1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

1577 Commits

Author SHA1 Message Date
Joseph Sutton
18b24f9572 tests/krb5: Improve edata checking
Instead of guessing based on a heuristic whether we have KERB_ERROR_DATA
or METHOD_DATA in the ‘e-data’ field, decode it first as KERB_ERROR_DATA
and fall back to METHOD_DATA if that fails.

The environment variable EXPECT_NT_STATUS indicates that the KDC
supports returning a status code in the e-data field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Andrew Bartlett
8de7d28f3c selftest: Move linked_attributes test to ad_dc selftest environment
The ad_dc_ntvfs environment will be set to use a 2008 schema
(matching the 2008 FL it runs at) and this test needs a 2016 schema.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-16 23:29:32 +00:00
Volker Lendecke
f633389f36 winbind: Test wbinfo -u with more than 1000 users
winbind asks dcerpc_samr_LookupRids in one batch, where samr.idl has

	NTSTATUS samr_LookupRids(
		[in,ref]      policy_handle *domain_handle,
		[in,range(0,1000)] uint32 num_rids,
		[in,size_is(1000),length_is(num_rids)] uint32 rids[],
		[out,ref]     lsa_Strings *names,
		[out,ref]     samr_Ids *types
		);

limiting num_rids to 1000 entries. Test this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15366

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-09 01:59:32 +00:00
Volker Lendecke
8027283dd7 tests: Test ldap whoami exop
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 26 07:20:14 UTC 2023 on atb-devel-224
2023-04-26 07:20:14 +00:00
Joseph Sutton
839ca0cd35 selftest: Only run clusteredmember tests if ctdb is built
Trying to run any of these tests without having built ctdb results in a
failure, as the environment cannot be started.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-12 13:52:32 +00:00
Andreas Schneider
d9a9cb0396 testprogs: Merge export keytab tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
f18ca8a5c8 testprogs: Merge kinit trust tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
de8a0ee020 testprogs: Merge kinit tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
aa2ece8f64 s4:selftest: Move rfc2307_mapping test to ad_dc
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
c042b1fba0 s4:selftest: Reformat samba4.blackbox.rfc2307_mapping
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
f91f042c1d testprogs: Pass configuration to test_kinit_trusts_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
4ea94c8eaa testprogs: Pass configuration to test_kinit_trusts_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
9e7de6dff6 testprogs: Pass configuration to test_password_settings.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
3af471fe45 s4:selftest: Use ad_dc env for samba4.blackbox.password_settings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
7ed669ce90 s4:selftest: Reformat samba4.blackbox.password_settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
41b4a2a252 testprogs: Pass configuration to test_kpasswd_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
9e949bc403 testprogs: Pass configuration to test_kpasswd_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
d2bd1e3409 testprogs: Pass configuration to test_export_keytab_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
ff77e910bc testprogs: Pass configuration to test_export_keytab_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
2ad6b6fe2e s4:selftest: Use ad_dc environment for kinit tests
This makes sure they are run as part of "samba-addc-mit-1".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
4fa89f3aea s4:selftest: Use smbclient3 for kinit tests
smbclient3 has support for SMB2+.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
12d44773b5 s4:tests: Reformat kerberos tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Stefan Metzmacher
3b585f9e8c testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Rob van der Linde
928de1d61c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Douglas Bagnall
62cc4302b6 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
9b8dd83fd0 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Joseph Sutton
874e10ef79 s4:kdc: Add support for AD device claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 31 09:30:17 UTC 2023 on atb-devel-224
2023-03-31 09:30:17 +00:00
Joseph Sutton
e446e5816b s4:kdc: Add support for AD client claims
We now create a client claims blob and add it to the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Joseph Sutton
c9ff654200 selftest: Account for have_fast_support in determining whether FAST is supported
have_fast_support is unconditionally set to 1, so this doesn't change
any behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Rob van der Linde
d5a0d7aa8b netcmd: tests for claims client tool
Added delete protected test to known fail as Samba doesn't seem to enforce this yet.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 07:25:32 +00:00
Andrew Bartlett
2cba54ba30 selftest: Add python test that verifies that we can parse a PAC
This give us a building block to test the PAC claims format

