mdw/samba.git
4 weeks ago    lib/ldb: 2.11.0 signatures    [ldb_schema]
Matthias Dieter Wallnöfer [Sun, 4 Jul 2021 18:38:00 +0000 (20:38 +0200)]
lib/ldb: 2.11.0 signatures

4 weeks ago    s4:sam.py - "servicePrincipalName" - test for case-insensitiveness
Matthias Dieter Wallnöfer [Thu, 24 May 2012 20:27:46 +0000 (22:27 +0200)]
s4:sam.py - "servicePrincipalName" - test for case-insensitiveness

After the LDB TDB changes regarding the use of schema comparison
functions rather than bitwise checks this finally works as it should.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8929

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 weeks ago    ldb: switch ldb_kv + ldb_sqlite3 to schema-based attribute comparison
Matthias Dieter Wallnöfer [Thu, 28 Dec 2017 15:19:33 +0000 (16:19 +0100)]
ldb: switch ldb_kv + ldb_sqlite3 to schema-based attribute comparison

Based on an earlier patch by Andrew Bartlett <abartlet@samba.org>

This is necessary to perform correct schema enforcement, because we
must enforce uniqueness based on the schema matching rules.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7485
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8929

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
4 weeks ago    ldb:tests/ldb_msg.c - fix attribute schema parameters on ldb_msg_find_duplicate_val...
Matthias Dieter Wallnöfer [Thu, 28 Dec 2017 15:08:06 +0000 (16:08 +0100)]
ldb:tests/ldb_msg.c - fix attribute schema parameters on ldb_msg_find_duplicate_val() + ldb_msg_find_common_values()

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
4 weeks ago    ldb:ldb_msg.c - fix the LDB value qsorts to use the schema-based comparison calls
Matthias Dieter Wallnöfer [Fri, 6 Sep 2019 18:49:27 +0000 (20:49 +0200)]
ldb:ldb_msg.c - fix the LDB value qsorts to use the schema-based comparison calls

Convert all TYPESAFE_QSORT calls into LDB_TYPESAFE_QSORT ones. This allows
us to pass an additional opaque parameter consisting of a user-defined
structure formed by the LDB context and the attribute syntax pointers.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
4 weeks ago    ldb:ldb_msg.c - introduce schema on ldb_msg_find_duplicate_val() + ldb_msg_find_commo...
Matthias Dieter Wallnöfer [Tue, 26 Dec 2017 10:53:26 +0000 (11:53 +0100)]
ldb:ldb_msg.c - introduce schema on ldb_msg_find_duplicate_val() + ldb_msg_find_common_values()

The two functions ldb_msg_find_duplicate_val() and ldb_msg_find_common_values() are called
by the LDB backends to perform the duplicate value checks. The simplest possibility is to
do a memcmp() by assuming case-sensitive values.

Unfortunately this is not always the case, for instance DN attributes may be written in
different ways. This commit adds the schema parameter to the two calls, which gets passed
in the following commits.

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
4 weeks ago    ldb: add schema based ldb_val comparison and ldb_msg_element search routines
Andrew Bartlett [Fri, 11 May 2012 07:52:18 +0000 (09:52 +0200)]
ldb: add schema based ldb_val comparison and ldb_msg_element search routines

Based on an earlier patch by Matthias Dieter Wallnöfer <mdw@samba.org>

This is necessary to perform correct schema enforcement, because we
must enforce uniqueness based on the schema matching rules.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=7485
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8929

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
4 weeks ago    ldb:ldb_attributes.c - handle special attributes (@...) always in the default syntax
Matthias Dieter Wallnöfer [Tue, 4 Sep 2012 20:25:04 +0000 (22:25 +0200)]
ldb:ldb_attributes.c - handle special attributes (@...) always in the default syntax

This is a requirement for correct schema syntax comparison.

"lib/ldb/tests/test-tdb-features.sh" demonstrates this when adding index
entries and the default syntax is set to INTEGER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8929

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
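The problem the ldb commits above describe (ldb_msg_find_duplicate_val() and ldb_msg_find_common_values() comparing raw bytes with memcmp() although servicePrincipalName is case-insensitive and a DN can be written in several ways, while special @-attributes must always use the default syntax) can be shown in a few lines of Python. This is an added illustration, not ldb's code or API: the attribute-to-syntax table, the three normalisers, the `@`-prefix rule's placement and the function names are assumptions made for the demonstration.

```python
"""Added illustration, not ldb code: duplicate detection that consults a
per-attribute matching rule instead of comparing raw bytes."""
import re
from typing import Callable, Dict, List, Optional

Normaliser = Callable[[bytes], bytes]


def octet_string(v: bytes) -> bytes:
    """memcmp()-style matching: the raw bytes are the canonical form."""
    return v


def case_ignore(v: bytes) -> bytes:
    """caseIgnoreMatch approximation: fold ASCII case, drop outer whitespace."""
    return v.strip().lower()


def distinguished_name(v: bytes) -> bytes:
    """Canonicalise a DN: split RDNs on unescaped commas, strip spaces around
    '=' and ',', lower-case attribute types and (for this demo) values, so that
    'CN=Foo, DC=Example,DC=com' and 'cn=foo,dc=example,dc=com' compare equal."""
    parts = []
    for rdn in re.split(rb'(?<!\\),', v):
        attr, _, val = rdn.partition(b'=')
        parts.append(attr.strip().lower() + b'=' + val.strip().lower())
    return b','.join(parts)


# Assumed, illustrative schema (keys are lower-cased attribute names, since
# LDAP attribute names are themselves case-insensitive).
SCHEMA: Dict[bytes, Normaliser] = {
    b'serviceprincipalname': case_ignore,
    b'member': distinguished_name,
}
DEFAULT_SYNTAX: Normaliser = octet_string


def syntax_for(attr: bytes) -> Normaliser:
    """Special ldb attributes (@INDEXLIST, @ATTRIBUTES, ...) always get the
    default syntax, whatever the schema says; everything else is looked up."""
    if attr.startswith(b'@'):
        return DEFAULT_SYNTAX
    return SCHEMA.get(attr.lower(), DEFAULT_SYNTAX)


def find_duplicate_val(attr: bytes, values: List[bytes],
                       use_schema: bool = True) -> Optional[int]:
    """Index of the first value that repeats an earlier one, else None.
    use_schema=False reproduces the old memcmp()-only behaviour."""
    norm = syntax_for(attr) if use_schema else octet_string
    seen = set()
    for i, v in enumerate(values):
        key = norm(v)
        if key in seen:
            return i
        seen.add(key)
    return None


def find_common_values(attr: bytes, existing: List[bytes],
                       incoming: List[bytes]) -> List[int]:
    """Indexes of incoming values already present in existing (the check a
    backend needs before adding values to an element)."""
    norm = syntax_for(attr)
    have = {norm(v) for v in existing}
    return [i for i, v in enumerate(incoming) if norm(v) in have]


if __name__ == '__main__':
    # Constructed sample values: the same SPN in two spellings.
    spns = [b'HOST/dc1.example.com', b'host/DC1.EXAMPLE.COM']
    print('memcmp() sees duplicate at:',
          find_duplicate_val(b'servicePrincipalName', spns, use_schema=False))
    print('schema sees duplicate at:',
          find_duplicate_val(b'servicePrincipalName', spns))
```

With the byte comparison the two SPN spellings pass as distinct and both get stored, which is exactly the uniqueness violation the schema-based comparison exists to prevent; with the DN normaliser the same holds for `member` values that differ only in case and spacing.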
4 weeks ago    ldb:ldb_attributes.c - make "ldb_attribute_by_name()" work with a NULL LDB context
Matthias Dieter Wallnöfer [Wed, 7 Aug 2019 14:41:04 +0000 (16:41 +0200)]
ldb:ldb_attributes.c - make "ldb_attribute_by_name()" work with a NULL LDB context

This change is required by the LDB message tests (tests/ldb_msg.c).

Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
4 weeks ago    lib/ldb:paged_results module - align counters to unsigned
Matthias Dieter Wallnöfer [Fri, 21 Jun 2024 09:28:43 +0000 (11:28 +0200)]
lib/ldb:paged_results module - align counters to unsigned

5 weeks ago    auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
Stefan Metzmacher [Tue, 18 Jun 2024 18:28:25 +0000 (20:28 +0200)]
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

5 weeks ago    auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
Stefan Metzmacher [Tue, 18 Jun 2024 17:02:05 +0000 (19:02 +0200)]
auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 weeks ago    auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
Stefan Metzmacher [Tue, 18 Jun 2024 16:53:48 +0000 (18:53 +0200)]
auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 weeks ago    testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use...
Stefan Metzmacher [Tue, 18 Jun 2024 17:34:30 +0000 (19:34 +0200)]
testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos

This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 weeks ago    testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos
Stefan Metzmacher [Tue, 18 Jun 2024 17:11:09 +0000 (19:11 +0200)]
testprogs/blackbox: let test_trust_token.sh check for S-1-18-1 with kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
5 weeks ago    vfs_recycle: remember resolved config->repository in vfs_recycle_connect()
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: remember resolved config->repository in vfs_recycle_connect()

This should not change during the lifetime of the tcon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_i...
Stefan Metzmacher [Tue, 18 Jun 2024 12:18:17 +0000 (14:18 +0200)]
Revert "TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()"

This was only added to demonstrate the problem more reliably.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_recycle: fix memory hierarchy
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: fix memory hierarchy

If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: use the correct return in SMB_VFS_HANDLE_GET_DATA()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: use a talloc_stackframe() in recycle_unlink_internal()

That makes the cleanup more clear...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_recycle: directly allocate smb_fname_final->base_name
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: directly allocate smb_fname_final->base_name

We can use talloc_asprintf() instead of asprintf() followed
by talloc_strdup().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_recycle: don't unlink on allocation failure
Stefan Metzmacher [Fri, 14 Jun 2024 08:07:02 +0000 (10:07 +0200)]
vfs_recycle: don't unlink on allocation failure

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()
Stefan Metzmacher [Fri, 14 Jun 2024 11:40:35 +0000 (13:40 +0200)]
TMP-REPRODUCE: vfs_recycle: demonstrate memory corruption in recycle_unlink_internal()

Forcing a reload of the smb.conf option values means the pointers learned
in vfs_recycle_connect() become stale.

This will be reverted at the end of the patchset again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    test_recycle.sh: make sure we don't see panics on the log files
Stefan Metzmacher [Fri, 14 Jun 2024 11:40:35 +0000 (13:40 +0200)]
test_recycle.sh: make sure we don't see panics on the log files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
5 weeks ago    vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send
Stefan Metzmacher [Mon, 17 Jun 2024 08:41:53 +0000 (10:41 +0200)]
vfs_default: also call vfs_offload_token_ctx_init in vfswrap_offload_write_send

If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224

5 weeks ago    s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
Stefan Metzmacher [Mon, 17 Jun 2024 09:18:07 +0000 (11:18 +0200)]
s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
6 weeks ago    ctdb/docs: Include ceph rados namespace support in man page
Günther Deschner [Fri, 7 Jun 2024 09:10:07 +0000 (14:40 +0530)]
ctdb/docs: Include ceph rados namespace support in man page

Document the new optional argument to specify the namespace to be
associated with RADOS objects in a pool.

Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Fri Jun 14 07:42:25 UTC 2024 on atb-devel-224

6 weeks ago    ctdb/ceph: Add optional namespace support for mutex helper
Günther Deschner [Fri, 7 Jun 2024 09:09:37 +0000 (14:39 +0530)]
ctdb/ceph: Add optional namespace support for mutex helper

RADOS objects within a pool can be associated to a namespace for
logical separation. librados already provides an API to configure
such a namespace with respect to a context. Make use of it as an
optional argument to the helper binary.

Pair-Programmed-With: Anoop C S <anoopcs@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
6 weeks ago    gitlab-ci: Update image to Fedora 40
Andreas Schneider [Tue, 30 Apr 2024 09:30:48 +0000 (11:30 +0200)]
gitlab-ci: Update image to Fedora 40

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 13 13:29:48 UTC 2024 on atb-devel-224

6 weeks ago    gitlab-ci: Add CentOS 9 Stream
Andreas Schneider [Fri, 7 Jun 2024 12:16:28 +0000 (14:16 +0200)]
gitlab-ci: Add CentOS 9 Stream

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    gitlab-ci: Remove CentOS7 which is EOL
Andreas Schneider [Fri, 7 Jun 2024 12:09:43 +0000 (14:09 +0200)]
gitlab-ci: Remove CentOS7 which is EOL

See
https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    selftest: Set NSS_WRAPPER_HOSTS for smbclient
Andreas Schneider [Thu, 6 Jun 2024 09:51:53 +0000 (11:51 +0200)]
selftest: Set NSS_WRAPPER_HOSTS for smbclient

This is calling getaddrinfo()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    selftest: Create the cmd outside of the loop
Andreas Schneider [Thu, 6 Jun 2024 09:51:24 +0000 (11:51 +0200)]
selftest: Create the cmd outside of the loop

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    s4:torture: Add missing NULL checks in spoolss.c
Andreas Schneider [Tue, 30 Apr 2024 15:31:00 +0000 (17:31 +0200)]
s4:torture: Add missing NULL checks in spoolss.c

source4/torture/rpc/spoolss.c: In function
  ‘check_printer_driver_file.isra’:
source4/torture/rpc/spoolss.c:10850:58: error: ‘%s’ directive argument
  is null [-Werror=format-overflow=]
10850 |         const char *remote_name = talloc_asprintf(tctx, "%s\\%d\\%s",
      |                                                          ^~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    lib:util: Fix size of tmp array
Andreas Schneider [Tue, 30 Apr 2024 11:01:20 +0000 (13:01 +0200)]
lib:util: Fix size of tmp array

lib/util/util.c: In function ‘dump_data_block16’:
lib/util/util.c:503:40: error: ‘%04zX’ directive output may be truncated
writing between 4 and 16 bytes into a region of size 15
[-Werror=format-truncation=]
  503 |         snprintf(tmp, sizeof(tmp), "%s[%04zX]", prefix, idx);
      |                                        ^~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    lib:util: Remove trailing spaces in util.c
Andreas Schneider [Tue, 30 Apr 2024 10:54:48 +0000 (12:54 +0200)]
lib:util: Remove trailing spaces in util.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    third_party: Update socket_wrapper to version 1.4.3
Andreas Schneider [Thu, 13 Jun 2024 05:47:26 +0000 (07:47 +0200)]
third_party: Update socket_wrapper to version 1.4.3

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 13 08:41:39 UTC 2024 on atb-devel-224

6 weeks ago    third_party: Update uid_wrapper to version 1.3.1
Andreas Schneider [Thu, 13 Jun 2024 05:41:41 +0000 (07:41 +0200)]
third_party: Update uid_wrapper to version 1.3.1

This fixes issues with bind compiled with jemalloc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    gitlab-ci: Set git safe.directory for devel repo
Andreas Schneider [Fri, 7 Jun 2024 14:20:10 +0000 (16:20 +0200)]
gitlab-ci: Set git safe.directory for devel repo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    bootstrap: Fix building CentOS 8 Stream container images
Andreas Schneider [Mon, 10 Jun 2024 13:28:30 +0000 (15:28 +0200)]
bootstrap: Fix building CentOS 8 Stream container images

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    bootstrap: Set git safe.directory
Andreas Schneider [Thu, 6 Jun 2024 14:10:14 +0000 (16:10 +0200)]
bootstrap: Set git safe.directory

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    bootstrap: Fix runner tags
Andreas Schneider [Thu, 6 Jun 2024 12:41:02 +0000 (14:41 +0200)]
bootstrap: Fix runner tags

See https://docs.gitlab.com/ee/ci/runners/hosted_runners/linux.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
6 weeks ago    python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS
Andrew Bartlett [Tue, 11 Jun 2024 22:24:18 +0000 (10:24 +1200)]
python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

This augments the PKINIT based tests to show this is correctly handled
for the far more usual case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224

6 weeks ago    python/samba/tests/krb5: Add check to confirm UF_SMARTCARD_REQUIRED password is expire...
Andrew Bartlett [Tue, 11 Jun 2024 20:51:54 +0000 (08:51 +1200)]
python/samba/tests/krb5: Add check to confirm UF_SMARTCARD_REQUIRED password is expired on NTLM

8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry
checking on NTLM, but that is fixed after CID 1603594 triggered
815d696d4471f1b3a4267eb774eb80b07576031b.  In the past we could
not have password expiry times small enough to test expiry
(unlike "must change now"), but having no test was not good.

As we are already doing the sleep() here, add a test to the
password rotation test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
6 weeks ago    python: remove string_to_byte_array()
Douglas Bagnall [Wed, 12 Jun 2024 00:16:46 +0000 (12:16 +1200)]
python: remove string_to_byte_array()

This was a useful function during the Python 2 -> 3 migration, but it
is not used any more. In all the cases it was used, we knew we already
had a bytes object, and this was just an inefficient way of confirming
that.

In cases where we actually want to cast a string into a mutable list
of byte-sized ints, the builtin bytearray() function will do a better
job than this, because it will encode high unicode characters as utf-8
bytes, rather than adding them as out-of-range values in the list.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 12 09:16:39 UTC 2024 on atb-devel-224

6 weeks ago    samba-tool ldapcmp: remove a dodgy unused method
Douglas Bagnall [Tue, 11 Jun 2024 23:42:27 +0000 (11:42 +1200)]
samba-tool ldapcmp: remove a dodgy unused method

We have bindings for stringifying GUIDs, so I intended to replace this
rather complicated code with that, but it turns out that this method
has been unused since 5d42260eecfd4f26cc82637ce1bc989083c9eb9d in 2013.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
Douglas Bagnall [Tue, 11 Jun 2024 23:34:36 +0000 (11:34 +1200)]
pytest: simplify and fix HEXDUMP_FILTER used in hexdumps

The old test

   x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')

went through some contortions to see if the character was printable, and
it got it slightly wrong. The idea was that `repr(chr(97))` is "'a'",
while `repr(chr(167))` is "'\xa7'", which we can distinguish using the
length. But that miscategorised the backslash character, which is
represented as "'\\'", a string of length 4, so it was shown as '.'
instead.

Instead we notice that the characters we want to print in a hexdump
are exactly those between 32 and 126, inclusive.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
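The two printable-byte tests from the commit message, side by side, with a small hexdump built on the corrected one. This is an added example and not the test code from the Samba tree; `old_filter()` reproduces the original expression verbatim, while `hexdump()`, `differing_bytes()` and the sample input are constructed for the demonstration.

```python
"""Added illustration, not Samba test code: the old repr()-based printable
check next to the 32..126 range check, and a hexdump built on the latter."""
from typing import List


def old_filter(x: int) -> int:
    """The original HEXDUMP_FILTER test, kept verbatim for comparison."""
    return x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')


def new_filter(x: int) -> int:
    """Printable ASCII is exactly 0x20..0x7e; everything else becomes '.'."""
    return x if 32 <= x <= 126 else ord('.')


# A 256-entry translation table, usable directly with bytes.translate().
HEXDUMP_FILTER = bytes(new_filter(x) for x in range(256))


def differing_bytes() -> List[int]:
    """Byte values the two filters classify differently."""
    return [x for x in range(256) if old_filter(x) != new_filter(x)]


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump, using HEXDUMP_FILTER for the ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk)
        ascii_part = chunk.translate(HEXDUMP_FILTER).decode('ascii')
        lines.append(f'{off:08x}  {hexpart:<{width * 3 - 1}}  {ascii_part}')
    return '\n'.join(lines)


if __name__ == '__main__':
    # Constructed sample: a backslash, quotes, a high byte, a NUL and a newline.
    print('bytes the old filter got wrong:', differing_bytes())
    print(hexdump(b'C:\\Users\\"x"\xa7\x00\n'))
```

Running it shows that the only disagreement over the whole byte range is 0x5c (the backslash), which the old filter rendered as `.` because `repr('\\')` is four characters long; control bytes, DEL and everything above 0x7e are mapped to `.` by both.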
6 weeks ago    samba-tool domain trust: avoid useless use of string_to_byte_array
Douglas Bagnall [Tue, 11 Jun 2024 23:21:59 +0000 (11:21 +1200)]
samba-tool domain trust: avoid useless use of string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
Douglas Bagnall [Tue, 11 Jun 2024 23:21:09 +0000 (11:21 +1200)]
python:lsa_utils: avoid useless use of py2-compat string_to_byte_array

`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    python:join: avoid useless use of py2-compat string_to_byte_array
Douglas Bagnall [Tue, 11 Jun 2024 23:19:55 +0000 (11:19 +1200)]
python:join: avoid useless use of py2-compat string_to_byte_array

This was a workaround for the migration to Python 3, but is now just
extra work for the computer and cognitive load for us.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    py:emulate: remove py2 str/bytes workaround in traffic_packets
Douglas Bagnall [Tue, 11 Jun 2024 23:17:22 +0000 (11:17 +1200)]
py:emulate: remove py2 str/bytes workaround in traffic_packets

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    py:emulate: remove py2 str/bytes workaround in traffic
Douglas Bagnall [Tue, 11 Jun 2024 23:16:48 +0000 (11:16 +1200)]
py:emulate: remove py2 str/bytes workaround in traffic

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: remove py2 str/bytes workaround in auth_log_samlogon
Douglas Bagnall [Tue, 11 Jun 2024 23:15:50 +0000 (11:15 +1200)]
pytest: remove py2 str/bytes workaround in auth_log_samlogon

It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: remove py2 str/bytes workaround in samr_change_password
Douglas Bagnall [Tue, 11 Jun 2024 23:15:23 +0000 (11:15 +1200)]
pytest: remove py2 str/bytes workaround in samr_change_password

It is likely not necessary to cast to list().

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: remove py2 str/bytes workaround in lsa_utils
Douglas Bagnall [Tue, 11 Jun 2024 23:14:42 +0000 (11:14 +1200)]
pytest: remove py2 str/bytes workaround in lsa_utils

It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: remove py2 str/bytes workaround in dns_base
Douglas Bagnall [Tue, 11 Jun 2024 23:14:07 +0000 (11:14 +1200)]
pytest: remove py2 str/bytes workaround in dns_base

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    pytest: remove py2 str/bytes workaround in py_credentials
Douglas Bagnall [Tue, 11 Jun 2024 23:13:24 +0000 (11:13 +1200)]
pytest: remove py2 str/bytes workaround in py_credentials

It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s4/pytest: remove py2 str/bytes workaround in getnc_exop
Douglas Bagnall [Tue, 11 Jun 2024 23:11:27 +0000 (11:11 +1200)]
s4/pytest: remove py2 str/bytes workaround in getnc_exop

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
Noel Power [Fri, 7 Jun 2024 18:35:47 +0000 (19:35 +0100)]
s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

This patch also removes the known fail for the existing test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224

6 weeks ago    selftest: Add a python blackbox test for some misc (widelink) DFS tests
Noel Power [Tue, 11 Jun 2024 10:19:50 +0000 (11:19 +0100)]
selftest: Add a python blackbox test for some misc (widelink) DFS tests

On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

6 weeks ago    s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
Jeremy Allison [Tue, 11 Jun 2024 00:25:32 +0000 (17:25 -0700)]
s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224

6 weeks ago    s3/torture: Add test for widelink case insensitivity on a MSDFS share.
Jeremy Allison [Mon, 10 Jun 2024 22:14:19 +0000 (15:14 -0700)]
s3/torture: Add test for widelink case insensitivity on a MSDFS share.

Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
6 weeks ago    samba-tool user readpasswords: avoid `assert` for validation
Douglas Bagnall [Fri, 2 Feb 2024 02:01:21 +0000 (15:01 +1300)]
samba-tool user readpasswords: avoid `assert` for validation

`assert` can be optimised away if python is run with `-O`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224
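The point of the readpasswords commit above, that a check written as `assert` silently vanishes under `python -O`, can be demonstrated in-process: `compile()` takes the same `optimize` level the `-O` flag sets, so the same validator source can be run with and without assertion stripping. This is an added example, not samba-tool's code; the two validators and the non-negative-integer option they check are hypothetical.

```python
"""Added illustration, not samba-tool code: why input validation must not
rely on `assert`, shown by compiling one validator at optimisation level 0
(normal) and 1 (what `python -O` uses: asserts removed, __debug__ False)."""
from typing import Any

# Two hypothetical validators for a non-negative integer option, kept as
# source text so each can be compiled at either optimisation level.
ASSERT_VALIDATOR = (
    "def validate(n):\n"
    "    assert isinstance(n, int) and n >= 0, 'bad value'\n"
    "    return n\n"
)
EXPLICIT_VALIDATOR = (
    "def validate(n):\n"
    "    if not isinstance(n, int) or n < 0:\n"
    "        raise ValueError('bad value: %r' % (n,))\n"
    "    return n\n"
)


def rejects(src: str, value: Any, optimize: int) -> bool:
    """Compile `src` at the given optimisation level, call validate(value)
    and report whether the value was rejected."""
    ns = {}
    exec(compile(src, '<validator>', 'exec', optimize=optimize), ns)
    try:
        ns['validate'](value)
    except (AssertionError, ValueError):
        return True
    return False


def validate_explicit(n: Any) -> int:
    """The pattern to use in real code: an explicit check that raises.
    bool is excluded because it is an int subclass and True would pass."""
    if isinstance(n, bool) or not isinstance(n, int) or n < 0:
        raise ValueError('expected a non-negative integer, got %r' % (n,))
    return n


if __name__ == '__main__':
    for name, src in (('assert', ASSERT_VALIDATOR),
                      ('explicit', EXPLICIT_VALIDATOR)):
        print(f'{name:8s} rejects -1 normally: {rejects(src, -1, 0)}, '
              f'under -O: {rejects(src, -1, 1)}')
```

At level 1 the `assert` validator accepts `-1` without complaint, while the explicit `raise` keeps rejecting it; the same applies to any distribution or wrapper script that starts Python with `-O` or `PYTHONOPTIMIZE` set.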

6 weeks ago    s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
Jo Sutton [Tue, 11 Jun 2024 02:58:11 +0000 (14:58 +1200)]
s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)

We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s4:dsdb: Remove trailing whitespace
Jo Sutton [Fri, 24 May 2024 01:05:58 +0000 (13:05 +1200)]
s4:dsdb: Remove trailing whitespace

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
Jo Sutton [Mon, 29 Apr 2024 05:07:43 +0000 (17:07 +1200)]
s4:auth: Add temporary memory context to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s4:auth: Add common out path to authsam_reread_user_logon_data()
Jo Sutton [Mon, 29 Apr 2024 05:09:12 +0000 (17:09 +1200)]
s4:auth: Add common out path to authsam_reread_user_logon_data()

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    ldb: Attach appropriate ldb context to returned result
Jo Sutton [Wed, 1 May 2024 04:54:01 +0000 (16:54 +1200)]
ldb: Attach appropriate ldb context to returned result

This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
6 weeks ago    s4/torture: Remove already existing test_dir
Anoop C S [Wed, 29 May 2024 13:22:10 +0000 (18:52 +0530)]
s4/torture: Remove already existing test_dir

In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224

6 weeks ago   s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
Anoop C S [Wed, 29 May 2024 13:11:32 +0000 (18:41 +0530)]
s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL

In shares where the acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks a few permissions for the owner
when created using create_dir(). The test case aims to set delete-on-close,
for which delete permission is necessary in the first place. Therefore we
now perform the creation and subsequent opening of the directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
6 weeks ago   python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now...
Andrew Bartlett [Tue, 4 Jun 2024 01:26:18 +0000 (13:26 +1200)]
python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

This flexibility in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error
return and just be consistent between the different authentication paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224

6 weeks ago   python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation...
Andrew Bartlett [Mon, 3 Jun 2024 23:36:53 +0000 (11:36 +1200)]
python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done

This makes sense as otherwise the user would suddenly not know their password
for use when they do not use their smartcard.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
Andrew Bartlett [Sun, 26 May 2024 23:51:59 +0000 (11:51 +1200)]
WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts...
Andrew Bartlett [Sun, 26 May 2024 23:30:29 +0000 (11:30 +1200)]
provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default

We do this by telling the Domain Functional Level upgrade code that
this is a new install.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
Andrew Bartlett [Sun, 26 May 2024 23:53:15 +0000 (11:53 +1200)]
selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set

This assures us that the new provision sets the value by default.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Rotate smart-card only underlying password in 2nd half of lifetime
Andrew Bartlett [Fri, 17 May 2024 05:34:36 +0000 (17:34 +1200)]
kdc: Rotate smart-card only underlying password in 2nd half of lifetime

This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours.  The internet
suggestions of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
Andrew Bartlett [Thu, 9 May 2024 04:24:31 +0000 (16:24 +1200)]
kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts

This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime.  This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
Andrew Bartlett [Mon, 20 May 2024 23:14:50 +0000 (11:14 +1200)]
kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords

This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply cannot expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
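The three KDC commits above (detect expiring UF_SMARTCARD_REQUIRED accounts, rotate in the second half of the password lifetime, and track pwdLastSet so a rotation happens at most once per AS-REQ) describe a policy rather than show it. The model below is an added illustration written for this page; it is not Samba code and does not reproduce the KDC's actual data structures. The Domain and Account classes, the db_writes counter, the rotated_in_request flag and the "second half of maxPwdAge" rule are modelling assumptions; the UF_SMARTCARD_REQUIRED bit value and the 2016 functional level number are the Active Directory definitions. Times are in NTTIME ticks (100 ns), the unit pwdLastSet is stored in, with maxPwdAge taken as a positive duration.

```python
import secrets
from dataclasses import dataclass

# NTTIME is 100 ns ticks since 1601; only consistent units matter here.
NTTIME_PER_SECOND = 10_000_000
HOUR = 3600 * NTTIME_PER_SECOND

UF_SMARTCARD_REQUIRED = 0x00040000   # userAccountControl bit
DS_DOMAIN_FUNCTION_2016 = 7          # msDS-Behavior-Version for Windows Server 2016


@dataclass
class Domain:                        # modelling assumption, not Samba's struct
    functional_level: int
    expire_smartcard_only: bool      # msDS-ExpirePasswordsOnSmartCardOnlyAccounts
    max_pwd_age: int                 # maxPwdAge as a positive duration
    tgt_lifetime: int                # maximum TGT lifetime the KDC will issue


@dataclass
class Account:                       # modelling assumption, not Samba's entry
    user_account_control: int
    pwd_last_set: int                # 0 means "must change now", i.e. expired
    nt_hash: bytes
    db_writes: int = 0               # constructed counter so the test can see writes
    rotated_in_request: bool = False # the "track pwdLastSet once per AS-REQ" guard


def config_ok(domain: Domain) -> bool:
    """Operational check from the commit message: rotating only in the second
    half of the lifetime means a TGT issued just before the rotation point must
    not outlive the password, so maxPwdAge must be >= 2 * TGT lifetime."""
    return domain.max_pwd_age >= 2 * domain.tgt_lifetime


def rotation_enabled(domain: Domain, account: Account) -> bool:
    """A smart-card-only account can only expire when both the attribute is set
    and the domain is at functional level 2016 or higher."""
    return (bool(account.user_account_control & UF_SMARTCARD_REQUIRED)
            and domain.functional_level >= DS_DOMAIN_FUNCTION_2016
            and domain.expire_smartcard_only)


def in_second_half(domain: Domain, account: Account, now: int) -> bool:
    """Already expired (pwdLastSet == 0) or past the midpoint of maxPwdAge."""
    if account.pwd_last_set == 0:
        return True
    return now >= account.pwd_last_set + domain.max_pwd_age // 2


def maybe_rotate(domain: Domain, account: Account, now: int) -> bool:
    """Run before the KDC processes the entry; returns True if a new random
    password was written.  The per-request flag prevents a second rotation when
    the TGT lifetime exceeds maxPwdAge (a freshly rotated password would
    otherwise still look 'about to expire' within the same AS-REQ)."""
    if not rotation_enabled(domain, account):
        return False
    if account.rotated_in_request or not in_second_half(domain, account, now):
        return False
    account.nt_hash = secrets.token_bytes(16)   # stand-in for the real random key generation
    account.pwd_last_set = now
    account.db_writes += 1
    account.rotated_in_request = True
    return True


def process_as_req(domain: Domain, account: Account, now: int, checks: int = 2) -> int:
    """Simulate one AS-REQ in which the entry is examined `checks` times and
    return the number of DB writes it caused (expected: at most one)."""
    account.rotated_in_request = False
    before = account.db_writes
    for _ in range(checks):
        maybe_rotate(domain, account, now)
    return account.db_writes - before
```

With maxPwdAge at 20 hours and a 10 hour TGT lifetime, config_ok() holds and an account whose password was set 11 hours ago is rotated exactly once per AS-REQ; with the attribute unset, or with maxPwdAge below twice the TGT lifetime (the "not sensible" combination the commit mentions), the per-request flag is what keeps the write count at one.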
6 weeks ago   s4-auth: Use consistent externally-supplied time in auth stack
Andrew Bartlett [Wed, 29 May 2024 02:51:01 +0000 (14:51 +1200)]
s4-auth: Use consistent externally-supplied time in auth stack

This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts.  By having
the account expiry follow exactly the same clock as the password expiry
we can hope for fewer surprises.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Use a consistent, stable time throughout the Heimdal KDC
Andrew Bartlett [Tue, 28 May 2024 00:53:19 +0000 (12:53 +1200)]
kdc: Use a consistent, stable time throughout the Heimdal KDC

The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
Andrew Bartlett [Wed, 29 May 2024 23:43:04 +0000 (11:43 +1200)]
kdc: Mark KDC sam.ldb as not to use ldb_wrap cache

This will ensure that the time which is passed in an opaque is
not used by other parts of Samba.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
Andrew Bartlett [Wed, 29 May 2024 23:23:01 +0000 (11:23 +1200)]
ldb_wrap: Provide a way to avoid Samba using ldb_wrap()

ldb_wrap is a caching mechanism, and it should probably be removed,
but for now provide a way to avoid it in specific cases where we
know it is harmful.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   kdc: Remove confusing duplicate open of sam.ldb to find RODC status
Andrew Bartlett [Wed, 29 May 2024 23:40:16 +0000 (11:40 +1200)]
kdc: Remove confusing duplicate open of sam.ldb to find RODC status

Instead, make this query after we open the DB in common with the MIT code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: Prepare to handle smartcard password rollover
Andrew Bartlett [Mon, 20 May 2024 01:51:23 +0000 (13:51 +1200)]
dsdb: Prepare to handle smartcard password rollover

We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
Andrew Bartlett [Fri, 17 May 2024 03:10:18 +0000 (15:10 +1200)]
dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed

This both allows the time to be overridden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
Andrew Bartlett [Tue, 2 Apr 2024 22:54:00 +0000 (11:54 +1300)]
dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!

While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.

Samba now honours the password expiry.

This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: Reduce minimum maxPwdAge from 1 day to nil
Andrew Bartlett [Fri, 17 May 2024 02:19:31 +0000 (14:19 +1200)]
dsdb: Reduce minimum maxPwdAge from 1 day to nil

This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
Andrew Bartlett [Mon, 20 May 2024 05:13:53 +0000 (17:13 +1200)]
dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode

This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired
Andrew Bartlett [Fri, 10 May 2024 04:51:27 +0000 (16:51 +1200)]
python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired

The tests of passwords that will expire in the TGT lifetime fail against
Windows; we do not see the rotation in that case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/test/krb5: Use assertAlmostEqual in check_ticket_times()
Andrew Bartlett [Fri, 17 May 2024 00:17:40 +0000 (12:17 +1200)]
python/test/krb5: Use assertAlmostEqual in check_ticket_times()

This allows Windows behaviour with clock skew to be allowed for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/tests/krb5: Move check_ticket_times() to kdc_base_test.py
Andrew Bartlett [Fri, 17 May 2024 00:25:17 +0000 (12:25 +1200)]
python/tests/krb5: Move check_ticket_times() to kdc_base_test.py

This will allow other parts of the testsuite to use this helpful function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/samba/krb5: Add test for password rotation on UF_SMARTCARD_REQUIRED accounts
Andrew Bartlett [Tue, 2 Apr 2024 21:53:11 +0000 (10:53 +1300)]
python/samba/krb5: Add test for password rotation on UF_SMARTCARD_REQUIRED accounts

This demonstrates, against a server presumed to be in FL 2016,
what the impact of the msDS-ExpirePasswordsOnSmartCardOnlyAccounts
attribute is.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/tests/krb5: Remove unused utf16pw variable
Andrew Bartlett [Tue, 2 Apr 2024 19:26:04 +0000 (08:26 +1300)]
python/tests/krb5: Remove unused utf16pw variable

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
Andrew Bartlett [Thu, 2 May 2024 04:02:58 +0000 (16:02 +1200)]
python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED

Windows 2022 at April 2024 has changed and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee.

(This is an improvement to Windows security).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
Andrew Bartlett [Mon, 27 May 2024 06:53:42 +0000 (18:53 +1200)]
python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works

We have had it confirmed from MS that this behaviour is both deliberate
and required.  Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value, otherwise DPAPI
(local keychain) secured by this value can fail on the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broade...
Andrew Bartlett [Mon, 27 May 2024 06:46:49 +0000 (18:46 +1200)]
python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check
Andrew Bartlett [Mon, 20 May 2024 02:07:46 +0000 (14:07 +1200)]
s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check

This centralises the check rather than checking the time in
multiple spots.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   s4-auth: Update comment to mention 60mins in the NTLM grace period
Andrew Bartlett [Tue, 2 Apr 2024 22:52:28 +0000 (11:52 +1300)]
s4-auth: Update comment to mention 60mins in the NTLM grace period

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
6 weeks ago   dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistent with other...
Andrew Bartlett [Tue, 23 Apr 2024 04:17:04 +0000 (16:17 +1200)]
dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistent with other uses

Other functions in this file are TALLOC_CTX, struct ldb_context *, not
the other way around.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
7 weeks ago   smbd: Ensure we grant owner sid in check_parent_access_fsp()
MikeLiu [Fri, 31 May 2024 07:31:46 +0000 (15:31 +0800)]
smbd: Ensure we grant owner sid in check_parent_access_fsp()

Grant owner sid to check for owner rights.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15648

Signed-off-by: MikeLiu <mikeliu@qnap.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  7 18:30:34 UTC 2024 on atb-devel-224