IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This makes sure they are run as part of "samba-addc-mit-1".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It also only waits for the required amount of time elapsed. Hopefully
this should avoid running into timeouts.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 6 01:33:05 UTC 2023 on atb-devel-224
This demonstrates that the server did not detect CVE-2023-0922
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
By slowing the filter down more this makes the test reliable on the
autobuild host.
This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
These modifications persist, so should be done at the class level,
not in the test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.
Add or replace operations with no values and no privileges are
disallowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These variables are often used together, and it is useful to have the
setup code in one place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fe.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:
(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)
which, due to the extra characters, would fail to match anything.
Fix it to be:
(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In extended_dn_fix_filter() we had:
req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.
Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This changes the slow aspect to be the object matching not the filter parsing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Fix size of buffer passed to and always check the value returned
from strftime(), raise PyErr_NoMemory() and return NULL if zero,
or use it with PyUnicode_FromStringAndSize() (thus avoiding extra
internal call to strlen()) otherwise.
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Client time cannot be compared to server timestamp, because the clocks
on client and server may not be in sync.
Compare server timestamps, only to previous timestamps read from server.
Signed-off-by: Amir Goldstein <amir@ctera.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Apr 1 06:23:36 UTC 2023 on atb-devel-224
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
have_fast_support is unconditionally set to 1, so this doesn't change
any behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
More of these tests now pass against Windows. They still don't quite all
pass, but that's something to fix for another day.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This gives a more helpful diagnostic message.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.
It's not hooked into the KDC yet, so this entails no change in
behaviour.
Constructed claims and certificate claims are not supported yet.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This looks up a schema attribute by its CN, similar to
dsdb_class_by_cn_ldb_val().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Added delete protected test to known fail as Samba doesn't seem to enforce this yet.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Including
* compressed claims
* plain (uncompressed) claims
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 02:50:30 UTC 2023 on atb-devel-224
DRSUAPI_COMPRESSION_TYPE_XPRESS is not MS-XCA nor is it implemented by
lzexpress_compress(), so disconnect from that algorithm.
This avoids someone fixing lzxpress_compress() to work for DRSUAPI
and breaking claims support.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This give us a building block to test the PAC claims format
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is to adapt to the changed Heimdal KDC plugin API.
When we add support for device claims, we want to be able to verify the
PAC of the armor ticket without modifying or updating it. Previously, we
couldn't do this as the two operations were tightly intertwined. Now the
parts that only perform verification are split out into a new function,
samba_kdc_verify_pac().
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Backlinks which are not allowed by the schema are hidden by default,
so we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap
way to hide the backlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224
We now check for DSDB_RMD_FLAG_DELETED, as we'll check for
DSDB_RMD_FLAG_HIDDEN_BL in the next step and it's better to
call dsdb_dn_val_rmd_flags() just once.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This only verifies internals store operations, adding invalid forward
links is already checked in other places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we find that the backlink should not be visible on the given objectClass
by default, we now set DSDB_RMD_FLAG_HIDDEN_BL.
We'll evaluate that in the next commits in order to hide the
backlink by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We first create source_dn as trimmed down copy of bl->forward_dn
and then only use it for debug messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Backlink attributes which are not "allowed" in objectClass 'top'
are always possible, but only visible by default based on the
real objectClass.
In order to avoid pay the cost for finding out if a backlink
should be visible or not, we remember a 'bool bl_maybe_invisible'
both on the forward link as well as the backlink dsdb_attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
msDS-KeyCredentialLink/msDS-KeyCredentialLink-BL are defined as linked attribute pair,
but msDS-KeyCredentialLink-BL is not defined as allowed on any object class definition,
still it's possible to create msDS-KeyCredentialLink attributes.
msDS-KeyPrincipal/msDS-KeyPrincipalBL are also defined as linked attribute pair
and msDS-KeyPrincipalBL is only allowed on object class 'user', but it's possible
to create msDS-KeyPrincipal values pointing to non 'user' objects.
The result is that 'user' objects have a visible msDS-KeyPrincipalBL, but
the others don't have msDS-KeyPrincipalBL visible, by default.
