Joseph Sutton [Tue, 17 Oct 2023 01:24:46 +0000 (14:24 +1300)]
s4:kdc: Always regard device info when the client performs RBCD
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 22:18:50 +0000 (11:18 +1300)]
s4:dsdb: Remove reference to non‐existent code
Commit
498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in
question.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:07:30 +0000 (16:07 +1300)]
tests/krb5: Delete connection variable
This avoids a ‘variable set but unused’ warning.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:06:51 +0000 (16:06 +1300)]
tests/krb5: Make ‘services’ parameter required
We use it unconditionally without a check for None.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:05:17 +0000 (16:05 +1300)]
tests/krb5: Remove unreachable exception handlers
‘IOError’ is a subclass of ‘error’, which has already been handled.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:03:45 +0000 (16:03 +1300)]
tests/krb5: Fix RC4‐only Protected Users tests
We forgot to actually use the ‘supported_enctypes’ parameter.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:02:36 +0000 (16:02 +1300)]
tests/krb5: Remove unnecessary f‐strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:02:00 +0000 (16:02 +1300)]
tests/krb5: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 02:59:56 +0000 (15:59 +1300)]
tests/krb5: Fix DES3CBC random_to_key()
Because ‘keybytes’ is an immutable bytes object, ‘keybytes[7] = …’ has
no hope of working.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 04:08:01 +0000 (17:08 +1300)]
tests/krb5: Make ‘keybytes’ a bytes object rather than a list
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 02:08:47 +0000 (15:08 +1300)]
tests/krb5: Don’t expect edata if no error is expected
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 01:18:47 +0000 (14:18 +1300)]
tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used
View with ‘git show -b’.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 01:17:59 +0000 (14:17 +1300)]
tests/krb5: Use None for the default values of parameters
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 01:15:27 +0000 (14:15 +1300)]
tests/krb5: Move assignments closer to where the variables are used
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 01:06:42 +0000 (14:06 +1300)]
tests/krb5: Remove incorrect functional level check
RBCD has no relevance to a method called _tgs().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 01:05:16 +0000 (14:05 +1300)]
tests/krb5: Update method names to be consistent with other tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 00:53:59 +0000 (13:53 +1300)]
tests/krb5: Have _modify_tgt() accept only keyword arguments
to prevent further accidents.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 00:52:55 +0000 (13:52 +1300)]
tests/krb5: Correctly pass arguments to _modify_tgt()
We were passing the new realm as the ‘renewable’ parameter!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 06:06:31 +0000 (19:06 +1300)]
tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 18 Oct 2023 03:51:24 +0000 (16:51 +1300)]
tests/krb5: Add ‘expect_edata’ parameter to _user2user()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 22:59:40 +0000 (11:59 +1300)]
tests/krb5: Fix comment
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 22:25:43 +0000 (11:25 +1300)]
tests/krb5: Remove marker
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 05:25:36 +0000 (18:25 +1300)]
s4:torture: Check return values of gnutls functions (CID
1547212)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 06:10:56 +0000 (19:10 +1300)]
s4:torture: Fix leaks
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 06:09:54 +0000 (19:09 +1300)]
s4:torture: Check return values of talloc functions
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Ralph Boehme [Wed, 18 Oct 2023 13:32:03 +0000 (15:32 +0200)]
smbd: put back code to fill in user and group SID
This is accidentally removed by
6874ed6a9defdf6f842e1e25f1ffd95708534ca6.
