IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Introduce a temporary variable instead of assigning the result of
talloc_realloc() directly to samr_RidWithAttributeArray::rids. In this
way we avoid having a structure with a non‐zero ‘count’ but with ‘rids’
set to the NULL pointer.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We must allocate the domain groups on to the correct memory context,
lest they get freed prematurely.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This makes it less likely that we forget to clean up resources.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allocate variables on to a temporary context rather than on to the
potentially long‐lived context passed in by the caller.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This is more consistent with the other PAC blob functions, and easier to
reason about.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The lifetime of a blob’s contents should be tied to the lifetime of the
blob itself.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
A wrapper doesn’t add much utility to a function this small. We might as
well join these two into a single function.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We should not pass a NULL pointer into dom_sid_split_rid().
Unlike samdb_result_dom_sid(), samdb_result_dom_sid_buf() produces an
error code on failure and does not require a heap allocation.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This allows us to call them from elsewhere.
Change their names accordingly to start with ‘samba_kdc_’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
smb_krb5_make_data() sets the magic field, which we were previously
ignoring. We should also not set krb5_data::length if krb5_data::data is
NULL.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This flag was set in commit 461dc44e740aacad41bb0df0552560d1eb3c6ea8,
but only in mit_samba_reget_pac(); it was not set in the newer function,
mit_samba_update_pac(), used with MIT Kerberos 1.20 and above.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In hdb_samba4_audit(), ERR_GENERIC signals an unexpected situation — if
we encounter that error code while running under selftest, we’ll panic.
In response to an expected event such as the failure of
authsam_logon_success_accounting(), it’s more appropriate to continue to
run.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add a new function, get_claims_set_for_principal(), that returns the
claims as a CLAIMS_SET structure rather than as a blob. To accommodate
this, move the call to encode_claims_set() out of get_all_claims() and
into get_claims_blob_for_principal().
Being able to get the unencoded claims will save us from having to
decode claims that we just needlessly encoded.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224
Just to make perfectly clear that it is an out parameter.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This change will simplify things later. Probably.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Also check whether the message is NULL. Passing NULL to vasprintf() is
undefined behaviour.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Wrapping a function this simple doesn’t gain us very much.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
As the server authentication policy will be non-NULL only for entries
looked up as servers, the krbtgt shouldn’t have an authentication policy
anyway. But we might as well be explicit.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This function doesn’t require a heap allocation.
We also check the result of the function, which we weren’t doing before.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This change ultimately won’t make much difference to responses, as
unrecognized codes are mapped to ERR_GENERIC in any case. But it might
provide some help for debugging.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