The backlinks are always visible if the backlink attributes are
explicitly requested.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The tests don't require an organizationalUnit as parent object
and it makes it possible to create msDS-KeyCredential objects
within the container in the next step.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
With the default of base_schema=2019 we'll adprep to 2016.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have Domain-Wide-Updates.md and Read-Only-Domain-Controller-Updates.md only
for completeness, they are not parsed/used yet, so we added .unused in
order to avoid confusion in future.
Initially I tried to go with an ms_domain_updates_markdown.py,
but it is easier to add the current updates by hand to
domain_update.py, which will follow in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
'changetype: delete' is used to delete a whole object!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These demonstrate how inherited aces are constructed and applies
per objectclass, with and without the NO_PROPAGATE_INHERIT flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need SEC_STD_DELETE in order to run the test twice against the same server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Otherwise we impact other unrelated tests, e.g. 'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
All other tests use the same logic and run before, which means the ACE
is already there and is implicitly required.
As we want to cleanup the ACE after each test in the next step,
as the tests should not have side effects for other tests, e.g.
'blackbox.dbcheck'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 22 19:36:28 UTC 2023 on atb-devel-224
Instead of having one large function that returns every PAC blob, we now
have a more manageable assortment of smaller functions that each return
one blob.
That gives us more fine-grained handling of PAC blobs, with callers now
able to procure only the specific blobs that they need.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will not be the only claims blob. Later there will also be a
device_claims_blob.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_pac_blobs() passes a pointer to a user_info_dc structure
obtained from samba_kdc_get_user_info_from_db() into
samba_add_asserted_identity(). The latter function modifies the SIDs of
the user_info_dc structure in order to add the Asserted Identity SID,
but samba_kdc_get_user_info_from_db() actually caches that structure
internally, meaning that subsequent calls will return the modified
structure.
We should not modify cached SIDs, so have
samba_kdc_get_user_info_from_db() return a pointer to constant data, and
copy the returned array of SIDs before adding the Asserted Identity SID.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows only consults the PAC-OPTIONS claims bit to find out whether or
not to add claims to the PAC if the ClaimsCompIdFASTSupport option is
set to 1. If this option is set to 2 or 3, the bit is ignored and claims
are always added.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These will be used later when we add support for compound
authentication.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We weren't doing anything with the passed-in 'el' afterwards, so this
was just confusing.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This means that encoding an ACE in string form will now match Windows.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 21 01:19:16 UTC 2023 on atb-devel-224
Until we support claims we just return an empty blob,
that matches what Windows is doing without defined claims.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 20 01:25:07 UTC 2023 on atb-devel-224
It's getting unwieldy adding new PAC buffer types when each one has to
have its own handling. It also makes the possibility of mistakes more
likely.
Add a new container, 'struct pac_blobs', containing the types of PAC
buffers in a given PAC, with an index for quick access to the types we
support specifically. We can add new blobs (overriding existing ones) by
calling pac_blobs_add_blob(), and override certain blobs that must be
present with pac_blobs_replace_existing().
This removes the need to have a complicated 'switch' statement with
different logic for each PAC buffer type, or a dozen index variables.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
krb5_pac_add_buffer() makes its own copy of the data we pass in. We
don't need to make yet another copy.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heimdal contains an assertion that the data pointer is not NULL. We need
to pass in a pointer to some dummy data instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As these parameters are not assigned to, make them const.
Const specifiers for non-pointer types, such as in 'const
krb5_principal', don't do anything in function declarations. Remove
them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Make it clear what these parameters actually are.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A double negative is just confusing and prone to error.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This reduces the elapsed time to 6m from 20m on my laptop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.
This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
By deferring the writing out to the DB of link replication to the very end, we have a
better chance that all the objects required are present, however the situation may
have changed during the cycle, and a link could still be sent, pointing to a deleted
object.
We currently fail in this situation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 8 05:37:08 UTC 2023 on atb-devel-224
Calling cmd._run() directly would fail due to the 'command_name'
attribute being absent, so these tests would fail to run. Fix this by
using the samba.netcmd.main.samba_tool helper function.
