mirror of https://github.com/samba-team/samba.git synced 2025-12-17 04:23:50 +03:00
Commit Graph

5305 Commits

Author SHA1 Message Date
Douglas Bagnall
205de48183 pytest: test auth.user_session with principals
This tests authsam_get_session_info_principal() which tests
sam_get_results_principal() which tests crack_user_principal_name().

sam_get_results_principal() is also used in samba_kdc_lookup_client(),
and we are sort of testing on behalf of that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-20 21:25:39 +00:00
Jennifer Sutton
8a6004b7b3 tests/krb5: Construct signed_attrs correctly
signed_attrs is supposed to be a list of key‐value pairs, but we forgot the
values. Because the field was not constructed correctly, the pyasn1 encoder
simply stripped it out.

Also properly separate the signature algorithm and digest algorithms.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Nov 19 00:32:31 UTC 2025 on atb-devel-224
2025-11-19 00:32:31 +00:00
Jennifer Sutton
ed9e1c3879 tests/krb5: Add TD_CMS_DIGEST_ALGORITHMS constant
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-18 23:28:40 +00:00
Jennifer Sutton
705ef45ffb python:tests: Correct test class name
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-18 23:28:40 +00:00
Andreas Schneider
dfc10604dd python:tests: Take INTERDOMAIN_TRUST into account
If we run e.g. fl2008rc2 env before we run this test, we have a trust account
for this domain.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Nov 14 19:23:38 UTC 2025 on atb-devel-224
2025-11-14 19:23:38 +00:00
Andreas Schneider
b694ca1f15 python:tests: Add debug output to test_query_filter_enum()
This test runs relatively late in 'make test'. It finds some accounts which are
neither a computer nor a user account and complains that the overall account
count doesn't match.

Add some debug so we can find out more about the accounts.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-14 18:19:30 +00:00
Andreas Schneider
7043c1a06c python:tests: Use random users for domain_auth_silo.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-14 18:19:30 +00:00
Andreas Schneider
d9a64ed79c python:tests: Use random users for user_auth_silo.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-14 18:19:30 +00:00
Andreas Schneider
a341176874 python:tests: Use random users for user_auth_policy.py
We should not work on alice, bob and joe. We should use random users so we can
clean up afterwards. If we don't do this the dbcheck tests will fail with:

