1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

138115 Commits

Author SHA1 Message Date
Douglas Bagnall
6347b0c373 pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
The old test

   x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')

went through some contortions to see if the character was printable, and
it got it slightly wrong. The idea was that `repr(chr(97)` is "'a'",
while `repr(chr(167)` is "'\xa7'", which we can distinguish using the
length. But that miscategorised the backslash character, which is
represented as "'\\'", a string of length 4, so it was show as '.'
instead.

Instead we notice that the characters we want to print in a hexdump
are exactly those between 32 and 126, inclusive.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
300bb809ab samba-tool domain trust: avoid useless use of string_to_byte_array
`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
f8fb9f19bc python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
`pw.encode('utf-16-le')` is always bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
3b349c29b5 python:join: avoid useless use of py2-compat string_to_byte_array
This was a workaround for the migration to Python 3, but is now just
extra work for the computer and cognitive load for us.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
46933bc25d py:emulate: remove py2 str/bytes workaround in traffic_packets
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
25e6d7c6a3 py:emulate: remove py2 str/bytes workaround in traffic
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
f0cf187968 pytest: remove py2 str/bytes workaround in auth_log_samlogon
It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
bd3792005b pytest: remove py2 str/bytes workaround in samr_change_password
It is likely not necessary to cast to list().

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
2dc111b4c1 pytest: remove py2 str/bytes workaround in lsa_utils
It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
b253b4e0ed pytest: remove py2 str/bytes workaround in dns_base
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
5d2ea6908b pytest: remove py2 str/bytes workaround in py_credentials
It is likely not necessary to cast to list() in most cases.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Douglas Bagnall
de19f4d675 s4/pytest: remove py2 str/bytes workaround in getnc_exop
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Noel Power
788ef8f07c s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share
This patch also removes known fail for existing test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224
2024-06-11 19:31:40 +00:00
Noel Power
7f1de90f72 selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
2024-06-11 18:28:34 +00:00
Jeremy Allison
e535bcc698 s3: vfs_widelinks: Allow case insensitivity to work on DFS widelinks shares.
Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224
2024-06-11 17:00:38 +00:00
Jeremy Allison
e37e4f4749 s3/torture: Add test for widelink case insensitivity on a MSDFS share.
Add knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-06-11 15:53:38 +00:00
Douglas Bagnall
db342d86a9 samba-tool user readpasswords: avoid assert for validation
`assert` can be optimised away if python is run with `-O`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224
2024-06-11 05:32:28 +00:00
Jo Sutton
b42c489180 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
facb418c99 s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
5ffa768329 s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
7ae10eb25f s4:auth: Add common out path to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
4e8ca6140a ldb: Attach appropriate ldb context to returned result
This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Anoop C S
225e6aeafc s4/torture: Remove already existing test_dir
In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224
2024-06-10 13:17:58 +00:00
Anoop C S
3b230769b0 s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-10 12:16:32 +00:00
Andrew Bartlett
469b22b849 python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
This flexiblity in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error
return and just be consistent between the different authentication paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224
2024-06-10 05:32:54 +00:00
Andrew Bartlett
15686fec98 python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done
This makes sense as otherwise the user would suddenly not know their password
for use when they do not use their smartcard.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
f3528808ab WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
2854ef29b8 provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default
We do this by telling the Domain Functional Level upgrade code that
this is a new install.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
dee3c7be58 selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
This assures us that the new provision sets the value by default.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
491b79d445 kdc: Rotate smart-card only underlying password in 2nd half of lifetime
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours.  The internet
suggestions of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
8afe27058b kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime.  This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
1e1c80656f kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
d03b3faeb8 s4-auth: Use consistant externally-supplied time in auth stack
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts.  By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1dcd8be8f0 kdc: Use a consistent, stable time throughout the Heimdal KDC
The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
fe61009002 kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
This will ensure that the time which will be is passed in an opaque is
not used by other parts of Samba

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
e178f6b0e9 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
9ba5ebf4af kdc: Remove confusing duplicate open of sam.ldb to find RODC status
Instead, make this query after we open the DB in common with the MIT code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
09ae48b415 dsdb: Prepare to handle smartcard password rollover
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1bcc9f0015 dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
This both allows the time to be overriden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
cc3ea4ed57 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.

Samba now honours the password expiry.

This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
3669479f22 dsdb: Reduce minimum maxPwdAge from 1 day to nil
This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
302619f66f dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
7c79abbab4 python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired
The tests of passwords that will expire in the TGT lifetime fail against
windows, we do not see the rotation in that case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
044cc53860 python/test/krb5: Use assertAlmostEqual in check_ticket_times()
This allows Windows behaviour with clock skew to be allowed for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
68fa90754f python/tests/krb5: Move check_ticket_times() to kdc_base_test.py
This will allow other parts of the testsuite to use this helpful function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
48bff4b95f python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts
This demonstrates behaviour against a server presumed to be in FL 2016
what the impact of the msDS-ExpirePasswordsOnSmartCardOnlyAccounts
attribute is.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
a85f4c661b python/tests/krb5: Remove unused utf16pw variable
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
504a47ecfd python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
Windows 2022 at April 2024 has change and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6.

(This is an improvement to Windows security).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
dc6c4b215e python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
We have had confirmed from MS that this behaviour is both deliberate
and required.  Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value otherwise DPAPI
(local keychain) secured by this value can fail on the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
4ec24a2076 python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00