IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Windows, unlike Samba, requires the service principal name to be set
when requesting a ticket to that service.
Additionally, default_realm from the libdefaults section of krb5.conf
should be set so that the correct realm is used.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through SMB.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through RPC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service using the normal
credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This
will allow us to validate the output of the MIT/Heimdal libraries in the
future.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is a FILE: format credentials cache readable by the MIT/Heimdal
Kerberos libraries. This allows us to glue the Python ASN1 Kerberos
system to the MIT/Heimdal one.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is the format used by the FILE: credentials cache type.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This essentially reverts commit
b84c0a9ed6, but the datapath is now in the
source4 directory.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Now we catch errors for unknown sections or parameters and turn them
into CommandErrors.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pass the correct parameters into LoadparmService.dump() so that
--section-name works properly.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14143
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is important, since having the incorrect
name will prevent policies from removing
correctly on an unapply, or when the policy
is deleted from AD.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Apr 29 22:27:20 UTC 2021 on sn-devel-184
We should use long options in tests to make clear what we are trying to
do.
Also the -s short option will be removed for --configfile later.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This made '//' and '/' in Python 2 behave as in Python 3.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This made Python 2's print behave like Python 3's print().
In some cases, where we had:
from __future__ import print_function
"""Intended module documentation..."""
this will have the side effect of making the intended module documentation
work as the actual module documentation (i.e. becoming __doc__), because
it is once again the first statement in the module.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Otherwise for example contacts wouldn't be listed when the
--hide-expired option is used. Contacts typically do not have the
accountExpires attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14692
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Rowland penny <rpenny@samba.org>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Mon Apr 26 13:21:43 UTC 2021 on sn-devel-184
The s4 member join code has been broken for some
time. Modify samba-tool to instead use the
working s3 member join code.
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Wed Apr 21 21:40:13 UTC 2021 on sn-devel-184
This adds a subcommand for altering zone parameters.
At the moment the only options are related to record aging (a.k.a
scavenging). The code is structured to make it easy to add more
integer or boolean options, but it is not clear that this would be
useful; many other parameters are not used or would only have
deleterious effects.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr 21 10:04:14 UTC 2021 on sn-devel-184
We have to look at all available mappings for parsing sddl for each
special flag set. "GW" and "FX" come from two different tables, but
the previous code settled on one table and then expected both "GW" and
"FX" to come from that same table. Change the code to look at all
tables per special flag set.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Apr 21 00:04:36 UTC 2021 on sn-devel-184
Reopening the existing config file fails because
we fail to open to write bytes.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
This kind of test is better hosted in python than in C. More lines,
but the ones in source4/libcli/security/tests/sddl.c were preeetty
long...
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Tests should not create files in the build nor the source directory!
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Tests of [MS-KILE]: Kerberos Protocol Extensions
section 3.3.5.6.1 Client Principal Lookup
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Apr 8 23:03:52 UTC 2021 on sn-devel-184
not netcmd.dns.data_to_dns_record, which is a UI function.
The only practical difference is it will raise DNSParseError, not CommandError.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Not through samba-tool, which should not be used as a library.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
The logic to parse DNS value strings (e.g. "example.com 10" for an MX,
which needs to be split on the space) is repeated at least in
samba-tool dns and tests/dcerpc/dnsserver.py. Here we bring it
together so we can do it once.
The sep= keyword allows callers to separate on all runs of
whitespace (the default, as samba-tool dns does) or, using sep='', to
separate on true spaces only.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
We used to do something wrong with the refcounts, but we don't anymore,
so we don't need this confusing nonsense.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
The replaced comment was about a long fixed Python reference counting bug.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Everything else is TXTRecord, SRVRrcord, SOARecord.
Making CNAME the same allows easier lookups.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The current length of 128-255 UTF-16 characters currently causes
generation of crypt() passwords to typically fail. This commit
decreases the length to 120 UTF-16 characters, which is the same as
that used by Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
with improved diagnostics on bad arguments
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
These give a more detailed message than assertTrue(x in y).
