1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

39618 Commits

Author SHA1 Message Date
Pavel Filipenský
be29fe50ad selftest: setup clusteredmember with kerberos, change dependency to "ad_dc"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-26 17:12:36 +00:00
Andreas Schneider
7bb59168e9 s4:torture: Initialize struct cldap_netlogon
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:40: var_decl: Declaring variable ""io"" without initializer.
samba-4.20.0rc2/source4/torture/ldap/cldapbench.c:45: uninit_use_in_call: Using uninitialized value ""io.in.map_response"" when calling ""cldap_netlogon_recv"".
   43|   	TALLOC_CTX *tmp_ctx = talloc_new(NULL);
   44|   	io.in.version = 6;
   45|-> 	status = cldap_netlogon_recv(req, tmp_ctx, &io);
   46|   	talloc_free(req);
   47|   	if (NT_STATUS_IS_OK(status)) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 13:48:03 UTC 2024 on atb-devel-224
2024-07-18 13:48:03 +00:00
Andreas Schneider
bd298f2612 s4:torture: Remove trailing spaces from cldapbench.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
125c5a93bb s4:torture: Initialize struct netr_LogonSamLogonEx
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/schannel.c:49: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/schannel.c:152: uninit_use_in_call: Using uninitialized value ""r.in.validation_level"" when calling ""torture_comment"".
  150|   			""LogonSamLogonEx failed"");
  151|   	} else {
  152|-> 		torture_comment(tctx,
  153|   				""Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n"",
  154|   				auth_level, ninfo.identity_info.account_name.string, crypto_alg,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
d64242f676 s4:torture: Initialize union spoolss_KeyNames
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7835: var_decl: Declaring variable ""key_buffer"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/spoolss.c:7906: uninit_use: Using uninitialized value ""key_buffer.string_array"".
 7904|
 7905|   	if (array) {
 7906|-> 		*array = key_buffer.string_array;
 7907|   	}
 7908|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:30 +00:00
Andreas Schneider
2e1ac4bbf5 s4:torture: Initialize pointer with NULL
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1447: var_decl: Declaring variable ""tree2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1492: uninit_use_in_call: Using uninitialized value ""tree2"" when calling ""smb2_util_unlink"".
 1490|   		}
 1491|
 1492|-> 		smb2_util_unlink(tree2, fname);
 1493|
 1494|   		talloc_free(tree);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-07-18 12:47:29 +00:00
Andreas Schneider
f7229d61ed s4:torture: Add new LSA test_query_forest_trust_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 18 12:36:25 UTC 2024 on atb-devel-224
2024-07-18 12:36:25 +00:00
Andreas Schneider
14a5d9e626 s4:torture: Split out a new LSA test_set_forest_trust_info() function
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-07-18 11:27:38 +00:00
Pavel Filipenský
471163e512 libnet: Fix debug text
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-17 07:48:31 +00:00
Andreas Schneider
85d80240ec s4:torture: Do not set sr.in.info to info be we queried the info
`sr.in.info = info` is correctly set later after we called
dcerpc_lsa_QueryTrustedDomainInfoByName_r() which filling the info
pointer with data.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:211: var_decl: Declaring variable ""info"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/forest_trust.c:248: uninit_use: Using uninitialized value ""info"".
  246|   	sr.in.trusted_domain = talloc_zero(tctx, struct lsa_String);
  247|   	sr.in.trusted_domain->string = name;
  248|-> 	sr.in.info = info;
  249|
  250|   	for (c = 0; il[c].info_level != -1; c++) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 16 12:42:39 UTC 2024 on atb-devel-224
2024-07-16 12:42:39 +00:00
Andreas Schneider
bd5e095e27 s4:torture: Remove tailing spaces in forest_trust.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
03283dfae2 s4:torture: Initialize struct smb_nttrans
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/basic/scanner.c:368: var_decl: Declaring variable ""parms"" without initializer.
samba-4.20.0rc2/source4/torture/basic/scanner.c:388: uninit_use_in_call: Using uninitialized value ""parms.in.setup"" when calling ""smb_raw_nttrans"".
  386|   	parms.in.data = ntdata_blob;
  387|
  388|-> 	status = smb_raw_nttrans(cli->tree, mem_ctx, &parms);
  389|
  390|   	if (NT_STATUS_IS_ERR(status)) {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
7723353dae s4:torture: Remove tailing spaces in scanner.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
d003a17191 s4:torture: Initialize struct smb2_create
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/sharemode.c:639: var_decl: Declaring variable ""cr3"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/sharemode.c:736: uninit_use_in_call: Using uninitialized value ""cr3.out.file.handle"" when calling ""smb2_util_close"".
  734|   	smb2_util_close(tree, cr1.out.file.handle);
  735|   	smb2_util_close(tree, cr2.out.file.handle);
  736|-> 	smb2_util_close(tree, cr3.out.file.handle);
  737|   	smb2_util_unlink(tree, fname);
  738|   	return ret;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
ae47ec172f s4:torture: Initialize union smb_open
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/raw/open.c:1136: var_decl: Declaring variable ""io1"" without initializer.
samba-4.20.0rc2/source4/torture/raw/open.c:1198: uninit_use_in_call: Using uninitialized value ""io1.ntcreatex.out.file.fnum"" when calling ""smbcli_close"".
 1196|    done:
 1197|   	smbcli_close(cli->tree, io.ntcreatex.out.file.fnum);
 1198|-> 	smbcli_close(cli->tree, io1.ntcreatex.out.file.fnum);
 1199|   	smbcli_deltree(cli->tree, BASEDIR);
 1200|   	return ret;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andreas Schneider
3aa6aa02a8 s4:torture: Initialize struct netr_IdentityInfo
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samr.c:3601: var_decl: Declaring variable ""identity"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samr.c:3650: uninit_use: Using uninitialized value ""identity"". Field ""identity.domain_name.length"" is uninitialized.
 3648|   		}
 3649|
 3650|-> 		pinfo.identity_info = identity;
 3651|   		logon.password = &pinfo;
 3652|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2024-07-16 11:41:33 +00:00
Andréas Leroux
2c1a4a516f ldap_server: Add a ldapsrv debug class to log LDAP queries
Patch updated for recent samba versions in merge request #3295 by kvvloten
Initial patch created by Jeremy Allison (https://www.spinics.net/lists/samba/msg161128.html) to log LDAP server queries/functions in a separate file

