The branch, master has been updated
       via  ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
       via  b1006c773be s4:kdc: Use talloc_get_type_abort()
       via  ad1234d5ee8 s4:kdc: Create a temporary talloc context on which to allocate
       via  cf139d14218 s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
       via  d0d52262f78 s4:kdc: Flip sense of condition
       via  f49ebef0035 s4:kdc: Unify common code paths
       via  6bb7aad1631 s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case
       via  7485638e026 s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()
       via  6be1a397dac s4:kdc: Have samba_kdc_update_pac_blob() do less
       via  e6c44222409 s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters
       via  8c107763980 s4:kdc: Log errors in samba_kdc_update_pac_blob()
       via  ea007ef7188 s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code
       via  baf03e3f114 s4:kdc: Add singular out path to samba_kdc_update_pac_blob()
       via  d2a6c69940c s4:kdc: Make krb5_principal parameters const
       via  f857967427f s4:kdc: Add helper function to determine whether a device is allowed to authenticate
       via  071ad174d92 s4:kdc: Add helper function to determine whether authentication to a server is allowed
       via  af95ec0b3fb s4:kdc: Add functionality to log client and server authentication policies
       via  26d7d1a5af1 s4:auth: Log authentication policies for NTLM authentication
       via  ad32cf0286c s4:auth: Add audit info parameters to check_password_recv()
       via  66841384751 s4:auth: Set ‘authoritative’ even if there is an error
       via  ca9d27ae99d auth: Add functionality to log client and server policy information
       via  f9c55b84ef1 lib:audit_logging: Add function to return the JSON null object
       via  b11ad8b1376 python:tests: Fix typos
       via  78186805314 netcmd: domain: Fix typo
       via  7748e6857c4 tests/krb5: Test authentication policy audit logging
       via  b0d20ce56c2 tests/krb5: Test more authentication logging of TGT lifetimes
       via  a5770669e1a tests/krb5: Improve authentication policy creation
       via  0cfa7f6cff9 netcmd: domain: add error handling to domain claims commands
       via  76ca95db6bc netcmd: domain: add error handling to domain auth commands
       via  ca4e36d17a8 netcmd: domain: add model exceptions and error handling
       via  b00761da1d1 netcmd: domain: model stores ldb message for save
       via  d7b04685680 netcmd: domain: man page updates for auth silo and policy cli
       via  a9944ba860a netcmd: domain: silo member command tests
       via  3a579eab8bb netcmd: domain: model field tests
       via  83112842245 netcmd: domain: silo member add and remove does not write whole list
       via  705e65c16e8 netcmd: domain: remove parse_guid and parse_text as they are no longer used
       via  daac480eb74 netcmd: domain: claims: base class is no longer required
       via  bb0ab7b2410 netcmd: domain: claims: move claim value type lookup by attribute to model
       via  61ee26ade98 netcmd: domain: claims: make use of AttributeSchema and ClassSchema models
       via  44aaba8a82d netcmd: domain: add models for ClassSchema and AttributeSchema
       via  3ecea860aaf netcmd: auth silos: remove base class
       via  d070a605bb0 netcmd: domain: add test for silo if policy is a dn
       via  df5e6045fa1 netcmd: move get_policy method from base class to the model
       via  2842ed824ae netcmd: move method print_json to command base class
       via  15440c6d6bf netcmd: fix import sort/grouping as per python standard
       via  3da5be0b8f8 netcmd: move ldb_connect method to base class
       via  d558b20ed10 netcmd: PEP257 fix incorrect docstring quotes
       via  b6fda29fc7a netcmd: domain: claims: use consistent naming for options
       via  b3fac344a35 netcmd: domain: claim commands use the model layer
       via  40da71fe9cf netcmd: domain: fix claims constant name was wrong should be claim type CN
       via  7e9d8072016 netcmd: domain: fix attributes created by test setUp method
       via  9911a81cc21 netcmd: domain: claim: show err if assertIsNone fails
       via  6056566a18d netcmd: domain: rename claim tests for consistency
       via  35d04e2463f netcmd: domain: tests for auth silo command line tools
       via  3df634e7527 netcmd: domain: add authentication silo commands
       via  3a0160ae943 netcmd: add domain models and basic model layer
       via  d01cd64da23 netcmd: add custom json encoder for object type fields
       via  1a5184e404d netcmd: add optparse validators and Range validator
      from  9f5216912e0 vfs_gpfs: Move call to load GPFS library
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ecff09d75df52df8bd062e55e75d42d76e25d66e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jun 26 11:03:14 2023 +1200

    Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c

    Commit 6bd3b4528d4b33c8f7ae6341d166bea3a06cd971 diverged the const declarations in the header; this brings them back into alignment, as is Samba's normal practice.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Jun 26 00:26:37 UTC 2023 on atb-devel-224

commit b1006c773be1d28a15eeab37c7e49675d3a1dedd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 15:02:35 2023 +1200

    s4:kdc: Use talloc_get_type_abort()

    We subsequently dereference the result without performing a NULL check.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ad1234d5ee80d157573681a0d60fc2a7a399c5ae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 15:00:29 2023 +1200

    s4:kdc: Create a temporary talloc context on which to allocate

    ‘client->context’ is too long-lived to use for allocating short-term data.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cf139d14218ab1423949fbc952ae056943858dc8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 14:49:11 2023 +1200

    s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d0d52262f781b8acddc4f50e09e2daa1198b8a3e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 14:32:09 2023 +1200

    s4:kdc: Flip sense of condition

    A negative condition incurs more cognitive load.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f49ebef003587a89e7ce1698c53bc53243ff2d53
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 14:30:00 2023 +1200

    s4:kdc: Unify common code paths

    Perhaps view with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6bb7aad16316d3f55b9af30a69b2d6b27f34e262
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 14:04:43 2023 +1200

    s4:kdc: Use samba_kdc_obtain_user_info_dc() for !client_pac_is_trusted case

    This will help to reduce code duplication and the number of branching code paths.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7485638e0266a9a46c4ceb719a0a38abe5c8cd81
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 13:40:20 2023 +1200

    s4:kdc: Move adding compounded authentication SID out of samba_kdc_obtain_user_info_dc()

    We may not always want this SID to be present. For example, to enforce authentication policies as Windows does, we’ll want the client’s security token without this SID.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6be1a397dacea1e31d9c1b24a07d3e91a715fc59
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 13:13:58 2023 +1200

    s4:kdc: Have samba_kdc_update_pac_blob() do less

    Previously this function obtained the auth_user_info_dc structure, then used it to update the PAC blob. Now it does only one thing: fetch the auth_user_info_dc info and return it to the caller, who can then call samba_get_logon_info_pac_blob().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e6c442224095352ff11fc936207022298a08d57d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 13:06:24 2023 +1200

    s4:kdc: Remove unused PAC_SIGNATURE_DATA parameters

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8c10776398030c1bab32a195a3c7f5ee4c9623a3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 13:04:17 2023 +1200

    s4:kdc: Log errors in samba_kdc_update_pac_blob()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ea007ef718889245e923efcd29ee3560ab744961
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 12:57:38 2023 +1200

    s4:kdc: Have samba_kdc_update_pac_blob() return krb5_error_code

    This gives it more control over the final Kerberos error code, so that we won’t always get ERR_GENERIC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit baf03e3f11442b94a3c4b3ecb93847d1d4bc50ff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 12:53:07 2023 +1200

    s4:kdc: Add singular out path to samba_kdc_update_pac_blob()

    This ensures that we always clean up resources.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d2a6c69940cf28c2ea901cc0d8d8d317c32db986
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 12:17:50 2023 +1200

    s4:kdc: Make krb5_principal parameters const

    The ‘const’ is entirely unnecessary in a function declaration, but we add it just to be consistent.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f857967427f78cce6ffda117e9afab572707286d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 11:22:28 2023 +1200

    s4:kdc: Add helper function to determine whether a device is allowed to authenticate

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 071ad174d925f9114be7873f5dbf569080a4cf39
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 11:20:04 2023 +1200

    s4:kdc: Add helper function to determine whether authentication to a server is allowed

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit af95ec0b3fb3fc6299b7123c8ea79f22b2ed39f8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 11:01:04 2023 +1200

    s4:kdc: Add functionality to log client and server authentication policies

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 26d7d1a5af105aa6f1bd54ef1f64c4a049487fae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 10:40:16 2023 +1200

    s4:auth: Log authentication policies for NTLM authentication

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ad32cf0286c212bd3644b5d6a1ba4344170eeabe
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 10:21:59 2023 +1200

    s4:auth: Add audit info parameters to check_password_recv()

    These pointers can be set by implementing functions in order for them to be logged in auth_check_password_recv().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 66841384751496ce3f4c4f06179b8814b3b34d98
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 10:26:25 2023 +1200

    s4:auth: Set ‘authoritative’ even if there is an error

    This is consistent with all the other functions that set ‘authoritative’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ca9d27ae99d2a8b65ce60f49e84a498c8149ac60
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 17:07:05 2023 +1200

    auth: Add functionality to log client and server policy information

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f9c55b84ef1e02d50355921ede910f459a1d74ee
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Jun 15 13:30:45 2023 +1200

    lib:audit_logging: Add function to return the JSON null object

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b11ad8b137619a73853f7d6dc5e749305149c677
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 13 10:34:39 2023 +1200

    python:tests: Fix typos

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 78186805314f1fab9714017c80e175eb8dbd4573
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu May 25 14:50:16 2023 +1200

    netcmd: domain: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7748e6857c4018fe20ee30c612b8723fb5cd6468
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 16:25:16 2023 +1200

    tests/krb5: Test authentication policy audit logging

    For each test, we check the authentication logs and ensure the messages are as we expect.

    We only test AS-REQs and TGS-REQs with the Heimdal KDC at the moment, assuming that MIT doesn’t support logging for those cases.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b0d20ce56c2ed54122cb6614c9a36b7de5c8a779
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 11:40:57 2023 +1200

    tests/krb5: Test more authentication logging of TGT lifetimes

    It is useful to test a combination of device restrictions and TGT lifetime restrictions so that we can check what TGT lifetime values end up in the logs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a5770669e1a0f68fe2ebec4cdab22376a5d40825
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 14 16:14:42 2023 +1200

    tests/krb5: Improve authentication policy creation

    Don’t require passing in an ID to create an authentication policy. Instead, have create_authn_policy() generate one for us.

    We now return an actual AuthenticationPolicy object rather than just a DN. This will give the tests more details to work with about the policies.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0cfa7f6cff978041665d8688567077a71fb32cc6
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Jun 23 12:52:58 2023 +1200

    netcmd: domain: add error handling to domain claims commands

    Similar to the auth commands commit prior to this.

    Where we were catching LdbError before, we now catch ModelError; all exceptions that are known and handled in the model layer will have a user-friendly error message.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 76ca95db6bce16d8b01a5f9b9be84e1061953060
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Jun 23 12:26:38 2023 +1200

    netcmd: domain: add error handling to domain auth commands

    Where we were catching LdbError before, we now catch ModelError; all exceptions that are known and handled in the model layer will have a user-friendly error message.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit ca4e36d17a8392c6228b791b41024cf1b1db0c93
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Jun 23 12:24:24 2023 +1200

    netcmd: domain: add model exceptions and error handling

    * Only handle what we know, otherwise raise the existing LdbError
    * Custom messages added in the model layer so we don't have to do it in the commands themselves

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit b00761da1d1777943f7ab4ef99dda0866f408053
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Jun 19 13:23:33 2023 +1200

    netcmd: domain: model stores ldb message for save

    The message is stored in self._apply, which also gets called by self.refresh().

    This is the better thing to do than fetching in save.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d7b04685680a05137867575e85723409be5e3693
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Jun 8 15:03:16 2023 +1200

    netcmd: domain: man page updates for auth silo and policy cli

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit a9944ba860a785a19fdb7da9af6d5c763a05498f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Jun 6 14:11:26 2023 +1200

    netcmd: domain: silo member command tests

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3a579eab8bb1f0b27be85c73ca614cdc5f7443dc
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu May 25 12:32:13 2023 +1200

    netcmd: domain: model field tests

    Add tests for model fields to ensure they behave as expected when calling from_db_value and to_db_value methods.

    Add a base class for the tests themselves via a mixin, as unittest doesn't support abstract test case classes.

    For each field, from_db_value and to_db_value must either be a list or a property that returns a list. The list contains input values and expected values; the expected value can also be a callback for more complex comparison. This is used for the possible claim values XML.

    It is important that singular values and list values are tested, and also None, to ensure that fields properly get unset when a model is saved.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 8311284224539710b89ae4557951f132620c8553
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 23:35:16 2023 +1200

    netcmd: domain: silo member add and remove does not write whole list

    Writing the whole list at once can lead to data loss if multiple administrators are doing this at the same time.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 705e65c16e85da6117d224c7ec26adcdedce83b9
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 16:27:54 2023 +1200

    netcmd: domain: remove parse_guid and parse_text as they are no longer used
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit daac480eb74de8cfc033fcc9eaf8f5d7577ccf09
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 11:13:33 2023 +1200

    netcmd: domain: claims: base class is no longer required

    base.py has been removed, as this has all been moved to the model layer; as with the auth commands, ldb is now just a local variable.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit bb0ab7b24105a3339771193cf0676164bb3a6bab
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 10:56:02 2023 +1200

    netcmd: domain: claims: move claim value type lookup by attribute to model

    Also, there was no need for the cached property previously in the command, as the command only calls this once.

    Fetching all value types seems excessive now with the new model layer; we just fetch the one we need and get a model object back.

    Use the method lookup, as it's consistent with the rest, and raise either LookupError or ValueError.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 61ee26ade98514788eea8c7f3e2e576d657fe929
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 09:50:13 2023 +1200

    netcmd: domain: claims: make use of AttributeSchema and ClassSchema models

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 44aaba8a82dccf4034635229395491c0859da375
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed May 17 09:46:45 2023 +1200

    netcmd: domain: add models for ClassSchema and AttributeSchema

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3ecea860aaf8f0e7cac2100a605e915973481b3f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 15:28:04 2023 +1200

    netcmd: auth silos: remove base class

    There is no point to the base class anymore.

    And since the model layer has dramatically simplified the code in the commands, ldb can just be a local variable.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d070a605bb0bbcb0ee49ed44192588151b104d9c
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Jun 6 16:26:37 2023 +1200

    netcmd: domain: add test for silo if policy is a dn

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit df5e6045fa1c0ee2225fc76d7ff83dee57c2576e
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 15:12:14 2023 +1200

    netcmd: move get_policy method from base class to the model

    There isn't much left of the base class; the next thing is to remove it.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 2842ed824ae41aa96673bcbebd309b90813d1ef2
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 14:35:41 2023 +1200

    netcmd: move method print_json to command base class

    This is used in quite a few commands, so move it to the base class.

    This ensures the correct encoder class and settings are always used, and they are only defined in one place.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 15440c6d6bfd23cd4756511ec3abb891f3d7f8a3
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 14:24:27 2023 +1200

    netcmd: fix import sort/grouping as per python standard

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3da5be0b8f8ddbac05d58871f08448c3c4dc27b8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 13:54:59 2023 +1200

    netcmd: move ldb_connect method to base class

    This method is needed by just about every command, and moving it here is another step towards eliminating the base classes in domain/auth and domain/claim.

    The base classes are almost empty now, since introducing the model layer. The next step is to get rid of these base classes completely.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d558b20ed10a1d7f07fcc861e0db5635998ba455
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 13:39:12 2023 +1200

    netcmd: PEP257 fix incorrect docstring quotes
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit b6fda29fc7a4d34606522759bc1bf77d3a77d90e
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:56:09 2023 +1200

    netcmd: domain: claims: use consistent naming for options

    The name of the option should be the same as the attribute name.

    You can still tell where it's being used (display_name), especially now with the model layer:

        ClaimType.get(ldb, display_name=name)

    The silo commands tend to use the `cn` field, while the claims commands use the `displayName` field, but the option is always called `name` for consistency.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit b3fac344a35dc9a66c434ee610c0cee2815d8500
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:52:04 2023 +1200

    netcmd: domain: claim commands use the model layer

    This makes it consistent with the auth silo code; both should now make use of the models.

    Claims commands are now using the model layer with one exception, and that is the get_attribute_from_schema and get_class_from_schema methods in the base class. These will be made into models in another commit.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 40da71fe9cf8832361bab6cfd31ba2f163478722
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu May 25 14:43:19 2023 +1200

    netcmd: domain: fix claims constant name was wrong should be claim type CN

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 7e9d807201637b1ac898f44ef3220f2feb5ac51d
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:33:50 2023 +1200

    netcmd: domain: fix attributes created by test setUp method

    Discovered this while converting the claims cli commands to use the models: some tests failed.

    The reason for this was that they relied on the attributes in the list ATTRIBUTES to exist. However, then we have to also prefix the attributes we create in the test_claim_type_create test.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 9911a81cc21c928825ade11723977a139b80432b
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:30:40 2023 +1200

    netcmd: domain: claim: show err if assertIsNone fails

    Other tests do this too; this is very useful if things fail.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 6056566a18d819bf4eebe66a256515a75ae38ce6
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:27:41 2023 +1200

    netcmd: domain: rename claim tests for consistency

    The domain_auth tests are also prefixed with domain; it matches the cli command "samba-tool domain claim".

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 35d04e2463f05ee0067b288774dd6238f12935ed
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:22:25 2023 +1200

    netcmd: domain: tests for auth silo command line tools

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3df634e7527c2e0f9c71d62afc7a48300b7bd388
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:15:06 2023 +1200

    netcmd: domain: add authentication silo commands

    Authentication policies:

    * samba-tool domain auth policy list
    * samba-tool domain auth policy view
    * samba-tool domain auth policy create
    * samba-tool domain auth policy modify
    * samba-tool domain auth policy delete

    Authentication silos:

    * samba-tool domain auth silo list
    * samba-tool domain auth silo view
    * samba-tool domain auth silo create
    * samba-tool domain auth silo modify
    * samba-tool domain auth silo delete

    Authentication silo members:

    * samba-tool domain auth silo member list
    * samba-tool domain auth silo member add
    * samba-tool domain auth silo member remove
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3a0160ae94301c9931ee25eb7a87cf77cd588f33
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:09:39 2023 +1200

    netcmd: add domain models and basic model layer

    The ORM is somewhat inspired by Django, but it has some key differences that make it work better with the Ldb database.

    A field can be a singular value or a list, so a BooleanField can either be True, or [True, False, True], or None.

    The only thing that many=True does is say that the field "prefers" to be a list, but really any field can be a list. For example, when creating a new object, it initialises the field as an empty list rather than None if many=True.

    When saving an object, if it is an update operation, only write the fields that have actually changed.

    When updating an object, any fields that are unset (set to None, or an empty list) will be treated as a REMOVE operation.

    Note that silo members should not be saved this way; writing the whole list can lead to data loss if multiple admins are saving the silo at the same time. Silo members will need to be handled differently, just removing one member but not writing the whole list.

    Unlike Django, there is no .objects class; instead there are a bunch of static methods for querying:

    * Model.get
    * Model.query
    * Model.create
    * Model.get_or_create

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d01cd64da23bb092c63ef7a2ff57d83c6b4e76e8
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 12:00:56 2023 +1200

    netcmd: add custom json encoder for object type fields

    The custom JSONEncoder class is also capable of encoding Dn objects to str, and any object that has a __json__ method.

    The __json__ method is not an official dunder method, but this has been used by other frameworks too (like Pyramid).

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 1a5184e404d602e389b96535e792fc77314f1fd4
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue May 16 11:47:45 2023 +1200

    netcmd: add optparse validators and Range validator

    Add the ability to add validators to optparse Option fields.

    The Option class was already subclassed in `netcmd/__init__.py`, so adding some functionality to this was relatively easy.

    Added the ability to add Validator classes to a field so that this can be used for anything else in the future, but for now there is a Range validator required by upcoming auth silo commands.
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c | 98 +-
 auth/common_auth.h | 10 +-
 auth/gensec/gensec.c | 4 +-
 docs-xml/manpages/samba-tool.8.xml | 625 +++++
 lib/audit_logging/audit_logging.c | 17 +
 lib/audit_logging/audit_logging.h | 1 +
 python/samba/netcmd/__init__.py | 59 +-
 python/samba/netcmd/domain/__init__.py | 2 +
 .../netcmd/domain/{claim => auth}/__init__.py | 14 +-
 python/samba/netcmd/domain/auth/policy.py | 413 +++
 python/samba/netcmd/domain/auth/silo.py | 419 +++
 python/samba/netcmd/domain/auth/silo_member.py | 224 ++
 python/samba/netcmd/domain/claim/base.py | 181 --
 python/samba/netcmd/domain/claim/claim_type.py | 293 +-
 python/samba/netcmd/domain/claim/value_type.py | 63 +-
 python/samba/netcmd/domain/common.py | 16 +-
 .../netcmd/domain/{claim => models}/__init__.py | 22 +-
 python/samba/netcmd/domain/models/auth_policy.py | 98 +
 python/samba/netcmd/domain/models/auth_silo.py | 98 +
 python/samba/netcmd/domain/models/claim_type.py | 58 +
 .../{claim/__init__.py => models/exceptions.py} | 37 +-
 python/samba/netcmd/domain/models/fields.py | 431 +++
 python/samba/netcmd/domain/models/model.py | 440 +++
 python/samba/netcmd/domain/models/schema.py | 124 +
 python/samba/netcmd/domain/models/user.py | 54 +
 python/samba/netcmd/domain/models/value_type.py | 93 +
 python/samba/netcmd/encoders.py | 49 +
 python/samba/netcmd/validators.py | 77 +
 python/samba/tests/krb5/authn_policy_tests.py | 2906 +++++++++++++++-----
 python/samba/tests/krb5/claims_tests.py | 9 +-
 python/samba/tests/krb5/kdc_base_test.py | 31 +-
 python/samba/tests/safe_tarfile.py | 4 +-
 python/samba/tests/samba_tool/domain_auth_base.py | 216 ++
 .../samba/tests/samba_tool/domain_auth_policy.py | 607 ++++
 python/samba/tests/samba_tool/domain_auth_silo.py | 567 ++++
 .../tests/samba_tool/{claim.py => domain_claim.py} | 78 +-
 python/samba/tests/samba_tool/domain_models.py | 332 +++
 selftest/knownfail.d/claims-client-tool | 2 +-
 selftest/knownfail.d/silo-client-tool | 2 +
 selftest/knownfail_heimdal_kdc | 55 +
 source3/auth/auth.c | 8 +-
 source3/auth/auth_generic.c | 4 +-
 source3/rpc_server/rpc_server.c | 4 +-
 source3/winbindd/winbindd_pam.c | 4 +-
 source4/auth/auth.h | 2 +
 source4/auth/ntlm/auth.c | 18 +-
 source4/auth/ntlm/auth_anonymous.c | 5 +
 source4/auth/ntlm/auth_developer.c | 7 +-
 source4/auth/ntlm/auth_sam.c | 55 +-
 source4/auth/ntlm/auth_simple.c | 8 +-
 source4/auth/ntlm/auth_winbind.c | 4 +
 source4/dsdb/samdb/ldb_modules/password_hash.c | 4 +-
 source4/kdc/hdb-samba4.c | 116 +-
 source4/kdc/kdc-glue.h | 8 +
 source4/kdc/mit_samba.c | 8 +-
 source4/kdc/pac-glue.c | 506 +++-
 source4/kdc/pac-glue.h | 33 +-
 source4/kdc/wdc-samba4.c | 38 +-
 source4/kdc/wscript_build | 4 +-
 source4/ldap_server/ldap_backend.c | 4 +-
 source4/rpc_server/dcerpc_server.c | 4 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 +-
 source4/rpc_server/samr/samr_password.c | 4 +-
 source4/selftest/tests.py | 9 +-
 source4/smb_server/smb/sesssetup.c | 4 +-
 65 files changed, 8282 insertions(+), 1412 deletions(-)
 copy python/samba/netcmd/domain/{claim => auth}/__init__.py (73%)
 create mode 100644 python/samba/netcmd/domain/auth/policy.py
 create mode 100644 python/samba/netcmd/domain/auth/silo.py
 create mode 100644 python/samba/netcmd/domain/auth/silo_member.py
 delete mode 100644 python/samba/netcmd/domain/claim/base.py
 copy python/samba/netcmd/domain/{claim => models}/__init__.py (67%)
 create mode 100644 python/samba/netcmd/domain/models/auth_policy.py
 create mode 100644 python/samba/netcmd/domain/models/auth_silo.py
 create mode 100644 python/samba/netcmd/domain/models/claim_type.py
 copy python/samba/netcmd/domain/{claim/__init__.py => models/exceptions.py} (66%)
 create mode 100644 python/samba/netcmd/domain/models/fields.py
 create mode 100644
python/samba/netcmd/domain/models/model.py create mode 100644 python/samba/netcmd/domain/models/schema.py create mode 100644 python/samba/netcmd/domain/models/user.py create mode 100644 python/samba/netcmd/domain/models/value_type.py create mode 100644 python/samba/netcmd/encoders.py create mode 100644 python/samba/netcmd/validators.py create mode 100644 python/samba/tests/samba_tool/domain_auth_base.py create mode 100644 python/samba/tests/samba_tool/domain_auth_policy.py create mode 100644 python/samba/tests/samba_tool/domain_auth_silo.py rename python/samba/tests/samba_tool/{claim.py => domain_claim.py} (92%) create mode 100644 python/samba/tests/samba_tool/domain_models.py create mode 100644 selftest/knownfail.d/silo-client-tool Changeset truncated at 500 lines: diff --git a/auth/auth_log.c b/auth/auth_log.c index 019cbe114bf..9a110fd0b48 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -44,9 +44,9 @@ * increment the major version. */ #define AUTH_MAJOR 1 -#define AUTH_MINOR 2 +#define AUTH_MINOR 3 #define AUTHZ_MAJOR 1 -#define AUTHZ_MINOR 1 +#define AUTHZ_MINOR 2 #define KDC_AUTHZ_MAJOR 1 #define KDC_AUTHZ_MINOR 0 @@ -149,11 +149,15 @@ static void log_authentication_event_json( const char *domain_name, const char *account_name, struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, enum event_id_type event_id, int debug_level) { struct json_object wrapper = json_empty_object; struct json_object authentication = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); char logon_id[19]; int rc = 0; const char *clientDomain = ui->orig_client.domain_name ? 
@@ -285,6 +289,30 @@ static void log_authentication_event_json( goto failure; } + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authentication, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; @@ -327,6 +355,8 @@ static void log_authentication_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); + json_free(&client_policy); /* * On a failure authentication will not have been added to wrapper so it * needs to be freed to avoid a leak. @@ -365,10 +395,14 @@ static void log_successful_authz_event_json( const char *auth_type, const char *transport_protection, struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, int debug_level) { struct json_object wrapper = json_empty_object; struct json_object authorization = json_empty_object; + struct json_object client_policy = json_null_object(); + struct json_object server_policy = json_null_object(); int rc = 0; authorization = json_new_object(); 
@@ -431,6 +465,30 @@ static void log_successful_authz_event_json( goto failure; } + if (client_audit_info != NULL) { + client_policy = json_from_audit_info(client_audit_info); + if (json_is_invalid(&client_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "clientPolicyAccessCheck", &client_policy); + if (rc != 0) { + goto failure; + } + + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; @@ -456,6 +514,8 @@ static void log_successful_authz_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); + json_free(&client_policy); /* * On a failure authorization will not have been added to wrapper so it * needs to be freed to avoid a leak. @@ -490,6 +550,7 @@ static void log_authz_event_json( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, @@ -502,6 +563,7 @@ static void log_authz_event_json( { struct json_object wrapper = json_empty_object; struct json_object authorization = json_empty_object; + struct json_object server_policy = json_null_object(); int rc = 0; authorization = json_new_object(); @@ -554,6 +616,18 @@ static void log_authz_event_json( goto failure; } + if (server_audit_info != NULL) { + server_policy = json_from_audit_info(server_audit_info); + if (json_is_invalid(&server_policy)) { + goto failure; + } + } + + rc = json_add_object(&authorization, "serverPolicyAccessCheck", &server_policy); + if (rc != 0) { + goto failure; + } + wrapper = json_new_object(); if (json_is_invalid(&wrapper)) { goto failure; 
@@ -579,6 +653,7 @@ static void log_authz_event_json( json_free(&wrapper); return; failure: + json_free(&server_policy); /* * On a failure authorization will not have been added to wrapper so it * needs to be freed to avoid a leak. @@ -619,6 +694,8 @@ static void log_authentication_event_json( const char *domain_name, const char *account_name, struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, enum event_id_type event_id, int debug_level) { @@ -634,6 +711,8 @@ static void log_successful_authz_event_json( const char *auth_type, const char *transport_protection, struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info, int debug_level) { log_no_json(msg_ctx, lp_ctx); @@ -644,6 +723,7 @@ static void log_authz_event_json( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, @@ -813,7 +893,9 @@ void log_authentication_event( NTSTATUS status, const char *domain_name, const char *account_name, - struct dom_sid *sid) + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) { /* set the log level */ int debug_level = AUTH_FAILURE_LEVEL; @@ -845,6 +927,8 @@ void log_authentication_event( domain_name, account_name, sid, + client_audit_info, + server_audit_info, event_id, debug_level); } @@ -918,7 +1002,9 @@ void log_successful_authz_event( const char *service_description, const char *auth_type, const char *transport_protection, - struct auth_session_info *session_info) + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info) { int debug_level = AUTHZ_SUCCESS_LEVEL; 
@@ -944,6 +1030,8 @@ void log_successful_authz_event( auth_type, transport_protection, session_info, + client_audit_info, + server_audit_info, debug_level); } } @@ -959,6 +1047,7 @@ void log_authz_event( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, @@ -980,6 +1069,7 @@ void log_authz_event( log_authz_event_json(msg_ctx, lp_ctx, remote, local, + server_audit_info, service_description, auth_type, domain_name, diff --git a/auth/common_auth.h b/auth/common_auth.h index 3880b857058..24b7b14f51a 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -177,6 +177,7 @@ struct auth4_context { * NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the * authentication events over the message bus. */ +struct authn_audit_info; void log_authentication_event(struct imessaging_context *msg_ctx, struct loadparm_context *lp_ctx, const struct timeval *start_time, @@ -184,7 +185,9 @@ void log_authentication_event(struct imessaging_context *msg_ctx, NTSTATUS status, const char *domain_name, const char *account_name, - struct dom_sid *sid); + struct dom_sid *sid, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); /* * Log details of a successful authorization to a service. @@ -206,7 +209,9 @@ void log_successful_authz_event(struct imessaging_context *msg_ctx, const char *service_description, const char *auth_type, const char *transport_protection, - struct auth_session_info *session_info); + struct auth_session_info *session_info, + const struct authn_audit_info *client_audit_info, + const struct authn_audit_info *server_audit_info); /* * Log details of an authorization to a service. 
@@ -219,6 +224,7 @@ void log_authz_event( struct loadparm_context *lp_ctx, const struct tsocket_address *remote, const struct tsocket_address *local, + const struct authn_audit_info *server_audit_info, const char *service_description, const char *auth_type, const char *domain_name, diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 3641d4ba65e..26b5865bff5 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -242,7 +242,9 @@ static void log_successful_gensec_authz_event(struct gensec_security *gensec_sec service_description, final_auth_type, transport_protection, - session_info); + session_info, + NULL /* client_audit_info */, + NULL /* server_audit_info */); } diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 910d9093771..567342b2709 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -599,6 +599,631 @@ <para>Restore the domain's DB from a backup-file.</para> </refsect3> +<refsect3> + <title>domain auth policy list</title> + <para>List authentication policies on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--json</term> + <listitem><para> + View authentication policies as JSON instead of a list. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy view</title> + <para>View an authentication policy on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of the authentication policy to view (required). + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy create</title> + <para>Create authentication policies on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of the authentication policy (required). + </para></listitem> + </varlistentry> + <varlistentry> + <term>--description</term> + <listitem><para> + Optional description for the authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--protect</term> + <listitem> + <para> + Protect authentication policy from accidental deletion. + </para> + <para> + Cannot be used together with --unprotect. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--unprotect</term> + <listitem> + <para> + Unprotect authentication policy from accidental deletion. + </para> + <para> + Cannot be used together with --protect. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--audit</term> + <listitem> + <para> + Only audit authentication policy. + </para> + <para> + Cannot be used together with --enforce. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--enforce</term> + <listitem> + <para> + Enforce authentication policy. + </para> + <para> + Cannot be used together with --audit. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--strong-ntlm-policy</term> + <listitem> + <para> + Strong NTLM Policy (Disabled, Optional, Required). + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--user-tgt-lifetime</term> + <listitem> + <para> + Ticket-Granting-Ticket lifetime for user accounts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--user-allow-ntlm-auth</term> + <listitem> + <para> + Allow NTLM network authentication when user + is restricted to selected devices. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--service-tgt-lifetime</term> + <listitem> + <para> + Ticket-Granting-Ticket lifetime for service accounts. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--service-allow-ntlm-auth</term> + <listitem> + <para> + Allow NTLM network authentication when service + is restricted to selected devices. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--computer-tgt-lifetime</term> + <listitem> + <para> + Ticket-Granting-Ticket lifetime for computer accounts. + </para> + </listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy modify</title> + <para>Modify authentication policies on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of the authentication policy (required). 
+ </para></listitem> + </varlistentry> + <varlistentry> + <term>--description</term> + <listitem><para> + Optional description for the authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--protect</term> + <listitem> + <para> -- Samba Shared Repository
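Review bot: in the `failure:` path of log_authentication_event_json() (auth/auth_log.c, the hunk adding `json_free(&server_policy); json_free(&client_policy);`), both frees run even when the earlier `json_add_object(&authentication, "clientPolicyAccessCheck", &client_policy)` has already succeeded, for example when `json_from_audit_info(server_audit_info)` returns an invalid object afterwards or `json_new_object()` for `wrapper` fails. That is only safe if json_add_object() transfers ownership to `authentication` and invalidates the passed-in object (or json_free() is a no-op on it); otherwise the existing `json_free(&authentication)` releases the same jansson root a second time. Please confirm the ownership contract of json_add_object(), and if it does not clear the source object, reset `client_policy` and `server_policy` to `json_null_object()` after each successful add. The same sequence is repeated in log_successful_authz_event_json() and log_authz_event_json(), so whatever the answer is applies to all three.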
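Review bot: log_authz_event_json() and its wrapper log_authz_event() gain only `server_audit_info`, while log_authentication_event_json() and log_successful_authz_event_json() gain both `client_audit_info` and `server_audit_info`, so the Authorization message on that path can never carry `clientPolicyAccessCheck`. If there is genuinely no client policy result available at that point, a one-line comment next to the new parameter in auth/common_auth.h would stop the next reader from treating it as an omission; otherwise add the client parameter for symmetry. On the versioning side, the AUTH_MINOR 2 to 3 and AUTHZ_MINOR 1 to 2 bumps match the two new keys being added to the Authentication and Authorization messages, and since both keys are always emitted (JSON null when no audit info was supplied) consumers can depend on their presence; it would be worth recording in the comment above those defines which minor version introduced `clientPolicyAccessCheck` and `serverPolicyAccessCheck`.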
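Review bot: in auth/common_auth.h the forward declaration `struct authn_audit_info;` is inserted between the documentation comment ending "NOTE: msg_ctx and lp_ctx is optional, but when supplied allows streaming the authentication events over the message bus." and the log_authentication_event() prototype that comment describes, so the comment is no longer directly attached to its function; move the declaration above the comment block, or next to the header's other forward declarations. The documentation comments for all three changed prototypes should also state that `client_audit_info` and `server_audit_info` may be NULL, which the gensec.c hunk already relies on by passing `NULL /* client_audit_info */, NULL /* server_audit_info */` to log_successful_authz_event().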
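Review bot: in the docs-xml/manpages/samba-tool.8.xml hunk, the `--user-tgt-lifetime`, `--service-tgt-lifetime` and `--computer-tgt-lifetime` entries under `domain auth policy create` give neither a unit nor the accepted range; since this series adds a Range validator for optparse options (commit 1a5184e), state here the unit these options take and the bounds that are enforced, so an administrator can tell whether a value is minutes or hours before the validator rejects it. The `--unprotect` option is also documented for `create`, where a newly created policy is not yet protected; if it exists only for command-line symmetry with `modify`, say so in its description, otherwise drop it from the `create` section. Finally, `--strong-ntlm-policy` lists the accepted values (Disabled, Optional, Required) but not the default applied when the option is omitted, which the other boolean-style options (`--audit`/`--enforce`) also leave unstated.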