1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

1334 Commits

Author SHA1 Message Date
Stefan Metzmacher
0acbbeab4d s4:librpc: provide py_schannel bindings
This will be used in the dcerpc.raw_protocol test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-10-10 14:01:04 +00:00
Volker Lendecke
5a3fd9c0f5 idl: Rename smb3_posix_cc_info.posix_perms to posix_mode
We'll stash the file type in there soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:46 +00:00
Volker Lendecke
bad2646ff0 libsmb: Move UNIX constants to smb3posix.idl
Make them available to python

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:46 +00:00
Volker Lendecke
57e23c92de idl: smb3posix.idl references NTTIME
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-09-26 15:22:46 +00:00
Volker Lendecke
5ad8536ec7 libsecurity: Simplify struct ace_condition_script
We only need the stack temporarily, no reason to put it in the struct

Signed-off-by: Volker Lendecke <vl@samba.org>
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Sep  6 14:23:58 UTC 2024 on atb-devel-224
2024-09-06 14:23:58 +00:00
Volker Lendecke
fab7416a3d idl: dnsp.h references NTTIME
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Aug 27 08:36:11 UTC 2024 on atb-devel-224
2024-08-27 08:36:11 +00:00
Volker Lendecke
50c7373f44 idl: misc.idl references DATA_BLOB
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
9b0fe3e66a idl: Remove unused KRB5_EDATA_NTSTATUS
I think the last user went away with e2028837b9 in 2017

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Volker Lendecke
99e4dc2ee1 idl: security.idl compiles with only secace.h
It does not need all of security.h

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jennifer Sutton <jsutton@samba.org>
2024-08-27 07:19:32 +00:00
Douglas Bagnall
64003d8677 spelling: fix spelling of privilege.ldb in comments
'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Vinit Agnihotri
644b50b05b messaging: Add new SMBD message
Signed-off-by: Vinit Agnihotri <vagnihotri@ddn.com>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-16 23:51:45 +00:00
Andrew Bartlett
724f403d88 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Andrew Bartlett
e6ef2fc224 librpc/idl: Check protocol version number in Kerberos ccache parser
The ccache file format version is checked by the switch in OPTIONAL_HEADER.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
ecaaff57e4 librpc/idl: Add a parser for a FILE: format keytab
This will let us examine keytab entries exported for gMSA accounts and
ensure they are the values we expect.  This will in particular help
test our KDC via the "samba-tool domain exportkeytab" as this is a thin
wrapper around the relevant code.

Additionally, we can use this to test the new client-side keytab generation
in "samba-tool domain exportkeytab" for gMSA accounts.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andreas Schneider
e758425869 librpc:idl: Make netlogon_samlogon_response public
This is required that we can use it with ndrdump or in python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-26 06:57:31 +00:00
Noel Power
01e901ef86 idl: Add constant for max rows buffer size
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-02-17 16:51:37 +00:00
Jo Sutton
14da75c4e1 librpc:idl: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Jo Sutton
19870248c0 librpc:idl: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Douglas Bagnall
dc08e7924c ndr: make security_ace push manual
This will allow some optimisations; in this commit we just copy the
code.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
1e6a876c2c ndr: shift ndr_pull_security_ace to manual code
This was manual until commit c73034cf7c
(a few months ago).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Noel Power
718c411201 librpc/idl: remove duplicate definitition
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-01-30 16:21:35 +00:00
Noel Power
3d063f212f librpc/idl: fix typo in wsp_csort member
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-01-30 16:21:35 +00:00
Stefan Metzmacher
0744d55be0 messaging.idl: add MSG_RPCD_WITNESS_REGISTRATION_UPDATE
This will be used for rpcd_witness_registration_updateB messages
in 'net witness [client-move,...]' commands later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-01-26 17:00:33 +00:00
Stefan Metzmacher
f21e380064 witness.idl: make witness_interfaceList public to that ndr_print works in python
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-01-26 17:00:32 +00:00
Stefan Metzmacher
87e37e73a9 witness.idl: add flag(NDR_PAHEX) to some hex based enums
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-01-09 10:21:34 +00:00
Stefan Metzmacher
290b0b04ae witness.idl: make some types public in order to be used elsewhere
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-01-09 10:21:34 +00:00
Samuel Cabrero
5beef87816 witness.idl: Set cifs as auth service name for the witness interface
Windows clients use the 'cifs' service name to bind to the witness interface.

