1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

3334 Commits

Author SHA1 Message Date
Stefan Metzmacher
7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00
Stefan Metzmacher
2232d8408e selftest: set [libdefaults] fcache_strict_checking = false
We're using uid_wrapper so the checks will fail.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-01-19 20:50:35 +00:00
Andrew Bartlett
71685966c2 selftest: knownfail updates after Heimdal Upgrade
The Heimdal upgrade brings the new feature of FAST, allowing more tests to pass.

However it causes a regression in FL2003 for the returned salt format in
the AS-REP, but FL 2003 has not been the default since Samba 4.2 as AES
keys are much stronger and should be preferred.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
775bfc7250 tests/krb5: Add AS-REQ PAC tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
f94bdb41fc tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
48362a706f tests/krb5: Add FAST enc-pa-rep tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Stefan Metzmacher
8115fb03b6 dsdb/schema: fix Object(OR-Name) syntax definition
This is a strange one, it uses DN_BINARY in the drsuapi
representation, while the binary part must be 0 bytes.
and the LDAP/ldb representation is a plain DN (without 'B:').

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Stefan Metzmacher
e16d29f719 dsdb/schema/tests: let samba4.local.dsdb.syntax call the validate_dn() hook
This demonstrates that our OR-Name syntax is wrong,
which wasn't noticed yet as it's not used in the AD-Schema.

I noticed it by installing the Exchange-Schema on a Samba DC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-12 02:20:27 +00:00
Stefan Metzmacher
1243f52f7a s4:rpc_server/netlogon: let CSDVersion="" wipe operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 11 22:03:03 UTC 2022 on sn-devel-184
2022-01-11 22:03:03 +00:00
Stefan Metzmacher
4a0a0d2fc9 s4:torture/rpc: test how CSDVersion="" wipes operatingSystemServicePack
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14936

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-11 21:13:37 +00:00
Volker Lendecke
b5e56a30df rpcclient: Fix ncacn_ip_tcp:<ip-address>
inet_pton expects "struct in_addr" or "struct in6_addr" as destination
pointer. It does not fill in a struct
sockaddr_storage. interpret_string_addr() takes care of this.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Jan 10 11:47:34 UTC 2022 on sn-devel-184
2022-01-10 11:47:34 +00:00
Volker Lendecke
03734be1d6 test: Test rpcclient ncacn_ip_tcp:<ip-address>
Right now connecting to an IP address is broken.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-10 10:59:36 +00:00
Jeremy Allison
23fbf0bad0 s3: smbd: Create and use a common function for generating a fileid - create_clock_itime().
This first gets the clock_gettime_mono() value, converts to an NTTIME (as
this is what is stored in the dos attribute EA), then mixes in 8 bits of
randomness shifted up by 55 bits to cope with poor resolution clocks to
avoid duplicate inodes.

Using 8 bits of randomness on top of an NTTIME gives us around 114
years headroom. We can now guarentee returning a itime-based
fileid in a normal share (storing dos attributes in an EA).

Remove knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jan  8 06:35:22 UTC 2022 on sn-devel-184
2022-01-08 06:35:22 +00:00
Jeremy Allison
30fea0d311 tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
smb2.fileid_unique.fileid_unique
smb2.fileid_unique.fileid_unique-dir

Create 100 files or directories as fast as we can
against a "normal" share, then read info on them
and ensure (a) top bit is set (generated from itime)
and (b) uniqueness across all generated objects
(checks poor timestamp resolution doesn't create
duplicate fileids).

This shows that even on ext4, this is enough to
cause duplicate fileids to be returned.

Add knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2022-01-08 05:43:32 +00:00
Jeremy Allison
099c62a654 s3: smbclient: In do_host_query(), if we need SMB1, ensure we select NT1 as the client max protocol" before continuing.
Remove knownfail: selftest/knownfail.d/list_servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Jan  6 11:50:32 UTC 2022 on sn-devel-184
2022-01-06 11:50:32 +00:00
Jeremy Allison
0d9d1546a7 s3: selftest: Add two tests that show we try and send an SMB1 request over an SMB2 connection to list servers if "-mSMB3" is selected.
Add knownfail: knownfail.d/list_servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14939

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2022-01-06 10:57:30 +00:00
Stefan Metzmacher
dd98861005 auth/ntlmssp: make sure we return INVALID_PARAMETER for NTLMv2_RESPONSE parsing errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan  4 20:57:41 UTC 2022 on sn-devel-184
2022-01-04 20:57:41 +00:00
Stefan Metzmacher
e0b705d26f s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE
should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer.

This is different from the netr_LogonSamLogon*() case, where it is
ignored instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Stefan Metzmacher
f123c1a171 libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds ignore BUFFER_TOO_SMALL
Windows doesn't complain about invalid av_pair blobs,
we need to do the same.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Stefan Metzmacher
e7e521fe9b s4:torture/rpc: add test for invalid av_pair content in LogonSamLogonEx
A netapp diag tool uses a NTLMv2_CLIENT_CHALLENGE with invalid bytes
as av_pair blob. Which is supposed to be ignored by DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-01-04 20:07:28 +00:00
Stefan Metzmacher
9d2bf01537 s3:libsmb: fix signing regression SMBC_server_internal()
commit d0062d312c introduced
SMBC_ENCRYPTLEVEL_DEFAULT as default, but the logic to enforce
signing wasn't adjusted, so we required smb signing by default.