They were new in Python 3.1, so we avoided them until recently.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
We are always setting zone to the same thing which we already know,
and we can reduce cognative stress by mentioning it less and not doing
that weird pop thing.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
GNUstep as an mdfind binary, and both should be co-instalable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14431
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Mar 29 16:18:54 UTC 2021 on sn-devel-184
We had the test in the Samba Python segfault suite because
a) the signal catching infrastructure was there, and
b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
assert the failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
When opening the backed-up SamDB database, open the top-level database
without loading any modules so the backend database files aren't
unnecessarily opened. The domain SID is now fetched from the original
database rather than from the backup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
The LMDB change "ITS#9278 fix robust mutex cleanup for FreeBSD" released
in version 0.9.26 makes samba-tool domain backup offline to fail with
the following error:
Failed to connect to 'mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb' with backend 'mdb': Unable to load ltdb cache records for backend 'ldb_mdb backend'
module samba_dsdb initialization failed : Operations error
Unable to load modules for /tmp/foo/private/sam.ldb.bak-offline: Unable to load ltdb cache records for backend 'ldb_mdb backend'
ERROR(ldb): uncaught exception - Unable to load ltdb cache records for backend 'ldb_mdb backend'
File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 1147, in run
session_info=system_session(), lp=lp)
File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 72, in __init__
options=options)
File "/usr/local/samba/lib64/python3.6/site-packages/samba/__init__.py", line 114, in __init__
self.connect(url, flags, options)
File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 87, in connect
options=options)
The error occurs opening the backed ldb to write the backup date and the
next SID, a call to pthread_mutex_lock in mdb_txn_renew0 (frame 8) returns
EINVAL:
#0 0x00007ff63c2f1bea in wait4 () from /lib64/libc.so.6
#1 0x00007ff63c26f3a3 in do_system () from /lib64/libc.so.6
#2 0x00007ff63bc71e94 in smb_panic_default (why=0x7ffed481b7d0 "Signal 6: Aborted") at ../../lib/util/fault.c:153
#3 0x00007ff63bc72168 in smb_panic (why=0x7ffed481b7d0 "Signal 6: Aborted") at ../../lib/util/fault.c:200
#4 0x00007ff63bc71c82 in fault_report (sig=6) at ../../lib/util/fault.c:81
#5 0x00007ff63bc71c97 in sig_fault (sig=6) at ../../lib/util/fault.c:92
#6 <signal handler called>
#7 0x00007ff63c2178b5 in raise () from /lib64/libpthread.so.0
#8 0x00007ff637602e65 in mdb_txn_renew0 (txn=txn@entry=0x55d6f97fb800) at mdb.c:2710
#9 0x00007ff637603ae8 in mdb_txn_begin (env=0x55d6f85dfa80, parent=0x0, flags=131072, ret=0x55d6f89c0928)
at mdb.c:2912
#10 0x00007ff6376236cc in lmdb_lock_read (module=0x55d6f8c5f4b0) at ../../lib/ldb/ldb_mdb/ldb_mdb.c:585
#11 0x00007ff637641de6 in ldb_kv_cache_load (module=0x55d6f8c5f4b0) at ../../lib/ldb/ldb_key_value/ldb_kv_cache.c:450
#12 0x00007ff637638792 in ldb_kv_init_store (ldb_kv=0x55d6f8af2a80, name=0x7ff637625675 "ldb_mdb backend",
ldb=0x55d6f8cd22b0, options=0x0, _module=0x7ffed481c248) at ../../lib/ldb/ldb_key_value/ldb_kv.c:2166
#13 0x00007ff6376247ba in lmdb_connect (ldb=0x55d6f8cd22b0,
url=0x55d6f85d41f0 "mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb", flags=64,
options=0x0, _module=0x7ffed481c248) at ../../lib/ldb/ldb_mdb/ldb_mdb.c:1143
#14 0x00007ff63bd94d2f in ldb_module_connect_backend (ldb=0x55d6f8cd22b0,
url=0x55d6f85d41f0 "mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb",
options=0x0, backend_module=0x7ffed481c248) at ../../lib/ldb/common/ldb_modules.c:221
#15 0x00007ff6375a4baf in new_partition_from_dn (ldb=0x55d6f8cd22b0, data=0x55d6f858bed0, mem_ctx=0x55d6f8a03cd0,
dn=0x55d6f9865450, filename=0x55d6f860b6da "sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb",
backend_db_store=0x55d6f9d378e0 "mdb", partition=0x7ffed481c308)
