[SCM] Samba Shared Repository - branch master updated

2023-05-17 Thread Andrew Bartlett
The branch, master has been updated
   via  303d2109f63 s4:kdc: Check lifetime of correct ticket
   via  99f31cabf5f third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)
   via  53c47698f01 tests/krb5: Add tests presenting short-lived ticket in various scenarios
   via  9b1bd267f01 tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()
   via  748fa19a26a tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter
   via  787b701e68f tests/krb5: Use consistent time between get_KerberosTime() calls
   via  e1109fbfef9 tests/krb5: Move modify_requester_sid_time() to RawKerberosTest
   via  0e176d856fe s4:kdc: Remove manual addition of error data
   via  637fd961bd3 s4:kdc: Add NTSTATUS e-data to KDC reply
   via  90436389b81 third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)
   via  041f70055cf s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
   via  28cffae4b2c s4:kdc: Use more suitable type for final_ret
   via  d211d700ab9 tests/krb5: Set expected_status even if expect_status is not true
   via  4a3f764f7fa tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests
   via  9d3c3f06ab6 tests/krb5: Be less particular about expected status codes for S4U tests
   via  7266924b3d6 s4:kdc: Use talloc_get_type_abort()
  from  6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 303d2109f637b553c550183e9406b468ee7e2837
Author: Joseph Sutton 
Date:   Tue Apr 18 14:28:01 2023 +1200

s4:kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT
presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a
user-to-user ticket, make sure we check the lifetime of that ticket
instead. To do this we need to pass the appropriate ticket into the
plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224

commit 99f31cabf5fe3ce7afe01148f311f45e4740794e
Author: Joseph Sutton 
Date:   Thu May 18 09:54:12 2023 +1200

third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 53c47698f01b9b948cbb565c1cc808d9cfd423f8
Author: Joseph Sutton 
Date:   Thu May 18 10:59:53 2023 +1200

tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and
user-to-user tickets.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 9b1bd267f01e49f134663f42329c606f5483a3cb
Author: Joseph Sutton 
Date:   Thu May 18 11:07:36 2023 +1200

tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()

...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 748fa19a26ae61888c5951cc0163a214f751589f
Author: Joseph Sutton 
Date:   Thu May 18 11:05:56 2023 +1200

tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter

This is so callers can modify the lifetime of a ticket without
necessarily changing the requester SID.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 787b701e68fc031f28045150d2b603e6a15f644e
Author: Joseph Sutton 
Date:   Thu May 18 11:03:40 2023 +1200

tests/krb5: Use consistent time between get_KerberosTime() calls

Otherwise get_KerberosTime() calls time.time() itself, the value of
which can change between calls.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e1109fbfef9ab840b3c6cf1e626fb99de7771cd4
Author: Joseph Sutton 
Date:   Thu May 18 11:01:47 2023 +1200

tests/krb5: Move modify_requester_sid_time() to RawKerberosTest

We shall make use of it in KdcTgsTests.

Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 0e176d856fea22973efe6db3ebea3b1fce36d87f
Author: Joseph Sutton 
Date:   Wed May 17 15:49:09 2023 +1200

s4:kdc: Remove manual addition of error data

This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 637fd961bd359c3ca30e21ebae731ead5cfbc673
Author: Joseph Sutton 
Date:   Wed May 17 

[SCM] Samba Shared Repository - branch master updated

2023-05-17 Thread Andrew Bartlett
The branch, master has been updated
   via  6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos)
   via  420fae5dcbe s4:kdc: Make use of dsdb_search_one()
   via  e1f8cb063dd s4:kdc: Don’t perform unnecessary search to get account objectClass
   via  10d6d77a272 s4:kdc: Have get_claims_for_principal() take the entire principal
   via  3d9863cfdc4 s4:kdc: Enforce TGT lifetime authentication policy
   via  1fdff371051 s4:kdc: Look up authentication policies for Kerberos clients and servers
   via  f1212ffe4e4 s4:kdc: Make maximum lifetime and renew time signed
   via  9eaff7e852b s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
   via  eeebd488f2a third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)
   via  f547cf1db86 s4:kdc: Add helper functions for authentication policies
   via  633ebe1b3ef s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
   via  8cc0b76509b s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
   via  9ff7d6c5c55 s4:kdc: Add NTSTATUS strings to log messages
   via  32b49d8a56e lib:audit_logging: Fix typo in log message
   via  d7b68236ecf lib:audit_logging: Add function to add a formatted time value to a JSON message
   via  0080148483c lib:audit_logging: Add function to add an optional boolean value to a JSON message
   via  4440f1db54b lib:audit_logging: Add function to add flags to a JSON message
   via  89d30cdfe16 s4:auth: Remove superfluous semicolon
   via  34080e8839a s4:auth: Fix leak
   via  263deae7e2b auth: Fix leaks
   via  1de2feef90c auth: Correct parameter order in header
   via  6d8a7e1655c s4:kdc: Fix diagnostic messages
   via  ad14287dd7c s4:kdc: Fix error messages
   via  451f221bf35 s4:kdc: Check ldb_dn_new() return value
   via  8f7f55da1e4 s4:kdc: Remove double-free
   via  96a64b0522e s4:kdc: Remove double-free
   via  02e6970ad65 s4:kdc: Fix leaks
   via  2a9d057e828 s4:kdc: Make use of auth_generate_security_token()
   via  9aaedb152ca s4:auth: Fix typos
   via  e2e752b5461 s4:auth: Split out new function to generate a security token
   via  024e5f7e92a auth: Remove unnecessary return statements
   via  f948f9cb66f s3:utils: Fix typo
   via  798be592f90 s4:kdc: Fix debugging strings
   via  60803ea8c81 s4:kdc: Fix typos
   via  bbdb3bf8a63 s4:kdc: Factor out PAC blob functions into new source file
   via  9a78a8b3f21 s4:kdc: Add missing includes and declarations
   via  c782dd2ffea libcli: Add missing include
   via  cdb1047bdc5 s4:kdc: Include missing headers
   via  12fd8274fff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
   via  84a7ae8e0c7 tests/krb5: Add tests for authentication policies
   via  f9b666297cb tests/krb5: Allow specifying whether PA-DATA types are to be checked
   via  53b62429f89 tests/krb5: Allow server and workstation accounts to perform a SamLogon
   via  c1ab6036bb0 tests/krb5: Allow specifying machine credentials to _test_samlogon()
   via  031f1c7632e tests/krb5: Rename ‘server’ to ‘dc_server’
   via  78cca1411ff netlogon:schannel: Fix NULL pointer dereference
   via  3424c6d20fe tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
   via  18b24f95728 tests/krb5: Improve edata checking
   via  3063abbfb0a tests/krb5: Remove unused import
   via  0d609ee5ed3 samba-tool domain: Clean up code
   via  56d98e974c3 samba-tool domain: Remove unused variables
  from  e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71
Author: Joseph Sutton 
Date:   Tue Mar 28 15:10:50 2023 +1300

s4:kdc: Add support for constructed claims (for authentication silos)

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224

commit 420fae5dcbe886b7e66928e88d031c8569aacd5c
Author: Joseph Sutton 
Date:   Wed May 17 12:02:47 2023 +1200

s4:kdc: Make use of dsdb_search_one()

Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit e1f8cb063ddc3753ab8673416fa70fa616138f30
Author: Joseph Sutton 
Date:   Wed May 17 12:07:44 2023 +1200

s4:kdc: Don’t perform unnecessary search to get account objectClass

We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett 

commit 10d6d77a2720577e51bc93c51c85261c1e3d37b8
Author: Joseph Sutton 
Date:   Wed May 17 11:55:16 2023 +1200

s4:kdc: Have 

[SCM] Samba Shared Repository - branch master updated

2023-05-17 Thread Volker Lendecke
The branch, master has been updated
   via  e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
  from  8296b6884df s4:torture: Replace calls to deprecated function

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit e03e738dfc96b3c8ce54e2d280143965713f4778
Author: Stefan Metzmacher 
Date:   Tue May 16 13:09:23 2023 +0200

librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

We should not limit the possible encryption algorithms to the currently
known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher 
Reviewed-by: Volker Lendecke 

Autobuild-User(master): Volker Lendecke 
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

---

Summary of changes:
 librpc/rpc/dcerpc_helper.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c
index eec78e034ee..e1589f90794 100644
--- a/librpc/rpc/dcerpc_helper.c
+++ b/librpc/rpc/dcerpc_helper.c
@@ -49,7 +49,12 @@ static bool smb3_sid_parse(const struct dom_sid *sid,
}
 
cipher = sid->sub_auths[3];
-   if (cipher > SMB2_ENCRYPTION_AES128_GCM) {
+   if (cipher > 256) {
+   /*
+* It is unlikely that we
+* ever have more then 256
+* encryption algorithms
+*/
return false;
}
 
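Review bot: The new bound in `if (cipher > 256)` does not match its own comment and is a bare magic number. With `>`, the value 256 itself passes, so 257 distinct IDs (0 to 256) are accepted while the comment speaks of 256 algorithms; if the intent is "at most 256 IDs", `cipher >= 256` expresses that. Either way, a named constant would document the limit better than a literal. The comment also has a typo: "more then" should be "more than". Because this check no longer rejects IDs above SMB2_ENCRYPTION_AES128_GCM, it is worth confirming that whatever consumes the parsed `cipher` handles an unrecognised ID safely instead of assuming one of the known algorithms.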


-- 
Samba Shared Repository