Signed-off-by: Andréas Leroux <aleroux@tranquil.it>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jul  9 08:37:22 UTC 2024 on atb-devel-224
2024-07-09 08:37:22 +00:00
Andreas Schneider
742e5b48ae s4:torture: Initialize pointer with NULL
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samsync.c:342: var_decl: Declaring variable ""dom_sid"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samsync.c:385: uninit_use_in_call: Using uninitialized value ""dom_sid"" when calling ""dom_sid_dup"".
  383|   	}
  384|   	if (samsync_state->domain_handle[database_id]) {
  385|-> 		samsync_state->sid[database_id] = dom_sid_dup(samsync_state, dom_sid);
  386|   	}
  387|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-08 07:36:33 +00:00
Pavel Filipenský
f434524b47 s4:torture: Initialize struct smb2_handle consistently in lease.c
Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:567: var_decl: Declaring variable "h" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:642: uninit_use_in_call: Using uninitialized value "h" when calling "smb2_util_close".
  640|
  641|    done:
  642|->         smb2_util_close(tree, h);
  643|           smb2_util_close(tree, h2);
  644|

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2024-07-05 07:45:32 +00:00
Jo Sutton
e50a69334e s4:dsdb: Remove unnecessary MIN()
Since we have ensured that val->length >= sizeof(hash->hash),
MIN(val->length, sizeof(hash->hash)) will here always be equal to
sizeof(hash->hash).

