1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

38812 Commits

Author SHA1 Message Date
Stefan Metzmacher
ade663ee6c s4:torture/smb2: let torture_smb2_con_sopt() use smb2_connect()
There's no need for smb2_connect_ext().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15346

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-08-08 12:57:29 +00:00
Stefan Metzmacher
c37adb7626 s4:torture/ndr: add tests for DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED
The PDUs were generated by Windows clients.

And we fail to parse them currently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-08-08 08:02:40 +00:00
Joseph Sutton
43b44827d6 s4:torture: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
3ec0c61c4d s4:smb_server: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
d61c3684c5 s4:smb_server: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
6386306671 s4:samba: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
56561fd045 s4:rpc_server: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
29c927054d s4:rpc_server: Remove unnecessary parentheses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
2e1adcfc2d s4:rpc_server/backupkey: Fix leaks
Allocate these objects on a shorter-lived memory context.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
68bf480b9c s4:rpc_server: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
5b2e60588a s4:policy: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
36bbfe62fa s4:param: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
c4d055ded2 s4:ntvfs: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
90a9f78afe s4:librpc: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
45abe2853f s4:libnet: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
b07dd255a4 s4:lib: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
fd6c3e6b7c s4:ldap_server: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
178a7ed8a9 s4:dsdb:tests: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
5a19ea9bce s4:dsdb:tests: Use control that was (presumably) intended
Otherwise ‘control4’ goes unused.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
68388153c0 s4:dsdb: Do not dereference a NULL pointer
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
4fad62d953 s4:dsdb: Check result of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
c850ffdec7 s4:dsdb: Correct error messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
d4db9a2793 s4:dsdb: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
54714b3580 s4:dsdb: Remove unnecessary parentheses
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
cb2053ee17 s4:dsdb: Improve grammar
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
79cc9adf3c s4:dsdb: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
1e753542aa s4:dns_server: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
ffbd69ed71 s4:client: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
3076bb6cb9 s4:cldap_server: Add missing newline to logging message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
e663c1d96b s4:auth: Correct condition and remove redundant check
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
c590d8d3a3 s4:auth: Check return value of talloc_reference()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
703978c776 s4:auth: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:38 +00:00
Joseph Sutton
f47aef7743 python: Use correct function signatures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
ebfa5ff6a1 s4:rpc_server/backupkey: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
13a04d6791 s4:rpc_server: Add missing newlines to debugging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
9c880e868d s4:librpc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
936c9ae143 s4:libcli/smb_composite: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
1dc8cb3e27 s4:libcli/ldap: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
85beb883b1 s4:kdc: Avoid operator precedence issues
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
4bc1dd32b5 s4:kdc: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
1713f25538 s4:kdc: Inline some variables
IMO, this code is easier to read if the reader can tell at a glance what
the values of these enumerations are, rather than having to think about
where the values come from.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
0182ddf97d s4:kdc: Use newer debugging macros
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
54c38cf9d9 s4:kdc: Use portable format specifiers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
b86cd80f29 s4:kdc: Remove casts in debug messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
1286b952ac s4:kdc: Remove redundant comment
We don’t need two copies of the same comment.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
8648c9f65b s4:kdc: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
dfad7f876e s4:kdc: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
119067e489 s4:kdc: Check that client and server are not NULL (CID 1534695)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
f4d73ee892 s4:kdc: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
0c868428eb s4:dsdb: Fix code spelling
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
57969727b3 s4:dsdb: Move comment to more appropriate place
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
abcfaa79d0 s4:dsdb: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:37 +00:00
Joseph Sutton
b25a6b12a9 librpc/py_security: Don’t pass a NULL pointer to PyUnicode_FromString()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Joseph Sutton
731e233aca s4:auth: Add missing newlines to logging messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-08 04:39:36 +00:00
Andreas Schneider
85c8222bdb s4:kdc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Aug  3 15:25:01 UTC 2023 on atb-devel-224
2023-08-03 15:25:01 +00:00
Andreas Schneider
b29793ffde s4:dsdb:tests: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
bedc978c81 s4:dsdb:schema: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
969bcc2862 s4:dsdb:schema: Fix trailing white spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
f34ef1ef50 s4:dsdb:samdb: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
3ebe11cd43 s4:dsdb:repl: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
e331979580 s4:dsdb:kcc: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
2304ec4397 s4:dsdb:common: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
ed3c1fcb87 s4:dns_server: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
dbb1fbe866 s4:client: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
694980224a s4:cldap_server: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andreas Schneider
795e464cfa s4:auth: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-08-03 14:31:34 +00:00
Andrew Bartlett
0031625598 dsdb: Make a shallow copy of ldb_parse_tree in operational module
We should not be making modifications to caller memory.  In
particular, this causes problems for logging of requests if the
original request becomes modified.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Aug  2 12:10:20 UTC 2023 on atb-devel-224
2023-08-02 12:10:19 +00:00
Andrew Bartlett
3b51091c20 dsdb: Replace talloc_steal() with a shallow copy and reference in dsdb_paged_results
We should not be stealing caller memory like this, and while a
talloc_reference() is not much better, this combined with a
shallow copy should be a little better in terms of polite
memory management.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-02 11:16:41 +00:00
Stefan Metzmacher
1b68bd977a paged_results: add no memory checks in paged_search()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15442

