1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

4029 Commits

Author SHA1 Message Date
Joseph Sutton
0743e11d46 samba-tool: Fix typo
Found by Rob van der Linde <rob@catalyst.net.nz>.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
49592b80f7 selftest: Assert trust realm is not None
This is consistent with the other tests in this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
97a5ee4bbb tests/auth_log: Factor out isRemote()
This makes waitForMessages() easier to read.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Andreas Schneider
1f74f9f366 python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
431f7698e4 python:safe_tarfile: Implement safer extractall()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
8c90c66a9a python:safe_tarfile: Set extraction_filter for pythons providing it
It should be available for Python >= 3.11.4 but also has been
backported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
ebaa008162 python:tests: Adopt safe_tarfile for extraction_filter raises
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
c28e719bb0 selftest: Add unit tests of the DC startup FL check/update code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
ae7f2b417b python/tests: Make helpful, stateless methods @classmethod and @staticmethod
This allows them to be used in setUpClass in tests.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
8e895fc5d6 selftest: Split up tests in dsdb.py to avoid creating a user when not required
Creating a user is CPU intensive, particularly when a password is set
so avoid doing so if not required.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
David Mulder
e40c86e970 gp: Fix user apply failure when droping privs
When dropping privileges, gpupdate errored:
gpclass.py:1167: KeyError: "getpwnam(): name not found: <HOSTNAME>
apply_gp was incorrectly passing the hostname
instead of the username.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 10 10:46:28 UTC 2023 on atb-devel-224
2023-06-10 10:46:28 +00:00
Andrew Bartlett
6f30eca3bb sefltest: Improve getdcname test by confirming the _REQUIRED flag behaviours
We do this by checking what the underlying CLDAP netlogon call returns.

This also validates that behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
3c25ddb1ce selftest: Fix remaining incorrect references to 2012 -> 2012R2 FL in GetDCNameEx test
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
49537a4170 selftest: Change self.assertTrue(x is not None) -> self.assertIsNotNone(x)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-05-31 04:02:35 +00:00
Andrew Bartlett
2a0e53374d selftest: Confirm that the flags like DS_DIRECTORY_SERVICE_9_REQUIRED work
We need to confirm this both for forwarded requests, and also for requests
direct to the possible DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon May 29 23:29:50 UTC 2023 on atb-devel-224
2023-05-29 23:29:50 +00:00
Andrew Bartlett
920e1a5bae selftest: Rework samba.tests.getdcname not to use ncalrpc
This test is able to operate over the network, which aids testing against
a comparative windows DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-29 22:32:28 +00:00
Andrew Bartlett
1593c9e658 selftest: Assert that we have a trust in samba.tests.getdcname
We must ensure this test cannot became inoperative because the
environment it was run against has no trust.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-29 22:32:28 +00:00
Joseph Sutton
fb759809f8 python:tests: Ensure that we don’t overwrite tests
If the file iterator returns two entries with the same name, one may
overwrite the other.