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
66928d858f s4:auth: Correct order of parameters in documentation
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
939481329e perftest:ndr_pack_performance: Remove obselete comment
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
4844b1c34c perftest:ndr_pack_performance: Remove unused import
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
c4728578de s4:dsdb: Use appropriate type for userAccountControl flags
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Jo Sutton
3dffd0fa67 s4:auth: Use appropriate type for userAccountControl flags
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>
2024-07-02 03:39:35 +00:00
Andreas Schneider
6d3cfb4b1c s4:torture: Initialize param arrays
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/gentest.c:2690: var_decl: Declaring variable ""parm"" without initializer.
samba-4.20.0rc2/source4/torture/gentest.c:2711: uninit_use: Using uninitialized value ""parm[0]"". Field ""parm[0].out"" is uninitialized.
 2709|   	}
 2710|
 2711|-> 	GEN_COPY_PARM;
 2712|   	GEN_SET_FNUM_SMB2(in.file.handle);
 2713|   	GEN_CALL_SMB2(smb2_lock(tree, &parm[i]));"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Mon Jul  1 00:23:08 UTC 2024 on atb-devel-224
2024-07-01 00:23:08 +00:00
Andreas Schneider
f52e7fd3c0 s4:torture: Remove trailing spaces from gentest.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:34 +00:00
Andreas Schneider
57001527ae s4:torture: Initialize pointers
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1518: var_decl: Declaring variable ""tree2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/durable_open.c:1584: uninit_use_in_call: Using uninitialized value ""tree2"" when calling ""smb2_util_close"".
 1582|   	if (tree != NULL) {
 1583|   		if (h != NULL) {
 1584|-> 			smb2_util_close(tree2, *h);
 1585|   		}
 1586|"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
1d38f6ee92 s4:torture: Initialize struct smb2_handle
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:452: var_decl: Declaring variable ""h"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:516: uninit_use_in_call: Using uninitialized value ""h"" when calling ""smb2_util_close"".
  514|
  515|    done:
  516|-> 	smb2_util_close(tree, h);
  517|   	smb2_util_close(tree, hnew);
  518|   	smb2_util_close(tree, h2);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
b6d66e55ad s4:torture: Initialize struct netr_LogonSamLogonEx
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/schannel.c:250: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/schannel.c:357: uninit_use_in_call: Using uninitialized value ""r.in.validation_level"" when calling ""torture_comment"".
  355|   			""LogonSamLogonEx failed"");
  356|   	} else {
  357|-> 		torture_comment(tctx,
  358|   				""Skip auth_level[%u] Testing LogonSamLogonEx with name %s using %s and validation_level: %d\n"",
  359|   				auth_level, ninfo.identity_info.account_name.string, crypto_alg,"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
9ec0f8bd60 s4:torture: Make sure struct smb2_handle is initialized
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:1223: var_decl: Declaring variable ""h2"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:1328: uninit_use_in_call: Using uninitialized value ""h2"" when calling ""smb2_util_close"".
 1326|    done:
 1327|   	smb2_util_close(tree, h);
 1328|-> 	smb2_util_close(tree, h2);
 1329|
 1330|   	smb2_util_unlink(tree, fname);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-30 23:20:33 +00:00
Andreas Schneider
a77cffaa25 s4:torture: Initialize struct wrepl_wins_name
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:1244: var_decl: Declaring variable ""wins_name1"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4835: assign: Assigning: ""wins_name_r1"" = ""&wins_name1"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:4905: uninit_use_in_call: Using uninitialized value ""*wins_name_r1"". Field ""wins_name_r1->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 4903|
 4904|   		/* now apply R1 */
 4905|-> 		ret &= test_wrepl_update_one(tctx, ctx, records[i].r1.owner, wins_name_r1);
 4906|   		ret &= test_wrepl_is_applied(tctx, ctx, records[i].r1.owner,
 4907|   					     wins_name_r1, records[i].r1.apply_expected);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jun 28 12:44:31 UTC 2024 on atb-devel-224
2024-06-28 12:44:31 +00:00
Andreas Schneider
54ce370f7d s4:torture: Fully initialize struct samr_OpenUser
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/rpc/samr.c:7381: var_decl: Declaring variable ""r"" without initializer.
samba-4.20.0rc2/source4/torture/rpc/samr.c:7428: uninit_use: Using uninitialized value ""r.out.result.v"".
 7426|   		torture_assert_ntstatus_ok(tctx, dcerpc_samr_QueryUserInfo_r(b, tctx, &q),
 7427|   			""QueryUserInfo failed"");
 7428|-> 		if (!NT_STATUS_IS_OK(r.out.result)) {
 7429|   			torture_result(tctx, TORTURE_FAIL, ""QueryUserInfo(%u) failed - %s\n"", r.in.rid, nt_errstr(r.out.result));
 7430|   			return false;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
7990a2ba08 s4:torture: Initialize struct wrepl_wins_name
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6759: var_decl: Declaring variable ""wins_name_"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6760: assign: Assigning: ""wins_name"" = ""&wins_name_"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:9455: uninit_use_in_call: Using uninitialized value ""*wins_name"". Field ""wins_name->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 9453|   		wins_name->unknown	= ""255.255.255.255"";
 9454|
 9455|-> 		ret &= test_wrepl_update_one(tctx, ctx, &ctx->b, wins_name);
 9456|
 9457|   		/*"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
09d731470e s4:torture: Initialize struct smb2_handle
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/smb2/lease.c:336: var_decl: Declaring variable ""hnew"" without initializer.
samba-4.20.0rc2/source4/torture/smb2/lease.c:377: uninit_use_in_call: Using uninitialized value ""hnew"" when calling ""smb2_util_close"".
  375|    done:
  376|   	smb2_util_close(tree, h);
  377|-> 	smb2_util_close(tree, hnew);
  378|
  379|   	smb2_util_unlink(tree, fname);"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
4777464946 s4:torture: Initialize struct nbt_name_query
"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/query.c:53: var_decl: Declaring variable ""io"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/query.c:76: uninit_use_in_call: Using uninitialized value ""io.in.retries"" when calling ""nbt_name_query_send"".
   74|   		while (num_sent - (result->num_pass+result->num_fail) < 10) {
   75|   			struct nbt_name_request *req;
   76|-> 			req = nbt_name_query_send(nbtsock, &io);
   77|   			torture_assert(tctx, req != NULL, ""Failed to setup request!"");
   78|   			req->async.fn = increment_handler;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Andreas Schneider
deced5eaae s3:torture: Remove trailing spaces in query.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
2024-06-28 11:39:33 +00:00
Volker Lendecke
8a7aad7fe0 torture4: Fix some whitespace
Review with "git show -w"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-24 16:21:32 +00:00
Andreas Schneider
3cb4073cd0 s4:dsdb: Avoid possible underflows with new_len
Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: tainted_data_argument: The check ""i < new_len"" contains the tainted expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""new_len - i"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: ""(new_len - i) * 8UL"", which might have underflowed, is passed to ""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  405|   			const char **val2 = &attr_list[i];
  406|   			if (ldb_attr_cmp(*val1, *val2) == 0) {
  407|-> 				memmove(val1, val2, (new_len - i) * sizeof( *attr_list));
  408|   				attr_list[new_len-1] = NULL;
  409|   				new_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
44db391ae1 s4:dsdb: Remove trailing spaces in schema_query.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
94c06dd189 s4:torture: Initialize struct wrepl_wins_name
Found by Covscan.

