Stefan Metzmacher [Tue, 2 May 2023 13:15:16 +0000 (15:15 +0200)]
vfs_aio_pthread: don't crash without a pthreadpool
During 'samba-tool ntacl sysvolreset' and similar.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Baumbach [Wed, 21 Jun 2023 18:52:03 +0000 (20:52 +0200)]
samba-tool: print default (domain) for --dns-directory-partition option in help message
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 23 Mar 2022 23:12:47 +0000 (00:12 +0100)]
tests/krb5/s4u_tests.py: add test_constrained_delegation_authtime
This demonstrates that we use the correct authtime
when doing constrained delegation.
The actual fix for the problem is already in place via
commit
75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-
202306091507 (commit
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patch is:
006a365a6aa3047a4e685e1607973746a28cc1f1 kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13137
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 17 Mar 2022 13:46:55 +0000 (14:46 +0100)]
tests/krb5/s4u_tests.py: add test_constrained_delegation_with_enc_auth_data_[no_]subkey()
This demonstrates that we use the correct key for EncAuthorizationData
together with constrained delegation.
The actual fix for the problem is already in place via
commit
75ec66c729faad60fa18b9504ba4053b3e2f47bc
third_party/heimdal: Import lorikeet-heimdal-
202306091507 (commit
7d8afc9d7e3d309ddccc2aea6405a8ca6280f6de)
The related patches are:
38c47c54f0c78fed5afc1aea9c5f6683e06ec842 kdc: fix memory leak when decryption AuthorizationData
61c0089ea3f5387953818a3ac99fb529244196e6 kdc: decrypt b->enc_authorization_data in tgs_build_reply()
fed5579814108ee90f701ca6bfb5500f7d839bc4 kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the keys from evidence_tkt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13131
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 14 Jun 2023 04:14:51 +0000 (16:14 +1200)]
WHATSNEW: Mention new default schema and Functional Level prep
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 21 20:01:06 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 3 Apr 2023 04:49:50 +0000 (16:49 +1200)]
s4:kdc: Gate claims, auth policies and NTLM restrctions behind 2012/2016 FLs
Samba security features like AD claims, Authentication Policies and
Authentication Silos are enabled once the DC is at the required functional level.
We comment at the callers of of dsdb_dc_functional_level() to explain
why we do this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:21:32 +0000 (10:21 +0200)]
testprogs/blackbox: also raise the levels to 2012_R2/2016 in functionalprep.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:21:32 +0000 (10:21 +0200)]
testprogs/blackbox: also prepare for to 2016 (schema=2019) in functionalprep.sh
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: let 'domain level raise' call check_and_update_fl() in a transaction
This makes it possible to raise the levels without starting
'samba' first, which is very useful for blackbox tests.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: move some parts of 'domain level [show|raise]' in to subfunctions
This will make it easier to use transactions in the following changes...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 10:07:08 +0000 (12:07 +0200)]
samba-tool: move some parts of 'domain level [show|raise]' in to try/except
This just adds indentation for now, the following changes will
add transactions...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 09:57:12 +0000 (11:57 +0200)]
samba-tool: let 'domain level raise --domain-level' use the correct crossRef dn
We should not rely on lp.get('workgroup')...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 09:07:17 +0000 (11:07 +0200)]
samba-tool: check for invalid 'domain level' subcommands first
This will simplify further changes...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 20 Jun 2023 23:43:01 +0000 (11:43 +1200)]
samba-tool: Fix missing import for "domain level raise --forest-level=2016"
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 21 Jun 2023 08:31:34 +0000 (10:31 +0200)]
docs-xml/smbdotconf: also allow 2012[_R2] for 'ad dc functional level'
We may not jump to 2016 directly...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 9 Jun 2023 03:46:33 +0000 (15:46 +1200)]
s4:kdc: Replace FAST cookie with dummy string
All that uses the FAST cookie is the gss-preauth authentication
mechanism, which is untested in Samba, and disabled by default.
