IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This works as long as both tickets are issued by the same RODC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This method removes the PAC_CLIENT_CLAIMS_INFO buffer *and* makes it
appear as if a ticket were issued by an RODC. Because that's more
efficient than decrypting and modifying the ticket twice.
View with 'git show -b'.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This can be used to modify a service ticket to appear as if it were
signed by an RODC krbtgt.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In Python, maps are not hashable and hence cannot be used as cache keys.
To get around this, we were converting the account details map to a
tuple of (key, value) pairs with the following expression:
((k, v) for k, v in details.items())
However, this was actually creating a lazily-evaluated generator object.
The hash of this object was based on its address in memory, not on its
contents, which meant that account options with the same details could
have different hash values if the generators occupied different memory
addresses, or (less likely) that account options with different details
could hash to the same value if the second generator happened to inhabit
the same memory address as the first one. The result was that account
caching didn't work as intended.
Attempt to fix that by using a frozenset instead of a generator object,
and making sure that all our values are tuples (and thus hashable).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
At lower levels we should not expect these bits to be present.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We call get_keys() a lot, and it's more efficient if we aren't creating
a new connection for every new account we create.
To allow us to maintain a single cached connection, remove the samdb
parameter from get_keys() and get_secrets(). No-one was using it anyway.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This matches the use of make_rodc_zeroed_checksum() in the preceeding
loop, and means that RODC-signed service tickets no longer fail to
decrypt.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If 'object' happened to be a tuple, we would get one of the following
errors:
TypeError: not enough arguments for format string
TypeError: not all arguments converted during string formatting
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is a change in cmocka to avoid hiding possible errors.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 07:53:54 UTC 2023 on atb-devel-224
This reduces the elapsed time to 6m from 20m on my laptop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224
The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
ERROR(<class 'TypeError'>): uncaught exception - replace() argument 1 must be
str, not bytes
File "bin/python/samba/netcmd/__init__.py", line 230, in _run
return self.run(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 966, in run
if b1.diff(b2):
^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 790, in diff
if object1 == object2:
^^^^^^^^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 557, in __eq__
return self.cmp_attrs(other)
^^^^^^^^^^^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 656, in cmp_attrs
p = [self.fix_domain_netbios(j) for j in m]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 656, in <listcomp>
p = [self.fix_domain_netbios(j) for j in m]
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "bin/python/samba/netcmd/ldapcmp.py", line 542, in fix_domain_netbios
res = res.replace(self.con.domain_netbios.lower(), self.con.domain_netbios.upper())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
BUGS: https://bugzilla.samba.org/show_bug.cgi?id=15330
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
When deferring the writing out to the DB of link replication to the very end, there
is a greater opportunity for the deletion of an object to have been sent with the
other objects, and have the link applied later.
This tells the repl_meta_data code to behave as if GET_TGT had been sent at the
time the link was returned, allowing a link to a deleted object to be silently
discarded.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
"samba-tool domain join" uses the replication API in a strange way, perhaps no longer
required, except that we often still have folks upgrading from very old Samba versions.
By deferring the writing out to the DB of link replication to the very end, we have a
better chance that all the objects required are present, however the situation may
have changed during the cycle, and a link could still be sent, pointing to a deleted
object.
We currently fail in this situation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15329
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Often, on rackspace GitLab CI runners, we get:
UNEXPECTED(failure): samba.unittests.tsocket_tstream.test_tstream_more_tcp_user_timeout_spin(none)
REASON: Exception: Exception: 0xf == 0xf
../../lib/tsocket/tests/test_tstream.c:405: error: Failure!
This allows us more spins before we fail the test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15328
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This change means that idmap_hash_id_to_sid() can return mappings
for new domains learned in idmap_hash_sid_to_id().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 10 11:35:06 UTC 2023 on atb-devel-224
If we are going to return ID_UNMAPPED later anyway, there's no need to
defer that decision by returning ID_REQUIRE_TYPE first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
It's always the first function that's called from idmap_methods.
This also demonstrates that we currently always return NT_STATUS_OK,
even if we haven't mapped all map entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
id_map_ptrs_init() is used in the callers in order to
set everything up as expected.
Other backends also just trust the caller.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
While sids_to_unixids returns ID_TYPE_BOTH mappings,
unixids_to_sids() returns the callers asked for, which
fills gencache with the non ID_TYPE_BOTH mappings.
As a result also the sids_to_unixids fast path via
gencache won't return ID_TYPE_BOTH mappings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
When we see a trusted domain SID for the first time,
idmap_autorid returns ID_REQUIRE_TYPE only for the first sid
and leaves the others with ID_TYPE_NOT_SPECIFIED.
It means the winbindd parent only retries the first sid.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15318
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Most idmap backends don't need access to the domain controllers.
And the related code is not needed for the backends.
Commit 17c86a2c5a changed
the logic of set_domain_online_request() completely!
Instead of triggering a dc probe in the background,
it is now doing a blocking connection.
And doing this in the idmap child is completely useless.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15317
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Functions like `add_lock_to_json` and `add_profile_item_to_json` pass
some values to `json_add_int` with `intmax_t` types. This may cause
arithmetic overflow when the value grows very fast, such as the
read_bytes profiling data.
Use `json_add_int` instead of `int` to avoid the overflow.
RN: Make json output show intmax_t value properly
Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 9 21:33:43 UTC 2023 on atb-devel-224
Show that `json_add_int` can't handle value larger than int32 due to
overflow.
Add knownfail.
Signed-off-by: Li Yuxuan <liyuxuan.darfux@bytedance.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Prefer mallinfo2() with 'size_t' fields over deprecated
mallinfo() (with 'int' fields which may wrap around zero
and so be inaccurate on a 64-bit system) and move relevant
checks to lib/util/wscript_configure because mallinfo()
is not used beyond 'samba-util'.
Suggested-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Return the first IPv4 and the first IPv6 address found for each DC.
This is slightly inelegant, but resolves an issue where IPv6-only
systems were unable to run "net ads join" against domain controllers
that have both A and AAAA records in DNS.
While this impacts performance due to the additional LDAP ping attempts,
in practice an attempt to connect to an IPv6 address on an IPv4-only
system (or vice versa) will fail immediately with
NT_STATUS_NETWORK_UNREACHABLE, and thus the performance impact should be
negligible.
The alternative approach, using an smb.conf setting to control whether
the logic prefers a single address of one family or the other ends up
being a bit awkward, as it pushes the problem onto admins and tools such
as "realm join" that want to dynamically synthesize an smb.conf on the
fly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15325
Signed-off-by: Nathaniel W. Turner <nturner@exagrid.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 9 19:12:15 UTC 2023 on atb-devel-224
It's unusual these days to pass output arguments in the _send
function, instead save the result in the _state struct
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
A case statement only references const strings, pointers in an array
need to be relocated at exec() time.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>