1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

136085 Commits

Author SHA1 Message Date
Douglas Bagnall
dc60891de9 libcli/security: conditional ACE sid parser no longer expects RA ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
0a2e335e37 libcli/security: parse resource attribute ace SIDs separately
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
79292c8d1e libcli/security/sddl: write RA octet strings the Windows way
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
38e7b4dcbd libcli/security: add a parser for resource attribute ACE byte strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
9ef71399ce libcli/security: sddl_conditional_ace: remove check_resource_attr_type()
This is unneeded, as now all the checks are done in the relevant
parse_* functions.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
059610a62e libcli/security: sddl_conditional_ace: add parse_bool for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
800f770e11 libcli/security: sddl_conditional_ace: add parse_uint for RA aces
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
33caae4381 libcli/security: un-invert parse_resource_attr_list, check type first
We were reusing parse_literal() because it almost does what we need,
but it is different enough that check_resource_attr_type() is large
and complicated, and can't handle all the cases (in particular octet-
strings and SIDs are different in resource ACEs).

This way is better because we know the type in advance, so we can use
that to choose the parser, which will help with octet-strings that are
only digits.

In this commit we're leaving the check there, but it soon won't do
anything that the parse_* functions don't, and we will remove it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cda9371b59 libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
4ab9cb1907 libcli/security:sddl_condtional_ace: log compiler errors at some debug levels
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
f18ffd1182 libcli/security: initialise conditional ACE token flags
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
8e3be66a49 pytest: security_descriptors tests get enumerator in name
This will make knownfails easier, given the names contain so many
regular expression metacharacters.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Björn Jacke
5e925f9755 dosmode: prefer capabilities over become_root
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Björn Jacke
1dd81928a2 libgpo: fix wrong lineending in admx files
When changing or reviewing admx file patches, make sure, that those files are
dos fileformat and they need to have the magic ^M at the end of each line ...

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Stefan Metzmacher
f5c76c3c81 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro"
This reverts commit bb370b9381.

We no longer use log level -1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Nov 24 10:34:58 UTC 2023 on atb-devel-224
2023-11-24 10:34:58 +00:00
Stefan Metzmacher
cd8dcff9e9 lib/util: convert DBG_STARTUP_NOTICE() to use debug_set_forced_log_priority(DBGLVL_NOTICE)
Using -1 as log level is not compatible without our infrastructure.

As all backends are initialized with .log_level = -1, which means
they don't log the message, but now they all try to handle the
startup message even if they are not configured.

E.g. is means that systemd's journalctl get the message twice
now, first via the syslog and also the systemd backend.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-24 09:30:38 +00:00
Stefan Metzmacher
bd21a0cdef lib/util: add debug_set_forced_log_priority()
By default the priority for syslog/systemd is derived from
the log level of the debug message.

But for things like startup messages we want to
change the priority temporary, like this:

debug_set_forced_log_priority(DBGLVL_NOTICE);
D_ERR("Startup...\n");
debug_set_forced_log_priority(-1);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-24 09:30:38 +00:00
Rob van der Linde
83e8971c0f Claims initial black box tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 23 00:32:33 UTC 2023 on atb-devel-224
2023-11-23 00:32:33 +00:00
Rob van der Linde
fad29cd0a6 netcmd: auth policy: add allowed-to-authenticate-from-device-group attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
1b4514712d netcmd: auth policy: fix missing 'by' in help string
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
eaf1bd5623 netcmd: auth policy: add allowed-to-authenticate-to-by-group attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
dbeb424e6c netcmd: auth policy: rename "from silo" to "from device silo"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
1e00952c34 netcmd: auth policy: document allowed to authenticate from silo and to by silo attributes
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
42de24d73a netcmd: auth policy: add allowed to authenticate to by silo attributes
--user-allowed-to-authenticate-to-by-silo
--service-allowed-to-authenticate-to-by-silo
--computer-allowed-to-authenticate-to-by-silo

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
9fe147a02c netcmd: models: add field test for SIDField
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
96aaa0059f netcmd: models: add a Group model
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
e9b1ac93b5 netcmd: models: make systemFlags and systemOnly fields readonly
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
c1f56feefb netcmd: models: ensure that backlinks are always readonly
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
6255d57ce8 netcmd: models: add readonly attribute on fields to exclude it from save
There was trouble when saving fields like is system object, these need to be excluded on save.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
e256a04d5d netcmd: models: get_base_dn returns default rather than be abstract
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
91cc73352e netcmd: models: add SIDField field
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
0ce9b75325 netcmd: models: use correct SDDL for authentication silos
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
bf07a97931 netcmd: fix typo in groups and computer commands
Everywhere else it is using Group's except for one place which makes it obvious this was incorrect.

Same goes for Computers's vs Computer's

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
6e3491e280 selftest: move planoldpythontestsuite up so it can be used by blackbox tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Rob van der Linde
faf0b784a1 tests: gensec: docstrings in the middle of code should be comments
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-22 23:35:33 +00:00
Volker Lendecke
f955d9aa49 smbd: Fix Coverity ID 1499372 Uninitialized scalar variable
This is real.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 21 18:33:51 UTC 2023 on atb-devel-224
2023-11-21 18:33:51 +00:00
Volker Lendecke
bc0df4fd97 winbind: Fix Coverity ID 1398910
Coverity isn't smart enough for talloc

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
0bc329a343 lsa4: Fix Coverity ID 1499410
It complains about uninitialized access, and I'm not sure it isn't
right. Just initialize the structure.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
a5c2134cc2 samr4: Fix Coverity ID 1499378
Coverity isn't smart enough to see this is initialized. As it's good
practice to initialize vars, just do it.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
66a8a4f02e utils: Fix Coverity ID 240113
Not a leak, but Coverity does not understand talloc well enough.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
2651a7b03d smbd: Fix/remove a comment that became irrelevant
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
7c5380c958 smbd: Fix a comment
See 84cf205ff4

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Volker Lendecke
af69ea73a4 smbd: Convert a void* into the real DIR*
Not sure why this was a void*

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-21 17:34:36 +00:00
Andreas Schneider
8863d84d53 s3:rpc_client: Remove unused rpccli_lsa_open_policy2()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Nov 21 12:21:18 UTC 2023 on atb-devel-224
2023-11-21 12:21:18 +00:00
Andreas Schneider
417c8180c4 s3:winbind: Always close the policy handle we opened
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
05a006fab9 s3:winbind: Use dcerpc_lsa_open_policy_fallback() in winbindd_cm.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
6b6a88cddd s3:utils: Use any_nt_status_not_ok() in rpc_rights_grant_internal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
28e7a754c8 s3:utils: Use goto to close the policy in rpc_rights_grant_internal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
e5abb584b6 s3:utils: Use dcerpc_lsa_open_policy_fallback() in net_rpc_rights.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00
Andreas Schneider
5b3e562006 s3:utils: Use dcerpc_lsa_open_policy_fallback() in net_rpc.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-11-21 11:16:37 +00:00