IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This lets us simulate a ticket of a user from another domain.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.
Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.
Add a Samba 4.17 compatibility test for a service with resource SID
compression support.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.
To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These aliases are deprecated and have been removed in Python 3.12.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We can now remove our existing decompression implementation in Python.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jan 10 21:18:01 UTC 2023 on sn-devel-184
There are four functions, allowing compression and decompression in
the two formats we support so far. The functions will accept bytes or
unicode strings which are treated as utf-8.
The LZ77+Huffman decompression algorithm requires an exact target
length to decompress, so this is mandatory.
The plain decompression algorithm does not need an exact length, but
you can provide one to help it know how much space to allocate. As
currently written, you can provide a short length and it will often
succeed in decompressing to a different shorter string.
These bindings are intended to make ad-hoc investigation easier, not
for production use. This is reflected in the guesses about output size
that plain_decompress() makes if you don't supply one -- either they
are stupidly wasteful or ridiculously insufficient, depending on
whether or not you were trying to decompress a 20MB string.
>>> a = '12345678'
>>> import compression
>>> b = compression.huffman_compress(a)
>>> b
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #....
>>> len(b)
262
>>> c = compression.huffman_decompress(b, len(a))
>>> c
b'12345678' # note, c is bytes, a is str
>>> a
'12345678'
>>> d = compression.plain_compress(a)
>>> d
b'\xff\xff\xff\x0012345678'
>>> compression.plain_decompress(d) # no size specified, guesses
b'12345678'
>>> compression.plain_decompress(d,5)
b'12345'
>>> compression.plain_decompress(d,0) # 0 for auto
b'12345678'
>>> compression.plain_decompress(d,1)
b'1'
>>> compression.plain_decompress(a,444)
Traceback (most recent call last):
compression.CompressionError: unable to decompress data into a buffer of 444 bytes.
>>> compression.plain_decompress(b,444)
b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 #...
That last one decompresses the Huffman compressed file with the plain
compressor; pretty much any string is valid for plain decompression.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
A bug cropped up in the rsop that was causing a
crash because this wasn't being tested.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
This test exercises the gp_file_applier and
ensures that when a policy is modified, no old
policy is left behind.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Currently applied files which are manually
removed do not get re-applied.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Dec 20 01:32:07 UTC 2022 on sn-devel-184
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This tests work out the difference between
- msDS-SupportedEncryptionTypes value or it's default
- software defined extra flags for DC accounts
- accounts with only an nt hash being stored
- the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
to indicate that additionally, AES session keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
A new file will shorlty fail as it is binary input
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
The with statement creates a new variable. I thought it opens a block
where "e" is only valid in that block. But instead it runs the whole
thing, expecting an exception somewhere. Learning python....
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
This happens when a path has an unknown reparse point in the middle
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Compression uses a 3 byte hash remember LZ77 matches in a 14-bit table.
This script runs the hash over all 16M combinations, then again over
all ASCII combinations, counting collisions to find hot-spots.
If you think you have a better hash, you are probably right, but you
should try it here -- alter h() -- before committing to it. This one is
literally the first one I thought of.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We are going to have all kinds of rubbish there.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This still all fails, but if you run them against Windows they work.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 22 19:25:34 UTC 2022 on sn-devel-184
This still all fails, but if you run them against Windows they work.
How to run:
PYTHONPATH=bin/python \
LOCAL_PATH=/tmp \
SMB1_SHARE=share \
SMB2_SHARE=share \
SHARENAME=share \
SERVER_IP=<server-ip> \
DOMAIN=<your-domain> \
USERNAME=Administrator \
PASSWORD=<your-password> \
SMB_CONF_PATH=/usr/local/samba/etc/smb.conf \
SERVERCONFFILE="$SMB_CONF_PATH" \
python3 -m samba.subunit.run samba.tests.reparsepoints
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
If you want to create symlinks on Windows using reparse points, you
need to authenticate as local administrator, just "administrator" is
not enough. So this is required to run some tests against Windows.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 21 22:05:01 UTC 2022 on sn-devel-184
The file format for storing the sudo rules
changed in samba-tool, but these can still be
added via the GPME. We should still include them
here.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The file format for storing the sudo rules
changed in samba-tool, but these can still be
added via the GPME. We should still include them
here.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 12 01:34:17 UTC 2022 on sn-devel-184
In which we make AS and TGS requests and verify the SIDs we expect are
returned in the PAC.
