IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused with
this commit. We need to do it here or the compiler will complain about an unused
function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS based names. Instead of falling back to
the ugly name_status_find() that simulates just
an NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
This way dsgetdcname() can work with just the netbios
domain name given and still return an active directory
response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224
While this is by definition less efficient, I prefer not to have the magic
buffer of pre-caclulated bytes, we don't create Root Keys very often.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Now that pyldb-util is a private library to Samba, we have no excuses not to
consolidate helper functions like this.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
torture_assert_u64_equal_goto() can only print meaningful error message
for incorrect values if only if the function is invoked with test run
value and expected value respectively as second and thrid arguments.
Otherwise it displays the reversed message causing confusion in overall
test results.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 27 13:00:29 UTC 2024 on atb-devel-224
We have the same function in tevent, no need to duplicate code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps make use-after-free testing reliable.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224
Previously any errors noticed during the main loop would be ignored.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
Since 87f67d3369 samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We should never raise RuntimeError if we have a better option.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Only gMSA accounts, and only for authoriszed users, can export be exported without
local sam.ldb access.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This slowly prepares this to be an update tool, not just a one-off export tool
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This allows us to mask out RC4 and insist on the modern AES types
where that makes sense.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We need to allow a samdb to be passed from the python to support
using a specific DB or remote server for gMSA passwords.
The gMSA passwords will not use this code, but we need to be
consistant.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Replace a call to dbwrap_fetch_locked() with the higherlevel
dbwrap_delete().
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The whole point of struct GUID_ndr_buf is that this never fails.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This routine will shortly be removed, it is now replaced by an
improved ldb.set_opaque()
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
We need to change the internal types assumed in Samba for the opaque
integers to "unsigned long long" as this is what ldb.set_opaque() will
create, and we want to move to this interface rather than have a
duplicate.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
While these style of macros are against our coding style, it is still better
to have them in a single place, and while pyldb.h is technically public
Samba is the only user of the C bindings.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This prepares to move this macro into pyldb.h
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This prepares to move this macro into pyldb.h
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This prepares to move this macro into pyldb.h
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This macro already checks the type, so we do not need to call
py_check_dcerpc_type() and prepares to move this macro into pyldb.h
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is the last test left in the independent ldb testsuite,
removing this from there allows the test target to be removed.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 1 01:27:30 UTC 2024 on atb-devel-224
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224
basic.maximum_allowed and smb2.maximum_allowed attempt to unlink the
files created by those tests. But the restrictive SD with which they
were created prohibits the deletion inside shares where vfs_acl_xattr
is configured including "ignore system acls". The very same file will
otherwise cause problems while progressing with remaining sub tests.
SEC_STD_DELETE could be the minimum required additional access mask
to successfully delete the file under the said configuration using
vfs_acl_xattr and "ignore system acls" option without loosing the
integrity of the overall test.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Feb 26 18:35:43 UTC 2024 on atb-devel-224
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Feb 16 03:47:12 UTC 2024 on atb-devel-224
dsdb_have_system_access() takes into account the AS_SYSTEM control as
well as the result of dsdb_module_am_system().
This change means that we can reset the password of an account without
being SYSTEM by means of the AS_SYSTEM control. This is essential for
ldapsrv_SearchRequest() to be able to process the automatic password
changes of Group Managed Service Accounts.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This takes into account the dsdb session info, as well as the presence
or absence of an AS_SYSTEM control.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This works like dsdb_module_werror(), but does not require an ldb module
to work.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The NT hash should live at least as long as the message to which it is
added.
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>