1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

138474 Commits

Author SHA1 Message Date
Pavel Filipenský
be29fe50ad selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
c76727b3c7 selftest: Rename nt4_dc_vars -> dcvars in setup_clusteredmember
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
fb0c2774ca script: clustered samba: Build samba-ctdb with ad-dc support
samba-tool requires addc support

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
bf13d9b3ef s3:script: clustered samba: Add script updatekeytab.sh
Admin should use this script in smb.conf parameter 'sync machine
password script' in clustered samba

TODO: onnode will update the keytab on all connected nodes, so the
update will happen on the triggering node twice. This can be improved in
the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
1fcaf066f4 ctdb:events: Add 46.update-keytabs.script for 'recovered' event
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
e08b2963d9 s3:libads: Call 'sync machine password script' when machine password is updated
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
f819ad2502 s3:utils: Remove from "net ads keytab": "add", "delete" and "add_update_ads"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
c10c49b3f0 s3:libads: Remove ads_keytab_create_default & friends
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
ad6a91ba74 testprogs: Remove alias test from test_net_ads.sh
"net ads keytab create" no longer reads msDS-AdditionalDnsHostName from AD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
abbf926067 testprogs: Remove dnshostname related test from test_net_ads.sh
"net ads keytab create" no longer reads dNSHostName from AD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
2304d96db3 testprogs: Use "HOST' instead of 'host' in test_net_ads.sh
"net ads keytab create" will uses the same value as in AD,
modifications to lower case are no longer done

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
18aedcc84c testprogs: Remove upn related test from test_net_ads.sh
"net ads keytab create" will no longer read "userPrincipalName" from AD

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
d18babd1d7 testprogs: Remove "keytab add", "keytab delete" and "keytab add_apdate_ads" related tests from test_net_ads.sh
"net ads" will no longer support "keytab add", "keytab delete" and "keytab add_apdate_ads"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
90ec8adf1f selftest: Add tests for keytab update
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
aff928268a selftest: Add "sync machine password to keytab" to env. ad_member_idmap_nss
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
253625dabf s3:utils: Change net_ads_keytab_create() to call sync_pw2keytabs()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
eeb79875c6 s3:libnet: Sync keytab during libnet_join_create_keytab()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
683f6eec40 s3: Sync machine account password in secrets_{prepare,finish}_password_change
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
7c65aa8c7b s3:ads: Remove 'kerberos method' warning for 'net ads keytab' functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
49d0990689 s3:ads: Do not update system keytab from "net ads changetrustpw"
It will be done in secrets_{prepare,finish}_password_change

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
da622ccc16 s3:lib: Sync machine password to keytab: helper functions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
f3ff687119 s3:libads: Request "msDS-KeyVersionNumber" from ads_find_machine_acct()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
b007fb89d5 s3:libads: Use the TRACE SUPPORT for keys operations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
1185b03b27 krb5_wrap: Add TRACE SUPPORT for keys operations
The trace looks like below. Useful is the last filed - hex dump of the
data - allows to search for all manipulations.

KEYTAB_TRACE sync_pw2keytabs_process_keytab:622 add ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM 14 17 C66D244CB26005C7D6FF9FC00FCBBE4A

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
27ca58f9bf s3:testparm: Add check for "sync machine password to keytab" to testparm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
09c3029958 docs:smbdotconf: Add parameter 'sync machine password script'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
731a25b5c8 docs:smbdotconf: Add parameter 'sync machine password to keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Pavel Filipenský
3de8d29415 s3:lib: Merge library trusts_util into library ads
Function trust_pw_change() originally from library trustis_util was updated
to call functionality from ads library. This would introduce circular
dependency between the two libraries. To avoid it, trusts_util is merged
into ads.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Ralph Boehme
07c0afe91d WHATSNEW.txt: document "veto files" and "hide files"
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jul 26 11:10:42 UTC 2024 on atb-devel-224
2024-07-26 11:10:42 +00:00
Ralph Boehme
607d2c1e3e s3/lib: return error from set_namearray()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
02ae847b45 smbd: return errors from token_contains_name()
Invalid names in "valid users", "invalid users", "read list", "write list",
"veto files" and "hide files" are logged and ignored, but a failure to contact
winbind or a DC from winbind, or a memory allocation failure, now all trigger a
failure of the tree connect.