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-01-09 10:21:34 +00:00
Joseph Sutton
9f16157f10 lib:crypto: Add implementation of GKDI key derivation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-22 05:33:31 +00:00
Joseph Sutton
44f6bfea5a gkdi.idl: Verify magic numbers of pulled GKDI structures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-21 20:21:34 +00:00
Joseph Sutton
f5ae39548b gkdi.idl: Add ‘additional_info’ field to KeyEnvelope structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-21 20:21:34 +00:00
Joseph Sutton
183fd79c38 gkdi.idl: Comment on domain and forest name fields
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-21 20:21:34 +00:00
Joseph Sutton
c62d17dbe7 security.idl: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
e05c3477fc librpc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
4846ebbd8a librpc: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
2cb6e37e5b gkdi.idl: Add definitions for the Group Key Distribution Service
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
59b9432524 conditional_ace.idl: Fix undefined shift
If ‘int’ is a 32‐bit type, then 1 << 31 cannot be represented in an
‘int’, and this shift will invoke undefined behaviour.

We have got away with this so far because of a Pidl bug that changed the
expression to ‘(uint32_t)1 << 31’, which is valid. But that bug is about
to be fixed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Douglas Bagnall
e81e070638 librpc/idl:security: add claims flag indicating orderly and unique members
The same flag will be used in conditional ACE composites, and on
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures derived from wire
claims and resource attribute ACEs, when we know we have checked the
claim has no duplicate values.

Resource Attribute ACEs contain CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1
at rest, but we are not going to set the flag there on the off chance
that the ACE could fly off to another application and have another
application specific meaning there. We will only check for uniqueness
and set the flag on ephemeral copies of resource claims during access
check operations.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
a8f83fe8a2 librpc/idl:security: add a couple of claims flags
We don't use these.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:31 +00:00
Douglas Bagnall
f4ea27b84a librpc/idl:condtional_ace: shift CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR to last bit
This region is "available for application-specific data" in the
CLAIM_SECURITY_ATTRIBUTE_ space, according to [MS-DTYP] 2.4.10.1,
so it nicer to use that, even though we are not actually setting the
flag on the V1 claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:31 +00:00
Douglas Bagnall
6aa6ef4b7c librpc/idl:conditional_ace: make a flags field 32 bit
This allows it to align with
CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1.flags, with which it shares
values and will soon share more.

It was 16 bit because we needed few flags, and at one point .type was
8 bit, so 16 bits packed nicely into a smaller struct.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:31 +00:00
Stefan Metzmacher
f5275ae3dc lsa.idl: Backport changes from wireshark
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-11-21 11:16:37 +00:00
Stefan Metzmacher
5c72df15a8 lsa.idl: Add new functions and types
[MS-LSAD] got new functions in order to use AES encryption
and other security related features.

For our servers we still pretent we don't
know about the new functions and return DCERPC_FAULT_OP_RNG_ERROR.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-11-21 11:16:37 +00:00
Joseph Sutton
35611f2ba0 gmsa.idl: Add definition for MANAGEDPASSWORD_BLOB
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 21:50:32 +00:00
Andrew Bartlett
29bb93d03a libcli/security: conditional aces: don't allow U+0000 in unicode
Allowing this broke a round-trip decode-encode fuzz test. Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62742

(Comments are from an earlier commit by Douglas Bagnall <douglas.bagnall@catalyst.net.nz>)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 13 02:30:23 UTC 2023 on atb-devel-224
2023-11-13 02:30:23 +00:00
Andrew Bartlett
4decb074d8 librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL
This requires that, other than termination, no NUL (\0) codepoints
exist in the input string, because bytes beyon that will be lost
in the output string.

This in turn causes trouble for round-trip testing, so it is easiest
to reject it upfront (on an opt-in basis).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-13 01:28:36 +00:00
Joseph Sutton
935f4edd81 libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
05ffdaeec7 librpc: add missing service control defines
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
51c21f72af librpc: add svcctl_ServiceStopReason enums
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
cfedb32258 librpc: use SERVICE_CONTROL enum in ControlService calls
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
7292e37878 librpc: add various new commands and types to SVCCTL IDL.
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00