +0000 (17:27 +1300)]
samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes
To convert a virtual attribute we must understand that it has
been put into "obj" under the name including the ;format= part
and so we must look it back up with that name when looking to
convert it from (say) NTTIME to a unix time.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Wed, 28 Feb 2024 21:38:38 +0000 (10:38 +1300)]
python/samba/tests: Include more detail on invocation in test of "samba-tool user show"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Fri, 2 Feb 2024 03:10:06 +0000 (16:10 +1300)]
samba-tool user getpassword: Do not show preview of gMSA password
The AD server will send a preview of the next gMSA password, 5mins before
it is expected to be active.
This is useful in a keytab, which needs to be in place before a ticket
could possibly be issued, but is not helpful for authentication, as
the server also accepts passwords for 5mins after the change.
This avoids needing to teach all users of this tool how to fall back to
the previous password for a 5min period every 30 days, by default.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Pavel Filipenský [Mon, 26 Feb 2024 07:31:24 +0000 (08:31 +0100)]
s3:libads: Trace ldap search base/filter/scope
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 26 Feb 2024 22:23:03 +0000 (11:23 +1300)]
s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
Andrew Bartlett [Mon, 26 Feb 2024 22:55:33 +0000 (11:55 +1300)]
python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Mon, 26 Feb 2024 22:09:38 +0000 (11:09 +1300)]
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 27 Feb 2024 01:55:27 +0000 (14:55 +1300)]
third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Tue, 13 Feb 2024 20:37:13 +0000 (09:37 +1300)]
third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 27 02:19:31 UTC 2024 on atb-devel-224
Jo Sutton [Tue, 20 Feb 2024 03:46:07 +0000 (16:46 +1300)]
s4:rpc_server: Make some arrays static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 20 Feb 2024 03:35:43 +0000 (16:35 +1300)]
lib:util: Fix printing hex‐escaped characters
A signed char, passed to snprintf(), will be promoted to an ‘int’, and
then interpreted (according to the format string) as an ‘unsigned int’.
Any negative values passed in will thus be interpreted as large unsigned
values, too large to be represented in the two characters allocated for
them. In practice, they will always be represented as ‘\xFF’.
Cast these characters to ‘unsigned char’, and use the appropriate length
modifier for that type.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Tue, 20 Feb 2024 03:30:15 +0000 (16:30 +1300)]
lib:util: Correctly determine whether a character needs to be escaped
The condition ‘c > 0x1F’ is clearly meant to test whether a character is
a control code or not. While it works for ASCII characters, when ‘char’
is signed it fails for codepoints above 0x7f, which get represented as
negative values. Make this calculation work as it was (presumably)
intended by casting to ‘unsigned char’.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
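The two lib:util commit messages above describe signed-char pitfalls in an escaping routine; the following added example (not Samba's code and not part of the log) reproduces both and shows the corrected form. The function names and the sample string are constructed for illustration, and the naive version takes `signed char` explicitly so the result is the same on platforms where plain `char` is unsigned.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: UTF-8 "cafe" with an accented e, then a newline. */
static const char SAMPLE[] = "caf\xC3\xA9\n";

/*
 * Pitfall version (hypothetical name). Bytes >= 0x80 are negative as
 * signed char, so 'c > 0x1F' is false and they are treated as control
 * codes. The conversion to unsigned int models what the default
 * promotion plus "%X" does: -23 becomes 0xFFFFFFE9, which does not fit
 * the two hex digits reserved for it and is truncated to "\xFF".
 */
static size_t escape_naive(const signed char *in, size_t len,
                           char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0) {
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        signed char c = in[i];

        if (c > 0x1F) {
            if (o + 1 >= outsz) {
                break;
            }
            out[o++] = (char)c;
        } else {
            char tmp[5]; /* room for \xNN and the terminator only */
            int n = snprintf(tmp, sizeof(tmp), "\\x%02X", (unsigned int)c);

            if (n < 0 || o + 4 >= outsz) {
                break;
            }
            memcpy(out + o, tmp, 4);
            o += 4;
        }
    }
    out[o] = '\0';
    return o;
}

/* Corrected formatting: cast to unsigned char and use the hh modifier. */
static int hex_escape_byte(char c, char tmp[5])
{
    return snprintf(tmp, 5, "\\x%02hhX", (unsigned char)c);
}

/* Corrected version: the comparison is done on the unsigned value. */
static size_t escape_fixed(const char *in, size_t len,
                           char *out, size_t outsz)
{
    size_t o = 0;

    if (outsz == 0) {
        return 0;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];

        if (c > 0x1F) {
            if (o + 1 >= outsz) {
                break;
            }
            out[o++] = in[i];
        } else {
            char tmp[5];

            if (hex_escape_byte(in[i], tmp) != 4 || o + 4 >= outsz) {
                break;
            }
            memcpy(out + o, tmp, 4);
            o += 4;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char naive[64];
    char fixed[64];

    escape_naive((const signed char *)SAMPLE, sizeof(SAMPLE) - 1,
                 naive, sizeof(naive));
    escape_fixed(SAMPLE, sizeof(SAMPLE) - 1, fixed, sizeof(fixed));
    printf("naive: %s\nfixed: %s\n", naive, fixed);
    return 0;
}
```

In the naive output both bytes of the accented character collapse to the same `\xFF`, so the original data cannot be recovered from a log line; the corrected version passes them through and escapes only the newline.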
Jo Sutton [Tue, 20 Feb 2024 01:43:33 +0000 (14:43 +1300)]
s4:rpc_server: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Mon, 19 Feb 2024 23:27:36 +0000 (12:27 +1300)]
python: Fail the test if we don’t receive an NTSTATUSError
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Thu, 15 Feb 2024 00:45:10 +0000 (13:45 +1300)]
tests/krb5: Move assertLocalSamDB() into RawKerberosTest
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jo Sutton [Fri, 8 Dec 2023 01:05:45 +0000 (14:05 +1300)]
tests/krb5: type hinting
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 21 Feb 2024 01:29:44 +0000 (14:29 +1300)]
python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>