"Error: UNINIT (CWE-457):
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5040: var_decl: Declaring variable ""wins_name_"" without initializer.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:5041: assign: Assigning: ""wins_name"" = ""&wins_name_"", which points to uninitialized data.
samba-4.20.0rc2/source4/torture/nbt/winsreplication.c:6680: uninit_use_in_call: Using uninitialized value ""*wins_name"". Field ""wins_name->is_group"" is uninitialized when calling ""test_wrepl_update_one"".
 6678|   			wins_name->unknown	= ""255.255.255.255"";
 6679|
 6680|-> 			ret &= test_wrepl_update_one(tctx, ctx, &ctx->b, wins_name);
 6681|   			ret &= test_wrepl_is_applied(tctx, ctx, &ctx->b, wins_name, true);
 6682|   		} else {"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Andreas Schneider
5d568f6e61 s4:torture: Remove trailing spaces in winsreplication.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>
2024-06-24 06:14:36 +00:00
Stefan Metzmacher
db2c576f32 testprogs/blackbox: add test_ldap_token.sh to test "client use kerberos" and --use-kerberos
This shows that they are ignored for machine accounts as domain member.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-06-19 09:07:36 +00:00
Stefan Metzmacher
372476aeb0 s4:torture/smb2: add smb2.ioctl.copy_chunk_bug15644
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15664

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
2024-06-17 16:54:29 +00:00
Andreas Schneider
4a48148a7d s4:torture: Add missing NULL checks in spoolss.c
source4/torture/rpc/spoolss.c: In function
  ‘check_printer_driver_file.isra’:
source4/torture/rpc/spoolss.c:10850:58: error: ‘%s’ directive argument
  is null [-Werror=format-overflow=]
10850 |         const char *remote_name = talloc_asprintf(tctx, "%s\\%d\\%s",
      |                                                          ^~

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-06-13 12:25:37 +00:00
Douglas Bagnall
de19f4d675 s4/pytest: remove py2 str/bytes workaround in getnc_exop
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-12 08:14:34 +00:00
Noel Power
7f1de90f72 selftest: Add a python blackbox test for some misc (widelink) DFS tests
On master attempting to chdir into a nested dfs link

e.g. cd dfslink (works)
     cd dfslink/another_dfslink (fails)

[1] Add a test for this scenario (nested chdir)
[2] Add test for enumerating a dfs link in root of dfs share
[3] Add a test to check case insensitive chdir into dfs link on widelink
  enabled share

