1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

3872 Commits

Author SHA1 Message Date
Pavel Filipenský
6f073f258f s3:rpc_server: Fix double blackslash issue in dfs path
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15400

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul  5 20:24:35 UTC 2023 on atb-devel-224
2023-07-05 20:24:35 +00:00
Pavel Filipenský
2af9c65f2a s3:tests: Add rpcclient 'dfsgetinfo' test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15400

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-07-05 19:26:31 +00:00
Andreas Schneider
60b02126a3 selftest: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-05 06:34:32 +00:00
Volker Lendecke
eb2978f55c test: skip the open-eintr test
With 7bb8af3f74 we already had to tune the error_inject VFS object to filter
out the openat-calls coming from filename_convert_dirfsp&friends. With
the next patch openat() will be called from even more places, and I
don't really see a good way to properly deal with EINTR in all the
places where it can happen. The real case where EINTR is something we
need to handle properly I guess is with kernel oplocks active: open()
waits for another process to give up its kernel oplock, which opens
the window for EINTR to become a valid case to properly take care
of. For all other opens I would be willing to live with the fact that
we just return an error message that might be different from Windows.

To detect that kernel oplock case properly, with O_PATH we have to
look at the /proc/self/fd/<n> reopen or the O_EMPTY_PATH FreeBSD
flavor from inside the error_inject module I guess. But then, the
second time we come around the corner we have to let it pass.

Difficult to properly test, disable the test for now.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-06-30 10:42:36 +00:00
Joseph Sutton
e936788712 s4:kdc: Include default groups in security token
This is consistent with the behaviour of the existing function
_authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
34760dfc89 s4:kdc: Implement Heimdal hook for resource-based constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
fc33033bac tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
fcfdb44381 tests/krb5: Be less strict regarding acceptable delegation error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Volker Lendecke
de2738fb9a smbd: Don't mask open error if fstatat() fails
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jun 26 16:53:21 UTC 2023 on atb-devel-224
2023-06-26 16:53:21 +00:00
Volker Lendecke
13d199bea0 tests: Show smbd returns wrong error code when creating on r/o fs
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15402
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-06-26 15:53:36 +00:00
Joseph Sutton
3240ac4ebe s4:kdc: Check authentication policy server restrictions
For a constrained delegation request, we need to pass ‘delegated_proxy’
(and the delegated proxy PAC, if one was provided) into
samba_kdc_update_pac() so that we can verify that the delegating server
is allowed to authenticate to the target server.

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
9a9f479919 s4:kdc: Check authentication policy device restrictions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
8b1897f02e tests/krb5: Test that client policies are not enforced with S4U
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
95c02a9794 third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
1abc2543cd tests/krb5: Add test for authenticating with disabled account and wrong password
This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
26d7d1a5af s4:auth: Log authentication policies for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
7748e6857c tests/krb5: Test authentication policy audit logging
For each test, we check the authentication logs and ensure the messages
are as we expect.

We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment,
assuming that MIT doesn’t support logging for those cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Rob van der Linde
6056566a18 netcmd: domain: rename claim tests for consistency
The domain_auth tests are also prefixed with domain, it matches the
cli command "samba-tool domain claim".

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00
Rob van der Linde
35d04e2463 netcmd: domain: tests for auth silo command line tools
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00
Stefan Metzmacher
a75378e354 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
2023-06-24 07:18:03 +00:00
Stefan Metzmacher
28cf6c7067 s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:35 +00:00
Joseph Sutton
ad98643fbd s4:kdc: Replace FAST cookie with dummy string
All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224
2023-06-21 13:19:17 +00:00
Joseph Sutton
53caae00b8 tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
The cookie produced by Windows differs depending on whether FAST was
used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-21 12:23:32 +00:00
Volker Lendecke
880eb2bd56 libsmb: Test smb1 mknod
Requires O_PATH to work correctly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-16 16:14:31 +00:00
Joseph Sutton
6c9c7c5b69 s4:auth: Enforce machine authentication policy for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
7a7dbdb773 s4:auth: Enforce device restrictions for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
7c6dbe3195 tests/krb5: Test authentication with policy restrictions and a wrong password
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
a9534e7be0 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
117bba98a1 tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
868e114660 s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
d1fcecd121 tests/auth_log: Properly expect authentication failures
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
7c66cd4dfd selftest: Remove duplicate knownfails
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
60f76b9ec8 selftest: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Andrew Bartlett
f83baa2723 selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
This allows the backup/restore process to pass once the DC startup
code confirms what DC level the domain functional level in the DB
is expecting.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Pavel Filipenský
99d42ed865 selftest: set 'winbind expand groups = 10' for ad_member_idmap_rid
This is for alias members tests.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Stefan Metzmacher
666a78a41f selftest: run tests with LANGUAGE=en_US
This is important in order to run /usr/bin/kpasswd from MIT...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-10 09:51:38 +00:00
Volker Lendecke
f30f5793ad libsmb: Fix directory listing against old servers
cli_list_trans_recv() can be called multiple times. When it's done, it
return NT_STATUS_OK and set *finfo to NULL. cli_list_old_recv() did
not do the NULL part, so smbclient would endlessly loop.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15382