Signed-off-by: Arvid Requate <requate@univention.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org combination of two patches by the above authors]
2023-08-02 11:16:41 +00:00
Andrew Bartlett
c67534fe3f selftest: Add test for combination of anr and paged_results
This combination was known to cause a segfault in Samba 4.13, fixed by
5f0590362c in later versions.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14970

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-08-02 11:16:41 +00:00
Andrew Bartlett
d23dd3e26c dsdb: Add tracing to dsdb_search_dn() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 31 11:49:19 UTC 2023 on atb-devel-224
2023-07-31 11:49:19 +00:00
Andrew Bartlett
78669a0458 dsdb: Add tracing to dsdb_search() similar to gendb_search_v()
The aim of this tracing is to make it simple to follow the
requests made from the RPC server and similar to LDB now that
gendb_search_v() is no longer the dominant interface.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Andrew Bartlett
acf6d89c3e dsdb: Add dsdb_search_scope_as_string() and use in ldap_backend.c
This will be useful when adding debugging to other routines.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
256471299a auth:kerberos: Fix resource leak in smb_krb5_update_keytab()
Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
f1356805ba auth:kerberos: Fix resource leak in smb_krb5_get_keytab_container()
Reported by Red Hat internal covscan
leaked_storage: Variable "keytab" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
dfc26dc494 auth:kerberos: Fix resource leak in parse_principal()
Reported by Red Hat internal covscan
leaked_storage: Variable "princ" going out of scope leaks the storage it points to.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Pavel Filipenský
f374da1dd9 s4:auth: Fix trailing whitespaces in kerberos_util.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 10:56:54 +00:00
Andrew Bartlett
4250d07e4d dsdb: Use samdb_system_container_dn() in dsdb_trust_*()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
9b4f3f3cb4 s4-rpc_server/backupkey: Use samdb_system_container_dn() in get_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
13eed1e0e7 s4-rpc_server/backupkey: Use samdb_system_container_dn() in set_lsa_secret()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
a900f6aa5d s4-rpc_server/netlogon: Use samdb_system_container_dn() in fill_trusted_domains_array()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
4e18066fa2 s4-rpc_server/lsa: Use samdb_system_container_dn() in dcesrv_lsa_get_policy_state()
This is now exactly the same actions, but just uses common code to do it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
3669caa97f dsdb: Use samdb_get_system_container_dn() to get Password Settings Container
By doing this we use the common samdb_get_system_container_dn() routine and we
avoid doing a linerize and parse step on the main DN, instead using the
already stored parse of the DN.  This is more hygenic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
97b682e0eb dsdb: Use samdb_system_container_dn() in samldb.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Andrew Bartlett
25b0e1102e dsdb: Add new function samdb_system_container_dn()
This will replace many calls crafting or searching for this DN
elsewhere in the code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:33 +00:00
Arvid Requate
2d461844a2 Bug #9959: Don't search for CN=System
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:32 +00:00
Arvid Requate
b6e80733c3 For Bug #9959: local talloc frame for next commit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9959

Signed-off-by: Arvid Requate <requate@univention.de>

[abartlet@samba.org Added additional talloc_free() in failure paths]
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-31 06:18:32 +00:00
Andrew Bartlett
e36a4149d8 librpc/idl: Remove DCOM and WMI IDL
As hinted in f2416493c0 the DCOM and WMI
IDL is now unused.  These generate code with PIDL, costing a small
amount of build time but more importantly are fuzzed, which costs an
ongoing amount of CPU time as oss-fuzz tries to find parsing issues.

We do not need to continue this waste, and these can be restored
if this effort is ever to start again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Andrew Bartlett
abc3d58e1c dcom: Remove remainder of DCOM test client code
This follows f2416493c0, removing the remaining parts
of our DCOM effort.  This can be resumed at a later time, but for now this is untested
(as we have no server) and just uses build time.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-28 10:48:32 +00:00
Jule Anger
4516fee9b5 testprogs/blackbox: add test_ldap_tls_reload.sh
This tests the reload (and if needed regeneration) of
tls certificates.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
0c7cfb7a11 s4:ldap_server: reload tls certificates on smbcontrol reload-certs
Reload certificates with the command 'smbcontrol ldap_server reload-certs'.
The message is send to the master process, who forwards it to the workers
processes.
The master process reload and, if necessary, create the certificates first,
then the workers processes reload them.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
321162c9bf s4:ldap_server: remember dns_host_name in ldap_service
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
cc4995d932 s4:ldap_server: don't store task_server in ldapsrv_service
We store individual pointers we need and adjust them
as needed in ldapsrv_post_fork() and the newly added
ldapsrv_before_loop().