script_iterator() currently ensures this won’t happen, but it pays to be
safe.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
7390eb1254 python:tests: Make script executable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
d308136a5e python:tests: Initialize global variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
2009166efd python:tests: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
c51bffa8fd python:tests: Exclude Python test directories
Practically all of our Kerberos tests are excluded already. Many of our
tests aren’t marked as executable, and so aren’t being checked anyway.
Rather than having a large list of exclusions which one may easily
forget to update, just exclude the test directories.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
63c228f89f python:tests: Fix f-strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
2641b4a20e samba-tool domain: Handle new NBT_SERVER_* flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
20ba6e487b tests/auth_log: Remove debugging code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
de4ce89e0a tests/auth_log: Add missing call to tearDownClass()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
76e87c6262 tests/audit_log: Add missing call to tearDown()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
a05a9a3e78 tests/auth_log: Remove unnecessary check
This attribute is always truthy.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
6d68ef23b3 tests/audit_log: Remove unnecessary checks
These attributes are always truthy.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
4cb869dce4 tests/auth_log: Call discardMessages() on class
This makes it clearer that discardMessages() operates on the class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
47a0b9a4cb tests/auth_log: Make discardMessages() more reliable
It can take two or three calls to msg_ctx.loop_once() before a message
comes in. Make sure we get all of the messages.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
5c1ea54cea tests/auth_log: Expect no messages when changing a non-existent user’s password
These log messages come from setUp(), and the fact that we are getting
them is merely a side-effect of the unreliability of discardMessages().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
e1884e8038 tests/audit_log: Make discardMessages() more reliable
It can take two or three calls to msg_ctx.loop_once() before a message
comes in. Make sure we get all of the messages.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
e2e8c86988 tests/auth_log: Correctly get lp_ctx
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
af9d1a3d90 tests/auth_log: Remove unneeded len() call
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
a7ad25a781 tests/audit_log: Remove unneeded len() call
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
40425672fe tests/auth_log: Rename ‘self’ parameter to ‘cls’
This method operates on the class, not on an instance of that class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
1923abe7e4 tests/auth_log: Rename ‘self’ parameter to ‘cls’
This method operates on the class, not on an instance of that class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
1c17d56cc5 tests/auth_log: Correctly check for GUID
Pattern.match() only checks the starting portion of the string.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
ffda69f2d9 tests/audit_log: Correctly check for GUID
Pattern.match() only checks the starting portion of the string.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
72d5a5a33b tests/auth_log: Pre-compile GUID regex
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
b1b7d7561a tests/krb5: Don’t cache accounts with an assigned policy or silo
Such accounts are virtually never reused. Not caching them (thus
deleting them early) grants significant time savings.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
dc0d96b058 tests/krb5: Move TestCaseInTempDir to more appropriate place in class hierarchy
KDCBaseTest is the only class that makes use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
e77c249dd5 pytest: dcerpc/dnsserver: Call setUpClass() method of base class
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
d2892010e6 pytest: dcerpc/dnsserver: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
715c45da6e tests/auth_log: Simplify isRemote()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
59378dddbf tests/auth_log: Rename ‘self’ parameter to ‘cls’
This method operates on the class, not on an instance of the class.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
ea7b82ad93 tests/auth_log: Call setUpClass() method of base class
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
781990577a tests/auth_log: Don’t silently override remoteAddress
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
b421d2d5cf tests/auth_log_winbind: Expect an empty remote address
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
f89b0cdbbc tests/audit_log: Pre-compile GUID regex
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
David Mulder
f1a204d315 gp: sshd policy correctly sort policy
The sshd_config man page says that key value
pairs 'the first obtained value will be used'.
So we need to sort policies from last to first.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 19 01:23:19 UTC 2023 on atb-devel-224
2023-05-19 01:23:19 +00:00
Joseph Sutton
53c47698f0 tests/krb5: Add tests presenting short-lived ticket in various scenarios
With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
9b1bd267f0 tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()
...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
748fa19a26 tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter
This is so callers can modify the lifetime of a ticket without
necessarily changing the requester SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
787b701e68 tests/krb5: Use consistent time between get_KerberosTime() calls
Otherwise get_KerberosTime() calls time.time() itself, the value of
which can change between calls.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
e1109fbfef tests/krb5: Move modify_requester_sid_time() to RawKerberosTest
We shall make use of it in KdcTgsTests.

Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
d211d700ab tests/krb5: Set expected_status even if expect_status is not true
We might get an NTSTATUS code even if we aren’t explicitly saying that
we expect one.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
4a3f764f7f tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests
Samba currently doesn’t return a status code in these error cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
9d3c3f06ab tests/krb5: Be less particular about expected status codes for S4U tests
Samba doesn’t return a status code for these error cases, so lower our
expectations of getting them.

