1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

4185 Commits

Author SHA1 Message Date
Douglas Bagnall
bbe217604b libcli/security: tests for conditional ACE integer base persistence
Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62929

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-14 03:31:37 +00:00
Andreas Schneider
1041dae03f auth:creds: Fix cli_credentials_get_password_and_obtained() with callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
ab4b25964a auth:creds:tests: Add test for password callback
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
c46769f3f1 s3:tests: Fix smbget test
Time to fix the smget share to not have `guest ok = yes` set. A new
[smbget_guest] will be used for guest only tests. This way we can
correctly test different authentication mechanisms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
56d0c3a026 selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables
We should start using those in future. So we can distinguish which
privileges we want. Currently DC_USERNAME is the Administrator. Whatever
possible should use DOMIAN_USER instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Andreas Schneider
a2af6946f5 selftest: Remove trailing tabs/white spaces in Samba4.pm
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
646046cb58 selftest/knownfail: move more parts to expectedfail.d/ntlm-auth
Here NTLM is disabled, so failure is intended.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
54f95df693 selftest/knownfail: move some parts to expectedfail.d/ntlm-auth
Where NETLOGON is disabled, the failure is intended.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
5af5f9807d selftest/knownfail.d: move encrypted_secrets to expectedfail.d
From the file itself:

> # The fl2000dc environment is provisioned with the --plaintext-secrets option
> # running the ecnrypted secrets tests on it and expecting them to fail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
2497a4afe5 selftest/knownfail.d: move ntlmv1-restrictions to expectedfail.d
These tests have been set up to fail by smb.conf options, partly
in order to test those options.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
bac2559746 selftest/knownfail.d: move samba-4.5-emulation to expectedfail.d
These tests are expected to fail because the handling of GET_ANC has
deliberately been degraded in this environment (in order to test an
upgrade path, long story).

> We now show this is in effect by the fact that tests now fail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
f60d794666 selftest/knownfail.d: move labdc to expectedfail.d
To quote the original commit:

> Note that the rpc.echo tests for the testallowed and testdenied users
> fail, because we don't backup the secrets for these users. So these
> tests failing proves that the lab-DC testenv is correct.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
3ea40efe04 selftest/knownfail.d: remove empty files
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
7a6d9a7217 selftest/knownfail.d: README memntions expectedfail.d
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Douglas Bagnall
04ed120605 selftest: add an expectedfail directory
We have some tests that are not only known to fail, but which are
intended to fail.

For example, to quote selftest/knownfail.d/dns:

> # These tests are expected to fail because we want to ensure that
> # unauthenticated updates are not permitted against the default
> # configuration, nor against an RODC

In contrast to selftest/knownfail.d/uac_objectclass_restrict, which
says:

> # All these tests need to be fixed and the entries here removed

That one should stay in selftest/knownfail.d.

Some files are mixed. For example, there are lines in
selftest/knownfail.d/smb1-tests which were added in *commits* that say

> We also need to add a knownfail (which will not be removed) for the
> new test which will fail in smb1 envs

but it is not clear to me that the whole file is expected to always
fail.

By moving some knownfails here, we allow selftest/knownfail.d to be a
bit more like a TODO list, containing things that actually constitute
failure.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-10 21:24:38 +00:00
Joseph Sutton
60e9e3e01c tests/ndr: Add tests for Group Key Distribution Service blobs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-12-08 02:28:33 +00:00
Andreas Schneider
00034d0228 s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  1 08:06:44 UTC 2023 on atb-devel-224
2023-12-01 08:06:44 +00:00
Andreas Schneider
ad0c0dd071 selftest: Show that 'allow trusted domains = no' firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-12-01 07:07:31 +00:00
Joseph Sutton
cd1168a131 lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
5f5b5b75ca lib:crypto: Add tests for samba_gnutls_sp800_108_derive_key()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Joseph Sutton
acb67bd93e selftest: Remove knownfail entries for non‐existent tests
The corresponding tests were removed in commit
938afb8b28.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-30 00:02:33 +00:00
Douglas Bagnall
4f56c70283 libcli/security: claim_v1_to_ace_token(): avoid unnecessary re-sort
If it is a wire claim (which is probably most common), the checking
and sorting has already happened. We don't need to make a copy to
sort and check.

In either case, there is still a copy step to make the conditional ACE
token.