This will be required for the next steps.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
7804bf55ad s4:tls_tstream: create tstream_tls_params_internal
The following commits will implement the reloading of tls certificates.
Therefore we need to overwrite the interal memory.

Note we need to make sure x509_cred and dh_params from
tstream_tls_params_internal stay alive for the whole lifetime
of this session!

See 'man gnutls_credentials_set' and
'man gnutls_certificate_set_dh_params'.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
1472e4c9db s4:process_prefork: create new messaging context for the master process
In order to allow the before_loop() hook to register messages or event
handlers, we need to fix up task->event_ctx and create a new
task->msg_ctx. It also means the struct task_server pointer
changes in the master before_loop() hook.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
3af6ad6eea s4:process: add method called before entering the tevent_loop_wait
This gives the service a chance to register messaging and/or event handlers
on the correct contexts.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Jule Anger
c8ee3d4525 s4:process_prefork: avoid memory leaks caused by messaging_post_self
Sending a message to a process with multiple tevent contexts
can cause a message to get stuck and cause a data leak.

In general it's safer to call imessaging_dgm_unref_ev() before
talloc_free()...

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-25 20:04:29 +00:00
Ralph Boehme
a9a2b182df CVE-2023-3347: CI: add a test for server-side mandatory signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
d402c0cc6a CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
6d77daa3af CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
3b3c30e2ac CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-07-21 12:05:35 +00:00
Ralph Boehme
10b6890d26 CVE-2023-34966: CI: test for sl_unpack_loop()
Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow@samba.org>
2023-07-21 12:05:35 +00:00
Andrew Bartlett
5afd206d1d python: Remove const from PyList_AsStringList()
The returned strings are not owned by python, so need not be const.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-21 05:23:32 +00:00
Andrew Bartlett
fd81759e2e python: Move PyList_AsStringList to common code so we can reuse
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15289

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-07-21 05:23:32 +00:00
Dmitry Antipov
980c1565ed s4:param: replace calls to deprecated Python methods
Replace calls to (obsolete but still stable)
PyEval_CallObjectWithKeywords() with PyObject_Call()
by using trivial wrapper.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Adjusted to always use the PyObject_Call()
 as it is available in all of Samba's supported python versions]
2023-07-21 01:25:36 +00:00
Stefan Metzmacher
40fb810de3 s4:dns_server: Add some more debugging in order to find problems with level 10 logs
We had customer problems where level 10 logs were not good enough in
order to find the reason for failing dns updates.

With the new debug message there's at least a chance to
find out what the problem could be.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 09:58:37 +00:00
Stefan Metzmacher
76b0530e67 s4:dns_server: defer calling werr_to_dns_err() in a central place
The WERROR codes are much more verbose and it's better to
keep them until we really need the mapping to DNS error codes.

This will allow us to create much better debug messages in
the next commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2023-07-19 09:58:37 +00:00
Stefan Metzmacher
3ed1ba6fed s4:provision: use better values for operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.

So we better use a value matching the dc functional level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
9a79bed41e s4:pydsdb: add dc_operatingSystemVersion() helper
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
b058b39f38 s4:dsdb: let dsdb_check_and_update_fl() also operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.

So we better use a value matching the dc functional level.

While we also fixed operatingSystem[Version] at provision time,
we do it also in dsdb_check_and_update_fl() in order to
handle old provisions and systems joined to an existing domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Stefan Metzmacher
16865d6d43 upgradeprovision: handle operatingSystem similar to operatingSystemVersion
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Joseph Sutton
db64b2762c s4:kdc: Add auth_data_reqd flag to SDBFlags
This is to adapt to Heimdal:

commit 3c4548025c0a239ff580e7974939185eadf1856b
Author: Nicolas Williams <nico@twosigma.com>
Date:   Sun Jun 4 22:54:03 2023 -0500

    hdb: Add auth-data-reqd flag

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:34 +00:00
Joseph Sutton
3ea1c55921 tests/krb5: Add PK-INIT testing framework
To run these tests standalone, you will need the certificate and private
key of the Certificate Authority. These can be specified together in the
same file with the environment variable CA_CERT, or the private key may
be specified in its own file with CA_PRIVATE_KEY.

If either of these files are encrypted, you can specify the password in
the environment variable CA_PASS.

These tests create a new certificate for the user account, signed with
the private key of the Certificate Authority. We negotiate the reply key
with either of the public-key and Diffie-Hellman PK-INIT variants, and
use the reply key to decrypt the enc-part in the response. We also check
that the KDC’s signatures are valid.

Most of the failures with the Heimdal KDC are due to the wrong nonce
being returned in the reply compared to Windows, which issue is simple
enough to correct.