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-03-31 01:48:30 +00:00
Joseph Sutton
0ac800d008 tests/krb5: Add tests for device info
These tests verify that the groups in the device info structure in the
PAC are exactly as expected under various scenarios.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-08 04:39:32 +00:00
Joseph Sutton
f4e4816fcd selftest: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-03 01:07:36 +00:00
Joseph Sutton
8d48ca4698 selftest: Don't use invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-03 01:07:36 +00:00
Volker Lendecke
a9301d8f29 tests: Move libsmb-basic to fileserver_smb1 environment
This has the lower-case share, used in the next commit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15313
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-24 07:49:39 +00:00
Rob van der Linde
c9535526f0 selftest: source4: fix mutable default arguments
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-02-23 22:32:33 +00:00
Rob van der Linde
3687ab318a selftest: fix flapping samba-tool drs showrepl test
Test should have been using "schema_pair_dc", it was picking this up from the variable env in the loop above it.

However, it was hardcoded to use promoted_dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15316

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-02-23 22:32:32 +00:00
Rob van der Linde
2388db932b selftest: specify env rather than picking it up from loop
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-02-23 22:32:32 +00:00
Rob van der Linde
e9db529767 selftest: Fix some typos in selftest tests.py
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-02-23 22:32:32 +00:00
Douglas Bagnall
41249302a3 lib/compression: add simple python bindings
There are four functions, allowing compression and decompression in
the two formats we support so far. The functions will accept bytes or
unicode strings which are treated as utf-8.

The LZ77+Huffman decompression algorithm requires an exact target
length to decompress, so this is mandatory.

The plain decompression algorithm does not need an exact length, but
you can provide one to help it know how much space to allocate. As
currently written, you can provide a short length and it will often
succeed in decompressing to a different shorter string.

These bindings are intended to make ad-hoc investigation easier, not
for production use. This is reflected in the guesses about output size
that plain_decompress() makes if you don't supply one -- either they
are stupidly wasteful or ridiculously insufficient, depending on
whether or not you were trying to decompress a 20MB string.

>>> a = '12345678'
>>> import compression
>>> b = compression.huffman_compress(a)
>>> b
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00  #....
>>> len(b)
262
>>> c = compression.huffman_decompress(b, len(a))
>>> c
b'12345678'                                   # note, c is bytes, a is str
>>> a
'12345678'
>>> d = compression.plain_compress(a)
>>> d
b'\xff\xff\xff\x0012345678'
>>> compression.plain_decompress(d)           # no size specified, guesses
b'12345678'
>>> compression.plain_decompress(d,5)
b'12345'
>>> compression.plain_decompress(d,0)         # 0 for auto
b'12345678'
>>> compression.plain_decompress(d,1)
b'1'
>>> compression.plain_decompress(a,444)
Traceback (most recent call last):
   compression.CompressionError: unable to decompress data into a buffer of 444 bytes.
>>> compression.plain_decompress(b,444)
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #...

That last one decompresses the Huffman compressed file with the plain
compressor; pretty much any string is valid for plain decompression.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-12-22 19:50:33 +00:00
Joseph Sutton
44802c46b1 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:29 +00:00
Joseph Sutton
371d7e63fc CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-12-13 13:07:29 +00:00
Joseph Sutton
a50a2be622 CVE-2022-37967 Add new PAC checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-12-13 13:07:29 +00:00
Joseph Sutton
177334c042 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-12-13 13:07:29 +00:00
Joseph Sutton
612eeff270 tests/krb5: Add tests of PAC group handling
In which we make AS and TGS requests and verify the SIDs we expect are
returned in the PAC.

Example command to test against Windows Server 2019 functional level
2016 with FAST enabled:

ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \
DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \
PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \
SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \
TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov  8 03:37:37 UTC 2022 on sn-devel-184
2022-11-08 03:37:37 +00:00
Volker Lendecke
4638eebae8 tests: Rename python/samba/tests/libsmb.py
samba/libsmb.py will become a common file to do the library
initialization for our tests. We already have two copies in
smb3unix.py and libsmb.py, and there might be more soon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-10-27 18:18:36 +00:00
Noel Power
ce7c418ca4 python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184
2022-10-25 10:30:59 +00:00
Joseph Sutton
ab7b16428d selftest: Simplify krb5 test environments
We don't need the local configuration here.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-10-05 04:23:32 +00:00
Andrew Bartlett
7ff743d65d selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
This test, compared with the direct to RPC tests, will succeed, then fail once the
server is changed to emulate Samba 4.5 and and again succeed once the python code
changes to allow skipping the DRSUAPI_DRS_CRITICAL_ONLY step

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-10-04 02:48:37 +00:00
Andrew Bartlett
62b426243f selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
The chgdcpass environment will emulate older verions of Samba
that fail to implement DRSUAPI_DRS_GET_ANC correctly and
totally fails to support DRSUAPI_DRS_GET_TGT.

