1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

132791 Commits

Author SHA1 Message Date
Stefan Metzmacher
0ef53b948e net_ads: fill ads->auth.realm from c->creds
We get the realm we use for authentication needs to
the realm belonging to the username we use.

We derive the username from c->creds, so we need to
do the same for the realm.

Otherwise we try to authenticate as the wrong user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Stefan Metzmacher
3b585f9e8c testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Rob van der Linde
112faff82f dsdb: modify unicodePwd requires encrypted connection
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 01:33:05 UTC 2023 on atb-devel-224
2023-04-06 01:33:05 +00:00
Rob van der Linde
928de1d61c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Rob van der Linde
5abda27f0e dsdb: fix spelling in password_hash.c
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
479634e4cd dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
By slowing the filter down more this makes the test reliable on the
autobuild host.

This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
e1c0c2066c dsdb/tests: Move SD modification on class-created objects to classSetUp
These modifications persist, so should be done at the class level,
not in the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:34 +00:00
Rob van der Linde
b74b9f4b06 CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 03:08:51 UTC 2023 on atb-devel-224
2023-04-05 03:08:51 +00:00
Joseph Sutton
c33e78a27f CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.

Add or replace operations with no values and no privileges are
disallowed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Douglas Bagnall
62cc4302b6 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
8b4e6f7b3f s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
82d2ec786f dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Joseph Sutton
d2bbb47a7c ldb: Use correct member of union
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
dfe7b05730 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
9b8dd83fd0 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
f6e93e2b3d CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
f188b6a978 CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Joseph Sutton
15eac7676b CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
449c2e99e2 CVE-2023-0614 ldb: Filter on search base before redacting message
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
9f31e4139c CVE-2023-0614 ldb: Centralise checking for inaccessible matches
This makes it less likely that we forget to handle a case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
197633cc2a CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
3a70c6464d CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
d5d0e71279 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
748bbbe70d CVE-2023-0614 s4-acl: Split out function to set up access checking variables
These variables are often used together, and it is useful to have the
setup code in one place.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
da8138c50e CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
5c334918a2 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
fdeb6ea15c CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
f995c3805d CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
16487691c0 CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fe.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
d3fa2cb5dd CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:

(lastKnownParent=<GUID=b'00000000-0000-0000-0000-000000000000'>)

which, due to the extra characters, would fail to match anything.

Fix it to be:

(lastKnownParent=<GUID=00000000-0000-0000-0000-000000000000>)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
f154fad3c1 CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
In extended_dn_fix_filter() we had:

    req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);

which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.

Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
fffea59001 CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
f25b1756aa CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
ldb_filter_attrs() previously did too much. Now its replacement,
ldb_filter_attrs_in_place(), only does the actual filtering, while
taking ownership of each element's values is handled in a separate
function, ldb_msg_elements_take_ownership().

Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
to the message if it is missing. That is handled in another function,
ldb_msg_add_distinguished_name().

As we're now modifying the original message rather than copying it into
a new one, we no longer need the filtered_msg parameter.

We adapt a test, based on ldb_filter_attrs_test, to exercise the new
function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
131d417604 CVE-2023-0614 ldb: Add function to filter message in place
At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.

The test is a near duplicate of the existing test for
ldb_filter_attrs().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
784a342785 CVE-2023-0614 ldb: Add function to add distinguishedName to message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
721493f4bd CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
b18ed9ae97 CVE-2023-0614 ldb: Add function to take ownership of an ldb message
Many places in Samba depend upon various components of an ldb message
being talloc allocated, and hence able to be used as talloc contexts.
The elements and values of an unpacked ldb message point to unowned data
inside the memory-mapped database, and this function ensures that such
messages have talloc ownership of said elements and values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
294a4f6e28 CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
Add ldb_filter_attrs_test to the list of tests so that it actually gets
run.

Remove a duplicate ldb_msg_test that was accidentally added in commit
5ca90e758a.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
1debb6584e CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
If the value of an ldb message element is not zero-terminated, calling
ldb_msg_find_attr_as_string() will cause the function to read off the
end of the buffer in an attempt to verify that the value is
zero-terminated. This can cause unexpected behaviour and make the test
randomly fail.

To avoid this, we must have a terminating null byte that is *not*
counted as part of the length, and so we must calculate the length with
strlen() rather than sizeof.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
a43977499c CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
ca9c467e41 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
17feef18bf CVE-2023-0614 s4-acl: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
a7222faade CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
6d2d1e7df4 CVE-2023-0614 libcli/security: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:34 +00:00
Andrew Bartlett
5fd0811ffa CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
This changes the slow aspect to be the object matching not the filter parsing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:34 +00:00
John Mulligan
f5d04a43cf python:join: fix reused variable name in provision func
Recent updates to run adprep during the provision function re-used a
variable name that was already in use as a string. This reassignment
changed the type of the referenced object. This variable name is later
used to setup the mit krb5 kdc conf and expects the var to contain a
string. When executed with default cli options on a mit krb5 based build
samba tool fails with a traceback:
```
INFO 2023-03-23 21:22:50,399 pid:6
/usr/lib64/python3.10/site-packages/samba/provision/__init__.py #2021:
Fixing provision GUIDs
ERROR(<class 'AttributeError'>): uncaught exception - 'DomainUpdate'
object has no attribute 'upper'
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py",
line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py",
line 555, in run
    result = provision(self.logger,
  File
"/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line
2408, in provision
    create_kdc_conf(paths.kdcconf, realm, domain,
os.path.dirname(lp.get("log file")))
  File
"/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line
43, in create_kdc_conf
    domain = domain.upper()
```

This change removes the re-use of the existing var name by chaining
the calls.

Fixes: 4bba26579d
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 02:02:29 UTC 2023 on atb-devel-224
2023-04-05 02:02:29 +00:00
Joseph Sutton
e258ea12b0 s4:kdc: Allocate claim value on values context
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
3b72dde202 tests/krb5: Add tests for constructed (authentication silo) claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
75aecbe620 tests/krb5: Add method to create authentication silo claim
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
dc4c51f353 tests/krb5: Add method to create an authentication silo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00