1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

39577 Commits

Author SHA1 Message Date
Alexander Bokovoy
3d98048a5a kdc: warn if DES-only keys enforced on the account
With MIT Kerberos 1.21+ DES is not available by default and will be
refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result
in a likely authentication falure (unless allow_des=true is set in
krb5.conf).

Warn about such cases to give admins yet another chance to detect an
error in setting userAccountFlags.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224
2024-08-17 11:59:01 +00:00
Stefan Metzmacher
f6009aa73b s4:torture/smb2: let smb2.session.expire2* also check compound requests
This shows that all compound related requests should get
NT_STATUS_NETWORK_SESSION_EXPIRED.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15696

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-08-13 21:13:33 +00:00
Jo Sutton
18b078a8b9 dsdb periodic: Produce a debugging message if kccsrv_samba_kcc() fails
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 00:32:39 +00:00
Jo Sutton
7b02049223 s4-kcc: Remove nonfunctional fallback code
The following line in the pre‐2003 attributes fallback code:

attrs = post_2003_attrs;

presumably should have read

attrs = pre_2003_attrs;

As it is this fallback, added in commit
2fc233b78f and subsequently modified in
commit 783ff68628, does not do what it was
intended to do.

Besides, attempting a failed search again, just with different
attributes, will presumably not yield any more of a result.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 00:32:39 +00:00
Jo Sutton
1616a640dd s4:dsdb: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 00:32:39 +00:00
Jo Sutton
7485d4d588 s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 00:32:39 +00:00
Andreas Schneider
48963251fb s4:torture: Fix memory leak
Direct leak of 102 byte(s) in 1 object(s) allocated from:
    #0 0x7f35322fc7d7 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f3531e43bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f3531e45034 in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f3531e45034 in __talloc_strlendup ../../lib/talloc/talloc.c:2454
    #4 0x7f3531e45034 in talloc_strdup ../../lib/talloc/talloc.c:2470
    #5 0x7f352f90264b in smbcli_parse_unc ../../source4/libcli/cliconnect.c:269
    #6 0x55fbf83aa207 in torture_parse_target ../../source4/torture/smbtorture.c:192
    #7 0x55fbf83ae031 in main ../../source4/torture/smbtorture.c:744
    #8 0x7f352ca2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Aug  1 16:55:43 UTC 2024 on atb-devel-224
2024-08-01 16:55:43 +00:00
Andreas Schneider
a105595697 s4:torture: Remove trailing spaces from smbtorture.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-08-01 15:47:30 +00:00
Stefan Metzmacher
7dc19dd94c s4:torture/smb2: add 'smb2.bench.session-setup'
This test loops over session-setup/logoff as fast as possible,
for nprocs * qdepth loops.

It was created to demonstrate the krb5 replay cache problem
(at least with MIT kerberos before 1.18, I've tested with
1.15 only).

This forces kerberos with the machine account:

time smbtorture //fileserver.example.com/ipc\$ \
        smb2.bench.session-setup \
        --option="torture:timelimit=600" \
        --option="torture:nprocs=50" \
        --option="torture:qdepth=1" \
        --machine-pass \
        --use-kerberos=required

This forces ntlmssp with the machine account:

time smbtorture //fileserver.example.com/ipc\$ \
        smb2.bench.session-setup \
        --option="torture:timelimit=600" \
        --option="torture:nprocs=50" \
        --option="torture:qdepth=1" \
        --machine-pass \
        --use-kerberos=off

This forces anonymous ntlmssp (without depending
on the DC performance):

time smbtorture //fileserver.example.com/ipc\$ \
        smb2.bench.session-setup \
        --option="torture:timelimit=600" \
        --option="torture:nprocs=50" \
        --option="torture:qdepth=1" \
        -U% \
        --use-kerberos=off

