1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

2474 Commits

Author SHA1 Message Date
David Mulder
c887f7a7d2 gpo: Fix unapply failure when multiple extensions run
When multiple Group Policy Extensions are present,
only the last executed extension saves it's
changes to the Group Policy Database, due to the
database being loaded seperately for each
extension.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
7e507dd886 gpo: Test multiple extention unapply
Verify that an unapply of multiple extentions
deletes the script files and policy settings.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
8626910c0e gpo: Sudoers ext should not crash if policy missing
If a user has manually removed a policy, the
extension should not crash in an unapply removing
it.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
87fe86270e gpo: Script ext should not crash if script missing
If a user has manually removed a script, the
extension should not crash in an unapply removing
it.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
7c6969e9c9 gpo: Cleanup sudoers policy test
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
7acbb44040 gpo: Cleanup script policy test
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
0544237ea2 gpo: Avoid using distutils since it will be deprecated
We shouldn't use distutils.spawn.find-executable
here, since its use is discouraged:
https://docs.python.org/3/library/distutils.html

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
0a7e2e3984 gpo: Clarify the contents of deleted_gpo_list in process_group_policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:33 +00:00
David Mulder
bc38d3afe3 gpo: Add rsop output for Sudoers policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:32 +00:00
David Mulder
4148af125b gpo: Test rsop output for Sudoers policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-27 15:59:32 +00:00
David Mulder
4a252f6e0f python compat: remove ConfigParser
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-24 01:46:30 +00:00
Andrew Bartlett
4dbe8d1131 python: Remove remaining references to third_party python libs
For now at least we do not have any in third_party.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Aug 21 00:12:52 UTC 2020 on sn-devel-184
2020-08-21 00:12:51 +00:00
Andrew Bartlett
2420b7c6d2 python: Add checks for some more required python packages
This catches the most important packages we require, but
this may not be the full list.

python-gpg is not listed as we have a big workaround handler
for this in samba-tool.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2020-08-20 22:49:26 +00:00
Andrew Bartlett
091e11260d Remove pyiso8601 from third_party
The trend has been to remove widely available packages from third_party/

This module is both widely available, and only needed for --enable-selftest

It is, strangely enough, a BuildDependes in the RHEL/Fedora packages
just to stop it being installed in third_party.