We don’t have to add ‘'expect_status': None’ to all these test cases,
but this makes it clear at a glance that ‘expected_status’ isn’t
actually being checked, and gives us the opportunity to change this
aspect of each individual test in the future.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
84a7ae8e0c tests/krb5: Add tests for authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f9b666297c tests/krb5: Allow specifying whether PA-DATA types are to be checked
Not all tests are intended to test that the correct PA-DATA types are
returned. This parameter allows us to skip checking for cases where we
don’t care.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
53b62429f8 tests/krb5: Allow server and workstation accounts to perform a SamLogon
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
c1ab6036bb tests/krb5: Allow specifying machine credentials to _test_samlogon()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
031f1c7632 tests/krb5: Rename ‘server’ to ‘dc_server’
This makes it more clear that this is in fact the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
3424c6d20f tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
Certain clients rely on this behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
18b24f9572 tests/krb5: Improve edata checking
Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.

The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
3063abbfb0 tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
0d609ee5ed samba-tool domain: Clean up code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
56d98e974c samba-tool domain: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f1281b80c1 samba-tool domain: Run in interactive mode if no args are supplied
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
8d6e447340 python:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
f9501f2ae4 samba-tool domain: Remove unnecessary variable
It is conciser to use ‘r’ to refer to update_forest_info.entries[i].

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
5a2b187819 samba-tool domain: Use result of setup_local_server() instead of object field
The code is clearer if we consistently refer to the same variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
9f3dcf0e69 samba-tool domain join: Allow "ad dc functional level" to change which
level we claim to be during an AD join

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Joseph Sutton
f94f174db4 samba-tool domain provision: Use "ad dc functional level" to control max functional level
This allows the DC to self-declare a higher level and so allow a 2016
domain to be created, for testing and controlled implementation purposes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
5d5fd0129a python: Add function to get the functional level as a python intger from smb.conf
The lp.get() returns the normalised string from the enum handler

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
7953a9ba71 samba-tool domain provision: Use common functional_level.string_to_level()
This is instead of manually parsing the functional level strings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Andrew Bartlett
844eb07376 python: Move helper functions for functional levels into a new file
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
David Mulder
1dbdeaa8d7 gp: get_gpo() should re-raise the Exception, not return
If we return from this failure, then `new_gpo` is
set to `None` and we will fail in some obscure
way within a CSE later (since we append `None` to
the GPO list). Instead, re-raise the Exception so
we see that an error happened when fetching the
GPO.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 01:59:32 +00:00
Joseph Sutton
f60249eed5 tests/krb5: Improve _test_samr_change_password() method
Instead of using anonymous credentials, we now connect using the
passed-in credentials.

We now correctly construct nt_password and nt_verifier so as to
successfully change the password, instead of having to distinguish
between a WRONG_PASSWORD error and an error caused by the password
change being disallowed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
e959485550 tests/krb5: Don’t delete silo until all tests have finished
It’s possible that we reuse the same silo across multiple tests. In that
case, we should not delete it until we are sure we have finished with
it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
0e27b297a2 tests/krb5: Add remove_attribute() helper function
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
98e23d7eed tests/krb5: Have set_forced_key() also set the NT hash
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
87f7bd6007 tests/krb5: Make _tgs_req() more configurable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
9d206948c9 tests/krb5: Make use of check_tgs_reply()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
ab8a3e87bb tests/krb5: Allow specifying an encoded security descriptor
If we get a string, we’ll still assume it’s a DN and create a security
descriptor using it.