UNEXPECTED(failure): samba4.blackbox.dbcheck(ad_dc).dbcheck(ad_dc:local)
REASON: Exception: Exception: Checking 21449 objects
WARNING: target DN is deleted for msDS-AssignedAuthNPolicy in object CN=alice,CN=Users,DC=addom,DC=samba,DC=example,DC=com - <GUID=66bd1f51-084f-4259-a769-efa59adb6e31>;<RMD_ADDTIME=134051822550000000>;<RMD_CHANGETIME=134051822550000000>;<RMD_FLAGS=1>;<RMD_INVOCID=b5064b02-c91e-40c0-bc1f-a92a0105a810>;<RMD_LOCAL_USN=14061>;<RMD_ORIGINATING_USN=14061>;<RMD_VERSION=2>;CN=User Policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
Target GUID points at deleted DN 'CN=User Policy\\0ADEL:66bd1f51-084f-4259-a769-efa59adb6e31,CN=Deleted Objects,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com'
Not removing
WARNING: target DN is deleted for msDS-AssignedAuthNPolicySilo in object CN=alice,CN=Users,DC=addom,DC=samba,DC=example,DC=com - <GUID=287d6c3d-bea8-4c06-bdf8-7d4b579bc0e9>;<RMD_ADDTIME=134051822560000000>;<RMD_CHANGETIME=134051822560000000>;<RMD_FLAGS=1>;<RMD_INVOCID=b5064b02-c91e-40c0-bc1f-a92a0105a810>;<RMD_LOCAL_USN=14081>;<RMD_ORIGINATING_USN=14081>;<RMD_VERSION=2>;CN=Developers,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
Target GUID points at deleted DN 'CN=Developers\\0ADEL:287d6c3d-bea8-4c06-bdf8-7d4b579bc0e9,CN=Deleted Objects,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com'
Not removing
WARNING: target DN is deleted for msDS-AssignedAuthNPolicy in object CN=bob,CN=Users,DC=addom,DC=samba,DC=example,DC=com - <GUID=66bd1f51-084f-4259-a769-efa59adb6e31>;<RMD_ADDTIME=134051822550000000>;<RMD_CHANGETIME=134051822550000000>;<RMD_FLAGS=1>;<RMD_INVOCID=b5064b02-c91e-40c0-bc1f-a92a0105a810>;<RMD_LOCAL_USN=14065>;<RMD_ORIGINATING_USN=14065>;<RMD_VERSION=4>;CN=User Policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
Target GUID points at deleted DN 'CN=User Policy\\0ADEL:66bd1f51-084f-4259-a769-efa59adb6e31,CN=Deleted Objects,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com'
Not removing
WARNING: target DN is deleted for msDS-AssignedAuthNPolicySilo in object CN=bob,CN=Users,DC=addom,DC=samba,DC=example,DC=com - <GUID=1a1e5cdf-b92e-4a80-bc35-cccad8e9f865>;<RMD_ADDTIME=134051822560000000>;<RMD_CHANGETIME=134051822560000000>;<RMD_FLAGS=1>;<RMD_INVOCID=b5064b02-c91e-40c0-bc1f-a92a0105a810>;<RMD_LOCAL_USN=14085>;<RMD_ORIGINATING_USN=14085>;<RMD_VERSION=4>;CN=QA,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
Target GUID points at deleted DN 'CN=QA\\0ADEL:1a1e5cdf-b92e-4a80-bc35-cccad8e9f865,CN=Deleted Objects,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com'
Not removing
Checked 21449 objects (4 errors)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-11-14 18:19:30 +00:00
Gary Lockyer
b71282b05d s4:kdc:tests: support "kdc always generate pac"
Update the tests to check the "kdc always generate pac" configuration and
expect the presence of a PAC accordingly.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-11-13 22:09:33 +00:00
Jennifer Sutton
db6f50b7cf samba-tool: Add subcommand to generate Certificate Signing Requests with SID extension
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-11-05 04:08:40 +00:00
Jennifer Sutton
dbdd6952b6 python: Factor out asn.1 methods into their own module
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-11-05 04:08:40 +00:00
Jennifer Sutton
4c5f77ded6 samba-tool: Fix comments
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-11-05 04:08:40 +00:00
Jennifer Sutton
34431b0d4f python:tests: Fix code spelling
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-11-05 04:08:40 +00:00
Jennifer Sutton
d16fb8af46 tests/krb5: Add tests for the Object SID certificate security extension
View with ‘git show -b’.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 23:59:36 +00:00
Jennifer Sutton
0334d44c30 tests/krb5: Remove unused imports
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 23:59:36 +00:00
Jennifer Sutton
a9f44efab3 tests/krb5: Remove unused method
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-22 23:59:36 +00:00
Douglas Bagnall
90b01ac902 CVE-2025-10230: s4/tests: check that wins hook sanitizes names
An smb.conf can contain a 'wins hook' parameter, which names a script
to run when a WINS name is changed. The man page says

    The second argument is the NetBIOS name. If the name is not a
    legal name then the wins hook is not called. Legal names contain
    only letters, digits, hyphens, underscores and periods.

but it turns out the legality check is not performed if the WINS
server in question is the source4 nbt one. It is not expected that
people will run this server, but they can. This is bad because the
name is passed unescaped into a shell command line, allowing command
injection.

For this test we don't care whether the WINS server is returning an
error code, just whether it is running the wins hook. The tests show
it often runs the hook it shouldn't, though some characters are
incidentally blocked because the name has to fit in a DN before it
gets to the hook, and DNs have a few syntactic restrictions (e.g.,
blocking '<', '>', and ';').

The source3 WINS server that is used by Samba when not run as a DC is
not affected and not here tested.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15903

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-10-21 18:40:37 +00:00
Ralph Boehme
2b5cbb955a mdssvc: implement elasticsearch:default_fields
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15927

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2025-10-10 10:40:30 +00:00
Ralph Boehme
594eb4eb0e mdssvc: fix filtering by share path prefix
To correctly filter by share path, use a filter with a prefix match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15927

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2025-10-10 10:40:30 +00:00
Gary Lockyer
0245610b09 tests:s4:kdc Add tests for pkinit certificate mapping
Tests for pkinit with "strong certificate binding enforcement"
See: https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

     KB5014754: Certificate-based authentication changes on Windows
     domain controllers

Test environment configuration:
   ad_dc       none
   ad_dc_ntcfs compatibility
   ad_dc_smb1  full

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-10-10 01:27:31 +00:00
Gary Lockyer
f9d9f559d9 python:domain:user Add altSecurityIdentities
Add altSecurityIdentities to the User domain model so that it can be used by
the key certificate binding enforcement tests.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-10-10 01:27:31 +00:00
Gary Lockyer
bd2d596446 s4:dsdb:audit_log change action for auth info
Change the action logged for authentication information changes from
"Public key change" to "Auth info change", to reflect that it's not just
changes to public keys that get logged.

