IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
With MIT Kerberos 1.21+ DES is not available by default and will be
refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result
in a likely authentication falure (unless allow_des=true is set in
krb5.conf).
Warn about such cases to give admins yet another chance to detect an
error in setting userAccountFlags.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224
This shows that all compound related requests should get
NT_STATUS_NETWORK_SESSION_EXPIRED.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15696
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The following line in the pre‐2003 attributes fallback code:
attrs = post_2003_attrs;
presumably should have read
attrs = pre_2003_attrs;
As it is this fallback, added in commit
2fc233b78f and subsequently modified in
commit 783ff68628, does not do what it was
intended to do.
Besides, attempting a failed search again, just with different
attributes, will presumably not yield any more of a result.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Direct leak of 102 byte(s) in 1 object(s) allocated from:
#0 0x7f35322fc7d7 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f3531e43bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
#2 0x7f3531e45034 in __talloc ../../lib/talloc/talloc.c:825
#3 0x7f3531e45034 in __talloc_strlendup ../../lib/talloc/talloc.c:2454
#4 0x7f3531e45034 in talloc_strdup ../../lib/talloc/talloc.c:2470
#5 0x7f352f90264b in smbcli_parse_unc ../../source4/libcli/cliconnect.c:269
#6 0x55fbf83aa207 in torture_parse_target ../../source4/torture/smbtorture.c:192
#7 0x55fbf83ae031 in main ../../source4/torture/smbtorture.c:744
#8 0x7f352ca2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Aug 1 16:55:43 UTC 2024 on atb-devel-224
This test loops over session-setup/logoff as fast as possible,
for nprocs * qdepth loops.
It was created to demonstrate the krb5 replay cache problem
(at least with MIT kerberos before 1.18, I've tested with
1.15 only).
This forces kerberos with the machine account:
time smbtorture //fileserver.example.com/ipc\$ \
smb2.bench.session-setup \
--option="torture:timelimit=600" \
--option="torture:nprocs=50" \
--option="torture:qdepth=1" \
--machine-pass \
--use-kerberos=required
This forces ntlmssp with the machine account:
time smbtorture //fileserver.example.com/ipc\$ \
smb2.bench.session-setup \
--option="torture:timelimit=600" \
--option="torture:nprocs=50" \
--option="torture:qdepth=1" \
--machine-pass \
--use-kerberos=off
This forces anonymous ntlmssp (without depending
on the DC performance):
time smbtorture //fileserver.example.com/ipc\$ \
smb2.bench.session-setup \
--option="torture:timelimit=600" \
--option="torture:nprocs=50" \
--option="torture:qdepth=1" \
-U% \
--use-kerberos=off
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Jul 30 15:18:42 UTC 2024 on atb-devel-224
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 12:36:25 UTC 2024 on atb-devel-224
`sr.in.info = info` is correctly set later after we called
dcerpc_lsa_QueryTrustedDomainInfoByName_r() which filling the info
pointer with data.
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:211: var_decl: Declaring variable ""info"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:248: uninit_use: Using uninitialized value ""info"".
246| sr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
247| sr.in.trusted_domain->string = name;
248|-> sr.in.info = info;
249|
250| for (c = 0; il[c].info_level != -1; c++) {"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 16 12:42:39 UTC 2024 on atb-devel-224
Patch updated for recent samba versions in merge request #3295 by kvvloten
Initial patch created by Jeremy Allison (https://www.spinics.net/lists/samba/msg161128.html) to log LDAP server queries/functions in a separate file
Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul 9 08:37:22 UTC 2024 on atb-devel-224
Since we have ensured that val->length >= sizeof(hash->hash),
MIN(val->length, sizeof(hash->hash)) will here always be equal to
sizeof(hash->hash).
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:1244: var_decl: Declaring variable ""wins_name1"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4835: assign: Assigning: ""wins_name_r1"" = ""&wins_name1"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4905: uninit_use_in_call: Using uninitialized value ""*wins_name_r1"". Field ""wins_name_r1->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
4903|
4904| /* now apply R1 */
4905|-> ret &= test_wrepl_update_one(tctx, ctx, records[i].r1.owner, wins_name_r1);
4906| ret &= test_wrepl_is_applied(tctx, ctx, records[i].r1.owner,
4907| wins_name_r1, records[i].r1.apply_expected);"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 28 12:44:31 UTC 2024 on atb-devel-224
Found by Covscan.
"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: tainted_data_argument: The check ""i < new_len"" contains the tainted expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""new_len - i"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: ""(new_len - i) * 8UL"", which might have underflowed, is passed to ""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
405| const char **val2 = &attr_list[i];
406| if (ldb_attr_cmp(*val1, *val2) == 0) {
407|-> memmove(val1, val2, (new_len - i) * sizeof( *attr_list));
408| attr_list[new_len-1] = NULL;
409| new_len--;"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Found by Covscan.
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5040: var_decl: Declaring variable ""wins_name_"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5041: assign: Assigning: ""wins_name"" = ""&wins_name_"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6680: uninit_use_in_call: Using uninitialized value ""*wins_name"". Field ""wins_name->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
6678| wins_name->unknown = ""255.255.255.255"";
6679|
6680|-> ret &= test_wrepl_update_one(tctx, ctx, &ctx->b, wins_name);
6681| ret &= test_wrepl_is_applied(tctx, ctx, &ctx->b, wins_name, true);
6682| } else {"
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
This shows that they are ignored for machine accounts as domain member.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
On master attempting to chdir into a nested dfs link
e.g. cd dfslink (works)
cd dfslink/another_dfslink (fails)
[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
enabled share
Add knownfails for tests 1 and 3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224
In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours. The internet
suggestions of 1 day for this feature should work fine.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime. This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it. As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts. By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This will ensure that the time which will be is passed in an opaque is
not used by other parts of Samba
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Instead, make this query after we open the DB in common with the MIT code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This both allows the time to be overriden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.
Samba now honours the password expiry.
This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This centralises the check rather than checking the time in
multiple spots.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Other functions in this file are TALLOC_CTX, struct ldb_context *, not
the other way around.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.
Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is a normal C library, used by python but does not use
any python itself (nor by dependencies any longer).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG
This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).
Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
s3 server returns WERR_NOT_SUPPORTED and
s4 server returns WERR_INVALID_PARAMETER.
For level 3 both return WERR_NOT_SUPPORTED.
MS-NRPC doesn't seem to specifically indicate the required response in
this case.
this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This will be used in torture tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.
This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224