The branch, master has been updated via e7f38c3a190 pytest:samba-tool domain test policy: test SDDL diagnostics via d915443ab00 pytest: samba_tool domain auth policy fix for SDDL err msg via cc2498f35b4 samba-tool: try to present diagnostics for SDDL errors. via 42b5a09a031 pytest:sddl: assert SDDLValueError values make sense via d7fe04205f8 s4/librpc/py_security: use SDDLValueError for better error messages via fd8cf82be1e pytest:sddl: handle SDDLValueError via 328ddf6d3aa pytest:security_descriptors: handle SDDLValueError via d47c6654f96 pytest: sid_strings: handle SDDLValueError via 054725440f2 s4/librpc/py_security: add SDDLValueError via 0c123e142f4 ndr/py_security: mod patch reports errors via cbf8349ec53 lib/ldb: pyldb search iterator avoids exception leak via 1d8024e733e lib/ldb: py LDBError avoids leak and checks for alloc failure via ffa08426e0e libcli/security: conditional ace err messages don't hardcode offset via c31d41d7219 libcli/security: sddl: guard against inconsistent msg pointers via c63a8989770 libcli/security: sddl: remove unreachable debug via 67fa97d61f9 libcli/security: sddl_decode_ace/acl pass through messages via 93347aa5af1 libcli/security: add sddl_decode_err_msg() via 9b57d5cd5c8 libcli/security: sddl_conditional_ace: ensure message is talloced via cc11165ecbc libcli/security: sddl: check a talloc_zero via 5319c5bdac8 libcli/security: SDDL accepts lowercase "s-" in SIDs via c75be6c3261 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits via a396b705c8a librpc:ndr: Introduce ‘ndr_flags_type’ type via c4f281e9ae3 librpc:ndr: Introduce ‘libndr_flags’ type via 4ec7578e79c s4:torture: Make static variables constant via 83c68236526 librpc:ndr: Fix code spelling via 0071a60fb63 dcerpc.idl: Use simple boolean value instead of flag via bea9958b607 s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data() via 57c543a1d91 third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617) via b06751389db s4:auth: Comment about claims in the security token via ebbba22cfbd s4:auth: Remove trailing whitespace via 0733ea3663f s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself via f8bfd607ca3 tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs via 6760dd48ad0 s4:kdc: Do not add Claims Valid SID twice via 54eb175816b tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’ via 66b45978621 tests/krb5: Don’t pass unnecessary parameter via 2b69e1e7c31 tests/krb5: Use __slots__ to indicate which attributes are used by classes via b0da50b5b0d s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it via 915b40521e6 s4:auth: Check that the PAC is not NULL before dereferencing it via 76e27c3ab13 libcli/security: Add sid_attrs_contains_sid() via 69edfd7b11a libcli/security: Make use of sids_contains_sid() via 04611d9ebc1 libcli/security: Add sids_contains_sid() via ce3f04dca9a libcli/security: Make use of sids_contains_sid_attrs() via 5ff72d0e04e libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs() via 487e21ec899 s4:dsdb: Make sids_contains_sid() usable by other Samba modules via ce9fbceadba libcli/security: Correct function documentation via 01b89669931 libcli/security: Remove unnecessary return statement via 12b0c9d043f s4:dsdb: Align integer type via 3b936623a42 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs via 7ba4bb81645 tests/krb5: Add tests to see how SIDs are conveyed from PACs via dc1e2b41ca4 tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs via 947d3e5932e tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC from 1862561d1a1 smbd: Open file as REPARSE_POINT in unlink_internals()
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e7f38c3a190c0faacdbab230439d98d7e3fe7c0e Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sat Oct 28 12:09:04 2023 +1300 pytest:samba-tool domain test policy: test SDDL diagnostics The existing 'bad SDDL' test has SDDL so bad that the diagnostics are not exercised. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Wed Nov 1 21:12:33 UTC 2023 on atb-devel-224 commit d915443ab0076389036890c0046de9d33c5d7be6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Oct 27 16:14:04 2023 +1300 pytest: samba_tool domain auth policy fix for SDDL err msg Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cc2498f35b4bc39b939069863ab5e8483aa026ec Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Oct 27 13:16:56 2023 +1300 samba-tool: try to present diagnostics for SDDL errors. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 42b5a09a0318580ae34fb9feabdd512d9ceb2935 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 16:31:40 2023 +1300 pytest:sddl: assert SDDLValueError values make sense Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d7fe04205f8dedd61404c2aa03f1dda7d2dc72b7 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 17:46:35 2023 +1300 s4/librpc/py_security: use SDDLValueError for better error messages The aim is to allow samba-tool to tell users where their SDDL went wrong. Some tests would turn into errors (not knownfail-able failures) if they were not changed at the same time, so they are changed too. