1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

136837 Commits

Author SHA1 Message Date
Douglas Bagnall
60022ed55f py:nt_time: add nt_time_from_string()
This is for samba-tool, which could do with a common understanding of
time strings across various sub-tools.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
bfba074d2f pyldb: try to turn ldb_string_to_time() errors into exceptions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
8892b0cc92 ldb: ldb_string_to_time reports more errors
The underlying function should return -1 and set errno when given invalid
strings, but we were not looking and have decided on 0 for error.

It would be a pain to change this function to return -1. Apart from the
API fuss, it is sometimes used unchecked to set an unsigned number and
an unchecked 0 is better than UINT*_MAX in those contexts.

It is probably not easy to get an -1 from a timegm() -- most
implementations will happily convert overflows for you, so e.g. the
15th month would be March of the next year. But EOVERFLOW is mentioned
in the manpages.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
9beb57892d s4:pydsdb: add not-implemented raising functions to when appropriate
It will be less confusing, I hope.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
ed344bb22f pyldb: catch some talloc failures
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
c68b390e66 pyldb: free some finished requests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
a4c4e3c95f pyldb: free things more often on error
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
cccc994fa0 pyldb: add a macro to free when raising exceptions
We often forget.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
8cf9d4cae1 pytest:audit_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
6d087d1d29 pytest:auth_log_base: use string_is_guid()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Douglas Bagnall
0fe263a56d pylibs: add string_is_guid() helper.
In various places we use regular expressions to check for GUID-ness,
though typically we don't match GUIDs with uppercase hex digits when
we really should.

If we centralise the check, we have more chance of getting it right.

Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Feb 29 02:38:07 UTC 2024 on atb-devel-224
2024-02-29 02:38:06 +00:00
Douglas Bagnall
7b089e1206 samba-tool: with --json, error messages are in JSON
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
1f128fee27 samba-tool: instances remember whether --json was requested
All our subcommands are going to learn --json eventually, and they
shouldn't all have to do this individually.

The next commit uses this to automatically format CommandErrors as JSON.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
542ba5cbd5 samba-tool: add self.print_json_status() helper
This is a helper to return JSON for simple messages.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
742fc4d841 samba-tool: avoid mutable Command class values
These values are shared across all instances of the class,
which makes no difference in samba-tool itself, because there
is one instance per process. But in tests we can have many
Command classes at once (due to runcmd()), and if any of them
happened to append to takes_args or takes_options rather than
replacing it, well, the effect would be subtle.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
29abab6a46 samba-tool domain level: avoid using assert
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Douglas Bagnall
8650ba0a18 samba-tool domain claim: use secrets module for token
`binascii.hexlify(os.urandom(8)).decode()` was fine, but `os.urandom`
is OS specific and can theoretically block (says the documentation).

We will let Python's secrets module worry about such details.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
2908a6d67b samba-tool user getpassword: Also return the time a GMSA password is valid until
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
71f7c4a3c5 samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes
To convert a virtual attribute we must understand that it has
been put into "obj" under the name including the ;format= part
and so we must look it back up with that name when looking to
covert it from (say) NTTIME to a unix time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
dfe71c4235 python/samba/tests: Include more detail on invoication in test of "samba-tool user show"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
380c80b4d6 samba-tool user getpassword: Do not show preview of gMSA password
The AD server will send a preview of the next gMSA password, 5mins before
it is expected to be active.

This is useful in a keytab, which needs to be in place before a ticket
could possibly be issued, but is not helpful for authentication, as
the server also accepts passwords for 5mins after the change.

This avoids needing teach all users of this tool how to fall back to
the previous password for a 5min period every 30 days, by default.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-02-29 01:31:31 +00:00
Pavel Filipenský
801e3fd6dd s3:libads: Trace ldap search base/filter/scope
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 01:31:31 +00:00
Andrew Bartlett
2b515b7dcc s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
2024-02-28 04:45:48 +00:00
Andrew Bartlett
009a4706d2 python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Andrew Bartlett
724f403d88 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Andrew Bartlett
ea41dccb99 third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-28 03:44:37 +00:00
Jo Sutton
f1a83798f0 third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb 27 02:19:31 UTC 2024 on atb-devel-224
2024-02-27 02:19:31 +00:00
Jo Sutton
beaeeaff50 s4:rpc_server: Make some arrays static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
3b85345c4c lib:util: Fix printing hex‐escaped characters
A signed char, passed to snprintf(), will be promoted to an ‘int’, and
then interpreted (according to the format string) as an ‘unsigned int’.
Any negative values passed in will thus be interpreted as large unsigned
values, too large to be represented in the two characters allocated for
them. In practice, they will always be represented as ‘\xFF’.