Add knownfails for tests 1 and 3

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15435
2024-06-11 18:28:34 +00:00
Jo Sutton
b42c489180 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
facb418c99 s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
5ffa768329 s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Jo Sutton
7ae10eb25f s4:auth: Add common out path to authsam_reread_user_logon_data()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-11 04:32:30 +00:00
Anoop C S
225e6aeafc s4/torture: Remove already existing test_dir
In configurations where vfs_acl_xattr is used with 'ignore system acls'
option we encounter NT_STATUS_ACCESS_DENIED while trying to open an
already existing test_dir in smb2.delete-on-close-perms.READONLY. Due
to missing SEC_STD_DELETE permission from the list of allowed ACEs it
couldn't be removed via previous call to smb2_deltree(). Thus as seen
with other tests we now call set_dir_delete_perms() so that subsequent
attempt to remove it can succeed.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jun 10 13:17:58 UTC 2024 on atb-devel-224
2024-06-10 13:17:58 +00:00
Anoop C S
3b230769b0 s4/torture: Create test_dir with SEC_RIGHTS_DIR_ALL
In shares where acl_xattr vfs module is loaded with 'ignore system acls'
set, smb2.delete-on-close-perms.FIND_and_set_DOC fails to open test_dir
due to NT_STATUS_ACCESS_DENIED as it lacks few permissions for owner
when created using create_dir(). Test case aims to set delete-on-close
for which delete permission is necessary in first place. Therefore we
now perform the creation and subsequent opening of directory using
torture_smb2_testdir() so that the open handle comes with SEC_STD_DELETE
permission.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2024-06-10 12:16:32 +00:00
Andrew Bartlett
491b79d445 kdc: Rotate smart-card only underlying password in 2nd half of lifetime
This is a measure to avoid multiple servers rotating the password
but means that the maximum password age really must be set to
twice the TGT lifetime, eg a default of 20 hours.  The internet
suggestions of 1 day for this feature should work fine.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
8afe27058b kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
This is to gracefully deal with races and to avoid additional password
rollover in situations where the TGT lifetime is longer than the
maximum password lifetime.  This is not a sensible combination, so
we just avoid the extra DB write, and update it only once per AS-REQ
in this case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:31 +00:00
Andrew Bartlett
1e1c80656f kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
d03b3faeb8 s4-auth: Use consistant externally-supplied time in auth stack
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts.  By having
the account expiry follow exactly the same clock as the password expiry
we can hope for less supprises.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1dcd8be8f0 kdc: Use a consistent, stable time throughout the Heimdal KDC
The MIT KDC has a fallback to a consistent time per fetch call, and
both implementations then follow the time in each 'struct
samba_kdc_entry'.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
fe61009002 kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
This will ensure that the time which will be is passed in an opaque is
not used by other parts of Samba

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
e178f6b0e9 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
9ba5ebf4af kdc: Remove confusing duplicate open of sam.ldb to find RODC status
Instead, make this query after we open the DB in common with the MIT code.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
09ae48b415 dsdb: Prepare to handle smartcard password rollover
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
1bcc9f0015 dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
This both allows the time to be overriden in some future unit tests
(which is incredibly helpful in testing) and gets a full NTTIME
rather than just a time_t based time, so we do not need to wait
an extra second for the NTTIME to change.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
cc3ea4ed57 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
While the passwords are random and rolled on the server, we can tell
about the expiry by setting pwdLastSet to 0.

Samba now honours the password expiry.

This is only enabled for domain functional level 2016 and when
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set to TRUE.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
3669479f22 dsdb: Reduce minimum maxPwdAge from 1 day to nil
This allows us to have tests, which pass on Windows, that
use a very short maxPwdAge.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
302619f66f dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
This is because the smartcard reset now generates all the keys
on Windows, so we want to match Windows 2022 as at April 2024
behaviour.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
b664392208 s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check
This centralises the check rather than checking the time in
multiple spots.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
737f241406 s4-auth: Update comment to mention 60mins in the NTLM grace period
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
e04eb9bb17 dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistant with other uses
Other functions in this file are TALLOC_CTX, struct ldb_context *, not
the other way around.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Stefan Metzmacher
ed61c57e02 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
If the client does not have permissions to update the record,
but the record already has the data the update tries to apply,
it's a no-op that should result in success instead of failing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun  6 03:18:16 UTC 2024 on atb-devel-224
2024-06-06 03:18:16 +00:00
Stefan Metzmacher
76fec2668e s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
This means we no longer generate strange errors/warnings
in the Windows event log nor in the nsupdate -g output.