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit fd8cf82be1e36a6398de3d6f48daf890a7fa8c9c Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sat Oct 28 11:39:17 2023 +1300 pytest:sddl: handle SDDLValueError Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 328ddf6d3aab9bc1dea13170b6acef391ba8d3de Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Oct 27 13:21:24 2023 +1300 pytest:security_descriptors: handle SDDLValueError Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit d47c6654f9603bab40e53a422a2f34187f7b2fb8 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Oct 27 13:20:33 2023 +1300 pytest: sid_strings: handle SDDLValueError Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 054725440f2d5452219fbbaa868feb2fe862c3ba Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Oct 25 15:56:30 2023 +1300 s4/librpc/py_security: add SDDLValueError This will soon be raised for SDDL parsing errors. It would have been nice to have it as a subclass of ValueError, meaning that all existing callers would continue to catch this error as before, but it turns out that that is quite difficult. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0c123e142f41092210c953f82db29d4eff6950e6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Oct 27 13:19:47 2023 +1300 ndr/py_security: mod patch reports errors We can, so we might as well. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cbf8349ec53d0f4e50397149bff3fec5e18004d8 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Oct 25 13:18:34 2023 +1300 lib/ldb: pyldb search iterator avoids exception leak Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 1d8024e733e9717e86883c03092264fbcf25ac1d Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Oct 25 13:15:36 2023 +1300 lib/ldb: py LDBError avoids leak and checks for alloc failure Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ffa08426e0e95e7a1e013ae9164b39072160ff4f Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Wed Nov 1 10:46:20 2023 +1300 libcli/security: conditional ace err messages don't hardcode offset Usually the conditions are embedded in part of some SDDL, and the offset from the beginning of the condtions is a bit useless and confusing. Callers of sddl_decode_err_msg get the offset from the beginning of the SDDL which is a different and more useful number. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c31d41d72199937f5902c3e32b88c4743522ef26 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 17:28:44 2023 +1300 libcli/security: sddl: guard against inconsistent msg pointers Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c63a8989770b99dcb6396e77c0a9f24ad4111627 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 17:25:43 2023 +1300 libcli/security: sddl: remove unreachable debug As it stands, ace_conditions_compile_sddl() won't produce a message when it succeeds (i.e. return non-NULL), so this debug is just clutter. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 67fa97d61f9ffc4d5a87d340954e55db8afea3d1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 17:20:49 2023 +1300 libcli/security: sddl_decode_ace/acl pass through messages Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 93347aa5af151c4441b768580d174a0d26fb5b91 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Thu Oct 26 16:55:33 2023 +1300 libcli/security: add sddl_decode_err_msg() This will return an error message, if it can, along with an indicative position. For conditional ACEs the message might be accurate, and the position fine-grained. For example, you might be able to construct the message like this: D:(XA;;CC;;;S-1-2-3;(@User.Title == !(@User.Title))) ^ 16: unexpected operator For non-conditional ACEs, the position typically points to the beginning of the ACE, like this: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A; OICI; GRGWGX;;;AU) ^ unknown error Here the error is in the spaces either side of " OICI; ", but the pointer points to the beginning of the ACE. The old sddl_decode() function becomes a wrapper around the new function, which inherits the guts of the old function. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 9b57d5cd5c880e1cd2ea43b586686481cb347aa6 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sat Oct 21 12:56:24 2023 +1300 libcli/security: sddl_conditional_ace: ensure message is talloced It is simpler for the message to have consistent parentage; it is easier to drop one message we'll never see than to talloc it. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit cc11165ecbcb1f51f853ffe8b1ab9ec338bfb4d0 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sat Oct 21 12:56:54 2023 +1300 libcli/security: sddl: check a talloc_zero Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5319c5bdac8ad299ad6538fa4d48293ab36d09e1 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Sat Oct 21 12:47:33 2023 +1300 libcli/security: SDDL accepts lowercase "s-" in SIDs This is what Windows does, and it removes a couple of knownfails. We can change it here cheaply without affecting the core dom_sid code, which is good because there seem to be other places where we need the uppercase S (for example in ldap search <SID=> queries). Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c75be6c326119a64e95513b3bad3f78522f4587a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 11:08:49 2023 +1300 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits This gives us thirty‐two new LIBNDR_ flags to play with. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit a396b705c8a8f3f0e10a925349034dd513cbc7dc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Oct 27 14:41:17 2023 +1300 librpc:ndr: Introduce ‘ndr_flags_type’ type Instead of ‘int’ or ‘uint32_t’, neither of which convey much meaning, consistently use a newly added type to hold NDR_ flags. Update the NDR 4.0.0 ABI. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit c4f281e9ae36c225b6003e0fa1cb8fb2e67bf543 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 10 15:47:03 2023 +1200 librpc:ndr: Introduce ‘libndr_flags’ type The LIBNDR_FLAG_ namespace is getting dangerously full, with only a single flag value (1 << 9) remaining for use. After that flag is put into use, we won’t be able to add any new flags without increasing the flag width to 64‐bit. Up to now we’ve used a haphazard mix of int, unsigned, and uint32_t to store these flags. Introduce a new type, ‘libndr_flags’, to be used consistently to hold LIBNDR flags. If in the future we find we need to move to 64‐bit flags, this type gives us an opportunity to do that. Bump the NDR version to 4.0.0 — an major version increment, for we’re changing the function ABI and adding the new symbol ndr_print_libndr_flags. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4ec7578e79cf821e6dc8945eee393635cd4c62ca Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 11:04:58 2023 +1300 s4:torture: Make static variables constant Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 83c68236526289a0e063b2a15fc3017f4c4e63e9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Oct 27 13:00:42 2023 +1300 librpc:ndr: Fix code spelling Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0071a60fb635b87499f9c9ee0ca4cf360d80d134 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 11 12:00:24 2023 +1200 dcerpc.idl: Use simple boolean value instead of flag One advantage of this is that the type of the switch value is no longer tied to the type of the NDR flags. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit bea9958b60754dd4dec08a862ea1bd356b7e4b06 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Oct 11 16:31:13 2023 +1300 s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data() NOTE: This commit finally works again! Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 57c543a1d91112301b38e3832f706684b4d30877 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 13:22:05 2023 +1300 third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b06751389db1faf9f74bfe172e15ad291d9135b6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 16:18:35 2023 +1300 s4:auth: Comment about claims in the security token Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ebbba22cfbd50c854da30b03360f559a8f49f9a6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Oct 19 19:45:17 2023 +1300 s4:auth: Remove trailing whitespace Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 0733ea3663f0bad035795e35e9ad909a5488fb85 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 16:14:26 2023 +1300 s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself samba_kdc_get_user_info_dc() will add the Asserted Identity and Claims Valid SIDs as appropriate. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit f8bfd607ca3701384622caf2a223883f57ce1c36 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 16:08:41 2023 +1300 tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs These tests crash Windows, but we can assume reasonable behaviour for Samba. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 6760dd48ad0c0e7e003c1911a79535d144655126 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 14:50:12 2023 +1300 s4:kdc: Do not add Claims Valid SID twice samba_kdc_get_user_info_dc() now adds the SID itself. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 54eb175816b72e7274a66ef718b3f33a9c007f71 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 13:49:09 2023 +1300 tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’ Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 66b45978621ad8b02dc2cdf957c25bd2982c0505 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 31 10:52:03 2023 +1300 tests/krb5: Don’t pass unnecessary parameter Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 2b69e1e7c316e634090aad1d97ecadf8cdf529f3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:05:17 2023 +1300 tests/krb5: Use __slots__ to indicate which attributes are used by classes These should help to catch mistaken attempts to set invalid attributes. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit b0da50b5b0d4817184202c63ddeb71e1c20b631e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 15:12:34 2023 +1300 s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 915b40521e660a4e685f45bbb4dd1bc7308492d1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 15:09:28 2023 +1300 s4:auth: Check that the PAC is not NULL before dereferencing it Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 76e27c3ab1349fb4b7a71d7420a4616275befa37 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 15:03:04 2023 +1300 libcli/security: Add sid_attrs_contains_sid() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 69edfd7b11ab01ca321eaa85a80e5e44e4b2ff02 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:52:42 2023 +1300 libcli/security: Make use of sids_contains_sid() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 04611d9ebc1c54c6ec6ee3a6a365035dd477283c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:51:17 2023 +1300 libcli/security: Add sids_contains_sid() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ce3f04dca9a673517879998af60fd7b346201de3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:35:12 2023 +1300 libcli/security: Make use of sids_contains_sid_attrs() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5ff72d0e04e6c8d55c32ad9a73c9b79c4893f83a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:48:23 2023 +1300 libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 487e21ec89999f1357db4144775d1923d99260f5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:33:00 2023 +1300 s4:dsdb: Make sids_contains_sid() usable by other Samba modules Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit ce9fbceadbabe35cae07f5b0c52d0258ded782ee Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:32:09 2023 +1300 libcli/security: Correct function documentation Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 01b8966993186ce3f71e8d938c2cc28c4fbaf77b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:21:42 2023 +1300 libcli/security: Remove unnecessary return statement Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 12b0c9d043ff6ccff5e4d024dcf8dd2847e05734 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 14:17:31 2023 +1300 s4:dsdb: Align integer type Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 3b936623a421a5a25f3fce717a6ca8652e7e0845 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 13:40:37 2023 +1300 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7ba4bb81645be100ac2e871de6cf92a79a29fbe5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Oct 25 16:38:57 2023 +1300 tests/krb5: Add tests to see how SIDs are conveyed from PACs Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit dc1e2b41ca4bbd9882c2bcf5aa0bca217002fb80 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 16:12:36 2023 +1300 tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 947d3e5932e128fdbe782477e981087d8cf5bc26 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Oct 30 15:20:59 2023 +1300 tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/fuzzing/fuzz_ndr_X.c | 4 +- lib/ldb/pyldb.c | 23 +- libcli/nbt/nbtname.c | 10 +- libcli/security/dom_sid.h | 11 +- libcli/security/sddl.c | 102 ++++++--- libcli/security/sddl.h | 3 + libcli/security/sddl_conditional_ace.c | 20 +- libcli/security/secace.h | 3 +- libcli/security/util_sid.c | 99 +++++++-- librpc/ABI/{ndr-3.0.2.sigs => ndr-4.0.0.sigs} | 217 +++++++++--------- librpc/idl/dcerpc.idl | 4 +- librpc/idl/ntprinting.idl | 8 +- librpc/ndr/libndr.h | 129 ++++++----- librpc/ndr/ndr.c | 14 +- librpc/ndr/ndr_auth.c | 4 +- librpc/ndr/ndr_auth.h | 4 +- librpc/ndr/ndr_backupkey.c | 10 +- librpc/ndr/ndr_backupkey.h | 4 +- librpc/ndr/ndr_basic.c | 144 ++++++------ librpc/ndr/ndr_bkupblobs.c | 8 +- librpc/ndr/ndr_cab.c | 8 +- librpc/ndr/ndr_dcerpc.c | 12 +- librpc/ndr/ndr_dcerpc.h | 2 +- librpc/ndr/ndr_dns.c | 16 +- librpc/ndr/ndr_dns.h | 8 +- librpc/ndr/ndr_dns_utils.c | 2 +- librpc/ndr/ndr_dns_utils.h | 2 +- librpc/ndr/ndr_dnsp.c | 12 +- librpc/ndr/ndr_dnsp.h | 8 +- librpc/ndr/ndr_dnsserver.c | 8 +- librpc/ndr/ndr_dnsserver.h | 4 +- librpc/ndr/ndr_drsblobs.c | 16 +- librpc/ndr/ndr_drsblobs.h | 2 +- librpc/ndr/ndr_drsuapi.c | 18 +- librpc/ndr/ndr_drsuapi.h | 2 +- librpc/ndr/ndr_frsrpc.c | 10 +- librpc/ndr/ndr_frsrpc.h | 6 +- librpc/ndr/ndr_krb5pac.c | 14 +- librpc/ndr/ndr_krb5pac.h | 3 +- librpc/ndr/ndr_nbt.c | 36 +-- librpc/ndr/ndr_nbt.h | 12 +- librpc/ndr/ndr_negoex.c | 26 +-- librpc/ndr/ndr_negoex.h | 22 +- librpc/ndr/ndr_netlogon.c | 8 +- librpc/ndr/ndr_netlogon.h | 8 +- librpc/ndr/ndr_ntlmssp.c | 12 +- librpc/ndr/ndr_ntlmssp.h | 6 +- librpc/ndr/ndr_ntprinting.c | 8 +- librpc/ndr/ndr_ntprinting.h | 4 +- librpc/ndr/ndr_orpc.c | 8 +- librpc/ndr/ndr_preg.c | 8 +- librpc/ndr/ndr_preg.h | 4 +- librpc/ndr/ndr_sec_helper.c | 32 +-- librpc/ndr/ndr_spoolss_buf.c | 186 ++++++++-------- librpc/ndr/ndr_spoolss_buf.h | 52 ++--- librpc/ndr/ndr_string.c | 60 ++--- librpc/ndr/ndr_witness.c | 12 +- librpc/ndr/ndr_witness.h | 4 +- librpc/ndr/ndr_wmi.h | 4 +- librpc/ndr/ndr_xattr.c | 8 +- librpc/ndr/ndr_xattr.h | 4 +- librpc/rpc/dcerpc_pkt_auth.c | 2 +- librpc/rpc/dcerpc_util.c | 2 +- librpc/rpc/dcesrv_core.c | 2 +- librpc/rpc/dcesrv_core.h | 2 +- librpc/rpc/rpc_common.h | 10 +- librpc/tests/test_ndr_string.c | 6 +- librpc/tools/ndrdump.c | 2 +- librpc/wscript_build | 2 +- pidl/lib/Parse/Pidl/NDR.pm | 2 + pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 24 +- pidl/lib/Parse/Pidl/Samba4/Python.pm | 14 +- pidl/lib/Parse/Pidl/Typelist.pm | 2 + python/samba/netcmd/__init__.py | 28 +++ python/samba/tests/krb5/authn_policy_tests.py | 11 +- python/samba/tests/krb5/conditional_ace_tests.py | 244 +++++++++++++++++++-- python/samba/tests/krb5/device_tests.py | 100 +++++++++ python/samba/tests/krb5/kdc_base_test.py | 11 +- python/samba/tests/krb5/raw_testcase.py | 37 ++++ .../samba/tests/samba_tool/domain_auth_policy.py | 46 +++- python/samba/tests/sddl.py | 17 +- python/samba/tests/security.py | 2 +- python/samba/tests/security_descriptors.py | 3 +- python/samba/tests/sid_strings.py | 2 +- selftest/knownfail.d/sid-strings | 2 - selftest/knownfail_heimdal_kdc | 6 - selftest/knownfail_mit_kdc | 9 + source3/librpc/ndr/ndr_ads.c | 4 +- source3/libsmb/cliquota.c | 2 +- source3/rpc_client/cli_pipe.c | 2 +- source3/rpc_client/wsp_cli.c | 18 +- source3/winbindd/winbindd_dual_ndr.c | 2 +- source4/auth/kerberos/kerberos_pac.c | 5 + source4/auth/ntlm/auth.c | 53 +++-- source4/auth/session.c | 12 +- source4/dsdb/common/util_groups.c | 25 +-- source4/dsdb/wscript_build | 2 +- source4/kdc/hdb-samba4.c | 2 +- source4/kdc/pac-glue.c | 165 +++++++------- source4/lib/messaging/messaging.c | 2 +- source4/librpc/ndr/py_security.c | 72 +++++- source4/librpc/rpc/dcerpc.c | 2 +- source4/librpc/rpc/pyrpc.h | 2 +- source4/torture/ndr/ndr.c | 20 +- source4/torture/ndr/ndr.h | 10 +- source4/torture/ndr/string.c | 16 +- source4/torture/rpc/iremotewinspool.c | 2 +- third_party/heimdal/kdc/fast.c | 19 +- third_party/heimdal/kdc/kdc-plugin.c | 13 ++ third_party/heimdal/kdc/kerberos5.c | 21 -- third_party/heimdal/kdc/libkdc-exports.def | 2 +- third_party/heimdal/kdc/process.c | 3 +- third_party/heimdal/kdc/version-script.map | 2 +- third_party/heimdal/lib/base/heimbase-svc.h | 2 +- third_party/heimdal/tests/plugin/kdc_test_plugin.c | 8 +- 115 files changed, 1614 insertions(+), 960 deletions(-) copy librpc/ABI/{ndr-3.0.2.sigs => ndr-4.0.0.sigs} (62%) Changeset truncated at 500 lines: diff --git a/lib/fuzzing/fuzz_ndr_X.c b/lib/fuzzing/fuzz_ndr_X.c index a3d7199edc9..16109cccb2b 100644 --- a/lib/fuzzing/fuzz_ndr_X.c +++ b/lib/fuzzing/fuzz_ndr_X.c @@ -152,10 +152,10 @@ static void ndr_print_nothing(struct ndr_print *ndr, const char *format, ...) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { uint8_t type; - int pull_push_print_flags; + ndr_flags_type pull_push_print_flags; uint16_t fuzz_packet_flags, function; TALLOC_CTX *mem_ctx = NULL; - uint32_t ndr_flags = 0; + libndr_flags ndr_flags = 0; struct ndr_push *ndr_push; enum ndr_err_code ndr_err; struct ndr_interface_call f_buffer; diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c index 49641957223..f398887e579 100644 --- a/lib/ldb/pyldb.c +++ b/lib/ldb/pyldb.c @@ -266,13 +266,25 @@ static PyTypeObject PyLdbControl = { static void PyErr_SetLdbError(PyObject *error, int ret, struct ldb_context *ldb_ctx) { - if (ret == LDB_ERR_PYTHON_EXCEPTION) + PyObject *exc = NULL; + if (ret == LDB_ERR_PYTHON_EXCEPTION) { return; /* Python exception should already be set, just keep that */ - - PyErr_SetObject(error, - Py_BuildValue(discard_const_p(char, "(i,s)"), ret, - ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx))); + } + exc = Py_BuildValue("(i,s)", ret, + ldb_ctx == NULL?ldb_strerror(ret):ldb_errstring(ldb_ctx)); + if (exc == NULL) { + /* + * Py_BuildValue failed, and will have set its own exception. + * It isn't the one we wanted, but it will have to do. + * This is all very unexpected. + */ + fprintf(stderr, "could not make LdbError %d!