Check the return code as well for good measure.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests verify that the groups in the device info structure in the
PAC are exactly as expected under various scenarios.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Maybe the following IDL files are now unused:
librpc/idl/oxidresolver.idl
librpc/idl/remact.idl
librpc/idl/dcom.idl
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
UNEXPECTED(failure): samba4.rpc.backupkey with seal.backupkey.server_wrap_decrypt_wrong_r2(ad_dc_default)
REASON: Exception: Exception: ../../source4/torture/rpc/backupkey.c:2219: r.out.result was WERR_INVALID_ACCESS, expected WERR_INVALID_PARAMETER: decrypt should fail with WERR_INVALID_PARAMETER
As commit 664bde19bf states:
"The use of the wrong key can still create structures that parse as a
SID, therefore we can sometimes get an unusual error, which becomes a
flapping test".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12107
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We later use this variable as part of a string substitution, and if we
leave it as bytes we will end up with b' ' quotes surrounding it, which
we do not want. Fix this by converting it to a string.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
View with 'git show -b'.
The seek(0) call is unnecessary.
Closing a file removes the lock held on it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The test sets an mtime with non zero nsec and verifies that
the timestamp of pre-close matches the timestamp after close-open.
This is a regression test for
https://bugzilla.samba.org/show_bug.cgi?id=6529
The bug speaks of loosing the milliseconds part of the timestamp,
but the test uses a value of 103*100ns for the sub-second part.
Meaning that if the backing filesystem has only milliseconds
granularity, the test practically checks that a value of
0 milliseconds is preserved, which will not have actually
caught the bug.
Also, with the default 'smbd getinfo ask sharemode = yes'
the test will fail if the filesystem truncates the sub-second part
to milliseconds granularity.
Use a non-zero milliseconds value with zero microseconds in the test
to support backing filesystems with milliseconds granularity.
Signed-off-by: Amir Goldstein <amir@ctera.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 1 20:55:47 UTC 2023 on atb-devel-224
The macros were ignoring the finfo argument.
Signed-off-by: Amir Goldstein <amir@ctera.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This has the lower-case share, used in the next commit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Test should have been using "schema_pair_dc", it was picking this up from the variable env in the loop above it.
However, it was hardcoded to use promoted_dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We don't use this and will never use this.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
It is up to the caller to choose if it wants to clean up the user_info_dc
memory early, we do so only in the KDC as was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 8 01:05:47 UTC 2023 on atb-devel-224
Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.
The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This test will thereby continue to pass when we correct the handling of
primary groups.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This assertion is one we will be breaking shortly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These constants allow one to tell at a glance what search operation is
being performed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.
In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This macro produces a slightly more useful message if the assertion
fails.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It's not used anywhere other than this file.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.
Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDS.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ensures that no members contain garbage data.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c:1646:49: error: variable 'rep_val_cnt' set
but not used [-Werror,-Wunused-but-set-variable]
unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 31 13:43:54 UTC 2023 on atb-devel-224
This allows our new tests to pass as these need to be checked first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We need to find the RODC per the destination_dsa_guid to mark the secrets as
having been replicated, and by using samdb_get_ntds_obj_by_guid() we are stricter
in the checks, as the RODC has to be the right objectClass (nTDSDSA) and under
the CN=Configuration partition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This should avoid a user being able to specify the GUID of a different
type of object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This will allow the logic here to be tighened up and shared
in the next few commits.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We want to totally ignore the string DN if there is a GUID,
as clients like "Microsoft Azure AD connect cloud sync" will
set a literal "DummyDN" string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This make this funciton the gatekeeper between the wire format and the
internal struct ldb_dn, checking if the DN exists and which NC
it belongs to along the way, and presenting only a DB-returned
DN for internal processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This reuses the search done for dsdb_find_nc_root() to normalise the DN.
This will allow a GUID-input DN to be compared safely with a RID Manager DN
or Naming Context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reuse the search done for dsdb_find_nc_root() to normalise the DN.
This will allow a GUID-input DN to be compared safely with a RID Manager DN
or Naming Context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows lookup of a DN with a GUID only or GUID and string,
possibly not yet in the database, yet still getting the correct result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This avoids needing to anticipate errors that the rename might give
while allowing the dsdb_find_nc_root() routine to become stricter.
The problem is that dsdb_find_nc_root() will soon do a real search and
so fail more often, but these failures will give "wrong" error codes.
We do not need to do this work if the operation fails, so put this in
the callback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Using a random base is a useful start, even if the better solution also includes a self.AddCleanup()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is not comprehensive, but makes some manual test runs easier by
avoiding the need for DNS names to resolve.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This avoids a talloc_strdup() and so a failure path.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
These aliases are deprecated and have been removed in Python 3.12.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
One of changes is somewhat interesting, it is "tfork waiter proces"
process title in tfork.c. I wonder why no one noticed this before.
