1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

3765 Commits

Author SHA1 Message Date
Stefan Metzmacher
53f0a292f8 selftest:Samba3: use the correct NSS_WRAPPER_HOSTNAME
The value of NSS_WRAPPER_HOSTNAME needs to match value
we put into the NSS_WRAPPER_HOSTS file.

We had a mismatch of
idmapridmember.samba.example.com
vs.
idmapridmember.addom.samba.example.com

This causes getaddrinfo() in nss_wrapper to fallback to
the libc version, which talks to a dns server.
It's not clear if recent glibc code will reach resolve/socket wrapper.
So it's not unlikely that idmapridmember.samba.example.com will
be passed via the internet, which causes delays up to 20 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15355

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 12 20:29:05 UTC 2023 on atb-devel-224
2023-04-12 20:29:05 +00:00
Joseph Sutton
2ff55b3da7 selftest: Catch error codes from failing testsuites
Testsuites declared with functions such as plantestsuite() are not run
directly, but are piped through filter-subunit. The overall exit code of
the executed test command is that returned by the last command in the
pipeline (that is, filter-subunit), and thus the actual testsuite return
code is lost.

A real consequence of this is that an error in setUpClass() in a Python
testsuite causes the whole testsuite to be skipped silently.

The --fail-on-empty option partially addressed this, but didn't help if
the testsuite contained multiple test classes, only one of which
contained an error.

We now use bash with the pipefail option, which makes the return code of
the last failing command into the return code of the entire pipeline.
That means that we properly fail if a testsuite returns a non-zero exit
code, but doesn't otherwise exhibit any failures in its output.

This doesn't help for cases where a testsuite has other failing tests
that become xfails due to knownfail entries. In that case, the overall
'testsuite-failure' will be turned into 'testsuite-xfail' by
filter-subunit and the silent failures will remain unheeded. Still, this
is better than the existing situation.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 12 14:57:55 UTC 2023 on atb-devel-224
2023-04-12 14:57:55 +00:00
Joseph Sutton
44d03bf479 lib/torture: Don't overwrite test outcomes
If a test fails an assertion, and later calls torture_skip() to skip
part of the test, the TORTURE_SKIP result will overwrite the
TORTURE_FAIL result, and the overall outcome will be successful.

To avoid this, we now arrange possible outcomes in order of priority,
and ensure we always keep the higher priority one.

This reveals some failing tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
91ed2f3d5d selftest: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Joseph Sutton
8e7c7680f3 s3:selftest: Enable winbindd for maptoguest environment
This is required for the samba3.blackbox.guest test to work. Without it,
the test fails to find a group map.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Ralph Boehme
8b23a4a7ec smbd: Prevent creation of vetoed files
The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.

In order to correctly distinguish between the cases

1) file doesn't exist, we may be creating it, return
2) a vetoed a file

we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr  6 23:03:50 UTC 2023 on atb-devel-224
2023-04-06 23:03:50 +00:00
Ralph Boehme
2e8954d5be CI: add a test creating a vetoed file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-06 22:01:29 +00:00
Andrew Bartlett
ca7b7bde39 selftest: Use "debug syslog format = always" in selftest
Some of the most difficult to debug issues in Samba development are around
timing, so this changes our default logging format in the selftest system
to include a high-resolution timestamp to help correlate bad events with
what else is going on at the same time.

This fits in well with the timestamps already logged into st/subunit
and may assist with correlation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr  6 13:44:47 UTC 2023 on atb-devel-224
2023-04-06 13:44:47 +00:00
Andreas Schneider
fa591f5223 s3:tests: Correctly implement tests for forceuser/forcegroup
They used the tmp share ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Stefan Metzmacher
0ef53b948e net_ads: fill ads->auth.realm from c->creds
We get the realm we use for authentication needs to
the realm belonging to the username we use.

We derive the username from c->creds, so we need to
do the same for the realm.

