IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Let PIDL take care of encoding SMB2_FILE_POSIX_INFORMATION. This way
we also get parsing.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
With embedded Heimdal, we can mark a PAC as being trusted (i.e. not
issued by an RODC). This is convenient, as it saves us needing to carry
that information in flags, hoping it isn’t inadvertently lost.
System Heimdal and MIT Kerberos, however, don’t provide a way to mark a
PAC trusted. So we add a new wrapper type, ‘samba_kdc_entry_pac’, that
contains this extra information if ‘krb5_const_pac’ doesn’t contain it
already. As it also stores a pointer to the client entry, the
structure’s lifetime must therefore be carefully managed. Finally, it
keeps track of whether the PAC came across a trust, to know which is
useful in some circumstances.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In the first place, this check was only applicable to the Heimdal KDC,
the MIT KDC not having support for compounded authentication. Secondly,
it was redundant, because _kdc_fast_check_armor_pac() would have already
been called to verify the armor ticket; a second round of validation
achieved nothing. And finally, the check was flawed: it checked only
*explicitly* armored PACs, and so would have done nothing for an armored
*AS‐REQ*.
In short, this check was useless; remove it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.
By extracting the call to samba_kdc_add_asserted_identity() into the
former function’s callers, we’ll be able to remove the
‘asserted_identity’ parameter in the next commit, reducing the
function’s complexity.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_user_info_dc() does too much. It should be responsible
only for getting account information, not for adding extra SIDs.
By extracting the call to samba_kdc_add_claims_valid() into the former
function’s callers, we’ll be able to remove the ‘claims_valid’ parameter
in the next commit, reducing the function’s complexity.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These structures have been zero‐initialized already.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224
The new ‘claims_data’ structure can store claims in three different
representations — as an encoded blob, as a CLAIMS_SET structure, or as a
series of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 claims. Given a set of
claims, the accompanying functions provide a way to convert them into
the desired format.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Some functions in the auth_session subsystem will need to be able to
call encode_claims_set(). Moving said function lets them do that whilst
avoiding circular dependencies and additional public dependencies.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Future callers will rely on resource_groups_out being talloc‐allocated.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
‘tm’ must be initialized prior to calling strptime().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
strptime() will fail to parse the LDAP ‘whenCreated’ time string,
because the format string is wrong: it will expect to get a time like
“20230920043849Z”, but the time string seems to be actually formatted
“20230920043849.0Z” — like a GeneralizedTime.
Fix this by delegating to ldb_val_to_time().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
‘tm’ must be initialized prior to calling strptime().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>