[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  aecbfe52183 python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS
       via  ef87f0be600 python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM
      from  43802f1bedd python: remove string_to_byte_array()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit aecbfe5218326c2b4eb9a4e6c6b05719035585f9
Author: Andrew Bartlett
Date: Wed Jun 12 10:24:18 2024 +1200

    python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

    This augments the PKINIT based tests to show this is correctly handled for the far more usual case.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: David Mulder

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224

commit ef87f0be6009dcb95316dbfd71ce9834e7a5a8ed
Author: Andrew Bartlett
Date: Wed Jun 12 08:51:54 2024 +1200

    python/samba/tests/krb5: Add check to confirm UF_SMARCARD_REQUIRED password is expired on NTLM

    8944a10b145e99eb6372cace8225e4c5e9d6160e broke password expiry checking on NTLM, but that is fixed after CID 1603594 triggered 815d696d4471f1b3a4267eb774eb80b07576031b.

    In the past we could not have password expiry times small enough to test expiry (unlike "must change now"), but having no test was not good.

    As we are already doing the sleep() here, add a test to the password rotation test.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: David Mulder

---

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py | 80 -
 python/samba/tests/krb5/pkinit_tests.py | 14 +
 python/samba/tests/krb5/raw_testcase.py | 3 +-
 selftest/expectedfail.d/kdc_test_pw_expired | 2 +
 selftest/knownfail_mit_kdc | 2 +
 5 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 selftest/expectedfail.d/kdc_test_pw_expired

Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 4d0940caa46..55c27a2bed3 100755 
--- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -22,8 +22,12 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" -from samba import ntstatus +import time + +from samba import credentials, ntstatus +from samba.dcerpc import netlogon from samba.tests import DynamicTestCase +from samba.tests.pso import PasswordSettings from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 @@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, +KDC_ERR_PREAUTH_FAILED, +KDC_ERR_KEY_EXPIRED, KU_PA_ENC_TIMESTAMP, NT_ENTERPRISE_PRINCIPAL, NT_PRINCIPAL, @@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest): etypes, preauth_padata, kdc_options, +creds=client_creds, expected_supported_etypes=krbtgt_supported_etypes, expected_account_name=user_name, expect_edata=expect_pa_edata, 
@@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest): expected_pa_error=KDC_ERR_CLIENT_REVOKED, expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS) +def test_pw_expired(self): +"""Test making an AS-REQ with an expired password.""" + +client_creds = self.get_cached_creds( +account_type=self.AccountType.USER) +client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS) + +userdn = str(client_creds.get_dn()) +samdb = self.get_samdb() + +# create a PSO setting password_age_max to 1 second +# +# The first parameter is not a username, just a new unique name for the PSO +short_expiry_pso = PasswordSettings(self.get_new_username(), samdb, +precedence=200, +password_age_max=1) +self.addCleanup(samdb.delete, short_expiry_pso.dn) +short_expiry_pso.apply_to(userdn) + +time.sleep(1) + +# Expect to get a CLIENT_REVOKED error. +self._run_as_req_enc_timestamp( +client_creds, +expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED), +expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED, +expected_pa_error=KDC_ERR_KEY_EXPIRED, +expect_pa_status=ntstatus.NT_STAT
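Review bot: in test_pw_expired the comment "# Expect to get a CLIENT_REVOKED error." does not match the call that follows it, which expects KDC_ERR_KEY_EXPIRED with NT_STATUS_PASSWORD_EXPIRED; it reads as carried over from the logon-hours test directly above and should name KEY_EXPIRED instead. The expected_error tuple also accepts KDC_ERR_PREAUTH_FAILED and KDC_ERR_PREAUTH_REQUIRED, so a one-line comment saying which KDC returns which code would show that the looseness is intended. Finally, password_age_max=1 followed by time.sleep(1) leaves no margin at the boundary; a slightly longer sleep, or a comment explaining why exactly one second is sufficient, would make the test less timing-sensitive.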
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  43802f1bedd python: remove string_to_byte_array()
       via  982dab89326 samba-tool ldapcmp: remove a dodgy unused method
       via  6347b0c3736 pytest: simplify and fix HEXDUMP_FILTER used in hexdumps
       via  300bb809ab7 samba-tool domain trust: avoid useless use of string_to_byte_array
       via  f8fb9f19bca python:lsa_utils: avoid useless use of py2-compat string_to_byte_array
       via  3b349c29b59 python:join: avoid useless use of py2-compat string_to_byte_array
       via  46933bc25de py:emulate: remove py2 str/bytes workaround in traffic_packets
       via  25e6d7c6a33 py:emulate: remove py2 str/bytes workaround in traffic
       via  f0cf1879681 pytest: remove py2 str/bytes workaround in auth_log_samlogon
       via  bd3792005ba pytest: remove py2 str/bytes workaround in samr_change_password
       via  2dc111b4c18 pytest: remove py2 str/bytes workaround in lsa_utils
       via  b253b4e0eda pytest: remove py2 str/bytes workaround in dns_base
       via  5d2ea6908b1 pytest: remove py2 str/bytes workaround in py_credentials
       via  de19f4d6753 s4/pytest: remove py2 str/bytes workaround in getnc_exop
      from  788ef8f07c7 s3/smbd: fix nested chdir into msdfs links on (widelinks = yes) share

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 43802f1beddc875d1f4fc15babdbadf7615705c9
Author: Douglas Bagnall
Date: Wed Jun 12 12:16:46 2024 +1200

    python: remove string_to_byte_array()

    This was a useful function during the Python 2 -> 3 migration, but it is not used any more.

    In all the cases it was used, we knew we already had a bytes object, and this was just an inefficient way of confirming that.

    In cases where we actually want to cast a string into a mutable list of byte-sized ints, the builtin bytearray() function will do a better job than this, because it will encode high unicode characters as utf-8 bytes, rather than adding them as out-of-range values in the list.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Jun 12 09:16:39 UTC 2024 on atb-devel-224

commit 982dab893263b60609bf47a7138c91aefb41a038
Author: Douglas Bagnall
Date: Wed Jun 12 11:42:27 2024 +1200

    samba-tool ldapcmp: remove a dodgy unused method

    We have bindings for stringifying GUIDs, so I intended to replace this rather complicated code with that, but it turns out that this method has been unused since 5d42260eecfd4f26cc82637ce1bc989083c9eb9d in 2013.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 6347b0c3736e1208d09f94e2b67f1b4234205374
Author: Douglas Bagnall
Date: Wed Jun 12 11:34:36 2024 +1200

    pytest: simplify and fix HEXDUMP_FILTER used in hexdumps

    The old test

        x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')

    went through some contortions to see if the character was printable, and it got it slightly wrong. The idea was that `repr(chr(97))` is "'a'", while `repr(chr(167))` is "'\xa7'", which we can distinguish using the length. But that miscategorised the backslash character, which is represented as "'\\'", a string of length 4, so it was shown as '.' instead.

    Instead we notice that the characters we want to print in a hexdump are exactly those between 32 and 126, inclusive.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 300bb809ab7c06eb6abef91a313dbdb8edad7c83
Author: Douglas Bagnall
Date: Wed Jun 12 11:21:59 2024 +1200

    samba-tool domain trust: avoid useless use of string_to_byte_array

    `pw.encode('utf-16-le')` is always bytes.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit f8fb9f19bca909fe4d29378f255bad33ccb1d778
Author: Douglas Bagnall
Date: Wed Jun 12 11:21:09 2024 +1200

    python:lsa_utils: avoid useless use of py2-compat string_to_byte_array

    `pw.encode('utf-16-le')` is always bytes.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 3b349c29b59ebe7e1e389dc0d51b2063c657b210
Author: Douglas Bagnall
Date: Wed Jun 12 11:19:55 2024 +1200

    python:join: avoid useless use of py2-compat string_to_byte_array

    This was a workaround for the migration to Python 3, but is now just extra work for the computer and cognitive load for us.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 46933bc25de6515866c6b9d1ae76fad6701fb252
Author: Douglas Bagnall
Date: Wed Jun 12 11:17:22 2024 +1200

    py:emulate: remove py2 str/bytes workaround in traffic_packets

    Signed-off-by: Douglas Bagnall
    Reviewed-
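The HEXDUMP_FILTER change described in commit 6347b0c3736 above, worked through as an added example (not code from the commit or from Samba). It builds both 256-entry translation tables and lists every byte value on which the old test and the 32..126 range check disagree; the function and table names are assumptions made for this illustration.

```python
# Added illustration: the old printable-character test quoted in the commit
# message next to the range check that replaced it. All names are hypothetical.


def old_filter_byte(x: int) -> int:
    """The old test, copied from the commit message."""
    return x if ((len(repr(chr(x))) == 3) and (x < 127)) else ord('.')


def new_filter_byte(x: int) -> int:
    """Printable ASCII is exactly the values 32..126 inclusive."""
    return x if 32 <= x <= 126 else ord('.')


# A bytes.translate() table maps every possible byte value to its display byte.
OLD_TABLE = bytes(old_filter_byte(x) for x in range(256))
NEW_TABLE = bytes(new_filter_byte(x) for x in range(256))


def disagreements() -> list:
    """Byte values that the two filters render differently."""
    return [x for x in range(256) if OLD_TABLE[x] != NEW_TABLE[x]]


def render_ascii(data: bytes, table: bytes) -> str:
    """The right-hand (text) column of a hexdump line for `data`."""
    return data.translate(table).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a Windows-style path followed by two unprintable bytes.
    sample = b"C:\\share\x00\xff"
    print("differs at:", [hex(x) for x in disagreements()])
    print("old:", render_ascii(sample, OLD_TABLE))
    print("new:", render_ascii(sample, NEW_TABLE))
```

The only difference is the backslash, which matters for anyone reading hexdumps of Windows paths or escaped strings in test output.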
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  db342d86a9c samba-tool user readpasswords: avoid `assert` for validation
       via  b42c4891804 s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)
       via  facb418c99d s4:dsdb: Remove trailing whitespace
       via  5ffa7683295 s4:auth: Add temporary memory context to authsam_reread_user_logon_data()
       via  7ae10eb25f8 s4:auth: Add common out path to authsam_reread_user_logon_data()
       via  4e8ca6140af ldb: Attach appropriate ldb context to returned result
      from  225e6aeafc7 s4/torture: Remove already existing test_dir

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit db342d86a9ccd15f764cb8e0a91774e1f8fd7858
Author: Douglas Bagnall
Date: Fri Feb 2 15:01:21 2024 +1300

    samba-tool user readpasswords: avoid `assert` for validation

    `assert` can be optimised away if python is run with `-O`.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Jun 11 05:32:28 UTC 2024 on atb-devel-224

commit b42c489180474627270e09408f84841baa175157
Author: Jo Sutton
Date: Tue Jun 11 14:58:11 2024 +1200

    s4:auth: Handle expired accounts in authsam_account_ok() (CID 1603594)

    We check the ACB_PW_EXPIRED bit to determine whether the account is expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer, we must increase the width of acct_flags so as not to lose that bit.

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit facb418c99d5be62ae7e111539ca497a783b6a37
Author: Jo Sutton
Date: Fri May 24 13:05:58 2024 +1200

    s4:dsdb: Remove trailing whitespace

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 5ffa7683295ae7006a51dc8244918ed89f500184
Author: Jo Sutton
Date: Mon Apr 29 17:07:43 2024 +1200

    s4:auth: Add temporary memory context to authsam_reread_user_logon_data()

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 7ae10eb25f821e617100cad113f751833b7c0893
Author: Jo Sutton
Date: Mon Apr 29 17:09:12 2024 +1200

    s4:auth: Add common out path to authsam_reread_user_logon_data()

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21
Author: Jo Sutton
Date: Wed May 1 16:54:01 2024 +1200

    ldb: Attach appropriate ldb context to returned result

    This is done by adding a new API that avoids the problems of ldb_dn_copy() and makes it clear that a struct ldb_context * pointer will be stored in the new copy.

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

---

Summary of changes:
 lib/ldb/ABI/ldb-2.10.0.sigs | 1 +
 lib/ldb/common/ldb_dn.c | 16 +
 lib/ldb/include/ldb.h | 3 +++
 lib/ldb/ldb_key_value/ldb_kv_search.c | 2 +-
 python/samba/netcmd/user/readpasswords/common.py | 5 +++-
 python/samba/tests/krb5/gmsa_tests.py | 2 +-
 source4/auth/sam.c | 29
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 28 +++
 8 files changed, 59 insertions(+), 27 deletions(-)

Changeset truncated at 500 lines:

diff --git a/lib/ldb/ABI/ldb-2.10.0.sigs b/lib/ldb/ABI/ldb-2.10.0.sigs index f23014ffaaa..bd9aa54a005 100644 --- a/lib/ldb/ABI/ldb-2.10.0.sigs +++ b/lib/ldb/ABI/ldb-2.10.0.sigs @@ -47,6 +47,7 @@ ldb_dn_check_special: bool (struct ldb_dn *, const char *) ldb_dn_compare: int (struct ldb_dn *, struct ldb_dn *) ldb_dn_compare_base: int (struct ldb_dn *, struct ldb_dn *) ldb_dn_copy: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *) +ldb_dn_copy_with_ldb_context: struct ldb_dn *(TALLOC_CTX *, struct ldb_dn *, struct ldb_context *) ldb_dn_escape_value: char *(TALLOC_CTX *, struct ldb_val) ldb_dn_extended_add_syntax: int (struct ldb_context *, unsigned int, const struct ldb_dn_extended_syntax *) ldb_dn_extended_filter: void (struct ldb_dn *, const char * const *) diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c index cb4266dca91..e785a6d9e3d 100644 --- a/lib/ldb/common/ldb_dn.c 
+++ b/lib/ldb/common/ldb_dn.c @@ -1398,6 +1398,22 @@ struct ldb_dn *ldb_dn_copy(TALLOC_CTX *mem_ctx, struct ldb_dn *dn) return new_dn; } +struct ldb_dn *ldb_dn_copy_with_ldb_context(TALLOC_CTX *mem_ctx, + struct ldb_dn *dn, + struct ldb_context *ldb) +{ + struct ldb_dn *new_dn = NULL; + + new_dn = ldb_dn_copy(mem_ctx, dn); + if (new_dn == NULL) { + return NULL; + } + + /* Set the ldb context. */ + new_dn->ldb =
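Review bot: ldb_dn_copy_with_ldb_context() in lib/ldb/common/ldb_dn.c is a new exported symbol (it is added to ldb-2.10.0.sigs) but carries no comment above the definition stating its lifetime contract, namely that the struct ldb_context pointer stored in the copy has to stay valid for as long as the returned DN is in use. Since the stated purpose of the new API is to make that stored pointer explicit, a short doc comment at the definition would help callers. The visible lines also reach "new_dn->ldb =" without any check of the ldb argument, so it is worth stating whether NULL is an accepted value or should be rejected before the copy is made.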
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  469b22b849a python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal
       via  15686fec981 python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done
       via  f3528808aba WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour
       via  2854ef29b82 provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default
       via  dee3c7be584 selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set
       via  491b79d445d kdc: Rotate smart-card only underlying password in 2nd half of lifetime
       via  8afe27058b0 kdc: Track the pwdLastSet of expired UF_SMARTCARD_REQUIRED accounts
       via  1e1c80656f7 kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
       via  d03b3faeb8e s4-auth: Use consistant externally-supplied time in auth stack
       via  1dcd8be8f06 kdc: Use a consistent, stable time throughout the Heimdal KDC
       via  fe61009002d kdc: Mark KDC sam.ldb as not to use ldb_wrap cache
       via  e178f6b0e96 ldb_wrap: Provide a way to avoid Samba using ldb_wrap()
       via  9ba5ebf4af7 kdc: Remove confusing duplicate open of sam.ldb to find RODC status
       via  09ae48b415b dsdb: Prepare to handle smartcard password rollover
       via  1bcc9f00157 dsdb: Use dsdb_gmsa_current_time() in construct_msds_user_account_control_computed
       via  cc3ea4ed571 dsdb: UF_SMARTCARD_REQUIRED can have a password expiry, if configured!
       via  3669479f22f dsdb: Reduce minimum maxPwdAge from 1 day to nil
       via  302619f66f9 dsdb: Change the magic smartcard_reset to set AES keys like the krbtgt mode
       via  7c79abbab46 python/samba/tests/krb5: PKINIT tests of passwords that are naturally expired
       via  044cc538605 python/test/krb5: Use assertAlmostEqual in check_ticket_times()
       via  68fa90754fd python/tests/krb5: Move check_ticket_times() to kdc_base_test.py
       via  48bff4b95f8 python/samba/krb5: Add test for password rotation on UF_SMARCARD_REQUIRED accounts
       via  a85f4c661b1 python/tests/krb5: Remove unused utf16pw variable
       via  504a47ecfd6 python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
       via  dc6c4b215e2 python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
       via  4ec24a20764 python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use
       via  b664392208c s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check
       via  737f2414062 s4-auth: Update comment to mention 60mins in the NTLM grace period
       via  e04eb9bb170 dsdb: Make argument order of dsdb_update_gmsa_{entry_,}keys() consistant with other uses
      from  a9b3522f53a smbd: Ensure we grant owner sid in check_parent_access_fsp()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 469b22b849aa6a76739dc21d8a2d80907cdf8d73
Author: Andrew Bartlett
Date: Tue Jun 4 13:26:18 2024 +1200

    python/samba/tests/krb5: Allow PkInitTests.test_pkinit_ntlm_from_pac_must_change_now to pass on Samba/Heimdal

    This flexibility in the tests avoids requiring Samba/Heimdal to omit an NTSTATUS error return and just be consistent between the different authentication paths.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Jo Sutton

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Mon Jun 10 05:32:54 UTC 2024 on atb-devel-224

commit 15686fec9819267f69a600cff859e52f77a64cef
Author: Andrew Bartlett
Date: Tue Jun 4 11:36:53 2024 +1200

    python/samba/tests/krb5: Expand test without UF_SMARTCARD_REQUIRED to show rotation is not done

    This makes sense as otherwise the user would suddenly not know their password for use when they do not use their smartcard.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Jo Sutton

commit f3528808aba9419c0895bdb709e1b0dc0bdced1e
Author: Andrew Bartlett
Date: Mon May 27 11:51:59 2024 +1200

    WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Jo Sutton

commit 2854ef29b82d89fb5b5c9d8414227988783120b9
Author: Andrew Bartlett
Date: Mon May 27 11:30:29 2024 +1200

    provision: Match Windows 2022 and set msDS-ExpirePasswordsOnSmartCardOnlyAccounts by default

    We do this by telling the Domain Functional Level upgrade code that this is a new install.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Jo Sutton

commit dee3c7be5846ae7c0952b1ace94dee23241dc794
Author: Andrew Bartlett
Date: Mon May 27 11:53:15 2024 +1200

    selftest: Add test that msDS-ExpirePasswordsOnSmartCardOnlyAccounts=TRUE is set

    This assures us that the new provision sets the value by default
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  5d73bb4acd7 s3:utils: Use talloc instead of malloc functions
       via  b9d93eccbc0 s3:util: Use a talloc stackframe in rpc_trustdom_establish()
       via  e844f483bd8 s3:utils: Use a destructor in rpc_trustdom_establish()
       via  77a4ff5435b s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish()
       via  78f03c386c1 python: Add test for checking the SHA256SUM
       via  f5de1f8585e python:netcmd: Create a SHA256SUM file with checksums
       via  e584350a550 python:netcmd: Only put regular files into the tarball
       via  9fb57dab377 s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'
       via  1185410a0d7 s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c
      from  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 5d73bb4acd7cf062b9fd1a9ea6721e41a5e721fb
Author: Andreas Schneider
Date: Thu Jun 6 17:37:32 2024 +0200

    s3:utils: Use talloc instead of malloc functions

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Jun 6 21:32:53 UTC 2024 on atb-devel-224

commit b9d93eccbc03f135ea14a8bd3a4f5b16ed0bbdc6
Author: Andreas Schneider
Date: Tue Apr 30 09:55:15 2024 +0200

    s3:util: Use a talloc stackframe in rpc_trustdom_establish()

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit e844f483bd825741d3532d3304c822ab02cf96b5
Author: Andreas Schneider
Date: Thu Jun 6 17:31:10 2024 +0200

    s3:utils: Use a destructor in rpc_trustdom_establish()

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 77a4ff5435be5b80e96d7f85e71aac1949c5cff9
Author: Andreas Schneider
Date: Tue Apr 30 09:46:33 2024 +0200

    s3:utils: Remove overwrite of opt_workgroup in rpc_trustdom_establish()

    This is not used anywhere in that function or the functions we are calling. It was replaced by command line cli credentials stored in c->creds.

    This fixes a memory leak.

    Direct leak of 12 byte(s) in 1 object(s) allocated from:
        #0 0x7f17fdaf5830 in strdup ../../../../libsanitizer/asan/asan_interceptors.cpp:578
        #1 0x7f17fc7e7339 in smb_xstrdup ../../lib/util/util.c:752
        #2 0x55f079bf0723 in rpc_trustdom_establish ../../source3/utils/net_rpc.c:6591
        #3 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #4 0x55f079bdbecf in rpc_trustdom ../../source3/utils/net_rpc.c:7483
        #5 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #6 0x55f079bfe7de in net_rpc ../../source3/utils/net_rpc.c:8413
        #7 0x55f079c529af in net_run_function ../../source3/utils/net_util.c:464
        #8 0x55f079baa0a8 in main ../../source3/utils/net.c:1436
        #9 0x7f17f8a2a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 78f03c386c14b9e773763a8c41fdc1689a4f284d
Author: Andreas Schneider
Date: Thu Jun 6 10:12:08 2024 +0200

    python: Add test for checking the SHA256SUM

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit f5de1f8585e1d4eda9530eee87046277a2c793e7
Author: Andreas Schneider
Date: Wed Feb 15 08:10:03 2023 +0100

    python:netcmd: Create a SHA256SUM file with checksums

    This allows to verify the backup tarball contents with:

        sha256sum -c SHA256SUM

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit e584350a550f7ec2008721ecafb254af92ed7525
Author: Andreas Schneider
Date: Wed Feb 15 08:05:42 2023 +0100

    python:netcmd: Only put regular files into the tarball

    We also have ldapi, other sockets or pipes around, we don't want to add. This will be relevant for adding checksums later.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 9fb57dab377e53c9bd8450dda51a164bc712dca3
Author: Stefan Metzmacher
Date: Thu Jun 6 10:39:33 2024 +0200

    s3:utils: DNS_UTIL depends on libads headers so we need to depend on 'ads'

    Otherwise we don't get the correct header include paths and krb5.h in a non default location won't be found.

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit 1185410a0d717e22b359e11a538a08c0352e8703
Author: Stefan Metzmacher
Date: Thu Jun 6 10:38:48 2024 +0200

    s3:libsmb: we no longer need libads/kerberos_proto.h in namequery.c

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

---

Summary of changes: pyt
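The two backup commits above (e584350a550, regular files only; f5de1f8585e, a SHA256SUM manifest) combine into the following pattern, shown here as an added example that is not Samba's implementation. Function names are assumptions, and so is the choice to skip symlinks along with sockets and pipes; the manifest uses the two-space "digest  path" layout that `sha256sum -c` reads.

```python
# Added illustration, not Samba code: build and check a SHA256SUM manifest
# over the regular files of a backup directory. All names are hypothetical.
import hashlib
import os
import stat

CHECKSUM_FILE = "SHA256SUM"


def regular_files(root):
    """Relative paths of regular files under root.

    lstat() is used so sockets (such as ldapi), FIFOs, devices and, by
    assumption here, symlinks are all left out; none of them is opened.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                found.append(os.path.relpath(full, root))
    return found


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_sha256sum(root):
    """Write root/SHA256SUM and return the list of files it covers."""
    names = [n for n in regular_files(root) if n != CHECKSUM_FILE]
    with open(os.path.join(root, CHECKSUM_FILE), "w", encoding="utf-8") as out:
        for name in names:
            out.write(f"{sha256_of(os.path.join(root, name))}  {name}\n")
    return names


def _manifest(root):
    """Parse root/SHA256SUM into {relative path: expected digest}."""
    entries = {}
    with open(os.path.join(root, CHECKSUM_FILE), encoding="utf-8") as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            entries[name] = digest
    return entries


def verify_sha256sum(root):
    """Listed files that are missing or whose content no longer matches."""
    failed = []
    for name, expected in _manifest(root).items():
        path = os.path.join(root, name)
        if not os.path.isfile(path) or sha256_of(path) != expected:
            failed.append(name)
    return failed


def unlisted(root):
    """Regular files present on disk but absent from the manifest.

    `sha256sum -c` does not report these, so check them separately.
    """
    listed = _manifest(root)
    return [n for n in regular_files(root)
            if n != CHECKSUM_FILE and n not in listed]
```

A manifest stored inside the same tarball detects corruption, not deliberate tampering, because whoever can rewrite the files can rewrite SHA256SUM too.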
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  ed61c57e023 s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored
       via  76fec2668e7 s4:dns_server: correctly sign dns update responses with gss-tsig like Windows
       via  db350bc573b s4:dns_server: dns_verify_tsig should return REFUSED on error
       via  5906ed94f2c s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section
       via  ae7538af044 s4:dns_server: use tkey->algorithm if available in dns_sign_tsig()
       via  bd0235cd515 s4:dns_server: use the client provided algorithm for the fake TSIG structure
       via  3467d149149 s4:dns_server: only allow gss-tsig and gss.microsoft.com for TSIG
       via  fa0f23e69ea s4:dns_server: only allow gss-tsig and gss.microsoft.com for TKEY
       via  a56627b0d12 s4:dns_server: failed dns updates should result in REFUSED for ACCESS_DENIED
       via  708a6fae697 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
       via  753428a3b6c s4:selftest/tests: pass USERNAME_UNPRIV=$DOMAIN_USER to samba.tests.dns_tkey
       via  88457da00d4 python:tests/dns_base: add get_unpriv_creds() helper
       via  848318338b2 python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
       via  8324d0739df python:tests/dns_base: let verify_packet() work against Windows
       via  de4ed363d37 python:tests/dns_tkey: test bad and changing tsig algorithms
       via  b9b03ca503c python:tests/dns_tkey: add gss.microsoft.com tsig updates
       via  3c7cb85eaf8 python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
       via  740bda87a80 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
       via  b0af60e7850 python:tests/dns_base: maintain a dict with tkey related state
       via  1b1e7e06cf6 python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
       via  27d92fa808c python:tests/dns_base: pass tkey_trans(expected_rcode)
       via  cd747307d84 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
       via  f8dfa9b33bd python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
       via  6e997f93d53 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
       via  ce591464cb1 python:tests/dns_base: add self.assert_echoed_dns_error()
       via  c741d0f3969 python:tests/dns_base: let dns_transaction_tcp() handle short receives
       via  c594cbad4af python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
       via  ae23d512a72 python:tests/dns_base: generate a real signature in bad_sign_packet()
       via  319836ce9e6 lib/addns: remove unused kerberos/gssapi includes in dns.h
      from  096d3807b05 build: Make "samba4" public libraries provided (mostly) for OpenChange private

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit ed61c57e02309b738e73fb12877a0a565b627724
Author: Stefan Metzmacher
Date: Thu May 30 14:52:22 2024 +0200

    s4:dns_server: no-op dns updates with ACCESS_DENIED should be ignored

    If the client does not have permissions to update the record, but the record already has the data the update tries to apply, it's a no-op that should result in success instead of failing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Jun 6 03:18:16 UTC 2024 on atb-devel-224

commit 76fec2668e73b9d15447abee551d5c04148aaf27
Author: Stefan Metzmacher
Date: Thu May 30 14:39:28 2024 +0200

    s4:dns_server: correctly sign dns update responses with gss-tsig like Windows

    This means we no longer generate strange errors/warnings in the Windows event log nor in the nsupdate -g output.

    Note: this is the only difference between gss-tsig and the legacy gss.microsoft.com algorithms.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit db350bc573b378fb0615bdd8592cc9c62f6db146
Author: Stefan Metzmacher
Date: Thu May 30 14:42:53 2024 +0200

    s4:dns_server: dns_verify_tsig should return REFUSED on error

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Andrew Bartlett

commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7
Author: Stefan Metzmacher
Date: Thu May 30 14:41:21 2024 +0200

    s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

    Signed-off-by: Stefan Metzmacher
    Reviewed-
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  096d3807b05 build: Make "samba4" public libraries provided (mostly) for OpenChange private
       via  d11b281aefa build: Remove incorrect pyembed=True from samba-policy
       via  829b52f99d5 s4-libnet: Split up samba-net into samba-net and samba-net-join
      from  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix flapping test

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 096d3807b0588ed4d03bd99bc96163a4821ec010
Author: Andrew Bartlett
Date: Mon May 27 09:24:13 2024 +1200

    build: Make "samba4" public libraries provided (mostly) for OpenChange private

    These libraries, mostly with ABI versions of 0.0.1 were made public in the early development of Samba4 and have not been seriously considered since.

    Most are to allow OpenChange to build. While the OpenChange server is no longer actively used, the MAPI client is used and we need to allow packages to be built that will allow the Evolution MAPI client to still work.

    Some appear to be mistakes (dcerpc-samr), historical aberrations (tevent-util) or ideas that did not go very far (the samba-policy library for example).

    To allow any remaining users to access them, they are not made private in the build system but are instead listed so that they can be made public again via ./configure with the same --private-libraries='!LIB' syntax introduced to make ldb private by default.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Jun 5 21:47:24 UTC 2024 on atb-devel-224

commit d11b281aefa98e6850053ccd6142253c6cf0d04f
Author: Andrew Bartlett
Date: Mon May 27 07:28:33 2024 +1200

    build: Remove incorrect pyembed=True from samba-policy

    This is a normal C library, used by python but does not use any python itself (nor by dependencies any longer).

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

commit 829b52f99d5a9c9df19c9eb67611618095967edd
Author: Andrew Bartlett
Date: Mon May 27 19:44:38 2024 +1200

    s4-libnet: Split up samba-net into samba-net and samba-net-join

    samba-net-join links to python and so needs the variable name with the python ABI tag, while samba-net is a normal C library and can be included in a package without python dependencies.

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Alexander Bokovoy

---

Summary of changes:
 WHATSNEW.txt | 21 +
 source4/lib/policy/wscript_build | 13 -
 source4/libnet/libnet_join.c | 1 +
 source4/libnet/libnet_vampire.c | 1 +
 source4/libnet/py_net.c | 1 +
 source4/libnet/wscript_build | 23 +++
 source4/torture/libnet/libnet_BecomeDC.c | 1 +
 source4/torture/rpc/testjoin.c | 1 +
 source4/torture/wscript_build | 6 +++---
 wscript | 20 +++-
 10 files changed, 67 insertions(+), 21 deletions(-)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 67bdb963cca..6d1368c42b1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -69,6 +69,27 @@ never took into account later changes, and so has not worked for a number of years. Samba 4.21 and LDB 2.10 removes this unused and broken feature. +Some Samba public libraries made private by default +--- + +The following Samba C libraries are currently made public due to their +use by OpenChange or for historical reasons that are no longer clear. + + dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig, + samba-credentials, dcerpc_server, samdb + +The libraries used by the OpenChange client now private, but can be +made public (like ldb above) with: + + ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb' + +The C libraries without any known user or used only for the OpenChange +server (a dead project) may be made private entirely in a future Samba +version. + +If you use a Samba library in this list, please be in touch with the +samba-technical mailing list. + Using ldaps from 'winbindd' and 'net ads' - diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build index 027d4bef0b6..f7d9b555f6a 100644 --- a/source4/lib/policy/wscript_build +++ b/source4/lib/policy/wscript_build @@ -3,20 +3,15 @@ pytalloc_util = bld.pyembed_libname('pytalloc-util') -samba_policy = bld.pyembed_libname('samba-policy') -samba_net = bld.pyembed
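Review bot: the new WHATSNEW section contradicts itself about the resulting state: the heading says the libraries are "made private by default", the first paragraph says they "are currently made public", and the next says the OpenChange client libraries are "now private" (that sentence is also missing "are"). Packagers will read this to decide what to ship, so it should state once which libraries are private after this change and which stay public. The ./configure example also lists '!ldb' next to the three OpenChange client libraries even though ldb is not in the list above it; either drop it from the example or say that it is included only to keep the earlier ldb override in effect.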
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  a54dca4ea54 tests/krb5: Calculate correct gMSA password to fix flapping test
       via  9c700f790ba tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
       via  5eac95652a8 s4:dsdb: Use talloc_get_type_abort()
       via  3256c6bfd6b tests/krb5: Make use of update_password() method
       via  38cfdb66231 ldb: Fix typo
       via  8989aa47b74 s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
       via  9dcc52d2a57 s3:libads: Do not fail if we don't get an IP passed down
       via  28aa0b815ba s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP
      from  c005de07aee smbd: list reparse tag in QUERY_DIRECTORY

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit a54dca4ea546c596740d1afab70b1cdd25e1721b
Author: Jo Sutton
Date: Tue May 28 16:59:30 2024 +1200

    tests/krb5: Calculate correct gMSA password to fix flapping test

    If this test happens to be run in the five minute window prior to the next ten‐hour GKDI interval — about once every one hundred and twenty runs — the ‘current’ password requested from LDAP will actually be the future password, which won’t match what’s in the database.

    Instead of taking the password from LDAP, calculate it ourselves with expected_gmsa_password_blob().

    [330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
    UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
    REASON: Exception: Exception: Traceback (most recent call last):
      File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
        self.assertEqual(creds.get_nt_hash(), nt_hash)
    AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Jun 4 20:52:09 UTC 2024 on atb-devel-224

commit 9c700f790baa5155465cb8e1bcdb4dcbbd28bbfd
Author: Jo Sutton
Date: Tue May 28 16:53:22 2024 +1200

    tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 5eac95652a89b4edb1e82f00c93267172aaeda42
Author: Jo Sutton
Date: Tue May 28 14:24:51 2024 +1200

    s4:dsdb: Use talloc_get_type_abort()

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 3256c6bfd6b48bf08a8724f5e5bd654b9c5379fb
Author: Jo Sutton
Date: Mon May 27 17:53:17 2024 +1200

    tests/krb5: Make use of update_password() method

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 38cfdb662319085569cf4d96bcbceeb74ae1c5f9
Author: Jo Sutton
Date: Fri Apr 12 15:10:33 2024 +1200

    ldb: Fix typo

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Author: Andreas Schneider
Date: Tue May 28 13:54:24 2024 +0200

    s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

    In case of a trusted domain, we are providing the realm of the primary trust but specify the KDC IP of the trusted domain. This leads to Kerberos ticket requests to the trusted domain KDC which doesn't know about the machine account. However we need a ticket from our primary trust KDC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2
Author: Andreas Schneider
Date: Tue May 28 13:53:51 2024 +0200

    s3:libads: Do not fail if we don't get an IP passed down

    The IP should be optional and we should look it up if not provided.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

commit 28aa0b815baf4668e3df01d52597c40fd430e2fb
Author: Andreas Schneider
Date: Tue May 28 13:51:53 2024 +0200

    s3:libads: Allow get_kdc_ip_string() to lookup the KDCs IP

    Remove the requirement to provide an IP address. We should look up the IP of the KDC and use it for the specified realm/workgroup.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

    Signed-off-by: Andreas Schneider
    Reviewed-by: Andrew Bartlett

---

Summary of changes:
 lib/ldb/common/attrib_handlers.c | 2 +-
 python/samba/tests/krb5/gmsa_tests.py | 22 +--
 source3/libads/kerberos.c | 32
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d6581d213d5 ldb: move struct ldb_debug_ops to ldb_private.h via 6dd68d89786 ldb: move struct ldb_utf8_fns to ldb_private.h via a00c0ebd090 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow via b6974030e6a lib/fuzzing: add fuzz_strncasecmp_ldb via b22e1d3207d ldb: don't cast to unsigned for ldb_ascii_toupper() via e33a0dd70f0 ldb: ldb_set_utf8_functions follows README.Coding via 4a6a1d1f0af ldb: deprecate ldb_set_utf8_fns via 42ae85d70af ldb: remove old ldb_comparison_fold_utf8_broken() via 960724a06e4 ldb: ldb_comparison_fold always uses the casecmp function via edabb9f4cb9 ldb-samba: use ldb_comparison_fold_utf8() via 0becc8a90cb ldb-samba: add ldb_comparison_fold_utf8, wrapping strncasecmp_ldb via f9797950fd6 util:charset: strncasecmp_ldb avoids iconv for ASCII via 55397514db5 util:charset: strncasecmp_ldb degrades to ASCII strncasecmp via eb91e3437b4 util:charset: add strncasecmp_ldb() via 7cc3c56293d ldb: ldb_set_utf8_default() sets comparison function via 6c27284f7e9 ldb: ldb_comparison_fold_ascii sorts unsigned via 92275e27947 ldb: add ldb_comparison_fold_ascii() for default comparisons via 947f977acb7 ldb: ldb_comparison_fold uses the utf-8 casecmp function via ae7ca36830b ldb: add ldb_set_utf8_functions() for setting casefold functions via 1624ac7a987 ldb: move ldb_comparison_fold guts into a separate function via 278a3c7f7c6 ldb: add a utf-8 comparison fold callback via f9fbc7a5067 lib/util/charset: be explicit about INVALID_CODEPOINT value via 023a7ce7d5a ldb: add test_ldb_comparison_fold from 589a9ea6767 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d6581d213d5f625da493f14620e1a12e79a8e195 Author: Douglas Bagnall Date: Thu May 23 09:40:00 2024 +1200 ldb: move struct ldb_debug_ops to ldb_private.h Only accessed through struct ldb_context -> debug_ops, which is already private. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224 commit 6dd68d897865bd2518a6a71753ca0bc76d51b37e Author: Douglas Bagnall Date: Thu May 23 09:36:57 2024 +1200 ldb: move struct ldb_utf8_fns to ldb_private.h It is only accessed via ldb functions that find it on the already-private struct ldb_context. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit a00c0ebd090f69f94ce6ba7774a9fc126d7de504 Author: Douglas Bagnall Date: Mon May 13 11:08:35 2024 +1200 s4:dsdb:strcasecmp_with_ldb_val() avoids overflow In the unlikely event that strlen(str) > INT_MAX, the result could have overflowed. This is not a sort transitivity issue, as this is not a symmetric sort comparison, but it would affect binary search reliability. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b6974030e6a7ddb330894f46631c8da4359b2d18 Author: Douglas Bagnall Date: Mon May 13 10:39:44 2024 +1200 lib/fuzzing: add fuzz_strncasecmp_ldb As well as checking for the usual overflows, this asserts that strncasecmp_ldb is always transitive, by splitting the input into 3 pieces and comparing all pairs. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b22e1d3207d90f102247d690bfe31db55d7b681e Author: Douglas Bagnall Date: Fri May 17 11:38:10 2024 +1200 ldb: don't cast to unsigned for ldb_ascii_toupper() Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e33a0dd70f00481d1c3d9e2fdd227e26431402ef Author: Douglas Bagnall Date: Tue May 21 10:55:53 2024 +1200 ldb: ldb_set_utf8_functions follows README.Coding Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 4a6a1d1f0afa830a679781a522d724bd861a3601 Author: Douglas Bagnall Date: Fri May 17 11:35:01 2024 +1200 ldb: deprecate ldb_set_utf8_fns Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 42ae85d70af8da1aecbf45f5fb6e7d7ee1c379fb Author: Douglas Bagnall Date: Fri May 10 15:43:36 2024 +1200 ldb: remove old ldb_comparison_fold_utf8_broken() There are no callers. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 960724a06e4dcb793d606c71d6e79387761b3d42 Author: Douglas Bagnall Date: Thu May 16 17:01:10 2024 +1200 ldb: ldb_comparison_fold always uses the casecmp function Signed-off-by: Douglas Bagnall Reviewed-by: Andrew B
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 589a9ea6767 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts via d8302e95326 s4:kdc: Merge current and previous gMSA keys during period when both are valid via a0d639bfb82 tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover via 5ea07824655 s4:libnet: Allow simulating AS‐REQ flags combination for keytab export via 71899ceb40d s4:libnet: Update export_keytab() docstring via 048de3da01f s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry() via aa8aeeb655a python:tests: Extract keytab_as_set() function to be usable by other tests via 5682df15a09 python:tests: Manually raise AssertionError via 95e80bf1e05 python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method via 4597d314029 third_party/heimdal: Import lorikeet-heimdal-202405220400 (commit 8276d6311146b8ab5d57d092bc5d5fa28282a900) via 4de25061120 WHATSNEW: Add 'dns hostname' via f64e728444b auth:ntlmssp: Use lpcfg_dns_hostname() via 78c2427d9b9 auth:ntlmssp: Remove trailing spaces via 26fd78040e5 s4:rpc_server: Use lpcfg_dnsdomain() in dnsdb.c via ad9198bb864 s4:rpc_server: Use lpcfg_dns_hostname() in dnsdb.c via 6bd56a2c19d s4:rpc_server: Use lpcfg_dns_hostname() in dnsutils.c via cb9ff7b4c5b s4:rpc_server: Use lpcfg_dns_hostname() in dns_server.c via 8ae565a14b5 s4:dns_server: Use lpcfg_dns_hostname() in dlz_bind9.c via f353ce5f965 s4:dfs_server: Use lpcfg_dns_hostname() in dfs_server_ad.c via f3f8aa49641 s3:rpc_server: Use lpcfg_dns_hostname() in srv_witness_nt.c via c00571a8b25 python:tests: Ignore case for group_name comparison via c2d4fe11b4d s3:utils: Use lp_dnsdomain() in net_ads.c via 382c300acda s3:libnet: Convert myalias to lower case via 0e96092c189 s3:libnet: Use lp_dns_hostname() in libnet_join.c via 84989f2bf4a s3:lib: Remove obsolete name_to_fqdn() via f6efc74670d s3:librpc: Use lp_dns_hostname() for creating 
the fqdn via b93fef8e90d s3:utils: Use lp_dns_hostname() for 'net' dns updates via 758bb9aacd5 docs-xml: Add smb.conf option 'dns hostname' from e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 589a9ea6767a8112baf664dd18c4aa1667e57d76 Author: Jo Sutton Date: Thu May 9 13:16:50 2024 +1200 s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224 commit d8302e95326639c159fa46788cf645c11d56420c Author: Jo Sutton Date: Mon Apr 15 14:46:47 2024 +1200 s4:kdc: Merge current and previous gMSA keys during period when both are valid Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit a0d639bfb825c2ec0840c048b9b1b3d1474c1146 Author: Jo Sutton Date: Fri Apr 26 13:43:57 2024 +1200 tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 5ea07824655170fb20bb0c6862d7697ca96b8697 Author: Jo Sutton Date: Fri Apr 26 13:54:42 2024 +1200 s4:libnet: Allow simulating AS‐REQ flags combination for keytab export Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 71899ceb40dcea6a70102c7318c55cf9b3687379 Author: Jo Sutton Date: Wed Apr 24 17:11:03 2024 +1200 s4:libnet: Update export_keytab() docstring Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 048de3da01f2f7c7210085a624e38d671b38aeda Author: Jo Sutton Date: Wed Apr 24 13:45:08 2024 +1200 s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry() This will allow us to specify whether to specify this flag for a keytab export. 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit aa8aeeb655a5605b2ecbca89762f6a2402152116 Author: Jo Sutton Date: Wed Apr 24 12:48:53 2024 +1200 python:tests: Extract keytab_as_set() function to be usable by other tests Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 5682df15a098dcad7398d8dafdcbccac37371c1a Author: Jo Sutton Date: Wed Apr 24 13:38:53 2024 +1200 python:tests: Manually raise AssertionError This removes the last dependency on ‘self’ in this method. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 95e80bf1e0533716a4a15
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e0d9e285921 selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables via 83030780285 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() via 5abeb724d74 s3:smbcacls: fix ace_compare via c7299556845 lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun via 99d26221311 spelling: comments: synthax -> syntax via 64003d86778 spelling: fix spelling of privilege.ldb in comments via 94b8deffa2d libsmb: Remove file_info->[ug]id via f2b692fb458 smbd: Simplify request_timed_out via 0fe1a6e9dac lib: Use struct initialization via c443d377a0b libsmb: Remove a talloc_strdup() via 335877ec04c libsmb: Remove an unneeded NULL check via 5384244f760 libsmb: Remove unused cli_list_trans() via e79698c4be6 libsmb: Use SMB2_0_INFO_ constants instead of magic numbers via 7ecf3b0e25c libsmb: Execute a "TODO", remove IVAL2_TO_SMB_BIG_UINT via 27ac0beaa01 lib: Fix a typo via 0013105eb55 libsmb: Avoid pointless intermediate variables via 06a322a17f8 libsmb: Use the direct FSCC_ infolevels via dd1dd65026e smbd: Remove an unused function parameter via f69fe79189e smbd: Remove an unnecessary else via ff43158c528 smbd: Remove a no-op call to init_strict_lock_struct via 661532c46c0 smbd: Remove an unnecessary else branch via 6f0628c8485 smbd: Return correct error for fallback sendfile via 9115836687f smbd: Use direct struct initialization via 979f3e23990 smbd: Remove the ZERO_ZERO define via 3542f938c53 smbd: Fix whitespace via a8b9a8358e2 smbd: Move a DBG_DEBUG up via 477dec3770b smbd: Modernize a few DEBUGs from bdfbf25255e test_kinit_export_keytab: reset pw of the test account and test --only-current-keys https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e0d9e285921ce841e4872aadc6e4750b2ad48973 Author: Stefan Metzmacher Date: Tue May 14 16:55:58 2024 +0200 selftest/Samba4: make use of get_cmd_env_vars() to setup all relevant env variables Signed-off-by: Stefan Metzmacher 
Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 22 05:26:48 UTC 2024 on atb-devel-224 commit 83030780285290ecf64b57c1744634379b68ea01 Author: Stefan Metzmacher Date: Tue Feb 6 21:09:58 2024 +0100 s4:dsdb/repl: let drepl_out_helpers.c always go via dreplsrv_out_drsuapi_send() I have customer backtraces showing that 'drsuapi' is NULL in dreplsrv_op_pull_source_get_changes_trigger() called from the WERR_DS_DRA_SCHEMA_MISMATCH retry case of dreplsrv_op_pull_source_apply_changes_trigger(), while 'drsuapi' was a valid pointer there. From reading the code I don't understand how this can happen, but it does very often on RODCs. And this fix prevents the problem. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15573 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 5abeb724d74af2b861f2ee6bc27762bb5bf07bca Author: Douglas Bagnall Date: Tue May 21 20:20:36 2024 +1200 s3:smbcacls: fix ace_compare We got this wrong in commit 31101a9fa1503be9d8137e42466f57d85136a156. In fact, we should probably not reorder the inherited ACLs, but that is for another patch series. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit c7299556845a764c7ca6195ede3f273bc20ebfbb Author: Douglas Bagnall Date: Tue May 14 14:58:51 2024 +1200 lib/fuzzing: fuzz_stable_sort_r_unstable tries to catch overrun Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 99d2622131161d7d597f5b0a9e2b509817483217 Author: Douglas Bagnall Date: Wed Apr 10 21:25:12 2024 +1200 spelling: comments: synthax -> syntax Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 64003d867786231c130b13f6d84f9d248631d3be Author: Douglas Bagnall Date: Wed Apr 10 21:22:57 2024 +1200 spelling: fix spelling of privilege.ldb in comments 'privileges' is a word, but the ldb referred to is privilege.ldb Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 94b8deffa2d8af39309a94d94f4c0c97ea85265b Author: Volker Lendecke Date: Tue May 21 11:21:03 2024 +0200 libsmb: Remove file_info->[ug]id These fields were never assigned Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit f2b692fb458f0253adcb8b7ae2b9eb99346559fb Author: Volker Lendecke Date: Tue May 21 08:38:19 2024 +0200 smbd: Simplify request_
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via bdfbf25255e test_kinit_export_keytab: reset pw of the test account and test --only-current-keys via b4be5718d3d samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option via 2793ef3e163 samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() via e2a5fbf5cf2 s4:libnet_export_keytab: add only_current_keys option via 7f1e89488a7 s4:kdc: also provide cross-realm keys via samba_kdc_seq() via 37292f8a60f s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA via 6ecc607edee s4:kdc: split out samba_kdc_fill_trust_keys() helper via f5c8c212dcb s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry() via f48699641cf s4:kdc: add a returned_kvno helper variable in samba_kdc_trust_message2entry() via d1efc396de4 s4:kdc: let samba_kdc_trust_message2entry() ignore KRB5_PROG_ETYPE_NOSUPP via 8cfebc36edc s4:kdc: split out samba_kdc_fill_trust_keys() helper via 83f03513fd5 s3:libnet: add a debug message to libnet_keytab_add_to_keytab_entries() via 888a785f476 s3:libnet: add support for trusted domains in libnet_dssync_keytab.c via 2b2cc544725 s3:libnet: split out store_or_fetch_attribute() from parse_user() in libnet_dssync_keytab.c via feff15fc88b s3:libnet: split out parse_user() in libnet_dssync_keytab.c via 52df4063871 s3:libnet: let parse_user() in libnet_dssync_keytab.c work without nt hash from 01849ab1bca s4:kdc: Implement KDC plugin hardware authentication policy https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit bdfbf25255e457c3e5d5d75ee09fca3af461c5a7 Author: Stefan Metzmacher Date: Wed Apr 17 16:15:17 2024 +0200 test_kinit_export_keytab: reset pw of the test account and test --only-current-keys Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 22 04:07:02 UTC 2024 on atb-devel-224 commit 
b4be5718d3de3bc90d142cb53f79fe067d0a3e0a Author: Stefan Metzmacher Date: Fri Mar 15 16:14:18 2024 +0100 samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 2793ef3e1632c735f9caac015503aab06f53d543 Author: Stefan Metzmacher Date: Fri Mar 15 16:31:22 2024 +0100 samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep() This tests that only_current_keys=True works. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit e2a5fbf5cf2b65db77e7c5a859c896acca69f432 Author: Stefan Metzmacher Date: Fri Mar 15 16:11:10 2024 +0100 s4:libnet_export_keytab: add only_current_keys option By default we also export on the old and older passwords... In order to do a kinit with a keytab it might be useful to include only the current keys. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 7f1e89488a7212832819380a93fe137a6fa28c37 Author: Stefan Metzmacher Date: Thu Feb 3 14:14:06 2022 +0100 s4:kdc: also provide cross-realm keys via samba_kdc_seq() This means that 'samba-tool domain exportkeytab' is able to export them. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 37292f8a60f8fa82faa7bde4314919dcae6fb7ab Author: Stefan Metzmacher Date: Fri Mar 15 19:23:46 2024 +0100 s4:kdc: let samba_kdc_trust_message2entry() return all keys with SDB_F_ADMIN_DATA Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 6ecc607edeeeb1877b5ecf02ba60d6c8799f583a Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: split out samba_kdc_fill_trust_keys() helper This simplifies the logic in samba_kdc_trust_message2entry(), is very similar to our samba_kdc_fill_user_keys() helper and will make it trivial to provide the previous keys in entry->old_keys in the next commit.
Review with: git show -p --patience Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f5c8c212dcba48167d8ae8c555a5c4750cb763fd Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: add available_enctypes to supported_session_etypes in samba_kdc_trust_message2entry() This aligns the logic of samba_kdc_trust_message2entry() with samba_kdc_message2entry_keys(). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit f48699641cf95f1e2d197e0f8ea1ed4ce2c4fb41 Author: Stefan Metzmacher Date: Fri Mar 15 19:19:20 2024 +0100 s4:kdc: add a returned_kvno helper variable
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 01849ab1bca s4:kdc: Implement KDC plugin hardware authentication policy via 0582cf6077c s4:kdc: Remove trailing whitespace via 09bcd48f790 third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f) via d36bfbf632e tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs via f3ff4915adf s4:kdc: Initialize local variable just in case (CID 1596759) via 3b90753b552 s4:kdc: Free target principal string to avoid memory leak (CID 1596760) via 7e7bb259a60 s4:kdc: Initialize pointer variable just in case (CID 1596762) via e1460c9e342 s4:dsdb: Make map containing default attribute values static via 927c672faff s4:dsdb: Do not set lockoutTime for trust accounts via 4c759c26752 s4:dsdb: Make use of userAccountControl helper function via 1b8b8550aaa s4:dsdb: Add userAccountControl helper function via 0e93456a66b s4:dsdb: Remove redundant user flags macro via 32199b9bcfd s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change via fbdeb4b0b47 lib:crypto: Add constant denoting maximum GKDI clock skew in minutes via c167ac53016 s4:libnet: Remove unnecessary declarations via 33ed55ce8f5 s4:libnet: Remove trailing whitespace via 5c4f2623c52 tests/krb5: Add more tests for gMSAs via 6f094180106 tests/krb5: Test viewing gMSA passwords after performing simple binds via f9cbda9cf0e tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons via 336a58473ad tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter via ad0740751e8 tests/krb5: Test performing NTLMSSP logons at different times via e5357c75a60 s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period via 92d010af2d0 s4:dsdb: Let dsdb gMSA time influence pwdLastSet via 9fac9b776e7 tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection via aa4347ff23e 
tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon() via 41e71406a14 tests/krb5: Make use of gmsa_series_for_account() method via 577aa790425 tests/krb5: Add quantized_time() method via 65fe09007f8 tests/krb5: Read current time from correct SamDB via fdaa2943697 python:tests: Pass ServerPasswordSet2() parameters in correct order via cb357a011b0 python:tests: Remove unnecessary ‘pass’ statement via e875193c1ca python:tests: Remove unused netlogon connection parameter via 170dd47eae5 s4:libcli: Add more controls to our list of known controls via 526652d162f s4:libcli: Fix code spelling via e4045cd5b15 s4:setup: Update name of dsdb password change control via f5cbe497897 s4:dsdb: Fix code spelling via cbebffd56da s4:dsdb: Remove trailing whitespace via 359b3b63213 lib:fuzzing: Fix undefined shift via be076b30972 lib:fuzzing: Remove unused variable via 7b02221c4f5 auth:credentials: Check for NT hash being NULL from 2b495c44a2a smbd: Fix a typo in a few places https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 01849ab1bcaad9e96b388cad178182d6a77ac3cb Author: Jo Sutton Date: Mon May 13 10:58:51 2024 +1200 s4:kdc: Implement KDC plugin hardware authentication policy NOTE: This commit finally works again! Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224 commit 0582cf6077c3f6866f38e85440c8ed464b303bdd Author: Jo Sutton Date: Wed May 15 16:28:12 2024 +1200 s4:kdc: Remove trailing whitespace Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 09bcd48f79043e54fdce840f70e370b9a507d0fc Author: Jo Sutton Date: Thu May 9 16:57:14 2024 +1200 third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f) NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit d36bfbf632ed0d3c53c9ef24eac682cb91274ec8 Author: Jo Sutton Date: Tue May 14 13:05:31 2024 +1200 tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs A lot of these tests are going to start failing, so skip them until we’ve implemented the corresponding behaviour for the KDC. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit f3ff4915adfd63f287147c73fd69050c5b7de580 Author: Jo Sutton Date: Mon May 6 12:20:44 2024 +1200 s4:kdc: Initialize
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 712ffbffc03 s3:libsmb: allow store_cldap_reply() to work with a ipv6 response via 05807488fd3 Combine ICU libraries icu-i18n and icu-uc into a single dependency via 0c983bd0095 Improve CHECK_LIB interaction with CHECK_PKG via 363c3318577 Augment library_flags() to return libraries via 5aafd2fb404 selftest: add test for User.get_primary_group method via 8fe7f0a6d50 python: models: add get_primary_group method to User model via 1f47c0f6093 python: models: rename argument ldb to samdb via 237d9d0228c tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative via 380d9c5a739 .gitlab-ci-main.yml: debug kernel details of the current runner from 9844ac289be ldb-samba: ldif_read_objectSid avoids VLA https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 712ffbffc03c7dcd551c1e22815ebe7c0b9b45d2 Author: Stefan Metzmacher Date: Tue May 7 14:53:24 2024 + s3:libsmb: allow store_cldap_reply() to work with a ipv6 response BUG: https://bugzilla.samba.org/show_bug.cgi?id=15642 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 10 01:35:18 UTC 2024 on atb-devel-224 commit 05807488fd340751ee976c5f8a367013ff94843e Author: Earl Chew Date: Sat Dec 16 08:48:36 2023 -0800 Combine ICU libraries icu-i18n and icu-uc into a single dependency Rather than probing for icu-i18n, icu-uc, and icudata libraries separately, only probe for icu-i18n, and icu-uc, as direct dependencies This avoids overlinking with icudata, and allows the package to build even when ICU is not installed as a system library. 
RN: Only use icu-i18n and icu-uc to express ICU dependency BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 0c983bd0095d4fb20ef8b42f5efb740393073862 Author: Earl Chew Date: Sat Dec 16 17:47:09 2023 -0800 Improve CHECK_LIB interaction with CHECK_PKG When checking for shared libraries, only name the target library if it was not previously discovered by pkg-config --libs and now available from uselib_store. This avoids using both sources of information which results in the library being named twice on the command line. Once the library is confirmed by CHECK_LIB, append the library if not already present, to avoid dropping libraries that were previously discovered by CHECK_PKG. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 363c33185779141fdfbda695997d548939a0251f Author: Earl Chew Date: Sun Dec 17 08:37:33 2023 -0800 Augment library_flags() to return libraries Extend library_flags() to return the libraries provided by pkg-config --libs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15623 Signed-off-by: Earl Chew Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5aafd2fb4042a2f787dd6a7bc9584494d29c405f Author: Rob van der Linde Date: Tue Apr 30 23:54:13 2024 +1200 selftest: add test for User.get_primary_group method Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8fe7f0a6d507c4711c9edbc8eab86cf0a46facaf Author: Rob van der Linde Date: Tue Apr 30 23:43:30 2024 +1200 python: models: add get_primary_group method to User model Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 1f47c0f609355aa469c04dafe6c4505f5823a6e3 Author: Rob van der Linde Date: Tue Apr 30 23:42:05 2024 +1200 python: models: rename argument ldb to samdb This argument is actually an instance of SamDB (which inherits from Ldb). This should have been called samdb. Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 237d9d0228cfed6d2e08b41b888d30aac5ab89e3 Author: Stefan Metzmacher Date: Wed May 8 18:03:54 2024 +0200 tests/ntacls: unblock failing gitlab pipelines because test_setntacl_forcenative This expects PermissionError: [Errno 1] Operation not permitted, but it seems that setxattr() for security.NTACL works on gitlab runners without being root. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 380d9c5a7392741ff2134ef1e83df45a29293db3 Author: Stefan Metzmacher Date: Wed May 8 16:12:06 2024 +0200 .gitlab-ci-main.yml: debug kernel details of the current runner Signed-off-by: Stefan Metzmacher Reviewed
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9844ac289be ldb-samba: ldif_read_objectSid avoids VLA via bf4af1a28a3 ldb-samba: ldif_read_objectSid() short-circuits without 'S' via 6c0bdf37187 lib/fuzzing: add fuzz_stable_sort_r_unstable via 59cbaa91348 ldb: note a transitivity problem in ldb_comparison_fold via e2051eebd49 ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold via f81b7c7eb20 ldb:attrib_handlers: use NUMERIC_CMP in ldb_comparison_fold via 3e899ef5bfa ldb-samba: remove unused ldif_comparision_objectSid_isString() via 8c702735641 ldb-samba: simplify extended_dn_read_SID() via c6c7cb8d4ba ldb-samba: simplify ldif_canonicalise_objectSid() via be5fd9a3a1b ldb-samba: simplify ldif_comparison_objectSid() via d801ed8b111 pytest: sid_strings: Samba DN object refuses sub-auth overflow via edf9b282ba6 pytest: sid_strings: adjust to match Windows 2016 via 473502d1701 pytest: sid_strings: Windows does allow lowercase s-1-... SIDs via fb724c61107 pytest: sid_strings: use more reliable well known SID via ae4f095586e ldb-samba: ldif_write_schemaInfo() uses correct size via 13af2cb0217 lib:util: codepoint_cmpi: be transitive and case-insensitive via 310d59c7cc3 lib:util:tests: more tests for codepoint_cmpi via 827b0c39ed0 s4:dsdb:mod: repl_md: message sort uses NUMERIC_CMP() via c5c29f59fa6 s4:rpc_srv:getncchanges: USN sort uses qsort() instead of ldb_qsort() via 65df8ce05c1 s4:rpc_srv:getncchanges: 4.5 anc emulation uses qsort(), not ldb_qsort() via 5335f122fb5 s4:dsdb:mod: repl_md: make message_sort transitive via 7f995ab887a ldb:tools: ldbsearch doesn't need ldb_qsort() via b37186cf917 s4:dsdb:util_trusts: simplify the NULL case in dns_cmp via 91b802941c1 s4:dsdb:util_trusts: describe dns_cmp return values via 8f080c0295d ldb:tests: add a test for dotted i uppercase via af7654331fb ldb: avoid NULL deref in ldb_db_compare from d58a72c572f .gitlab-ci: Remove tags no longer provided by gitlab.com https://git.samba.org/?p=samba.git;a=shortlog;h=master 
- Log - commit 9844ac289be3430fd3f72c5e57fa00e012c5d417 Author: Douglas Bagnall Date: Sat May 4 13:40:35 2024 +1200 ldb-samba: ldif_read_objectSid avoids VLA I don't think this variable length array is any trouble, but people complain about them (e.g. https://nullprogram.com/blog/2019/10/27/) because they make things more complex at run-time, and this is a somewhat performance sensitive path. DOM_SID_STR_BUFLEN + 1 is 191 -- if that stack allocation is going to cause trouble, then so was the VLA <= that. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 8 00:26:42 UTC 2024 on atb-devel-224 commit bf4af1a28a3580223fcc3a861c7fdd1b43f234d1 Author: Douglas Bagnall Date: Sat May 4 13:32:39 2024 +1200 ldb-samba: ldif_read_objectSid() short-circuits without 'S' This avoids a memcpy, and level 3 debug verbosity from dom_sid_parse_endp(). In other places we have something like `|| in->data[1] != '-'`, but that is not useful here -- the value is either a string SID, or a binary SID that starts with '\1', or some awful value that we *do* want to get messages about. This replaces the work of ldif_comparision_objectSid_isString(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=10763 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 6c0bdf371878eb1a3a1c3b1663379a89bd0ec2c0 Author: Douglas Bagnall Date: Wed May 1 17:16:38 2024 +1200 lib/fuzzing: add fuzz_stable_sort_r_unstable This should find out how well stable_sort copes with an unstable non-transitive comparison function. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 59cbaa91348857c51854ee5e6bc8f78cdcde4e56 Author: Douglas Bagnall Date: Tue Apr 30 12:41:25 2024 +1200 ldb: note a transitivity problem in ldb_comparison_fold Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e2051eebd492a419f840280336eb242d0b4a26ac Author: Douglas Bagnall Date: Fri Apr 26 15:58:44 2024 +1200 ldb:attrib_handlers: reduce non-transitive behaviour in ldb_comparison_fold If two strings are invalid UTF-8, the string is first compared with memcmp(), which compares as unsigned char. If the strings are of different lengths and one is a substring of the other, the memcmp() returns 0 and a second comparison is made which assumes the next character in the shorter string is '\0' -- but this comparison wa
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 73e3ffb8418 python:tests: Store keys as bytes rather than as lists of ints via 6f12cf958f8 python:tests: Rewrite condition of while loop via cb97e3f13df python:tests: Store keys as bytes rather than as tuples via 94e055b582e python:gkdi: Add helper methods returning previous and next GKIDs via 282e5784a03 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export via 5a048ef0f81 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys() via 1889e0aea38 python: Move get_admin_sid() to SamDB via 786eab65cef s4:auth: Export AES128 gMSA keys along with AES256 keys by default via 103ca0276fb tests/krb5: Check that updated NT hashes of gMSAs have the values we expect via 1171589e355 ldb: Remove unnecessary declaration via 46955bc7664 lib:crypto: Fix Coverity build via 82224fca78c ctdb: Report errors from getline() via f9309c221b9 ctdb: Ensure ‘ret’ is always initialized from 1a02c6e59c1 WHATSNEW: document ldaps/tls related option changes https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 73e3ffb841842c748e0cda59ada0617dda035853 Author: Jo Sutton Date: Wed Apr 24 13:34:27 2024 +1200 python:tests: Store keys as bytes rather than as lists of ints Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 24 06:20:58 UTC 2024 on atb-devel-224 commit 6f12cf958f8ed92c3373372760564d95adcdfb94 Author: Jo Sutton Date: Wed Apr 24 13:37:40 2024 +1200 python:tests: Rewrite condition of while loop Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit cb97e3f13dfa8e8f7512639389aaccf93d53959a Author: Jo Sutton Date: Wed Apr 24 13:36:28 2024 +1200 python:tests: Store keys as bytes rather than as tuples Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 94e055b582e3c4498b99d3997df3db614b3e94e8 Author: Jo Sutton Date: Wed Apr 24 12:42:40 2024 +1200 python:gkdi: Add helper methods returning previous and next GKIDs 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 282e5784a03add45dc662b27da6f2d29e1ab80cb Author: Jo Sutton Date: Mon Apr 15 14:45:51 2024 +1200 s4:kdc: Add helper variable indicating whether we think we are performing a keytab export Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 5a048ef0f81d4f212019a9687a726eb0bfd67227 Author: Jo Sutton Date: Mon Apr 15 14:39:45 2024 +1200 s4:kdc: Pass ldb context into samba_kdc_message2entry_keys() This ldb context can be used to query the current gMSA time. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 1889e0aea389662a1e4111d7537f3c4e1c93d492 Author: Jo Sutton Date: Mon Apr 15 13:23:15 2024 +1200 python: Move get_admin_sid() to SamDB Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 786eab65cefac69dfd38646437720f33994f8f47 Author: Jo Sutton Date: Tue Apr 23 13:13:20 2024 +1200 s4:auth: Export AES128 gMSA keys along with AES256 keys by default This is what an existing test expects. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 103ca0276fbda03592bfb4a460ba946218abfb16 Author: Jo Sutton Date: Mon Apr 22 10:53:30 2024 +1200 tests/krb5: Check that updated NT hashes of gMSAs have the values we expect Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 1171589e355e55b5fa08ae7da0210ac9ca2c7107 Author: Jo Sutton Date: Wed Apr 24 12:31:36 2024 +1200 ldb: Remove unnecessary declaration This declaration is a hold‐over from the Python 2 module initialization pattern. 
Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 46955bc7664b8cf665c9bccf3b88d4afa26b9526 Author: Jo Sutton Date: Mon Apr 22 11:10:00 2024 +1200 lib:crypto: Fix Coverity build The Coverity build is failing with the following errors: [1936/5164] Compiling lib/crypto/gkdi.c In file included from /usr/lib64/gcc/x86_64-suse-linux/7/include/stdint.h:9:0, from /usr/include/inttypes.h:27, from ../../lib/crypto/../replace/replace.h:64, from ../../source4/include/includes.h:23, from ../../lib/crypto/gkdi.c:21: ../../lib/crypto/gkdi.c: In function ‘gkdi_get_key_start_time’: ../../lib/crypto/gkdi.c:197:4: error: initializer element is not constant UINT64_MAX / ^ ../../lib/crypto/gkdi.c:197:4: note: (near initialization for ‘max_gkid.l0_idx’) ../../lib/crypto/gkdi.c:200:4: error: initializer element is not constant UINT64_MAX / ^ ../../lib/crypto/gkdi.c:200:4
[SCM] Samba Shared Repository - branch master updated
include a TLS server name indication in the client handshake via ecdd7691913 s4:lib/tls: we no longer need ifdef GNUTLS_NO_TICKETS via 60b11645b0d s4:lib/tls: split out tstream_tls_prepare_gnutls() via ac4bca77039 s4:lib/tls: assert that event contexts are not mixed via 6688945fa03 s3:lib/tls: we need to call tstream_tls_retry_handshake/disconnect() until all buffers are flushed via 5844ef27aa4 s4:lib/tls: remove tstream_tls_push_trigger_write step via 68f6a461e17 s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl() via 8deba427e26 s4:libcli/ldap: fix no memory error code in ldap_bind_sasl() via 2435ab1ad70 ldb_ildap: require ldb_get_opaque(ldb, "loadparm") to be valid via 8007569e9f7 s4:libcli/ldap: ldap4_new_connection() requires a valid lp_ctx via 96e4a92f192 tests/segfault.py: make sure samdb.connect(url) has a valid lp_ctx from 1cba9de1444 Fix a few "might be uninitialized" errors https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 1a02c6e59c18fdd23114312b8afca057f72602d4 Author: Stefan Metzmacher Date: Mon Mar 4 19:34:22 2024 +0100 WHATSNEW: document ldaps/tls related option changes Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 24 00:59:53 UTC 2024 on atb-devel-224 commit acaa24c65d9f0300e0c6cb04d406b075a8994cee Author: Stefan Metzmacher Date: Mon Mar 4 19:33:52 2024 +0100 smbdotconf: finally remove unused "client use spnego principal" option Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 4ff1b321edbf35f72fc1837d77fb54f038a5b5e1 Author: Stefan Metzmacher Date: Tue Mar 5 08:54:02 2024 +0100 s4:selftest: remove useless 'client use spnego principal' tests Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 5d350c1ecd18d2d691aeb559b387c8e3c811cb81 Author: Stefan Metzmacher Date: Mon Mar 4 19:31:33 2024 +0100 auth/gensec: remove useless client_use_spnego_principal usage It's off by default and all sane servers use 
not_defined_in_RFC4178@please_ignore anyway. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit a34532cd9b12a576ff189caba8dcbd65520688e6 Author: Stefan Metzmacher Date: Mon Mar 4 15:54:36 2024 +0100 s3:selftest/tests.py: run TLDAP tests with sasl-sign,sasl-seal,ldaps,starttls Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit d189952f0ef45be8dc6b2dcc14e606d50bf90bad Author: Stefan Metzmacher Date: Tue Feb 13 22:53:29 2024 +0100 s3:torture: add ldaps/starttls support to run_tldap() Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 09647d1dc96690e7b52d4f37b6b4fc835a140817 Author: Stefan Metzmacher Date: Mon Mar 4 15:27:24 2024 +0100 s3:torture: add '-T 'option=value' this is similar to '--option='=value' Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit e6be6fa94881a78c9e542d1187cf87f013b1d71d Author: Stefan Metzmacher Date: Mon Mar 4 15:08:17 2024 +0100 blackbox/test_net_ads_search_server: also test ldaps/starttls Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 9827055be3caaa0e98957446dfbab0b6b62b3253 Author: Stefan Metzmacher Date: Tue Feb 13 16:04:57 2024 +0100 s4:selftest: also test samba4.ldb.simple.ldap with starttls and SASL-BIND Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0122c0a6986e28355ca22545fa40442afc0c43e2 Author: Stefan Metzmacher Date: Wed Jan 24 10:43:42 2024 +0100 s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 0f8a7c9ef6e34d973dfdf966041d3e68118563f8 Author: Stefan Metzmacher Date: Fri Jan 26 09:18:33 2024 +0100 s3:idmap_ad: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} Review with: git show --patience Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 864ed28ce0e2d4b6712cf742f2dadd2aee445b9d Author: Stefan Metzmacher Date: Tue Jan 30 10:27:58 2024 +0100 s3:libads: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} Signed-off-by: 
Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 844e1bdc6d43dc42550229bcc69dd4fe7631f042 Author: Stefan Metzmacher Date: Fri Feb 9 15:40:00 2024 +0100 smbdotconf: add client ldap sasl wrapping = {starttls,ldaps} In order to use SASL authentication within a TLS connection we now provide "client ldap sasl wrapping = starttls" or "client ldap sasl wrapping = ldaps". Signed-off-by: Stefan Metz
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c49c48afe09 ldb:utf8: ldb_ascii_toupper() avoids real toupper() via dca6b2d2552 ldb:attrib_handlers: use ldb_ascii_toupper() in first loop via 078ecf486a6 ldb:pytests: test for Turkic i-dots in ldb_comparison_fold via a75c98ad688 ldb:attrib_handlers: make ldb_comparison_Boolean more consistent via 7280c8e53f4 ldb-samba:ldif_handlers: dn_link_comparison: sort invalid DNs via 341b8fb60e2 ldb-samba:ldif_handlers: dn_link_comparison leaks less via 70356592563 ldb-samba:ldif_handlers: dn_link_comparison correctly sorts deleted objects via 11d5a809325 ldb-samba:ldif_handlers: dn_link_comparison semi-sorts invalid DNs via db963b1674e ldb-samba:ldif_handlers: dn_link_comparison semi-sorts deleted objects via 2d3b917d0a0 ldb-samba:ldif_handlers: extended_dn_read_Sid(): free on failure via 42f2d96f82a ldb-samba:ldif_handlers: ldif_read_objectSid(): free a thing on failure via 6722e80d1b3 ldb-samba: ldif-handlers: make ldif_comparison_objectSid() accurate via 4af670384a1 s4:dsdb: fix spelling in comment via a9eaf8a3abe ldb: comment for ldb_dn_compare_base via 6229feab74a s4:rpcsrv:samr: improve a comment in compare_msgRid via 7be535315a5 s4:rpcsrv:dnsserver: make dns_name_compare transitive with NULLs via 31c322874b8 s3:libsmb:nmblib: use NUMERIC_CMP in status_compare via 7ba6fcb9365 lib/socket: rearrange iface_comp() to use NUMERIC_CMP via acaa1323d03 gensec: sort_gensec uses NUMERIC_CMP via 75682e397b9 s3:rpc:wkssvc_nt: dom_user_cmp uses NUMERIC_CMP via 8317a617364 dsdb:schema: use NUMERIC_CMP in place of uint32_cmp via 386216d4a15 s3:mod:vfs_vxfs: use NUMERIC_CMP in vxfs_ace_cmp via 8b2605a5d9c s3:mod:posixacl_xattr: use NUMERIC_CMP in posixacl_xattr_entry_compare via 9b73235d495 s3:brlock: use NUMERIC_CMP in #ifdef-zeroed lock_compare via 5fe488d515a ldb:dn: make ldb_dn_compare() self-consistent via 531f31df993 ldb:sort: generalise both-NULL check to equality check via d4e69734c65 ldb:sort: check that elements have values via 
d785c1991c9 ldb:mod:sort: rearrange NULL checks from 20ce68f1594 tests/krb5: Test retrieving a denied gMSA password over an unsealed connection https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c49c48afe09a1a78989628bbffd49dd3efc154dd Author: Douglas Bagnall Date: Sat Apr 20 09:57:15 2024 +1200 ldb:utf8: ldb_ascii_toupper() avoids real toupper() If a non-lowercase ASCII character has an uppercase counterpart in some locale, toupper() will convert it to an int codepoint. Probably that codepoint is too big to fit in our char return type, so we would truncate it to 8 bit. So it becomes an arbitrary mapping. It would also behave strangely with a byte with the top bit set, say 0xE2. If char is unsigned on this system, that is 'â', which uppercases to 'Â', with the codepoint 0xC2. That seems fine in isolation, but remember this is ldb_utf8.c, and that byte was not a codepoint but a piece of a long utf-8 encoding. In the more likely case where char is signed, toupper() is being passed a negative number, the result of which is undefined. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Apr 23 02:37:25 UTC 2024 on atb-devel-224 commit dca6b2d25529288eaf7b31baf37ca4f6de4f4b9d Author: Douglas Bagnall Date: Thu Apr 11 13:46:28 2024 +1200 ldb:attrib_handlers: use ldb_ascii_toupper() in first loop In a dotless-I locale, we might meet an 'i' before we meet a byte with the high bit set, in which case we still want the ldb casefold comparison. Many ldb operations will do some case-folding before getting here, so hitting this might be quite rare even in those locales. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 078ecf486a62dc3aaa2842ada96456ac9870dad7 Author: Douglas Bagnall Date: Wed Apr 17 11:42:30 2024 +1200 ldb:pytests: test for Turkic i-dots in ldb_comparison_fold In tr_TR and some other locales the letter 'i' uppercases to 'İ', which is not ideal for LDB as we need certain strings like 'guid' to casefold in the ASCII way. In fixing https://bugzilla.samba.org/show_bug.cgi?id=15248 we solved this problem in many cases, but for unindexed searches where the 'i' is not the last character in the string. This test shows that. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15637 Sig
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 532789b4f3f s4:dsdb: Implement msDS-ManagedPassword attribute via ddcf20b518c s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL via be0029cff4a python:tests: Catch failures to authenticate with gMSA managed passwords via a52239af9df selftest: Expand out knownfails for gMSA getpassword tests via 6f9281b028c s4:dsdb: Set up passwords and password IDs of new gMSAs via 85fbdcd048f s4:dsdb: Add functions for Group Managed Service Accounts implementation via 85d34934e13 s4:dsdb: Factor out a function to remove all password related attributes via 7b7fdfbce3c lib:crypto: Reformat source code via bb5ca9f466f tests/krb5: Add tests for gMSAs via 42710f0455c python:nt_time: Add NT_TIME_MAX constant via c6ed19ad1a7 python:gkdi: Reformat code with ‘ruff’ via 5aaebb537e3 python:gkdi: Add Gkdi.from_key_envelope() method via 0c0a25d0b2d python:gkdi: Add notes on GKDI time periods via 13815813341 tests/gkdi: Change ‘current_gkid’ parameter to ‘current_time’ via b64a02d5b5a tests/gkdi: Remove implicit clock skew offset via 13dcf7f74c2 tests/gkdi: Allow current time to be overridden via 6d20d436dee tests/krb5: Make use of ‘expect_edata’ parameter via 1f4e1c026d9 tests/krb5: Remove unused variable via 586c4ec718c tests/krb5: Fix code spelling via 5656fd2ff2b tests/krb5: Remove unused import via 4b6f65a4a25 python:tests: Fix typo via 5379956bd44 python:tests: Reformat code via ae39a15b518 python:tests: Fix set declaration via ea83bb84b98 python:tests: Replace deprecated method assertRaisesRegexp() via ff8e98daf1c s4:ldap_server: Consider ldapi connections to be encrypted via c63cabf1e09 s4:ldap_server: Store whether an LDAP connection is over ldapi via c2378d0c6f3 s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections via ec6579829f9 s4:ldap_server: Rename privileged ops to indicate they are used for ldapi via 7df4bdd0fe7 s4:ldap_server: Fix code spelling via 1a6dbcfb105 s4:ldap_server: 
Remove trailing whitespace via c9370d3ced2 selftest: Move some KDS root key tests around to prepare for gMSA server side via bd60c605ca1 selftest: Remove duplicate setup of "spn/upn namespaces" in the customdc testenv via aa6795b32ff s3:auth: Add support standalone server with MIT Keberos 1.21 via b58395e5c37 s3:auth: Split auth3_generate_session_info_pac() into functions via 20c546f928d s3:auth: Re-format auth3_generate_session_info_pac() via cdb31d7e45b s3:auth: Remove trailing spaces from 75a4fbbf6a3 smbdotconf: Enable "winbind debug traceid" by default https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 532789b4f3f0efe5350089391a97f24296f3be90 Author: Jo Sutton Date: Tue Feb 13 15:45:21 2024 +1300 s4:dsdb: Implement msDS-ManagedPassword attribute Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Apr 16 05:02:30 UTC 2024 on atb-devel-224 commit ddcf20b518c676140d83052bf0b79628a9299012 Author: Jo Sutton Date: Tue Apr 9 16:15:48 2024 +1200 s4:dsdb: Add extra attrs to search request even if replacement attribute is NULL Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit be0029cff4af5c7ef0fb54bdf18fbcb7165572eb Author: Jo Sutton Date: Tue Apr 9 14:09:17 2024 +1200 python:tests: Catch failures to authenticate with gMSA managed passwords Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit a52239af9dff958fb26c7bf5242a3f9e9b4fc3a2 Author: Jo Sutton Date: Tue Apr 9 13:55:58 2024 +1200 selftest: Expand out knownfails for gMSA getpassword tests Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 6f9281b028ca6a8f392a1c0fff02ba9af5c0072f Author: Jo Sutton Date: Fri Apr 5 13:23:18 2024 +1300 s4:dsdb: Set up passwords and password IDs of new gMSAs Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 85fbdcd048fefc5c7edca709855e7510f3085a9a Author: Jo Sutton Date: Tue Feb 13 16:09:57 2024 +1300 s4:dsdb: Add functions for Group Managed Service Accounts 
implementation Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 85d34934e1348e4b09591499f6080b2867b9c99d Author: Jo Sutton Date: Tue Apr 9 12:15:00 2024 +1200 s4:dsdb: Factor out a function to remove all password related attributes Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 7b7fdfbce3c2b6f86399fb585e334a78fe696423 Author: Jo Sutton Date: Tue Apr 2 10:33:27 2024 +1300 lib:crypto:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 81598b42455 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP() via e35d54fd4d3 s3:util:sharesec ace_compare() uses NUMERIC_CMP() via 31101a9fa15 s3:smbcacls: use NUMERIC_CMP in ace_compare via 5e99262aaf5 s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP() via a197be2003d s4:wins: use NUMERIC_CMP in nbtd_wins_randomize1Clist_sort() via d8b97649ef4 s4:wins: winsdb_addr_sort_list() uses NUMERIC_CMP() via 66d47537e42 s4:wins: use NUMERIC_CMP in winsdb_addr_sort_list() via 42ead213484 s4:dns_server: use NUMERIC_CMP in rec_cmp() via ed3ab87bdb0 s4:rpc_server: compare_SamEntry() uses NUMERIC_CMP() via dd4a0c27681 s3:lib:util_tdb: use NUMERIC_CMP() in tdb_data_cmp() via 4641a971517 libcli/security: use NUMERIC_CMP in dom_sid_compare_auth() via cb94202c1cf libcli/security: use NUMERIC_CMP in dom_sid_compare() via 21a071e4864 ldb: reduce non-transitive comparisons in ldb_msg_element_compare() via 5c36bc82415 ldb: avoid non-transitive comparison in ldb_val_cmp() via e1519c36678 util:datablob: avoid non-transitive comparison in data_blob_cmp() via 838c6847029 ldb:attrib_handlers: ldb_comparison_binary uses NUMERIC_CMP() via f78b964cd81 ldb:attrib_handlers: ldb_comparison_Boolean uses NUMERIC_CMP() via 997b72d79e6 util: charset:util_str: use NUMERIC_CMP in strncasecmp_m_handle via 6159b098cf3 lib/torture: add assert_int_{less,greater} macros via 3414a894ad6 s3:libsmb:namequery: use NUMERIC_CMP in addr_compare via 4a9d274d43b s3:libsmb:namequery: note intransitivity in addr_compare() via f07ae699070 util:charset:codepoints: codepoint_cmpi warning about non-transitivity via 675fdeee3d6 util:charset:codepoints: condepoint_cmpi uses NUMERIC_CMP() via d4ce8231f98 util:test: test_ms_fn_match_protocol_no_wildcard: allow -1 via f788a36 util:charset:util_str: use NUMERIC_CMP in strcasecmp_m_handle via a512759d7b2 torture:charset: test more of strcasecmp_m via dda0bb6fc71 torture:charset: use < and > assertions for strncasecmp_m via 
ac0a8cd92ca torture:charset: use < and > assertions for strcasecmp_m via 09c98ff1263 util:binsearch: user NUMERIC_CMP() via ee4ebcccd7d s4: use numeric_cmp in dns_common_sort_zones() via 623adcf4aae s4:dsdb:mod:operational: use NUMERIC_CMP in pso_compare via a6d76d6ee9f s4:ntvfs: use NUMERIC_CMP in stream_name_cmp via 75e51bd99b7 ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare() via 5150b318f48 ldb:ldb_dn: use safe NUMERIC_CMP in ldb_dn_compare_base() via de1b94f79ea ldb: add NUMERIC_CMP macro to ldb.h via 5ab93f48c57 util:tsort.h: add a macro for safely comparing numbers via 8b6a584170e lib/fuzzing/decode_ndr_X_crash: guess the pipe from filename via 73e4f6026ad ldb: avoid out of bounds read and write in ldb_qsort() from 60df2a09a43 selftest: move some more expected failures to expectedfail.d https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 81598b42455d6758941da532c668b6d4e969cc40 Author: Douglas Bagnall Date: Thu Apr 4 14:33:47 2024 +1300 s3:libsmb_xattr: ace_compare() uses NUMERIC_CMP() the access_mask is the easiest to overflow with subtraction -- other fields are 8 or 16 bit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 10 23:58:12 UTC 2024 on atb-devel-224 commit e35d54fd4d381df67ab9b4f8390e2109b2142678 Author: Douglas Bagnall Date: Thu Apr 4 14:08:02 2024 +1300 s3:util:sharesec ace_compare() uses NUMERIC_CMP() ace->access_mask is uint32_t, so can overflow a signed int. This would be easy to trigger, as it is a flags field rather than an allocation count. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 31101a9fa1503be9d8137e42466f57d85136a156 Author: Douglas Bagnall Date: Wed Apr 3 12:56:48 2024 +1300 s3:smbcacls: use NUMERIC_CMP in ace_compare BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 5e99262aaf5fc6601f3859c8b060b680b11bf6ea Author: Douglas Bagnall Date: Thu Apr 4 14:25:54 2024 +1300 s3:util:net_registry: registry_value_cmp() uses NUMERIC_CMP() v->type is an int-sized enum, so overflow might be possible if it could be arbitrarily set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15625 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew
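The overflow described in the ace_compare() commit messages above, shown as an added C example that is not Samba's code: a subtraction-based comparator on a uint32_t flags field returns the wrong sign and stops being transitive, while a three-way comparison does not. The macro name DEMO_NUMERIC_CMP, its definition, the struct and the sample masks are assumptions constructed for illustration; the page names NUMERIC_CMP but does not show its definition.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Assumed shape of a safe three-way comparison (hypothetical name, not
 * taken from the page). The result is always -1, 0 or 1, whatever the
 * width or signedness of the operands.
 */
#define DEMO_NUMERIC_CMP(a, b) (((a) > (b)) - ((a) < (b)))

/* Constructed stand-in for an ACE: 8-bit fields plus a 32-bit flags field. */
struct demo_ace {
	uint8_t type;
	uint8_t flags;
	uint32_t access_mask;
};

typedef int (*ace_cmp_fn)(const void *, const void *);

/*
 * "Before" pattern: compare by subtraction. The 8-bit fields promote to
 * int, so their difference always fits. The uint32_t difference wraps
 * modulo 2^32 and is then narrowed to int, so its sign can be wrong.
 */
static int cmp_subtract(const void *pa, const void *pb)
{
	const struct demo_ace *a = pa, *b = pb;

	if (a->type != b->type) {
		return a->type - b->type;
	}
	if (a->flags != b->flags) {
		return a->flags - b->flags;
	}
	return (int)(a->access_mask - b->access_mask);
}

/* "After" pattern: every field goes through the three-way comparison. */
static int cmp_numeric(const void *pa, const void *pb)
{
	const struct demo_ace *a = pa, *b = pb;
	int c = DEMO_NUMERIC_CMP(a->type, b->type);

	if (c == 0) {
		c = DEMO_NUMERIC_CMP(a->flags, b->flags);
	}
	if (c == 0) {
		c = DEMO_NUMERIC_CMP(a->access_mask, b->access_mask);
	}
	return c;
}

/* Returns 1 when cmp claims x < y and y < z but does not claim x < z. */
static int breaks_transitivity(ace_cmp_fn cmp, const struct demo_ace *x,
			       const struct demo_ace *y,
			       const struct demo_ace *z)
{
	return cmp(x, y) < 0 && cmp(y, z) < 0 && !(cmp(x, z) < 0);
}

/*
 * Sort constructed masks with the safe comparator only; qsort() requires a
 * consistent ordering, so the subtracting comparator is never passed to it.
 * Returns 1 if the result is in ascending access_mask order.
 */
static int safe_sort_is_ascending(void)
{
	struct demo_ace aces[] = {
		{0, 0, 0xC0000000u}, {0, 0, 0x00000000u},
		{0, 0, 0x60000000u}, {0, 0, 0x001F01FFu},
	};
	size_t n = sizeof(aces) / sizeof(aces[0]);

	qsort(aces, n, sizeof(aces[0]), cmp_numeric);
	for (size_t i = 1; i < n; i++) {
		if (aces[i - 1].access_mask > aces[i].access_mask) {
			return 0;
		}
	}
	return 1;
}

int main(void)
{
	/* Constructed masks: each adjacent pair differs by less than 2^31,
	 * but the outer pair differs by more. */
	struct demo_ace x = {0, 0, 0x00000000u};
	struct demo_ace y = {0, 0, 0x60000000u};
	struct demo_ace z = {0, 0, 0xC0000000u};

	printf("subtract: cmp(x,z)=%d cycle=%d\n", cmp_subtract(&x, &z),
	       breaks_transitivity(cmp_subtract, &x, &y, &z));
	printf("numeric:  cmp(x,z)=%d cycle=%d\n", cmp_numeric(&x, &z),
	       breaks_transitivity(cmp_numeric, &x, &y, &z));
	printf("safe sort ascending: %d\n", safe_sort_is_ascending());
	return 0;
}
```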
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 60df2a09a43 selftest: move some more expected failures to expectedfail.d via bda4e1233a1 ldb: Add more segfault tests DN handling via 8ac18495ba2 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb via d38a9e93cf3 python:upgrade/upgradeprovision: use dn.copy to align ldbs via 345eb854c3b pyldb: add dn.copy() python method. via fa9a32139ff s4:samba_upgradeprovision: align DN ownership via ed6d151c1b7 pyldb: add Message.ldb accessor via 8b6df2d0bca pyldb: add Dn.ldb accessor via a95e6aa5667 pyldb: add PyErr_internal_LDB_DN_OR_RAISE via d712c8d2edd pyldb: normalise name of pyldb_Message_Check via 72ad126ab74 ldb:pyldb: reorder structs for possible type-punning via c39021a494f pyldb: py_ldb_msg_set_dn checks dn ldb equality via 61ba0cc17df pyldb: py_ldb_msg_elements uses PyErr_LDB_MESSAGE_OR_RAISE via 9cadc61cd4c pyldb: py_ldb_msg_items checks for more errors via 6a2e6139ad0 pldb: py_ldb_msg_items uses PyErr_LDB_MESSAGE_OR_RAISE via b5fcc55b5ec pyldb: py_ldb_msg_contains() checks ldb equality via acba42b126c pyldb: py_ldb_msg_keys() uses PyErr_LDB_MESSAGE_OR_RAISE via d05ae6872b1 pyldb: py_ldb_msg_richcmp() uses PyErr_LDB_MESSAGE_OR_RAISE() via bc45a258d2a pyldb: use PyErr_LDB_MESSAGE_OR_RAISE() in various functions via f0e665f4a9a pyldb: add PyErr_LDB_MESSAGE_OR_RAISE() macro via b81b2578ad1 pyldb: catch up with README.Coding for some `PyArg_ParseTuple`s via 13545ed1390 pyldb: py_ldb_dn_concat() uses PyErr_LDB_DN_OR_RAISE via 1bbca1e3b42 pyldb: py_ldb_dn_len checks dn and ldb validity via f8b92e52811 pyldb: make py_ldb_dn_add_base() a bit less leaky via b83ea997e75 pyldb: py_ldb_dn_add_base() uses PyErr_LDB_DN_OR_RAISE via 67a9e573b00 pyldb: make py_ldb_dn_add_child() a bit less leaky via 310624ead50 pyldb: py_ldb_dn_add_child() uses PyErr_LDB_DN_OR_RAISE via 1eeb0e36516 pyldb: py_ldb_dn_get_parent() uses PyErr_LDB_DN_OR_RAISE via 8830149ef96 pyldb: py_ldb_dn_richcmp() uses PyErr_LDB_DN_OR_RAISE via 982a87cedfc pyldb: 
py_ldb_dn_get_extended_component() uses PyErr_LDB_DN_OR_RAISE via 5154c8c996f pyldb: py_ldb_dn_extended_str() uses PyErr_LDB_DN_OR_RAISE() via 0ce3f355022 pyldb: py_ldb_dn_get_casefold() uses PyErr_LDB_DN_OR_RAISE() via 85ba5d2c8f2 pyldb: py_ldb_dn_get_extended_component uses PyErr_LDB_DN_OR_RAISE() via 087d43ac615 pyldb: adapt some simple dn methods to use LDB_DN_OR_RAISE() via f98035a2a31 ldb:pyldb: PyErr_LDB_DN_OR_RAISE makes more rigourous checks via 8bb6287c3ba pytest:segfault: some more ldb crashes via 0bf80c10ca5 samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup via 8612b3e38b3 ldb:pytests: test ldb.connect() works after .disconnect() via fdc3212275b pyldb: Add ldb.disconnect() method to ensure DB handles are closed via 784ee21616a pyldb: Include a reference to the Ldb in objects that use via ffbe623963a selftest: Add tests that demonstrate the issues with ldb use after free via 3ffc6c139b0 pytest:krb5/lockout: associate user DN with the ldb it is used with from dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 60df2a09a4394d2b494224ad3d33314079e73066 Author: Douglas Bagnall Date: Fri Mar 22 16:20:18 2024 +1300 selftest: move some more expected failures to expectedfail.d Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Apr 10 06:15:46 UTC 2024 on atb-devel-224 commit bda4e1233a145f11aa92b89a5658d94cd9252267 Author: Andrew Bartlett Date: Mon Mar 25 22:21:19 2024 +1300 ldb: Add more segfault tests DN handling - from_dict DN use-after-free - check for the same directly creating the ldb.Message Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8ac18495ba238985a82dbe5a3c95c78c3c51f4b6 Author: Douglas Bagnall Date: Mon Mar 18 12:24:53 2024 +1300 pyldb: don't allow py_ldb_dn_copy() with the wrong pyldb 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit d38a9e93cf3444d7fe3939728673a637a03eb819 Author: Douglas Bagnall Date: Sun Mar 17 18:07:44 2024 +1300 python:upgrade/upgradeprovision: use dn.copy to align ldbs We need to do this when the dn is on a message from another ldb. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 345eb854c3b03a3c8e0e19fba0edb9eafd055ab9 Author: Douglas Bagnall Date: Sun Mar 1
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via dbba6c22a41 auth/credentials: Read managed_password.passwords.query_interval only after parsing via 811c184bbb3 smbd: Simplify an if-condition via 51c950c1629 smbd: Save 3 lines via f573a513415 smbd: Remove an obsolete comment via 798826d4f1a smbXsrv_session: Remove a "can't happen" NULL check via 89981987379 smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB via 292c2645468 smbXsrv_session: Remove two implicit NULL initializations via c5f98c0d95c smbXsrv_session: Use struct initialization via 005ce15aab3 python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change via 50f424e8d35 s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3() via 8df1728e124 s3:rpc_server: Implement lsa_CreateTrustedDomain_common() via 3385c2fe44a s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck() via 8f52b649799 s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2() via 56e1051ad7e s3:rpc_client: Implement createtrustdomex3 command via bb4d8de9a80 s3:rpc_client: Implement createtrustdomex2 command via d078ee6af61 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes() via 97499a47550 s4:torture: Add test for lsa_CreateTrustedDomainEx3 via f390981c1a7 s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3() via 933ba496073 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3() via 87595140c34 s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA via 0177cd898ef s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain via b957cb34d44 s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx via 1790828bc5f s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2 via 6d90397ff28 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common() via dad8c78edc7 s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck() via 18af510bd50 s4:rpc_server: Use 
talloc_zero in dcesrv_lsa_CreateTrustedDomain() via 8b1c0bd718b s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c via 354f61d868d s4:torture: Use dcerpc_lsa_OpenPolicy3_r() via 8e35e5f5675 s4:torture: Use rpc_lsa_encrypt_trustdom_info() via 05e9cb36b77 s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info() via dbe9e9a8393 s4:torture: Use init_lsa_String() from init_lsa.h via 84d51503630 librpc:rpc: Add dcerpc_lsa.h via 2d60d1b96aa python: Use OpenPolicyFallback() in trust.py via 859e7f8c5f1 python: Implement CreateTrustedDomainFallback() via 812d4e0d6cc python: Add aead_aes_256_cbc_hmac_sha512() via 23e61d2cebc python: Use secrets.token_bytes instead of random via decacb0e7e1 python: Set parameter types for CreateTrustedDomainRelax() via 9e5fc815644 python:tests: Clean lsa_utils.py code according to Python standards via e32be2ade4f python:tests: Rename createtrustrelax.py to lsa_utils.py via 00ed209e483 python: Implement OpenPolicyFallback() via 85d0ab38f7c python:samba: Rename trust_utils.py to lsa_utils.py via 01940ae7afa buildtools: Fix PYTHONPATH and print it from be2ade2d88b netcmd: fix broken shell command missing Model https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit dbba6c22a41ab12bd9804f10a878c965100ac7c0 Author: Andrew Bartlett Date: Tue Apr 9 16:11:16 2024 +1200 auth/credentials: Read managed_password.passwords.query_interval only after parsing The code previously read the uninitialised stack not the parsed structure, and so could segfault if the stack was not zero. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Apr 9 23:59:54 UTC 2024 on atb-devel-224 commit 811c184bbb30f8364a6c2f1835732d0c25e1b9c7 Author: Volker Lendecke Date: Fri Feb 9 12:37:53 2024 +0100 smbd: Simplify an if-condition current_sid == NULL is true if and only if we could not assign current_sid because num_sids was too small. Make that more explicit. 
Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit 51c950c16297ce45aeec85dff53af04f7f3b620f Author: Volker Lendecke Date: Fri Feb 9 12:47:48 2024 +0100 smbd: Save 3 lines Just cosmetic Signed-off-by: Volker Lendecke Reviewed-by: Andrew Bartlett commit f573a5134151e029329f19f292e6d6a324e291b8 Author: Volker Lendecke Date: Thu Feb 8 18:16:39 2024 +0100 smbd: Remove an obsolete comment This looks like a cut&paste from other smbXsrv fil
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via be2ade2d88b netcmd: fix broken shell command missing Model
  via bcae4c2dbea python: lint: fix pylint R1720 unnecessary "raise" after "else"
  via 3dd49b9f567 python: lint: remove unused imports in claims and gmsa commands
  via 8f7ff1c7ef4 python: tests: type check should always use "is" or "is not"
  via e388bf4b4a2 python: tests: fix closing quote in docstring example
  via a18c53a9b98 libcli/http: Detect unsupported Transfer-encoding type
  via 93709d31590 selftest: Add new test for testing non-chunk transfer encoding
  via efdbf0511e0 selftest: fix potential reference before assigned error
  via 8e931fce126 Do not fail checksums for RFC8009 types
  via 2ecb69d9b7f python:tests: Improve keytab comparison of dckeytab
  from 814ae222ca1 s3:winbindd: use better debug messages than 'talloc_strdup failed'

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit be2ade2d88bb89763fce2a34f8f68941424ad9ee
Author: Rob van der Linde
Date: Thu Mar 28 16:06:05 2024 +1300

    netcmd: fix broken shell command missing Model

    This is already in MODELS which is populated in ModelMeta

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Mon Apr 8 04:07:22 UTC 2024 on atb-devel-224

commit bcae4c2dbea7067932e931456998b1ada20d615c
Author: Rob van der Linde
Date: Thu Mar 28 16:15:06 2024 +1300

    python: lint: fix pylint R1720 unnecessary "raise" after "else"

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 3dd49b9f567fdf14e7a616351805d1aac9a3083a
Author: Rob van der Linde
Date: Thu Mar 28 16:09:44 2024 +1300

    python: lint: remove unused imports in claims and gmsa commands

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 8f7ff1c7ef4a570193faa2e3181a757bc98c3e08
Author: Rob van der Linde
Date: Thu Mar 28 15:59:33 2024 +1300

    python: tests: type check should always use "is" or "is not"

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit e388bf4b4a2012bd1fdde7e63b957b32c1a69c75
Author: Rob van der Linde
Date: Thu Mar 28 15:58:34 2024 +1300

    python: tests: fix closing quote in docstring example

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit a18c53a9b98e2e8dea08cf0ef08efc59e58ec137
Author: Noel Power
Date: Thu Mar 28 10:48:58 2024 +

    libcli/http: Detect unsupported Transfer-encoding type

    Also removes knownfail for test that now passes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power
    Reviewed-by: Andrew Bartlett

commit 93709d31590d4ca25fbac813b9e499755b81ddb5
Author: Noel Power
Date: Thu Mar 28 09:16:33 2024 +

    selftest: Add new test for testing non-chunk transfer encoding

    And add a known fail because there is a bug :-(

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power
    Reviewed-by: Andrew Bartlett

commit efdbf0511e0a89f865210170001fbebf17a45278
Author: Noel Power
Date: Thu Mar 28 09:09:02 2024 +

    selftest: fix potential reference before assigned error

    This would only happen if the test failed (but the message would be
    incorrect as 'e' the exception to be stringified doesn't exist.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
    Signed-off-by: Noel Power
    Reviewed-by: Andrew Bartlett

commit 8e931fce126e8c1128da893c806702731c08758a
Author: Alexander Bokovoy
Date: Thu Jun 22 09:56:12 2023 +0300

    Do not fail checksums for RFC8009 types

    While Active Directory does not support yet RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
    domain controller which uses them by default.

    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)] ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 06c589aaa1a python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
  via f29693d1311 python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
  via 2fd5166a8c1 python/tests/krb5: Allow getting a TGT in pkinit tests
  via b2fe1ea1c6a python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
  via 7cc8f455191 tests/krb5: Fix PK-INIT test framework to allow expired password keys
  via 46263c5c202 python/samba/krb5: Allow client address (caddr) to be missing or empty
  via 3d1ec5dc676 auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
  via 93f4be16471 netcmd: docs: update documentation for new auth policy command structure
  via 6e02c97193c netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
  via dcb6a14fa23 netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
  via 97c2ff19daa netcmd: auth policy: remove old user-allowed-to-authenticate-from-silo and group
  via e88be1aed97 netcmd: auth policy: add user-allowed-to-authenticate-from subcommands
  via 2cbacad82d6 netcmd: auth policy: remove old service-allowed-to-authenticate-to-silo and group
  via 316a84a5975 netcmd: auth policy: add service-allowed-to-authenticate-to subcommands
  via 5db2a1581d3 netcmd: auth policy: remove old user-allowed-to-authenticate-to-silo and group
  via 4ba087f8187 netcmd: auth policy: add user-allowed-to-authenticate-to subcommands
  via 49c3bca8033 netcmd: auth policy: remove old computer-allowed-to-authenticate-to-silo and group
  via 86d3706bd26 netcmd: auth policy: add computer-allowed-to-authenticate-to subcommands
  via 96f00738cec netcmd: auth policy: extract policy base commands into policy.py
  via c0e748f0117 netcmd: auth policy: turn policy.py into module
  via 13d53ee3e25 netcmd: auth silo: extract silo base commands into silo.py
  via a2e9529ee63 netcmd: auth silo: move silo_member.py into silo module
  via 4d2c8ea9578 netcmd: auth silo: turn silo.py into module
  via 2af65446cfd netcmd: docs: add section headings for auth policies and silos
  via 7fbe5156096 netcmd: docs: consistently put around GROUP and SILO
  via 4e1d12835ff netcmd: docs: --user-allowed-to-authenticate-from-device-group was missing
  via 26feb09fd10 netcmd: docs: --user-allowed-to-authenticate-from-device-silo missing "device"
  via a7edd5b5367 netcmd: docs: add documentation for service-account group-msa-membership commands
  via 03a6740a90b netcmd: docs: add documentation for service-account base command
  via cf60e3cad6b netcmd: gmsa: improve descriptions of --dns-host-name and match docs
  via 828420b4f09 python: domain: models: add OrganizationalUnit container model
  via 5ac4b6969be python: domain: models: move OrganizationalPerson to org.py
  via 3c0833ead51 python: domain: models: move MODELS to registry.py because it's not really a constant
  via bfd1f8cd467 python: domain: models: MODELS lookup does need to include base Model for shell command
  via 0c5d09ae143 python: domain: models: add children method to return a models direct children
  via cca0cfe421c python: tests: write a test for the Model.as_dict method
  via 917e2a73538 python: tests: computer model tests should clean up
  via ed07dee8649 python: domain: models: as_dict() should also exclude empty list fields
  via fc982e550f4 s4-dsdb: Create KdfParameters at runtime
  via d316e5f0869 s4-dsdb: Indent DH parameters table in gkdi_create_root_key()
  via 3687bf22aa1 s4-dsdb: Populate new GKDI root keys from the server configuration object
  via 565314f4482 pyldb: Improve search for error string in PyErr_SetLdbError
  via 06912de3b2a dsdb: Add API tests for new_gkdi_root_key()
  via f379ea8b812 pyldb: Consolidate PyErr_SetLdbError() using the pyldb version
  via 287cf82682c plydb: Keep talloc_reference() to the DN in PyDict_AsMessage
  via 37327afd0aa pyldb: Fix documentation comment on Message.from_dict() method
  from f0a8d832683 s4/torture: Fix misplaced positional arguments for u64 comparison

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 06c589aaa1a30e5577d9de4532246949f30809e5
Author: Andrew Bartlett
Date: Wed Mar 20 14:56:47 2024 +1300

    python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED

    This in particular tests the returned NTLM password buffers as well
    as the password rotation on expired accounts described at
    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-creden
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 9550d37f2f9 winbind: Log NOT_IMPLEMENTED as debug
  via 03240c91fb6 libcli/http: Handle http chunked transfer encoding
  via 30acd609f56 tests: add test for chunked encoding with http cli library
  via 5f03d84e3b5 libcli/http: Optimise reading for content-length
  via 74cdebeae3d selftest: Add basic content-lenght http tests
  via cd6c075476c Add simple http_client for use in black box tests (in following commits)
  from 6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 9550d37f2f9170c183d5a5e8f666cbbf21c5f444
Author: David Mulder
Date: Mon Mar 11 07:36:58 2024 -0600

    winbind: Log NOT_IMPLEMENTED as debug

    This message happens frequently when running a PDC/NT4 mode w/out winbind.

    Signed-off-by: David Mulder
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Mar 27 02:15:31 UTC 2024 on atb-devel-224

commit 03240c91fb6ffcf5afe47c14a1ba7a8bc12f2348
Author: Noel Power
Date: Mon Mar 25 19:44:10 2024 +

    libcli/http: Handle http chunked transfer encoding

    Also removes the knownfail for the chunked transfer test

    Signed-off-by: Noel Power
    Reviewed-by: Andrew Bartlett
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611

commit 30acd609f560352d3edb0c931b9a864110025b2c
Author: Noel Power
Date: Thu Sep 23 12:18:22 2021 +0100

    tests: add test for chunked encoding with http cli library

    Adds http test client to exercise the http client library and a
    blackbox test to run the client. This client is built only with
    selftest also adds a knownfail for the test

    Signed-off-by: Noel Power
    Reviewed-by: Andrew Bartlett
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611

commit 5f03d84e3b52bf5a31a0f885cb83bdcb48ec96f7
Author: Noel Power
Date: Fri Mar 22 08:55:49 2024 +

    libcli/http: Optimise reading for content-length

    Instead of reading byte-by-byte we know the content length we want to
    read so let's use it.
Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 commit 74cdebeae3d1bc35eea96b51b9491f6c52844b10 Author: Noel Power Date: Mon Mar 25 16:25:55 2024 + selftest: Add basic content-lenght http tests very simple test of basic http request/response plus some checks to ensure http response doesn't exceed the response max length set by the client call. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit cd6c075476c820b4fe8bdc10a24d8fc8ac74e9c9 Author: Noel Power Date: Mon Mar 25 19:21:54 2024 + Add simple http_client for use in black box tests (in following commits) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611 Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett --- Summary of changes: libcli/http/http.c | 265 +- libcli/http/http_internal.h | 4 + python/samba/tests/blackbox/http_chunk.py | 116 python/samba/tests/blackbox/http_content.py | 95 +++ selftest/tests.py | 2 + source3/auth/auth_winbind.c | 6 +- source4/client/http_test.c | 401 source4/wscript_build | 5 + 8 files changed, 886 insertions(+), 8 deletions(-) create mode 100644 python/samba/tests/blackbox/http_chunk.py create mode 100644 python/samba/tests/blackbox/http_content.py create mode 100644 source4/client/http_test.c Changeset truncated at 500 lines: diff --git a/libcli/http/http.c b/libcli/http/http.c index 96c573af137..3681500f194 100644 --- a/libcli/http/http.c +++ b/libcli/http/http.c @@ -45,6 +45,12 @@ static int http_response_needs_body(struct http_request *req) char c; unsigned long long v; + cmp = strcasecmp(h->key, "Transfer-Encoding"); + if (cmp == 0) { + cmp = strcasecmp(h->value, "chunked"); + return 2; + } + cmp = strcasecmp(h->key, "Content-Length"); if (cmp != 0) { continue; 
@@ -66,6 +72,11 @@ static int http_response_needs_body(struct http_request *req) return 0; } +struct http_chunk +{ + struct http_chunk *prev, *next; + DATA_BLOB blob; +}; struct http_read_response_state { enum http_parser_state parser_state; @@ -73,6 +84,7 @@ struct
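Review bot: in the first http.c hunk (http_response_needs_body()), the result of strcasecmp(h->value, "chunked") is stored in cmp but never tested before "return 2", so any Transfer-Encoding value is treated as chunked. Test cmp and return an error for an encoding the reader does not implement, since parsing a body with the wrong framing leaves the client out of step with the stream. The check also runs per header inside the loop ahead of the Content-Length comparison, so please say in a comment what the intended result is when a response carries both headers, and give the bare 2 a named constant next to the existing "return 0".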
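Review bot: in the second http.c hunk, struct http_chunk is added with no comment saying who owns blob or how the prev/next list is ordered and freed. A one-line description above the struct would help, along with a blank line before struct http_read_response_state and the opening brace placed on the struct line as that neighbouring definition does.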
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6fb98f70c62 ndr: always attempt ACE coda pull if ACE type suggests a coda from 7edf5467fc7 lib: Remove timeval_set() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6fb98f70c6274e172787c8d5f73aa93920171e7c Author: Douglas Bagnall Date: Sat Mar 23 08:27:41 2024 +1300 ndr: always attempt ACE coda pull if ACE type suggests a coda We were skipping the pull in cases where the coda size was calculated to be zero. This has the right result for empty conditional ACEs, but not for Resource Attribute ACEs where the CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 coda was not intialised. The situation is made a bit worse, because the function that calculates the coda size (ndr_subcontext_size_of_ace_coda()) can return zero in conditions that are not exactly errors, but in which the would-be calculated value makes so little sense that zero is thought to be a safer default. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66577 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15613 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 25 06:00:21 UTC 2024 on atb-devel-224 --- Summary of changes: librpc/ndr/ndr_sec_helper.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/ndr/ndr_sec_helper.c b/librpc/ndr/ndr_sec_helper.c index f870a17aafc..1a156b01d40 100644 --- a/librpc/ndr/ndr_sec_helper.c +++ b/librpc/ndr/ndr_sec_helper.c @@ -104,7 +104,6 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags { NDR_PULL_CHECK_FLAGS(ndr, ndr_flags); if (ndr_flags & NDR_SCALARS) { - ssize_t sub_size; NDR_CHECK(ndr_pull_align(ndr, 5)); NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type)); NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags)); 
@@ -112,12 +111,12 @@ _PUBLIC_ enum ndr_err_code ndr_pull_security_ace(struct ndr_pull *ndr, ndr_flags NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask)); NDR_CHECK(ndr_maybe_pull_security_ace_object_ctr(ndr, NDR_SCALARS, r)); NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee)); - sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags); - if (!sec_ace_has_extra_blob(r->type) || sub_size == 0) { + if (!sec_ace_has_extra_blob(r->type)) { r->coda.ignored.data = NULL; r->coda.ignored.length = 0; } else { struct ndr_pull *_ndr_coda; + ssize_t sub_size = ndr_subcontext_size_of_ace_coda(r, r->size, ndr->flags); NDR_CHECK(ndr_pull_subcontext_start(ndr, &_ndr_coda, 0, sub_size)); NDR_CHECK(ndr_pull_set_switch_value(_ndr_coda, &r->coda, r->type)); NDR_CHECK(ndr_pull_security_ace_coda(_ndr_coda, NDR_SCALARS|NDR_BUFFERS, &r->coda)); -- Samba Shared Repository
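Review bot: in the else branch of ndr_pull_security_ace(), sub_size is an ssize_t taken straight from ndr_subcontext_size_of_ace_coda() and handed to ndr_pull_subcontext_start() with no range check. With the "sub_size == 0" guard gone, please either state that the helper cannot return a negative value or reject sub_size < 0 before the subcontext is started. A short comment that a zero-length subcontext is pulled on purpose, so the coda is initialised for every ACE type that has an extra blob, would keep a later cleanup from restoring the shortcut, and the summary shows only ndr_sec_helper.c changing, so a regression test built from the OSS-Fuzz input referenced in the commit message would be a useful follow-up.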
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 7edf5467fc7 lib: Remove timeval_set()
  via a3e186b6171 lib: Remove timeval_until()
  via 842e7378439 fuzz:fuzz_ndr_X: don't skip printing on push error
  via cebe12bc85a ldb-samba: matching rules: notify of search failure in transitive filter
  via 90964caaf2e fuzz:_conditional_ace_blob discards a const
  via e1071cd1df6 fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail
  via 168e5df62f9 fuzzing: fuzz_ndr_X ndr_print does printing
  from 4f0ed9b0038 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 7edf5467fc77cc1039c0ef9fd4579bfb7333c159
Author: Volker Lendecke
Date: Wed Mar 13 16:19:48 2024 +0100

    lib: Remove timeval_set()

    We have the same function in tevent, no need to duplicate code.

    More lines just due to clang-format.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Mar 22 06:07:42 UTC 2024 on atb-devel-224

commit a3e186b61719cd0e1ec60006d7ea675c01d69c36
Author: Volker Lendecke
Date: Wed Mar 13 16:07:00 2024 +0100

    lib: Remove timeval_until()

    We have the same function in tevent, no need to duplicate code.

    Signed-off-by: Volker Lendecke
    Reviewed-by: Andrew Bartlett

commit 842e7378439fcf354260c98b9ea7dadf59c601c7
Author: Douglas Bagnall
Date: Thu Mar 21 14:48:34 2024 +1300

    fuzz:fuzz_ndr_X: don't skip printing on push error

    push should not have changed the struct, so it is valid to try to
    print it also.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit cebe12bc85a7f178e7ccaecd1c075f2e40478139
Author: Douglas Bagnall
Date: Thu Dec 28 12:45:41 2023 +1300

    ldb-samba: matching rules: notify of search failure in transitive filter

    It can be very hard to know where transitive checks fail, and this
    will help.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15515
    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 90964caaf2e2ae0c36aa223ddfb66a5cdec42a6c
Author: Douglas Bagnall
Date: Thu Dec 28 13:46:48 2023 +1300

    fuzz:_conditional_ace_blob discards a const

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit e1071cd1df6b639a2a4b273b82bdc968df363dbb
Author: Douglas Bagnall
Date: Wed Mar 20 17:29:52 2024 +1300

    fuzz:fuzz_conditional_ace_blob lets long generated SDDL fail

    This can legitimately fail, due to e.g. integers being interpreted as
    local attributes due to their position (the original data is complete
    nonsense, bravely decompiled by sddl_from_conditional_ace).

    In the example found the original begins like

         61 72 74 78 02 00 00 00 00 00 00 00 00 03 01 02 |artx|
    0010 f7 ff ff ff ff ff ff ff 03 01 a1 02 00 3b 00 00 |.;..|
    0020 00 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 |.;..|
    0030 03 01 02 a5 ff ff ff ff ff ff ff 03 01 a1 02 78 |...x|
    0040 00 00 00 00 00 00 00 03 01 85 02 00 3b 00 00 00 |;...|
    0050 00 00 00 03 01 a1 02 00 3b 00 00 00 00 00 00 03 |;...|
    0060 01 02 a5 00 00 00 00 00 00 00 03 01 81 02 00 00 ||
    0070 00 00 00 00 00 00 03 01 81 02 00 3b 00 00 00 00 |...;|

    while the SDDL cycled version looks like

         61 72 74 78 f8 04 00 00 00 30 00 30 00 f8 2e 00 |artx.0.0|
    0010 00 00 30 00 31 00 37 00 37 00 37 00 37 00 37 00 |..0.1.7.7.7.7.7.|
    0020 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 |7.7.7.7.7.7.7.7.|
    0030 37 00 37 00 37 00 37 00 37 00 37 00 36 00 37 00 |7.7.7.7.7.7.6.7.|
    0040 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 30 00 |..0.3.5.4.0.|
    0050 30 00 a1 f8 0c 00 00 00 30 00 33 00 35 00 34 00 |0...0.3.5.4.|
    0060 30 00 30 00 f8 2e 00 00 00 30 00 31 00 37 00 37 |0.0..0.1.7.7|
    0070 00 37 00 37 00 37 00 37 00 37 00 37 00 37 00 37 |.7.7.7.7.7.7.7.7|

    and this new interpretation ends up being more than 1 bytes long,
    so the conversion fails.

    The SDDL ends up looking like this:

    (((00) || (0177767)) || (035400)) || \
    (((035400) || (0177645)) \
    >= 0170) || (035400)) || (((035400 != 0245) [...]

    where all the octal digits on the left hand side of operators are
    UTF-16 strings.

    REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65322
    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bart
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 4f0ed9b0038 tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ
  via eac23954156 s4:auth: Update error messages
  via 67af86d2ab8 auth:credentials: Remove unused include
  via 8b86174bd34 auth:credentials: Remove trailing line
  via 67457394e42 tests/krb5: Allow specifying SamDB to use when creating an account
  via 0bc8d1469b8 python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew
  via 96ac8144b43 python: Correct time conversion function name
  via cd44f8063b2 s4:libnet: Fix code spelling
  via d8fa0dd62eb python: Type ‘format’ parameter as optional
  via cd7b0720de7 python: Correctly qualify strptime()
  via ed5f8af3299 python:tests: Fix code spelling
  via 2f25c23b7bb s4:auth: Allocate strings on shorter‐lived memory context
  via 398a555fc26 python:tests: Simplify expression
  via 86db3056177 python:tests: Use Managed Service Accounts well‐known GUID
  via 55bc523da7d s4:auth: Fix grammar in error message
  from 8f1a80147d8 pidl: add "return ENOTSUP" for int return type in s3 template

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 4f0ed9b00389fa641a423b88ab5462b32dd7bbca
Author: Jo Sutton
Date: Tue May 2 15:42:24 2023 +1200

    tests/krb5: Add tests for AllowedToAuthenticateTo with an AS-REQ

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15607
    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Mar 21 04:19:18 UTC 2024 on atb-devel-224

commit eac2395415616595c6163768baa163a83a3cea5a
Author: Jo Sutton
Date: Tue Mar 12 11:08:30 2024 +1300

    s4:auth: Update error messages

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 67af86d2ab8cb1c9f7a253652feb4897389c6e64
Author: Jo Sutton
Date: Tue Mar 12 11:08:14 2024 +1300

    auth:credentials: Remove unused include

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 8b86174bd3409a651fc4d8c8a5edc55b714502ed
Author: Jo Sutton
Date: Tue Mar 12 11:07:56 2024 +1300

    auth:credentials: Remove trailing line

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 67457394e423598af7b8aa654628af9b7ecea5ee
Author: Jo Sutton
Date: Fri Mar 8 16:34:49 2024 +1300

    tests/krb5: Allow specifying SamDB to use when creating an account

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 0bc8d1469b89ddf4b3f6cd07e0941137e05dff9d
Author: Jo Sutton
Date: Mon Mar 4 13:38:10 2024 +1300

    python:tests: Do not have current_time() and current_nt_time() implicitly include clock skew

    This is just too error‐prone.

    current_gkid() will still continue to return the next GKID if it’s
    within clock skew.

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 96ac8144b4311516bd4acf9be95a86b574f359f4
Author: Jo Sutton
Date: Thu Mar 7 17:14:24 2024 +1300

    python: Correct time conversion function name

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit cd44f8063b2f7ed6bbcd063e450ec99624308c61
Author: Jo Sutton
Date: Tue Mar 5 12:37:11 2024 +1300

    s4:libnet: Fix code spelling

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit d8fa0dd62eb158e6f4c2270267421c3a77be6680
Author: Jo Sutton
Date: Tue Mar 5 12:32:16 2024 +1300

    python: Type ‘format’ parameter as optional

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit cd7b0720de7b85903c5d4dfb74fb66bd29519f1d
Author: Jo Sutton
Date: Tue Mar 5 12:31:27 2024 +1300

    python: Correctly qualify strptime()

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit ed5f8af3299143e020a72916c37a3d54a71f1ccc
Author: Jo Sutton
Date: Mon Mar 4 13:38:29 2024 +1300

    python:tests: Fix code spelling

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 2f25c23b7bb4f935e3b9ebf77fa1309de1e2df48
Author: Jo Sutton
Date: Thu Mar 14 15:14:55 2024 +1300

    s4:auth: Allocate strings on shorter‐lived memory context

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 398a555fc26b386668c83320ce9898816c717f41
Author: Jo Sutton
Date: Wed Mar 13 10:12:33 2024 +1300

    python:tests: Simplify expression

    ‘not keytab_bytes’ is shorter and equivalent.

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 86db3056177115a2b443a8b4c6ff8b2b6086d2c8
Author: Jo Sutton
Date: Tue Mar 12 16:24:59 2024 +1300

    python:tests: Use Managed Service Accounts well‐known GUID

    Signed-off-by: Jo Sutton
    Reviewed-by: Andrew Bartlett

commit 55bc523da7d516a4ed43eafb0f22170ea59d9e32
Author: Jo Sutton
Date:
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via 8f1a80147d8 pidl: add "return ENOTSUP" for int return type in s3 template
  via 56719a5d107 pidl: fix trailing double-quote on last line of s3 server stubs
  via efffb2484bb s3-librpc: merge two PIDL lists
  via d13226366b2 ldb_dn: make LDB_FREE, TALLOC_FREE
  via bf654a04675 pyldb: ldb_msg_richcmp: avoid one intransitive compare
  via 8cf77b5775a ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()
  via 118b9ec5e07 pyldb: add a FIXME for a non-transitive compare
  via 461192fdbea pyldb_utils: pyldb_Object_AsDn() sets TypeError more often
  via e4babdfa445 ldb:pyldb.h: include some headers that are used
  via 2ed90bbfb47 lib/ldb: don't allow repeated connections
  via d58c2c299de ldb:pytests: test duplicate connections fail
  via c7c42762c68 ldb-samba:ldb_wrap: don't crash if "ldb_url" opaque is unset
  via 4ce132cea93 pyldb: py_ldb_init() uses py_ldb_connect() for connecting
  via 14a6109e9a2 pyldb: catch errors in ldb_db_get_casefold
  via c17ff0a3357 pytest:segfault: do not assume PLEASE_NO_GDB_BACKTRACE var is unset
  via 5ceecd3f739 pytest:segfault: prevent @no_gdb_backtrace smearing on exception
  via 682a87fd0a8 selftest: Run samba.tests.segfault with TALLOC_FREE_FILL
  via c04ac95ce40 py:samdb: make SamDB.__str__ show the URL and ID
  via ecd65265ac0 selftest/gdb_backtrace: print `info threads` and some signpost headers
  via 12ce289922c selftest/gdb_backtrace: avoid printing backtrace twice with 1 thread
  via 904479cdf6d selftest/gdb_backtrace: print python traceback if available
  from da500249fcf tests: gmsa blackbox tests

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 8f1a80147d8d95c5f59f2e8c2a18bfaee29cfcf5
Author: Günther Deschner
Date: Tue Mar 19 22:00:11 2024 +0100

    pidl: add "return ENOTSUP" for int return type in s3 template

    Guenther

    Signed-off-by: Guenther Deschner
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Mar 21 00:45:29 UTC 2024 on atb-devel-224

commit 56719a5d107b6590b10165347345d6b5366af755
Author: Günther Deschner
Date: Tue Mar 19 18:24:13 2024 +0100

    pidl: fix trailing double-quote on last line of s3 server stubs

    Guenther

    Signed-off-by: Guenther Deschner
    Reviewed-by: Andrew Bartlett

commit efffb2484bbf7058eec1f085bab65639c42b1656
Author: Günther Deschner
Date: Thu Mar 14 15:22:25 2024 +0100

    s3-librpc: merge two PIDL lists

    Guenther

    Signed-off-by: Guenther Deschner
    Reviewed-by: Andrew Bartlett

commit d13226366b254502125f572b8bd574709c125613
Author: Douglas Bagnall
Date: Fri Mar 15 23:29:34 2024 +1300

    ldb_dn: make LDB_FREE, TALLOC_FREE

    This LDB_FREE() seems to predate TALLOC_FREE(), and was identical
    until TALLOC_FREE was optimised to avoid calling talloc_free(NULL) in
    b9fcfc6399eab750880ee0b9806311dd351a8ff6.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit bf654a046754c1ceaf669fb7e9f36eddc3266a28
Author: Douglas Bagnall
Date: Fri Mar 15 15:47:55 2024 +1300

    pyldb: ldb_msg_richcmp: avoid one intransitive compare

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 8cf77b5775a314b606bf870f99695a45cfbbd084
Author: Douglas Bagnall
Date: Fri Mar 15 15:03:44 2024 +1300

    ldb:ldb_dn: use safe transitive comparison in ldb_dn_compare()

    The comparison we make is unconventional, and makes no difference in
    normal usage, where we just want to know whether two DNs are the same
    or not. But with over 100 callers, it is possible that something
    somewhere is attempting a sort.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 118b9ec5e075e19c79e8974beeb64dcb0392877f
Author: Douglas Bagnall
Date: Thu Mar 14 16:36:07 2024 +1300

    pyldb: add a FIXME for a non-transitive compare

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 461192fdbeaafcd9d0af083d220afff3af2bdef7
Author: Douglas Bagnall
Date: Fri Mar 15 12:12:26 2024 +1300

    pyldb_utils: pyldb_Object_AsDn() sets TypeError more often

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit e4babdfa4451ce251ce4632a320deb63d38003cd
Author: Douglas Bagnall
Date: Thu Mar 7 22:29:10 2024 +1300

    ldb:pyldb.h: include some headers that are used

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 2ed90bbfb4777f5948df10760342c031b5fcd081
Author: Douglas Bagnall
Date: Wed Mar 20 12:18:12 2024 +1300

    lib/ldb: don't allow repeated connections

    In the best case, this would have leaked. Si
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via da500249fcf tests: gmsa blackbox tests
  via 7dcc06fa88b tests: models: test additional Computer constructor cases
  via c004fdd0f34 tests: models: fix username should be account_name
  via 87cf1a29378 tests: user: create gmsa with models
  via ea3838b6bcc tests: user: fix PEP8 spacing around operator
  via 878abe023ed tests: user: gmsa dNSHostName is a required field
  via 40e0cb2ccaa tests: samdb: Make use of the domain_sid property
  via 3c022f444a1 python: fix json encoder should handle Exception
  via 52165b8eada python: models: add Container model
  via bda232944cf python: models: add kwargs to __json__ and as_dict methods
  via 7fafb268bf9 python: pep8: fix import sorting after move
  via f739ef813c0 python: move models out of the netcmd package
  via 1f511acc133 python: create domain module to move models into
  via e25c4872034 netcmd: gmsa: show viewers also works if SID is not found
  via 12adbfc6abf netcmd: gmsa: add and remove don't fetch trustee if it is a SID
  via 87d00915e96 netcmd: gmsa: add_trustee and remove_trustee change argument to sid
  via 48c0ed76e02 netcmd: gmsa: fix typo if trustee is not found
  via a6e79982c90 netcmd: gmsa: create should allow custom SDDL
  via 200948c172d netcmd: models: improve Computer constructor adding "$" handling
  via bd79c074e2d netcmd: models: allow scope to be overridden in query
  via 3e22f8f3034 netcmd: models: add User.get_sid_for_principal helper
  via 12f3db0109a netcmd: models: User.find also tries object_sid
  via 4f97df7056b python: samdb: Make connecting_user_sid a property
  via c221f7080c5 python: samdb: Move get_connecting_user_sid to samdb
  from b815abe7799 libcli/security: check again for NULL values

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit da500249fcf52629c8d3da4d608b85b96b43cca6
Author: Rob van der Linde
Date: Fri Mar 1 11:22:03 2024 +1300

    tests: gmsa blackbox tests

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Mar 20 04:53:57 UTC 2024 on atb-devel-224

commit 7dcc06fa88b06cedcaa9165536eb47c6fed27fc4
Author: Rob van der Linde
Date: Wed Mar 6 16:52:53 2024 +1300

    tests: models: test additional Computer constructor cases

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit c004fdd0f34ec009fa4f24535ffb5773ee506e37
Author: Rob van der Linde
Date: Wed Mar 6 16:49:21 2024 +1300

    tests: models: fix username should be account_name

    The reason this didn't fail, is because it doesn't save the Computers.

    This gets fixed in the next commit.

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 87cf1a2937837d268de0339f88f02d4304355f75
Author: Rob van der Linde
Date: Tue Mar 5 16:39:33 2024 +1300

    tests: user: create gmsa with models

    It was fetching the GMSA with the models straight after creating it anyway.

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit ea3838b6bcc5a60bbef201f016dfecea0af68b54
Author: Rob van der Linde
Date: Tue Mar 5 16:20:52 2024 +1300

    tests: user: fix PEP8 spacing around operator

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 878abe023ed8cabe3e24a998a9ed870de8f64ee1
Author: Rob van der Linde
Date: Tue Mar 5 12:14:06 2024 +1300

    tests: user: gmsa dNSHostName is a required field

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 40e0cb2ccaa659d3ee109949044fe006e7a7d2bb
Author: Rob van der Linde
Date: Wed Feb 28 17:00:24 2024 +1300

    tests: samdb: Make use of the domain_sid property

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 3c022f444a1c8644cdd4011475b2a16f834b18ab
Author: Rob van der Linde
Date: Wed Mar 20 09:50:49 2024 +1300

    python: fix json encoder should handle Exception

    This happens if --json is used and a CommandError is raised, so will
    affect other commands too where --json is used.

    This happens in the print_json_status method.

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 52165b8eada72ac2d2e015faba372af8ae9c7284
Author: Rob van der Linde
Date: Wed Mar 13 23:07:52 2024 +1300

    python: models: add Container model

    Signed-off-by: Rob van der Linde
    Reviewed-by: Doug
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b815abe7799 libcli/security: check again for NULL values via 78f728063a1 libcli/security: claims_conversions: check for NULL in claims array from 97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b815abe77991d7929717ea3ed4b9d7bef7179715 Author: Douglas Bagnall Date: Sun Mar 17 23:08:23 2024 +1300 libcli/security: check again for NULL values Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 18 02:51:08 UTC 2024 on atb-devel-224 commit 78f728063a1e510966a45f7f1d9515ea3bd16214 Author: Douglas Bagnall Date: Sun Mar 17 23:07:17 2024 +1300 libcli/security: claims_conversions: check for NULL in claims array If by mistake we end up with a NULL in our array of claims pointers, it is better to return an error than crash. There can be NULLs in the array if a resource attribute ACE has a claim that uses 0 as a relative data pointer. Samba assumes this means a NULL pointer, rather than a zero offset. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66777 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15606 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: libcli/security/claims-conversions.c | 13 + 1 file changed, 13 insertions(+) Changeset truncated at 500 lines: diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c index bbba5973852..ccf1375fc8f 100644 --- a/libcli/security/claims-conversions.c +++ b/libcli/security/claims-conversions.c 
@@ -262,6 +262,9 @@ static bool claim_v1_offset_to_ace_token( uint8_t f = claim->flags & CLAIM_SECURITY_ATTRIBUTE_VALUE_CASE_SENSITIVE; result->flags = f | CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR; + if (claim->values[offset].int_value == NULL) { + return false; + } switch (claim->value_type) { case CLAIM_SECURITY_ATTRIBUTE_TYPE_INT64: return claim_v1_int_to_ace_int(claim, offset, result); @@ -935,6 +938,16 @@ NTSTATUS claim_v1_check_and_sort(TALLOC_CTX *mem_ctx, .case_sensitive = case_sensitive }; + /* +* It could be that the values array contains a NULL pointer, in which +* case we don't need to worry about what type it is. +*/ + for (i = 0; i < claim->value_count; i++) { + if (claim->values[i].int_value == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + } + if (claim->value_type == CLAIM_SECURITY_ATTRIBUTE_TYPE_BOOLEAN) { NTSTATUS status = claim_v1_check_and_sort_boolean(mem_ctx, claim); if (NT_STATUS_IS_OK(status)) { -- Samba Shared Repository
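Review bot: in the claim_v1_offset_to_ace_token() hunk, the new `claim->values[offset].int_value == NULL` test probes the value through its int_value member before the switch on claim->value_type, with no comment saying why that is valid whatever the type turns out to be. The second hunk explains this in a comment; the same one-line explanation here, or a small helper shared by both sites, would stop a later reader from turning it into a per-type check. The visible context also does not show offset being compared with claim->value_count before values[offset] is read; if the caller does not guarantee that, the bounds check belongs next to this one.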
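Review bot: in the claim_v1_check_and_sort() hunk, the loop rejects the whole claim with NT_STATUS_INVALID_PARAMETER on the first NULL entry, but the comment above it only says the type does not matter. The comment should state the consequence (a NULL anywhere in values[] makes the claim invalid) and where such NULLs come from, which the commit message gives as a resource attribute ACE using 0 as a relative data pointer. The summary shows 13 insertions in claims-conversions.c and nothing else, so no regression test accompanies the fix; a test built from the OSS-Fuzz case referenced in the commit message would be worth adding alongside.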
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() via 9d7a97dc982 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export via a0867595fbd s4-libnet: Prepare for a "rolling update" keytab export via 7b662a92878 s4-auth/kerberos: Do not add true duplicates to exported keytab via 3bb215d1946 selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour via f81d7047b6a selftest: Add tests for "samba-tool domain exportkeytab" with existing files" via b2dff173666 samba-tool domain exportkeytab: Raise a proper CommandError via 014f1b561e8 s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export via 0cb1e4dbf8e samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab" via 2f97f6fe484 lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() via 9fc4070f89d lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry() via 43ce741d1ff python/tests: Add test that gMSA keytab export works and matches direct keytab export via 91c05536108 s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong via 0490aed7168 auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords() via bd2edecff06 s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab" via 66a9c1daa86 s4-kdc: Prepare for gMSA support by recording it on the entry via 48affb137fb auth/credentials: Allow generation of old Kerberos keys also via b8308f3fe06 auth/credentials: Make cli_credentials_get_aes256_key into generic key access via 13d346ce0c4 auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob via 44063674734 s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy() via dd993c21703 auth/credentials: Dynamically calculate the salt principal (unless speccified) via 9fc11e329c9 auth/credentials: Use salt on 
credentials object for Creds.get_aes256_key() via 74f9d2e5190 auth/credentials: Add bindings for getting and setting the salt principal via f34b910b5bc s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA via d4155f8a998 Make "samba-tool domain exportkeytab" prune old keys via 6b3ce044d2d s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab() via 2c33862b9e0 s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES via a2ed51df7c0 s4-auth/kerberos: Remove unused paremters to create_keytab() via 9246ee48040 samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb via b6cffcb3fb0 libnet: Prepare to allow "samba-tool domain exportkeytab to support -H via 7a8c091698e python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal from c97071726e1 packaging: Provide a systemd service file for samba-bgqd https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----- commit 97a23e57dc88fe6b4a851bb0e0db09a4ee9b37fb Author: Andrew Bartlett Date: Thu Mar 14 16:55:19 2024 +1300 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries() Previously any errors noticed during the main loop would be ignored. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224 commit 9d7a97dc9820e9f69a25a7321d84eb18cd3c6c08 Author: Andrew Bartlett Date: Thu Mar 7 14:53:53 2024 +1300 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has silently unlinked the given target file. Instead, the administrator now needs to specify a file that does not exist. 
Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit a0867595fbdb0e59b3c649f80f36e99ca74af41e Author: Andrew Bartlett Date: Wed Mar 6 17:48:09 2024 +1300 s4-libnet: Prepare for a "rolling update" keytab export This mode will allow keytabs to be exported with all current keys added to historical keys, which will be useful in a domain with many gMSA servers that require wireshark decryption. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit 7b662a928784c889f0d0e4124b723fa6fd20 Author: Andrew Bartlett Date: Wed Mar 6 17:43:47 2024 +1300 s4-auth/kerberos: Do not add true duplicates to exported key
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via da7f056fb5d lib/ldb-samba: Remove unused ldb.set_opaque_integer() via d73c92a35dd dsdb: Remove calls to ldb.set_opaque_integer() via 416b6c5a03d lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() and use "unsigned long long" via 195c0e0d491 lib/ldb: Allocate opaque on ldb_ctx via b42043897a6 python/samba/provision: Ensure KDS root key is usable as soon as provision is complete via fb219d545bb selftest: Assert that the provision KDS root key is already valid for use from 9b0330ea3f5 pytest:samba-tool domain kds root-key: test with normal user https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit da7f056fb5d932ad4a302f1fab0ef886183f3b8f Author: Andrew Bartlett Date: Mon Mar 4 14:45:42 2024 +1300 lib/ldb-samba: Remove unused ldb.set_opaque_integer() Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Mar 5 03:55:33 UTC 2024 on atb-devel-224 commit d73c92a35dda1e20cd75b7061fc151234996d9b4 Author: Andrew Bartlett Date: Mon Mar 4 14:44:53 2024 +1300 dsdb: Remove calls to ldb.set_opaque_integer() This routine will shortly be removed, it is now replaced by an improved ldb.set_opaque() Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit 416b6c5a03d4fa9d55decc1de6a9ab409fa045f0 Author: Andrew Bartlett Date: Mon Mar 4 14:27:19 2024 +1300 lib/ldb-samba: Align py_ldb_set_opaque_integer() with pyldb_set_opaque() and use "unsigned long long" We need to change the internal types assumed in Samba for the opaque integers to "unsigned long long" as this is what ldb.set_opaque() will create, and we want to move to this interface rather than have a duplicate. 
Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit 195c0e0d4912d37a8404e83e0e3357bb47b61e0d Author: Andrew Bartlett Date: Mon Mar 4 13:02:54 2024 +1300 lib/ldb: Allocate opaque on ldb_ctx Just in case this LDB is given away into the C code, that opaque must live as long as the LDB itself, not the python wrapper object. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit b42043897a6ebf52f70c5bdcdcfe6a18f8ad6fd8 Author: Andrew Bartlett Date: Tue Mar 5 11:49:49 2024 +1300 python/samba/provision: Ensure KDS root key is usable as soon as provision is complete We do this by setting the start time to being 10 hours 5min earlier than now. Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton commit fb219d545bb3bd328200a3097b52594617fc246a Author: Andrew Bartlett Date: Tue Mar 5 12:38:06 2024 +1300 selftest: Assert that the provision KDS root key is already valid for use Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- Summary of changes: lib/ldb-samba/pyldb.c| 67 lib/ldb/pyldb.c | 6 +-- python/samba/join.py | 12 ++--- python/samba/provision/__init__.py | 20 +-- python/samba/tests/dsdb_quiet_provision_tests.py | 14 - source4/dsdb/common/util.c | 14 ++--- source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 4 +- source4/dsdb/samdb/ldb_modules/rootdse.c | 13 +++-- source4/torture/drs/python/ridalloc_exop.py | 4 +- 9 files changed, 55 insertions(+), 99 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/ldb-samba/pyldb.c b/lib/ldb-samba/pyldb.c index 2241abc01df..8154679146b 100644 --- a/lib/ldb-samba/pyldb.c +++ b/lib/ldb-samba/pyldb.c 
@@ -91,71 +91,6 @@ static PyObject *py_ldb_set_credentials(PyObject *self, PyObject *args) Py_RETURN_NONE; } -/* XXX: This function really should be in libldb's pyldb.c */ -static PyObject *py_ldb_set_opaque_integer(PyObject *self, PyObject *args) -{ - int value; - int *old_val, *new_val; - char *py_opaque_name, *opaque_name_talloc; - struct ldb_context *ldb; - int ret; - TALLOC_CTX *tmp_ctx; - - if (!PyArg_ParseTuple(args, "si", &py_opaque_name, &value)) - return NULL; - - ldb = pyldb_Ldb_AS_LDBCONTEXT(self); - - /* see if we have a cached copy */ - old_val = (int *)ldb_get_opaque(ldb, py_opaque_name); - /* XXX: We shouldn't just blindly assume that the value that is -* already present has the size of an int and is not shared -* with other code that may rely on it not changing. -* JRV 20100403 */ - - if (old_val) { - *old_val = value; - Py_RETURN_NONE;
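Review bot: the visible part of this hunk ends inside the deleted py_ldb_set_opaque_integer() body, so it does not show the function's entry in the module's method table being dropped with it; confirm the truncated remainder removes that entry too, otherwise the build breaks on an undefined symbol. The deleted XXX comment noted that the old code wrote through an `int *` without knowing the real size of the stored value, and the log for 416b6c5a03d says the opaque integers are now "unsigned long long". The C readers touched in the same push (source4/dsdb/common/util.c, repl_meta_data.c, rootdse.c) should therefore all be checked to read these opaques at that width, since any reader still casting to `int *` would read the wrong size.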
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9b0330ea3f5 pytest:samba-tool domain kds root-key: test with normal user via ccfa16e2ec4 samba-tool: tidy up uncaught insufficient rights LdbError from ee94d708557 ldb: Update ldb.get_opaque() to return talloc‐managed opaque values https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9b0330ea3f5d5b41f84356ec54a2e5a6ecbbaccd Author: Douglas Bagnall Date: Mon Mar 4 10:46:02 2024 +1300 pytest:samba-tool domain kds root-key: test with normal user It would be bad if samba-tool let ordinary users read root-key secrets. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Mar 4 03:20:46 UTC 2024 on atb-devel-224 commit ccfa16e2ec48da4ab601ca6b8b0ccfc77d625085 Author: Douglas Bagnall Date: Mon Mar 4 10:43:17 2024 +1300 samba-tool: tidy up uncaught insufficient rights LdbError It is likely that many sub-commands will produce a traceback when people go `-H ldap://server -Ubob` when they needed to go `-UAdministrator`. We can catch these and show only the core message. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/netcmd/__init__.py| 5 +- .../samba/tests/samba_tool/domain_kds_root_key.py | 105 + 2 files changed, 109 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/python/samba/netcmd/__init__.py b/python/samba/netcmd/__init__.py index 3e1f1c45aef..7d743526207 100644 --- a/python/samba/netcmd/__init__.py +++ b/python/samba/netcmd/__init__.py @@ -23,7 +23,7 @@ import textwrap import traceback import samba -from ldb import ERR_INVALID_CREDENTIALS, LdbError +from ldb import ERR_INVALID_CREDENTIALS, ERR_INSUFFICIENT_ACCESS_RIGHTS, LdbError from samba import colour from samba.auth import system_session from samba.getopt import Option, OptionParser 
@@ -242,6 +242,9 @@ class Command(object): elif ldb_emsg.startswith("Unable to open tdb "): self._print_error(message, ldb_emsg, 'ldb') force_traceback = False +elif ldb_ecode == ERR_INSUFFICIENT_ACCESS_RIGHTS: +self._print_error("User has insufficient access rights") +force_traceback = False else: self._print_error(message, ldb_emsg, 'ldb') diff --git a/python/samba/tests/samba_tool/domain_kds_root_key.py b/python/samba/tests/samba_tool/domain_kds_root_key.py index ad8e6e97f90..3a6613a14c0 100644 --- a/python/samba/tests/samba_tool/domain_kds_root_key.py +++ b/python/samba/tests/samba_tool/domain_kds_root_key.py @@ -39,6 +39,9 @@ HOST = "ldap://{DC_SERVER}".format(**os.environ) CREDS = "-U{DC_USERNAME}%{DC_PASSWORD}".format(**os.environ) SMBCONF = os.environ['SERVERCONFFILE'] +# alice%Secret007 +NON_ADMIN_CREDS = "-U{DOMAIN_USER}%{DOMAIN_USER_PASSWORD}".format(**os.environ) + TIMESTAMP_RE = r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+00:00' NOWISH = 'about now' @@ -500,6 +503,22 @@ class KdsRootKeyTests(KdsRootKeyTestsBase): f"created root key {new_guids[0]}, usable from {TIMESTAMP_RE}") self._delete_root_key(new_guids[0]) +def test_create_json_non_admin(self): +"""can you create a root-key without being admin?""" +pre_create = self._get_root_key_guids() + +result, out, err = self.runcmd("domain", "kds", "root-key", "create", + "-H", HOST, NON_ADMIN_CREDS, "--json") +self.assertCmdFail(result) + +post_create = self._get_root_key_guids() + +self.assertEqual(set(pre_create), set(post_create)) +data = json.loads(out) +self.assertEqual(data['status'], 'error') +self.assertEqual(data['message'], 'User has insufficient access rights') +self.assertEqual(err, "", "not expecting stderr messages") + def test_create_json_1997(self): """does create work?""" pre_create = self._get_root_key_guids() 
@@ -640,6 +659,81 @@ class KdsRootKeyTests(KdsRootKeyTestsBase): self.assertIn(guid, pre_names) self.assertNotIn(guid, post_names) +def test_delete_non_admin(self): +"""does delete as non-admin fail?""" +# make one to delete, and get the list as JSON +_guid, dn, _created, _used = self.
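Review bot: in the Command hunk of python/samba/netcmd/__init__.py, the new ERR_INSUFFICIENT_ACCESS_RIGHTS branch calls self._print_error() with a fixed string only, whereas the neighbouring branches pass message, ldb_emsg and 'ldb'. That drops the caller's context (which operation was refused) along with the server's own text. Consider keeping message in the output so a multi-step command still says what failed; the JSON test's expected 'User has insufficient access rights' would then need to match whichever field carries the fixed string.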
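Review bot: in test_create_json_non_admin, json.loads(out) runs before anything has asserted that out holds JSON, so if the command ever falls back to a plain-text error the test dies with a decode exception instead of a readable assertion failure; an explicit check on out before parsing would make the failure mode obvious. Separately, the `# alice%Secret007` comment above NON_ADMIN_CREDS hard-codes what the DOMAIN_USER and DOMAIN_USER_PASSWORD variables expand to and will go stale if the selftest environment changes; describing the account's role (an ordinary domain user) would age better.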
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ee94d708557 ldb: Update ldb.get_opaque() to return talloc‐managed opaque values via 256320532a4 ldb: Update ldb.set_opaque() to accept only supported types via 81fd42165e9 ldb: Remove trailing whitespace via ab6cb4bc972 ldb: Pass a supported opaque type to ldb.set_opaque() via 35e7ce88dd7 ldb: Add tests for Python set_opaque() and get_opaque() via 757036cefe5 pyldb: Remove unused and broken Python access to LDB module API via 7a38a98871b pyldb: Improve docstric for whoami(), which takes no arguments. via f8fcd21812d pyldb: Remove last caller to and definition of PyLdb_Check() via 61e5958a3ac pyldb: Use "O!" to specify the type of py_ldb via 8b0d00a8e3e pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h via 6c3ca9e4967 dns: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE() via 083c948 dns: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE() via 2ba8e656dab dsdb: Use pyldb_check_type() in PyErr_LDB_DN_OR_RAISE() via da63ee78b34 dsdb: Use pyldb_Ldb_AsLdbContext() in PyErr_LDB_OR_RAISE() via dbdecac5f89 ldb/pyldb: Call Py_DECREF(list) on failure in PyLdbResult_FromResult() via 53cdfff711a ldb/pyldb: Check errors from PyLdbMessage_FromMessage from cabe817f63e netcmd: models: Create ClaimType in the model layer instead https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ee94d7085570da981b0772c141a76a899c7b0e66 Author: Jo Sutton Date: Fri Mar 1 16:23:58 2024 +1300 ldb: Update ldb.get_opaque() to return talloc‐managed opaque values Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sun Mar 3 23:33:44 UTC 2024 on atb-devel-224 commit 256320532a45e1e8ff94d2c7b246797a5f8291b6 Author: Jo Sutton Date: Fri Mar 1 16:23:53 2024 +1300 ldb: Update ldb.set_opaque() to accept only supported types Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 81fd42165e9fd55fd15e4abd3172e3e291edc527 Author: Jo Sutton Date: Thu Feb 29 
13:07:47 2024 +1300 ldb: Remove trailing whitespace Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit ab6cb4bc97255296d53415eafbeb1a71a9d17cc8 Author: Jo Sutton Date: Fri Mar 1 16:18:10 2024 +1300 ldb: Pass a supported opaque type to ldb.set_opaque() We are about to modify ldb.set_opaque() to accept only certain types, and ldb.Ldb is not one of those types. Pass in a value that is supported and whose lifetime is guaranteed to outlive the Ldb object. Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 35e7ce88dd7694663a0c5f171f6a0fa751265902 Author: Jo Sutton Date: Fri Mar 1 16:06:49 2024 +1300 ldb: Add tests for Python set_opaque() and get_opaque() Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett commit 757036cefe589248ace0d6da2ef70f9a7ff19554 Author: Andrew Bartlett Date: Tue Nov 14 19:12:02 2023 +1300 pyldb: Remove unused and broken Python access to LDB module API These exposed the private LDB modules API to python, and was untested and broken since LDB was made async internally as it never called ldb_wait() on the result. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 7a38a98871b63b57ae4e8bbb6c59213f8271a1b5 Author: Andrew Bartlett Date: Wed Dec 6 11:18:47 2023 +1300 pyldb: Improve docstric for whoami(), which takes no arguments. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit f8fcd21812d307d63639755221662568203e6e53 Author: Andrew Bartlett Date: Tue Dec 5 11:59:46 2023 +1300 pyldb: Remove last caller to and definition of PyLdb_Check() This is now checked by PyArg_ParseTupleAndKeywords(). Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 61e5958a3acf2169fc25ba7ec71b67ad08c38012 Author: Andrew Bartlett Date: Tue Dec 5 11:53:58 2023 +1300 pyldb: Use "O!" 
to specify the type of py_ldb Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 8b0d00a8e3e9fb427db6eef565de7b09e42784f8 Author: Andrew Bartlett Date: Tue Dec 5 10:34:56 2023 +1300 pyldb: Move PyErr_LDB_OR_RAISE() and PyErr_LDB_DN_OR_RAISE() into pyldb.h While this style of macro is against our coding style, it is still better to have them in a single place, and while pyldb.h is technically public Samba is the only user of the C bindings. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 6c3ca9e4967746af5bf087a339e368d4a0bf9e96 Author: Andrew Bartlett Date: Tue Dec 5 10:31:48 2023 +1300 dns: Use pyldb_check_type() in P
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via cabe817f63e netcmd: models: Create ClaimType in the model layer instead via 09aa2597888 netcmd: models: ClaimType: move all dunder methods to the top for consistency via 2d7cbba23ef netcmd: claims: tidy up, avoid setting enabled twice via 05098443475 netcmd: models: rename lookup methods to find for consistency via 076bc6ee1da netcmd: models: Rename username to account_name for consistency via e70b8751398 netcmd: models: Add optional base_dn argument to Model.query method via d961aacdf2b netcmd: models: Add Person and OrganizationalPerson via 7a4dc035210 netcmd: models: Add a repr method to Query for help in the shell via 3d367079081 netcmd: models: Rename method to Query._from_message for consistency via a1345442ccb netcmd: models: Model.from_message should be internal via 993b6da2db8 netcmd: silos: silo and auth policy commands use Query class better via 9238afc16c6 netcmd: silos: silo and auth policy commands use print via 983f04e1aa6 netcmd: models: move remove trustee code to the GMSA model via 2456fa71bd6 netcmd: models: move add trustee code to the GMSA model via 85ca9e7cba4 netcmd: tests: add tests for service-account commands via a7a35ae5e3c netcmd: gmsa: cli commands for managing group msa membership via 7b1b7d130bc netcmd: gmsa: base cli commands for group managed service accounts via 14a4f642b46 python: models: Computer constructor automatically adds "$" to account name via 87c8e578de0 selftest: aces: fix mutable default args in assemble_ace via 1093f4b6b11 selftest: aces: use constant from samba.security via 62e11cfa8af python: sd_utils: pep8 import sorting via 0127ddd7e26 python: sd_utils: remove redundant brackets around simple assert statements via 1afb6465b81 python: sd_utils: pep8 fix spacing around via 63d9b27908c netcmd: properly show command name in show help via 120bf34c696 netcmd: add newline before epilog so there is a space between via 982ebebfbe1 netcmd: models: model __json__ method should call 
as_dict instead via 181764a5d62 netcmd: models: setting kwarg to None should use field default via ca973caa283 netcmd: models: Model.query adds optional polymorphic flag for returning specific class types via ccce7e7c031 netcmd: models: ModelMeta needs to also set fields and meta if class is Model via 58700354869 netcmd: models: move object_sid field from User to base Model via f54cfbea908 netcmd: models: bring Model class forward into module via f8b5f7f5920 netcmd: models: ModelMeta no longer needs to inherit from ABCMeta via f90e09a2856 netcmd: models: Model.get_object_class returns top instead of None via b3cc3ade434 netcmd: models: Query.first and Query.last should use count from instance via e41114ad5b1 netcmd: models: set the default for managed password interval on the model via 611403d4013 netcmd: models: move group msa membership default to constants via dccafff1b36 netcmd: shell: show Models subheading via 14285db4823 netcmd: models: make MODELS constant keyed by object class instead via 1d0084673ef netcmd: models: move MODELS constant to constants.py to avoid import loop via a5470623526 netcmd: models: update docstring of Computer.find method via 6834a1bdc9e netcmd: models: gmsa move find method to Computer model via e1d61746c32 netcmd: models: gmsa GroupManagedServiceAccount inherits from Computer via 1cd7cf66807 netcmd: models: gmsa move GroupManagedServiceAccount model to gmsa.py via 84c721ec4a9 netcmd: models: gmsa trustees update docstring and incorrect return type via c8857abb740 netcmd: models: gmsa trustees property only looks at allowed aces via f5c6a42d97f netcmd: models: make GroupManagedServiceAccount.trustees a property via cd395558b02 netcmd: models: avoid fetching each user in trustees method via cf110742af0 netcmd: models: Remove unused groups_sddl method from User model via 4e31942d1fe netcmd: models: add default SDDL to group_msa_membership from 9f167b9b772 WHATSNEW: Add information on LDB no longer available standalone 
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit cabe817f63e1518f4a3b467694646b0a90fda647 Author: Rob van der Linde Date: Wed Feb 28 13:17:48 2024 +1300 netcmd: models: Create ClaimType in the model layer instead Having it inside a command isn't very re-usable. Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 1 05:52
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9f167b9b772 WHATSNEW: Add information on LDB no longer available standalone via 81994b85adf build: Allow --with-ldbmodulesdir to override location of LDB modules via 5af23f1b585 ldb: Unconditionally set LDB_PACKAGE_VERSION via 625fb48326e ldb: Remove "private_library" variable with just one user via 07cc744effe ldb: Rename VERSION to LDB_VERSION to avoid confusion via d163518e2ff lib/ldb: Remove duplicate aspects of build system via ef7e9566bf5 ldb: Remove remaining components of independent ldb build system via 7c860d79d3c lib/ldb: Remove references to conf.env.standalone_ldb via c1125a316fc lib/ldb: bld.CONFIG_SET(USING_SYSTEM_LDB) is now never set via 1edd8c066c2 lib/ldb: Adapt pkg-config files to being build from the main build. via de1ab855ee2 lib/ldb: Always build standalone via b83614144b7 build: Move --with-ldap/--without-ldap from source3 build to top level via 1f50febc99f ldb: Remove the ability for Samba to compile against a system LDB via e10932577bb build: Remove duplicated check for -Wl,-no-undefined on OpenBSD via 9fe559ecea4 build: Call conf.CHECK_XSLTPROC_MANPAGES() directly in wscript via 3b80c7f4ac1 autobuild: Move autobuild to expecting ldb to build as part of Samba via 9b5d226a5ae ldb: Honour --private-library=!ldb as meaning build as a public library via 1f41997b4c6 build: Allow --private-libraries to include a default via 7d1bc4fa902 build: Ensure that a forced-private library has no public headers via 2471a0037e2 ldb: Make pyldb-util always a private library via a4afb2eeade selftest: Bring ldb test defintions into one place in selftest/tests.py via 05ce3810e39 selftest: Always and only run ldb test-tdb test in Samba selftest via b98e05aec81 selftest: Move LDB cmocka based unit tests to Samba testsuite via 4c16618ee3c ldb: Prepare ldb tests for subunit output via b76516d5155 sefltest: Remove duplicate run of ldb.python.crash and ldb.python.repack via 8af7867505e ldb: Move tests to selftest/tests.py and 
out of standlone build from d6bfd26049b pytests: samba-tool domain kds root_key https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9f167b9b772214e76e75213711952ec6f9c9620e Author: Andrew Bartlett Date: Mon Feb 19 11:01:30 2024 +1300 WHATSNEW: Add information on LDB no longer available standalone Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Mar 1 03:45:21 UTC 2024 on atb-devel-224 commit 81994b85adf21cce128c23ad1863e9b45717ecec Author: Andrew Bartlett Date: Wed Feb 14 11:54:54 2024 +1300 build: Allow --with-ldbmodulesdir to override location of LDB modules This will allow some packagers to set this to a directory that does not mention Samba, or to put a version string in to avoid loading old modules. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 5af23f1b5850df2285986a279c3911724eaa4660 Author: Andrew Bartlett Date: Mon Feb 12 15:00:30 2024 +1300 ldb: Unconditionally set LDB_PACKAGE_VERSION This is only parsed once now and there is no confusion with the main build, so we can set it without checking. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 625fb48326ec62a33ce0abdbfb0f6f3d33d7cc64 Author: Andrew Bartlett Date: Mon Feb 12 15:26:14 2024 +1300 ldb: Remove "private_library" variable with just one user Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 07cc744effeff5e359010674a31dd8e16d75d6fc Author: Andrew Bartlett Date: Mon Feb 12 14:06:12 2024 +1300 ldb: Rename VERSION to LDB_VERSION to avoid confusion Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit d163518e2ff7d7bef79e6948462e65cec40976c7 Author: Andrew Bartlett Date: Mon Feb 12 11:16:28 2024 +1300 lib/ldb: Remove duplicate aspects of build system We no longer need aspects of our build that made sense for the standalone operation of LDB now that ldb is only provided as part of Samba. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit ef7e9566bf55033ebbc75c115213de7ae04cfe44 Author: Andrew Bartlett Date: Mon Feb 12 14:05:17 2024 +1300 ldb: Remove remaining components of independent ldb build system Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 7c860d79d3c2337d174a1f908b03c25af8ec2c02 Author: Andrew Bartlett Date: Mon Feb 12 12:41:02 2024 +1300 lib/ldb: Remove references to conf.env.standalone_ldb This is not a simple replacement a
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d6bfd26049b pytests: samba-tool domain kds root_key via d0234391a8a samba-tool: add `samba-tool domain kds root_key delete` via 710093dc279 samba-tool: add `samba-tool domain kds root_key create` via ee1e9f1fb22 samba-tool: add `samba-tool domain kds root_key view` via a92699cda06 samba-tool: add `samba-tool domain kds root_key list` via 884d40ca165 samba-tool: don't error if there are no sub-commands via 79342a8411d provision: add a default root key via 53bf56c62b1 pytest:dsdb: check that there is a gkdi root key via c6208a3b0ec pytest:gkdi: shift create_root_key into a function via e1ab10b1fc1 pytest:samba-tool: add a flag to print more in runcmd via ae0f38c319c samba-tool user delete: use account type constant via e5efa217467 samba-tool domain: add LDB Result to json encoders via bbd9249a9c2 ldb:pyldb exposes Result type via 17dbaf4d330 python:samdb: wrapper for _dsdb_create_gkdi_root_key() via a7c955dc7f9 s4:pydsdb: python bindings for gkdi_new_root_key() via 214ac139d86 samba-tool domain kds root_key via 327f5dc4e58 samba-tool domain kds: add root key sub-command via fbd9740272e samba-tool domain: add kds sub-branch via d46daab2aed s4:dsdb: Add functions for GKDI root key creation via e7a96915e82 lib:crypto: Check for overflow in GKDI rollover interval calculation via 2be2dca44a6 lib:crypto: Correct GKDI interval start time calculation via 924eb6bac50 lib:crypto: Add error checking to GKDI key start time calculation via 02f18a88dad selftest: Ignore msKds-DomainID in ldapcmp_restoredc.sh and samba.tests.domain_backup_offline from 667265b6851 ctdb-tests: Limit red-black tree test to 5s of random inserts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d6bfd26049b954ff976a528818e1019c4414f8e6 Author: Douglas Bagnall Date: Fri Feb 16 16:36:06 2024 +1300 pytests: samba-tool domain kds root_key Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett 
Autobuild-Date(master): Fri Mar 1 01:27:30 UTC 2024 on atb-devel-224 commit d0234391a8a47f6f39f7965c03fbda8f61815251 Author: Douglas Bagnall Date: Wed Feb 28 17:55:54 2024 +1300 samba-tool: add `samba-tool domain kds root_key delete` For deleting root keys. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 710093dc27922c0e28a8950120821df6f853b3ee Author: Douglas Bagnall Date: Wed Feb 28 17:55:16 2024 +1300 samba-tool: add `samba-tool domain kds root_key create` For making new root keys. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit ee1e9f1fb220fb3c2c3cf0c87b92900acb8e8909 Author: Douglas Bagnall Date: Wed Feb 28 17:54:24 2024 +1300 samba-tool: add `samba-tool domain kds root_key view` This is for looking at one root key. There isn't much to know. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit a92699cda06bf278d91c1351685613ccaa91cd9d Author: Douglas Bagnall Date: Wed Feb 28 17:34:25 2024 +1300 samba-tool: add `samba-tool domain kds root_key list` This lists root keys, in descending chronological order according to the use_start_toime attribute. That's because you usually only care about the newest one. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 884d40ca16549d5a69119a2a2470ae4e45ee816a Author: Douglas Bagnall Date: Thu Feb 29 16:29:30 2024 +1300 samba-tool: don't error if there are no sub-commands This is useful when you commit samba-tool tests before you commit the samba-tool code, and you want the tests to fail rather than error. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 79342a8411d6e1534e03ce43be0506007959c115 Author: Douglas Bagnall Date: Wed Feb 28 15:28:22 2024 +1300 provision: add a default root key Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 53bf56c62b18da1bfd85099454ebc654ab738785 Author: Douglas Bagnall Date: Wed Feb 28 15:32:41 2024 +1300 pytest:dsdb: check that there is a gkdi root key Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit c6208a3b0ec1d8a6c76755d66846d28deb274123 Author: Douglas Bagnall Date: Thu Feb 22 16:17:37 2024 +1300 pytest:gkdi: shift create_root_key into a function This is so the samba-tool domain kds root_key tests can use it as a function. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e1ab10b1fc19ac35ea1dcaf0161d59d394fc363c Author: Douglas Bagnall Date: Fri Feb 23 16:24:11 2024 +1300
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0c1ac197768 samba-tool user getpassword: Clarify success wording via 00daa520ce8 python/nt_time: have a go at using 1_000_000 number separators. via d3d87aee2a7 python:nt_time: add a nt_now() function via 33a8ae1748a python:nt_time: add string_from_nt_time via 60022ed55f7 py:nt_time: add nt_time_from_string() via bfba074d2f4 pyldb: try to turn ldb_string_to_time() errors into exceptions via 8892b0cc926 ldb: ldb_string_to_time reports more errors via 9beb57892db s4:pydsdb: add not-implemented raising functions to when appropriate via ed344bb22f4 pyldb: catch some talloc failures via c68b390e66f pyldb: free some finished requests via a4c4e3c95f9 pyldb: free things more often on error via 994fa07 pyldb: add a macro to free when raising exceptions via 8cf9d4cae1e pytest:audit_log_base: use string_is_guid() via 6d087d1d29e pytest:auth_log_base: use string_is_guid() from 0fe263a56d0 pylibs: add string_is_guid() helper. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0c1ac19776835034df8f54a78c2022375cff921e Author: Andrew Bartlett Date: Thu Feb 29 14:57:40 2024 +1300 samba-tool user getpassword: Clarify success wording It may be the case that there was no password, or read access to the password was not permitted. The structure of the code and the pattern in LDIF that missing information is simply returned as missing attributes makes it hard to detect and communicate a clear error here, particularly as an error may not be wanted if (say) pwdLastSet is queried on a gMSA that we can not read. So we just make the string to indicate, as I think it was meant, that the tool ran to completion. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Feb 29 05:07:45 UTC 2024 on atb-devel-224 commit 00daa520ce80deb76e08684b3f9b3f22202bcd2c Author: Douglas Bagnall Date: Fri Feb 23 16:23:03 2024 +1300 python/nt_time: have a go at using 1_000_000 number separators. I noticed these are available in Python 3.6+, which is what we support, and they're arguably nicer than using exponentiation. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit d3d87aee2a782691f7bf5b8247f07068fc2fb381 Author: Douglas Bagnall Date: Wed Feb 28 16:52:12 2024 +1300 python:nt_time: add a nt_now() function Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 33a8ae1748ae02435b0097366085ddaabb503dc8 Author: Douglas Bagnall Date: Wed Feb 28 16:51:41 2024 +1300 python:nt_time: add string_from_nt_time Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 60022ed55f7a213440b70c6d4b4796a4a7b0fa9f Author: Douglas Bagnall Date: Wed Feb 14 14:31:35 2024 +1300 py:nt_time: add nt_time_from_string() This is for samba-tool, which could do with a common understanding of time strings across various sub-tools. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit bfba074d2f41e70ce743ce7e216c498ab5bd977a Author: Douglas Bagnall Date: Wed Feb 14 14:22:53 2024 +1300 pyldb: try to turn ldb_string_to_time() errors into exceptions Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 8892b0cc92650c20f908f1076677ab4c2b6cc418 Author: Douglas Bagnall Date: Wed Feb 14 14:20:28 2024 +1300 ldb: ldb_string_to_time reports more errors The underlying function should return -1 and set errno when given invalid strings, but we were not looking and have decided on 0 for error. It would be a pain to change this function to return -1. Apart from the API fuss, it is sometimes used unchecked to set an unsigned number and an unchecked 0 is better than UINT*_MAX in those contexts. 
It is probably not easy to get an -1 from a timegm() -- most implementations will happily convert overflows for you, so e.g. the 15th month would be March of the next year. But EOVERFLOW is mentioned in the manpages. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 9beb57892db1e4056a038519961cc657cf7a744f Author: Douglas Bagnall Date: Wed Feb 21 23:13:51 2024 +1300 s4:pydsdb: add not-implemented raising functions to when appropriate It will be less confusing, I hope. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit ed344bb22f449b977e2ffc30e486446615163110 Author: Douglas Bagnall Date: Wed Feb 28 16:30:29 2024 +1300 pyldb: catch some talloc failures Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett c
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 0fe263a56d0 pylibs: add string_is_guid() helper.
via 7b089e1206a samba-tool: with --json, error messages are in JSON
via 1f128fee27c samba-tool: instances remember whether --json was requested
via 542ba5cbd5e samba-tool: add self.print_json_status() helper
via 742fc4d841c samba-tool: avoid mutable Command class values
via 29abab6a460 samba-tool domain level: avoid using assert
via 8650ba0a187 samba-tool domain claim: use secrets module for token
via 2908a6d67bc samba-tool user getpassword: Also return the time a GMSA password is valid until
via 71f7c4a3c59 samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes
via dfe71c4235a python/samba/tests: Include more detail on invoication in test of "samba-tool user show"
via 380c80b4d60 samba-tool user getpassword: Do not show preview of gMSA password
via 801e3fd6dd1 s3:libads: Trace ldap search base/filter/scope
from 2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 0fe263a56d049b62be71ced9d8a78bc0a749c195
Author: Douglas Bagnall
Date: Thu Feb 15 21:20:24 2024 +

pylibs: add string_is_guid() helper.

In various places we use regular expressions to check for GUID-ness, though typically we don't match GUIDs with uppercase hex digits when we really should. If we centralise the check, we have more chance of getting it right.

Pair-programmed-by: Andrew Bartlett
Signed-off-by: Douglas Bagnall
Signed-off-by: Andrew Bartlett
Reviewed-by: Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Feb 29 02:38:07 UTC 2024 on atb-devel-224

commit 7b089e1206a8a8256ad108f5f0e03d3b33f8bf9f
Author: Douglas Bagnall
Date: Wed Feb 28 16:14:24 2024 +1300

samba-tool: with --json, error messages are in JSON

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 1f128fee27c50aa305de3434443c4a52c408f9c6
Author: Douglas Bagnall
Date: Wed Feb 28 16:13:15 2024 +1300

samba-tool: instances remember whether --json was requested

All our subcommands are going to learn --json eventually, and they shouldn't all have to do this individually. The next commit uses this to automatically format CommandErrors as JSON.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 542ba5cbd5e9a562cd81b5b2385b56d03555a87f
Author: Douglas Bagnall
Date: Fri Feb 16 00:59:25 2024 +

samba-tool: add self.print_json_status() helper

This is a helper to return JSON for simple messages.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 742fc4d841c1b02cc733760e7841ca13a95f3ebc
Author: Douglas Bagnall
Date: Fri Feb 23 16:19:02 2024 +1300

samba-tool: avoid mutable Command class values

These values are shared across all instances of the class, which makes no difference in samba-tool itself, because there is one instance per process. But in tests we can have many Command classes at once (due to runcmd()), and if any of them happened to append to takes_args or takes_options rather than replacing it, well, the effect would be subtle.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 29abab6a460aa61699c4a1811c148552874c1236
Author: Douglas Bagnall
Date: Wed Feb 14 05:09:30 2024 +

samba-tool domain level: avoid using assert

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 8650ba0a187d4c0a05fd4596570b940431338a27
Author: Douglas Bagnall
Date: Fri Feb 2 14:23:38 2024 +1300

samba-tool domain claim: use secrets module for token

`binascii.hexlify(os.urandom(8)).decode()` was fine, but `os.urandom` is OS specific and can theoretically block (says the documentation). We will let Python's secrets module worry about such details.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 2908a6d67bca58c9de6991cbe312276408a34b7a
Author: Andrew Bartlett
Date: Fri Feb 9 11:44:33 2024 +1300

samba-tool user getpassword: Also return the time a GMSA password is valid until

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall

commit 71f7c4a3c59d170f3cf48c5230d3edf4d51d500c
Author: Andrew Bartlett
Date: Wed Feb 28 17:27:31 2024 +1300

samba-tool: Allow ;format=UnixTime etc to operate on virtual attributes

To convert a virtual attribute we must understand that it has been put into "obj" under the name including the ;format= part and so we must look it back up with that name when looking to
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 2b515b7dcc6 s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used
via 009a4706d23 python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used
via 724f403d886 libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY
via ea41dccb99b third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
from f1a83798f01 third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 2b515b7dcc655f6be4365cc8adffee999b4354bf
Author: Andrew Bartlett
Date: Tue Feb 27 11:23:03 2024 +1300

s4-kdc: Add "Fresh Public Key Identity" SID if PKINIT freshness used

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed Feb 28 04:45:48 UTC 2024 on atb-devel-224

commit 009a4706d238b7d6107c6adc684a37cd7a3bed0c
Author: Andrew Bartlett
Date: Tue Feb 27 11:55:33 2024 +1300

python/samba/tests/krb5: Expect SID_FRESH_PUBLIC_KEY_IDENTITY (only) when PKINIT freshness used

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton

commit 724f403d8863bf3f29bff35bff0f274183621bb3
Author: Andrew Bartlett
Date: Tue Feb 27 11:09:38 2024 +1300

libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY

This allows an ACL level check (rather than only an all-or-nothing KDC configuration) that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton

commit ea41dccb99b6448c93c43b8de8d2bcca698f1a7c
Author: Andrew Bartlett
Date: Tue Feb 27 14:55:27 2024 +1300

third_party/heimdal: import lorikeet-heimdal-202402270140 (commit e78a9d974c680d775650fb51f617ca7bf9d6727d)
Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- Summary of changes: libcli/security/dom_sid.h | 1 + libcli/security/util_sid.c | 4 librpc/idl/security.idl| 8 python/samba/tests/krb5/pkinit_tests.py| 14 +- source4/kdc/pac-glue.c | 10 ++ source4/kdc/pac-glue.h | 1 + source4/kdc/wdc-samba4.c | 10 ++ third_party/heimdal/kdc/kdc-accessors.h| 7 +++ third_party/heimdal/kdc/kdc_locl.h | 1 + third_party/heimdal/kdc/libkdc-exports.def | 1 + third_party/heimdal/kdc/pkinit.c | 2 ++ third_party/heimdal/kdc/version-script.map | 1 + third_party/heimdal/lib/asn1/asn1_err.et | 2 +- third_party/heimdal/lib/asn1/asn1_print.c | 2 +- third_party/heimdal/lib/base/heimbase.c| 2 +- third_party/heimdal/lib/gssapi/spnego/accept_sec_context.c | 2 +- third_party/heimdal/lib/hx509/cert.c | 2 +- third_party/heimdal/lib/hx509/hx509_err.et | 4 ++-- third_party/heimdal/lib/krb5/crypto.c | 8 third_party/heimdal/lib/sqlite/sqlite3.c | 2 +- third_party/heimdal/po/heim_com_err569856/de.po| 2 +- .../heimdal/po/heim_com_err569856/heim_com_err569856.pot | 2 +- third_party/heimdal/po/heimdal_krb5/de.po | 3 +-- third_party/heimdal/po/heimdal_krb5/heimdal_krb5.pot | 2 +- third_party/heimdal/po/heimdal_krb5/sv_SE.po | 2 +- 25 files changed, 76 insertions(+), 19 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index 343001e87ee..5e1c5d90958 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -43,6 +43,7 @@ extern const struct dom_sid global_sid_Network; extern const struct dom_sid global_sid_Asserted_Identity; extern const struct dom_sid global_sid_Asserted_Identity_Service; extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority; +extern const struct dom_sid global_sid_Fresh_Public_Key_Identity; extern const struct dom_sid global_sid_Creator_Owner; extern const struct dom_sid global_sid_Creator_Group; extern const struct dom_sid global_sid_Owner_Rights; 
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c index 54a2fc35fda..0942b2fe259 100644 --- a/libcli/security/util_sid.c +++ b/libcli/security/util_sid.c @@ -83,6 +83,10 @@ const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /*
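Review bot: in the libcli/security/dom_sid.h hunk, the added `global_sid_Fresh_Public_Key_Identity` declaration carries no comment on what the SID asserts. Since the commit message says ACLs can now check for it, a one-line comment stating that it is only present when PKINIT freshness was used during the AS-REQ would help anyone writing such a check. The libcli/security/util_sid.c hunk that defines the value is cut off in this mail, so the definition cannot be compared with this declaration from the visible lines.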
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via f1a83798f01 third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)
via beaeeaff501 s4:rpc_server: Make some arrays static
via 3b85345c4c5 lib:util: Fix printing hex‐escaped characters
via 7e855f8d89c lib:util: Correctly determine whether a character needs to be escaped
via 18208dbef72 s4:rpc_server: Remove trailing whitespace
via 4b0f3f3d100 python: Fail the test if we don’t receive an NTSTATUSError
via 3e342e2d37a tests/krb5: Move assertLocalSamDB() into RawKerberosTest
via df475fbc2f8 tests/krb5: type hinting
via 69c3044a726 python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab
via a1d7af24853 python/tests: Convert dckeytab test to use new NDR keytab parser
via 2e230f728ec python/tests: Add test for new krb5 keytab parser
via e6ef2fc2240 librpc/idl: Check protocol version number in Kerberos ccache parser
via ecaaff57e45 librpc/idl: Add a parser for a FILE: format keytab
via 9a5cc120421 python/samba/samdb: Only do caching of well known DNs in dbcheck
from 5a0fce58650 source4/torture: Add SEC_STD_DELETE to enable proper cleanup

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit f1a83798f0102f7d35295a6c0d4db0580a791579
Author: Jo Sutton
Date: Wed Feb 14 09:37:13 2024 +1300

third_party/heimdal: Import lorikeet-heimdal-202402132018 (commit 66d4c120376f60ce0d02f4c23956df8e4d6007f2)

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Tue Feb 27 02:19:31 UTC 2024 on atb-devel-224

commit beaeeaff501b22fdfb3928d788597398fcbbbe29
Author: Jo Sutton
Date: Tue Feb 20 16:46:07 2024 +1300

s4:rpc_server: Make some arrays static

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 3b85345c4c5bc7fa7196c8802a6be60e0e4a043f
Author: Jo Sutton
Date: Tue Feb 20 16:35:43 2024 +1300

lib:util: Fix printing hex‐escaped characters

A signed char, passed to snprintf(), will be promoted to an ‘int’, and then interpreted (according to the format string) as an ‘unsigned int’. Any negative values passed in will thus be interpreted as large unsigned values, too large to be represented in the two characters allocated for them. In practice, they will always be represented as ‘\xFF’. Cast these characters to ‘unsigned char’, and use the appropriate length modifier for that type.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 7e855f8d89cb0b3491d31c93da608417c38c6b00
Author: Jo Sutton
Date: Tue Feb 20 16:30:15 2024 +1300

lib:util: Correctly determine whether a character needs to be escaped

The condition ‘c > 0x1F’ is clearly meant to test whether a character is a control code or not. While it works for ASCII characters, when ‘char’ is signed it fails for codepoints above 0x7f, which get represented as negative values. Make this calculation work as it was (presumably) intended by casting to ‘unsigned char’.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 18208dbef721babf21533e5058f388d3b98d372e
Author: Jo Sutton
Date: Tue Feb 20 14:43:33 2024 +1300

s4:rpc_server: Remove trailing whitespace

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 4b0f3f3d100dcdf5a5bf9947a2baa574af76ad30
Author: Jo Sutton
Date: Tue Feb 20 12:27:36 2024 +1300

python: Fail the test if we don’t receive an NTSTATUSError

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 3e342e2d37aed612cab59f5433870f5208a6
Author: Jo Sutton
Date: Thu Feb 15 13:45:10 2024 +1300

tests/krb5: Move assertLocalSamDB() into RawKerberosTest

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit df475fbc2f8e19e37674ece59cdb8daa0aece072
Author: Jo Sutton
Date: Fri Dec 8 14:05:45 2023 +1300

tests/krb5: type hinting

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 69c3044a7265c83d053b2690de772eb4ff9d86ca
Author: Andrew Bartlett
Date: Wed Feb 21 14:29:44 2024 +1300

python/tests: Use TestCaseInTempDir rather than "private dir" for exported keytab

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton

commit a1d7af2485365b188f1364d6a8388c9cc30e8107
Author: Andrew Bartlett
Date: Wed Feb 21 14:14:24 2024 +1300

python/tests: Convert dckeytab test to use new NDR keytab parser

This is much nicer than reading strings out of the binary file.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton

commit 2e230f728ec8026997183ad50ff6371961c9a9ea
Author: Andrew Bartlett
Date: Wed Feb 21 10:22:12 2024
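The two lib:util commit messages in this mail describe a signed-char pitfall in escaping code; the C program below is an added illustration of it, not Samba's code and not part of the original mail. The helper names, the 5-byte escape slot and the sample bytes are assumptions, and the "before" path spells out the int-to-unsigned conversion with casts so that its result is well defined here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helpers, not Samba's lib/util code. Input is typed
 * 'signed char' so the result does not depend on whether plain char
 * is signed on the build platform.
 */

/* Before: a byte >= 0x80 is negative, so it looks like a control code. */
static int needs_escape_before(signed char c)
{
	return !(c > 0x1F);
}

/* After: compare the byte value, not the signed value. */
static int needs_escape_after(signed char c)
{
	return !((unsigned char)c > 0x1F);
}

/*
 * Before: %X reads the promoted int as unsigned int. The casts spell
 * that conversion out. Only "\xHH" plus NUL (5 bytes) is kept, as when
 * two characters are allocated for the hex digits.
 */
static void hex_escape_before(signed char c, char out[5])
{
	char full[16];

	snprintf(full, sizeof(full), "\\x%02X", (unsigned int)(int)c);
	memcpy(out, full, 4);
	out[4] = '\0';
}

/* After: cast to unsigned char and use the hh length modifier. */
static void hex_escape_after(signed char c, char out[5])
{
	snprintf(out, 5, "\\x%02hhX", (unsigned char)c);
}

/*
 * Escape n bytes into out (NUL-terminated). Returns the output length,
 * or 0 if out is too small. 'fixed' selects the after-fix behaviour.
 */
static size_t escape_bytes(const signed char *in, size_t n,
			   char *out, size_t outlen, int fixed)
{
	size_t o = 0;
	size_t i;

	if (outlen == 0) {
		return 0;
	}
	for (i = 0; i < n; i++) {
		signed char c = in[i];
		int esc = fixed ? needs_escape_after(c)
				: needs_escape_before(c);

		/* Room for this item plus the terminating NUL? */
		if (o + (esc ? 4 : 1) + 1 > outlen) {
			return 0;
		}
		if (!esc) {
			out[o++] = (char)c;
			continue;
		}
		if (fixed) {
			hex_escape_after(c, out + o);
		} else {
			hex_escape_before(c, out + o);
		}
		o += 4;
	}
	out[o] = '\0';
	return o;
}

int main(void)
{
	/* Constructed sample: 'a', BEL (0x07), then U+00E9 as UTF-8. */
	const signed char sample[] = {
		'a', 0x07, (signed char)0xC3, (signed char)0xA9
	};
	char before[32];
	char after[32];

	escape_bytes(sample, sizeof(sample), before, sizeof(before), 0);
	escape_bytes(sample, sizeof(sample), after, sizeof(after), 1);
	printf("before: %s\nafter:  %s\n", before, after);
	return 0;
}
```

With the "before" logic both UTF-8 bytes are treated as control codes and collapse to the same `\xFF`, so an escaped log line no longer shows which bytes were actually received.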
[SCM] Samba Shared Repository - branch master updated
instead of string
via 9ca05ec28ce netcmd: delegation: don't use assert but raise CommandError
via 6d7ad278659 netcmd: delegation: initial value not required because of raise below
via ec6fb98b4a4 netcmd: delegation: move line down where it gets used
via 1608dde944f netcmd: delegation: pep8 fix blank lines
via 68092f85fa4 netcmd: bugfix: json encoder failed to call super method
via ea63b058fc4 netcmd: json encoder supports security descriptor objects
via de8b61cbbe3 netcmd: support hyphens in top-level commands and convert to underscore
via 2a95f83c5c3 libds: remove unreachable break statements after return
from 7a674ee9ffe docs-xml: document "smb3 share cap:{CONTINUOUS AVAILABILITY,SCALE OUT,CLUSTER,ASYMMETRIC}"

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 4698cf0f335f96cd902f234a09dc48102e33952a
Author: Jo Sutton
Date: Tue Feb 13 16:53:57 2024 +1300

s4:dsdb: Fix grammar

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Feb 16 03:47:12 UTC 2024 on atb-devel-224

commit a8387195707baa9c2a11437755eb85ff040dee0f
Author: Jo Sutton
Date: Wed Feb 14 08:17:03 2024 +1300

libcli/security: Make ‘session_info’ parameter const

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 8c970eaa2ed5bae4501df6ebfc3af67a946a0c76
Author: Jo Sutton
Date: Mon Feb 12 16:48:36 2024 +1300

s4:ldap_server: Remove trailing whitespace

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 1e13e37e219bcf5804662143fcf85332c6954ac8
Author: Jo Sutton
Date: Thu Jan 18 14:28:04 2024 +1300

libcli/security: Include missing headers

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit b0b9e03c99098c46580b151064f673c6c47e1b4e
Author: Jo Sutton
Date: Tue Feb 13 14:13:46 2024 +1300

s4:dsdb: Let requests with the AS_SYSTEM control reset an account’s password

dsdb_have_system_access() takes into account the AS_SYSTEM control as well as the result of dsdb_module_am_system(). This change means that we can reset the password of an account without being SYSTEM by means of the AS_SYSTEM control. This is essential for ldapsrv_SearchRequest() to be able to process the automatic password changes of Group Managed Service Accounts.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit eece2e8a9c6c5bf32c2824ed5853b88d1e3f679b
Author: Jo Sutton
Date: Tue Feb 13 14:12:30 2024 +1300

s4:dsdb: Make use of dsdb_have_system_access()

There should not be any change in behaviour.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 1ad9b93dbf6dd2b899bcb11c20c841735aede12f
Author: Jo Sutton
Date: Tue Feb 13 14:09:23 2024 +1300

s4:dsdb: Add function to determine whether we have system access

This takes into account the dsdb session info, as well as the presence or absence of an AS_SYSTEM control.

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit e0e2126face6d0a46dff348a8c690eb943dc2930
Author: Jo Sutton
Date: Thu Feb 15 16:48:29 2024 +1300

s4:dsdb: Add include guard to dsdb/samdb/ldb_modules/util.h

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 91fdd4316458d1dd9c696aff8d36737e5095b10f
Author: Jo Sutton
Date: Thu Feb 15 16:48:06 2024 +1300

s4:dsdb: Remove redundant include

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 324d0fbc06d358756e69696b8d8cf389e91e0054
Author: Jo Sutton
Date: Tue Feb 13 14:06:38 2024 +1300

s4:dsdb: Add function to create a GMSA password update request

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit d55c281c538dac7361614fc8c56466d1fbf89805
Author: Jo Sutton
Date: Tue Feb 13 13:50:40 2024 +1300

s4:dsdb: Remove unused includes

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit e1d27ba5455cdd7a69e16112ed05c75ba5c1f003
Author: Jo Sutton
Date: Tue Feb 13 13:45:10 2024 +1300

s4:dsdb: Add to ‘user_attrs’ attributes required for Group Managed Service Accounts

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 0d3d2c433a0ecb8fefe57fef2e60121f684ed6a7
Author: Jo Sutton
Date: Tue Feb 13 13:43:59 2024 +1300

s3:passdb: Reformat long line

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 676601340c5ff8895845b089289dcbb2e9f60d91
Author: Jo Sutton
Date: Tue Feb 13 13:40:48 2024 +1300

s3:passdb: Reformat array of strings

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit 2135e91b406104944b0f27edb892450acaae9968
Author: Jo Sutton
Date: Tue Feb 13 13:40:29 2024 +1300

s3:passdb: Make a
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 0e17b9cb19a selftest: Fix code spelling
via b415d736f06 s4:dsdb: Fix code formatting
via cf978d3e9fe s4:dsdb: Avoid buffer overflow in samdb_result_hashes()
via 3c01d9a6ea6 s4:dsdb: Mark hash returned by samdb_result_hash() as secret
via 3a7f4da6c47 s4:dsdb: Correct reference to source file
via 7145993929a s4:dsdb: Remove trailing whitespace
via 8c9344ea02d s4:dsdb: Correct NDR push error message
via 2113f1c3178 s4:dsdb: Fix code spelling
via 3b54546de66 s4:dsdb: Remove trailing whitespace
via 75d9f5332d6 s4:auth: Fix code spelling
via 76b9c9a8a66 s4:libcli: Remove unnecessary uses of discard_const_p()
via e8497f13430 s4:dsdb: Remove duplicate userAccountControl array entry
via def0cd0fd4e s3:smbd: Fix code spelling
via 14da75c4e12 librpc:idl: Fix code spelling
via 19870248c06 librpc:idl: Remove trailing whitespace
via 437e3dd1e6a libcli/security: Make ‘replace_sid’ parameter const
via 0b287f2e4e9 lib:util: Remove trailing whitespace
via 160727acde8 ldb: Fix code spelling
via 0c1f421c107 ndr: ignore trailing bytes in ndr_pull_security_ace()
via a72c198921f ndr: ndr_push_security_ace: calculate coda size once
via ecb5da3e492 ndr: avoid object ACE push overhead for non-object ACE
via fce4d51eb49 ndr: avoid object ACE pull overhead for non-object ACE
via 2a60ec98409 ndr: do not push ACE->coda.ignored blob
via 4face258dee ndr: mark invalid pull ndr_flags as unlikely
via c2673b02a7a ndr: skip talloc when pulling empty DATA_BLOB
via ee1b8ae04b1 ndr: ACE push avoids no-op coda pushes
via dc08e7924c2 ndr: make security_ace push manual
via ac0c8ee01ea ndr: short-circuit ace coda if no bytes left
via 1e6a876c2cc ndr: shift ndr_pull_security_ace to manual code
via 9811762775b pidl: calculate subcontext_size only once per pull
via 5fa66376654 perftest: ndr_pack runs in none environment
via 93e6ea4cff2 perftest:ndr_pack: spin in do_nothing for a while
via 2f68545087f perftest:ndr_pack: use a valid dummy SID
via ceb5389260c perftest:ndr_pack_performance: remove irrelevant imports, options
via d25fe2447b5 perftest:ndr_pack: slightly reduce python overhead
via e802611743a perftest: ndr_pack_performance gets more SD types
via d5371f6bcd2 perftest:ndr_pack: rename SD tests with object ACEs
via a3641b323b7 netcmd: models: mark some hidden fields on the base Model as readonly
via dcb3dd59147 netcmd: models: tests: add tests for NtTimeField
via 37855511f63 netcmd: models: add new NtTimeField model field
via 4c08b420ddf netcmd: models: model field DateTimeField returns datetime in UTC
via 10ef49b0491 netcmd: models: move enum import to correct place
via 21667b9b512 netcmd: models: fix build_expression on SIDField handles security.dom_sid
via cbcc8039d15 netcmd: models: fix build_expression did not work with EnumField
via 9bd7a56364d netcmd: models: fix BooleanField filtering didn't work on FALSE value
via e11aa29ef85 netcmd: models: move expression code to Field class
via d8251cc0ea9 netcmd: models: add AccountType enum to User model
via 884b24dc6d8 netcmd: models: add AccountType IntFlag field
via 4595a1dae37 netcmd: models: EnumField now also supports IntFlag
via 3c8d449ad3d netcmd: models: check for None in build_expression instead
via c2b63fe85ea netcmd: models: change import style to use brackets
via d046f71878e netcmd: models: enums and constants also brought forward
via 05f90fe1e4b netcmd: models: fix docstring was missing param
via d6fe66ddeeb python: Remove ‘typing.Final’
via ecc84aa448a python: do not make use of typing.Final for python 3.6
from 9b2f2302ee4 s3/rpc_client: cleanup unmarshalling of variant types from row columns

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 0e17b9cb19ae1c222ce86855bb348b9bef4dab63
Author: Jo Sutton
Date: Fri Jan 12 13:28:55 2024 +1300

selftest: Fix code spelling

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Feb 8 03:51:51 UTC 2024 on atb-devel-224

commit b415d736f0688d6f6aab982e12a3dc9c15fa2723
Author: Jo Sutton
Date: Fri Jan 12 11:39:11 2024 +1300

s4:dsdb: Fix code formatting

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett

commit cf978d3e9fef1db1b5200de500c81d9de7f87572
Author: Jo Sutton
Date: Fri Jan 12 10:43:39 2024 +1300

s4:dsdb: Avoid buffer overflow in samdb_result_hashes()

Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 5f5a49d78af lib:crypto: Add tests for GKDI key derivation
via 9f16157f104 lib:crypto: Add implementation of GKDI key derivation
via 6d280fac869 tests/krb5: Raise an error if root key data is the wrong length
via 4946ab4c17f tests/krb5: Test that root key data is the correct length in bytes
via 8277d7accf7 tests/krb5: Create root key just for implicit root key tests
via bd3091dfc54 tests/krb5: Check properties of current GKDI key
from b4563a24904 fuzz: allow max size conditional ACE round-trip failure

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 5f5a49d78af938304586bb4ee45aabc5f28f54c3
Author: Joseph Sutton
Date: Fri Dec 22 11:04:51 2023 +1300

lib:crypto: Add tests for GKDI key derivation

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Dec 22 06:31:29 UTC 2023 on atb-devel-224

commit 9f16157f1049677434aadd25b47e338a66099e86
Author: Joseph Sutton
Date: Mon Nov 13 17:08:58 2023 +1300

lib:crypto: Add implementation of GKDI key derivation

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 6d280fac8690eb6985ce477f3f9bb6e5faf3256d
Author: Joseph Sutton
Date: Wed Dec 20 16:39:14 2023 +1300

tests/krb5: Raise an error if root key data is the wrong length

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 4946ab4c17f1d4615a98e4c8d1f5e82456aa5cf7
Author: Joseph Sutton
Date: Wed Dec 20 16:38:33 2023 +1300

tests/krb5: Test that root key data is the correct length in bytes

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 8277d7accf71cad3b33051d8a4d45d74968f35c3
Author: Joseph Sutton
Date: Tue Dec 19 09:38:27 2023 +1300

tests/krb5: Create root key just for implicit root key tests

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit bd3091dfc545cb50734f7c9108be41f5cd4059b6
Author: Joseph Sutton
Date: Tue Dec 19 09:37:40 2023 +1300

tests/krb5: Check properties of current GKDI key
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: lib/crypto/gkdi.c | 375 ++ lib/crypto/gkdi.h | 67 + lib/crypto/test_gkdi_key_derivation.c | 492 ++ lib/crypto/wscript| 12 +- librpc/idl/gkdi.idl | 8 + python/samba/tests/gkdi.py| 13 +- python/samba/tests/krb5/gkdi_tests.py | 75 -- selftest/knownfail.d/gkdi | 1 + selftest/tests.py | 2 + 9 files changed, 1015 insertions(+), 30 deletions(-) create mode 100644 lib/crypto/test_gkdi_key_derivation.c Changeset truncated at 500 lines: diff --git a/lib/crypto/gkdi.c b/lib/crypto/gkdi.c index e049cf96bac..6799dcfd70e 100644 --- a/lib/crypto/gkdi.c +++ b/lib/crypto/gkdi.c 
@@ -18,4 +18,379 @@ along with this program. If not, see <https://www.gnu.org/licenses/>. */ +#include "includes.h" +#include +#include + +#include "lib/crypto/gnutls_helpers.h" + +#include "lib/util/bytearray.h" + +#include "librpc/gen_ndr/ndr_security.h" +#include "librpc/gen_ndr/gkdi.h" +#include "librpc/gen_ndr/ndr_gkdi.h" + #include "lib/crypto/gkdi.h" + +static const uint8_t kds_service[] = { + /* “KDS service” as a NULL‐terminated UTF‐16LE string. */ + 'K', 0, 'D', 0, 'S', 0, ' ', 0, 's', 0, 'e', 0, + 'r', 0, 'v', 0, 'i', 0, 'c', 0, 'e', 0, 0, 0, +}; + +struct GkdiContextShort { + uint8_t buf[sizeof((struct GUID_ndr_buf){}.buf) + sizeof(int32_t) + + sizeof(int32_t) + sizeof(int32_t)]; +}; + +static NTSTATUS make_gkdi_context(const struct GkdiDerivationCtx *ctx, + struct GkdiContextShort *out_ctx) +{ + enum ndr_err_code ndr_err; + DATA_BLOB b = {.data = out_ctx->buf, .length = sizeof out_ctx->buf}; + + if (ctx->target_security_descriptor.length) { + return NT_STATUS_INVALID_PARAMETER; + } + + ndr_err = ndr_push_struct_into_fixed_blob( + &b, ctx, (ndr_push_flags_fn_t)ndr_push_GkdiDerivationCtx); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + + return NT_STATUS_OK; +} + +static NTSTATUS make_gkdi_context_security_descriptor( + TALLOC_CTX *mem_ctx, + const struct GkdiDerivationCtx *ctx, + const DATA_BLOB security_descriptor, +
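Review bot: in lib/crypto/gkdi.c, `struct GkdiContextShort` sizes its buffer by hand as a GUID plus three `int32_t` fields, and `make_gkdi_context()` then depends on `ndr_push_struct_into_fixed_blob()` producing output that fits it. A short comment tying that sum to the fields of `struct GkdiDerivationCtx`, and noting that it only holds because a non-empty `target_security_descriptor` is rejected with NT_STATUS_INVALID_PARAMETER just above, would make the invariant explicit for whoever next changes the IDL. As a style point, the `kds_service` comment says "NULL‐terminated"; "NUL‐terminated" is the usual term for a string terminator, since NULL names the pointer.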
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via b4563a24904 fuzz: allow max size conditional ACE round-trip failure
via 21853b01e65 libcli/security: sddl conditional ACE: write -0 when asked
via 8f0c91f3a83 libcli/security: rearrange conditional ACE sddl_write_int
via 46f61570714 libcli/security: tests for signed zeros in sddl condtional ACEs
via 8a9f395821d librpc: Do not allow u16string to be encoded in a big‐endian context
via 346844b730b librpc: Change type of ‘u16string’ from ‘const uint16_t *’ to ‘const unsigned char *’
via 65db36ca327 librpc: Add missing spaces to error messages
via a38025b3a73 s3/lib: add log_panic_action()
via 85c4d03e38a s3/lib: factor out call_panic_action() from smb_panic_s3()
from 080a62bba87 tests/krb5: Add Python implementation and tests for Group Key Distribution Service

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit b4563a24904e823497552f6e4ef77e8041f2cc5d
Author: Douglas Bagnall
Date: Wed Dec 20 14:26:00 2023 +1300

fuzz: allow max size conditional ACE round-trip failure

The encoder, being cautious not to overstep the arbitrary 1 byte boundary, might not encode an exactly 1 byte condition. This is an off-by-one, but in the safe direction. Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65118

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Fri Dec 22 00:51:13 UTC 2023 on atb-devel-224

commit 21853b01e65f8b79bdf478d4fe470dcb1639cc48
Author: Douglas Bagnall
Date: Wed Dec 20 13:40:15 2023 +1300

libcli/security: sddl conditional ACE: write -0 when asked

Credit to OSS-Fuzz.

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 8f0c91f3a833b24c27e63721ca15838c92a1cea4
Author: Douglas Bagnall
Date: Wed Dec 20 13:38:53 2023 +1300

libcli/security: rearrange conditional ACE sddl_write_int

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 46f61570714fffe43f5328cd46e1d1848a4d5daa
Author: Douglas Bagnall
Date: Wed Dec 20 13:37:29 2023 +1300

libcli/security: tests for signed zeros in sddl condtional ACEs

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65122

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett

commit 8a9f395821d62273e28f32895a4c3116a0606423
Author: Joseph Sutton
Date: Fri Dec 22 09:58:53 2023 +1300

librpc: Do not allow u16string to be encoded in a big‐endian context

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 346844b730b06fe5ad53dc93fc0f4d4470794cb5
Author: Joseph Sutton
Date: Thu Dec 21 11:51:19 2023 +1300

librpc: Change type of ‘u16string’ from ‘const uint16_t *’ to ‘const unsigned char *’

A u16string is supposed to contain UTF‐16 code units, but ndr_pull_u16string() and ndr_push_u16string() fail to correctly ensure this on big‐endian systems. Code that relies on the u16string array containing correct values will then fail. Fix ndr_pull_u16string() and ndr_push_u16string() to work on big‐endian systems, ensuring that other code can use these strings without having to worry about first encoding them to little‐endian.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit 65db36ca327d10344566e2fb4330e19050d645ef
Author: Joseph Sutton
Date: Fri Dec 22 09:54:55 2023 +1300

librpc: Add missing spaces to error messages

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett

commit a38025b3a73b9fe96c9a99adf4dfa5536806c15f
Author: Ralph Boehme
Date: Wed Dec 13 07:57:46 2023 +0100

s3/lib: add log_panic_action()

Can be used to log a nice stack backtrace with full debug symbols by setting "panic action" to something like

panic action = cd /home/slow/git/samba/master && /home/slow/git/samba/master/selftest/gdb_backtrace %d

This is similar to log_stack_trace(), but that doesn't come with debug symbols.

Signed-off-by: Ralph Boehme
Reviewed-by: Andrew Bartlett

commit 85c4d03e38a5c983e7b99ca48c3e262465485a56
Author: Ralph Boehme
Date: Fri Dec 15 07:15:22 2023 +0100

s3/lib: factor out call_panic_action() from smb_panic_s3()

No change in behaviour. Best viewed with git show -w.

Signed-off-by: Ralph Boehme
Reviewed-by: Andrew Bartlett

---

Summary of changes:
lib/fuzzing/fuzz_conditional_ace_blob.c | 11 ++
lib
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 080a62bba87 tests/krb5: Add Python implementation and tests for Group Key Distribution Service via f6bb2d40108 python: Add NT Time utility functions via a5a58918f79 pyglue: Export some GKDI constants via e19d74bb259 pyglue: Export some more HRESULT constants via 9ed2544d9fa pyglue: Fix code spelling via 6369f2cf1be lib:crypto: Add GKDI module with some constants via 44f6bfea5a2 gkdi.idl: Verify magic numbers of pulled GKDI structures via f86d65117ba s4:libcli: Fix conversion from HRESULT and WERROR to Python objects via 1e67be78554 s4:libcli: Remove trailing whitespace via 858f70037bd python:tests: Catch strings passed to utf16_encoded_len() with embedded nulls via 27231a965e3 selftest: Rename ‘samba.unittests.test_gnutls_sp800_108’ to something more consistent with existing tests via f5ae39548b9 gkdi.idl: Add ‘additional_info’ field to KeyEnvelope structure via 183fd79c381 gkdi.idl: Comment on domain and forest name fields via 4b39a3e7753 s3:utils: Do not pass invalid file descriptor to close() (CID 1550131) via dbfb19b7f90 tests/krb5: Remove redundant definitions via 0a65dff4737 ldb: Fix code spelling via dfefdcb1e00 buildtools: Use correct variable in error message via e2146e4a755 lib:cmdline: Fix code spelling via edb4c3b3dd2 pyglue: Remove unnecessary uses of discard_const_p() via 74ca3134b1b python:tests: Don’t needlessly create single‐element tuple via b7df67d0ae3 lib:util: Use portable integer constants via 507ff192630 s3:param: Remove unnecessary use of discard_const_p() via 10553111f0e python:tests: Rename parameter to be consistent with overridden method via 6256ad74426 python:tests: Raise exception of more specific type NotImplementedError via 3b150354534 python:tests: Use ‘False’ in boolean expression rather than ‘None’ via 93379df9778 librpc:ndr: Don’t unnecessarily parenthesize macro arguments via a334ad85b82 lib:util: Remove redundant casts in PUSH_*() macros via 7d88280baaa lib:util: Don’t unnecessarily 
parenthesize macro arguments via 0a62d38b639 lib:util: Cast macro parameter ‘val’ to expected type via 52c29ebc803 lib:util: Parenthesize macro parameters via dac9cd00858 s4:auth: Clarify comment about requiring FAST armor via 58c6e46adac s3:lib: Define TIME_FIXUP_CONSTANT_INT using INT64_C() macro via 26e704d1fa0 lib:util: Define TIME_FIXUP_CONSTANT_INT using INT64_C() macro from 828f3c99122 s3:ctdbd_conn: fix ctdbd_public_ip_foreach() for ipv6 addresses https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 080a62bba875c2a5df7c04703d095142200dad0e Author: Joseph Sutton Date: Fri Dec 8 16:38:21 2023 +1300 tests/krb5: Add Python implementation and tests for Group Key Distribution Service Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Dec 21 21:19:30 UTC 2023 on atb-devel-224 commit f6bb2d40108417d8c163f07f8519ff9ed16dd078 Author: Joseph Sutton Date: Mon Dec 18 19:11:37 2023 +1300 python: Add NT Time utility functions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a5a58918f790dd368470b1a22f718216425bb7d1 Author: Joseph Sutton Date: Tue Dec 12 18:31:34 2023 +1300 pyglue: Export some GKDI constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e19d74bb259c2f9436425587d86cbfcd45a0b144 Author: Joseph Sutton Date: Tue Dec 12 18:31:19 2023 +1300 pyglue: Export some more HRESULT constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9ed2544d9fa658847aef7edf781624dd9cb4f650 Author: Joseph Sutton Date: Tue Dec 12 19:27:17 2023 +1300 pyglue: Fix code spelling Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6369f2cf1bec699296ca2c47b1f9a6a0d60878d0 Author: Joseph Sutton Date: Mon Nov 13 17:08:58 2023 +1300 lib:crypto: Add GKDI module with some constants Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 44f6bfea5a27303d8ffa2f454eb3d991ab5392c4 Author: Joseph Sutton Date: Tue Dec 12 18:27:46 2023 
+1300 gkdi.idl: Verify magic numbers of pulled GKDI structures Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f86d65117ba0c964c64fb58b5a6845561156819c Author: Joseph Sutton Date: Fri Dec 8 15:58:32 2023 +1300 s4:libcli: Fix conversion from HRESULT and WERROR to Python objects The inner values of HRESULT and WERROR are 32‐bit unsigned integers, which might not be representable in type ‘int’. We must then use the ‘k’ format
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
       via  83e36d97c95 netcmd: add shell command
       via  c8ded4621d3 python: use python3 style super statements
       via  3db3251342a netcmd: getpassword: get rid of pointless overridden constructors
       via  ddba4a06bbe python: pep257: docstring should use double quotes
      from  ff52e342887 python: Remove references to removed parameters

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 83e36d97c956c2dba1caef45e0205cb5b1b164f3
Author: Rob van der Linde
Date:   Thu Nov 2 20:28:34 2023 +1300

    netcmd: add shell command

    A simple samba-tool shell, can be quite useful to play around with the
    ldb database and models.

    All models get imported and the samdb connection variable made available.

    Example usage:

    bin/samba-tool shell -H --workgroup --realm

    >>> silos = AuthenticationSilo.query(ldb)
    >>> for silo in silos:
    ...     print(silo)
    ...

    Signed-off-by: Rob van der Linde
    Reviewed-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Dec 15 03:51:55 UTC 2023 on atb-devel-224

commit c8ded4621d399e3561d6043bee4202ff42d50f1a
Author: Rob van der Linde
Date:   Thu Dec 14 15:30:42 2023 +1300

    python: use python3 style super statements

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 3db3251342a9323be3ad3ec36588af7e9268af60
Author: Rob van der Linde
Date:   Thu Dec 14 15:24:29 2023 +1300

    netcmd: getpassword: get rid of pointless overridden constructors

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit ddba4a06bbe236dfecf6ee6fee8493e8ca0c2b14
Author: Rob van der Linde
Date:   Thu Dec 14 15:14:27 2023 +1300

    python: pep257: docstring should use double quotes
Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: docs-xml/manpages/samba-tool.8.xml | 18 +++ python/samba/common.py | 2 +- python/samba/dbchecker.py | 90 +++ python/samba/dnsserver.py | 16 +-- python/samba/drs_utils.py | 27 ++--- python/samba/gp/gp_sec_ext.py | 6 +- python/samba/gp/gpclass.py | 122 ++--- python/samba/gp/util/logging.py| 4 +- python/samba/gp_parse/gp_ini.py| 15 +-- python/samba/idmap.py | 10 +- python/samba/join.py | 56 +- python/samba/kcc/kcc_utils.py | 54 - python/samba/logger.py | 2 +- python/samba/netcmd/common.py | 14 +-- python/samba/netcmd/domain/backup.py | 32 +++--- python/samba/netcmd/drs.py | 12 +- python/samba/netcmd/gpcommon.py| 2 +- python/samba/netcmd/gpo.py | 25 ++--- python/samba/netcmd/main.py| 1 + python/samba/netcmd/rodc.py| 2 +- python/samba/netcmd/shell.py | 74 + python/samba/netcmd/user/readpasswords/common.py | 2 +- .../samba/netcmd/user/readpasswords/getpassword.py | 2 - .../netcmd/user/readpasswords/syncpasswords.py | 2 - python/samba/ntacls.py | 2 +- python/samba/policies.py | 12 +- python/samba/provision/__init__.py | 4 +- python/samba/provision/sambadns.py | 26 ++--- python/samba/samdb.py | 85 +++--- python/samba/subunit/run.py| 8 +- 30 files changed, 404 insertions(+), 323 deletions(-) create mode 100644 python/samba/netcmd/shell.py Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index c05be31b3d3..6b3a73020e3 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml @@ -2406,6 +2406,24 @@ Display an objectclass schema definition. + + shell + Opens an interactive Samba Python shell. + + + + shell [options] + Opens an interactive Python shell for Samba ldb connection. + + + -H, --URL + + LDB URL for database or target server. + + + + + sites Manage sites. d
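Review bot: the new shell entry in docs-xml/manpages/samba-tool.8.xml documents only -H, --URL, while the example usage in the commit message for "netcmd: add shell command" also passes --workgroup and --realm. Either list those options in the entry or point the reader to where the common options are documented, so the manpage and the example agree. The two summaries in the hunk also differ ("Opens an interactive Samba Python shell" against "Opens an interactive Python shell for Samba ldb connection"); one wording used in both places would read better, and it is worth saying in the description that the shell starts with a live samdb connection already made available, as the commit message does.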
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ff52e342887 python: Remove references to removed parameters via f9d4a40 python: Remove unused parameter ‘backup’ via 891e1da968a python: Remove unused parameter ‘serverrole’ via 7750edc14e2 python: Remove unused parameter ‘am_rodc’ via 10d79ef21f7 python: Remove unused parameter ‘am_rodc’ via e67196e13cb python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’ via beefbb277a9 python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’ via 7e7f7d63ed6 python: Remove unused parameter ‘fill’ via 9fbd3435512 python: Remove unused parameter ‘keytab_path’ via 9cc823454ac python: Remove unused parameter ‘erase’ via efaa27c498e python: Remove unused parameter ‘backend_store_size’ via b6dc21169c7 python: Remove unused parameter ‘root_gid’ via 6fdf710ba7e python: Remove unused parameters ‘maxuid’ and ‘maxgid’ via 8c288c6beb6 python: Remove unused parameters ‘maxuid’ and ‘maxgid’ via 8331142081a python: Remove unused parameter ‘name’ via 704ad18bf5b python: Remove unused parameter ‘netlogon’ via eb727331a37 python: Remove unused parameter ‘samdb’ via d9a665a0e44 python: Remove unused parameter ‘lp’ via 24e7220 python: Remove unused parameter ‘message’ via 5132771fb71 python: Remove unused parameter ‘targetdir’ via 8439dcb4842 python: Remove unused parameter ‘backend_store’ via e37dfc29671 python: Remove unused parameter ‘lp’ via 58814bfd392 python: Remove unused parameter ‘lp’ via c692653459b python: Remove unused parameter ‘targetdir’ via 49801372c61 python: Remove unused parameter ‘targetdir’ via a84c5212655 python: Remove unused parameter ‘backend_store’ via 95e0df789c3 python: Remove unused parameter ‘lp’ via 7064e39fae8 python: Remove unused parameter ‘logger’ via a341aca14cb python: Make use of ‘prefix’ parameter via d8b5cb103b1 python: Remove unused parameter ‘lp’ via 7e65a368d66 python: Remove unused parameter ‘targetdir’ via f9b22c6d5e0 python: Make use of ‘serverdn’ parameter via dddaed61ea6 
python: Remove unused variable ‘machinesid’ via dd9dfb0e664 python: Remove unfinished join method via 25f8e507931 libcli/security: allow SDDL conditional ACE round-trip for -00 and -0x0 via 66f341e5c39 libcli/security: allow round-trip for conditional ACE hex integers via d33ed631479 libcli/security: allow round-trip for conditional ACE octal integers via bbe217604bd libcli/security: tests for conditional ACE integer base persistence via b247a11e62e libcli/security: fix tests for SDDL conditional ACE round-trip via db6b06578b6 libcli/security: clarify tests for SDDL round trips via a016ce70684 libcli/security: don't allow conditional ACE SIDs to have trailing bytes via e004a5a444f libcli/security: SDDL decode stops earlier with too many ACEs from 3a01ef710d4 tests: Add a test for the idmap_nss : use_upn setting https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ff52e342887a9a6054580fec238880646302ecb8 Author: Joseph Sutton Date: Fri Dec 1 15:01:16 2023 +1300 python: Remove references to removed parameters Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Dec 14 04:32:31 UTC 2023 on atb-devel-224 commit f9d4a408a4e5a5f193b5f314af1fa1d3a579 Author: Joseph Sutton Date: Thu Nov 23 21:04:07 2023 +1300 python: Remove unused parameter ‘backup’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 891e1da968a41c53ae3e2f24c9837930ce4c1007 Author: Joseph Sutton Date: Thu Nov 23 21:03:57 2023 +1300 python: Remove unused parameter ‘serverrole’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7750edc14e2a4d38873a5157681b881ae1d8785b Author: Joseph Sutton Date: Thu Nov 23 21:03:19 2023 +1300 python: Remove unused parameter ‘am_rodc’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 10d79ef21f708df54098a8fa8051deacc5cd97ae Author: Joseph Sutton Date: Thu Nov 23 21:02:13 2023 +1300 python: Remove unused parameter ‘am_rodc’ Signed-off-by: Joseph 
Sutton Reviewed-by: Andrew Bartlett commit e67196e13cb4d470650291f17df05ea1ad877045 Author: Joseph Sutton Date: Thu Nov 23 21:01:19 2023 +1300 python: Remove unused parameters ‘backend_store’ and ‘backend_store_size’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit beefbb277a95b876e1fa323f9401da531d73ab9b Author: Joseph Sutton Date: Thu Nov 23 20:59:59 2023 +1300 python: Remove u
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f642aff5544 buildtools: Remove ‘keep_underscore’ parameter via 623645963ee buildtools: Remove useless ‘keep_underscore’ parameter via e3ad675303d buildtools: Pass through parameter ‘keep_underscore’ via 45b7a0c13e2 s4:librpc: Fix code spelling via 2e5d75141d7 buildtools: Fix code spelling via cdff2b767ec buildtools: Remove unused parameter ‘env’ from f2f7ed419e0 s3:utils: Fix auth callback with smburl https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f642aff554464b833ec4575464cc481ee9a8d807 Author: Joseph Sutton Date: Mon Nov 13 09:44:26 2023 +1300 buildtools: Remove ‘keep_underscore’ parameter Nothing now passes this in. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Dec 11 02:13:39 UTC 2023 on atb-devel-224 commit 623645963eef05f6ae3141392a6c828f85679ba6 Author: Joseph Sutton Date: Mon Nov 13 09:39:20 2023 +1300 buildtools: Remove useless ‘keep_underscore’ parameter SAMBA_LIBARY()’s ‘keep_underscore’ parameter has an effect only if None is passed in for ‘bundled_name’. However, SAMBA_PLUGIN() always passes in a string for ‘bundled_name’. Therefore ‘keep_underscore’ will never have any effect — remove it. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e3ad675303d21eded172cb692b9313e5dfbbbcca Author: Joseph Sutton Date: Sat Oct 21 12:08:23 2023 +1300 buildtools: Pass through parameter ‘keep_underscore’ This parameter has gone unused until now. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 45b7a0c13e292da5898ca67c4814cf80bd7ae6a4 Author: Joseph Sutton Date: Sat Nov 11 10:03:20 2023 +1300 s4:librpc: Fix code spelling Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2e5d75141d79d1be5495fc423131eeafb9fb6175 Author: Joseph Sutton Date: Sat Oct 21 15:14:04 2023 +1300 buildtools: Fix code spelling 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit cdff2b767ec243bc4c29e4637fc20e7812621bb3 Author: Joseph Sutton Date: Sat Oct 21 14:13:27 2023 +1300 buildtools: Remove unused parameter ‘env’ This parameter goes unused, and nothing passes it in. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: buildtools/wafsamba/wafsamba.py | 15 +-- nsswitch/wscript_build | 2 -- source4/librpc/wscript_build| 2 +- 3 files changed, 6 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index 8c0aa23fe21..858458ae2af 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -109,7 +109,6 @@ def SAMBA_LIBRARY(bld, libname, source, ldflags='', external_library=False, realname=None, - keep_underscore=False, autoproto=None, autoproto_extra_source='', group='main', @@ -141,7 +140,7 @@ def SAMBA_LIBRARY(bld, libname, source, '''define a Samba library''' # We support: -# - LIBRARY: this can be use to link via -llibname +# - LIBRARY: this can be used to link via -llibname # - MODULE: this is module from SAMBA_MODULE() # - PLUGIN: this is plugin for external consumers to be #loaded via dlopen() @@ -298,10 +297,7 @@ def SAMBA_LIBRARY(bld, libname, source, if bundled_name is not None: pass elif target_type == 'PYTHON' or realname or not private_library: -if keep_underscore: -bundled_name = libname -else: -bundled_name = libname.replace('_', '-') +bundled_name = libname.replace('_', '-') else: assert (private_library is True and realname is None) bundled_name = PRIVATE_NAME(bld, libname.replace('_', '-')) @@ -654,7 +650,6 @@ def SAMBA_PLUGIN(bld, pluginname, source, vars=None, subdir=None, realname=None, - keep_underscore=False, autoproto=None, autoproto_extra_source='', install_path=None, 
@@ -1133,7 +1128,7 @@ def INSTALL_WILDCARD(bld, destdir, pattern, chmod=MODE_644, flat=False, python_fixup=python_fixup, base_name=trim_path) Build.BuildContext.INSTALL_WILDCARD = INSTALL_WILDCARD -def INSTALL_DIR(bld, path, chmod=0o755, en
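Review bot: removing keep_underscore=False from the SAMBA_LIBRARY() and SAMBA_PLUGIN() signatures in buildtools/wafsamba/wafsamba.py means any wscript that still passes keep_underscore=... now fails with a TypeError instead of being silently ignored. The commit message says "Nothing now passes this in", but only the wafsamba.py side is visible before the diff is cut off, so the message should say how that was checked (for example a grep over all wscript files). The simplified branch always applies libname.replace('_', '-'), which is what the old code did when keep_underscore was left at its default, so naming for existing callers is unchanged.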
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f2f7ed419e0 s3:utils: Fix auth callback with smburl via 5b38f3be8cb s3:tests: Add interactive smbget test for password entry via a7622bc7db0 auth:creds: Add cli_credentials_get_domain_and_obtained() via 1041dae03f0 auth:creds: Fix cli_credentials_get_password_and_obtained() with callback via ab4b25964a4 auth:creds:tests: Add test for password callback via c46769f3f10 s3:tests: Fix smbget test via 1a04fd255c2 s3:tests: Remove the non-working test_kerberos_upn_denied of smbget via 468fb05d635 s3:tests: Fix the test_kerberos_trust in smbget testsuite via 62b0b79ce06 s3:tests: Fix test_kerberos in smbget tests via 337034e675a s3:tests: Pass down a normal domain user for test_smbget.sh via 56d0c3a0263 selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables via a2af6946f5e selftest: Remove trailing tabs/white spaces in Samba4.pm via c14c5dec09f s3:tests: Fix authentication with smbget_user in smbget tests via 646046cb583 selftest/knownfail: move more parts to expectedfail.d/ntlm-auth via 54f95df693b selftest/knownfail: move some parts to expectedfail.d/ntlm-auth via 5af5f9807d7 selftest/knownfail.d: move encrypted_secrets to expectedfail.d via 2497a4afe50 selftest/knownfail.d: move ntlmv1-restrictions to expectedfail.d via bac2559746f selftest/knownfail.d: move samba-4.5-emulation to expectedfail.d via f60d794666a selftest/knownfail.d: move labdc to expectedfail.d via 3ea40efe046 selftest/knownfail.d: remove empty files via 7a6d9a7217b selftest/knownfail.d: README memntions expectedfail.d via 04ed1206057 selftest: add an expectedfail directory from 992f7625211 selftest: Remove unused import https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2 Author: Andreas Schneider Date: Wed Dec 6 13:16:53 2023 +0100 s3:utils: Fix auth callback with smburl BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett 
Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Sun Dec 10 22:22:51 UTC 2023 on atb-devel-224 commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce Author: Andreas Schneider Date: Wed Dec 6 15:58:08 2023 +0100 s3:tests: Add interactive smbget test for password entry BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit a7622bc7db093558c6f6e3da4d2a899a764dec09 Author: Andreas Schneider Date: Wed Dec 6 13:26:43 2023 +0100 auth:creds: Add cli_credentials_get_domain_and_obtained() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699 Author: Andreas Schneider Date: Wed Dec 6 13:06:42 2023 +0100 auth:creds: Fix cli_credentials_get_password_and_obtained() with callback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit ab4b25964a43a1ef550f10580ad395e178fe647e Author: Andreas Schneider Date: Wed Dec 6 13:16:26 2023 +0100 auth:creds:tests: Add test for password callback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit c46769f3f10d21ed802e17aa79ae17e345168e63 Author: Andreas Schneider Date: Thu Dec 7 09:47:14 2023 +0100 s3:tests: Fix smbget test Time to fix the smget share to not have `guest ok = yes` set. A new [smbget_guest] will be used for guest only tests. This way we can correctly test different authentication mechanisms. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7 Author: Andreas Schneider Date: Thu Dec 7 13:11:46 2023 +0100 s3:tests: Remove the non-working test_kerberos_upn_denied of smbget See TODO code comment for details. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 468fb05d6357779228e411076e286abcdb70cf96 Author: Andreas Schneider Date: Thu Dec 7 11:43:33 2023 +0100 s3:tests: Fix the test_kerberos_trust in smbget testsuite BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 62b0b79ce065246417996dec61afa6a10f6ab99b Author: Andreas Schneider Date: Thu Dec 7 10:51:32 2023 +0100 s3:tests: Fix test_kerberos in
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 992f7625211 selftest: Remove unused import via 5c4ee07ea2e Revert "s4:torture: Increase multichannel timeout" via b4039bf6908 s4:ntvfs: Remove trailing whitespace via 43c375515f2 pymessaging: Remove trailing whitespace via 251f39a9fe6 s4:kdc: Remove unused includes via 0982d030a49 s4:include: Fix code spelling via 3d04f62e179 s4:include: Remove trailing whitespace via b58cd077bc8 s4:dsdb: Fix code spelling via 64f66273292 s4:dsdb: Remove trailing whitespace via 9ebe4de113b s4:dsdb: Use portable integer constant INT64_MAX via e1dc284fed2 s4:dsdb: Use portable integer constant INT64_MAX via 6eec3ae6a65 s4:dsdb: Use portable integer constant INT64_MIN via ccbaaf26067 s4:dsdb: Remove unused includes via e8052ecad0e s4:dsdb: Remove trailing whitespace via 235b518ccf8 s4:auth: Fix code spelling via 513401806e2 s3:rpc_server: Fix code spelling via ed908e937cb s3:modules: Fix code spelling via f27ab6d9f5d s3:include: Fix code spelling via 8a9e07ad864 s3:include: Remove trailing whitespace via 9b06fd8ddae tests/krb5: Remove unused parameter via 2e891f59b8c tests/krb5: Fix indentation via d791bfae772 tests/dcerpc: Remove unused imports via e7a2c4ba64b tests/dcerpc: Correct docstring via 5287411be8d python:tests: Remove leftover debugging message via 49f54e2bd62 python:tests: Remove unused imports via abab561d443 python:tests: Remove unnecessary f‐strings via 2eb7b95de38 python: Add missing word to comment via c7ab99a8668 python: Fix code spelling via b82abfe00cc gp: Remove unused import via c62d17dbe70 security.idl: Remove trailing whitespace via e05c3477fc4 librpc: Fix code spelling via 4846ebbd8a6 librpc: Remove trailing whitespace via 6e998655835 libcli/security: Fix code spelling via b3199f2a696 libcli/security: Remove unused includes via 8aa164ce403 util/data_blob: Fix code spelling via c07f72a531a util/data_blob: Remove trailing whitespace via 1947bd6d6d9 util/charset: Remove trailing whitespace via a56bf3fa261 lib/torture: 
Remove trailing whitespace via 0691a112f6d talloc: Fix documentation via ac860150413 lib/fuzzing: Fix code spelling via f6bc1ad9667 ldb: Fix code spelling via 2a9e8849ad4 lib:crypto: Remove unused Rijndael cipher header via 7658c9bf0a9 lib:crypto: Remove redundant array zeroing via af2b5f46b9a docs-xml: Fix code spelling via cec6c7e233c ctdb: Fix code spelling via 265e3699ac3 ctdb: Remove trailing whitespace via 18d9873e5d7 buildtools: Update docstring to be more accurate via e607a59c806 auth:gensec: Zero digest array in error case via 60e9e3e01cd tests/ndr: Add tests for Group Key Distribution Service blobs via 2cb6e37e5b5 gkdi.idl: Add definitions for the Group Key Distribution Service via 261d3ade8dd python:tests: Permit newer copyright notice from 763b2efe69d s3:utils: Fix setting the debug level https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 992f76252114c09ddaad0204edd97af8043425b3 Author: Joseph Sutton Date: Thu Nov 9 10:55:24 2023 +1300 selftest: Remove unused import Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Dec 8 03:25:20 UTC 2023 on atb-devel-224 commit 5c4ee07ea2eaa5b5d307b467f5b829547f5a3da8 Author: Joseph Sutton Date: Thu Nov 30 11:57:08 2023 +1300 Revert "s4:torture: Increase multichannel timeout" This reverts commit c6d0df787a1f6007e1f4594f68ff1f75a46bd293. Said commit did not help with GitLab CI timeouts, but just made the CI pipeline take longer when the test did time out. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b4039bf69089feb5ba5d185fcf54696e4c3c005d Author: Joseph Sutton Date: Tue Oct 24 16:24:03 2023 +1300 s4:ntvfs: Remove trailing whitespace Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 43c375515f281f94ceabf678f80ef90884fe4f00 Author: Joseph Sutton Date: Tue Nov 14 13:07:01 2023 +1300 pymessaging: Remove trailing whitespace Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 251f39a9fe637964da28bc2908ba9dcce0bbf9f3 Author: Joseph Sutton Date: Mon Dec 4 19:25:33 2023 +1300 s4:kdc: Remove unused includes Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0982d030a49ca903733873ca99d112b4cf2662b4 Author: Joseph Sutton Date: Thu Nov 9 16:02:59 2023 +1300 s4:include: Fix code spelling Signed-o
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 763b2efe69d s3:utils: Fix setting the debug level via e5fe856e76e s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file via 40de9033650 pycredentials: Properly check type in creds.set_nt_hash() and samr.encrypt_samr_password() from 00034d02289 s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 763b2efe69dc74e1c0cd954607031012f832486d Author: Andreas Schneider Date: Wed Dec 6 08:48:34 2023 +0100 s3:utils: Fix setting the debug level BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Dec 7 05:33:21 UTC 2023 on atb-devel-224 commit e5fe856e76eba26e3b85a391bcea02dfe045c26e Author: Andreas Schneider Date: Tue Dec 5 15:46:48 2023 +0100 s3:tests: Add smbget test for smb://DOAMIN;user%password@server/share/file This is supported according to the smbget manpage! BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 40de90336506233994a57cbde7a107e26ffe22bf Author: Andrew Bartlett Date: Thu Dec 7 15:50:43 2023 +1300 pycredentials: Properly check type in creds.set_nt_hash() and samr.encrypt_samr_password() We should not be just doing a talloc type check, we should check the python type first. Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton --- Summary of changes: auth/credentials/pycredentials.c| 10 ++ auth/credentials/wscript_build | 3 ++- source3/script/tests/test_smbget.sh | 20 source3/utils/smbget.c | 6 +- 4 files changed, 37 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 8e7d8ae7b56..a27e02d1aa5 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c 
@@ -568,6 +568,11 @@ static PyObject *py_creds_set_nt_hash(PyObject *self, PyObject *args) } obt = _obt; + if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) { + /* py_check_dcerpc_type sets TypeError */ + return NULL; + } + pwd = pytalloc_get_type(py_cp, struct samr_Password); if (pwd == NULL) { /* pytalloc_get_type sets TypeError */ @@ -1073,6 +1078,11 @@ static PyObject *py_creds_encrypt_samr_password(PyObject *self, return NULL; } + if (!py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password")) { + /* py_check_dcerpc_type sets TypeError */ + return NULL; + } + pwd = pytalloc_get_type(py_cp, struct samr_Password); if (pwd == NULL) { /* pytalloc_get_type sets TypeError */ diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build index 7568554df4d..83c6e8ca5a0 100644 --- a/auth/credentials/wscript_build +++ b/auth/credentials/wscript_build @@ -27,12 +27,13 @@ bld.SAMBA_SUBSYSTEM('CREDENTIALS_CMDLINE', source='credentials_cmdline.c', deps='samba-credentials') +pyrpc_util = bld.pyembed_libname('pyrpc_util') pytalloc_util = bld.pyembed_libname('pytalloc-util') pyparam_util = bld.pyembed_libname('pyparam_util') bld.SAMBA_PYTHON('pycredentials', source='pycredentials.c', -public_deps='samba-credentials %s %s CREDENTIALS_CMDLINE CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pytalloc_util, pyparam_util), +public_deps='samba-credentials %s %s %s CREDENTIALS_CMDLINE CREDENTIALS_KRB5 CREDENTIALS_SECRETS' % (pyrpc_util, pytalloc_util, pyparam_util), realname='samba/credentials.so' ) diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh index 46c1f4a68a5..bdc62a71eff 100755 --- a/source3/script/tests/test_smbget.sh +++ b/source3/script/tests/test_smbget.sh 
@@ -145,6 +145,22 @@ test_singlefile_smburl() return 0 } +test_singlefile_smburl2() +{ + clear_download_area + $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile" + if [ $? -ne 0 ]; then + echo 'ERROR: RC does not match, expected: 0' + return 1 + fi + cmp --silent $WORKDIR/testfile ./testfile + if [ $? -ne 0 ]; then + echo 'ERROR: file content does not
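Review bot: the py_check_dcerpc_type(py_cp, "samba.dcerpc.samr", "Password") guard added to py_creds_set_nt_hash() and py_creds_encrypt_samr_password() in auth/credentials/pycredentials.c comes without a regression test; the summary of changes lists only pycredentials.c, wscript_build, test_smbget.sh and smbget.c. A Python test that passes an object of some other type to creds.set_nt_hash() and samr.encrypt_samr_password() and asserts TypeError would keep the check from being dropped later. The same five-line block is pasted into both functions, so a small static helper that does the Python type check and then pytalloc_get_type() would stop the two copies drifting apart.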
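Review bot: test_singlefile_smburl2() in source3/script/tests/test_smbget.sh builds the URL as smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile, while the commit subject names the form smb://DOAMIN;user%password@server/share/file. If the % separator is the case that regressed, this test does not exercise it; switch the separator or add a second case for it. $WORKDIR is also unquoted in cmp --silent $WORKDIR/testfile ./testfile, which breaks when the work directory path contains whitespace.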
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b12a33e2251 third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07) via f65a17e7abb lib:crypto: Use bytearray macros from 83edfcff5cc vfs_ceph: call 'ceph_fgetxattr' only if valid fd https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b12a33e225197ec71285586ec44140b421f2e5c6 Author: Andrew Bartlett Date: Wed Nov 29 22:46:28 2023 +1300 third_party/heimdal: import lorikeet-heimdal-202311290849 (commit 84fb4579594a5fd8f8462450777eb24d5832be07) Some of our pending PRs for Heimdal were recently accepted, so this brings in a new update (mostly improved spelling). Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 30 21:25:56 UTC 2023 on atb-devel-224 commit f65a17e7abb83b2d352fd7f75d3a32b7a729b76c Author: Andreas Schneider Date: Thu Nov 30 08:32:45 2023 +0100 lib:crypto: Use bytearray macros Do not use old macros which are not descriptive by the name. 
Signed-off-by: Andreas Schneider Reviewed-by: Joseph Sutton --- Summary of changes: lib/crypto/gnutls_sp800_108.c | 4 +- third_party/heimdal/kdc/kerberos5.c| 17 +++--- third_party/heimdal/kdc/krb5tgs.c | 2 +- third_party/heimdal/kdc/pkinit.c | 10 ++-- third_party/heimdal/kuser/kinit.c | 2 +- third_party/heimdal/lib/base/json.c| 2 +- third_party/heimdal/lib/hdb/ext.c | 8 +-- third_party/heimdal/lib/hx509/cert.c | 26 - third_party/heimdal/lib/hx509/cms.c| 64 +++--- third_party/heimdal/lib/hx509/crypto-ec.c | 2 +- third_party/heimdal/lib/hx509/crypto.c | 4 +- third_party/heimdal/lib/hx509/hx509_err.et | 2 +- third_party/heimdal/lib/hx509/req.c| 2 +- third_party/heimdal/lib/hx509/revoke.c | 32 +-- third_party/heimdal/lib/hx509/test_cms.in | 2 +- third_party/heimdal/lib/kadm5/bump_pw_expire.c | 7 ++- third_party/heimdal/lib/krb5/cache.c | 4 +- third_party/heimdal/lib/krb5/crypto.c | 10 ++-- third_party/heimdal/lib/krb5/digest.c | 2 +- third_party/heimdal/lib/krb5/init_creds_pw.c | 34 ++-- third_party/heimdal/lib/krb5/krb5.conf.5 | 3 +- third_party/heimdal/lib/krb5/krb5_err.et | 2 +- third_party/heimdal/lib/krb5/pac.c | 4 +- third_party/heimdal/lib/krb5/pkinit.c | 16 +++--- third_party/heimdal/lib/krb5/store.c | 34 ++-- third_party/heimdal/lib/roken/parse_time-test.c| 1 + third_party/heimdal/lib/wind/utf8.c| 8 +-- third_party/heimdal/po/heimdal_krb5/de.po | 2 +- .../heimdal/po/heimdal_krb5/heimdal_krb5.pot | 2 +- third_party/heimdal/po/heimdal_krb5/sv_SE.po | 2 +- 30 files changed, 159 insertions(+), 151 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/crypto/gnutls_sp800_108.c b/lib/crypto/gnutls_sp800_108.c index dc04354d3d2..65710657bae 100644 --- a/lib/crypto/gnutls_sp800_108.c +++ b/lib/crypto/gnutls_sp800_108.c 
@@ -41,7 +41,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part( static const uint8_t zero = 0; int rc; - RSIVAL(buf, 0, i); + PUSH_BE_U32(buf, 0, i); rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf)); if (rc < 0) { return gnutls_error_to_ntstatus(rc, @@ -69,7 +69,7 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part( return gnutls_error_to_ntstatus( rc, NT_STATUS_HMAC_NOT_SUPPORTED); } - RSIVAL(buf, 0, L); + PUSH_BE_U32(buf, 0, L); rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf)); if (rc < 0) { return gnutls_error_to_ntstatus( diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c index 76cecd3e12f..5991711a289 100644 --- a/third_party/heimdal/kdc/kerberos5.c +++ b/third_party/heimdal/kdc/kerberos5.c @@ -1125,7 +1125,7 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa) ret = pa_enc_ts_decrypt_kvno(r, kvno, &enc_data, &ts_data, &pa_key); if (ret == KRB5KDC_ERR_ETYPE_NOSUPP) { char *estr; - _kdc_set_e_text(r, "No key matching entype"); + _kdc_set_e_text(r, "No key matching enctype"); if(krb5_enctype_to_string(r->context, enc_data.etype, &estr)) estr = NULL; if(estr == NULL) @@
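Review bot: In the @@ -41,7 hunk of lib/crypto/gnutls_sp800_108.c (and again at @@ -69,7 for L), `PUSH_BE_U32(buf, 0, i)` is followed directly by `gnutls_hmac(hmac_hnd, buf, sizeof(buf))`, so the bytes that reach the HMAC are only right if buf is exactly four bytes wide, and its declaration is outside the visible context. Please confirm that, and consider a one-line comment at each site saying that the counter i and the length L enter the KDF input as 32-bit big-endian values, which is what the new macro name now spells out. The commit message presents this as a rename only; the NIST test-vector test added in 72c6f38e9fe is the place that would show a difference in the derived key if there were one.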
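Review bot: The corrected string in the pa_enc_ts_validate() hunk of third_party/heimdal/kdc/kerberos5.c, "No key matching enctype", is the text passed to _kdc_set_e_text() on KRB5KDC_ERR_ETYPE_NOSUPP, so any test expectation or log filter that matches the old misspelled "entype" wording will stop matching. Suggest searching the tree for the old string before this lands. As the file sits under third_party/heimdal, the wording should also stay in step with the imported lorikeet-heimdal commit rather than be changed locally.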
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via af53df6cd6e python/samba/tests: Fix incorrect super-class in cred_opt.py setUp() via 0f2ff51a4b4 python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py via 42e78285632 python: Correct Python2 super() calls that called the wrong class via 6ac48336780 python: tests: update all super calls to python 3 style in tests via e8fda61a57f python: get rid of pointless empty overridden methods via 983f222e382 python: Use constants from hresult.h for python constants via b14ead30da3 python: move HRES_SEC_* constants to samba module via 1a45e49b5f6 python: tests: make HRES_SEC_E_* constant an int via 6bcfcacd536 python: PEP275: docstrings should always use double quotes via 35d71bfc6f5 python: fix missing colon around param in docstring from 72c6f38e9fe lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit af53df6cd6e21f7394bb4b638e398588c8495127 Author: Andrew Bartlett Date: Thu Nov 30 13:31:33 2023 +1300 python/samba/tests: Fix incorrect super-class in cred_opt.py setUp() This will allow TEST_DEBUG_LEVEL to work in this test. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 30 02:03:05 UTC 2023 on atb-devel-224 commit 0f2ff51a4b4884ada7335cba73dc516e8475f356 Author: Andrew Bartlett Date: Thu Nov 30 13:28:56 2023 +1300 python/samba/tests: Fix incorrect superclass in test_min_domain_uid.py This was not intentional as far as can be determined. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 42e7828563220f7c7f281f68c3cdcd529e6f6ef8 Author: Andrew Bartlett Date: Thu Nov 30 13:22:18 2023 +1300 python: Correct Python2 super() calls that called the wrong class These changes have been checked as safe as skipping a superclass has no actual impact. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 6ac48336780813cd5cb0cd9e5b5f1355aa342096 Author: Rob van der Linde Date: Tue Nov 28 16:38:22 2023 +1300 python: tests: update all super calls to python 3 style in tests Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett [abart...@samba.org Some python2 style super() calls remain due to being an actual, even if reasonable, behaviour change] commit e8fda61a57fbec996aa05eff8e696057237c7be0 Author: Rob van der Linde Date: Tue Nov 28 15:59:41 2023 +1300 python: get rid of pointless empty overridden methods Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 983f222e382dfd2cf9df202f0645bdb1ec8a62ed Author: Andrew Bartlett Date: Thu Nov 30 10:37:13 2023 +1300 python: Use constants from hresult.h for python constants This encourages us to keep a single source for constants. In the future this should be a generated python file like for ntstatus. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit b14ead30da3fa6a12412ce97724daebb3cc3ebfa Author: Rob van der Linde Date: Tue Nov 28 15:13:21 2023 +1300 python: move HRES_SEC_* constants to samba module Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 1a45e49b5f6286f8a5071536e5a780322b7e1e9c Author: Rob van der Linde Date: Wed Nov 29 16:00:13 2023 +1300 python: tests: make HRES_SEC_E_* constant an int Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 6bcfcacd536f8fb82aacd533f39b74e663bd343d Author: Rob van der Linde Date: Tue Nov 28 15:11:12 2023 +1300 python: PEP275: docstrings should always use double quotes Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 35d71bfc6f5cf379ac64a289bf97a6e4ddac1d20 Author: Rob van der Linde Date: Tue Nov 28 15:02:00 2023 +1300 python: fix missing colon around param in docstring Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett --- Summary of changes: python/pyglue.c| 5 ++ python/samba/__init__.py | 5 +- python/samba/tests/__init__.py | 6 +- python/samba/tests/audit_log_base.py | 2 +- python/samba/tests/audit_log_dsdb.py | 4 +- python/samba/tests/audit_log_pass_change.py| 5 +- python/samba/tests/auth.py
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 72c6f38e9fe lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors via 017c90e1bac lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key() via cd1168a1319 lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths via 6b5ccd25083 lib:crypto: Clean up HMAC handle in one place via b1c6a93085a lib:crypto: Add missing call to gnutls_hmac_deinit() via 19f2365c6a0 lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key() via 014f606099b lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key() via 5f5b5b75ca5 lib:crypto: Add tests for samba_gnutls_sp800_108_derive_key() via 04b6dc8d0bb lib:crypto: Add samba_gnutls_sp800_108_derive_key() via 2c4b014b9ae lib:crypto: Remove unused variable via 768178be708 lib:crypto: Remove unused imports via 30be2446ed1 libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation() via b5b21579844 libcli/auth: Return more consistent status code on gnutls HMAC failure via 150a6ca38ab auth/gensec: Return more consistent status codes on gnutls hashing failure via 1e07da1cfe1 s4:utils: Use correct enumeration constant via 33167207d24 s4:utils: Remove trailing whitespace via 99ded98b394 s4:libcli: Call correct function to get HMAC output length via 769b6527526 s4:libcli: Remove trailing whitespace via 5d53ac8af07 libcli/smb: Call correct function to get HMAC output length via 2482a714cf2 libcli/auth: Call correct function to get HMAC output length via cee483fd4a0 libcli/auth: Use correct enumeration constant via 4bb031f8755 libcli/smb: Include missing headers via acb67bd93ed selftest: Remove knownfail entries for non‐existent tests via 187d3baab3c librpc:ndr: Use correct libndr flags type via 79f6da42128 librpc:ndr: Remove trailing whitespace via 5571116ba0a docs-xml: Add missing closing parenthesis via e3f81fa71ee pidl: Make sure to cast whole expressions via 59b94325248 conditional_ace.idl: Fix undefined 
shift via 3da132a8dfb pidl: Fix subscripts of dereferenced arrays via dbc9c9bd128 pidl: Remove unneeded casts via 561537adbbb pidl: Fix grammar in warning message via 25988f5d259 pidl: Remove trailing whitespace via 9d7bce5bbbd pidl: Remove unused imports from c4a5d4eb62f third_party: Update waf to version 2.0.26 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 72c6f38e9fe158ab639622da7a8a29d666b992b1 Author: Joseph Sutton Date: Thu Nov 23 16:54:12 2023 +1300 lib:crypto: Add test for samba_gnutls_sp800_108_derive_key() using NIST test vectors Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 30 01:03:29 UTC 2023 on atb-devel-224 commit 017c90e1bac09afb33fbd4b6b87208f27f692820 Author: Joseph Sutton Date: Wed Nov 29 15:46:30 2023 +1300 lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key() Our code won’t use this, but NIST’s test vectors are based on handing a fixed buffer to the key derivation function. View with ‘git show -b’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit cd1168a131931abb7043f5b108da9aaa2094e391 Author: Joseph Sutton Date: Wed Nov 29 12:44:10 2023 +1300 lib:crypto: Have samba_gnutls_sp800_108_derive_key() support various output key lengths View with ‘git show -b’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6b5ccd2508312e9c89262a123203c8eb7e25839d Author: Joseph Sutton Date: Wed Nov 29 12:27:03 2023 +1300 lib:crypto: Clean up HMAC handle in one place This is less error prone than having to ensure it’s cleaned up in every error path. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b1c6a93085a3eb324976375be6e441be28c9f846 Author: Joseph Sutton Date: Wed Nov 29 12:29:58 2023 +1300 lib:crypto: Add missing call to gnutls_hmac_deinit() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 19f2365c6a0cbc07d9e2301c3ab205b00787830e Author: Joseph Sutton Date: Wed Nov 29 12:28:10 2023 +1300 lib:crypto: Add common out path to samba_gnutls_sp800_108_derive_key() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 014f606099b787cb13f965aa2950399c75767033 Author: Joseph Sutton Date: Wed Nov 29 11:49:19 2023 +1300 lib:crypto: Split out core of samba_gnutls_sp800_108_derive_key() We are going to need to alter the structure of this function a little bit. Signed-off-by
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e2651628844 tests: claims blackbox: add device and server silo restrictions test via 834fc223e2e python: tests: claims blackbox tests use ntstatus constants via 0d907a02141 tests: claims blackbox: use raw strings rather than escaping \ via dc74cabaa4d tests: claims: blackbox device tests via 64212a371be selftest: Run samba.tests.gensec in an enviroment build also with MIT Krb5 via c49fd98ed7a s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials via 0293d233bf2 python/tests: Add test for creds.set_krb5_fast_credentials() via ebdb1f6b43a python/tests: Lock in key-word arguments as key-word only in samba.tests.gssapi via 61b0397de20 python/tests: Import samba.gensec, not gensec via cc2c9b2a1e7 auth/credentials: Add Python bindings for association of a connection for FAST via bed1893a75e auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST via dbb682f5fac build: Add build time detection for the MIT FAST ccache API via 6222d572eec third_party/heimdal: Provide krb5_init_creds_opt_set_fast_ccache() and krb5_init_creds_opt_set_fast_flags() (import lorikeet-heimdal-202311290114 (commit 4c8517e161396330c76240bf09609a0dd5f9ea20)) from a757a51a26f libcli/security: note suboptimality of conditional ACE Contains operators https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e2651628844d6a4262de4093770d958fc1ee4535 Author: Rob van der Linde Date: Tue Nov 28 13:05:33 2023 +1300 tests: claims blackbox: add device and server silo restrictions test Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Nov 29 04:15:27 UTC 2023 on atb-devel-224 commit 834fc223e2e3a9c07e1df57cf7f4ae39afb13db2 Author: Rob van der Linde Date: Wed Nov 29 11:37:42 2023 +1300 python: tests: claims blackbox tests use ntstatus constants Signed-off-by: Rob van der Linde Reviewed-by: 
Andrew Bartlett Reviewed-by: Douglas Bagnall commit 0d907a021415d1a94469faf3fcd301022979fefc Author: Rob van der Linde Date: Tue Nov 28 12:46:53 2023 +1300 tests: claims blackbox: use raw strings rather than escaping \ Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit dc74cabaa4d7ec52c9d33b19aaafe4272de249a5 Author: Rob van der Linde Date: Tue Nov 21 16:27:09 2023 +1300 tests: claims: blackbox device tests Signed-off-by: Rob van der Linde Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 64212a371be2c262338d604944cc73b397913fdb Author: Andrew Bartlett Date: Tue Nov 28 17:07:15 2023 +1300 selftest: Run samba.tests.gensec in an enviroment build also with MIT Krb5 We would like confidence that the FAST hooks work with both implementations. Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit c49fd98ed7a547fe37b354d93671a9d2f05c8b34 Author: Andrew Bartlett Date: Mon Nov 20 14:12:19 2023 +1300 s4-auth/kerberos: Use FAST credentials for armor if specified in cli_credentials Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 0293d233bf206fabe1e209548c0c44d511f9e73f Author: Andrew Bartlett Date: Mon Nov 20 12:17:57 2023 +1300 python/tests: Add test for creds.set_krb5_fast_credentials() Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit ebdb1f6b43af4141bf598f6dffdc47df94401336 Author: Andrew Bartlett Date: Mon Nov 20 12:42:15 2023 +1300 python/tests: Lock in key-word arguments as key-word only in samba.tests.gssapi Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit 61b0397de2031813bdcf35a742eeba2dc9c5f9b9 Author: Andrew Bartlett Date: Mon Nov 20 13:02:21 2023 +1300 python/tests: Import samba.gensec, not gensec This allows this function to be used by gensec.py (a test) without collision. 
Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit cc2c9b2a1e72802675a6e0494679774b920abe8c Author: Andrew Bartlett Date: Mon Nov 20 12:16:04 2023 +1300 auth/credentials: Add Python bindings for association of a connection for FAST Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit bed1893a75e7bf5e7b607fb1bc5712e3175d17a9 Author: Andrew Bartlett Date: Fri Nov 17 17:41:53 2023 +1300 auth/credentials: Add API to allow requesting a Kerberos ticket to be protected with FAST Signed-off-by: Andrew Bartlett Reviewed-by: Douglas Bagnall commit dbb682f5fac1094bfd5ad70c35bfe9e9c877b935 Author: Andrew Bartlett Date: Tue Nov 28
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a757a51a26f libcli/security: note suboptimality of conditional ACE Contains operators via 2eb00c0bba5 libcli/security: comparability check: claim members are of one type via 55999b7b7b2 libcli/security: shift comparability check to shortcut exits via 6c6f25904ee libcli/security: add shortcuts for conditional ACE compare via 8bad19c42e1 libcli/security: improve conditional ACE composite comparison via 6a07d2fe44e libcli/security: separate out claim_v1_to_ace_composite_unchecked() via e338625ebf1 libcli/security: avoid leak on SDDL encode failure via 4f56c702834 libcli/security: claim_v1_to_ace_token(): avoid unnecessary re-sort via e223ce4a930 libcli/security: add_claim_to_token() re-sorts/checks claims via 843fd4d15f7 libcli/security: resource attribute claims use claim_v1_check_and_sort() via 8074257c3ae libcli/security: wire claim conversion uses claim_v1_check_and_sort() via 4b032d25584 libcli/security: claim_v1_check_and_sort(): add all types via a19f914fb9f libcli/security: begin claim_v1_check_and_sort with Boolean checks via 4ebb488e512 libcli/security: don't allow two NULL string claims via 1c88dfc6ac5 libcli/security: wire claims conversion: remove strings uniqueness check via 08096fd5b40 libcli/security: int wire claims drop uniqueness check via 10fd3e5836c libcli/security: simplify wire claim conversion mem, 3/3: rm tmp_ctx via d7da41a9bef libcli/security: simplify wire claim conversion mem, 2/3: one tree via 7656d133345 libcli/security: simplify wire claim conversion mem, 1/3: avoid NULL parent via a836ad14422 pytest: conditional_ace_claims tests large composite comparisons via cea44421ebc libcli/security/sddl: improve some SDDL error messages via bc9da956822 pytest: conditional_ace_claims: write_c_test_on_failure() copes with claims via 4cc91d28283 pytest: token_factory note that a flag is not set via 51d9444baa0 pytest: token_factory copes with empty claims via f9f87247188 pytest: token_factory claims can have 
case_sensitive flag via adf695aa343 pytest: token_factory separate out list_to_claim() helper via fc480144292 libcli/security: sddl_conditional_ace: check a talloc_new() via 78506e1752a libcli/security: conditional ACE sddl writers take const tokens via 33d2deec514 lib/security:CA: tokens_are_comparable() accepts NULL operator via 6e15a20228c libcli/security: CA: tokens_are_comparable() considers the obvious via fc890742ab4 libcli/security: add test_claims_conversion via da077b84862 libcli/security: test_run_conditional_ace tests more comparisons via 2f40583ab2f libcli/security: test_run_conditional_ace can set debug levels via e81e0706388 librpc/idl:security: add claims flag indicating orderly and unique members via a8f83fe8a2f librpc/idl:security: add a couple of claims flags via f4ea27b84a5 librpc/idl:condtional_ace: shift CONDITIONAL_ACE_FLAG_TOKEN_FROM_ATTR to last bit via 6aa6ef4b7c1 librpc/idl:conditional_ace: make a flags field 32 bit via ca572691622 libcli/security: remove redundant claim SID size check via fa96bbbe816 libcli/security: avoid leak when converting SID claims from 8f42b8431ef s3: smbd: Allow fchmod from the NFS-style mode ACL in set_nt_acl() for a SMB2 POSIX handle. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a757a51a26f664591ab776db99bf48acfa698591 Author: Douglas Bagnall Date: Sat Nov 25 12:55:09 2023 +1300 libcli/security: note suboptimality of conditional ACE Contains operators The Contains and Any_of operators could use a sorted comparison like compare_composites_via_sort(), rather than O(n²) nested loops. But that would involve an amount of quite fiddly work that I am not starting on now. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 27 23:38:13 UTC 2023 on atb-devel-224 commit 2eb00c0bba5ed1abaa15c1511c6012da56a78604 Author: Douglas Bagnall Date: Thu Nov 23 13:03:15 2023 +1300 libcli/security: comparability check: claim members are of one type We know from the way claims are defined, and from the code that checks sortedness and sets the flag. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 55999b7b7b2b423eea3c26425c09130059bb4fd9 Author: Douglas Bagnall Date: Thu Nov 23 13:01:49 2023 +1300 libcli/security: shift comparability check to shortcut exits The ordinary comparison path, using the sorted arrays, already implicitly checks for comparability. We only need this
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0b74adb3f01 samba-tool: Improve help messages for "samba-tool domain auth policy" via 828d534c47f docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs via 9c5a7d12445 netcmd: auth: set better metavar that matches the docs from 14b17c3de6d libcli/security/tests: gunzip the oversized-acls test vectors https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 0b74adb3f01e8211f13391f021792799d528ebba Author: Andrew Bartlett Date: Thu Nov 23 17:31:23 2023 +1300 samba-tool: Improve help messages for "samba-tool domain auth policy" Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 27 04:05:46 UTC 2023 on atb-devel-224 commit 828d534c47fbee23349107e09f60b530a24cbd55 Author: Andrew Bartlett Date: Thu Nov 23 12:47:04 2023 +1300 docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs Signed-off-by: Andrew Bartlett Reviewed-by: Joseph Sutton commit 9c5a7d1244554136d1fc4f556b6f1bf91df61a7f Author: Rob van der Linde Date: Thu Nov 23 14:08:04 2023 +1300 netcmd: auth: set better metavar that matches the docs Signed-off-by: Rob van der Linde Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: docs-xml/manpages/samba-tool.8.xml| 346 +- python/samba/netcmd/domain/auth/policy.py | 81 --- python/samba/netcmd/domain/auth/silo.py | 18 +- 3 files changed, 212 insertions(+), 233 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index e96ee4fc048..227fd291eb0 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -723,8 +723,13 @@ --user-allow-ntlm-auth - Allow NTLM network authentication when user - is restricted to selected devices. + Allow NTLM and + Interactive NETLOGON SamLogon + authentication despite the + fact that + allowed-to-authenticate-from + is in use, which would + otherwise restrict the user to selected devices. @@ -732,10 +737,19 @@ --user-allowed-to-authenticate-from - Conditions user is allowed to authenticate from. + Conditions a device must meet + for users covered by this + policy to be allowed to + authenticate. While this is a + restriction on the device, + any conditional ACE rules are + expressed as if the device was + a user. - Must be a valid SDDL string. + Must be a valid SDDL string + without reference to Device + keywords. Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) @@ -746,7 +760,11 @@ --user-allowed-to-authenticate-from-silo - User is allowed to authenticate from a given silo. + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given silo. This attribute avoids the need to write SDDL by hand and @@ -755,24 +773,54 @@ -
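Review bot: In the @@ -723,8 hunk for --user-allow-ntlm-auth, the new sentence refers to the restriction as "allowed-to-authenticate-from", which is not the name a reader will find in this man page; the option documented in the next entry is --user-allowed-to-authenticate-from. Suggest using the full option name, and shortening "despite the fact that ... is in use" to "even when ... is set", so the exception this flag grants for NTLM and Interactive NETLOGON SamLogon is stated in one plain clause.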
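Review bot: In the @@ -732,10 hunk for --user-allowed-to-authenticate-from, "Must be a valid SDDL string without reference to Device keywords" does not say which keywords are meant, and the sentence before it ("expressed as if the device was a user") is easy to misread as applying to the user account. Suggest stating the rule once and directly: the condition is evaluated against the device, so it is written with the user-form operators, as the retained example does with Member_of. Pointing at that example from the sentence would remove the ambiguity.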
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 14b17c3de6d libcli/security/tests: gunzip the oversized-acls test vectors via 19129660dfe libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs via cf295c94aad libcli/security:sddl: remove vestiges of shared conditional/resource ACE SID parsing via 20ffec711d6 libcli/security: improve error messages in RA ACE SDDL via dc60891de9f libcli/security: conditional ACE sid parser no longer expects RA ACEs via 0a2e335e378 libcli/security: parse resource attribute ace SIDs separately via 79292c8d1ef libcli/security/sddl: write RA octet strings the Windows way via 38e7b4dcbdb libcli/security: add a parser for resource attribute ACE byte strings via 9ef71399cee libcli/security: sddl_conditional_ace: remove check_resource_attr_type() via 059610a62e5 libcli/security: sddl_conditional_ace: add parse_bool for RA aces via 800f770e111 libcli/security: sddl_conditional_ace: add parse_uint for RA aces via 33caae43812 libcli/security: un-invert parse_resource_attr_list, check type first via cda9371b59c libcli/security/test_sddl_conditional_ace: adjust RA octet parse tests via 4ab9cb19074 libcli/security:sddl_condtional_ace: log compiler errors at some debug levels via f18ffd11829 libcli/security: initialise conditional ACE token flags via 8e3be66a496 pytest: security_descriptors tests get enumerator in name via 5e925f9755f dosmode: prefer capabilities over become_root via 1dd81928a2f libgpo: fix wrong lineending in admx files from f5c76c3c814 Revert "README.Coding.md: add DBG_STARTUP_NOTICE macro" https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 14b17c3de6d478d1c86d23996f9c0acb7f2c07e1 Author: Douglas Bagnall Date: Fri Nov 24 17:15:55 2023 +1300 libcli/security/tests: gunzip the oversized-acls test vectors These are just as readable with `less` as they were with `zless`. This file has been slightly manually edited to add line-breaks. 
There is not an easy setting in Python's json module to get good formatting. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 27 02:10:12 UTC 2023 on atb-devel-224 commit 19129660dfe7312585b057a90b51ad9405661478 Author: Douglas Bagnall Date: Fri Nov 24 16:59:05 2023 +1300 libcli/security/tests: remove duplicate TX-integer tests from oversized-ACLs We had two sets of test vectors (Windows ground-truth for SDDL compilation) that got mixed up. The "oversized ACLs" set is ACLs that contain repeated ACEs, like "D:P(D;MP)(D;MP)" -- Windows will assign a size to the ACL that is greater than the sum of the ACEs, while Samba will not (in part because we don't actually store a size for the ACL, instead calculating it on the fly from the size of the ACEs). The "TX integers" set is for resource attribute ACEs with octet-string data that contains pure integers (lacking '#' characters) in their SDDL, like «(RA;WD;("bar",TX,0x0,0077,00,0077,00))». We used to think that was weird, and that RA-TX ACEs should contain octet-strings in the conditional ACE style. But now we have realised it's not weird, it's normal, and we have fixed our handling of these ACEs. As a result of this mix-up, some of the tests labelled as "oversized ACLs" started passing when we fixed the TX integer problem, and that was confusing. All of the removed tests are already on the TX integer set -- the removed ones were duplicates. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit cf295c94aad9e2bafad398a338669f90d605fb5f Author: Douglas Bagnall Date: Thu Nov 2 15:48:20 2023 +1300 libcli/security:sddl: remove vestiges of shared conditional/resource ACE SID parsing Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 20ffec711d60ba0d48e7677fddeb0886b9468139 Author: Douglas Bagnall Date: Thu Nov 2 15:42:11 2023 +1300 libcli/security: improve error messages in RA ACE SDDL Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit dc60891de9f1d4341b38e71c630c2fd70f900f11 Author: Douglas Bagnall Date: Thu Nov 2 15:41:33 2023 +1300 libcli/security: conditional ACE sid parser no longer expects RA ACEs Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 0a2e335e378a985d08d74fb1935d0e852480ee3c Author: Douglas Bagnall Date: Thu Nov 2 15:37:33 2023 +1300 libcli/security: parse resource attribute ace SIDs separately Signed-off-by: Douglas Bagnall
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 028c90547e3 python:tests: Add ndrdump test for GMSA Managed Password blobs via c0e6fe0bff2 tests/ndr: Add tests for GMSA Managed Password blobs via 21a3f60cfc7 python:tests: Move NDR tests to their own directory via 19b4fb8b5ac librpc: Add NDR test for GMSA Managed Password blobs via 35611f2ba0f gmsa.idl: Add definition for MANAGEDPASSWORD_BLOB via f94b981e864 pidl: Add new ‘u16string’ type via 436814572d4 pidl: Add a helper function to determine whether a type is a string type via d1e5a6176c1 s4:librpc: Produce more helpful error message when bytes length is odd via 4629fc7c610 util/charset: Have talloc_utf16_str[n]dup() accept NULL pointers via 30dd348823c librpc:ndr: Don’t try to log always‐NULL string from 34d80fc96fe gitlab-ci: Update Fedora to version 39 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 028c90547e3c7ea6b49de6797579038f6d2f16bd Author: Joseph Sutton Date: Mon Nov 20 16:05:13 2023 +1300 python:tests: Add ndrdump test for GMSA Managed Password blobs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 20 22:51:17 UTC 2023 on atb-devel-224 commit c0e6fe0bff2bb692b5405fc6efeb1e362af821fe Author: Joseph Sutton Date: Mon Nov 13 17:08:58 2023 +1300 tests/ndr: Add tests for GMSA Managed Password blobs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 21a3f60cfc783d07994b29696c7a75e2372dd114 Author: Joseph Sutton Date: Mon Nov 20 15:46:16 2023 +1300 python:tests: Move NDR tests to their own directory Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 19b4fb8b5ac5aa0a998b7f530a748065cf489b4a Author: Joseph Sutton Date: Thu Nov 16 10:54:42 2023 +1300 librpc: Add NDR test for GMSA Managed Password blobs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 35611f2ba0feb79f78dbb7995a1018b39e2ad005 Author: Joseph Sutton Date: Fri Nov 17 14:59:20 2023 +1300 gmsa.idl: Add definition 
for MANAGEDPASSWORD_BLOB Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f94b981e8641a6b18f72a50b6596e9275bb034e4 Author: Joseph Sutton Date: Mon Nov 20 10:07:22 2023 +1300 pidl: Add new ‘u16string’ type This type represents a UTF‐16–encoded string. These strings are kept UTF‐16–encoded rather than converted to the Unix charset to be stored in memory; this avoids issues regarding NULL termination and conversion between character sets. We want to be able to handle strings that are not valid UTF‐16. Not bumping the NDR ABI version, because there hasn’t been an NDR release since commit c4f281e9ae36c225b6003e0fa1cb8fb2e67bf543. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 436814572d435f6de4f3b390f07d0124fc4a7105 Author: Joseph Sutton Date: Mon Nov 20 10:03:59 2023 +1300 pidl: Add a helper function to determine whether a type is a string type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d1e5a6176c1191e46a22319d356fa93b0fee76f3 Author: Joseph Sutton Date: Fri Nov 17 12:56:17 2023 +1300 s4:librpc: Produce more helpful error message when bytes length is odd Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4629fc7c610a255fda33ae4dce0fd225b01e5c88 Author: Joseph Sutton Date: Fri Nov 17 12:52:29 2023 +1300 util/charset: Have talloc_utf16_str[n]dup() accept NULL pointers This is in line with ‘talloc_str[n]dup()’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 30dd348823c03adcf0e1bbf7adaa5ea1c30ca7a5 Author: Joseph Sutton Date: Fri Nov 17 10:45:29 2023 +1300 librpc:ndr: Don’t try to log always‐NULL string Commit c51795c747198f9e002505ffa39ad710beff0358 reorganized ndr_pull_string() so that when we reach this DEBUG(), we don’t yet have a string to log — ‘as’ will always be NULL. Attempting to log a NULL string invokes undefined behaviour. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: lib/util/charset/util_unistr.c | 6 + librpc/ABI/ndr-4.0.0.sigs | 3 + librpc/idl/gmsa.idl| 44 ++ librpc/idl/idl_types.h | 5 + librpc/idl/wscript_build | 1 + librpc/ndr/libndr.h| 1 + librpc/ndr/ndr_string.c| 134 - librpc/tests/test_ndr_gmsa.c | 159
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5119d5540de s4-winreg: fix dcesrv_winreg_EnumValue behavior via 1fd0689f0ef s3-winreg: fix _winreg_EnumValue behavior via 43a8a03767a s4-torture: add test to check for Windows behavior of EnumValue call via 36745d63d68 s4-torture: add torture_assert_werr_equal_goto and torture_assert_werr_ok_goto macros via 9501dbeeb1e s3-rpcclient: add winreg_enumval command via baa67024bca s4/server.c: move some log messages from ERR to NOTICE via 55d895dc422 profile: issues info message with lower log level via 72f20311acc source3/nmbd/nmbd.c: use DBG_STARTUP_NOTICE via 50337acaa56 lib/util/become_daemon.c: use DBG_STARTUP_NOTICE via bb370b9381e README.Coding.md: add DBG_STARTUP_NOTICE macro via 159cfde446c logging: use DBG_STARTUP_NOTICE for startup message via ccfe345fece debug.h: introduce DEBUG_STARTUP_NOTICE via b7631bf603f lib/util: move copyright define to copyright.h from 19105f51d03 vfs_ceph: Fix some uninitialized structs and pointers https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5119d5540de6fa56cb92c82a2bf719c6656a2988 Author: Günther Deschner Date: Thu Nov 16 21:05:12 2023 +0100 s4-winreg: fix dcesrv_winreg_EnumValue behavior When returning WERR_MORE_DATA the winreg server needs to indicate the required buffer size. Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 20 04:50:00 UTC 2023 on atb-devel-224 commit 1fd0689f0ef3e833ffd23683d89fa39077a7ce63 Author: Günther Deschner Date: Wed Nov 15 17:13:20 2023 +0100 s3-winreg: fix _winreg_EnumValue behavior When returning WERR_MORE_DATA the winreg server needs to indicate the required buffer size. 
Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett commit 43a8a03767a0758e9dbe7a4d3473bfba4aa784c3 Author: Günther Deschner Date: Wed Nov 15 17:36:46 2023 +0100 s4-torture: add test to check for Windows behavior of EnumValue call Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett commit 36745d63d687bdd310be0415c1a871a65a5ee724 Author: Günther Deschner Date: Wed Nov 15 19:07:32 2023 +0100 s4-torture: add torture_assert_werr_equal_goto and torture_assert_werr_ok_goto macros Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett commit 9501dbeeb1e98ce0dfe2f6a6df63605734bd4ae4 Author: Günther Deschner Date: Mon Nov 13 16:49:32 2023 +0100 s3-rpcclient: add winreg_enumval command Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett commit baa67024bca391f2e212b91131f544cc911c6895 Author: Björn Jacke Date: Mon Sep 18 13:45:54 2023 +0200 s4/server.c: move some log messages from ERR to NOTICE BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit 55d895dc42248ad524a10812b9975ac05a722fdc Author: Björn Jacke Date: Mon Sep 18 23:42:31 2023 +0200 profile: issues info message with lower log level BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit 72f20311acc4ab8851f18ac2b87f7ecc7803afad Author: Björn Jacke Date: Mon Sep 18 14:35:55 2023 +0200 source3/nmbd/nmbd.c: use DBG_STARTUP_NOTICE BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit 50337acaa566b6696e035e38f6408f65805182a0 Author: Björn Jacke Date: Mon Sep 18 14:34:29 2023 +0200 lib/util/become_daemon.c: use DBG_STARTUP_NOTICE BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit bb370b9381e5d223ff4ac62f612888f90a63fcc5 Author: Björn Jacke Date: Wed Nov 15 19:44:38 2023 +0100 README.Coding.md: add 
DBG_STARTUP_NOTICE macro BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit 159cfde446c95c387ef212be103b109ea0dca93d Author: Björn Jacke Date: Mon Jun 5 18:10:07 2023 +0200 logging: use DBG_STARTUP_NOTICE for startup message BUG: https://bugzilla.samba.org/show_bug.cgi?id=15377 Signed-off-by: Bjoern Jacke Reviewed-by: Andrew Bartlett commit ccfe345fece0a5a44d766fb9426d43c2e046d040 Author: Björn Jacke Date: Mon Sep 18 13:48:06 2023 +0200 debug.h: introduce DEBUG_STARTUP_NOTICE this is log level -1 and lowest syslog priority. This is used for start up messages and copyright notices, which should
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fe1d45cf1e9 s4:librpc: Add functions converting between bytes and UTF‐16 strings via 5f3f3c0cc3e s4:librpc: Remove trailing whitespace via df19006c782 tests/krb5: Allow creating Group Managed Service Accounts via 7a9ad610226 pidl: Don’t overwrite exception set by PyUnicode_AsEncodedString() via ddb98e7d611 pidl: Remove trailing whitespace via e04f627e4f2 librpc:ndr: Fix comment via 204a46b712c librpc:ndr: Don’t duplicate strings needlessly via e01e6202e60 librpc:ndr: Move call to convert_string_talloc() on to its own line via 2e2b80f895d librpc:ndr: Introduce common out path in ndr_push_string() via 5e580fadeed librpc:ndr: Fix error message via 4b03c6de54b librpc:ndr: Fix code formatting via 939ceb233ef util/charset: Add talloc_utf16_str[n]dup() via b6ff89f6fb3 util/charset: Include missing headers via 3f0809f1eef util/charset: Remove unnecessary cast from 3f908e19a04 s4-scripting: Remove repl_cleartext_pwd.py https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fe1d45cf1e90e9d75f3a47d65b920e2a7e472c97 Author: Joseph Sutton Date: Thu Nov 16 11:20:22 2023 +1300 s4:librpc: Add functions converting between bytes and UTF‐16 strings Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 16 06:23:35 UTC 2023 on atb-devel-224 commit 5f3f3c0cc3ef7ca5237ba1e4865259e02f41a12c Author: Joseph Sutton Date: Wed Nov 8 21:09:14 2023 +1300 s4:librpc: Remove trailing whitespace Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit df19006c7825609c18a6e21d3920696bc0955e70 Author: Joseph Sutton Date: Mon Nov 13 17:07:02 2023 +1300 tests/krb5: Allow creating Group Managed Service Accounts Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7a9ad610226dfbdb5e645e6fe98fd266a960e2d1 Author: Joseph Sutton Date: Wed Nov 15 12:10:36 2023 +1300 pidl: Don’t overwrite exception set by PyUnicode_AsEncodedString() Signed-off-by: Joseph Sutton 
Reviewed-by: Andrew Bartlett commit ddb98e7d611f7c3160af4ea54bb6cf6bdf1ad0a3 Author: Joseph Sutton Date: Thu Nov 9 14:08:19 2023 +1300 pidl: Remove trailing whitespace Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e04f627e4f2c6b2a2501634fd212e2527f4e0891 Author: Joseph Sutton Date: Wed Nov 15 15:07:53 2023 +1300 librpc:ndr: Fix comment Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 204a46b712cb025d2462b7e4319c04d451e2d550 Author: Joseph Sutton Date: Thu Nov 16 10:15:36 2023 +1300 librpc:ndr: Don’t duplicate strings needlessly If the source string doesn’t need to be converted, there’s no reason for it to be talloc‐allocated. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e01e6202e606476066231b0b84903c604db07a6e Author: Joseph Sutton Date: Thu Nov 16 14:50:58 2023 +1300 librpc:ndr: Move call to convert_string_talloc() on to its own line Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2e2b80f895dbe436290321074464b54f2943640f Author: Joseph Sutton Date: Thu Nov 16 10:22:26 2023 +1300 librpc:ndr: Introduce common out path in ndr_push_string() This ensures that ‘dest’ gets freed on failure. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 5e580fadeed52ab723c1f6252dd4a49d0824a229 Author: Joseph Sutton Date: Mon Nov 13 17:04:34 2023 +1300 librpc:ndr: Fix error message Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4b03c6de54bfe7773ea97bf6707c6144433acf11 Author: Joseph Sutton Date: Thu Nov 16 10:43:12 2023 +1300 librpc:ndr: Fix code formatting Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 939ceb233ef94a0d2d45da39076ba3e78665c776 Author: Joseph Sutton Date: Thu Nov 16 11:10:28 2023 +1300 util/charset: Add talloc_utf16_str[n]dup() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b6ff89f6fb32a74365cc7116beb1ef949aaae021 Author: Joseph Sutton Date: Wed Nov 15 15:26:56 2023 +1300 util/charset: Include missing headers Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 3f0809f1eef116454584a84b270a1fd7feeebe64 Author: Joseph Sutton Date: Mon Nov 13 12:21:20 2023 +1300 util/charset: Remove unnecessary cast Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: lib/util/charset/charset.h | 6 ++ lib/util/charset/convert_string.c| 2
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 3f908e19a04 s4-scripting: Remove repl_cleartext_pwd.py via 4ec50d91097 s4-scripting/devel: Fix str() vs bytes() issue in repl_cleartext_pwd.py via 79ef40b0262 s4-scripting/devel: Fix repl_cleartext_pwd to use built-in RC4 via 6613b5bd121 s3/utils: Use sddl_decode_err_msg instead of sddl_decode via b319769ebd1 s3/utils: Detect (and report) failure to parse sddl via d0d026bdb51 libcli/security: Debug only when we failed to decode from 7c1e3f0d82a python:tests: Ensure we clean up callbacks in pymessaging tests https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3f908e19a0422f9552d43e30762d93a8fc988ab2 Author: Andrew Bartlett Date: Thu Nov 16 14:10:45 2023 +1300 s4-scripting: Remove repl_cleartext_pwd.py This script was the precursor to newer samba-tool commands and no longer works. The previous commits record some of the work to have it operate in the modern era, but keeping this around is more trouble than it is worth. Use these commands instead: samba-tool drs clone-dc-database --include-secrets samba-tool user getpassword administrator --attributes=virtualClearTextUTF8 Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 16 02:46:57 UTC 2023 on atb-devel-224 commit 4ec50d91097dd2467411b1150808ea62652696a3 Author: Andrew Bartlett Date: Thu Mar 30 01:29:22 2023 + s4-scripting/devel: Fix str() vs bytes() issue in repl_cleartext_pwd.py Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton commit 79ef40b02627668e03651782e45b98ffa0373329 Author: Andrew Bartlett Date: Thu Mar 30 14:22:24 2023 +1300 s4-scripting/devel: Fix repl_cleartext_pwd to use built-in RC4 This allows the usage test to pass on our CI hosts without python-crypto and not uxsuccess on hosts with it. 
Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton commit 6613b5bd121e3450060053a5ee8cff0ecd69d55e Author: Noel Power Date: Wed Nov 15 13:07:26 2023 + s3/utils: Use sddl_decode_err_msg instead of sddl_decode Use sddl_decode_err_msg instead of sddl_decode for possible better error reporting. Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit b319769ebd1caf4a406211f62cf6086ad3057672 Author: Noel Power Date: Wed Nov 15 12:55:36 2023 + s3/utils: Detect (and report) failure to parse sddl Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit d0d026bdb512b5765f9a8ecc5268fbc238571adc Author: Noel Power Date: Wed Nov 15 11:29:46 2023 + libcli/security: Debug only when we failed to decode Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett --- Summary of changes: libcli/security/sddl.c| 13 +- selftest/knownfail.d/usage| 2 - source3/utils/smbcacls.c | 61 +++- source4/scripting/devel/repl_cleartext_pwd.py | 412 -- 4 files changed, 65 insertions(+), 423 deletions(-) delete mode 100755 source4/scripting/devel/repl_cleartext_pwd.py Changeset truncated at 500 lines: diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c index 2cad84a937a..a4659c107b5 100644 --- a/libcli/security/sddl.c +++ b/libcli/security/sddl.c @@ -995,11 +995,14 @@ struct security_descriptor *sddl_decode(TALLOC_CTX *mem_ctx, const char *sddl, ACE_CONDITION_FLAG_ALLOW_DEVICE, &msg, &msg_offset); - DBG_NOTICE("could not decode '%s'\n", sddl); - if (msg != NULL) { - DBG_NOTICE(" %*c\n", (int)msg_offset, '^'); - DBG_NOTICE("error '%s'\n", msg); - talloc_free(discard_const(msg)); + if (sd == NULL) { + DBG_NOTICE("could not decode '%s'\n", sddl); + if (msg != NULL) { + DBG_NOTICE(" %*c\n", + (int)msg_offset, '^'); + DBG_NOTICE("error '%s'\n", msg); + talloc_free(discard_const(msg)); + } } return sd; } diff --git a/selftest/knownfail.d/usage b/selftest/knownfail.d/usage index b8e0bbc356d..e7d707f0e7d 100644 --- a/selftest/knownfail.d/usage ++
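Review bot: in the libcli/security/sddl.c hunk, `talloc_free(discard_const(msg));` now sits inside the new `if (sd == NULL)` block, whereas before it ran whenever `msg != NULL`. A message returned alongside a non-NULL `sd` would therefore no longer be freed here. If sddl_decode_err_msg() only ever sets `msg` on failure, a one-line comment above the check saying so would make that assumption explicit; otherwise keep the free outside the `sd == NULL` test and put only the DBG_NOTICE calls under it.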
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7c1e3f0d82a python:tests: Ensure we clean up callbacks in pymessaging tests via beff3e6d776 python:tests: Fix crashing pymessaging tests via ec3e420840e util/charset: Prefer PULL_LE_U16() to older SVAL() macro via 99e0a0f21ad util/charset/tests: Add tests for UTF‐16 string length functions via 7ebf7f424d0 s4:torture: Remove trailing whitespace via a46746381b2 util/charset: Add utf16_len_n() via 74a5a3b74e1 util/charset: Include final UTF‐16 code unit in length calculation loop via 516f35b5a11 util/charset: Add utf16_len() via 16996d145b1 util/charset: Rename utf16_len() to utf16_null_terminated_len() via 542e5a3039a util/charset: Rename utf16_len_n() to utf16_null_terminated_len_n() via c2a743190fc s4:smb_server: Remove trailing whitespace via a63cf19ee43 s4:libcli: Remove trailing whitespace via 982238e914a util/charset: Remove trailing whitespace via 1e029b2cd75 librpc:ndr: Convert NDR flags types to enumerations via 2562f24d112 librpc:ndr: Fix comment via 5b693597b0d libndr:ndr: Allow only one string encoding flag via ce2f4ecd596 librpc:ndr: Prohibit STR_NULLTERM|STR_NOTERM flags combination via ef0109d2cd7 librpc:ndr: Check return values of talloc functions via b11978a06cf librpc:ndr: Fix error messages via 609965b6ea0 libcli/security:sddl_decode message offset safety latch via 1f4e018ef1b libcli/security/test_sddl_conditional_ace: add message tests via 2b4f97249f3 libcli/security:sddl_parse: add some top level error messages via 15fcf9b769b libcl/security:sddl_decode_acl: expand a comment via 01f8b61035a libcli/security:sddl_decode_ace: fix ';' count message via dd41357fcd0 libcl/security:sddl_decode_acl: add a message via 206db403b49 libcli/security:sddl_decode_ace: add more messages via f712f8d3710 libcli/security: adjust log verbosity in sddl_decode via 74c6cf44b9d libcli/security:sddl_decode_ace: turn DBG_WARNINGs into messages via 23a83d37df6 pytest:samba-tool domain auth policy: expect error message detail via 
b18fe675c0d libcli/security:sddl_decode_err_msg(): don't pretend msg is optional (CID1548624) from 12e5c15a97b vfs_zfsacl: Call stat CAP_DAC_OVERRIDE functions https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7c1e3f0d82a08cf0e5fea4fabbc7ad05d0ebbb84 Author: Joseph Sutton Date: Tue Nov 14 12:45:35 2023 +1300 python:tests: Ensure we clean up callbacks in pymessaging tests Not calling ‘deregister()’ results in memory getting leaked. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Nov 15 23:11:13 UTC 2023 on atb-devel-224 commit beff3e6d7762b423500a7ebf163878ede68b4a2f Author: Joseph Sutton Date: Tue Nov 14 12:34:01 2023 +1300 python:tests: Fix crashing pymessaging tests Commit 8c75d9fc73614fad29a998d08c4b11034ab2aebb changed Messaging.deregister() to take a two‐element tuple containing private data as well as a callback, but it did not change the call in samba.tests.messaging.MessagingTests.test_register to match. Since imessaging_deregister() completely ignored the ‘private_data’ parameter passed to it (assuming the callback was registered with msg_type == -1), everything still appeared to work — until commit b22c21799527323877b330c16c23057582721abb changed Messaging.deregister() to no longer leak memory. Now the wrong variable had its reference count decremented, causing the test to crash. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ec3e420840eded527a2a7bb1177b5daa79ee8448 Author: Joseph Sutton Date: Thu Nov 9 12:46:17 2023 +1300 util/charset: Prefer PULL_LE_U16() to older SVAL() macro Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 99e0a0f21adc36e42ecce56c88e584e38e6fb23d Author: Joseph Sutton Date: Tue Nov 14 12:31:07 2023 +1300 util/charset/tests: Add tests for UTF‐16 string length functions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7ebf7f424d0b5d6872ee6a74e369ccd96de4b9f3 Author: Joseph Sutton Date: Tue Nov 14 13:07:19 2023 +1300 s4:torture: Remove trailing whitespace Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a46746381b2bf7c336e4411430ecfc5fbb3cbb2a Author: Joseph Sutton Date: Thu Nov 9 12:43:07 2023 +1300 util/charset: Add utf16_len_n() This function returns the length in bytes — at most ‘n’ — of a UTF‐16 string excluding the null terminator. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Ba
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b6661e77de2 netcmd: docs: update docs for silo member grant + revoke via 88ea6b17e17 netcmd: tests: update silo member grant and revoke docstings and comments via 9708209d759 netcmd: tests: rename silo member tests to grant + revoke via 2ee86e78cf6 netcmd: tests: rename add_silo_member and remove_silo_member methods in test via d9552dc08db netcmd: silo member: update docstrings comments and print statements for grant + revoke via becb0ecf35d netcmd: silo member: update command line options help text for grant + revoke via fb2453d1a36 netcmd: silo member: rename add and remove commands to grant and revoke via 047ddb10019 netcmd: silo member: update model docstrings and exception text via abc3b508313 netcmd: silo member: rename model methods to grant and revoke via 19613057d90 netcmd: silo member: rename exceptions to grant and revoke via 422cc1d17d2 netcmd: models: fix incorrect return type should not be User via 42be08c1928 netcmd: models: Model.query method makes use of Query class via efedfab33e0 netcmd: models: add Query class to replace simple generator via 172f55fb0e8 netcmd: docs: document samba-tool user auth silo and policy commands via c9ba99a948d netcmd: tests: add tests for user auth policy and silo commands via ca9a11c6e81 netcmd: tests: rename domain_auth_base.py to silo_base.py via bcc77601f2f netcmd: tests: rename base class to be used by more tests via 422680f82fd netcmd: add auth silo and policy sub-commands to samba-tool user via 2f20fa9b90a netcmd: silo member: Make output consistent with user command via 30992e865c5 netcmd: model: User model str method returns username not cn via d4e84177ca4 netcmd: tests: make use of unique_name via d3e18dbe43f netcmd: silo member uses consistent output with other commands via 0eb727a54d4 netcmd: silo member add and remove should not set assigned_silo via 9250508601f netcmd: silo member: make use of User.find function via 921cc1df67e netcmd: model: add a find method to 
User model to avoid repeating code via a75cbd85e0f netcmd: model: add missing assigned_policy field on User model via 925ec0e6c8c netcmd: user: PEP8 E303 E305: fix too many or too little blank lines via db08030c8f4 netcmd: user: PEP8 E225: missing whitespace around operator via f1c6d4cb733 netcmd: user: PEP8 E221: fix multiple spaces before operator via 6b0cb653639 netcmd: user: PEP8 E127: fix hanging indent not lining up via 30cb66aec48 netcmd: user: PEP8 E502: backslash is redundant between brackets via cae5456a294 netcmd: user: PEP8 E117: code is overindented via d9c230ff80d python/samba/tests: Add smbcacl tests for save/restore via 520e3ac06d5 docs-xml: Update manpages for new -T, --save & --restore options via fa5725cdb01 s3/utils: Add support to smbcacls to restore dacls from file via db88697df2b s3/utils: Add functionality to smbcacls to save dacl(s) to a restore file via dd2133ba486 s3/utils: Add recursive option to smcacls via 1273f9a2a51 s3/utils: Add save and restore config switches (and help output) via 8ead28b26b8 s3/utils: ensure sddl_encode/sddl_decode both use domain_sid via 426ca4cf4b6 pytests: sid_strings: do not fail if epoch ending has zeros from b649007a532 smbd: remove now unneccessary wrapper vfs_fget_dos_attributes() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b6661e77de2e8bb63385c42f1eee97f835a16775 Author: Rob van der Linde Date: Wed Nov 8 10:21:02 2023 +1300 netcmd: docs: update docs for silo member grant + revoke Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Nov 15 05:00:58 UTC 2023 on atb-devel-224 commit 88ea6b17e17a129d3c4135f0fb42c739effa8f17 Author: Rob van der Linde Date: Wed Nov 8 09:44:14 2023 +1300 netcmd: tests: update silo member grant and revoke docstings and comments Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 
9708209d759c2bfd0e3845b5eb890c5abfd21ccc Author: Rob van der Linde Date: Wed Nov 8 09:42:33 2023 +1300 netcmd: tests: rename silo member tests to grant + revoke Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 2ee86e78cf6119b0280e6777f1c97aa60ae9c4d2 Author: Rob van der Linde Date: Wed Nov 8 09:35:13 2023 +1300 netcmd: tests: rename add_silo_member and remove_silo_member methods in test Signed-off-by: Rob van der L
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 29bb93d03a4 libcli/security: conditional aces: don't allow U+ in unicode via 4decb074d8f librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL via 2b4a17f54fe librpc/ndr: Remove confusing case where returned string pointer "as" could be NULL from 29558014911 torture3: Correct use of enum client_flavour defines https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 29bb93d03a48c789e71a434eea65f286bd0029bd Author: Andrew Bartlett Date: Tue Nov 7 13:44:55 2023 +1300 libcli/security: conditional aces: don't allow U+ in unicode Allowing this broke a round-trip decode-encode fuzz test. Credit to OSS-Fuzz. REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62742 (Comments are from an earlier commit by Douglas Bagnall ) Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 13 02:30:23 UTC 2023 on atb-devel-224 commit 4decb074d8feed66201057fd663e257cf45c65d6 Author: Andrew Bartlett Date: Mon Nov 6 11:11:14 2023 +1300 librpc/ndr: Add support for LIBNDR_FLAG_STR_NO_EMBEDDED_NUL This requires that, other than termination, no NUL (\0) codepoints exist in the input string, because bytes beyond that will be lost in the output string. This in turn causes trouble for round-trip testing, so it is easiest to reject it upfront (on an opt-in basis). Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton commit 2b4a17f54fee552717068377dfc15f474fde Author: Andrew Bartlett Date: Mon Nov 6 10:18:47 2023 +1300 librpc/ndr: Remove confusing case where returned string pointer "as" could be NULL The failure to talloc_strdup("") is just an error and all other cases set the string or give an error. 
Signed-off-by: Andrew Bartlett Reviewed-by: Reviewed-by: Joseph Sutton --- Summary of changes: librpc/idl/conditional_ace.idl | 7 +- librpc/idl/idl_types.h | 1 + librpc/ndr/libndr.h| 2 + librpc/ndr/ndr_string.c| 52 ++- librpc/tests/test_ndr_string.c | 337 - 5 files changed, 395 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/conditional_ace.idl b/librpc/idl/conditional_ace.idl index e36fe9b43a1..5842c7dddcb 100644 --- a/librpc/idl/conditional_ace.idl +++ b/librpc/idl/conditional_ace.idl @@ -276,7 +276,12 @@ interface conditional_ace } ace_condition_int; typedef [public] struct { - [flag(STR_SIZE4|STR_NOTERM|STR_BYTESIZE)] string value; + /* +* Zeroes are not allowed in the binary format (which +* is otherwise UTF-16), and if we did let them +* through we would end up with a truncated string. +*/ + [flag(STR_SIZE4|STR_NOTERM|STR_BYTESIZE|STR_NO_EMBEDDED_NUL)] string value; } ace_condition_unicode; typedef [public] struct { diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h index 2d063de0bc7..a21893f6562 100644 --- a/librpc/idl/idl_types.h +++ b/librpc/idl/idl_types.h @@ -5,6 +5,7 @@ #define STR_NOTERM LIBNDR_FLAG_STR_NOTERM #define STR_NULLTERM LIBNDR_FLAG_STR_NULLTERM #define STR_BYTESIZE LIBNDR_FLAG_STR_BYTESIZE +#define STR_NO_EMBEDDED_NUL LIBNDR_FLAG_STR_NO_EMBEDDED_NUL #define STR_CONFORMANT LIBNDR_FLAG_STR_CONFORMANT #define STR_CHARLENLIBNDR_FLAG_STR_CHARLEN #define STR_UTF8 LIBNDR_FLAG_STR_UTF8 diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h index b0596039526..3a453b5b168 100644 --- a/librpc/ndr/libndr.h +++ b/librpc/ndr/libndr.h @@ -150,6 +150,7 @@ struct ndr_print { #define LIBNDR_FLAG_STR_NULLTERM (1U<<6) #define LIBNDR_FLAG_STR_SIZE2 (1U<<7) #define LIBNDR_FLAG_STR_BYTESIZE (1U<<8) +#define LIBNDR_FLAG_STR_NO_EMBEDDED_NUL (1U<<9) #define LIBNDR_FLAG_STR_CONFORMANT (1U<<10) #define LIBNDR_FLAG_STR_CHARLEN(1U<<11) #define LIBNDR_FLAG_STR_UTF8 (1U<<12) 
@@ -162,6 +163,7 @@ struct ndr_print { LIBNDR_FLAG_STR_NULLTERM | \ LIBNDR_FLAG_STR_SIZE2 | \ LIBNDR_FLAG_STR_BYTESIZE | \ + LIBNDR_FLAG_STR_NO_EMBEDDED_NUL | \ LIBNDR_FLAG_STR_CONFORMANT | \ LIBNDR_FLAG_STR_CHARLEN | \ LIBNDR_FLAG_STR_UTF8 | \ diff --git a/librpc/ndr/ndr_string.c b/librpc/ndr/ndr_string.c index d0b64dc6fd9..57a49e34c17 100644 --- a/librpc/ndr/ndr_string.c +++ b/librpc/ndr/ndr_string.c @@ -50,6 +50,12 @
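Review bot: in the librpc/ndr/libndr.h hunk, `#define LIBNDR_FLAG_STR_NO_EMBEDDED_NUL (1U<<9)` is added with no comment, so the only description of what the flag rejects lives in the conditional_ace.idl comment and the commit message. A short comment at the define stating that the flag is opt-in and rejects any NUL other than the terminator would help the next IDL author who meets it in the flag list. The conditional_ace.idl comment could also say that, with STR_NOTERM set on `value`, there is no terminator at all, so every zero in that string counts as embedded.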
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b8ffb245964 third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea)) from fb867873d87 netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b8ffb24596452edb647d8df8b2ec608a607ebac4 Author: Joseph Sutton Date: Fri Nov 10 12:43:03 2023 +1300 third_party/heimdal: krb5: Try to decode e-data as KERB-ERROR-DATA (falling back to METHOD-DATA) (Import lorikeet-heimdal-202311092338 (commit 50996e5f0b0f22a4eb755a6f22cb7b4ecab2aeea)) Previously we tried to decode KERB-ERROR-DATA as METHOD-DATA, resulting in a confusing error message. Now we just ignore it; but we could also choose to set an error message containing the NTSTATUS code in hexadecimal. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15514 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Nov 10 01:35:32 UTC 2023 on atb-devel-224 --- Summary of changes: third_party/heimdal/lib/krb5/get_cred.c | 30 +- third_party/heimdal/lib/krb5/init_creds_pw.c | 37 2 files changed, 51 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/third_party/heimdal/lib/krb5/get_cred.c b/third_party/heimdal/lib/krb5/get_cred.c index 6e48846bcb3..ff06325912b 100644 --- a/third_party/heimdal/lib/krb5/get_cred.c +++ b/third_party/heimdal/lib/krb5/get_cred.c 
@@ -719,13 +719,31 @@ get_cred_kdc(krb5_context context, memset(&md, 0, sizeof(md)); if (rep.error.e_data) { - ret = decode_METHOD_DATA(rep.error.e_data->data, -rep.error.e_data->length, -&md, NULL); + KERB_ERROR_DATA kerb_error_data; + + memset(&kerb_error_data, 0, sizeof(kerb_error_data)); + + /* First try to decode the e-data as KERB-ERROR-DATA. */ + ret = decode_KERB_ERROR_DATA(rep.error.e_data->data, +rep.error.e_data->length, +&kerb_error_data, +&len); if (ret) { - krb5_set_error_message(context, ret, - N_("Failed to decode METHOD-DATA", "")); - goto out; + /* That failed, so try to decode it as METHOD-DATA. */ + ret = decode_METHOD_DATA(rep.error.e_data->data, +rep.error.e_data->length, +&md, NULL); + if (ret) { + krb5_set_error_message(context, ret, + N_("Failed to decode METHOD-DATA", "")); + goto out; + } + } else if (len != rep.error.e_data->length) { + /* Trailing data — just ignore the error. */ + free_KERB_ERROR_DATA(&kerb_error_data); + } else { + /* OK. */ + free_KERB_ERROR_DATA(&kerb_error_data); } } diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c index 2c026ad29f2..8b6db0be594 100644 --- a/third_party/heimdal/lib/krb5/init_creds_pw.c +++ b/third_party/heimdal/lib/krb5/init_creds_pw.c @@ -3146,19 +3146,36 @@ init_creds_step(krb5_context context, memset(&ctx->md, 0, sizeof(ctx->md)); if (ctx->error.e_data) { + KERB_ERROR_DATA kerb_error_data; krb5_error_code ret2; - ret2 = decode_METHOD_DATA(ctx->error.e_data->data, -ctx->error.e_data->length, -&ctx->md, -NULL); + memset(&kerb_error_data, 0, sizeof(kerb_error_data)); + + /* First try to decode the e-data as KERB-ERROR-DATA. */ + ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data, + ctx->error.e_data->length, + &kerb_error_data, + &len); if (ret2) { - /* -* Just ignore any error, the error will be pushed -* out from krb5_error_from_rd_
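Review bot: in the get_cred.c hunk, the `else if (len != rep.error.e_data->length)` branch and the final `else` have the same body, a single `free_KERB_ERROR_DATA(&kerb_error_data);`, so the length comparison changes nothing. Either collapse the two into one `else`, or give the trailing-data case its own handling, for example falling back to decode_METHOD_DATA() as the failure path does, since e-data that decodes as KERB-ERROR-DATA with bytes left over may not be KERB-ERROR-DATA. The comment "Trailing data — just ignore the error" is also misleading at that point, because `ret` is zero there and no error exists to ignore.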
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fb867873d87 netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields via c5932c4794b netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField() via 7f0f930a427 s4:librpc: Add ‘allow_device_in_sddl’ parameter to security.descriptor.from_sddl() via 935f4edd81f libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable via a08a724a28e netcmd:tests: Test authentication policies containing device‐specific attributes and operators via db36a930e62 libcli/security: Mark arrays ‘const’ via e388e9a8560 ilbcli/security: Fix duplicated words via e822a4efb73 libcli/security: Include missing headers via 9c35b3747e4 libcli/security: Reassign flags via 5f9f9242ce7 s4:librpc: Fix leak via a11e0c02a45 s4:librpc: Remove trailing whitespace via d0ca1bcd983 third_party/heimdal: Import lorikeet-heimdal-202311082119 (commit 844610f06bac2b7b2a208cbabc7414bde23abac7) via 5ebd1b8daef tests/krb5: Test Kerberos principal names containing non–BMP Unicode characters via 0b059dafd91 tests/krb5: Add ‘expected_sname’ parameter to _fast_as_req() via e802cce43e9 tests/krb5: Encode KerberosString objects as UTF‐8 via ff83d4b08f4 tests/krb5: Move ‘rfc4120_pyasn1’ to ‘rfc4120_pyasn1_generated’ via 05ffdaeec77 librpc: add missing service control defines via fd319adcc1d s4-torture: add test for svcctl_ControlServiceExW() via 51c21f72afd librpc: add svcctl_ServiceStopReason enums via 80b4893aa12 s4-torture: add test for svcctl_QueryServiceConfigEx via cfedb32258b librpc: use SERVICE_CONTROL enum in ControlService calls via 7292e378781 librpc: add various new commands and types to SVCCTL IDL. 
via cb348e5be11 svcctl: rename SERVICE_FAILURE_ACTIONS to SERVICE_FAILURE_ACTIONSW via 6d8867925f1 svcctl: unify operation names and always prefix with svcctl_ from 963fc353e70 vfs_gpfs: Implement CAP_DAC_OVERRIDE for fstatat https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fb867873d872f78c652099637d3ee74d09426821 Author: Joseph Sutton Date: Tue Nov 7 15:44:21 2023 +1300 netcmd: Disallow device‐specific attributes and operators for allowed‐to‐authenticate‐from fields Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 9 09:01:25 UTC 2023 on atb-devel-224 commit c5932c4794b13a7975ec3c951e576a71152f4835 Author: Joseph Sutton Date: Tue Nov 7 15:43:29 2023 +1300 netcmd: Add ‘allow_device_in_sddl’ parameter to SDDLField() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7f0f930a427be94c82922c4947554a94534d9be9 Author: Joseph Sutton Date: Tue Nov 7 15:42:38 2023 +1300 s4:librpc: Add ‘allow_device_in_sddl’ parameter to security.descriptor.from_sddl() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 935f4edd81f8115c390daa8f35c35dda64e99cfb Author: Joseph Sutton Date: Fri Nov 3 14:57:02 2023 +1300 libcli/security: Optionally disallow device‐specific attributes and operators where they are not applicable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a08a724a28e4796eb0c739a560b0192a8ac2e00d Author: Joseph Sutton Date: Tue Nov 7 16:50:49 2023 +1300 netcmd:tests: Test authentication policies containing device‐specific attributes and operators Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit db36a930e62a00fb97c5b111c7d008522e32b110 Author: Joseph Sutton Date: Tue Nov 7 15:35:28 2023 +1300 libcli/security: Mark arrays ‘const’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e388e9a8560171b08181482025b1234aa17d4fb3 Author: Joseph Sutton Date: Tue Nov 7 13:39:04 2023 +1300 ilbcli/security: Fix 
duplicated words Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e822a4efb73c4f8576732b7eaef778db979fc26a Author: Joseph Sutton Date: Tue Nov 7 11:57:21 2023 +1300 libcli/security: Include missing headers Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9c35b3747e487b351fa631b92197f90a353ec513 Author: Joseph Sutton Date: Tue Nov 7 11:48:58 2023 +1300 libcli/security: Reassign flags Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 5f9f9242ce709c17422d07bd58e8fccd9f6737ad Author: Joseph Sutton Date: Tue Nov 7 12:16:12 2023 +1300 s4:librpc: Fix leak We should not leak error messages returned by sddl_decode_err_msg(). Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 091af82f759 s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC
via 2733cd7b4c8 s4:kdc: Move return code checks closer to where the return codes are set
via 1c1d402f362 s4:auth: Add comment about claims going ignored for SamLogon
via bafd63bef31 s4:auth: Remove trailing whitespace
via beaec758c9f tests/krb5: Add tests for AllowedToAuthenticateTo with SamLogon
via c277a4d3631 tests/krb5: Add test for an authentication policy that allows a specific account
via 64806f37ab0 tests/krb5: Correct authentication policy SDDL
via 6b2de474888 tests/krb5: Remove unused parameter ‘expected_device_groups’
via f8fb8f028c9 tests/krb5: Remove unused parameter ‘expected_device_groups’
from d314fc5874e smbd: Make get_real_filename_cache_key() static in files.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 091af82f75960c0c6abb04908b96051d9f53659d
Author: Joseph Sutton
Date: Tue Nov 7 16:19:30 2023 +1300

    s4:kdc: Don’t convey PAC buffers from an RODC‐issued PAC

    Such buffers are not to be trusted.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Tue Nov 7 22:54:42 UTC 2023 on atb-devel-224

commit 2733cd7b4c8b6a65a764eb7710a0f3f755f96675
Author: Joseph Sutton
Date: Tue Nov 7 16:22:41 2023 +1300

    s4:kdc: Move return code checks closer to where the return codes are set

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 1c1d402f36290e3aec3133702e84bf3a9e5755a6
Author: Joseph Sutton
Date: Tue Nov 7 11:45:50 2023 +1300

    s4:auth: Add comment about claims going ignored for SamLogon

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit bafd63bef31f30809fe16d357a8e1ba92dc6f264
Author: Joseph Sutton
Date: Tue Nov 7 11:43:36 2023 +1300

    s4:auth: Remove trailing whitespace

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit beaec758c9ffed19f00e87cdd317f47c13ef7dd2
Author: Joseph Sutton
Date: Tue Nov 7 11:10:59 2023 +1300

    tests/krb5: Add tests for AllowedToAuthenticateTo with SamLogon

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c277a4d3631f2c1b5cd0a32bc5dfcccaafef9cb9
Author: Joseph Sutton
Date: Tue Oct 17 12:01:34 2023 +1300

    tests/krb5: Add test for an authentication policy that allows a specific account

    This is a counterpart to ‘test_conditional_ace_allowed_from_user_deny’.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 64806f37ab08c51d2fac23d7f153c3b2f0c5d984
Author: Joseph Sutton
Date: Fri Nov 3 13:51:27 2023 +1300

    tests/krb5: Correct authentication policy SDDL

    There is no claim called ‘abc’, so the condition ‘(abc)’ is always going to fail. Replace this with a condition using ‘Member_of’.

    Furthermore, an ACL containing only Deny ACEs will only ever deny. Add a trailing Allow ACE so that the ACL might allow other principals.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6b2de4748889a0b5674758169439cb7fb2106e7d
Author: Joseph Sutton
Date: Fri Nov 3 12:00:15 2023 +1300

    tests/krb5: Remove unused parameter ‘expected_device_groups’

    It was never passed in by any callers.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit f8fb8f028c90887da6bbb0d1850fde398f667b7a
Author: Joseph Sutton
Date: Fri Nov 3 11:59:48 2023 +1300

    tests/krb5: Remove unused parameter ‘expected_device_groups’

    It was never passed in by any callers.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

---
Summary of changes:
python/samba/tests/krb5/conditional_ace_tests.py | 274 +--
selftest/knownfail_heimdal_kdc | 10 -
source4/auth/ntlm/auth_sam.c | 43 ++--
source4/kdc/pac-glue.c | 17 +-
4 files changed, 297 insertions(+), 47 deletions(-)

Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index de26a920ae0..88507cce164 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -31,7 +31,7 @@ from string import Formatter import ldb from samba import dsdb, ntstatus -from samba.dcerpc import claims, krb5pac, security +from samba.dcerpc import claims, krb5pac, netlogon, security from samba.ndr import ndr_pack, ndr_unpack from samba.sd_utils import escaped_claim_id @@ -89,6 +89,11 @@ class ConditionalAceBaseTests(AuthnPolicyBaseTests): cls._mach_creds
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via cfec96d5e9f third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15)
from 3ef68efca29 tests/krb5: Fix comments

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit cfec96d5e9fb2195f9e14e09bf66a68c969f4bbd
Author: Joseph Sutton
Date: Fri Nov 3 14:27:52 2023 +1300

    third_party/heimdal: Import lorikeet-heimdal-202311030123 (commit 2346a67fe25cbf16128501665db41f6840546e15)

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Nov 3 03:53:08 UTC 2023 on atb-devel-224

---
Summary of changes:
third_party/heimdal/kdc/fast.c | 18 --
third_party/heimdal/kdc/pkinit.c | 2 +-
third_party/heimdal/lib/hcrypto/bn.c | 4 +-
third_party/heimdal/lib/hcrypto/pkcs12.c | 4 +-
third_party/heimdal/lib/hdb/common.c | 1 -
third_party/heimdal/lib/hdb/hdb-ldap.c | 1 +
third_party/heimdal/lib/hx509/ca.c | 13 ++--
third_party/heimdal/lib/hx509/cms.c | 2 +-
third_party/heimdal/lib/hx509/hxtool.c | 2 +
third_party/heimdal/lib/hx509/ks_file.c | 2 +-
third_party/heimdal/lib/krb5/acache.c | 2 +
third_party/heimdal/lib/krb5/build_ap_req.c | 6 +-
third_party/heimdal/lib/krb5/context.c | 72 --
third_party/heimdal/lib/krb5/kx509.c | 2 +-
third_party/heimdal/lib/krb5/pkinit.c | 4 +-
third_party/heimdal/lib/krb5/store.c | 2 +-
third_party/heimdal/lib/roken/base32.c | 16 ++---
.../heimdal/lib/wind/gen-punycode-examples.py | 8 +--
18 files changed, 108 insertions(+), 53 deletions(-)

Changeset truncated at 500 lines:
diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c index 7b96371723e..bc77f74664c 100644 --- a/third_party/heimdal/kdc/fast.c +++ b/third_party/heimdal/kdc/fast.c @@ -406,8 +406,8 @@ _kdc_fast_mk_e_data(astgs_request_t r, NULL, error_client, error_server, - NULL, - NULL, + csec, + cusec, e_data); if (ret) { kdc_log(r->context, r->config, 1, 
@@ -508,8 +508,8 @@ _kdc_fast_mk_error(astgs_request_t r, error_client = NULL; error_server = NULL; } - csec = 0; - cusec = 0; + csec = NULL; + cusec = NULL; } ret = krb5_mk_error(r->context, @@ -603,6 +603,9 @@ fast_unwrap_request(astgs_request_t r, * */ if (fxreq.u.armored_data.armor != NULL) { + krb5uint32 kvno; + krb5uint32 *kvno_ptr = NULL; + if (fxreq.u.armored_data.armor->armor_type != 1) { kdc_log(r->context, r->config, 4, "Incorrect AS-REQ armor type"); @@ -628,9 +631,14 @@ fast_unwrap_request(astgs_request_t r, goto out; } + if (ap_req.ticket.enc_part.kvno != NULL) { + kvno = *ap_req.ticket.enc_part.kvno; + kvno_ptr = &kvno; + } + ret = _kdc_db_fetch(r->context, r->config, armor_server_principal, HDB_F_GET_KRBTGT | HDB_F_DELAY_NEW_KEYS, - (krb5uint32 *)ap_req.ticket.enc_part.kvno, + kvno_ptr, &r->armor_serverdb, &r->armor_server); if(ret == HDB_ERR_NOT_FOUND_HERE) { free_AP_REQ(&ap_req); diff --git a/third_party/heimdal/kdc/pkinit.c b/third_party/heimdal/kdc/pkinit.c index d97ae227ae6..255441ce071 100644 --- a/third_party/heimdal/kdc/pkinit.c +++ b/third_party/heimdal/kdc/pkinit.c @@ -1078,9 +1078,9 @@ pk_mk_pa_reply_dh(krb5_context context, unsigned char *p; ret = _kdc_serialize_ecdh_key(context, cp->u.ecdh.key, &p, &dh_info.subjectPublicKey.length); -dh_info.subjectPublicKey.data = p; if (ret) goto out; +dh_info.subjectPublicKey.data = p; } else krb5_abortx(context, "no keyex selected ?"); diff --git a/third_party/heimdal/lib/hcrypto/bn.c b/third_party/heimdal/lib/hcrypto/bn.c index 62297b145f1..9e9db4ec89a 100644 --- a/third_party/heimdal/lib/hcrypto/bn.c +++ b/third_party/heimdal/lib/hcrypto/bn.c @@ -235,7 +235,7 @@ static const unsigned char is_set[8] = { 1, 2, 4, 8, 16, 32, 64, 128 }; int BN_is_bit_set(const BIGNUM *bn, int bit) { -heim_integer *hi = (heim_intege
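Review bot: In fast_unwrap_request() (third_party/heimdal/kdc/fast.c, hunks at -603 and -628), `kvno_ptr` points at the block-local `kvno`, so it is valid only inside the `if (fxreq.u.armored_data.armor != NULL)` block. A short comment stating that _kdc_db_fetch() must not retain the pointer, and that the copy deliberately replaces the old `(krb5uint32 *)` cast of `ap_req.ticket.enc_part.kvno`, would keep a later cleanup from hoisting the call or restoring the cast. `kvno` is also left uninitialised when the ticket carries no kvno; that is harmless while `kvno_ptr` stays NULL, but `krb5uint32 kvno = 0;` at the declaration would make that obvious.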
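Review bot: In pk_mk_pa_reply_dh() (third_party/heimdal/kdc/pkinit.c, hunk at -1078), `unsigned char *p;` is still declared without an initialiser, so the reordering protects `dh_info.subjectPublicKey.data` only as long as nothing else reads `p` on the `goto out` path. Declaring it as `unsigned char *p = NULL;` would make the failure path safe whatever _kdc_serialize_ecdh_key() does to `p` before returning an error. It is also worth confirming that the cleanup at `out` copes with `dh_info.subjectPublicKey.data` never having been assigned, since that is now the state on failure.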
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 3ef68efca29 tests/krb5: Fix comments
via 62373eeef06 tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
via 86fb7d17ff7 tests/krb5: Don’t reuse SID S-1-2-3-4
via 224408f9592 tests/krb5: Test target authentication policies when the TGT already contains device info/claims
via 622ac53f222 tests/krb5: Add tests for PACs containing extraneous buffers
via 69d588a8702 tests/krb5: Pass a list of PAC modification functions
via 6e999eab1c3 tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
via 014c939bdd7 tests/krb5: Add support to test framework for existing device info or claims buffers
via e468a7d6271 tests/krb5: Always expect client claims
via 7048f380eb2 tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be
via 51a4443b044 tests/krb5: No longer pass two‐component form of TGS principal
via 6033b1c00dc tests/krb5: Remove unused import
via b0a09a69cc8 selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
via 687b1b99314 tests: Convert the regression test for bug15505 to python
via 9dd5e12cfa4 tests: Make clean_file() handle directories
via b5392b552ed tests: Allow to specify share names in smb2symlink tests
from 1372ef0ef46 s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 3ef68efca292651a7b83166767452a6986175924
Author: Joseph Sutton
Date: Wed Nov 1 09:33:10 2023 +1300

    tests/krb5: Fix comments

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Nov 2 20:13:50 UTC 2023 on atb-devel-224

commit 62373eeef069a7631093f237b4ca95c3992fb346
Author: Joseph Sutton
Date: Thu Nov 2 14:32:58 2023 +1300

    tests/krb5: Test RODC‐issued TGTs that already contain device info/claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 86fb7d17ff7683c66ce74e16b3be927b97ea5e5d
Author: Joseph Sutton
Date: Thu Nov 2 14:32:00 2023 +1300

    tests/krb5: Don’t reuse SID S-1-2-3-4

    We’re already using it in ‘client_sids’ to work around a bug in Windows.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 224408f9592442a503c6b33454b9dcefec64331d
Author: Joseph Sutton
Date: Wed Nov 1 16:59:21 2023 +1300

    tests/krb5: Test target authentication policies when the TGT already contains device info/claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 622ac53f2229c005a7f35779298af8405549c0d4
Author: Joseph Sutton
Date: Thu Nov 2 15:29:32 2023 +1300

    tests/krb5: Add tests for PACs containing extraneous buffers

    Test that the KDC removes these buffers from RODC‐issued PACs.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 69d588a8702fa5b973e33bf7cea1d01fcf112b1c
Author: Joseph Sutton
Date: Thu Nov 2 15:27:24 2023 +1300

    tests/krb5: Pass a list of PAC modification functions

    This is simpler than chaining functions together.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6e999eab1c3ffd79730f9003f7f284b51a840a15
Author: Joseph Sutton
Date: Wed Nov 1 13:55:14 2023 +1300

    tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 014c939bdd7f49c484ec36f0ec9159aa7012edcd
Author: Joseph Sutton
Date: Wed Nov 1 10:16:57 2023 +1300

    tests/krb5: Add support to test framework for existing device info or claims buffers

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit e468a7d62716ff28e84f753fe187828e94f2c50b
Author: Joseph Sutton
Date: Wed Nov 1 13:39:28 2023 +1300

    tests/krb5: Always expect client claims

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 7048f380eb28e9d411fae27fba45b66a08de0a54
Author: Joseph Sutton
Date: Wed Nov 1 13:38:24 2023 +1300

    tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 51a4443b04490d412b018f3ef303f77cb7304d10
Author: Joseph Sutton
Date: Wed Nov 1 13:07:54 2023 +1300

    tests/krb5: No longer pass two‐component form of TGS principal

    Samba now handles one‐component TGS principals more correctly.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6033b1c00dc080a8f0445bae6a8c4ccd54934237
Author: Joseph Sutton
Date: Wed Nov 1 12:05:50 2023 +1300

    tests/krb5
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 1372ef0ef46 s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)
via fa25793ebff s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499407)
via c095ec02ff1 s3:rpc_client: Add missing ‘break’ statement
via 90505d3aa82 s3:rpc_client: Align integer types (CID 1548342)
via 4db4df284d5 s3:utils: Initialize flags (CID 1499396)
via 4feb76592b8 s3:utils: Avoid integer overflow (CID 1548343)
via 55d06fa9e32 s3:utils: Align integer type
via 8b2269328bf s3:utils: Remove condition that cannot be true (CID 1548341)
via 77183ded7de s3:utils: Check return value of samba_cmdline_init() (CID 1548345)
via a9e8cf4ff66 s3:utils: Fix code spelling
via 7322bb30982 s3:utils: Remove unused‐but‐set variable
via ec687e7ca91 s3:smbd: Remove unreachable code (CID 710840)
via 5f865bd14dd tests/krb5: Test conditional ACE expressions with empty composite literals
via ff1d00e079b selftest: Sort conditional ACE knownfails
via 4131179a048 libcli/security: Allow empty composites and resource attribute lists
via 5df344a890f libcli/security: Remove reference to conditional ACE recursive composites
via c2fe72fb213 third_party/heimdal: Import lorikeet-heimdal-202311012221 (commit 87159bd32148be80a0d9bfc984db481e4a0f2831)
from e7f38c3a190 pytest:samba-tool domain test policy: test SDDL diagnostics

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 1372ef0ef46f6eee615c2fffd5286e96aeb8417a
Author: Joseph Sutton
Date: Tue Oct 31 12:14:27 2023 +1300

    s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)

    dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(), which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses r2.out.result, which is uninitialized — invoking undefined behaviour.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Nov 2 04:04:49 UTC 2023 on atb-devel-224

commit fa25793ebff92bee2bb1bf0b437b5f705ee8a1dc
Author: Joseph Sutton
Date: Tue Oct 31 12:11:37 2023 +1300

    s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499407)

    dcesrv_lsa_CreateTrustedDomain_base() invokes DCESRV_PULL_HANDLE(), which invokes DCESRV_PULL_HANDLE_RETVAL(), which invokes DCESRV_CHECK_HANDLE(), which might invoke DCESRV_FAULT(), which accesses r2.out.result, which is uninitialized — invoking undefined behaviour.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c095ec02ff1a13bed5503a460eb6a8a39f03ade3
Author: Joseph Sutton
Date: Tue Oct 31 12:21:26 2023 +1300

    s3:rpc_client: Add missing ‘break’ statement

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 90505d3aa82677c428fe87c38df1a3227c4ad115
Author: Joseph Sutton
Date: Tue Oct 31 11:39:09 2023 +1300

    s3:rpc_client: Align integer types (CID 1548342)

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 4db4df284d5e1d5300b9cd1597581c110cca3807
Author: Joseph Sutton
Date: Tue Oct 31 12:16:15 2023 +1300

    s3:utils: Initialize flags (CID 1499396)

    If ‘got_bcast’ is false and ‘give_flags’ is true, this variable will be used uninitialized.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 4feb76592b8f63cb2e91ebeb36212daa5bd088da
Author: Joseph Sutton
Date: Tue Oct 31 11:35:25 2023 +1300

    s3:utils: Avoid integer overflow (CID 1548343)

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 55d06fa9e328897548455f757da1452138336016
Author: Joseph Sutton
Date: Tue Oct 31 11:33:39 2023 +1300

    s3:utils: Align integer type

    If ‘count’ is larger than INT_MAX, ‘i’ might overflow in the loop and lead to undefined behaviour.

    See also CID 1548342.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 8b2269328bf1d85c6505cf8ecb95977435bdf93c
Author: Joseph Sutton
Date: Tue Oct 31 11:30:27 2023 +1300

    s3:utils: Remove condition that cannot be true (CID 1548341)

    ‘limit’ is an unsigned integer, and thus will never be less than zero.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 77183ded7de9d5b23663aa5f68a94a9c9b87902c
Author: Joseph Sutton
Date: Tue Oct 31 11:20:05 2023 +1300

    s3:utils: Check return value of samba_cmdline_init() (CID 1548345)

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit a9e8cf4ff6621bb4f50f10dc11f60c1995b01084
Author: Joseph Sutton
Date: Tue
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via e7f38c3a190 pytest:samba-tool domain test policy: test SDDL diagnostics
via d915443ab00 pytest: samba_tool domain auth policy fix for SDDL err msg
via cc2498f35b4 samba-tool: try to present diagnostics for SDDL errors.
via 42b5a09a031 pytest:sddl: assert SDDLValueError values make sense
via d7fe04205f8 s4/librpc/py_security: use SDDLValueError for better error messages
via fd8cf82be1e pytest:sddl: handle SDDLValueError
via 328ddf6d3aa pytest:security_descriptors: handle SDDLValueError
via d47c6654f96 pytest: sid_strings: handle SDDLValueError
via 054725440f2 s4/librpc/py_security: add SDDLValueError
via 0c123e142f4 ndr/py_security: mod patch reports errors
via cbf8349ec53 lib/ldb: pyldb search iterator avoids exception leak
via 1d8024e733e lib/ldb: py LDBError avoids leak and checks for alloc failure
via ffa08426e0e libcli/security: conditional ace err messages don't hardcode offset
via c31d41d7219 libcli/security: sddl: guard against inconsistent msg pointers
via c63a8989770 libcli/security: sddl: remove unreachable debug
via 67fa97d61f9 libcli/security: sddl_decode_ace/acl pass through messages
via 93347aa5af1 libcli/security: add sddl_decode_err_msg()
via 9b57d5cd5c8 libcli/security: sddl_conditional_ace: ensure message is talloced
via cc11165ecbc libcli/security: sddl: check a talloc_zero
via 5319c5bdac8 libcli/security: SDDL accepts lowercase "s-" in SIDs
via c75be6c3261 librpc:ndr: Increase size of ‘libndr_flags’ type to 64 bits
via a396b705c8a librpc:ndr: Introduce ‘ndr_flags_type’ type
via c4f281e9ae3 librpc:ndr: Introduce ‘libndr_flags’ type
via 4ec7578e79c s4:torture: Make static variables constant
via 83c68236526 librpc:ndr: Fix code spelling
via 0071a60fb63 dcerpc.idl: Use simple boolean value instead of flag
via bea9958b607 s4:kdc: Call kdc_request_set_e_data() instead of kdc_set_e_data()
via 57c543a1d91 third_party/heimdal: Import lorikeet-heimdal-202310310018 (commit 3a433861903ff7c35f3a42c2e88aef2fab7bb5b4) (CID 1544591, CID 1544617)
via b06751389db s4:auth: Comment about claims in the security token
via ebbba22cfbd s4:auth: Remove trailing whitespace
via 0733ea3663f s4:kdc: Have samba_kdc_get_device_info_blob() call samba_kdc_get_user_info_dc() instead of adding special SIDs itself
via f8bfd607ca3 tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs
via 6760dd48ad0 s4:kdc: Do not add Claims Valid SID twice
via 54eb175816b tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’
via 66b45978621 tests/krb5: Don’t pass unnecessary parameter
via 2b69e1e7c31 tests/krb5: Use __slots__ to indicate which attributes are used by classes
via b0da50b5b0d s4:kdc: Add the Asserted Identity SID to the PAC only if the original RODC‐issued PAC contained it
via 915b40521e6 s4:auth: Check that the PAC is not NULL before dereferencing it
via 76e27c3ab13 libcli/security: Add sid_attrs_contains_sid()
via 69edfd7b11a libcli/security: Make use of sids_contains_sid()
via 04611d9ebc1 libcli/security: Add sids_contains_sid()
via ce3f04dca9a libcli/security: Make use of sids_contains_sid_attrs()
via 5ff72d0e04e libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs()
via 487e21ec899 s4:dsdb: Make sids_contains_sid() usable by other Samba modules
via ce9fbceadba libcli/security: Correct function documentation
via 01b89669931 libcli/security: Remove unnecessary return statement
via 12b0c9d043f s4:dsdb: Align integer type
via 3b936623a42 s4:kdc: Add Claims Valid SID to info regenerated from RODC‐issued PACs
via 7ba4bb81645 tests/krb5: Add tests to see how SIDs are conveyed from PACs
via dc1e2b41ca4 tests/krb5: Test that the Claims Valid SID is added to RODC‐issued PACs
via 947d3e5932e tests/krb5: Test that the Service Asserted Identity SID is not regarded from an RODC‐issued PAC
from 1862561d1a1 smbd: Open file as REPARSE_POINT in unlink_internals()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit e7f38c3a190c0faacdbab230439d98d7e3fe7c0e
Author: Douglas Bagnall
Date: Sat Oct 28 12:09:04 2023 +1300

    pytest:samba-tool domain test policy: test SDDL diagnostics

    The existing 'bad SDDL' test has SDDL so bad that the diagnostics are not exercised.

    Signed-off-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Wed Nov 1 21:12:33 UTC 2023 on atb-devel-224

commit d915443ab0076389036890
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 0bb67a3a7e7 python: silos: add support for allowed to authenticate from silo shortcut
via 84916935751 python: add docstring for escaped_claim_id function
via 16d52aa559a python: move method escaped_claim_id from test to samba.sd_utils
via 47f5bc78b88 python: silos: add some missing tests for auth policy command
via 2aa4d67411a python: tests: claims and silo tests make use of unique_name
via 2dd06ae41a2 python: tests: improve comments for auth silo and policy tests
via 95cb6a0bb16 python: tests: qa and developers were not in the correct case
via e87d74066af python: tests: addCleanup is always before create operation
via d19e268221e python: tests: function to generate a unique name from caller
via ed245e28875 netcmd: tests: make use of addCleanup
via 3e9f74a680b netcmd: claims: rename claims and silo tests
via 156887c6d0b netcmd: silo command uses more consistent naming for tgt args
via 15fb8a5f2ef netcmd: silo command uses more consistent naming for policy args
via c22400fd8ef netcmd: silo command remove combined --policy which set all 3
from b6ae5d66819 codespell: Ignore .git

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit 0bb67a3a7e79a687e7809ab41f056c36629bc19f
Author: Rob van der Linde
Date: Thu Oct 12 17:08:34 2023 +1300

    python: silos: add support for allowed to authenticate from silo shortcut

    this avoids the need to write SDDL, the user just needs to give the silo name

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Fri Oct 27 00:30:05 UTC 2023 on atb-devel-224

commit 8491693575115ef651a8320abd699edd3c739758
Author: Rob van der Linde
Date: Fri Oct 27 12:11:34 2023 +1300

    python: add docstring for escaped_claim_id function

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 16d52aa559ab60a9e2b1aba71c9f866833bab9f0
Author: Rob van der Linde
Date: Thu Oct 26 13:13:44 2023 +1300

    python: move method escaped_claim_id from test to samba.sd_utils

    This is so that it can be used in other places too without the need to import or extend the test base class

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 47f5bc78b88b371c40a85b0b716793da771dc6c9
Author: Rob van der Linde
Date: Thu Oct 12 16:59:43 2023 +1300

    python: silos: add some missing tests for auth policy command

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 2aa4d67411a91d1e135164ddb4857d04d6692a35
Author: Rob van der Linde
Date: Thu Oct 12 16:55:34 2023 +1300

    python: tests: claims and silo tests make use of unique_name

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 2dd06ae41a2154db82378587fa662a35bf78c386
Author: Rob van der Linde
Date: Thu Oct 26 11:18:04 2023 +1300

    python: tests: improve comments for auth silo and policy tests

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 95cb6a0bb1625c2b2099c7374424d595164be2e8
Author: Rob van der Linde
Date: Wed Oct 25 17:25:51 2023 +1300

    python: tests: qa and developers were not in the correct case

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit e87d74066af3b552333aa28d4180e11b32e465b9
Author: Rob van der Linde
Date: Wed Oct 25 16:02:31 2023 +1300

    python: tests: addCleanup is always before create operation

    This way if it raises during a create, it will still end up running the cleanup.

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit d19e268221efca4079469c015f0fe3f2d0719f23
Author: Rob van der Linde
Date: Thu Oct 12 15:21:08 2023 +1300

    python: tests: function to generate a unique name from caller

    Uses the caller function to generate a unique name from the test function name. Unique name is converted to camel case

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit ed245e288756c34c263c37dd3d64203ee1efdaa5
Author: Rob van der Linde
Date: Tue Oct 17 18:54:52 2023 +1300

    netcmd: tests: make use of addCleanup

    Makes self.members redundant and tearDown method can go completely.

    Signed-off-by: Rob van der Linde
    Reviewed-by: Douglas Bagnall
    Reviewed-by: Andrew Bartlett

commit 3e9f74a680bc1d8c0daa133df3c4f8b84e1addc4
Author: Rob
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via b6ae5d66819 codespell: Ignore .git
via b436720e16e s3:rpc_server/wkssvc: Remove get logged on user list from utmp
from 853ae7a913e smbd: add inode marshalling in smb3_file_posix_information_init()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit b6ae5d6681919ef600e44fbf613d675f760dde07
Author: Andrew Bartlett
Date: Thu Oct 26 11:17:43 2023 +1300

    codespell: Ignore .git

    Otherwise the first line of commit messages is checked, because text is found in .git/logs/HEAD, but only on autobuild and not in CI (which does a shallow clone), and not the whole commit message either, which is inconsistent.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15503

    Signed-off-by: Andrew Bartlett
    Reviewed-by: Andreas Schneider
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Oct 26 23:27:29 UTC 2023 on atb-devel-224

commit b436720e16eeeff0c08cb61fc539b6c53ffdac4a
Author: Samuel Cabrero
Date: Tue Oct 24 11:31:17 2023 +0200

    s3:rpc_server/wkssvc: Remove get logged on user list from utmp

    utmp is not Y2038 safe.

    Signed-off-by: Samuel Cabrero
    Reviewed-by: Andrew Bartlett

---
Summary of changes:
.codespellrc | 2 +-
source3/rpc_server/wkssvc/srv_wkssvc_nt.c | 163 ++
source3/wscript | 2 +-
3 files changed, 10 insertions(+), 157 deletions(-)

Changeset truncated at 500 lines:
diff --git a/.codespellrc b/.codespellrc index de4f0fbbbae..1faf9ba9194 100644 --- a/.codespellrc +++ b/.codespellrc 
@@ -1,4 +1,4 @@ [codespell] -skip = ./bin,./docs-xml/archives,./docs-xml/manpages/vfs_fruit.8.xml,./docs-xml/smbdotconf/browse/preferredmaster.xml,./lib/ldb/ldb_sqlite3/trees.ps,./libcli/util/ntstatus.h,./libcli/util/hresult.c,./python/samba/tests/blackbox/testdata,./source3/include/MacExtensions.h,./source3/selftest/ktest-krb5_ccache-2.txt,./source4/setup/display-specifiers,./source4/ldap_server/devdocs,./source4/selftest/provisions,./source4/setup/adprep/WindowsServerDocs,./source4/setup/display-specifiers,./source4/torture/vfs/fruit.c,./testdata,./third_party,*.IBM-DS,*.config,*.diff,*.dump,*.ldif,*.ldf,*.pdml,*.pem,*.po,*.schema +skip = ./.git,./bin,./docs-xml/archives,./docs-xml/manpages/vfs_fruit.8.xml,./docs-xml/smbdotconf/browse/preferredmaster.xml,./lib/ldb/ldb_sqlite3/trees.ps,./libcli/util/ntstatus.h,./libcli/util/hresult.c,./python/samba/tests/blackbox/testdata,./source3/include/MacExtensions.h,./source3/selftest/ktest-krb5_ccache-2.txt,./source4/setup/display-specifiers,./source4/ldap_server/devdocs,./source4/selftest/provisions,./source4/setup/adprep/WindowsServerDocs,./source4/setup/display-specifiers,./source4/torture/vfs/fruit.c,./testdata,./third_party,*.IBM-DS,*.config,*.diff,*.dump,*.ldif,*.ldf,*.pdml,*.pem,*.po,*.schema ignore-regex = \\[t] ignore-words = .codespellignore diff --git a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c index 592e8668cd3..0724dd00af5 100644 --- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c +++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c 
@@ -45,96 +45,6 @@ struct dom_usr { time_t login_time; }; -#ifdef HAVE_GETUTXENT - -#include - -struct usrinfo { - char *name; - struct timeval login_time; -}; - -static int usr_info_cmp(const struct usrinfo *usr1, const struct usrinfo *usr2) -{ - /* Called from qsort to compare two users in a usrinfo_t array for -* sorting by login time. Return >0 if usr1 login time was later than -* usr2 login time, <0 if it was earlier */ - return timeval_compare(&usr1->login_time, &usr2->login_time); -} - -/*** - Get a list of the names of all users logged into this machine - / - -static int get_logged_on_userlist(TALLOC_CTX *mem_ctx, char ***pusers) -{ - char **users; - int i, num_users = 0; - struct usrinfo *usr_infos = NULL; - struct utmpx *u; - - while ((u = getutxent()) != NULL) { - struct usrinfo *tmp; - if (u->ut_type != USER_PROCESS) { - continue; - } - for (i = 0; i < num_users; i++) { - /* getutxent can return multiple user entries for the -* same user, so ignore any dups */ - int cmp = strncmp(u->ut_user, usr_infos[i].name, sizeof(u->ut_user)); - if (cmp == 0) { - break; - } - } - if (i < num_users)
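Review bot: In the .codespellrc hunk, the `skip` value lists `./source4/setup/display-specifiers` twice, and the duplicate is carried over unchanged from the removed line to the added one. Since the line is being rewritten anyway to prepend `./.git`, drop the second occurrence in the same change.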
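Review bot: In source3/rpc_server/wkssvc/srv_wkssvc_nt.c (hunk at -45), the whole `#ifdef HAVE_GETUTXENT` implementation of get_logged_on_userlist() is deleted, and the commit message gives only "utmp is not Y2038 safe" as the reason. Neither the message nor the visible part of the hunk says what callers now return in place of the list of "all users logged into this machine", so the commit message or a comment at the remaining call site should state the new behaviour, and the change deserves a release-note entry because the server's answer to clients changes.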
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via d57f3bdcd33 s4:kdc: Simplify principal_comp_strcmp_int() to handle only equality
via ea6d2ddb66e s4:kdc: Check for overflow before calling smb_krb5_princ_component()
via 12211735772 s4:kdc: Have principal_comp_strcmp_int() properly indicate an error
via ddef0e5e1f6 s4:kdc: Consider a single‐component krbtgt principal to be the TGS
via 7b68f751be1 third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670)
via 6d7a05bf780 s4:kdc: Make use of smb_krb5_principal_is_tgs()
via 865e4f0f8cb s4:kdc: Change signature of is_kadmin_changepw() to accommodate failure cases
via 9a0c5ee4aef s4:kdc: Have smb_krb5_principal_get_comp_string() properly indicate an error
via 2944bc1e02a s4:dsdb: Initialize pointers to NULL
via 800f3203b1d lib/krb5_wrap: Check return value of krb5_principal_get_comp_string()
via 3917a1995c3 tests/krb5: Add tests for single‐component krbtgt principals
via f266f5c670b tests/krb5: Also consider single‐component krbtgt principals to be TGS principals
via 3960eabca78 libutil/iconv: avoid overflow in surrogate pairs
via 949fe570777 libutil/iconv: don't allow wtf-8 surrogate pairs
via d7481f94e0f util/charset/torture: test convert_string_talloc with emptyish strings
via 58011bc64a8 s4/torture/gentest: explain seemingly redundant initialisation
via b5a728e81e8 util/convert string: remove inaccurate misspelt comment
via 7f870211fbf s4/torture/gentest: remove redundant op entry
via 15b7508babf docs/manpages: fix links to mod_ntlm_winbind and squid
via ffdd9ddeaea s4:dns_server: loudly warn when a tombstone record has other records
via 78658eee76b s4/dsdb: try not to leak on access check failure
via acb0a299172 librpc/ndr_basic: attempt only IPv4 addresses in push_ipv4
via 44ce1ad5c8b idl/spoolss: fix spelling of UTF16 charset
via df8ab7edfa2 util/charset: disambiguate docs for convert_string twins
via 7cf4efe7684 lib/util/charset: @param typos
from 704a615521c docs-xml: add manpage for wspsearch cli client

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit d57f3bdcd3374b9661571e5e815be93c666a47cf
Author: Joseph Sutton
Date: Thu Sep 21 11:37:30 2023 +1200

    s4:kdc: Simplify principal_comp_strcmp_int() to handle only equality

    We only ever use the principal comparison functions to check equality. Having these functions only handle equality simplifies their implementation and makes them a bit easier to use.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett
    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Thu Oct 26 02:26:02 UTC 2023 on atb-devel-224

commit ea6d2ddb66ec28097c1fe47e2d0a9ab8c1f3e7c6
Author: Joseph Sutton
Date: Thu Sep 21 12:01:27 2023 +1200

    s4:kdc: Check for overflow before calling smb_krb5_princ_component()

    smb_krb5_princ_component() takes its component index parameter as ‘int’, not ‘unsigned int’.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 122117357722445526124ec5ecf9e152bc8e2c87
Author: Joseph Sutton
Date: Thu Sep 21 11:22:51 2023 +1200

    s4:kdc: Have principal_comp_strcmp_int() properly indicate an error

    We should return error codes rather than silently mask failures.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit ddef0e5e1f63775cd22ee3b3febc6f765abbebf8
Author: Joseph Sutton
Date: Thu Sep 21 11:14:36 2023 +1200

    s4:kdc: Consider a single‐component krbtgt principal to be the TGS

    This matches the behaviour of Windows.

    NOTE: This commit finally works again!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 7b68f751be14cfbbab49ffa0084cc72e41d0a3f5
Author: Joseph Sutton
Date: Mon Sep 25 13:16:43 2023 +1300

    third_party/heimdal: Import lorikeet-heimdal-202309250010 (commit b73ae22b9b1c6fc06d0d79afe55517367a5f9670)

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 6d7a05bf780481a2792ff87ae635fb91e1f0c640
Author: Joseph Sutton
Date: Thu Sep 21 11:22:47 2023 +1200

    s4:kdc: Make use of smb_krb5_principal_is_tgs()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

c
[SCM] Samba Shared Repository - branch master updated
0e45a0cec95 s3:param: Make init_globals() public via e30c404fb7a s3:param: Use the memory context we just created instead of tos via 49424f18b19 s3:param: Use a talloc stackframe in pyparam via e24900ac895 s3:client: Call gfree_all() before exit in smbspool via e48798cbb03 s3:client: Call gfree_all() before exit in smbclient via 4d411cf5cec s3:utils: Call gfree_all() before exit in smbtree via 643e0ae8761 s3:utils: Call gfree_all before exit in smbpasswd via 6aa56331212 s3:utils: Remove trailing white spaces in smbpasswd.c via bbda37e4e3d s3:utils: Call gfree_all() before exit in smbget via 8a873f89773 s3:utils: Call gfree_all() before exit in smbfilter via f849efebb84 s3:utils: Remove trailing white spaces in smbfilter.c via 2eee959fab6 s3:utils: Call gfree_all() before exit in smbcquotas via 6d482485ca9 s3:utils: Call gfree_all() before exit in smbcontrol via 9428fa3599a s3:utils: Call gfree_all() before exit in smbcacls via d7a8e63f1db s3:utils: Call gfree_all() before exit in sharesec via 72add41e2a7 s3:utils: Call gfree_all() before exit in regedit via 66c76976150 s3:utils: Call gfree_all() before exit in pdbedit via 8482d46faba s3:utils: Call gfree_all() before exit in ntlm_auth via 0653f78bcc7 s3:utils: Call gfree_all() before exit in net from 3c4714bc834 s3:rpc_server: Correctly reset DEVMODE bit https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 704a615521cd90693009366fa8ae23a25210d119 Author: Noel Power Date: Tue Oct 25 18:30:31 2022 +0100 docs-xml: add manpage for wspsearch cli client Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Oct 25 23:20:33 UTC 2023 on atb-devel-224 commit a3a7a94ff4303f1c99c10d2dda4cea86574582e3 Author: Noel Power Date: Thu Jul 21 16:53:17 2016 +0100 s3/utils: Add search client Simple cli client for doing a basic windows search. 
example: wspsearch -U$(USER)%$(PASSWD) //$(SERVER)/$(SHARE) --search='DSC' --kind=Picture Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 387c9f3aa5fd71ece868ad02a9e65669b59ed8b6 Author: Noel Power Date: Mon Oct 17 20:15:32 2022 +0100 libcli/wsp: Add simple client api for wsp client code. Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 47a0dc6fa6c983bed65d2e950845ae47e1f4df64 Author: Noel Power Date: Wed Aug 23 12:06:02 2023 +0100 add accessor for tstream_context Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 2b2fdd5323cd5588e08c16953802a880bcab483e Author: Noel Power Date: Wed Aug 23 11:28:21 2023 +0100 remove problematic include (seems to bring in conflicted definitions) Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 8977d0a5bce25a2a50f8d77f6997bb9b5282bad4 Author: Noel Power Date: Tue Oct 25 11:30:03 2022 +0100 librpc/wsp: Add some util functions needed for wsp client api Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 86d434218063cf0c982015be908681bd9fe91f12 Author: Noel Power Date: Mon Oct 24 20:50:27 2022 +0100 libcli/wsp: Test AQS parser Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit 68ce6cf68457aa7f07bc9d9ee8c64906106783fb Author: Noel Power Date: Mon Oct 17 19:14:35 2022 +0100 librpc/wsp: Add functions to dump restriction as string Signed-off-by: Noel Power Reviewed-by: Andrew Bartlett commit b28fb85a1f88aa55db07a53eae32bd663a3e08d8 Author: Noel Power Date: Wed Jun 29 11:29:54 2016 +0100 libcli/wsp: Add support for simplified Advanced Query Syntax Add support to parse AQS-like (Advanced query syntax) AQS - see https://learn.microsoft.com/en-gb/windows/win32/search/-search-3x-advancedquerysyntax The basic (AQS) syntax is supported e.g. a query is built of a sequence of queries connected by AND, OR and NOT where the query elements are essentially restrictions defined by a property. 
There are some limitations on the operators supported[1] and additionally some things like enumerated ranges are not supported at all and range values are not delimited as specified [2]. Some special cases that you see in the windows search UI are exceptions [3] which are handled more or less as keywords Some examples: The following are all exactly the same query just expressed using different variations of the syntax 'ALL:($ System.Size:10241-102401' 'ALL:$ System.Size:>=10241 AND System.Size:<102401' 'ALL:$ System.Size:small' The queries above by default select the property
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 50b8a2de2aa python: getopt: HostOptions and other option groups inherit from samba OptionGroup class via 7c389e19212 netcmd: auth policy: add OptionGroup classes for user, service and computer options via 0667708cef2 python: netcmd: make use of HostOptions for claims and sites commands via e1244ba304a python: getopt: Add HostOptions to avoid need to manually add -H via 0f3d6d80dab python: netcmd: make use of required flag on Option for claims commands via e60f3afcc5f python: getopt: implement required flag on options and OptionParser via 837e1d9fdad python: getopt: subclass OptionParser to populate option_class via 6943a58bff3 netcmd: tests: stop checking for ERROR prefix from CommandError via fb058e7f2ce python: netcmd: remove OptionError alias to OptionValueError via 14b21298687 python: netcmd: catch parent exception class OptParseError instead via f77064c8225 python: getopt: rename SambaOption to Option via d54f52b847f python: netcmd: parser class in getSamDB should set option_class via b7a1946d8b7 python: netcmd: fix import grouping and sorting in base first via 5f8c46d1dec python: netcmd: remove redundant Option subclass via 32032937ed9 python: netcmd: SUPPRESS_HELP constant has no effect here via a930456f0c9 python: netcmd: dbcheck: fix import grouping and order via 3a5a5cae3a6 python: netcmd: ntacl: fix import grouping and order via 90f7ad08b53 python: tests: fix some hidden tab characters in tests.py via 0f93e1d17f8 python: add docstrings to Validator and ValidationError via dc513a82a6a python: move Validator base class and ValidationError to getopt via 29c9991594f python: getopt: move validators logic to parent class via bdad257a312 netcmd: don't turn exception into CommandError in run_validators via 99c93c1e89e netcmd: PEP8: minor whitespace fix, file did not pass PEP8 via c3876242fdf netcmd: move comment above class to docstring via 8b575612975 netcmd: correctly pass Samba option class to OptionParser via 
96959b72679 python: getopt: move SambaOption to the top of the file via c688e73358c python: getopt: correctly group and sort imports via 1f8b4913c60 python: getopt: update super calls to python3 style via e209b8d79c2 python: move comment for check_bytes to docstring via 22316fea335 python: PEP8 fixup whitespace in getopt.py first via 029e0457ccc netcmd: tests: make check_run and related methods classmethod for consistency via b543874abc3 tests: minor indentation and whitespace fixes from 7c8dea14da6 smbtorture: add test for fruit:validate_afpinfo option https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 50b8a2de2aadd94386fb0525bfc741867121c929 Author: Rob van der Linde Date: Fri Oct 20 14:46:40 2023 +1300 python: getopt: HostOptions and other option groups inherit from samba OptionGroup class Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Oct 25 00:31:37 UTC 2023 on atb-devel-224 commit 7c389e19212f76aaf9cba8ac8315742c7294e2c8 Author: Rob van der Linde Date: Tue Oct 10 23:31:33 2023 +1300 netcmd: auth policy: add OptionGroup classes for user, service and computer options Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 0667708cef2e4375552860ae67ac24e6b0f593d0 Author: Rob van der Linde Date: Fri Oct 6 15:49:27 2023 +1300 python: netcmd: make use of HostOptions for claims and sites commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e1244ba304a2de598779f9fcf1307244f333ab65 Author: Rob van der Linde Date: Fri Oct 6 15:47:43 2023 +1300 python: getopt: Add HostOptions to avoid need to manually add -H Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 0f3d6d80dab0be046663e8bac2357b20520c70e3 Author: Rob van der Linde Date: Fri Oct 6 14:50:32 2023 +1300 python: netcmd: make use of required flag 
on Option for claims commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e60f3afcc5fca7ec1d8aacfc7abf19009b3d831c Author: Rob van der Linde Date: Fri Oct 6 12:58:46 2023 +1300 python: getopt: implement required flag on options and OptionParser Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 837e1d9fdad79ea3a7fdce1232d8dd834f181a63 Author: Rob van der Linde
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 63aeb64504c s4:kdc: Add device to Authenticated Users for authentication policy evaluation via eaffadb8286 s4:kdc: Add a flag indicating that the device should be added to Authenticated Users via c91d1618e33 s4:kdc: Add device to default groups for authentication policy evaluation via fc2f886441e s4:kdc: Add a flag indicating that the device should be added to the default groups via 7728a0622e0 s4:kdc: Make a copy of the device SIDs to be placed in the security token via eb21ac87776 tests/krb5: Test whether the device belongs to some default groups via 0f5033a1e76 tests/krb5: Work around Samba’s incorrect krbtgt principal handling via 4e8fb9706e2 tests/krb5: Remove unnecessary target_creds variables from 4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 63aeb64504cf6b9cbb52ac338129b9930d65f6b3 Author: Joseph Sutton Date: Fri Oct 20 15:01:30 2023 +1300 s4:kdc: Add device to Authenticated Users for authentication policy evaluation Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224 commit eaffadb8286ef6d68d433f8c8f244f20ad00e9d3 Author: Joseph Sutton Date: Fri Oct 20 15:00:12 2023 +1300 s4:kdc: Add a flag indicating that the device should be added to Authenticated Users 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c91d1618e339da1c29b371866d5ab243e3d3fad6 Author: Joseph Sutton Date: Thu Oct 19 20:02:43 2023 +1300 s4:kdc: Add device to default groups for authentication policy evaluation This means that expressions like ‘Device_Member_of(WD)’ will now work, as they should. It *also* means that expressions like ‘Device_Member_of(NU)’ will work, even though they shouldn’t. This is because we consider SID_NT_NETWORK to be a default group. Our new behaviour may be wrong, but at least it’s now consistent with the behaviour of user‐relative expressions like ‘Member_of(WD)’ and ‘Member_of(NU)’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fc2f886441e2cd806c26712762a6813f6ce4f924 Author: Joseph Sutton Date: Thu Oct 19 20:02:32 2023 +1300 s4:kdc: Add a flag indicating that the device should be added to the default groups Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7728a0622e0f7a7bf672131b757799e03b99d2dd Author: Joseph Sutton Date: Thu Oct 19 20:02:13 2023 +1300 s4:kdc: Make a copy of the device SIDs to be placed in the security token We shall need to add extra SIDs on the end. View with ‘git show -b’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit eb21ac87776d113e40070babadcf104f087c0b1d Author: Joseph Sutton Date: Thu Oct 19 17:11:41 2023 +1300 tests/krb5: Test whether the device belongs to some default groups Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 0f5033a1e76a0e079b6dc1859f2cb2d9110e1b1f Author: Joseph Sutton Date: Thu Oct 19 16:23:32 2023 +1300 tests/krb5: Work around Samba’s incorrect krbtgt principal handling These tests fail only because they are using the ‘krbtgt@REALM’ form of the krbtgt principal that Samba doesn’t handle correctly. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4e8fb9706e226fe4f44140c1df64c155c36f22f7 Author: Joseph Sutton Date: Thu Oct 19 16:22:28 2023 +1300 tests/krb5: Remove unnecessary target_creds variables Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- Summary of changes: auth/common_auth.h | 2 + python/samba/tests/krb5/conditional_ace_tests.py | 229 --- python/samba/tests/krb5/kdc_tgs_tests.py | 8 +- selftest/knownfail_heimdal_kdc | 8 +- selftest/knownfail_mit_kdc | 9 +- source4/auth/session.c | 59 +- source4/kdc/authn_policy_util.c | 5 + 7 files changed, 280 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/common_auth.h b/auth/common_auth.h index 58fb2cd0b3d..1afb79eb5df 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -41,6 +41,8 @@ enum auth_password_state { #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */ #define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation via d209cdf4f0c s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified via 37594035547 s4:kdc: Use HDB flag constants instead of SDB ones via 4e83dfb6764 s4:kdc: Always regard device info when the client performs RBCD via fc7f64baa35 s4:dsdb: Remove reference to non‐existent code via 053292a7e8d tests/krb5: Delete connection variable via 7ea71c4882e tests/krb5: Make ‘services’ parameter required via ea10d01bfd6 tests/krb5: Remove unreachable exception handlers via e48eb621cd9 tests/krb5: Fix RC4‐only Protected Users tests via f1babf2f3db tests/krb5: Remove unnecessary f‐strings via 137499aef60 tests/krb5: Remove unused imports via d363c7bf55a tests/krb5: Fix DES3CBC random_to_key() via a0d32a39804 tests/krb5: Make ‘keybytes’ a bytes object rather than a list via 69db1b58882 tests/krb5: Don’t expect edata if no error is expected via ee43eed6354 tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used via 991e8f5a7f5 tests/krb5: Use None for the default values of parameters via 2ddd8ca3c72 tests/krb5: Move assignments closer to where the variables are used via 7f860d1cba4 tests/krb5: Remove incorrect functional level check via 11835ed5bbb tests/krb5: Update method names to be consistent with other tests via 88d5ae3218d tests/krb5: Have _modify_tgt() accept only keyword arguments via 59f7052295a tests/krb5: Correctly pass arguments to _modify_tgt() via a365f04d0f3 tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code via fc475b2e209 tests/krb5: Add ‘expect_edata’ parameter to _user2user() via fcdc0101225 tests/krb5: Fix comment via 879e7a3c3e8 tests/krb5: Remove marker via 29176807bc2 s4:torture: Check return values of gnutls functions (CID 1547212) via 07ec3457dc2 s4:torture: Fix leaks via cf30ddb56d2 s4:torture: Check return values of talloc functions from 52fd0d79ab0 smbd: put back code to fill in user and 
group SID https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 4c291514a9e144c84d774120001775005838e80d Author: Joseph Sutton Date: Tue Oct 17 20:24:04 2023 +1300 s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224 commit d209cdf4f0c8ab948f59ef4cbe824a6fa9bef4ad Author: Joseph Sutton Date: Tue Oct 17 20:18:28 2023 +1300 s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 375940355477e5d564b633d81777a3eba0f162e5 Author: Joseph Sutton Date: Tue Oct 17 20:18:12 2023 +1300 s4:kdc: Use HDB flag constants instead of SDB ones These flags are passed to us by Heimdal, and so they are HDB flags, not SDB flags. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4e83dfb6764325bcb420407929399ff4c2b46656 Author: Joseph Sutton Date: Tue Oct 17 14:24:46 2023 +1300 s4:kdc: Always regard device info when the client performs RBCD Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit fc7f64baa35689b860d208702416f85bb212a3be Author: Joseph Sutton Date: Tue Oct 17 11:18:50 2023 +1300 s4:dsdb: Remove reference to non‐existent code Commit 498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in question. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 053292a7e8d2568a06cb6590815039e241d66c52 Author: Joseph Sutton Date: Wed Oct 18 16:07:30 2023 +1300 tests/krb5: Delete connection variable This avoids a ‘variable set but unused’ warning. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7ea71c4882e97c33e1714f8be461aedb57b82aae Author: Joseph Sutton Date: Wed Oct 18 16:06:51 2023 +1300 tests/krb5: Make ‘services’ parameter required We use it unconditionally without a check for None. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit ea10d01bfd699b623536ca6fdd8e9b5d5db8d06f Author: Joseph Sutton Date: Wed Oct 18 16:05:17 2023 +1300 tests/krb5: Remove unreachable exception handlers ‘IOError’ is a subclass of ‘error’, which has already been handled. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit e48eb621cd92cc3d97b77126512295d5bf14ed49 Author: Joseph Sutton Date: Wed Oct 18 16:03:45 2023 +1300 tests/krb5: Fix RC4‐only Protected
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f392fdfd47f shadow_copy2: Add missing TALLOC_FREE via c6d0df787a1 s4:torture: Increase multichannel timeout via 5ec5496df40 s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to match the request via 53e4fe647ec s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map() via dfdb8736c75 s4:rpc_server: simplify logic in dcesrv_epm_Map matching via 7a7a38b870d librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor via 1058382d048 librpc/rpc: add dcerpc_floor_pack_uuid_full() helper function via ac392c35e49 s3:rpc_server: let create_policy_hnd() return a pointer via 403bceef914 s4:rpc_server/remote: make use of dcesrv_async_reply() via 06c12033b35 s4:rpc_server/netlogon: make use of dcesrv_async_reply() via d880999480e s4:rpc_server/lsa: make use of dcesrv_async_reply() via eaf3654dd1e s4:rpc_server/common: make use of dcesrv_async_reply() via 27d11803a45 s4:rpc_server/echo: make use of dcesrv_async_reply() via b8eae782251 librpc/rpc: add dcesrv_async_reply() helper that disconnects as needed via 5a6978205ed librpc/rpc: allow dcesrv_context to propose the preferred ndr syntax via f8b76235fe0 s3:rpc_server: distribute clients based on available association group slots via 40e780ad162 dcesrv_core: maintain the number of allocated association groups per dce_ctx via 2c2c2f43688 s3:rpc_server: improve debugging in rpc_host_distribute_clients() via cd2cb49179c s3:rpc_server: simplify rpc_host_find_worker() via eb8cf371b8d s3:rpc_server: correctly allow up to 65536 workers processes via e4bdab659bb rpc_host.idl: change server_index from uint8 to uint32 via 94723b6732a s3:rpc_server: call reopen_logs before we print the copyright notice via f35baa4eb2e s3:rpc_server: make use of dcesrv_register_default_auth_types[_machine_principal]() via ae38cfe6da7 s3:rpc_server: let get_servers() callback of rpc_worker_main() return NTSTATUS via 2d73b1e0618 s3:rpc_server: let 
register_ep_server() errors result in DBG_ERR() via 2ba5016e4b4 librpc/rpc: add dcesrv_register_default_auth_types[_machine_principal]() helpers via 1d0a5b3ac75 librpc/rpc: implement dcesrv_mgmt_inq_princ_name infrastructure via 9f51379dd73 librpc/rpc: let dcesrv_mgmt_inq_if_ids() filter out the mgmt syntax_id via 6cb12d3955d librpc/rpc: apply some code cleanup and error checks to dcesrv_mgmt.c via a38f58ac85f s4:torture/rpc: let test_inq_princ_name_size also test for princ_name_size = 0 and BAD_STUB_DATA via 2a290dcb945 s3:selftest: also run rpc.mgmt against the nt4_dc (and ad_dc) via 09daeba6962 libcli/util: let win_errstr() fallback to hresult_errstr() from 237b6fc3ad6 s3:tests: Plan test_smbspool_krb.sh for environment ad_member_fips https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f392fdfd47f47e371fe75f5cd4647126922fda19 Author: MikeLiu Date: Fri Oct 13 11:55:52 2023 +0800 shadow_copy2: Add missing TALLOC_FREE Signed-off-by: MikeLiu Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Oct 17 20:22:18 UTC 2023 on atb-devel-224 commit c6d0df787a1f6007e1f4594f68ff1f75a46bd293 Author: Andreas Schneider Date: Tue Oct 17 14:29:03 2023 +0200 s4:torture: Increase multichannel timeout This avoids running into timeouts on Gitlab CI. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 5ec5496df40e6015ec8de6133a406bb50efebe35 Author: Stefan Metzmacher Date: Fri Oct 13 09:18:25 2023 +0200 s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to match the request This makes it much easier to understand. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 53e4fe647ec3f840836340cf9eac4f79b8794aad Author: Stefan Metzmacher Date: Fri Oct 13 09:11:51 2023 +0200 s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map() This already checks for EPM_PROTOCOL_UUID and simplifies the logic.
Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit dfdb8736c750079bc42d274a416c9f7ea3f820dc Author: Stefan Metzmacher Date: Thu Oct 12 17:19:21 2023 +0200 s4:rpc_server: simplify logic in dcesrv_epm_Map matching Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett commit 7a7a38b870dd8f0b384e290b8e9e18305bf54f90 Author: Stefan Metzmacher Date: Wed Aug 9 19:39:21 2023 +0200 librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor Signed-off-by: Stefan Metzmacher
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 310629508bf gitignore: add WAF lockfile via e2ace2d6137 build: Add 'make printversion' to provide version string via 53ff61bbddd s4:kdc: Remove unused function int2SDBFlags() via 7405a8fab0d s4:kdc: Explicitly initialize SDBFlags structures via 9fcace5818a s4:kdc: Make ‘struct user_info_dc’ members const via b7b4c7ca8c4 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667) via c15a9af8e58 tests/krb5: Fix ASN.1 source via 1712449aa67 tests/krb5: Don’t expect groups if we’re expecting an error via a8a186868e4 tests/krb5: Fix tests that crash Windows via 52ea480543b tests/krb5: Expect a status code with policy errors via b5b8b16a50e tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD via 35c7061f97a buildtools: Correctly raise exception via ec23abfe1f7 buildtools: Don’t call normpath() repeatedly from bf79979f847 s4:kdc: fix user2user tgs-requests for normal user accounts https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 310629508bfbedecfab9b653b7cba0282f5c0e8b Author: Michael Adam Date: Mon Oct 16 19:04:55 2023 +0200 gitignore: add WAF lockfile BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497 Signed-off-by: Michael Adam Reviewed-by: Christof Schmitt Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224 commit e2ace2d613701f3d4a7c7c202f68d2f193c0a64a Author: Christof Schmitt Date: Thu Sep 12 16:11:34 2013 -0700 build: Add 'make printversion' to provide version string BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497 Signed-off-by: Christof Schmitt Reviewed-by: Andrew Bartlett commit 53ff61bbddd5c4db6f0849c833c800f2a792e45f Author: Joseph Sutton Date: Thu Oct 12 11:56:01 2023 +1300 s4:kdc: Remove unused function int2SDBFlags() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7405a8fab0d4a8ba31213abbe2bfaa1197fd3415 Author: Joseph Sutton Date: Thu Oct 12 11:54:50 2023 +1300 
s4:kdc: Explicitly initialize SDBFlags structures Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9fcace5818a43770c2f30710fb32e0db8dd599c3 Author: Joseph Sutton Date: Thu Oct 12 13:40:21 2023 +1300 s4:kdc: Make ‘struct user_info_dc’ members const Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b7b4c7ca8c4309e9563ac90378b84e4b83bd1eab Author: Joseph Sutton Date: Fri Oct 6 14:11:24 2023 +1300 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1449667) Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c15a9af8e58075f364c617578abee9b897abc342 Author: Joseph Sutton Date: Mon Oct 16 15:37:29 2023 +1300 tests/krb5: Fix ASN.1 source It currently fails to compile. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1712449aa67d52ff5f3bb6b673644b25bce41086 Author: Joseph Sutton Date: Mon Oct 16 14:41:51 2023 +1300 tests/krb5: Don’t expect groups if we’re expecting an error Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit a8a186868e4f4e8a8d711437747e6af47edb9be9 Author: Joseph Sutton Date: Mon Oct 2 12:20:48 2023 +1300 tests/krb5: Fix tests that crash Windows Expect an actual error code or an outcome, not CRASHES_WINDOWS. I don’t know which error codes Windows might be expected to produce, so I’ve chosen some that seem plausible. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 52ea480543b53173b9f92550b844224d17c14c51 Author: Joseph Sutton Date: Tue Oct 17 14:03:33 2023 +1300 tests/krb5: Expect a status code with policy errors Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b5b8b16a50ecb7225fe1bfa31d3a839efdd9f7d0 Author: Joseph Sutton Date: Tue Oct 17 13:34:29 2023 +1300 tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD If we’re verifying that a ticket was permitted to be issued by an RODC, and not trusting the group SIDs in the ticket, is there any reason to ban its use with RBCD? 
A client with a ticket issued by an RODC that happens to select a DC to direct an RBCD request at should not have the request mysteriously fail. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 35c7061f97a1f0dd79efe3a567b7054304192f55 Author: Joseph Sutton Date: Fri Oct 13 12:38:35 2023 +1300 buildtools: Correctly raise exception This avoids errors like the following: ‘RuntimeError: No active exception to reraise’ Signed-off-by: Joseph Sut
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 6e862bd3690 s4/torture: fix exit status of raw.bench-lookup via b76e184c073 gpdupate: Implement Drive Maps Client Side Extension via 42d03da3063 gpupdate: Test Drive Maps Client Side Extension from acd9248b13c tevent: version 0.16.0 https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 6e862bd3690c041aa061ed8f7ee1d9207381674f Author: Oleg Kravtsov Date: Fri Oct 6 12:20:05 2023 +0300 s4/torture: fix exit status of raw.bench-lookup Use correct value of 'result' when the test passes. Signed-off-by: Oleg Kravtsov Reviewed-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Oct 16 02:01:17 UTC 2023 on atb-devel-224 commit b76e184c07333b00daab5969ba4687b8844c1ce3 Author: David Mulder Date: Fri Mar 10 14:30:17 2023 -0700 gpdupate: Implement Drive Maps Client Side Extension Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett commit 42d03da3063a1ac7c20674312a3d730ac143874b Author: David Mulder Date: Fri Mar 10 14:29:24 2023 -0700 gpupdate: Test Drive Maps Client Side Extension Signed-off-by: David Mulder Reviewed-by: Andrew Bartlett --- Summary of changes: python/samba/gp/gp_drive_maps_ext.py | 169 +++ python/samba/gp/gpclass.py | 67 + python/samba/tests/bin/gio | 11 ++ python/samba/tests/gpo.py| 188 ++- source4/scripting/bin/samba-gpupdate | 2 + source4/torture/raw/lookuprate.c | 1 + 6 files changed, 437 insertions(+), 1 deletion(-) create mode 100644 python/samba/gp/gp_drive_maps_ext.py create mode 100755 python/samba/tests/bin/gio Changeset truncated at 500 lines: diff --git a/python/samba/gp/gp_drive_maps_ext.py b/python/samba/gp/gp_drive_maps_ext.py new file mode 100644 index 000..85aaa56b439 --- /dev/null +++ b/python/samba/gp/gp_drive_maps_ext.py 
@@ -0,0 +1,169 @@ +# gp_drive_maps_user_ext samba gpo policy +# Copyright (C) David Mulder 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import json +from samba.gp.gpclass import gp_xml_ext, gp_misc_applier, drop_privileges, \ +expand_pref_variables +from subprocess import Popen, PIPE +from samba.gp.gp_scripts_ext import fetch_crontab, install_crontab, \ +install_user_crontab +from samba.gp.util.logging import log +from samba.gp import gp_scripts_ext +gp_scripts_ext.intro = ''' +### autogenerated by samba +# +# This file is generated by the gp_drive_maps_user_ext Group Policy +# Client Side Extension. To modify the contents of this file, +# modify the appropriate Group Policy objects which apply +# to this machine. DO NOT MODIFY THIS FILE DIRECTLY. 
+# + +''' + +def mount_drive(uri): +log.debug('Mounting drive', uri) +out, err = Popen(['gio', 'mount', uri], + stdout=PIPE, stderr=PIPE).communicate() +if err: +if b'Location is already mounted' not in err: +raise SystemError(err) + +def unmount_drive(uri): +log.debug('Unmounting drive', uri) +return Popen(['gio', 'mount', uri, '--unmount']).wait() + +class gp_drive_maps_user_ext(gp_xml_ext, gp_misc_applier): +def parse_value(self, val): +vals = super().parse_value(val) +if 'props' in vals.keys(): +vals['props'] = json.loads(vals['props']) +if 'run_once' in vals.keys(): +vals['run_once'] = json.loads(vals['run_once']) +return vals + +def unapply(self, guid, uri, val): +vals = self.parse_value(val) +if 'props' in vals.keys() and \ +vals['props']['action'] in ['C', 'R', 'U']: +unmount_drive(uri) +others, entries = fetch_crontab(self.username) +if 'crontab' in vals.keys() and vals['crontab'] in entries: +entries.remo
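Review bot: in mount_drive(), success is decided by whether gio wrote anything to stderr; the exit status of the process is never checked. Any stderr output other than 'Location is already mounted' raises SystemError, while a failure that prints nothing is treated as success. Checking the Popen returncode after communicate(), and using the stderr text only to recognise the already-mounted case, would be more robust. The uri is passed to gio as a bare positional argument, so a value beginning with '-' would be parsed as an option; if uri is taken from policy data it is worth rejecting such values before the call. In unapply(), vals['props']['action'] raises KeyError when the stored props carry no 'action' key, and the return value of unmount_drive() is discarded, so a failed unmount goes unnoticed. Using vals['props'].get('action') and logging a non-zero status would cover both.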
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via d895c98c507 wintest: Fix invalid escape sequences via 3f70da665bd selftest: Use now() instead of utcnow() via 44958f363ee s4:torture: Use assertEqual() instead of assertEquals() via 9e3a858969a s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite() via bb77f36f49c s4:dsdb:tests: Fix assertion messages via 1513a4592c0 s4:dsdb:tests: Remove unused variables via 079306cf34f s4:dsdb:tests: Remove unused imports via 39a4d27a83c s3:script: Remove semicolons via 1a4ec25b327 tests/krb5: Fix assertion messages via 2f5833cbb3a tests/krb5: Use assertEqual() instead of assertEquals() via f7009e2a35c python:tests: Use now() instead of utcnow() via af61444d7a5 python:tests: Remove semicolons via 7efe6b0ab42 python:tests: Correct search expression via ed97b15fe97 python:tests: Fix comment via d2196545bb0 python:tests: Fix exception message via 2fa838d4395 python:tests: Use assertEqual() instead of assertEquals() via 08dbb35e7e4 python:subunit: Use now() instead of utcnow() via 7c89c5880ea python:colour: Fix exception message via 876ee3fb849 examples: Fix invalid escape sequences via 1f3d49edc6d examples: Don’t use deprecated method ‘has_key()’ via 2870ef951e9 buildtools: Remove semicolons from afb335664c9 s4-torture: add another test to demonstrate identical functions https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit d895c98c507a72116ef414e07da4dab7c8f61504 Author: Joseph Sutton Date: Mon Sep 11 11:59:55 2023 +1200 wintest: Fix invalid escape sequences Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Oct 13 04:55:06 UTC 2023 on atb-devel-224 commit 3f70da665bd7e4946cc5e777c52fdaa1954119d3 Author: Joseph Sutton Date: Mon Oct 2 13:58:18 2023 +1300 selftest: Use now() instead of utcnow() utcnow() is deprecated and will be removed in a future version of Python. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 44958f363eef97c3bbc9c69a78d89f53df21edda Author: Joseph Sutton Date: Mon Oct 2 13:35:32 2023 +1300 s4:torture: Use assertEqual() instead of assertEquals() assertEquals() was removed in Python 3.12. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9e3a858969a035518ed5b1a87c378e2371efd3b5 Author: Joseph Sutton Date: Mon Oct 2 15:07:54 2023 +1300 s4:dsdb:tests: Use loadTestsFromTestCase() instead of makeSuite() makeSuite() is deprecated and will be removed in Python 3.13. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit bb77f36f49c7866f8353b68129202a1e7793bc14 Author: Joseph Sutton Date: Mon Oct 2 14:25:52 2023 +1300 s4:dsdb:tests: Fix assertion messages Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1513a4592c0aa95d52dc5adce45be602cdacc354 Author: Joseph Sutton Date: Mon Oct 2 14:25:16 2023 +1300 s4:dsdb:tests: Remove unused variables Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 079306cf34fb460d87ad1109ff32e889667f7086 Author: Joseph Sutton Date: Mon Oct 2 14:24:49 2023 +1300 s4:dsdb:tests: Remove unused imports Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 39a4d27a83cb59474fc349ae3e68c10374c296d6 Author: Joseph Sutton Date: Thu Aug 17 11:20:40 2023 +1200 s3:script: Remove semicolons Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 1a4ec25b3270544c1611ee7f876be43dd68b9806 Author: Joseph Sutton Date: Mon Oct 2 15:06:45 2023 +1300 tests/krb5: Fix assertion messages Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2f5833cbb3adc0e3cc666edb62fa860288bf6a36 Author: Joseph Sutton Date: Mon Oct 2 13:32:10 2023 +1300 tests/krb5: Use assertEqual() instead of assertEquals() assertEquals() was removed in Python 3.12. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f7009e2a35ce6dc0113cf373db06f5f9938f6748 Author: Joseph Sutton Date: Mon Oct 2 13:58:00 2023 +1300 python:tests: Use now() instead of utcnow() utcnow() is deprecated and will be removed in a future version of Python. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit af61444d7a58d1b05aa8cad552ac778dc56b552a Author: Joseph Sutton Date: Thu Aug 17 11:09:31 2023 +1200 python:tests: Remove semicolons Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7efe6b0ab42f7b6af5c82a8f6d412f9da16a963b Author: Joseph Sutton Date: Mon Oct 2 15:07:16 2023 +1300 python:tests
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via afb335664c9 s4-torture: add another test to demonstrate identical functions via e05c83408f7 s3-iremotewinspool: check for correct object_uuid in dispatch fn. via e6b07d42538 s4-torture: add testcase to iremotewinspool suite to explore object_uuid handling via e7a4c86878a s3-iremotewinspool: properly map incoming PAR to RPRN requests. via 7f3f6530d45 s3-iremotewinspool: add PAR->RPRN mapping table via 240b082dc4b s4:rpc_server: Check return values of gnutls functions (CID 1452111) via ca2a97b729d s4:rpc_server: Check mkdir() return value (CID 1034649) via c2daa3564a1 s4:ntvfs: Correctly acknowledge PVFS_FLAG_STRICT_SYNC flag (CID 241154) via bea908cf604 s4:ntvfs: Remove dead code path via 4bb18ece5bf s4:ntvfs: Remove unneeded NULL check (CID 240771) via c65411eab58 s4:messaging: Remove redundant code via 61534dd22d9 s4:libcli: Check return value of convert_string_talloc() (CID 1272839) via 077a7e41341 s4:libcli: Remove unnecessary casts via 20d1578 s4:dsdb: Don’t overwrite existing error code (CID 1445263) via b60604b1379 s4:dsdb: Log correct ldb error via ea561fea6fb s4:dsdb: Replace early ‘continue’ with ‘if’ statement (CID 1414738) via d4042e880f6 s4:dsdb: Check return value of ldb_msg_add_empty() (CID 1272827) via b098eb82bf4 s4:dsdb: Fix unreachable code (CID 1435967) via 4cf9f43e431 s4:dsdb: Remove unreachable code (CID 1034686) via 7e8c38604ab s4:dsdb: Check return code (CID 1444824/1444844) via 61037a85bf8 s4:dsdb: Permit forward link to be missing in linked_attributes_fix_forward_link() via d0db0ff268b s4:dsdb: Check whether ‘p’ is NULL before dereferencing it (CID 240875) via 1ad4dd92882 s4:dns_server: Check return value of ldb_transaction_commit() (CID 1034631) via d3b1aa6359d s4:dns_server: Merge similar code paths via fa68f26167e s4:auth: Remove event context on failure via 79a9a07c799 s4:auth: Fix resource leak (CID 1107222) via ac00851fc9f s3:utils: Check return value of cli_RNetServiceEnum() (CID 1273313) via 
59e16873210 s3:utils: Avoid integer overflow (CID 1035488) via 7eaad46f8c3 smb2_server: Check status codes (CID 1474441) via 7774ca87e7d smb2_server: Remove unreachable code (CID 1444981) via 68fb12cb797 Revert "smbd: Fix CID 1504457 Resource leak" via dbf96126cb2 s3:smbd: Avoid integer overflow (CID 1035487) via 1e4d4e6abd3 s3:rpcclient: Do not pass uninitialized pointer to printf() (CID 1476170) via 67b2dc725da s3:nmbd: Remove redundant code (CID 1414756) via c30aa741ee9 s3:modules: Initialize mask_permset (CID 1435850) via 86b0755a4b7 s3:modules: Remove unreachable code (CID 1508998) via d53483a5405 s3:libsmb: Fix array traversal (CID 1034683) via 0c2d2f833eb s3:libnet: Remove always‐false comparison (CID 241309) via 728177088cc Revert "s3:libads: Don’t do first loop iteration if ‘attr’ is NULL" via 7eb47179b57 s3:lib: Rearrange preprocessor directives to avoid structurally dead code (CID 242032) via 3179fc2a703 s3:client: Correctly call setgroups() (CID 1449449) via b28a268b459 smbXcli: Remove unreachable code (CID 1444978) via 86f8cde6b34 lib:util: Remove always‐false comparison (CID 242193) via 700754b0961 util: Remove redundant assertion (CID 1497841) via 757cd49b844 tdb: Do not pass non–null‐terminated strings to strcmp() (CID 1449485) via 8f4aa3508c0 lib:replace: Properly check result of write() and read() (CID 1034925) via fe86989fcc1 lib:printer_driver: Check return value of gp_inifile_enum_section() (CID 1444835) via 03ca8c25d09 lib:compression: Correctly fix sign extension of long matches (CID 1517275) from a2d96f5e291 s4:kdc: Always regard device info when checking a server authentication policy https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit afb335664c9f01f3a3b6f98712b31e4289d58aaf Author: Günther Deschner Date: Thu Sep 28 22:01:36 2023 +0200 s4-torture: add another test to demonstrate identical functions Create a spoolss_EnumPrinters request and send it to both endpoints and verify they deliver identical replies. 
Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Oct 13 03:19:59 UTC 2023 on atb-devel-224 commit e05c83408f7e39c5359865394b629579abbeb4b4 Author: Günther Deschner Date: Mon Sep 25 20:31:24 2023 +0200 s3-iremotewinspool: check for correct object_uuid in dispatch fn. Guenther Signed-off-by: Guenther Deschner Reviewed-by: A
[SCM] Samba Shared Repository - branch master updated
() via 0ed6d11e582 s4:kdc: Check parameters of samba_kdc_get_user_info_from_db() via d02f37b489f s4:kdc: Rename local variable ‘user_info_dc’ to ‘info’ via 024d8cf500d s4:kdc: Pass ‘samdb’ into samba_kdc_get_user_info_from_db() via 8b518817e3f s4:kdc: Add ‘samdb’ parameter to samba_kdc_get_device_info_blob() via 29c230531c6 s4:kdc: Add ‘samdb’ parameter to samba_kdc_verify_pac() via 16cb8c47872 s4:kdc: Make boolean members into bit‐fields via a57d973d804 s4:kdc: Modify samba_kdc_get_user_info_from_db() to return a Kerberos error code via 54cd2af2de7 s4:kdc: Pass Kerberos context into samba_kdc_get_device_info_blob() via d51c505d355 s4:kdc: Rename samba_kdc_entry::user_info_dc to samba_kdc_entry::info_from_db via 64326818ebd s4:kdc: Rename samba_kdc_get_user_info_dc() to samba_kdc_get_user_info_from_db() via c35d1fe593f s4:kdc: Inline samba_kdc_get_user_info_from_db() into its only caller via 0a61dc6ce98 s4:kdc: Replace calls to samba_kdc_get_user_info_from_db() with calls to samba_kdc_get_user_info_dc() via 96ab35bb911 s4:kdc: Add ‘msg’ parameter to samba_kdc_get_user_info_dc() via ce7c543ffcb s4:kdc: Rename ‘user_info_dc_out’ parameter of samba_kdc_get_user_info_dc() to ‘info_out’ via 9c4647436cf s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_dc() to ‘entry’ via f03b14f8b8b s4:kdc: Rename ‘user_info_dc’ parameter of samba_kdc_get_user_info_from_db() to ‘info_out’ via a7323d704e2 s4:kdc: Rename ‘skdc_entry’ parameter of samba_kdc_get_user_info_from_db() to ‘entry’ via 704c71daf50 libcli/security: Initialize conditional ACE token from 4b9b7f70f25 libsmb: Use cli_smb2_qpathinfo_send() for SMB_QUERY_FILE_ALT_NAME_INFO https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a2d96f5e29149dd3951e3a19ec52cc070ccc069a Author: Joseph Sutton Date: Mon Oct 9 18:20:53 2023 +1300 s4:kdc: Always regard device info when checking a server authentication policy Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew 
Bartlett Autobuild-Date(master): Fri Oct 13 00:11:08 UTC 2023 on atb-devel-224 commit c0ef3b4292d2985807f8a203901b3f623357e5db Author: Joseph Sutton Date: Tue Oct 10 16:19:53 2023 +1300 s4:dsdb: Skip allocation of empty device SIDs array Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4b19a707f2ac78ee7ce45ec93c47edaca9d94e47 Author: Joseph Sutton Date: Tue Oct 10 15:41:40 2023 +1300 s4:kdc: Use claims to evaluate RBCD conditions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit f7064f6fd26e2ee302141fec77c3b98ad4c236ae Author: Joseph Sutton Date: Tue Oct 10 15:40:13 2023 +1300 s4:kdc: Use device info to evaluate RBCD conditions Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9b4dbaecfe5678c3270cf71b97d8abda78bc91ff Author: Joseph Sutton Date: Tue Oct 10 15:38:29 2023 +1300 s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 51d516cc2f8ab3357b3aa625d6fd4d9420ff2976 Author: Joseph Sutton Date: Tue Oct 10 15:22:28 2023 +1300 s4:kdc: Rename ‘user_info_dc’ to ‘client_info’ Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 310c537ffa15b85cc83c1c4ccb5adb55333574b6 Author: Joseph Sutton Date: Tue Oct 10 15:19:47 2023 +1300 s4:kdc: Call samba_kdc_get_user_info_dc() to get client information Among other things, this function can deal with RODC‐issued PACs. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6c02e9ac62fc527c7af34214a7253631ae89de51 Author: Joseph Sutton Date: Tue Oct 10 15:16:24 2023 +1300 s4:kdc: Add comment regarding RODC‐issued evidence tickets for constrained delegation Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b13701ac1810d98b43fa8fbe9fba603cddcbc286 Author: Joseph Sutton Date: Tue Oct 10 15:12:30 2023 +1300 s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 390be7d332588d58472d51bb31458e84d285e86a Author: Joseph Sutton Date: Tue Oct 10 15:03:22 2023 +1300 s4:kdc: Adapt interface to new Heimdal revision NOTE: This commit finally works again! Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 204b1f0c12172eac0d39c7cfebd4f6d87a615ea3 Author: Andrew Bartlett Date: Fri Oct 13 11:14:55 2023 +1300 third_party/heimdal: import lorikeet-heimdal-202310092248 (commit cd12cddd8058d9fe627b5b203e471b8d761dcfbb) NOTE: THIS COMMIT WON’T
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 90ba53eee4a samba-tool: Fix for gpo restore not working without --tmpdir via 5ff80465975 libcli/security: fix talloc context for integer values (CID 1545156) via b2107889332 libcli/security: test_run_condtional_ace: va_end() on errors via 272f26e3ad0 libcli/security: conditional ACEs check again for NULL/empty claims via 6af1a71752b netcmd: auth: manpage documentation for conditional ace fields via 12a98ab4fc7 netcmd: tests: add some tests for valid and invalid SDDL in cli commands via 645b77342f4 netcmd: auth: add new SDDL fields to create and modify auth policy commands via 385029fbc67 netcmd: models: add SDDL fields to AuthenticationPolicy model via 1325e013034 netcmd: models: add SDDL model field via 83d321e764a netcmd: models: add FieldError subclass which stores the field via 950a70a190a netcmd: models: field to_db_value needs ldb param via 27cd5982085 netcmd: tests: modify auth silo cli tests setup their own test data via 2a333554594 netcmd: tests: modify auth policy cli tests setup their own test data via c01e9431276 netcmd: tests: modify claim cli tests setup their own test data via f1d5f93f3d4 netcmd: tests: test that create objects make use of addCleanup via 91fa5088b56 netcmd: tests: tests tidyup and make use of setUpTestData via 16c19c470ee netcmd: tests: make _run a classmethod in SambaToolCmdTest via 71c191ca9fc python: tests: implement setUpTestData overridable class method via f9d406dca60 netcmd: tests: bugfix: argument -U was already in creds so listed twice via 7f4db71025e netcmd: tests: avoid the need to create a random command in GetSamDB from 08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 90ba53eee4a3614da81ee562be2a55c01888c2cf Author: Kacper Date: Wed Aug 30 14:33:49 2023 +0200 samba-tool: Fix for gpo restore not working without --tmpdir cmd_restore depends on cmd_create but the latter cleans up required temp files 
for cmd_restore to function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15462 RN: Fix for gpo restore not working without --tmpdir Signed-off-by: Kacper Boström Reviewed-by: Andrew Bartlett Reviewed-by: David Mulder Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Sep 29 03:15:18 UTC 2023 on atb-devel-224 commit 5ff804659758e3aae2dc38645d7ab26cefb0c533 Author: Douglas Bagnall Date: Fri Sep 29 12:35:10 2023 +1300 libcli/security: fix talloc context for integer values (CID 1545156) Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit b2107889332135fc39c092a8d44ff5b9a0ecdcfb Author: Douglas Bagnall Date: Fri Sep 29 12:25:21 2023 +1300 libcli/security: test_run_condtional_ace: va_end() on errors CID 1545154, CID 1545155. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 272f26e3ad01a6017b52a992123106777ed3aaa3 Author: Douglas Bagnall Date: Fri Sep 29 12:24:14 2023 +1300 libcli/security: conditional ACEs check again for NULL/empty claims CID 1545152. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 6af1a71752b715120075323dbcd1326c79df7ace Author: Rob van der Linde Date: Thu Sep 21 11:41:02 2023 +1200 netcmd: auth: manpage documentation for conditional ace fields Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 12a98ab4fc7765f8b58f115f90ef399c26a2fb77 Author: Rob van der Linde Date: Thu Sep 28 15:33:18 2023 +1300 netcmd: tests: add some tests for valid and invalid SDDL in cli commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 645b77342f42a55b8693e867ec92da2ea5a3b31c Author: Rob van der Linde Date: Wed Sep 20 13:04:14 2023 +1200 netcmd: auth: add new SDDL fields to create and modify auth policy commands Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 385029fbc672cd6e3a37ff6a7ad09dc6ad1eb542 Author: Rob van der Linde Date: Wed Sep 20 13:02:21 2023 +1200 netcmd: models: add SDDL fields to AuthenticationPolicy model Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 1325e01303499b7d94e3b781bee3672c2a94f190 Author: Rob van der Linde Date: Wed Sep 20 12:52:31 2023 +1200 netcmd: models: add SDDL model field Signed-off-by: Rob van der Linde Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 08b9d5c7b9f tests/krb5: Add samba.tests.krb5.conditional_ace_tests via 0e7e46c396b tests/krb5: Add method to replace client or device claims in a PAC via 6f5368dd326 tests/krb5: Add method to replace the device SIDs in a PAC via 2d0bdb5ce92 tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs via cc1dd00d0fb tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids() via 9fb0380cb82 tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids() via 34e721030df tests/krb5: Make set_pac_sids() parameters keyword‐only via d6ec0e4f405 tests/krb5: Allow passing mapping=None to map_to_sid() via dfd2027d7e5 tests/krb5: Don’t bother regenerating the PAC if modify_pac_fn or update_pac_checksums are false via d054f583ead tests/krb5: Allow multiple ticket modification functions via 60e479d855d tests/krb5: Allow filter for tests that crash Windows via 939a74e39b0 tests/krb5: Allow variation in PADATA_PW_SALT via c33ce174547 tests/krb5: Sort imports from ad76bb2e0c6 streams_depot: Goto done if FSETXATTR SAMBA_XATTR_MARKER failed https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 08b9d5c7b9f0d25a278f46c567b3703a1f90ecc6 Author: Joseph Sutton Date: Thu Sep 28 14:10:16 2023 +1300 tests/krb5: Add samba.tests.krb5.conditional_ace_tests This is a test using conditional ACEs and claims to confirm that we understand the full end-to-end network behaviour of these all the way from the PAC to the application in the access check of the KDC. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Pair-programmed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 28 04:35:05 UTC 2023 on atb-devel-224 commit 0e7e46c396b973e5d49e0f6eb17ad30135db5c05 Author: Joseph Sutton Date: Thu Sep 28 16:13:08 2023 +1300 tests/krb5: Add method to replace client or device claims in a PAC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 6f5368dd32689019fff8071ec4601971712dd1d2 Author: Joseph Sutton Date: Thu Sep 28 16:12:46 2023 +1300 tests/krb5: Add method to replace the device SIDs in a PAC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 2d0bdb5ce92ea87f7228d6bb8918ec2fcf414af7 Author: Joseph Sutton Date: Thu Sep 28 16:09:06 2023 +1300 tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit cc1dd00d0fb89997b31dcef181fba16c3732a816 Author: Joseph Sutton Date: Thu Sep 28 16:08:25 2023 +1300 tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 9fb0380cb8239ba9421f14ce23f12c133f716eb6 Author: Joseph Sutton Date: Thu Sep 28 16:07:43 2023 +1300 tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 34e721030dffe3ffad98e1a9b7c581897c9436eb Author: Joseph Sutton Date: Thu Sep 28 16:06:01 2023 +1300 tests/krb5: Make set_pac_sids() parameters keyword‐only Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d6ec0e4f4053549193248a6b6974af993130f264 Author: Joseph Sutton Date: Thu Sep 28 16:03:09 2023 +1300 tests/krb5: Allow passing mapping=None to map_to_sid() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit dfd2027d7e57e64b7b477706ce214cfec77586bb Author: Joseph Sutton Date: Thu Sep 28 15:51:35 2023 +1300 tests/krb5: Don’t bother regenerating the PAC if modify_pac_fn or update_pac_checksums are 
false Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit d054f583ead4c4a41d235db463dc968d67039313 Author: Joseph Sutton Date: Thu Sep 28 14:52:11 2023 +1300 tests/krb5: Allow multiple ticket modification functions This means that callers can specify a stack of possible modifications. Signed-off-by: Andrew Bartlett Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 60e479d855d0e28ec27f28610d6cb1f5617bdfac Author: Joseph Sutton Date: Thu Sep 28 14:50:39 2023 +1300 tests/krb5: Allow filter for tests that crash Windows Set CRASH_WINDOWS=0 when running against a Windows DC. These crashes are only possible because we can modify the PAC, but having these tests allows us to lock down Samba behaviour, so we include them. Signed-off-by: Joseph Sutton Signed-off-by: Andrew Bartlett Reviewed-by: Andrew Bartlett commit 939a74e39b06535fa5f25a6933825366325fbc62 Author: Joseph Sutton Date: Thu Sep 28 14:49:11 2023 +1300
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via c8b90d8d200 librpc: Fix typos in error messages via 464d86cac56 pidl: Use INT_MAX as enum constant for portability via acc614f28a3 librpc: Use portable format specifiers via 267464f6c6d librpc/ndr: Use portable format specifiers via fb39bb1953e pidl: Use portable format specifiers via ce43dd0571d ndr: Display values for failed range checks via 0078a330dc3 testdata: Mark compression test data as binary via 4839adf9da1 s4:auth: Add functions to convert between different claims formats via 58aa8d99c4f s4:auth: Include missing headers via 5e164cc2d66 s4:kdc: Move encode_claims_set() into the auth_session subsystem via ab227bbe8e4 s4:auth: Fix ‘user_info_dc_out’ leak via 0a9f2486420 s4:auth: Return a talloc‐allocated resource groups structure via 219ee05d6e6 s4:auth: Introduce helper variable ‘resource_groups_in’ via 842f845c8ac s4:auth: Make returning resource groups the last thing we do via a2700cf685f s4:torture: Initialize ‘tm’ structure via 9bd9b9bfd95 s4:kdc: Fix ldb_msg_find_krb5time_ldap_time() via bdf0e1be35a s4:kdc: Initialize ‘tm’ structure via 8ce4e3729f0 s3:smbd: Initialize ‘tm’ structure via c278a1d3e1c s3:rpc_server: Initialize ‘tm’ structure via 67f3fead5fe s3:passdb: Initialize ‘tm’ structure via 955fd832534 s3:modules: Initialize ‘tm’ structure via 31c7d7cfb32 s3:lib: Initialize ‘tm’ structure via 2f6083f59f0 lib:audit_logging: Initialize ‘tm’ structure via 58bd2f525b0 lib/krb5_wrap: Simplify assignments via 0bd7863ec0f lib/krb5_wrap: Make use of smb_krb5_make_data() via 48969305595 libcli/security: Test hex‐escapes that should be literals via c755bbd6bc6 libcli/security: Fix code formatting via ac34f48ab1a libcli/security: Use ACL revision constants via 37ed208701b libcli/security: Refer to UTF‐16 code units rather than to codepoints via a064e2f2589 libcli/security: Remove unused flag SDDL_FLAG_IS_FAKE_OP via 8d4f60c8449 libcli/security: Remove unused flag SDDL_FLAG_IS_LITERAL via 55e198fc6d1 libcli/security: 
Remove unused flag SDDL_FLAG_IS_ATTR via e1a45ec341e libcli/security: Remove unused flag SDDL_FLAG_EXPECTING_END via 21f765c1b97 libcli/security: Remove unused macro via 37a32d3b40a python:tests: Remove unused import via c94db7d2e83 s4:auth: Correct error message via dc731603811 s4:torture: Use SID constants via 8b496331b9e s4:rpc_server: Use Builtin SID constant via 4bef3fd7e98 s4:ntvfs: Use World and System SID constants via 4405e709c05 s4:dsdb: Use Builtin SID constant via e6bb3a347f0 s4:auth: Use Anonymous and System SID constants via b1b7d33bd50 s4:kdc: Use Compounded Authentication and Claims Valid SID constants via 56def24b4c0 libcli:security: Add Compounded Authentication and Claims Valid SID constants via 89985f6fec2 s4:kdc: Use Asserted Identity SID constants via dcca6bba2aa s4:dsdb: Use NULL SID constant via 214f6c64621 libcli:security: Correct Asserted Identity SID definitions via 2782df62ad5 libcli:security: Use SELF SID constant via cdbb5ab7d0f libcli:security: Add SELF SID constant via 26ff87dcfea python:tests: Fix invalid escape sequences via c0795c807a0 tests/krb5: Match filter after transforming test name via 9cb3beee75c libcli/security: Emit error message if program is too large via f035985dbd2 libcli/security: Add function to convert token claims to security attribute claims via a4010c9b65f libcli/security: Add some missing declarations via 48606c8aedd libcli/security: Const‐qualify function parameters via f5568a0a5e5 libcli/security: Remove bool_value member via 40c5ed60baa libcli/security: Use correct union member via c9aab312b7f libcli/security: Add header guard from 3b6c1f1a9c4 libcli/security: condtional ACE recursive composites are not supported https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit c8b90d8d2003f2c27431874ac76bbc7f18bb7abf Author: Joseph Sutton Date: Tue May 4 15:08:53 2021 +1200 librpc: Fix typos in error messages Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew 
Bartlett Autobuild-Date(master): Wed Sep 27 03:38:00 UTC 2023 on atb-devel-224 commit 464d86cac5656c227b7cc1047f3f4b0d27340dea Author: Joseph Sutton Date: Fri Apr 23 16:37:01 2021 +1200 pidl: Use INT_MAX as enum constant for portability Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit acc614f28a39315a3d304919187dae2372fe60f9 Author: Joseph Sutton Date: Tue May 11 10:29:31 2021
[SCM] Samba Shared Repository - branch master updated
via d7c0948d1a6 libcli/security: windows-sddl-test: fix read of text examples via ee386021706 libcli/security: windows-sddl-test: fix typo in --help via 28d23377741 pytest:security_descriptors: test collected conditional ACEs via a392b40328e pytest:security descriptors: hack to capture results as json via 901f77c5436 pytest: security descriptors: test some conditional and RA ACEs via 7b9462faf05 pytest: security_descriptors: tests without revision number hack via afec8524bcd libcli/security: use sec_object_ace() in size_security_ace via b6a665cc8e8 librpc/ndr:ndr_sec_helper: fix a typo via 63be8401201 pytest: security_descriptors test for repetitive ACLs via 5569c17741f pytest: security_descriptors comparison is quieter via 829d77b4a02 s4/librpc: build conditional ace Python bindings via 295c609f5a2 lib/fuzzing: fuzz SDDL conditional ACEs via e4865a3ba15 libcli/security: test SDDL compilation in cmocka via b08093ed9d2 lbcli/security: callback object ACES fall back with no GUID via 2923898e88d libcli/security/create_descriptor: calc_inherited handles new types via 1ccb549 libcli/security: SDDL: add callback and resource ace type flags via 3959fba37a7 libcli/security: sddl_encode_ace encodes resource attribute ACEs via ed52c9ed36b libcli/security: sddl_encode_ace encodes conditional ACEs via 6683d611e14 libcli/security: sdd_decode_ace handles resource attribute types via 84fa39722fe libcli/security: sdd_decode_ace handles callback types via e88ea32c21e libcli/security: add conditional ace files to samba-security via d6bd491efcb libcli:security: add code to interpret conditional ACES via 4b8e9e3f0ca libcli:security: add functions to decode and decode RA ACEs via 969cb79daef libcli/security: add conditional ACE SDDL functions via 6f588a1fc50 libcli:security: helpers for converting claim types via 94f0a1083a4 libcli:security: outline for sddl_conditional_ace.c via 140f7466a45 libcli/security: add stub of conditional ACE code. 
via 672fc0a1abb libcli/security: find SDDL coda for RA and conditional ACEs via cdd9424e4f3 libcli/security: whitespace repair in sddl.c via a8e3f5d33f6 ndr_sec_helper: ace length should be multiple of 4 via 5e1ed7b71f0 ndr_sec_helper: ndr_size_security_ace: do less work via df8eec384fe librpc:security.idl: add conditional ace coda via e8192dddf3b libcli/sec: reformat long line in wscript_build via 40d9b08db4b librpc:security.idl: ace->coda can be resource attribute via 498c4110173 libcli/security: callback object aces are object aces via 762646b5aaa libcli/security: use tabs in sec_ace_object() via e81e98c4854 libcli/security: helper to find ACEs with meaningful codas via 41e1b6957ae libcli/security: helper to find resource attribute ACEs via 617cfa0e965 libcli/security: helper to find callback/conditional aces via 34aa33a1a4f security.idl: use sec_ace_object() in object switch via 4ef7845b570 security.idl: extend security token with device SIDs from d7394a90f51 testparm: Allow idmap ranges overlap for idmap_nss https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 3b6c1f1a9c47d8d76a7cd946468c1c42e4fb097a Author: Douglas Bagnall Date: Fri Sep 22 16:29:51 2023 +1200 libcli/security: condtional ACE recursive composites are not supported We can't add them via SDDL on Windows, and they aren't useful for claims. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Sep 27 00:41:26 UTC 2023 on atb-devel-224 commit 38247d39e1e98cab50d9911b0aa0ee4eb309114b Author: Douglas Bagnall Date: Fri Sep 22 16:31:36 2023 +1200 libcli/security: conditional ace sddl: do not read nested composites Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 96dbc71e137ea65df11d1a8cec089fde2d070ba6 Author: Douglas Bagnall Date: Fri Sep 22 16:30:41 2023 +1200 libcli/security: conditional ace sddl: do not write nested composites Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 3be69fc3dcedee77d8eacf7cf82d0f33df2d42fe Author: Douglas Bagnall Date: Fri Sep 22 15:19:32 2023 +1200 fuzzing: fuzz_sddl_parse forgives bad utf-8 Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit e4da279b1c06711c27e2aa1a4e36f35b674eaca4 Author: Douglas Bagnall Date: Thu Jul 6 15:31:52 2023 +1200 util/str: helper to check for utf-8 validity Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 65674cde60ca21d2f451f5e68f6b7cb7d1e33
[SCM] Samba Shared Repository - branch master updated
invalid escape sequence via 3fca94cd691 python:tests: Remove unused variables via fb071bc33db docs-xml: Add missing paragraph section via 30db01269c1 s4:kdc: Fix leaks via bac02f087c9 s4:kdc: Don’t operate directly on caller‐owned pointer via 2981a7f0598 s4:kdc: Allocate contents of PAC blobs on blob talloc contexts via 3387140df83 s4:kdc: Inline samba_get_requester_sid_pac_blob() via afd48f8dcde s4:kdc: Fix error message via e427b5b796e s4:kdc: Initialize pointers to NULL via acda12a7e2c s4:kdc: Correct error message via 1f4438c5a2f s4:kdc: Check return value of smb_krb5_principal_get_comp_string() via 2d929f1391c s4:kdc: Remove unused talloc context via 49b96243b52 s4:kdc: Check return value of samdb_result_dom_sid() via ba1750082ad claims.idl: Be more lenient in our expectations for the compression of claims via 571ff5f3141 claims.idl: Allow empty claim value buffers via 7ac99b197f7 s4:kdc: Make functions to add special SIDs non‐static via 1f20e557fc6 s4:kdc: Check result of talloc_realloc() via 3ef5e6554b9 s4:kdc: Handle invalid enum values via 39340f65189 s4:kdc: Check result of dom_sid_parse() via 716bf29d2d8 s4:kdc: Remove unused flags via ffbd95e6f19 s4:kdc: Use smb_krb5_data_from_blob() via 97906d275d0 s4:kdc: Remove duplicate function signature via c92fac94cd6 s4:kdc: Prefer explicit initialization to ZERO_STRUCT() via b208c8e8489 libcli:security: Prefer explicit initialization to ZERO_STRUCTP() via 9846da6f4be s4:scripting: Remove unused imports via 9f5667032c2 python:tests: Remove unused imports via 9f78cc3b11c librpc:ndr: Avoid overflow in size calculation via c86038095e3 libgpo: Remove unnecessary cast via 0bcf44c8b77 lib:tdr: Remove unnecessary cast via 74e1bb05712 lib:mscat: Remove unnecessary casts from 4af3faace48 nsswitch/wb_common.c: fix socket fd and memory leaks of global state https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 96e18e17748d851fc785178fdcc3e38ddeea2fe0 Author: Andreas Schneider Date: Tue Sep 5 10:06:24 2023 
+0200 s3:param: Remove unused lp_set_cmdline() Signed-off-by: Andreas Schneider Reviewed-by: Pavel Kalugin Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 14 22:30:06 UTC 2023 on atb-devel-224 commit c839a25d2cf1e9d7d232687ce9cfa3caaa6cc93e Author: Andreas Schneider Date: Wed Aug 2 09:23:44 2023 +0200 s3:client: Use lpcfg_set_cmdline() This lp_set_cmdline() leaks memory and we want to get rid of it. Signed-off-by: Andreas Schneider Reviewed-by: Pavel Kalugin Reviewed-by: Andrew Bartlett commit f7a06f3a5db2694b0bb3f44b019a70e595e6a8af Author: Pavel Kalugin Date: Sun Sep 3 23:21:35 2023 +0300 s3:libsmb: Use lpcfg_set_cmdline() Signed-off-by: Pavel Kalugin Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 04d20c3aebd229ba6150950ad46356189b3384bb Author: Pavel Kalugin Date: Sun Aug 20 23:50:38 2023 +0300 s3:netapi: Fix a leak in libnetapi_net_init() Allow libnetapi_net_init() to be called more than once without leaking libnetapi_ctx allocated on a previous call, which is currently the case in the `net rpc` code. Signed-off-by: Pavel Kalugin Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 9b6246737b98a3f84d3f6aa54296d5a60477e4ef Author: Pavel Kalugin Date: Sun Aug 20 23:06:56 2023 +0300 libnetapi: Use lpcfg_set_cmdline() Replace lp_set_cmdline() with lpcfg_set_cmdline() in netapi.c. For this purpose: 1. Add loadparm_context to the libnetapi_ctx because we need it in libnetapi_set_debuglevel() and libnetapi_set_logfile(). 2. Move loadparm_context creation from libnetapi_net_init() to libnetapi_init() and add the lp_ctx parameter to the former. 
Signed-off-by: Pavel Kalugin Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit ea59632b3a704f883dfafa709d1eb2f729d71e9b Author: Pavel Kalugin Date: Mon Aug 14 06:57:27 2023 +0300 s3:utils: Use lpcfg_set_cmdline() in smbpasswd Signed-off-by: Pavel Kalugin Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 6f00a088266d71f1ee94ee3c78ca695edc457467 Author: Pavel Kalugin Date: Mon Aug 14 06:01:28 2023 +0300 s3:torture: Use lpcfg_set_cmdline() Signed-off-by: Pavel Kalugin Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit b6e4643274dcdb58ca1706ba6cfd512ef0c31974 Author: Pavel Kalugin Date: Mon Aug 14 04:37:16 2023 +0300 s3:notifyd: Use lpcfg_set_cmdline() Signed-off-by: Pavel Kalugin
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 65b2110937c auth:credentials: Check if password_obtained > obtained via 8cdb4f29850 netapi: Pass net's cmdline credentials to libnetapi_net_init() via 5cad8278109 netapi: Pass loadparm_context to libnetapi_net_init() via da841a80e3b s3:rpc: bump named_pipe_auth_req_info version number via a842c14dc8a .gitlab-ci.yml: Move coverity build to internal Heimdal via ebdaaf92238 s4:wrepl_server: Fix code spelling via 39a88a83f3d s4:torture: Fix code spelling via 882a4674c0e s4:samba: Fix code spelling via 36ccc9cf26b s4:rpc_server: Fix code spelling via b1e2315528d s4:ntvfs: Fix code spelling via 1bb5cfef875 s4:libnet: Fix code spelling via 0cef5dafdc4 s4:libcli: Fix code spelling via 0834b30921d s4:kdc: Fix code spelling via 65c26c0b725 s4:dsdb: Fix code spelling via 8a93a4fa6c0 s4:dns_server: Fix code spelling via 20ab21e698f s4:client: Fix code spelling via 354eff14eb2 s4:auth: Fix code spelling via 4e74350fbbd s3:winbindd: Fix code spelling via c6c1b55ac4e s3:utils: Fix code spelling via b60f86a0b8c s3:smbd: Fix code spelling via 72e79e13095 s3:rpc_server: Fix code spelling via 32a1e7428c7 s3:rpc_client: Fix code spelling via c4a02d8ee14 s3:registry: Fix code spelling via 47dcdb31263 s3:nmbd: Fix code spelling via bbd9fabf5f5 s3:librpc: Fix code spelling via d7331a68215 s3:libnet: Fix code spelling via 06816117efa s3:libads: Fix code spelling via 2a4d35edee1 s3:lib: Fix code spelling via 9e2a93d54b3 s3:auth: Fix code spelling via 26fd734d566 selftest: Fix code spelling via bb79de4cbe9 python:tests: Fix code spelling via c87504289f5 pidl: Fix code spelling via df24eced484 librpc: Fix code spelling via 5292c774a57 libgpo: Fix code spelling via 87749b5518e libcli: Fix code spelling via dd2b568721d lib:charset: Fix code spelling via 6a303be56c1 tevent: Fix code spelling via 53caec3c36b tdb: Fix code spelling via 9d699895adc lib:printer_driver: Fix code spelling via 5fbbf9b9ba1 ldb: Fix code spelling via 7d9edb82c47 lib:krb5_wrap: Fix 
spelling in documentation via 74580daac96 lib:crypto: Fix code spelling via 1c35195ff76 lib:compression: Fix code spelling via f6ff6f7cdf8 docs-xml: Fix spelling via c62491473a5 ctdb: Fix code spelling via e69ba9a0a38 auth: Fix code spelling via f51efc4008d Makefile: Fix spelling from ebb6eb9c2fc libsmb: Fix parsing symlink reparse points https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 65b2110937c4b97be4030ecb49aa0801fc940bf8 Author: Samuel Cabrero Date: Thu Sep 7 14:51:15 2023 +0200 auth:credentials: Check if password_obtained > obtained Fixes reading the password from STDIN or environment vars if it was already given in the command line: $ export PASSWD_FD=0 $ ./bin/net offlinejoin composeodj <...> --password=FOO Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Sep 11 03:36:28 UTC 2023 on atb-devel-224 commit 8cdb4f2985075b12201d3295f640bddcfbfe5962 Author: Samuel Cabrero Date: Thu Sep 7 14:53:22 2023 +0200 netapi: Pass net's cmdline credentials to libnetapi_net_init() Avoid unnecessary credentials allocation and initialization by passing the net's cmdline creds to libnetapi_net_init() directly. Fixes the problem of running cli_credentials_guess() (which runs password callbacks) twice, one for the net's cmdline creds and a second time for the creds initialized in libnetapi_net_init(), just to override them immediately after. Example: $ export PASSWD_FD=0 $ ./bin/net offlinejoin composeodj <...> foo bar Password is read from STDIN twice. Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit 5cad827810975084f061f56548006fdd2d15dc7b Author: Samuel Cabrero Date: Thu Sep 7 14:34:36 2023 +0200 netapi: Pass loadparm_context to libnetapi_net_init() The net's tool cmdline lp_ctx can be reused, no need to init a new one except for external library users. 
Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit da841a80e3b9a3560488c3ddcb0b366b33eb14c1 Author: Douglas Bagnall Date: Fri Sep 8 09:35:51 2023 +1200 s3:rpc: bump named_pipe_auth_req_info version number This is because commit f893cf85cc387b66c496661e11073b1215270022 changed the security token in security.idl, and bumping the version was missed. Signed-off-b
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f893cf85cc3 security.idl: extend security token for claims via 7f57b5ed5b6 librpc:security.idl: add Resource Attribute claim types via 0d6c7bea422 librpc:security.idl: add enums for resource attribute aces via 895893478eb libcli:sec:display: use macro for more ace types via 601d60e3915 libcli:sec:display: print callback ace types via 416f6ef7262 librpc:security.idl: add more ACE enum types, with annotations via a84e89aa712 libcli/security: create_descriptor handles unknown ACE types via 676a7152d14 librpc/idl: add conditional ACE structures and constants via 2bf404eb5a9 libcli/security: make sddl_encode_sid an external function via 6d012757a07 libcli/security: make sddl_decode_sid an external function via 1de2af9f30a pytests:security: don't use invalid domain SID S-2-0-0 via a420aa919cc s4:samdb: Avoid memory leaks in partition_metadata_get_uint64() from 3fc35827569 smb2_server: move struct msghdr to smbd_smb2_send_queue https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f893cf85cc387b66c496661e11073b1215270022 Author: Douglas Bagnall Date: Wed Aug 23 12:04:29 2023 +1200 security.idl: extend security token for claims A security token contains the context needed to make access decisions for a particular client, which has until now been a number of SIDs and flags. Claims are arbitrary attributes that can be tacked onto the security token. Typically they will arrive via a Kerberos PAC, but we don't need to worry about that now -- only that they are stored on the token. The security token in [MS-DTYP] 2.5.2 is described in abstract terms (it is not transmitted on the wire) as behaving *as if* it held claims in three arrays of CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 structures. We take that suggestion literally. This is *almost* the same as storing the [MS-ADTS] 2.2.18 claims wire structures that the claims are presumably derived from, and doing that might seem like a small optimisation. 
But we don't do that because of subtle differences and we already need CLAIM_SECURITY_ATTRIBUTE_RELATIVE_V1 in security.idl for resource attribute ACEs. The three stored claim types are user claims, device claims, and local claims. Local claims relate to local Windows accounts and are unlikely to occur in Samba. Nevertheless we have the array there just in case. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Sep 7 05:50:24 UTC 2023 on atb-devel-224 commit 7f57b5ed5b6300ed631033cff4f49a4e0cae5573 Author: Douglas Bagnall Date: Wed Aug 23 12:03:53 2023 +1200 librpc:security.idl: add Resource Attribute claim types This will be used in Resource Attribute ACEs, and in security tokens when security tokens become claim-aware. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 0d6c7bea4227b88328c407f630bc638909c3f036 Author: Douglas Bagnall Date: Thu Jul 13 21:31:50 2023 +1200 librpc:security.idl: add enums for resource attribute aces Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 895893478ebd71708477b49ca1102515fc512d8f Author: Douglas Bagnall Date: Wed Sep 6 09:36:45 2023 +1200 libcli:sec:display: use macro for more ace types Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 601d60e391598f9115abce947e06820a1e72cb34 Author: Douglas Bagnall Date: Wed Dec 14 10:56:42 2022 +1300 libcli:sec:display: print callback ace types Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 416f6ef72626bfc5619f2a17b8eb551e5e30602e Author: Douglas Bagnall Date: Fri Dec 2 12:44:54 2022 +1300 librpc:security.idl: add more ACE enum types, with annotations The callback types are used for conditional ACEs. The others are just there and we might as well know them. Several ACE types are "reserved for future use" by Microsoft. 
Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit a84e89aa712bfb0ed2b0ba64d98dc919193d8055 Author: Douglas Bagnall Date: Fri Jul 21 14:36:20 2023 +1200 libcli/security: create_descriptor handles unknown ACE types Because we're going to add more ACE types. Signed-off-by: Douglas Bagnall Reviewed-by: Andrew Bartlett commit 676a7152d141ca576fe2f0a75bc9c3e3ad197481 Author: Douglas Bagnall Date: Thu Feb 9 10:44:46 2023 +1300 librpc/idl: add conditional ACE structures and constants This will be used to decode the expressions on conditional ACEs. At the moment it changes nothing.
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f3c632e74ba testprogs: Add net offlinejoin composeodj tests via e92e4b95442 testprogs: Cleanup machine account in net offlinejoin tests via c14a4f51443 s3:net: Allow to load ODJ blob from stdin via b2399b6994c s3:net: Load ODJ blob from file only if "loadfile" parameter is present via 4a1f2071a60 s3:net: Add "net offlinejoin composeodj" command via a8bd8f22aac s3:libnetapi: Implement NetComposeOfflineDomainJoin_l() via 7cabbec2eaf s3:libnetapi: Add NetComposeOfflineDomainJoin() to API. via 532701e3cce s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate via 740e704bd68 s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL via bdab834dfad s3:libnetapi: Add some comments to document ODJ blob charset conversions via e4afb211fe3 s3:libnetapi: Return error from RequestOfflineJoin via d3f3c40141d pidl/tests: Add tests for hang with nested struct. via 3f3fccab05d pidl/lib: Add recursion detection logic to prevent looping. from 171171565f1 .gitlab-ci: Do builds under /builds as this is never an overlayfs https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f3c632e74ba100b455eeac66e8914b11d1d9b0a0 Author: Samuel Cabrero Date: Mon Sep 4 16:49:52 2023 +0200 testprogs: Add net offlinejoin composeodj tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Sep 5 22:11:46 UTC 2023 on atb-devel-224 commit e92e4b9544231c15eaf0bdbba4505345cd0f6ab5 Author: Samuel Cabrero Date: Mon Sep 4 16:18:35 2023 +0200 testprogs: Cleanup machine account in net offlinejoin tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit c14a4f51443f67bc46a670a342eed8cb9e81f37d Author: Samuel Cabrero Date: Wed Aug 30 20:53:18 2023 +0200 s3:net: Allow to load ODJ blob from stdin BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: 
Samuel Cabrero Reviewed-by: Andrew Bartlett commit b2399b6994c89404f245e1a97ba1c1cf13d7fc86 Author: Samuel Cabrero Date: Wed Aug 30 20:25:17 2023 +0200 s3:net: Load ODJ blob from file only if "loadfile" parameter is present BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit 4a1f2071a6028a761bbe7efee20e9654851b51f0 Author: Samuel Cabrero Date: Thu Aug 31 12:46:52 2023 +0200 s3:net: Add "net offlinejoin composeodj" command BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit a8bd8f22aac2c223e85e318dba7af8b64052b053 Author: Samuel Cabrero Date: Thu Aug 31 12:45:42 2023 +0200 s3:libnetapi: Implement NetComposeOfflineDomainJoin_l() BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit 7cabbec2eaf5aefd3751c635c12556eca590f506 Author: Samuel Cabrero Date: Thu Aug 31 12:44:26 2023 +0200 s3:libnetapi: Add NetComposeOfflineDomainJoin() to API. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit 532701e3cce9d15e95166ee7c24cd1e4af51fcc4 Author: Samuel Cabrero Date: Thu Aug 31 12:43:22 2023 +0200 s3:libnetapi: Add NetComposeOfflineDomainJoin() boilerplate BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit 740e704bd68a6b618b62336ba1583c0edeb82d6f Author: Samuel Cabrero Date: Thu Aug 31 12:39:04 2023 +0200 s3:libnetapi: Add NetComposeOfflineDomainJoin() to IDL BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit bdab834dfad55776155915f7ec410b5a192406fa Author: Samuel Cabrero Date: Mon Sep 4 10:47:06 2023 +0200 s3:libnetapi: Add some comments to document ODJ blob charset conversions BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit e4afb211fe32f2aa92cc903df948874046f60305 Author: Samuel Cabrero Date: Wed Aug 30 19:59:04 2023 +0200 s3:libnetapi: Return error from RequestOfflineJoin The error code must be returned to caller even if the error string is not set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13577 Signed-off-by: Samuel Cabrero Reviewed-by: Andrew Bartlett commit d3f3c40141d9d
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 70dea37d063 wscript: Refer to correct ConfigSet variable via 54ebd103c85 wscript: Remove semicolons via 8f430492c8e wscript: Remove unused imports via c6d0323bf15 wscript: Use ‘is’ to compare with singletons via b5cc15fdf16 wscript: Remove unused variable via 752a1c409e0 third_party/heimdal_build: Use ‘is’ to compare with singletons via a6c442acea1 third_party/heimdal_build: Remove semicolons via dfe25969f31 third_party/heimdal_build: Remove unused imports via 0898329b8d7 selftest: Don’t use invalid escape sequences via 0fe4a12b3f3 selftest: Remove star imports via 6db02afab81 selftest: Remove unused imports via 3c7ef6d0415 s4:dsdb:tests: Fix usage lines via fec8d228ad1 s4:dsdb:tests: Remove unused imports via 6e20afeb42a s4:dsdb:tests: Fix spelling via 357b520b37f tests/krb5: Have modified_ticket() not modify its arguments via b4a2e64110f tests/krb5: Add KerberosCredentials.get_rid() via 7b4b03e5e79 tests/krb5: Re-raise any LdbError other than ERR_ENTRY_ALREADY_EXISTS via 3f01cf91699 tests/krb5: Correctly assert that we found a LOGON_INFO PAC buffer via 04cdb13c080 tests/krb5: Remove local variable via 1def8f04f34 tests/krb5: Move KDC TGT tests to new file via e390e674ecb tests/krb5: Remove test of pre-1.20 MIT Kerberos behaviour via 2b566979acf gp: Use read_file() instead of readfp() via 34042677b7d gp: Fix resource leaks via 928f2bbc6b5 gp: Use assertEqual() instead of assertEquals() via 953bc91851c gp: Check correct variables via 036a523e516 gp: Prefer ‘x not in y’ to ‘not x in y’ via 94afa3b1946 gp: Don’t shadow imports via 5755b4a4905 gp: Add missing import via de04333b4d5 pytest/dns_aging: Assert that the name of the node to search for is a string via 472d80c1c9f pytest/dns_aging: Correctly check that record is tombstoned via 8e5c998b1d3 pytest/dns_aging: Check value of ‘dtime’ via d3bc6faa7a5 python:tests: Rename test method so as not to mask previously-defined method via bbd0e35f11f python:tests: Complete assertion 
messages via c4e0d4fbd17 python:tests: Fix usage line via 83230577ece python: Fix reference to undefined name ‘samba’ via 5c5045eeb44 samba-tool: Remove useless return via b076cad4b26 python:join: Fix references to undefined variables via b068592dd0d python: Fix invalid escape sequences via 12f1c7825db python: Remove redundant backslashes via fce882ab671 python: Remove unused imports via 6c6db88ddac python: Fix spelling via 5de640fc581 ldb: Heed return code from Python testsuite via b440732e7fc ldb: Remove unused import via e4ab1de4e41 lib:ldb:tests: Remove explicit comparison with False via 84dc7129ead buildtools: Properly set global variable via 8d61d3f8e02 buildtools: Prefer ‘x not in y’ to ‘not x in y’ via 6df81630af8 buildtools: Use ‘is’ to compare with singletons via 94f46f0cbbc buildtools: Fix comments and documentation via 6668d213e77 pyldb: Fix leaks via 5e9187baf92 pyldb: Check return values of Python functions via e5794b8c8a6 pyldb: Check return values of talloc functions via 93d37f8bfca pyldb: Check whether Python object is a list from 7dc181757c7 gp: Send list of keys instead of dict to remove https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 70dea37d063fea3e72f5a04c29e6bbd5e11d20b0 Author: Joseph Sutton Date: Tue Aug 29 12:18:27 2023 +1200 wscript: Refer to correct ConfigSet variable LIB_GSSAPI appears to be an error of copy-and-pasting. 
Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed Aug 30 03:15:05 UTC 2023 on atb-devel-224 commit 54ebd103c859333e96c1b609ada42de52029b18a Author: Joseph Sutton Date: Tue Aug 29 12:15:19 2023 +1200 wscript: Remove semicolons Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 8f430492c8e92a542d0d3a92bb82d1f7e1bb105c Author: Joseph Sutton Date: Tue Aug 29 12:14:45 2023 +1200 wscript: Remove unused imports Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c6d0323bf1535f41d11a1df3561128cdd84e6848 Author: Joseph Sutton Date: Tue Aug 29 12:11:39 2023 +1200 wscript: Use ‘is’ to compare with singletons Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit b5cc15fdf16dbfa64b6808dca5c0ac6701f1a553 Author: Joseph Sutton Date: Tue Aug 29 12:11:08 2023 +1200 wscript: Remove unused variable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 7dc181757c7 gp: Send list of keys instead of dict to remove via ee814f7707a gp: Test disabled enrollment unapplies policy via 2a6ae997f24 gp: Template changes should invalidate cache via 2d6943a8644 gp: Test adding new cert templates enforces changes via 157335ee93e gp: Convert CA certificates to base64 via 1ef722cf66f gp: Test with binary content for certificate data via bce3a892045 gp: Change root cert extension suffix via fa80d1d8643 gp: Support update-ca-trust helper via a1b285e485c gp: Support more global trust directories via 776597bce92 samba-tool: Allow LDB URL to be None via 8e7a62b6ffa waf: Build nmbd with -Wno-error=stringop-overflow from c7672779128 util: Avoid logging to multiple backends for stdout/stderr https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a Author: Gabriel Nagy Date: Wed Aug 16 12:33:59 2023 +0300 gp: Send list of keys instead of dict to remove `cache_get_all_attribute_values` returns a dict whereas we need to pass a list of keys to `remove`. These will be interpolated in the gpdb search. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224 commit ee814f7707a8ddef2657212cd6d31799501b7bb3 Author: Gabriel Nagy Date: Fri Aug 18 17:26:59 2023 +0300 gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1 Author: Gabriel Nagy Date: Wed Aug 16 12:37:17 2023 +0300 gp: Template changes should invalidate cache If certificate templates are added or removed, the autoenroll extension should react to this and reapply the policy. Previously this wasn't taken into account. 
Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit 2d6943a864405f324c467e8c3464c31ac08457b0 Author: Gabriel Nagy Date: Fri Aug 18 17:16:23 2023 +0300 gp: Test adding new cert templates enforces changes Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit 157335ee93eb866f9b6a47486a5668d6e76aced5 Author: Gabriel Nagy Date: Wed Aug 16 12:20:11 2023 +0300 gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting to a string fails with the following: 'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte We found a fix to be encoding the certificate to base64 when constructing the CA list. Section 4.4.5.2 of MS-CAESO also suggests that the content of `cACertificate` is binary (OCTET string). Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70 Author: Gabriel Nagy Date: Fri Aug 18 17:06:43 2023 +0300 gp: Test with binary content for certificate data This fails all GPO-related tests that call `gpupdate --rsop`. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit bce3a89204545dcab5fb39a712590f6e166f997b Author: Gabriel Nagy Date: Fri Aug 11 18:46:42 2023 +0300 gp: Change root cert extension suffix On Ubuntu, certificates must end in '.crt' in order to be considered by the `update-ca-certificates` helper. Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit fa80d1d86439749c44e60cf9075e84dc9ed3c268 Author: Gabriel Nagy Date: Thu Aug 17 01:09:28 2023 +0300 gp: Support update-ca-trust helper This is used on RHEL/Fedora instead of update-ca-certificates. They behave similarly so it's enough to change the command name. 
Signed-off-by: Gabriel Nagy Reviewed-by: Joseph Sutton Reviewed-by: David Mulder commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f Author: Gabriel Nagy Date: Thu Aug 17 01:05:54 2023 +0300 gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). To determine the correct directory to use
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via aba7eb094b9 selftest: Report time at which testsuite starts via fc41a35a9bd selftest: Fix subunit reporting the time incorrectly via cbc0ff187a0 selftest: Remove leftover from debugging via 7ce6e3c9cac selftest: Remove unused variable via c2126e08f47 selftest: Remove semicolon via 892c1b0a0c9 s4:torture: Fix code spelling via 783f09cc37f s4:smb_server: Fix code spelling via 4b03aabe451 s4:kdc: Use smb_krb5_make_data() via 6d2c7c45ca4 s4:kdc: Use ‘krb5_error_code’ for return types via 9166d01b19f s4:kdc: Set SAMBA_KDC_FLAG_PROTOCOL_TRANSITION flag for MIT Kerberos via bbfa98ec05c s4:kdc: Remove support code for older versions of MIT Kerberos via 6b580f73688 s4:kdc: Do not panic if authsam_logon_success_accounting() fails via 448cc122a8f s3:rpc_server: Remove unnecessary cast via b3c47b65836 s3:libnet: Fix reference to incorrect function names via 4004ded906d s3:libnet: Remove unnecessary cast via 683dab11024 python:tests: Save files with intended contents via 2d6b10da225 python:tests: Fix spelling via 981c3413893 python:tests: Reuse policies and silos created by setUp() across all tests via f71893c1a3e python:tests: Reuse claims created by setUp() across all tests via a985873c46f python:tests: Make getSamDB() a static method via b7e00680102 python:subunit: Use ‘is’ to compare variables with singletons via c052b17556b python:subunit: Fix docstring via 859bbef4722 python:netcmd: Remove semicolon via d40293e0df5 python:netcmd: Add missing newlines to error messages via a836b433ed7 pidl: Use non-existent function dissect_ndr_int64() via d5cbb542d0f librpc:ndr: Use portable integer types via 593a7fb6382 libcli/auth: Remove unnecessary casts via d608dc175e0 lib:krb5_wrap: Fix references to incorrect function names via 02b546778f0 lib:krb5_wrap: Fix code spelling from 37fdd79cc0b tests/krb5: Remove incorrect comments https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit aba7eb094b978f69a632ec6e9080d55b788c9001 Author: 
Joseph Sutton Date: Thu Aug 17 13:29:41 2023 +1200 selftest: Report time at which testsuite starts With no call to report_time() preceding it, PlainFormatter.start_testsuite() would always claim that no time had elapsed prior to the first testsuite starting to run. This gave a misleading impression of the time spent running the first testsuite. Now the time will be consistent with that reported for subsequent testsuites, and will properly include any time that test environments took to start up. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Tue Aug 22 00:36:52 UTC 2023 on atb-devel-224 commit fc41a35a9bd8706d8a3770a2b8f1467cd00452b8 Author: Joseph Sutton Date: Thu Aug 17 12:46:17 2023 +1200 selftest: Fix subunit reporting the time incorrectly Although report_time() would output the time in UTC, it neglected to specify the timezone offset. Thus subunithelper.parse_results() would interpret the time string it was given as being in local time. TestProtocolClient.time() then converted that *back* into UTC, giving an incorrect result (unless UTC is your local timezone). Fix this by having report_time() indicate that the time zone is UTC. 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15162 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit cbc0ff187a0cc54dddfe60235a555676a546cc6f Author: Joseph Sutton Date: Thu Aug 17 13:42:47 2023 +1200 selftest: Remove leftover from debugging Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 7ce6e3c9cac1653579d7f4efdfca76491c1fa5e7 Author: Joseph Sutton Date: Wed Aug 16 15:20:48 2023 +1200 selftest: Remove unused variable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit c2126e08f4764da3d1033ec72f704e7abe54ba67 Author: Joseph Sutton Date: Wed Aug 16 15:19:05 2023 +1200 selftest: Remove semicolon Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 892c1b0a0c97e09a553a4084a1819827a437126a Author: Joseph Sutton Date: Wed Aug 2 14:52:13 2023 +1200 s4:torture: Fix code spelling Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 783f09cc37fcd4ec31ca6ba7d268f8aa11ea832b Author: Joseph Sutton Date: Tue Aug 1 15:52:07 2023 +1200 s4:smb_server: Fix code spelling Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett commit 4b03aabe451bae6bbeadcaaf8c2ff62041511ca3 Author: Joseph Sutton Date: Wed Aug 16 15:57:53
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 61d97ebf7d4 gitlab-ci: Add running codespell via e54939c8453 scripts: Add codespell check via 45e17b70004 wintest: Fix code spelling via be56ec0a6b9 tests: Fix code spelling via a7ed7405af9 testprogs: Fix code spelling via 5f024d57b31 s4:wrepl_server: Fix code spelling via dbfc239f5b5 s4:wrepl_server: Remove trailing white spaces via 920ffe5dc9a s4:torture: Fix code spelling via 0d241305b4e s4:torture:smb2: Fix code spelling via 085cfe0c4a3 s4:torture:rpc: Fix code spelling via ff2f813b68c s4:torture:raw: Fix code spelling via 428c1556460 s4:torture:nbt: Fix code spelling via c4ed99a2231 s4:torture:nbench: Fix code spelling via 664f69617df s4:torture:libnetapi: Fix code spelling via faa06e5ed21 s4:torture:ldb: Fix code spelling via 1c4e84fd2a0 s4:torture:ldap: Fix code spelling via 3f023d74143 s4:torture:ldap: Remove trailing white spaces via 56fdc3c5882 s4:torture:krb5: Fix code spelling via e2c952cfea0 s4:torture:dns: Fix code spelling via 5850ea63386 s4:torture:basic: Fix code spelling via 69b7876965a s4:torture:drs: Fix code spelling via 3dd7625ab97 s4:torture:dfs: Fix code spelling via 5dd07a44a24 s4:torture:auth: Fix code spelling via e1da1fc9d97 s4:smb_server: Fix code spelling via 5a0201e8b48 s4:setup: Fix code spelling via 541f4d08a36 s3:ldap_server: Fix code spelling via 9ebd645e63f s4:selftest: Fix code spelling via 9c13765f2d9 s4:scripting: Fix code spelling via ee1bc66e025 s4:samba: Fix code spelling via 8d85b9987ee s4:rpc_server: Fix code spelling via 6427dafe702 s4:ntvfs: Fix code spelling via 42f094afde1 s4:librpc: Fix code spelling via 37664f4ce7d s4:libnet: Fix code spelling via 950f0b47d94 s4:libcli: Fix code spelling via a749d885f3a s4:libcli: Remove trailing white spaces via 783eff3f76d s4:lib: Fix code spelling from 42e4691cf55 audit_logging: Simplify json_add_stringn() with json_stringn() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 61d97ebf7d4c46b1a0946634b6e3fe69f44dd01c
Author: Andreas Schneider Date: Wed Mar 22 10:15:54 2023 +0100 gitlab-ci: Add running codespell Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Aug 14 22:44:58 UTC 2023 on atb-devel-224 commit e54939c8453c518ec121f02912d95c9143e6bd3f Author: Andreas Schneider Date: Tue Mar 14 08:51:03 2023 +0100 scripts: Add codespell check Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 45e17b700049f6672149b14216a30818df2bd4b7 Author: Andreas Schneider Date: Thu Aug 3 15:50:30 2023 +0200 wintest: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit be56ec0a6b9b8ed07416c3f1f2805f4c6622b9da Author: Andreas Schneider Date: Thu Aug 3 15:50:07 2023 +0200 tests: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit a7ed7405af938e757d895464028345a1b669ccfb Author: Andreas Schneider Date: Thu Aug 3 15:49:45 2023 +0200 testprogs: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 5f024d57b313d608660aac240500796dd2dc7eb0 Author: Andreas Schneider Date: Thu Aug 3 15:48:16 2023 +0200 s4:wrepl_server: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit dbfc239f5b51e9142d96d3d2e34ba10b630385b0 Author: Andreas Schneider Date: Thu Aug 3 15:49:06 2023 +0200 s4:wrepl_server: Remove trailing white spaces Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 920ffe5dc9a2a12f9bacd9c7eb2ce629207c4863 Author: Andreas Schneider Date: Thu Aug 3 15:46:43 2023 +0200 s4:torture: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 0d241305b4e445a543375a93f0f5485a1ad0ae34 Author: Andreas Schneider Date: Thu Aug 3 15:45:39 2023 +0200 s4:torture:smb2: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 085cfe0c4a3b9ec8a9d37d7f29ad6ae4950e63ee Author: Andreas Schneider Date: Thu Aug 3 15:45:20 
2023 +0200 s4:torture:rpc: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit ff2f813b68ca3db3b73df5d62c9181b844d05c17 Author: Andreas Schneider Date: Thu Aug 3 15:45:05 2023 +0200 s4:torture:raw: Fix code spelling Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett commit 428c15564600dc45da2649e74497f7421b5849b0
[SCM] Samba Shared Repository - branch master updated
Use portable format specifier
       via  329bfe47d9e auth: Remove unnecessary casts
      from  57672e45e36 bootstrap: Install codespell

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit c01c206d7652e5bc5d4134f786522a17729de403
Author: Joseph Sutton
Date:   Fri Aug 11 10:54:52 2023 +1200

    s4:kdc: Add get_claims_set_for_principal()

    Add a new function, get_claims_set_for_principal(), that returns the
    claims as a CLAIMS_SET structure rather than as a blob.

    To accommodate this, move the call to encode_claims_set() out of
    get_all_claims() and into get_claims_blob_for_principal().

    Being able to get the unencoded claims will save us from having to
    decode claims that we just needlessly encoded.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett
    Autobuild-Date(master): Mon Aug 14 05:51:45 UTC 2023 on atb-devel-224

commit 21e0c2589549daba3b0b211641c23ed0039adc30
Author: Joseph Sutton
Date:   Fri Aug 11 12:21:16 2023 +1200

    s4:kdc: Rename ‘claims_blob’ parameter to ‘claims_blob_out’

    Just to make perfectly clear that it is an out parameter.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 504a36f3208e020e6959f272b472ce2b9366141e
Author: Joseph Sutton
Date:   Fri Aug 11 12:20:09 2023 +1200

    s4:kdc: Rename get_claims_for_principal() to get_claims_blob_for_principal()

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit e6b78ef7f7ef2d9fc16aee3f7edfc31163fdf284
Author: Joseph Sutton
Date:   Fri Aug 11 12:15:05 2023 +1200

    s4:kdc: Ensure that we don’t dereference a NULL pointer

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 58371c33e924ecb793f71871712025424f3e80b5
Author: Joseph Sutton
Date:   Fri Aug 11 12:10:46 2023 +1200

    s4:kdc: Properly allocate claims set on a talloc context

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c6cd6b25ff1edf6b1983916087bef227ecb1a3cf
Author: Joseph Sutton
Date:   Fri Aug 11 12:06:00 2023 +1200

    s4:kdc: Remove ldb_context parameter as being no longer needed

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 78fc6fbb61c40efe6cd20b83270acb11348eb5aa
Author: Joseph Sutton
Date:   Fri Aug 11 12:04:02 2023 +1200

    s4:kdc: Have encode_claims_set return NTSTATUS

    This change will simplify things later. Probably.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 365455b6a14b1f1e7e0b831ae28bb7996b5138a6
Author: Joseph Sutton
Date:   Fri Aug 11 10:36:04 2023 +1200

    s4:dsdb: Check for overflow in security_token_create()

    Overflow is unlikely ever to occur, but you never know.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 479ebdd041a0992e443f0590822eb57c8063157d
Author: Joseph Sutton
Date:   Fri Aug 11 10:35:43 2023 +1200

    s4:dsdb: Make ‘sids’ parameter const

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 37c8c3432860f08f4324f3072d3804056a3db809
Author: Joseph Sutton
Date:   Fri Aug 11 10:34:47 2023 +1200

    s4:dsdb: Use uint32_t for ‘num_sids’

    This matches the use of uint32_t for security_token::num_sids.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit c1061ae8a7b99175ac13612f86156717f8c73284
Author: Joseph Sutton
Date:   Fri Aug 11 10:25:08 2023 +1200

    s4:kdc: Free error message returned by krb5_get_error_message()

    Also check whether the message is NULL. Passing NULL to vasprintf() is
    undefined behaviour.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 9d485b262a57439dfba6deff5e8c4fb7023a5d1f
Author: Joseph Sutton
Date:   Fri Aug 11 10:23:10 2023 +1200

    s4:kdc: Use common out path in mit_samba_kpasswd_change_password()

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit ab098c24314eb2b0745f71af62d8c396e5f8e8bf
Author: Joseph Sutton
Date:   Fri Aug 11 10:21:07 2023 +1200

    s4:kdc: Inline samba_get_claims_blob()

    Wrapping a function this simple doesn’t gain us very much.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 63f798442ce48c0b35ada165a1421f6ae7f0a640
Author: Joseph Sutton
Date:   Fri Aug 11 10:15:56 2023 +1200

    s4:kdc: Don’t enforce a server authentication policy for the krbtgt

    As the server authentication policy will be non-NULL only for entries
    looked up as servers, the krbtgt shouldn’t have an authentication policy
    anyway. But we might as well be explicit.

    Signed-off-by: Joseph Sutton
    Reviewed-by: Andrew Bartlett

commit 914f1700991cca15fe9fd3d9e3174b044963049c
Author: Joseph Sutton
Date:   Fri Aug 11 10:13:38 2023 +1200

    s4:kdc: Switch to using samdb_result