\n", ret); + return; + } + PyErr_SetObject(error, exc); + Py_DECREF(exc); } + static PyObject *py_ldb_bytes_str(PyBytesObject *self) { char *msg = NULL; @@ -3005,6 +3017,7 @@ static PyObject *py_ldb_search_iterator_result(PyLdbSearchIteratorObject *self, if (self->state.exception != NULL) { PyErr_SetObject(PyExc_LdbError, self->state.exception); + Py_DECREF(self->state.exception); self->state.exception = NULL; return NULL; } diff --git a/libcli/nbt/nbtname.c b/libcli/nbt/nbtname.c index 1881e463635..a2b0d346c26 100644 --- a/libcli/nbt/nbtname.c +++ b/libcli/nbt/nbtname.c @@ -106,7 +106,7 @@ static uint8_t *compress_name(TALLOC_CTX *mem_ctx, /** pull a nbt name from the wire */ -_PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_name *r) +_PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct nbt_name *r) { uint8_t *scope; char *cname; @@ -155,7 +155,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_nbt_name(struct ndr_pull *ndr, int ndr_flags /** push a nbt name to the wire */ -_PUBLIC_ enum ndr_err_code ndr_push_nbt_name(struct ndr_push *ndr, int ndr_flags, const struct nbt_name *r) +_PUBLIC_ enum ndr_err_code ndr_push_nbt_name(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct nbt_name *r) { uint8_t *cname, *fullname; enum ndr_err_code ndr_err; @@ -326,7 +326,7 @@ _PUBLIC_ char *nbt_name_string(TALLOC_CTX *mem_ctx, const struct nbt_name *name) /** pull a nbt name, WINS Replication uses another on wire format for nbt name */ -_PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, int ndr_flags, struct nbt_name **_r) +_PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, ndr_flags_type ndr_flags, struct nbt_name **_r) { struct nbt_name *r; uint8_t *namebuf; @@ -400,7 +400,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_wrepl_nbt_name(struct ndr_pull *ndr, int ndr /** push a nbt name, WINS Replication uses another on wire format for nbt name */ -_PUBLIC_ enum ndr_err_code ndr_push_wrepl_nbt_name(struct ndr_push *ndr, int ndr_flags, const struct nbt_name *r) +_PUBLIC_ enum ndr_err_code ndr_push_wrepl_nbt_name(struct ndr_push *ndr, ndr_flags_type ndr_flags, const struct nbt_name *r) { uint8_t *namebuf; uint32_t namebuf_len; @@ -478,7 +478,7 @@ _PUBLIC_ void ndr_print_wrepl_nbt_name(struct ndr_print *ndr, const char *name, talloc_free(s); } -_PUBLIC_ enum ndr_err_code ndr_push_nbt_qtype(struct ndr_push *ndr, int ndr_flags, enum nbt_qtype r) +_PUBLIC_ enum ndr_err_code ndr_push_nbt_qtype(struct ndr_push *ndr, ndr_flags_type ndr_flags, enum nbt_qtype r) { /* For WACK replies, we need to send NBT_QTYPE_NETBIOS on the wire. */ NDR_CHECK(ndr_push_enum_uint16(ndr, NDR_SCALARS, (r == NBT_QTYPE_WACK) ? NBT_QTYPE_NETBIOS : r)); diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index e3be817dd43..343001e87ee 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -141,6 +141,15 @@ void del_sid_from_array(const struct dom_sid *sid, struct dom_sid **sids, bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx, uint32_t rid, uint32_t **pp_rids, size_t *p_num); bool is_null_sid(const struct dom_sid *sid); +bool sids_contains_sid(const struct dom_sid *sids, + const uint32_t num_sids, + const struct dom_sid *sid); +bool sid_attrs_contains_sid(const struct auth_SidAttr *sids, + const uint32_t num_sids, + const struct dom_sid *sid); +bool sids_contains_sid_attrs(const struct auth_SidAttr *sids, + const uint32_t num_sids, + const struct dom_sid *sid, + uint32_t attrs); #endif /*_DOM_SID_H_*/ - diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 5f8a01fbef8..15943e6aa24 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -208,7 +208,7 @@ static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha size_t i; /* see if its in the numeric format */ - if (strncmp(sddl, "S-", 2) == 0) { + if (strncasecmp(sddl, "S-", 2) == 0) { struct dom_sid *sid = NULL; char *sid_str = NULL; const char *end = NULL; @@ -230,6 +230,13 @@ static struct dom_sid *sddl_transition_decode_sid(TALLOC_CTX *mem_ctx, const cha if (sid_str == NULL) { return NULL; } + if (sid_str[0] == 's') { + /* + * In SDDL, but not in the dom_sid parsers, a + * lowercase "s-1-1-0" is accepted. + */ + sid_str[0] = 'S'; + } sid = talloc(mem_ctx, struct dom_sid); if (sid == NULL) { TALLOC_FREE(sid_str); @@ -481,16 +488,16 @@ static bool sddl_decode_guid(const char *str, struct GUID *guid) static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx, const char *conditions, - const char **message, - size_t *length) + size_t *length, + const char **msg, + size_t *msg_offset) { DATA_BLOB blob = {0}; struct ace_condition_script *script = NULL; - size_t message_offset; script = ace_conditions_compile_sddl(mem_ctx, conditions, - message, - &message_offset, + msg, + msg_offset, length); if (script != NULL) { bool ok = conditional_ace_encode_binary(mem_ctx, @@ -499,10 +506,6 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx, if (! ok) { DBG_ERR("could not blobify '%s'\n", conditions); } - if (*message) { - DBG_ERR(" %*c", (int)message_offset, '^'); - DBG_ERR("error '%s'\n", *message); - } } return blob; } @@ -516,7 +519,8 @@ static DATA_BLOB sddl_decode_conditions(TALLOC_CTX *mem_ctx, static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, struct security_ace *ace, char **sddl_copy, - struct sddl_transition_state *state) + struct sddl_transition_state *state, + const char **msg, size_t *msg_offset) { const char *tok[7]; const char *s; @@ -664,13 +668,14 @@ static bool sddl_decode_ace(TALLOC_CTX *mem_ctx, * conditional ACE compiler. */ size_t length; - const char *message = NULL; DATA_BLOB conditions = {0}; s = tok[6]; - conditions = sddl_decode_conditions(mem_ctx, s, &message, &length); + conditions = sddl_decode_conditions(mem_ctx, s, &length, msg, msg_offset); if (conditions.data == NULL) { - DBG_WARNING("Conditional ACE compilation failure: %s\n", message); + DBG_WARNING("Conditional ACE compilation failure at %zu: %s\n", + *msg_offset, *msg); + *msg_offset += s - *sddl_copy; return false; } ace->coda.conditions = conditions; @@ -729,7 +734,8 @@ static const struct flag_map acl_flags[] = { */ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, const char **sddlp, uint32_t *flags, - struct sddl_transition_state *state) + struct sddl_transition_state *state, + const char **msg, size_t *msg_offset) { const char *sddl = *sddlp; char *sddl_copy = NULL; @@ -789,8 +795,10 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, return NULL; } ok = sddl_decode_ace(acl->aces, &acl->aces[acl->num_aces], - &sddl_copy, state); + &sddl_copy, state, msg, msg_offset); if (!ok) { + *msg_offset += sddl_copy - aces_start; + talloc_steal(sd, *msg); talloc_free(acl); return NULL; } @@ -803,10 +811,14 @@ static struct security_acl *sddl_decode_acl(struct security_descriptor *sd, } /* - decode a security descriptor in SDDL format -*/ -struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, - const struct dom_sid *domain_sid) + * Decode a security descriptor in SDDL format, catching compilation + * error messages, if any. + * + * The message will be a direct talloc child of mem_ctx or NULL. + */ +struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl, + const struct dom_sid *domain_sid, + const char **msg, size_t *msg_offset) { struct sddl_transition_state state = { /* @@ -818,12 +830,24 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, .domain_sid = domain_sid, .forest_sid = domain_sid, }; + const char *start = sddl; struct security_descriptor *sd; sd = talloc_zero(mem_ctx, struct security_descriptor); - + if (sd == NULL) { + goto failed; + } sd->revision = SECURITY_DESCRIPTOR_REVISION_1; sd->type = SEC_DESC_SELF_RELATIVE; + if (msg != NULL) { + if (msg_offset == NULL) { + DBG_ERR("Programmer misbehaviour\n"); + goto failed; + } + *msg = NULL; + *msg_offset = 0; + } + while (*sddl) { uint32_t flags; char c = sddl[0]; @@ -833,13 +857,13 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, switch (c) { case 'D': if (sd->dacl != NULL) goto failed; - sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state); + sd->dacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset); if (sd->dacl == NULL) goto failed; sd->type |= flags | SEC_DESC_DACL_PRESENT; break; case 'S': if (sd->sacl != NULL) goto failed; - sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state); + sd->sacl = sddl_decode_acl(sd, &sddl, &flags, &state, msg, msg_offset); if (sd->sacl == NULL) goto failed; /* this relies on the SEC_DESC_SACL_* flags being 1 bit shifted from the SEC_DESC_DACL_* flags */ @@ -859,15 +883,43 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, goto failed; } } - return sd; - failed: + if (msg != NULL) { + if (*msg != NULL) { + *msg = talloc_steal(mem_ctx, *msg); + } + /* + * The actual message (*msg) might still be NULL, but the + * offset at least provides a clue. + */ + *msg_offset += sddl - start; + } DEBUG(2,("Badly formatted SDDL '%s'\n", sddl)); talloc_free(sd); return NULL; } + +/* + decode a security descriptor in SDDL format +*/ +struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, + const struct dom_sid *domain_sid) +{ + const char *msg = NULL; + size_t msg_offset = 0; + struct security_descriptor *sd = sddl_decode_err_msg(mem_ctx, sddl, domain_sid, + &msg, &msg_offset); + DBG_NOTICE("could not decode '%s'\n", sddl); + if (msg != NULL) { + DBG_NOTICE(" %*c\n", (int)msg_offset, '^'); + DBG_NOTICE("error '%s'\n", msg); + talloc_free(discard_const(msg)); + } + return sd; +} + /* turn a set of flags into a string */ diff --git