1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

134746 Commits

Author SHA1 Message Date
Joseph Sutton
8d61d3f8e0 buildtools: Prefer ‘x not in y’ to ‘not x in y’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
6df81630af buildtools: Use ‘is’ to compare with singletons
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
94f46f0cbb buildtools: Fix comments and documentation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
6668d213e7 pyldb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
5e9187baf9 pyldb: Check return values of Python functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
e5794b8c8a pyldb: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Joseph Sutton
93d37f8bfc pyldb: Check whether Python object is a list
If we’re going to call PyList_Size() on an object, we should be sure
that it is a list first.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:28 +00:00
Gabriel Nagy
7dc181757c gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224
2023-08-28 03:01:22 +00:00
Gabriel Nagy
ee814f7707 gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2a6ae997f2 gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
taken into account.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
2d6943a864 gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
157335ee93 gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
1ef722cf66 gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
bce3a89204 gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
fa80d1d864 gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Gabriel Nagy
a1b285e485 gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).

To determine the correct directory to use, we iterate over the variants
and stop at the first which is a directory.

In case none is found, fallback to the first option which will produce a
warning as it did previously.

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
2023-08-28 02:04:36 +00:00
Joseph Sutton
776597bce9 samba-tool: Allow LDB URL to be None
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15458

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-28 02:04:36 +00:00
Andreas Schneider
8e7a62b6ff waf: Build nmbd with -Wno-error=stringop-overflow
We use strlcpy() which has been added to glibc recently. This means we
also get fortification for strlcpy() now:

source3/nmbd/nmbd_browsesync.c: In function ‘find_domain_master_name_query_success’:
source3/nmbd/nmbd_browsesync.c:337:9: warning: ‘strlcpy’ writing 257 bytes into a
region of size 16 overflows the destination [-Wstringop-overflow=]
  337 |         strlcpy(userdata->data, work->work_group, size - sizeof(*userdata));
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We allocate memory for the userdata struct + fstring. However the data
pointer we use only is 16 bytes. Also nowadays you would use offsetof()
for the allocation calculation, but it only works correctly on newer
compilers like gcc > 7. We could make use of it in future after CentOS 7
is gone.

As we don't want to touch nmbd anymore, just silence the warnings.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-28 02:04:36 +00:00
Martin Schwenke
c767277912 util: Avoid logging to multiple backends for stdout/stderr
Commit 83fe7a0316 converted the
stdout/stderr logging  types to DEBUG_FILE to get a header when using
DEBUG_SYSLOG_FORMAT_ALWAYS.  However, this causes all configured
backends to be invoked.  When syslog is one of those backends then
this is almost certainly not what is intended.

Instead, call debug_file_log() directly in that special case and
revert the parts of the above commit that convert to file logging.

Most of the changes to debughdrclass() still seem necessary, since
they handle the change of debug_syslog_format from a bool to an enum.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15460

Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Aug 28 01:21:07 UTC 2023 on atb-devel-224
2023-08-28 01:21:07 +00:00
Douglas Bagnall
18f44f3ba4 selftest:ndrdump: adjust xattr_NTACL test for ACE coda
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Aug 24 03:47:08 UTC 2023 on atb-devel-224
2023-08-24 03:47:08 +00:00
Douglas Bagnall
909a2af954 libcli/security: rm unused sec_ace_copy()
Unused since 2014.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
882ad16138 pytest: compare Samba vs Windows SDDL security descriptors
Can Samba understand Windows security descriptors? Does it parse SDDL
the same way?

Here we test on over 7000 SDDL/descriptor pairs and find the answer
is pleasing. In later commits we will add more tests using different
classes of ACE.

The test cases are derived from fuzz seeds, exported to Windows via
the script in the last commit, with the Windows descriptor bytes found
using libcli/security/tests/windows/windows-sddl-test.py.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
741ab485b0 libcli/security: test helper script extracts fuzz SDDL
This allows us to try the fuzz seeds as SDDL on Windows, then test
that Samba matches Windows' security descriptors in the cases where
the SDDL compiles. This will find SDDL edge cases that might otherwise
be missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
536b9a0c92 libcli/security: move Windows test script to windows subdir
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
641981c4ad libcli/security: rewrite SDDL tests for running on Windows
This script never worked well because it had to shell out to
Powershell, which never worked well due to syntax conflicts and
Powershell's specialness. The attempted ctypes version did not work,
due to the difficulty in expressing things like "relative
PSECURITY_DESCRIPTOR" in ctypes.

It turns out that pywin32 is easy to install and use, and we can
extract the NDR bytes which is far more useful than just testing if
the SDDL parses.

On Windows:

1. install Python from python.org
2. run `pip install pywin32`
3. copy e.g. libcli/security/tests/data/conditional-aces.txt to Windows
4. run `python windows-sddl-tests.py conditional-aces.txt`
5. add `--help` to see how to export descriptor bytes.

The default output is a whole lot of multi-coloured text, indicating
what failed and what didn't.

