1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

5390 Commits

Author SHA1 Message Date
Jo Sutton
e8497f1343 s4:dsdb: Remove duplicate userAccountControl array entry
This entry is identical to the third array entry.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-08 02:48:44 +00:00
Douglas Bagnall
93e6ea4cff perftest:ndr_pack: spin in do_nothing for a while
The idea was to get a less jittery idea of the underlying noise, but
ut is still almost instant. This I suppose is useful in indicating
that this much of the test has very little overhead.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
2f68545087 perftest:ndr_pack: use a valid dummy SID
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
ceb5389260 perftest:ndr_pack_performance: remove irrelevant imports, options
This includes removing the ANCIENT_SAMBA switch for pre-4.3, as
nobody cares anymore and many tests would not run correctly anyway.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
d25fe2447b perftest:ndr_pack: slightly reduce python overhead
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
e802611743 perftest: ndr_pack_performance gets more SD types
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Douglas Bagnall
d5371f6bcd perftest:ndr_pack: rename SD tests with object ACEs
We are looking at an optimisation for non-object ACEs, which
are more common, but these tests are overwhelmed by object
(OA) ACEs.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15574
2024-02-08 02:48:44 +00:00
Joseph Sutton
f30a79d7f2 python: Generate HRESULT definitions automatically
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Jan 15 01:56:53 UTC 2024 on atb-devel-224
2024-01-15 01:56:53 +00:00
Joseph Sutton
b58cd077bc s4:dsdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
64f6627329 s4:dsdb: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
9ebe4de113 s4:dsdb: Use portable integer constant INT64_MAX
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
e1dc284fed s4:dsdb: Use portable integer constant INT64_MAX
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
6eec3ae6a6 s4:dsdb: Use portable integer constant INT64_MIN
Because it is written in hexadecimal, ‘0x8000000000000000LL’ is likely
going to be represented as an ‘unsigned long long int’. Negating it
actually will not change its value at all, so the unary minus achieves
nothing here.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
ccbaaf2606 s4:dsdb: Remove unused includes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Joseph Sutton
e8052ecad0 s4:dsdb: Remove trailing whitespace
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Rob van der Linde
b14ead30da python: move HRES_SEC_* constants to samba module
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 01:05:32 +00:00
Rob van der Linde
1a45e49b5f python: tests: make HRES_SEC_E_* constant an int
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 01:05:32 +00:00
Rob van der Linde
6bcfcacd53 python: PEP275: docstrings should always use double quotes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 01:05:32 +00:00
Andreas Schneider
9621a3d7a6 Use python.h from libreplace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15513

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 15:37:33 +00:00
Joseph Sutton
5ff72d0e04 libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
487e21ec89 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
12b0c9d043 s4:dsdb: Align integer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
9a0c5ee4ae s4:kdc: Have smb_krb5_principal_get_comp_string() properly indicate an error
The existing implementation did not differentiate between the case where
the relevant component was not present, and that where talloc_strndup()
failed. To correct this situation, put the result into an out parameter
on success and return an error on failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 01:24:32 +00:00
Joseph Sutton
2944bc1e02 s4:dsdb: Initialize pointers to NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 01:24:32 +00:00
Douglas Bagnall
78658eee76 s4/dsdb: try not to leak on access check failure
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 01:24:32 +00:00
Joseph Sutton
234b952986 s4:dsdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
ee23952582 s4:dsdb:tests: Remove unnecessary f‐strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
fc7f64baa3 s4:dsdb: Remove reference to non‐existent code
Commit 498542be0b removed the code in
question.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
b7b4c7ca8c s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Stefan Metzmacher
498542be0b CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
This makes the next change easier to understand.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Joseph Sutton
9e3a858969 s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite()
makeSuite() is deprecated and will be removed in Python 3.13.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
bb77f36f49 s4:dsdb:tests: Fix assertion messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
1513a4592c s4:dsdb:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
079306cf34 s4:dsdb:tests: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
244440d157 s4:dsdb: Don’t overwrite existing error code (CID 1445263)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
b60604b137 s4:dsdb: Log correct ldb error
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
ea561fea6f s4:dsdb: Replace early ‘continue’ with ‘if’ statement (CID 1414738)
A ‘continue’ statement creates the misleading impression that this loop
executes more than once.