a/libcli/security/sddl.h b/libcli/security/sddl.h index 824b7032546..c4dc72d834d 100644 --- a/libcli/security/sddl.h +++ b/libcli/security/sddl.h @@ -25,6 +25,9 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, const struct dom_sid *domain_sid); +struct security_descriptor *sddl_decode_err_msg(TALLOC_CTX *mem_ctx, const char *sddl, + const struct dom_sid *domain_sid, + const char **msg, size_t *msg_offset); char *sddl_encode(TALLOC_CTX *mem_ctx, const struct security_descriptor *sd, const struct dom_sid *domain_sid); char *sddl_encode_ace(TALLOC_CTX *mem_ctx, const struct security_ace *ace, diff --git a/libcli/security/sddl_conditional_ace.c b/libcli/security/sddl_conditional_ace.c index 2f243bca6a6..2a86cd34e7f 100644 --- a/libcli/security/sddl_conditional_ace.c +++ b/libcli/security/sddl_conditional_ace.c @@ -1268,7 +1268,6 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp, if (msg == NULL) { goto fail; } - comp->message_offset = comp->offset; if (comp->message == NULL) { /* @@ -1276,13 +1275,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp, * * This is the common case. */ - comp->message = talloc_asprintf(comp->mem_ctx, - "%"PRIu32": %s", - comp->offset, msg); - TALLOC_FREE(msg); - if (comp->message == NULL) { - goto fail; - } + comp->message_offset = comp->offset; + comp->message = msg; return; } /* @@ -1290,8 +1284,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp, * This is unlikely to happen. */ comp->message = talloc_asprintf(comp->mem_ctx, - "%s AND THEN %"PRIu32": %s", - comp->message, comp->offset, + "%s AND THEN %s", + comp->message, msg); TALLOC_FREE(msg); if (comp->message == NULL) { @@ -1299,7 +1293,8 @@ static void comp_error(struct ace_condition_sddl_compiler_context *comp, } return; fail: - comp->message = "failed to set error message"; + comp->message = talloc_strdup(comp->mem_ctx, + "failed to set error message"); } @@ -2736,8 +2731,7 @@ struct ace_condition_script * ace_conditions_compile_sddl( bool ok; struct ace_condition_sddl_compiler_context comp = {}; - /* just in case, a message for the next few tallocs */ - *message = "allocation error"; + *message = NULL; *message_offset = 0; ok = init_compiler_context(mem_ctx, diff --git a/libcli/security/secace.h b/libcli/security/secace.h index 8f1a5581d39..879c711e485 100644 --- a/libcli/security/secace.h +++ b/libcli/security/secace.h @@ -22,9 +22,10 @@ #define _ACE_H_ #include "librpc/gen_ndr/security.h" +#include "librpc/ndr/libndr.h" bool sec_ace_object(uint8_t type); -size_t ndr_subcontext_size_of_ace_coda(const struct security_ace *ace, size_t ace_size, int flags); +size_t ndr_subcontext_size_of_ace_coda(const struct security_ace *ace, size_t ace_size, libndr_flags flags); bool sec_ace_callback(uint8_t type); bool sec_ace_resource(uint8_t type); bool sec_ace_has_extra_blob(uint8_t type); diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c index 7c20836314f..54a2fc35fda 100644 --- a/libcli/security/util_sid.c +++ b/libcli/security/util_sid.c @@ -383,12 +383,11 @@ NTSTATUS add_sid_to_array(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, NTSTATUS add_sid_to_array_unique(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, struct dom_sid **sids, uint32_t *num_sids) { - uint32_t i; + bool contains; - for (i=0; i<(*num_sids); i++) { - if (dom_sid_equal(sid, &(*sids)[i])) { - return NT_STATUS_OK; - } + contains = sids_contains_sid(*sids, *num_sids, sid); + if (contains) { + return NT_STATUS_OK; } return add_sid_to_array(mem_ctx, sid, sids, num_sids); @@ -437,23 +436,17 @@ NTSTATUS add_sid_to_array_attrs(TALLOC_CTX *mem_ctx, * @param [in] sid The SID to append. * @param [in] attrs SE_GROUP_* flags to go with the SID. * @param [inout] sids A pointer to the auth_SidAttr array. - * @param [inout] num A pointer to the size of the auth_SidArray array. + * @param [inout] num_sids A pointer to the size of the auth_SidArray array. * @returns NT_STATUS_OK on success. */ NTSTATUS add_sid_to_array_attrs_unique(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, uint32_t attrs, struct auth_SidAttr **sids, uint32_t *num_sids) { - uint32_t i; - - for (i=0; i<(*num_sids); i++) { - if (attrs != (*sids)[i].attrs) { - continue; - } - if (!dom_sid_equal(sid, &(*sids)[i].sid)) { - continue; - } + bool contains; + contains = sids_contains_sid_attrs(*sids, *num_sids, sid, attrs); + if (contains) { return NT_STATUS_OK; } @@ -487,8 +480,6 @@ void del_sid_from_array(const struct dom_sid *sid, struct dom_sid **sids, for ( ; i<*num; i++ ) { sid_copy( &sid_list[i], &sid_list[i+1] ); } - - return; } bool add_rid_to_array_unique(TALLOC_CTX *mem_ctx, @@ -519,6 +510,80 @@ bool is_null_sid(const struct dom_sid *sid) return dom_sid_equal(sid, &null_sid); } +/** + * Return true if an array of SIDs contains a certain SID. -- Samba Shared Repository