Example command to test against Windows Server 2019 functional level
2016 with FAST enabled:
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 DC_SERVER=ADDC.EXAMPLE.COM \
DOMAIN=EXAMPLE EXPECT_PAC=1 FAST_SUPPORT=1 KRB5_CONFIG=krb5.conf \
PYTHONPATH=bin/python REALM=EXAMPLE.COM SERVER=ADDC.EXAMPLE.COM \
SKIP_INVALID=1 SMB_CONF_PATH=smb.conf STRICT_CHECKING=1 \
TKT_SIG_SUPPORT=1 python3 python/samba/tests/krb5/group_tests.py
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov 8 03:37:37 UTC 2022 on sn-devel-184
We can now verify attributes of SIDs and the PAC locations in which SIDs
are placed. We also gain the ability to assert that no SIDs are present
in the PAC other than the ones we expect.
We lighten somewhat the requirement that no duplicates are present among
the SIDs, as such a situation may arise even with Windows, especially if
group types are changed. For example, if a Universal group containing a
user is changed to a Domain-Local group in between an AS-REQ and a
TGS-REQ, the group's SID will be added to the PAC once for each request.
We only verify that there are no exact duplicates (SID, attributes, and
PAC location all being identical).
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As well as passing in a single 'str', we can now choose to pass a
collection of member DN strings.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This will be useful for testing the handling of Domain-Local groups.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
It's not an encryption type bit, so we should ignore it here.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Heimdal commit c6a46f0c96dde73ef4f3a247a1e904d4cf15aeb2 introduces test data
that triggers our LTR and RTL detection code.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
samba/libsmb.py will become a common file to do the library
initialization for our tests. We already have two copies in
smb3unix.py and libsmb.py, and there might be more soon.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Startup scripts were failing to execute when no
parameters were provided to the script.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15212
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
later gnutls that support GNUTLS_PBKDF2 currently fail,
we need to conditionally switch test data to reflect use of
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
depending on whether GNUTLS_PBKDF2 is supported or not
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct 25 10:30:59 UTC 2022 on sn-devel-184
These escapes are meant for the regular expression engine
not the string parser.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
Windows 11 22H2 performs such requests, with year 9999.
The test fails with KDC_ERR_BAD_INTEGRITY on older
Heimdal versions, which are unable to verify a checksum
over the modified request body (due to a re-encoding failure).
REF: https://github.com/heimdal/heimdal/issues/1011
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This function returns a ccache containing a previously obtained ticket.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Previously we would ignore 'client_opts' and always use the same user
and machine accounts for TGS-REQs. Use 'client_opts' and add a new
'armor_opts' parameter for specifying options of the armoring account.
Furthermore, our test-specific ticket caching is no longer of use, for
get_tgt() and get_service_ticket() now implement ticket caching. Remove
it and eliminate the possibility of mistakenly using stale tickets.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
None of these functions can return False now. Instead we must catch the
LdbError if we want to perform further error handling.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Python's tarfile module is not very careful about paths that step out
of the target directory. We can be a bit better at little cost.
This was reported in 2007[1], and has recently been publicised [2, for
example].
We were informed of this bug in December 2021 by Luis Alberto López
Alvar, but decided then that there were no circumstances under which
this was a security concern. That is, if you can alter the backup
files, you can already do worse things. But there is a case to guard
against an administrator being tricked into trying to restore a file
that isn't based on a real backup.
[1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559
[2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 4 03:48:43 UTC 2022 on sn-devel-184
In order not to pass credentials in clear-text directly over command line, this is a patch to store username/password/domain in a file and use it during domain join for example.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15031
Signed-off-by: Nikola Radovanovic <radovanovic.extern@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Added one more unit test to the delete subcommand. This test adds
two ACEs, deletes one of them and checks if the right one was deleted
and the other one stayed the same.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 27 17:46:22 UTC 2022 on sn-devel-184
Added two unit tests for the python functions to compare ACEs and to
export an ACE as SDDL.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Two unit tests for the new samba-tool dsacl delete command have been added.
