The branch, master has been updated
       via  db342d86a9c samba-tool user readpasswords: avoid `assert` for 
validation
       via  b42c4891804 s4:auth: Handle expired accounts in 
authsam_account_ok() (CID 1603594)
       via  facb418c99d s4:dsdb: Remove trailing whitespace
       via  5ffa7683295 s4:auth: Add temporary memory context to 
authsam_reread_user_logon_data()
       via  7ae10eb25f8 s4:auth: Add common out path to 
authsam_reread_user_logon_data()
       via  4e8ca6140af ldb: Attach appropriate ldb context to returned result
      from  225e6aeafc7 s4/torture: Remove already existing test_dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit db342d86a9ccd15f764cb8e0a91774e1f8fd7858
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri Feb 2 15:01:21 2024 +1300

    samba-tool user readpasswords: avoid `assert` for validation
    
    `assert` can be optimised away if python is run with `-O`.
    
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224

commit b42c489180474627270e09408f84841baa175157
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Tue Jun 11 14:58:11 2024 +1200

    s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
    
    We check the ACB_PW_EXPIRED bit to determine whether the account is
    expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
    we must increase the width of acct_flags so as not to lose that bit.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit facb418c99d5be62ae7e111539ca497a783b6a37
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Fri May 24 13:05:58 2024 +1200

    s4:dsdb: Remove trailing whitespace
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5ffa7683295ae7006a51dc8244918ed89f500184
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 29 17:07:43 2024 +1200

    s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7ae10eb25f821e617100cad113f751833b7c0893
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Mon Apr 29 17:09:12 2024 +1200

    s4:auth: Add common out path to authsam_reread_user_logon_data()
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21
Author: Jo Sutton <josut...@catalyst.net.nz>
Date:   Wed May 1 16:54:01 2024 +1200

    ldb: Attach appropriate ldb context to returned result
    
    This is done by adding a new API that avoids the problems of
    ldb_dn_copy() and makes it clear that a struct ldb_context *
    pointer will be stored in the new copy.
    
    Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/ldb/ABI/ldb-2.10.0.sigs                      |  1 +
 lib/ldb/common/ldb_dn.c                          | 16 +++++++++++++
 lib/ldb/include/ldb.h                            |  3 +++
 lib/ldb/ldb_key_value/ldb_kv_search.c            |  2 +-
 python/samba/netcmd/user/readpasswords/common.py |  5 +++-
 python/samba/tests/krb5/gmsa_tests.py            |  2 +-
 source4/auth/sam.c                               | 29 ++++++++++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c  | 28 +++++++++++------------
 8 files changed, 59 insertions(+), 27 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.10.0.sigs b/lib/ldb/ABI/ldb-2.10.0.sigs
index f23014ffaaa..bd9aa54a005 100644
--- a/lib/ldb/ABI/ldb-2.10.0.sigs
+++ b/lib/ldb/ABI/ldb-2.10.0.sigs
@@ -47,6 +47,7 @@ ldb_dn_check_special: bool (struct ldb_dn *, const char *)
 ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *)
 ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *)
+ldb_dn_copy_with_ldb_context: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *, 
struct ldb_context *)
 ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val)
 ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const 
struct ldb_dn_extended_syntax *)
 ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *)
diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c
index cb4266dca91..e785a6d9e3d 100644
--- a/lib/ldb/common/ldb_dn.c
+++ b/lib/ldb/common/ldb_dn.c
@@ -1398,6 +1398,22 @@ struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct 
ldb_dn *dn)
        return new_dn;
 }
 
+struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx,
+                                           struct ldb_dn *dn,
+                                           struct ldb_context *ldb)
+{
+       struct ldb_dn *new_dn = NULL;
+
+       new_dn = ldb_dn_copy(mem_ctx, dn);
+       if (new_dn == NULL) {
+               return NULL;
+       }
+
+       /* Set the ldb context. */
+       new_dn->ldb = ldb;
+       return new_dn;
+}
+
 /* modify the given dn by adding a base.
  *
  * return true if successful and false if not
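Review bot: The store on `new_dn->ldb = ldb;` is a raw alias, not a talloc reference, so the caller must guarantee that `ldb` outlives `new_dn`, and the comment `/* Set the ldb context. */` says what the line does rather than why that matters. I would replace it with `/* Override the ldb context on the copy. The pointer is aliased, not referenced, so ldb must outlive new_dn. */`; whether ldb_dn_copy() carries over the source DN's context (the "problems" the commit message alludes to) is not visible in this hunk, so I have not asserted that in the wording. A NULL `dn` is passed straight through to ldb_dn_copy(), so the wrapper inherits whatever that function does with it.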
diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h
index f29392ad4ea..f2d4642375f 100644
--- a/lib/ldb/include/ldb.h
+++ b/lib/ldb/include/ldb.h
@@ -1902,6 +1902,9 @@ bool ldb_dn_add_child_val(struct ldb_dn *dn,
                          struct ldb_val value);
 
 struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
+struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx,
+                                           struct ldb_dn *dn,
+                                           struct ldb_context *ldb);
 struct ldb_dn *ldb_dn_get_parent(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
 char *ldb_dn_canonical_string(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
 char *ldb_dn_canonical_ex_string(TALLOC_CTX *mem_ctx, struct ldb_dn *dn);
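Review bot: The new public declaration `struct ldb_dn *ldb_dn_copy_with_ldb_context(...)` lands in ldb.h with no doc comment, although the commit message says the point of the API is to make the stored ldb_context pointer explicit. I would add a Doxygen block above it stating that it behaves like ldb_dn_copy() but stores `ldb` in the returned DN, that `ldb` is aliased rather than referenced and so must outlive the copy, and that NULL is returned on allocation failure (as the implementation in lib/ldb/common/ldb_dn.c shows). The neighbouring declarations in this hunk are also uncommented, so the block can follow whatever convention the rest of ldb.h uses.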
diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c 
b/lib/ldb/ldb_key_value/ldb_kv_search.c
index 5dbbae6b15c..9d0d218b48a 100644
--- a/lib/ldb/ldb_key_value/ldb_kv_search.c
+++ b/lib/ldb/ldb_key_value/ldb_kv_search.c
@@ -586,7 +586,7 @@ static int ldb_kv_search_and_return_base(struct 
ldb_kv_private *ldb_kv,
                 * returned result, as it has already been
                 * casefolded
                 */
-               struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base);
+               struct ldb_dn *dn = ldb_dn_copy_with_ldb_context(msg, 
ctx->base, ldb);
                if (dn != NULL) {
                        msg->dn = dn;
                }
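Review bot: When ldb_dn_copy_with_ldb_context() returns NULL, the `if (dn != NULL)` guard silently keeps the previous `msg->dn`, so an allocation failure now yields a result whose DN is neither casefolded nor bound to this `ldb` context, with no error reported to the caller. That fallthrough predates the commit, but since this call is now the only place the context is attached, I would make it an error, e.g. `if (dn == NULL) { return ldb_oom(ldb); }`, assuming that matches the function's return convention, which starts outside the hunk. `ldb` is presumably the module context obtained earlier in ldb_kv_search_and_return_base(), also outside the hunk.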
diff --git a/python/samba/netcmd/user/readpasswords/common.py 
b/python/samba/netcmd/user/readpasswords/common.py
index 0aa1f237dc0..7944d4e1682 100644
--- a/python/samba/netcmd/user/readpasswords/common.py
+++ b/python/samba/netcmd/user/readpasswords/common.py
@@ -114,7 +114,10 @@ def get_crypt_value(alg, utf8pw, rounds=0):
         "5": {"length": 43},
         "6": {"length": 86},
     }
-    assert alg in algs
+    if alg not in algs:
+        raise ValueError(f"invalid algorithm code: {alg}"
+                         f"(expected one of {','.join(algs.keys())})")
+
     salt = os.urandom(16)
     # The salt needs to be in [A-Za-z0-9./]
     # base64 is close enough and as we had 16
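Review bot: The two implicitly concatenated f-strings in the new `raise ValueError(...)` produce a message with no separator, e.g. `invalid algorithm code: 7(expected one of 5,6)`, because the first literal ends at `{alg}` with no trailing space. Change the first line to `raise ValueError(f"invalid algorithm code: {alg} "`. Raising an explicit exception instead of `assert` is the right move, as the commit message notes `-O` strips asserts; the message just needs the space.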
diff --git a/python/samba/tests/krb5/gmsa_tests.py 
b/python/samba/tests/krb5/gmsa_tests.py
index f27e4235713..4189f05d22d 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -1800,7 +1800,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
         modify_attr("lockoutThreshold", lockout_threshold)
 
         creds = self.gmsa_account(kerberos_enabled=kerberos_enabled)
-        dn = ldb.Dn(samdb, str(creds.get_dn()))
+        dn = creds.get_dn()
 
         # Truncate the password to ensure that it is invalid.
         creds.set_password(creds.get_password()[:-1])
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index d70fc468e20..093d29080ec 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -213,7 +213,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
                                     bool allow_domain_trust,
                                     bool password_change)
 {
-       uint16_t acct_flags;
+       uint32_t acct_flags;
        const char *workstation_list;
        NTTIME acct_expiry;
        NTTIME must_change_time;
@@ -1000,13 +1000,20 @@ NTSTATUS authsam_reread_user_logon_data(
        const struct ldb_message *user_msg,
        struct ldb_message **current)
 {
+       TALLOC_CTX *tmp_ctx = NULL;
        const struct ldb_val *v = NULL;
        struct ldb_result *res = NULL;
        uint16_t acct_flags = 0;
        const char *attr_name = "msDS-User-Account-Control-Computed";
-
+       NTSTATUS status = NT_STATUS_OK;
        int ret;
 
+       tmp_ctx = talloc_new(mem_ctx);
+       if (tmp_ctx == NULL) {
+               status = NT_STATUS_NO_MEMORY;
+               goto out;
+       }
+
        /*
         * Re-read the account details, using the GUID in case the DN
         * is being changed (this is automatic in LDB because the
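Review bot: `uint16_t acct_flags = 0;` in authsam_reread_user_logon_data() keeps the 16-bit width that the first hunk of this commit widens to 32 bits in authsam_account_ok() because ACB_PW_EXPIRED was being truncated. Further down this function the value is tested with `acct_flags & ACB_AUTOLOCK`; as far as I recall ACB_AUTOLOCK sits in the low 16 bits, so this is latent rather than live, but any future check of a high bit here would silently fail in exactly the way CID 1603594 flagged. I would change it to `uint32_t acct_flags = 0;` for consistency. The function body continues past the end of this hunk.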
@@ -1016,7 +1023,7 @@ NTSTATUS authsam_reread_user_logon_data(
         * subset to ensure that we can reuse existing validation code.
         */
        ret = dsdb_search_dn(sam_ctx,
-                            mem_ctx,
+                            tmp_ctx,
                             &res,
                             user_msg->dn,
                             user_attrs,
@@ -1024,7 +1031,8 @@ NTSTATUS authsam_reread_user_logon_data(
        if (ret != LDB_SUCCESS) {
                DBG_ERR("Unable to re-read account control data for %s\n",
                        ldb_dn_get_linearized(user_msg->dn));
-               return NT_STATUS_INTERNAL_ERROR;
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto out;
        }
 
        /*
@@ -1035,20 +1043,21 @@ NTSTATUS authsam_reread_user_logon_data(
                DBG_ERR("No %s attribute for %s\n",
                        attr_name,
                        ldb_dn_get_linearized(user_msg->dn));
-               TALLOC_FREE(res);
-               return NT_STATUS_INTERNAL_ERROR;
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto out;
        }
        acct_flags = samdb_result_acct_flags(res->msgs[0], attr_name);
        if (acct_flags & ACB_AUTOLOCK) {
                DBG_WARNING(
                        "Account for user %s was locked out.\n",
                        ldb_dn_get_linearized(user_msg->dn));
-               TALLOC_FREE(res);
-               return NT_STATUS_ACCOUNT_LOCKED_OUT;
+               status = NT_STATUS_ACCOUNT_LOCKED_OUT;
+               goto out;
        }
        *current = talloc_steal(mem_ctx, res->msgs[0]);
-       TALLOC_FREE(res);
-       return NT_STATUS_OK;
+out:
+       TALLOC_FREE(tmp_ctx);
+       return status;
 }
 
 static struct db_context *authsam_get_bad_password_db(
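Review bot: `*current` is assigned only on the success path at `*current = talloc_steal(mem_ctx, res->msgs[0]);`, so on NT_STATUS_ACCOUNT_LOCKED_OUT or NT_STATUS_INTERNAL_ERROR the caller's pointer is left untouched while `res` is released with `tmp_ctx` at `out:`. That ownership split is correct, but nothing states it; I would add above the steal `/* Move the message to the caller's context; res and everything else die with tmp_ctx. *current is only set on success. */`. The function signature is outside this hunk, so the contract may also belong in a doc comment there.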
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c 
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 03f4e164ca5..70f76c4e1c1 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -117,7 +117,7 @@ struct replmd_replicated_request {
        /*
         * Backlinks for the replmd_add() case (we want to create
         * backlinks after creating the user, but before the end of
-        * the ADD request) 
+        * the ADD request)
         */
        struct la_backlink *la_backlinks;
 
@@ -621,7 +621,7 @@ static int replmd_defer_add_backlink(struct ldb_module 
*module,
 {
        const struct dsdb_attribute *target_attr;
        struct la_backlink *bl;
-       
+
        bl = talloc(ac, struct la_backlink);
        if (bl == NULL) {
                ldb_module_oom(module);
@@ -666,7 +666,7 @@ static int replmd_add_backlink(struct ldb_module *module,
        const struct dsdb_attribute *target_attr;
        struct la_backlink bl;
        int ret;
-       
+
        target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1);
        if (!target_attr) {
                /*
@@ -783,7 +783,7 @@ static int replmd_op_callback(struct ldb_request *req, 
struct ldb_reply *ares)
                        }
                }
        }
-       
+
        if (!partition_ctrl) {
                ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition 
control on reply");
                return ldb_module_done(ac->req, NULL,
@@ -1151,7 +1151,7 @@ static int replmd_add_fix_la(struct ldb_module *module, 
TALLOC_CTX *mem_ctx,
                talloc_free(tmp_ctx);
                return LDB_ERR_OPERATIONS_ERROR;
        }
-       
+
        ret = get_parsed_dns(module, tmp_ctx, el, &pdn,
                             sa->syntax->ldap_oid, parent);
        if (ret != LDB_SUCCESS) {
@@ -1244,7 +1244,7 @@ static int replmd_add(struct ldb_module *module, struct 
ldb_request *req)
        struct replPropertyMetaDataBlob nmd;
        struct ldb_val nmd_value;
        struct ldb_dn *extended_dn = NULL;
-       
+
        /*
         * The use of a time_t here seems odd, but as the NTTIME
         * elements are actually declared as NTTIME_1sec in the IDL,
@@ -1301,9 +1301,9 @@ static int replmd_add(struct ldb_module *module, struct 
ldb_request *req)
        } else {
                /* a new GUID */
                guid = GUID_random();
-               
+
                guid_blob_stack = data_blob_const(guid_data, sizeof(guid_data));
-               
+
                /* This can't fail */
                ndr_push_struct_into_fixed_blob(&guid_blob_stack, &guid,
                                                
(ndr_push_flags_fn_t)ndr_push_GUID);
@@ -1414,7 +1414,7 @@ static int replmd_add(struct ldb_module *module, struct 
ldb_request *req)
                                        talloc_free(ac);
                                        return ret;
                                }
-                       }                       
+                       }
 
                        /*
                         * Prepare the context for the backlinks and
@@ -2795,7 +2795,7 @@ static int replmd_modify_la_add(struct ldb_module *module,
                        ret = replmd_add_backlink(module, replmd_private,
                                                  ac->schema,
                                                  msg_dn,
-                                                 &dns[i].guid, 
+                                                 &dns[i].guid,
                                                  true,
                                                  schema_attr,
                                                  parent);
@@ -4388,7 +4388,7 @@ static int replmd_delete_internals(struct ldb_module 
*module, struct ldb_request
                .data = discard_const_p(uint8_t, "TRUE"),
                .length = 4
        };
-       
+
        unsigned int i;
        uint32_t dsdb_flags = 0;
        struct replmd_private *replmd_private;
@@ -6300,7 +6300,7 @@ static int replmd_replicated_apply_merge(struct 
replmd_replicated_request *ar)
                                          &guid_txt),
                          ldb_dn_get_linearized(msg->dn)));
        }
-               
+
        local_isDeleted = ldb_msg_find_attr_as_bool(ar->search_msg,
                                                    "isDeleted", false);
        remote_isDeleted = ldb_msg_find_attr_as_bool(msg,
@@ -7699,7 +7699,7 @@ static int replmd_allow_missing_target(struct ldb_module 
*module,
                            missing_str, ldb_dn_get_linearized(target_dn),
                            ldb_dn_get_linearized(source_dn));
        }
-       
+
        return LDB_SUCCESS;
 }
 
@@ -8353,7 +8353,7 @@ static int replmd_process_linked_attribute(struct 
ldb_module *module,
                if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) {
                        /* remove the existing backlink */
                        ret = replmd_add_backlink(module, replmd_private,
-                                                 schema, 
+                                                 schema,
                                                  src_dn,
                                                  &pdn->guid, false, attr,
                                                  parent);