This shuffles around some knownfails because the claim_v1_copy()
function we were using is checking for duplicates, which we don't
always want. That will be fixed soon.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
8074257c3a libcli/security: wire claim conversion uses claim_v1_check_and_sort()
This roughly returns things to where they were a few commits ago, with
the claims being checked for uniqueness.

The difference is the claims will be sorted afterwards, and the
uniqueness check will be far more efficient on large claims.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
1c88dfc6ac libcli/security: wire claims conversion: remove strings uniqueness check
This changes the behaviour when one of the strings is NULL. Previously
a single NULL string would be ignored, and two would cause an error.
That will be restored in the next commit.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
08096fd5b4 libcli/security: int wire claims drop uniqueness check
And we allocate all the values together as an array, because
we might as well.

This and the next couple of commits might look like steps backwards,
and they are, but they allow us to get a run-up to leap over a big
fence.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
a836ad1442 pytest: conditional_ace_claims tests large composite comparisons
Our composite comparisons are currently all wrong.

Soon they will be fixed, but we are going to have an inflection point
where we switch from the naive compare-everything approach to a sort
based comparison, and we want to test both sides. Also, we use these
tests for a little bit of timing, which reveals it is all fast enough.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
fc890742ab libcli/security: add test_claims_conversion
These are unit tests for converting wire claims into sorted claims v1
structures.

These are based from packets derived from the krb5.conditional_ace
tests, and currently don't test more than they do, but they work about
a hundred thousand times quicker.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Douglas Bagnall
da077b8486 libcli/security: test_run_conditional_ace tests more comparisons
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 22:37:32 +00:00
Ralph Boehme
631e6aa0d0 smbd: bring back "smb3 unix extensions" option
This basically reverts commit b3cae8dcf1
with a few important differences:

* SMB3 UNIX extensions are always built, but disabled by default at runtime.

* They are globally enabled in the fileserver test environment.

* It's now a per-share option, so admins can selectively disable them
  on a per-share basis. This allows clients to detect early that a share
  doesn't support user mount requested POSIX and fail appropiately, passing
  the failure to the requesting application (mount command).

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-11-27 18:31:35 +00:00
Douglas Bagnall
19129660df libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs
We had two sets of test vectors (Windows ground-truth for SDDL
compilation) that got mixed up.

The "oversized ACLs" set is ACLs that contain repeated ACEs, like
"D:P(D;;;;;MP)(D;;;;;MP)" -- Windows will assign a size to the ACL
that is greater than the sum of the ACEs, while Samba will not (in
part because we don't actually store a size for the ACL, instead
calculating it on the fly from the size of the ACEs).

The "TX integers" set is for resource attribute ACEs with octet-string
data that contains pure integers (lacking '#' characters) in their
SDDL, like «(RA;;;;;WD;("bar",TX,0x0,0077,00,0077,00))». We used to
think that was weird, and that RA-TX ACEs should contain octet-strings
in the conditional ACE style. But now we have realised it's not weird,
it's normal, and we have fixed our handling of these ACEs.

As a result of this mix-up, some of the tests labelled as "oversized
ACLs" started passing when we fixed the TX integer problem, and that
was confusing. All of the removed tests are already on the TX integer
set -- the removed ones were duplicates.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
79292c8d1e libcli/security/sddl: write RA octet strings the Windows way
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
38e7b4dcbd libcli/security: add a parser for resource attribute ACE byte strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Douglas Bagnall
cda9371b59 libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests
We are going to parse octet strings like Windows (as opposed to like
Windows docs), so the tests need changing.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-27 01:12:40 +00:00
Rob van der Linde
83e8971c0f Claims initial black box tests
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Thu Nov 23 00:32:33 UTC 2023 on atb-devel-224
2023-11-23 00:32:33 +00:00
Joseph Sutton
c0e6fe0bff tests/ndr: Add tests for GMSA Managed Password blobs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 21:50:32 +00:00
Joseph Sutton
21a3f60cfc python:tests: Move NDR tests to their own directory
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 21:50:32 +00:00
Günther Deschner
5119d5540d s4-winreg: fix dcesrv_winreg_EnumValue behavior
When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 20 04:50:00 UTC 2023 on atb-devel-224
2023-11-20 04:50:00 +00:00
Günther Deschner
1fd0689f0e s3-winreg: fix _winreg_EnumValue behavior
When returning WERR_MORE_DATA the winreg server needs to indicate the
required buffer size.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 03:52:33 +00:00
Günther Deschner
43a8a03767 s4-torture: add test to check for Windows behavior of EnumValue call
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-20 03:52:33 +00:00
Andrew Bartlett
79ef40b026 s4-scripting/devel: Fix repl_cleartext_pwd to use built-in RC4
This allows the usage test to pass on our CI hosts without
python-crypto and not uxsuccess on hosts with it.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-11-16 01:51:39 +00:00
Douglas Bagnall
01f8b61035 libcli/security:sddl_decode_ace: fix ';' count message
The wrong number of semicolons is usually one less than count (which
counts sections separated by semicolons), except when count is zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Douglas Bagnall
23a83d37df pytest:samba-tool domain auth policy: expect error message detail
The knownfail will stay around for a few commits, because the message
we get is slightly wrong.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 22:07:35 +00:00
Noel Power
d9c230ff80 python/samba/tests: Add smbcacl tests for save/restore
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-15 04:05:34 +00:00
Ralph Boehme
9544332084 smbd: fix has_other_nonposix_opens_fn()
Given two opens on a file:

1. Windows open with delete-on-close
2. POSIX open with delete-on-close set

When handle 1 is closed processing in has_other_nonposix_opens_fn() will not
delete the file as (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) is false, so
has_other_nonposix_opens() will return true which is wrong.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15517

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 13 19:34:29 UTC 2023 on atb-devel-224
2023-11-13 19:34:29 +00:00
Ralph Boehme
8ccc809f93 CI/smb3unix: add test_delete_on_close
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15517

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-11-13 18:35:32 +00:00
Joseph Sutton
fb867873d8 netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Nov  9 09:01:25 UTC 2023 on atb-devel-224
2023-11-09 09:01:25 +00:00
Joseph Sutton
a08a724a28 netcmd:tests: Test authentication policies containing device‐specific attributes and operators
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
d0ca1bcd98 third_party/heimdal: Import lorikeet-heimdal-202311082119 (commit 844610f06bac2b7b2a208cbabc7414bde23abac7)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
5ebd1b8dae tests/krb5: Test Kerberos principal names containing non–BMP Unicode characters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
fd319adcc1 s4-torture: add test for svcctl_ControlServiceExW()
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Günther Deschner
80b4893aa1 s4-torture: add test for svcctl_QueryServiceConfigEx
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-09 08:00:30 +00:00
Joseph Sutton
091af82f75 s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC
Such buffers are not to be trusted.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Nov  7 22:54:42 UTC 2023 on atb-devel-224
2023-11-07 22:54:42 +00:00
Joseph Sutton
62373eeef0 tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 19:14:37 +00:00
Joseph Sutton
224408f959 tests/krb5: Test target authentication policies when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 19:14:37 +00:00
Joseph Sutton
622ac53f22 tests/krb5: Add tests for PACs containing extraneous buffers
Test that the KDC removes these buffers from RODC‐issued PACs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 19:14:37 +00:00
Joseph Sutton
6e999eab1c tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 19:14:37 +00:00
Joseph Sutton
b0a09a69cc selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 19:14:37 +00:00
Joseph Sutton
5f865bd14d tests/krb5: Test conditional ACE expressions with empty composite literals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Joseph Sutton
ff1d00e079 selftest: Sort conditional ACE knownfails
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-02 03:08:37 +00:00
Douglas Bagnall
d915443ab0 pytest: samba_tool domain auth policy fix for SDDL err msg
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
cc2498f35b samba-tool: try to present diagnostics for SDDL errors.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:46 +00:00
Douglas Bagnall
5319c5bdac libcli/security: SDDL accepts lowercase "s-" in SIDs
This is what Windows does, and it removes a couple of knownfails.

We can change it here cheaply without affecting the core dom_sid code,
which is good because there seem to be other places where we need the
uppercase S (for example in ldap search <SID=> queries).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
0733ea3663 s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims
Valid SIDs as appropriate.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
f8bfd607ca tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
These tests crash Windows, but we can assume reasonable behaviour for
Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
b0da50b5b0 s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
3b936623a4 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
7ba4bb8164 tests/krb5: Add tests to see how SIDs are conveyed from PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
dc1e2b41ca tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Joseph Sutton
947d3e5932 tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-11-01 20:10:45 +00:00
Volker Lendecke
952d6c2cf4 smbd: Fix read_symlink_reparse()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 27 21:19:35 UTC 2023 on atb-devel-224
2023-10-27 21:19:35 +00:00
Volker Lendecke
cc1657c585 tests: Get a file through an absolute symlink within a subdirectory
This shows that read_symlink_reparse() is broken when trying to
replace an absolute with a relative filename within a
share.