There's another similar process title in there, "tfork waiter process(%d)".
Hopefully no one does grep for "proces$" (and there's no reason to).
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jan 26 20:46:11 UTC 2023 on atb-devel-224
This function already exists in bind9 but takes different arguments, so when
the DLZ is loaded and this function is called bind crashes:
named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0
named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0
named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar
named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace
Backtrace:
#0 0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6
#1 0x00007f2716c42816 in raise () from /lib64/libc.so.6
#2 0x00007f2716c2b81c in abort () from /lib64/libc.so.6
#3 0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>,
type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237
#4 0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c",
line=line@entry=664, type=type@entry=isc_assertiontype_require,
cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))")
at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48
#5 0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>)
at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664
**** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() ****
#6 0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10)
at ../../source4/dns_server/dnsserver_common.c:1346
#7 0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10)
at ../../source4/dns_server/dlz_bind9.c:1830
#8 0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa",
rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.",
dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077
#9 0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa",
rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>)
at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483
#10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0,
version=0x7f26f8044b20, rdataset=0x7f2706ff8830,
mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>)
at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107
#11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740,
ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370
#12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740,
ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465
#13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740,
ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454
#14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>,
name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505
#15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427
#16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00,
type=<optimized out>, covers=<optimized out>,
rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736
#17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>,
db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>,
covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454
#18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>)
at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299
#19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00)
at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823
#20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904
#21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000)
at netmgr/netmgr.c:840
#22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918
#23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560,
type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011
#24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765
#25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794
#26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>)
at src/unix/async.c:163
#27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>)
at src/unix/epoll.c:374
#28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570)
at src/unix/udp.c:122
#29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406
#30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696
#31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70)
at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189
#32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6
#33 0x00007f2716d19344 in clone () from /lib64/libc.so.6
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Samuel Cabrero <scabrero@samba.org>
Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224
FreeBSD has ENOATTR but not ENODATA, Linux has ENODATA but not ENOATTR for
returning "attr does not exist". With 2eb899de6a we settled on ENOATTR to
handle this case.
Alternatively we could
#define ENODATA ENOATTR
on FreeBSD...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: douglas.bagnall@catalyst.net.nz
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jan 19 09:24:15 UTC 2023 on atb-devel-224
This is no real change, but it makes sure we only have to
change samba_tevent_context_init() in future in order to
distribute the change to all places.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Without FLAGS2_REPARSE_PATH a path containing an @GMT token can be used to
create a file including the @GMT token in the name and a directory list will
also return the file as result. Verified against Windows. Samba behaves exactly
the same.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 13 01:13:01 UTC 2023 on sn-devel-184
Ensuring pointers are always initialised simplifies the code and avoids
compilation errors with FORTIFY_SOURCE=2.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
No need to recompile the world when only a few files need this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
To be used in smbXsrv_open.c, for this we need a lower bound.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Will be used later by s3 netlogon server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 1 00:24:02 UTC 2023 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec 23 15:31:31 UTC 2022 on sn-devel-184
There are four functions, allowing compression and decompression in
the two formats we support so far. The functions will accept bytes or
unicode strings which are treated as utf-8.
The LZ77+Huffman decompression algorithm requires an exact target
length to decompress, so this is mandatory.
The plain decompression algorithm does not need an exact length, but
you can provide one to help it know how much space to allocate. As
currently written, you can provide a short length and it will often
succeed in decompressing to a different shorter string.
These bindings are intended to make ad-hoc investigation easier, not
for production use. This is reflected in the guesses about output size
that plain_decompress() makes if you don't supply one -- either they
are stupidly wasteful or ridiculously insufficient, depending on
whether or not you were trying to decompress a 20MB string.
>>> a = '12345678'
>>> import compression
>>> b = compression.huffman_compress(a)
>>> b
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #....
>>> len(b)
262
>>> c = compression.huffman_decompress(b, len(a))
>>> c
b'12345678' # note, c is bytes, a is str
>>> a
'12345678'
>>> d = compression.plain_compress(a)
>>> d
b'\xff\xff\xff\x0012345678'
>>> compression.plain_decompress(d) # no size specified, guesses
b'12345678'
>>> compression.plain_decompress(d,5)
b'12345'
>>> compression.plain_decompress(d,0) # 0 for auto
b'12345678'
>>> compression.plain_decompress(d,1)
b'1'
>>> compression.plain_decompress(a,444)
Traceback (most recent call last):
compression.CompressionError: unable to decompress data into a buffer of 444 bytes.