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun  1 21:54:42 UTC 2023 on atb-devel-224
2023-06-01 21:54:41 +00:00
Volker Lendecke
e86234f3d6 tests: Show that we 100% loop in cli_list_old_recv()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15382

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-01 21:00:36 +00:00
Volker Lendecke
4804d6b89a tests: Make timelimit available to test scripts
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15382

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-01 21:00:36 +00:00
Andrew Bartlett
9aa440d52d s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly
Otherwise, punt to winbindd to see if another DC has this capability.

This allows a FL2008-emulating DC to forward a request to a
2012R2-emlating DC, particularly in another domain.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 31 04:59:01 UTC 2023 on atb-devel-224
2023-05-31 04:59:01 +00:00
Andrew Bartlett
0f3abb291f s3-libads: Also handle the DS_WEB_SERVICE_REQUIRED flag in check_cldap_reply_required_flags()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:36 +00:00
Andrew Bartlett
63e2db8206 s4-libads: Confirm newer functional levels in check_cldap_reply_required_flags()
This will allow us to require that the target DC has FL 2008,
2012, 2012R2 or 2016.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:36 +00:00
Andrew Bartlett
ff310caabd librpc: No longer consider the DS_DIRECTORY_SERVICE_{8,9,10}_REQUIRED bits as invalid
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
6f30eca3bb sefltest: Improve getdcname test by confirming the _REQUIRED flag behaviours
We do this by checking what the underlying CLDAP netlogon call returns.

This also validates that behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
2a0e53374d selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work
We need to confirm this both for forwarded requests, and also for requests
direct to the possible DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon May 29 23:29:50 UTC 2023 on atb-devel-224
2023-05-29 23:29:50 +00:00
Joseph Sutton
47a0b9a4cb tests/auth_log: Make discardMessages() more reliable
It can take two or three calls to msg_ctx.loop_once() before a message
comes in. Make sure we get all of the messages.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
5c1ea54cea tests/auth_log: Expect no messages when changing a non-existent user’s password
These log messages come from setUp(), and the fact that we are getting
them is merely a side-effect of the unreliability of discardMessages().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Ralph Boehme
55bd104564 libadouble: allow FILE_SHARE_DELETE in ad_convert_xattr()
Not specifying FILE_SHARE_DELETE wasn't done intentionally. Not setting the flag
triggers the following problem:

* client sends a CREATE with delete access

* this triggers a call to open_streams_for_delete() where we check for
conflicting opens on any of the streams of the file or directory

* if the file (or directory) has a stream like ":com.apple.quarantine" the
stream is opened with DELETE_ACCESS and kept open when the next step might:

* if the file (or directory) has a Mac specific :AFP_AfpInfo stream, the
ad_convert() routine in fruit_create_file() is triggered

* ad_convert() checks if the file (or ...) has a sidecar ._ AppleDouble file, if
it has:

* in ad_convert_xattr() we unpack any set of xattrs encoded in the AppleDouble
file and recreate them as streams with the VFS. Now, if any of these xattrs
happens to be converted to a stream that we still have open in
open_streams_for_delete() (see above) we get a NT_STATUS_SHARING_VIOLATION

This error gets passed up the stack back to open_streams_for_delete() so the
client CREATE request fails and the client is unhappy.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-05-25 23:59:33 +00:00
Ralph Boehme
59eadfe21a CI: add a test for fruit AppleDouble conversion when deletion triggers conversion
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-05-25 23:59:33 +00:00
Ralph Boehme
0391120079 smbd: zero intialize SMB_STRUCT_STAT in vfswrap_readdir()
Avoid returning an uninitialized st.cached_dos_attributes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15375

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-05-24 20:41:38 +00:00