With --export-json it writes a JSON file mapping SDDL strings to NDR
byte sequences, which can be used to compare with Samba's attempts. If
you are only interested in --export-json, you might also like --quiet.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
f58372cca5 python/colour: add a colour diff helper
Sometimes colour can help show what is different between two strings.

This is roughly the same as

`git diff --no-index --color-words=. <a> <b>`.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
a24ba4ea22 libcli/security: add some test more Windows SDDL test strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
3c30079095 libcli/security: script to turn token/descriptor pairs into sddl
We fuzz security descriptors in a couple of different ways, and this
maps seeds from one form into the other. The SDDL examples can also be
used in Windows tests.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
55cc6b52c0 libcli/security: remove unused tmp_ctx in calculate_inherited_from_parent()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
c1621d3492 libcli/security: avoid leak in calculate_inherited_from_parent()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
26722348b9 libcli/security: used sec_ace_object() in sddl encoding
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
c73034cf7c librpc/security.idl: adjust size calculations for upcoming ace types
Soon we will get Conditional ACEs and Resource Attribute ACES, each of
which have trailing bytes at the end of the ACE. Here's a diagram:

              ____      The ACE size field may indicate a size bigger
  .type      /    |     than the known parts, even when you take
  .flags    /     |     rounding to a multiple of four into account.
  .size  --'      |     This extra data is meaningful in some ACEs.
  .access_mask    |
  .trustee (sid) _|  <- known data ends here.
                  :
   "coda"      ___:  <- the trailing part, Zero size unless the size
                        field points beyond the end of the known data.
			Probably empty for ordinary ACE types.

Until now we have thrown away these extra bytes, because they have no
meaning in the ACE types we recognise. But with conditional and
resource attribute ACEs we need to catch and process these bytes, so
we add an extra field for that.

Thus we can drop the manually written ndr_pull_security_ace() that
discarded the trailing bytes, because we just allow it to be pulled
into an unused blob. In the very common case, the blob will be empty.

Microsoft does not use a common name across different ACE types to
describe this end-data -- "coda" is a Samba term.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
47edd41bc9 libcli/security: sddl ACL decode avoids early splitting on parenthesis
Soon we will have Conditional ACEs and Resource Attribute ACEs. It is
expected --indeed mandatory-- that the SDDL representations of these
ACEs will contain parentheses, so we can't use '(' and ')' to decide
where ACEs stop and start.

This means shifting where we make a mutable copy of the SDDL string
from per-ACE to per-ACL, and allowing sddl_decode_ace() to decide when
its ACE is finished.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:31 +00:00
Douglas Bagnall
5a45a434c7 s4/ntfvfs/pvfs_acl: initialise ACEs to zeroes
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
31dadff39a s4/torture: initialise ACE structs to zero
Because soon these structs will have more members, which are typically
going to be zero.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
4a1848a1f5 pytest/sddl: tests for more invalid or weird cases
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
a8a0ae89c5 pytest/sddl: add option for case-insensitive tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
5b9f42b391 pytest/sddl: environment option for exporting as fuzz seeds
We want realistic examples for sddl fuzzing seeds, and we want
realistic examples for sddl tests, so hopefully we only need to get
it right once.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
7796727453 pytest/sddl: replace/export tests based on environment vars
We had a stupid system involving test functions with side-effects,
that needed to be enabled by editing the file. Now you get the same
effects by setting environment variables, the names of which you can
only learn by reading the file closely.

This works better because some stuff needs to happen at class-time
rather than instance-time.

Also the environment variables specify the import and export locations.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
59a2d74107 pytests: add helper to grab a directory from environment
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
43e017d3b4 libcli/security/pysecurity: use NULL to mean NULL in C
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Douglas Bagnall
4504324ea4 lib/util: strhex_to_data_blob checks talloc
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-24 02:53:30 +00:00
Jeremy Allison
86f67f59ea s3: libsmb: Add a missing return statement in the timeout case.
Obvious fix (needs a malicious server to recreate).

Found by Robert Morris <rtm@lcs.mit.edu>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15426

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Aug 23 09:29:51 UTC 2023 on atb-devel-224
2023-08-23 09:29:51 +00:00
Pavel Kalugin
1502ef29bf s3:utils: Use lpcfg_set_cmdline() in vfstest
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
b37269e032 s3:utils: Use lpcfg_set_cmdline() in testparm
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
91e5859b50 s3:utils: Use lpcfg_set_cmdline() in smbstatus
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
8f2a9f836f s3:utils: Remove trailing spaces in smbcquotas; no changes
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
16a4c8c871 s3:utils: Use lpcfg_set_cmdline() in smbcquotas
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
9ef3586986 s3:utils: Remove trailing spaces in smbcontrol; no changes
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00
Pavel Kalugin
7a4cb09a12 s3:utils: Use lpcfg_set_cmdline() in smbcontrol
Signed-off-by: Pavel Kalugin <pkalugin@inno.tech>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-23 08:27:30 +00:00