IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed witht the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vide versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton@samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Previously, this algorithm was preferring RC4 over AES for machine
accounts in the preauth case. This is because AES keys for machine
accounts in Active Directory use a non-default salt, while RC4 keys do
not use a salt. To avoid this behaviour, only prefer keys with default
salt for the des-cbc-crc enctype.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Make this available as a shared structure for both source3 and source4
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This changes most of the simple pattern with self.samdb.modify()
to use the wrapper. Some other calls still need to be converted, while
the complex decision tree tests should remain as-is for now.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Oct 4 21:55:43 UTC 2021 on sn-devel-184
This is easier to reason with regarding which cases should work
and which cases should fail, avoiding issues where more success
than expected would be OK because a self.fail() was missed in a
try: block.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This should prevent any long pauses in the calling process, as we get a callback
for the restart after X seconds. To make the code flow more understandable,
always go through a timer event even if the wait time is zero. This
has the same effect as an immediate event as it will call the callback
function as soon as we go back into the event loop.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Oct 2 01:38:43 UTC 2021 on sn-devel-184
It is possible that the randomly chosen RODC number will be one
that is already in use. The samldb_krbtgtnumber_available()
function was meant to prevent that, but due to a typo did not.
There is no other race here as the whole thing is inside a transaction,
and we have duplicate protection on samAccountName, so the failure
looked like this:
...
Adding CN=krbtgt_TESTRODCDRS5320202,CN=Users,DC=samba,DC=example,DC=com
UNEXPECTED(error): samba4.drs.repl_rodc.python(ad_dc_ntvfs).repl_rodc.DrsRodcTestCase.test_msDSRevealedUsers_admin(ad_dc_ntvfs)
REASON: Exception: Exception: Traceback (most recent call last):
File "/m/abartlet/aMASTER/b1635147/samba-def-build/source4/torture/drs/python/repl_rodc.py", line 111, in setUp
self._create_rodc(self.rodc_ctx)
File "/m/abartlet/aMASTER/b1635147/samba-def-build/source4/torture/drs/python/repl_rodc.py", line 693, in _create_rodc
ctx.join_add_objects()
File "bin/python/samba/join.py", line 641, in join_add_objects
ctx.add_krbtgt_account()
File "bin/python/samba/join.py", line 429, in add_krbtgt_account
ctx.samdb.add(rec, ["rodc_join:1:1"])
_ldb.LdbError: (68, "LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: samldb: samAccountName krbtgt_4405 already in use!> <>")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14854
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 1 20:50:37 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
For detailed knownfail on subtests we need torture_assert() calls
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This gets us closer to passing against Windows 2019, without
making major changes to what was tested. More tests are needed,
but it is important to get what was being tested tested again.
Account types (eg UF_NORMAL_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT)
are now required on all objects, this can't be omitted any more.
Also for UF_NORMAL_ACCOUNT for these accounts without a password
set |UF_PASSWD_NOTREQD must be included.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 15 08:49:11 UTC 2021 on sn-devel-184
This file was incorrectly added in 6a27fbbfc4,
was never referenced on our build system and should have been
removed with c51c15144e at least.
That script had a bug and did not remove this filename if
the particular version of lex generated it, and so it
likely was added to git as a result.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Sep 13 05:41:30 UTC 2021 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Sep 10 16:02:10 UTC 2021 on sn-devel-184