IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
‘tm’ must be initialized prior to calling strptime().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
strptime() will fail to parse the LDAP ‘whenCreated’ time string,
because the format string is wrong: it will expect to get a time like
“20230920043849Z”, but the time string seems to be actually formatted
“20230920043849.0Z” — like a GeneralizedTime.
Fix this by delegating to ldb_val_to_time().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
‘tm’ must be initialized prior to calling strptime().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For non-testing callers of auth_generate_session_info(), passing
lp_ctx will allow us to correctly set a flag indicating if claims
should be evaluated.
For testing applications, the default will allow safe operation
inspecting the SID list.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
If we pass an empty string as the ‘whoami’ parameter, MIT’s logging
facilities will prepend a mysterious colon to the message. Printing
“mitkdc: ” ought at least to be more sensible, and perhaps more closely
to match our behaviour prior to commit
dd8138236b.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
winsdb_message() stores this element as hexadecimal, which format
ldb_msg_find_attr_as_uint() cannot cope with. Permit this element to be
in either decimal or hexadecimal format.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is a near‐duplicate of smb_krb5_principal_is_tgs().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation is no longer called: using a variable of static
storage duration as a conduit for return values is only asking for
trouble.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function has the handy feature of being able to be called twice in
succession without mysteriously breaking your code. Now, doesn’t that
sound useful?
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This implementation doesn’t rely on a variable of static storage
duration being used as a conduit for the return value.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For now this function is a mere wrapper round krb5_princ_component(),
but one whose interface allows for a more sensible implementation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Create a temporary memory context on which to allocate things.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
To do so is to invoke undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it clearer what these variables are used for, and avoids
confusion with the similarly‐named ‘nt_status’ variables — also used in
these functions.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Having pac_blobs::type_blobs be managed both by talloc and by the
‘pac_blobs’ structure itself (with pac_blobs_destroy()) is very prone to
error. So is the current situation of having the other ‘pac_blobs’
functions each take in a memory context.
Improve these circumstances by requiring ‘pac_blobs’ to be managed by
talloc. Now the other functions can dispense with their ‘mem_ctx’
parameters, being instead able to allocate on to the ‘pac_blobs’
structure itself. pac_blobs_init() no longer must be a separate
function; inline it into pac_blobs_from_krb5_pac(). pac_blobs_destroy(),
being no longer of use, can go too.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps to make error‐checking and cleanup more systematic.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This avoids allocating working structures on to a potentially long‐lived
context.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Introduce a temporary memory context and allocate working structures on
to it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Introduce a temporary variable instead of assigning the result of
talloc_realloc() directly to samr_RidWithAttributeArray::rids. In this
way we avoid having a structure with a non‐zero ‘count’ but with ‘rids’
set to the NULL pointer.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it less likely that we forget to clean up resources.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allocate variables on to a temporary context rather than on to the
potentially long‐lived context passed in by the caller.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is more consistent with the other PAC blob functions, and easier to
reason about.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The lifetime of a blob’s contents should be tied to the lifetime of the
blob itself.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not pass a NULL pointer into dom_sid_split_rid().
Unlike samdb_result_dom_sid(), samdb_result_dom_sid_buf() produces an
error code on failure and does not require a heap allocation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to call them from elsewhere.
Change their names accordingly to start with ‘samba_kdc_’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Avoid unnecessary credentials allocation and initialization by passing the
net's cmdline creds to libnetapi_net_init() directly.
Fixes the problem of running cli_credentials_guess() (which runs password
callbacks) twice, one for the net's cmdline creds and a second time for the
creds initialized in libnetapi_net_init(), just to override them immediately
after.
Example:
$ export PASSWD_FD=0
$ ./bin/net offlinejoin composeodj <...>
foo
bar
Password is read from STDIN twice.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The net's tool cmdline lp_ctx can be reused, no need to init a new one except
for external library users.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
==395==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 96 byte(s) in 1 object(s) allocated from:
#0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a)
#1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982
#4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751
#5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50
#6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398
#7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401
#8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680
#9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455
#11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718
#13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854
#15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450
#17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824
#19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40
#21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593
#23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
#24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780
#25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244
#26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714
#27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943
#28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316
#29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
#30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206
#31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
#32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 24 03:47:08 UTC 2023 on atb-devel-224
Can Samba understand Windows security descriptors? Does it parse SDDL
the same way?
Here we test on over 7000 SDDL/descriptor pairs and find the answer
is pleasing. In later commits we will add more tests using different
classes of ACE.
The test cases are derived from fuzz seeds, exported to Windows via
the script in the last commit, with the Windows descriptor bytes found
using libcli/security/tests/windows/windows-sddl-test.py.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