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 30 15:18:42 UTC 2024 on atb-devel-224
2024-07-30 15:18:42 +00:00
Pavel Filipenský
be29fe50ad selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Andreas Schneider
7bb59168e9 s4:torture: Initialize struct cldap_netlogon
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:40: var_decl: Declaring variable ""io"" without initializer.
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:45: uninit_use_in_call: Using uninitialized value ""io.in.map_response"" when calling ""cldap_netlogon_recv"".
   43|   	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
   44|   	io.in.version = 6;
   45|-> 	status = cldap_netlogon_recv(req, tmp_ctx, &io);
   46|   	talloc_free(req);
   47|   	if (NT_STATUS_IS_OK(status)) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 13:48:03 UTC 2024 on atb-devel-224
2024-07-18 13:48:03 +00:00
Andreas Schneider
bd298f2612 s4:torture: Remove trailing spaces from cldapbench.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
125c5a93bb s4:torture: Initialize struct netr_LogonSamLogonEx
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/schannel.c:49: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/schannel.c:152: uninit_use_in_call: Using uninitialized value ""r.in.validation_level"" when calling ""torture_comment"".
  150|   			""LogonSamLogonEx failed"");
  151|   	} else {
  152|-> 		torture_comment(tctx,
  153|   				""Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n"",
  154|   				auth_level, ninfo.identity_info.account_name.string, crypto_alg,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
d64242f676 s4:torture: Initialize union spoolss_KeyNames
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7835: var_decl: Declaring variable ""key_buffer"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7906: uninit_use: Using uninitialized value ""key_buffer.string_array"".
 7904|
 7905|   	if (array) {
 7906|-> 		*array = key_buffer.string_array;
 7907|   	}
 7908|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
2e1ac4bbf5 s4:torture: Initialize pointer with NULL
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1447: var_decl: Declaring variable ""tree2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1492: uninit_use_in_call: Using uninitialized value ""tree2"" when calling ""smb2_util_unlink"".
 1490|   		}
 1491|
 1492|-> 		smb2_util_unlink(tree2, fname);
 1493|
 1494|   		talloc_free(tree);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:29 +00:00
Andreas Schneider
f7229d61ed s4:torture: Add new LSA test_query_forest_trust_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 12:36:25 UTC 2024 on atb-devel-224
2024-07-18 12:36:25 +00:00
Andreas Schneider
14a5d9e626 s4:torture: Split out a new LSA test_set_forest_trust_info() function
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-18 11:27:38 +00:00
Pavel Filipenský
471163e512 libnet: Fix debug text
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-17 07:48:31 +00:00
Andreas Schneider
85d80240ec s4:torture: Do not set sr.in.info to info be we queried the info
`sr.in.info = info` is correctly set later after we called
dcerpc_lsa_QueryTrustedDomainInfoByName_r() which filling the info
pointer with data.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:211: var_decl: Declaring variable ""info"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:248: uninit_use: Using uninitialized value ""info"".
  246|   	sr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
  247|   	sr.in.trusted_domain->string = name;
  248|-> 	sr.in.info = info;
  249|
  250|   	for (c = 0; il[c].info_level != -1; c++) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 16 12:42:39 UTC 2024 on atb-devel-224
2024-07-16 12:42:39 +00:00
Andreas Schneider
bd5e095e27 s4:torture: Remove tailing spaces in forest_trust.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
03283dfae2 s4:torture: Initialize struct smb_nttrans
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/basic/scanner.c:368: var_decl: Declaring variable ""parms"" without initializer.
samba-4.20.0rc2/source4/torture/basic/scanner.c:388: uninit_use_in_call: Using uninitialized value ""parms.in.setup"" when calling ""smb_raw_nttrans"".
  386|   	parms.in.data = ntdata_blob;
  387|
  388|-> 	status = smb_raw_nttrans(cli->tree, mem_ctx, &parms);
  389|
  390|   	if (NT_STATUS_IS_ERR(status)) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
7723353dae s4:torture: Remove tailing spaces in scanner.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
d003a17191 s4:torture: Initialize struct smb2_create
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/sharemode.c:639: var_decl: Declaring variable ""cr3"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/sharemode.c:736: uninit_use_in_call: Using uninitialized value ""cr3.out.file.handle"" when calling ""smb2_util_close"".
  734|   	smb2_util_close(tree, cr1.out.file.handle);
  735|   	smb2_util_close(tree, cr2.out.file.handle);
  736|-> 	smb2_util_close(tree, cr3.out.file.handle);
  737|   	smb2_util_unlink(tree, fname);
  738|   	return ret;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
ae47ec172f s4:torture: Initialize union smb_open
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/raw/open.c:1136: var_decl: Declaring variable ""io1"" without initializer.
samba-4.20.0rc2/source4/torture/raw/open.c:1198: uninit_use_in_call: Using uninitialized value ""io1.ntcreatex.out.file.fnum"" when calling ""smbcli_close"".
 1196|    done:
 1197|   	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
 1198|-> 	smbcli_close(cli->tree, io1.ntcreatex.out.file.fnum);
 1199|   	smbcli_deltree(cli->tree, BASEDIR);
 1200|   	return ret;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
3aa6aa02a8 s4:torture: Initialize struct netr_IdentityInfo
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samr.c:3601: var_decl: Declaring variable ""identity"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samr.c:3650: uninit_use: Using uninitialized value ""identity"". Field ""identity.domain_name.length"" is uninitialized.
 3648|   		}
 3649|
 3650|-> 		pinfo.identity_info = identity;
 3651|   		logon.password = &pinfo;
 3652|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andréas Leroux
2c1a4a516f ldap_server: Add a ldapsrv debug class to log LDAP queries
Patch updated for recent samba versions in merge request #3295 by kvvloten
Initial patch created by Jeremy Allison (https://www.spinics.net/lists/samba/msg161128.html) to log LDAP server queries/functions in a separate file

Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul  9 08:37:22 UTC 2024 on atb-devel-224
2024-07-09 08:37:22 +00:00
Andreas Schneider
742e5b48ae s4:torture: Initialize pointer with NULL
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samsync.c:342: var_decl: Declaring variable ""dom_sid"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samsync.c:385: uninit_use_in_call: Using uninitialized value ""dom_sid"" when calling ""dom_sid_dup"".
  383|   	}
  384|   	if (samsync_state->domain_handle[database_id]) {
  385|-> 		samsync_state->sid[database_id] = dom_sid_dup(samsync_state, dom_sid);
  386|   	}
  387|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:33 +00:00
Pavel Filipenský
f434524b47 s4:torture: Initialize struct smb2_handle consistently in lease.c
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:567: var_decl: Declaring variable "h" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:642: uninit_use_in_call: Using uninitialized value "h" when calling "smb2_util_close".
  640|
  641|    done:
  642|->         smb2_util_close(tree, h);
  643|           smb2_util_close(tree, h2);
  644|

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-05 07:45:32 +00:00
Jo Sutton
e50a69334e s4:dsdb: Remove unnecessary MIN()
Since we have ensured that val->length >= sizeof(hash->hash),
MIN(val->length, sizeof(hash->hash)) will here always be equal to
sizeof(hash->hash).