Signed-off-by: Christian Merten <christian@merten.dev>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Overwriting the other file was harmless but misleading.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Based on tests originally written by Stefan Metzmacher <metze@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Sep 9 01:11:05 UTC 2022 on sn-devel-184
This is an example/test to show how runsublevelcmd() converts into
runcmd() whilst ensuring it works.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We have had three different functions for resolving samba-tool commands,
depending on whether they are nested 1, 2, or n deep (where n could also
be 1 or 2). This API evolved around a separation of sub-command names and
options, so that the Command that was eventually found could be given the
right outf and errf.
Now we can just use the same outf and errf for all levels, and we can not
care about this distinction.
All these functions are now synonyms, and we keep them all for now for
backward-compatibility.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In this case we are skipping _resolve().
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Not TypeError, which is supposed to be about Python data types. This
way we get to check/see an errno and strerror, and will allow us to
set the filename which will be useful for some errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We want `samba-tool ntacl sysvolreset` and `samba-tool ntacl
sysvolcheck` to fail when the Policies folder is not in place, but not
to produce an inscrutable stacktrace.
https://bugzilla.samba.org/show_bug.cgi?id=14937
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
By convention, 'tty' is a common alias for 'auto', 'always' and
'force' mean 'yes', and 'never' means no. It seems 'never; and
'always' are more common than 'yes' and 'no'.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
As described at https://no-color.org/, the NO_COLOR environment
variable is a widely used defacto-ish standard for asking for no
colour. If someone goes
NO_COLOR=whatever samba-tool ...
we want to assume they want no ANSI colour codes, as if they had used
--color=no. But first we want to test that, so here we are.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
These were the only tests in __init__.py.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
In several places we end a test by deleting a number of files and
directories, but we do it rather haphazardly with unintentionally
differing error handling. For example, in some tests we currently have
something like:
try:
shutil.rmtree(os.path.join(self.tempdir, "a"))
os.remove(os.path.join(self.tempdir, "b"))
shutil.rmtree(os.path.join(self.tempdir, "c"))
except Exception:
pass
where if, for example, the removal of "b" fails, the removal of "c" will
not be attempted. That will result in the tearDown method raising an
exception, and we're no better off. If the above code is replaced with
self.rm_files('b')
self.rm_dirs('a', 'c')
the failure to remove 'b' will cause a test error, *unless* the failure
was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT),
in which case we ignore it, as was probably the original intention.
If on the other hand, we have
self.rm_files('b', must_exist=True)
self.rm_dirs('a', 'c')
then the FileNotFoundError causes a failure (not an error).
We take a little bit of care to stay within self.tempdir, to protect
test authors who accidentally write something like `self.rm_dirs('/')`.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
This is an extension of the create() function allowing smb2 create
contexts to be passed back and forth and also returning the
smb_create_returns. A new function seemed necessary for me because we
need to return not just the fnum. So I chose a 3-tuple, see the test
for an example how to use this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Make sure we do and don't announce posix depending on "smb3 unix
extensions" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
sid_strings.py used the same OID range as ldap_schema.py, which
occasionally led to test failures when the same OID was generated twice.
Using a different range, and making use of the expected RID if we have
it, should reduce the likelihood of collisions.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Aug 25 13:55:47 UTC 2022 on sn-devel-184
Test that the value is properly validated, and that it can be set
regardless of rights on the account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
We should not be able to use krb@REALM instead of krbtgt@REALM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
This allows us to make use of it in other tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
The environment variable is a string, but we expect an integer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
since 4cc4938a28 do_list seems
to deal with non dfs root path, hence we need to resolve the
path before calling cli_unlink.
Also remove the knownfail
We additionally have to also remove the fallback to remove 'file3'
int the smbcacls_dfs_propagate_inherit.teardown as the deltree
that happens in the baseclass now succeeds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15100
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 17 17:12:07 UTC 2022 on sn-devel-184
There is one knownfail, where it seems an smb.conf like
log file = foo
log level = 2 tdb:2@baa ldb:3
will send the ldb logs to 'baa' instead of 'foo' (i.e., the last
opened log file, rather than the default log file).
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The 'log level' line in smb.conf allows messages from different log
classes to be sent to different places, but we have not tested that
this works. Now we do, somewhat.