This will allow testing of a client-side fallback, allowing migration
from sites that run very old Samba versions over DRSUAPI (currently
the only option is to attempt an in-place upgrade).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-10-04 02:48:37 +00:00
Joseph Sutton
91e2e5616c CVE-2021-20251 tests/krb5: Add tests for password lockout race
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-09-12 23:07:37 +00:00
Joseph Sutton
dadd322388 tests/krb5: Add claims tests
Based on tests originally written by Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep  9 01:11:05 UTC 2022 on sn-devel-184
2022-09-09 01:11:05 +00:00
Ralph Boehme
3dcdab86f1 smbtorture: add a test trying to create a stream on share without streams support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-09-02 15:00:36 +00:00
Andreas Schneider
8c1c63aab8 s4:selftest: Fix shellcheck errors in wintest_rpc.sh
source4/selftest/win/wintest_rpc.sh:61:27: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-08-22 20:35:36 +00:00
Andreas Schneider
b7a024e4ef s4:selftest: Fix shellcheck errors in wintest_net.sh
source4/selftest/win/wintest_net.sh:57:27: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Aug 22 15:15:11 UTC 2022 on sn-devel-184
2022-08-22 15:15:11 +00:00
Andreas Schneider
6c2871429f s4:selftest: Fix shellcheck errors in wintest_2k3_dc.sh
source4/selftest/win/wintest_2k3_dc.sh:57:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

source4/selftest/win/wintest_2k3_dc.sh:62:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

source4/selftest/win/wintest_2k3_dc.sh:85:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

source4/selftest/win/wintest_2k3_dc.sh:101:16: error: Use braces when
expanding arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-08-22 14:20:36 +00:00
Andreas Schneider
4b2f418949 s4:selftest: Fix shellcheck errors in test_w2k3.sh
source4/selftest/test_w2k3.sh:40:67: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

source4/selftest/test_w2k3.sh:46:66: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

source4/selftest/test_w2k3.sh:48:66: error: Use braces when expanding
arrays, e.g. ${array[idx]} (or ${var}[.. to quiet). [SC1087]

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-08-22 14:20:36 +00:00
Joseph Sutton
86698b313e CVE-2022-2031 tests/krb5: Add tests for kpasswd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
192d597c2f CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20
With MIT Kerberos >= 1.20, we should not expect a ticket checksum in
tickets to principals such as kpasswd/changepw, as they are encrypted
with the krbtgt's key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
4212037a6a CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Andreas Schneider
9923d50574 s4:torture: Rename rpc.samr.passwords tests
This way it is easier to select them with 'make test'.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-07-15 13:28:37 +00:00
Andreas Schneider
3f63393e51 s4:selftest: Reformat rpc.samr.passwords plansmbtorture4testsuite
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-07-15 13:28:37 +00:00
Andreas Schneider
c7925747dd s4:selftest: Reformat slow_ncacn_np_tests list
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-07-15 13:28:37 +00:00
Andreas Schneider
df29b9ab16 s4:selftest: Reformat shell scripts
shfmt -f source4/selftest/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
2022-07-15 12:08:36 +00:00
Ralph Boehme
f2b6258b68 vfs_acl_xattr: add acl_xattr:security_acl_name option
Pair-Programmed-With: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
2022-06-27 15:50:29 +00:00
Joseph Sutton
68c57d9f78 tests/krb5: Add test for presence of NT hash
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-06-26 22:10:29 +00:00
Samuel Cabrero
b7810f03ff selftests: Convert "net ads dns async" test to python
The current test uses the dig tool from bind9 but this tool has been
rewritten in 9.17.7 to use bind's netmgr functions instead of isc_socket
(commit 94b7988efb0f9b96415dd2966e6070450d960263).

