IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the protoype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped not to given an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The previous commits restricted to MIT KDC build to MIT 1.19 and this removes the
#ifdef in the code of what will become untested code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 26 07:05:44 UTC 2021 on sn-devel-184
Sadly krb5_enctype_to_string() fails when des-cbc-crc encyrption
type is removed, leaving a failure the operate rather than
falling back to anything useful.
So fall back to printing 3 in the absense of anything more
useful. A future fix could be to hard-code this mapping
in the smb_krb5_enctype_to_string() wrapper.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Aug 6 05:53:44 UTC 2021 on sn-devel-184
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug 5 10:33:18 UTC 2021 on sn-devel-184
This matches Windows KDCs, which was demonstrated by the
krb5.as_req_tests tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jul 1 18:37:14 UTC 2021 on sn-devel-184
We need to duplicate the string as lp_load() will free the s4_conf_file
pointer and set it again.
Found with AddressSanitizer.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.
Add the missing elements to lib/util/safe_string.h remove the other
safe_string.h which is in the source3-specific path. To accomodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for
Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos.
If a service account has msDS-SupportedEncryptionTypes: 31
and DES keys stored in Primary:Kerberos, we'll pass the
DES key to smb_krb5_keyblock_init_contents(), but may get
KRB5_PROG_ETYPE_NOSUPP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Match Windows behavior and allow the forwardable flag to be
set in cross-realm tickets. We used to allow forwardable to
any server, but now that we apply disallow-forwardable policy
in heimdal we need to explicitly allow in the corss-realm case
(and remove the workaround we have for it the MIT plugin).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
With MIT library 1.18 the KDC no longer set
KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
us to not canonicalize them (like in Windows / Heimdal).
However, it now breaks the PAC signature verification as it was
wrongly done using canonical client rather than ticket client name.
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Dec 17 09:24:56 UTC 2019 on sn-devel-184
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Tue Dec 10 10:44:01 UTC 2019 on sn-devel-184
We need the target service without realm, but the proxy services with realm.
I have a domain with an w2008r2 server and a samba and now both generate
the same S4U_DELEGATION_INFO.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13133
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Fold the two 32 bit values logon_id_high and logon_id_low into a single
64 bit logon_id in netr_identity_info. This will be used to tie
together winbind and SamLogon requests in audit logging.
Summary of the of the Query and Response from Microsoft on it's usage.
[REG:119013019612095] [MS-NRPC]: NETLOGON_LOGON_IDENTITY_INFO: Does
the Reserved field have LogonId meaning?
Questions:
In NetrLogonSamLogonEx does the Reserved field
(of NETLOGON_LOGON_IDENTITY_INFO) have LogonId meaning?
What is a valid LogonID, and does have any audit usage?
Samba is sending a constant "deadbeef" in hex and would like to
understand any usage of this field.
Response:
The NRPC spec is accurate in defining the field as Reserved, and without
protocol significance. In the header file in our source code, it is
defined as LogonId and commented as such, but it’s effectively not used.
This is probably why the API structure has that field name. It may have
been intended as such but it’s not used.
Samba will send a random value in this field.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This fixes a compile error on sn-devel184.
Signed-off-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Jan 19 15:36:51 CET 2019 on sn-devel-144
Replace kerberos context initialization from
raw krb5_init_context() to smb_krb5_init_context_basic()
which is adding common tracing as well.
Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu Dec 20 01:31:17 CET 2018 on sn-devel-144
When calling encode_krb5_padata_sequence() make sure to
pass a null terminated array as required.
Fixes expired passowrd case in samba4.blackbox.kinit test.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This can be triggered with FAST but we don't support this yet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL. Use the name from client entry instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.
This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Restart any pre-fork master or worker process that exits with a non
zero exit code.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Fix fallout from the KDC prefork patchset (99aea42520fc..).
GCC warns when Samba is being built with --with-system-mitkrb5.
Fix this by adapting the signature of mitkdc_task_init() to match
task_init which has been extended to return a status code.
Status codes try to mimick those of kdc-heimdal.c:kdc_task_init()
as closely as possible.
Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Pass the instance number to the post_fork hook. This is required to
allow the rpc_server to support the prefork process model.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Modify the kdc to allow it to run in the prefork process model. The
task_init function has been split up and code moved into the post_fork
function.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Add a post fork hook to the service API this will be called:
- standard process model
immediately after the task_init.
- single process model
immediately after the task_init
- prefork process model, inhibit_pre_fork = true
immediately after the task_init
- prefork process model, inhibit_pre_fork = false
after each service worker has forked. It is not run on the service
master process.
The post fork hook is not called in the standard model if a new process
is forked on a new connection. It is instead called immediately after
the task_init.
The task_init hook has been changed to return an error code. This ensures
the post_fork code is only run if the task_init code completed successfully.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Sep 5 16:17:59 CEST 2018 on sn-devel-144
This is not a general purpose profiling solution, but these JSON logs are already being
generated and stored, so this is worth adding.
Some administrators are very keen to know how long authentication
takes, particularly due to long replication transactions in other
processes.
This complements a similar patch set to log the transaction duration.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
