Andrew Bartlett [Tue, 5 Dec 2023 23:38:54 +0000 (12:38 +1300)]
samba-tool domain backup: Use new ldb.disconnect() method to force-close files during backup
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Tue, 19 Mar 2024 22:31:23 +0000 (11:31 +1300)]
ldb:pytests: test ldb.connect() works after .disconnect()
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 5 Dec 2023 22:18:27 +0000 (11:18 +1300)]
pyldb: Add ldb.disconnect() method to ensure DB handles are closed
This is vital in our backup code, which needs to actually close the
LMDB at the correct point.
The Python ldb object itself is left in more or less the same state as
one that has not connected to a server or database (it is a very
simple wrapper in itself), and can be reconnected using the .connect()
method.
Pair-programmed-with: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Tue, 7 Nov 2023 21:43:38 +0000 (10:43 +1300)]
pyldb: Include a reference to the Ldb in objects that use
This will help avoid use-after-free of the internally cached ldb within
struct ldb_dn by ensuring that it lives as long.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andrew Bartlett [Sun, 3 Dec 2023 23:00:12 +0000 (12:00 +1300)]
selftest: Add tests that demonstrate the issues with ldb use after free
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Douglas Bagnall [Thu, 14 Mar 2024 00:25:48 +0000 (13:25 +1300)]
pytest:krb5/lockout: associate user DN with the ldb it is used with
LDB is soon going to object strongly to Python DNs that don't come from
the ldb that they are being used with, for memory safety reasons.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 9 Apr 2024 04:11:16 +0000 (16:11 +1200)]
auth/credentials: Read managed_password.passwords.query_interval only after parsing
The code previously read the uninitialised stack, not the parsed
structure, and so could segfault if the stack was not zero.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Apr 9 23:59:54 UTC 2024 on atb-devel-224
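The ordering bug described in the commit above (reading a parsed field before the parser has run) is a general pattern, so here is an added, self-contained C illustration. It is not Samba's code: the blob layout, the struct managed_password type and the function names are hypothetical stand-ins for the real MSDS-ManagedPassword handling, and the sample blob is constructed. Real stack garbage is unpredictable, so the "before parse" variant poisons the struct with 0xAA to make the stale read visible and deterministic; the corrected variant zero-initialises, parses, checks the return value and only then reads.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified blob layout used only for this example
 * (NOT the real MSDS-ManagedPassword wire format):
 *   [u32 version][u32 length][u64 query_interval], all little-endian.
 */
struct managed_password {
	uint32_t version;
	uint32_t length;
	uint64_t query_interval;
};

/* Constructed sample blob: version 1, length 16, query_interval 3600. */
static const uint8_t SAMPLE_BLOB[16] = {
	0x01, 0x00, 0x00, 0x00,
	0x10, 0x00, 0x00, 0x00,
	0x10, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

static uint32_t le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t le64(const uint8_t *p)
{
	return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

/* Parse the blob; returns 0 on success, -1 if it is too short or inconsistent. */
static int parse_managed_password(const uint8_t *buf, size_t len,
				  struct managed_password *out)
{
	if (buf == NULL || len < 16) {
		return -1;
	}
	out->version = le32(buf);
	out->length = le32(buf + 4);
	if (out->length > len) {
		return -1;
	}
	out->query_interval = le64(buf + 8);
	return 0;
}

/*
 * The ordering the commit describes as the bug: the caller reads the
 * field before the parser has filled the structure in. The struct is
 * poisoned with 0xAA as a deterministic stand-in for uninitialised stack.
 */
static uint64_t query_interval_read_before_parse(const uint8_t *buf, size_t len)
{
	struct managed_password pw;
	uint64_t interval;

	memset(&pw, 0xAA, sizeof(pw));	/* stand-in for stack garbage */
	interval = pw.query_interval;	/* BUG: read before parse */
	(void)parse_managed_password(buf, len, &pw);
	return interval;
}

/* Corrected ordering: zero-initialise, parse, check the result, then read. */
static int query_interval_after_parse(const uint8_t *buf, size_t len,
				      uint64_t *interval)
{
	struct managed_password pw = { 0 };

	if (parse_managed_password(buf, len, &pw) != 0) {
		return -1;
	}
	*interval = pw.query_interval;
	return 0;
}

int main(void)
{
	uint64_t iv = 0;

	printf("stale read:  0x%016" PRIx64 "\n",
	       query_interval_read_before_parse(SAMPLE_BLOB, sizeof(SAMPLE_BLOB)));
	if (query_interval_after_parse(SAMPLE_BLOB, sizeof(SAMPLE_BLOB), &iv) == 0) {
		printf("parsed read: %" PRIu64 "\n", iv);
	}
	return 0;
}
```

The zero-initialisation in the corrected variant is a belt-and-braces measure: it does not replace checking the parser's return value, but it turns a stale read on an error path into a predictable zero rather than whatever the stack held.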
Volker Lendecke [Fri, 9 Feb 2024 11:37:53 +0000 (12:37 +0100)]
smbd: Simplify an if-condition
current_sid == NULL is true if and only if we could not assign current_sid
because num_sids was too small. Make that more explicit.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 9 Feb 2024 11:47:48 +0000 (12:47 +0100)]
smbd: Save 3 lines
Just cosmetic
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 8 Feb 2024 17:16:39 +0000 (18:16 +0100)]
smbd: Remove an obsolete comment
This looks like a cut&paste from other smbXsrv files.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 8 Feb 2024 11:51:32 +0000 (12:51 +0100)]
smbXsrv_session: Remove a "can't happen" NULL check
This should really not happen, crashing would be the right
response. Align with fdca0558efa.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 8 Feb 2024 11:47:07 +0000 (12:47 +0100)]
smbXsrv_session: Use talloc_tos() for pushing smbXsrv_session_globalB
Use the toplevel talloc pool, align with 0c709cb6b70.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 8 Feb 2024 11:23:21 +0000 (12:23 +0100)]
smbXsrv_session: Remove two implicit NULL initializations
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Thu, 8 Feb 2024 10:50:42 +0000 (11:50 +0100)]
smbXsrv_session: Use struct initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 9 Apr 2024 21:53:00 +0000 (09:53 +1200)]
python/samba/tests: Fix gMSA blackbox test to expect failure to get password after membership change
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Andreas Schneider [Mon, 4 Mar 2024 15:08:46 +0000 (16:08 +0100)]
s3:rpc_server: Implement _lsa_CreateTrustedDomainEx3()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 29 Feb 2024 09:02:16 +0000 (10:02 +0100)]
s3:rpc_server: Implement lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 5 Jan 2024 10:16:58 +0000 (11:16 +0100)]
s3:rpc_server: Implement and use lsa_CreateTrustedDomain_precheck()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 28 Feb 2024 13:50:19 +0000 (14:50 +0100)]
s3:rpc_server: Log error in _lsa_CreateTrustedDomainEx2()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 29 Feb 2024 08:34:10 +0000 (09:34 +0100)]
s3:rpc_client: Implement createtrustdomex3 command
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 27 Feb 2024 08:08:28 +0000 (09:08 +0100)]
s3:rpc_client: Implement createtrustdomex2 command
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 27 Feb 2024 08:24:52 +0000 (09:24 +0100)]
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info_aes()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 28 Nov 2023 14:46:54 +0000 (15:46 +0100)]
s4:torture: Add test for lsa_CreateTrustedDomainEx3
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Dec 2023 10:51:02 +0000 (11:51 +0100)]
s4:rpc_server: Enable AES in dcesrv_lsa_OpenPolicy3()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Dec 2023 09:32:45 +0000 (10:32 +0100)]
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomainEx3()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Dec 2023 09:32:25 +0000 (10:32 +0100)]
s4:rpc_server: Implement get_trustdom_auth_blob_aes() for LSA
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 22 Dec 2023 14:07:54 +0000 (15:07 +0100)]
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() in lsa_CreateTrustedDomain
This also removes dcesrv_lsa_CreateTrustedDomain_base() as it is unused with
this commit. We need to do it here or the compiler will complain about an unused
function.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 22 Dec 2023 14:00:20 +0000 (15:00 +0100)]
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 22 Dec 2023 13:58:26 +0000 (14:58 +0100)]
s4:rpc_server: Use dcesrv_lsa_CreateTrustedDomain_common() for lsa_CreateTrustedDomainEx2
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 20 Dec 2023 17:56:14 +0000 (18:56 +0100)]
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_common()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 15 Dec 2023 15:21:32 +0000 (16:21 +0100)]
s4:rpc_server: Implement dcesrv_lsa_CreateTrustedDomain_precheck()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Dec 2023 07:12:22 +0000 (08:12 +0100)]
s4:rpc_server: Use talloc_zero in dcesrv_lsa_CreateTrustedDomain()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 15 Dec 2023 15:21:15 +0000 (16:21 +0100)]
s4:rpc_server: Fix trailing white spaces in dcesrv_lsa.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 18 Mar 2024 17:45:19 +0000 (18:45 +0100)]
s4:torture: Use dcerpc_lsa_OpenPolicy3_r()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 27 Feb 2024 08:15:01 +0000 (09:15 +0100)]
s4:torture: Use rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 27 Feb 2024 08:07:57 +0000 (09:07 +0100)]
s3:rpc_client: Implement rpc_lsa_encrypt_trustdom_info()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 27 Feb 2024 08:14:24 +0000 (09:14 +0100)]
s4:torture: Use init_lsa_String() from init_lsa.h
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 28 Nov 2023 14:30:38 +0000 (15:30 +0100)]
librpc:rpc: Add dcerpc_lsa.h
This adds AES constants by MS.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 3 Apr 2024 09:26:50 +0000 (11:26 +0200)]
python: Use OpenPolicyFallback() in trust.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 3 Apr 2024 09:16:19 +0000 (11:16 +0200)]
python: Implement CreateTrustedDomainFallback()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 3 Apr 2024 09:15:14 +0000 (11:15 +0200)]
python: Add aead_aes_256_cbc_hmac_sha512()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Wed, 3 Apr 2024 08:54:41 +0000 (10:54 +0200)]
python: Use secrets.token_bytes instead of random
random should not be used to create secure random numbers for tokens.
The secrets module is exactly for this.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 13:45:41 +0000 (14:45 +0100)]
python: Set parameter types for CreateTrustedDomainRelax()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 13:44:21 +0000 (14:44 +0100)]
python:tests: Clean lsa_utils.py code according to Python standards
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 13:06:46 +0000 (14:06 +0100)]
python:tests: Rename createtrustrelax.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 10:24:10 +0000 (11:24 +0100)]
python: Implement OpenPolicyFallback()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 09:08:33 +0000 (10:08 +0100)]
python:samba: Rename trust_utils.py to lsa_utils.py
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Thu, 21 Mar 2024 09:31:36 +0000 (10:31 +0100)]
buildtools: Fix PYTHONPATH and print it
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 28 Mar 2024 03:06:05 +0000 (16:06 +1300)]
netcmd: fix broken shell command missing Model
This is already in MODELS, which is populated in ModelMeta.
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 8 04:07:22 UTC 2024 on atb-devel-224
Rob van der Linde [Thu, 28 Mar 2024 03:15:06 +0000 (16:15 +1300)]
python: lint: fix pylint R1720 unnecessary "raise" after "else"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 28 Mar 2024 03:09:44 +0000 (16:09 +1300)]
python: lint: remove unused imports in claims and gmsa commands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 28 Mar 2024 02:59:33 +0000 (15:59 +1300)]
python: tests: type check should always use "is" or "is not"
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Thu, 28 Mar 2024 02:58:34 +0000 (15:58 +1300)]
python: tests: fix closing quote in docstring example
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 28 Mar 2024 10:48:58 +0000 (10:48 +0000)]
libcli/http: Detect unsupported Transfer-encoding type
Also removes knownfail for test that now passes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 28 Mar 2024 09:16:33 +0000 (09:16 +0000)]
selftest: Add new test for testing non-chunk transfer encoding
And add a known fail because there is a bug :-(
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Noel Power [Thu, 28 Mar 2024 09:09:02 +0000 (09:09 +0000)]
selftest: fix potential reference before assigned error
This would only happen if the test failed (but the message would be
incorrect as 'e', the exception to be stringified, doesn't exist).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15611
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Alexander Bokovoy [Thu, 22 Jun 2023 06:56:12 +0000 (09:56 +0300)]
Do not fail checksums for RFC8009 types
While Active Directory does not yet support RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for the FreeIPA
domain controller, which uses them by default.
[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
PAC Decode: Failed to verify the service signature: Invalid argument
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 5 Apr 2024 12:33:04 +0000 (14:33 +0200)]
python:tests: Improve keytab comparison of dckeytab
This will give better output on failure as it compares strings instead
of bytes.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 26 Jan 2024 08:25:11 +0000 (09:25 +0100)]
s3:winbindd: use better debug messages than 'talloc_strdup failed'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Apr 5 13:28:42 UTC 2024 on atb-devel-224
Stefan Metzmacher [Fri, 26 Jan 2024 08:21:03 +0000 (09:21 +0100)]
s3:passdb: use DBG_ERR() for 'talloc_strdup failed' messages
Otherwise it's completely unclear where the messages come from.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 15 Oct 2021 01:34:11 +0000 (03:34 +0200)]
s3:libads: avoid changing ADS->server.workgroup
ads_find_dc() uses c_domain = ads->server.workgroup and
doesn't expect it to go out of scope deep in resolve_and_ping_dns().
The result is corrupted domain values in the debug output.
Valgrind shows this:
Invalid read of size 1
at 0x483EF46: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x608BE94: __vfprintf_internal (vfprintf-internal.c:1688)
by 0x609ED49: __vasprintf_internal (vasprintf.c:57)
by 0x5D2EC0F: __dbgtext_va (debug.c:1860)
by 0x5D2ED3F: dbgtext (debug.c:1881)
by 0x4BFFB50: ads_find_dc (ldap.c:570)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Address 0xb69f6f0 is 0 bytes inside a block of size 11 free'd
at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4BFF0AF: ads_try_connect (ldap.c:299)
by 0x4BFF40E: cldap_ping_list (ldap.c:367)
by 0x4BFF75F: resolve_and_ping_dns (ldap.c:468)
by 0x4BFFA91: ads_find_dc (ldap.c:556)
by 0x4C001F4: ads_connect (ldap.c:704)
by 0x4C1DC12: ads_dc_name (namequery_dc.c:84)
Block was alloc'd at
at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x60B250E: strdup (strdup.c:42)
by 0x4FF1492: smb_xstrdup (util.c:743)
by 0x4C10E62: ads_init (ads_struct.c:148)
by 0x4C1DB68: ads_dc_name (namequery_dc.c:73)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14981
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Feb 2024 11:34:48 +0000 (12:34 +0100)]
s4:nbt_server: simulate nmbd and provide unexpected handling
This is needed in order to let nbt_getdc() work against
another AD DC and get back a modern response with
DNS-based names, instead of falling back to
the ugly name_status_find() that simulates just
a NETLOGON_SAM_LOGON_RESPONSE_NT40 response.
This way dsgetdcname() can work with just the NetBIOS
domain name given and still return an Active Directory
response.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Feb 2024 12:49:21 +0000 (13:49 +0100)]
s4:libcli/dgram: add nbt_dgram_send_raw() to send raw blobs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 16:47:45 +0000 (17:47 +0100)]
s4:libcli/dgram: make use of socket_address_copy()
This avoids talloc_reference...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 15:42:16 +0000 (16:42 +0100)]
s4:libcli/dgram: let the generic incoming handler also get unexpected mailslot messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 16:47:13 +0000 (17:47 +0100)]
libcli/nbt: add nbt_name_send_raw()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 16:29:46 +0000 (17:29 +0100)]
s3:libsmb/dsgetdcname: use NETLOGON_NT_VERSION_AVOID_NT4EMUL
In 2024 we always want an active directory response...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Feb 2024 10:38:19 +0000 (11:38 +0100)]
s3:libsmb/unexpected: pass nmbd_socket_dir from the callers of nb_packet_{server_create,reader_send}()
This will allow source4/nbt_server to make use of
nb_packet_server_create().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Feb 2024 12:49:43 +0000 (13:49 +0100)]
s3:libsmb/unexpected: don't use talloc_tos() in async code
It's not needed and it requires the caller to setup a
stackframe...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 15:37:34 +0000 (16:37 +0100)]
s3:wscript: LIBNMB requires lp_ functions
We need to make this explicit in order to let LIBNMB be used
in source4 code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 15 Feb 2024 15:53:29 +0000 (16:53 +0100)]
s3:include: split out fstring.h
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 14 Feb 2024 13:15:47 +0000 (14:15 +0100)]
s3:include: let nameserv.h be useable on its own
A lot of stuff is private to nmbd and can
be moved from nameserv.h.
This allows moving the required types from smb.h to
nameserv.h, so that it can be standalone.
Including it from smb.h is not a huge problem
as nmbd internals are gone from nameserv.h.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15620
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pavel Filipenský [Thu, 14 Mar 2024 14:24:21 +0000 (15:24 +0100)]
tests: Add a test for "all_groups=no" to test_idmap_ad.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224
Pavel Filipenský [Mon, 25 Mar 2024 21:38:18 +0000 (22:38 +0100)]
selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Tue, 12 Mar 2024 12:20:24 +0000 (13:20 +0100)]
s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad
The LDAP query of lookup_groupmem() returns all group members from AD,
even those with a missing uidNumber. Such group members are useless in a
UNIX environment for the idmap_ad backend since there is no uid mapping.
'test_user' is a member of group "Domain Users" with 200K members;
only 20K members have uidNumber set.
Without this fix:
$ time id test_user
real 1m5.946s
user 0m0.019s
sys 0m0.012s
With this fix:
$ time id test_user
real 0m3.544s
user 0m0.004s
sys 0m0.007s
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Wed, 13 Mar 2024 12:55:41 +0000 (13:55 +0100)]
docs-xml: Add parameter all_groupmem to idmap_ad
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Anoop C S [Thu, 21 Mar 2024 11:19:04 +0000 (16:49 +0530)]
vfs_ceph: Implement SMB_VFS_FGET_DOS_ATTRIBUTES to preserve create_time
In order to avoid the dependency on dos attribute for create_time we now
preserve the btime before parsing dos attribute which may update btime
from its value with an old one unless we explicitly reset dos attribute
with new create_time in SMB_VFS_FNTIMES implementation. Therefore have
an implementation for SMB_VFS_FGET_DOS_ATTRIBUTES to save and restore
updated create_time.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Mon Apr 1 15:24:39 UTC 2024 on atb-devel-224
Anoop C S [Fri, 22 Mar 2024 06:08:08 +0000 (11:38 +0530)]
source3/smbd: Update timestamps after a successful SMB_VFS_FNTIMES
When an open file handle is used to change timestamps we fail to return
updated values to clients until the next open is issued. Unless we fill in
the timestamps, subsequent calls like GETINFO cannot see the latest value,
causing incorrect results. Therefore copy those timestamp values as soon
as they are set on the backend.
Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Tue, 27 Feb 2024 14:39:30 +0000 (15:39 +0100)]
lib: Use struct initialization in imessaging_client_init()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Mar 28 09:13:43 UTC 2024 on atb-devel-224
Volker Lendecke [Tue, 27 Feb 2024 14:39:16 +0000 (15:39 +0100)]
lib: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Wed, 21 Feb 2024 09:55:55 +0000 (10:55 +0100)]
lib: Fix dbwrap_tdb.h prerequisites
It uses enum dbwrap_lock_order, so include dbwrap.h
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Tue, 20 Feb 2024 12:04:28 +0000 (13:04 +0100)]
lib: Give tallocmsg.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Wed, 28 Feb 2024 15:45:57 +0000 (16:45 +0100)]
lib: Fix whitespace
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sat, 10 Feb 2024 13:27:38 +0000 (14:27 +0100)]
smbd: Remove an outdated comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 17:07:19 +0000 (18:07 +0100)]
smbd: Remove struct open_symlink_err
This was just a wrapper for a single pointer, remove it
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 16:42:28 +0000 (17:42 +0100)]
smbd: Remove "unparsed" from struct open_symlink_err
We have the reserved field unparsed_path_length as part of struct
symlink_reparse_struct.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 16:27:50 +0000 (17:27 +0100)]
smbd: Remove "st" from struct open_symlink_err
Since c96010a2a9f nobody reads it anymore.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 17:50:47 +0000 (18:50 +0100)]
smbd: Fix returning symlink stat info in the NO_OPATH case
Our callers don't look at symlink_err's struct stat anymore, they look
at the fname's one since we return them properly even for symlinks. So
don't bother filling in symlink_err->st, nobody reads it anyway.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 15:07:22 +0000 (16:07 +0100)]
smbd: Make read_symlink_reparse() return a reparse_data_buffer
This will make generalized handling of reparse point error returns easier
once we also allow creating symlink reparse point files over SMB.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Volker Lendecke [Sun, 4 Feb 2024 10:10:18 +0000 (11:10 +0100)]
smbd: Simplify users of fsp_fullbasepath()
All three users had to strip a trailing "/.". Centralize this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Wed, 20 Mar 2024 01:56:47 +0000 (14:56 +1300)]
python/samba/tests/krb5: Extend PKINIT tests to cover UF_SMARTCARD_REQUIRED
This in particular tests the returned NTLM password buffers as well as
the password rotation on expired accounts described at
https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/whats-new-in-credential-protection
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Mar 28 02:53:53 UTC 2024 on atb-devel-224
Andrew Bartlett [Tue, 26 Mar 2024 01:29:49 +0000 (14:29 +1300)]
python/tests/krb5: Prepare to allow tests that use the PAC returned NT hash
We want to use the PAC-returned NT hash in the UF_SMARTCARD_REQUIRED case
as it will usually be random bytes, so we cannot just assert on the
value any more.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 26 Mar 2024 01:42:20 +0000 (14:42 +1300)]
python/tests/krb5: Allow getting a TGT in pkinit tests
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Tue, 19 Mar 2024 01:37:24 +0000 (14:37 +1300)]
python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Jo Sutton [Thu, 21 Mar 2024 23:58:19 +0000 (12:58 +1300)]
tests/krb5: Fix PK-INIT test framework to allow expired password keys
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 13 Mar 2024 23:01:54 +0000 (12:01 +1300)]
python/samba/krb5: Allow client address (caddr) to be missing or empty
Currently (as of 2024-02) Windows 21H2 returns this as [].
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Andrew Bartlett [Wed, 20 Mar 2024 01:42:31 +0000 (14:42 +1300)]
auth/credentials: Remove use of pytalloc_get_type() of NDR types in pycredentials
This function is based on a flawed premise that the
pointer is a talloc context, but the second element
in an array and any element in a structure is not a
talloc context.
The type has already been checked above.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
Rob van der Linde [Mon, 25 Mar 2024 00:46:47 +0000 (13:46 +1300)]
netcmd: docs: update documentation for new auth policy command structure
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 20 Mar 2024 21:24:12 +0000 (10:24 +1300)]
netcmd: auth policy: remove old service-allowed-to-authenticate-from-silo and group
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Rob van der Linde [Wed, 20 Mar 2024 20:58:02 +0000 (09:58 +1300)]
netcmd: auth policy: add service-allowed-to-authenticate-from subcommands
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>