1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

39351 Commits

Author SHA1 Message Date
Andreas Schneider
87595140c3 s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
0177cd898e s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused with
this commit. We need to do it here or the compiler will complain about an unused
function.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
b957cb34d4 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
1790828bc5 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
6d90397ff2 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
dad8c78edc s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
18af510bd5 s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
8b1c0bd718 s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
354f61d868 s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
8e35e5f567 s4:torture: Use rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
dbe9e9a839 s4:torture: Use init_lsa_String() from init_lsa.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:38 +00:00
Andreas Schneider
e32be2ade4 python:tests: Rename createtrustrelax.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-09 22:52:37 +00:00
Stefan Metzmacher
796f33c05a s4:nbt_server: simulate nmbd and provide unexpected handling
This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.

This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-05 12:24:42 +00:00
Stefan Metzmacher
bfb10774b6 s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-05 12:24:42 +00:00
Stefan Metzmacher
77f4f1c7db s4:libcli/dgram: make use of socket_address_copy()
This avoids talloc_reference...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-05 12:24:41 +00:00
Stefan Metzmacher
11861bcfc3 s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-05 12:24:41 +00:00
Volker Lendecke
a3126ebfe5 lib: Use struct initialization in imessaging_client_init()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224
2024-03-28 09:13:43 +00:00
Volker Lendecke
2d4aa59994 lib: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-03-28 08:05:35 +00:00
Andrew Bartlett
fc982e550f s4-dsdb: Create KdfParameters at runtime
While this is by definition less efficient, I prefer not to have the magic
buffer of pre-caclulated bytes, we don't create Root Keys very often.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
d316e5f086 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
3687bf22aa s4-dsdb: Populate new GKDI root keys from the server configuration object
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Andrew Bartlett
f379ea8b81 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-28 01:50:41 +00:00
Anoop C S
f0a8d83268 s4/torture: Fix misplaced positional arguments for u64 comparison
torture_assert_u64_equal_goto() can only print meaningful error message
for incorrect values if only if the function is invoked with test run
value and expected value respectively as second and thrid arguments.
Otherwise it displays the reversed message causing confusion in overall
test results.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 27 13:00:29 UTC 2024 on atb-devel-224
2024-03-27 13:00:29 +00:00
Noel Power
cd6c075476 Add simple http_client for use in black box tests (in following commits)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-27 01:14:31 +00:00
Volker Lendecke
a3e186b617 lib: Remove timeval_until()
We have the same function in tevent, no need to duplicate code.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-22 05:03:35 +00:00
Jo Sutton
eac2395415 s4:auth: Update error messages
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
cd44f8063b s4:libnet: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
2f25c23b7b s4:auth: Allocate strings on shorter‐lived memory context
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Jo Sutton
55bc523da7 s4:auth: Fix grammar in error message
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-21 03:12:33 +00:00
Andrew Bartlett
682a87fd0a selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
This helps make use-after-free testing reliable.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-20 23:42:34 +00:00
Rob van der Linde
da500249fc tests: gmsa blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
2024-03-20 04:53:57 +00:00
Andrew Bartlett
97a23e57dc s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
Previously any errors noticed during the main loop would be ignored.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
2024-03-14 23:16:16 +00:00
Andrew Bartlett
9d7a97dc98 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
Since 87f67d3369 samba-tool domain exportkeytab has
silently unlinked the given target file.  Instead, the administrator now needs
to specify a file that does not exist.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:40 +00:00
Andrew Bartlett
a0867595fb s4-libnet: Prepare for a "rolling update" keytab export
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
7b662a9287 s4-auth/kerberos: Do not add true duplicates to exported keytab
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
014f1b561e s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export
We should never raise RuntimeError if we have a better option.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
0cb1e4dbf8 samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
2f97f6fe48 lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
91c0553610 s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
0490aed716 auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
bd2edecff0 s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
66a9c1daa8 s4-kdc: Prepare for gMSA support by recording it on the entry
This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
4406367473 s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
f34b910b5b s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA
Only gMSA accounts, and only for authoriszed users, can export be exported without
local sam.ldb access.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
d4155f8a99 Make "samba-tool domain exportkeytab" prune old keys
This slowly prepares this to be an update tool, not just a one-off export tool