This doesn't require a JSON log format version change, because the
version was recently bumped in c9e752ab18
and there hasn't been a Samba release in the meantime.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-10 01:27:30 +00:00
Gary Lockyer
00e12c2e2d tests:audit_log_pass_change add tests for auth info logging
Add tests for the logging of changes to altSecurityIdentities, dnsHostName,
servicePrincipalName and msDS-AdditionalDnsHostNames

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-10 01:27:30 +00:00
Gary Lockyer
7577c5bc8f tests:audit_log_pass_change refactor the tests
Refactor python/samba/tests/audit_log_pass_change.py to make it easier to add tests
for the logging of changes to alternateSecurityIdentities, dNSHostName,
servicePrincipalName

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-10-10 01:27:30 +00:00
Gary Lockyer
bb8c760709 tests:krb5 Add key trust tests
Add tests to verify Key Trust authentication

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-09-16 22:22:34 +00:00
Douglas Bagnall
387731687b dsdb:audit:test: test msDS-KeyCredentialLink change logging
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-09-03 02:13:40 +00:00
Jennifer Sutton
10d0d97006 setup:adprep: Import the latest {Domain-Wide,Forest-Wide,Read-Only-Domain-Controller,Schema}-Updates.md
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 03:41:36 +00:00
Jennifer Sutton
32bfbc788d python:samba: Raise an exception if we can’t parse a Markdown operation
Otherwise we would continue with the wrong GUID and filename.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 03:41:36 +00:00
Jennifer Sutton
5934b746ad schema: Add Validated-Write-Computer Extended Right from Windows Server 2016
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 03:41:36 +00:00
Jennifer Sutton
264faeaea0 tests/krb5: Remove redundant line
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-27 03:41:36 +00:00
Douglas Bagnall
0aee889f55 python:tarfile: notes about extraction_filter
a reminder to delete.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Tue Aug 26 23:43:08 UTC 2025 on atb-devel-224
2025-08-26 23:43:08 +00:00
Douglas Bagnall
7a5b22e422 pytest: safe_tarfile: accept NotADirectoryError as bad path rejection
After recent upstream Python fixes for various path escape and symlink
CVEs in tarfile, in particular this commit:

  commit 3612d8f51741b11f36f8fb0494d79086bac9390a
  Author: Łukasz Langa <lukasz@langa.pl>
  Date:   Tue Jun 3 12:42:11 2025 +0200

  gh-135034: Normalize link targets in tarfile, add `os.path.realpath(strict='allow_missing')` (#135037)

  Addresses CVEs 2024-12718, 2025-4138, 2025-4330, and 2025-4517.

  Signed-off-by: Łukasz Langa <lukasz@langa.pl>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
  Co-authored-by: Petr Viktorin <encukou@gmail.com>
  Co-authored-by: Seth Michael Larson <seth@python.org>
  Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com>
  Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>

our ../../ test that looks for a tarfile.OutsideDestinationError now
meets a NotADirectoryError in recent Python versions (this from 3.13,
Fedora 42):

UNEXPECTED(error): samba.tests.safe_tarfile.samba.tests.safe_tarfile.SafeTarFileTestCase.test_dots(none)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/tmp/samba-testbase/b1/samba-o3/bin/python/samba/tests/safe_tarfile.py", line 48, in test_dots
    self.assertRaises(tarfile.OutsideDestinationError,
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                      stf.extractall,
                      ^^^^^^^^^^^^^^^
                      tarname)
                      ^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 795, in assertRaises
    return context.handle('assertRaises', args, kwargs)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/unittest/case.py", line 238, in handle
    callable_obj(*args, **kwargs)
    ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2343, in extractall
    tarinfo, unfiltered = self._get_extract_tarinfo(
                          ~~~~~~~~~~~~~~~~~~~~~~~~~^
        member, filter_function, path)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2432, in _get_extract_tarinfo
    self._handle_fatal_error(e)
    ~~~~~~~~~~~~~~~~~~~~~~~~^^^
  File "/usr/lib64/python3.13/tarfile.py", line 2430, in _get_extract_tarinfo
    filtered = filter_function(unfiltered, path)
  File "/usr/lib64/python3.13/tarfile.py", line 842, in tar_filter
    new_attrs = _get_filtered_attrs(member, dest_path, False)
  File "/usr/lib64/python3.13/tarfile.py", line 783, in _get_filtered_attrs
    target_path = os.path.realpath(os.path.join(dest_path, name),
                                   strict=os.path.ALLOW_MISSING)
  File "<frozen posixpath>", line 457, in realpath
NotADirectoryError: [Errno 20] Not a directory: '/tmp/samba-testbase/b1/samba-o3/bin/ab/tmp/tmpbn6e69ci/tar.tar'

In this commit, we say that a NotADirectoryError is OK.