Disabling the FAST cookie code (and sending a dummy string instead)
relieves us of the maintenance and testing burden of this untested code.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 21 13:19:17 UTC 2023 on atb-devel-224
Joseph Sutton [Mon, 12 Jun 2023 00:12:06 +0000 (12:12 +1200)]
third_party/heimdal: Import lorikeet-heimdal-
202306112240 (commit
c7f4ffe1a6e8dafc86ec3357c498d31c97ece386)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Mon, 12 Jun 2023 01:06:21 +0000 (13:06 +1200)]
tests/krb5: Test that FX-COOKIE matches cookie returned by Windows
The cookie produced by Windows differs depending on whether FAST was
used.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Tue, 20 Jun 2023 07:56:22 +0000 (09:56 +0200)]
smbd: Don't set security_descriptor_hash_v4->time
This prevents de-duplication of xattrs in the backend file system
where otherwise ACLs are often very similar.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jun 21 07:11:56 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 20 Jun 2023 09:52:12 +0000 (11:52 +0200)]
s3:winbind: Fix talloc parent in find_dc() leading to a segfault
[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log)
Bad talloc magic value - unknown value
[2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log)
===============================================================
[2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log)
INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3)
[2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log)
===============================================================
[2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log)
PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3
[2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace)
BACKTRACE: 22 stack frames:
#0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4]
#1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d]
#2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121]
#3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028]
#4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488]
#5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469]
#6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5]
#7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664]
#8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707]
#9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f]
#10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b]
#11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5]
#12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14]
#13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd]
#14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72]
#15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7]
#16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f]
#17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b]
#18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5]
#19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4]
#20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85]
#21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e]
[2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core)
coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 20 11:07:45 UTC 2023 on atb-devel-224
Björn Baumbach [Thu, 15 Jun 2023 16:24:50 +0000 (18:24 +0200)]
samba-tool: add new --dns-directory-partition option to dns zonecreate command
The new --dns-directory-partition chooses the directory partition for
the new zone - "domain" or "forest". Defaults to the current default
"domain".
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 16 21:23:28 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 11 Apr 2023 13:30:23 +0000 (15:30 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_cross_node.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:29:41 +0000 (15:29 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_smbXsrv_client_dead_rec.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:29:01 +0000 (15:29 +0200)]
s3:tests: Do not export UID_WRAPPER_ROOT in test_net_machine_account
Just set it for the test.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:27:31 +0000 (15:27 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_net_rpc_oldjoin.sh
This is already set for smbpasswd.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:26:52 +0000 (15:26 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_heimdal.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Tue, 11 Apr 2023 13:26:21 +0000 (15:26 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_kpasswd_mit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:17:39 +0000 (10:17 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_pdbtest.sh
We already set root for smbpasswd.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:16:40 +0000 (10:16 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_net_ads_dns.sh
There is not need for root here.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Mon, 27 Mar 2023 08:03:50 +0000 (10:03 +0200)]
testprogs: Do not export UID_WRAPPER_ROOT in test_samba-tool_ntacl.sh
There is not need for root here.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 16 Jun 2023 07:57:00 +0000 (09:57 +0200)]
testprogs:subunit: Fix integer comparisons
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider [Fri, 16 Jun 2023 07:42:07 +0000 (09:42 +0200)]
testprogs:subunit: Fix assigning an array to a string
$@ is an array and we want a string.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:42:16 +0000 (02:42 +0200)]
vfs_default.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:30:32 +0000 (02:30 +0200)]
smbXsrv_tcon.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:23:59 +0000 (02:23 +0200)]
dcesrv_drsuapi.c:use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:18:21 +0000 (02:18 +0200)]
smb2_service.c: use DBG* macros instread of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Wed, 7 Jun 2023 00:05:57 +0000 (02:05 +0200)]
smbXsrv_session.c: use DBG* macros instead of static log level numbers
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 23:50:39 +0000 (01:50 +0200)]
dns_update.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 23:45:47 +0000 (01:45 +0200)]