An example command line for manual testing against Windows:
SMB_CONF_PATH=ad_dc.conf KRB5_CONFIG=krb5.conf SERVICE_USERNAME=win2k19-dc.example.com ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass ADMIN_KVNO=1 FOR_USER=Administrator USERNAME=Administrator PASSWORD=locDCpass DC_SERVER=win2k19-dc.example.com SERVER=win2k19-dc.example.com DOMAIN=example REALM=example.com PYTHONPATH=bin/python STRICT_CHECKING=1 FAST_SUPPORT=1 CLAIMS_SUPPORT=1 COMPOUND_ID_SUPPORT=1 TKT_SIG_SUPPORT=1 FULL_SIG_SUPPORT=1 GNUTLS_PBKDF2_SUPPORT=1 EXPECT_PAC=1 EXPECT_EXTRA_PAC_BUFFERS=1 CHECK_CNAME=1 CHECK_PADATA=1 KADMIN_IS_TGS=0 FORCED_RC4=1 DEFAULT_ETYPES=36 CA_CERT=./win2k19-ca.pfx CA_PASS=1234 python3 python/samba/tests/krb5/pkinit_tests.py

To set up windows for this I first installed an Certificate Authority with an Enterprise CA.
Then I exported the private key and certificate of the CA:

1. go into the Certification Authority snap-in for the relevant computer,
2. right-clicking the CA
3. clicking ‘All Tasks’ → ‘Back up CA...’
4. and exporting the private key and CA certificate.

(I downloaded the resulting file via smbclient).

After setting up an Enterprise CA, I also needed to edit the domain
controller GPO to enable auto-enrollment, otherwise Windows would
refuse to accept as legitimate any certificates provided by the client.

That can be done by first enabling the policy:
 ‘Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client — Auto-Enrollment’,
and then ticking both ‘Renew expired certificates…’ and ‘Update certificates…’)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Joseph Sutton
7d2c267ae1 s4:kdc: Fix wrong debug message
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 01:47:33 +00:00
Stefan Metzmacher
d5f1097b62 s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Stefan Metzmacher
404ce08e90 s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-17 06:37:31 +00:00
Andreas Schneider
bb0297dadc python: Fix code spelling
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2023-07-13 05:41:36 +00:00
Joseph Sutton
edad945339 librpc/nbt: Avoid reading invalid member of union
WACK packets use the ‘data’ member of the ‘nbt_rdata’ union, but they
claim to be a different type — NBT_QTYPE_NETBIOS — than would normally
be used with that union member. This means that if rr_type is equal to
NBT_QTYPE_NETBIOS, ndr_push_nbt_res_rec() has to guess which type the
structure really is by examining the data member. However, if the
structure is actually of a different type, that union member will not be
valid and accessing it will invoke undefined behaviour.

To fix this, eliminate all the guesswork and introduce a new type,
NBT_QTYPE_WACK, which can never appear on the wire, and which indicates
that although the ‘data’ union member should be used, the wire type is
actually NBT_QTYPE_NETBIOS.

This means that as far as NDR is concerned, the ‘netbios’ member of the
‘nbt_rdata’ union will consistently be used for all NBT_QTYPE_NETBIOS
structures; we shall no longer access the wrong member of the union.

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38480

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15019

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
Autobuild-Date(master): Fri Jul  7 01:14:06 UTC 2023 on atb-devel-224
2023-07-07 01:14:06 +00:00
Volker Lendecke
c7df6cea8a torture4: Fix an error message
The fsctl is called FSCTL_SET_ZERO_DATA

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-07-03 19:40:35 +00:00
Björn Jacke
405e9ba551 garbage_collect_tombstone.c: use DBG* macros instead of static numeric log levels
Some log levels changed slightly because the macros don't cover all the
previously used levels.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-02 16:50:36 +00:00
Björn Jacke
e4bb8b3d0d garbage_collect_tombstones.c: move info log message to appropriate level
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-02 16:50:36 +00:00
Andrew Bartlett
11b3c6826d Remove redundant check and fallback for AES CMAC 128 as we now require GnuTLS 3.6.13
This allows us to remove a lot of conditionally compiled code and so
know with more certainly that our tests are covering our code-paths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Andrew Bartlett
eda1022b59 crypto: Rely on GnuTLS 3.6.13 and gnutls_pbkdf2()
This removes a lot of inline #ifdef and means this feature is always tested.

