IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It's not used anywhere other than this file.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
'rg' is never NULL, so this codepath is never taken. But if it were, we
would return early and entirely neglect filling in the UPN_DNS_INFO from
the 'pac_upn_dns_info' parameter. So remove the early return.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.
Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDS.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ensures that no members contain garbage data.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.
To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This currently only works with binaries. As there is no shared library for
MSAN it only is statically linked against binaries. This means if we have e.g.
a python script trying to load ldb, it will fail with undefined symbols.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 6 23:49:04 UTC 2023 on atb-devel-224
source3/torture/test_smb1_dfs.c:3264:11: error: variable 'accessmode' set but
not used [-Werror,-Wunused-but-set-variable]
uint16_t accessmode = 0;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/utils/log2pcaphex.c:138:13: error: variable 'i' set but not used
[-Werror,-Wunused-but-set-variable]
static int i = 0;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/lib/netapi/tests/netfile.c:40:22: error: variable 'i2' set but not used
[-Werror,-Wunused-but-set-variable]
struct FILE_INFO_2 *i2 = NULL;
^
source3/lib/netapi/tests/netfile.c:41:22: error: variable 'i3' set but not used
[-Werror,-Wunused-but-set-variable]
struct FILE_INFO_3 *i3 = NULL;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/modules/vfs_glusterfs.c:827:6: error: variable 'glfd' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
if (pglfd == NULL) {
^~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:853:6: note: uninitialized use occurs here
if (glfd == NULL) {
^~~~
source3/modules/vfs_glusterfs.c:827:2: note: remove the 'if' if its condition is
always true
if (pglfd == NULL) {
^~~~~~~~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:763:17: note: initialize the variable 'glfd' to
silence this warning
glfs_fd_t *glfd;
^
= NULL
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/modules/vfs_io_uring.c:70:22: error: field 'cqe' with variable sized
type 'struct io_uring_cqe' not at the end of a struct or class is a GNU
extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
struct io_uring_cqe cqe;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/modules/getdate.c:1192:9: error: variable 'yynerrs' set but not used
[-Werror,-Wunused-but-set-variable]
int yynerrs;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/printing/tests/vlp.c:144:19: error: variable 'job_count' set but not
used [-Werror,-Wunused-but-set-variable]
int i, num_jobs, job_count = 0;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
lib/ldb-samba/ldb_ildap.c:482:47: error: implicit conversion from enumeration
type 'enum ldb_scope' to different enumeration type 'enum ldap_scope'
[-Werror,-Wenum-conversion]
msg->r.SearchRequest.scope = req->op.search.scope;
~ ~~~~~~~~~~~~~~~^~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
nsswitch/pam_winbind.c:3360:24: error: cast from 'time_t **' (aka 'long **') to
'const void **' must have all intermediate pointers const qualified to be safe
[-Werror,-Wcast-qual]
(const void **)&pwdlastset_update);
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c:1646:49: error: variable 'rep_val_cnt' set
but not used [-Werror,-Wunused-but-set-variable]
unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/winbindd/winbindd_ads.c:1399:6: error: variable 'ret_count' set but not
used [-Werror,-Wunused-but-set-variable]
int ret_count;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/rpc_server/eventlog/srv_eventlog_nt.c:634:11: error: variable
'num_records_read' set but not used [-Werror,-Wunused-but-set-variable]
uint32_t num_records_read = 0;
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source3/smbd/msdfs.c:367:14: error: explicitly assigning value of variable of
type 'char *' to itself [-Werror,-Wself-assign]
servicename = servicename;
~~~~~~~~~~~ ^ ~~~~~~~~~~~
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
namecache.c:129:9: error: variable 'i' set but not used
[-Werror,-Wunused-but-set-variable]
size_t i, count;
^
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Fixing Red Hat internal covscan report:
Field "salt_data.magic" is uninitialized when calling "smb_krb5_create_key_from_string".
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We get these warnings-as-errors:
librpc/gen_ndr/py_netlogon.c:61903:53: error: stray ‘\’ in program
61903 | PyErr_Format(PyExc_TypeError, "Expected type %s",\ //<PIDL> Parse::Pidl::Samba4::Python::ConvertObjectFromPythonData lib/Parse/Pidl/Samba4/Python.pm:2005
but the '\' is unnecessary and unconventional anyway, since we're in a
function argument list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 3 03:27:54 UTC 2023 on atb-devel-224
This already would not compile with Python 2, because Py_TPFLAGS_HAVE_ITER
is not defined
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add samba-tool commands for managing registration
of Client Side Extensions.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Removes:
* waf pydoctor
* waf wafdocs
* make pydoctor
There is no "make wafdocs" it only appears to be in wscript.
The reasoning being is these are broken and appear to not have been run for some time.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 2 21:15:54 UTC 2023 on atb-devel-224
In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams"
request has changed from
string: kMDScopeArray
sl_array_t(#1): {
string: /foo/bar
}
to:
string: kMDScopeArray
sl_array_t(#1): {
sl_array_t(#1): {
string: /foo/bar
}
}
With this patch we check both encodings. Bug fixed according to user feedback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299
RN: Spotlight doesn't work with latest macOS Ventura
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
- Build fix for GNU/Hurd
- Build fix for Solaris, after removal
of ports backend (bug #15298)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 2 18:27:08 UTC 2023 on atb-devel-224
There is no hardcoded PIPE_BUF pipe limitation on GNU/Hurd, but POSIX
provides a minimum value that we can use.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
