IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Avoid returning an uninitialized st.cached_dos_attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Now we get the error “environment [...] is unknown” rather than “samba
can't start up known environment”.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Samba*::setup_*() may return the string "UNKNOWN".
```
$ ./configure --with-ads ...
...
$ make
...
$ make test
...
Can't use string ("UNKNOWN") as a HASH ref while "strict refs" in use at /.../samba-4.18.2/selftest/target/Samba.pm line 131.
```
Signed-off-by: SATOH Fumiyasu <fumiyas@osstech.co.jp>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.
NOTE: This commit finally works again!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224
With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.
hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.
hdb_samba4_get_ntstatus() gets that status code back from the request
structure.
hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
This is not yet supported in full, but this makes ad_dc match our full set of available features.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The $$$$$$$ is removed as it does not do what you think it does.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The change to make this independent in fc9845da69
was incorrect, as no distinct name was specified so this would conflict with
the ad_dc_ntvfs environment over the IP and name "localdc".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This will allow fl008dc to become an alias of ad_dc_ntvfs again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue May 9 02:58:45 UTC 2023 on atb-devel-224
prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.
While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)
Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.
adjust
samba4.blackbox.samba-tool_ntacl
samba3.blackbox.large_acl
samba.tests.samba_tool.ntacl
samba.tests.ntacls
samba.tests.posixacl
so various string comparisons of the sddl format now pass
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
numbers, eg 0x001]
value for FA should be 0x001f01ff (instead of 0x00001ff)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The "FA" flag should map to 0x1f01ff, and 0x1f01ff should be converted
back into "FA".
This will be fixed over the next couple of commits.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The tests that were in SddlWindowsFlagsAreDifferent have the behaviour
we want, and as we aim for Samba flags no longer being different, we
shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing
are removed because they showed Samba's old behaviour around FA.
This will create knownfails, which will be fixed by the commit fixing the
value of "FA".
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
By normal GUID, I mean ones like f30e3bbf-9ff0-11d1-b603-0000f80367c1,
with four hyphens and no curly braces.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It turns out that in accesss flags Windows will allow leading spaces
and spaces separating flags but not trailing spaces.
We choose to follow this in part because we found it happening in the
wild in our tests for upgradeprovision until a few commits ago.
Windows will also allow spaces in some parts of SIDs.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
sddl_decode_sid() will stop at the first non-SID character. Windows
doesn't allow white space here, and nor do we.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Before we just ignored things like negative numbers, because they'd
end up being seen as not-numbers, so treated as flags, then as
not-flags.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows converts hex numbers into flags differently, and has different
ideas of what constitutes "FA", and possibly others.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These ones we might want to match. They are understandable behaviours,
like matching lowercase flags and coping with whitespace in some
places. These tests are set up to document the differences without
overwhelming the knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This of course allows for fine-grained knownfails.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The examples in the canonical list are already in the form that
Windows and Samba will use for that SD. We check the round trip.
The examples in the non-canonical list will change in a round trip, so
we also give the string we think they should end up as. These have
been checked on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The test will fail right now because it makes round trip assertions.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is because in ceetain places we compare strings rather than security
descriptors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't see this happening on Windows.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These occur canonically when the indentifier authority is > 2^32, but
also are accepted by Windows for any number.
There is a tricky case with an "O:" or "G:" SID that is immediately
followed by a "D:" dacl, because the "D" looks like a hex digit. When
we detect this we need to subtract one from the length.
We also need to do look out for trailing garbage. This was not an
issue before because any string caught by the strspn(...,
"-0123456789") would be either rejected or fully comsumed by
dom_sid_parse_talloc(), but with hex digits, a string like
"S-1-1-2x0xabcxxx-X" would be successfully parsed as "S-1-1-2", and
the "x0xabcxxx-X" would be skipped over. That's why we switch to using
dom_sid_parse_endp(), so we can compare the consumed length to the
expected length.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
previously a string could have anything in it, so long as every second
character was ':'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Following Windows, the numbers that would be octal (e.g. "0123") are
converted to decimal by skipping over the zeros.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By using an ldb.Dn as an intermediary, we get to see which SIDs
Samba thinks are OK but Windows thinks are bad.
It is things like "S-0-5-32-579".
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As a way of testing the interpretation of a SID string in a remote
server, we search on the base DN "<SID=x>" where x is a non-existent
or malformed SID.