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Oct 18 16:46:00 UTC 2023 on atb-devel-224
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:libads: Improve logging for failover scenarios
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Wed Oct 18 15:47:09 UTC 2023 on atb-devel-224
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:libsmb: Improve logging for failover scenarios
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:winbindd: Improve logging for failover scenarios in winbindd_pam.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Wed, 18 Oct 2023 09:32:57 +0000 (11:32 +0200)]
s3:winbindd: Improve logging for failover scenarios in winbindd_cm.c
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
MikeLiu [Fri, 13 Oct 2023 03:55:52 +0000 (11:55 +0800)]
shadow_copy2: Add missing TALLOC_FREE
Signed-off-by: MikeLiu <mikeliu@qnap.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 17 20:22:18 UTC 2023 on atb-devel-224
Andreas Schneider [Tue, 17 Oct 2023 12:29:03 +0000 (14:29 +0200)]
s4:torture: Increase multichannel timeout
This avoid running into timeouts on Gitlab CI.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 13 Oct 2023 07:18:25 +0000 (09:18 +0200)]
s4:rpc_server/epmapper: use ndr_syntax_id_equal() in dcesrv_epm_Map() to match the request
This matches it much easier to understand.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 13 Oct 2023 07:11:51 +0000 (09:11 +0200)]
s4:rpc_server/epmapper: check dcerpc_floor_get_uuid_full() result in dcesrv_epm_Map()
This already checks for EPM_PROTOCOL_UUID and simplifies the logic.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 15:19:21 +0000 (17:19 +0200)]
s4:rpc_server: simplify logic in dcesrv_epm_Map matching
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 17:39:21 +0000 (19:39 +0200)]
librpc/rpc: also get the 2nd half of the ndr_syntax_id from a floor
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 17:23:59 +0000 (19:23 +0200)]
librpc/rpc: add dcerpc_floor_pack_uuid_full() helper function
This handles the full syntax with split major and minor version,
from lhs and rhs.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Sun, 13 Aug 2023 11:34:30 +0000 (13:34 +0200)]
s3:rpc_server: let create_policy_hnd() return a pointer
This allows a TALLOC_FREE() on it to unregister and destroy the
handle easily.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 09:05:46 +0000 (11:05 +0200)]
s4:rpc_server/remote: make use of dcesrv_async_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 09:05:46 +0000 (11:05 +0200)]
s4:rpc_server/netlogon: make use of dcesrv_async_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 09:05:46 +0000 (11:05 +0200)]
s4:rpc_server/lsa: make use of dcesrv_async_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 09:05:46 +0000 (11:05 +0200)]
s4:rpc_server/common: make use of dcesrv_async_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 09:05:46 +0000 (11:05 +0200)]
s4:rpc_server/echo: make use of dcesrv_async_reply()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 14 Aug 2023 10:58:14 +0000 (12:58 +0200)]
librpc/rpc: add dcesrv_async_reply() helper that disconnects as needed
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 14 Aug 2023 10:48:28 +0000 (12:48 +0200)]
librpc/rpc: allow dcesrv_context to propose the preferred ndr syntax
This allows specific services to use ndr64.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 13:39:38 +0000 (15:39 +0200)]
s3:rpc_server: distribute clients based on available association group slots
The important factor to distribute connection to workers
should be the number of used association group slots instead
of the raw number of connections. If one worker has a lot of
association groups with just one connection each, but another
with few association groups, but multiple connections per
association group. The one with less association groups should
get the connection. Note each worker is only able to allocate
UINT16_MAX allocation groups, but the number of connections
is only limited by RAM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 10:49:42 +0000 (12:49 +0200)]
dcesrv_core: maintain the number of allocated association groups per dce_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 12:21:44 +0000 (14:21 +0200)]
s3:rpc_server: improve debugging in rpc_host_distribute_clients()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 12:16:48 +0000 (14:16 +0200)]
s3:rpc_server: simplify rpc_host_find_worker()
This will help me in the next commits.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 19 Jan 2023 11:27:20 +0000 (12:27 +0100)]
s3:rpc_server: correctly allow up to 65536 workers processes
We already limit the per worker portion of the association
group id to UINT16_MAX, so we can also use 16-bit instead
of just 8-bit to encode the worker index.
While there we should actually ensure that the max worker
index is UINT16_MAX.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Thu, 12 Oct 2023 10:30:00 +0000 (12:30 +0200)]
rpc_host.idl: change server_index from uint8 to uint32
This reflects what we're using in the C code already...