Note: this is a only difference between gss-tsig and
the legacy gss.microsoft.com algorithms.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
db350bc573 s4:dns_server: dns_verify_tsig should return REFUSED on error
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
5906ed94f2 s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
ae7538af04 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
bd0235cd51 s4:dns_server: use the client provided algorithm for the fake TSIG structure
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
3467d14914 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
fa0f23e69e s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
a56627b0d1 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
753428a3b6 s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Andrew Bartlett
d11b281aef build: Remove incorrect pyembed=True from samba-policy
This is a normal C library, used by python but does not use
any python itself (nor by dependencies any longer).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-06-05 20:42:34 +00:00
Andrew Bartlett
829b52f99d s4-libnet: Split up samba-net into samba-net and samba-net-join
samba-net-join links to python and so needs the variable name
with the python ABI tag, while samba-net is a normal C library
and can be included in a package without python dependencies.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2024-06-05 20:42:34 +00:00
Jo Sutton
5eac95652a s4:dsdb: Use talloc_get_type_abort()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Noel Power
a27525e555 s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function
Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG

This change triggers a core dump in the server and so we add a knownfail
here. Following commit will fix (and remove known fail)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Noel Power
1297c7ca65 s4/torture: Prepare to handle Level 4 check with unknown func code
A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test
to use levels 1 - 4 (current test just tests 1 - 3). A side affect of
this test is that the following test will now test passing an unknown
function code against against Level 4 (previously level 3).

Unfortunately s4 and s3 netlogon server results differ when handling
a level 4 request with an unknown function code.
  s3 server returns WERR_NOT_SUPPORTED and
  s4 server returns WERR_INVALID_PARAMETER.

For level 3 both return WERR_NOT_SUPPORTED.

MS-NRPC doesn't seem to specifically indicate the required response in
this case.

this commit modifies the test to cater for either response (for either
level) A future commit could explore the test response combinations more
thorougly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-06-04 08:33:32 +00:00
Stefan Metzmacher
6c5781b5f1 s4:torture/smb2: add smb2.session.anon-{encryption{1,2,},signing{1,2}}
These demonstrate how anonymous encryption and signing work.
They pass against Windows 2022 as ad dc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Stefan Metzmacher
6a89615d78 s4:libcli/smb2: add hack to test anonymous signing and encryption
This will be used in torture tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15412

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2024-05-23 12:35:37 +00:00
Douglas Bagnall
a00c0ebd09 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow
In the unlikely event that strlen(str) > INT_MAX, the result could
have overflowed.

This is not a sort transitivity issue, as this is not a symmetric sort
comparison, but it would affect binary search reliability.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Douglas Bagnall
edabb9f4cb ldb-samba: use ldb_comparison_fold_utf8()
This means ldb-samba/dsdb comparisons will be case-insensitive for
non-ASCII UTF-8 characters (within the bounds of the 16-bit casefold
table). And they will remain transitive.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 23:12:32 +00:00
Jo Sutton
589a9ea676 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224
2024-05-22 21:33:14 +00:00
Jo Sutton
d8302e9532 s4:kdc: Merge current and previous gMSA keys during period when both are valid
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
5ea0782465 s4:libnet: Allow simulating AS‐REQ flags combination for keytab export
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
71899ceb40 s4:libnet: Update export_keytab() docstring
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
048de3da01 s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry()
This will allow us to specify whether to specify this flag for a keytab
export.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
26fd78040e s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
ad9198bb86 s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
6bd56a2c19 s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
cb9ff7b4c5 s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
8ae565a14b s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Stefan Metzmacher
8303078028 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send()
I have customer backtraces showing that 'drsuapi' is NULL in
dreplsrv_op_pull_source_get_changes_trigger() called from the
WERR_DS_DRA_SCHEMA_MISMATCH retry case of
dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was
a valid pointer there.

From reading the code I don't understand how this can happen,
but it does very often on RODCs. And this fix prevents the problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Douglas Bagnall
99d2622131 spelling: comments: synthax -> syntax
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Douglas Bagnall
64003d8677 spelling: fix spelling of privilege.ldb in comments
'privileges' is a word, but the ldb referred to is privilege.ldb

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 04:23:29 +00:00
Stefan Metzmacher
e2a5fbf5cf s4:libnet_export_keytab: add only_current_keys option
By default we also export on the old and older passwords...

In order to do a kinit with a keytab it might we useful to
include only the current keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
7f1e89488a s4:kdc: also provide cross-realm keys via samba_kdc_seq()
This means that 'samba-tool domain exportkeytab' is able to
export them.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
37292f8a60 s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
6ecc607ede s4:kdc: split out samba_kdc_fill_trust_keys() helper
This simplifies the logic in samba_kdc_trust_message2entry(),
is very similar to our samba_kdc_fill_user_keys() helper
and will make it trivial to provide the previous keys
in entry->old_keys in the next commit.