We can do this as we have chosen GnuTLS 3.6.13 as the new minimum version.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-30 14:00:38 +00:00
Stefan Metzmacher
b0524830aa s4:kdc: don't log an error if msDS-AllowedToActOnBehalfOfOtherIdentity is missing
We log a warnings if access is not granted from a security descriptor in
msDS-AllowedToActOnBehalfOfOtherIdentity, so we should use the same log
level if msDS-AllowedToActOnBehalfOfOtherIdentity is not available at
all.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jun 27 06:39:08 UTC 2023 on atb-devel-224
2023-06-27 06:39:08 +00:00
Joseph Sutton
e936788712 s4:kdc: Include default groups in security token
This is consistent with the behaviour of the existing function
_authn_policy_access_check() and of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
34760dfc89 s4:kdc: Implement Heimdal hook for resource-based constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
0e43d11e39 s4:kdc: Remove useless sdb → hdb error code translation
samba_kdc_check_s4u2proxy() is never going to return an SDB_* error
code, so these conditions can never be hit.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
7e76f36d91 s4:kdc: Initialize pointers with NULL
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-27 05:45:36 +00:00
Joseph Sutton
7828c6535c s4:kdc: Don’t overwrite error code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224
2023-06-26 12:11:30 +00:00
Joseph Sutton
192024e840 s4:kdc: Add comment to clarify that we fetch the client claims
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Stefan Metzmacher
fcea53584d s4:kdc: clear client and device claims from trusts
As we don't support the Claims Transformation Algorithm [MS-CTA]
we better clear claims as they have no valid meaning in our domain.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
7a4fa2c564 s4:kdc: Make [client,device]_claims_blob const pointers
This is so that we can have them point to ‘null_data’ if we so choose.

We can’t assign the result of data_blob_talloc() to a const pointer, so
we go through an intermediary non-const pointer for the
device_claims_blob case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
ebc27cf32a s4:kdc: Remove unnecessary NULL check
pac_blobs_add_blob() already checks whether the blob argument is NULL,
and skips adding the blob if so.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Stefan Metzmacher
c69174c07c s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()
For now we only pass in the krbtgt that verified the client pac
and optionally the krbtgt that verified the device pac.

These can be different depending on the domain of the related
principals.

If we want to apply SID filtering in future we may also need
to pass in the krbtgt that verified the delegated_proxy_pac,
but that needs more research and if not required for the
following changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-26 11:10:31 +00:00
Stefan Metzmacher
1ffca866c1 s4:kdc: adjust formatting of samba_kdc_update_pac() documentation
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
b42fbc7839 s4:kdc: Enforce authentication policy service restrictions when getting a PAC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
3240ac4ebe s4:kdc: Check authentication policy server restrictions
For a constrained delegation request, we need to pass ‘delegated_proxy’
(and the delegated proxy PAC, if one was provided) into
samba_kdc_update_pac() so that we can verify that the delegating server
is allowed to authenticate to the target server.

The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
9a9f479919 s4:kdc: Check authentication policy device restrictions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
f3714a3e3a s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
620c842da0 s4:kdc: Remove unused ‘server’ parameter in pac_verify()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
67436de3e7 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
19f867bc54 s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
Such errors were not logged in the past, either, but that was accidental
— a result of failing too early for an authentication event to be set —
rather than the auditing being deliberately designed that way.

Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
ensure that PREAUTH_REQUIRED errors continue to go unlogged.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Joseph Sutton
8425ffc8f3 s4:kdc: Update Samba KDC plugin to match new Heimdal version
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-26 11:10:31 +00:00
Andrew Bartlett
ecff09d75d Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
Commit 6bd3b4528d diverged the const
declarations in the header, this brings them back in alignnment as
is Samba's normal practice.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224
2023-06-26 00:26:37 +00:00
Joseph Sutton
b1006c773b s4:kdc: Use talloc_get_type_abort()
We subsequently dereference the result without performing a NULL check.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
ad1234d5ee s4:kdc: Create a temporary talloc context on which to allocate
‘client->context’ is too long-lived to use for allocating short-term
data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
cf139d1421 s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
d0d52262f7 s4:kdc: Flip sense of condition
A negative condition incurs more cognitive load.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
f49ebef003 s4:kdc: Unify common code paths
Perhaps view with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
6bb7aad163 s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case
This will help to reduce code duplication and the number of branching
code paths.

View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
7485638e02 s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
We may not always want this SID to be present. For example, to enforce
authentication policies as Windows does, we’ll want the client’s
security token without this SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
6be1a397da s4:kdc: Have samba_kdc_update_pac_blob() do less
Previously this function obtained the auth_user_info_dc structure, then
used it to update the PAC blob. Now it does only one thing: fetch the
auth_user_info_dc info and return it to the caller, who can then call
samba_get_logon_info_pac_blob().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
e6c4422240 s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
8c10776398 s4:kdc: Log errors in samba_kdc_update_pac_blob()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
ea007ef718 s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code
This gives it more control over the final Kerberos error code, so that
we won’t always get ERR_GENERIC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
baf03e3f11 s4:kdc: Add singular out path to samba_kdc_update_pac_blob()
This ensures that we always clean up resources.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
d2a6c69940 s4:kdc: Make krb5_principal parameters const
The ‘const’ is entirely unnecessary in a function declaration, but we
add it just to be consistent.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
f857967427 s4:kdc: Add helper function to determine whether a device is allowed to authenticate
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
071ad174d9 s4:kdc: Add helper function to determine whether authentication to a server is allowed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
af95ec0b3f s4:kdc: Add functionality to log client and server authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
26d7d1a5af s4:auth: Log authentication policies for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
ad32cf0286 s4:auth: Add audit info parameters to check_password_recv()
These pointers can be set by implementing functions in order for them to
be logged in auth_check_password_recv().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
6684138475 s4:auth: Set ‘authoritative’ even if there is an error
This is consistent with all the other functions that set
‘authoritative’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
ca9d27ae99 auth: Add functionality to log client and server policy information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Joseph Sutton
7748e6857c tests/krb5: Test authentication policy audit logging
For each test, we check the authentication logs and ensure the messages
are as we expect.