The check for iso8601 being available is moved to python/wscript

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2020-08-20 22:49:26 +00:00
Andreas Schneider
7e3ceaec44 python:tests: Add test for SMB encrypted DCERPC connection
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Aug 19 17:46:28 UTC 2020 on sn-devel-184
2020-08-19 17:46:28 +00:00
Andreas Schneider
5bff7a061f python: Add a test for SMB encryption
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:42 +00:00
Andreas Schneider
6f552204d4 s3:client: Turn off smb signing for message op
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:42 +00:00
Andreas Schneider
67323b1ffa python:tests: Set smb ipc signing via the creds API
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:42 +00:00
Andreas Schneider
1a74c790bf python:tests: Mark libsmb connection as an IPC connection
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:42 +00:00
Andreas Schneider
946e43f0cc python: Set smb signing via the creds API
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
d55950b840 python: Remove unused sign argument from smb_connection()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
84f1e4683e auth:creds: Add python bindings for cli_credentials_set_conf()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
66c9c68bad auth:creds: Add python bindings for (get|set)_smb_encryption
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
ef12caea07 auth:creds: Add python bindings for (get|set)_smb_ipc_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:41 +00:00
Andreas Schneider
098774b244 auth:creds: Add python bindings for (get|set)_smb_signing
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2020-08-19 16:22:40 +00:00
Stefan Metzmacher
e913503540 auth:creds: Introduce CRED_SMB_CONF
We have several places where we check '> CRED_UNINITIALISED',
so we better don't use CRED_UNINITIALISED for values from
our smb.conf.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-08-19 16:22:40 +00:00
Volker Lendecke
acd8de28ac auth_log_test: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Volker Lendecke
2d29bb42c7 test: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-08-17 19:35:37 +00:00
Douglas Bagnall
f0860de5bb python compat: remove text_type
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Douglas Bagnall
ace5038031 python compat: remove binary_type
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Douglas Bagnall
bcaf076d30 python compat: reduce use of 'if PY3:'
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Douglas Bagnall
4d9d63b000 python compat: remove StringIO
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Douglas Bagnall
9cc65a552b python compat: remove string_types
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
Douglas Bagnall
323073f4e0 python compat: remove integer_types
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2020-08-11 16:37:35 +00:00
David Mulder
d512b1a4bd gpo: Remove unused gp_ext_setter code
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Aug  6 18:01:49 UTC 2020 on sn-devel-184
2020-08-06 18:01:49 +00:00
David Mulder
627fb5471b gpo: Extract Access policy from Security extension
Rewrite the extension to be easier to understand,
and to remove references to gp_ext_setter.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
8971876128 gpo: Extract Kerberos policy from Security extension
Rewrite the extension to be easier to understand,
and to remove references to gp_ext_setter.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
bf74bf1c4e gpo: Add RSOP output for Scripts Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
1f63103041 gpo: Add RSOP output for Security Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
5361f25800 gpo: Test samba-gpupdate --rsop
Test that the rsop command produces the expected
output.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
f5202c7b55 gpo: Add --rsop option to samba-gpupdate
This command prints the Resultant Set of Policy
for applicable GPOs, for either the Computer or
User policy (depending on the target specified).
Policy specific output must be implemented for
each client side extension.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
0f3066abbb gpo: Properly decode utf-8/16 inf files from bytes
This code was python 2 specific (string handling
has changed dramatically in python 3), and didn't
correctly decode utf-16 in python3. We should
instead read the file as bytes, then attempt a
utf-8 decode (the default), and try utf-16 if
encountering a decode failure.
The existing code actually throws an exception on
the initial file read when the data is utf-16,
since it tries to decode the bytes to a utf-8
string.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
70a38eb548 gpo: Test proper decoding of utf-16 inf files
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
88b6266168 gpo: Apply Group Policy Sudo Rights
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
9679ba9577 gpo: Test Group Policy Sudo Rights
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
e387aa937e gpo: Scripts gpo add warning about generated scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
edf4b6eb12 gpo: Scripts extension use 'gp_' prefix, not 'tmp'
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:36 +00:00
David Mulder
b30a604f73 gpo: Apply Group Policy Weekly Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
David Mulder
7e5c842cba gpo: Test gpo weekly scripts apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
David Mulder
1810e4f10c gpo: Apply Group Policy Monthly Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
David Mulder
63703c9a07 gpo: Test gpo monthly scripts apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
David Mulder
42f043ab51 gpo: Apply Group Policy Hourly Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
David Mulder
ae56a07ae7 gpo: Test gpo hourly scripts apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-08-06 16:38:35 +00:00
Douglas Bagnall
14210c248a python tests: drop python 2.6 compatibility functions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-08-03 02:51:35 +00:00
Andrew Bartlett
05228c4e07 dbcheck: Allow a dangling forward link outside our known NCs
If we do not have the NC of the target object we can not be really sure
that the object is redundent and so we want to keep it for now
and not (as happened until now) break the dbcheck run made during the
replication stage of a "samba-tool domain backup rename".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14450

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-29 03:19:02 +00:00
Douglas Bagnall
d05fc858bf python: samba.compat rejects Python 2
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jul 17 08:39:38 UTC 2020 on sn-devel-184
2020-07-17 08:39:37 +00:00
Douglas Bagnall
914226bf52 python: wrap 'import dckeytab' in an explanatory function
The samba.dckeytab module has magic effects on samba.net, but never
appears to be used. That can be confusing, both to people and to
linters. Here we wrap that confusion up into a well-commented
function, so we never again have to wonder why the unused import is
there.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:40 +00:00
Douglas Bagnall
98f6ece5ad python/join: use the provided krbtgt link in cleanup_old_accounts
Before we were putting it in an otherwise unused variable, and
deleting the previous krbtgt_dn, if any.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:40 +00:00
Douglas Bagnall
820b3d82fa python/upgradehelpers: remove unused imports and variables
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:40 +00:00
Douglas Bagnall
78383dd8fc samba-tool ntacl: remove unused imports and variables
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:40 +00:00
Douglas Bagnall
65b49259f5 python/ms_forest_updates_markdown: avoid implicit global variable
out_dict would have been shared across all calls, aggregating values as it went.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:39 +00:00
Douglas Bagnall
5a078bc961 dbcheck: omit unused argument in err_wrong_default_sd
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2020-07-17 07:17:39 +00:00
Noel Power
3dced6a436 selftest: Add basic smbcacls test(s)
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2020-07-07 21:40:33 +00:00
Andrew Bartlett
b232a7bc54 CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2020-07-02 09:01:41 +00:00
Douglas Bagnall
f4b2fd00fe CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.

These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-07-02 09:01:41 +00:00
Andreas Schneider
d308650145 tls: Use NORMAL:-VERS-SSL3.0 as the default configuration
This seems to be really broken in GnuTLS and the documentation is also
not correct.

