IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
provision_ctdb() was always called with $no_delete_prefix undefined
from setup_ctdb(), so we can just remove the check.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jo Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Jul 23 23:47:43 UTC 2024 on atb-devel-224
There is no longer any meaningful distinction between the two files.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
They are both only for debugging problems.
In normal runs we don't need them and this avoids leaving to many
/tmp/pam.* directories arround.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
The test needs --option="torture:Forest_Trust_Dom2_Binding=..." in order
to be useful, so the skip is correct, but the knownfail entry should
have been removed with e5163dfd57.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
In standalone setups we use the PAM stack to verify
the plaintext authentication, so we need to pass it
down...
There are still production systems out there
(legacy audio/video recording systems...)
using this.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 17 11:17:54 UTC 2024 on atb-devel-224
This allows testing a plaintext password authentication
on a standalone server using the PAM stack to verify it.
There are still production systems out in the wild using this...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.
This allows testing with 'lanman auth = no' and 'lanman auth = yes'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This demonstrates that we currently have problems with
plaintext and lanman authentication. In both domain member
and standalone setups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Note that the LM HASH is only generated for passwords
up to 14 characters...
We use extra_options_before_inject in order to
allow overriding any existing parameter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This allows overriding any existing parameter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
We burn arguments to all unknown options containing "pass" (e.g.
"--passionate=false") in case they are a password option, but is bad
in the case where the unknown option takes no argument but the next
option *is* a password (like "--overpass --password2 barney". In that
case "--password2" would be burnt and not "barney".
The burning behaviour doesn't change with this commit, but users will now
see an error message explaining that the option was unknown. This is not
so much aimed at end users -- for who an invalid option will hopefully
lead to --help like output -- but to developers who add a new "pass"
option.
This also slightly speeds up the processing of known password options,
which is a little bit important because we are in a race to replace the
command line in /proc before an attacker sees it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Wed Jul 10 06:28:08 UTC 2024 on atb-devel-224
This is the long form of -U in samba-tool.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We have more secret arguments, like --client-password, --adminpass,
so we are going to use an allowlist for options containing 'pass', but
we don't want to burn the likes of --group=passionfruit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We weren't treating "--password secret" the same as "--password=secret",
which sometimes led to secrets not being redacted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This lets us match the Windows FAST reply when the password is expired.
Windows clients were upset by the NTSTATUS field in the edata,
apparently interpreting it to mean “insufficient resource”.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Heimdal matches Windows in the no‐FAST case, but produces NTSTATUS codes
when it shouldn’t in the FAST case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We only turn desired into off in the NT4 domain member case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224
This shows that they are ignored for machine accounts as domain member.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
If the configuration is reloaded strings and string lists
in recycle_config_data could become stale pointers
leading to segmentation faults...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Forcing a reload of the smb.conf option values means the pointer learned
in vfs_recycle_connect() become stale.
This will be reverted at the end of the patset again.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15659
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
If a client for whatever reason calls FSCTL_SRV_COPYCHUNK[_WRITE] without
FSCTL_SRV_REQUEST_RESUME_KEY, we call vfswrap_offload_write_send
before vfswrap_offload_read_send.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 17 18:02:27 UTC 2024 on atb-devel-224
This augments the PKINIT based tests to show this is correctly handled
for the fare more usual case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224
This patch also removes known fail for existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 19:31:40 UTC 2024 on atb-devel-224
On master attempting to chdir into a nested dfs link
e.g. cd dfslink (works)
cd dfslink/another_dfslink (fails)
[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
enabled share
Add knownfails for tests 1 and 3
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15662
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 11 17:00:38 UTC 2024 on atb-devel-224
This flexiblity in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error
return and just be consistent between the different authentication paths.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224
This makes sense as otherwise the user would suddenly not know their password
for use when they do not use their smartcard.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We do this by telling the Domain Functional Level upgrade code that
this is a new install.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This assures us that the new provision sets the value by default.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours. The internet
suggestions of 1 day for this feature should work fine.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it. As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.
