1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

139630 Commits

Author SHA1 Message Date
Björn Jacke
b9755f8840 samba-tool/backup: set the right permissions on our root dir
Since processes can run under the UID of the logged in user, it's required
to make sure that the users have the permissions here.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Björn Baumbach <bbaumbach@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Tue Dec 10 11:40:27 UTC 2024 on atb-devel-224
2024-12-10 11:40:27 +00:00
Pavel Filipenský
69c5f5c2dd docs-xml: Change 'DEBUGLEVEL' -> 'level' to match the option description
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Dec  6 13:33:38 UTC 2024 on atb-devel-224
2024-12-06 13:33:38 +00:00
Pavel Filipenský
0a9a8905eb docs-xml: Fix manpage section generated by cmdline.common.debug.server
man winbinbdd.8 is wrongly mixing two options:

before fix:
       -d|--debuglevel=DEBUGLEVEL, --debug-stdout
...

after fix:
       -d|--debuglevel=DEBUGLEVEL
...
       --debug-stdout

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-06 12:30:37 +00:00
Stefan Metzmacher
531a33b9c9 s4:rpc_server/netlogon: fix error codes in dcesrv_netr_NetrLogonSendToSam
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec  5 17:46:49 UTC 2024 on atb-devel-224
2024-12-05 17:46:49 +00:00
Stefan Metzmacher
a382636fc2 s4:rpc_server/netlogon: implement dcesrv_netr_ServerPasswordGet()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
350db61bef s4:selftest: run samba.tests.krb5.netlogon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
6f52ffab82 python:tests/krb5: add netlogon.py
This adds tests for the application layer encryption used
based on the secure channel session key.

This will get tests for netr_ServerAuthenticateKerberos()
in order to explore its details.

This runs against Windows 2022 as well as Windows 2025 (preview)
using something like this:

SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
STRICT_CHECKING=0 \python/samba/tests/krb5/netlogon.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
4030a62b2d python:tests/krb5: avoid some problems when running against w2025 (preview) with STRICT_CHECKING=0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
db0e7dfc41 python:tests/krb5: remember the objectGUID of created accounts
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
04da20c813 pycredentials: add credentials.netlogon_creds_*() functions via py_module_methods
This makes it possible to explore the functions arround
netlogon_creds_CredentialState via python.

This allows us to write tests in order to explore
the details of netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
bd76d0460b pycredentials: add creds.[g|s]et_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
01758da131 pycredentials: remove unused module methods
It's not useful to use the PyCredentials methods
also as module methods...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
018a3ced1c pyrpc_util: fix error Exception message in py_check_dcerpc_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
567d4e356a s4:rpc_server/netlogon: let dcesrv_netr_LogonSamLogon_base_reply handle encryption errors
This might be the better option when we implement
netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a4105f94f9 libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic info
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
18a62ea23f tests/krb5: make use of conn.auth_info() in _test_samlogon()
In future we'll have KRB5 instead of SCHANNEL...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
cbd990b2b6 s4:pyrpc: add conn.auth_info()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
ec6892bd1f gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
f59b8ac136 s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
4dbbfcb004 s3:libads: add kerberos_kinit_passwords_ext() helper
This can check more than one password and is designed to
support getting a TGT for our machine account also falling
back to older passwords...

If we don't have a plaintext password it falls back to an nt_hash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
017e6e1cb1 s3:libads: split out kerberos_kinit_generic_once()
This can be used to kinit with a keyblock later
and also a loop over multiple password generations will
be possible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
32dd400f9e s3:libads: remove unused time_offset from kerberos_kinit_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
890fd84486 s3:libads: let kerberos_kinit_password_ext() always initialize *ntstatus
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
e470d33194 s3:libads: fix compiler warning in trust_pw_change()
../../source3/libads/trusts_util.c: In function ‘trust_pw_change’:
../../source3/libads/trusts_util.c:302:45: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  302 |                                    (void **)&new_trust_pw_blob.data,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
b6123197d1 s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
d6aa886ce2 s3:winbindd: remove useless lines in add_trusted_domains_dc()
add_trusted_domain() above already sets this...

Review with: git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
fa04464316 s3:winbindd: make use of samba_sockaddr in set_remote_addresses() to avoid warnings
../../source3/winbindd/winbindd_dual_ndr.c: In function ‘set_remote_addresses’:
../../source3/winbindd/winbindd_dual_ndr.c:467:51: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  467 |         struct sockaddr *sar = (struct sockaddr *)&st;

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
0de93c34db s3:winbindd: make use of samba_sockaddr add_one_dc_unique() to avoid warnings
../../source3/winbindd/winbindd_cm.c: In function ‘add_one_dc_unique’:
../../source3/winbindd/winbindd_cm.c:1172:48: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
 1172 |                             (struct sockaddr *)(void *)&(*dcs)[i].ss,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
6cc8dfea6e s3:winbindd: let wb_dsgetdcname* normalize to dns names on an ad_dc
wb_dsgetdcname() is typically used by dcerpc_wbint_DsGetDcName_send()
from netr_DsRGetDCName* in the netlogon server, when domain members
try to ask for domain controllers of a trusted domain.

The domain might disabled netbios support, so we better try the
already dns name if available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
0a31a5d20e s3:utils: let net_rpc_testjoin() work for ad domains and no ipv4 address
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
e47ce1d10b s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
We may get NT_STATUS_NOT_FOUND when the name can't be resolved
and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4
addresses...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
ed6a9ccef6 libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED is the proposed flags changed
This will be important when we add support for netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
84703cb1fd s4:torture/rpc: make use of creds->client_requested_flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
07b51a12c0 s4:librpc/rpc: make use of creds_state->client_requested_flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a2b6a68b80 schannel.idl: change netlogon_creds_CredentialState layout for 4.22
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.

It also prepares support for netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
52b94f3f0f Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"
This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16.

We break the compat of the netlogon_creds_cli.tdb records compared to
4.21 with the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
aea024779f libcli/auth: don't loose server_dns_domain in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
544838ac5b netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
I have basic tests, which have shown that the payload is not
encrypted at application level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
61a5151af5 librpc/ndr: let ndr_print_bitmap_flag work for bitmap64bit values
Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
14128289a3 python/ndr: allow print_secrets=True for ndr_print*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
377db59ce9 pidl/Python: allow ndr_print(print_secrets=True)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a69310eeab librpc/ndr: add ndr_print_{struct,union,function}_secret_string()
Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
705f774863 librpr/ndr: split out ndr_print_generic_string()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
d9b0aed547 netlogon.idl: use authservice("netlogon")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
9ede82167b netlogon.idl: mark some structs as public so that ndr.ndr_deepcopy() works in python
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
dbe3308cba samr/netlogon.idl: add [flag(NDR_SECRET)] in some more places
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Pavel Filipenský
eb02776cf4 s3:tests: Adapt winbind_call_depth_trace to depth=3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Dec  5 15:54:57 UTC 2024 on atb-devel-224
2024-12-05 15:54:57 +00:00
Pavel Filipenský
26cb20fb7e s3:tests: Make winbind_call_depth_trace to use global_inject.conf
To get the expected traces we need:

debug syslog format = no
log level = 10

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 14:57:33 +00:00
Volker Lendecke
a2d47e989e libcli: Speed up sddl_decode_ace()
Factor out talloc-less sddl_transition_decode_sid()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec  3 09:03:01 UTC 2024 on atb-devel-224
2024-12-03 09:03:01 +00:00
Volker Lendecke
b65a4b9c90 libcli: Remove a special case
dom_sid_parse_endp does accept the lowercase "s" in "s-1-1-0".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-03 08:01:30 +00:00