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
6b3ce044d2 s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
2c33862b9e s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES
This allows us to mask out RC4 and insist on the modern AES types
where that makes sense.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
a2ed51df7c s4-auth/kerberos: Remove unused paremters to create_keytab()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
9246ee4804 samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Andrew Bartlett
b6cffcb3fb libnet: Prepare to allow "samba-tool domain exportkeytab to support -H
We need to allow a samdb to be passed from the python to support
using a specific DB or remote server for gMSA passwords.

The gMSA passwords will not use this code, but we need to be
consistant.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-14 22:06:39 +00:00
Volker Lendecke
d393fd4693 auth: Simplify smb_krb5_send_to_kdc_state_destructor()
Replace a call to dbwrap_fetch_locked() with the higherlevel
dbwrap_delete().

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-12 13:31:31 +00:00
Volker Lendecke
7c68d88cef lib: Make GUID_to_ndr_buf() return void
The whole point of struct GUID_ndr_buf is that this never fails.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-12 13:31:31 +00:00
Jule Anger
0e40506d21 selftest: add tests for "samba-tool user list --locked-only"
Signed-off-by: Jule Anger <janger@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jule Anger <janger@samba.org>
Autobuild-Date(master): Tue Mar 12 10:54:49 UTC 2024 on atb-devel-224
2024-03-12 10:54:49 +00:00
Andrew Bartlett
d73c92a35d dsdb: Remove calls to ldb.set_opaque_integer()
This routine will shortly be removed, it is now replaced by an
improved ldb.set_opaque()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-05 02:54:36 +00:00
Andrew Bartlett
416b6c5a03 lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() and use "unsigned long long"
We need to change the internal types assumed in Samba for the opaque
integers to "unsigned long long" as this is what ldb.set_opaque() will
create, and we want to move to this interface rather than have a
duplicate.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-03-05 02:54:36 +00:00
Andrew Bartlett
8b0d00a8e3 pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h
While these style of macros are against our coding style, it is still better
to have them in a single place, and while pyldb.h is technically public
Samba is the only user of the C bindings.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Andrew Bartlett
6c3ca9e496 dns: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
This prepares to move this macro into pyldb.h

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Andrew Bartlett
0839999c94 dns: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE()
This prepares to move this macro into pyldb.h

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Andrew Bartlett
2ba8e656da dsdb: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE()
This prepares to move this macro into pyldb.h

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Andrew Bartlett
da63ee78b3 dsdb: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE()
This macro already checks the type, so we do not need to call
py_check_dcerpc_type() and prepares to move this macro into pyldb.h