This also avoids ‘mem_ctx’ being leaked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
d4042e880f s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1272827)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
b098eb82bf s4:dsdb: Fix unreachable code (CID 1435967)
Commit ede668e8e2 removed this condition
for some unexplained reason, causing the following code to become
unreachable.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
4cf9f43e43 s4:dsdb: Remove unreachable code (CID 1034686)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
7e8c38604a s4:dsdb: Check return code (CID 1444824/1444844)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
61037a85bf s4:dsdb: Permit forward link to be missing in linked_attributes_fix_forward_link()
We don’t care if a forward link is missing from an object being renamed
during the deletion process.

Nothing yet checks the value returned from this function, so there
should be no change in behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
d0db0ff268 s4:dsdb: Check whether ‘p’ is NULL before dereferencing it (CID 240875)
Commit 6baf7608df added a NULL check in
one place, but not everywhere ‘p’ was dereferenced.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 02:18:31 +00:00
Joseph Sutton
c0ef3b4292 s4:dsdb: Skip allocation of empty device SIDs array
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Volker Lendecke
e2e5ae1eb2 dsdb: Slightly simplify dsdb_trust_get_incoming_passwords()
Use talloc_memdup() instead of a manual copy.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 23:23:40 +00:00
Andrew Bartlett
cfeb9fe50e CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
d3d83a8f2e CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
0a79ed2c0b CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication.  Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
d4a71fbece CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
76b8d3edce CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
b644bb0665 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
07d2b28fb3 CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
Thie helps ensure this test is reliable even in spite of errors while
running.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
6578a65ed7 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Joseph Sutton
a621e9ab99 s4:dsdb: Add session info flag to indicate authentication with a device
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
c829dd1ba8 s4:dsdb: Add parameters for claims and device SIDs to security_token_create()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
4405e709c0 s4:dsdb: Use Builtin SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Joseph Sutton
dcca6bba2a s4:dsdb: Use NULL SID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-27 02:43:28 +00:00
Andrew Bartlett
e2cc29d132 libcli/security: Pass in claims evaluation state when building any security token
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:35 +00:00
Joseph Sutton
df3816eb71 s4:dsdb: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
9bb80c2738 s4:dsdb: Switch to using smb_krb5_princ_component()
This function has the handy feature of being able to be called twice in
succession without mysteriously breaking your code. Now, doesn’t that
sound useful?

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
bd05237de4 s4:dsdb: Prefer explicit initialization to ZERO_STRUCT()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
2e8bbaea70 s4:dsdb: Parenthesize macro expression
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-14 21:35:29 +00:00
Joseph Sutton
65c26c0b72 s4:dsdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Andreas Schneider
a420aa919c s4:samdb: Avoid memory leaks in partition_metadata_get_uint64()
==395==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 96 byte(s) in 1 object(s) allocated from:
    #0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a)
    #1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751
    #5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50
    #6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398
    #7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401
    #8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680
    #9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455
    #11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718
    #13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854
    #15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450
    #17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824
    #19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40
    #21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593
    #23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559
    #24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780
    #25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244
    #26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714
    #27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943
    #28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316
    #29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
    #30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206
    #31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543
    #32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2023-09-07 04:53:41 +00:00
Joseph Sutton
3c7ef6d041 s4:dsdb:tests: Fix usage lines
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
fec8d228ad s4:dsdb:tests: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
6e20afeb42 s4:dsdb:tests: Fix spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
365455b6a1 s4:dsdb: Check for overflow in security_token_create()
Overflow is unlikely ever to occur, but you never know.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
479ebdd041 s4:dsdb: Make ‘sids’ parameter const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
37c8c34328 s4:dsdb: Use uint32_t for ‘num_sids’
This matches the use of uint32_t for security_token::num_sids.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
0a202264d3 s4:dsdb: Access correct member of union
Accessing the wrong member of a union invokes undefined behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Joseph Sutton
3e076b374b s4:dsdb: Remove unnecessary casts
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-14 04:57:34 +00:00
Andrew Bartlett
63843a22c8 s4-dsdb: Improve logging for drs_ObjectIdentifier_to_dn_and_nc_root()
At this layer we can make a reasonable assumption about being able
to read ldb_errstring() to print that for extra useful debugging.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15401