This is useful in cases where we don’t have a DN (e.g., the account is
not created yet).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
9d84f3384e tests/krb5: Rename ‘objectclass’ to use correct case
This means that tests can now specify values for ‘objectClass’ in
additional_details which override the default value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
0a7cbe1e95 tests/krb5: Rename ‘auth_silo’ to ‘authn_silo’
Make it clear that this relates to authentication, not authorization.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
3ae3499b70 tests/krb5: Create account cache key only if needed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
4dc9abc777 tests/krb5: Delete non-resuable accounts as soon as possible
This helps to mitigate Samba’s slow account deletion.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
bd9eb63450 tests/krb5: Refactor _test_samlogon()
Move logic specific to the Network logon into that branch, so it’s
easier to see what’s going on.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
d497829bf1 python/samba: Fix invalid escape sequence
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
c6f29f0039 tests/krb5: Allow setting a servicePrincipalName on a user account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
4ae9fe48aa tests/krb5: Fix parameter default
Now that add_dollar is honoured for all account types, we don’t want to
pass add_dollar=True for user accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
57d73b24b2 tests/krb5: Remove unused parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
1a90a94ff1 tests/krb5: Test that the salt for a managed service account is computed correctly
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
762e184216 tests/krb5: Allow creating managed service accounts
These will be useful for testing authentication policies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
8a3dacd39e tests/krb5: Always heed the add_dollar parameter
Not just if the account to be created is a computer. This allows us to
create other types of accounts with a trailing dollar.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
1ba0953d65 tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
722bbf0544 tests/krb5: Remove unneeded assertions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
eb4b46d326 tests/krb5: Allow creating an account with an assigned policy or silo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
e7b2cd7d83 tests/krb5: Add method to create an authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Joseph Sutton
c497227222 tests/krb5: Generify protected users test methods
We can reuse them to test accounts restricted authentication in some
form or another.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Joseph Sutton
6f3b7f95f3 tests/krb5: Handle NT hashes being disabled
If NT hashes are disabled, we should not expect the RC4 enctype to be
available for non-computer accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Joseph Sutton
e4ec3d6f3d tests/krb5: Pass client credentials down into kdc_exchange_dict
These are useful inside the test infrastructure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Joseph Sutton
c07ac15462 tests/krb5: Remove test for OemChangePasswordUser2()
We don’t implement this anymore (since commit
0f53bfe723).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Joseph Sutton
58bf53c973 tests/krb5: Split out functions for testing logons and password changes
This allows their use for testing other forms of restricted accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
Stefan Metzmacher
7dab9edca8 python:descriptor: add missing schema 2019 aces in builtin and dns partition
Note 'samba-tool domain functionalprep' won't fix them in the database,
while a fresh provision will add these.

This is needed in order that 'samba-tool dbcheck --reset-well-known-acls'
won't reset them after a modern provision and will fix them on an old
domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:30 +00:00
David Mulder
4486d686f5 gp: Add site-dn fallback when rpc call fails
In testing I noticed that the rpc call for the
site name is failing when joined via SSSD. This
commit adds a fallback to check using the old
style method found in ads_site_dn_for_machine()
(which works, but doesn't obey the Group Policy
spec) if the rpc call fails.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Apr 28 03:14:25 UTC 2023 on atb-devel-224
2023-04-28 03:14:25 +00:00
David Mulder
ee04bafc25 gpo: Group Policy tests require a s3 loadparam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
David Mulder
ac4726106c gpupdate: Deprecate libgpo.get_gpo_list
This is no longer used by gpupdate.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
David Mulder
a8bad5d5b8 gpupdate: Implement get_gpo_list in python
The ADS code in libgpo is buggy. Rewrite
get_gpo_list in python using SamDB.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15225

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Noel Power
d36bab52d0 s3/utils: when encoding ace string use "FA", "FR", "FW", "FX" string rights
prior to this patch rights matching "FA", "FR", "FW", "FX" were
outputted as the hex string representing the bit value.

While outputting the hex string is perfectly fine, it makes it harder
to compare icacls output (which always uses the special string values)

Additionally adjust various tests to deal with use of shortcut access masks
as sddl format now uses FA, FR, FW & FX strings (like icalcs does) instead
of hex representation of the bit mask.

adjust
  samba4.blackbox.samba-tool_ntacl
  samba3.blackbox.large_acl
  samba.tests.samba_tool.ntacl
  samba.tests.ntacls
  samba.tests.posixacl

so various string comparisons of the sddl format now pass

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

[abartlet@samba.org Adapted to new stricter SDDL behaviour around leading zeros in hex
 numbers, eg 0x001]
2023-04-28 02:15:36 +00:00
Andrew Bartlett
9fc6062bd3 pytest:sddl: show the correct handling of the "FA" SDDL flag
The "FA" flag should map to 0x1f01ff, and 0x1f01ff should be converted
back into "FA".