>>> compression.plain_decompress(b,444)
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #...
That last one decompresses the Huffman compressed file with the plain
compressor; pretty much any string is valid for plain decompression.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
==17828==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc37790230 at pc 0x7fc37e2a3a11 bp 0x7ffc3778fec0 sp 0x7ffc3778feb8
READ of size 16 at 0x7ffc37790230 thread T0
#0 0x7fc37e2a3a10 in ndr_push_spoolss_GetPrinter librpc/gen_ndr/ndr_spoolss.c:27123
#1 0x7fc380629b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416
#2 0x7fc38062a132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553
#3 0x7fc37ed113c9 in dcerpc_spoolss_GetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1947
#4 0x5570ba6c4d03 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2249
#5 0x5570ba6e61ea in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2384
#6 0x5570ba6e61ea in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2488
#7 0x5570ba6e61ea in test_printer_dm ../../source4/torture/rpc/spoolss.c:9082
#8 0x7fc37fc7b67d in wrap_test_with_simple_test ../../lib/torture/torture.c:808
#9 0x7fc37fc7d40b in internal_torture_run_test ../../lib/torture/torture.c:516
#10 0x7fc37fc7d87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581
#11 0x7fc37fc7deb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435
#12 0x5570ba89a65d in run_matching ../../source4/torture/smbtorture.c:95
#13 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105
#14 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105
#15 0x5570ba89b3e4 in torture_run_named_tests ../../source4/torture/smbtorture.c:172
#16 0x5570ba89f3e0 in main ../../source4/torture/smbtorture.c:750
#17 0x7fc37c62c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#18 0x7fc37c62c678 in __libc_start_main_impl ../csu/libc-start.c:381
#19 0x5570ba49e824 in _start ../sysdeps/x86_64/start.S:115
Address 0x7ffc37790230 is located in stack of thread T0 at offset 160 in frame
#0 0x5570ba6c4562 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2186
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 20 06:55:45 UTC 2022 on sn-devel-184
==12122==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fff494dd900 at pc 0x7fdaebea71e3 bp 0x7fff494dd430 sp 0x7fff494dd428
READ of size 4 at 0x7fff494dd900 thread T0
#0 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo8 librpc/gen_ndr/ndr_spoolss.c:8618
#1 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo librpc/gen_ndr/ndr_spoolss.c:8796
#2 0x7fdaebea7482 in ndr_push_spoolss_SetPrinterInfoCtr librpc/gen_ndr/ndr_spoolss.c:9163
#3 0x7fdaebea7580 in ndr_push_spoolss_SetPrinter librpc/gen_ndr/ndr_spoolss.c:27000
#4 0x7fdaee3e1b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416
#5 0x7fdaee3e2132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553
#6 0x7fdaecb103fd in dcerpc_spoolss_SetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1722
#7 0x559a7294c2f1 in test_SetPrinter ../../source4/torture/rpc/spoolss.c:1293
#8 0x559a7297b4d4 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2126
#9 0x559a7299cfa1 in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2344
#10 0x559a7299cfa1 in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2489
#11 0x559a7299cfa1 in test_printer_dm ../../source4/torture/rpc/spoolss.c:9083
#12 0x7fdaeda9867d in wrap_test_with_simple_test ../../lib/torture/torture.c:808
#13 0x7fdaeda9a40b in internal_torture_run_test ../../lib/torture/torture.c:516
#14 0x7fdaeda9a87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581
#15 0x7fdaeda9aeb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435
#16 0x559a72b51668 in run_matching ../../source4/torture/smbtorture.c:95
#17 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105
#18 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105
#19 0x559a72b523ef in torture_run_named_tests ../../source4/torture/smbtorture.c:172
#20 0x559a72b563eb in main ../../source4/torture/smbtorture.c:750
#21 0x7fdaea42c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#22 0x7fdaea42c678 in __libc_start_main_impl ../csu/libc-start.c:381
#23 0x559a72755824 in _start ../sysdeps/x86_64/start.S:115
Address 0x7fff494dd900 is located in stack of thread T0 at offset 32 in frame
#0 0x559a7297b111 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2090
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Dec 16 21:35:45 UTC 2022 on sn-devel-184
We should not ignore the error nor should we map
GNUTLS_E_UNWANTED_ALGORITHM to NT_STATUS_WRONG_PASSWORD,
instead we use NT_STATUS_CRYPTO_SYSTEM_INVALID as in most other places
in the same file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Dec 14 13:35:20 UTC 2022 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
CVE to indicate that additionally, AES session keys are available. We
set the etypes available for session keys depending on the encryption
types that are supported by the principal.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This was spawned by https://bugzilla.samba.org/show_bug.cgi?id=13472 back
then. Samba implement this correctly, just add this test found in the attic.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 10 00:07:09 UTC 2022 on sn-devel-184
This one renames one file per iteration and can also be used to torture any
directory caching the server may employ.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This is used by performance tests that don't want to measure network latency but
fileserver IO latency.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
- create file with ARCHIVE
- open file with ARCHIVE+HIDDEN+...
