Stefan Metzmacher
22904d2b9d
CVE-2023-4154 python/samba/ndr: add ndr_deepcopy() helper
...
This uses ndr_pack/unpack in order to create a deep copy
of the given object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
(cherry picked from commit 4627997dda
)
2023-10-08 22:06:22 +02:00
Stefan Metzmacher
10c4b6ea09
CVE-2023-4154 python:sd_utils: add dacl_{prepend,append,delete}_aces() helpers
...
They better represent what they are doing, we keep dacl_add_ace()
as wrapper of dacl_prepend_aces() in order to let existing callers
work as before.
In future it would be good to have a dacl_insert_aces() that
would canonicalize the ace order before storing, but that's a task
for another day.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
(cherry picked from commit a1109a9bf1
)
2023-10-08 22:06:22 +02:00
Stefan Metzmacher
b4849183a6
CVE-2023-4154 python:sd_utils: introduce update_aces_in_dacl() helper
...
This is a more generic api that can be re-used in other places
as well in future. It operates on a security descriptor object instead of
SDDL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
(cherry picked from commit 8411e6d302
)
2023-10-08 22:06:22 +02:00
Ralph Boehme
e7eb228621
mdssvc: reduce pagesize to 50
...
Latest macOS queries additional file metadata per search result, which causes
the marshalled paged result set including metadata to exceed the 64 KB result
fragment buffer.
Lacking fragmentation support in mdssvc (it's supported by the protocol), for
now just reduce the maximum number of results per search page.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org >
Reviewed-by: Jeremy Allison <jra@samba.org >
(cherry picked from commit 724a0518c9
)
2023-07-31 08:08:13 +00:00
Ralph Boehme
31a6264f8c
tests/mdssvc: match hits:total:value to be the actual amount of entries in hits
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342
Signed-off-by: Ralph Boehme <slow@samba.org >
Reviewed-by: Jeremy Allison <jra@samba.org >
(cherry picked from commit 7f5e4edf64
)
2023-07-31 08:08:13 +00:00
Ralph Boehme
a5c570e262
CVE-2023-34968: mdscli: return share relative paths
...
The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.
So given a share
  [spotlight]
    path = /foo/bar
    spotlight = yes
and a file inside this share with a full path of
  /foo/bar/dir/file
previously a search that matched this file would return the absolute
server-side path of the file, i.e.
  /foo/bar/dir/file
This will be changed to
  /spotlight/dir/file
As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accommodate these
fake paths. The only way to do this sensibly is by making the paths relative to
the containing share, so just
  dir/file
in the example above.
The client learns about the share root path prefix – real server-side or fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.
There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be
/System/Volumes/Data/foo/bar/dir/file
So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefix can be queried by the client in the
mdssvc_cmd() RPC call with a Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.
Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix
kMDSStorePathScopes + share_path (from mdssvc_open).
eg
  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file
Makes sense? :)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
2023-07-14 15:15:01 +02:00
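The prefix stripping described in the commit message above, as an added Python example; it is not the mdscli C code. The function names are hypothetical, the sample paths are constructed, and rejecting results that contain ".." or fall outside the combined prefix is an assumption of this sketch.

```python
def components(path):
    """Split a POSIX path into components, dropping empty and '.' parts."""
    return [c for c in path.split("/") if c not in ("", ".")]


def share_relative(result_path, store_path_scope, share_path):
    """Strip kMDSStorePathScopes + share_path from one search result path.

    Raises ValueError when the server-supplied path is not absolute, contains
    '..', or does not lie under the combined prefix.
    """
    if not result_path.startswith("/"):
        raise ValueError(f"not an absolute path: {result_path!r}")
    parts = components(result_path)
    if ".." in parts:
        raise ValueError(f"path contains '..': {result_path!r}")
    # Samba reports "/" as the scope, which contributes no components;
    # macOS typically reports "/System/Volumes/Data".
    prefix = components(store_path_scope) + components(share_path)
    # Compare whole components so that /foo/barbaz does not match /foo/bar.
    if parts[:len(prefix)] != prefix:
        raise ValueError(f"{result_path!r} is outside the share prefix")
    return "/".join(parts[len(prefix):])


def relativize(results, store_path_scope, share_path):
    """Convert one page of results; return (relative_paths, rejected_paths)."""
    relative, rejected = [], []
    for path in results:
        try:
            relative.append(share_relative(path, store_path_scope, share_path))
        except ValueError:
            rejected.append(path)
    return relative, rejected


# Constructed sample results, not captured from a real server.
MACOS_RESULTS = [
    "/System/Volumes/Data/foo/bar/dir/file",
    "/System/Volumes/Data/foo/barbaz/other",    # sibling directory, not the share
    "/System/Volumes/Data/foo/bar/../secret",   # tries to step out of the share
]

if __name__ == "__main__":
    print(relativize(MACOS_RESULTS, "/System/Volumes/Data", "/foo/bar"))
    # Fake share-name prefix returned by a patched Samba server, scope "/":
    print(share_relative("/spotlight/dir/file", "/", "/spotlight"))
```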
Andrew Bartlett
e2df45934a
dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
...
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.
This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
(cherry picked from commit bfc33b47bb
)
Autobuild-User(v4-17-test): Jule Anger <janger@samba.org >
Autobuild-Date(v4-17-test): Thu Mar 30 16:10:35 UTC 2023 on sn-devel-184
2023-03-30 16:10:35 +00:00
Rob van der Linde
04e5a7eb03
CVE-2023-0922 set default ldap client sasl wrapping to seal
...
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz >
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
2023-03-20 10:05:01 +01:00
Andrew Bartlett
00d1f6223f
s4-dsdb: Add tests of SamDB.get_nc_root()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
(cherry picked from commit 2c7bb58703
)
2023-02-03 09:35:08 +00:00
Stefan Metzmacher
5048d63c92
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
...
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Autobuild-User(master): Stefan Metzmacher <metze@samba.org >
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
(similar to commit 987cba9057
)
Autobuild-User(v4-17-test): Stefan Metzmacher <metze@samba.org >
Autobuild-Date(v4-17-test): Wed Dec 14 12:40:42 UTC 2022 on sn-devel-184
2022-12-14 12:40:42 +00:00
Stefan Metzmacher
701c98858c
CVE-2022-37966 samba-tool: add 'domain trust modify' command
...
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Ralph Boehme <slow@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
(cherry picked from commit d1999c152a
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
428aa9b001
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
...
In order to allow better upgrades we need the default value for smb.conf to be the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit fa64f8fa8d
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
8273935239
CVE-2022-37966 python:tests/krb5: test much more etype combinations
...
These tests work out the difference between
- msDS-SupportedEncryptionTypes value or its default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 1dfa91682e
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
c642bd9f2e
CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit c7c5762089
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
afc05bec7e
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
...
This will allow us to create test accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 77bd3258f1
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
d1b65794c8
CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit f434a30ee7
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
0f63356c8b
CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit d8fd6a22b6
)
2022-12-14 11:39:17 +00:00
Stefan Metzmacher
6a4531ad9f
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
...
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit e0f89b7bc8
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
3d85ff9dd5
CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
...
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 44802c46b1
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
64bfe0ef78
CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
...
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org >
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
(similar to commit 371d7e63fc
)
[jsutton@samba.org Removed unneeded fast_tests.py change, added
non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
tests.py]
2022-12-14 11:39:17 +00:00
Joseph Sutton
123b3c056a
CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
...
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit a7a0b9ad07
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
d8cef2fa34
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
...
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 086646865e
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
42150ff93b
CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
...
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 6b155b22e6
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
25918f9c16
CVE-2022-37967 Add new PAC checksum
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org >
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
(similar to commit a50a2be622
)
[jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
2022-12-14 11:39:17 +00:00
Joseph Sutton
15835e21e8
CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
...
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(similar to commit 177334c042
)
[jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
2022-12-14 11:39:17 +00:00
Joseph Sutton
649854b0fa
CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
...
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(similar to commit e0a91dddc4
)
[jsutton@samba.org Adapted to 4.17 version of function taking different
parameters]
2022-12-14 11:39:17 +00:00
Joseph Sutton
4870b9c8e5
CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
...
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(similar to commit 50e075d2db
)
[jsutton@samba.org Adapted to 4.17 version of function]
2022-12-14 11:39:17 +00:00
Andrew Bartlett
91dcb8d044
CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
...
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
(cherry picked from commit c7cd688917
)
2022-12-14 11:39:17 +00:00
Joseph Sutton
fea5bde53c
CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
...
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org >
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(cherry picked from commit 50cbdecf2e
)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org >
2022-12-14 11:39:17 +00:00
Andrew Bartlett
7b90f5c829
CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
...
A new file will shortly fail as it is binary input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Stefan Metzmacher <metze@samba.org >
(cherry picked from commit 5a02915913
)
2022-12-06 15:06:10 +00:00
Noel Power
057f60cc71
python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
...
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power@suse.com >
Reviewed-by: Andreas Schneider <asn@samba.org >
(cherry picked from commit ce7c418ca4
)
Autobuild-User(v4-17-test): Jule Anger <janger@samba.org >
Autobuild-Date(v4-17-test): Mon Oct 31 10:08:34 UTC 2022 on sn-devel-184
2022-10-31 10:08:34 +00:00
Andrew Bartlett
bac9532f0a
python-drs: Add client-side debug and fallback for GET_ANC
...
Samba 4.5 and earlier will fail to do GET_ANC correctly and will not
replicate non-critical parents of objects with isCriticalSystemObject=TRUE
when DRSUAPI_DRS_CRITICAL_ONLY is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
(cherry picked from commit bff2bc9c7d
)
2022-10-07 08:48:17 +00:00
Douglas Bagnall
6cc1ac327a
pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Noel Power <npower@samba.org >
(cherry picked from commit 251360d6e5
)
2022-10-07 08:48:17 +00:00
Douglas Bagnall
ad768b1cca
pytest/join: use TestCaseInTempDir.rm_files/dirs
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Noel Power <npower@samba.org >
(cherry picked from commit 7455c53fa4
)
2022-10-07 08:48:17 +00:00
Douglas Bagnall
79b5156ec8
pytest/samdb_api: use TestCaseInTempDir.rm_files
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Noel Power <npower@samba.org >
(cherry picked from commit 4e3dabad0b
)
2022-10-07 08:48:17 +00:00
Douglas Bagnall
4486028b86
pytest/downgradedatabase: use TestCaseInTempDir.rm_files
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Noel Power <npower@samba.org >
(cherry picked from commit 85bc1552e3
)
2022-10-07 08:48:17 +00:00
Douglas Bagnall
02ededec93
pytest: add file removal helpers for TestCaseInTempDir
...
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:
    try:
        shutil.rmtree(os.path.join(self.tempdir, "a"))
        os.remove(os.path.join(self.tempdir, "b"))
        shutil.rmtree(os.path.join(self.tempdir, "c"))
    except Exception:
        pass
where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with
    self.rm_files('b')
    self.rm_dirs('a', 'c')
the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.
If on the other hand, we have
    self.rm_files('b', must_exist=True)
    self.rm_dirs('a', 'c')
then the FileNotFoundError causes a failure (not an error).
We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
Reviewed-by: Noel Power <npower@samba.org >
(cherry picked from commit 2359741b28
)
2022-10-07 08:48:17 +00:00
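A sketch of the behaviour this commit message describes, added here as an example; it is not Samba's TestCaseInTempDir code. The class and helper names other than rm_files, rm_dirs and must_exist are hypothetical, and the containment check via realpath/commonpath is one assumed way to stay inside self.tempdir.

```python
import os
import shutil
import tempfile
import unittest


class TempDirTestCase(unittest.TestCase):
    """Hypothetical stand-in for TestCaseInTempDir; not Samba's implementation."""

    def setUp(self):
        self.tempdir = tempfile.mkdtemp()
        self.addCleanup(shutil.rmtree, self.tempdir, ignore_errors=True)

    def inside_tempdir(self, name):
        # Resolve symlinks and '..', then refuse the tempdir itself and
        # anything outside it, so rm_dirs('/') can never reach shutil.rmtree.
        root = os.path.realpath(self.tempdir)
        path = os.path.realpath(os.path.join(root, name))
        if path == root or os.path.commonpath([root, path]) != root:
            raise ValueError(f"{name!r} is not inside {root}")
        return path

    def remove_each(self, remover, names, must_exist):
        for name in names:
            path = self.inside_tempdir(name)
            try:
                remover(path)
            except FileNotFoundError:
                if must_exist:
                    self.fail(f"{path} should exist but does not")
            # Any other OSError propagates and is reported as a test error.

    def rm_files(self, *files, must_exist=False):
        self.remove_each(os.remove, files, must_exist)

    def rm_dirs(self, *dirs, must_exist=False):
        self.remove_each(shutil.rmtree, dirs, must_exist)


class Demo(TempDirTestCase):
    # Constructed scenarios, named case_* so test runners do not auto-collect them.
    def setUp(self):
        super().setUp()
        os.mkdir(os.path.join(self.tempdir, "a"))
        open(os.path.join(self.tempdir, "c"), "w").close()

    def case_missing_ignored(self):
        self.rm_files("b")                    # absent: ENOENT is ignored
        self.rm_dirs("a")                     # and the next removal still runs
        self.assertEqual(os.listdir(self.tempdir), ["c"])

    def case_must_exist(self):
        self.rm_files("b", must_exist=True)   # absent: test failure

    def case_wrong_type(self):
        self.rm_files("a")                    # a directory: OSError, test error

    def case_escape(self):
        self.rm_dirs("../outside")            # outside tempdir: ValueError, test error


def run_demo():
    """Run the four scenarios and report which ones failed or errored."""
    names = ["case_missing_ignored", "case_must_exist",
             "case_wrong_type", "case_escape"]
    result = unittest.TestResult()
    unittest.TestSuite(Demo(n) for n in names).run(result)
    short = lambda pairs: sorted(t.id().split(".")[-1] for t, _ in pairs)
    return {"run": result.testsRun,
            "failures": short(result.failures),
            "errors": short(result.errors)}


if __name__ == "__main__":
    print(run_demo())
```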
Joseph Sutton
b82543978d
CVE-2021-20251 tests/krb5: Add tests for password lockout race
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
Reviewed-by: Andrew Bartlett <abartlet@samba.org >
(cherry picked from commit 91e2e5616c
)
[jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py
due to not having claims tests]
2022-09-19 04:02:12 +00:00
Douglas Bagnall
0fdd7e16a1
samba-tool gpo: clean up tmpdir after create
...
'fetch' and 'backup' might also leave files in /tmp, but in those cases
we want the files.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15006
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: David Mulder <dmulder@suse.com >
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org >
Autobuild-Date(master): Sat Aug 6 01:42:09 UTC 2022 on sn-devel-184
2022-08-06 01:42:09 +00:00
Douglas Bagnall
5750d7a1d0
samba-tool: allow testparm to dump global section only
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15070
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: David Mulder <dmulder@suse.com >
2022-08-06 00:45:35 +00:00
Douglas Bagnall
e0d96197fd
pytest/netcmd: test samba-tool testparm global section
...
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: David Mulder <dmulder@suse.com >
2022-08-06 00:45:35 +00:00
Joseph Sutton
b41691d0e5
CVE-2022-32743 tests/py_credentials: Add tests for setting dNSHostName with LogonGetDomainInfo()
...
Test that the value is properly validated, and that it can be set
regardless of rights on the account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
2022-07-28 22:47:37 +00:00
Douglas Bagnall
ffa84f2e5d
py/uptodateness: more details in missing dn report
...
This does not fix bug 15127, but it improves reporting.
https://bugzilla.samba.org/show_bug.cgi?id=15127
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org >
Autobuild-Date(master): Thu Jul 28 06:18:43 UTC 2022 on sn-devel-184
2022-07-28 06:18:43 +00:00
Joseph Sutton
fc03cf9f45
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
...
The kpasswd service should require a kpasswd service ticket, and
disallow TGTs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
be239c7168
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
...
We should not be able to use krb@REALM instead of krbtgt@REALM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
86698b313e
CVE-2022-2031 tests/krb5: Add tests for kpasswd service
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
192d597c2f
CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
...
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
6a2ec50bfd
CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
...
Now we can test the kpasswd service from Python.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
332fd6032a
CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00
Joseph Sutton
1e80767c1d
tests/krb5: Add option for creating accounts with expired passwords
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz >
Reviewed-by: Andreas Schneider <asn@samba.org >
2022-07-27 10:52:36 +00:00