The problem is that these 'netmgr' functions use libuv internally, and, on
systems supporting it, they end up using the sendmmsg() syscall which is not
catched by socket wrapper so the test fails.

This commit converts the test to python and uses the dnspython module
instead of the dig tool. Backtraces follow as reference.

Backtrace from dig v9.16.28 (working):

 #0  0x00007ffff778edee in sendmsg () from /lib64/libc.so.6
 #1  0x00000000005e5dee in cmsgsend (s=s@entry=12, level=level@entry=0, type=type@entry=1, res=<optimized out>) at net.c:515
 #2  0x00000000005e616c in try_dscp_v4 () at net.c:623
 #3  try_dscp () at net.c:696
 #4  0x00007ffff7708ad7 in __pthread_once_slow () from /lib64/libc.so.6
 #5  0x00000000005e66d7 in initialize_dscp () at net.c:702
 #6  isc_net_probedscp () at net.c:707
 #7  0x00000000005e8460 in socket_create (manager=0x6b49c0, pf=2, type=<optimized out>, socketp=0x7ffff0012b00, dup_socket=0x0) at socket.c:2454
 #8  0x000000000043cfcd in send_udp (query=0x7ffff00129a8) at dighost.c:2897
 #9  0x000000000043f9c7 in onrun_callback (task=<optimized out>, event=<optimized out>) at dighost.c:4271
 #10 0x00000000005dfefe in task_run (task=0x6b5c70) at task.c:851
 #11 isc_task_run (task=0x6b5c70) at task.c:944
 #12 0x00000000005ca0ce in isc__nm_async_task (worker=0x6b8970, ev0=0x716250) at netmgr.c:873
 #13 process_netievent (worker=worker@entry=0x6b8970, ievent=0x716250) at netmgr.c:952
 #14 0x00000000005ca2ba in process_queue (worker=worker@entry=0x6b8970, type=type@entry=NETIEVENT_TASK) at netmgr.c:1021
 #15 0x00000000005caa43 in process_all_queues (worker=0x6b8970) at netmgr.c:792
 #16 async_cb (handle=0x6b8cd0) at netmgr.c:821
 #17 0x00007ffff7898a4d in ?? () from /lib64/libuv.so.1
 #18 0x00007ffff78b4217 in ?? () from /lib64/libuv.so.1
 #19 0x00007ffff789e40a in uv_run () from /lib64/libuv.so.1
 #20 0x00000000005ca31e in nm_thread (worker0=0x6b8970) at netmgr.c:727
 #21 0x00000000005e2315 in isc__trampoline_run (arg=0x6b7c40) at trampoline.c:198
 #22 0x00007ffff7703767 in start_thread () from /lib64/libc.so.6
 #23 0x00007ffff778dc10 in clone3 () from /lib64/libc.so.6

Backtrace from dig v9.17.7 (not working):