Review with: git show -p --patience

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
f5c8c212dc s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry()
This aligns the logic of samba_kdc_trust_message2entry() with
samba_kdc_message2entry_keys().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
f48699641c s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry()
This will simplifiy further changes.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
d1efc396de s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP
We already handle it in samba_kdc_fill_user_keys() mostly for DES keys,
but other encryption types might be from kerberos libraries in future.
And things like FIPS mode may also alter the runtime behaviour.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
8cfebc36ed s4:kdc: split out samba_kdc_fill_trust_keys() helper
Let samba_kdc_trust_message2entry() also fill in the salt used
by the key. This is not strictly needed, but it's better to
be consistent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Jo Sutton
01849ab1bc s4:kdc: Implement KDC plugin hardware authentication policy
NOTE: This commit finally works again!

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
2024-05-16 03:14:47 +00:00
Jo Sutton
0582cf6077 s4:kdc: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
f3ff4915ad s4:kdc: Initialize local variable just in case (CID 1596759)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
3b90753b55 s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
7e7bb259a6 s4:kdc: Initialize pointer variable just in case (CID 1596762)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
e1460c9e34 s4:dsdb: Make map containing default attribute values static
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
927c672faf s4:dsdb: Do not set lockoutTime for trust accounts
This matches the behaviour of Windows.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
4c759c2675 s4:dsdb: Make use of userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
1b8b8550aa s4:dsdb: Add userAccountControl helper function
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
0e93456a66 s4:dsdb: Remove redundant user flags macro
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
32199b9bcf s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
c167ac5301 s4:libnet: Remove unnecessary declarations
This declaration is a hold‐over from the Python 2 module initialization
pattern.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
33ed55ce8f s4:libnet: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e5357c75a6 s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
92d010af2d s4:dsdb: Let dsdb gMSA time influence pwdLastSet
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
170dd47eae s4:libcli: Add more controls to our list of known controls
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
526652d162 s4:libcli: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
e4045cd5b1 s4:setup: Update name of dsdb password change control
Commit 0a907c2f45 renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
f5cbe49789 s4:dsdb: Fix code spelling
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
cbebffd56d s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Douglas Bagnall
827b0c39ed s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP()
No change at all in the result, just saving lines and branches.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
c5c29f59fa s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
65df8ce05c s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
5335f122fb s4:dsdb:mod: repl_md: make message_sort transitive
Before we had (with a TODO of regret):

       if (!a1 || !a2) {
               return strcasecmp(e1->name, e2->name);
       }

so, given {name:"A", id 2}, {name:"B", NO id}, {name:"C", id 1},

 A < B by name
 B < C by name
 A > C by id

Now the sort order is always A > C > B.

This sort could have caused mysterious crashes in repl_meta_data if
the schema is out of sync.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
b37186cf91 s4:dsdb:util_trusts: simplify the NULL case in dns_cmp
In this comparison function a NULL string is treated as the ancestor
of all names, but you need to look hard to see that.

By pulling the logic for NULLs to the front, hopefully we have to look
less hard.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Douglas Bagnall
91b802941c s4:dsdb:util_trusts: describe dns_cmp return values
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-07 23:25:35 +00:00
Stefan Metzmacher
4dd2468d5b s4:gensec_gssapi: make use of gensec_kerberos_possible()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-05-07 11:30:33 +00:00
Andreas Schneider
c5a1c8d45b s4:dsdb: Fix stack use after scope in gkdi_create_root_key()
==20978==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f4f91ff51a0 at pc 0x7f4f94cf93d6 bp 0x7ffdb90fc510 sp 0x7ffdb90fbcd0
READ of size 64 at 0x7f4f91ff51a0 thread T0
    #0 0x7f4f94cf93d5 in memcpy ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115
    #1 0x7f4f933bdb67 in ldb_val_dup ../../lib/ldb/common/ldb_msg.c:325
    #2 0x7f4f933c11d1 in ldb_msg_copy ../../lib/ldb/common/ldb_msg.c:1182
    #3 0x7f4f933c13d2 in ldb_msg_normalize ../../lib/ldb/common/ldb_msg.c:1235
    #4 0x7f4f933ab556 in ldb_request ../../lib/ldb/common/ldb.c:1196
    #5 0x7f4f8e82b1d4 in dsdb_autotransaction_request ../../source4/dsdb/common/util.c:1220
    #6 0x7f4f8e831c8a in dsdb_add ../../source4/dsdb/common/util.c:5354
    #7 0x7f4f8e853a01 in gkdi_create_root_key ../../source4/dsdb/gmsa/gkdi.c:493
    #8 0x7f4f8e853a01 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:551
    #9 0x7f4f8cd4ca52 in py_dsdb_create_gkdi_root_key ../../source4/dsdb/pydsdb.c:1388
    #10 0x7f4f947ce01c  (/lib64/libpython3.11.so.1.0+0x1ce01c) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #11 0x7f4f947de4c0 in _PyObject_Call (/lib64/libpython3.11.so.1.0+0x1de4c0) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #12 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #13 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #14 0x7f4f947de5d8  (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #15 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #16 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #17 0x7f4f947edabb  (/lib64/libpython3.11.so.1.0+0x1edabb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #18 0x7f4f947de5d8  (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #19 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #20 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #21 0x7f4f947ed9fb  (/lib64/libpython3.11.so.1.0+0x1ed9fb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #22 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #23 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #24 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #25 0x7f4f947b6e79  (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #26 0x7f4f94839997 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x239997) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #27 0x7f4f94856862  (/lib64/libpython3.11.so.1.0+0x256862) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #28 0x7f4f94852e59  (/lib64/libpython3.11.so.1.0+0x252e59) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #29 0x7f4f94868fb1  (/lib64/libpython3.11.so.1.0+0x268fb1) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #30 0x7f4f948687a3 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x2687a3) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #31 0x7f4f94868453 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x268453) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #32 0x7f4f94861c53 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x261c53) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #33 0x7f4f94829996 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x229996) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7)
    #34 0x7f4f9422a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #35 0x7f4f9422a2b8 in __libc_start_main_impl ../csu/libc-start.c:360
    #36 0x5604497e3084 in _start (/usr/bin/python3.11+0x1084) (BuildId: f5d6e3bdbf9098a6ddde0b7f2e07ffc9ad1b1dc3)