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-13 21:59:29 +00:00
Joseph Sutton
178a7ed8a9 s4:dsdb:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
5a19ea9bce s4:dsdb:tests: Use control that was (presumably) intended
Otherwise ‘control4’ goes unused.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
68388153c0 s4:dsdb: Do not dereference a NULL pointer
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
4fad62d953 s4:dsdb: Check result of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
c850ffdec7 s4:dsdb: Correct error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
d4db9a2793 s4:dsdb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
54714b3580 s4:dsdb: Remove unnecessary parentheses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
cb2053ee17 s4:dsdb: Improve grammar
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
79cc9adf3c s4:dsdb: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
0c868428eb s4:dsdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
57969727b3 s4:dsdb: Move comment to more appropriate place
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
abcfaa79d0 s4:dsdb: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Andreas Schneider
b29793ffde s4:dsdb:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
bedc978c81 s4:dsdb:schema: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
969bcc2862 s4:dsdb:schema: Fix trailing white spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
f34ef1ef50 s4:dsdb:samdb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
3ebe11cd43 s4:dsdb:repl: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
e331979580 s4:dsdb:kcc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
2304ec4397 s4:dsdb:common: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andrew Bartlett
0031625598 dsdb: Make a shallow copy of ldb_parse_tree in operational module
We should not be making modifications to caller memory.  In
particular, this causes problems for logging of requests if the
original request becomes modified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Aug  2 12:10:20 UTC 2023 on atb-devel-224
2023-08-02 12:10:19 +00:00
Andrew Bartlett
3b51091c20 dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results
We should not be stealing caller memory like this, and while a
talloc_reference() is not much better, this combined with a
shallow copy should be a little better in terms of polite
memory management.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-02 11:16:41 +00:00
Stefan Metzmacher
1b68bd977a paged_results: add no memory checks in paged_search()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Arvid Requate <requate@univention.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org combination of two patches by the above authors]
2023-08-02 11:16:41 +00:00
Andrew Bartlett
c67534fe3f selftest: Add test for combination of anr and paged_results
This combination was known to cause a segfault in Samba 4.13, fixed by
5f0590362c in later versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14970

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-02 11:16:41 +00:00
Andrew Bartlett
d23dd3e26c dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224
2023-07-31 11:49:19 +00:00
Andrew Bartlett
78669a0458 dsdb: Add tracing to dsdb_search() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Andrew Bartlett
acf6d89c3e dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c
This will be useful when adding debugging to other routines.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Andrew Bartlett
4250d07e4d dsdb: Use samdb_system_container_dn() in dsdb_trust_*()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
3669caa97f dsdb: Use samdb_get_system_container_dn() to get Password Settings Container
By doing this we use the common samdb_get_system_container_dn() routine and we
avoid doing a linerize and parse step on the main DN, instead using the
already stored parse of the DN.  This is more hygenic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
97b682e0eb dsdb: Use samdb_system_container_dn() in samldb.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
25b0e1102e dsdb: Add new function samdb_system_container_dn()
This will replace many calls crafting or searching for this DN
elsewhere in the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Stefan Metzmacher
9a79bed41e s4:pydsdb: add dc_operatingSystemVersion() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
b058b39f38 s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.

So we better use a value matching the dc functional level.

