mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

137898 Commits

Author SHA1 Message Date
Stefan Metzmacher
d1efc396de s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
We already handle it in samba_kdc_fill_user_keys() mostly for DES keys,
but other encryption types might be from kerberos libraries in future.
And things like FIPS mode may also alter the runtime behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
8cfebc36ed s4:kdc: split out samba_kdc_fill_trust_keys() helper
Let samba_kdc_trust_message2entry() also fill in the salt used
by the key. This is not strictly needed, but it's better to
be consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
83f03513fd s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
888a785f47 s3:libnet: add support for trusted domains in libnet_dssync_keytab.c
It means that keytabs generated via 'net rpc vampire keytab' are
able to decrypt cross-realm tickets in wireshark.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
2b2cc54472 s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c
This way we can easily re-use the logic in the next commits...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
feff15fc88 s3:libnet: split out parse_user() in libnet_dssync_keytab.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
52df406387 s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash
It happens in setups with 'nt hash store = never'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Jo Sutton
01849ab1bc s4:kdc: Implement KDC plugin hardware authentication policy
NOTE: This commit finally works again!

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
2024-05-16 03:14:47 +00:00
Jo Sutton
0582cf6077 s4:kdc: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
09bcd48f79 third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
d36bfbf632 tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
f3ff4915ad s4:kdc: Initialize local variable just in case (CID 1596759)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
3b90753b55 s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
7e7bb259a6 s4:kdc: Initialize pointer variable just in case (CID 1596762)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
e1460c9e34 s4:dsdb: Make map containing default attribute values static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
927c672faf s4:dsdb: Do not set lockoutTime for trust accounts
This matches the behaviour of Windows.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
4c759c2675 s4:dsdb: Make use of userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
1b8b8550aa s4:dsdb: Add userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
0e93456a66 s4:dsdb: Remove redundant user flags macro
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
32199b9bcf s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
fbdeb4b0b4 lib:crypto: Add constant denoting maximum GKDI clock skew in minutes
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
c167ac5301 s4:libnet: Remove unnecessary declarations
This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
33ed55ce8f s4:libnet: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
5c4f2623c5 tests/krb5: Add more tests for gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
6f09418010 tests/krb5: Test viewing gMSA passwords after performing simple binds
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
f9cbda9cf0 tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
336a58473a tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
We just want to test whether a gMSA can use netlogon.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
ad0740751e tests/krb5: Test performing NTLMSSP logons at different times
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e5357c75a6 s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
92d010af2d s4:dsdb: Let dsdb gMSA time influence pwdLastSet
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
9fac9b776e tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
aa4347ff23 tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
View with ‘git show -b’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
41e71406a1 tests/krb5: Make use of gmsa_series_for_account() method
This allows us to replace a call to
expected_current_gmsa_password_blob() with one to
expected_gmsa_password_blob(), a method which allows us to specify the
exact key we expect.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
577aa79042 tests/krb5: Add quantized_time() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
65fe09007f tests/krb5: Read current time from correct SamDB
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
fdaa294369 python:tests: Pass ServerPasswordSet2() parameters in correct order
‘account_name’ and ‘server_name’ are passed in the wrong order. While
Samba ignores the account name parameter and doesn’t have a problem with
it missing its trailing dollar, Windows checks it and requires the
trailing dollar to be present.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
cb357a011b python:tests: Remove unnecessary ‘pass’ statement
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e875193c1c python:tests: Remove unused netlogon connection parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
170dd47eae s4:libcli: Add more controls to our list of known controls
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
526652d162 s4:libcli: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e4045cd5b1 s4:setup: Update name of dsdb password change control
Commit 0a907c2f45 renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
f5cbe49789 s4:dsdb: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
cbebffd56d s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
359b3b6321 lib:fuzzing: Fix undefined shift
../../lib/fuzzing/fuzz_stable_sort_r_unstable.c:47:22: runtime error: left shift of negative value -34

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
be076b3097 lib:fuzzing: Remove unused variable
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
7b02221c4f auth:credentials: Check for NT hash being NULL
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Volker Lendecke
2b495c44a2 smbd: Fix a typo in a few places
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 15 17:56:24 UTC 2024 on atb-devel-224
2024-05-15 17:56:24 +00:00
Volker Lendecke
a99f2f3ae3 smbd: Modernize a few DEBUGs
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
df75ae65e6 g_lock: Fix buffer length check in g_lock_parse()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00
Volker Lendecke
aca70be782 smbd: Simplify check_parent_access_fsp()
We don't need to explicitly call fetch_share_mode_unlocked,
get_file_infos does it for us behind the scenes

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-05-15 16:51:39 +00:00