The branch, master has been updated
       via  06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
       via  f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
       via  2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests
       via  b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
       via  7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys
       via  46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty
       via  3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
       via  93f4be16471 netcmd: docs: update documentation for new auth policy command structure
       via  6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
       via  dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
       via  97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
       via  e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
       via  2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
       via  316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
       via  5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
       via  4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
       via  49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
       via  86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
       via  96f00738cec netcmd: auth policy: extract policy base commands into policy.py
       via  c0e748f0117 netcmd: auth policy: turn policy.py into module
       via  13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py
       via  a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module
       via  4d2c8ea9578 netcmd: auth silo: turn silo.py into module
       via  2af65446cfd netcmd: docs: add section headings for auth policies and silos
       via  7fbe5156096 netcmd: docs: consistently put <constant> around GROUP and SILO
       via  4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
       via  26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
       via  a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands
       via  03a6740a90b netcmd: docs: add documentation for service-account base command
       via  cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs
       via  828420b4f09 python: domain: models: add OrganizationalUnit container model
       via  5ac4b6969be python: domain: models: move OrganizationalPerson to org.py
       via  3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant
       via  bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command
       via  0c5d09ae143 python: domain: models: add children method to return a models direct children
       via  cca0cfe421c python: tests: write a test for the Model.as_dict method
       via  917e2a73538 python: tests: computer model tests should clean up
       via  ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields
       via  fc982e550f4 s4-dsdb: Create KdfParameters at runtime
       via  d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
       via  3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object
       via  565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError
       via  06912de3b2a dsdb: Add API tests for new_gkdi_root_key()
       via  f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
       via  287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
       via  37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method
      from  f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 06c589aaa1a30e5577d9de4532246949f30809e5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Mar 20 14:56:47 2024 +1300

    python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

    This in particular tests the returned NTLM password buffers as well as
    the password rotation on expired accounts described at
    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Mar 28 02:53:53 UTC 2024 on atb-devel-224

commit f29693d1311a9675034dc7010076309ba2535d64
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 26 14:29:49 2024 +1300

    python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash

    We want to use the PAC returned NT hash in the UF_SMARTCARD_REQUIRED case
    as it will usually be random bytes so we can not just assert on the value
    any more.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

commit 2fd5166a8c1703af97b444077135e1b99e320dec
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 26 14:42:20 2024 +1300

    python/tests/krb5: Allow getting a TGT in pkinit tests

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

commit b2fe1ea1c6aba116b31a1c803b4e0d36ac1a32ee
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 19 14:37:24 2024 +1300

    python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

commit 7cc8f455191faacf32efc474c27e99d45ef2e024
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Fri Mar 22 12:58:19 2024 +1300

    tests/krb5: Fix PK-INIT test framework to allow expired password keys

    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 46263c5c202f6d409ad1b1d45ae523d9304f03d5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 14 12:01:54 2024 +1300

    python/samba/krb5: Allow client address (caddr) to be missing or empty

    Currently (as of 2024-02) Windows 21H2 returns this as [].

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

commit 3d1ec5dc676f59d6f8cbcf9869521bf6c67605e5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Mar 20 14:42:31 2024 +1300

    auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials

    This function is based on a flawed premise that the pointer is a talloc
    context, but the second element in an array and any element in a
    structure is not a talloc context.

    The type has already been checked above.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>

commit 93f4be164714ddd36e52bcc28d8278361ba6bf2f
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 13:46:47 2024 +1300

    netcmd: docs: update documentation for new auth policy command structure

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6e02c97193cdae6c2e557b8a151a71a96cf6f2a0
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 21 10:24:12 2024 +1300

    netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dcb6a14fa234678141c7dc9fae0c10dfe53e4dbd
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 21 09:58:02 2024 +1300

    netcmd: auth policy: add service-allowed-to-authenticate-from subcommands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 97c2ff19daa7ee1717d0cdc1128ca03b5e8d3144
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 21 09:48:25 2024 +1300

    netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e88be1aed978fc3109ba9bc9ea0ccc5a20f7a480
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 21 09:04:37 2024 +1300

    netcmd: auth policy: add user-allowed-to-authenticate-from subcommands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2cbacad82d62c9a952aadbf290b92c8fde564256
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Thu Mar 21 00:10:11 2024 +1300

    netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 316a84a5975bee3e3c6bbf90342d4bc8aace36b4
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 23:44:28 2024 +1300

    netcmd: auth policy: add service-allowed-to-authenticate-to subcommands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5db2a1581d39f383e7e098d34175e661a852abc6
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 23:29:12 2024 +1300

    netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4ba087f8187c07890d4ec5ecf5a979daadc58523
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 22:56:18 2024 +1300

    netcmd: auth policy: add user-allowed-to-authenticate-to subcommands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 49c3bca80334869274156a9fad5811a410063a91
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 22:31:48 2024 +1300

    netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 86d3706bd26d4d875d98eba13d32d9d559f3f008
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 19:40:34 2024 +1300

    netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 96f00738cec72224487522c2c134862661f2b0e4
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 19:20:06 2024 +1300

    netcmd: auth policy: extract policy base commands into policy.py

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c0e748f0117308d36323001e1cf4387ca6c18297
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 18:54:12 2024 +1300

    netcmd: auth policy: turn policy.py into module

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 13d53ee3e2547332b83424304c50d523d254bcf1
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 19:14:32 2024 +1300

    netcmd: auth silo: extract silo base commands into silo.py

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a2e9529ee631447f8da4dfb44b1ffbd954a8c7f6
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 19:02:50 2024 +1300

    netcmd: auth silo: move silo_member.py into silo module

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4d2c8ea95783cafcbf954f7bfb040225cb693a68
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 20 18:55:46 2024 +1300

    netcmd: auth silo: turn silo.py into module

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2af65446cfd3bf4eba39cdc5ba3bea9d06712ccc
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 12:51:22 2024 +1300

    netcmd: docs: add section headings for auth policies and silos

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7fbe515609671b0def8c8c481d9fb4ef254a6407
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 13:10:52 2024 +1300

    netcmd: docs: consistently put <constant> around GROUP and SILO

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4e1d12835ffe57c047adae16f7209b3f5ea4e529
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 13:33:38 2024 +1300

    netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 26feb09fd103cf791ca4d36ec2957611f09dca2b
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 13:29:43 2024 +1300

    netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"

    Make it consistent with --service-allowed-to-authenticate-from-device-silo
    by adding =SILO

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a7edd5b5367fa777299584a333b6f7efccbfefb4
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 18:26:57 2024 +1300

    netcmd: docs: add documentation for service-account group-msa-membership commands

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 03a6740a90b2c6e5bdb7182444b5eb17b3fb98c1
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 18:07:02 2024 +1300

    netcmd: docs: add documentation for service-account base command

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cf60e3cad6bde875e3566e06d135d2f512eaa048
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Wed Mar 27 10:11:26 2024 +1300

    netcmd: gmsa: improve descriptions of --dns-host-name and match docs

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 828420b4f0984e1bca45c340fe0df8c10cfd5e79
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Mar 22 11:54:39 2024 +1300

    python: domain: models: add OrganizationalUnit container model

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5ac4b6969be802a3cdefff4f36b5542a94736295
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Mar 22 11:33:17 2024 +1300

    python: domain: models: move OrganizationalPerson to org.py

    There are other models like OrganizationalUnit which can go in org.py
    better if this is done first

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3c0833ead5180492d958af66ad94db392e87ed07
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Fri Mar 22 11:02:50 2024 +1300

    python: domain: models: move MODELS to registry.py because it's not really a constant

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bfd1f8cd467d081eac4dbdd3bd0e90ca1a7de1a0
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Mar 26 08:29:24 2024 +1300

    python: domain: models: MODELS lookup does need to include base Model for shell command
    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0c5d09ae14311f18deb3b1a5013152b4c26eb161
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Tue Mar 26 08:24:53 2024 +1300

    python: domain: models: add children method to return a models direct children

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cca0cfe421c9ea226d9028ac4c5602a266786c95
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 23:02:30 2024 +1300

    python: tests: write a test for the Model.as_dict method

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 917e2a735383ae7dc2e67a540c66e87d6302cadb
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Mon Mar 25 22:04:19 2024 +1300

    python: tests: computer model tests should clean up

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ed07dee8649eaf4266965e959e3d4c0b7e1c8a3e
Author: Rob van der Linde <r...@catalyst.net.nz>
Date:   Sun Mar 24 23:36:22 2024 +1300

    python: domain: models: as_dict() should also exclude empty list fields

    Empty list fields happen if many=True is used on the field. This means
    that the field is automatically initialised as an empty list, so this
    can only ever be a list or None.

    The side-effect of this was that it appears in as_dict() when it
    shouldn't, because the field isn't populated. This fixes it.

    Signed-off-by: Rob van der Linde <r...@catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fc982e550f4c5824c189704efaf79038c0d78413
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 22 16:58:40 2024 +1300

    s4-dsdb: Create KdfParameters at runtime

    While this is by definition less efficient, I prefer not to have the
    magic buffer of pre-calculated bytes, we don't create Root Keys very
    often.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit d316e5f0869f0b0f0fdc7f2dab4a40fd28baccf9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 22 16:43:38 2024 +1300

    s4-dsdb: Indent DH parameters table in gkdi_create_root_key()

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 3687bf22aa1ce2515997b06efb536d5da4294c9a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 22 14:08:22 2024 +1300

    s4-dsdb: Populate new GKDI root keys from the server configuration object

    This honours MS-GKDI 3.1.4.1.1 Creating a New Root Key

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 565314f448236ff41d9c6c532949c19ee85b6425
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 25 12:44:29 2024 +1300

    pyldb: Improve search for error string in PyErr_SetLdbError

    We allow a fallback to ldb_strerror() even if there was an LDB context,
    allowing failing functions to reset a previous error string but not set
    a new one.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 06912de3b2ae84c795f5d3e7ee03872937260ee4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Mar 26 10:28:38 2024 +1300

    dsdb: Add API tests for new_gkdi_root_key()

    These show that the new root key should be based on the server
    configuration object, not just hardcoded defaults.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit f379ea8b81251efad05ebb913ed0a0205fa0bcd5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 25 12:36:35 2024 +1300

    pyldb: Consolidate PyErr_SetLdbError() using the pyldb version

    Now that pyldb-util is a private library to Samba, we have no excuses
    not to consolidate helper functions like this.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 287cf82682c0f70a57e7d90748778e3b3fc36cda
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 25 22:33:02 2024 +1300

    plydb: Keep talloc_reference() to the DN in PyDict_AsMessage

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 37327afd0aa486c8e07bb8a7ad0cc1d8641931e1
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Mar 25 22:30:29 2024 +1300

    pyldb: Fix documentation comment on Message.from_dict() method

    This method does not take keyword arguments.
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/pycredentials.c                   |  13 +-
 docs-xml/manpages/samba-tool.8.xml                 | 590 +++++++++++++++------
 lib/crypto/gkdi.h                                  |   2 +
 lib/ldb-samba/pyldb.c                              |  10 -
 lib/ldb/pyldb.c                                    |  34 +-
 lib/ldb/pyldb.h                                    |   2 +
 lib/ldb/pyldb_util.c                               |  31 ++
 python/samba/domain/models/__init__.py             |   5 +-
 python/samba/domain/models/constants.py            |   4 -
 python/samba/domain/models/model.py                |  16 +-
 python/samba/domain/models/{person.py => org.py}   |  20 +-
 python/samba/domain/models/person.py               |  13 +-
 python/samba/domain/models/query.py                |   2 +-
 .../domain/{__init__.py => models/registry.py}     |   6 +-
 python/samba/domain/models/user.py                 |   2 +-
 python/samba/netcmd/domain/auth/policy/__init__.py |  68 +++
 .../policy/computer_allowed_to_authenticate_to.py  | 125 +++++
 .../netcmd/domain/auth/{ => policy}/policy.py      | 239 +--------
 .../policy/service_allowed_to_authenticate_from.py | 123 +++++
 .../policy/service_allowed_to_authenticate_to.py   | 123 +++++
 .../policy/user_allowed_to_authenticate_from.py    | 123 +++++
 .../auth/policy/user_allowed_to_authenticate_to.py | 125 +++++
 .../netcmd/domain/{claim => auth/silo}/__init__.py |  24 +-
 .../domain/auth/{silo_member.py => silo/member.py} |   0
 python/samba/netcmd/domain/auth/{ => silo}/silo.py |  17 +-
 .../netcmd/service_account/service_account.py      |   4 +-
 python/samba/netcmd/shell.py                       |   1 +
 python/samba/tests/blackbox/claims.py              |  23 +-
 python/samba/tests/dsdb_quiet_provision_tests.py   | 211 ++++++++
 python/samba/tests/krb5/kdc_base_test.py           |  19 +-
 python/samba/tests/krb5/pkinit_tests.py            | 264 ++++++++-
 python/samba/tests/krb5/raw_testcase.py            |  30 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   1 +
 .../samba/tests/samba_tool/domain_auth_policy.py   | 442 +++++----------
 python/samba/tests/samba_tool/domain_models.py     |  51 +-
 selftest/knownfail_heimdal_kdc                     |   3 +
selftest/knownfail_mit_kdc_1_20 | 4 + source4/dsdb/common/util.c | 6 +- source4/dsdb/gmsa/gkdi.c | 330 ++++++++---- source4/dsdb/pydsdb.c | 10 - 40 files changed, 2159 insertions(+), 957 deletions(-) copy python/samba/domain/models/{person.py => org.py} (84%) copy python/samba/domain/{__init__.py => models/registry.py} (87%) create mode 100644 python/samba/netcmd/domain/auth/policy/__init__.py create mode 100644 python/samba/netcmd/domain/auth/policy/computer_allowed_to_authenticate_to.py rename python/samba/netcmd/domain/auth/{ => policy}/policy.py (55%) create mode 100644 python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_from.py create mode 100644 python/samba/netcmd/domain/auth/policy/service_allowed_to_authenticate_to.py create mode 100644 python/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_from.py create mode 100644 python/samba/netcmd/domain/auth/policy/user_allowed_to_authenticate_to.py copy python/samba/netcmd/domain/{claim => auth/silo}/__init__.py (55%) rename python/samba/netcmd/domain/auth/{silo_member.py => silo/member.py} (100%) rename python/samba/netcmd/domain/auth/{ => silo}/silo.py (96%) Changeset truncated at 500 lines: diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index a16be546901..5cdbe7796e6 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -574,11 +574,7 @@ static PyObject *py_creds_set_nt_hash(PyObject *self, PyObject *args) return NULL; } - pwd = pytalloc_get_type(py_cp, struct samr_Password); - if (pwd == NULL) { - /* pytalloc_get_type sets TypeError */ - return NULL; - } + pwd = pytalloc_get_ptr(py_cp); return PyBool_FromLong(cli_credentials_set_nt_hash(creds, pwd, obt)); } 
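Review bot: dropping the NULL check around `pwd = pytalloc_get_ptr(py_cp);` in py_creds_set_nt_hash means a wrapper object whose underlying pointer is NULL is handed straight to cli_credentials_set_nt_hash(), while the companion hunk in py_creds_encrypt_netr_crypt_password keeps its `if (pwd == NULL)` guard; the two call sites should agree on whether that guard is needed. The commit message says the type was already checked above, but that check lies outside the hunk context, so it is worth confirming that a py_check_dcerpc_type() call like the one the second hunk adds precedes this line, since pytalloc_get_ptr() performs no type check of its own.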
@@ -1093,7 +1089,12 @@ static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self, return NULL; } - pwd = pytalloc_get_type(py_cp, struct netr_CryptPassword); + if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.netlogon", "netr_CryptPassword")) { + /* py_check_dcerpc_type sets TypeError */ + return NULL; + } + + pwd = pytalloc_get_ptr(py_cp); if (pwd == NULL) { /* pytalloc_get_type sets TypeError */ return NULL; diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index e6c0c08c240..62ce4e690d4 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -599,6 +599,11 @@ <para>Restore the domain's DB from a backup-file.</para> </refsect3> +<refsect2> + <title>domain auth policy</title> + <para>Manage authentication policies.</para> +</refsect2> + <refsect3> <title>domain auth policy list</title> <para>List authentication policies on the domain.</para> @@ -756,22 +761,6 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term>--user-allowed-to-authenticate-from-silo</term> - <listitem> - <para> - User is allowed to - authenticate, if the device they - authenticate from is assigned - and granted membership of a - given silo. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-from - </para> - </listitem> - </varlistentry> <varlistentry> <term>--user-allowed-to-authenticate-to=SDDL</term> <listitem> 
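Review bot: the retained comment `/* pytalloc_get_type sets TypeError */` in the py_creds_encrypt_netr_crypt_password hunk is now stale, because pytalloc_get_ptr() only returns the wrapped pointer and raises nothing; on the `if (pwd == NULL)` path the function would `return NULL` with no exception set, which Python reports as a SystemError. Either set one explicitly, e.g. `PyErr_SetString(PyExc_TypeError, "netr_CryptPassword has no underlying object");`, or drop the check if py_check_dcerpc_type() already guarantees a non-NULL pointer, and update the comment either way. In the samba-tool.8.xml hunk at 599, the new `<refsect2>` for "domain auth policy" opens and closes immediately between two sibling `<refsect3>` elements rather than enclosing the subcommand sections that follow; if the manpage already uses refsect2 this way as a bare heading that is fine, otherwise the following refsect3 blocks should move inside it.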
@@ -792,42 +781,6 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term>--user-allowed-to-authenticate-to-by-group=GROUP</term> - <listitem> - <para> - The user account, offering a - network service, covered by - this policy, will only be allowed - access from other accounts - that are members of the given - <constant>GROUP</constant>. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--user-allowed-to-authenticate-to-by-silo=SILO</term> - <listitem> - <para> - The user account, offering a - network service, covered by - this policy, will only be - allowed access from other accounts - that are assigned to, - granted membership of (and - meet any authentication - conditions of) the given SILO. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --user-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> <varlistentry> <term>--service-tgt-lifetime-mins</term> <listitem> 
@@ -868,41 +821,6 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term>--service-allowed-to-authenticate-from-device-silo=SILO</term> - <listitem> - <para> - The service account (eg a Managed - Service Account, Group Managed - Service Account) is allowed to - authenticate, if the device it - authenticates from is assigned - and granted membership of a - given <constant>SILO</constant>. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-from - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--service-allowed-to-authenticate-from-device-group=GROUP</term> - <listitem> - <para> - The service account (eg a Managed - Service Account, Group Managed - Service Account) is allowed to - authenticate, if the device it - authenticates from is a member - of the given <constant>group</constant>. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-from - </para> - </listitem> - </varlistentry> <varlistentry> <term>--service-allowed-to-authenticate-to=SDDL</term> <listitem> 
@@ -923,42 +841,6 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term>--service-allowed-to-authenticate-to-by-group=GROUP</term> - <listitem> - <para> - The service account (eg a Managed - Service Account, Group Managed - Service Account), will only be - allowed access by other accounts - that are members of the given - <constant>GROUP</constant>. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--service-allowed-to-authenticate-to-by-silo=SILO</term> - <listitem> - <para> - The service account (eg a - Managed Service Account, Group - Managed Service Account), will - only be allowed access by other - accounts that are assigned - to, granted membership of (and - meet any authentication - conditions of) the given SILO. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> <varlistentry> <term>--computer-tgt-lifetime-mins</term> <listitem> 
@@ -986,43 +868,7 @@ </para> </listitem> </varlistentry> - <varlistentry> - <term>--computer-allowed-to-authenticate-to-by-group=GROUP</term> - <listitem> - <para> - The computer account (eg a server - or workstation), will only be - allowed access by other accounts - that are members of the given - <constant>GROUP</constant>. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --computer-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--computer-allowed-to-authenticate-to-by-silo=SILO</term> - <listitem> - <para> - The computer account (eg a - server or workstation), will - only be allowed access by - other accounts that are - assigned to, granted - membership of (and meet any - authentication conditions of) - the given SILO. - </para> - <para> - This attribute avoids the need to write SDDL by hand and - cannot be used with --computer-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - - </variablelist> + </variablelist> </refsect3> <refsect3> 
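Review bot: besides the two removed varlistentries, this hunk turns `-` `- </variablelist>` into `+ </variablelist>`, a whitespace-only reindent of the closing tag and removal of the blank line before it; it is harmless but unrelated to removing the computer-allowed-to-authenticate-to options and would sit more naturally in the docs-formatting commit.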
@@ -1056,6 +902,220 @@ </variablelist> </refsect3> +<refsect3> + <title>domain auth policy user-allowed-to-authenticate-from set</title> + <para>Set the user-allowed-to-authenticate-from property by scenario.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--by-group=GROUP</term> + <listitem><para> + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given <constant>GROUP</constant>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--silo=SILO</term> + <listitem><para> + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given <constant>SILO</constant>. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy user-allowed-to-authenticate-to set</title> + <para>Set the user-allowed-to-authenticate-to property by scenario.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--group=GROUP</term> + <listitem><para> + The user account, offering a + network service, covered by + this policy, will only be allowed + access from other accounts + that are members of the given + <constant>GROUP</constant>. 
+ </para></listitem> + </varlistentry> + <varlistentry> + <term>--silo=SILO</term> + <listitem><para> + The user account, offering a + network service, covered by + this policy, will only be + allowed access from other accounts + that are assigned to, + granted membership of (and + meet any authentication + conditions of) the given <constant>SILO</constant>. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy service-allowed-to-authenticate-from set</title> + <para>Set the service-allowed-to-authenticate-from property by scenario.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--group=GROUP</term> + <listitem><para> + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is a member + of the given <constant>GROUP</constant>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--silo=SILO</term> + <listitem><para> + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is assigned + and granted membership of a + given <constant>SILO</constant>. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy service-allowed-to-authenticate-to set</title> + <para>Set the service-allowed-to-authenticate-to property by scenario.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of authentication policy. 
+ </para></listitem> + </varlistentry> + <varlistentry> + <term>--group=GROUP</term> + <listitem><para> + The service account (eg a Managed + Service Account, Group Managed + Service Account), will only be + allowed access by other accounts + that are members of the given + <constant>GROUP</constant>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--silo=SILO</term> + <listitem><para> + The service account (eg a + Managed Service Account, Group + Managed Service Account), will + only be allowed access by other + accounts that are assigned + to, granted membership of (and + meet any authentication + conditions of) the given <constant>SILO</constant>. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy computer-allowed-to-authenticate-to set</title> + <para>Set the computer-allowed-to-authenticate-to property by scenario.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--name</term> + <listitem><para> + Name of authentication policy. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--group=GROUP</term> + <listitem><para> + The computer account (eg a server + or workstation), will only be + allowed access by other accounts + that are members of the given + <constant>GROUP</constant>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--silo=SILO</term> + <listitem><para> + The computer account (eg a + server or workstation), will + only be allowed access by + other accounts that are + assigned to, granted + membership of (and meet any + authentication conditions of) + the given <constant>SILO</constant>. 
+ </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect2> + <title>domain auth silo</title> + <para>Manage authentication silos.</para> +</refsect2> + <refsect3> <title>domain auth silo list</title> <para>List authentication silos on the domain.</para> @@ -1635,6 +1695,216 @@ </variablelist> </refsect3> +<refsect2> + <title>service-account</title> + <para>Service account management.</para> +</refsect2> + +<refsect3> + <title>service-account list</title> + <para>List service accounts on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. + </para></listitem> + </varlistentry> + <varlistentry> + <term>--json</term> + <listitem><para> + View service accounts as JSON instead of a list. + </para></listitem> + </varlistentry> + </variablelist> +</refsect3> + +<refsect3> + <title>service-account view</title> + <para>View a single service account on the domain.</para> + <variablelist> + <varlistentry> + <term>-H, --URL</term> + <listitem><para> + LDB URL for database or target server. -- Samba Shared Repository
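Review bot: in the new `domain auth policy user-allowed-to-authenticate-from set` section of hunk `@@ -1056,6 +902,220 @@` the option is documented as `--by-group=GROUP`, while the sibling option in the same section is `--silo=SILO` and every other new `set` section in this hunk (user-allowed-to-authenticate-to, service-allowed-to-authenticate-from, service-allowed-to-authenticate-to, computer-allowed-to-authenticate-to) documents `--group=GROUP`; unless the command really takes a differently named option here, change the term to `--group=GROUP`. Its description ("assigned and granted membership of a given GROUP") also reads like the silo wording; the service-allowed-to-authenticate-from `--group` entry ("is a member of the given GROUP") is the clearer form. None of the five new sections says that `--group` and `--silo` are mutually exclusive, which the removed `-by-group`/`-by-silo` entries did state for the raw option, so a one-line note to that effect in each section would help.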
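Review bot: in hunk `@@ -1635,6 +1695,216 @@` the new `<refsect2>` for `service-account` is closed immediately after its `<para>`, so the following `service-account list` and `service-account view` `<refsect3>` sections are siblings of the heading rather than nested inside it. This mirrors the `domain auth silo` block in the previous hunk, so if the manpage already uses flat refsect2/refsect3 sequences it is consistent; otherwise the closing `</refsect2>` should move after the last `service-account` subsection so the subcommands render under their heading.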