This will be fixed over the next couple of commits.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-04-28 02:15:36 +00:00
Andrew Bartlett
334afc7157 pytest:sddl Samba had the wrong value for FA, now fix the tests
The tests that were in SddlWindowsFlagsAreDifferent have the behaviour
we want, and as we aim for Samba flags no longer being different, we
shift them to SddlNonCanonical. The tests in SddlSambaDoesItsOwnThing
are removed because they showed Samba's old behaviour around FA.

This will create knownfails, which will be fixed by the commit fixing the
value of "FA".

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
2e90ba7ec6 pytest:sddl: test we only accept normal GUIDs
By normal GUID, I mean ones like f30e3bbf-9ff0-11d1-b603-0000f80367c1,
with four hyphens and no curly braces.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
ec2d2f8ea8 pytest:sddl: tests around spaces in access flags and SIDs
It turns out that in accesss flags Windows will allow leading spaces
and spaces separating flags but not trailing spaces.

We choose to follow this in part because we found it happening in the
wild in our tests for upgradeprovision until a few commits ago.

Windows will also allow spaces in some parts of SIDs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
0528da54b8 pytest:sddl debugging: should_fail test says how it failed
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
1d9712283b pytest:sddl: add tests for long DACLs, differing flag interpretations
Windows converts hex numbers into flags differently, and has different
ideas of what constitutes "FA", and possibly others.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
de6d470063 pytest:sddl: let hex numbers differ in case (0xa == 0xA)
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
030ce22f52 pytest:sddl: helpers to exchange SDDL strings with Windows testprogram
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
97353c0091 pytest:sddl: SDDL strings where Windows behaviour differs
These ones we might want to match. They are understandable behaviours,
like matching lowercase flags and coping with whitespace in some
places. These tests are set up to document the differences without
overwhelming the knownfails.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
fb588d768b pytest:sddl: Add negative tests of unparseable strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
a2009b56b5 pytest:sddl: allow tests to make negative assertions
If the subclass has `should_succeed = False`, all the cases
in that class will be tested to ensure they can't be
successfully parsed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
ba6f401340 pytest:sddl: split each string into it's own test
This of course allows for fine-grained knownfails.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
eac400b4db pytest:sddl: tweak some test strings
Adding, diversifying, and disambiguating. The leading portion of the
test stirngs will soon be used in the test name, and strings that
don't differ in the first hundred characters will cause naming
clashes. There is no good reason for them all to test the same flags
in the same order.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
4652d2766a pytest/sddl: split tests into canonical and non-canonical
The examples in the canonical list are already in the form that
Windows and Samba will use for that SD. We check the round trip.

The examples in the non-canonical list will change in a round trip, so
we also give the string we think they should end up as. These have
been checked on Windows.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
1107952c2b pytest/sddl: remove unused imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
ec85c1fdff pytest/sddl: rework to allow multiple lists, no early stop
The test will fail right now because it makes round trip assertions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
4a24c52056 pytest/sddl: assert sddl string equality
It's not that I think our SD equality check will miss anything, but we
are here to test things like that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
f87f63997f pytest/sddl: remove duplicate test case
The other copy is on line 102.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
298821a8ed pytest/sddl: give test more of a name
I think it worked, but the convention is that tests have a test_ prefix,
and it woudn't be surpoising if something somewhere decides to depend on
that.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
35bf8ff4f4 pytests/sddl: clarify boundaries between sddl cases
It is now easier to see where one SD ends and another starts.

Best looked at with -b or --word-diff.


Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
67500da148 pytest:posixacl: expect canonical ACE flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
c08959d135 pytest:samba-tool ntacl: expect canonical ACE flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
a655e7e496 py:provision: use canonical representation of ACE flags
This is because in ceetain places we compare strings rather than security
descriptors.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
e521b0a26a pytest:ntacls: adapt for canonical flag format
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
7c97df1786 pytest:sddl: test empty DACL with flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
fe8ce9e34e pytest:sid_strings: Do bad SIDs fail differently in simple-bind?
No.

That's good and expected because a failure here should fall back to the
next thing in the simple bind pecking order (canonical names).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
a4bbd944ee pytest:sid_strings: do bad SIDS work in search filters?
Yes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
866069172b pytest:sid_strings: test SID DNs with ldb parsing
By using an ldb.Dn as an intermediary, we get to see which SIDs
Samba thinks are OK but Windows thinks are bad.
It is things like "S-0-5-32-579".