That broke guest authentication for libsmbclient using applications.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Dec 27 16:38:11 UTC 2021 on sn-devel-184
2021-12-27 16:38:11 +00:00
Stefan Metzmacher
0a808f6b53 s4:selftest: run libsmbclient.noanon_list against maptoguest
This demonstrates the problem with guest access being rejected
by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-12-27 15:45:36 +00:00
Stefan Metzmacher
648b476dcd selftest/Samba3: enable SMB1 for maptoguest
guest authentication is an old school concept,
so we should make sure it also works with SMB1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-12-27 15:45:36 +00:00
Joseph Sutton
0f4eca775a tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
2021-12-15 04:33:11 +00:00
Joseph Sutton
bba30095ca kdc: Pad UPN_DNS_INFO PAC buffer
Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
31f3e81579 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
This alignment should be done on the Samba side instead.

This reverts commit 28a5a586c8.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
7dfcbc4e38 tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Andreas Schneider
e95fb04c5d s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Jeremy Allison
b5e7e7b65a s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
This must be done before doing POSIX calls on a connection.

Remove the final entry in knownfail.d/posix_infolevel_fails

    samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)

And remove the file knownfail.d/posix_infolevel_fails itself.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Sat Dec 11 12:03:36 UTC 2021 on sn-devel-184
2021-12-11 12:03:36 +00:00
Jeremy Allison
89f284af61 s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entries in knownfail.d/posix_infolevel_fails.

    samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
e7f2cfb544 s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
Remove the following entry in knownfail.d/posix_infolevel_fails.

	samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
6453e5aac4 s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
Cope with the minor difference in wildcard search return when
we're actually using SMB1+POSIX on the server (SMB1+POSIX treats
all directory search paths as wildcards).

Remove the following entries in knownfail.d/posix_infolevel_fails.

	samba3.unix.info2.info2\(nt4_dc_smb1\)
        samba3.unix.info2.info2\(ad_dc_smb1\)

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
397cc7599b s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
Remove the following entry in knownfail.d/posix_infolevel_fails.

	^samba3.raw.search.one\ file\ search.*

from knownfail.d/posix_infolevel_fails

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Jeremy Allison
59fa3806c9 s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
Add knownfail file

	knownfail.d/posix_infolevel_fails

for tests that don't currently negotiate
SMB1+POSIX before using SMB1+POSIX calls.

These are:

samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
samba3.unix.info2.info2\(nt4_dc_smb1\)
samba3.unix.info2.info2\(ad_dc_smb1\)
samba3.raw.search.one\ file\ search.*

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-11 11:14:31 +00:00
Volker Lendecke
730f7dfd61 s3:rpc_server: Delete unused code and doc references
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
a7c65958a1 s3:rpc_server: Activate samba-dcerpcd
This is the big switch to use samba-dcerpcd for the RPC services in
source3/. It is a pretty big and unordered patch, but I don't see a
good way to split this up into more manageable pieces without
sacrificing bisectability even more. Probably I could cut out a few
small ones, but a major architechtural switch like this will always be
messy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
d522a8cce1 s3:rpc_server: Add samba-dcerpcd helper programs
These are rpcd_* binaries.

rpcd_classic collects everything that's not specific

Changes the epmapper to read the epmdb.tdb, which will make the
epmapper tests non-bisectable until the switch is done.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
a0075a1fd0 unittest: Remove test_sambafs_srv_pipe
is_known_pipename() will be removed soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Jeremy Allison
d2aae105c6 s3: torture: Remove the wildcard unlink test code.
This is pre WindowXP SMB1 functionality, and we
need to remove this from the server in order to
move towards SMB2-only, so the test must go.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-12-09 18:06:35 +00:00
Joseph Sutton
7d14aedd3d tests/krb5: Add test for FAST with invalid ticket checksum
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00
Joseph Sutton
6bf3610c5d tests/krb5: Make edata checking less strict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00
Joseph Sutton
dfe6ef6f3e tests/krb5: Add tests for FAST with use-session-key flag and armor ticket
This flag should be ignored and the FAST armor key used instead.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00
Joseph Sutton
1eb1049d2b tests/krb5: Don't request renewable tickets
This is not necessary for testing FAST, and was causing some of the
tests to fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00
Joseph Sutton
f8e55b3670 tests/krb5: Adjust expected error codes for FAST tests
This allows more of the tests to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-07 07:40:33 +00:00
Joseph Sutton
8bd7b316bd kdc: Canonicalize realm for enterprise principals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 04:54:35 UTC 2021 on sn-devel-184
2021-12-07 04:54:35 +00:00
Joseph Sutton
860065a3c9 tests/krb5: Add tests for AS-REQ with an SPN
Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-06 22:08:32 +00:00
Joseph Sutton
31900a0a58 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-06 22:08:32 +00:00
David Mulder
528e5efc17 samba-tool: Test DNS record creation on member join
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-06 22:08:31 +00:00
Andreas Schneider
d1ea9c5aab libcli:auth: Allow to connect to netlogon server offering only AES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Dec  2 14:49:35 UTC 2021 on sn-devel-184
2021-12-02 14:49:35 +00:00
Günther Deschner
6bf3a39b11 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-02 13:59:31 +00:00