The branch, master has been updated
       via  def505e68be wafsamba: Fix call to sorted()
       via  005866b1092 s4-smbtorture: Fix typo in assertion message
       via  27dd0afb62d python/ntacls.py: Fix ACE type comparison
       via  52afaa0ceb5 s4:policy: Fix ACE type comparison
       via  95abdbcbb8c dsdb audit tests: Use assert_in_range() for comparing timestamps
       via  591db0ccc09 dsdb audit tests: Fix flapping test
       via  2a8ae72bc01 samba-tool: Fix typo
       via  c4ecb66715c s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin
       via  1a28d97fefe s4:kdc: Remove trailing whitespace in wdc-samba4.c
       via  2380c7eab4d s4:kdc: Remove ks_is_tgs_principal()
       via  c78f5b724be s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()
       via  b59c55e0528 s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()
       via  0828cbd4bfe s4:kdc: Implement common samba_kdc_update_pac()
       via  27554581c1d s4:kdc: Make pac parameter of samba_client_requested_pac() const
       via  95cdbe1724f s4:kdc: Cleanup include files in pac-glue.c
       via  a84cabf4711 lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()
       via  1f24724b24e auth: Add required headers to auth_sam_reply.h
       via  27dd3d9fca0 s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()
       via  70b4660c208 s4:kdc: Make sure ret is set if we goto bad_option
       via  94e9b338338 s4:kdc: Fix return code in mit_samba_update_pac()
       via  18dbdf6aace python:tests: Fix type error in raw_testcase.py
       via  5294dc80090 s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()
       via  b01388da8a7 s4-kdc: Handle previously unhandled auth event types
      from  70b9977a46e s3:libsmb: Fix errno for failed authentication in SMBC_server_internal()
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------

commit def505e68be66e0179a345d3f7e2bd930712e150
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 15 20:05:55 2022 +1300

    wafsamba: Fix call to sorted()

    In Python 3, sorted() does not take a 'cmp' parameter, so we need to
    use the 'key' parameter instead.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Mar 17 01:36:59 UTC 2022 on sn-devel-184

commit 005866b10922c8dd59d334f1a77712be33213986
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 15 09:25:38 2022 +1300

    s4-smbtorture: Fix typo in assertion message

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 27dd0afb62d4f7427c966e984c7c8b01bc4d93b5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 4 16:11:42 2022 +1300

    python/ntacls.py: Fix ACE type comparison

    SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
    as intended. Modify the check to more closely match the one in
    gp_create_gpt_security_descriptor().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 52afaa0ceb5f2a372c075f64c5ae445621263b36
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 2 17:14:42 2022 +1300

    s4:policy: Fix ACE type comparison

    SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
    as intended. Modify the check to more closely match the comment.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 95abdbcbb8c96bb58aa1fe08ddc5c8280e9e6a30
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 17 11:20:45 2022 +1300

    dsdb audit tests: Use assert_in_range() for comparing timestamps

    This can make the code clearer. assert_in_range() takes only integer
    parameters, but POSIX allows us to assume that time_t is an integer.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 591db0ccc090f49c74dff8dab6a7240432d03024
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 28 20:42:36 2021 +1300

    dsdb audit tests: Fix flapping test

    Use gettimeofday() to obtain the current time for comparison, to be
    consistent with audit_logging.c. On Linux, time() may occasionally
    return a smaller value than gettimeofday(), despite being called later.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2a8ae72bc0125e22b2637b961ca3b03a16774dcb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 18 19:22:52 2021 +1300

    samba-tool: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c4ecb66715caec7cb900f6bdf6b7ad749c4ef037
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 10:41:41 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in Heimdal DB plugin

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 1a28d97fefed6391e4d4e9c37b51baac598a66cc
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 13:15:08 2022 +0100

    s4:kdc: Remove trailing whitespace in wdc-samba4.c
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 2380c7eab4d5fea7ca3f284482429b914b84c900
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 07:33:57 2022 +0100

    s4:kdc: Remove ks_is_tgs_principal()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit c78f5b724be429ad313adc7215cd42b2a3eddb2c
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 8 07:34:16 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in mit_samba_update_pac()

    This is for MIT Kerberos >= 1.20.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit b59c55e0528a7319d825df33fd7f8ddac694ab93
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 10 17:20:46 2022 +0100

    s4:kdc: Use samba_kdc_update_pac() in mit_samba_reget_pac()

    This is for MIT Kerberos <= 1.19.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 0828cbd4bfe0340dd05a8e47eca647d134863d2e
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 10:24:14 2022 +0100

    s4:kdc: Implement common samba_kdc_update_pac()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 27554581c1d870f7dd95e2ea984b4ac71b2014ce
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 10:23:18 2022 +0100

    s4:kdc: Make pac parameter of samba_client_requested_pac() const
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 95cdbe1724f8bbf8f98f26b2271e8f1a64dbe18a
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 07:45:03 2022 +0100

    s4:kdc: Cleanup include files in pac-glue.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit a84cabf471198b19d24b74c1deae9d49049823dc
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 15 07:30:03 2022 +0100

    lib:krb5_wrap: Implement smb_krb5_principal_is_tgs()

    This will be used later and allows us to remove static implementations.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 1f24724b24e04ee4ac1bdf44f83a4f4e19497856
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 10:25:38 2022 +0100

    auth: Add required headers to auth_sam_reply.h

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 27dd3d9fca094e19803bc0b934ff4c873138eb6a
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 16:02:18 2022 +0100

    s4:kdc: Fix comparison in samba_kdc_check_s4u2proxy()

    CID 1502873: Control flow issues (NO_EFFECT)
    >>> This greater-than-or-equal-to-zero comparison of an unsigned value
    is always true. "el->num_values >= 0U".

    This is probably just a paranoia check as num_values should be set to
    at least 1 if we have an LDAP entry.
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 70b4660c2089bff25f3c56d3f918491799417999
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 8 15:04:34 2022 +0100

    s4:kdc: Make sure ret is set if we goto bad_option

    The ret variable is just used to set the error message for logging.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 94e9b338338bc55312e4cb481a36d583066995cf
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Mar 8 08:43:07 2022 +0100

    s4:kdc: Fix return code in mit_samba_update_pac()
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 18dbdf6aace6e37f294781fe7e379da87558992a
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Mar 7 11:22:29 2022 +0100

    python:tests: Fix type error in raw_testcase.py

    This fixes a lot of tests with Python 3.8.

    Stacktrace example:

      File "python/samba/tests/krb5/as_req_tests.py", line 249, in test_as_req_enc_timestamp_rc4_dummy
        self._run_as_req_enc_timestamp(
      File "python/samba/tests/krb5/as_req_tests.py", line 129, in _run_as_req_enc_timestamp
        as_rep, kdc_exchange_dict = self._test_as_exchange(
      File "python/samba/tests/krb5/raw_testcase.py", line 3982, in _test_as_exchange
        rep = self._generic_kdc_exchange(kdc_exchange_dict,
      File "python/samba/tests/krb5/raw_testcase.py", line 2029, in _generic_kdc_exchange
        return check_rep_fn(kdc_exchange_dict, callback_dict, rep)
      File "python/samba/tests/krb5/raw_testcase.py", line 2328, in generic_check_kdc_rep
        self.check_reply_padata(kdc_exchange_dict,
      File "python/samba/tests/krb5/raw_testcase.py", line 2998, in check_reply_padata
        got_patypes = tuple(pa['padata-type'] for pa in rep_padata)
    TypeError: 'NoneType' object is not iterable

    This adds additional checks for rep_padata.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 5294dc80090482d5669126802672eb2c89e269cf
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Mar 16 09:21:03 2022 +0100

    s4:kdc: tunnel the check_client_access status to hdb_samba4_audit()

    Otherwise useful information gets lost while converting from NTSTATUS
    to krb5_error and back to NTSTATUS again.

    E.g. NT_STATUS_ACCOUNT_DISABLED would be audited as
    NT_STATUS_ACCOUNT_LOCKED_OUT.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b01388da8a72c11c46bb27e773b354520bc6ac88
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 15 15:34:34 2022 +1300

    s4-kdc: Handle previously unhandled auth event types

    Cases to handle KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY and
    KDC_AUTH_EVENT_PREAUTH_SUCCEEDED were removed in:

        commit 791be84c3eecb95e03611458e2305bae272ba267
        Author: Stefan Metzmacher <me...@samba.org>
        Date:   Wed Mar 2 10:10:08 2022 +1300

            s4:kdc: hdb_samba4_audit() is only called once per request

    Normally these auth event types are overwritten with the
    KDC_AUTH_EVENT_CLIENT_AUTHORIZED event type, but if a client passes the
    pre-authentication check, and happens to fail the client access check
    (e.g. because the account is disabled), we get error messages of the
    form:

        hdb_samba4_audit: Unhandled hdb_auth_status=9 => INTERNAL_ERROR

    To avoid such errors, use the error code provided in the request
    structure to obtain a relevant status code in cases not handled
    explicitly.

    For unexpected values we return KRB5KRB_ERR_GENERIC in order to
    hopefully prevent success. And within make test we panic in order to
    let a CI run fail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15015

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/auth_sam_reply.h | 4 + buildtools/wafsamba/samba_deps.py | 6 +- lib/krb5_wrap/krb5_samba.c | 28 + lib/krb5_wrap/krb5_samba.h | 3 + python/samba/netcmd/domain.py | 2 +- python/samba/ntacls.py | 3 +- python/samba/tests/krb5/raw_testcase.py | 6 +- selftest/knownfail_mit_kdc | 2 - selftest/knownfail_mit_kdc_pre_1_20 | 5 - .../dsdb/samdb/ldb_modules/tests/test_audit_log.c | 66 +- .../samdb/ldb_modules/tests/test_group_audit.c | 23 +- source4/kdc/db-glue.c | 5 +- source4/kdc/hdb-samba4.c | 47 ++ source4/kdc/mit_samba.c | 794 ++------------------- source4/kdc/pac-glue.c | 564 ++++++++++++++- source4/kdc/pac-glue.h | 22 +- source4/kdc/samba_kdc.h | 1 + source4/kdc/wdc-samba4.c | 495 ++----------- source4/lib/policy/gp_manage.c | 3 +- source4/torture/drs/unit/prefixmap_tests.c | 2 +- 20 files changed, 861 insertions(+), 1220 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h index e4b26e961d7..d8a30c6b36f 100644 --- a/auth/auth_sam_reply.h +++ b/auth/auth_sam_reply.h @@ -23,6 +23,10 @@ #ifndef __AUTH_AUTH_SAM_REPLY_H__ #define __AUTH_AUTH_SAM_REPLY_H__ +#include "libcli/util/ntstatus.h" +#include "libcli/util/werror.h" +#include "librpc/gen_ndr/auth.h" + #undef _PRINTF_ATTRIBUTE #define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) /* this file contains prototypes for functions that are private diff --git a/buildtools/wafsamba/samba_deps.py b/buildtools/wafsamba/samba_deps.py index 9c922f7e036..c0a330b1b5e 100644 --- a/buildtools/wafsamba/samba_deps.py +++ b/buildtools/wafsamba/samba_deps.py 
@@ -1023,10 +1023,10 @@ def show_object_duplicates(bld, tgt_list): Logs.info("showing indirect dependency counts (sorted by count)") - def indirect_count(t1, t2): - return len(t2.indirect_objects) - len(t1.indirect_objects) + def indirect_count(t): + return len(t.indirect_objects) - sorted_list = sorted(tgt_list, cmp=indirect_count) + sorted_list = sorted(tgt_list, key=indirect_count, reverse=True) for t in sorted_list: if len(t.indirect_objects) > 1: Logs.info("%s depends on %u indirect objects" % (t.sname, len(t.indirect_objects))) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index e9eaddac75d..2351d172779 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -3348,6 +3348,34 @@ void smb_krb5_principal_set_type(krb5_context context, #endif } +/** + * @brief Check if a principal is a TGS + * + * @param[in] context The library context + * + * @param[inout] principal The principal to check. + * + * @returns 1 if equal, 0 if not and -1 on error. + */ +int smb_krb5_principal_is_tgs(krb5_context context, + krb5_const_principal principal) +{ + char *p = NULL; + int eq = 1; + + p = smb_krb5_principal_get_comp_string(NULL, context, principal, 0); + if (p == NULL) { + return -1; + } + + eq = krb5_princ_size(context, principal) == 2 && + (strequal(p, KRB5_TGS_NAME)); + + talloc_free(p); + + return eq; +} + #if !defined(HAVE_KRB5_WARNX) /** * @brief Log a Kerberos message diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h index c8573f52bd9..653cd561406 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -306,6 +306,9 @@ void smb_krb5_principal_set_type(krb5_context context, krb5_principal principal, int type); +int smb_krb5_principal_is_tgs(krb5_context context, + krb5_const_principal principal); + krb5_error_code smb_krb5_principal_set_realm(krb5_context context, krb5_principal principal, const char *realm); 
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index e814a47233d..49e60625e44 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -120,7 +120,7 @@ common_provision_join_options = [ help="choose machine password (otherwise random)"), Option("--plaintext-secrets", action="store_true", help="Store secret/sensitive values as plain text on disk" + - "(default is to encrypt secret/ensitive values)"), + "(default is to encrypt secret/sensitive values)"), Option("--backend-store", type="choice", metavar="BACKENDSTORE", choices=["tdb", "mdb"], help="Specify the database backend to be used " diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py index 89e64b7dc5a..f35be48c30b 100644 --- a/python/samba/ntacls.py +++ b/python/samba/ntacls.py @@ -301,7 +301,8 @@ def dsacl2fsacl(dssddl, sid, as_sddl=True): aces = ref.dacl.aces for i in range(0, len(aces)): ace = aces[i] - if not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT and str(ace.trustee) != security.SID_BUILTIN_PREW2K: + if ace.type in (security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT, + security.SEC_ACE_TYPE_ACCESS_ALLOWED) and str(ace.trustee) != security.SID_BUILTIN_PREW2K: # if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED: ace.flags = ace.flags | security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT if str(ace.trustee) == security.SID_CREATOR_OWNER: diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 584a3fe5567..69c52b25761 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py 
@@ -2995,10 +2995,14 @@ class RawKerberosTest(TestCaseInTempDir): kcrypto.Enctype.AES128}: expected_patypes += (PADATA_ETYPE_INFO2,) + if not self.strict_checking and rep_padata is None: + rep_padata = () + + self.assertIsNotNone(rep_padata) got_patypes = tuple(pa['padata-type'] for pa in rep_padata) self.assertSequenceElementsEqual(expected_patypes, got_patypes) - if not expected_patypes: + if len(expected_patypes) == 0: return None pa_dict = self.get_pa_dict(rep_padata) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index c2a35c68152..25b1e5bb413 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -219,8 +219,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # MIT currently fails some as_req_no_preauth tests. # -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn(?!_) -^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_spn_realm ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_aes128_rc4.*fl2003dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_enc_timestamp_mac_aes128_rc4.*fl2003dc ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth.*aes.*rc4.*fl2003dc diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20 index 988342c77b6..a32ae4c0e71 100644 --- a/selftest/knownfail_mit_kdc_pre_1_20 +++ b/selftest/knownfail_mit_kdc_pre_1_20 
@@ -118,10 +118,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple # ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid\( -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_validate # # PAC tests # @@ -145,7 +141,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple # PAC attributes tests # ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req(?!_invalid) -^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_attrs_none # # PAC request tests # diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c index 2fba2406b64..885248e5fb9 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c +++ b/source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c @@ -41,10 +41,12 @@ static void check_timestamp(time_t before, const char* timestamp) struct tm tm; time_t after; time_t actual; - const double lower = -1; + struct timeval tv; - after = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + after = tv.tv_sec; /* * Convert the ISO 8601 timestamp into a time_t 
@@ -71,12 +73,8 @@ static void check_timestamp(time_t before, const char* timestamp) /* * The timestamp should be before <= actual <= after - * Note: as the microsecond portion of the time is truncated we use - * a -1 as the lower bound for the time difference instead of - * zero */ - assert_true(difftime(actual, before) >= lower); - assert_true(difftime(after, actual) >= lower); + assert_in_range(actual, before, after); } static void test_has_password_changed(void **state) @@ -295,6 +293,8 @@ static void test_operation_json_empty(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -310,7 +310,9 @@ static void test_operation_json_empty(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = operation_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -426,6 +428,8 @@ static void test_operation_json(void **state) json_t *f = NULL; json_t *g = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -465,7 +469,9 @@ static void test_operation_json(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_ERR_OPERATIONS_ERROR; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = operation_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -621,6 +627,8 @@ static void test_as_system_operation_json(void **state) json_t *f = NULL; json_t *g = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); 
@@ -669,7 +677,9 @@ static void test_as_system_operation_json(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_ERR_OPERATIONS_ERROR; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = operation_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -796,6 +806,8 @@ static void test_password_change_json_empty(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -811,7 +823,9 @@ static void test_password_change_json_empty(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = password_change_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -899,6 +913,8 @@ static void test_password_change_json(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -936,7 +952,9 @@ static void test_password_change_json(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = password_change_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -1025,10 +1043,14 @@ static void test_transaction_json(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; GUID_from_string(GUID, &guid); - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = transaction_json("delete", &guid, 10000099); assert_int_equal(3, json_object_size(json.root)); 
@@ -1086,10 +1108,14 @@ static void test_commit_failure_json(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; GUID_from_string(GUID, &guid); - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = commit_failure_json( "prepare", 987876, @@ -1173,6 +1199,8 @@ static void test_replicated_update_json_empty(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -1193,7 +1221,9 @@ static void test_replicated_update_json_empty(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_SUCCESS; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = replicated_update_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); @@ -1309,6 +1339,8 @@ static void test_replicated_update_json(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -1345,7 +1377,9 @@ static void test_replicated_update_json(void **state) reply = talloc_zero(ctx, struct ldb_reply); reply->error = LDB_ERR_NO_SUCH_OBJECT; - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = replicated_update_json(module, req, reply); assert_int_equal(3, json_object_size(json.root)); diff --git a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c index 0bbde9f3e3b..f7075f3485e 100644 --- a/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c +++ b/source4/dsdb/samdb/ldb_modules/tests/test_group_audit.c 
@@ -268,9 +268,12 @@ static void _check_timestamp( struct tm tm; time_t after; time_t actual; + struct timeval tv; - after = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + after = tv.tv_sec; /* * Convert the ISO 8601 timestamp into a time_t @@ -806,6 +809,8 @@ static void test_audit_group_json(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -826,7 +831,9 @@ static void test_audit_group_json(void **state) req->operation = LDB_ADD; add_transaction_id(req, TRANSACTION); - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = audit_group_json(module, req, "the-action", @@ -910,6 +917,8 @@ static void test_audit_group_json_error(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -930,7 +939,9 @@ static void test_audit_group_json_error(void **state) req->operation = LDB_ADD; add_transaction_id(req, TRANSACTION); - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = audit_group_json(module, req, "the-action", @@ -1015,6 +1026,8 @@ static void test_audit_group_json_no_event(void **state) json_t *v = NULL; json_t *o = NULL; time_t before; + struct timeval tv; + int rc; TALLOC_CTX *ctx = talloc_new(NULL); @@ -1035,7 +1048,9 @@ static void test_audit_group_json_no_event(void **state) req->operation = LDB_ADD; add_transaction_id(req, TRANSACTION); - before = time(NULL); + rc = gettimeofday(&tv, NULL); + assert_return_code(rc, errno); + before = tv.tv_sec; json = audit_group_json(module, req, "the-action", diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 62cc8bdef1d..f79ff1b8c3c 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c 
@@ -2743,8 +2743,10 @@ samba_kdc_check_s4u2proxy(krb5_context context, el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo"); if (el == NULL) { + ret = ENOENT; goto bad_option; } + SMB_ASSERT(el->num_values != 0); /* * This is the Microsoft forwardable flag behavior. @@ -2752,7 +2754,7 @@ samba_kdc_check_s4u2proxy(krb5_context context, * If the proxy (target) principal is NULL, and we have any authorized * delegation target, allow to forward. */ - if (el->num_values >= 0 && target_principal == NULL) { + if (target_principal == NULL) { return 0; } @@ -2810,6 +2812,7 @@ samba_kdc_check_s4u2proxy(krb5_context context, } if (!found) { + ret = ENOENT; goto bad_option; } diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 5720dfadc1f..e82ebbe7daa 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -612,7 +612,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context, ui.auth_description = auth_description; if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) { + /* This is the final sucess */ status = NT_STATUS_OK; + } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { + /* + * This was only a pre-authentication success, + * but we didn't reach the final + * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, + * so consult the error code. -- Samba Shared Repository
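Review bot: the doxygen block on the new smb_krb5_principal_is_tgs() in lib/krb5_wrap/krb5_samba.c does not match the code: `principal` is `krb5_const_principal`, so it is `@param[in]`, not `@param[inout]`, and `@returns 1 if equal` should say 1 if the principal is a TGS (krbtgt) principal. The initialiser in `int eq = 1;` is dead, since `eq` is always assigned before it is read; either drop it or initialise to 0 so a reader does not take "is TGS" for the default. One more thing to confirm: strequal() compares case-insensitively, while Kerberos principal name components are case-sensitive, so `KRBTGT/...` would be reported as a TGS here; if that is intended, a comment saying so would help, otherwise strcmp() against KRB5_TGS_NAME is the stricter choice.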
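Review bot: the new condition in dsacl2fsacl() in python/samba/ntacls.py changes behaviour rather than only fixing the operator, and the commit message should say so: under the old `not ace.type & security.SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT`, an ACE whose type actually equalled SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT made the `&` non-zero and was skipped, so object ACEs receive the inherit flags for the first time with this patch. Deny ACEs (SEC_ACE_TYPE_ACCESS_DENIED and _DENIED_OBJECT) are still not propagated, so a deny in the DS ACL will not inherit down the file-system tree; please confirm that matches gp_create_gpt_security_descriptor(), which the commit message cites as the model. Minor: the stale commented-out `# if fdescr.type & security.SEC_DESC_DACL_AUTO_INHERITED:` line could go in the same change, and the continuation line is long enough to break after `security.SEC_ACE_TYPE_ACCESS_ALLOWED)` before the `and`.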
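Review bot: in check_reply_padata() in python/samba/tests/krb5/raw_testcase.py, the rewrite of `if not expected_patypes:` to `if len(expected_patypes) == 0:` is unrelated to the TypeError being fixed and is the less idiomatic form; either leave it out of this commit or mention it in the message. The `rep_padata = ()` fallback when `strict_checking` is off is sound only because assertSequenceElementsEqual() still fails whenever expected_patypes is non-empty; a one-line comment stating that a missing padata field is tolerated only when nothing is expected would save the next reader that analysis.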
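Review bot: the gettimeofday() + assert_return_code() + `tv.tv_sec` triple is now pasted into every test in source4/dsdb/samdb/ldb_modules/tests/test_audit_log.c and test_group_audit.c; a small static helper such as `static time_t now_seconds(void)` doing the call and the assert would keep the tests readable and make the next change of timestamp source a one-line edit. In both check_timestamp() functions the hunk context does not show a declaration of `rc` before the new `rc = gettimeofday(&tv, NULL);`, so please confirm it is already declared above the visible lines. The tightened `assert_in_range(actual, before, after)` in check_timestamp() is correct now that `before`, `after` and (per the commit message) audit_logging.c all take tv_sec from gettimeofday(), so the removed -1 slack and its truncation comment are no longer needed; note also that cmocka compares the three values as LargestIntegralType, so a negative `actual` from a failed time conversion fails the check rather than passing silently, which is what we want.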
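Review bot: `SMB_ASSERT(el->num_values != 0);` in samba_kdc_check_s4u2proxy() in source4/kdc/db-glue.c turns the old no-op paranoia check into a process abort, and this code runs inside the KDC on every constrained-delegation request. The commit message only says num_values "should" be at least 1; if a msDS-AllowedToDelegateTo element with zero values can ever reach this point, one odd directory entry takes the KDC down. Prefer treating it as a deny, which also folds in the two new `ret = ENOENT;` assignments: `if (el == NULL || el->num_values == 0) { ret = ENOENT; goto bad_option; }`.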
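Review bot: typo in the new comment in hdb_samba4_audit() in source4/kdc/hdb-samba4.c: `/* This is the final sucess */` should read `success`. The hunk is cut off by the 500-line truncation, so the new KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY branch and the fallback the commit message describes (KRB5KRB_ERR_GENERIC for unexpected values, a panic under make test) cannot be checked here and need review against the full diff.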