The branch, master has been updated
       via  a2d96f5e291 s4:kdc: Always regard device info when checking a server authentication policy
       via  c0ef3b4292d s4:dsdb: Skip allocation of empty device SIDs array
       via  4b19a707f2a s4:kdc: Use claims to evaluate RBCD conditions
       via  f7064f6fd26 s4:kdc: Use device info to evaluate RBCD conditions
       via  9b4dbaecfe5 s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()
       via  51d516cc2f8 s4:kdc: Rename ‘user_info_dc’ to ‘client_info’
       via  310c537ffa1 s4:kdc: Call samba_kdc_get_user_info_dc() to get client information
       via  6c02e9ac62f s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation
       via  b13701ac181 s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers
       via  390be7d3325 s4:kdc: Adapt interface to new Heimdal revision
       via  204b1f0c121 third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)
       via  3280893ae80 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
       via  09857f86f59 s4:kdc: Use claims and device info to evaluate server authentication policy
       via  3c511c59ca0 s4:kdc: Make samba_kdc_get_user_info_dc() non‐static
       via  03e3a3a49a1 s4:kdc: Use ‘claims_data’ functions to create client claims blob
       via  608c8d493c7 s4:kdc: Use device claims to evaluate client authentication policy
       via  7336fbb2ece s4:kdc: Use claims and device info to evaluate server authentication policy
       via  9cef5de95af s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info
       via  430f7a8918e s4:kdc: Fetch device claims for server restrictions
       via  407a979b983 s4:kdc: Do not perform compound authentication for services without Compound Identity support
       via  43cce1d190d tests/krb5: Correctly test services that do not support Compound Identity
       via  3199a815db2 s4:kdc: Make samba_kdc_add_compounded_auth() static
       via  981411ba4a7 s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()
       via  0d2424a26a5 s4:kdc: Change the type of ‘compounded_auth’ to boolean
       via  0038cc050b5 s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()
       via  b15ef257787 s4:kdc: Introduce helper variable ‘server_restrictions_present’
       via  b5ebe74e5ee s4:kdc: Simplify creation of device claims blob
       via  6d3d6f9bbec s4:kdc: Note use of parent memory context
       via  65a6676cc43 s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()
       via  6228267cba6 s4:kdc: Create the Requester SID blob only if we actually need it
       via  1e3c3479850 s4:kdc: Remove unused function get_claims_blob_for_principal()
       via  9859711513d s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions
       via  2462dacc243 s4:kdc: Add functions to fetch claims from the DB or from the PAC
       via  e09bf1bc9e8 s4:auth: Explicitly initialize claims structures
       via  3e5aba62ecd s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims
       via  e3953e18aef s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’
       via  72b26d5684a s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()
       via  9937c1c5464 s4:kdc: Cache user info and resource groups from PACs
       via  37321e6f76a s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()
       via  19b1e31e234 s4:kdc: Always fetch resource groups
       via  a7765d13814 s4:kdc: Label ‘resource_groups_out’ parameter
       via  2f3a8ae8d50 s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()
       via  300459e86a8 s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()
       via  30cfa9b79ac s4:kdc: Pass resource groups parameter only if we are creating a TGT
       via  3f6e6a3c230 s4:kdc: Make ‘resource_groups_out’ parameter const
       via  d7ed1b53020 s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()
       via  b2bb86bc54a s4:kdc: Simplify memory management with talloc stackframe
       via  886bbcdc1c7 s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()
       via  02daf011f75 s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()
       via  453bb84e640 s4:kdc: Rename variable ‘user_info_dc’ to ‘info’
       via  7ee08114d4a s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’
       via  3045908557b s4:kdc: Fix leak
       via  c559e9922e1 s4:kdc: Introduce intermediate variable ‘resource_groups’
       via  d57062300f8 s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()
       via  0ed6d11e582 s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()
       via  d02f37b489f s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’
       via  024d8cf500d s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()
       via  8b518817e3f s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()
       via  29c230531c6 s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()
       via  16cb8c47872 s4:kdc: Make boolean members into bit‐fields
       via  a57d973d804 s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code
       via  54cd2af2de7 s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()
       via  d51c505d355 s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db
       via  64326818ebd s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()
       via  c35d1fe593f s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller
       via  0a61dc6ce98 s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()
       via  96ab35bb911 s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()
       via  ce7c543ffcb s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’
       via  9c4647436cf s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’
       via  f03b14f8b8b s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’
       via  a7323d704e2 s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’
       via  704c71daf50 libcli/security: Initialize conditional ACE token
      from  4b9b7f70f25 libsmb: Use cli_smb2_qpathinfo_send() for SMB_QUERY_FILE_ALT_NAME_INFO
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a2d96f5e29149dd3951e3a19ec52cc070ccc069a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 18:20:53 2023 +1300

    s4:kdc: Always regard device info when checking a server authentication policy

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224

commit c0ef3b4292d2985807f8a203901b3f623357e5db
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 16:19:53 2023 +1300

    s4:dsdb: Skip allocation of empty device SIDs array

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4b19a707f2ac78ee7ce45ec93c47edaca9d94e47
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:41:40 2023 +1300

    s4:kdc: Use claims to evaluate RBCD conditions

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f7064f6fd26e2ee302141fec77c3b98ad4c236ae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:40:13 2023 +1300

    s4:kdc: Use device info to evaluate RBCD conditions

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9b4dbaecfe5678c3270cf71b97d8abda78bc91ff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:38:29 2023 +1300

    s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 51d516cc2f8ab3357b3aa625d6fd4d9420ff2976
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:22:28 2023 +1300

    s4:kdc: Rename ‘user_info_dc’ to ‘client_info’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 310c537ffa15b85cc83c1c4ccb5adb55333574b6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:19:47 2023 +1300

    s4:kdc: Call samba_kdc_get_user_info_dc() to get client information

    Among other things, this function can deal with RODC‐issued PACs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6c02e9ac62fc527c7af34214a7253631ae89de51
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:16:24 2023 +1300

    s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b13701ac1810d98b43fa8fbe9fba603cddcbc286
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:12:30 2023 +1300

    s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 390be7d332588d58472d51bb31458e84d285e86a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 15:03:22 2023 +1300

    s4:kdc: Adapt interface to new Heimdal revision

    NOTE: This commit finally works again!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 204b1f0c12172eac0d39c7cfebd4f6d87a615ea3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Oct 13 11:14:55 2023 +1300

    third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb)

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3280893ae80507e36653a0c7da03c82b88ece30b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 11:59:34 2023 +1300

    third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))

    The issue here is that only the size of the pointer, not the size of
    the structure was allocated with calloc(). This means that the malloc()
    for the freshness token bytes would have the memory address written
    beyond the end of the allocated memory.

    Additionally, the allocation was not free()ed, resulting in a memory
    leak. This means that a user could trigger ongoing memory allocation in
    the server.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 09857f86f593d6dbada036a2bf59526083f370b1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 19:35:10 2023 +1300

    s4:kdc: Use claims and device info to evaluate server authentication policy

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3c511c59ca0523c5f72c46904b14db201bdd81f2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 19:37:08 2023 +1300

    s4:kdc: Make samba_kdc_get_user_info_dc() non‐static

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 03e3a3a49a1d7dd6284449f9409cc1425a2efdab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 19:32:24 2023 +1300

    s4:kdc: Use ‘claims_data’ functions to create client claims blob

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 608c8d493c7f96bbf20dc95d3801f8d0293755be
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 19:27:59 2023 +1300

    s4:kdc: Use device claims to evaluate client authentication policy

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7336fbb2ece658e47ad60ffa0244efd96848ac59
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 19:00:09 2023 +1300

    s4:kdc: Use claims and device info to evaluate server authentication policy

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9cef5de95afe8627c1137d2c8124fdaccfd31eac
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 18:19:36 2023 +1300

    s4:kdc: Have samba_kdc_allowed_to_authenticate_to() take claims and device info

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 430f7a8918ea8fa0f49e8e0e9b1cca86bf5397cd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 15:50:19 2023 +1300

    s4:kdc: Fetch device claims for server restrictions

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 407a979b983a107a2c58fe6c7d54d5eb341d08f7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 14:19:13 2023 +1300

    s4:kdc: Do not perform compound authentication for services without Compound Identity support

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 43cce1d190ddd3cf831cb5709816ccc03bf805d2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 14:08:43 2023 +1300

    tests/krb5: Correctly test services that do not support Compound Identity

    These two tests now pass against Windows.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3199a815db2a1032b9e32858ec9e1176894ede17
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 15:24:57 2023 +1300

    s4:kdc: Make samba_kdc_add_compounded_auth() static

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 981411ba4a7ca215cd8cb900252ce13b3d454ab2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 15:24:06 2023 +1300

    s4:kdc: Remove ‘compounded_auth’ parameter from samba_kdc_add_compounded_auth()

    It’s only ever equal to SAMBA_COMPOUNDED_AUTH_INCLUDE.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0d2424a26a5eca2e180ab5581b2d93cbfc6d498b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 11 17:25:48 2023 +1300

    s4:kdc: Change the type of ‘compounded_auth’ to boolean

    View with ‘git show -b’.

    This allows us to make the call to authsam_shallow_copy_user_info_dc()
    and samba_kdc_add_compounded_auth() only if required.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0038cc050b5dcda4f92779e014486d3b356ef33c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 15:19:01 2023 +1300

    s4:kdc: Remove ‘claims_valid’ parameter from samba_kdc_add_claims_valid()

    It’s only ever equal to SAMBA_CLAIMS_VALID_INCLUDE.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b15ef2577874dfa38556e64d50d02b6bd8c0e277
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 9 13:41:59 2023 +1300

    s4:kdc: Introduce helper variable ‘server_restrictions_present’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5ebe74e5eeb439873921367db3a8aa4062caa7e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 16:39:47 2023 +1300

    s4:kdc: Simplify creation of device claims blob

    Let samba_kdc_get_claims_data() and claims_data_encoded_claims_set()
    handle the work for us.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6d3d6f9bbec432ca8a3839ab19775f9b948f55e3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 16:35:52 2023 +1300

    s4:kdc: Note use of parent memory context

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 65a6676cc43381948b02fc5d740d0e727c299e24
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 16:11:57 2023 +1300

    s4:kdc: Simplify samba_kdc_check_device() by calling samba_kdc_get_user_info_dc()

    The latter function accomplishes most of what we were doing ourselves.

    No intended change in behaviour.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6228267cba64121d14747700b785cc4aa041b810
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 16:07:55 2023 +1300

    s4:kdc: Create the Requester SID blob only if we actually need it

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1e3c347985033fbb73f32097440427bb352baeea
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 15:34:55 2023 +1300

    s4:kdc: Remove unused function get_claims_blob_for_principal()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9859711513d18a7ceba2ef80fcb3a3acfb51a888
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 15:34:41 2023 +1300

    s4:kdc: Modify samba_kdc_get_claims_blob() to use claims_data functions

    The chief advantage of these functions is that the claims got from the
    database are retained in the ‘samba_kdc_entry’ object, allowing them to
    be reused should they be needed later during the same request.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2462dacc243e8628f3d66b569d1a2fedf368b4be
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 15:33:42 2023 +1300

    s4:kdc: Add functions to fetch claims from the DB or from the PAC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e09bf1bc9e8529ff64803e15ab4ecf5a57ca0e73
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 13:43:54 2023 +1300

    s4:auth: Explicitly initialize claims structures

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3e5aba62ecdc227466879d2e74d7314b5f21e6c0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 15:11:42 2023 +1300

    s4:auth: Have claims_data_encoded_claims_set() return a reference to the encoded claims

    Having the lifetime of the encoded claims be tied in a predictable
    fashion to a caller‐controlled memory context is less prone to error.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e3953e18aef4203ed30f2d1fc7a76e130429e5dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 5 11:07:48 2023 +1300

    s4:kdc: Declare ‘auth_entry’ to be of type ‘samba_kdc_entry_pac’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 72b26d5684a338ef034ba697bc2217cd8bacc2bc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 12:57:45 2023 +1300

    s4:kdc: Rename samba_kdc_obtain_user_info_dc() to samba_kdc_get_user_info_dc()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9937c1c5464e09b28907c915d2a5473e8b1a5611
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 17:19:31 2023 +1300

    s4:kdc: Cache user info and resource groups from PACs

    When authentication policies are implemented, we shall need to fetch
    SIDs (and claims) from the PACs of users and devices repeatedly — not
    just when first looking up a user, but every time a policy needs to be
    evaluated. This will likely be more efficient if we can cache this
    information, removing the need to derive it more than once.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 37321e6f76a79ef249245d52cab9be4910a29480
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Oct 11 17:07:02 2023 +1300

    s4-kdc: Do not modify the returned user_info_dc from samba_kdc_get_user_info_dc()

    We have the duplicated shallow copy in each caller so that the caller
    is clear on what memory can be changed.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 19b1e31e234c7ee0f2ad58a4fbc275697e439683
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 17:10:35 2023 +1300

    s4:kdc: Always fetch resource groups

    No behaviour change, and if the caller doesn’t need the resource groups
    after all, the cost incurred is little more than the allocation of a
    couple of dozen bytes of memory.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a7765d13814d0b6c53f771522c4c579d16b5c20e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 16:38:28 2023 +1300

    s4:kdc: Label ‘resource_groups_out’ parameter

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2f3a8ae8d50a018e6040346a153db90090f24194
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 16:31:41 2023 +1300

    s4:kdc: Remove ‘group_inclusion’ parameter from samba_kdc_obtain_user_info_dc()

    It could be equal only to AUTH_EXCLUDE_RESOURCE_GROUPS.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 300459e86a8c0b840c71d4771df670ee85defd7a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 16:23:12 2023 +1300

    s4:kdc: Pass AUTH_EXCLUDE_RESOURCE_GROUPS into samba_kdc_obtain_user_info_dc()

    As the ‘group_inclusion’ parameter has an effect only if the
    ‘resource_groups_out’ parameter is non‐NULL, this does not result in a
    change in behaviour.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 30cfa9b79aca7ca985818f1d4ae0e7b019f3d6b3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 4 10:35:14 2023 +1300

    s4:kdc: Pass resource groups parameter only if we are creating a TGT

    No change in behaviour.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3f6e6a3c230f6e9ee1a876bcc2eee3da11bfb38d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 20:08:03 2023 +1300

    s4:kdc: Make ‘resource_groups_out’ parameter const

    The caller shouldn’t need to modify this.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d7ed1b530202b97a3478dd9b1290f4eba14e8c44
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 20:06:29 2023 +1300

    s4:kdc: Check parameters of samba_kdc_get_user_info_from_pac()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b2bb86bc54a53ecf9f89a9fb3bff750ed6273f6e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 20:04:44 2023 +1300

    s4:kdc: Simplify memory management with talloc stackframe

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 886bbcdc1c765b7f350b39f0904b23358738578b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 19:27:20 2023 +1300

    s4:kdc: Remove common out path from samba_kdc_obtain_user_info_dc()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 02daf011f754c77f82bda4538e6adf5c1e205350
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 18:45:17 2023 +1300

    s4:kdc: Split samba_kdc_get_user_info_from_pac() out of samba_kdc_obtain_user_info_dc()

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 453bb84e64091f646808382376b2b99fcf7fbf54
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 19:44:41 2023 +1300

    s4:kdc: Rename variable ‘user_info_dc’ to ‘info’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7ee08114d4a0c1ee194550db01f30b2373a470dc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 19:43:21 2023 +1300

    s4:kdc: Rename parameter ‘user_info_dc_out’ to ‘info_out’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3045908557bdbe8804256c82b2db14ee2be1e705
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 18:45:14 2023 +1300

    s4:kdc: Fix leak

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c559e9922e1327e5c5c8dc0f5642b0acb485a382
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 18:41:59 2023 +1300

    s4:kdc: Introduce intermediate variable ‘resource_groups’

    No change in behaviour.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d57062300f8ab73d8326ac934cc910fed2bf23ba
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 17:01:07 2023 +1300

    s4:kdc: Initialize out parameter of samba_kdc_get_user_info_from_db()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0ed6d11e58229dab0999ac95cc0d157e3124971f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 17:00:43 2023 +1300

    s4:kdc: Check parameters of samba_kdc_get_user_info_from_db()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d02f37b489f61e3716a3fa6e38343ee5debd6898
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 15:35:27 2023 +1300

    s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 024d8cf500d15decf83057adb516ad9a06e09cf9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 14:53:17 2023 +1300

    s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8b518817e3fdc7df16ce37093e7fa0fdca7cd8a0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 14:58:52 2023 +1300

    s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 29c230531c61722aafd5b8f72dedd15cfddbdc80
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 14:58:10 2023 +1300

    s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 16cb8c47872559145209bdea719e41a02eddde93
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 14:33:48 2023 +1300

    s4:kdc: Make boolean members into bit‐fields

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a57d973d804eeda2129017a94e4ee7cfa22cc26c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 13:39:48 2023 +1300

    s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code

    instead of an NT status code.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 54cd2af2de7a2dec965e1362c83ade19c1e21796
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 13:48:11 2023 +1300

    s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob()

    We shall need it in order to produce an error string.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d51c505d3554423d52e482d7313870366716b39d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 12:33:25 2023 +1300

    s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 64326818ebd70f366eb94243874541a161ad70dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 12:32:13 2023 +1300

    s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c35d1fe593fb9d01bed9202aef1ffca2f3d3a7ff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 12:28:58 2023 +1300

    s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0a61dc6ce98b49826b461765a9a9789cf3c1e5cb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 11:58:05 2023 +1300

    s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc()

    The latter function behaves identically, except that it makes a shallow
    copy of the returned structure, thus avoiding lifetime issues.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 96ab35bb911b0c5b38ac7f99a3187c6c3fd5098a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 11:14:30 2023 +1300

    s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc()

    We want to call this function from more places. But some potential
    callers, found in db-glue.c, have only a partially‐initialized
    ‘samba_kdc_entry’ structure, without the crucial ‘msg’ member. These
    callers need to be able to pass in the ldb message as a separate
    parameter.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ce7c543ffcbdbe26b730cded780342645abd6f87
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 15:07:55 2023 +1300

    s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c4647436cf9cf11216e88c6c741f1efb947ec47
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 15:07:18 2023 +1300

    s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f03b14f8b8b1692d32a2a3ce177781ad55e9cabb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 15:05:08 2023 +1300

    s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a7323d704e25781026f90b065259d931f08aab1f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 3 15:03:23 2023 +1300

    s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 704c71daf509c1857b0e2814c6b939f28f4dbaa8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 10 14:35:07 2023 +1300

    libcli/security: Initialize conditional ACE token

    If the ‘flags’ member is not initialized, we invoke undefined behaviour
    when trying to push or evaluate the parsed conditional ACE. One way this
    issue can manifest is in the mysterious failure of Unicode comparisons
    owing to the CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE flag being
    set when it shouldn’t.
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: libcli/security/conditional_ace.c | 2 +- python/samba/tests/krb5/claims_tests.py | 20 +- python/samba/tests/krb5/device_tests.py | 11 +- selftest/knownfail_heimdal_kdc | 110 +--- source4/auth/session.c | 36 +- source4/auth/session.h | 3 +- source4/dsdb/samdb/samdb.c | 2 +- source4/kdc/ad_claims.c | 33 -- source4/kdc/ad_claims.h | 5 - source4/kdc/db-glue.c | 30 +- source4/kdc/db-glue.h | 4 +- source4/kdc/hdb-samba4.c | 95 ++- source4/kdc/mit_samba.c | 84 ++- source4/kdc/pac-glue.c | 988 ++++++++++++++++++++------------ source4/kdc/pac-glue.h | 54 +- source4/kdc/samba_kdc.h | 14 +- source4/kdc/wdc-samba4.c | 127 +++- third_party/heimdal/kdc/kdc-plugin.c | 8 +- third_party/heimdal/kdc/kdc-plugin.h | 7 +- third_party/heimdal/kdc/krb5tgs.c | 7 +- third_party/heimdal/kdc/mssfu.c | 18 +- third_party/heimdal/kdc/pkinit.c | 5 +- third_party/heimdal/lib/asn1/gen.c | 118 ++-- third_party/heimdal/lib/asn1/symbol.c | 6 + third_party/heimdal/lib/asn1/symbol.h | 2 + third_party/heimdal/lib/hdb/hdb.h | 2 +- third_party/heimdal/lib/krb5/pac.c | 6 +- 27 files changed, 1078 insertions(+), 719 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/conditional_ace.c b/libcli/security/conditional_ace.c index a84060ce698..6fb0cd3a38b 100644 --- a/libcli/security/conditional_ace.c +++ b/libcli/security/conditional_ace.c @@ -322,7 +322,7 @@ static ssize_t pull_composite(TALLOC_CTX *mem_ctx, uint8_t *el_data = NULL; size_t available; bool ok; - el->type = data[i]; + *el = (struct ace_condition_token) { .type = data[i] }; i++; el_data = data + i; diff --git a/python/samba/tests/krb5/claims_tests.py b/python/samba/tests/krb5/claims_tests.py index 348ea99ec0d..074147e5afe 100755 --- a/python/samba/tests/krb5/claims_tests.py +++ b/python/samba/tests/krb5/claims_tests.py 
@@ -1722,7 +1722,7 @@ class ClaimsTests(KDCBaseTest): if tgs_to_krbtgt: requester_sid = user_sid - if tgs_to_krbtgt: + if not tgs_compound_id: expected_claims = None unexpected_claims = None @@ -1758,9 +1758,9 @@ class ClaimsTests(KDCBaseTest): unexpected_groups=None, expect_client_claims=True, expected_client_claims=None, - expect_device_info=not tgs_to_krbtgt, + expect_device_info=bool(tgs_compound_id), expected_device_groups=tgs_device_expected_mapped, - expect_device_claims=not tgs_to_krbtgt, + expect_device_claims=bool(tgs_compound_id), expected_device_claims=expected_claims, unexpected_device_claims=unexpected_claims) @@ -1841,7 +1841,7 @@ class ClaimsTests(KDCBaseTest): }, { # Make a TGS request containing claims to a service that lacks - # support for compound identity. The claims are still propagated to + # support for compound identity. The claims are not propagated to # the final ticket. 'test': 'device to service no compound id', 'groups': { @@ -1880,20 +1880,10 @@ class ClaimsTests(KDCBaseTest): 'tgs:expected': { (security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, SidType.EXTRA_SID, default_attrs), (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs), - (security.SID_COMPOUNDED_AUTHENTICATION, SidType.EXTRA_SID, default_attrs), + # The Compounded Authentication SID should not be present. (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), }, - 'tgs:device:expected': { - (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs), - (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None), - frozenset([ - ('foo', SidType.RESOURCE_SID, resource_attrs), - ('bar', SidType.RESOURCE_SID, resource_attrs), - ]), - (asserted_identity, SidType.EXTRA_SID, default_attrs), - frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]), - }, }, { # Make a TGS request containing claims to a service, but don't 
diff --git a/python/samba/tests/krb5/device_tests.py b/python/samba/tests/krb5/device_tests.py index 87b65735a03..43efc7b0fb2 100755 --- a/python/samba/tests/krb5/device_tests.py +++ b/python/samba/tests/krb5/device_tests.py @@ -208,16 +208,9 @@ class DeviceTests(KDCBaseTest): (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), (asserted_identity, SidType.EXTRA_SID, default_attrs), - (compounded_auth, SidType.EXTRA_SID, default_attrs), + # The Compounded Authentication SID should not be present. (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs), }, - # The device info is still generated. - 'tgs:device:expected': { - (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs), - (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None), - (asserted_identity, SidType.EXTRA_SID, default_attrs), - frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]), - }, }, { 'test': 'universal groups to krbtgt', @@ -2102,7 +2095,7 @@ class DeviceTests(KDCBaseTest): expected_groups=tgs_expected_mapped, unexpected_groups=None, expect_device_claims=None, - expect_device_info=not tgs_to_krbtgt, + expect_device_info=bool(tgs_compound_id), expected_device_groups=tgs_device_expected_mapped) rep = self._generic_kdc_exchange(kdc_exchange_dict, diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index e5c9a841bd3..2ef041b6a29 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -83,97 +83,18 @@ # # Conditional ACE tests # -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_claim_equals_claim\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_equals\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_enforced_silo_not_equals_deny\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_equals_deny\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_from_unenforced_silo_not_equals\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_client_equals\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_allowed_to_device_equals\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_42_equals_literal__42_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_A_is_less_than__\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__123_456__equals_literal__123_456_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__APPLE_BANANA_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__BANANA_APPLE_\(ad_dc\) 
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__apple_banana__equals_literal__apple_banana_apple_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_FOO\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains__foo_bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__contains_literal__foo_bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain__foo_bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_contain_literal__foo_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal__foo_bar_baz_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__does_not_equal_foo\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__FOO_BAR_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__bar_foo_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__equals__foo_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_BAR\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of__bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_baz\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_any_of_literal__baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of__bar_baz_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_baz\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp__foo_bar__matches_none_of_literal__baz_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_a_is_less_than__\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_contains_literal__bar_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_equals_literal__bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_bar_matches_any_of_literal__bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_dog\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_exceeds_or_equals_dog\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_dog\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_or_equals_dog\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_cat_is_less_than_ćàț\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_Foo_BAR\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_literal__foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_exceeds_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_contains_literal__foo_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_bar\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_does_not_equal_foo\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_bar\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_equals_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_exceeds_or_equals_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_foo_bar\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_or_equals_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_is_less_than_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_foo\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_exceeds_SS\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ß_is_less_than_ẞ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàș_is_less_than_ĆÀȚ\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_matches_any_of_literal__foo_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ćàț_equals_ĆÀȚ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ɜ_is_less_than_Ɜ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_ʟ\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ʞ_is_less_than_Ʞ\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ԛԣ_equals_ԚԢ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ḽ_equals_Ḽ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⅸ_equals_Ⅸ\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⱦ_equals_Ⱦ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ⳬ_exceeds_Ⳬ\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꙭ_equals_Ꙭ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ꞧ_exceeds_Ꞧ\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_豈\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_ퟻ_is_less_than_𐀀\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_foo_bar_equals_FOO_BAR\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_cmp_𐀀_is_less_than_豈\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_1000_unicode_3_a___1000_unicode_equals_a -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_180388626432___a_equals_180388626432\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42_42_42___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_1_42___a_equals_42\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_0___a_equals_3\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_1_2_3___a_equals_1_2_3_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4294967296___a_exceeds_0\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42_42___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_42___a_equals_42\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_2_4_5_6___a_does_not_equal_1_2_3_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_FOO_foo___a_equals_a_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar___a_equals_foo_bar_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_bar_b_3_FOO_BAR___a_equals_b_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_foo_foo___a_equals_a_\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_3_this_is_not_the_value_a_3 -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_0___a_equals_a_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_and_a_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0__not_a_or_not_a_\(ad_dc\) 
@@ -181,29 +102,21 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_and_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_0___a_or_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_0_b_6_1___a_and_b_\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_equals_42\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1___a_or_a_or_a_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1__not_a_or_a_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_and_not_b_or_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_0___a_or_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_and_b_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_equals_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_3_FOO_BAR_BAZ_a_3_foo_bar_baz___a_does_not_equal_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dotty_claim_3_a___dotty_claim_equals_a___dotty_claim_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_dup_3_foo_dup_3_foo_2_dup_2_42_dup_2_42_2_dup_3_foo_dup_3_foo_dup_3_foo_bar_dup_3_foo_bar___dup_equals_dup_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_escaped_claim_3_claim_value___escaped_claim_equals_claim_value___escaped_claim_foo_bar_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_booleans_6_0_0___false_booleans_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_higher_unicode_3_a___higher_unicode_equals_a 
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_large_claim_3_zzzzzzzzzzzzzzzzzzzz ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_long_name_3_a___long_name_equals_a ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\) 
@@ -215,17 +128,11 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_int_1_0_1___zero_and_one_int_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_ints_1_0_0___zero_ints_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uints_2_0_0___zero_uints_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__2_a_3_foo___a_equals_foo_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_aa_asserted_identity\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\) 
@@ -233,19 +140,12 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_aa_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_compounded_authentication\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_service_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\) 
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\) 
@@ -258,10 +158,6 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_claims_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_invalid_no_attrs\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_claims_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_pac_device_info_no_compound_id_support\(ad_dc\) # # Conditional ACE device restrictions # diff --git a/source4/auth/session.c b/source4/auth/session.c index 818fdf583df..46b833713ba 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c 
@@ -492,30 +492,36 @@ NTSTATUS encode_claims_set(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - metadata_ndr = talloc_zero(tmp_ctx, struct CLAIMS_SET_METADATA_NDR); + metadata_ndr = talloc(tmp_ctx, struct CLAIMS_SET_METADATA_NDR); if (metadata_ndr == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - metadata = talloc_zero(metadata_ndr, struct CLAIMS_SET_METADATA); + metadata = talloc(metadata_ndr, struct CLAIMS_SET_METADATA); if (metadata == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - claims_set_info = talloc_zero(metadata, struct CLAIMS_SET_NDR); + claims_set_info = talloc(metadata, struct CLAIMS_SET_NDR); if (claims_set_info == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - metadata_ndr->claims.metadata = metadata; + *metadata_ndr = (struct CLAIMS_SET_METADATA_NDR) { + .claims.metadata = metadata, + }; - metadata->claims_set = claims_set_info; - metadata->compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF; + *metadata = (struct CLAIMS_SET_METADATA) { + .claims_set = claims_set_info, + .compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF, + }; - claims_set_info->claims.claims = claims_set; + *claims_set_info = (struct CLAIMS_SET_NDR) { + .claims.claims = claims_set, + }; ndr_err = ndr_push_struct_blob(claims_blob, mem_ctx, metadata_ndr, (ndr_push_flags_fn_t)ndr_push_CLAIMS_SET_METADATA_NDR); @@ -612,9 +618,13 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx, * From a ‘claims_data’ structure, return an encoded claims blob that can be put * into a PAC. */ -NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data, +NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx, + struct claims_data *claims_data, DATA_BLOB *encoded_claims_set_out) { + uint8_t *data = NULL; + size_t len; + if (encoded_claims_set_out == NULL) { return NT_STATUS_INVALID_PARAMETER; } 
@@ -643,7 +653,15 @@ NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data, claims_data->flags |= CLAIMS_DATA_ENCODED_CLAIMS_PRESENT; } - *encoded_claims_set_out = claims_data->encoded_claims_set; + if (claims_data->encoded_claims_set.data != NULL) { + data = talloc_reference(mem_ctx, claims_data->encoded_claims_set.data); + if (data == NULL) { + return NT_STATUS_NO_MEMORY; + } + } + len = claims_data->encoded_claims_set.length; + + *encoded_claims_set_out = data_blob_const(data, len); return NT_STATUS_OK; } diff --git a/source4/auth/session.h b/source4/auth/session.h index 391fcc34bf7..3258c807137 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -136,7 +136,8 @@ NTSTATUS claims_data_from_claims_set(TALLOC_CTX *claims_data_ctx, * From a ‘claims_data’ structure, return an encoded claims blob that can be put * into a PAC. */ -NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data, +NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx, + struct claims_data *claims_data, DATA_BLOB *encoded_claims_set_out); /* diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 81576829a75..42375a8437b 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -247,7 +247,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, } } - if (authentication_was_compounded) { + if (authentication_was_compounded && num_device_sids) { ptoken->device_sids = talloc_array(ptoken, struct dom_sid, num_device_sids); if (ptoken->device_sids == NULL) { talloc_free(ptoken); diff --git a/source4/kdc/ad_claims.c b/source4/kdc/ad_claims.c index b8c355a11ed..5ce23be57ba 100644 --- a/source4/kdc/ad_claims.c +++ b/source4/kdc/ad_claims.c 
@@ -1227,36 +1227,3 @@ int get_claims_set_for_principal(struct ldb_context *ldb, principal_class->governsID_id, claims_set_out); } - -int get_claims_blob_for_principal(struct ldb_context *ldb, - TALLOC_CTX *mem_ctx, - const struct ldb_message *principal, - DATA_BLOB *claims_blob_out) -{ - struct CLAIMS_SET *claims_set = NULL; - int ret; - NTSTATUS status; - - *claims_blob_out = data_blob_null; - - ret = get_claims_set_for_principal(ldb, - mem_ctx, - principal, - &claims_set); - if (ret) { - return ret; - } - - if (claims_set == NULL) { - return LDB_SUCCESS; - } - - /* Encode the claims ready to go into a PAC buffer. */ - status = encode_claims_set(mem_ctx, claims_set, claims_blob_out); - if (!NT_STATUS_IS_OK(status)) { - ret = LDB_ERR_OPERATIONS_ERROR; - talloc_free(claims_set); - } - - return ret; -} diff --git a/source4/kdc/ad_claims.h b/source4/kdc/ad_claims.h index b934e34bbd7..e54b1dac7a7 100644 --- a/source4/kdc/ad_claims.h +++ b/source4/kdc/ad_claims.h @@ -33,9 +33,4 @@ int get_claims_set_for_principal(struct ldb_context *ldb, const struct ldb_message *principal, struct CLAIMS_SET **claims_set_out); -int get_claims_blob_for_principal(struct ldb_context *ldb, - TALLOC_CTX *mem_ctx, - const struct ldb_message *principal, - DATA_BLOB *claims_blob_out); - #endif diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index c47aa69b035..89de751f616 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1484,9 +1484,12 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * and computers should never be members of Protected Users, or * they may fail to authenticate. */ - status = samba_kdc_get_user_info_from_db(p, msg, &user_info_dc); - if (!NT_STATUS_IS_OK(status)) { - ret = EINVAL; + ret = samba_kdc_get_user_info_from_db(tmp_ctx, + kdc_db_ctx->samdb, + p, + msg, + &user_info_dc); + if (ret) { goto out; } 
@@ -3371,7 +3374,9 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct samba_kdc_db_context *kdc_db_ctx, krb5_const_principal client_principal, krb5_const_principal server_principal, - krb5_const_pac header_pac, + const struct auth_user_info_dc *user_info_dc, + const struct auth_user_info_dc *device_info_dc, + const struct auth_claims auth_claims, struct samba_kdc_entry *proxy_skdc_entry) { krb5_error_code code; @@ -3381,7 +3386,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( const char *proxy_dn = NULL; const DATA_BLOB *data = NULL; struct security_descriptor *rbcd_security_descriptor = NULL; - struct auth_user_info_dc *user_info_dc = NULL; struct security_token *security_token = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS | @@ -3450,18 +3454,6 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( server_name, proxy_dn); - code = kerberos_pac_to_user_info_dc(mem_ctx, - header_pac, - context, - &user_info_dc, - AUTH_INCLUDE_RESOURCE_GROUPS, - NULL, - NULL, - NULL); - if (code != 0) { - goto out; - } -- Samba Shared Repository
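Review bot: In encode_claims_set() (source4/auth/session.c) the three talloc_zero() calls become plain talloc(), so each struct holds garbage until the compound-literal assignment several lines below; that is only safe because every allocation is fully assigned before use and the error paths in between just free tmp_ctx. The compound literals zero the members they do not name, so behaviour matches the old talloc_zero(); a one-line comment on the first `*metadata_ndr = (struct CLAIMS_SET_METADATA_NDR) { ... }` saying the assignment is what initializes the unnamed members would stop a future reader from "fixing" it back to talloc_zero() or adding a use before the assignment.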
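Review bot: In claims_data_encoded_claims_set() (source4/auth/session.c) `len` is copied from claims_data->encoded_claims_set.length even when encoded_claims_set.data is NULL, so if the cached blob is ever inconsistent the caller gets a DATA_BLOB with data == NULL and a non-zero length; move `len = claims_data->encoded_claims_set.length;` inside the `if (claims_data->encoded_claims_set.data != NULL)` branch (initializing `size_t len = 0;` at declaration) so the returned blob is always self-consistent. The talloc_reference() also deserves a comment: the caller receives a reference, not a copy, so freeing mem_ctx drops only that reference and the blob cached in claims_data stays alive, and the header comment in session.h should say that mem_ctx owns a reference to the result.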
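Review bot: The new `authentication_was_compounded && num_device_sids` guard in security_token_create() (source4/dsdb/samdb/samdb.c) avoids a zero-length talloc_array(), but it also means ptoken->device_sids stays NULL for a compounded authentication that carries no device SIDs; make sure consumers decide "was this authentication compounded" from a separate indication (or from the SID count) rather than from device_sids != NULL, and add a comment above the condition stating that NULL here does not mean "not compounded".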
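Review bot: In samba_kdc_message2entry() (source4/kdc/db-glue.c) the blanket `ret = EINVAL` mapping is replaced by propagating whatever samba_kdc_get_user_info_from_db() now returns, and user_info_dc is allocated on tmp_ctx instead of on the entry `p`; confirm the new return type is a krb5_error_code (so `if (ret) { goto out; }` hands the caller a meaningful code rather than a raw LDB or NTSTATUS value) and that nothing stashes user_info_dc in the entry past tmp_ctx's lifetime. The comment block above the call, which talks about Protected Users, would be a good place to note that this lookup is now temporary.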
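Review bot: In the samba_kdc_check_s4u2proxy_rbcd() signature (source4/kdc/db-glue.c) the new `const struct auth_claims auth_claims` parameter is passed by value, unlike the neighbouring `const struct auth_user_info_dc *` parameters; passing `const struct auth_claims *auth_claims` would be consistent with the other new parameters and avoids copying the struct on every call. Removing the kerberos_pac_to_user_info_dc() block also removes the assignment to `code` before its `goto out`, so check that `code` is initialized on every remaining `goto out` path, and since user_info_dc now comes from the caller, either a NULL check or a comment stating that callers guarantee it is non-NULL belongs at its first use.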