IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 27 21:19:35 UTC 2023 on atb-devel-224
This shows that read_symlink_reparse() is broken when trying to
replace an absolute with a relative filename within a
share.
read_symlink_reparse() is used only in openat_pathref_fsp_nosymlink()
so far to chase symlinks for non-lcomp path components. Chasing lcomp
symlinks is done through non_widelink_open(), which gets it right.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The parser is able to convert data from binary to XML (it generates an
empty <Value> tag) but not the other way around. This is a common
occurrence for empty multitext fields.
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Rename test function names that were starting to get very long.
They were all prefixed with the test name, stop doing that and use double underscore for better separation.
e.g. AuthPolicyCmdTestCase.test_authentication_policy_list_json
becomes AuthPolicyCmdTestCase.test_list__json
The claim types and value types test cases have been split into two testcases.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This matches the behaviour of Windows.
NOTE: This commit finally works again!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.
It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.
Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These instances of undefined behaviour ought now to be fixed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 24 22:30:06 UTC 2023 on atb-devel-224
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224
This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.
It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.
Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224
Expect an actual error code or an outcome, not CRASHES_WINDOWS.
I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?
A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.
In addition User2User also asserts that client and server
are the same account (cecked based on the sid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
utcnow() is deprecated and will be removed in a future version of Python.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224
These two tests now pass against Windows.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
In the fd_close() fsp->fsp_flags.fstat_before_close code path.
If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.
Remove knownfail.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224