The test involves running a special binary based on a stripped down
source4/samba/server.c that just starts up, parses the command line
and a given smb.conf, then logs messages from multiple classes and
exits.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Windows only requires SEC_ADS_CONTROL_ACCESS for the check to pass.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184
This ensures that when an enum value is expected, a magic constant won't
be supplied instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 14 08:18:06 UTC 2022 on sn-devel-184
Tree-wide spellcheck for some common misspellings.
source3/utils/status.c has misspelled local variable (unkown_dialect).
"missmatch" is a known historical misspelling, only the incorrect
misspellings are fixed.
source3/locale/net/de.po has the spelling error (unkown) in two msgids -
it probably should be updated with current source.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
The smbconf library defines an enum of error codes that can be returned
from the C calls. The error codes were getting stored in the python
SMBConfError type but it was not easy to access or obvious what the
integer code represented.
This change makes it easier to get the returned error code: via a
`error_code` attribute on the exception value. It also exposes the
integer constants to the module. Simple tests for a few of the more
obvious error codes check that this new error handling correctly
exposes the error code values.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Jun 8 13:13:10 UTC 2022 on sn-devel-184
The current test uses the dig tool from bind9 but this tool has been
rewritten in 9.17.7 to use bind's netmgr functions instead of isc_socket
(commit 94b7988efb0f9b96415dd2966e6070450d960263).
The problem is that these 'netmgr' functions use libuv internally, and, on
systems supporting it, they end up using the sendmmsg() syscall which is not
catched by socket wrapper so the test fails.
This commit converts the test to python and uses the dnspython module
instead of the dig tool. Backtraces follow as reference.
Backtrace from dig v9.16.28 (working):
#0 0x00007ffff778edee in sendmsg () from /lib64/libc.so.6
#1 0x00000000005e5dee in cmsgsend (s=s@entry=12, level=level@entry=0, type=type@entry=1, res=<optimized out>) at net.c:515
#2 0x00000000005e616c in try_dscp_v4 () at net.c:623
#3 try_dscp () at net.c:696
#4 0x00007ffff7708ad7 in __pthread_once_slow () from /lib64/libc.so.6
#5 0x00000000005e66d7 in initialize_dscp () at net.c:702
#6 isc_net_probedscp () at net.c:707
#7 0x00000000005e8460 in socket_create (manager=0x6b49c0, pf=2, type=<optimized out>, socketp=0x7ffff0012b00, dup_socket=0x0) at socket.c:2454
#8 0x000000000043cfcd in send_udp (query=0x7ffff00129a8) at dighost.c:2897
#9 0x000000000043f9c7 in onrun_callback (task=<optimized out>, event=<optimized out>) at dighost.c:4271
#10 0x00000000005dfefe in task_run (task=0x6b5c70) at task.c:851
#11 isc_task_run (task=0x6b5c70) at task.c:944
#12 0x00000000005ca0ce in isc__nm_async_task (worker=0x6b8970, ev0=0x716250) at netmgr.c:873
#13 process_netievent (worker=worker@entry=0x6b8970, ievent=0x716250) at netmgr.c:952
#14 0x00000000005ca2ba in process_queue (worker=worker@entry=0x6b8970, type=type@entry=NETIEVENT_TASK) at netmgr.c:1021
#15 0x00000000005caa43 in process_all_queues (worker=0x6b8970) at netmgr.c:792
#16 async_cb (handle=0x6b8cd0) at netmgr.c:821
#17 0x00007ffff7898a4d in ?? () from /lib64/libuv.so.1
#18 0x00007ffff78b4217 in ?? () from /lib64/libuv.so.1
#19 0x00007ffff789e40a in uv_run () from /lib64/libuv.so.1