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-03 22:33:35 +00:00
Rob van der Linde
85ca9e7cba netcmd: tests: add tests for service-account commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 04:45:36 +00:00
Andrew Bartlett
a4afb2eead selftest: Bring ldb test defintions into one place in selftest/tests.py
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 02:41:36 +00:00
Andrew Bartlett
05ce3810e3 selftest: Always and only run ldb test-tdb test in Samba selftest
This is the last test left in the independent ldb testsuite,
removing this from there allows the test target to be removed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-03-01 02:41:36 +00:00
Douglas Bagnall
d6bfd26049 pytests: samba-tool domain kds root_key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar  1 01:27:30 UTC 2024 on atb-devel-224
2024-03-01 01:27:30 +00:00
Douglas Bagnall
53bf56c62b pytest:dsdb: check that there is a gkdi root key
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
a7c955dc7f s4:pydsdb: python bindings for gkdi_new_root_key()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Jo Sutton
d46daab2ae s4:dsdb: Add functions for GKDI root key creation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-03-01 00:19:45 +00:00
Douglas Bagnall
9beb57892d s4:pydsdb: add not-implemented raising functions to when appropriate
It will be less confusing, I hope.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-29 04:01:40 +00:00
Andrew Bartlett
2b515b7dcc s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
2024-02-28 04:45:48 +00:00
Jo Sutton
beaeeaff50 s4:rpc_server: Make some arrays static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Jo Sutton
18208dbef7 s4:rpc_server: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-27 01:11:37 +00:00
Andrew Bartlett
2e230f728e python/tests: Add test for new krb5 keytab parser
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-02-27 01:11:37 +00:00
Anoop C S
5a0fce5865 source4/torture: Add SEC_STD_DELETE to enable proper cleanup
basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
files created by those tests. But the restrictive SD with which they
were created prohibits the deletion inside shares where vfs_acl_xattr
is configured including "ignore system acls". The very same file will
otherwise cause problems while progressing with remaining sub tests.
SEC_STD_DELETE could be the minimum required additional access mask
to successfully delete the file under the said configuration using
vfs_acl_xattr and "ignore system acls" option without loosing the
integrity of the overall test.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224
2024-02-26 18:35:43 +00:00
Jo Sutton
4698cf0f33 s4:dsdb: Fix grammar
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 16 03:47:12 UTC 2024 on atb-devel-224
2024-02-16 03:47:12 +00:00
Jo Sutton
8c970eaa2e s4:ldap_server: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
b0b9e03c99 s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password
dsdb_have_system_access() takes into account the AS_SYSTEM control as
well as the result of dsdb_module_am_system().

This change means that we can reset the password of an account without
being SYSTEM by means of the AS_SYSTEM control. This is essential for
ldapsrv_SearchRequest() to be able to process the automatic password
changes of Group Managed Service Accounts.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
eece2e8a9c s4:dsdb: Make use of dsdb_have_system_access()
There should not be any change in behaviour.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
1ad9b93dbf s4:dsdb: Add function to determine whether we have system access
This takes into account the dsdb session info, as well as the presence
or absence of an AS_SYSTEM control.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
e0e2126fac s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
91fdd43164 s4:dsdb: Remove redundant include
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
324d0fbc06 s4:dsdb: Add function to create a GMSA password update request
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
d55c281c53 s4:dsdb: Remove unused includes
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
e1d27ba545 s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
002e01963d s4:dsdb: Add dsdb_werror() macro
This works like dsdb_module_werror(), but does not require an ldb module
to work.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
447467f77e s4:dsdb: Add search flag indicating that gMSA passwords are to be updated
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
eeadffc91c s4:dsdb: Include missing headers
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
424882452f s4:dsdb: Add dsdb control indicating that gMSA passwords are to be updated
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
78565c5ee3 s4:setup: Remove empty line
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
03e4de449d s4:dsdb: Fix code formatting
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
4e01e2bfc3 s4:dsdb: Add ‘ares’ parameter to operational attribute constructor functions
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
24552b0200 s4:dsdb: Make array static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
f439bd3943 s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
c0f9c177d0 s4:dsdb: Remove duplicate word
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
ed37c6f23b s4:dsdb: Remove unused ‘domain_dn’ parameter
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
470a9838e1 s4:dsdb: Remove reference to now‐gone lmNewHash parameter
This parameter was removed in commit
75c54d54ad.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
43cc1a9973 s4:dsdb: Split out function to create a ‘password set’ ldb request
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
7214225300 s4:dsdb: Allocate NT hash on to more appropriate memory context
The NT hash should live at least as long as the message to which it is
added.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
e1e28d4298 s4:dsdb: Undefine helper macro
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
c3ac22a4cb s4:dsdb: Check return value of talloc_new()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00
Jo Sutton
2489ffbe00 s4:kdc: Remove ‘attrs’ parameter from samba_kdc_lookup_server()
It is always equal to ‘server_attrs’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-02-16 02:41:36 +00:00