1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

709 Commits

Author SHA1 Message Date
Andreas Schneider
5a751ea55e auth:creds:tests: Add test for cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Andreas Schneider
521f77c667 auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Douglas Bagnall
aecb2b779b python: remove all 'from __future__ import print_function'
This made Python 2's print behave like Python 3's print().

In some cases, where we had:

   from __future__ import print_function
   """Intended module documentation..."""

this will have the side effect of making the intended module documentation
work as the actual module documentation (i.e. becoming __doc__), because
it is once again the first statement in the module.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-04-28 03:43:34 +00:00
Volker Lendecke
ad7628b2cb gensec: Slightly simplify gensec_generate_session_info_pac()
Reduce indentation by an early error return and by introducing a
helper variable.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-04-27 13:24:35 +00:00
Joseph Sutton
2f0ef147f9 auth/credentials: Remove unneeded try/except syntax
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  7 10:24:17 UTC 2021 on sn-devel-184
2021-04-07 10:24:17 +00:00
Joseph Sutton
7c2b26a431 auth/credentials: Add test for binding with an extended canonical name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Joseph Sutton
7679995b95 auth/credentials: Add test for binding with a canonical name
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Joseph Sutton
3e531bb885 auth/credentials: Add test for binding with a domain SID
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10319

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-07 09:18:30 +00:00
Volker Lendecke
69a3d0fa4b gensec: Remove gensec_security_all(), it was only used internally
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-06 22:29:34 +00:00
Andreas Schneider
bf1c294adb auth:creds: Free the uname pointer in cli_credentials_parse_string()
The data is duplicated and we don't need it anymore.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 24 03:13:05 UTC 2021 on sn-devel-184
2021-03-24 03:13:05 +00:00
Andreas Schneider
aa34799600 auth:creds: Don't include credentials_internal.h twice
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-24 02:08:54 +00:00
Andreas Schneider
4e82150dc1 auth:creds: Use our own cli_credentials_set_cmdline_callbacks()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2021-03-24 00:55:32 +00:00
Andreas Schneider
9e5ac70a7e auth:creds: Add command line function for standard password callback
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2021-03-24 00:55:32 +00:00
Andreas Schneider
ca57356b78 s4:lib:cmdline: Rename cli_credentials_set_cmdline_callbacks()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2021-03-24 00:55:32 +00:00
Andreas Schneider
93c576dae4 auth:creds: Add cli_credentials_dump()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Dec 16 13:56:49 UTC 2020 on sn-devel-184
2020-12-16 13:56:49 +00:00
Volker Lendecke
daa9d98cf8 auth: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-11-10 19:49:33 +00:00
Alexander Bokovoy
5d80b179a1 Revert "cli_credentials: add a helper to parse user or group names"
This reverts commit 00f4262ed0.
2020-11-05 06:30:31 +00:00
Alexander Bokovoy
49efe0ca0b Revert "cli_credentials_parse_string: fix parsing of principals"
This reverts commit eb0474d27b.
2020-11-05 06:30:31 +00:00
Alexander Bokovoy
00f4262ed0 cli_credentials: add a helper to parse user or group names
cli_credentials_parse_string() parses a string specified for -U option
in command line tools. It has a side-effect that '%' character is always
considered to be a separator after which a password is specified.

Active Directory does allow to create user or group objects with '%' in
the name. It means cli_credentials_parse_string() will not be able to
properly parse such name.

Introduce cli_credentials_parse_name() for the cases when a password is
not expected in the name and call to cli_credentials_parse_name() from
cli_credentials_parse_string().

Test cli_credentials_parse_name() with its intended use in lookup_name()
refactoring.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-11-04 14:59:34 +00:00
Alexander Bokovoy
eb0474d27b cli_credentials_parse_string: fix parsing of principals
When parsing a principal-like name, user name was left with full
principal instead of taking only the left part before '@' sign.