This partially reverts 53e3a959b9

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul  1 14:56:33 UTC 2020 on sn-devel-184
2020-07-01 14:56:33 +00:00
Andrew Bartlett
2c4ecf002a selftest: Split samba.tests.samba_tool.user_virtualCryptSHA into GPG and not GPG parts
This allows the userPassword (not GPG) part of the test to run on hosts without
python3-gpg (eg RHEL7) while still testing the userPassword handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-07-01 13:34:30 +00:00
David Mulder
ab50d348d9 gpo: Test samba-tool gpo admxload
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Jun 23 17:53:22 UTC 2020 on sn-devel-184
2020-06-23 17:53:21 +00:00
David Mulder
2c1ebd07b1 samba-tool: add command for installing gpo samba admx
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-06-23 16:32:30 +00:00
David Mulder
97a8f99946 gpo: Test gpo scripts apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-06-23 16:32:30 +00:00
David Mulder
a9d1ccc569 gpo: Run Group Policy Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-06-23 16:32:30 +00:00
David Mulder
cd52a28091 Create Registry.pol group policy extension parser
Create a parent class for parsing Registry.pol
files by group policy extensions.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-06-23 16:32:30 +00:00
Andrew Bartlett
9513d02ef3 python: Correctly re-raise the LdbError if the embedded error is not ldb.ERR_UNWILLING_TO_PERFORM
The current code attempts a SAMR based password set for all errors,
we want to continue on LDAP or local LDB (in the restore case) unless
we really got the specific error given by Windows 2000.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14414

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@suse.com>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Tue Jun 23 05:07:00 UTC 2020 on sn-devel-184
2020-06-23 05:07:00 +00:00
Andreas Schneider
27709178e0 python: Fix get_max_worker_count() to always have two runners
Thanks to Jim Brown.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 19 19:54:04 UTC 2020 on sn-devel-184
2020-06-19 19:54:04 +00:00
Andreas Schneider
e478470f20 python: Run cmdline tools for arbitary docs test in parallel
Running samba.tests.docs on my machine:
before -> (2m6.952s)
after  -> (22.298s)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 19 10:59:30 UTC 2020 on sn-devel-184
2020-06-19 10:59:30 +00:00
Andreas Schneider
a2bc150a31 python: Run cmdline tools for default docs test in parallel
Running samba.tests.docs on my machine:
before -> (3m52.582s)
after  -> (2m6.952s)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-06-19 09:37:36 +00:00
Andreas Schneider
53e3a959b9 s3:lib:tls: Use better priority lists for modern GnuTLS
We should use the default priority list. That is a good practice,
because TLS protocol hardening and phasing out of legacy algorithms,
is easier to co-ordinate when happens at a single place. See crypto
policies of Fedora.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184
2020-06-17 17:42:02 +00:00
Andrew Bartlett
3d1b6ddcd0 docs: Add caution against extending this list
We want correct documentation if at all possible.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 17 15:48:06 UTC 2020 on sn-devel-184
2020-06-17 15:48:06 +00:00
Andrew Bartlett
1054318827 docs: Remove defaults test exception for "mit kdc command"
This ensures the documentation matches the code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-06-17 14:25:28 +00:00
Andrew Bartlett
9464505620 docs: Ensure "use mmap" always has the correct default
We clarify the smb.conf manpage entry for "use mmap" to match the actual behaviour

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-06-17 14:25:28 +00:00
Douglas Bagnall
2323ea6f07 python: do not always import socket_server
This cost around 10ms for every Python script, and was only used in one
test.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-13 05:25:31 +00:00
Douglas Bagnall
5c06ab8338 python: do not always import urllib
Only provision.py wants a function from urllib, but we were importing
it in samba.compat, which is imported by samba, mening that every
python script importing anything from samba took 40ms longer to start
up.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-13 05:25:31 +00:00
Isaac Boukris
9b302a57ff selftest: test forwardable flag in cross-realm tgt tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-12 20:42:38 +00:00
Isaac Boukris
a823cc1e8b selftest: allow EncASRepPart to be encoded as EncTGSRepPart
that's how MIT kdc encodes it, clients accept both.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-06-12 20:42:38 +00:00
Rowland Penny
eae301e120 samba-tool dns query --help: Someone forgot 'PTR' from the list of record types
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Jun 11 04:37:37 UTC 2020 on sn-devel-184
2020-06-11 04:37:37 +00:00
Björn Baumbach
26fd73de7b tests/pysmbd: fill session unix info in ntacl tests
Valid unix info is required.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:31 +00:00
Björn Baumbach
efea16f367 python/samba/provision: set unix session info for user session, used for sysvol acl reset
The unix session info is required and expected by e.g. many vfs
modules. Missing unix session info leads to samba panic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14400

