IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
There's no need to call it again if the caller already did.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We should can already call this in the 'need_device' branch, then
it can be reused later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Also use samba_kdc_entry_pac_valid_principal() in order to catch
all conditions for a valid device. For principals issued by
trusted domains there's no device.entry pointer!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This simplifies and unifies the callers.
For the MIT kdc we avoid using via kerberos_pac_to_user_info_dc()
directly.
Now both go via samba_kdc_get_user_info_dc() and MIT also
handles the samba_kdc_get_claims_data() path.
For the MIT kdc it means kerberos_pac_to_user_info_dc() is now
called via samba_kdc_get_user_info_dc() ->
samba_kdc_get_user_info_from_pac() and it is followed by
authsam_update_user_info_dc() consistently.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will allow us to make more functions static in the next steps.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This makes the code base less confusing (at least for me).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
It means we port commit b42fbc78395870c3caa33aa1c9636a59fde9e867 also to the
MIT kdc and enforce authentication policy service restrictions when getting a PAC
We should have this logic only once in order to avoid getting out of
sync between heimdal and MIT regarding the core logic.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
samba_kdc_get_pac() will be re-used by mit_samba_get_pac() in
the next step.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Feb 22 17:03:27 UTC 2025 on atb-devel-224
This will be used for sid/name filtering in the following commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will be used by the namespace filtering part of
sid filtering...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This implements MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This implements MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation,
requires to pass information about the trust topology to
NTLMv2_RESPONSE_verify_netlogon_creds()...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This will be used in the next commits in order to
implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
See MS-ADTS 3.1.1.6.4 PDC Forest Trust Update
It basically connects to all forest trusts
and searches for crossRef objects with
SYSTEM_FLAG_CR_NTDS_DOMAIN under
CN=Partitions,CN=Configuration.
With this information it add/removes
FOREST_TRUST_SCANNER_INFO records into
the msDS-TrustForestTrustInfo of the local
trustedDomain object.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Note that we don't need to handle a fallback to old servers,
because we only talk to ourself here.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Note for scanner records we need to filter out duplicates,
but binary records may exist multiple times.
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The tricky part is that we also need to upgrade
LSA_FOREST_TRUST_BINARY_DATA records into FOREST_TRUST_SCANNER_INFO records.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This normalizes LSA_FOREST_TRUST_BINARY_DATA in
LSA_FOREST_TRUST_SCANNER_INFO.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We need to convert the [LSA_]FOREST_TRUST_SCANNER_INFO record
into a binary record, but with LSA_FOREST_TRUST_SCANNER_INFO
as type.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The tricky part is that it's all based on the sub_type within
the binary data, if it's FOREST_TRUST_SCANNER_INFO the
record is upgraded to an LSA_FOREST_TRUST_SCANNER_INFO,
otherwise it's downgraded to a LSA_FOREST_TRUST_BINARY_DATA
record.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
We use trust_forest_info_lsa_{1to2,2to1}() where needed.
This will make it possible to support
FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO later.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Note for now these will fail for FOREST_TRUST_BINARY_DATA and
FOREST_TRUST_SCANNER_INFO.
But this will still make the transition from
lsa_ForestTrustInformation to lsa_ForestTrustInformation2
easier.
Support for will FOREST_TRUST_BINARY_DATA and FOREST_TRUST_SCANNER_INFO
will be added before we implement the forest trust background scanner
job and the lsaRSetForestTrustInformation2 function.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