 #0  0x00007ffff7684480 in syscall () from /lib64/libc.so.6
 #1  0x00007ffff754aed0 in uv__sendmmsg (vlen=0, mmsg=0x0, fd=10) at src/unix/linux-syscalls.c:163
 #2  uv__udp_mmsg_init () at src/unix/udp.c:74
 #3  0x00007ffff7606ad7 in __pthread_once_slow () from /lib64/libc.so.6
 #4  0x00007ffff7541bd9 in uv_once (guard=<optimized out>, callback=<optimized out>) at src/unix/thread.c:440
 #5  0x00007ffff7539e9b in uv__udp_sendmsg (handle=0x7ffff50535b8) at src/unix/udp.c:415
 #6  uv__udp_send (send_cb=0x7ffff7a41db0 <udp_send_cb>, addrlen=<optimized out>, addr=<optimized out>, nbufs=1, bufs=0x7ffff506c720, handle=0x7ffff50535b8, req=0x7ffff506c878) at src/unix/udp.c:773
 #7  uv_udp_send (req=req@entry=0x7ffff506c878, handle=handle@entry=0x7ffff50535b8, bufs=bufs@entry=0x7ffff506c720, nbufs=nbufs@entry=1, addr=<optimized out>, send_cb=send_cb@entry=0x7ffff7a41db0 <udp_send_cb>) at src/uv-common.c:464
 #8  0x00007ffff7a42308 in udp_send_direct (peer=0x7ffff5dfa988, req=0x7ffff506c700, sock=0x7ffff5053000) at netmgr/udp.c:839
 #9  isc__nm_async_udpsend (worker=<optimized out>, ev0=0x7ffff5dfa950) at netmgr/udp.c:780
 #10 0x00007ffff7a47de7 in isc__nm_udp_send (handle=<optimized out>, region=0x7ffff5dfaa90, cb=0x555555566250 <send_done>, cbarg=<optimized out>) at netmgr/udp.c:749
 #11 0x0000555555562ac2 in send_udp (query=0x7ffff502a000) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2899
 #12 udp_ready (handle=0x7ffff5026180, eresult=ISC_R_SUCCESS, arg=<optimized out>) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2974
 #13 0x00007ffff7a37d34 in isc__nm_async_connectcb (worker=worker@entry=0x7ffff622f000, ev0=ev0@entry=0x7ffff5026480) at netmgr/netmgr.c:2704
 #14 0x00007ffff7a3ca20 in process_netievent (worker=worker@entry=0x7ffff622f000, ievent=0x7ffff5026480) at netmgr/netmgr.c:940
 #15 0x00007ffff7a3d027 in process_queue (worker=worker@entry=0x7ffff622f000, type=type@entry=NETIEVENT_NORMAL) at netmgr/netmgr.c:977
 #16 0x00007ffff7a3d203 in process_all_queues (worker=0x7ffff622f000) at netmgr/netmgr.c:733
 #17 async_cb (handle=0x7ffff622f360) at netmgr/netmgr.c:762
 #18 0x00007ffff7531a4d in uv__async_io (loop=0x7ffff622f010, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163
 #19 0x00007ffff754d217 in uv__io_poll (loop=0x7ffff622f010, timeout=<optimized out>) at src/unix/epoll.c:374
 #20 0x00007ffff753740a in uv__io_poll (timeout=<optimized out>, loop=0x7ffff622f010) at src/unix/udp.c:122
 #21 uv_run (loop=loop@entry=0x7ffff622f010, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:391
 #22 0x00007ffff7a3d624 in nm_thread (worker0=0x7ffff622f000) at netmgr/netmgr.c:664
 #23 0x00007ffff7a6c915 in isc__trampoline_run (arg=0x555555599210) at /usr/src/debug/bind-9.18.2-1.1.x86_64/lib/isc/trampoline.c:187
 #24 0x00007ffff7601767 in start_thread () from /lib64/libc.so.6
 #25 0x00007ffff768bc10 in clone3 () from /lib64/libc.so.6

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun  4 00:27:29 UTC 2022 on sn-devel-184
2022-06-04 00:27:29 +00:00
Andrew Bartlett
127fe361b8 selftest: Run some tests in the ad_dc_no_ntlm environment to show expected behaviour
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-05-05 00:27:33 +00:00
Andreas Schneider
a14acd0c07 s4:selftest: Do not print the env twice
This makes it easier to write knownfail rules

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-04-13 12:59:30 +00:00
Ralph Boehme
8532d7b38c CI: consolidate SMB2-FILEID and SMB2-FILEID-UNIQUE torture test suites
We don't need seperate test suites here, all tests are related to
File-Ids.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-03-31 23:01:37 +00:00
Ralph Boehme
f734e960eb CI: avoid smb2.twrp being run by plansmbtorture4testsuite() directly
This should only be run by a blackbox test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15035

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-03-31 17:53:29 +00:00
Stefan Metzmacher
0be4f56723 s4:selftest/provisions: make use of 'make testenv' and avoid direct waf
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-29 22:32:32 +00:00
Andreas Schneider
bd1fd3de5c s4:selftest: Remove ad_dc_ntvfs env from several tests
It doesn't make sense to run tests against ad_dc and ad_dc_ntvfs in
those cases.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-28 02:17:37 +00:00
Andreas Schneider
67294a23b9 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported by MIT Kerberos
anyway.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184
2022-03-25 21:54:11 +00:00
Andreas Schneider
f0f47eedf7 testprogs: Rename test_pkinit_pac_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-25 20:58:33 +00:00
Andreas Schneider
6a125b0ac9 testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported with MIT
Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-25 20:58:33 +00:00
Andreas Schneider
9baac4a817 testprogs: Rename test_pkinit_heimdal.sh
We want one common test which works against Heimdal and MIT Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-25 20:58:33 +00:00
Andreas Schneider
e2b9df1cbc s4:tests: Run Heimdal PKINIT tests only against ad_dc env
There is not difference kerberos-wise between those two envs.