Address 0x7f4f91ff51a0 is located in stack of thread T0 at offset 416 in frame
    #0 0x7f4f8e852b37 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:537

  This frame has 12 object(s):
    [32, 40) 'root_key_dn' (line 539)
    [64, 72) 'res' (line 540)
    [96, 104) 'server_config_res' (line 118)
    [128, 136) 'kdf_algorithm' (line 128)
    [160, 168) 'domain_dn' (line 388)
    [192, 208) 'kdf_parameters_blob' (line 129)
    [224, 240) 'root_key_data_blob' (line 353)
    [256, 272) 'guid_blob' (line 467)
    [288, 312) 'kdf_parameters' (line 226)
    [352, 368) 'root_key_id' (line 116)
    [384, 400) 'guid_buf' (line 466)
    [416, 480) 'root_key_data' (line 352) <== Memory access at offset 416 is inside this variable

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <jsutton@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May  3 12:20:55 UTC 2024 on atb-devel-224
2024-05-03 12:20:55 +00:00
Jo Sutton
282e5784a0 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 05:16:29 +00:00
Jo Sutton
5a048ef0f8 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys()
This ldb context can be used to query the current gMSA time.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 05:16:29 +00:00
Jo Sutton
1889e0aea3 python: Move get_admin_sid() to SamDB
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 05:16:29 +00:00
Jo Sutton
786eab65ce s4:auth: Export AES128 gMSA keys along with AES256 keys by default
This is what an existing test expects.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 05:16:29 +00:00
Stefan Metzmacher
4ff1b321ed s4:selftest: remove useless 'client use spnego principal' tests
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
9827055be3 s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
0122c0a698 s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS}
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
84b4551cdf s4:lib/tls: add tstream_tls_sync_setup()
This operates in a non-async fashion and may block
in the push and pull function.

It will be used to plug into openldap transport
layer, this is needed in order to have access
to the channel bindings. And also use the same
configuration for all our gnutls based tls code.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
f1a83feb0e s3:libads: always require ber_sockbuf_add_io() and LDAP_OPT_SOCKBUF
There's no point in trying to support --with-ads, but only use
plaintext ldap without sign/seal.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
ca93631291 s4:lib/tls: add support for gnutls_certificate_set_x509_{system_trust,trust_dir}()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
8062d31793 s4:ldap_server: remove unused include of gensec_internal.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
065da87329 s4:selftest: also test samba4.ldb.simple.ldap*SASL-BIND with ldap_testing:{channel_bound,tls_channel_bindings,forced_channel_binding}
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00
Stefan Metzmacher
7acb15a53c s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl()
We still allow 'ldap_testing:tls_channel_bindings = no' and
'ldap_testing:channel_bound = no' for testing
the old behavior in order to have expected failures in our tests.

And we have 'ldap_testing:forced_channel_binding = somestring'
in order to force invalid bindings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-23 23:50:34 +00:00