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:31 +00:00
Björn Baumbach
824fa5f45c python: fix slow's mail address
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-06-05 10:32:30 +00:00
Isaac Boukris
8b5e764413 selftest: add python S4U2Self tests including unkeyed checksums
To test the CRC32 I reverted the unkeyed-checksum fix (43958af1)
and the weak-crypto fix (389d1b97). Note that the unkeyed-md5
still worked even with weak-crypto disabled, and that the
unkeyed-sha1 never worked but I left it anyway.

Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184
2020-05-15 12:25:40 +00:00
Andrew Bartlett
6eb2a48f5a selftest: Add test for handling of "short" dnsProperty records
These have been known to be given by Windows DCs that share the same domain
as while invalid, they are not format-checked inbound when set by the DNS
Manager MMC applet over the dnsserver pipe to Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-05-15 06:05:30 +00:00
Andrew Bartlett
87bf1d687f librpc/idl: Add dnsp_DnsProperty_short
This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.

This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2020-05-15 06:05:30 +00:00
Gary Lockyer
80d9ea1386 s4 cldap server tests: request size limit tests
Add tests for packet size limits.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-10 21:45:38 +00:00
Gary Lockyer
aa7cc50ae2 s4 ldap server tests: request size limit tests
Extra tests for ldap maximum request size limits.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-10 21:45:38 +00:00
Gary Lockyer
13a2f70a4d Fix clang 9 missing-field-initializer warnings
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-08 09:31:31 +00:00
Gary Lockyer
5d6bcef4b4 CVE-2020-10704: ldapserver tests: Limit search request sizes
Add tests to ensure that overly long (> 256000 bytes) LDAP search
requests are rejected.

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-05-04 02:59:32 +00:00
Björn Baumbach
dc280f88be samba-tool: fetch "no such subcommand" error and print error message
This patch especially improves the case where extra arguments are used.

Without this patch just the attributes are mentioned as invalid, if
samba-tool is called with an invalid/unknown subcommand.

Example without this patch:
  # samba-tool sites list --all
  Usage: samba-tool sites <subcommand>

  samba-tool sites: error: no such option: --all

This can be deceptive for users. Is looks like the "list" command
does not provide a "--all" option.

Example with this patch:
  # samba-tool sites list --all
  samba-tool sites: no such subcommand: list

  Usage: samba-tool sites <subcommand>
  (...)

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 29 08:08:21 UTC 2020 on sn-devel-184
2020-04-29 08:08:21 +00:00
David Disseldorp
1f97aeac6b traffic_packets: fix SyntaxWarning: "is" with a literal
Python 3.8 adds this warning via https://bugs.python.org/issue34850:
  the "is" and "is not" operator sometimes is used with string and
  numerical literals. This code "works" on CPython by accident, because
  of caching on different levels (small integers and strings caches,
  interned strings, deduplicating constants at compile time). But it
  shouldn't work on other implementations, and can not work even on
  early or future CPython versions.

Reported-by: L. van Belle <belle@samba.org>
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Mon Apr 27 12:19:59 UTC 2020 on sn-devel-184
2020-04-27 12:19:58 +00:00
Andrew Bartlett
54a3560498 provision: Remove final code for the LDAP backend
The LDAP backend for the Samba AD DC, aiming to store the AD DC in
an existing LDAP server was largely removed many years aga, but the
other parts were removed in 2b0fc74a09.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr 23 06:12:20 UTC 2020 on sn-devel-184
2020-04-23 06:12:20 +00:00
Rowland Penny
84c130a655 samba-tool group show: only shows global security groups, this patch makes it show all groups.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14335

Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Björn Baumbach <bb@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Apr  2 15:27:53 UTC 2020 on sn-devel-184
2020-04-02 15:27:53 +00:00
Stefan Metzmacher
4f6d26609a python/tests/krb5: add simple_tests.py with the first simple test
This just demonstrates that the infrastructure works:-)

I'm running this as:

  SERVER=172.31.9.188 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \
  USERNAME=administrator PASSWORD=A1b2C3d4 SERVICE_USERNAME="w2012r2-188" \
  python/samba/tests/krb5/simple_tests.py

Pair-Programmed-With: Isaac Boukris <iboukris@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2020-03-27 18:17:35 +00:00