Note this is an incompatible change, but we also changed
from named_pipe_auth_req_info7 to named_pipe_auth_req_info8
in master...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 16 Aug 2023 14:47:24 +0000 (16:47 +0200)]
s3:rpc_server: call reopen_logs before we print the copyright notice
This matches what we do in smbd, winbindd and nmbd.
For the workers it's important to call it at all, otherwise
things like 'debug pid = yes' or 'debug class = yes' have no effect
in the workers.
We could argue if we want the copyright notice on the start
of each worker at all, but that's a different discussion...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 14:41:33 +0000 (16:41 +0200)]
s3:rpc_server: make use of dcesrv_register_default_auth_types[_machine_principal]()
This mostly matches windows now...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 14:06:06 +0000 (16:06 +0200)]
s3:rpc_server: let get_servers() callback of rpc_worker_main() return NTSTATUS
This means the rpc_worker_main() logic is the only layer that
needs to call exit() and its able to do some cleanup before.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 13:37:12 +0000 (15:37 +0200)]
s3:rpc_server: let register_ep_server() errors result in DBG_ERR()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 13:29:29 +0000 (15:29 +0200)]
librpc/rpc: add dcesrv_register_default_auth_types[_machine_principal]() helpers
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 11:26:31 +0000 (13:26 +0200)]
librpc/rpc: implement dcesrv_mgmt_inq_princ_name infrastructure
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 15:05:56 +0000 (17:05 +0200)]
librpc/rpc: let dcesrv_mgmt_inq_if_ids() filter out the mgmt syntax_id
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 10:42:43 +0000 (12:42 +0200)]
librpc/rpc: apply some code cleanup and error checks to dcesrv_mgmt.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 15:24:07 +0000 (17:24 +0200)]
s4:torture/rpc: let test_inq_princ_name_size also test for princ_name_size = 0 and BAD_STUB_DATA
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 9 Aug 2023 15:32:11 +0000 (17:32 +0200)]
s3:selftest: also run rpc.mgmt against the nt4_dc (and ad_dc)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 18 Aug 2023 08:59:00 +0000 (10:59 +0200)]
libcli/util: let win_errstr() fallback to hresult_errstr()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pavel Filipenský [Sun, 24 Sep 2023 13:03:24 +0000 (15:03 +0200)]
s3:tests: Plan test_smbspool_krb.sh for environment ad_member_fips
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Tue Oct 17 19:19:32 UTC 2023 on atb-devel-224
Pavel Filipenský [Sun, 24 Sep 2023 13:03:35 +0000 (15:03 +0200)]
s3:tests: Add smbspool test using kerberos authentication: test_smbspool_krb.sh
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Pavel Filipenský [Mon, 25 Sep 2023 07:11:52 +0000 (09:11 +0200)]
s3:tests: The correct name of shell variable is 'samba_smbspool_krb5'
There is no shell variable named 'smbspool_krb5'.
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Michael Adam [Mon, 16 Oct 2023 17:04:55 +0000 (19:04 +0200)]
gitignore: add WAF lockfile
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct 17 04:16:29 UTC 2023 on atb-devel-224
Christof Schmitt [Thu, 12 Sep 2013 23:11:34 +0000 (16:11 -0700)]
build: Add 'make printversion' to provide version string
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15497
Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 11 Oct 2023 22:56:01 +0000 (11:56 +1300)]
s4:kdc: Remove unused function int2SDBFlags()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 11 Oct 2023 22:54:50 +0000 (11:54 +1300)]
s4:kdc: Explicitly initialize SDBFlags structures
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 12 Oct 2023 00:40:21 +0000 (13:40 +1300)]
s4:kdc: Make ‘struct user_info_dc’ members const
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 6 Oct 2023 01:11:24 +0000 (14:11 +1300)]
s4:dsdb: Check return value of ldb_msg_add_empty() (CID
1449667)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 02:37:29 +0000 (15:37 +1300)]
tests/krb5: Fix ASN.1 source
It currently fails to compile.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 16 Oct 2023 01:41:51 +0000 (14:41 +1300)]
tests/krb5: Don’t expect groups if we’re expecting an error
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 1 Oct 2023 23:20:48 +0000 (12:20 +1300)]
tests/krb5: Fix tests that crash Windows
Expect an actual error code or an outcome, not CRASHES_WINDOWS.
