mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Commit Graph

132234 Commits

Author SHA1 Message Date
Joseph Sutton
96485d8e16 tests/krb5: Add tests for the primary group
Primary groups are handled differently from normal groups of which a
user is simply a member. Of particular note is the case where a
domain-local group is made a primary group; a case normally disallowed
by Windows, but not by Samba. Therefore we want tests for it.

Our testing framework must be able to set the user's primary group, and
to clean up afterwards; to set the primary group RID of a PAC; and to
check that the primary group RID is as expected in the PAC returned to
us.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
e00eeed9d2 auth: Align integer types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
24512accc7 s4-dsdb: Simplify search expression
We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
c17e46a231 ldap: Make use of LDB_OID_COMPARATOR constants
These constants allow one to tell at a glance what search operation is
being performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
618d95822e ldap: Cut down on string substitution
Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
Joseph Sutton
e20067c52d auth: Make more liberal use of SID index constants
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
5147f011d9 auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
e3fdb2d001 s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.

In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
14d94460ca auth: Pass through entire PAC flags value in auth_user_info
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
8aef16bbbc named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
5043bbed99 s4:torture: Make use of torture_assert_sid_equal()
This macro produces a slightly more useful message if the assertion
fails.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
61e4ad691b tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
This lets us test what happens in TGS-REQ exchanges to the KDC, when the
flags and resource groups are simply passed through into the new PAC,
regardless of what value the flags hold.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
9a362f99e0 tests/krb5: Allow setting or resetting PAC flags
This lets us test what happens when the flags in the PAC, such as
NETLOGON_RESOURCE_GROUPS, are given "interesting" values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
0245a588f4 tests/krb5: Add group tests simulating PACs from a trusted domain
Crucially, in these tests the user's domain and its SID are different
from our domain and its SID. These tests will assert that in such a case
resource groups are added to the PAC and handled correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
bd4af42130 tests/krb5: Allow changing the SID of a user's PAC
This lets us simulate a ticket of a user from another domain.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
11aa940fb3 tests/krb5: Add some more test cases for PAC group handling
Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.

Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.

Add a Samba 4.17 compatibility test for a service with resource SID
compression support.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
7831634be3 tests/krb5: Improve assertion failure message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
4ec34d297d tests/krb5: Remove tests of KDCs without resource SID compression support
As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c21d5bf674 s4: Add 'const' to some parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c00fe70793 s4-dsdb: Make sid_list_match() static
It's not used anywhere other than this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
6dab2ecddf s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
3d846db42d auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c7b76764dc auth: Remove early return from make_user_info_dc_pac()
'rg' is never NULL, so this codepath is never taken. But if it were, we
would return early and entirely neglect filling in the UPN_DNS_INFO from
the 'pac_upn_dns_info' parameter. So remove the early return.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
94cda2dfd5 auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
673ee782d9 s4:torture: Assert that group attributes match
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
7050e05742 auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.

Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
53d72c87e6 s4-dsdb: Add samdb_result_dom_sid_attrs()
This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
8ef6e7dba7 libcli/security: Add auth_SidAttr utility functions
These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c0011bcdc8 auth.idl: Add auth_SidAttr type
This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
2debc39400 s4:torture: Skip over asserted identity SIDs when comparing groups
We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
c7104fd8ec s4:torture: Zero-initialise netr_NetworkInfo structure
This ensures that no members contain garbage data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Joseph Sutton
449163b21d tests/krb5: Declare supported encryption types of service account
If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.