We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment,
assuming that MIT doesn’t support logging for those cases.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:32 +00:00
Rob van der Linde
3a579eab8b netcmd: domain: model field tests
Add tests for model fields to ensure they behave as expected when
calling from_db_value and to_db_value methods.

Add a base class for the tests themselves via a mixin as unittest
doesn't support abstract test case classes.

For each field, from_db_value and to_db_value must either be a list or
a property that returns a list.

The list contains input values and expected values, the expected value
can also be a callback for more complex comparison, this is used for
the possible claim values xml.

It is important that singular values and list values are tested, and
also None to ensure that fields properly get unset when a model is
saved.

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00
Rob van der Linde
6056566a18 netcmd: domain: rename claim tests for consistency
The domain_auth tests are also prefixed with domain, it matches the
cli command "samba-tool domain claim".

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00
Rob van der Linde
35d04e2463 netcmd: domain: tests for auth silo command line tools
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-06-25 23:29:32 +00:00
Stefan Metzmacher
a75378e354 s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
It means that using the old or older password no longer
changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
2023-06-24 07:18:03 +00:00
Stefan Metzmacher
d4007b0ef9 s4:dsdb/tests: also verify too old, older password interaction with badPwdCount
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:36 +00:00
Stefan Metzmacher
28cf6c7067 s4:dsdb/tests: Test Kerberos login with old password fails (but badPwdCount=0)
This demonstrates the pre-authentication failures with passwords from
the password history don't incremend badPwdCount, similar to the
NTLMSSP and simple bind cases. But it's still an interactive logon,
which doesn't use 'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:35 +00:00
Stefan Metzmacher
370ba4ad52 s4:kdc: handle passwords from the history in hdb_samba4_auth_status()
This is important in order to prevent ACCOUNT_LOCKED_OUT
with cached credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-24 06:25:35 +00:00
Stefan Metzmacher
619f097b7d testprogs/blackbox: pass $CONFIGURATION to test_samba-tool_ntacl.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-21 23:24:37 +00:00
Joseph Sutton
a9d543cdfc s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
Samba security features like AD claims, Authentication Policies and
Authentication Silos are enabled once the DC is at the required functional level.

We comment at the callers of of dsdb_dc_functional_level() to explain
why we do this.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-06-21 19:08:37 +00:00
Joseph Sutton
ad98643fbd s4:kdc: Replace FAST cookie with dummy string
All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224
2023-06-21 13:19:17 +00:00
Björn Jacke
659e88544a dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-16 20:28:29 +00:00
Björn Jacke
fa700369a9 dns_update.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-16 20:28:29 +00:00
Volker Lendecke
a4972336f1 lib: Add a few required #includes
You find them if you try to #include these files directly

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-06-16 16:14:30 +00:00
Joseph Sutton
32fdc764ef s4:auth: Remove unneeded ‘sam_ctx’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 06:30:35 UTC 2023 on atb-devel-224
2023-06-15 06:30:35 +00:00
Joseph Sutton
6c9c7c5b69 s4:auth: Enforce machine authentication policy for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
7a7dbdb773 s4:auth: Enforce device restrictions for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
63fe986357 s4:kdc: Log TGS-REQs in the Heimdal KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
3f3c017a26 s4:kdc: Add function to perform an access check to a service
If the ‘server_audit_info_out’ parameter is non-NULL, auditing
information will be returned so that it might be logged.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
5bd6ce29de s4:kdc: Generate auditing infomation for NTLM device restrictions
This will provide more detail to be logged.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
6dce6318e4 s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
We’re going to extend this code, and so we will require functions from
the utility module.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
b5506d5ee3 s4:kdc: Add function to perform an authentication policy access check with a device
If the ‘audit_info_out’ parameter is non-NULL, auditing information will
be returned so that it might be logged.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
a3063fb4f5 s4:kdc: Add functions to create structures of auditing information for authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
a2ff8c4e43 s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
a1364c205f s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
This more clearly indicates that it is the raw TGT lifetime value
straight from the database.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
b3a8565582 auth: Move authn_policy code into auth subsystem
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.