Samba now honours the password expiry.
This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
The tests of passwords that will expire in the TGT lifetime fail against
windows, we do not see the rotation in that case.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This demonstrates behaviour against a server presumed to be in FL 2016
what the impact of the msDS-ExpirePasswordsOnSmartCardOnlyAccounts
attribute is.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Windows 2022 at April 2024 has change and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6.
(This is an improvement to Windows security).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We have had confirmed from MS that this behaviour is both deliberate
and required. Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value otherwise DPAPI
(local keychain) secured by this value can fail on the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.
Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This demonstrates that access_denied is only generated if the client
really generates a change in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Also test using the additional record in the answers section.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Failed DNS updates just echo the request flaged as response,
all other elements are unchanged.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun 4 17:39:21 UTC 2024 on atb-devel-224
With the source3/ based clilist.c, we can't test all infolevels where
this matters (see callers of get_dirent_ea_size()). But porting the
source4 based all-infolevel search code into source3/libsmb or doing
this one the reparse point test in the source4 infrastructure to me
seems like a lot of effort for moderate gain.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG
This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
I have captures where a client tries smb3 encryption on an anonymous session,
we used to allow that before commit da7dcc443f
was released with samba-4.15.0rc1.
Testing against Windows Server 2022 revealed that anonymous signing is always
allowed (with the session key derived from 16 zero bytes) and
anonymous encryption is allowed after one authenticated session setup on
the tcp connection.
https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The default is ASCII only, which is used by SSSD and OpenChange.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Currently this fails like this:
test_ldb_comparison_fold_default_common: 118 errors out of 256
test_ldb_comparison_fold_default_ascii: 32 errors out of 100
test_ldb_comparison_fold_utf8_common: 40 errors out of 256
test_ldb_comparison_fold_utf8: 28 errors out of 100
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 05:26:48 UTC 2024 on atb-devel-224
By default we also export on the old and older passwords...
In order to do a kinit with a keytab it might we useful to
include only the current keys.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 14 23:29:46 UTC 2024 on atb-devel-224
This expects PermissionError: [Errno 1] Operation not permitted,
but it seems that setxattr() for security.NTACL works on gitlab
runners without being root.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will allow the reading of SIDs that start with "s-", which
Windows allows, and we allow elsewhere.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We were mistakenly asserting something that did not happen with
Windows, because Samba already won't parse the DN string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
9 hex-digit subauths like '0xABCDef123' will not fit in 32 bits, so
should be rejected on parsing.
In other situations, such as defaultSecurityDescriptor, overflowing
SID subauths on Windows will saturate to 0xffffffff, resulting in a
valid but probably meaningless SID. It is possible that in previous
testing we saw that here, but it is more likely I got confused. In any
case, now I see them being rejected, and that is good.
The saturating defaultSecurityDescriptor case is tested in
SidStringBehavioursThatWindowsAllows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
And so should we.
Right now, these tests won't pass against Windows because they rely on
ldb pre-parsing of the SIDs, so they fail before Windows gets to see
them. Running them against Windows looks something like this, BTW:
SAMBA_SID_STRINGS_SKIP_LOCAL=1 \
SMB_CONF_PATH=st/ad_dc/etc/smb.conf \
PYTHONPATH=bin/default/python \
DC_SERVER=192.168.122.126 \
DC_USERNAME=Administrator DC_PASSWORD='xxx' \
python3 python/samba/tests/sid_strings.py
When things are right, the only failing tests should be from the
SidStringBehavioursThatSambaPrefers suite.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It seems as if the well-known SID S-1-5-32-579
(DOMAIN_ALIAS_RID_ACCESS_CONTROL_ASSISTANCE_OPS) is
not always present -- specifically, it was not there on the
Windows machine used to develop these tests, but it is there on
the one I am now using.
