1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

3268 Commits

Author SHA1 Message Date
Joseph Sutton
7b710a05de samba-tool group: Add --special parameter to add predefined special group
This allows default security groups that have been added since Windows
Server 2008 R2, such as Protected Users, to be created in pre-existing
domains. An error message is generated if a group already exists with
the same name, DN, or SID.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
3e0c94a345 tests/krb5: Add tests for the Protected Users group
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
ded5115f73 tests/krb5: Add helper function to modify ticket flags
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
c80cd8c957 tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
042137f8fa tests/krb5: Add account to cleanup list before adding it to database
This ensures accounts are still cleaned up if a test fails before adding
it to the cleanup list.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
539cdaa75b tests/krb5: Add more encryption type constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
90e5802773 tests/krb5: Remove accounts in reverse order of addition
This prevents problems if accounts are added as children of other
accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Joseph Sutton
c91af5f1a8 tests/krb5: Simplify logic
This code can be made part of the previous 'else' branch.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Fri Mar 18 00:11:25 UTC 2022 on sn-devel-184
2022-03-18 00:11:25 +00:00
Joseph Sutton
a9025b68b2 tests/krb5: Improve mock RODC creation
Use a unique name for the mock RODC. Don't assign to _rodc_ctx until the
RODC has been created, so we don't try to use a mock RODC that failed to
create.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
80b22a7869 python: Restore SDDL abbreviations for SIDs
This time we use the correct values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
d55b717fd6 python: Use explicit SIDs instead of SDDL abbreviations
This is to prepare for changing the SDDL string values.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Joseph Sutton
c26ee3ba96 python:tests: Add tests for SDDL SID strings
We get the server to decode the SDDL by putting the SID strings in the
defaultSecurityDescriptor of a new class and making an object of that
class. We then check that the resulting SID is what we expect.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 23:11:37 +00:00
Andrew Bartlett
faea2f8a6b selftest: Remove auth_log test for RAP password change
RAP is SMB1, the password change routine requires LM hashes and so everything
here is going away or has now gone, so remove the test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
d0b922bd51 ntlm_auth: Adapt --diagnostics mode to expect that the DC does not support LANMAN by default
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Andrew Bartlett
28fc8df722 selftest: Allow samba.tests.ntlm_auth to fail rather than error checking --diagnostics
This allows a knownfail entry to be written for this test.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-17 01:57:38 +00:00
Joseph Sutton
27dd0afb62 python/ntacls.py: Fix ACE type comparison
SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the one in
gp_create_gpt_security_descriptor().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-17 00:41:34 +00:00
Joseph Sutton
2a8ae72bc0 samba-tool: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-17 00:41:34 +00:00
Andreas Schneider
18dbdf6aac python:tests: Fix type error in raw_testcase.py
This fixes a lot of tests with Python 3.8. Stacktrace example:

File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
  self._run_as_req_enc_timestamp(
File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
  as_rep, kdc_exchange_dict = self._test_as_exchange(
File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
  rep = self._generic_kdc_exchange(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
  return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
  self.check_reply_padata(kdc_exchange_dict,
File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
  got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
TypeError: 'NoneType' object is not iterable

This adds additional checks for rep_padata.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-17 00:41:33 +00:00
Stefan Metzmacher
a30a762625 python:tests: let insta_creds() also copy the bind_dn from the template
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-10 03:16:35 +00:00
Andreas Schneider
f1ca16f309 s4:mitkdc: Add support for MIT Kerberos 1.20
This also addresses CVE-2020-17049.

MIT Kerberos 1.20 is in pre-release state at the time writing this commit. It
will be released in autumn 2022. We need to support MIT Kerberos 1.19 till
enough distributions have been released with MIT Kerberos 1.20.