I don’t know which error codes Windows might be expected to produce, so
I’ve chosen some that seem plausible.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 17 Oct 2023 01:03:33 +0000 (14:03 +1300)]
tests/krb5: Expect a status code with policy errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 17 Oct 2023 00:34:29 +0000 (13:34 +1300)]
tests/krb5: Don’t consider RODC‐issued tickets to be banned with RBCD
If we’re verifying that a ticket was permitted to be issued by an RODC,
and not trusting the group SIDs in the ticket, is there any reason to
ban its use with RBCD?
A client with a ticket issued by an RODC that happens to select a DC to
direct an RBCD request at should not have the request mysteriously fail.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 12 Oct 2023 23:38:35 +0000 (12:38 +1300)]
buildtools: Correctly raise exception
This avoids errors like the following:
‘RuntimeError: No active exception to reraise’
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 12 Oct 2023 22:23:27 +0000 (11:23 +1300)]
buildtools: Don’t call normpath() repeatedly
A non‐negligible fraction of the build process — especially for
incremental builds — is spent calling normpath() over and over again.
Make builds faster by not doing that.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 11 Oct 2023 13:58:22 +0000 (15:58 +0200)]
s4:kdc: fix user2user tgs-requests for normal user accounts
User2User tgs requests use the session key of the additional
ticket instead of the long term keys based on the password.
In addition User2User also asserts that client and server
are the same account (cecked based on the sid).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Oct 16 15:38:12 UTC 2023 on atb-devel-224
Stefan Metzmacher [Sun, 15 Oct 2023 23:33:15 +0000 (12:33 +1300)]
third_party/heimdal kdc: introduce HDB_F_USER2USER_PRINCIPAL (import lorikeet-heimdal-
202310152331 (commit
a571340c9e1b75d4f5d96f08fcf9fd660d3ba3d4))
This allows HDB backends to do special handling for
User2User TGS-REQs. The main reason is to let
the HDB_F_GET_SERVER lookup to succeed even for
non-computer accounts. In Samba these are typically
not returned in HDB_F_GET_SERVER in order to avoid
generating tickets with the user password.
But for User2User the account password is not used,
so it is safe to return the server entry.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to be an import from lorikeet-heimdal as requested]
Stefan Metzmacher [Wed, 11 Oct 2023 13:54:15 +0000 (15:54 +0200)]
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15492
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Jan 2016 22:35:31 +0000 (23:35 +0100)]
CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 7 Jun 2023 16:18:58 +0000 (18:18 +0200)]
CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor for missing deleted objects container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Mon, 26 Jun 2023 13:14:24 +0000 (15:14 +0200)]
CVE-2018-14628: s4:dsdb: remove unused code in dirsync_filter_entry()
This makes the next change easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Jan 2016 22:34:15 +0000 (23:34 +0100)]
CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container
This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Jan 2016 22:33:37 +0000 (23:33 +0100)]
CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Fri, 29 Jan 2016 22:30:59 +0000 (23:30 +0100)]
CVE-2018-14628: python:descriptor: add get_deletedobjects_descriptor()
samba-tool drs clone-dc-database was quite useful to find
the true value of nTSecurityDescriptor of the CN=Delete Objects
containers.
Only the auto inherited SACL is available via a ldap search.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Oleg Kravtsov [Fri, 6 Oct 2023 09:20:05 +0000 (12:20 +0300)]
s4/torture: fix exit status of raw.bench-lookup
Use correct value of 'result' when the test passes.