>>> from samba import credentials
>>> t = credentials.Credentials()
>>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
>>> t.get_username()
'admin@realm.test'

The issue is that cli_credentials_set_username() does a talloc_strdup()
of the argument, so we need to change order of assignment to allow
talloc_strdup() to copy the right part of the string.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-11-04 14:59:34 +00:00
Andreas Schneider
1a92994a95 auth:creds:tests: Migrate test to a cmocka unit test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Andreas Schneider
2c00bea2ae auth:creds: Add cli_credentials_init_server()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-09-07 12:02:15 +00:00
Stefan Metzmacher
515cffb1f2 auth:gensec: If Kerberos is required, keep schannel for machine account auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
Stefan Metzmacher
a33a40bbc8 auth:gensec: Pass use_kerberos and keep_schannel to gensec_use_kerberos_mechs()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
Stefan Metzmacher
2186d4131a auth:gensec: Make gensec_use_kerberos_mechs() a static function
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-09-07 12:02:15 +00:00
Stefan Metzmacher
b34e8dc898 auth:gensec: Add gensec_security_sasl_names()
Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2020-09-07 12:02:15 +00:00
Matthew DeVore
232054c09b lib/util: remove extra safe_string.h file
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.

Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.

Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
2020-08-28 02:18:40 +00:00
Andreas Schneider
0188885a49 auth:creds: Bump library version
We added new functions so bump the version.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
84f1e4683e auth:creds: Add python bindings for cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
66c9c68bad auth:creds: Add python bindings for (get|set)_smb_encryption
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
836c5e01e6 auth:creds: Add cli_credentials_(get|set)_smb_encryption()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
ef12caea07 auth:creds: Add python bindings for (get|set)_smb_ipc_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
71d65278e1 auth:creds: Add cli_credentials_(get|set)_smb_ipc_signing()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
098774b244 auth:creds: Add python bindings for (get|set)_smb_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
58e0abc58f auth:creds: Add cli_credentials_(get|set)_smb_signing()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Andreas Schneider
59a1272a6c auth:creds: Remove unused credentials autoproto header
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Stefan Metzmacher
e913503540 auth:creds: Introduce CRED_SMB_CONF
We have several places where we check '> CRED_UNINITIALISED',
so we better don't use CRED_UNINITIALISED for values from
our smb.conf.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-19 16:22:40 +00:00
Volker Lendecke
546a0f99e8 auth: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 17 20:59:51 UTC 2020 on sn-devel-184
2020-08-17 20:59:51 +00:00
Volker Lendecke
af34a411b9 gensec: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Gary Lockyer
f467727db5 CVE-2020-10704: lib util asn1: Add ASN.1 max tree depth
Add maximum parse tree depth to the call to asn1_init, which will be
used to limit the depth of the ASN.1 parse tree.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:31 +00:00
Andrew Bartlett
5c1867ba45 py3: Remove #define PyInt_FromLong PyLong_FromLong
This allows us to end the use of Python 2/3 compatability macros.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power
2020-03-23 19:12:43 +00:00
Andreas Schneider
32f83be8f6 auth:ntlmssp: Mark as weak_crypto
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-19 20:46:41 +00:00
Andreas Schneider
6ada071d62 gensec: Add a check if a gensec module implements weak crypto
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-03-19 20:46:41 +00:00
Andrew Bartlett
8fbdff5c3d auth/credentials: Test connecting to LDAP with a "virtual user" style account
This type of account is often used by e-mail hosting platforms
that do not wish to create an AD domain for each DNS domain that
they host mail for.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13598

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-02-14 15:47:41 +00:00
Stefan Metzmacher
98d2d5a403 auth/gensec: map NT_STATUS_{INVALID_ACCOUNT_NAME,NO_SUCH_DOMAIN} to NT_STATUS_NO_SUCH_USER
This means nt_status_squash() will map NT_STATUS_NO_SUCH_USER to
LOGON_FAILURE later.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
28d9493d23 gensec/spnego: fallback on INVALID_{ACCOUNT,COMPUTER}_NAME and NO_SUCH_DOMAIN
I think it's better to handle them in spnego.c, instead of squashing
them already in the gssapi/gse modules. This is related to
KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN and KRB5_REALM_UNKNOWN.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:37 +00:00
Stefan Metzmacher
f8e7c3d382 auth/kerberos: add auth4_context_{for,get}_PAC_DATA_CTR() helpers
This adds a generic way to get to the raw (verified) PAC
and will be used in multiple places in future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-02-10 16:32:36 +00:00
Douglas Bagnall
c247afbda0 pytests: heed assertEquals deprecation warning en-masse
TestCase.assertEquals() is an alias for TestCase.assertEqual() and
has been deprecated since Python 2.7.

When we run our tests with in python developer mode (`PYTHONDEVMODE=1
make test`) we get 580 DeprecationWarnings about this.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-02-07 10:37:37 +00:00