IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts. By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
Such buffers are not to be trusted.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 7 22:54:42 UTC 2023 on atb-devel-224
samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
samba_kdc_get_user_info_dc() now adds the SID itself.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224
It’s only ever equal to SAMBA_COMPOUNDED_AUTH_INCLUDE.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
View with ‘git show -b’.
This allows us to make the call to authsam_shallow_copy_user_info_dc()
and samba_kdc_add_compounded_auth() only if required.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Let samba_kdc_get_claims_data() and claims_data_encoded_claims_set()
handle the work for us.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The latter function accomplishes most of what we were doing ourselves.
No intended change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The chief advantage of these functions is that the claims got from the
database are retained in the ‘samba_kdc_entry’ object, allowing them to
be reused should they be needed later during the same request.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When authentication policies are implemented, we shall need to fetch
SIDs (and claims) from the PACs of users and devices repeatedly — not
just when first looking up a user, but every time a policy needs to be
evaluated.
This will likely be more efficient if we can cache this information,
removing the need to derive it more than once.
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have the duplicated shallow copy in each caller so that the caller is
clear on what memory can be changed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
No behaviour change, and if the caller doesn’t need the resource groups
after all, the cost incurred is little more than the allocation of a
couple of dozen bytes of memory.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As the ‘group_inclusion’ parameter has an effect only if the
‘resource_groups_out’ parameter is non‐NULL, this does not result in a
change in behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The caller shouldn’t need to modify this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>