oplock_linux.c: use DBG macros instead of static log level
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:24:15 +0000 (17:24 +0200)]
nmbd_become_lmb.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:23:40 +0000 (17:23 +0200)]
nmbd/asyncdns.c: use DBG* macros instead of static log level numbers
Some log levels change because the macros don't cover all the previously used
log levels or because importance was slightly reconsidered.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Mon, 12 Jun 2023 15:23:01 +0000 (17:23 +0200)]
nmbd_sendannounce.c: use DBG* macros instead of static log level numbers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Björn Jacke [Tue, 6 Jun 2023 22:16:25 +0000 (00:16 +0200)]
nmbd: use DBG_ macros and raise some log levels
BUG: https://bugzilla.samba.org/show_bug.cgi?id=4143
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Volker Lendecke [Fri, 16 Jun 2023 11:53:25 +0000 (13:53 +0200)]
smbd: smbd_dirptr_lanman2_match_fn(): Remove "exact_match" handling
No caller uses this anymore. The only downside here now is that we
always go directly to mask_match instead of a trying strcasecmp_m
first. I very much doubt this makes a measurable difference because
this would have been called for non-wildcard
readdirs (a.k.a. qpathinfo), and there we do this only once per
complete directory read. Also I don't believe mask_match() is
measurably more expensive than strcasecmp_m() for the usually short
filenames we're looking at here.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 16 17:07:46 UTC 2023 on atb-devel-224
Volker Lendecke [Fri, 16 Jun 2023 11:45:57 +0000 (13:45 +0200)]
smbd: Remove a smb1-only optimization findfirst/findnext
I don't think this is an effective optimization at all anymore. It was
intended to speed up non-wildcard readdirs after we found the correct
entry. Nowadays we do the non-wildcard readdirs by a direct fstatat,
and after we successfully found the entry dptr_ReadDirName()
immediately returns without any further action. So my very strong
guess is that this never really kicked in anymore. Not using this flag
can't be *that* bad, smb2 never used it.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 16 Jun 2023 11:32:24 +0000 (13:32 +0200)]
smbd: Remove "a heuristic to avoid seeking the dirptr"
-- we don't seek the dirptr anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 9 Mar 2023 15:16:50 +0000 (16:16 +0100)]
libsmb: Test smb1 mknod
Requires O_PATH to work correctly
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 16:20:55 +0000 (17:20 +0100)]
pylibsmb: Add smb1_stat()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 15:43:46 +0000 (16:43 +0100)]
pylibsmb: Add mknod()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 16 Feb 2023 12:41:44 +0000 (13:41 +0100)]
libsmb: Add SMB1 posix cli_mknod
This is a dead horse, but in the future it will make it easier to test
the smb311 unix extension code.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Mon, 24 Apr 2023 14:46:17 +0000 (16:46 +0200)]
rpc_server: Fix talloc hierarchy in _srvsvc_NetSrvGetInfo()
Make ->comment a proper talloc child of the right structure.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 31 May 2023 07:48:58 +0000 (09:48 +0200)]
profiling: Factor out functions to read smbprofile.tdb
We don't need all of Samba just to dump contents of this tdb, make
exporting profile information cheaper.
No direct use yet, but it's a good cleanup IMHO
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 14 Jun 2023 05:23:52 +0000 (07:23 +0200)]
WHATSNEW: Mention removed "directory name cache size" parameter
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 30 May 2023 11:27:00 +0000 (13:27 +0200)]
lib: Add a few required #includes
You find them if you try to #include these files directly
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 26 Apr 2023 13:58:51 +0000 (15:58 +0200)]
winbind: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 23 May 2023 08:44:40 +0000 (10:44 +0200)]
lib: Simplify two if-expressions
This version looks easier to read to me.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 May 2023 05:50:43 +0000 (07:50 +0200)]
smbd: Remove references to get_Protocol()
We have that available in smbXsrv_connection that is available almost
everywhere.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 15 Jun 2023 13:41:35 +0000 (15:41 +0200)]
smbd: Modernize a DEBUG statement in smbd_dirptr_get_entry()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 14 Jun 2023 05:20:34 +0000 (07:20 +0200)]
docs: Remove seekdir/telldir reference
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Thu, 25 May 2023 05:31:02 +0000 (07:31 +0200)]
smbd: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 09:30:26 +0000 (11:30 +0200)]
libcli: Simplify security_token_is_sid()
Avoid an explicit if-statement.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 18 Apr 2023 11:39:09 +0000 (13:39 +0200)]
libcli: Simplify dom_sid_dup()
We have sid_copy() for this.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Thu, 15 Jun 2023 00:31:03 +0000 (12:31 +1200)]
s4:auth: Remove unneeded ‘sam_ctx’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 06:30:35 UTC 2023 on atb-devel-224
Joseph Sutton [Thu, 4 May 2023 04:43:47 +0000 (16:43 +1200)]
s4:auth: Enforce machine authentication policy for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 4 May 2023 04:39:55 +0000 (16:39 +1200)]
s4:auth: Enforce device restrictions for NTLM authentication
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 23:24:27 +0000 (11:24 +1200)]
s4:kdc: Log TGS-REQs in the Heimdal KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 15 Jun 2023 02:33:37 +0000 (14:33 +1200)]
tests/auth_log: Ensure tests continue to pass when new log types are added
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 04:35:26 +0000 (16:35 +1200)]
tests/auth_log: Add support for new ‘KDC Authorization’ log type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 23:18:45 +0000 (11:18 +1200)]
auth: Add new ‘KDC Authorization’ log type
This is similar, but not identical, to the existing ‘Authorization’
event. It will be used to log Kerberos TGS-REQs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 23:12:22 +0000 (11:12 +1200)]
