IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Advanced configuration for Certifcate Auto
Enrollment is stored on the sysvol, and needs
to be parsed/used when provided.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 3 21:48:57 UTC 2022 on sn-devel-184
Adds advanced configuration to the testing of
certificate auto enrollment. Currently fails.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15042
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr 29 15:50:21 UTC 2022 on sn-devel-184
Passes against Windows. Shows that Windows allows a durable handle
on a leased open for READ_ATTRUBUTES only (a stat open).
Mark as knownfail for now.
NB. Not sure why we are testing smb2.durable-open against ad_dc
as that provisioning has "smb2 leases = no" which precludes
granting durable handles. Not changing for this bug but this
should be looked at in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15042
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Add an initial suite of tests for the smbconf python bindings.
Currently only simple read-only methods are available.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 21 15:33:38 UTC 2022 on sn-devel-184
Because the KDC does not limit protocol transition (S4U2Self), two new
well-known SIDs are available to give this control to the resource
administrator. These SIDs identify whether protocol transition (S4U2Self) has
occurred, and can be used with standard access control lists to grant or limit
access as needed.
See
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 13 13:54:27 UTC 2022 on sn-devel-184
We should make sure that we use NTLMSSP or Kerberos consistently
for the tests and don't mix them.
We're also much stricter and symmetric_difference() to
check if the sets are actually the same.
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Tested also against Windows Server 2022.
Details:
https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Using /tmp directly can lead to errors if multiple autobuilds are
running at the same time. Using tempfile.gettempdir() will look for
$TMPDIR environment variable.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Using /tmp directly can lead to errors if multiple autobuilds are
running at the same time. Using tempfile.gettempdir() will look for
$TMPDIR environment variable.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This test also verifies the KRB5CCNAME environment variable is set after
a successful PAM authentication with Kerberos.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
Only for environment ad_member_idmap_nss.
* !jacknompapper = \@jackthemappergroup
jackthemaper from group jackthemappergroup is mapped to jacknompapper
* !root = jacknomappergroup
since there is no '@' or '+' prefix, it is not an UNIX group mapping
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Apr 1 11:20:35 UTC 2022 on sn-devel-184
RN: shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15035
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 31 18:47:42 UTC 2022 on sn-devel-184
There is no need to specify the enctype and it isn't supported by MIT Kerberos
anyway.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184
There is no need to specify the enctype and it isn't supported with MIT
Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If doing an SMB_VFS_FSTAT() returning onto the stat struct stored in the fsp,
we must call vfs_stat_fsp() as this preserves the iflags.
This is the last SMB_VFS_FSTAT that uses fsp->fsp_name->st, so
remove knownfail.d/durable-v2-setinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 17:21:29 UTC 2022 on sn-devel-184
This is an implementation of a test written by Apple for their
client. Currently fails to reconnect due to btime being overwritten
incorrectly in the SMB2 setinfo path.
Add knownfail.d/durable-v2-setinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15022
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 22 17:48:25 UTC 2022 on sn-devel-184
We currently allow setting the delete on close bit for
a directory containing only explicitly hidden/vetoed files
in the case where "delete veto files = yes" *and*
"delete veto files = no". For the "delete veto files = no"
case we should be denying setting the delete on close bit
when the client tries to set it (that's the only time Windows
looks at the bit and returns an error to the user). We
already do the in the dangling symlink case, we just
missed it in the !is_visible_fsp() case.
Mark SMB2-DEL-ON-CLOSE-NONWRITE-DELETE-NO as knownfail
for now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15023
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
This allows default security groups that have been added since Windows
Server 2008 R2, such as Protected Users, to be created in pre-existing
domains. An error message is generated if a group already exists with
the same name, DN, or SID.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Test that we can add the special Protected Users group, and that we get
an appropriate error message when attempting to add it a second time.
We add these tests here so that we can make use of an old provision that
does not already have the Protected Users group added.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We also move the authentication to after checking whether the user is
protected, so that if a user in the Protected Users group tries to
authenticate with a wrong password, the bag password count is not
incremented and the account is not locked out. This does not match
MS-APDS, but matches the behaviour of Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Accounts in the Protected Users group acting as clients lack support for
the RC4 encryption type. TGTs issued to such accounts have a lifetime
restricted to four hours, and are unable to be proxied or forwarded.
To determine at lookup time whether a client account is a member of
Protected Users, we now also create an auth_user_info_dc structure when
creating the database entry for an AS-REQ, rather than only when
creating a PAC for a TGT, or when recreating the PAC from an RODC-issued
TGT.
This means that the user's groups are now expanded even for AS-REQs that
result in an error (such as a PREAUTH_REQUIRED error), but this is
required to be able to correctly determine the account's available
encryption types, which are needed soon after fetching the user account.
Currently, the TGT lifetime may exceed four hours (for Heimdal
specifically). This may happen if PKINIT is used, and either the
pkinit_max_life_from_cert_extension option is TRUE and
pkinit_max_life_bound is greater than four hours, or
pkinit_max_life_from_cert is greater than four hours.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We want to disable SAMR password changes for Protected Users, but need
to ensure that other methods of changing the password still work.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Test that NTLM and SAMR password changes cannot be used for Protected
Users, and that lockouts are not triggered for attempting to use them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Change the values to match those used by Windows.
Verified with PowerShell commands of the form:
New-Object Security.Principal.SecurityIdentifier ER
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This is simple, explainable and secure.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 17 02:47:13 UTC 2022 on sn-devel-184
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This fixes the rpc.samr test because we no longer specify an LM hash
to the DSDB layer only to have it rejected by password_hash.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The removal of LM hash storage changes the expected metadata.
We do not need to track these values exactly to prove the
behaviour here.
This is not due to the changes in password_hash directly, which in
update_final_msg() sets DSDB_FLAG_INTERNAL_FORCE_META_DATA to force
a push out of the removed attribute to the replication state.
However at the stage of a subsequent LDAP Delete there is no longer
a lmPwdHistory nor dBCSPwd attribute, in the directory, so there is
no subsequent version bump to remove them when building a tombstone.
Samba's behaviour is different to that seen by Metze on windows 2022,
where he sees dBCSPwd removed (for the no LM store case) but
lmPwdHistory kept. We in Samba choose to differ, not storing an
ambiguous LM hsitory (of "" values likely), so allowing any version
for these two attributes is the sensible choice.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
