1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

135726 Commits

Author SHA1 Message Date
Douglas Bagnall
93347aa5af libcli/security: add sddl_decode_err_msg()
This will return an error message, if it can, along with an indicative
position.

For conditional ACEs the message might be accurate, and the position
fine-grained. For example, you might be able to construct the message
like this:

D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title)))
                                    ^
 16: unexpected operator

For non-conditional ACEs, the position typically points to the beginning
of the ACE, like this:

D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU)
                                  ^
 unknown error

Here the error is in the spaces either side of " OICI; ", but the pointer
points to the beginning of the ACE.

The old sddl_decode() function becomes a wrapper around the new function,
which inherits the guts of the old function.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
9b57d5cd5c libcli/security: sddl_conditional_ace: ensure message is talloced
It is simpler for the message to have consistent parentage; it
is easier to drop one message we'll never see than to talloc it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
cc11165ecb libcli/security: sddl: check a talloc_zero
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Douglas Bagnall
5319c5bdac libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.

We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
c75be6c326 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits
This gives us thirty‐two new LIBNDR_ flags to play with.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
a396b705c8 librpc:ndr: Introduce ‘ndr_flags_type’ type
Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning,
consistently use a newly added type to hold NDR_ flags.

Update the NDR 4.0.0 ABI.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
c4f281e9ae librpc:ndr: Introduce ‘libndr_flags’ type
The LIBNDR_FLAG_ namespace is getting dangerously full, with only a
single flag value (1 << 9) remaining for use. After that flag is put
into use, we won’t be able to add any new flags without increasing the
flag width to 64‐bit.

Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to
store these flags. Introduce a new type, ‘libndr_flags’, to be used
consistently to hold LIBNDR flags. If in the future we find we need to
move to 64‐bit flags, this type gives us an opportunity to do that.

Bump the NDR version to 4.0.0 — an major version increment, for we’re
changing the function ABI and adding the new symbol
ndr_print_libndr_flags.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
4ec7578e79 s4:torture: Make static variables constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
83c6823652 librpc:ndr: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
0071a60fb6 dcerpc.idl: Use simple boolean value instead of flag
One advantage of this is that the type of the switch value is no longer
tied to the type of the NDR flags.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
bea9958b60 s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data()
NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
57c543a1d9 third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
b06751389d s4:auth: Comment about claims in the security token
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ebbba22cfb s4:auth: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
0733ea3663 s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
f8bfd607ca tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
These tests crash Windows, but we can assume reasonable behaviour for
Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
6760dd48ad s4:kdc: Do not add Claims Valid SID twice
samba_kdc_get_user_info_dc() now adds the SID itself.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
54eb175816 tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
66b4597862 tests/krb5: Don’t pass unnecessary parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
2b69e1e7c3 tests/krb5: Use __slots__ to indicate which attributes are used by classes
These should help to catch mistaken attempts to set invalid attributes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
b0da50b5b0 s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
915b40521e s4:auth: Check that the PAC is not NULL before dereferencing it
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
76e27c3ab1 libcli/security: Add sid_attrs_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
69edfd7b11 libcli/security: Make use of sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
04611d9ebc libcli/security: Add sids_contains_sid()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce3f04dca9 libcli/security: Make use of sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
5ff72d0e04 libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
487e21ec89 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
ce9fbceadb libcli/security: Correct function documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
01b8966993 libcli/security: Remove unnecessary return statement
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
12b0c9d043 s4:dsdb: Align integer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
3b936623a4 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
7ba4bb8164 tests/krb5: Add tests to see how SIDs are conveyed from PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
dc1e2b41ca tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
947d3e5932 tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Volker Lendecke
1862561d1a smbd: Open file as REPARSE_POINT in unlink_internals()
In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov  1 19:56:33 UTC 2023 on atb-devel-224
2023-11-01 19:56:33 +00:00
Volker Lendecke
0fc160c667 smbd: Open file as REPARSE_POINT in reply_rmdir()
In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
93f0a36712 smbd: Open file as REPARSE_POINT in rename_internals()
In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
879db14ff6 smbd: Open file as REPARSE_POINT in smb_posix_unlink()
In the future we'll block opening symlinks as such in
SMB_VFS_CREATE_FILE() unless we open as reparse points.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
bdc6d3be4c smbd: Remove unused FAKE_FILE_TYPE_NAMED_PIPE enum
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
92606a46b3 smbd: Move filename_convert_smb1_search_path() to smb1-only code
Just general cleanup.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
ea16870545 smbd: Fix previous_slash()
Untested code is broken code... previous_slash() did not return a
pointer to the slash but after it. This went undetected because so far
we never call symlink_target_path() with "unparsed==0". Once we
started doing that, we would find that the "unparsed==0" case actually
puts parent on the "previous slash", not the character behind it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
170b67b3b0 manpages: Add a missing space
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
45ec0f61fd libcli: SMBntcreateX can return STOPPED_ON_SYMLINK
This does not count as NT_STATUS_IS_ERR, as it starts with 0x8 instead
of 0xC. So we return NT_STATUS_INVALID_NETWORK_RESPONSE, which is
wrong.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
9e5d752591 smbd: "have_proc_fds" can only work for a real fd
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
a181283f5c smbd: Remove code #ifdef'ed out >23years ago
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
ba2bc30785 smbd: Fix some whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
846adcb259 smbd: Save errno around unbecome_root()
Probably not required, but better safe than sorry.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
252d2cc76a smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00
Volker Lendecke
d2afaf21c5 smbd: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-01 18:55:32 +00:00