at ../../source4/dsdb/samdb/ldb_modules/partition_init.c:257
#16 0x00007ff6375a57b9 in partition_reload_if_required (module=0x55d6f8972d10, data=0x55d6f858bed0, parent=0x0)
at ../../source4/dsdb/samdb/ldb_modules/partition_init.c:513
#17 0x00007ff6375a3b04 in partition_read_lock (module=0x55d6f8972d10)
at ../../source4/dsdb/samdb/ldb_modules/partition.c:1492
#18 0x00007ff63bd9631e in ldb_next_read_lock (module=0x55d6f8972d10) at ../../lib/ldb/common/ldb_modules.c:662
#19 0x00007ff637484857 in schema_read_lock (module=0x55d6f9377e40)
at ../../source4/dsdb/samdb/ldb_modules/schema_load.c:614
#20 0x00007ff63bd9631e in ldb_next_read_lock (module=0x55d6f9377e40) at ../../lib/ldb/common/ldb_modules.c:662
#21 0x00007ff6374b5402 in samba_dsdb_init (module=0x55d6f91c3cd0)
at ../../source4/dsdb/samdb/ldb_modules/samba_dsdb.c:483
#22 0x00007ff63bd95283 in ldb_module_init_chain (ldb=0x55d6f8cd22b0, module=0x55d6f91c3cd0)
at ../../lib/ldb/common/ldb_modules.c:363
#23 0x00007ff63bd95645 in ldb_load_modules (ldb=0x55d6f8cd22b0, options=0x0)
at ../../lib/ldb/common/ldb_modules.c:445
#24 0x00007ff63bd90663 in ldb_connect (ldb=0x55d6f8cd22b0,
url=0x7ff6377d98f8 "/tmp/foo/private/sam.ldb.bak-offline", flags=64, options=0x0)
at ../../lib/ldb/common/ldb.c:274
#25 0x00007ff63bddb32f in py_ldb_connect (self=0x7ff63778afc0, args=(), Python Exception <class 'gdb.error'> There is no member named ma_keys.:
kwargs=) at ../../lib/ldb/pyldb.c:1235
Deleting the previous samdb instance by setting it to None before opening the
backed ldb workaround the problem until we find the real problem here.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 24 00:46:31 UTC 2021 on sn-devel-184
If backup dirs contain hardlinks, the backup process could previously
attempt to open an LMDB database already opened during the backup,
causing it to be recreated as a new TDB database. This commit ensures
that new database files are not created during this operation, and that
the main SamDB database is not modified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
The old behaviour attempted to check for and remove files with duplicate
names, but did not do so due to a bug, and would have left undetermined
which files were given priority when duplicate filenames were present.
Now when hardlinks are present, only one instance of each file is
chosen, with files in the private directory having priority. If one
backup dir is nested inside another, the files contained in the nested
directory are only added once. Additionally, the BIND DNS database is
omitted from the backup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
This test verifies that when performing an offline backup of a domain
where one of the directories to be backed up is nested inside another,
the contained files are only included once in the backup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
This test verifies that when performing an offline backup of a domain
where the directories to be backed up contain hardlinks, only one
instance of each file is backed up, and that files in the private
directory take precedence.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14027
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 18 20:02:50 UTC 2021 on sn-devel-184
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 17 18:23:04 UTC 2021 on sn-devel-184
Sometimes people assume `samba-tool domain tombstones expunge` will
expunge tombstones, but in the general case it won't because it only
affects those that have reached the tombstone lifetime, but these are
likely to have already been deleted by the regularly scheduled task.
You need to set the tombstone lifetime to have much effect.
This patch doesn't change the behaviour, but it does warn the user
that they are probably doing nothing of significance.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
This won't have worked for some time, but nobody has complained,
because nobody uses DS_NTDSSETTINGS_OPT_IS_RAND_BH_SELECTION_DISABLED
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
The only caller is source4/param/provision.c, which doesn't supply these arguments,
and they aren't used inside the function.