- check DOS attrs are still only ARCHIVE from the initial create
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
commit 55b2f247f9 already remove a few of these,
but a few remained.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Mainly so I can go
make bin/test_lzxpress_plain && bin/test_lzxpress_plain
valgrind bin/test_lzxpress_plain
rr bin/test_lzxpress_plain
rr replay
in a tight loop.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We are going to add more tests for lib/compression, and they can't all
be called "testsuite.c".
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The protocol allows the last read in a related compound to be split
off and possibly go async (and smbd soon will do this). If the
last read is split off, then the padding is different. By sending
3 reads and checking the padding on the 2nd read, we cope with
the smbd change and are still correctly checking the padding
on a compound related read.
Do this for the stream filename compound padding test.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The protocol allows the last read in a related compound to be split
off and possibly go async (and smbd soon will do this). If the
last read is split off, then the padding is different. By sending
3 reads and checking the padding on the 2nd read, we cope with
the smbd change and are still correctly checking the padding
on a compound related read.
Do this for the base filename compound padding test.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The timer for the timeout_cb() handler was created on a memory context
which doesn't get freed, so the timer was still valid when running
the next test and fired there. It was then writing into random memory
leading to segfaults.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec 1 15:03:19 UTC 2022 on sn-devel-184
We pass the stack variable 'req' to dcerpc_winbind_SendToSam_r_send(),
so we need to make sure the runtime of the subreq in not longer
than the stack variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15253
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH
compound if we immediately close the file afterward.
Internally the flushes go async and we free the req, then
we process the close. When the flushes complete they try to access
already freed data.
Extra test which will allow me to test when the final
component (flush) of the compound goes async and returns
NT_STATUS_PENDING.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE
compound. Internally the flush goes async and
we free the req, then we process the close.
When the flush completes it tries to access
already freed data.
Found using the Apple MacOSX client at SNIA SDC 2022.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.
This is needed because some servers (at least elasticsearch) wait till
they get 'Finished' messgage from the client before sending the
"New Ticket" message.
Without this patch what typcially happens is when the application code
sends data it then tries to read the response, but, instead of the
response to the request it actually recieves the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic e.g.
tstream_tls_readv_send
->tstream_tls_readv_crypt_next
->tstream_tls_retry_read
->gnutls_record_recv
instead of the core gnutls routines.
This results in the response processing failing due to the
currently 'unexpected' New Ticket message.
In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.
Signed-off-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184
The target may only be available over IPv6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 9 20:34:07 UTC 2022 on sn-devel-184
In which we make AS and TGS requests and verify the SIDs we expect are
returned in the PAC.
Example command to test against Windows Server 2019 functional level
2016 with FAST enabled:
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \
DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \
PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \
SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \
TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 8 03:37:37 UTC 2022 on sn-devel-184
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The blob will be empty until we properly support claims.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to add claims blobs to the PAC once we have the ability
to create them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These functions have no need to modify the PACs passed in, and this
change permits us to operate on const PACs in the KDC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't need to include these any more, and removing them allows us to
simplify the build system for system Heimdal builds.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add torture test to show smbc_getxattr() should return -1 on
failure, 0 on success.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
samba/libsmb.py will become a common file to do the library
initialization for our tests. We already have two copies in
smb3unix.py and libsmb.py, and there might be more soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184