We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
21d1f1ca99 s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
b859b3b67d s4:kdc: Consolidate assignments to r->error_code and final_ret
This makes it clearer that we are assigning a value to both together.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
868e114660 s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Joseph Sutton
efb85e3d6d s4/scripting/bin: Add NT_STATUS_OK to list of definitions
Add NT_STATUS_OK to our pre-generated list of status codes. Ensure it
goes first in the list to ensure that code that previously found this
error code in ‘special_errs’ maintains the same behaviour by falling
back to ‘nt_errs’.

This makes NT_STATUS_OK available to Python code using the ‘ntstatus’
module.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-14 22:57:35 +00:00
Andrew Bartlett
4952cb88e4 s4-server: Call dsdb_check_and_update_fl() during startup transaction.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
c28e719bb0 selftest: Add unit tests of the DC startup FL check/update code
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
b8a613b4b1 dsdb: Add routine to check the DB vs lp functional levels
This will be called at server startup (as well as from Python tests)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andrew Bartlett
4919e8d808 dsdb: Indicate in rootdse.c why samdb_ntds_settings_dn() is not used
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Pavel Filipenský
076d852467 testprogs: Add test_alias_membership
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
33b3a51a31 s4:torture: Limit run of test_membership_user() only to ad_member_idmap_rid
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Pavel Filipenský
09e853af7f s4:torture: Skip test_membership_user for users that get incorrectly assigned group sid
This commit should be removed once wb_queryuser() is fixed.

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-06-13 12:15:32 +00:00
Stefan Metzmacher
5303f6f7fd s4:torture/smb2: add smb2.bench.read test
This test opens one file for each loop (for nprocs * qdepth loops)
and for each file it loops in read requests for the first
io_size bytes.

time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.read \
        --option="torture:timelimit=600" \
        --option="torture:nprocs=1" \
        --option="torture:qdepth=4" \
        --option="torture:io_size=4096"

In order to generate constant load for profiles
--option="torture:looplimit=150000" can be used to stop
after the given number of loops before the timelimit hits.

Sometimes the bottleneck is the smbtorture process.
In order to bring the smbd process to 100% cpu, you can use
'--option="libsmb:client_guid=6112f7d3-9528-4a2a-8861-0ca129aae6c4"'
and run multiple instances of the test at the same time,
which both talk to the same smbd process.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jun  1 08:14:23 UTC 2023 on atb-devel-224
2023-06-01 08:14:23 +00:00
Stefan Metzmacher
5648836386 s4:torture/smb2: add --option="torture:looplimit=150000" to smb2.bench.echo
Also see the commit message of 23988f19e7
for other examples...

This test calls SMB2_Echo in a loop per connection.

time smbtorture //127.0.0.1/m -Uroot%test smb2.bench.echo \
        --option="torture:timelimit=600" \
        --option="torture:looplimit=150000" \
        --option="torture:nprocs=1" \
        --option="torture:qdepth=1"

This is a very useful test to show how many requests are possible
at the raw SMB2 layer.

In order to do profiling and being able to compare the
profiles between runs, it is important to produce the
exact same load in each run, which is not possible
with the typical --option="torture:timelimit=600".

E.g. when the server runs under 'valgrind --tool=callgrind bin/smbd'
I typically run without "torture:looplimit" first in order to
see, which rate is possible per second, then I'll add a
"torture:looplimit" in order to run about half of the timelimit.
Then the looplimit should run for some time, but finish
before the timelimit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-06-01 07:20:31 +00:00
Stefan Metzmacher
d01db89d90 s4:torture/smb2: move benchmarking tests to bench.c
I'll add more tests there soon

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2023-06-01 07:20:31 +00:00
Andrew Bartlett
9aa440d52d s4-rpc_server: Filter via dsdb_dc_functional_level() before we are returning a lookup directly
Otherwise, punt to winbindd to see if another DC has this capability.

This allows a FL2008-emulating DC to forward a request to a
2012R2-emlating DC, particularly in another domain.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 31 04:59:01 UTC 2023 on atb-devel-224
2023-05-31 04:59:01 +00:00
Andrew Bartlett
920e1a5bae selftest: Rework samba.tests.getdcname not to use ncalrpc
This test is able to operate over the network, which aids testing against
a comparative windows DC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-05-29 22:32:28 +00:00
Joseph Sutton
5dfb090d9c s4:rpc_server/samr: Log correct authentication description for samr_ChangePasswordUser2()
We would unconditionally log "samr_ChangePasswordUser3", which was
misleading.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
838cdd1680 s4:torture: Consistently use NBT_SERVER_* flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Joseph Sutton
f75b980fff s4:torture: Handle new NBT_SERVER_* flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-29 22:32:28 +00:00
Ralph Boehme
59eadfe21a CI: add a test for fruit AppleDouble conversion when deletion triggers conversion
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15378

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2023-05-25 23:59:33 +00:00
Joseph Sutton
22d0aa53bf s4-dsdb:large_ldap: Call setUpClass() method of base class
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
8dea2a4345 s4:kdc: Move parameter comments adjacent to parameters
This is more consistent with the non-NULL parameters, and makes it
easier to swap in the real values when we get them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
200117f5ed audit_tests: Check return value of json_new_array()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
65923be91e s4:kdc: Use talloc_steal() rather than talloc_reference()
This is consistent with the other uses in this file (in
authn_policy_ntlm_client() and authn_policy_server()).

