1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

296 Commits

Author SHA1 Message Date
Stefan Metzmacher
fc318c63e5 auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224
2024-06-19 14:07:17 +00:00
Stefan Metzmacher
212b014679 auth/credentials: add tests for cli_credentials_get_kerberos_state[_obtained]()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit eeb60574b6)
2024-06-19 13:00:11 +00:00
Stefan Metzmacher
46ebf66fe9 auth/credentials: add cli_credentials_get_kerberos_state_obtained() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c715ac5e49)
2024-06-19 13:00:11 +00:00
Andreas Schneider
a7622bc7db auth:creds: Add cli_credentials_get_domain_and_obtained()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
1041dae03f auth:creds: Fix cli_credentials_get_password_and_obtained() with callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
ab4b25964a auth:creds:tests: Add test for password callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andrew Bartlett
40de903365 pycredentials: Properly check type in creds.set_nt_hash() and samr.encrypt_samr_password()
We should not be just doing a talloc type check, we should check the python
type first.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-12-07 04:32:37 +00:00
Andrew Bartlett
c49fd98ed7 s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-11-29 03:11:34 +00:00
Andrew Bartlett
cc2c9b2a1e auth/credentials: Add Python bindings for association of a connection for FAST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-11-29 03:11:34 +00:00
Andrew Bartlett
bed1893a75 auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-11-29 03:11:34 +00:00
Andreas Schneider
9621a3d7a6 Use python.h from libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 15:37:33 +00:00
Samuel Cabrero
65b2110937 auth:credentials: Check if password_obtained > obtained
Fixes reading the password from STDIN or environment vars if it was already
given in the command line:

$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...> --password=FOO
<Waiting to read password from STDIN>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Sep 11 03:36:28 UTC 2023 on atb-devel-224
2023-09-11 03:36:28 +00:00
Joseph Sutton
e69ba9a0a3 auth: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Joseph Sutton
329bfe47d9 auth: Remove unnecessary casts
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
def62de106 auth: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
50c6ca6942 auth: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Joseph Sutton
aa0d17a79b auth: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Pavel Filipenský
3ef5162dcd auth:credentials: Fix resource leak in cli_credentials_set_from_ccache()
Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
ec121eb831 auth:credentials: SAFE_FREE() -> krb5_free_string()
Reported by Red Hat internal covscan

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Pavel Filipenský
cd60e3fdef auth:credentials: SAFE_FREE() -> krb5_free_enctypes()
Reported by Red Hat internal covscan

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Joseph Sutton
1a53d3514f auth/credentials: Add set_nt_hash()
This method allows setting the NT hash directly. This is useful in cases
where we don’t know the password, such as with a computer or server
account.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
db889249ab auth/credentials: Fix NULL dereference
We should not pass a NULL pointer to netlogon_creds_session_encrypt().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
34f378f480 auth/credentials: Allow resetting bind DN on Credentials object
Passing None into set_bind_dn() now resets it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Alexander Bokovoy
d5b8b804fe Add ROLE_IPA_DC into two more places
Missed two more places originally when introduced ROLE_IPA_DC.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Tue Apr 25 07:46:36 UTC 2023 on atb-devel-224
2023-04-25 07:46:36 +00:00
Andreas Schneider
61424dd221 auth: Add cli_credentials_is_password_nt_hash()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
97c0982bad auth: Remove trailing white spaces in credentials_ntlm.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
96914246d3 auth: Remove trailing white spaces in credentials.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
98c14205a0 auth: Fix code spelling
Best reviewed with: `git show --word-diff`

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Rowland Penny <rpenny@samba.org>
2023-03-28 09:33:31 +00:00
Joseph Sutton
16e6435b08 auth/credentials: Fix typos
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-03 01:07:36 +00:00
Joseph Sutton
262b40d833 auth/credentials: Fix off-by-one buffer write
If p == pass + 127, assigning to '*++p' writes beyond the array.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-03 01:07:36 +00:00
Pavel Filipenský
2cc5b0745a auth/credentials: Fix unitialized data
Fixing Red Hat internal covscan report:
Field "salt_data.magic" is uninitialized when calling "smb_krb5_create_key_from_string".

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Pavel Filipenský
7f123bbd4e auth/credentials: Fix trailing whitespaces
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Björn Baumbach
86fde91621 auth/creds: fix a typo in a comment
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-01-17 17:21:38 +00:00
Joseph Sutton
f33aa94c9e auth/credentials: Add get_aes256_key()
This makes it possible to generate AES256 keys in Python from a given
password and salt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-26 22:10:29 +00:00
Joseph Sutton
0d9835e1e4 auth/credentials: Add cli_credentials_get_aes256_key()
This allows us to generate AES256 keys from a given password and salt.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-26 22:10:29 +00:00
Pavel Filipenský
3960af99e5 auth: Covscan: unchecked return value for cli_credentials_set_smb_encryption()
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-05-14 03:49:32 +00:00
Pavel Filipenský
ccda9c162c auth: Fix trailing whitespace in pycredentials.c
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-05-14 03:49:32 +00:00
Joseph Sutton
eba1a9d964 auth/credentials: Add encrypt_samr_password()
This method encrypts a samr_Password structure with the current session
key, which allows for interactive SamLogon from Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Stefan Metzmacher
0ef1254f44 auth/credentials: cli_credentials_set_ntlm_response() pass session_keys
Otherwise cli_credentials_get_ntlm_response() will return session keys
with a 0 length, which leads to errors in the NTLMSSP code.

This wasn't noticed as cli_credentials_set_ntlm_response() has no
callers yet, but that will change in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Stefan Metzmacher
1bacf26d30 auth/credentials: Fix cli_credentials_shallow_ccache error case
Avoid dangling values if something fails...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-09 13:22:36 +00:00
Stefan Metzmacher
ce293eb861 auth/credentials: Handle ENOENT when obtaining ccache lifetime
The new Heimdal may return ENOENT instead of KRB5_CC_END.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-09 13:22:36 +00:00
Andreas Schneider
c28be40674 auth:creds: Guess the username first via getpwuid(my_id)
If we have a container, we often don't have USER or LOGNAME set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14883

Tested-by: Anoop C S <anoopcs@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 10 19:11:53 UTC 2021 on sn-devel-184
2021-11-10 19:11:53 +00:00
Andreas Schneider
711d01ff20 auth:creds: Remove trailing spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-11-10 18:19:32 +00:00
Andrew Bartlett
0d804cfd07 CVE-2020-25722 selftest: allow for future failures in BindTests.test_virtual_email_account_style_bind
This allows for any failures here to be handled via the knownfail system.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-09 19:45:32 +00:00
Andrew Bartlett
5eeb441b77 dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
2021-10-20 12:54:54 +00:00
Joseph Sutton
b59fc43523 python: Fix usage strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-04 00:10:37 +00:00
Andreas Schneider
0c94e48c64 auth:creds: Remove unused simple.c file
This code is tested by the cmocka unit test:
auth/credentials/tests/test_creds.c

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-08 09:30:40 +00:00
Stefan Metzmacher
1f413b2b29 auth/credentials: allow credentials.Credentials to act as base class
In tests it's useful to add more details.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Andreas Schneider
304cb910bd auth:creds: Check return code of cli_credentials_guess()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00
Andreas Schneider
9f786df2a2 auth:creds: Return bool for cli_credentials_guess()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-29 02:19:35 +00:00