IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.
From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
'privileges' is a word, but the ldb referred to is privilege.ldb
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By default we also export on the old and older passwords...
In order to do a kinit with a keytab it might we useful to
include only the current keys.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This means that 'samba-tool domain exportkeytab' is able to
export them.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.
Review with: git show -p --patience
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We already handle it in samba_kdc_fill_user_keys() mostly for DES keys,
but other encryption types might be from kerberos libraries in future.
And things like FIPS mode may also alter the runtime behaviour.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Let samba_kdc_trust_message2entry() also fill in the salt used
by the key. This is not strictly needed, but it's better to
be consistent.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
NOTE: This commit finally works again!
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This declaration is a hold‐over from the Python 2 module initialization
pattern.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Commit 0a907c2f45 renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
No change at all in the result, just saving lines and branches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before we had (with a TODO of regret):
if (!a1 || !a2) {
return strcasecmp(e1->name, e2->name);
}
so, given {name:"A", id 2}, {name:"B", NO id}, {name:"C", id 1},
A < B by name
B < C by name
A > C by id
Now the sort order is always A > C > B.
This sort could have caused mysterious crashes in repl_meta_data if
the schema is out of sync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In this comparison function a NULL string is treated as the ancestor
of all names, but you need to look hard to see that.
By pulling the logic for NULLs to the front, hopefully we have to look
less hard.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This ldb context can be used to query the current gMSA time.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This operates in a non-async fashion and may block
in the push and pull function.
It will be used to plug into openldap transport
layer, this is needed in order to have access
to the channel bindings. And also use the same
configuration for all our gnutls based tls code.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We still allow 'ldap_testing:tls_channel_bindings = no' and
'ldap_testing:channel_bound = no' for testing
the old behavior in order to have expected failures in our tests.
And we have 'ldap_testing:forced_channel_binding = somestring'
in order to force invalid bindings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is based on GNUTLS_CB_TLS_SERVER_END_POINT
and is the value that is required for channel bindings
in LDAP of active directory domain controllers.
For gnutls versions before 3.7.2 we basically
copied the code from the GNUTLS_CB_TLS_SERVER_END_POINT
implementation as it only uses public gnutls functions
and it was easy to re-implement.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will be able simplify the callers a lot...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is not strictly needed, but it might be useful
for load balancers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before the handshare or disconnect is over we need to wait until
we delivered the lowlevel messages to the transport/kernel socket.
Otherwise we'll have a problem if another tevent_context is used
after the handshake.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I've seen them with clang
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr 23 19:02:10 UTC 2024 on atb-devel-224
Returning 0 on `(name1 == NULL || name2 == NULL)` made NULL equal to
everything, which confuses a sort (consider {A, B, NULL} where A > B,
but A == NULL == B).
The only caller is dnsserver_enumerate_records() which fails if it
finds a NULL in the sorted list. We make the happen more quickly by
sorting NULLs to the front.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
uint32_cmp (introduced in 0c362597c0
"fixed the sorting of schema attributes") was doing what NUMERIC_CMP
does, but it was adding an extra function call. This results in less
code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This should already be the case given the current logic, but let’s make
it explicit.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As dsdb_search_dn() ignores this flag, passing it in doesn’t achieve
anything.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224
Modifications to unicodePwd require an encrypted connection. This change
allows unicodePwd to be modified over an ldapi connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Once we have a gMSA server side the impact of deleting root keys becomes real
and so we must do this in a quiet place where it can not impact on other things.
Likewise, we want the samba.tests.dsdb_quiet_provision_tests tests to run
somewhere that is not doing other things, so we can see what a bare provision
will do. We must not allow test ordering inside the file to cause tests that
create root keys to run before checking if provision created a usable root key.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This shouldn't have been DBG_ERR, and it might as well say something
about the tombstone.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15630
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 12 15:18:05 UTC 2024 on atb-devel-224
expire_time is time_t, which is at least int-sized, so overflow is
possible (if this code ever runs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
dnsp_DnssrvRpcRecord.dwTimeStamp is uint32_t, making overflow possible.
dnsp_DnssrvRpcRecord.wType is an enum, which has the size of an int,
though it may be hard to set it to overflowing values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
SamEntry.idx is uint32_t.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
prec_{1,2} are uint32_t, and if one is not set we are defaulting to
0xffffffff (a.k.a UINT32_MAX), so an overflow when cast to int seems
extremely likely.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We need to do this when the dn is on a message from another ldb.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will help avoid use-after-free of the internally cached ldb within
struct ldb_dn by ensuring that it lives as long.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused with
this commit. We need to do it here or the compiler will complain about an unused
function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224
While this is by definition less efficient, I prefer not to have the magic
buffer of pre-caclulated bytes, we don't create Root Keys very often.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
torture_assert_u64_equal_goto() can only print meaningful error message
for incorrect values if only if the function is invoked with test run
value and expected value respectively as second and thrid arguments.
Otherwise it displays the reversed message causing confusion in overall
test results.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 27 13:00:29 UTC 2024 on atb-devel-224
We have the same function in tevent, no need to duplicate code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps make use-after-free testing reliable.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