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
953ad43f15 pytest:sid_strings: test SIDs as search base
As a way of testing the interpretation of a SID string in a remote
server, we search on the base DN "<SID=x>" where x is a non-existent
or malformed SID.

On Windows some or all malformed SIDs are detected before the search
begins, resulting in a complaint about DN syntax rather than one about
missing objects.

From this we can get a picture of what Windows considers to be
a proper SID in this context.

Samba does not make a distinction here, always returning NO_SUCH_OBJECT.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
f66b0f8688 pytest:sid_strings: Windows and Samba divergent tests
The Samba side is aspirational -- what we actually do is generally
worse. However the Windows behaviour in these cases seems more
surprising still, and seems to be neither documented nor used.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
2d75daa9c4 pytest:sid_strings: test the strings with local parsing
The reason the existing tests send the SID over the wire as SDDL for
defaultSecurityDescriptor is it is one of the few ways to force the
server to reckon with a SID-string as a SID. At least, that's the case
with Windows. In Samba we make no effort to decode the SDDL until it
comes to the time of creating an object, at which point we don't notice
the difference between bad SDDL and missing SDDL.

So here we add a set of dynamic tests that push the strings through our
SDDL parsing code. This doesn't tell us very much more, but it is very
quick and sort of confirms that the other tests are on the right track.

To run against Windows without also running the internal Samba tests,
add `SAMBA_SID_STRINGS_SKIP_LOCAL=1` to your environment variables.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
fa04c38740 pytest:sid_strings: separate out expected_sid formatting
This is going to be useful for another test, soon.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
cb356a8d90 pytest:sid_strings: add explicit S-1-* sid tests
We are mostly testing edge cases around the handling of numeric
limits.

These tests are based on ground truth established by running them
against Windows.

Many fail against Samba, because the defaulSecurityDescriptor
attribute is not validated at the time it is set while on Windows it
is.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
4380b4694f pytest:sid_strings: allow other errors to be specified
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
5805dcf3eb pytest:sid_strings: add a superclass, allowing for derivatives
This will allow e.g. a suite of tests that assert Windows behaviour that
we might not choose to follow.

Because @DynamicTestCase will mangle the class as it finds it, we can't
use SidStringTests itself as a superclass for others.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
5c4f4dc9ea pytest:sid_strings: use hashed instead of random unique numbers
This removes the slim chance of flapping failures, and makes tracking
the created class back to the SID string theoretically possible.

To maintain uniqueness of the governs-id, we in chuck some of the
timestamp.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
708d9896aa pytest:sid_strings: same timestamp for all tests in the run
We don't care about the exact time of the test, just that we
disambiguate between different runs (each run leaves an immutable scar
on the target server).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
aa378b4bd5 pytest:upgradeprovision: don't use misleading SDDL in tests
The ACE string "(A;CI;RP LCLORC;;;AU)", with a space after "RP", is
currently not parsed well by Samba.

At the moment we parse only the "RP" and ignore the " LCLORC". What
Windows would do is parse it as if it said "RPLCLORC", without the
space, thus using all the flags. It seems very likely we thought this
was happening with Samba.

Soon Samba will have Windows' behaviour here and it will be tested in
python/samba/tests/sddl.py. That means this test can relax and focus
on whatever it was trying to do with upgradeprovision. We thank it for
finding this discrepency.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Douglas Bagnall
9abdd67565 librpc/ndr/pysecurity: use better exceptions
The wrong string is the wrong value but the right type.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Volker Lendecke
8027283dd7 tests: Test ldap whoami exop
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 26 07:20:14 UTC 2023 on atb-devel-224
2023-04-26 07:20:14 +00:00
Andreas Schneider
24dd45613a python:tests: Skip the source_chars test if not a git dir
This test doesn't work in release tarballs. Skip it if git fails.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Apr 21 13:59:29 UTC 2023 on atb-devel-224
2023-04-21 13:59:29 +00:00
David Mulder
6e525d55d9 gp: Fix NameError: free variable 'cron_dir' in Crontab CSE
An apply reports the error "NameError: free
variable 'cron_dir' referenced before assignment
in enclosing scope". This only happens when no
policy is defined for this CSE, because existing
policy causes the variable to be defined.

