1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

3910 Commits

Author SHA1 Message Date
Stefan Metzmacher
4ca5b78f5b samba-tool/ntacl: let changedomsid ignore symlinks
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 23:24:37 +00:00
Björn Baumbach
0e9f1eec5a samba-tool: print default (domain) for --dns-directory-partition option in help message
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 23:24:37 +00:00
Stefan Metzmacher
b26dcfba10 tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
This demonstrates that we use the correct authtime
when doing constrained delegation.

The actual fix for the problem is already in place via
commit 75ec66c729
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 23:24:37 +00:00
Stefan Metzmacher
489cdefa6a tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()
This demonstrates that we use the correct key for EncAuthorizationData
together with constrained delegation.

The actual fix for the problem is already in place via
commit 75ec66c729
third_party/heimdal: Import lorikeet-heimdal-202306091507 (commit 7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)

The related patches are:
38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when decryption AuthorizationData
61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt b->enc_authorization_data in tgs_build_reply()
fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 23:24:37 +00:00
Stefan Metzmacher
205ee77c2f samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction
This makes it possible to raise the levels without starting
'samba' first, which is very useful for blackbox tests.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Stefan Metzmacher
3724ae3e10 samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions
This will make it easier to use transactions in the following changes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Stefan Metzmacher
e92988ec94 samba-tool: move some parts of 'domain level [show|raise]' in to try/except
This just adds indentation for now, the following changes will
add transactions...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Stefan Metzmacher
ea2712336b samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn
We should not rely on lp.get('workgroup')...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Stefan Metzmacher
f9f9771a55 samba-tool: check for invalid 'domain level' subcommands first
This will simplify further changes...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 19:08:37 +00:00
Andrew Bartlett
1b1895a0d8 samba-tool: Fix missing import for "domain level raise --forest-level=2016"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-21 19:08:37 +00:00
Joseph Sutton
53caae00b8 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
The cookie produced by Windows differs depending on whether FAST was
used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-21 12:23:32 +00:00
Björn Baumbach
6640cf5e32 samba-tool: add new --dns-directory-partition option to dns zonecreate command
The new --dns-directory-partition chooses the directory partition for
the new zone - "domain" or "forest". Defaults to the current default
"domain".

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224
2023-06-16 21:23:28 +00:00
Volker Lendecke
880eb2bd56 libsmb: Test smb1 mknod
Requires O_PATH to work correctly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-16 16:14:31 +00:00
Joseph Sutton
ba2e54d5c5 tests/auth_log: Ensure tests continue to pass when new log types are added
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
7f77107053 tests/auth_log: Add support for new ‘KDC Authorization’ log type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
9b0a71bd30 tests/auth_log: Refactor waitForMessages() to use nextMessage()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224
2023-06-14 23:55:42 +00:00
Joseph Sutton
67da91ef16 tests/auth_log: Add method to fetch the next relevant message from the messaging bus
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
7c6dbe3195 tests/krb5: Test authentication with policy restrictions and a wrong password
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
a9534e7be0 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
94e7a550db tests/krb5: Remove unneeded ‘dn’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
fb260e1f46 tests/krb5: Make use of KerberosCredentials.get_sid()
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
490c451a79 tests/krb5: Keep track of account SIDs
This prevents having to look them up in the database when tests need
them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
0ec229e7b9 tests/krb5: Fix overlong lines
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
117bba98a1 tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
f1c24f4bc9 tests/krb5: Test authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
9d8ee6a422 tests/krb5: Cache created authentication policies
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
01643b3527 tests/krb5: Keep track of the type of each created account
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
d1fcecd121 tests/auth_log: Properly expect authentication failures
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
11671a743f tests/auth_log: Make samba.tests.auth_log test executable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
234be6b0dd samba-tool ou: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
d93e340b80 samba-tool ou: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
0743e11d46 samba-tool: Fix typo
Found by Rob van der Linde <rob@catalyst.net.nz>.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
49592b80f7 selftest: Assert trust realm is not None
This is consistent with the other tests in this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
97a5ee4bbb tests/auth_log: Factor out isRemote()
This makes waitForMessages() easier to read.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Andreas Schneider
1f74f9f366 python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
431f7698e4 python:safe_tarfile: Implement safer extractall()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
8c90c66a9a python:safe_tarfile: Set extraction_filter for pythons providing it
It should be available for Python >= 3.11.4 but also has been
backported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
ebaa008162 python:tests: Adopt safe_tarfile for extraction_filter raises
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
c28e719bb0 selftest: Add unit tests of the DC startup FL check/update code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
ae7f2b417b python/tests: Make helpful, stateless methods @classmethod and @staticmethod
This allows them to be used in setUpClass in tests.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
8e895fc5d6 selftest: Split up tests in dsdb.py to avoid creating a user when not required
Creating a user is CPU intensive, particularly when a password is set
so avoid doing so if not required.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
David Mulder
e40c86e970 gp: Fix user apply failure when droping privs
When dropping privileges, gpupdate errored:
gpclass.py:1167: KeyError: "getpwnam(): name not found: <HOSTNAME>
apply_gp was incorrectly passing the hostname
instead of the username.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 10 10:46:28 UTC 2023 on atb-devel-224
2023-06-10 10:46:28 +00:00
Andrew Bartlett
6f30eca3bb sefltest: Improve getdcname test by confirming the _REQUIRED flag behaviours
We do this by checking what the underlying CLDAP netlogon call returns.

This also validates that behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
3c25ddb1ce selftest: Fix remaining incorrect references to 2012 -> 2012R2 FL in GetDCNameEx test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
49537a4170 selftest: Change self.assertTrue(x is not None) -> self.assertIsNotNone(x)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
2a0e53374d selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work
We need to confirm this both for forwarded requests, and also for requests
direct to the possible DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon May 29 23:29:50 UTC 2023 on atb-devel-224
2023-05-29 23:29:50 +00:00
Andrew Bartlett
920e1a5bae selftest: Rework samba.tests.getdcname not to use ncalrpc
This test is able to operate over the network, which aids testing against
a comparative windows DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-29 22:32:28 +00:00
Andrew Bartlett
1593c9e658 selftest: Assert that we have a trust in samba.tests.getdcname
We must ensure this test cannot became inoperative because the
environment it was run against has no trust.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-29 22:32:28 +00:00
Joseph Sutton
fb759809f8 python:tests: Ensure that we don’t overwrite tests
If the file iterator returns two entries with the same name, one may
overwrite the other.

script_iterator() currently ensures this won’t happen, but it pays to be
safe.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
7390eb1254 python:tests: Make script executable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00