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
e843e59076 s4:kdc: Make parameters const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
fc212116dc s4:kdc: Make functions static
These functions are used only internally.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
4667707720 s4:auth: Allocate user_info_dc->sids on correct talloc context
‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
f0ec5763e6 s4:kdc: Allocate user_info_dc->sids on correct talloc context
‘user_info_dc->sids’ must live for at least as long as ‘user_info_dc’,
or a use-after-free may result.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
a1a1adb7b7 s4/messaging/py: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
ca987dcb41 s4/messaging/py: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
3ce96c9ebd s4/messaging/py: Fix leak of p_server_id
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
4c67cac68b s4/messaging/py: Check py_return_ndr_struct() return value
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
28536f32da s4/messaging/py: Fix callback return value leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
cfd80303f1 s4/messaging/py: Fix leak
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
b22c217995 s4/messaging/py: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
77d8b6762f s4/messaging: Return the number of previously-registered functions that are removed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
e29c3374bc s4/messaging/py: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
48602b0e29 s4/messaging/py: Add more helpful error message for a wrongly-sized tuple
>>> m = Messaging((1,2,3,4,5))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: function takes exactly 1 argument (5 given)

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
f6b1307a85 s4/messaging/py: Document lp_ctx parameter of messaging.Messaging()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
f320b73ba6 s4/messaging/py: Remove incorrect function names in messaging.Messaging()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:31 +00:00
Joseph Sutton
7e32c7655d s4:kdc: Note correct constant
KRB5_PADATA_PW_SALT is wrong. It’s an unrelated constant that just
happens to share the same value.

Heimdal uses the correct constant, kERB_ERR_TYPE_EXTENDED.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-24 00:50:30 +00:00
Joseph Sutton
303d2109f6 s4:kdc: Check lifetime of correct ticket
The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224
2023-05-18 05:49:31 +00:00
Joseph Sutton
0e176d856f s4:kdc: Remove manual addition of error data
This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
637fd961bd s4:kdc: Add NTSTATUS e-data to KDC reply
If an NTSTATUS code has been set in the KDC request structure, encode it
as KERB-ERROR-DATA and add it to the KDC reply.

hdb_samba4_set_ntstatus() adds the NTSTATUS code to the request
structure.

hdb_samba4_get_ntstatus() gets that status code back from the request
structure.

hdb_samba4_set_edata_from_ntstatus() encodes the status code and adds it
to the reply.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
041f70055c s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
Our KDC plugin can use this to store NTSTATUS codes that can be added to
the final KDC reply later.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:30 +00:00
Joseph Sutton
28cffae4b2 s4:kdc: Use more suitable type for final_ret
This now matches the return type of the function.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
7266924b3d s4:kdc: Use talloc_get_type_abort()
We dereference this pointer immediately after this call, so we should be
sure it is not NULL.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 04:53:29 +00:00
Joseph Sutton
6ee5c80ea9 s4:kdc: Add support for constructed claims (for authentication silos)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
2023-05-18 01:58:24 +00:00
Joseph Sutton
420fae5dcb s4:kdc: Make use of dsdb_search_one()
Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
e1f8cb063d s4:kdc: Don’t perform unnecessary search to get account objectClass
We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
10d6d77a27 s4:kdc: Have get_claims_for_principal() take the entire principal
The ldb_message contains more information than just the DN, such as
which authentication policy or silo is assigned.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
3d9863cfdc s4:kdc: Enforce TGT lifetime authentication policy
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
1fdff37105 s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f1212ffe4e s4:kdc: Make maximum lifetime and renew time signed
This is now consistent with Heimdal, and with our usage of time_t
elsewhere.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
9eaff7e852 s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
This corresponds with the HDB_F_ARMOR_PRINCIPAL flag in Heimdal, and
indicates a lookup of an armor ticket client principal, rather than the
principal of the main TGT. This helps us to determine whether an
authentication policy will apply to a principal acting as a client, and
hence whether we have to look up the policy in the database.

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f547cf1db8 s4:kdc: Add helper functions for authentication policies
These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
633ebe1b3e s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
Just copying the structure fields is prone to lead to use-after-frees if
we access them after the original structure and its fields are freed.

Instead, call authsam_shallow_copy_user_info_dc() to make the copy. This
properly references the fields in the original structure so that they
will not be freed until we are sure we have finished with them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
8cc0b76509 s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
9ff7d6c5c5 s4:kdc: Add NTSTATUS strings to log messages
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
89d30cdfe1 s4:auth: Remove superfluous semicolon
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00