read_symlink_reparse() is used only in openat_pathref_fsp_nosymlink()
so far to chase symlinks for non-lcomp path components. Chasing lcomp
symlinks is done through non_widelink_open(), which gets it right.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15505

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-27 20:14:30 +00:00
Gabriel Nagy
d5d96bed02 gp_pol: Allow null data for REG_MULTI_SZ
The parser is able to convert data from binary to XML (it generates an
empty <Value> tag) but not the other way around. This is a common
occurrence for empty multitext fields.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-10-27 13:47:31 +00:00
Gabriel Nagy
9c5a924428 gp_pol: Test empty multi_sz roundtrip
Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-10-27 13:47:30 +00:00
Rob van der Linde
3e9f74a680 netcmd: claims: rename claims and silo tests
Rename test function names that were starting to get very long.

They were all prefixed with the test name, stop doing that and use double underscore for better separation.

e.g. AuthPolicyCmdTestCase.test_authentication_policy_list_json

becomes AuthPolicyCmdTestCase.test_list__json

The claim types and value types test cases have been split into two testcases.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 23:32:34 +00:00
Joseph Sutton
ddef0e5e1f s4:kdc: Consider a single‐component krbtgt principal to be the TGS
This matches the behaviour of Windows.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 01:24:32 +00:00
Joseph Sutton
3917a1995c tests/krb5: Add tests for single‐component krbtgt principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-26 01:24:32 +00:00
Noel Power
86d4342180 libcli/wsp: Test AQS parser
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:38 +00:00
Joseph Sutton
910467204f s4:kdc: Add device to Authenticated Users for RBCD conditions evaluation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
f48afb2ba7 s4:kdc: Add device to default groups for RBCD conditions evaluation
This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
5f0ebf08c7 tests/krb5: Add tests for group membership with RBCD
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
49dca84731 tests/krb5: Add more tests of the device belonging to certain groups
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Joseph Sutton
2543bc0453 selftest: Remove ubsan suppressions
These instances of undefined behaviour ought now to be fixed.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-25 22:23:37 +00:00
Ralph Boehme
7c8dea14da smbtorture: add test for fruit:validate_afpinfo option
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Oct 24 22:30:06 UTC 2023 on atb-devel-224
2023-10-24 22:30:06 +00:00
Joseph Sutton
63aeb64504 s4:kdc: Add device to Authenticated Users for authentication policy evaluation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224
2023-10-24 01:59:32 +00:00
Joseph Sutton
c91d1618e3 s4:kdc: Add device to default groups for authentication policy evaluation
This means that expressions like ‘Device_Member_of(WD)’ will now work,
as they should.

It *also* means that expressions like ‘Device_Member_of(NU)’ will work,
even though they shouldn’t. This is because we consider SID_NT_NETWORK
to be a default group.

Our new behaviour may be wrong, but at least it’s now consistent with
the behaviour of user‐relative expressions like ‘Member_of(WD)’ and
‘Member_of(NU)’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
eb21ac8777 tests/krb5: Test whether the device belongs to some default groups
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
0f5033a1e7 tests/krb5: Work around Samba’s incorrect krbtgt principal handling
These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-24 00:54:31 +00:00
Joseph Sutton
4c291514a9 s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224
2023-10-19 22:39:19 +00:00
Joseph Sutton
4e83dfb676 s4:kdc: Always regard device info when the client performs RBCD
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
11835ed5bb tests/krb5: Update method names to be consistent with other tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-19 21:37:36 +00:00
Joseph Sutton
a8a186868e tests/krb5: Fix tests that crash Windows
Expect an actual error code or an outcome, not CRASHES_WINDOWS.

I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
52ea480543 tests/krb5: Expect a status code with policy errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Joseph Sutton
b5b8b16a50 tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?

A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-17 03:19:38 +00:00
Stefan Metzmacher
bf79979f84 s4:kdc: fix user2user tgs-requests for normal user accounts
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.