This reverts 661e1a229e.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-25 20:58:33 +00:00
Joseph Sutton
3e0c94a345 tests/krb5: Add tests for the Protected Users group
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
e729606631 selftest: Simplify krb5 test environments
It's not necessary to repeat the required environment variables for
every test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
c26ee3ba96 python:tests: Add tests for SDDL SID strings
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Andrew Bartlett
9cec421d4d selftest: run s4member tests less
The s4member test environment is a historical artifact, provisioned like an
AD DC using sam.ldb and joined using the historical S4 join code.

Once running however it is nothing particualr special in winbindd, so
there is no need to run the tests against ad_member and s4member.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Stefan Metzmacher
f1a71e2486 selftest: use 'kdc enable fast = no' for fl2000 fl2003
This makes sure we still run tests against KDCs without FAST support
and it already found a few regressions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-11 17:10:29 +00:00
Andreas Schneider
f1ca16f309 s4:mitkdc: Add support for MIT Kerberos 1.20
This also addresses CVE-2020-17049.

MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It
will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
enough distributions have been released with MIT Kerberos 1.20.

Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Ralph Boehme
ffdb1c3e00 CI: add test "smb2.async_dosmode"
Verifies async-dosmode sync fallback works with shadow_copy2 which returns
ENOSYS for SMB_VFS_GET_DOS_ATTRIBUTES_SEND().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-28 20:01:36 +00:00
Pavel Filipenský
9624e60e8c s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Joseph Sutton
0b9c8b9e12 selftest: Expect FAST support for both MIT and Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
64e539bb7f tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Jeremy Allison
30fea0d311 tests: Add 2 tests for unique fileid's with top bit set (generated from itime) for files and directories.
smb2.fileid_unique.fileid_unique
smb2.fileid_unique.fileid_unique-dir

Create 100 files or directories as fast as we can
against a "normal" share, then read info on them
and ensure (a) top bit is set (generated from itime)
and (b) uniqueness across all generated objects
(checks poor timestamp resolution doesn't create
duplicate fileids).

This shows that even on ext4, this is enough to
cause duplicate fileids to be returned.

Add knownfail.d/fileid-unique

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14928

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
2022-01-08 05:43:32 +00:00
Stefan Metzmacher
0a808f6b53 s4:selftest: run libsmbclient.noanon_list against maptoguest
This demonstrates the problem with guest access being rejected
by default.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14935

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-12-27 15:45:36 +00:00
Joseph Sutton
7dfcbc4e38 tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
ff6d325e38 tests/krb5: Check ticket cname for Heimdal
This is currently not checked in several places due to STRICT_CHECKING
being set to 0.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-06 22:08:32 +00:00
David Mulder
528e5efc17 samba-tool: Test DNS record creation on member join
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-06 22:08:31 +00:00
Andreas Schneider
492fd5b00f testprogs: Add rpcclient schannel tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-02 13:59:31 +00:00
Stefan Metzmacher
66e90b7391 nsswitch: reduce dependecies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Joseph Sutton
ee4aa21c48 selftest: Properly check extra PAC buffers with Heimdal
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
ebc9137cee tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
494bf7de6f CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-15 18:10:28 +00:00
Joseph Sutton
8a9f2aa2c1 CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss
In reality environments without 'nss_winbind' make use of 'idmap_nss'.

For testing, DOMAIN/bob is mapped to the local 'bob',
while DOMAIN/jane gets the uid based on the local 'jane'
vis idmap_nss.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org avoid to create a new ad_member_idmap_nss environment
and merge it with ad_member_no_nss_wb instead]
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-15 18:10:28 +00:00
Andrew Bartlett
433092d617 CVE-2020-25719 selftest: Always expect a PAC in TGS replies with Heimdal
This is tested in other places already, but this ensures a global
check that a TGS-REP has a PAC, regardless.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00