#20 0x00000000005ca31e in nm_thread (worker0=0x6b8970) at netmgr.c:727
#21 0x00000000005e2315 in isc__trampoline_run (arg=0x6b7c40) at trampoline.c:198
#22 0x00007ffff7703767 in start_thread () from /lib64/libc.so.6
#23 0x00007ffff778dc10 in clone3 () from /lib64/libc.so.6
Backtrace from dig v9.17.7 (not working):
#0 0x00007ffff7684480 in syscall () from /lib64/libc.so.6
#1 0x00007ffff754aed0 in uv__sendmmsg (vlen=0, mmsg=0x0, fd=10) at src/unix/linux-syscalls.c:163
#2 uv__udp_mmsg_init () at src/unix/udp.c:74
#3 0x00007ffff7606ad7 in __pthread_once_slow () from /lib64/libc.so.6
#4 0x00007ffff7541bd9 in uv_once (guard=<optimized out>, callback=<optimized out>) at src/unix/thread.c:440
#5 0x00007ffff7539e9b in uv__udp_sendmsg (handle=0x7ffff50535b8) at src/unix/udp.c:415
#6 uv__udp_send (send_cb=0x7ffff7a41db0 <udp_send_cb>, addrlen=<optimized out>, addr=<optimized out>, nbufs=1, bufs=0x7ffff506c720, handle=0x7ffff50535b8, req=0x7ffff506c878) at src/unix/udp.c:773
#7 uv_udp_send (req=req@entry=0x7ffff506c878, handle=handle@entry=0x7ffff50535b8, bufs=bufs@entry=0x7ffff506c720, nbufs=nbufs@entry=1, addr=<optimized out>, send_cb=send_cb@entry=0x7ffff7a41db0 <udp_send_cb>) at src/uv-common.c:464
#8 0x00007ffff7a42308 in udp_send_direct (peer=0x7ffff5dfa988, req=0x7ffff506c700, sock=0x7ffff5053000) at netmgr/udp.c:839
#9 isc__nm_async_udpsend (worker=<optimized out>, ev0=0x7ffff5dfa950) at netmgr/udp.c:780
#10 0x00007ffff7a47de7 in isc__nm_udp_send (handle=<optimized out>, region=0x7ffff5dfaa90, cb=0x555555566250 <send_done>, cbarg=<optimized out>) at netmgr/udp.c:749
#11 0x0000555555562ac2 in send_udp (query=0x7ffff502a000) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2899
#12 udp_ready (handle=0x7ffff5026180, eresult=ISC_R_SUCCESS, arg=<optimized out>) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2974
#13 0x00007ffff7a37d34 in isc__nm_async_connectcb (worker=worker@entry=0x7ffff622f000, ev0=ev0@entry=0x7ffff5026480) at netmgr/netmgr.c:2704
#14 0x00007ffff7a3ca20 in process_netievent (worker=worker@entry=0x7ffff622f000, ievent=0x7ffff5026480) at netmgr/netmgr.c:940
#15 0x00007ffff7a3d027 in process_queue (worker=worker@entry=0x7ffff622f000, type=type@entry=NETIEVENT_NORMAL) at netmgr/netmgr.c:977
#16 0x00007ffff7a3d203 in process_all_queues (worker=0x7ffff622f000) at netmgr/netmgr.c:733
#17 async_cb (handle=0x7ffff622f360) at netmgr/netmgr.c:762
#18 0x00007ffff7531a4d in uv__async_io (loop=0x7ffff622f010, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163
#19 0x00007ffff754d217 in uv__io_poll (loop=0x7ffff622f010, timeout=<optimized out>) at src/unix/epoll.c:374
#20 0x00007ffff753740a in uv__io_poll (timeout=<optimized out>, loop=0x7ffff622f010) at src/unix/udp.c:122
#21 uv_run (loop=loop@entry=0x7ffff622f010, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:391
#22 0x00007ffff7a3d624 in nm_thread (worker0=0x7ffff622f000) at netmgr/netmgr.c:664
#23 0x00007ffff7a6c915 in isc__trampoline_run (arg=0x555555599210) at /usr/src/debug/bind-9.18.2-1.1.x86_64/lib/isc/trampoline.c:187
#24 0x00007ffff7601767 in start_thread () from /lib64/libc.so.6
#25 0x00007ffff768bc10 in clone3 () from /lib64/libc.so.6
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Jun 4 00:27:29 UTC 2022 on sn-devel-184
Moves the Group Policy extensions and supporting
code within the existing python/samba/gp directory.
Meant to clean up the clutter that's accumulating
in python/samba.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue May 31 20:15:45 UTC 2022 on sn-devel-184
Certificate Auto Enrollment currently depends on
sscep to retrieve the root certificate chain.