On Windows some or all malformed SIDs are detected before the search
begins, resulting in a complaint about DN syntax rather than one about
missing objects.
From this we can get a picture of what Windows considers to be
a proper SID in this context.
Samba does not make a distinction here, always returning NO_SUCH_OBJECT.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The Samba side is aspirational -- what we actually do is generally
worse. However the Windows behaviour in these cases seems more
surprising still, and seems to be neither documented nor used.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The reason the existing tests send the SID over the wire as SDDL for
defaultSecurityDescriptor is it is one of the few ways to force the
server to reckon with a SID-string as a SID. At least, that's the case
with Windows. In Samba we make no effort to decode the SDDL until it
comes to the time of creating an object, at which point we don't notice
the difference between bad SDDL and missing SDDL.
So here we add a set of dynamic tests that push the strings through our
SDDL parsing code. This doesn't tell us very much more, but it is very
quick and sort of confirms that the other tests are on the right track.
To run against Windows without also running the internal Samba tests,
add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We are mostly testing edge cases around the handling of numeric
limits.
These tests are based on ground truth established by running them
against Windows.
Many fail against Samba, because the defaulSecurityDescriptor
attribute is not validated at the time it is set while on Windows it
is.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We don't care about the exact time of the test, just that we
disambiguate between different runs (each run leaves an immutable scar
on the target server).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This fixes setting veto files to '.*' to not list hidden files and
directories starting with a dot.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15360
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 19 22:30:19 UTC 2023 on atb-devel-224
streams_depot hands us absolute paths with : filename components
instead of having set smb_fname_in->stream_name.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15358
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Apr 17 18:11:07 UTC 2023 on atb-devel-224
See the next patch, we assert in shadow_copy2_openat() over paths
passed in from shadow_copy2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15358
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The value of NSS_WRAPPER_HOSTNAME needs to match value
we put into the NSS_WRAPPER_HOSTS file.
We had a mismatch of
idmapridmember.samba.example.com
vs.
idmapridmember.addom.samba.example.com
This causes getaddrinfo() in nss_wrapper to fallback to
the libc version, which talks to a dns server.
It's not clear if recent glibc code will reach resolve/socket wrapper.
So it's not unlikely that idmapridmember.samba.example.com will
be passed via the internet, which causes delays up to 20 seconds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15355
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Apr 12 20:29:05 UTC 2023 on atb-devel-224
Testsuites declared with functions such as plantestsuite() are not run
directly, but are piped through filter-subunit. The overall exit code of
the executed test command is that returned by the last command in the
pipeline (that is, filter-subunit), and thus the actual testsuite return
code is lost.
A real consequence of this is that an error in setUpClass() in a Python
testsuite causes the whole testsuite to be skipped silently.
The --fail-on-empty option partially addressed this, but didn't help if
the testsuite contained multiple test classes, only one of which
contained an error.
We now use bash with the pipefail option, which makes the return code of
the last failing command into the return code of the entire pipeline.
That means that we properly fail if a testsuite returns a non-zero exit
code, but doesn't otherwise exhibit any failures in its output.
This doesn't help for cases where a testsuite has other failing tests
that become xfails due to knownfail entries. In that case, the overall
'testsuite-failure' will be turned into 'testsuite-xfail' by
filter-subunit and the silent failures will remain unheeded. Still, this
is better than the existing situation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 12 14:57:55 UTC 2023 on atb-devel-224
If a test fails an assertion, and later calls torture_skip() to skip
part of the test, the TORTURE_SKIP result will overwrite the
TORTURE_FAIL result, and the overall outcome will be successful.
To avoid this, we now arrange possible outcomes in order of priority,
and ensure we always keep the higher priority one.
This reveals some failing tests.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
This is required for the samba3.blackbox.guest test to work. Without it,
the test fails to find a group map.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
The problem is when checking for vetoed names on the last path component in
openat_pathref_fsp_case_insensitive() we return
NT_STATUS_OBJECT_NAME_NOT_FOUND. The in the caller
filename_convert_dirfsp_nosymlink() this is treated as the "file creation case"
causing filename_convert_dirfsp_nosymlink() to return NT_STATUS_OK.