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
66928d858f s4:auth: Correct order of parameters in documentation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
939481329e perftest:ndr_pack_performance: Remove obselete comment
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
4844b1c34c perftest:ndr_pack_performance: Remove unused import
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
c4728578de s4:dsdb: Use appropriate type for userAccountControl flags
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
3dffd0fa67 s4:auth: Use appropriate type for userAccountControl flags
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Andreas Schneider
6d3cfb4b1c s4:torture: Initialize param arrays
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/gentest.c:2690: var_decl: Declaring variable ""parm"" without initializer.
samba-4.20.0rc2/source4/torture/gentest.c:2711: uninit_use: Using uninitialized value ""parm[0]"". Field ""parm[0].out"" is uninitialized.
 2709|   	}
 2710|
 2711|-> 	GEN_COPY_PARM;
 2712|   	GEN_SET_FNUM_SMB2(in.file.handle);
 2713|   	GEN_CALL_SMB2(smb2_lock(tree, &parm[i]));"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jul  1 00:23:08 UTC 2024 on atb-devel-224
2024-07-01 00:23:08 +00:00
Andreas Schneider
f52e7fd3c0 s4:torture: Remove trailing spaces from gentest.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:34 +00:00
Andreas Schneider
57001527ae s4:torture: Initialize pointers
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1518: var_decl: Declaring variable ""tree2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1584: uninit_use_in_call: Using uninitialized value ""tree2"" when calling ""smb2_util_close"".
 1582|   	if (tree != NULL) {
 1583|   		if (h != NULL) {
 1584|-> 			smb2_util_close(tree2, *h);
 1585|   		}
 1586|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
1d38f6ee92 s4:torture: Initialize struct smb2_handle
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:452: var_decl: Declaring variable ""h"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:516: uninit_use_in_call: Using uninitialized value ""h"" when calling ""smb2_util_close"".
  514|
  515|    done:
  516|-> 	smb2_util_close(tree, h);
  517|   	smb2_util_close(tree, hnew);
  518|   	smb2_util_close(tree, h2);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
b6d66e55ad s4:torture: Initialize struct netr_LogonSamLogonEx
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/schannel.c:250: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/schannel.c:357: uninit_use_in_call: Using uninitialized value ""r.in.validation_level"" when calling ""torture_comment"".
  355|   			""LogonSamLogonEx failed"");
  356|   	} else {
  357|-> 		torture_comment(tctx,
  358|   				""Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n"",
  359|   				auth_level, ninfo.identity_info.account_name.string, crypto_alg,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
9ec0f8bd60 s4:torture: Make sure struct smb2_handle is initialized
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:1223: var_decl: Declaring variable ""h2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:1328: uninit_use_in_call: Using uninitialized value ""h2"" when calling ""smb2_util_close"".
 1326|    done:
 1327|   	smb2_util_close(tree, h);
 1328|-> 	smb2_util_close(tree, h2);
 1329|
 1330|   	smb2_util_unlink(tree, fname);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
a77cffaa25 s4:torture: Initialize struct wrepl_wins_name
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:1244: var_decl: Declaring variable ""wins_name1"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4835: assign: Assigning: ""wins_name_r1"" = ""&wins_name1"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4905: uninit_use_in_call: Using uninitialized value ""*wins_name_r1"". Field ""wins_name_r1->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 4903|
 4904|   		/* now apply R1 */
 4905|-> 		ret &= test_wrepl_update_one(tctx, ctx, records[i].r1.owner, wins_name_r1);
 4906|   		ret &= test_wrepl_is_applied(tctx, ctx, records[i].r1.owner,
 4907|   					     wins_name_r1, records[i].r1.apply_expected);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 28 12:44:31 UTC 2024 on atb-devel-224
2024-06-28 12:44:31 +00:00
Andreas Schneider
54ce370f7d s4:torture: Fully initialize struct samr_OpenUser
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samr.c:7381: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samr.c:7428: uninit_use: Using uninitialized value ""r.out.result.v"".
 7426|   		torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
 7427|   			""QueryUserInfo failed"");
 7428|-> 		if (!NT_STATUS_IS_OK(r.out.result)) {
 7429|   			torture_result(tctx, TORTURE_FAIL, ""QueryUserInfo(%u) failed - %s\n"", r.in.rid, nt_errstr(r.out.result));
 7430|   			return false;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
7990a2ba08 s4:torture: Initialize struct wrepl_wins_name
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6759: var_decl: Declaring variable ""wins_name_"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6760: assign: Assigning: ""wins_name"" = ""&wins_name_"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:9455: uninit_use_in_call: Using uninitialized value ""*wins_name"". Field ""wins_name->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 9453|   		wins_name->unknown	= ""255.255.255.255"";
 9454|
 9455|-> 		ret &= test_wrepl_update_one(tctx, ctx, &ctx->b, wins_name);
 9456|
 9457|   		/*"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
09d731470e s4:torture: Initialize struct smb2_handle
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:336: var_decl: Declaring variable ""hnew"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:377: uninit_use_in_call: Using uninitialized value ""hnew"" when calling ""smb2_util_close"".
  375|    done:
  376|   	smb2_util_close(tree, h);
  377|-> 	smb2_util_close(tree, hnew);
  378|
  379|   	smb2_util_unlink(tree, fname);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
4777464946 s4:torture: Initialize struct nbt_name_query
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/query.c:53: var_decl: Declaring variable ""io"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/query.c:76: uninit_use_in_call: Using uninitialized value ""io.in.retries"" when calling ""nbt_name_query_send"".
   74|   		while (num_sent - (result->num_pass+result->num_fail) < 10) {
   75|   			struct nbt_name_request *req;
   76|-> 			req = nbt_name_query_send(nbtsock, &io);
   77|   			torture_assert(tctx, req != NULL, ""Failed to setup request!"");
   78|   			req->async.fn = increment_handler;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
deced5eaae s3:torture: Remove trailing spaces in query.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Volker Lendecke
8a7aad7fe0 torture4: Fix some whitespace
Review with "git show -w"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Andreas Schneider
3cb4073cd0 s4:dsdb: Avoid possible underflows with new_len
Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: tainted_data_argument: The check ""i < new_len"" contains the tainted expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""new_len - i"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: ""(new_len - i) * 8UL"", which might have underflowed, is passed to ""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  405|   			const char **val2 = &attr_list[i];
  406|   			if (ldb_attr_cmp(*val1, *val2) == 0) {
  407|-> 				memmove(val1, val2, (new_len - i) * sizeof( *attr_list));
  408|   				attr_list[new_len-1] = NULL;
  409|   				new_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
44db391ae1 s4:dsdb: Remove trailing spaces in schema_query.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
94c06dd189 s4:torture: Initialize struct wrepl_wins_name
Found by Covscan.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5040: var_decl: Declaring variable ""wins_name_"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5041: assign: Assigning: ""wins_name"" = ""&wins_name_"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6680: uninit_use_in_call: Using uninitialized value ""*wins_name"". Field ""wins_name->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 6678|   			wins_name->unknown	= ""255.255.255.255"";
 6679|
 6680|-> 			ret &= test_wrepl_update_one(tctx, ctx, &ctx->b, wins_name);
 6681|   			ret &= test_wrepl_is_applied(tctx, ctx, &ctx->b, wins_name, true);
 6682|   		} else {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
5d568f6e61 s4:torture: Remove trailing spaces in winsreplication.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Stefan Metzmacher
db2c576f32 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
372476aeb0 s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-06-17 16:54:29 +00:00
Andreas Schneider
4a48148a7d s4:torture: Add missing NULL checks in spoolss.c
source4/torture/rpc/spoolss.c: In function
  ‘check_printer_driver_file.isra’:
source4/torture/rpc/spoolss.c:10850:58: error: ‘%s’ directive argument
  is null [-Werror=format-overflow=]
10850 |         const char *remote_name = talloc_asprintf(tctx, "%s\\%d\\%s",
      |                                                          ^~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-06-13 12:25:37 +00:00
Douglas Bagnall
de19f4d675 s4/pytest: remove py2 str/bytes workaround in getnc_exop
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Noel Power
7f1de90f72 selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
2024-06-11 18:28:34 +00:00
Jo Sutton
b42c489180 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
facb418c99 s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
5ffa768329 s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
7ae10eb25f s4:auth: Add common out path to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Anoop C S
225e6aeafc s4/torture: Remove already existing test_dir
In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224
2024-06-10 13:17:58 +00:00
Anoop C S
3b230769b0 s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-10 12:16:32 +00:00
Andrew Bartlett
491b79d445 kdc: Rotate smart-card only underlying password in 2nd half of lifetime
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours.  The internet
suggestions of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
8afe27058b kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime.  This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
1e1c80656f kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
d03b3faeb8 s4-auth: Use consistant externally-supplied time in auth stack
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts.  By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1dcd8be8f0 kdc: Use a consistent, stable time throughout the Heimdal KDC
The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
fe61009002 kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
This will ensure that the time which will be is passed in an opaque is
not used by other parts of Samba