Otherwise we try to authenticate as the wrong user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Stefan Metzmacher
3b585f9e8c testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Rob van der Linde
112faff82f dsdb: modify unicodePwd requires encrypted connection
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 01:33:05 UTC 2023 on atb-devel-224
2023-04-06 01:33:05 +00:00
Rob van der Linde
928de1d61c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Joseph Sutton
c33e78a27f CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.

Add or replace operations with no values and no privileges are
disallowed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Douglas Bagnall
62cc4302b6 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
d5d0e71279 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.

Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.

Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.

As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
f995c3805d CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
3b72dde202 tests/krb5: Add tests for constructed (authentication silo) claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
0e07d0ac22 s3:utils: Add support for parsing domain/UPN in username for smbget
The smbget utility doesn't use the common command line parser, so it
doesn't support paring of DOMAIN/user or user@realm.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
1f3f88603a s3:tests: Add smbget msdfs link test with domain and UPN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Andreas Schneider
acf259c7e0 s3:selftest: Move the smbget share to the provision function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Volker Lendecke
bea154c9c1 lib: Fix tdb_validate() for incorrect tdb entries
We should not overwrite the "rc=1" initialization with the tdb_check
retval. This will lead to tdb_validate_child() returning 0 even when
validate_fn() found invalid entries.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14789
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-01 05:25:28 +00:00
Volker Lendecke
12c8b67ef6 torture3: Add tdb-validate test
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14789
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-01 05:25:28 +00:00
Jeremy Allison
1d220e3170 s3: smbd: Correctly process SMB3 POSIX paths in create.
Remove knownfail for  posix path handling of case/reserved char

Signed-off-by: David Mulder <dmulder@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-31 20:22:38 +00:00
Joseph Sutton
874e10ef79 s4:kdc: Add support for AD device claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224
2023-03-31 09:30:17 +00:00
Joseph Sutton
e446e5816b s4:kdc: Add support for AD client claims
We now create a client claims blob and add it to the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Joseph Sutton
2f53dd59a2 s4-dsdb: Account for Claims Valid SID in tokenGroups
More of these tests now pass against Windows. They still don't quite all
pass, but that's something to fix for another day.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Rob van der Linde
d5a0d7aa8b netcmd: tests for claims client tool
Added delete protected test to known fail as Samba doesn't seem to enforce this yet.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Jeremy Allison
360b739464 s3: smbd: Fix dumb typos that meant smb1.SMB1-DFS-* tests were running against an SMB2-only fileserver.
Remove knownfail on SMB1-DFS-SEARCH-PATHS, as we now
pass it with the new SMB1 remove DFS paths before pathname processing
changes.

Note, we still fail:

smb1.SMB1-DFS-PATHS.smbtorture\(fileserver_smb1\)
smb1.SMB1-DFS-OPERATIONS.smbtorture\(fileserver_smb1\)

even with the new SMB1 remove DFS paths before pathname
processing as those tests test *very* specific Windows behaviors. We now
pass many more of the individual internal tests, but
in order to pass them all completely I need to add
specific --with-sambaserver checks to avoid some
of the Windows DFS SMB1 insanity (error messages).

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 31 06:07:01 UTC 2023 on atb-devel-224
2023-03-31 06:07:01 +00:00
Jeremy Allison
2c40e28908 s3: smbd: Remove all DFS path prefixes before passing to check_path_syntax_smb2().
In smb2, smb1req->flags2 now never uses FLAGS2_DFS_PATHNAMES,
ucf_flags never has UCF_DFS_PATHNAME, and all calls to check_path_syntax_smb2()
pass "false" in this is_dfs parameter.

Remove all knownfails for smb2.SMB2-DFS* tests.

Now I can clean up check_path_syntax_smb2() and add
an assertion into filename_convert_dirfsp_nosymlink() that
UCF_DFS_PATHNAME is *NEVER* set in the ucf_flags for an
SMB2 connection.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-31 05:12:32 +00:00
Jeremy Allison
bb92df7c9e s3: smbd: Cleanup - don't set the FLAGS2_DFS_PATHNAMES in flags2 in the glue struct if it's not a DFS server or share.
Even if the client claims it's a DFS pathname. Matches what Windows does if it gets
a DFS pathname on a non-DFS share.