Moved the 'cron_dir' varilable to the correct
scope.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Wed Apr 19 21:21:10 UTC 2023 on atb-devel-224
2023-04-19 21:21:10 +00:00
Volker Lendecke
0327334c89 tests: Show that streams_depot and shadow_copy2 don't play together
See the next patch, we assert in shadow_copy2_openat() over paths
passed in from shadow_copy2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15358

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-04-17 17:14:37 +00:00
Joseph Sutton
e4b81f7f6d samba-tool domain: Initialise variables before attempting to use them
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
45ff5a81e5 tests/krb5: Fix comment indentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
91e1898f99 tests/krb5: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Andreas Schneider
c50cde0cd5 python:tests: Correctly skip some GPO tests in release tarball
These tests require provision data we do not ship in release tarballs.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr  6 15:42:12 UTC 2023 on atb-devel-224
2023-04-06 15:42:12 +00:00
Rob van der Linde
b74b9f4b06 CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 03:08:51 UTC 2023 on atb-devel-224
2023-04-05 03:08:51 +00:00
John Mulligan
f5d04a43cf python:join: fix reused variable name in provision func
Recent updates to run adprep during the provision function re-used a
variable name that was already in use as a string. This reassignment
changed the type of the referenced object. This variable name is later
used to setup the mit krb5 kdc conf and expects the var to contain a
string. When executed with default cli options on a mit krb5 based build
samba tool fails with a traceback:
```
INFO 2023-03-23 21:22:50,399 pid:6
/usr/lib64/python3.10/site-packages/samba/provision/__init__.py #2021:
Fixing provision GUIDs
ERROR(<class 'AttributeError'>): uncaught exception - 'DomainUpdate'
object has no attribute 'upper'
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/__init__.py",
line 230, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.10/site-packages/samba/netcmd/domain.py",
line 555, in run
    result = provision(self.logger,
  File
"/usr/lib64/python3.10/site-packages/samba/provision/__init__.py", line
2408, in provision
    create_kdc_conf(paths.kdcconf, realm, domain,
os.path.dirname(lp.get("log file")))
  File
"/usr/lib64/python3.10/site-packages/samba/provision/kerberos.py", line
43, in create_kdc_conf
    domain = domain.upper()
```

This change removes the re-use of the existing var name by chaining
the calls.

Fixes: 4bba26579d
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 02:02:29 UTC 2023 on atb-devel-224
2023-04-05 02:02:29 +00:00
Joseph Sutton
3b72dde202 tests/krb5: Add tests for constructed (authentication silo) claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
75aecbe620 tests/krb5: Add method to create authentication silo claim
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
dc4c51f353 tests/krb5: Add method to create an authentication silo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
8855b525ce tests/krb5: Add methods to get authentication policy DNs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
9b96855f37 tests/krb5: Check only for the canonical representation of a security descriptor
As of commit be1aae77b7, Samba only
produces the canonical form of a security descriptor.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 01:06:29 +00:00
Joseph Sutton
58f9327190 tests/krb5: Don't expect client claims to be missing
For this particular test, we don't care whether they're present or not.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Rob van der Linde
d5a0d7aa8b netcmd: tests for claims client tool
Added delete protected test to known fail as Samba doesn't seem to enforce this yet.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
cf0a3a8c60 netcmd: add claim sub-commands to samba-tool domain
Claim Type:

 * samba-tool domain claim claim-type list
 * samba-tool domain claim claim-type create
 * samba-tool domain claim claim-type delete
 * samba-tool domain claim claim-type modify
 * samba-tool domain claim claim-type view

Claim Value Type:

 * samba-tool domain claim value-type list
 * samba-tool domain claim value-type view

To add a claim type use the attribute name, it will look up the attribute in the attribute schema and use that data type and description.

