The branch, master has been updated via db342d86a9c samba-tool user readpasswords: avoid `assert` for validation via b42c4891804 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594) via facb418c99d s4:dsdb: Remove trailing whitespace via 5ffa7683295 s4:auth: Add temporary memory context to authsam_reread_user_logon_data() via 7ae10eb25f8 s4:auth: Add common out path to authsam_reread_user_logon_data() via 4e8ca6140af ldb: Attach appropriate ldb context to returned result from 225e6aeafc7 s4/torture: Remove already existing test_dir
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit db342d86a9ccd15f764cb8e0a91774e1f8fd7858 Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Date: Fri Feb 2 15:01:21 2024 +1300 samba-tool user readpasswords: avoid `assert` for validation `assert` can be optimised away if python is run with `-O`. Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Reviewed-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224 commit b42c489180474627270e09408f84841baa175157 Author: Jo Sutton <josut...@catalyst.net.nz> Date: Tue Jun 11 14:58:11 2024 +1200 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594) We check the ACB_PW_EXPIRED bit to determine whether the account is expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer, we must increase the width of acct_flags so as not to lose that bit. Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit facb418c99d5be62ae7e111539ca497a783b6a37 Author: Jo Sutton <josut...@catalyst.net.nz> Date: Fri May 24 13:05:58 2024 +1200 s4:dsdb: Remove trailing whitespace Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 5ffa7683295ae7006a51dc8244918ed89f500184 Author: Jo Sutton <josut...@catalyst.net.nz> Date: Mon Apr 29 17:07:43 2024 +1200 s4:auth: Add temporary memory context to authsam_reread_user_logon_data() Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 7ae10eb25f821e617100cad113f751833b7c0893 Author: Jo Sutton <josut...@catalyst.net.nz> Date: Mon Apr 29 17:09:12 2024 +1200 s4:auth: Add common out path to authsam_reread_user_logon_data() 
Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> commit 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21 Author: Jo Sutton <josut...@catalyst.net.nz> Date: Wed May 1 16:54:01 2024 +1200 ldb: Attach appropriate ldb context to returned result This is done by adding a new API that avoids the problems of ldb_dn_copy() and makes it clear that a struct ldb_context * pointer will be stored in the new copy. Signed-off-by: Jo Sutton <josut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/ldb/ABI/ldb-2.10.0.sigs | 1 + lib/ldb/common/ldb_dn.c | 16 +++++++++++++ lib/ldb/include/ldb.h | 3 +++ lib/ldb/ldb_key_value/ldb_kv_search.c | 2 +- python/samba/netcmd/user/readpasswords/common.py | 5 +++- python/samba/tests/krb5/gmsa_tests.py | 2 +- source4/auth/sam.c | 29 ++++++++++++++++-------- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 28 +++++++++++------------ 8 files changed, 59 insertions(+), 27 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb/ABI/ldb-2.10.0.sigs b/lib/ldb/ABI/ldb-2.10.0.sigs index f23014ffaaa..bd9aa54a005 100644 --- a/lib/ldb/ABI/ldb-2.10.0.sigs +++ b/lib/ldb/ABI/ldb-2.10.0.sigs @@ -47,6 +47,7 @@ ldb_dn_check_special: bool (struct ldb_dn *, const char *) ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_copy_with_ldb_context: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *, struct ldb_context *) ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index cb4266dca91..e785a6d9e3d 100644 
--- a/lib/ldb/common/ldb_dn.c +++ b/lib/ldb/common/ldb_dn.c @@ -1398,6 +1398,22 @@ struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) return new_dn; } +struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct ldb_context *ldb) +{ + struct ldb_dn *new_dn = NULL; + + new_dn = ldb_dn_copy(mem_ctx, dn); + if (new_dn == NULL) { + return NULL; + } + + /* Set the ldb context. */ + new_dn->ldb = ldb; + return new_dn; +} + /* modify the given dn by adding a base. * * return true if successful and false if not diff --git a/lib/ldb/include/ldb.h b/lib/ldb/include/ldb.h index f29392ad4ea..f2d4642375f 100644 --- a/lib/ldb/include/ldb.h +++ b/lib/ldb/include/ldb.h @@ -1902,6 +1902,9 @@ bool ldb_dn_add_child_val(struct ldb_dn *dn, struct ldb_val value); struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); +struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct ldb_context *ldb); struct ldb_dn *ldb_dn_get_parent(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); char *ldb_dn_canonical_string(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); char *ldb_dn_canonical_ex_string(TALLOC_CTX *mem_ctx, struct ldb_dn *dn); diff --git a/lib/ldb/ldb_key_value/ldb_kv_search.c b/lib/ldb/ldb_key_value/ldb_kv_search.c index 5dbbae6b15c..9d0d218b48a 100644 --- a/lib/ldb/ldb_key_value/ldb_kv_search.c +++ b/lib/ldb/ldb_key_value/ldb_kv_search.c @@ -586,7 +586,7 @@ static int ldb_kv_search_and_return_base(struct ldb_kv_private *ldb_kv, * returned result, as it has already been * casefolded */ - struct ldb_dn *dn = ldb_dn_copy(msg, ctx->base); + struct ldb_dn *dn = ldb_dn_copy_with_ldb_context(msg, ctx->base, ldb); if (dn != NULL) { msg->dn = dn; } diff --git a/python/samba/netcmd/user/readpasswords/common.py b/python/samba/netcmd/user/readpasswords/common.py index 0aa1f237dc0..7944d4e1682 100644 --- a/python/samba/netcmd/user/readpasswords/common.py +++ b/python/samba/netcmd/user/readpasswords/common.py 
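Review bot: ldb_dn_copy_with_ldb_context() stores the caller's `ldb` pointer into the copy (`new_dn->ldb = ldb;`) with no comment stating the lifetime that implies, and the prototype added to lib/ldb/include/ldb.h in the next hunk is likewise bare. Because only the pointer is stored, the returned DN is presumably usable only while `ldb` is alive, and whether a NULL `ldb` is acceptable is not stated anywhere. Suggest a comment above the definition such as `/* Like ldb_dn_copy(), but the copy is associated with the given ldb context instead of dn's own; ldb must outlive the returned DN, which is allocated on mem_ctx. */`. The commit message mentions "the problems of ldb_dn_copy()" without naming them; a one-line comment saying which problem this variant solves would spare the next reader a trip through the history.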
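Review bot: The comment directly above the changed line in ldb_kv_search_and_return_base() still explains only why ctx->base is copied ("it has already been casefolded"), not why the copy is now given `ldb` as its context, so the call reads as an unexplained behaviour change. Suggest extending the comment with a line like ` * and attach this database's ldb context so the result DN is not tied to the context ctx->base came from` — the motivation is inferred from the commit message, so please confirm the wording. The enclosing function starts outside the hunk.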
@@ -114,7 +114,10 @@ def get_crypt_value(alg, utf8pw, rounds=0): "5": {"length": 43}, "6": {"length": 86}, } - assert alg in algs + if alg not in algs: + raise ValueError(f"invalid algorithm code: {alg}" + f"(expected one of {','.join(algs.keys())})") + salt = os.urandom(16) # The salt needs to be in [A-Za-z0-9./] # base64 is close enough and as we had 16 diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py index f27e4235713..4189f05d22d 100755 --- a/python/samba/tests/krb5/gmsa_tests.py +++ b/python/samba/tests/krb5/gmsa_tests.py @@ -1800,7 +1800,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest): modify_attr("lockoutThreshold", lockout_threshold) creds = self.gmsa_account(kerberos_enabled=kerberos_enabled) - dn = ldb.Dn(samdb, str(creds.get_dn())) + dn = creds.get_dn() # Truncate the password to ensure that it is invalid. creds.set_password(creds.get_password()[:-1]) diff --git a/source4/auth/sam.c b/source4/auth/sam.c index d70fc468e20..093d29080ec 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -213,7 +213,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, bool allow_domain_trust, bool password_change) { - uint16_t acct_flags; + uint32_t acct_flags; const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; @@ -1000,13 +1000,20 @@ NTSTATUS authsam_reread_user_logon_data( const struct ldb_message *user_msg, struct ldb_message **current) { + TALLOC_CTX *tmp_ctx = NULL; const struct ldb_val *v = NULL; struct ldb_result *res = NULL; uint16_t acct_flags = 0; const char *attr_name = "msDS-User-Account-Control-Computed"; - + NTSTATUS status = NT_STATUS_OK; int ret; + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + status = NT_STATUS_NO_MEMORY; + goto out; + } + /* * Re-read the account details, using the GUID in case the DN * is being changed (this is automatic in LDB because the 
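Review bot: The two f-string fragments of the new ValueError are concatenated with no separator, so the message renders as `invalid algorithm code: {alg}(expected one of ...)` with the code glued to the parenthesis; add the space in the first fragment, `raise ValueError(f"invalid algorithm code: {alg} "`. As a point of style, `','.join(algs.keys())` can be `','.join(algs)` since iterating a dict yields its keys. The enclosing function get_crypt_value() starts above the hunk and continues below it.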
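Review bot: The widening to `uint32_t acct_flags;` is applied only in authsam_account_ok(), while authsam_reread_user_logon_data() in the following hunk keeps `uint16_t acct_flags = 0;` as a context line, and the `@@ -1035,20 +1043,21 @@` hunk shows that variable being assigned from samdb_result_acct_flags(). That function currently tests only ACB_AUTOLOCK, which fits in 16 bits, so nothing is lost today, but the commit message itself identifies the 16-bit width as dropping ACB_PW_EXPIRED, so the same truncation trap stays in the sibling for the next check someone adds there; suggest `uint32_t acct_flags = 0;` as well. The body of authsam_account_ok() continues outside the hunk.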
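Review bot: `NTSTATUS status = NT_STATUS_OK;` makes success the default, and the success path in the `@@ -1035,20 +1043,21 @@` hunk reaches `out:` only by falling through, so any future `goto out` that forgets to set `status` will return success from an authentication helper — a fail-open default. Safer to initialise with a failure code and make success explicit next to the steal: `NTSTATUS status = NT_STATUS_INTERNAL_ERROR;` here, and `*current = talloc_steal(mem_ctx, res->msgs[0]); status = NT_STATUS_OK;` just before `out:`. authsam_reread_user_logon_data() continues into the following hunks.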
@@ -1016,7 +1023,7 @@ NTSTATUS authsam_reread_user_logon_data( * subset to ensure that we can reuse existing validation code. */ ret = dsdb_search_dn(sam_ctx, - mem_ctx, + tmp_ctx, &res, user_msg->dn, user_attrs, @@ -1024,7 +1031,8 @@ NTSTATUS authsam_reread_user_logon_data( if (ret != LDB_SUCCESS) { DBG_ERR("Unable to re-read account control data for %s\n", ldb_dn_get_linearized(user_msg->dn)); - return NT_STATUS_INTERNAL_ERROR; + status = NT_STATUS_INTERNAL_ERROR; + goto out; } /* @@ -1035,20 +1043,21 @@ NTSTATUS authsam_reread_user_logon_data( DBG_ERR("No %s attribute for %s\n", attr_name, ldb_dn_get_linearized(user_msg->dn)); - TALLOC_FREE(res); - return NT_STATUS_INTERNAL_ERROR; + status = NT_STATUS_INTERNAL_ERROR; + goto out; } acct_flags = samdb_result_acct_flags(res->msgs[0], attr_name); if (acct_flags & ACB_AUTOLOCK) { DBG_WARNING( "Account for user %s was locked out.\n", ldb_dn_get_linearized(user_msg->dn)); - TALLOC_FREE(res); - return NT_STATUS_ACCOUNT_LOCKED_OUT; + status = NT_STATUS_ACCOUNT_LOCKED_OUT; + goto out; } *current = talloc_steal(mem_ctx, res->msgs[0]); - TALLOC_FREE(res); - return NT_STATUS_OK; +out: + TALLOC_FREE(tmp_ctx); + return status; } static struct db_context *authsam_get_bad_password_db( diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c index 03f4e164ca5..70f76c4e1c1 100644 --- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c +++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c @@ -117,7 +117,7 @@ struct replmd_replicated_request { /* * Backlinks for the replmd_add() case (we want to create * backlinks after creating the user, but before the end of - * the ADD request) + * the ADD request) */ struct la_backlink *la_backlinks; @@ -621,7 +621,7 @@ static int replmd_defer_add_backlink(struct ldb_module *module, { const struct dsdb_attribute *target_attr; struct la_backlink *bl; - + bl = talloc(ac, struct la_backlink); if (bl == NULL) { ldb_module_oom(module); 
@@ -666,7 +666,7 @@ static int replmd_add_backlink(struct ldb_module *module, const struct dsdb_attribute *target_attr; struct la_backlink bl; int ret; - + target_attr = dsdb_attribute_by_linkID(schema, schema_attr->linkID ^ 1); if (!target_attr) { /* @@ -783,7 +783,7 @@ static int replmd_op_callback(struct ldb_request *req, struct ldb_reply *ares) } } } - + if (!partition_ctrl) { ldb_set_errstring(ldb_module_get_ctx(ac->module),"No partition control on reply"); return ldb_module_done(ac->req, NULL, @@ -1151,7 +1151,7 @@ static int replmd_add_fix_la(struct ldb_module *module, TALLOC_CTX *mem_ctx, talloc_free(tmp_ctx); return LDB_ERR_OPERATIONS_ERROR; } - + ret = get_parsed_dns(module, tmp_ctx, el, &pdn, sa->syntax->ldap_oid, parent); if (ret != LDB_SUCCESS) { @@ -1244,7 +1244,7 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req) struct replPropertyMetaDataBlob nmd; struct ldb_val nmd_value; struct ldb_dn *extended_dn = NULL; - + /* * The use of a time_t here seems odd, but as the NTTIME * elements are actually declared as NTTIME_1sec in the IDL, @@ -1301,9 +1301,9 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req) } else { /* a new GUID */ guid = GUID_random(); - + guid_blob_stack = data_blob_const(guid_data, sizeof(guid_data)); - + /* This can't fail */ ndr_push_struct_into_fixed_blob(&guid_blob_stack, &guid, (ndr_push_flags_fn_t)ndr_push_GUID); @@ -1414,7 +1414,7 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req) talloc_free(ac); return ret; } - } + } /* * Prepare the context for the backlinks and @@ -2795,7 +2795,7 @@ static int replmd_modify_la_add(struct ldb_module *module, ret = replmd_add_backlink(module, replmd_private, ac->schema, msg_dn, - &dns[i].guid, + &dns[i].guid, true, schema_attr, parent); 
@@ -4388,7 +4388,7 @@ static int replmd_delete_internals(struct ldb_module *module, struct ldb_request .data = discard_const_p(uint8_t, "TRUE"), .length = 4 }; - + unsigned int i; uint32_t dsdb_flags = 0; struct replmd_private *replmd_private; @@ -6300,7 +6300,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar) &guid_txt), ldb_dn_get_linearized(msg->dn))); } - + local_isDeleted = ldb_msg_find_attr_as_bool(ar->search_msg, "isDeleted", false); remote_isDeleted = ldb_msg_find_attr_as_bool(msg, @@ -7699,7 +7699,7 @@ static int replmd_allow_missing_target(struct ldb_module *module, missing_str, ldb_dn_get_linearized(target_dn), ldb_dn_get_linearized(source_dn)); } - + return LDB_SUCCESS; } @@ -8353,7 +8353,7 @@ static int replmd_process_linked_attribute(struct ldb_module *module, if (!(rmd_flags & DSDB_RMD_FLAG_DELETED)) { /* remove the existing backlink */ ret = replmd_add_backlink(module, replmd_private, - schema, + schema, src_dn, &pdn->guid, false, attr, parent); -- Samba Shared Repository