To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Andreas Schneider
024571a7a8 waf: Add support for MemorySanitizer
This currently only works with binaries. As there is no shared library for
MSAN it only is statically linked against binaries. This means if we have e.g.
a python script trying to load ldb, it will fail with undefined symbols.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb  6 23:49:04 UTC 2023 on atb-devel-224
2023-02-06 23:49:04 +00:00
Andreas Schneider
b3d7df58a0 s3:torture: Remove unused variable
source3/torture/test_smb1_dfs.c:3264:11: error: variable 'accessmode' set but
not used [-Werror,-Wunused-but-set-variable]
        uint16_t accessmode = 0;
                 ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:32 +00:00
Andreas Schneider
e57fa88119 s3:utils: Remove unused variable
source3/utils/log2pcaphex.c:138:13: error: variable 'i' set but not used
[-Werror,-Wunused-but-set-variable]
        static int i = 0;
                   ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:32 +00:00
Andreas Schneider
a94adedd0e s3:netapi: Remove unused variables
source3/lib/netapi/tests/netfile.c:40:22: error: variable 'i2' set but not used
[-Werror,-Wunused-but-set-variable]
  struct FILE_INFO_2 *i2 = NULL;
                      ^
source3/lib/netapi/tests/netfile.c:41:22: error: variable 'i3' set but not used
[-Werror,-Wunused-but-set-variable]
  struct FILE_INFO_3 *i3 = NULL;
                      ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:32 +00:00
Andreas Schneider
5447d7fb75 s3:modules: Initialize pointer with NULL
source3/modules/vfs_glusterfs.c:827:6: error: variable 'glfd' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
  if (pglfd == NULL) {
      ^~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:853:6: note: uninitialized use occurs here
  if (glfd == NULL) {
      ^~~~
source3/modules/vfs_glusterfs.c:827:2: note: remove the 'if' if its condition is
always true
  if (pglfd == NULL) {
  ^~~~~~~~~~~~~~~~~~~
source3/modules/vfs_glusterfs.c:763:17: note: initialize the variable 'glfd' to
silence this warning
  glfs_fd_t *glfd;
                 ^
                  = NULL

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
c462a0b78d s4:modules: Move structs with dynamic arrays to end of struct
source3/modules/vfs_io_uring.c:70:22: error: field 'cqe' with variable sized
    type 'struct io_uring_cqe' not at the end of a struct or class is a GNU
    extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
        struct io_uring_cqe cqe;
                            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
ea723fb709 s3:modules: Ignore -Wunused-but-set-variable for autogenerated code
source3/modules/getdate.c:1192:9: error: variable 'yynerrs' set but not used
    [-Werror,-Wunused-but-set-variable]
    int yynerrs;
        ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
54413a49f5 s3:printing: Remove unused variable
source3/printing/tests/vlp.c:144:19: error: variable 'job_count' set but not
    used [-Werror,-Wunused-but-set-variable]
        int i, num_jobs, job_count = 0;
                         ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
a77c56e4ed s3:printing: Remove trailing whitespaces in vlp.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
1379b0e13c lib:ldb-samba: Correctly handle search scope
lib/ldb-samba/ldb_ildap.c:482:47: error: implicit conversion from enumeration
    type 'enum ldb_scope' to different enumeration type 'enum ldap_scope'
    [-Werror,-Wenum-conversion]
                msg->r.SearchRequest.scope = req->op.search.scope;
                                           ~ ~~~~~~~~~~~~~~~^~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
981dcccfd9 nsswitch: Fix getting data out of pam_get_data()
nsswitch/pam_winbind.c:3360:24: error: cast from 'time_t **' (aka 'long **') to
    'const void **' must have all intermediate pointers const qualified to be safe
    [-Werror,-Wcast-qual]
                             (const void **)&pwdlastset_update);
                                            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
d7bc74afcc s4:samdb: Remove unused variable
source4/dsdb/samdb/ldb_modules/acl.c:1646:49: error: variable 'rep_val_cnt' set
    but not used [-Werror,-Wunused-but-set-variable]
        unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
                                                       ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
e0b46f3ca6 s4:samdb: Remove trailing whitespaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
8b7fcfa577 s3:winbind: Remove unused variable
source3/winbindd/winbindd_ads.c:1399:6: error: variable 'ret_count' set but not
    used [-Werror,-Wunused-but-set-variable]
        int ret_count;
            ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
f266e9e2dc s3:rpcsrv:eventlog: Remove unused variable
source3/rpc_server/eventlog/srv_eventlog_nt.c:634:11: error: variable
  'num_records_read' set but not used [-Werror,-Wunused-but-set-variable]
        uint32_t num_records_read = 0;

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
91e7351db3 s3:smbd: Don't assign variable to itself
source3/smbd/msdfs.c:367:14: error: explicitly assigning value of variable of
    type 'char *' to itself [-Werror,-Wself-assign]
        servicename = servicename;
        ~~~~~~~~~~~ ^ ~~~~~~~~~~~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Andreas Schneider
bd5b093cc0 s3:libsmb: Remove unused variable 'i'
namecache.c:129:9: error: variable 'i' set but not used
  [-Werror,-Wunused-but-set-variable]
        size_t i, count;
               ^

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00
Pavel Filipenský
2cc5b0745a auth/credentials: Fix uninitialized data
Fixing Red Hat internal covscan report:
Field "salt_data.magic" is uninitialized when calling "smb_krb5_create_key_from_string".

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-02-06 22:51:31 +00:00