This isn't necessary, since this can be
accomplished with a simple GET.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
The user account should not exist if account creation failed.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ensure that we do not end up with half-created accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ensure that the commands to create and delete the user execute
successfully.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Adding accounts over LDAP means transactions cannot be used, potentially
leading to problems.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The randomly-generated password for the user account may be too weak,
causing account creation to fail. This leads to further problems, as the
result of the command is not checked, and connecting over LDAP means
transactions cannot be used, leading to a half-created account and
failing tests.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The smbconf API supports transactions. This changes adds wrapper
functions transaction_start, transaction_commit, and transaction_cancel.
It also adds tests for the functions, one of which demonstrates a
semi-pythonic way to use said functions.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri May 6 18:14:30 UTC 2022 on sn-devel-184
Add a delete_global_parameter method wrapping smbconf_delete_global_parameter.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a delete_parameter method wrapping smbconf_delete_parameter.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add the create_set_share method wrapping smbconf_create_set_share.
This method is one of the most complex as it must "unpack" the list
of key-value pairs from python and convert that to a `struct
smbconf_service` for the smbconfig C API.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a delete_share method wrapping smbconf_delete_share.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a set_global_parameter method wrapping smbconf_set_global_parameter.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a set_parameter method wrapping smbconf_set_parameter.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a drop method wrapping smbconf_drop.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Add a create_share method wrapping smbconf_create_share.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
A previous change added smbconf initialization functions that allow
access to the registry back-end. Add some simple tests cases that
exercise these new functions.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Adds advanced configuration to the testing of
certificate auto enrollment. Currently fails.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add an initial suite of tests for the smbconf python bindings.
Currently only simple read-only methods are available.
Signed-off-by: John Mulligan <jmulligan@redhat.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
Reviewed-by: David Mulder <dmulder@suse.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 21 15:33:38 UTC 2022 on sn-devel-184
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Those will be needed earlier in the next commit.
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This test also verifies the KRB5CCNAME environment variable is set after
a successful PAM authentication with Kerberos.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Certificate Auto Enrollment uses Kerberos to
authenticate to AD. If someone configures their
cepces.conf to use a different default
authentication, then samba-gpupdate fails. Force
Kerberos auth from samba-gpupdate.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
This ports the enhanced logging capabilities from
AltLinux gpupdate. It generates log messages such
as:
2022-03-02 11:28:54.872|[E40104]| Failed to set interfaces for zone | {'val': 'work'}
2022-03-02 11:28:55.017|[E40104]| Failed to set interfaces for zone | {'val': 'home'}
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 24 23:40:47 UTC 2022 on sn-devel-184
This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This prevents problems if accounts are added as children of other
accounts.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This code can be made part of the previous 'else' branch.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184
Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This allows a knownfail entry to be written for this test.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This fixes a lot of tests with Python 3.8. Stacktrace example:
File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
self._run_as_req_enc_timestamp(
File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
as_rep, kdc_exchange_dict = self._test_as_exchange(
File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
rep = self._generic_kdc_exchange(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
self.check_reply_padata(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
TypeError: 'NoneType' object is not iterable
This adds additional checks for rep_padata.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
This also addresses CVE-2020-17049.
MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It
will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
enough distributions have been released with MIT Kerberos 1.20.
Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This test currently fails, as re-adding an SPN means that later checks
do not run.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.
This is fixed now and we no longer expect ndrdump to exit with 1.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
The cleanup using dump_data_block16() fixed the space handling.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
Heimdal matches Windows in this respect
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
With NO_SUCH_USER we don't know if any pre-authentication was requested,
so with the new Heimdal code we now used use "AS-REQ" instead of
assuming ENC-TS Pre-authentication.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This helps to avoid problems with account creation due to UPN uniqueness
constraints.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 7 08:32:42 UTC 2021 on sn-devel-184
Heimdal does not check FAST options when no preauth data is supplied, so
the original test could not pass against Heimdal.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This flag should be ignored and the FAST armor key used instead.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is not necessary for testing FAST, and was causing some of the
tests to fail.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is currently not checked in several places due to STRICT_CHECKING
being set to 0.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to ensure that the correct name makes it through to the
PAC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