In addition User2User also asserts that client and server
are the same account (cecked based on the sid).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
2023-10-16 15:38:12 +00:00
Stefan Metzmacher
c99fe118fd tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
Stefan Metzmacher
7f8b15faa7 CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 14:39:33 +00:00
David Mulder
b76e184c07 gpdupate: Implement Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 00:59:32 +00:00
David Mulder
42d03da306 gpupdate: Test Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-16 00:59:32 +00:00
Joseph Sutton
3f70da665b selftest: Use now() instead of utcnow()
utcnow() is deprecated and will be removed in a future version of Python.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-13 03:50:31 +00:00
Joseph Sutton
a2d96f5e29 s4:kdc: Always regard device info when checking a server authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224
2023-10-13 00:11:08 +00:00
Joseph Sutton
608c8d493c s4:kdc: Use device claims to evaluate client authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
7336fbb2ec s4:kdc: Use claims and device info to evaluate server authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
407a979b98 s4:kdc: Do not perform compound authentication for services without Compound Identity support
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Joseph Sutton
43cce1d190 tests/krb5: Correctly test services that do not support Compound Identity
These two tests now pass against Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-12 23:13:32 +00:00
Andrew Bartlett
3cf1beed5d CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
cfeb9fe50e CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.

Having a second access control system withing the LDAP stack is unsafe
and this layer is incomplete.

The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access.  Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).

Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.

The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
d3d83a8f2e CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
76b8d3edce CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Andrew Bartlett
6578a65ed7 CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.

We rename tests that would otherwise have duplicate names

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 14:49:39 +00:00
Ralph Boehme
b70f4f8681 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-10-10 14:49:39 +00:00
Ralph Boehme
b1fd656941 CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-10-10 14:49:39 +00:00
Jeremy Allison
5ed25efb07 CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).

Remove knowfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
2023-10-10 14:49:39 +00:00
Jeremy Allison
c39f90a124 CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <jra@samba.org>
2023-10-10 14:49:39 +00:00
Ralph Boehme
633a3ee689 s3: smbd: Ignore fstat() error on deleted stream in fd_close().
In the fd_close() fsp->fsp_flags.fstat_before_close code path.

If this is a stream and delete-on-close was set, the
backing object (an xattr from streams_xattr) might
already be deleted so fstat() fails with
NT_STATUS_NOT_FOUND. So if fsp refers to a stream we
ignore the error and only bail for normal files where
an fstat() should still work. NB. We cannot use
fsp_is_alternate_stream(fsp) for this as the base_fsp
has already been closed at this point and so the value
fsp_is_alternate_stream() checks for is already NULL.

Remove knownfail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Oct 10 09:39:27 UTC 2023 on atb-devel-224
2023-10-10 09:39:27 +00:00
Volker Lendecke
23deb79a28 tests: Add reproducer for bug 15487
Show that smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15487

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-10-10 08:19:29 +00:00
Joseph Sutton
7b6c17359b tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Sun Oct  1 23:46:44 UTC 2023 on atb-devel-224
2023-10-01 23:46:44 +00:00
Joseph Sutton
46c08652f8 tests/krb5: Add Device Restriction tests for silos and authentication policies in the KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
989fb00985 tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-01 22:45:38 +00:00
Joseph Sutton
08b9d5c7b9 tests/krb5: Add samba.tests.krb5.conditional_ace_tests
This is a test using conditional ACEs and claims to confirm that we understand
the full end-to-end network behaviour of these all the way from the PAC to the
application in the access check of the KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224
2023-09-28 04:35:05 +00:00
Douglas Bagnall
588a339df7 libcli/security: adjust tests for evaluate_claims flag
Most tests were prepared in advance, but we left these ones to test
the change.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:36 +00:00
Andrew Bartlett
e3f28c2ecf libcli/security: Hook in ability to disable conditional ACE evaluation
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-09-26 23:45:36 +00:00
Douglas Bagnall
b7bd1f438b libcli/security: conditional ace access checks for file server
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
30e6249d22 pytest: tests for conditional ACEs with security tokens
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
b7ae4304b1 libcli/security: cmocka test for running conditional ACEs
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
901f77c543 pytest: security descriptors: test some conditional and RA ACEs
We have two sets of tests: one that will succeed, and one that is going
to remain a knownfail. The latter involves Resource Attribute ACEs that
have the TX type, meaning "byte string".

In MS-DTYP, a bytestring is defined like "#6869210a", with a hash,
followed by an even number of hex digits. In other places on the web, it
is mentioned that zeroes in the string can be replaced by hashes, like so
"#686921#a". We discover via indirect fuzzing that a TX RA ACE can also
take bare integers, like "6869210a" or "2023". As it would be tricky to
support this, and there is no evidence of this occurring in the wild, we
will probably leave this as a knownfail.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
7b9462faf0 pytest: security_descriptors: tests without revision number hack
ACL revision 4 (SECURITY_ACL_REVISION_ADS) is effectively a superset
of revision 2 (SECURITY_ACL_REVISION_NT4), so any revision 2
ACL can be called revision 4 without any problem. But not vice versa:
a revision 4 ACL can contain ACE types that a revision 2 ACL can't. The
extra ACE types relate to objects.