In order to correctly distinguish between the cases
1) file doesn't exist, we may be creating it, return
2) a vetoed a file
we need 2) to return a more specific error to
filename_convert_dirfsp_nosymlink(). I've chosen NT_STATUS_OBJECT_NAME_INVALID
which gets mapped to the appropriate errror NT_STATUS_OBJECT_PATH_NOT_FOUND or
NT_STATUS_OBJECT_NAME_NOT_FOUND depending on which path component was vetoed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15143
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 6 23:03:50 UTC 2023 on atb-devel-224
Some of the most difficult to debug issues in Samba development are around
timing, so this changes our default logging format in the selftest system
to include a high-resolution timestamp to help correlate bad events with
what else is going on at the same time.
This fits in well with the timestamps already logged into st/subunit
and may assist with correlation.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr 6 13:44:47 UTC 2023 on atb-devel-224
We get the realm we use for authentication needs to
the realm belonging to the username we use.
We derive the username from c->creds, so we need to
do the same for the realm.
Otherwise we try to authenticate as the wrong user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 6 01:33:05 UTC 2023 on atb-devel-224
This demonstrates that the server did not detect CVE-2023-0922
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.
Add or replace operations with no values and no privileges are
disallowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The smbget utility doesn't use the common command line parser, so it
doesn't support paring of DOMAIN/user or user@realm.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15345
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not overwrite the "rc=1" initialization with the tdb_check
retval. This will lead to tdb_validate_child() returning 0 even when
validate_fn() found invalid entries.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14789
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Remove knownfail for posix path handling of case/reserved char
Signed-off-by: David Mulder <dmulder@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224
We now create a client claims blob and add it to the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
More of these tests now pass against Windows. They still don't quite all
pass, but that's something to fix for another day.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Added delete protected test to known fail as Samba doesn't seem to enforce this yet.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Remove knownfail on SMB1-DFS-SEARCH-PATHS, as we now
pass it with the new SMB1 remove DFS paths before pathname processing
changes.
Note, we still fail:
smb1.SMB1-DFS-PATHS.smbtorture\(fileserver_smb1\)
smb1.SMB1-DFS-OPERATIONS.smbtorture\(fileserver_smb1\)
even with the new SMB1 remove DFS paths before pathname
processing as those tests test *very* specific Windows behaviors. We now
pass many more of the individual internal tests, but
in order to pass them all completely I need to add
specific --with-sambaserver checks to avoid some
of the Windows DFS SMB1 insanity (error messages).
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 31 06:07:01 UTC 2023 on atb-devel-224
In smb2, smb1req->flags2 now never uses FLAGS2_DFS_PATHNAMES,
ucf_flags never has UCF_DFS_PATHNAME, and all calls to check_path_syntax_smb2()
pass "false" in this is_dfs parameter.
Remove all knownfails for smb2.SMB2-DFS* tests.
Now I can clean up check_path_syntax_smb2() and add
an assertion into filename_convert_dirfsp_nosymlink() that
UCF_DFS_PATHNAME is *NEVER* set in the ucf_flags for an
SMB2 connection.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Even if the client claims it's a DFS pathname. Matches what Windows does if it gets
a DFS pathname on a non-DFS share.
Remove samba3.smbtorture_s3.smb2.SMB2-NON-DFS-SHARE.smbtorture\(fileserver\)
test knownfail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
There's nothing we can do to such a server (this
now matches the behavior for SMB1).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 29 18:58:33 UTC 2023 on atb-devel-224
smbclient crashes when smbd has "smb2 max read = 0"
in the [global] section of smb.conf.
We should fail the protocol negotiation with
NT_STATUS_INVALID_NETWORK_RESPONSE in this case.
Adds knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15306
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Not a comprehensive test for all possible combinations, but it shows
the basic functionality, and it found a bug in the initial
implementation :-)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Backlinks which are not allowed by the schema are hidden by default,
so we already set DSDB_RMD_FLAG_HIDDEN_BL on store, so we have a cheap
way to hide the backlinks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 23 08:19:20 UTC 2023 on atb-devel-224
msDS-KeyCredentialLink/msDS-KeyCredentialLink-BL are defined as linked attribute pair,
but msDS-KeyCredentialLink-BL is not defined as allowed on any object class definition,
still it's possible to create msDS-KeyCredentialLink attributes.
msDS-KeyPrincipal/msDS-KeyPrincipalBL are also defined as linked attribute pair
and msDS-KeyPrincipalBL is only allowed on object class 'user', but it's possible
to create msDS-KeyPrincipal values pointing to non 'user' objects.