lib:audit_logging: Add function to create JSON object containing auditing information
This can be included in logged authentications and authorizations.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 23:03:00 +0000 (11:03 +1200)]
s4:kdc: Add function to perform an access check to a service
If the ‘server_audit_info_out’ parameter is non-NULL, auditing
information will be returned so that it might be logged.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 23:00:38 +0000 (11:00 +1200)]
s4:kdc: Generate auditing infomation for NTLM device restrictions
This will provide more detail to be logged.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:54:18 +0000 (10:54 +1200)]
s4:kdc: Move NTLM device restrictions to ‘authn_policy_util’
We’re going to extend this code, and so we will require functions from
the utility module.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:46:55 +0000 (10:46 +1200)]
s4:kdc: Add function to perform an authentication policy access check with a device
If the ‘audit_info_out’ parameter is non-NULL, auditing information will
be returned so that it might be logged.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:37:03 +0000 (10:37 +1200)]
s4:kdc: Add getter functions for authn_audit_info
These functions return various pieces of information about an audit
event that can go into audit logs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:30:34 +0000 (10:30 +1200)]
s4:kdc: Add functions to create structures of auditing information for authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:18:38 +0000 (10:18 +1200)]
s4:kdc: Add helper functions to create optional int64 values
These values will be used to represent TGT lifetimes, which might or
might not be present.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:18:00 +0000 (10:18 +1200)]
s4:kdc: Add structure containing authentication policy auditing information
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:01:33 +0000 (10:01 +1200)]
s4:kdc: Rename ‘lifetime’ to indicate that it is measured in seconds
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 22:00:53 +0000 (10:00 +1200)]
s4:kdc: Rename authn_kerberos_client_policy::tgt_lifetime to tgt_lifetime_raw
This more clearly indicates that it is the raw TGT lifetime value
straight from the database.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 15 Jun 2023 02:59:10 +0000 (14:59 +1200)]
auth: Move authn_policy code into auth subsystem
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.
We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 04:29:27 +0000 (16:29 +1200)]
tests/auth_log: Refactor waitForMessages() to use nextMessage()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 14 23:55:42 UTC 2023 on atb-devel-224
Joseph Sutton [Wed, 14 Jun 2023 04:30:30 +0000 (16:30 +1200)]
tests/auth_log: Add method to fetch the next relevant message from the messaging bus
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 05:23:41 +0000 (17:23 +1200)]
tests/krb5: Test authentication with policy restrictions and a wrong password
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 18 May 2023 00:00:29 +0000 (12:00 +1200)]
tests/krb5: Test S4U2Self followed by constrained delegation with authentication policies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:26:25 +0000 (11:26 +1200)]
tests/krb5: Remove unneeded ‘dn’ parameter
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 03:51:09 +0000 (15:51 +1200)]
s4:kdc: Fix typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 22:51:54 +0000 (10:51 +1200)]
tests/krb5: Make use of KerberosCredentials.get_sid()
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:21:43 +0000 (11:21 +1200)]
tests/krb5: Keep track of account SIDs
This prevents having to look them up in the database when tests need
them.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 22:59:41 +0000 (10:59 +1200)]
tests/krb5: Fix overlong lines
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 22:58:12 +0000 (10:58 +1200)]
tests/krb5: Add a couple of authentication policy tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:02:28 +0000 (11:02 +1200)]
tests/krb5: Test authentication logging of TGT lifetimes
It is useful to test a combination of device restrictions and TGT
lifetime restrictions so that we can check what TGT lifetime values end
up in the logs.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:12:15 +0000 (11:12 +1200)]
tests/krb5: Cache created authentication policies
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:13:00 +0000 (11:13 +1200)]
tests/krb5: Keep track of the type of each created account
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:28:40 +0000 (11:28 +1200)]
librpc/idl: Add authentication policy event IDs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:37:03 +0000 (11:37 +1200)]
s4:kdc: Consolidate assignments to r->error_code and final_ret
This makes it clearer that we are assigning a value to both together.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 13 Jun 2023 23:58:13 +0000 (11:58 +1200)]
s4:kdc: Don’t log authentication failures as successes
If a client was authorized, we would ignore the Kerberos error code and
just log the return value of authsam_logon_success_accounting().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 03:28:39 +0000 (15:28 +1200)]
tests/auth_log: Properly expect authentication failures
These authentications are actually failing (due to RESPONSE_TOO_BIG
errors), but our authentication logging infrastructure hides this.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 14 Jun 2023 01:47:20 +0000 (13:47 +1200)]
tests/auth_log: Make samba.tests.auth_log test executable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 26 May 2023 03:14:22 +0000 (15:14 +1200)]
s4/scripting/bin: Add NT_STATUS_OK to list of definitions
Add NT_STATUS_OK to our pre-generated list of status codes. Ensure it
goes first in the list to ensure that code that previously found this
error code in ‘special_errs’ maintains the same behaviour by falling
back to ‘nt_errs’.
This makes NT_STATUS_OK available to Python code using the ‘ntstatus’
module.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>