1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

39437 Commits

Author SHA1 Message Date
Jo Sutton
5eac95652a s4:dsdb: Use talloc_get_type_abort()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Noel Power
a27525e555 s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG

This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Noel Power
1297c7ca65 s4/torture: Prepare to handle Level 4 check with unknown func code
A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).

Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
  s3 server returns WERR_NOT_SUPPORTED and
  s4 server returns WERR_INVALID_PARAMETER.

For level 3 both return WERR_NOT_SUPPORTED.

MS-NRPC doesn't seem to specifically indicate the required response in
this case.

this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Stefan Metzmacher
6c5781b5f1 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
6a89615d78 s4:libcli/smb2: add hack to test anonymous signing and encryption
This will be used in torture tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Douglas Bagnall
a00c0ebd09 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.

This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Douglas Bagnall
edabb9f4cb ldb-samba: use ldb_comparison_fold_utf8()
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Jo Sutton
589a9ea676 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224
2024-05-22 21:33:14 +00:00
Jo Sutton
d8302e9532 s4:kdc: Merge current and previous gMSA keys during period when both are valid
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
5ea0782465 s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
71899ceb40 s4:libnet: Update export_keytab() docstring
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
048de3da01 s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()
This will allow us to specify whether to specify this flag for a keytab
export.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
26fd78040e s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
ad9198bb86 s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
6bd56a2c19 s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
cb9ff7b4c5 s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
8ae565a14b s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Stefan Metzmacher
8303078028 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Douglas Bagnall
99d2622131 spelling: comments: synthax -> syntax
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Douglas Bagnall
64003d8677 spelling: fix spelling of privilege.ldb in comments
'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Stefan Metzmacher
e2a5fbf5cf s4:libnet_export_keytab: add only_current_keys option
By default we also export on the old and older passwords...

In order to do a kinit with a keytab it might we useful to
include only the current keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
7f1e89488a s4:kdc: also provide cross-realm keys via samba_kdc_seq()
This means that 'samba-tool domain exportkeytab' is able to
export them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
37292f8a60 s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
6ecc607ede s4:kdc: split out samba_kdc_fill_trust_keys() helper
This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.

Review with: git show -p --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
f5c8c212dc s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry()
This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
f48699641c s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry()
This will simplifiy further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
d1efc396de s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
We already handle it in samba_kdc_fill_user_keys() mostly for DES keys,
but other encryption types might be from kerberos libraries in future.
And things like FIPS mode may also alter the runtime behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
8cfebc36ed s4:kdc: split out samba_kdc_fill_trust_keys() helper
Let samba_kdc_trust_message2entry() also fill in the salt used
by the key. This is not strictly needed, but it's better to
be consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Jo Sutton
01849ab1bc s4:kdc: Implement KDC plugin hardware authentication policy
NOTE: This commit finally works again!

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
2024-05-16 03:14:47 +00:00
Jo Sutton
0582cf6077 s4:kdc: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
f3ff4915ad s4:kdc: Initialize local variable just in case (CID 1596759)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
3b90753b55 s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
7e7bb259a6 s4:kdc: Initialize pointer variable just in case (CID 1596762)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
e1460c9e34 s4:dsdb: Make map containing default attribute values static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
927c672faf s4:dsdb: Do not set lockoutTime for trust accounts
This matches the behaviour of Windows.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
4c759c2675 s4:dsdb: Make use of userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
1b8b8550aa s4:dsdb: Add userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
0e93456a66 s4:dsdb: Remove redundant user flags macro
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
32199b9bcf s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
c167ac5301 s4:libnet: Remove unnecessary declarations
This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
33ed55ce8f s4:libnet: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e5357c75a6 s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
92d010af2d s4:dsdb: Let dsdb gMSA time influence pwdLastSet
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
170dd47eae s4:libcli: Add more controls to our list of known controls
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
526652d162 s4:libcli: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e4045cd5b1 s4:setup: Update name of dsdb password change control
Commit 0a907c2f45 renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
f5cbe49789 s4:dsdb: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
cbebffd56d s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Douglas Bagnall
827b0c39ed s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
No change at all in the result, just saving lines and branches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
c5c29f59fa s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00