[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 303d2109f63 s4:kdc: Check lifetime of correct ticket
via 99f31cabf5f third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)
via 53c47698f01 tests/krb5: Add tests presenting short-lived ticket in various scenarios
via 9b1bd267f01 tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()
via 748fa19a26a tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter
via 787b701e68f tests/krb5: Use consistent time between get_KerberosTime() calls
via e1109fbfef9 tests/krb5: Move modify_requester_sid_time() to RawKerberosTest
via 0e176d856fe s4:kdc: Remove manual addition of error data
via 637fd961bd3 s4:kdc: Add NTSTATUS e-data to KDC reply
via 90436389b81 third_party/heimdal: Import lorikeet-heimdal-202305170245 (commit 9c903d03c31ec96af79e2723e3ae41890dd83122)
via 041f70055cf s4:kdc: Add function to attach an NTSTATUS code to a Kerberos request structure
via 28cffae4b2c s4:kdc: Use more suitable type for final_ret
via d211d700ab9 tests/krb5: Set expected_status even if expect_status is not true
via 4a3f764f7fa tests/krb5: Be less particular about getting NTSTATUS codes for KDC TGS tests
via 9d3c3f06ab6 tests/krb5: Be less particular about expected status codes for S4U tests
via 7266924b3d6 s4:kdc: Use talloc_get_type_abort()
from 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos)

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 303d2109f637b553c550183e9406b468ee7e2837
Author: Joseph Sutton
Date: Tue Apr 18 14:28:01 2023 +1200

s4:kdc: Check lifetime of correct ticket

The ticket returned by kdc_request_get_ticket() is the main TGT presented in a TGS-REQ. If we’re verifying a FAST armor ticket or a user-to-user ticket, make sure we check the lifetime of that ticket instead. To do this we need to pass the appropriate ticket into the plugin function.

NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu May 18 05:49:31 UTC 2023 on atb-devel-224

commit 99f31cabf5fe3ce7afe01148f311f45e4740794e
Author: Joseph Sutton
Date: Thu May 18 09:54:12 2023 +1200

third_party/heimdal: Import lorikeet-heimdal-202305172147 (commit dedb12e3db6e3e5b87869e77f1f1d2ee1f0d32a0)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 53c47698f01b9b948cbb565c1cc808d9cfd423f8
Author: Joseph Sutton
Date: Thu May 18 10:59:53 2023 +1200

tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and user-to-user tickets.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 9b1bd267f01e49f134663f42329c606f5483a3cb
Author: Joseph Sutton
Date: Thu May 18 11:07:36 2023 +1200

tests/krb5: Rename modify_requester_sid_time() to modify_lifetime()

...now that the requester SID parameter is optional.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 748fa19a26ae61888c5951cc0163a214f751589f
Author: Joseph Sutton
Date: Thu May 18 11:05:56 2023 +1200

tests/krb5: Change ‘sid’ parameter into optional ‘requester_sid’ parameter

This is so callers can modify the lifetime of a ticket without necessarily changing the requester SID.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 787b701e68fc031f28045150d2b603e6a15f644e
Author: Joseph Sutton
Date: Thu May 18 11:03:40 2023 +1200

tests/krb5: Use consistent time between get_KerberosTime() calls

Otherwise get_KerberosTime() calls time.time() itself, the value of which can change between calls.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit e1109fbfef9ab840b3c6cf1e626fb99de7771cd4
Author: Joseph Sutton
Date: Thu May 18 11:01:47 2023 +1200

tests/krb5: Move modify_requester_sid_time() to RawKerberosTest

We shall make use of it in KdcTgsTests. Also move add_requester_sid(), which this function depends upon.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 0e176d856fea22973efe6db3ebea3b1fce36d87f
Author: Joseph Sutton
Date: Wed May 17 15:49:09 2023 +1200

s4:kdc: Remove manual addition of error data

This is now handled by the hdb_samba4_set_ntstatus() call above.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 637fd961bd359c3ca30e21ebae731ead5cfbc673
Author: Joseph Sutton
Date: Wed May 17
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 6ee5c80ea96 s4:kdc: Add support for constructed claims (for authentication silos)
via 420fae5dcbe s4:kdc: Make use of dsdb_search_one()
via e1f8cb063dd s4:kdc: Don’t perform unnecessary search to get account objectClass
via 10d6d77a272 s4:kdc: Have get_claims_for_principal() take the entire principal
via 3d9863cfdc4 s4:kdc: Enforce TGT lifetime authentication policy
via 1fdff371051 s4:kdc: Look up authentication policies for Kerberos clients and servers
via f1212ffe4e4 s4:kdc: Make maximum lifetime and renew time signed
via 9eaff7e852b s4:kdc: Add SDB_F_ARMOR_PRINCIPAL flag
via eeebd488f2a third_party/heimdal: Import lorikeet-heimdal-202305160500 (commit 8836d64dee78a74aa740e31b7ad406b8a8cfdad0)
via f547cf1db86 s4:kdc: Add helper functions for authentication policies
via 633ebe1b3ef s4:kdc: Make a proper shallow copy of the auth_user_info_dc structure
via 8cc0b76509b s4:auth: Add function to make a shallow copy of an auth_user_info_dc structure
via 9ff7d6c5c55 s4:kdc: Add NTSTATUS strings to log messages
via 32b49d8a56e lib:audit_logging: Fix typo in log message
via d7b68236ecf lib:audit_logging: Add function to add a formatted time value to a JSON message
via 0080148483c lib:audit_logging: Add function to add an optional boolean value to a JSON message
via 4440f1db54b lib:audit_logging: Add function to add flags to a JSON message
via 89d30cdfe16 s4:auth: Remove superfluous semicolon
via 34080e8839a s4:auth: Fix leak
via 263deae7e2b auth: Fix leaks
via 1de2feef90c auth: Correct parameter order in header
via 6d8a7e1655c s4:kdc: Fix diagnostic messages
via ad14287dd7c s4:kdc: Fix error messages
via 451f221bf35 s4:kdc: Check ldb_dn_new() return value
via 8f7f55da1e4 s4:kdc: Remove double-free
via 96a64b0522e s4:kdc: Remove double-free
via 02e6970ad65 s4:kdc: Fix leaks
via 2a9d057e828 s4:kdc: Make use of auth_generate_security_token()
via 9aaedb152ca s4:auth: Fix typos
via e2e752b5461 s4:auth: Split out new function to generate a security token
via 024e5f7e92a auth: Remove unnecessary return statements
via f948f9cb66f s3:utils: Fix typo
via 798be592f90 s4:kdc: Fix debugging strings
via 60803ea8c81 s4:kdc: Fix typos
via bbdb3bf8a63 s4:kdc: Factor out PAC blob functions into new source file
via 9a78a8b3f21 s4:kdc: Add missing includes and declarations
via c782dd2ffea libcli: Add missing include
via cdb1047bdc5 s4:kdc: Include missing headers
via 12fd8274fff s4:kdc: Make use of KDC_REQUEST_KV_PA_NAME constant
via 84a7ae8e0c7 tests/krb5: Add tests for authentication policies
via f9b666297cb tests/krb5: Allow specifying whether PA-DATA types are to be checked
via 53b62429f89 tests/krb5: Allow server and workstation accounts to perform a SamLogon
via c1ab6036bb0 tests/krb5: Allow specifying machine credentials to _test_samlogon()
via 031f1c7632e tests/krb5: Rename ‘server’ to ‘dc_server’
via 78cca1411ff netlogon:schannel: Fix NULL pointer dereference
via 3424c6d20fe tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data
via 18b24f95728 tests/krb5: Improve edata checking
via 3063abbfb0a tests/krb5: Remove unused import
via 0d609ee5ed3 samba-tool domain: Clean up code
via 56d98e974c3 samba-tool domain: Remove unused variables
from e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 6ee5c80ea9610adf4e4624d2e1953e3fc3e91b71
Author: Joseph Sutton
Date: Tue Mar 28 15:10:50 2023 +1300

s4:kdc: Add support for constructed claims (for authentication silos)

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224

commit 420fae5dcbe886b7e66928e88d031c8569aacd5c
Author: Joseph Sutton
Date: Wed May 17 12:02:47 2023 +1200

s4:kdc: Make use of dsdb_search_one()

Ensure we get exactly one object back, or an error.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit e1f8cb063ddc3753ab8673416fa70fa616138f30
Author: Joseph Sutton
Date: Wed May 17 12:07:44 2023 +1200

s4:kdc: Don’t perform unnecessary search to get account objectClass

We now have this information in the ldb_message.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 10d6d77a2720577e51bc93c51c85261c1e3d37b8
Author: Joseph Sutton
Date: Wed May 17 11:55:16 2023 +1200

s4:kdc: Have
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via e03e738dfc9 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
from 8296b6884df s4:torture: Replace calls to deprecated function

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit e03e738dfc96b3c8ce54e2d280143965713f4778
Author: Stefan Metzmacher
Date: Tue May 16 13:09:23 2023 +0200

librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

We should not limit the possible encryption algorithms to the currently known ones.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

Signed-off-by: Stefan Metzmacher
Reviewed-by: Volker Lendecke
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

---

Summary of changes:
librpc/rpc/dcerpc_helper.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)

Changeset truncated at 500 lines:

diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c index eec78e034ee..e1589f90794 100644 --- a/librpc/rpc/dcerpc_helper.c +++ b/librpc/rpc/dcerpc_helper.c @@ -49,7 +49,12 @@ static bool smb3_sid_parse(const struct dom_sid *sid, } cipher = sid->sub_auths[3]; - if (cipher > SMB2_ENCRYPTION_AES128_GCM) { + if (cipher > 256) { + /* +* It is unlikely that we +* ever have more then 256 +* encryption algorithms +*/ return false; }

--
Samba Shared Repository
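
Review bot: The new bound `cipher > 256` in smb3_sid_parse() is a bare magic number and is off by one against its own comment: it accepts 0 through 256, which is 257 values, while the comment speaks of 256 algorithms. A named constant compared with `>=` (or `> 255`) would make the intended ceiling explicit, and "more then" in the comment should read "more than". Since the check no longer bounds `cipher` to SMB2_ENCRYPTION_AES128_GCM, it is also worth confirming that whatever consumes the value taken from `sid->sub_auths[3]` treats a cipher it does not recognise as unknown rather than assuming one of the known constants.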