Cast these characters to ‘unsigned char’, and use the appropriate length
modifier for that type.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
7e855f8d89 lib:util: Correctly determine whether a character needs to be escaped
The condition ‘c > 0x1F’ is clearly meant to test whether a character is
a control code or not. While it works for ASCII characters, when ‘char’
is signed it fails for codepoints above 0x7f, which get represented as
negative values. Make this calculation work as it was (presumably)
intended by casting to ‘unsigned char’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
18208dbef7 s4:rpc_server: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
4b0f3f3d10 python: Fail the test if we don’t receive an NTSTATUSError
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
3e342e2d37 tests/krb5: Move assertLocalSamDB() into RawKerberosTest
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
df475fbc2f tests/krb5: type hinting
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
69c3044a72 python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
a1d7af2485 python/tests: Convert dckeytab test to use new NDR keytab parser
This is much nicer than reading strings out of the binary file.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
2e230f728e python/tests: Add test for new krb5 keytab parser
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
e6ef2fc224 librpc/idl: Check protocol version number in Kerberos ccache parser
The ccache file format version is checked by the switch in OPTIONAL_HEADER.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
ecaaff57e4 librpc/idl: Add a parser for a FILE: format keytab
This will let us examine keytab entries exported for gMSA accounts and
ensure they are the values we expect.  This will in particular help
test our KDC via the "samba-tool domain exportkeytab" as this is a thin
wrapper around the relevant code.

Additionally, we can use this to test the new client-side keytab generation
in "samba-tool domain exportkeytab" for gMSA accounts.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
9a5cc12042 python/samba/samdb: Only do caching of well known DNs in dbcheck
The fact that get_wellknown_dn() returned a cached DN that could
not be modified safely was unexpected, particularly given that
other similar routines did not do that.

The use case given at the time this was written by
Matthieu Patou in 6122acad0f
was dbcheck, so move the cache there, and name it clearly.

dbcheck is the only case that uses this rotuine in an inner
loop.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Anoop C S
5a0fce5865 source4/torture: Add SEC_STD_DELETE to enable proper cleanup
basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
files created by those tests. But the restrictive SD with which they
were created prohibits the deletion inside shares where vfs_acl_xattr
is configured including "ignore system acls". The very same file will
otherwise cause problems while progressing with remaining sub tests.
SEC_STD_DELETE could be the minimum required additional access mask
to successfully delete the file under the said configuration using
vfs_acl_xattr and "ignore system acls" option without loosing the
integrity of the overall test.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224
2024-02-26 18:35:43 +00:00
Andreas Schneider
e4c3c61302 python:gp: Implement client site lookup in site_dn_for_machine()
This is [MS-GPOL] 3.2.5.1.4 Site Search.

The netr_DsRGetSiteName() needs to run over local rpc, however we do not
have the call implemented in our rpc_server. What netr_DsRGetSiteName()
actually does is an ldap query to get the sitename, we can just do the
same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 26 08:06:08 UTC 2024 on atb-devel-224
2024-02-26 08:06:08 +00:00
Andreas Schneider
e758425869 librpc:idl: Make netlogon_samlogon_response public
This is required that we can use it with ndrdump or in python to decode
a NETLOGON_SAM_LOGON_RESPONSE_EX ldap response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15588

Signed-off-by: Andreas Schneider <asn@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-26 06:57:31 +00:00
Shaleen Bathla
bdd739c1ad s3: winbindd: assign rangenum member after NULL check
if we are doing NULL check for range, then we should assign its member
after the NULL check.

Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Feb 22 10:57:38 UTC 2024 on atb-devel-224
2024-02-22 10:57:38 +00:00
Shaleen Bathla
205866a195 s3: winbindd: reduce scope of a variable
reduce scope of variable as a best practice

Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-02-22 09:47:44 +00:00
Shaleen Bathla
cde71074e0 s3: winbindd: remove double initialization
remove re-initialization of entry variable in for loop

Signed-off-by: Shaleen Bathla <shaleen.bathla@oracle.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-02-22 09:47:44 +00:00
Martin Schwenke
dd9b11acbc ctdb-protocol: Add missing push support for new controls
CTDB_CONTROL_TCP_CLIENT_DISCONNECTED and
CTDB_CONTROL_TCP_CLIENT_PASSED were added in commits
c6602b686b and
037e8e449d.  They were missing test
support for the packet push/pull.  While adding the testing (for
completeness, before adding another new control) I noticed that the
push functionality was absent.  This adds that, along with the test
support.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15580

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 19 10:21:48 UTC 2024 on atb-devel-224
2024-02-19 10:21:48 +00:00
Noel Power
885850b6aa s3/rpc_client: Fix array offset check
Previous to this commit we were modifying the offset before
the array offset check. This was causing a spurious debug
message indicating the offset was out of bounds. An second
problem is that upon detecting the error we don't exit the loop.
A third problem was that when reading the offset the check
didn't cater for the size of the integer address about to be read.

This commit moves the offset check to before the first read,
additionally when an error is detected now we actually exit the loop
and the offset have been corrected to include the size of the
integer to be read

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Feb 17 17:58:43 UTC 2024 on atb-devel-224
2024-02-17 17:58:43 +00:00
Noel Power
f487211706 s3/rpc_client: Ensure max possible row buffer size is not exceeded
The max buf size of rows buffer should not exceed 0x00004000.
Ensuring this value is within limits means we can safely use
uint32_t offsets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-02-17 16:51:37 +00:00
Noel Power
01e901ef86 idl: Add constant for max rows buffer size
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15579
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-02-17 16:51:37 +00:00