Samba currently simplifies things by calling all its ACLs revision 4,
even if (as is commonly the case) the ACLs contain only revision 2 ACEs.
On the other hand, Windows will use revision 2 whenever it can. In other
tests we skip past this by forcing Windows ACLs to v4 before comparison.
This test is to remind us of the incompatibility.

It would not be hard to fix.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
63be840120 pytest: security_descriptors test for repetitive ACLs
If there are multiple identical ACEs in an SDDL ACL, Windows will decode
them all and put extra trailing zeroes at the end of the ACL.

In contrast, Samba will decode the ACEs and not put extra zeroes at the
end.

The problem comes when Samba tries to read a binary ACL from Windows that
has the extra zeroes, because Samba's ACL size calculation is based on
the size of its constituent ACEs, not the ACL size field.

There is no good reason for an ACL to have repeated ACEs, but they could
be added accidentally.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Douglas Bagnall
e4865a3ba1 libcli/security: test SDDL compilation in cmocka
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-26 23:45:35 +00:00
Volker Lendecke
3481bbfede smbd: Fix BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224
2023-09-20 22:42:48 +00:00
Volker Lendecke
56df75d447 tests: Add reproducer for BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-20 21:48:36 +00:00
Jeremy Allison
11280f1705 s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.
Matches file and directory closes.

Remove knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Sep 20 02:43:18 UTC 2023 on atb-devel-224
2023-09-20 02:43:18 +00:00
Jeremy Allison
66398dd03c s3: torture: Add a new SMB2 test: SMB2-PIPE-READ-ASYNC-DISCONNECT
Shows the server crashes if we open a named pipe, do an async read
and then disconnect.

Adds knownfail:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-09-20 01:49:35 +00:00
Stefan Metzmacher
5b7f9840f7 selftest: add some basic testing for the io_uring vfs module
We're now able to build it on all linux systems and
the ci runners have at least a 5.4 kernel. That's
all the current vfs_io_uring requires.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Sep 17 18:04:18 UTC 2023 on atb-devel-224
2023-09-17 18:04:18 +00:00
Stefan Metzmacher
91b30a7261 nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key
If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application. Which is likely
to cause memory corruption.

So we better don't call pthread_key_delete() in wb_atfork_child().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Stefan Metzmacher
62af25d44e nsswitch: add test for pthread_key_delete missuse (bug 15464)
This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole@ans.pl>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-14 17:56:30 +00:00
Joseph Sutton
26fd734d56 selftest: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Volker Lendecke
ebb6eb9c2f libsmb: Fix parsing symlink reparse points
Untested code is broken code. For symlinks we need to hand over the
full reparse buffer into symlink_reparse_buffer_parse(), as this is
also used for the smb2 error response handling. For that, the
"reserved" field in [MS-FSCC] 2.1.2.4 Symbolic Link Reparse Data
Buffer is used for the "unparsed" field.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Sep  8 17:24:19 UTC 2023 on atb-devel-224
2023-09-08 17:24:19 +00:00
Volker Lendecke
c9a000be41 tests: Add test_symlink_reparse_data_buffer_parse
The blob was taken from a smbclient allinfo command for a Windows
symlink. Show that reparse_data_buffer_parse() is broken.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-08 16:27:39 +00:00
Volker Lendecke
03ce770e8d tests: Create symlinks using posix extensions
This way we can run the tests and more easily put them into knownfail
individually. Before this, everything went into the error category,
which was not so easy to catch in something like knownfail.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-09-08 16:27:39 +00:00
Joseph Sutton
0898329b8d selftest: Don’t use invalid escape sequences
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
0fe4a12b3f selftest: Remove star imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
6db02afab8 selftest: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Joseph Sutton
e390e674ec tests/krb5: Remove test of pre-1.20 MIT Kerberos behaviour
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Gabriel Nagy
7dc181757c gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
2023-08-28 03:01:22 +00:00
Gabriel Nagy
ee814f7707 gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2a6ae997f2 gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2d6943a864 gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
157335ee93 gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
1ef722cf66 gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Douglas Bagnall
18f44f3ba4 selftest:ndrdump: adjust xattr_NTACL test for ACE coda
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 24 03:47:08 UTC 2023 on atb-devel-224
2023-08-24 03:47:08 +00:00