1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

2143 Commits

Author SHA1 Message Date
David Mulder
7db3b63e76 gp: Test modifying centrify crontab user policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
70d3601fc6 gp: Test modifying script user policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
5c2dc0cce4 gp: Test modifying smb.conf policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
c557171800 gp: Test modifying Issue policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
ae752b8c0b gp: Test modifying Messages policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
ef0c54d7c2 gp: Test modifying MOTD policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
32a70df7e4 gp: Test modifying firefox policy enforces changes
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
b49d150db9 gp: Test modifying firewalld policy enforces changes
Ensure that modifying the firewalld policy and
re-applying will enforce the correct policy.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
David Mulder
217beca6e9 gp: Ensure Firewalld tests don't flop
This test was failing depending on the system it
was run on, since the result depends on whether
firewalld python bindings were installed. This
wasn't failing in CI (and so there is no flopping
test marked), but does fail on some local systems.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-31 09:58:30 +00:00
Andrew Bartlett
e36a4149d8 librpc/idl: Remove DCOM and WMI IDL
As hinted in f2416493c0 the DCOM and WMI
IDL is now unused.  These generate code with PIDL, costing a small
amount of build time but more importantly are fuzzed, which costs an
ongoing amount of CPU time as oss-fuzz tries to find parsing issues.

We do not need to continue this waste, and these can be restored
if this effort is ever to start again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Ralph Boehme
724a0518c9 mdssvc: reduce pagesize to 50
Lastest macOS queries additional file metadata per search result, which causes
the mashalled paged result set including metadata to exceed the 64 KB result
fragment buffer.

Lacking fragementation support in mdssvc (it's supported by the protocol), for
now just reduce the maximum number of results per search page.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-07-26 22:43:38 +00:00
Ralph Boehme
7f5e4edf64 tests/mdssvc: match hits:total:value to be the actual amount of entries in hits
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15342

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-07-26 22:43:38 +00:00
Ralph Boehme
94fcbec8af CVE-2023-34968: mdscli: return share relative paths
The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.

So given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full path of

  /foo/bar/dir/file

previously a search that matched this file would returns the absolute
server-side pato of the file, ie

  /foo/bar/dir/file

This will be change to

  /spotlight/dir/file

As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just

  dir/file

in the example above.

The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.

There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be

  /System/Volumes/Data/foo/bar/dir/file

So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.

Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix

  kMDSStorePathScopes + share_path (from mdssvc_open).

eg

  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file

Makes sense? :)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Andrew Bartlett
a53ebc288f samba-tool: Use samba.glue.get_burnt_cmdline rather than regex
This use avoids having two different methods to match on command-line
passwords.  We already have a dependency on the setproctitle python
module, and this does not change as the (C) libbsd setproctitle()
can't be run from within a python module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-21 05:23:32 +00:00
Rob van der Linde
5e4a6cd75a netcmd: sites: tests for list and view sites and subnet
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-19 03:31:30 +00:00
Joseph Sutton
90b240be08 tests/krb5: Add a test for PK-INIT with a revoked certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
2ab15cf117 tests/krb5: Allow passing a pre-created certificate into _pkinit_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
b73a01eefd tests/krb5: Have the caller of create_certificate() fetch the CA certificate and private key
These are useful to keep around for other purposes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
01196cc741 tests/krb5: Factor out a method to fetch the CA certificate and private key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
ce9786748b tests/krb5: Factor out a method to create a certificate
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9612

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
5bfccbb764 tests/krb5: Test Windows 2000 variant of PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
af97579f16 tests/krb5: Add ASN.1 definitions for Windows 2000 PK-INIT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
ecc62bc120 tests/krb5: Add tests for PK-INIT Freshness Extension (RFC 8070)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
f7393da2c0 tests/krb5: Remove unused methods
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
97ead77767 tests/krb5: Check PAC_TYPE_CREDENTIAL_INFO PAC buffer
When PK-INIT is performed, check that the buffer is as expected and
contains the correct NT hash.

The PK-INIT tests now pass against Windows Server 2019.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14985

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
3ea1c55921 tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.

If either of these files are encrypted, you can specify the password in
the environment variable CA_PASS.

These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.

Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.

An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py

To set up windows for this I first installed an Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:

1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.

(I downloaded the resulting file via smbclient).

After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.

That can be done by first enabling the policy:
 ‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
699d211084 tests/krb5: Allow KerberosCredentials to have associated RSA private key
This is needed for PK-INIT testing.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7584e7a3a1 tests/krb5: Add helper methods for PK-INIT testing
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7f9547fda7 tests/krb5: Refactor encryption type selection
Add and use some methods to calculate the highest supported AES and RC4
encryption types, respectively.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
ef9ffbacb9 tests/krb5: Add PK-INIT ASN1 definitions and include licence
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-19 01:47:33 +00:00
Joseph Sutton
477fbd7bb4 tests/krb5: Add PKINIT pre-authentication types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
8a0bde46a2 tests/krb5: Add PKINIT typed data errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
d818ed644a tests/krb5: Add PKINIT error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
97cde6f97b tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Andreas Schneider
929ed4800c python:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Andreas Schneider
3233fc0335 python:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-07-05 06:34:32 +00:00
Andrew Bartlett
eda1022b59 crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Joseph Sutton
fc33033bac tests/krb5: Adjust authentication policy RBCD tests to expect appropriate failure statuses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
fcfdb44381 tests/krb5: Be less strict regarding acceptable delegation error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
8b1897f02e tests/krb5: Test that client policies are not enforced with S4U
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
8e32075188 tests/krb5: Fix RBCD comments
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
456373ac19 tests/krb5: Don’t unnecessarily specify ‘id’
In tests where we have multiple accounts of the same type, we use the
‘id’ parameter to ensure that these accounts are all different, as some
restrictions are bypassed if an account authenticates to the selfsame
account. However, this is unnecessary if we already specify (with
‘use_cache=False’) that the cache is not to be used.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
1abc2543cd tests/krb5: Add test for authenticating with disabled account and wrong password
This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
9d7f179493 tests/auth_log_pass_change: Fix flapping test
It appears that discardMessages() is still not entirely reliable. Ensure
that we filter out any messages from the Administrator’s authentication.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
b11ad8b137 python:tests: Fix typos
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
7748e6857c tests/krb5: Test authentication policy audit logging
For each test, we check the authentication logs and ensure the messages
are as we expect.

We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment,
assuming that MIT doesn’t support logging for those cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
b0d20ce56c tests/krb5: Test more authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
a5770669e1 tests/krb5: Improve authentication policy creation
Don’t require passing in an ID to create an authentication policy.
Instead, have create_authn_policy() generate one for us.

We now return an actual AuthenticationPolicy object rather than just a
DN. This will give the tests more details to work with about the
policies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Rob van der Linde
76ca95db6b netcmd: domain: add error handling to domain auth commands
Where we wre catching LdbError before we now catch ModelError, all
exceptions that are known and handled in the model layer will have a
user-friendly error message.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00