While we also fixed operatingSystem[Version] at provision time,
we do it also in dsdb_check_and_update_fl() in order to
handle old provisions and systems joined to an existing domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Björn Jacke
405e9ba551 garbage_collect_tombstone.c: use DBG* macros instead of static numeric log levels
Some log levels changed slightly because the macros don't cover all the
previously used levels.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-02 16:50:36 +00:00
Björn Jacke
e4bb8b3d0d garbage_collect_tombstones.c: move info log message to appropriate level
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-02 16:50:36 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Stefan Metzmacher
d4007b0ef9 s4:dsdb/tests: also verify too old, older password interaction with badPwdCount
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:36 +00:00
Stefan Metzmacher
28cf6c7067 s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:35 +00:00
Andrew Bartlett
b8a613b4b1 dsdb: Add routine to check the DB vs lp functional levels
This will be called at server startup (as well as from Python tests)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
4919e8d808 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Joseph Sutton
22d0aa53bf s4-dsdb:large_ldap: Call setUpClass() method of base class
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
200117f5ed audit_tests: Check return value of json_new_array()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
ce176425f8 s4:dsdb: Check return value of allocation functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
92ad2c7b9b s4:dsdb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
2d9a2c3138 s4:dsdb: Check ldb_binary_encode_string() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
23a67d59c8 s4-dsdb:large_ldap: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
db5ef4e2ba s4-dsdb:large_ldap: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
2d1d3b7314 pytest/password_lockout: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
2b598a4b2e pytest/password_lockout: Use correct variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
b5ff085952 pytest/password_lockout: Use more specific assertion methods
These methods produce better error messages if an assertion fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
2236daa7ca pytest/password_lockout: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
3eb95c8791 s4:dsdb:tests: Refactor security descriptor test
Use more specific unittest methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
2e5d08c908 s4:dsdb:tests: Refactor confidential attributes test
Use more specific unittest methods, and remove unused code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Joseph Sutton
76b15ec145 s4:dsdb:tests: Refactor ACL test
Use more specific unittest methods; remove some unused variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-16 23:29:32 +00:00
Rob van der Linde
3eccaf5d1e s4/dsdb: fix unnecessary backslash
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 04:58:30 +00:00
Rob van der Linde
bb34d93277 dsdb/tests: fix assignment to for loop variable
because the loop variables are all called 'k' and the inner and outer loop both use 'k'.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 04:58:30 +00:00
Joseph Sutton
c7295b1dc5 pydsdb: Add Managed Service Accounts GUID constant
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Joseph Sutton
07f3dbbf38 s4:dsdb: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-05 02:54:31 +00:00
Douglas Bagnall
4c1d9e92e1 pytest:large_ldap: use a valid ACE
Real ACEs don't have {} around their GUIDs. This will soon be banned.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-28 02:15:36 +00:00
Joseph Sutton
03bd1b8ee9 s4-dsdb: Handle allocation failure
If a talloc function returns NULL, indicating failure, the failure could
be masked by the next talloc call allocating on the NULL context.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
12d990ac9f s4-acl: Make parameter const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
047214be29 s4/dsdb/cracknames: Remove unneeded attribute
The cracknames code never uses this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
dc7911e76b s4-dsdb: Check correct ldb opaque variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
0ec0a04dc1 s4-dsdb: Remove is_attr_in_list()
ldb_attr_in_list() already exists and does essentially the same thing.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
6f2bccf1f4 s4/dsdb/util: Make some arrays static
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
52e626a8d0 pytest/acl: Remove unused remnants of source4/dsdb/tests/python/acl.py
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
7cb9620fc4 s4-dsdb:large_ldap: Note that we don't check that an error was raised
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
ec069f1b3d s4-dsdb:large_ldap: Assert that we got all the entries
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
5f24d0adc7 s4-dsdb:large_ldap: Fix disabled test
This test was silently skipped due to setUpClass() throwing a NameError.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
1cf1e6889e s4-dsdb:large_ldap: Correctly increment count variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Joseph Sutton
911f607ecd s4-dsdb:large_ldap: Fix typos in variable names
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:31 +00:00
Rob van der Linde
112faff82f dsdb: modify unicodePwd requires encrypted connection
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 01:33:05 UTC 2023 on atb-devel-224
2023-04-06 01:33:05 +00:00
Rob van der Linde
928de1d61c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Rob van der Linde
5abda27f0e dsdb: fix spelling in password_hash.c
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
479634e4cd dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
By slowing the filter down more this makes the test reliable on the
autobuild host.

This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
e1c0c2066c dsdb/tests: Move SD modification on class-created objects to classSetUp
These modifications persist, so should be done at the class level,
not in the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:34 +00:00
Joseph Sutton
c33e78a27f CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.

Add or replace operations with no values and no privileges are
disallowed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Douglas Bagnall
62cc4302b6 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00