The branch, master has been updated
via 531a33b9c98 s4:rpc_server/netlogon: fix error codes in
dcesrv_netr_NetrLogonSendToSam
via a382636fc2a s4:rpc_server/netlogon: implement
dcesrv_netr_ServerPasswordGet()
via 350db61bef4 s4:selftest: run samba.tests.krb5.netlogon
via 6f52ffab82d python:tests/krb5: add netlogon.py
via 4030a62b2d9 python:tests/krb5: avoid some problems when running
against w2025 (preview) with STRICT_CHECKING=0
via db0e7dfc418 python:tests/krb5: remember the objectGUID of created
accounts
via 04da20c8133 pycredentials: add credentials.netlogon_creds_*()
functions via py_module_methods
via bd76d0460bf pycredentials: add creds.[g|s]et_netlogon_creds()
via 01758da131f pycredentials: remove unused module methods
via 018a3ced1c7 pyrpc_util: fix error Exception message in
py_check_dcerpc_type()
via 567d4e356a1 s4:rpc_server/netlogon: let
dcesrv_netr_LogonSamLogon_base_reply handle encryption errors
via a4105f94f93 libcli/auth: let
netlogon_creds_crypt_samlogon_validation handle generic info
via 18a62ea23fd tests/krb5: make use of conn.auth_info() in
_test_samlogon()
via cbd990b2b6e s4:pyrpc: add conn.auth_info()
via ec6892bd1fc gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid
GSS_C_DELEG[_POLICY]_FLAG
via f59b8ac1364 s3:cli_pipe: pass target_service to
cli_rpc_pipe_open_with_creds()
via 4dbbfcb0040 s3:libads: add kerberos_kinit_passwords_ext() helper
via 017e6e1cb1f s3:libads: split out kerberos_kinit_generic_once()
via 32dd400f9eb s3:libads: remove unused time_offset from
kerberos_kinit_password()
via 890fd844864 s3:libads: let kerberos_kinit_password_ext() always
initialize *ntstatus
via e470d331948 s3:libads: fix compiler warning in trust_pw_change()
via b6123197d13 s3:rpc_client: remember the local/remote ipv4 or ipv6
addresses
via d6aa886ce22 s3:winbindd: remove useless lines in
add_trusted_domains_dc()
via fa044643160 s3:winbindd: make use of samba_sockaddr in
set_remote_addresses() to avoid warnings
via 0de93c34db1 s3:winbindd: make use of samba_sockaddr
add_one_dc_unique() to avoid warnings
via 6cc8dfea6e6 s3:winbindd: let wb_dsgetdcname* normalize to dns names
on an ad_dc
via 0a31a5d20e7 s3:utils: let net_rpc_testjoin() work for ad domains
and no ipv4 address
via e47ce1d10b1 s3:libsmb: let discover_dc_netbios() return
DOMAIN_CONTROLLER_NOT_FOUND
via ed6a9ccef61 libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED if
the proposed flags changed
via 84703cb1fdb s4:torture/rpc: make use of
creds->client_requested_flags
via 07b51a12c06 s4:librpc/rpc: make use of
creds_state->client_requested_flags
via a2b6a68b80f schannel.idl: change netlogon_creds_CredentialState
layout for 4.22
via 52b94f3f0f8 Revert "libcli/auth: let
netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy"
via aea024779f4 libcli/auth: don't lose server_dns_domain in
netlogon_creds_cli_context_global()
via 544838ac5b6 netlogon.idl: add
NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
via 61a5151af55 librpc/ndr: let ndr_print_bitmap_flag work for
bitmap64bit values
via 14128289a30 python/ndr: allow print_secrets=True for ndr_print*
via 377db59ce90 pidl/Python: allow ndr_print(print_secrets=True)
via a69310eeab4 librpc/ndr: add
ndr_print_{struct,union,function}_secret_string()
via 705f774863d librpc/ndr: split out ndr_print_generic_string()
via d9b0aed5478 netlogon.idl: use authservice("netlogon")
via 9ede82167bf netlogon.idl: mark some structs as public so that
ndr.ndr_deepcopy() works in python
via dbe3308cbaf samr/netlogon.idl: add [flag(NDR_SECRET)] in some more
places
from eb02776cf41 s3:tests: Adapt winbind_call_depth_trace to depth=3
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 531a33b9c98a0a118538f2502151f22382e62d37
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 25 18:25:52 2024 +0100
s4:rpc_server/netlogon: fix error codes in dcesrv_netr_NetrLogonSendToSam
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Thu Dec 5 17:46:49 UTC 2024 on atb-devel-224
commit a382636fc2ac9b0c0d16d2bb10d3eaf338f416d4
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 25 18:12:22 2024 +0100
s4:rpc_server/netlogon: implement dcesrv_netr_ServerPasswordGet()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 350db61bef41dace1c6f59d52b5dc6a2c4cf3a0f
Author: Stefan Metzmacher <[email protected]>
Date: Sat Nov 23 00:24:34 2024 +0100
s4:selftest: run samba.tests.krb5.netlogon
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 6f52ffab82df4005e491a4c729ebffe35bcf3d12
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 8 17:08:26 2024 +0100
python:tests/krb5: add netlogon.py
This adds tests for the application layer encryption used
based on the secure channel session key.
This will get tests for netr_ServerAuthenticateKerberos()
in order to explore its details.
This runs against Windows 2022 as well as Windows 2025 (preview)
using something like this:
SMB_CONF_PATH=/dev/null \
SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
STRICT_CHECKING=0 \python/samba/tests/krb5/netlogon.py
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 4030a62b2d9ee524f6f02506323343cd36daae24
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 21 15:57:41 2024 +0100
python:tests/krb5: avoid some problems when running against w2025 (preview)
with STRICT_CHECKING=0
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit db0e7dfc418c372da641b2f9bac7f75c95c8f8c5
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 21 18:10:18 2024 +0100
python:tests/krb5: remember the objectGUID of created accounts
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 04da20c813329475e6298fd4e34acaa2405ee3bf
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 18 19:26:30 2024 +0100
pycredentials: add credentials.netlogon_creds_*() functions via
py_module_methods
This makes it possible to explore the functions around
netlogon_creds_CredentialState via python.
This allows us to write tests in order to explore
the details of netr_ServerAuthenticateKerberos().
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit bd76d0460bfd295ac15cb9f0ac7b8718a982ee79
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 18 18:49:40 2024 +0100
pycredentials: add creds.[g|s]et_netlogon_creds()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 01758da131f62cc4e140b7390a4bd831a85b9978
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 18 18:03:24 2024 +0100
pycredentials: remove unused module methods
It's not useful to use the PyCredentials methods
also as module methods...
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 018a3ced1c75a800a61f2a2343ef4b8e2d3ef32b
Author: Stefan Metzmacher <[email protected]>
Date: Tue Nov 19 15:55:30 2024 +0100
pyrpc_util: fix error Exception message in py_check_dcerpc_type()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 567d4e356a10c5af3b679dcb338ae2bd3ce88b19
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 15 17:12:52 2024 +0100
s4:rpc_server/netlogon: let dcesrv_netr_LogonSamLogon_base_reply handle
encryption errors
This might be the better option when we implement
netr_ServerAuthenticateKerberos().
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit a4105f94f930bd46f80ffec218bb2a57548b2b11
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 18 19:50:22 2024 +0100
libcli/auth: let netlogon_creds_crypt_samlogon_validation handle generic
info
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 18a62ea23fd6b2b493a0f17575a1e84b7370d1d6
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 11 23:27:05 2024 +0100
tests/krb5: make use of conn.auth_info() in _test_samlogon()
In future we'll have KRB5 instead of SCHANNEL...
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit cbd990b2b6ead8a0b706a247c906d97817df4605
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 11 23:20:52 2024 +0100
s4:pyrpc: add conn.auth_info()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit ec6892bd1fcc0391f9aa831d7e4f095825dafb56
Author: Stefan Metzmacher <[email protected]>
Date: Wed Nov 6 14:29:10 2024 +0100
gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid
GSS_C_DELEG[_POLICY]_FLAG
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit f59b8ac136430df85e2e3af20e552d9fafb6918c
Author: Stefan Metzmacher <[email protected]>
Date: Wed Nov 6 14:16:27 2024 +0100
s3:cli_pipe: pass target_service to cli_rpc_pipe_open_with_creds()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 4dbbfcb00401d7a797154c812587bfe2dda0aea1
Author: Stefan Metzmacher <[email protected]>
Date: Wed Sep 25 16:02:02 2024 +0200
s3:libads: add kerberos_kinit_passwords_ext() helper
This can check more than one password and is designed to
support getting a TGT for our machine account also falling
back to older passwords...
If we don't have a plaintext password it falls back to an nt_hash.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 017e6e1cb1f3274c7eaf94c5e17b3e4eaf731510
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 12 20:53:14 2024 +0200
s3:libads: split out kerberos_kinit_generic_once()
This can be used to kinit with a keyblock later
and also a loop over multiple password generations will
be possible.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 32dd400f9eb01ea058a9089b6dc462d025a5daff
Author: Stefan Metzmacher <[email protected]>
Date: Thu Sep 12 19:56:05 2024 +0200
s3:libads: remove unused time_offset from kerberos_kinit_password()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 890fd8448640379a8c673068020331f6049a6416
Author: Stefan Metzmacher <[email protected]>
Date: Tue Nov 5 13:57:46 2024 +0100
s3:libads: let kerberos_kinit_password_ext() always initialize *ntstatus
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit e470d331948cf4b45b9046c3a91d4370b83823a1
Author: Stefan Metzmacher <[email protected]>
Date: Mon Nov 4 19:13:55 2024 +0100
s3:libads: fix compiler warning in trust_pw_change()
../../source3/libads/trusts_util.c: In function ‘trust_pw_change’:
../../source3/libads/trusts_util.c:302:45: warning: dereferencing
type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
302 | (void **)&new_trust_pw_blob.data,
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit b6123197d13b5350b8fc88e9c8d59f0f05c3aed6
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 1 12:52:15 2024 +0200
s3:rpc_client: remember the local/remote ipv4 or ipv6 addresses
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit d6aa886ce22045075c90ee37e8c6949201997507
Author: Stefan Metzmacher <[email protected]>
Date: Wed Oct 2 16:54:26 2024 +0200
s3:winbindd: remove useless lines in add_trusted_domains_dc()
add_trusted_domain() above already sets this...
Review with: git show -U15
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit fa0446431601699d8f1607b7d1b0995e7c52a5b6
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 1 15:42:50 2024 +0200
s3:winbindd: make use of samba_sockaddr in set_remote_addresses() to avoid
warnings
../../source3/winbindd/winbindd_dual_ndr.c: In function
‘set_remote_addresses’:
../../source3/winbindd/winbindd_dual_ndr.c:467:51: warning: dereferencing
type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
467 | struct sockaddr *sar = (struct sockaddr *)&st;
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 0de93c34db1579c05c2ed1bc4442c285fc98d975
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 1 15:35:50 2024 +0200
s3:winbindd: make use of samba_sockaddr add_one_dc_unique() to avoid
warnings
../../source3/winbindd/winbindd_cm.c: In function ‘add_one_dc_unique’:
../../source3/winbindd/winbindd_cm.c:1172:48: warning: dereferencing
type-punned pointer might break strict-aliasing rules [-Wstrict-aliasing]
1172 | (struct sockaddr *)(void *)&(*dcs)[i].ss,
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 6cc8dfea6e62ea93e1d6849ed27065d73f328b6d
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 15 13:37:50 2024 +0200
s3:winbindd: let wb_dsgetdcname* normalize to dns names on an ad_dc
wb_dsgetdcname() is typically used by dcerpc_wbint_DsGetDcName_send()
from netr_DsRGetDCName* in the netlogon server, when domain members
try to ask for domain controllers of a trusted domain.
The domain might have disabled netbios support, so we better try the
dns name we already have, if available.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 0a31a5d20e7a05f7fff12003e64ec6f9678a6ae6
Author: Stefan Metzmacher <[email protected]>
Date: Fri Oct 11 13:38:07 2024 +0000
s3:utils: let net_rpc_testjoin() work for ad domains and no ipv4 address
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit e47ce1d10b13d8ef165c70984e6e490f4c2a64c2
Author: Stefan Metzmacher <[email protected]>
Date: Fri Oct 11 13:32:22 2024 +0000
s3:libsmb: let discover_dc_netbios() return DOMAIN_CONTROLLER_NOT_FOUND
We may get NT_STATUS_NOT_FOUND when the name can't be resolved
and NT_STATUS_INVALID_ADDRESS if the system doesn't have ipv4
addresses...
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit ed6a9ccef611897e9c997ca4a1897615fe4fd29a
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 7 17:32:07 2024 +0100
libcli/auth: return RESOURCE_REQUIREMENTS_CHANGED if the proposed flags
changed
This will be important when we add support for
netr_ServerAuthenticateKerberos().
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 84703cb1fdb92fe3ea0eafadccb3b8883e0c7ebb
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 8 15:56:04 2024 +0100
s4:torture/rpc: make use of creds->client_requested_flags
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 07b51a12c06d82782f5f15e0f66fde84e48d5b81
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 8 16:11:48 2024 +0100
s4:librpc/rpc: make use of creds_state->client_requested_flags
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit a2b6a68b80fbe26bc8ab9bfd38aff1be340ba68a
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 15 16:24:25 2024 +0100
schannel.idl: change netlogon_creds_CredentialState layout for 4.22
This breaks compat with 4.21 and moves stuff out of
netlogon_creds_CredentialState_extra_info.
It also prepares support for netr_ServerAuthenticateKerberos()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 52b94f3f0f8e26f2398d77565494b00c7c78d4f3
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 29 17:33:39 2024 +0100
Revert "libcli/auth: let netlogon_creds_cli_store_internal check
netlogon_creds_CredentialState_legacy"
This reverts commit c3fa132fbe179bd4e1451240ce572ec791356a16.
We break the compat of the netlogon_creds_cli.tdb records compared to
4.21 with the next commits.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit aea024779f45e4815b897b89a58b7fed42592804
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 7 14:44:21 2024 +0100
libcli/auth: don't lose server_dns_domain in
netlogon_creds_cli_context_global()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 544838ac5b6ba802760307d8afef314afb619d49
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 21 14:16:12 2024 +0100
netlogon.idl: add
NetlogonTicketLogonInformation/NetlogonValidationTicketLogon
I have basic tests, which have shown that the payload is not
encrypted at application level.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 61a5151af556b2386894ba2c5eb834ca81001cdb
Author: Stefan Metzmacher <[email protected]>
Date: Thu Nov 21 14:11:06 2024 +0100
librpc/ndr: let ndr_print_bitmap_flag work for bitmap64bit values
Keep libndr at 6.0.0, this has not been released yet.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 14128289a30499b488484f3375ff0dbf7e214456
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 22 15:30:11 2024 +0100
python/ndr: allow print_secrets=True for ndr_print*
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 377db59ce90c56f8e664809684e429142988bd6e
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 22 15:00:23 2024 +0100
pidl/Python: allow ndr_print(print_secrets=True)
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit a69310eeab4519963d8cdab13a2ca8be5793458c
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 22 14:21:23 2024 +0100
librpc/ndr: add ndr_print_{struct,union,function}_secret_string()
Keep libndr at 6.0.0, this has not been released yet.
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 705f774863d8ac7729229d0342d79ccddbe992ad
Author: Stefan Metzmacher <[email protected]>
Date: Fri Nov 22 14:10:56 2024 +0100
librpc/ndr: split out ndr_print_generic_string()
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit d9b0aed5478f84b962e9154c9defcd0d44b96c9a
Author: Stefan Metzmacher <[email protected]>
Date: Tue Oct 15 13:51:53 2024 +0000
netlogon.idl: use authservice("netlogon")
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit 9ede82167bf3c8b610935cce32fda6918429a009
Author: Stefan Metzmacher <[email protected]>
Date: Tue Nov 19 17:37:54 2024 +0100
netlogon.idl: mark some structs as public so that ndr.ndr_deepcopy() works
in python
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
commit dbe3308cbaf188402f1fa1268702cd4e8b9d7f08
Author: Stefan Metzmacher <[email protected]>
Date: Wed Nov 6 17:48:05 2024 +0100
samr/netlogon.idl: add [flag(NDR_SECRET)] in some more places
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/pycredentials.c | 1217 ++++++++++++++++++-
auth/gensec/gensec.h | 1 +
libcli/auth/credentials.c | 50 +-
libcli/auth/netlogon_creds_cli.c | 34 +-
libcli/auth/schannel_state_tdb.c | 9 -
librpc/ABI/ndr-6.0.0.sigs | 5 +-
librpc/idl/netlogon.idl | 156 ++-
librpc/idl/samr.idl | 6 +-
librpc/idl/schannel.idl | 104 +-
librpc/ndr/libndr.h | 16 +-
librpc/ndr/ndr.c | 153 ++-
librpc/ndr/ndr_basic.c | 6 +-
librpc/rpc/server/netlogon/schannel_util.c | 4 +-
pidl/lib/Parse/Pidl/Samba4/Python.pm | 68 +-
python/samba/ndr.py | 12 +-
python/samba/tests/krb5/kdc_base_test.py | 10 +-
python/samba/tests/krb5/netlogon.py | 1483 ++++++++++++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 13 +-
selftest/knownfail | 1 -
selftest/knownfail.d/samba.tests.krb5.netlogon | 5 +
source3/libads/kerberos.c | 694 ++++++++++-
source3/libads/kerberos_proto.h | 13 +-
source3/libads/krb5_setpw.c | 1 -
source3/libads/trusts_util.c | 2 +-
source3/librpc/crypto/gse.c | 5 +-
source3/libsmb/dsgetdcname.c | 14 +-
source3/libsmb/passchange.c | 1 +
source3/rpc_client/cli_pipe.c | 78 +-
source3/rpc_client/cli_pipe.h | 3 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +-
source3/rpcclient/rpcclient.c | 1 +
source3/utils/net_rpc.c | 22 +-
source3/winbindd/wb_dsgetdcname.c | 16 +
source3/winbindd/winbindd_cm.c | 13 +-
source3/winbindd/winbindd_dual_ndr.c | 22 +-
source3/winbindd/winbindd_util.c | 6 -
source4/auth/gensec/gensec_gssapi.c | 4 +
source4/librpc/rpc/dcerpc_schannel.c | 10 +-
source4/librpc/rpc/pyrpc.c | 24 +
source4/librpc/rpc/pyrpc_util.c | 2 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 68 +-
source4/selftest/tests.py | 8 +
source4/torture/rpc/schannel.c | 34 +-
wscript_configure_embedded_heimdal | 2 +
wscript_configure_system_heimdal | 1 +
wscript_configure_system_mitkrb5 | 1 +
46 files changed, 4082 insertions(+), 322 deletions(-)
create mode 100755 python/samba/tests/krb5/netlogon.py
create mode 100644 selftest/knownfail.d/samba.tests.krb5.netlogon
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a2457009559..d20d58ebe0d 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -972,6 +972,85 @@ static PyObject *py_creds_get_secure_channel_type(PyObject
*self, PyObject *args
return PyLong_FromLong(channel_type);
}
+static PyObject *py_creds_get_netlogon_creds(PyObject *self, PyObject *unused)
+{
+ struct cli_credentials *creds = NULL;
+ struct netlogon_creds_CredentialState *ncreds = NULL;
+ PyObject *py_ncreds = Py_None;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ if (creds->netlogon_creds == NULL) {
+ Py_RETURN_NONE;
+ }
+
+ ncreds = netlogon_creds_copy(NULL, creds->netlogon_creds);
+ if (ncreds == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState",
+ ncreds,
+ ncreds);
+ if (py_ncreds == NULL) {
+ TALLOC_FREE(ncreds);
+ return NULL;
+ }
+
+ return py_ncreds;
+}
+
+static PyObject *py_creds_set_netlogon_creds(PyObject *self, PyObject *args)
+{
+ struct cli_credentials *creds = NULL;
+ const struct netlogon_creds_CredentialState *ncreds = NULL;
+ PyObject *py_ncreds = Py_None;
+
+ creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ if (!PyArg_ParseTuple(args, "O", &py_ncreds))
+ return NULL;
+
+ if (py_ncreds == Py_None) {
+ ncreds = NULL;
+ } else {
+ bool ok;
+
+ ok = py_check_dcerpc_type(py_ncreds,
+ "samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ ncreds = pytalloc_get_type(py_ncreds,
+ struct
netlogon_creds_CredentialState);
+ if (ncreds == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+ }
+
+ cli_credentials_set_netlogon_creds(creds, ncreds);
+ if (ncreds != NULL && creds->netlogon_creds == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ Py_RETURN_NONE;
+}
+
static PyObject *py_creds_set_kerberos_salt_principal(PyObject *self, PyObject
*args)
{
char *salt_principal = NULL;
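Review bot: in py_creds_set_netlogon_creds the early return `if (!PyArg_ParseTuple(args, "O", &py_ncreds)) return NULL;` drops the braces that every other early return in this hunk uses; wrap it in `{ ... }` to keep the file's style consistent. Also worth a short comment on py_creds_get_netlogon_creds saying that it returns a netlogon_creds_copy() of the state, so mutating the returned Python object does not change creds->netlogon_creds until set_netlogon_creds() is called with it again.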
@@ -1673,6 +1752,16 @@ static PyMethodDef py_creds_methods[] = {
.ml_meth = py_creds_get_secure_channel_type,
.ml_flags = METH_VARARGS,
},
+ {
+ .ml_name = "get_netlogon_creds",
+ .ml_meth = py_creds_get_netlogon_creds,
+ .ml_flags = METH_NOARGS,
+ },
+ {
+ .ml_name = "set_netlogon_creds",
+ .ml_meth = py_creds_set_netlogon_creds,
+ .ml_flags = METH_VARARGS,
+ },
{
.ml_name = "set_kerberos_salt_principal",
.ml_meth = py_creds_set_kerberos_salt_principal,
@@ -1772,14 +1861,6 @@ static PyMethodDef py_creds_methods[] = {
{ .ml_name = NULL }
};
-static struct PyModuleDef moduledef = {
- PyModuleDef_HEAD_INIT,
- .m_name = "credentials",
- .m_doc = "Credentials management.",
- .m_size = -1,
- .m_methods = py_creds_methods,
-};
-
PyTypeObject PyCredentials = {
.tp_name = "credentials.Credentials",
.tp_new = py_creds_new,
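Review bot: this hunk only removes the module-level `moduledef` whose `.m_methods = py_creds_methods` exposed the PyCredentials methods as module functions; the truncated changeset does not show the replacement PyModuleDef, so confirm that the new definition points `.m_methods` at the module-level py_netlogon_creds_* table (py_module_methods per the commit message) and not back at py_creds_methods, otherwise the `credentials` module either loses its functions or re-exports the per-object methods this series is removing.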
@@ -1821,6 +1902,1126 @@ PyTypeObject PyCredentialCacheContainer = {
.tp_methods = py_ccache_container_methods,
};
+static PyObject *py_netlogon_creds_random_challenge(PyObject *module,
+ PyObject *unused)
+{
+ struct netr_Credential *challenge = NULL;
+ PyObject *py_challenge = Py_None;
+
+ challenge = talloc(NULL, struct netr_Credential);
+ if (challenge == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+ netlogon_creds_random_challenge(challenge);
+
+ py_challenge = py_return_ndr_struct("samba.dcerpc.netlogon",
+ "netr_Credential",
+ challenge,
+ challenge);
+ if (py_challenge == NULL) {
+ TALLOC_FREE(challenge);
+ return NULL;
+ }
+
+ return py_challenge;
+}
+
+static PyObject *py_netlogon_creds_client_init(PyObject *module,
+ PyObject *args,
+ PyObject *kwargs)
+{
+ const char * const kwnames[] = {
+ "client_account",
+ "client_computer_name",
+ "secure_channel_type",
+ "client_challenge",
+ "server_challenge",
+ "machine_password",
+ "client_requested_flags",
+ "negotiate_flags",
+ NULL,
+ };
+ const char *client_account = NULL;
+ const char *client_computer_name = NULL;
+ unsigned short secure_channel_type = 0;
+ unsigned int client_requested_flags = 0;
+ unsigned int negotiate_flags = 0;
+ PyObject *py_client_challenge = Py_None;
+ const struct netr_Credential *client_challenge = NULL;
+ PyObject *py_server_challenge = Py_None;
+ const struct netr_Credential *server_challenge = NULL;
+ PyObject *py_machine_password = Py_None;
+ const struct samr_Password *machine_password = NULL;
+ struct netlogon_creds_CredentialState *ncreds = NULL;
+ PyObject *py_ncreds = Py_None;
+ struct netr_Credential *initial_credential = NULL;
+ PyObject *py_initial_credential = Py_None;
+ PyObject *py_result = Py_None;
+ bool ok;
+
+ ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ssHOOOII",
+ discard_const_p(char *, kwnames),
+ &client_account,
+ &client_computer_name,
+ &secure_channel_type,
+ &py_client_challenge,
+ &py_server_challenge,
+ &py_machine_password,
+ &client_requested_flags,
+ &negotiate_flags);
+ if (!ok) {
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_client_challenge,
+ "samba.dcerpc.netlogon",
+ "netr_Credential");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ client_challenge = pytalloc_get_type(py_client_challenge,
+ struct netr_Credential);
+ if (client_challenge == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_server_challenge,
+ "samba.dcerpc.netlogon",
+ "netr_Credential");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ /*
+ * we can't use pytalloc_get_type as
+ * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
+ * correct talloc name because of old
+ * compilers.
+ */
+ server_challenge = pytalloc_get_ptr(py_server_challenge);
+ if (server_challenge == NULL) {
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_machine_password,
+ "samba.dcerpc.samr",
+ "Password");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ machine_password = pytalloc_get_type(py_machine_password,
+ struct samr_Password);
+ if (machine_password == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+
+ initial_credential = talloc_zero(NULL, struct netr_Credential);
+ if (initial_credential == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ ncreds = netlogon_creds_client_init(NULL,
+ client_account,
+ client_computer_name,
+ secure_channel_type,
+ client_challenge,
+ server_challenge,
+ machine_password,
+ initial_credential,
+ client_requested_flags,
+ negotiate_flags);
+ if (ncreds == NULL) {
+ TALLOC_FREE(initial_credential);
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState",
+ ncreds,
+ ncreds);
+ if (py_ncreds == NULL) {
+ TALLOC_FREE(initial_credential);
+ TALLOC_FREE(ncreds);
+ return NULL;
+ }
+
+ py_initial_credential = py_return_ndr_struct("samba.dcerpc.netlogon",
+ "netr_Credential",
+ initial_credential,
+ initial_credential);
+ if (py_ncreds == NULL) {
+ Py_DECREF(py_ncreds);
+ TALLOC_FREE(initial_credential);
+ return NULL;
+ }
+
+ py_result = Py_BuildValue("(OO)",
+ py_ncreds,
+ py_initial_credential);
+ if (py_result == NULL) {
+ Py_DECREF(py_ncreds);
+ Py_DECREF(py_initial_credential);
+ return NULL;
+ }
+
+ return py_result;
+}
+
+static PyObject *py_netlogon_creds_client_update(PyObject *module,
+ PyObject *args,
+ PyObject *kwargs)
+{
+ const char * const kwnames[] = {
+ "netlogon_creds",
+ "negotiated_flags",
+ "client_rid",
+ NULL,
+ };
+ PyObject *py_ncreds = Py_None;
+ struct netlogon_creds_CredentialState *ncreds = NULL;
+ unsigned int negotiated_flags = 0;
+ unsigned int client_rid = 0;
+ bool ok;
+
+ ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OII",
+ discard_const_p(char *, kwnames),
+ &py_ncreds,
+ &negotiated_flags,
+ &client_rid);
+ if (!ok) {
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_ncreds,
+ "samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ ncreds = pytalloc_get_type(py_ncreds,
+ struct netlogon_creds_CredentialState);
+ if (ncreds == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+
+ ncreds->negotiate_flags = negotiated_flags;
+ ncreds->client_sid.sub_auths[0] = client_rid;
+
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_netlogon_creds_client_authenticator(PyObject *module,
+ PyObject *args,
+ PyObject *kwargs)
+{
+ const char * const kwnames[] = {
+ "netlogon_creds",
+ NULL,
+ };
+ PyObject *py_ncreds = Py_None;
+ struct netlogon_creds_CredentialState *ncreds = NULL;
+ struct netlogon_creds_CredentialState _ncreds;
+ struct netr_Authenticator _auth;
+ struct netr_Authenticator *auth = NULL;
+ PyObject *py_auth = Py_None;
+ NTSTATUS status;
+ bool ok;
+
+ ok = PyArg_ParseTupleAndKeywords(args, kwargs, "O",
+ discard_const_p(char *, kwnames),
+ &py_ncreds);
+ if (!ok) {
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_ncreds,
+ "samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ ncreds = pytalloc_get_type(py_ncreds,
+ struct netlogon_creds_CredentialState);
+ if (ncreds == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+
+ _ncreds = *ncreds;
+ status = netlogon_creds_client_authenticator(&_ncreds, &_auth);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
+
+ auth = talloc(NULL, struct netr_Authenticator);
+ if (auth == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+ *auth = _auth;
+
+ py_auth = py_return_ndr_struct("samba.dcerpc.netlogon",
+ "netr_Authenticator",
+ auth,
+ auth);
+ if (py_auth == NULL) {
+ TALLOC_FREE(auth);
+ return NULL;
+ }
+
+ *ncreds = _ncreds;
+ return py_auth;
+}
+
+static PyObject *py_netlogon_creds_client_verify(PyObject *module,
+ PyObject *args,
+ PyObject *kwargs)
+{
+ const char * const kwnames[] = {
+ "netlogon_creds",
+ "received_credentials",
+ "auth_type",
+ "auth_level",
+ NULL,
+ };
+ PyObject *py_ncreds = Py_None;
+ struct netlogon_creds_CredentialState *ncreds = NULL;
+ PyObject *py_rcreds = Py_None;
+ const struct netr_Credential *rcreds = NULL;
+ uint8_t _auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthType auth_type;
+ uint8_t _auth_level = DCERPC_AUTH_LEVEL_NONE;
+ enum dcerpc_AuthLevel auth_level;
+ NTSTATUS status;
+ bool ok;
+
+ ok = PyArg_ParseTupleAndKeywords(args, kwargs, "OObb",
+ discard_const_p(char *, kwnames),
+ &py_ncreds,
+ &py_rcreds,
+ &_auth_type,
+ &_auth_level);
+ if (!ok) {
+ return NULL;
+ }
+ auth_type = _auth_type;
+ auth_level = _auth_level;
+
+ ok = py_check_dcerpc_type(py_ncreds,
+ "samba.dcerpc.schannel",
+ "netlogon_creds_CredentialState");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ ncreds = pytalloc_get_type(py_ncreds,
+ struct netlogon_creds_CredentialState);
+ if (ncreds == NULL) {
+ /* pytalloc_get_type sets TypeError */
+ return NULL;
+ }
+
+ ok = py_check_dcerpc_type(py_rcreds,
+ "samba.dcerpc.netlogon",
+ "netr_Credential");
+ if (!ok) {
+ /* py_check_dcerpc_type sets TypeError */
+ return NULL;
+ }
+
+ /*
+ * we can't use pytalloc_get_type as
+ * NDR_PULL_ALLOC()/talloc_ptrtype() doesn't set the
+ * correct talloc name because of old
+ * compilers.
+ */
+ rcreds = pytalloc_get_ptr(py_rcreds);
+ if (rcreds == NULL) {
+ return NULL;
+ }
+
+ status = netlogon_creds_client_verify(ncreds,
+ rcreds,
+ auth_type,
+ auth_level);
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
+
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_netlogon_creds_encrypt_netr_LogonLevel(PyObject *module,
+ PyObject *args,
+ PyObject *kwargs)
+{
+ const char * const kwnames[] = {
+ "netlogon_creds",
+ "level",
+ "info",
+ "auth_type",
+ "auth_level",
+ NULL,
+ };
+ PyObject *py_ncreds = Py_None;
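Review bot: in py_netlogon_creds_client_init the NULL check after the second py_return_ndr_struct() tests the wrong variable: `if (py_ncreds == NULL)` should be `if (py_initial_credential == NULL)`. py_ncreds was already checked a few lines above, so a failed wrap of initial_credential is never detected; Py_BuildValue("(OO)", ...) then receives a NULL pointer, returns NULL, and the error branch calls Py_DECREF(py_initial_credential) on that NULL pointer. Secondary, in py_netlogon_creds_client_update: `ncreds->client_sid.sub_auths[0] = client_rid;` writes the RID without checking client_sid.num_auths, so it relies on netlogon_creds_client_init() having populated client_sid with at least one sub-authority; a comment stating that invariant (or a num_auths check that raises ValueError) would make the helper safer to call from tests that construct their own state.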
--
Samba Shared Repository