Claim types can be protected from accidental deletion just like Windows, use --protect

To delete protected claim types use --force.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
5a4f4b3948 sd_utils: fix typo in get_sd_as_sddl docstring
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
01c6bc55c7 netcmd: simplify boolean check
Should use "is" for checking booleans rather than "==" in Python, however these can also be simplified.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
44f881fd34 netcmd: domain: move trust command to domain/trust.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
2a71bade84 netcmd: domain: move tombstones command to domain/tombstones.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
75e7935b50 netcmd: domain: move schemaupgrade command to domain/schemaupgrade.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
dff87f051f netcmd: domain: move samba3upgrade command to domain/samba3upgrade.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
5986937d12 netcmd: domain: move provision command to domain/provision.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
49bc6a478b netcmd: domain: move paswordsettings command to domain/passwordsettings.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
8d4f6761b2 netcmd: domain: move level command to domain/level.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
e7ad2364a5 netcmd: domain: move leave command to domain/leave.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
12d5ea7f58 netcmd: domain: move keytab command to domain/keytab.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
8001e07746 netcmd: domain: move join command to domain/join.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
fefa5e74d1 netcmd: domain: move info command to domain/info.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
908f7ff553 netcmd: domain: move functional_prep command to domain/functional_prep.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
c22b8dc1c5 netcmd: domain: move demote command to domain/demote.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
72f6f7a79c netcmd: domain: move dcpromo command to domain/dcpromo.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
d26054d7da netcmd: domain: move classicupgrade command to domain/classicupgrade.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
6cecd7d08b netcmd: domain: move domain_backup.py to domain/backup.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
4d6a2b0167 netcmd: domain: fix unused imports
Fix existing unused imports first, before splitting the file.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Rob van der Linde
2534aba94d netcmd: domain: turn domain.py into a module
The domain.py file has become quite large at over 5000 lines, splitting it now before adding more sub commands.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Andrew Bartlett
ea4be00361 selftest: Add test parsing krb5 PAC claims via ndrdump
Including
* compressed claims
* plain (uncompressed) claims

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 02:50:30 UTC 2023 on atb-devel-224
2023-03-31 02:50:30 +00:00
Andrew Bartlett
f951c3b35d sefltest: Extend python NDR parsing tests to compressed and uncompressed claims
This confirms that the compression is transparent and that the
values from a PAC with claims provided by MS Windows are parsed
correctly.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
2d2f68236e librpc/ndr: Use libndr compression for claims
This ensures our python layer and C layer (in the KDC, when implementated)
use the same compression logic and so allows us to test the production
compression via the IDL-generated interfaces.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
327c84cf87 librpc/ndr: Implement lzxpress_huffman() compression in libndr for Kerberos Claims
Rather than just pick the next value we re-arrange compression values
in libndr to be memnonic to values in MS Windows ntifs.h

This helps avoid confusing developers who compare these
algorithms with local the MS Windows interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
937bf4b836 librpc/ndr: Unimplement DRSUAPI_COMPRESSION_TYPE_XPRESS and rename
DRSUAPI_COMPRESSION_TYPE_XPRESS is not MS-XCA nor is it implemented by
lzexpress_compress(), so disconnect from that algorithm.

This avoids someone fixing lzxpress_compress() to work for DRSUAPI
and breaking claims support.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Andrew Bartlett
2cba54ba30 selftest: Add python test that verifies that we can parse a PAC
This give us a building block to test the PAC claims format

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Stefan Metzmacher
86b6353644 python:join: run domain adprep as part of join_provision_own_domain()
This is currently unused as we don't support more than one
domain per forest, but it will help it future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 22 23:05:39 UTC 2023 on atb-devel-224
2023-03-22 23:05:39 +00:00
Stefan Metzmacher
4bba26579d python:provision: run adprep as part of provision
With the default of base_schema=2019 we'll adprep to 2016.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-22 22:10:32 +00:00
Stefan Metzmacher
f6d9f3760f samba-tool: let 'domain provision' to use the 2019 schema by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-22 22:10:32 +00:00