mirror of https://github.com/samba-team/samba.git synced 2025-04-07 10:50:24 +03:00

140501 Commits

Author SHA1 Message Date
Stefan Metzmacher
72cb5fcbed winbindd: let update_trusted_domains_dc() also call pdb_filter_hints()
On an AD DC we need to update sam_domain->fti, so that
find_routing_from_namespace_noinit() uses the correct
uPNSuffixes and msDS-SPNSuffixes values for the local forest.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Apr  3 10:35:10 UTC 2025 on atb-devel-224
2025-04-03 10:35:10 +00:00
Stefan Metzmacher
e1ff389173 winbindd: add find_local_sam_domain() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
d0788faae5 winbindd: pass for_netlogon to winbind_dual_SamLogon to avoid caching
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
fd21c3685a s4:auth/ntlm: let auth_winbind pass WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
74d44f5029 s4:auth: let auth_context_create_for_netlogon() remember for_netlogon = true;
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
04968ead5f s3:auth: let auth_winbind pass WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON if needed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
0733cfc636 s3:auth: remember make_auth3_context_for_netlogon() was used
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
6919a381a9 winbind.idl: add WB_SAMLOGON_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
fb891b4387 libwbclient: add WBC_AUTH_PARAM_FLAGS_FOR_NETLOGON to pass WBFLAG_PAM_FOR_NETLOGON
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
22893198cb winbind_struct_protocol.h: add WBFLAG_PAM_FOR_NETLOGON
This will be used when auth_winbind is used with
make_auth3_context_for_netlogon().

This will allow winbindd to use different rules
for LogonSamLogon requests compared to
local authentications for smbd.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
9acb34f1c3 s4:librpc/idl: remove unused legacy copy of winbind.idl
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
b16fecbd92 auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
If there's a mismatch, someone is doing strange things...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
f143306dd8 python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
163a39334c python:tests/krb5: allow set_pac_sids() to take upn_dns_sid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
7b4b9ae0ea python:tests/krb5: let check_device_info() allow an empty rid array
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
f569dfe16e python:tests/krb5: allow create_account_opts() to take selective_auth_allowed_sid
This will add a GUID_DRS_ALLOWED_TO_AUTHENTICATE ace with CONTROL_ACCESS
to the created account.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
22a66b1a5e python:tests/krb5: allow tgs_exchange_dict() to take expected_[device_]duplicated_groups
This allows us to expect duplicated sids in the PAC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
82ecf6e31e python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID
device info does not really have RESOURCE_SID,
so we need to map RESOURCE_SID as well as EXTRA_SID (with a S-1-5-21-
prefix) to EXTRA_DOMAIN_SID.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
f7bcaa2377 python:tests/krb5: create_account_opts() can't handle self.AccountType.TRUST
create_trust() is used for that...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
1af0ccb873 python:tests/krb5: add KDC_ERR_PATH_NOT_ACCEPTED
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
9a06e014b5 s4:kdc: samba_kdc_add_compounded_auth() should add Compounded_Authentication again if it's already there
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
08bf34c721 s4:kdc: only use compound authentication with an explicit FAST armor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
e6506c2cf8 s4:kdc: samba_kdc_update_pac() doesn't need explicit delegated_proxy_principal
It comes along as delegated_proxy.pac_princ now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
6892988fbd s4:kdc: store pac_princ in struct samba_kdc_entry_pac
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
225fa436bf s4:kdc: pass pac_princ to samba_kdc_entry_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
08608dc08e s4:kdc: pass pac_princ to samba_kdc_entry_pac_from_trusted()
For mit_samba_update_pac() we can only pass it optionally.
This should be fixed in future, but it requires changes
in MIT Kerberos.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
c87f66ebac s4:kdc: let samba_kdc_entry_pac[_from_trusted]() assert krbtgt is valid if pac is valid
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
b0f12b05a8 s4:kdc: let hdb_samba4_check_rbcd() fill device_pac_entry() without device_entry
If we have a device_pac we also have device_server/krbtgt_entry, while
device_entry is optional.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
291a662f3f s4:kdc: let samba_wdc_get_pac() use samba_kdc_get_device_pac()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
18a28c15c4 s4:kdc: let samba_kdc_get_device_pac() always extract device_krbtgt_skdc_entry
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
996d7786c7 s4:kdc: let samba_wdc_reget_pac() use krbtgt_skdc_entry as delegated_proxy_krbtgt_entry
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
9f21b0e10a s4:kdc: let mit_samba_check_allowed_to_delegate_from() fetch krbtgt_entry
samba_kdc_entry_pac_from_trusted() will soon assert that
it has a valid krbtgt_entry.

In the long run this should be passed from the caller...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
c21918fe6e s4:kdc: add some checks for SDB_F_S4U2{SELF,PROXY}_PRINCIPAL
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
12a1f504dc s4:kdc: let SDB_F_CROSS_REALM_PRINCIPAL result in SDB_ERR_NOT_FOUND_HERE
It means the client is remote and the kdc logic has to live without
an sdb_entry.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
d587593b93 s4:kdc: pass HDB_F_{CROSS_REALM,S4U2SELF,S4U2PROXY}_PRINCIPAL as SDB_F_*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
7664b7a873 s4:kdc: adjust to HDB_INTERFACE_VERSION=12
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
6b0b52399c third_party/heimdal: Import lorikeet-heimdal-202503211313 (commit f5c091eff46b975ede09860066239aee5f563bdf)
This is a rebase on Heimdal master as well as
some patches to prepare sid-filtering support in Samba.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
7af09c5fcb third_party/heimdal: Import lorikeet-heimdal-202503211047 (commit 752fd2fc0d7e48791df91dd2b45899e64ef65a7a)
kdc: Constrained delegation requires a local delegating server

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15837
MR: https://github.com/heimdal/heimdal/pull/1274

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
19ae5c2b52 s4:kdc: specify SDB_F_ values as hex
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
c7a89d62fb lib/ldb-samba: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
We don't want expected connect/bind failures in the log output...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
2331bf5607 lib/ldb: allow ldb_get_opaque(ldb, "backend_no_debug_connect")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Stefan Metzmacher
2e52c4e8a5 libcli/security: split trust_forest_info_* functions into samba-security-trusts
This will avoid dependency loops in following commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 09:36:31 +00:00
Ralph Boehme
0e4cab78cd s3/locking: add a comment to share_mode_data_ltdb_store()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Apr  2 19:03:50 UTC 2025 on atb-devel-224
2025-04-02 19:03:50 +00:00
Ralph Boehme
b096214794 s3/locking: add a comment to put_share_mode_lock_internal()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
c826af38b0 s3/locking: simplify get_static_share_mode_data_fn()
One if less and tighter coupling of logic. No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
6a41de3ecd s3/locking: locking_tdb_data_get() -> locking_tdb_data_parse()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
f12f0d1d94 s3/locking: parse_share_modes() -> parse_share_mode_data()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
c36cc2b672 s3:rpc_server/srvsvc: use brl_get_locks_readonly() instead of brl_get_locks()
No need to keep the record locked longer than needed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
dc03a06ffc smbd: use share_mode_do_locked_brl() in vfs_default_durable_reconnect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00
Ralph Boehme
393379fc9c smbd: use share_mode_do_locked_brl() in vfs_default_durable_disconnect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15767

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-04-02 18:05:48 +00:00