S-1-5-32-545 (DOMAIN_ALIAS_RID_USERS) is surely going to exist,
so we use that instead.
That changes some of the assertions, making some NO_SUCH_OBJECTs
into successes.
For these tests we are only interested in the parsing of the SIDs, not
their meaning, so it's OK to change it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
the less/greater conparisons were not case-sensitive, which made the whole
function non-transitive.
I think codepoint_cmpi() is currently only used for equality tests, so
nothing will change.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
is codepoint_cmpi as case-insensitive as it claims when it comes to
inequalities? (no, it is not!).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 6 21:55:03 UTC 2024 on atb-devel-224
Inherit-only flag applies only to the container it was set to and it
shouldn't be automatically propagated to children.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Apr 29 10:56:48 UTC 2024 on atb-devel-224
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15636
Signed-off-by: Anna Popova <popova.anna235@gmail.com>
Reviewed-by: Noel Power <noel.power@suse.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In a dotless-I locale, we might meet an 'i' before we meet a byte with
the high bit set, in which case we still want the ldb casefold
comparison.
Many ldb operations will do some case-folding before getting here, so
hitting this might be quite rare even in those locales.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In tr_TR and some other locales where the letter 'i' uppercases to
'İ', which is not ideal for LDB as we need certain strings like 'guid'
to casefold in the ASCII way.
In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248) we solved
this problem in many cases, but for unindexed searches where the 'i'
is not the last character in the string. This test shows that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224
The call to $self->setup_namespaces() was allways in error, as the design
is to have the in the state that it was backed up in, but before commit
08be28241b the error return was not
checked and so this was harmless.
The customdc environment is not tested in selftest currently, as
it is intended to be used for manual testing of domains from backup
files not as an automatically constructed environment.
This makes:
BACKUP_FILE=samba-backup-2024-04-11T14-10-20.437096.tar.bz2 SELFTEST_TESTENV=customdc make testenv
work again.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We have changed strcasecmp_m() to return -1 in a place where it used
to return -3. This upset a test, but it shouldn't have: the exact
value of the negative int is not guaranteed by the function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
strncasecmp_m is supposed to return a negative, zero, or positive
number, not necessarily the difference between the codepoints in
the first character that differs, which we have been asserting up to
now.
This fixes a knownfail on 32 bit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
strcasecmp_m is supposed to return a negative, zero, or positive
number, depending on whether the first argument is less than, equal to,
or greater than the second argument (respectively).
We have been asserting that it returns exactly the difference between
the codepoints in the first character that differs.
This fixes a knownfail on 32 bit.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224
for self->dn only. The other dn is a different story, next commit.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will help avoid use-after-free of the internally cached ldb within
struct ldb_dn by ensuring that it lives as long.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Also removes knownfail for test that now passes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
And add a known fail because there is a bug :-(
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These show that the new root key should be based on the server
configuration object, not just hardcoded defaults.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Also removes the knownfail for the chunked transfer test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Adds http test client to excercise the http client library
and a blackbox test to run the client. This client is built
only with selftest
also adds a knownfail for the test
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
very simple test of basic http request/response plus some checks to
ensure http response doesn't exceed the response max length set by
the client call.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224
In the best case, this would have leaked.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We call 'thread apply all bt full' in case there are interesting
things going on in other threads, but often there are no other threads
and it only serves to repeat the original trace (and very slowly, for
some reason).
The $_inferior_thread_count convenience variable is new in gdb 13.1
(2022-ish) so we init-if-undefined it to default to the old behaviour.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If a program happens to have 'PyList_New' defined but is not a python
script, gdb will print
> Undefined command: "py-bt". Try "help".
and probably stop. This happens after the C backtraces have been
printed, so nothing is lost.
The traceback is printed twice -- once in conventional Python style
for clarity, and once with extra "full" information.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
Since 87f67d3369 samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