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
e178f6b0e9 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
9ba5ebf4af kdc: Remove confusing duplicate open of sam.ldb to find RODC status
Instead, make this query after we open the DB in common with the MIT code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
09ae48b415 dsdb: Prepare to handle smartcard password rollover
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1bcc9f0015 dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
This both allows the time to be overriden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
cc3ea4ed57 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.

Samba now honours the password expiry.

This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
3669479f22 dsdb: Reduce minimum maxPwdAge from 1 day to nil
This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
302619f66f dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
b664392208 s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check
This centralises the check rather than checking the time in
multiple spots.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
737f241406 s4-auth: Update comment to mention 60mins in the NTLM grace period
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
e04eb9bb17 dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistant with other uses
Other functions in this file are TALLOC_CTX, struct ldb_context *, not
the other way around.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Stefan Metzmacher
ed61c57e02 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224
2024-06-06 03:18:16 +00:00
Stefan Metzmacher
76fec2668e s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
db350bc573 s4:dns_server: dns_verify_tsig should return REFUSED on error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
5906ed94f2 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
ae7538af04 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
bd0235cd51 s4:dns_server: use the client provided algorithm for the fake TSIG structure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
3467d14914 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
fa0f23e69e s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
a56627b0d1 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
753428a3b6 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Andrew Bartlett
d11b281aef build: Remove incorrect pyembed=True from samba-policy
This is a normal C library, used by python but does not use
any python itself (nor by dependencies any longer).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-06-05 20:42:34 +00:00
Andrew Bartlett
829b52f99d s4-libnet: Split up samba-net into samba-net and samba-net-join
samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-06-05 20:42:34 +00:00
Jo Sutton
5eac95652a s4:dsdb: Use talloc_get_type_abort()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Noel Power
a27525e555 s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG

This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Noel Power
1297c7ca65 s4/torture: Prepare to handle Level 4 check with unknown func code
A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).

Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
  s3 server returns WERR_NOT_SUPPORTED and
  s4 server returns WERR_INVALID_PARAMETER.

For level 3 both return WERR_NOT_SUPPORTED.

MS-NRPC doesn't seem to specifically indicate the required response in
this case.

this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Stefan Metzmacher
6c5781b5f1 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
6a89615d78 s4:libcli/smb2: add hack to test anonymous signing and encryption
This will be used in torture tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Douglas Bagnall
a00c0ebd09 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.

This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Douglas Bagnall
edabb9f4cb ldb-samba: use ldb_comparison_fold_utf8()
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Jo Sutton
589a9ea676 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224
2024-05-22 21:33:14 +00:00
Jo Sutton
d8302e9532 s4:kdc: Merge current and previous gMSA keys during period when both are valid
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
5ea0782465 s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00