This makes it just slightly less overwhelming
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: David Mulder <dmulder@suse.com>
Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar 11 21:41:04 UTC 2021 on sn-devel-184
If we don't anticipate a missing principal name,
samba-tool crashes. Also, principal names could
be in dispersed listelements.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Björn Baumbach <bb@sernet.de>
dsdb._dsdb_garbage_collect_tombstones isn't
built without the addc, so ignore calls to it
in samdb.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Mar 8 20:57:50 UTC 2021 on sn-devel-184
If we don't anticipate a missing principal name,
the extension crashes. Also, principal names could
be in dispersed listelements.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
We should create the /etc/ssh/sshd_config.d dir
if it doesn't exist.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Use the CSE name based on the class name, not the
module name. Also ignore the Local Policy gpo.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Running samba-gpupdate on a client is causing an
error in gp_access_ext, due to it attempting to
access sam.ldb before detecting whether we are on
an ad-dc.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is useful to convert various time values to other formats.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
These are useful to convert various time values to other formats.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We'll extent GetPasswordCommand.get_password_attributes() to handle
more virtual formats in future. It'll be much easier to
to maintain a list of attributes we need to filter out again.
sAMAccountName and userPrincipalName are always implicitly
requested in order to keep the existing code sane.
supplementalCredentials and unicodePwd are requested by default
when generating virtual password attributes.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The float value is what the native python time.time()
returns, it's basically a struct timespec converted to
double/float.
Pair-Programmed-With: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Required, when running get_account_attributes() against a remote samdb.
avoid:
ERROR(<class 'AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'get'
File "bin/python/samba/netcmd/__init__.py", line 186, in _run
return self.run(*args, **kwargs)
File "bin/python/samba/netcmd/user.py", line 2769, in run
obj = self.get_account_attributes(samdb, username,
File "bin/python/samba/netcmd/user.py", line 1250, in get_account_attributes
realm = self.lp.get("realm")
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Feb 24 22:01:08 UTC 2021 on sn-devel-184
We know that test_net_replicate_init__3() segfaults. It is a knownfail
and we don't need to see the gdb backtrace every time.
This saves nearly two minutes on `make test TESTS=segfault`.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@suse.com>
Replace it with the VGP command for removing
sudoers entries from an xml file.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Feb 14 00:53:41 UTC 2021 on sn-devel-184
Replace it with the VGP command for adding
sudoers entries in an xml file.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Replace it with the VGP command for listing
sudoers entries in an xml file.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
The rsop should only list the policies from
that extension, not from all policies in the
same file.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 11 18:28:09 UTC 2021 on sn-devel-184
Failing to remove the empty section causes tests
to fail, and is also just bad practice.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Ensure that empty sections are removed when
calling samba-tool gpo manage security set.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14624
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb 10 15:06:49 UTC 2021 on sn-devel-184
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Feb 9 21:24:14 UTC 2021 on sn-devel-184
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Feb 8 23:36:57 UTC 2021 on sn-devel-184
These reports (about recently deleted objects)
create concern about a perfectly normal part of DB operation.
We must not operate on objects that are expired or we might reanimate them,
but we must fix "Deleted Objects" if it is wrong (mostly it is set as being
deleted in 9999, but in alpha19 we got this wrong).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14593
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Feb 3 05:29:11 UTC 2021 on sn-devel-184
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jan 27 07:32:03 UTC 2021 on sn-devel-184
This adds a Group Policy extension which applies
symlink policies set by Vintela Group Policy in the
SYSVOL.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
--hide-expired Do not list expired group members
--hide-disabled Do not list disabled group members
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Fri Jan 15 16:34:11 UTC 2021 on sn-devel-184
--hide-expired Do not list expired user accounts
--hide-disabled Do not list disabled user accounts
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>
Fix all the PEP8 warnings in samba/tests/krb5. With the exception of
rfc4120_pyasn1.py, which is generated from rfc4120.asn1.
As these tests are new, it makes sense to ensure that they conform to
PEP8. And set an aspirational goal for the rest of our python code.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184
This adds a Group Policy extension which applies
Sudo rights set by Vintela Group Policy in the
SYSVOL.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 19 08:11:50 UTC 2020 on sn-devel-184
This adds an extension parser for parsing xml
files in the sysvol.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
The easiest way to run this against Windows was to use a domain
controller and configure an enforce group policy and grant the
"Bypass Traverse Checking" only to the "BUILTIN\Administrators" group.
(Note that "LOCAL SERVICE" and "NETWORK SERVICE" are always added in
the local security policy.