When we started safe_tarfile we were acting in advance of upstream
Python, but now they are well ahead of us. If we trust their work in
recent versions and accept the error conditions they choose, we can
more easily get rid of our safe_tarfile when the time is right.

For the moment we still support as far back as Python 3.6 for some old
enterprise distros, and it is for those that we continue to maintain
safe_tarfile. In versions before 3.11 we will see
tarfile.ExtractError, and the test for that is unaffected by this
change.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-26 22:42:39 +00:00
Douglas Bagnall
812998b15f python:build: do not allow sizeof(int) != 4
A non-32 bit int will (if the compiler allows it) result in code
where we write into memory adjacent to a target uint32_t value in
many python bindings using the python arg-parsing API. The more
correct thing to do would be to always parse into an unsigned long
long and error if it is greater than UINT32_MAX, but we do this in
so many places that there is reason to believe we'll just keep
adding more.

Note, we already check in lib/replace/wscript that int is at least
32 bits; here we are effectively just checking that it is not more.

There was apparently a version of 64 bit Solaris in the 1990s that
had 64 bit ints.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-08-26 22:42:39 +00:00
Andreas Schneider
5879410caf auth:creds: Make sure to uppercase the realm of a principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15893

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2025-08-25 11:03:38 +00:00
Douglas Bagnall
246ce57e52 pytest:samba-tool group: remove unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Aug 20 05:35:03 UTC 2025 on atb-devel-224
2025-08-20 05:35:03 +00:00
Douglas Bagnall
624a8c2261 pytest: run user_keytrust tests as computer keytrust tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
5030dd3317 pytest: adapt user_keytrust tests to be objectclass agnostic
We will reuse the tests for the computer keytrust command.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
8ed39fa33f samba-tool: copy user_keytrust to computer keytrust
This is exactly a copy of user/keytrust.py to computer_keytrust.py
with a title-case-preserving `s/user/computer/`.

It works. The Computer model differs from the User model in that it
appends a '$' to the end of account names if it senses the lack,
otherwise these commands are using the same code paths.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
16d670f0a5 samba-tool computer: remove unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
2681fe5df8 samba-tool: add user keytrust command
This allows manipulation of key credential links for users.

See `man -l bin/default/docs-xml/manpages/samba-tool.8` for
documentation.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
625cabf651 samba-tool: Command.message() can print multiple lines
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
3ca754d8f2 py:key_credential_link: filter_kcl_list helper for samba-tool
This will be used in `samba-tool user keytrust delete` and `samba-tool
computer keytrust delete` and is mainly to deduplicate that code.

Potentially it could also be used in `keytrust view`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
df0cf2556f py:key_credential_list: add kcl_in_list function
This compares the key material and DN of a KeyCredentialLinkDn with a
list of others, which is a different sense of equality than the
default (which considers GUIDs and binary equality).

This will be used by samba-tool to check whether a link is in fact a
duplicate even if it seems not to be due to some insignificant field
being non-identical.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
87caac906e py:key_credential_links: allow encoding=='auto'
'auto' is the same as None. This is helpful to samba-tool.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
7c08990a45 samba-tool: add verbose flag to @exception_to_command_error
Helpful in development.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
93391259df py:tests: test key_credential_link module
These tests use the samba.key_credential_link module and a real samdb.

The existing key_credential_link tests address the IDL generated
structures more directly.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
3682667439 python:key_credential_link: add descriptive methods
In samba-tool we are going to want a KeyCredentialLinkDn to be able
to describe itself. We're adding the methods here because
`samba-tool user` and `samba-tool computer` will both want to use
them.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
439146c7a0 python:models: do not re-use mutable defaults
This ensures that model.save works when a field has the many flag set,
but the object has no attribute of that name, and the caller appends
to the attribute list, like this:

      user.key_credential_link.append(link)

When we get to save, and are doing this:

      value = getattr(self, attr)
      old_value = getattr(existing_obj, attr)
      if value != old_value:
         # commit the change

the .append() will have added the item to both value and old_value
because they are the same list. But not any more.

This was a problem because the Field instance is attached to the
model class, not the model instance.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00
Douglas Bagnall
2797c013e3 samba-tool: add decorator to catch exception types
Often we [think we] know that all exceptions of a certain type should
be formatted as CommandErrors (i.e., the traceback is suppressed, and
the message is assumed intelligible). Rather than riddling .run() with
try...except blocks to do this, we can

      @exception_to_command_error(ModelError)
      def run(...)

which makes any ModelError into a CommandError in that samba-tool command.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-08-20 04:34:37 +00:00