1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

133026 Commits

Author SHA1 Message Date
Andreas Schneider
715f7c46b9 testprogs: Use common binary detection functions in test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
aea8611b39 testprogs: Fix shell arithmetic in test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
c5bf365d92 testprogs: Reformat test_kinit_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
b6cf609e9f nsswitch:tests: Use configuration variable passed to test_rfc2307_mapping.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
aa2ece8f64 s4:selftest: Move rfc2307_mapping test to ad_dc
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
c042b1fba0 s4:selftest: Reformat samba4.blackbox.rfc2307_mapping
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
f91f042c1d testprogs: Pass configuration to test_kinit_trusts_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
4ea94c8eaa testprogs: Pass configuration to test_kinit_trusts_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
3b78011213 testprogs: Remove UID_WRAPPER_ROOT export
This is not needed, we only need it for smbpasswd and in order to get
root we need to set the ruid and euid, which we already do.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
9e7de6dff6 testprogs: Pass configuration to test_password_settings.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
3af471fe45 s4:selftest: Use ad_dc env for samba4.blackbox.password_settings
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
7ed669ce90 s4:selftest: Reformat samba4.blackbox.password_settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
41b4a2a252 testprogs: Pass configuration to test_kpasswd_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
9e949bc403 testprogs: Pass configuration to test_kpasswd_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
62cfab55e6 testprogs: Specify the KRB5CCNAME on the command line
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
d2bd1e3409 testprogs: Pass configuration to test_export_keytab_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
ff77e910bc testprogs: Pass configuration to test_export_keytab_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
f9441ca26b testprogs: Correctly set configuration in test_kinit_heimdal.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
4f228c57f6 testprogs: Correctly set configuration in test_kinit_mit.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
2ad6b6fe2e s4:selftest: Use ad_dc environment for kinit tests
This makes sure they are run as part of "samba-addc-mit-1".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
4fa89f3aea s4:selftest: Use smbclient3 for kinit tests
smbclient3 has support for SMB2+.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
12d44773b5 s4:tests: Reformat kerberos tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andreas Schneider
94778b66e0 testprogs: Fix running export.keytab heimdal test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-06 13:45:35 +00:00
Andrew Bartlett
ca7b7bde39 selftest: Use "debug syslog format = always" in selftest
Some of the most difficult to debug issues in Samba development are around
timing, so this changes our default logging format in the selftest system
to include a high-resolution timestamp to help correlate bad events with
what else is going on at the same time.

This fits in well with the timestamps already logged into st/subunit
and may assist with correlation.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Apr  6 13:44:47 UTC 2023 on atb-devel-224
2023-04-06 13:44:47 +00:00
Andrew Bartlett
83fe7a0316 lib/util: Add "debug syslog format = always", which logs to stdout in syslog style
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
33effa76d6 s4:torture: Extend smb2 session requested_life_time
It also only waits for the required amount of time elapsed. Hopefully
this should avoid running into timeouts.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
e69453fc41 s4:torture: Fix warning messages for smb2.session
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
6dc7ae8b14 s4:torture: Fix warning messages for smb.raw.session
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
67535ac225 s4:torture: Remove trailing white spaces
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
938cbe07db s3:tests: Add exit code with failed tests
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
d163d1ba7a s3:tests: Use CONFIGURATION passed down to the test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
fa591f5223 s3:tests: Correctly implement tests for forceuser/forcegroup
They used the tmp share ...

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
bfae426203 s3:tests: Use the CONFIGURATION passed down to the test
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
d8acec0caf s3:selftest: Remove ad_dc_ntvfs for smbclient_machine_auth.plain
There is no need to run it against this environment and saves resources.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Andreas Schneider
e5ef368fb6 lib:ldb:tests: Fix signedness build error
lib/ldb/tests/ldb_filter_attrs_in_place_test.c:836:55: error: pointer
targets in passing argument 1 of ‘_assert_string_equal’ differ in
signedness [-Werror=pointer-sign]
  836 |         assert_string_equal(msg->elements[0].values[0].data,
      |                                                       ^
      |                                                       |
      |                                                       uint8_t * {aka unsigned char *}

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-04-06 12:51:30 +00:00
Stefan Metzmacher
0ef53b948e net_ads: fill ads->auth.realm from c->creds
We get the realm we use for authentication needs to
the realm belonging to the username we use.

We derive the username from c->creds, so we need to
do the same for the realm.

Otherwise we try to authenticate as the wrong user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Stefan Metzmacher
3b585f9e8c testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with
'net ads search -P --server server.of.trusted.domain'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2023-04-06 12:51:30 +00:00
Rob van der Linde
112faff82f dsdb: modify unicodePwd requires encrypted connection
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 01:33:05 UTC 2023 on atb-devel-224
2023-04-06 01:33:05 +00:00
Rob van der Linde
928de1d61c dsdb/tests: Add test for modification of unicodePwd over a cleartext/signed connection
This demonstrates that the server did not detect CVE-2023-0922

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Rob van der Linde
5abda27f0e dsdb: fix spelling in password_hash.c
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
479634e4cd dsdb/tests: Double number of expressions in large_ldap.py ldap_timeout test
By slowing the filter down more this makes the test reliable on the
autobuild host.

This is not a long-term solution, but is a quick tweak that can be done
today to address current issues with getting commits past the host-based
(compared with cloud-based) autobuild.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:35 +00:00
Andrew Bartlett
e1c0c2066c dsdb/tests: Move SD modification on class-created objects to classSetUp
These modifications persist, so should be done at the class level,
not in the test.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15351

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-06 00:33:34 +00:00
Rob van der Linde
b74b9f4b06 CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Apr  5 03:08:51 UTC 2023 on atb-devel-224
2023-04-05 03:08:51 +00:00
Joseph Sutton
c33e78a27f CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.

Add or replace operations with no values and no privileges are
disallowed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Douglas Bagnall
62cc4302b6 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Joseph Sutton
8b4e6f7b3f s4-dsdb: Remove DSDB_ACL_CHECKS_DIRSYNC_FLAG
It's no longer used anywhere.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
82d2ec786f dsdb: Remove remaining references to DC_MODE_RETURN_NONE and DC_MODE_RETURN_ALL
The confidential_attrs test no longer uses DC_MODE_RETURN_NONE we can now
remove the complexity.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Joseph Sutton
d2bbb47a7c ldb: Use correct member of union
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
dfe7b05730 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00
Andrew Bartlett
9b8dd83fd0 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2023-04-05 02:10:35 +00:00