The branch, master has been updated
       via  310629508bf gitignore: add WAF lockfile
       via  e2ace2d6137 build: Add 'make printversion' to provide version string
       via  53ff61bbddd s4:kdc: Remove unused function int2SDBFlags()
       via  7405a8fab0d s4:kdc: Explicitly initialize SDBFlags structures
       via  9fcace5818a s4:kdc: Make ‘struct user_info_dc’ members const
       via  b7b4c7ca8c4 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)
       via  c15a9af8e58 tests/krb5: Fix ASN.1 source
       via  1712449aa67 tests/krb5: Don’t expect groups if we’re expecting an error
       via  a8a186868e4 tests/krb5: Fix tests that crash Windows
       via  52ea480543b tests/krb5: Expect a status code with policy errors
       via  b5b8b16a50e tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
       via  35c7061f97a buildtools: Correctly raise exception
       via  ec23abfe1f7 buildtools: Don’t call normpath() repeatedly
      from  bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 310629508bfbedecfab9b653b7cba0282f5c0e8b
Author: Michael Adam <ob...@samba.org>
Date:   Mon Oct 16 19:04:55 2023 +0200

    gitignore: add WAF lockfile

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

    Signed-off-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Christof Schmitt <christof.schm...@us.ibm.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224

commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a
Author: Christof Schmitt <christof.schm...@us.ibm.com>
Date:   Thu Sep 12 16:11:34 2013 -0700

    build: Add 'make printversion' to provide version string

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497

    Signed-off-by: Christof Schmitt <christof.schm...@us.ibm.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 53ff61bbddd5c4db6f0849c833c800f2a792e45f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 12 11:56:01 2023 +1300

    s4:kdc: Remove unused function int2SDBFlags()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7405a8fab0d4a8ba31213abbe2bfaa1197fd3415
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 12 11:54:50 2023 +1300

    s4:kdc: Explicitly initialize SDBFlags structures

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9fcace5818a43770c2f30710fb32e0db8dd599c3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 12 13:40:21 2023 +1300

    s4:kdc: Make ‘struct user_info_dc’ members const

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b7b4c7ca8c4309e9563ac90378b84e4b83bd1eab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Oct 6 14:11:24 2023 +1300

    s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667)

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c15a9af8e58075f364c617578abee9b897abc342
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 16 15:37:29 2023 +1300

    tests/krb5: Fix ASN.1 source

    It currently fails to compile.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1712449aa67d52ff5f3bb6b673644b25bce41086
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 16 14:41:51 2023 +1300

    tests/krb5: Don’t expect groups if we’re expecting an error

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a8a186868e4f4e8a8d711437747e6af47edb9be9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 2 12:20:48 2023 +1300

    tests/krb5: Fix tests that crash Windows

    Expect an actual error code or an outcome, not CRASHES_WINDOWS.

    I don’t know which error codes Windows might be expected to produce,
    so I’ve chosen some that seem plausible.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 52ea480543b53173b9f92550b844224d17c14c51
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 14:03:33 2023 +1300

    tests/krb5: Expect a status code with policy errors

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5b8b16a50ecb7225fe1bfa31d3a839efdd9f7d0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 13:34:29 2023 +1300

    tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD

    If we’re verifying that a ticket was permitted to be issued by an RODC,
    and not trusting the group SIDs in the ticket, is there any reason to
    ban its use with RBCD? A client with a ticket issued by an RODC that
    happens to select a DC to direct an RBCD request at should not have the
    request mysteriously fail.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 35c7061f97a1f0dd79efe3a567b7054304192f55
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Oct 13 12:38:35 2023 +1300

    buildtools: Correctly raise exception

    This avoids errors like the following:

    ‘RuntimeError: No active exception to reraise’

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ec23abfe1f77b756ea63f4fc0a572c4d9cd8c30b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Oct 13 11:23:27 2023 +1300

    buildtools: Don’t call normpath() repeatedly

    A non‐negligible fraction of the build process — especially for
    incremental builds — is spent calling normpath() over and over again.
    Make builds faster by not doing that.

Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: .gitignore | 1 + Makefile | 4 + buildtools/wafsamba/samba_utils.py | 6 +- python/samba/tests/krb5/conditional_ace_tests.py | 131 ++++++++++++++--------- python/samba/tests/krb5/rfc4120.asn1 | 2 +- selftest/knownfail_heimdal_kdc | 21 ---- source4/dsdb/samdb/ldb_modules/samba_dsdb.c | 7 +- source4/kdc/db-glue.c | 4 +- source4/kdc/pac-glue.c | 5 +- source4/kdc/samba_kdc.h | 6 +- source4/kdc/sdb.c | 28 ----- source4/kdc/sdb.h | 1 - wscript | 5 + 13 files changed, 107 insertions(+), 114 deletions(-) Changeset truncated at 500 lines: diff --git a/.gitignore b/.gitignore index de3feaabf28..9a663e2a065 100644 --- a/.gitignore +++ b/.gitignore @@ -88,3 +88,4 @@ compile_commands.json .clangd/ .cache/ .ropeproject/ +.tmplock diff --git a/Makefile b/Makefile index 09700af32c2..b037c398391 100644 --- a/Makefile +++ b/Makefile @@ -67,6 +67,10 @@ distcheck: touch .tmplock WAFLOCK=.tmplock $(WAF) distcheck +printversion: + touch .tmplock + WAFLOCK=.tmplock $(WAF) printversion + clean: $(WAF) clean diff --git a/buildtools/wafsamba/samba_utils.py b/buildtools/wafsamba/samba_utils.py index 39512f0ac96..f287e85d838 100644 --- a/buildtools/wafsamba/samba_utils.py +++ b/buildtools/wafsamba/samba_utils.py @@ -469,8 +469,7 @@ def RECURSE(ctx, directory): return ctx.recurse(relpath) if 'waflib.extras.compat15' in sys.modules: return ctx.recurse(relpath) - Logs.error('Unknown RECURSE context class: {}'.format(ctxclass)) - raise + raise Errors.WafError('Unknown RECURSE context class: {}'.format(ctxclass)) Options.OptionsContext.RECURSE = RECURSE Build.BuildContext.RECURSE = RECURSE 
@@ -710,8 +709,9 @@ def samba_before_apply_obj_vars(self): """before apply_obj_vars for uselib, this removes the standard paths""" def is_standard_libpath(env, path): + normalized_path = os.path.normpath(path) for _path in env.STANDARD_LIBPATH: - if _path == os.path.normpath(path): + if _path == normalized_path: return True return False diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index 5c5616ce1f1..62f2e7a647a 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -1350,7 +1350,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): ('{a}', claims.CLAIM_TYPE_BOOLEAN, [2]), ('{b}', claims.CLAIM_TYPE_BOOLEAN, [3]), ]), - ], '{a} == {b}', CRASHES_WINDOWS), + ], '{a} == {b}', (None, CRASHES_WINDOWS)), ([ (claims.CLAIMS_SOURCE_TYPE_AD, [ ('{a}', claims.CLAIM_TYPE_BOOLEAN, [1]), @@ -1469,7 +1469,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): (claims.CLAIMS_SOURCE_TYPE_AD, [ ('{larger_claim}', claims.CLAIM_TYPE_STRING, ['z' * 100000]), ]), - ], '{larger_claim} > "z"', CRASHES_WINDOWS), + ], '{larger_claim} > "z"', (True, CRASHES_WINDOWS)), # Test a great number of claims. Windows does not appear to like # receiving this many claims. ([ @@ -1477,7 +1477,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): ('{many_claims}', claims.CLAIM_TYPE_UINT64, list(range(0, 100000))), ]), - ], '{many_claims} Any_of "99999"', CRASHES_WINDOWS), + ], '{many_claims} Any_of "99999"', (True, CRASHES_WINDOWS)), # Test a claim with a very long name. Much larger than this, and # conditional_ace_encode_binary() will refuse to encode the conditions. ([ 
@@ -1565,18 +1565,18 @@ class ConditionalAceTests(ConditionalAceBaseTests): (claims.CLAIMS_SOURCE_TYPE_AD, [ ('{invalid_sid}', 5, []), ]), - ], '{invalid_sid} == {invalid_sid}', CRASHES_WINDOWS), + ], '{invalid_sid} == {invalid_sid}', (None, CRASHES_WINDOWS)), ([ (claims.CLAIMS_SOURCE_TYPE_AD, [ ('{invalid_octet_string}', 16, []), ]), - ], '{invalid_octet_string} == {invalid_octet_string}', CRASHES_WINDOWS), + ], '{invalid_octet_string} == {invalid_octet_string}', (None, CRASHES_WINDOWS)), # Sending an empty string will crash Windows. ([ (claims.CLAIMS_SOURCE_TYPE_AD, [ ('{empty_string}', claims.CLAIM_TYPE_STRING, ['']), ]), - ], '{empty_string}', CRASHES_WINDOWS), + ], '{empty_string}', (None, CRASHES_WINDOWS)), # But sending empty arrays is OK. ([ (claims.CLAIMS_SOURCE_TYPE_AD, [ @@ -1595,8 +1595,13 @@ class ConditionalAceTests(ConditionalAceBaseTests): outcome): self.assertIsInstance(expression, str) - if outcome is CRASHES_WINDOWS and not self.crash_windows: - self.skipTest('test crashes Windows servers') + try: + outcome, crashes_windows = outcome + self.assertIs(crashes_windows, CRASHES_WINDOWS) + if not self.crash_windows: + self.skipTest('test crashes Windows servers') + except TypeError: + self.assertIsNot(outcome, CRASHES_WINDOWS) if claim_map is None: claim_map = {} 
@@ -2145,37 +2150,34 @@ class ConditionalAceTests(ConditionalAceBaseTests): def test_rbcd_device_from_rodc(self): self._rbcd('Member_of SID({service_sid})', device_from_rodc=True, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_rbcd_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', service_from_rodc=True, - code=KDC_ERR_BADOPTION, edata=self.expect_padata_outer) def test_rbcd_device_and_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', service_from_rodc=True, device_from_rodc=True, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_rbcd_client_from_rodc(self): self._rbcd('Member_of SID({service_sid})', client_from_rodc=True, - code=KDC_ERR_MODIFIED, edata=self.expect_padata_outer) def test_rbcd_client_and_device_from_rodc(self): self._rbcd('Member_of SID({service_sid})', client_from_rodc=True, device_from_rodc=True, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_rbcd_client_and_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', client_from_rodc=True, service_from_rodc=True, - code=KDC_ERR_BADOPTION, edata=self.expect_padata_outer) def test_rbcd_all_from_rodc(self): @@ -2183,7 +2185,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): client_from_rodc=True, service_from_rodc=True, device_from_rodc=True, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def _rbcd(self, rbcd_expression=None, @@ -2206,8 +2208,13 @@ class ConditionalAceTests(ConditionalAceBaseTests): expected_groups=None, expected_device_groups=None, expected_claims=None): - if code is CRASHES_WINDOWS and not self.crash_windows: - self.skipTest('test crashes Windows servers') + try: + code, crashes_windows = code + self.assertIs(crashes_windows, CRASHES_WINDOWS) + if not self.crash_windows: + self.skipTest('test crashes Windows servers') + except TypeError: + self.assertIsNot(code, CRASHES_WINDOWS) samdb = self.get_samdb() functional_level = self.get_domain_functional_level(samdb) 
@@ -2389,7 +2396,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.aa_asserted_identity})', client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, event=AuditEvent.KERBEROS_SERVER_RESTRICTION, @@ -2405,8 +2411,10 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.aa_asserted_identity})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, edata=self.expect_padata_outer) def test_tgs_without_aa_asserted_identity_device_from_rodc(self): @@ -2418,8 +2426,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.aa_asserted_identity})', device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_without_aa_asserted_identity_both_from_rodc(self): client_sids = { @@ -2431,8 +2442,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): client_from_rodc=True, device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_with_aa_asserted_identity(self): client_sids = { 
@@ -2455,9 +2469,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.aa_asserted_identity})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=KDC_ERR_POLICY, - edata=self.expect_padata_outer) + expected_groups=client_sids) def test_tgs_with_aa_asserted_identity_device_from_rodc(self): client_sids = { @@ -2470,7 +2482,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_tgs_with_aa_asserted_identity_both_from_rodc(self): client_sids = { @@ -2484,7 +2496,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_tgs_without_service_asserted_identity(self): client_sids = { @@ -2494,7 +2506,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.service_asserted_identity})', client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, event=AuditEvent.KERBEROS_SERVER_RESTRICTION, @@ -2510,8 +2521,10 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.service_asserted_identity})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, edata=self.expect_padata_outer) def test_tgs_without_service_asserted_identity_device_from_rodc(self): 
@@ -2523,8 +2536,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.service_asserted_identity})', device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_without_service_asserted_identity_both_from_rodc(self): client_sids = { @@ -2536,8 +2552,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): client_from_rodc=True, device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_with_service_asserted_identity(self): client_sids = { @@ -2560,9 +2579,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({self.service_asserted_identity})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=KDC_ERR_POLICY, - edata=self.expect_padata_outer) + expected_groups=client_sids) def test_tgs_with_service_asserted_identity_device_from_rodc(self): client_sids = { @@ -2575,7 +2592,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_tgs_with_service_asserted_identity_both_from_rodc(self): client_sids = { @@ -2589,7 +2606,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_tgs_without_claims_valid(self): client_sids = { 
@@ -2599,7 +2616,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})', client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, event=AuditEvent.KERBEROS_SERVER_RESTRICTION, @@ -2615,8 +2631,10 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, code=KDC_ERR_POLICY, + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, edata=self.expect_padata_outer) def test_tgs_without_claims_valid_device_from_rodc(self): @@ -2628,8 +2646,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})', device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_without_claims_valid_both_from_rodc(self): client_sids = { @@ -2641,8 +2662,11 @@ class ConditionalAceTests(ConditionalAceBaseTests): client_from_rodc=True, device_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(KDC_ERR_POLICY, CRASHES_WINDOWS), + status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + event=AuditEvent.KERBEROS_SERVER_RESTRICTION, + reason=AuditReason.ACCESS_DENIED, + edata=self.expect_padata_outer) def test_tgs_with_claims_valid(self): client_sids = { 
@@ -2665,9 +2689,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._tgs(f'Member_of SID({security.SID_CLAIMS_VALID})', client_from_rodc=True, client_sids=client_sids, - expected_groups=client_sids, - code=KDC_ERR_POLICY, - edata=self.expect_padata_outer) + expected_groups=client_sids) def test_tgs_with_claims_valid_device_from_rodc(self): client_sids = { @@ -2680,7 +2702,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def test_tgs_with_claims_valid_both_from_rodc(self): client_sids = { @@ -2694,7 +2716,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): device_from_rodc=True, client_sids=client_sids, expected_groups=client_sids, - code=CRASHES_WINDOWS) + code=(0, CRASHES_WINDOWS)) def _tgs(self, target_policy=None, @@ -2713,8 +2735,13 @@ class ConditionalAceTests(ConditionalAceBaseTests): expected_groups=None, expected_device_groups=None, expected_claims=None): - if code is CRASHES_WINDOWS and not self.crash_windows: - self.skipTest('test crashes Windows servers') + try: + code, crashes_windows = code + self.assertIs(crashes_windows, CRASHES_WINDOWS) + if not self.crash_windows: + self.skipTest('test crashes Windows servers') + except TypeError: + self.assertIsNot(code, CRASHES_WINDOWS) samdb = self.get_samdb() functional_level = self.get_domain_functional_level(samdb) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 62af4207d61..1b2c7cc06dc 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -129,7 +129,7 @@ -- Support. For questions and support, please contact doch...@microsoft.com - The above is the IPR notice from MS-KILE +-- The above is the IPR notice from MS-KILE KerberosV5Spec2 { iso(1) identified-organization(3) dod(6) internet(1) 
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 2ef041b6a29..842309bafe8 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -111,12 +111,8 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_1_b_6_1___a_or_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_a_6_2_b_6_3___a_equals_b_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_b_6_1___b_or_b_or_b_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_empty_string_3___empty_string_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_and_true_boolean_6_0_1___false_and_true_boolean_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_false_boolean_6_0___false_boolean_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_octet_string_16___invalid_octet_string_equals_invalid_octet_string_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_invalid_sid_5___invalid_sid_equals_invalid_sid_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_larger_claim_3_zzzzzzzzzzzzzzzzzzz ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_many_claims_2_0_1_2_3_4_5_6_7_8_9_10 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_non_empty_string_3_foo_bar___non_empty_string_\(ad_dc\) 
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_nonzero_int_1_1___nonzero_int_\(ad_dc\) 
@@ -129,35 +125,18 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_all_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_and_service_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_both_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_aa_asserted_identity_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\) 
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_both_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_claims_valid_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_both_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_service_asserted_identity_device_from_rodc\(ad_dc\) # # Conditional ACE device restrictions # diff --git a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c b/source4/dsdb/samdb/ldb_modules/samba_dsdb.c index d9de16e02c2..37213a5febc 100644 --- a/source4/dsdb/samdb/ldb_modules/samba_dsdb.c -- Samba Shared Repository
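Review bot: the new `printversion` target in the Makefile hunk (@@ -67,6 +67,10) is not declared phony in the visible lines; if the Makefile keeps a `.PHONY` list, add `printversion` to it so that a stray file named `printversion` in the tree cannot silently satisfy the target. The `touch .tmplock` / `WAFLOCK=.tmplock` pair mirrors the existing `distcheck` target, so that part is consistent, but it is why the .gitignore hunk has to add `.tmplock`; a one-line comment above the target saying the lock file is intentionally left behind would spare the next reader the same question.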
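Review bot: the RECURSE hunk in buildtools/wafsamba/samba_utils.py (@@ -469,8 +469,7) replaces the bare `raise` with `raise Errors.WafError('Unknown RECURSE context class: {}'.format(ctxclass))`, but the visible lines do not show `Errors` being imported in this module. Confirm that `from waflib import Errors` (or an equivalent import) is already present; otherwise the path that used to fail with `RuntimeError: No active exception to reraise` will now fail with a `NameError` instead. Dropping the `Logs.error(...)` call also moves the message from the log to the exception text, which is worth a sentence in the commit message so nobody later re-adds the log line and prints it twice.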
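Review bot: the `try: code, crashes_windows = code ... except TypeError:` block is pasted verbatim into three hunks of conditional_ace_tests.py (@@ -1595 in the claim-comparison test, where the variable is `outcome`; @@ -2206 in `_rbcd`; @@ -2713 in `_tgs`); move it into one helper on the base class so the skip logic has a single definition. Using `TypeError` to detect "not a tuple" is also fragile: a two-character string would unpack without error, a three-element tuple raises `ValueError` rather than `TypeError` and so escapes the `except`, and the `assertIs`/`skipTest` calls sit inside the `try` where they do not belong. An explicit `if isinstance(code, tuple):` branch, with the `assertIsNot(code, CRASHES_WINDOWS)` check in the `else`, expresses the intent directly and fails loudly on a malformed expectation.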
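Review bot: in the @@ -2145,37 +2150,34 hunk, `test_rbcd_service_from_rodc`, `test_rbcd_client_from_rodc` and `test_rbcd_client_and_service_from_rodc` drop their `code=KDC_ERR_BADOPTION` / `code=KDC_ERR_MODIFIED` lines, so they now expect the RBCD request to succeed, yet each keeps `edata=self.expect_padata_outer`. Elsewhere in the same change (for example @@ -2455, where `code=KDC_ERR_POLICY` is removed) the `edata=` line goes away together with the error code. Remove it here as well, unless `_rbcd` ignores `edata` on a successful response, in which case the leftover argument is only misleading.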
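Review bot: the `code=(KDC_ERR_POLICY, CRASHES_WINDOWS)` expectations added in the `device_from_rodc` and `both_from_rodc` TGS hunks (@@ -2418, @@ -2431, @@ -2523, @@ -2536, @@ -2628, @@ -2641), together with their `status=`, `event=` and `reason=` values, are by the commit message's own account plausible guesses rather than observed Windows behaviour. Record that in the test source, either with a short comment on each case or by routing them through one named helper with the caveat documented once, so a later reader knows these particular expectations have not been verified against Windows and can revisit them once a Windows build that survives the request is available.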
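Review bot: none of the commit messages in this push mentions selftest/knownfail_heimdal_kdc, yet the hunks at @@ -111,12 +111,8 and @@ -129,35 +125,18 remove entries such as `test_rbcd_all_from_rodc`, `test_rbcd_device_from_rodc` and `test_rbcd_client_and_service_from_rodc` while leaving `test_rbcd_client_from_rodc`, `test_rbcd_client_and_device_from_rodc` and the `*_client_from_rodc` / `*_both_from_rodc` `test_tgs_with_*` cases listed as known failures. A sentence in the RODC/RBCD commit explaining why the Heimdal KDC still fails the remaining client-from-RODC cases would make the selection reviewable; as it stands it has to be reverse-engineered from the test edits.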