IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This demonstrates that we use the correct authtime
when doing constrained delegation.
The actual fix for the problem is already in place via
commit 75ec66c729
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This demonstrates that we use the correct key for EncAuthorizationData
together with constrained delegation.
The actual fix for the problem is already in place via
commit 75ec66c729
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patches are:
38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when decryption AuthorizationData
61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt b->enc_authorization_data in tgs_build_reply()
fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it possible to raise the levels without starting
'samba' first, which is very useful for blackbox tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will make it easier to use transactions in the following changes...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This just adds indentation for now, the following changes will
add transactions...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The cookie produced by Windows differs depending on whether FAST was
used.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The new --dns-directory-partition chooses the directory partition for
the new zone - "domain" or "forest". Defaults to the current default
"domain".
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This prevents having to look them up in the database when tests need
them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Found by Rob van der Linde <rob@catalyst.net.nz>.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is consistent with the other tests in this file.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes waitForMessages() easier to read.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This also checks for symlinks and hardlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This also checks for symlinks and hardlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
It should be available for Python >= 3.11.4 but also has been
backported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows them to be used in setUpClass in tests.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Creating a user is CPU intensive, particularly when a password is set
so avoid doing so if not required.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
When dropping privileges, gpupdate errored:
gpclass.py:1167: KeyError: "getpwnam(): name not found: <HOSTNAME>
apply_gp was incorrectly passing the hostname
instead of the username.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 10 10:46:28 UTC 2023 on atb-devel-224
We do this by checking what the underlying CLDAP netlogon call returns.
This also validates that behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We need to confirm this both for forwarded requests, and also for requests
direct to the possible DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon May 29 23:29:50 UTC 2023 on atb-devel-224
This test is able to operate over the network, which aids testing against
a comparative windows DC.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We must ensure this test cannot became inoperative because the
environment it was run against has no trust.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
If the file iterator returns two entries with the same name, one may
overwrite the other.
script_iterator() currently ensures this won’t happen, but it pays to be
safe.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>