The test runs like this:
SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.188 \
TARGET_HOSTNAME=w2012r2-188.w2012r2-l6.base \
USERNAME=administrator \
PASSWORD=A1b2C3d4 \
NOTIFY_SHARE=torture \
USERNAME_UNPRIV=ldaptestuser \
PASSWORD_UNPRIV=a1B2c3D4 \
python/samba/tests/smb-notify.py -v -f SMBNotifyTests
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Now that self.smb_conn.get_acl() has sane default values for secinfo and
access_mask we can remove any additional logic in SMBHelper.
The resulting values are the same.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
SEC_FLAG_MAXIMUM_ALLOWED will never result in SEC_FLAG_SYSTEM_SECURITY
being granted. As SECINFO_SACL is part of the default secinfo value
(SECINFO_DEFAULT_FLAGS), {g,s}et_acl() will always return
NT_STATUS_ACCESS_DENIED by default.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
We want to get the default behavior.
It's also pointless to set PROTECTED and UNPROTECTED at the same time.
These are defined in MS-DTYP 2.4.7 SECURITY_INFORMATION with a brief
description, but they aren't referenced in anywhere in MS-DTYP itself,
nor in MS-FSA are any other document.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Add a base class for the KDC tests to reduce the amount of code
duplication in the tests.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add constants for the Authorization Data Type values.
RFC 4120 7.5.4. Authorization Data Types
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We had too many things called 'attrs'; now we have just one, but we
don't want it to look like it is *the* one.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
The construct `'name' in map(str.lower, attrs)` is doubly inefficient,
because not only is it running the lower() function too often, it is
searching linearly in a temporary iterator for membership.
So we make a set, and use that.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Yes, it looks inefficient, but that's because it is just trying to fit
in. Very soon we will fix it it properly.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Dec 9 17:04:23 UTC 2020 on sn-devel-184
This was introduced in db15993401
but not actually referenced then or since.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
dump_attr_values already turns it into a comma separated list.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
The only caller of this was `samba-tool domain demote` which stopped
using it in 2015 with commit f121173cbf.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Other tools use identical functions, and they too can use common.py
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14575
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Nov 26 21:15:40 UTC 2020 on sn-devel-184
This fix makes sure the password is removed from the proctitle
of samba-tool so it cannot be exposed by e.g. ps(1).
- Moved code to python/samba/getopt.py as suggested by David Mulder
- Except ModuleNotFoundError when trying to load setproctitle module
- Improved code to keep option separator (space or equal sign) while
removing password from proctitle.
Signed-off-by: Heiko Baumann <heibau@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
Otherwise the administrator might only find there is a problem once they
attempt to restore the domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14575
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
They do nothing except confuse users.
Signed-off-by: Rowland Penny <rpenny@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 19 00:36:58 UTC 2020 on sn-devel-184
This is much shorter. There's also another aspect: I'm working on
improving cli_list() to not collect all files before starting to call
the callback function. This means that the cli_list cb will be called
from within tevent_loop_once(). In pylibsmb.c's deltree code this
would create a nested event loop. By moving the deltree code into the
python world this nested event loop is avoided. Now the python code
will first collect everything and then start to delete, avoiding the
nesting. A future development should make listing directories a
generator or something like that.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Right now this is empty, but it is the basis for moving complexity out
or pylibsmb.c into python code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected,
Heimdal does not.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184
Refactor to aid the adding of tests for the inclusion of a salt when
ARCFOUR_HMAC_MD5 encryption selected
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
TORTURE_KRB5_TEST_CHANGE_SERVER_IN
TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
the check that a salt is not returned. A test for the difference
between MIT and Heimdal will be added in the subsequent commits.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Extract the constants used in the tests into a separate module.
To reduce code duplication
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This gives a much higher chance to see the actual problem
without having them filtered by various 'filter-subunit' invocations.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This is documented in MS-KILE.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184
This takes the realm from the LDAP base DN and so avoids one
easy mistake to make. So far the NT4 domain name is not
auto-detected, so much be read from the smb.conf.
By using .guess() the smb.conf is read for the unspecified
parts (eg workstation for an NTLM login to the LDAP server if
the target server is an IP address).
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This naturally does not change the test, but reduces developer
confusion.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This test passed against Samba but failed against Windows when
an enterprise principal (user@domain.com@REALM) was encoded as
NT_PRINCIPAL.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Originally copied from 'source4/scripting/devel/createtrust'
(had to drop the TRUST_AUTH_TYPE_VERSION part though, as it
fails against samba DC).
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>