Remove samba3.smbtorture_s3.smb2.SMB2-NON-DFS-SHARE.smbtorture\(fileserver\)
test knownfail.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-31 05:12:32 +00:00
Jeremy Allison
76573d6d8f s3: libcli: Refuse to connect to any server with zero values for max_trans_size, max_read_size, max_write_size.
There's nothing we can do to such a server (this
now matches the behavior for SMB1).

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224
2023-03-29 18:58:33 +00:00
Jeremy Allison
006fe80678 tests: Add samba3.blackbox.zero_readsize test.
smbclient crashes when smbd has "smb2 max read = 0"
in the [global] section of smb.conf.

We should fail the protocol negotiation with
NT_STATUS_INVALID_NETWORK_RESPONSE in this case.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:51 +00:00
Volker Lendecke
b755b81d66 test: Add a test for "deny ous"
Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-03-29 17:55:51 +00:00
Stefan Metzmacher
e7ef43cead s4:dsdb/extended_dn_out: hide backlinks with DSDB_RMD_FLAG_HIDDEN_BL by default
Backlinks which are not allowed by the schema are hidden by default,
so we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap
way to hide the backlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224
2023-03-23 08:19:20 +00:00
Stefan Metzmacher
21f4317acb s4:dsdb/tests: let a test to demonstrate the behavior of invisible backlinks
msDS-KeyCredentialLink/msDS-KeyCredentialLink-BL are defined as linked attribute pair,
but msDS-KeyCredentialLink-BL is not defined as allowed on any object class definition,
still it's possible to create msDS-KeyCredentialLink attributes.

msDS-KeyPrincipal/msDS-KeyPrincipalBL are also defined as linked attribute pair
and msDS-KeyPrincipalBL is only allowed on object class 'user', but it's possible
to create msDS-KeyPrincipal values pointing to non 'user' objects.

The result is that 'user' objects have a visible msDS-KeyPrincipalBL, but
the others don't have msDS-KeyPrincipalBL visible, by default.
The backlinks are always visible if the backlink attributes are
explicitly requested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-23 07:16:34 +00:00
Stefan Metzmacher
bb09c06d6d libcli/security: rewrite calculate_inherited_from_parent()
This allows us to pass the new tests we just added.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-22 22:10:32 +00:00
Stefan Metzmacher
a0217c50e9 s4:dsdb/tests: add more detailed tests to sec_descriptor.py
These demonstrate how inherited aces are constructed and applies
per objectclass, with and without the NO_PROPAGATE_INHERIT flag.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-22 22:10:32 +00:00
David Mulder
35380fa6a5 gpupdate: Use winbind separator in PAM Access Policies
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224
2023-03-20 20:20:41 +00:00
David Mulder
893cfefa9e gpupdate: Test that PAM Access uses winbind separator
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-03-20 19:23:32 +00:00
Joseph Sutton
0f244bd114 selftest: Clean up socket when finished
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
dfe759c1fd selftest: Don't use invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
5c8fbeb61e tests/krb5: Test that denied attributes are still issued in claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
a85d26fd74 tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
223ef8b785 tests/krb5: Test that RODC-issued device groups are regenerated
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
e1a573a659 tests/krb5: Test that RODC-issued claims are regenerated
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
9d75947292 tests/krb5: Add tests for RODC-issued armor tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
ee43e004e9 tests/krb5: Add tests for constrained delegation with RODC-issued tickets
This works as long as both tickets are issued by the same RODC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Joseph Sutton
9a2f6cdc00 tests/krb5: Add simple resource-based constrained delegation test
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-20 00:22:32 +00:00
Andrew Bartlett
bfc33b47bb dsdb: Avoid ERROR(ldb): uncaught exception - Deleted target CN=NTDS Settings... in join
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.

When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.

This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-03-14 06:16:30 +00:00