Signed-off-by: Oleg Kravtsov <oleg@tuxera.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Oct 16 02:01:17 UTC 2023 on atb-devel-224
David Mulder [Fri, 10 Mar 2023 21:30:17 +0000 (14:30 -0700)]
gpdupate: Implement Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
David Mulder [Fri, 10 Mar 2023 21:29:24 +0000 (14:29 -0700)]
gpupdate: Test Drive Maps Client Side Extension
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher [Wed, 19 Jul 2023 21:04:01 +0000 (23:04 +0200)]
tevent: version 0.16.0
- the epoll backend is no longer limited to 2 event handlers
per low level fd.
- finally add support for TEVENT_FD_ERROR
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Oct 13 10:45:51 UTC 2023 on atb-devel-224
Stefan Metzmacher [Wed, 13 Jul 2011 07:46:26 +0000 (09:46 +0200)]
tevent: add support for TEVENT_FD_ERROR
After 12 years we finally got TEVENT_FD_ERROR support :-)
TEVENT_FD_WRITE event handlers never get errors reported
instead the event handler is silently disabled.
There are likely callers relying on that behavior, so
we are not able to chance it.
Now TEVENT_FD_WRITE can be used together with TEVENT_FD_ERROR
in order to get errors reported without waiting for TEVENT_FD_READ.
TEVENT_FD_ERROR can also be used alone in order to detect errors
on sockets in order to cleanup resources.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 28 Dec 2022 15:54:24 +0000 (16:54 +0100)]
tevent: add test_event_fd3
The tests the interaction of multiple event handlers on
the same low level fd.
It shows that poll and epoll backends behave in the
same fair way.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 24 Apr 2023 14:37:38 +0000 (14:37 +0000)]
tevent: add test_fd_speed3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Fri, 11 Nov 2022 21:30:35 +0000 (22:30 +0100)]
tevent: let tevent_epoll.c use new generic mpx infrastructure
This allows any number of event handlers per low level fd.
It means the epoll backend behaves like the poll backend now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Wed, 9 Nov 2022 21:48:10 +0000 (22:48 +0100)]
tevent: add tevent_common_fd_mpx infrastructure
Backends may require to map individual tevent_fd instances to
a single low level kernel state (e.g. for epoll).
This generic infrastructure adds helper functions using
a generic (sub)part of struct tevent_fd.
The new code will allow us to support more than 2 tevent_fd
instances per fd, which makes sure all backends can provide
a similar behavior. This will be important when we add
TEVENT_FD_ERROR as a 3rd kind of fd event.
The aim is to use this in order to replace the limited implementation
we already have in tevent_epoll.c.
As these helpers are typically called from within
'void tevent_fd_set_flags(struct tevent_fd *fde, uint16_t flags)'
there's no way to report errors. So in order avoid additional
error handling complexity the helpers try to avoid
any allocations which may fail. It also means the logic in
tevent_epoll.c doesn't have to change much.
These are implemented as static line functions in order to avoid
the function call overhead, which showed up in profiles of the
early implementation.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Thu, 31 Aug 2023 16:09:28 +0000 (18:09 +0200)]
tevent: split out a tevent_common_fd_disarm() helper
It means tevent_trace_fd_callback(TEVENT_EVENT_TRACE_DETACH)
is always called and similar future changes are only
needed in one place.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
ldb: sync DLIST_DEMOTE_SHORT() changes to include/dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
lib/util: sync DLIST_DEMOTE_SHORT() changes to dlinklist.h
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Stefan Metzmacher [Mon, 30 Jan 2023 15:10:07 +0000 (16:10 +0100)]
tevent: introduce DLIST_DEMOTE_SHORT()
It turns out that the overhead of DLIST_DEMOTE() implemented
as DLIST_REMOVE();DLIST_ADD_END(), is very high if the list
contains only 1 or 2 elements.
The next commits will make use of DLIST_DEMOTE_SHORT() for
multiplexing multiple tevent_fd structures for a single fd
and the most important and common case is a list with just
one element.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>