Pair-Programmed-With: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-04 14:05:31 +00:00
Andreas Schneider
f025cc1a12 python: Reformat shell scripts
shfmt -f python/ | xargs shfmt -w -p -i 0 -fn

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-03 00:59:34 +00:00
Stefan Metzmacher
ad0b5561b4 upgradehelpers.py: add a comment to update_krbtgt_account_password()
The backend generates its own random krbtgt password values.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-23 07:50:38 +00:00
Stefan Metzmacher
725c94d57d provision: add a comment that the value of krbtgtpass is ignored in the backend
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-23 07:50:38 +00:00
Stefan Metzmacher
6bb7c0f249 upgradehelpers.py: let update_machine_account_password() use 120 character passwords
We already changed provision to use 120 character passwords with commit
609ca65765.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-23 07:50:38 +00:00
Stefan Metzmacher
3b91be3658 provision: use 120 characters for the dns account password
We should use the same as for the computer account.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-23 07:50:38 +00:00
Stefan Metzmacher
59ac782452 samba-tool/join_member: let py_net_join_member() choose the password
It means we'll let trust_pw_new_value() generate the password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-02-23 07:50:38 +00:00
Joseph Sutton
c58ede44f3 CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
This test currently fails, as re-adding an SPN means that later checks
do not run.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-01-31 15:27:37 +00:00
Douglas Bagnall
f376827478 pytest:auth_log: expect TLS connections when using ldaps
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-01-26 11:44:32 +00:00
Stefan Metzmacher
12464bd4c2 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.

This is fixed now and we no longer expect ndrdump to exit with 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
2022-01-24 16:18:34 +00:00
Stefan Metzmacher
1dc385cb64 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
9110a8854a blackbox.ndrdump: adjust example files to changed dump_data() output.
The cleanup using dump_data_block16() fixed the space handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00
Andrew Bartlett
e5b9cc8f6c selftest: Update SimpleKerberosTests now that Samba supports FAST
Heimdal matches Windows in this respect

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
64e539bb7f tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Stefan Metzmacher
52ccce259d tests/auth_log: adjust expected authDescription for test_smb_bad_user
With NO_SUCH_USER we don't know if any pre-authentication was requested,
so with the new Heimdal code we now used use "AS-REQ" instead of
assuming ENC-TS Pre-authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-01-19 20:50:35 +00:00
Andrew Bartlett
6e8ac61b36 tests: Update latin1 list and ignored file list for new Heimdal import
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
e9caa1edef tests/krb5: Update supported enctype checking
We now do not expect the claims or compound ID bits to be set unless
explicitly specified, nor the DES bits.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
775bfc7250 tests/krb5: Add AS-REQ PAC tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
f94bdb41fc tests/krb5: Check encrypted-pa-data if present
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
48362a706f tests/krb5: Add FAST enc-pa-rep tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
c51805f90c tests/krb5: Adjust expected error codes
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Joseph Sutton
a107bb8b0d tests/krb5: Generate unique UPNs for AS-REQ enterprise tests
This helps to avoid problems with account creation due to UPN uniqueness
constraints.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-17 20:05:32 +00:00
Andreas Schneider
2da538a458 python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 20 17:01:11 UTC 2021 on sn-devel-184
2021-12-20 17:01:11 +00:00
Stefan Metzmacher
bd804e0eef Revert "python:tests: Don't require an emtpy 'authorization-data' to be present"
This reverts commit 36325f1ee9.

This was not the latest version from:
https://gitlab.com/samba-team/samba/-/merge_requests/2304

The correct version follows...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-12-20 16:10:31 +00:00
Andreas Schneider
36325f1ee9 python:tests: Don't require an emtpy 'authorization-data' to be present
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Mon Dec 20 08:26:45 UTC 2021 on sn-devel-184
2021-12-20 08:26:45 +00:00
Joseph Sutton
0f4eca775a tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
2021-12-15 04:33:11 +00:00
Joseph Sutton
100be7eb8e tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
1eb91291b5 tests/krb5: Generate unique UPNs for enterprise tests
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
7dfcbc4e38 tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-12-15 03:41:32 +00:00
Joseph Sutton
221569a14c tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be missing for skew errors
A skew error means the client just tried using PADATA-ENC-TIMESTAMP or
PADATA-ENCRYPTED-CHALLENGE, so it might not be necessary to announce
them in that case.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec  7 08:32:42 UTC 2021 on sn-devel-184
2021-12-07 08:32:42 +00:00