1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

139725 Commits

Author SHA1 Message Date
Stefan Metzmacher
350db61bef s4:selftest: run samba.tests.krb5.netlogon
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
6f52ffab82 python:tests/krb5: add netlogon.py
This adds tests for the application layer encryption used
based on the secure channel session key.

This will get tests for netr_ServerAuthenticateKerberos()
in order to explore its details.

This runs against Windows 2022 as well as Windows 2025 (preview)
using something like this:

SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
STRICT_CHECKING=0 \python/samba/tests/krb5/netlogon.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
4030a62b2d python:tests/krb5: avoid some problems when running against w2025 (preview) with STRICT_CHECKING=0
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
db0e7dfc41 python:tests/krb5: remember the objectGUID of created accounts
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
04da20c813 pycredentials: add credentials.netlogon_creds_*() functions via py_module_methods
This makes it possible to explore the functions arround
netlogon_creds_CredentialState via python.

This allows us to write tests in order to explore
the details of netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
bd76d0460b pycredentials: add creds.[g|s]et_netlogon_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
01758da131 pycredentials: remove unused module methods
It's not useful to use the PyCredentials methods
also as module methods...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
018a3ced1c pyrpc_util: fix error Exception message in py_check_dcerpc_type()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:38 +00:00
Stefan Metzmacher
567d4e356a s4:rpc_server/netlogon: let dcesrv_netr_LogonSamLogon_base_reply handle encryption errors
This might be the better option when we implement
netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a4105f94f9 libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic info
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
18a62ea23f tests/krb5: make use of conn.auth_info() in _test_samlogon()
In future we'll have KRB5 instead of SCHANNEL...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
cbd990b2b6 s4:pyrpc: add conn.auth_info()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
ec6892bd1f gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
f59b8ac136 s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
4dbbfcb004 s3:libads: add kerberos_kinit_passwords_ext() helper
This can check more than one password and is designed to
support getting a TGT for our machine account also falling
back to older passwords...

If we don't have a plaintext password it falls back to an nt_hash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
017e6e1cb1 s3:libads: split out kerberos_kinit_generic_once()
This can be used to kinit with a keyblock later
and also a loop over multiple password generations will
be possible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
32dd400f9e s3:libads: remove unused time_offset from kerberos_kinit_password()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
890fd84486 s3:libads: let kerberos_kinit_password_ext() always initialize *ntstatus
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
e470d33194 s3:libads: fix compiler warning in trust_pw_change()
../../source3/libads/trusts_util.c: In function ‘trust_pw_change’:
../../source3/libads/trusts_util.c:302:45: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  302 |                                    (void **)&new_trust_pw_blob.data,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
b6123197d1 s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
d6aa886ce2 s3:winbindd: remove useless lines in add_trusted_domains_dc()
add_trusted_domain() above already sets this...

Review with: git show -U15

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
fa04464316 s3:winbindd: make use of samba_sockaddr in set_remote_addresses() to avoid warnings
../../source3/winbindd/winbindd_dual_ndr.c: In function ‘set_remote_addresses’:
../../source3/winbindd/winbindd_dual_ndr.c:467:51: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
  467 |         struct sockaddr *sar = (struct sockaddr *)&st;

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
0de93c34db s3:winbindd: make use of samba_sockaddr add_one_dc_unique() to avoid warnings
../../source3/winbindd/winbindd_cm.c: In function ‘add_one_dc_unique’:
../../source3/winbindd/winbindd_cm.c:1172:48: warning: dereferencing type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
 1172 |                             (struct sockaddr *)(void *)&(*dcs)[i].ss,

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
6cc8dfea6e s3:winbindd: let wb_dsgetdcname* normalize to dns names on an ad_dc
wb_dsgetdcname() is typically used by dcerpc_wbint_DsGetDcName_send()
from netr_DsRGetDCName* in the netlogon server, when domain members
try to ask for domain controllers of a trusted domain.

The domain might disabled netbios support, so we better try the
already dns name if available.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
0a31a5d20e s3:utils: let net_rpc_testjoin() work for ad domains and no ipv4 address
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
e47ce1d10b s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
We may get NT_STATUS_NOT_FOUND when the name can't be resolved
and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4
addresses...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
ed6a9ccef6 libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED is the proposed flags changed
This will be important when we add support for netr_ServerAuthenticateKerberos().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
84703cb1fd s4:torture/rpc: make use of creds->client_requested_flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
07b51a12c0 s4:librpc/rpc: make use of creds_state->client_requested_flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a2b6a68b80 schannel.idl: change netlogon_creds_CredentialState layout for 4.22
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.

It also prepares support for netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
52b94f3f0f Revert "libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"
This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16.

We break the compat of the netlogon_creds_cli.tdb records compared to
4.21 with the next commits.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
aea024779f libcli/auth: don't loose server_dns_domain in netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
544838ac5b netlogon.idl: add NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
I have basic tests, which have shown that the payload is not
encrypted at application level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
61a5151af5 librpc/ndr: let ndr_print_bitmap_flag work for bitmap64bit values
Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
14128289a3 python/ndr: allow print_secrets=True for ndr_print*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
377db59ce9 pidl/Python: allow ndr_print(print_secrets=True)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
a69310eeab librpc/ndr: add ndr_print_{struct,union,function}_secret_string()
Keep libndr at 6.0.0, this has not been released yet.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
705f774863 librpr/ndr: split out ndr_print_generic_string()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
d9b0aed547 netlogon.idl: use authservice("netlogon")
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
9ede82167b netlogon.idl: mark some structs as public so that ndr.ndr_deepcopy() works in python
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Stefan Metzmacher
dbe3308cba samr/netlogon.idl: add [flag(NDR_SECRET)] in some more places
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 16:46:37 +00:00
Pavel Filipenský
eb02776cf4 s3:tests: Adapt winbind_call_depth_trace to depth=3
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Thu Dec  5 15:54:57 UTC 2024 on atb-devel-224
2024-12-05 15:54:57 +00:00
Pavel Filipenský
26cb20fb7e s3:tests: Make winbind_call_depth_trace to use global_inject.conf
To get the expected traces we need:

debug syslog format = no
log level = 10

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 14:57:33 +00:00
Volker Lendecke
a2d47e989e libcli: Speed up sddl_decode_ace()
Factor out talloc-less sddl_transition_decode_sid()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Dec  3 09:03:01 UTC 2024 on atb-devel-224
2024-12-03 09:03:01 +00:00
Volker Lendecke
b65a4b9c90 libcli: Remove a special case
dom_sid_parse_endp does accept the lowercase "s" in "s-1-1-0".

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-03 08:01:30 +00:00
Volker Lendecke
37e7203b0d libcli: Simplify sddl_decode_err_msg()
We have security_descriptor_initialise() for this

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-03 08:01:30 +00:00
Volker Lendecke
4def2a698d libcli: README.Coding for dom_sid routines
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-03 08:01:30 +00:00
Volker Lendecke
e4f57feed0 lib: Simplify security_descriptor_initialise() with a struct init
Rely no the default NULL init.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-12-03 08:01:30 +00:00
Volker Lendecke
963d54c8ee libcli: Fix a signed/unsigned comparison warning
With this we compare pointers, not numbers

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Dec  2 05:52:56 UTC 2024 on atb-devel-224
2024-12-02 05:52:56 +00:00
Volker Lendecke
0045975c9e libcli: Use dom_sid_dup() instead of talloc_memdup()
We have specialized code for this, why not use it...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-12-02 04:53:33 +00:00