The result is that 'user' objects have a visible msDS-KeyPrincipalBL, but
the others don't have msDS-KeyPrincipalBL visible, by default.
The backlinks are always visible if the backlink attributes are
explicitly requested.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12967
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to pass the new tests we just added.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These demonstrate how inherited aces are constructed and applies
per objectclass, with and without the NO_PROPAGATE_INHERIT flag.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15338
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar 20 20:20:41 UTC 2023 on atb-devel-224
This works as long as both tickets are issued by the same RODC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.
This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
By deferring the writing out to the DB of link replication to the very end, we have a
better chance that all the objects required are present, however the situation may
have changed during the cycle, and a link could still be sent, pointing to a deleted
object.
We currently fail in this situation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Functions like `add_lock_to_json` and `add_profile_item_to_json` pass
some values to `json_add_int` with `intmax_t` types. This may cause
arithmetic overflow when the value grows very fast, such as the
read_bytes profiling data.
Use `json_add_int` instead of `int` to avoid the overflow.
RN: Make json output show intmax_t value properly
Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 9 21:33:43 UTC 2023 on atb-devel-224
Show that `json_add_int` can't handle value larger than int32 due to
overflow.
Add knownfail.
Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When we modify a GPO, we must increment the
version number in the GPT.INI, otherwise client
machines won't process the update.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15327
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
They have been made superfluous by newer declarative tests in
claims_tests.py and device_tests.py.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These test the interaction between claims and groups in the PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests verify that the groups in the device info structure in the
PAC are exactly as expected under various scenarios.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Create a claim large enough to cause it to be compressed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows erroneously shifts integer syntax claim values four bytes to the
right, resulting in incorrect values (if only one claim is present) or
corrupt claims data that cannot be unpacked (if other claims are
present). There's no reason to emulate such broken behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When open_stream_pathref_fsp() returns
NT_STATUS_OBJECT_NAME_NOT_FOUND, smb_fname_rel->fsp
has been set to NULL, so we must free base_fsp separately
to prevent fd-leaks when opening a stream that doesn't
exist.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Mar 3 16:37:27 UTC 2023 on atb-devel-224
Shows we are leaking an fsp/fd if we request a non-existent stream on a file.
This then causes rename of a directory containing the file to be denied, as
it thinks we have an existing open file below it.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
The bug we're testing for needs "strict rename = no" (the default),
but the existing streams_xattr share uses "strict rename = yes" from
the [global] section.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15314
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This has the lower-case share, used in the next commit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
The 'etype' field in a Kerberos request is ordered. Make this fact
clearer by using a tuple or an array to represent etypes rather than a
set.
get_default_enctypes() now returns encryption types in order of
strength. As a consequence, the encryption type chosen by the MIT KDC
matches up with that chosen by Windows, and more tests begin to pass.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Levels NetlogonValidationSamInfo2 and NetlogonValidationSamInfo4 behave
as might be expected, so we pass those tests. NetlogonValidationSamInfo
returns no resource groups and doesn't set the NETLOGON_EXTRA_SIDS flag,
and we fail its test.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.
The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Primary groups are handled differently from normal groups of which a
user is simply a member. Of particular note is the case where a
domain-local group is made a primary group; a case normally disallowed
by Windows, but not by Samba. Therefore we want tests for it.
Our testing framework must be able to set the user's primary group, and
to clean up afterwards; to set the primary group RID of a PAC; and to
check that the primary group RID is as expected in the PAC returned to
us.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.
In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This lets us test what happens in TGS-REQ exchanges to the KDC, when the
flags and resource groups are simply passed through into the new PAC,
regardless of what value the flags hold.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Crucially, in these tests the user's domain and its SID are different
from our domain and its SID. These tests will assert that in such a case
resource groups are added to the PAC and handled correctly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.
Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.
Add a Samba 4.17 compatibility test for a service with resource SID
compression support.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.
Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan 31 13:43:54 UTC 2023 on atb-devel-224
This allows our new tests to pass as these need to be checked first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We want to totally ignore the string DN if there is a GUID,
as clients like "Microsoft Azure AD connect cloud sync" will
set a literal "DummyDN" string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This make this funciton the gatekeeper between the wire format and the
internal struct ldb_dn, checking if the DN exists and which NC
it belongs to along the way, and presenting only a DB-returned
DN for internal processing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows lookup of a DN with a GUID only or GUID and string,
possibly not yet in the database, yet still getting the correct result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
