1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

133518 Commits

Author SHA1 Message Date
Joseph Sutton
b142983069 s4:kdc: Add structure containing authentication policy auditing information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
a2ff8c4e43 s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
a1364c205f s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
This more clearly indicates that it is the raw TGT lifetime value
straight from the database.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
b3a8565582 auth: Move authn_policy code into auth subsystem
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.

We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
9b0a71bd30 tests/auth_log: Refactor waitForMessages() to use nextMessage()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224
2023-06-14 23:55:42 +00:00
Joseph Sutton
67da91ef16 tests/auth_log: Add method to fetch the next relevant message from the messaging bus
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
7c6dbe3195 tests/krb5: Test authentication with policy restrictions and a wrong password
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
a9534e7be0 tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
94e7a550db tests/krb5: Remove unneeded ‘dn’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
21d1f1ca99 s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
fb260e1f46 tests/krb5: Make use of KerberosCredentials.get_sid()
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
490c451a79 tests/krb5: Keep track of account SIDs
This prevents having to look them up in the database when tests need
them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
0ec229e7b9 tests/krb5: Fix overlong lines
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
117bba98a1 tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
f1c24f4bc9 tests/krb5: Test authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
9d8ee6a422 tests/krb5: Cache created authentication policies
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
01643b3527 tests/krb5: Keep track of the type of each created account
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
359e820404 librpc/idl: Add authentication policy event IDs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
b859b3b67d s4:kdc: Consolidate assignments to r->error_code and final_ret
This makes it clearer that we are assigning a value to both together.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
868e114660 s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
d1fcecd121 tests/auth_log: Properly expect authentication failures
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
11671a743f tests/auth_log: Make samba.tests.auth_log test executable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
efb85e3d6d s4/scripting/bin: Add NT_STATUS_OK to list of definitions
Add NT_STATUS_OK to our pre-generated list of status codes. Ensure it
goes first in the list to ensure that code that previously found this
error code in ‘special_errs’ maintains the same behaviour by falling
back to ‘nt_errs’.

This makes NT_STATUS_OK available to Python code using the ‘ntstatus’
module.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
7c66cd4dfd selftest: Remove duplicate knownfails
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
60f76b9ec8 selftest: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
f8f0ee5354 param: Remove reference to unrecognized parameter ‘directory name cache size’
This parameter was removed in commit
c37d6be2db.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
234be6b0dd samba-tool ou: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
d93e340b80 samba-tool ou: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
0743e11d46 samba-tool: Fix typo
Found by Rob van der Linde <rob@catalyst.net.nz>.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
2eda24663f pyldb: Check for allocation failure in py_ldb_dn_get_parent()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
5905a63307 pyldb: Raise an exception if ldb_dn_get_parent() fails
Such a failure could be caused by situations other than memory errors,
but a simple indication of failure is all that ldb_dn_get_parent() gives
us to work with.

We keep the old behaviour of returning None if the DN has no components,
which an existing test (ldb.python.api.DnTests.test_parent_nonexistent)
expects.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
49592b80f7 selftest: Assert trust realm is not None
This is consistent with the other tests in this file.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
97a5ee4bbb tests/auth_log: Factor out isRemote()
This makes waitForMessages() easier to read.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Andreas Schneider
1f74f9f366 python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
431f7698e4 python:safe_tarfile: Implement safer extractall()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
8c90c66a9a python:safe_tarfile: Set extraction_filter for pythons providing it
It should be available for Python >= 3.11.4 but also has been
backported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
ebaa008162 python:tests: Adopt safe_tarfile for extraction_filter raises
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
4952cb88e4 s4-server: Call dsdb_check_and_update_fl() during startup transaction.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
c28e719bb0 selftest: Add unit tests of the DC startup FL check/update code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
ae7f2b417b python/tests: Make helpful, stateless methods @classmethod and @staticmethod
This allows them to be used in setUpClass in tests.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
b8a613b4b1 dsdb: Add routine to check the DB vs lp functional levels
This will be called at server startup (as well as from Python tests)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
4919e8d808 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
8e895fc5d6 selftest: Split up tests in dsdb.py to avoid creating a user when not required
Creating a user is CPU intensive, particularly when a password is set
so avoid doing so if not required.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
f83baa2723 selftest: Specify that DCs prepared with prepare_dc_testenv() to be 2016 capable
This allows the backup/restore process to pass once the DC startup
code confirms what DC level the domain functional level in the DB
is expecting.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Björn Jacke
585e4cdd6c docs-xml: remove completely outdated Samba-Developers-Guide
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 14 12:21:50 UTC 2023 on atb-devel-224
2023-06-14 12:21:50 +00:00
Volker Lendecke
cac38aa387 vfs: Remove vfs telldir/seekdir functions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 14 00:26:55 UTC 2023 on atb-devel-224
2023-06-14 00:26:55 +00:00
Volker Lendecke
e2fbe361ba smbd: Remove the offset argument from ReadDirName()
Nobody does anything with this anymore, we just call ReadDirName() in
sequence or do a RewindDir(). So we don't have to look at offsets as
given by the file system anymore.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-13 23:33:39 +00:00
Volker Lendecke
c37d6be2db smbd: Remove unused dptr_SearchDir() and the dir cache
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-13 23:33:39 +00:00
Volker Lendecke
be3232d12e smbd: Do the "skip to resume name" in call_trans2findnext()
This is SMB1-only logic that can be removed from dir.c

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-13 23:33:39 +00:00
Volker Lendecke
c5dca6d5b7 smbd: Make dptr_ReadDirName() public
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-13 23:33:39 +00:00