Manually tested with smbclient with the following hack in winbindd:

---8<---
  $ git di
   source3/winbindd/winbindd_cache.c | 7 +++++++
   1 file changed, 7 insertions(+)

  diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
  index c889489dbbbc..8ccf0a28e11a 100644
  --- a/source3/winbindd/winbindd_cache.c
  +++ b/source3/winbindd/winbindd_cache.c
  @@ -1821,6 +1821,13 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
          ZERO_STRUCTP(sid);
          *type = SID_NAME_UNKNOWN;

  +       if (strequal(name, "unknown")) {
  +               return NT_STATUS_OK;
  +       }
  +       if (strequal(name, "iotimeout")) {
  +               return NT_STATUS_IO_TIMEOUT;
  +       }
  +
          status = wcache_name_to_sid(domain, domain_name, name, sid, type);
          if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
                  return status;
---8<---

  veto files = ../unknown/file1/../slow/file2

  $ bin/smbclient -U slow%x //localhost/test -c quit
  $

In the log:

  [2024/03/04 15:21:33.659356,  1, pid=977167, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:128(token_contains_name)
    token_contains_name: lookup_name 'unknown' failed

  veto files = ../iotimeout/file1/../slow/file2

  $ bin/smbclient -U slow%x //localhost/test -c quit
  tree connect failed: NT_STATUS_LOGON_FAILURE
  $

  [2024/03/04 15:22:15.655811,  0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:131(token_contains_name)
    token_contains_name: lookup_name 'iotimeout' failed NT_STATUS_NO_SUCH_DOMAIN
  [2024/03/04 15:22:15.655846,  1, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:381(change_to_user_impersonate)
    change_to_user_impersonate: SMB user slow (unix user slow) not permitted access to share test.
  [2024/03/04 15:22:15.655855,  0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/smb2_service.c:689(make_connection_snum)
    make_connection_snum: Can't become connected user!

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
0f27c52144 s3/lib: use lookup_name_smbconf_ex() in token_contains_name()
No change in behaviour as we still ignore lookup erros as well as a not-found
result.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
8364db8a3c s3/passdb: add lookup_name_smbconf_ex() using lookup_name_internal()
Returns NTSTATUS instead of bool. lookup_name_smbconf() becomes a thin
wrapper around lookup_name_smbconf_ex().

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
01b0b85621 s3/passdb: factor out lookup_name_internal()
lookup_name() becomes a thin wrapper around lookup_name_internal(). Prepares for
adding more callers to lookup_name_internal() that are interested in the
NTSTATUS return value to distinguish between NAME_NOT_FOUND lookup results and
real errors.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
1d6feea677 s3/passdb: use winbind_lookup_name_ex() in lookup_name() instead of winbind_lookup_name()
No change in behaviour, prepares for returning NTSTATUS instead of bool from
lookup_name().

Review-with: git show -w

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
3a13b90cee s3/passdb: add winbind_lookup_name_ex()
Differs from winbind_lookup_name() by

- returning NTSTATUS instead of bool, so callers can distinguish between
STATUS_NAME_NOT_FOUND lookup results and real errors.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
5d3c6dbf61 s3-errormap: add WBC_ERR_NOT_MAPPED -> NT_STATUS_NONE_MAPPED
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
1b63d503fc s3-errormap: move map_nt_error_from_wbcErr() back into errormap.c
This basically reverts commit 313db81ad3.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
02da9704a0 s3/rpc_client: fix handling of NT_STATUS_SOME_NOT_MAPPED
In this case names that couldn't be resolved will be have a NULL sid pointer
which would trigger a crash in sid_copy().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
148a102800 winbindd: let LookupNames return NT_STATUS_OK and SID_NAME_UNKNOWN for unmapped names
Previously LookupNames would fail if a name could not be translated, so winbindd
clients like libwbclient couldn't differentiate between not being able to talk
to a DC and just an unkown name.

As a visible change this alters

  $ bin/wbinfo -n Idontexist
  failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
  Could not lookup name Idontexist

to

  $ bin/wbinfo -n Idontexist
  failed to call wbcLookupName: WBC_ERR_SOME_NOT_MAPPED
  Could not lookup name Idontexist

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
12c5adb49a libwbclient: prepare wbcCtxLookupName() for dealing with WBC_SID_NAME_UNKNOWN
This changes the wbcErr from WBC_ERR_DOMAIN_NOT_FOUND to WBC_ERR_NOT_MAPPED.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
315ee3801b libwbclient: add error WBC_ERR_NOT_MAPPED
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
21b9eb5b8c winbindd: properly initialize sid and type in wb_cache_name_to_sid()
No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
cbd4aee50b winbindd: collapse two if expressions
No change in behaviour.

After calling set_domain_offline() domain->offline will be set to false, iow
everytime

  if (!domain->internal && was_online)

is true,

  if (!domain->internal &&
      !domain->online &&
      was_online)

will also true, so we can drop the second if expression.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
6baf9547e5 winbindd: reformatting
No change in behaviour.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
dc95763757 winbindd: rename variable old_status to was_online in wb_cache_name_to_sid()
A lot easier to make sense of the complex logic when using this name.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
89a26b50f4 CI: add a test for per-user (and per-group) veto files
Not adding a specific test for per-user hide files as that uses the exact same
mechanism as the per-user veto files.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
7e835339da CI: fix test file cleanup
Test files are stored beneath "$SHAREPATH/dir1", not "$SHAREPATH/dir_1".

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
b8b2f21835 s3/lib: add per-user support to set_namearray()
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00
Ralph Boehme
02e7c70ab3 smbd: move token_contains_name() to util_namearray.c and make it public
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 10:06:31 +00:00